SonicOS Enhanced provides Policy Based Routing (PBR) for more flexible and granular traffic handling. The following sections describe PBR. For general information on routing in SonicOS Enhanced, see Network > Routing.
A simple static routing entry specifies how to handle traffic that matches specific criteria, such as destination address, destination mask, the gateway to which traffic is forwarded, the interface on which that gateway is located, and the route metric. This method of static routing satisfies most static requirements, but it is limited to forwarding based only on destination addressing.
Policy Based Routing (PBR) allows you to create extended static routes that provide more flexible and granular traffic handling capabilities. SonicOS Enhanced PBR allows matching based upon source address, source netmask, destination address, destination netmask, service, interface, and metric. This method of routing allows full control of forwarding based upon a large number of user-defined variables.
A metric is a weighted cost assigned to static and dynamic routes. Metrics have a value between 0 and 255. Lower metrics are considered better and take precedence over higher costs. SonicOS Enhanced adheres to Cisco-defined metric values for directly connected interfaces, statically encoded routes, and all dynamic IP routing protocols.
You can change the view of your route policies in the Route Policies table by selecting one of the view settings in the View Style menu. All Policies displays all the routing policies, including Custom Policies and Default Policies. Initially, only the Default Policies are displayed in the Route Policies table when you select All Policies from the View Style menu.
The Route Policies table provides easy pagination for viewing a large number of routing policies. You can navigate a large number of routing policies listed in the Route Policies table by using the navigation control bar located at the top right of the Route Policies table. The navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons move to the previous or next page respectively.
You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific routing policy. The default table configuration displays 50 entries per page. You can change this default number of entries for tables on the System > Administration page.
You can sort the entries in the table by clicking on a column header. The entries are sorted in ascending or descending order. The arrow to the right of the column header indicates the sorting status. A down arrow means ascending order; an up arrow indicates descending order.
In SonicOS Enhanced, a static route is configured through a basic route policy. To configure a static route, complete the following steps:

Step 2: From the Source menu, select the source address object for the static route, or select Create new address object to dynamically create a new address object.

Step 3: From the Destination menu, select the destination address object.

Step 4: From the Service menu, select a service object. For a generic static route that allows all traffic types, simply select Any.

Step 5: From the Gateway menu, select the gateway address object to be used for the route.

Step 6: From the Interface menu, select the interface to be used for the route.

Step 8: (Optional) Select the Disable route when the interface is disconnected checkbox to have the route automatically disabled when the interface is disconnected.

Step 9: (Optional) The Allow VPN path to take precedence option allows you to create a backup route for a VPN tunnel. By default, static routes have a metric of one and take precedence over VPN traffic. The Allow VPN path to take precedence option gives VPN traffic to the same destination address object precedence over the route. This results in the following behavior:

Step 11: Click OK to add the route.
When configuring a static route, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled based on the state of the probe for the policy.

Step 2: In the Probe pulldown menu, select the appropriate Network Monitor object or select Create New Network Monitor object... to dynamically create a new object. For more information, see “Network > Network Monitor”.

Step 3: Typical configurations do not check the Disable route when probe succeeds checkbox, because administrators typically want to disable a route when a probe to the route’s destination fails. This option is provided to give administrators added flexibility for defining routes and probes.

Step 4: Select Probe default state is UP to have the route consider the probe successful (that is, in the “UP” state) when the attached Network Monitor policy is in the “UNKNOWN” state. This is useful for controlling the probe-based behavior when a unit of a High Availability pair transitions from “IDLE” to “ACTIVE,” because this transition sets all Network Monitor policy states to “UNKNOWN.”

Step 5: Click OK to apply the configuration.
The following example walks you through creating a route policy for two simultaneously active WAN interfaces. For this example, a secondary WAN interface needs to be set up on the X3 interface and configured with the settings from your ISP. Next, configure the security appliance for load balancing by checking Enable Load Balancing on the Network > WAN Failover & LB page. For this example, choose Per Connection Round-Robin as the load balancing method on the same page. Click Accept to save your changes on the Network > WAN Failover & LB page.
Step 1: Click the Add button under the Route Policies table. The Add Route Policy window is displayed.

Step 2: Create a routing policy that directs all LAN Subnet sources to Any destinations for HTTP service out of the X1 Default Gateway via the X1 interface by selecting these settings from the Source, Destination, Service, Gateway and Interface menus respectively. Use the default 1 in the Metric field and enter force http out primary into the Comment field. Click OK.

Step 3: Create a second routing policy that directs all LAN Subnet sources to Any destinations for Telnet service out of the X3 Default Gateway via the X3 interface by selecting these settings from the Source, Destination, Service, Gateway and Interface menus respectively. Use the default 1 in the Metric field and enter force telnet out backup into the Comment field. Click OK.

Note: Do not enable the Allow VPN path to take precedence option for these routing policies. The Allow VPN path to take precedence option gives VPN traffic to the same destination address object precedence over the route. This option is used for configuring static routes as backups to VPN tunnels. See the “Static Route Configuration” section for more information.
These two policy-based routes force all sources from the LAN subnet to always go out the primary WAN when using any HTTP-based application, and force all sources from the LAN subnet to always go out the backup WAN when using any Telnet-based application.
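The route selection that the PBR description, the Network Monitor options and this dual-WAN example all rely on can be modelled compactly. The following Python is an added example, not SonicOS code: it matches a flow against route policies on source, destination and service, removes routes whose interface is disconnected or whose probe says they are down (treating an UNKNOWN probe according to Probe default state is UP and honouring the Disable route when probe succeeds inversion), picks the lowest metric among the survivors, and lets an established VPN tunnel win where Allow VPN path to take precedence is set. The LAN Subnet address 192.168.168.0/24, the probe name, the extra HTTP fallback and remote-office policies, and all destination addresses are constructed for the example and are not taken from the page.

```python
"""Toy model of SonicOS-style policy based routing (PBR) selection: match a flow on
source, destination and service, drop routes whose interface or probe says they are
down, pick the lowest metric, and let a VPN tunnel win where the policy allows it."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed service objects: name -> (protocol, destination port); "Any" matches all.
SERVICES = {"HTTP": ("tcp", 80), "Telnet": ("tcp", 23), "Any": None}


@dataclass
class RoutePolicy:
    name: str
    source: str                   # CIDR; "0.0.0.0/0" stands in for the Any address object
    destination: str
    service: str
    gateway: str
    interface: str
    metric: int = 1               # static routes default to a metric of 1
    disable_when_interface_down: bool = False   # "Disable route when the interface is disconnected"
    probe: Optional[str] = None                 # attached Network Monitor object, if any
    disable_route_when_probe_succeeds: bool = False
    probe_default_state_up: bool = False        # "Probe default state is UP"
    allow_vpn_path_to_take_precedence: bool = False

    def __post_init__(self) -> None:
        if not 0 <= self.metric <= 255:
            raise ValueError("metric must be between 0 and 255")

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        """Source, destination and service must all match for the policy to apply."""
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.source):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination):
            return False
        svc = SERVICES[self.service]
        return svc is None or svc == (proto, port)


def probe_allows_route(policy: RoutePolicy, probe_states: dict) -> bool:
    """Network Monitor semantics: an UNKNOWN probe (all probes are UNKNOWN right after an
    HA unit goes ACTIVE) is read through 'Probe default state is UP'; the route is normally
    kept while the probe succeeds, and 'Disable route when probe succeeds' inverts that."""
    if policy.probe is None:
        return True
    state = probe_states.get(policy.probe, "UNKNOWN")
    probe_up = policy.probe_default_state_up if state == "UNKNOWN" else state == "UP"
    return (not probe_up) if policy.disable_route_when_probe_succeeds else probe_up


def route_is_active(policy: RoutePolicy, interface_up: dict, probe_states: dict) -> bool:
    if policy.disable_when_interface_down and not interface_up.get(policy.interface, True):
        return False
    return probe_allows_route(policy, probe_states)


def select_route(policies, src, dst, proto, port, interface_up, probe_states, vpn_tunnels=()):
    """Return the egress for one flow ('X1', 'X3', 'VPN', ...) or None when no active
    policy matches. Among active matches the lowest metric wins; a winning policy with
    'Allow VPN path to take precedence' yields to an up tunnel covering the destination."""
    active = [p for p in policies
              if p.matches(src, dst, proto, port) and route_is_active(p, interface_up, probe_states)]
    if not active:
        return None
    best = min(active, key=lambda p: p.metric)
    if best.allow_vpn_path_to_take_precedence:
        if any(ipaddress.ip_address(dst) in ipaddress.ip_network(net) for net in vpn_tunnels):
            return "VPN"
    return best.interface


# Constructed policy table. The LAN Subnet address and the X3 probe name are assumptions.
LAN = "192.168.168.0/24"
POLICIES = [
    RoutePolicy("force http out primary", LAN, "0.0.0.0/0", "HTTP", "X1 Default Gateway", "X1",
                disable_when_interface_down=True),
    RoutePolicy("force telnet out backup", LAN, "0.0.0.0/0", "Telnet", "X3 Default Gateway", "X3",
                disable_when_interface_down=True),
    # Higher-metric HTTP fallback, guarded by a probe of the X3 gateway (constructed).
    RoutePolicy("http fallback via X3", LAN, "0.0.0.0/0", "HTTP", "X3 Default Gateway", "X3",
                metric=10, probe="X3 gateway probe", probe_default_state_up=True),
    # Static backup for a site normally reached over a VPN tunnel (constructed).
    RoutePolicy("remote office backup", LAN, "10.50.0.0/16", "Any", "X1 Default Gateway", "X1",
                allow_vpn_path_to_take_precedence=True),
]

if __name__ == "__main__":
    both_up = {"X1": True, "X3": True}
    print(select_route(POLICIES, "192.168.168.10", "203.0.113.5", "tcp", 80, both_up, {}))   # X1
    print(select_route(POLICIES, "192.168.168.10", "203.0.113.5", "tcp", 23, both_up, {}))   # X3
    print(select_route(POLICIES, "192.168.168.10", "203.0.113.5", "tcp", 80,
                       {"X1": False, "X3": True}, {"X3 gateway probe": "DOWN"}))            # None
    print(select_route(POLICIES, "192.168.168.10", "10.50.3.7", "tcp", 443, both_up, {},
                       vpn_tunnels=["10.50.0.0/16"]))                                        # VPN
```

Run as a script it prints the egress for four sample flows: HTTP and Telnet from the LAN take X1 and X3 as the page describes; with X1 disconnected the HTTP fallback on X3 is used only while its probe is UP or UNKNOWN, and a DOWN probe leaves HTTP with no route; the remote-office flow goes over the VPN while the tunnel is up and falls back to the X1 static route otherwise.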
To test the HTTP policy-based route, from a computer attached to the LAN interface, access the public Web sites http://www.whatismyip.com and http://whatismyip.everdot.org. Both sites display the primary WAN interface’s IP address and not the secondary WAN interface’s.

To test the Telnet policy-based route, telnet to route-server.exodus.net and, when logged in, issue the who command. It displays the IP address (or resolved FQDN) of the WAN IP address of the secondary WAN interface and not the primary WAN interface.