Routing
Policy and Static Routes Overview
Use policy routes and static routes to override the Zyxel Device’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel.
What You Need to Know
Policy Routing
Traditionally, routing is based on the destination address only and the Zyxel Device takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.
How You Can Use Policy Routing
Source-Based Routing – Network administrators can use policy-based routing to direct traffic from different users through different connections.
Cost Savings – IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic.
Load Sharing – Network administrators can use IPPR to distribute traffic among multiple paths.
NAT – The Zyxel Device performs NAT by default for traffic going to or from the WAN interfaces. A routing policy’s SNAT allows network administrators to have traffic received on a specified interface use a specified IP address as the source IP address.
Note: The Zyxel Device automatically uses SNAT for traffic it routes from internal interfaces to external interfaces, for example LAN to WAN traffic.
Static Routes
The Zyxel Device usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the Zyxel Device send data to devices not reachable through the default gateway, use static routes.
Policy Routes Versus Static Routes
Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management.
Policy routes take priority over static routes. If you need to use a routing policy on the Zyxel Device and propagate it to other routers, you could configure a policy route and an equivalent static route.
DiffServ
QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types.
DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going.
DSCP Marking and Per-Hop Behavior
DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field.
DS field: DSCP (6 bits) | Unused (2 bits)
DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network devices will not conflict with the DSCP mapping.
The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different kinds of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.
NAT and SNAT
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network. Use SNAT (Source NAT) to change the source IP address in one network to a different IP address in another network.
Assured Forwarding (AF) PHB for DiffServ
Assured Forwarding (AF) behavior is defined in RFC 2597. The AF behavior group defines four AF classes. Inside each class, packets are given a high, medium or low drop precedence. The drop precedence determines the probability that routers on the network will drop packets when congestion occurs. If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces the following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets.
Assured Forwarding (AF) Behavior Group
                       | Class 1   | Class 2   | Class 3   | Class 4
Low Drop Precedence    | AF11 (10) | AF21 (18) | AF31 (26) | AF41 (34)
Medium Drop Precedence | AF12 (12) | AF22 (20) | AF32 (28) | AF42 (36)
High Drop Precedence   | AF13 (14) | AF23 (22) | AF33 (30) | AF43 (38)
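The DS field layout and the AF code points above can be checked programmatically. The following Python is an added example, not Zyxel code: it builds the twelve AF values from class and drop precedence (DSCP = 8 x class + 2 x drop precedence, which reproduces the table) and decodes the DS octet of an IPv4 header. The sample header is constructed and the function names are illustrative.

```python
# Drop precedence digit in the AF name: AFx1 = low, AFx2 = medium, AFx3 = high.
DROP = {1: "low", 2: "medium", 3: "high"}

def af_dscp(af_class, drop):
    """Return the decimal DSCP for AF<class><drop>, e.g. AF11 -> 10."""
    if af_class not in range(1, 5) or drop not in DROP:
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (af_class << 3) | (drop << 1)

# Lookup table of the twelve AF code points, keyed by decimal DSCP value.
AF_NAMES = {af_dscp(c, d): f"AF{c}{d}" for c in range(1, 5) for d in DROP}

def decode_ds(ds_byte):
    """Split the DS (former ToS) octet into DSCP, unused bits and a label."""
    if not 0 <= ds_byte <= 0xFF:
        raise ValueError("the DS field is a single octet")
    dscp = ds_byte >> 2                      # upper 6 bits
    return {
        "dscp": dscp,
        "unused": ds_byte & 0b11,            # lower 2 bits
        "precedence": dscp >> 3,             # the three legacy ToS precedence bits
        "label": "default" if dscp == 0 else AF_NAMES.get(dscp, f"dscp-{dscp}"),
    }

def ds_from_ipv4(header):
    """Decode the DS octet (second byte) of a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return decode_ds(header[1])

# Constructed 20-byte IPv4 header whose DS octet is 0x88 (checksum left at zero).
SAMPLE = bytes.fromhex("4588003c" "00004000" "40060000" "c0a80101" "0a140505")

if __name__ == "__main__":
    print(ds_from_ipv4(SAMPLE))
```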
Policy Route Screen
Use this screen to see the configured policy routes and turn policy routing based bandwidth management on or off.
A policy route defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria can include the user name, source address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and port.
The actions that can be taken include:
Routing the packet to a different gateway, outgoing interface, VTI interface, or trunk.
The following table describes the labels in this screen.
Network > Routing > Policy Route 
Label
Description
Use IPv4 Policy Route to Override Direct Route
Select this to have the Zyxel Device forward packets that match a policy route according to the policy route instead of sending the packets directly to a connected network.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Active
Select one or more policies, then click this to enable the selected policies. The Status light changes accordingly.
Inactive
Select one or more policies, then click this to disable the selected policies. The Status light changes accordingly.
Move to
Select a policy, click this, enter a new location up to and including the last policy number, then press [ENTER] to move it to the new location. Policies are checked in order beginning from the first.
Search
Type an item in the search box, then click this to display all sessions in the table below according to the item you typed.
Clear All
Click this to remove all items found in the search.
Filter
Click the Filter icon, click + to expand Policy Match, pick a filter, then click Find to display specific sessions according to the filter selected. You may select multiple filters, but just one of each type, configured one at a time.
Status
This icon is lit when the entry is active, red when the next hop’s connection is down, and dimmed when the entry is inactive.
Priority
This is the row number of the policy. Policies are checked in order beginning from the first.
User
This is the name of the user (group) object from which the packets are sent. any means all users.
Schedule
This is the name of the schedule object. any means the route is active at all times if enabled.
Incoming
This is the interface on which the packets are received.
Source
This is the name of the source IP address (group) object, including geographic address and FQDN (group) objects. any means all IP addresses.
Destination
This is the name of the destination IP address (group) object, including geographic and FQDN (group) address objects. any means all IP addresses.
DSCP Code
This is the DSCP value of incoming packets to which this policy route applies.
any means all DSCP values or no DSCP marker.
default means traffic with a DSCP value of 0. This is usually best effort traffic.
The “af” entries stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details.
Service
This is the name of the destination service object. any means all destination services.
Source Port
This is the name of the source service object. any means all source services.
Next-Hop
This is the next hop to which packets are directed. It helps forward packets to their destinations and can be an IP address of a router or a VTI interface.
DSCP Marking
This is how the Zyxel Device handles the DSCP value of the outgoing packets that match this route. If this field displays a DSCP value, the Zyxel Device applies that DSCP value to the route’s outgoing packets.
preserve means the Zyxel Device does not modify the DSCP value of the route’s outgoing packets.
default means the Zyxel Device sets the DSCP value of the route’s outgoing packets to 0.
The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details.
SNAT
This is the source IP address that the route uses.
It displays none if the Zyxel Device does not perform NAT for this route.
Hits
This is the number of sessions with traffic that matched the policy criteria.
Apply
Click Apply to save your changes back to the Zyxel Device.
Cancel
Click Cancel to return the screen to its last-saved settings.
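Because policies are checked in order beginning from the first, a broad policy placed above a narrower one can keep the narrower one from ever matching, for instance sending traffic meant for a VPN tunnel out a WAN interface instead. The following Python is an added example, not Zyxel code: a simplified model (incoming interface, source and destination only, with first match wins as an assumption) that flags such shadowed entries in a rule list. Rule names, interfaces and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class PolicyRoute:
    name: str
    incoming: str       # interface name or "any"
    source: str         # IPv4 CIDR or "any"
    destination: str    # IPv4 CIDR or "any"
    next_hop: str
    active: bool = True

def _net(value):
    return ipaddress.ip_network("0.0.0.0/0" if value == "any" else value)

def _covers(broad, narrow):
    """True if every address in `narrow` is also in `broad`."""
    return _net(narrow).subnet_of(_net(broad))

def shadows(earlier, later):
    """True if every packet matching `later` already matches `earlier`."""
    return (earlier.incoming in ("any", later.incoming)
            and _covers(earlier.source, later.source)
            and _covers(earlier.destination, later.destination))

def find_shadowed(routes):
    """Return (shadowed, shadowing) name pairs, walking active routes in order."""
    active = [r for r in routes if r.active]
    findings = []
    for i, later in enumerate(active):
        for earlier in active[:i]:
            # Only report when the earlier rule sends the traffic elsewhere.
            if shadows(earlier, later) and earlier.next_hop != later.next_hop:
                findings.append((later.name, earlier.name))
                break
    return findings

def select(routes, incoming, src, dst):
    """Name of the first active route whose criteria all match, else None."""
    for r in routes:
        if (r.active and r.incoming in ("any", incoming)
                and ipaddress.ip_address(src) in _net(r.source)
                and ipaddress.ip_address(dst) in _net(r.destination)):
            return r.name
    return None

# Constructed rule list in priority order: the VPN rule sits below a broader rule.
ROUTES = [
    PolicyRoute("lan-to-wan", "lan1", "192.168.1.0/24", "any", "wan1"),
    PolicyRoute("branch-vpn", "lan1", "192.168.1.0/24", "10.20.0.0/16", "vti0"),
    PolicyRoute("guest-out", "lan2", "192.168.2.0/24", "any", "wan2"),
]
```

Moving the narrower entry above the broader one clears the finding in this model.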
Policy Route Edit Screen
Use this screen to configure or edit a policy route. The following table describes the labels in this screen.
Network > Routing > Policy Route > Add/Edit 
Label
Description
Enable
Select this to activate the rule.
Name
Enter a name to identify this rule.
Description
Enter a descriptive name consisting of 1 to 60 single-byte characters, including a-zA-Z0-9. Special characters and spaces are allowed.
Criteria
 
User
Select a user name or user group from which the packets are sent.
Incoming
Select where the packets are coming from; any, an interface, a tunnel, an SSL VPN, or the Zyxel Device itself. For an interface, a tunnel, or an SSL VPN, you also need to select the individual interface, VPN tunnel, or SSL VPN connection.
Source Address
Select a source IP address object, including geographic address and FQDN (group) objects, from which the packets are sent.
Destination Address
Select a destination IP address object, including geographic address and FQDN (group) objects, to which the traffic is being sent. If the next hop is a dynamic VPN tunnel and you enable Auto Destination Address, the Zyxel Device uses the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of your configuration here.
DSCP Code
Select a DSCP code point value of incoming packets to which this policy route applies or select User Define to specify another DSCP code point. The lower the number the higher the priority with the exception of 0 which is usually given only best-effort treatment.
any means all DSCP values or no DSCP marker.
default means traffic with a DSCP value of 0. This is usually best effort traffic.
The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details.
User-Defined DSCP Code
Use this field to specify a custom DSCP code point when you select User Define in the previous field.
Schedule
Select a schedule to control when the policy route is active. none means the route is active at all times if enabled.
Service
Select a destination service or service group to identify the type of traffic to which this policy route applies.
Source Port
Select a source service or service group to identify the source port of packets to which the policy route applies.
Next-Hop
 
Type
Select Auto to have the Zyxel Device use the routing table to find a next-hop and forward the matched packets automatically.
Select Interface to route the matched packets through the specified outgoing interface to a gateway (which is connected to the interface).
Select gateway to route the matched IPv6 packets through a 6to4 tunnel to the packets’ destination.
Select gateway-ip to route the matched packets to the next-hop router or switch you specified in the Host IP Address field. You have to set up the next-hop router or switch as a HOST address object first.
Select trunk to route the matched packets through the interfaces in the trunk group based on the load balancing algorithm.
Interface
This field displays when you select Interface in the Type field. Select an interface to have the Zyxel Device send traffic that matches the policy route through the specified interface.
Service
This field displays when you select gateway in the Type field. IP6to4-Relay service enables IPv6 packets to cross IPv4 networks; see What You Need to Know for more information.
Host IP Address
This field displays when you select gateway-ip in the Type field. Select a HOST address object. The gateway is an immediate neighbor of your Zyxel Device that will forward the packet to the destination. The gateway must be a router or switch on the same segment as your Zyxel Device's interface(s).
Trunk
This field displays when you select trunk in the Type field. Select a trunk group to have the Zyxel Device send the packets via the interfaces in the group.
DSCP Marking
Set how the Zyxel Device handles the DSCP value of the outgoing packets that match this route.
Select one of the pre-defined DSCP values to apply or select User Define to specify another DSCP value. The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details.
Select preserve to have the Zyxel Device keep the packets’ original DSCP value.
Select default to have the Zyxel Device set the DSCP value of the packets to 0.
User-Defined DSCP Marking
Use this field to specify a custom DSCP value.
Address Translation
Use this section to configure NAT for the policy route. This section does not apply to policy routes that use a VPN tunnel as the next hop.
Source Network Address Translation
Select none to not use NAT for the route.
Select outgoing-interface to use the IP address of the outgoing interface as the source IP address of the packets that match this route.
To use SNAT for a virtual interface that is in the same WAN trunk as the physical interface to which the virtual interface is bound, the virtual interface and physical interface must be in different subnets.
Otherwise, select a pre-defined address (group) to use as the source IP address(es) of the packets that match this route.
Apply
Click Apply to save your changes back to the Zyxel Device.
Cancel
Click Cancel to return the screen to its last-saved settings.
Static Route Screen
This screen displays the configured static routes. The following table describes the labels in this screen.
Network > Routing > Static Route 
Label
Description
Add
Click this to create a new static route.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Name
This is the name of the static route entry.
Destination
This is the destination IP address.
Next-Hop
This is the IP address of the next-hop gateway or the interface through which the traffic is routed. The gateway is a router or switch on the same segment as your Zyxel Device's interface(s). The gateway helps forward packets to their destinations.
Metric
This is the route’s priority among the Zyxel Device’s routes. The smaller the number, the higher priority the route has.
Static Route Add/Edit Screen
Click Network > Routing > Static Route > Add/Edit to display the next screen. Use this screen to configure the required information for a static route.
The following table describes the labels in this screen.
Network > Routing > Static Route > Add 
Label
Description
Name
Enter a name to identify this rule. You can use up to 30 single-byte characters, including 0-9a-zA-Z. The first character cannot be a number.
Destination
This parameter specifies the IP network address of the final destination. Routing is always based on network number.
If you need to specify a route to a single host, enter the specific IP address here.
Next Hop
 
Gateway
Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your Zyxel Device's interface(s). The gateway helps forward packets to their destinations.
Gateway Object
Select the radio button to route the matched IPv6 packets through a 6to4 tunnel to the packets’ destination.
Interface
Select the radio button and a predefined interface through which the traffic is sent.
Metric
Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be 0~127. In practice, 2 or 3 is usually a good number.
Apply
Click Apply to save your changes back to the Zyxel Device.
Cancel
Click Cancel to return the screen to its last-saved settings.