ZyWALL USG 50 User’s Guide
Page 281 / 944

Chapter 13
Policy and Static Routes
13.1 Policy and Static Routes Overview
Use policy routes and static routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel.

For example, the next figure shows a computer (A) connected to the ZyWALL’s LAN interface. The ZyWALL routes most traffic from A to the Internet through the ZyWALL’s default gateway (R1). You create one policy route to connect to services offered by your ISP behind router R2. You create another policy route to communicate with a separate network behind another router (R3) connected to the LAN.
Figure 174 Example of Policy Routing Topology
Note: You can generally just use policy routes. You only need to use static routes if you have a large network with multiple routers where you use RIP or OSPF to propagate routing information to other routers.
13.1.1 What You Can Do in this Chapter
Use the Policy Route screens (see Section 13.2 on page 284) to list and configure policy routes.
Use the Static Route screens (see Section 13.3 on page 291) to list and configure static routes.
13.1.2 What You Need to Know
Policy Routing
Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.
How You Can Use Policy Routing
Source-Based Routing – Network administrators can use policy-based routing to direct traffic from different users through different connections.

Bandwidth Shaping – You can allocate bandwidth to traffic that matches routing policies and prioritize traffic (however, the application patrol’s bandwidth management is more flexible and is recommended for TCP and UDP traffic). You can also use policy routes to manage other types of traffic (like ICMP traffic) and send traffic through VPN tunnels.

Note: Bandwidth management in policy routes has priority over application patrol bandwidth management.

Cost Savings – IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic.

Load Sharing – Network administrators can use IPPR to distribute traffic among multiple paths.

NAT – The ZyWALL performs NAT by default for traffic going to or from the WAN interfaces. A routing policy’s SNAT allows network administrators to have traffic received on a specified interface use a specified IP address as the source IP address.

Note: The ZyWALL automatically uses SNAT for traffic it routes from internal interfaces to external interfaces, for example LAN to WAN traffic.
Static Routes
The ZyWALL usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the ZyWALL send data to devices not reachable through the default gateway, use static routes. Configure static routes if you need to use RIP or OSPF to propagate the routing information to other routers. See Chapter 14 on page 297 for more on RIP and OSPF.
Policy Routes Versus Static Routes
Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management.

Policy routes are only used within the ZyWALL itself. Static routes can be propagated to other routers using RIP or OSPF.

Policy routes take priority over static routes. If you need to use a routing policy on the ZyWALL and propagate it to other routers, you could configure a policy route and an equivalent static route.
DiffServ
QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types.

DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going.
DSCP Marking and Per-Hop Behavior
DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (ToS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field.

DSCP is backward compatible with the three precedence bits in the ToS octet, so that non-DiffServ-compliant, ToS-enabled network devices will not conflict with the DSCP mapping.

The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different kinds of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.

[DS field figure: DSCP (6 bits) | Unused (2 bits)]
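As an added example (not from the manual or from Zyxel), the following Python packs the DS octet described above into a minimal IPv4 header, reads it back, and re-marks it the way a DiffServ device would, recomputing the header checksum. It also derives the standard CS/AF/EF names from the bit pattern and shows why the top three DSCP bits line up with the old ToS precedence bits. The addresses and header field values are constructed.

```python
import socket
import struct

# Added example, not Zyxel code: the DS octet layout from the manual, packed into
# and read back from a minimal IPv4 header. Addresses and IDs below are constructed.

HDR_FMT = "!BBHHHBBH4s4s"  # ver/IHL, DS, total len, id, flags/frag, TTL, proto, checksum, src, dst


def dscp_to_ds_byte(dscp: int, low2: int = 0) -> int:
    """6-bit DSCP in the high bits; the 2-bit field the manual lists as unused in the low bits."""
    if not 0 <= dscp <= 63 or not 0 <= low2 <= 3:
        raise ValueError("DSCP is 6 bits, the remaining field is 2 bits")
    return (dscp << 2) | low2


def ds_byte_to_dscp(ds: int) -> int:
    return (ds >> 2) & 0x3F


def dscp_to_precedence(dscp: int) -> int:
    """The three high-order DSCP bits occupy the old ToS precedence bits,
    which is the backward compatibility the manual describes."""
    return (dscp >> 3) & 0x7


def dscp_name(dscp: int) -> str:
    """Derive the standard name (CSx, AFxy, EF) from the bit pattern alone."""
    hi, lo = dscp >> 3, dscp & 0x7
    if dscp == 46:
        return "EF"
    if lo == 0:
        return f"CS{hi}"
    if 1 <= hi <= 4 and lo in (2, 4, 6):
        return f"AF{hi}{lo // 2}"
    return f"DSCP{dscp}"


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words; a header with a valid checksum sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, dscp: int, proto: int = 17,
                      payload_len: int = 0, ttl: int = 64) -> bytes:
    """20-byte IPv4 header with the requested DSCP and a correct checksum."""
    fields = [0x45, dscp_to_ds_byte(dscp), 20 + payload_len, 0x1234, 0x4000,
              ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(HDR_FMT, *fields))
    return struct.pack(HDR_FMT, *fields)


def read_dscp(hdr: bytes) -> int:
    return ds_byte_to_dscp(hdr[1])


def remark_dscp(hdr: bytes, new_dscp: int) -> bytes:
    """What a marking device does on the way out: rewrite the DSCP, leave the
    low 2 bits untouched and recompute the header checksum."""
    out = bytearray(hdr)
    out[1] = dscp_to_ds_byte(new_dscp, hdr[1] & 0x3)
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out)))
    return bytes(out)


if __name__ == "__main__":
    hdr = build_ipv4_header("192.0.2.1", "198.51.100.2", 0)
    marked = remark_dscp(hdr, 46)
    print(dscp_name(read_dscp(marked)), hex(marked[1]),
          "precedence", dscp_to_precedence(read_dscp(marked)))
```

Marking EF (DSCP 46) yields a DS byte of 0xB8, and a ToS-only device reading the top three bits sees precedence 5, which is the compatibility the text refers to.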
Finding Out More
See Section 6.5.6 on page 97 for related information on the policy route screens.

See Section 7.12 on page 152 for an example of creating a policy route for using multiple static public WAN IP addresses for LAN to WAN traffic.

See Section 13.4 on page 293 for more background information on policy routing.
13.2 Policy Route Screen
Click Configuration > Network > Routing to open the Policy Route screen. Use this screen to see the configured policy routes and turn policy-route-based bandwidth management on or off.

A policy route defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria can include the user name, source address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and port.

The actions that can be taken include:

Routing the packet to a different gateway, outgoing interface, VPN tunnel, or trunk.

Limiting the amount of bandwidth available and setting a priority for traffic.

IPPR follows the existing packet filtering facility of RAS in style and in implementation.
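As an added example (not from the manual or from Zyxel), the following Python models the lookup order this chapter describes: delivery to a directly connected network unless the Use Policy Route to Override Direct Route option is set, then policy routes tried in order of their numbering with every criterion required to match (user, schedule, incoming interface, source, destination, protocol, port), then the most specific static route, then the default gateway. It also shows a route's SNAT replacing the source address, and a static route kept as the equivalent of a policy route so that RIP or OSPF could propagate it. The topology follows Figure 174; the interface names, addresses, and the schedule flag are constructed assumptions, and the model does not cover bandwidth management.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of the lookup order described in the manual; not ZyWALL code.
# Interface names, addresses and the schedule flag below are assumptions.


@dataclass
class Packet:
    incoming: str            # interface the packet arrived on
    src: str
    dst: str
    proto: str               # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None
    user: str = "any"        # authenticated user (group), if any


def _addr_matches(addr: str, spec: str) -> bool:
    """'any', a single host or a CIDR prefix."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass
class PolicyRoute:
    number: int              # position in the list; rules are tried in this order
    next_hop: str            # gateway, interface, VPN tunnel or trunk
    enabled: bool = True
    schedule_active: bool = True   # assumption: the schedule object is evaluated elsewhere
    user: str = "any"
    incoming: str = "any"
    source: str = "any"
    destination: str = "any"
    proto: str = "any"
    dport: Optional[int] = None    # None means any port
    snat: Optional[str] = None     # source address to substitute, if the route sets one

    def matches(self, pkt: Packet) -> bool:
        # The action is taken only when every criterion holds.
        return (self.enabled and self.schedule_active
                and self.user in ("any", pkt.user)
                and self.incoming in ("any", pkt.incoming)
                and _addr_matches(pkt.src, self.source)
                and _addr_matches(pkt.dst, self.destination)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class StaticRoute:
    network: str
    gateway: str


def lookup(pkt: Packet, policy_routes: List[PolicyRoute], static_routes: List[StaticRoute],
           connected: Dict[str, str], default_gw: str, override_direct: bool = False) -> dict:
    """Decide the next hop and the source address a packet leaves with.

    Order: directly connected network (unless policy routes may override it), policy
    routes by number (first match wins), most specific static route, default gateway."""
    dst = ipaddress.ip_address(pkt.dst)
    direct = next((name for name, net in connected.items()
                   if dst in ipaddress.ip_network(net)), None)
    if direct and not override_direct:
        return {"via": direct, "kind": "direct", "src": pkt.src}
    for pr in sorted(policy_routes, key=lambda r: r.number):
        if pr.matches(pkt):
            return {"via": pr.next_hop, "kind": f"policy #{pr.number}", "src": pr.snat or pkt.src}
    if direct:
        return {"via": direct, "kind": "direct", "src": pkt.src}
    best = max((sr for sr in static_routes if dst in ipaddress.ip_network(sr.network)),
               key=lambda sr: ipaddress.ip_network(sr.network).prefixlen, default=None)
    if best:
        return {"via": best.gateway, "kind": "static", "src": pkt.src}
    return {"via": default_gw, "kind": "default", "src": pkt.src}


# Constructed topology after Figure 174: host A on the LAN, R1 as default gateway,
# ISP services behind R2, and a separate 10.10.0.0/16 network behind R3 on the LAN.
CONNECTED = {"lan": "192.168.1.0/24", "wan1": "203.0.113.0/24"}
DEFAULT_GW = "R1"
POLICY_ROUTES = [
    PolicyRoute(1, next_hop="R2", incoming="lan", destination="198.51.100.0/24"),
    PolicyRoute(2, next_hop="R3", incoming="lan", destination="10.10.0.0/16"),
    PolicyRoute(3, next_hop="wan2", incoming="lan", proto="tcp", dport=25,
                snat="203.0.113.10"),
]
# Static equivalent of rule 2 so RIP/OSPF could propagate it, plus a wider static route.
STATIC_ROUTES = [StaticRoute("10.10.0.0/16", "R3"), StaticRoute("10.0.0.0/8", "R1")]


def route_from_a(dst: str, proto: str = "udp", dport: Optional[int] = None, **kw) -> dict:
    """Route a packet from host A (192.168.1.33 on the LAN) through the constructed tables."""
    pkt = Packet(incoming="lan", src="192.168.1.33", dst=dst, proto=proto, dport=dport)
    return lookup(pkt, POLICY_ROUTES, STATIC_ROUTES, CONNECTED, DEFAULT_GW, **kw)


if __name__ == "__main__":
    for dst in ("198.51.100.7", "10.10.5.5", "10.99.1.1", "192.0.2.9", "192.168.1.50"):
        print(dst, route_from_a(dst))
    print("smtp", route_from_a("192.0.2.9", "tcp", 25))
```

Disabling rule 2 lets the equivalent static route take over for 10.10.0.0/16, which is the behaviour the "Policy Routes Versus Static Routes" paragraph relies on; a destination inside a connected network only reaches a policy route when override_direct is set.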
Figure 175 Configuration > Network > Routing > Policy Route
The following table describes the labels in this screen.

Table 76 Configuration > Network > Routing > Policy Route

LABEL: DESCRIPTION

Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.

Enable BWM: This is a global setting for enabling or disabling bandwidth management on the ZyWALL. You must enable this setting to have individual policy routes or application patrol policies apply bandwidth management. This same setting also appears in the AppPatrol > General screen. Enabling or disabling it in one screen also enables or disables it in the other screen.

Use Policy Route to Override Direct Route: Select this to have the ZyWALL forward packets that match a policy route according to the policy route instead of sending the packets directly to a connected network. See Section 6.4.1 on page 92 for how this option affects the routing table.

Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.

Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.

Activate: To turn on an entry, select it and click Activate.

Inactivate: To turn off an entry, select it and click Inactivate.

Move: To change a rule’s position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering.

#: This is the number of an individual policy route.

Status: This icon is lit when the entry is active, red when the next hop’s connection is down, and dimmed when the entry is inactive.

User: This is the name of the user (group) object from which the packets are sent. "any" means all users.

Schedule: This is the name of the schedule object. "none" means the route is active at all times if enabled.

Incoming: This is the interface on which the packets are received.

Source: This is the name of the source IP address (group) object. "any" means all IP addresses.

Destination: This is the name of the destination IP address (group) object. "any" means all IP addresses.
