
Policy Based Routing

A policy-based routing rule is an ACL that can forward traffic as normal, route traffic over a VPN tunnel specified by an IPsec map, route traffic to a nexthop router on a nexthop list, or redirect traffic over an L3 GRE tunnel or tunnel group.

 

A Policy Based Routing rule does not become active until it is applied to a VLAN interface or user role.

Associating PBR Rule with Managed Device

To associate a policy based routing rule with a managed device:

1. In the Managed Network node hierarchy, navigate to the Configuration> Services > WAN tab.

2. Expand the Policy-Based Routing menu.

3. Click + below the Policies table to create a new policy. Enter the Policy Name in the New Routing Policy pop-up and click Submit. The policy type (route) is predefined in this window.

4. Select the policy created in the Policies table. The Policies > (policy name) table appears.

5. Click + to add a new policy.

6. The New Rule window opens. Select a rule type:

Access Control: Applies the rule to all traffic, or to traffic using a specific service, protocol, or TCP/UDP port or range of ports.

Application: Applies the rule to traffic for a specific application or application category.

7. Configure the rule parameters.

Table 1: Policy Based Routing ACL Rule Parameters

Field

Description

IP version

Specifies whether the policy applies to IPv4 or IPv6 traffic.

Source (required)

Source of the traffic, which can be one of the following:

any: Acts as a wildcard and applies to any source address.

user: This refers to traffic from the wireless client.

host: This refers to traffic from a specific host. When this option is chosen, you must configure the IP address of the host.

network: This refers to traffic that has a source IP from a subnet of IP addresses. When this option is chosen, you must configure the IP address and network mask of the subnet.

alias: This refers to using an alias for a host or network. You configure the alias by navigating to the Configuration > Advanced Services > Stateful Firewall > Destination page.

Destination (required)

Destination of the traffic, which can be configured in the same manner as Source.

Service/APP

If you are creating an access control rule, select a type of traffic, which can be one of the following:

protocol: Using this option, you specify a different layer 4 protocol (other than TCP/UDP) by configuring the IP protocol value.

any: This option specifies that this rule applies to any type of traffic.

service: Using this option, you use one of the pre-defined services (common protocols such as HTTPS, HTTP, and others) as the protocol to match for the rule to be applied. You can also specify a network service that you have manually configured. For details, see Creating a Network Service Alias.

tcp: A range of TCP port(s) that must be used by the traffic in order for the rule to be applied.

udp: A range of UDP port(s) that must be used by the traffic in order for the rule to be applied.

Scope

If you are creating an application rule, select a type of traffic, which can be one of the following:

application: Create a rule that applies to a specific application type. Click the Application drop-down list and select an application type.

application category: Create a rule that applies to a specific application category. Click the Application Category drop-down list and select a category type.

Action (required)

The action that you want the controller to perform on a packet that matches the specified criteria. This can be one of the following:

Forward Regularly: Packets are forwarded to their next destination without any changes.

Forward to ipsec-map: Packets are forwarded through an IPsec tunnel defined by the specified IPsec map. You must specify the position of the forwarding or routing rule (1 is first, default is last).

Forward to next-hop-list: Packets are forwarded to the highest priority active device on the selected next hop list. You must also specify the position of the forwarding or routing rule (1 is first, default is last). For more information on next-hop lists, see Uplink Routing using Nexthop Lists.

Forward to tunnel: Packets are forwarded through the tunnel with the specified tunnel ID. You must also specify the position of the forwarding or routing rule (1 is first, default is last). For more information on GRE tunnels, see GRE Tunnels.

Forward to tunnel group: Packets are forwarded through the active tunnel in a GRE tunnel group. You must also specify the position of the forwarding or routing rule (1 is first, default is last). For more information on tunnel groups, see GRE Tunnel Groups.

Position

(Optional) Define a position for the rule in the ACL. Rules are processed according to their position numbers, and new rules are added at the end of an ACL by default. A position of 1 puts the rule at the top of the list.

8. Click Submit.

9. Click Pending Changes.

10. In the Pending Changes window, select the check box and click Deploy Changes.
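The matching and ordering semantics described in the table and procedure above (source/destination forms, service forms, first-match evaluation by position, no effect until the ACL is applied to a VLAN interface or user role), as an added Python model that is not ArubaOS code or syntax. The spec spellings, action labels, ACL and VLAN names, and the assumption that traffic matching no rule is forwarded normally are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    src: str      # "any", "user", "host <ip>" or "network <cidr>"
    dst: str      # same forms as src
    service: str  # "any", "protocol <n>", "tcp <port|lo-hi>" or "udp <port|lo-hi>"
    action: str   # illustrative label for the action, e.g. "route ipsec-map HQ-VPN"

def endpoint_matches(spec, addr, is_client):
    kind, _, arg = spec.partition(" ")
    if kind == "any": return True
    if kind == "user": return is_client           # "user" is the wireless client
    if kind == "host": return ip_address(addr) == ip_address(arg)
    if kind == "network": return ip_address(addr) in ip_network(arg, strict=False)
    raise ValueError(f"unknown endpoint spec {spec!r}")

def service_matches(spec, proto, dport):
    kind, _, arg = spec.partition(" ")
    if kind == "any": return True
    if kind == "protocol": return proto == int(arg)  # non-TCP/UDP, by IP protocol number
    if proto != {"tcp": 6, "udp": 17}[kind]:         # KeyError for an unknown spec
        return False
    lo, _, hi = arg.partition("-")                   # "443" or "8000-8080"
    return int(lo) <= dport <= int(hi or lo)

class RouteAcl:
    def __init__(self, name, applied_to=()):
        # applied_to: the VLAN interfaces or user roles the ACL is attached to
        self.name, self.rules, self.applied_to = name, [], set(applied_to)
    def add_rule(self, rule, position=None):
        # Position 1 is the top of the list; with no position the rule goes last.
        self.rules.insert(len(self.rules) if position is None else position - 1, rule)
    def decide(self, src, dst, proto, dport, src_is_client=False):
        if not self.applied_to:  # an ACL attached to nothing has no effect
            return "forward"
        for r in self.rules:     # first match in position order wins
            if (endpoint_matches(r.src, src, src_is_client)
                    and endpoint_matches(r.dst, dst, False)
                    and service_matches(r.service, proto, dport)):
                return r.action
        return "forward"  # assumption: traffic matching no rule is forwarded normally

def build_example_acl():
    acl = RouteAcl("branch-pbr", applied_to=["vlan 100"])  # constructed example
    acl.add_rule(Rule("user", "any", "any", "route next-hop-list WAN-UPLINKS"))
    acl.add_rule(Rule("user", "network 10.0.0.0/8", "any", "forward"), position=1)
    acl.add_rule(Rule("user", "any", "tcp 443", "route ipsec-map HQ-VPN"), position=2)
    return acl
```

Inserting at positions 1 and 2 pushes the catch-all rule to the end, so client HTTPS to the 10.0.0.0/8 network is forwarded normally even though a later rule would send it into the IPsec map.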
