Policy Based Routing

A policy-based routing rule is an ACL (Access Control List) that can forward traffic as normal, route it over a VPN tunnel specified by an IPsec map, route it to a next-hop router on a next-hop list, or redirect it over an L3 GRE (Generic Routing Encapsulation) tunnel or tunnel group.

ArubaOS also supports IPv6 addresses in policy-based routing rules.

A policy-based routing rule does not become active until it is applied to a VLAN interface or a user role.

Associating PBR Rule with Managed Device

The following procedure describes how to associate a policy based routing rule with a managed device:

  1. In the Managed Network node hierarchy, navigate to the Configuration> Services > WAN tab.
  2. Expand the Policy-Based Routing accordion.
  3. Click + below the Policies table to create a new policy.
  4. Enter the Policy Name in the New Routing Policy pop-up window and click Submit.
  5. The policy type (route) is predefined in this window.
  6. Select the policy created in the Policies table.
  7. The Policy > (policy name) table is displayed.
  8. Click + to add a new rule to the policy.
  9. The New Rule pop-up window opens.
  10. Select one of the following rule types: Access Control or Application.

The Application rule type is not supported for IPv6 traffic.

  11. Configure the rule parameters.

Table 1: Policy Based Routing ACL Rule Parameters

IP version
    Select either IPv4 or IPv6 from the drop-down list to specify whether the policy applies to IPv4 or IPv6 traffic.

Source (required)
    Source of the traffic, which can be one of the following:
    Any: Acts as a wildcard and applies to any source address.
    User: Traffic from the wireless client.
    Host: Traffic from a specific host. When this option is chosen, you must configure the IP address of the host.
    Network: Traffic whose source IP is in a subnet of IP addresses. When this option is chosen, you must configure the IP address and network mask of the subnet.
    Alias: An alias for a host or network. You configure the alias by navigating to the Configuration > Advanced Services > Stateful Firewall > Destination page.
    NOTE: When you select the IPv6 option in the IP version field, only the Any, Host, and Network options are available as the source of the traffic.
    NOTE: You cannot configure IPv6 multicast, link-local, unspecified, loopback, or subnet anycast addresses as IPv6 source addresses.

Destination (required)
    Destination of the traffic, configured in the same manner as the source.
    NOTE: When you select the IPv6 option in the IP version field, only the Any, Host, and Network options are available as the destination of the traffic.
    NOTE: You cannot configure IPv6 multicast, link-local, unspecified, loopback, or subnet anycast addresses as IPv6 destination addresses.

IPv6 address
    (Optional) Enter the IPv6 address to associate the policy with IPv6 traffic.
    NOTE: This field is visible only when you select Host under the Source or Destination field.

IPv6 netmask
    (Optional) Enter the subnet mask for the IPv6 address.
    NOTE: This field is visible only when you select Network under the Source or Destination field.

Service/APP
    If you are creating an access control rule, select a type of traffic, which can be one of the following:
    protocol: Match a Layer 4 protocol other than TCP or UDP by configuring its IP protocol number.
    any: The rule applies to any type of traffic.
    service: Match one of the pre-defined services (common protocols such as HTTPS, HTTP, and others). You can also specify a network service that you have configured manually. For details, see Creating a Network Service Alias.
    tcp: A range of TCP port(s) that the traffic must use for the rule to be applied.
    udp: A range of UDP port(s) that the traffic must use for the rule to be applied.
    NOTE: When you select the IPv6 option in the IP version field, only the Any option is available as the Service/APP of the traffic.

Scope
    If you are creating an application rule, select a type of traffic, which can be one of the following:
    application: Create a rule that applies to a specific application type. Click the Application drop-down list and select an application type.
    application category: Create a rule that applies to a specific application category. Click the Application Category drop-down list and select a category type.

Action (required)
    The action that you want the controller to perform on a packet that matches the specified criteria. This can be one of the following:
    Forward Regularly: Packets are forwarded to their next destination without any changes.
    Forward to ipsec-map: Packets are forwarded through an IPsec tunnel defined by the specified IPsec map. You must also specify the position of the forwarding or routing rule (1 is first, default is last).
    Forward to next-hop-list: Packets are forwarded to the highest priority active device on the selected next-hop list. You must also specify the position of the forwarding or routing rule (1 is first, default is last). For more information on next-hop lists, see Uplink Routing using Next-hop Lists.
    Forward to tunnel: Packets are forwarded through the GRE tunnel with the specified tunnel ID. You must also specify the position of the forwarding or routing rule (1 is first, default is last). For more information on GRE tunnels, see GRE Tunnels.
    Forward to tunnel group: Packets are forwarded through the active tunnel in a GRE tunnel group. You must also specify the position of the forwarding or routing rule (1 is first, default is last). For more information on tunnel groups, see GRE Tunnel Groups.
    NOTE: When you select the IPv6 option in the IP version field, only the Forward Regularly and Forward to next-hop-list actions are available.

Position
    (Optional) Define a position for the rule in the ACL. Rules are processed according to their position numbers, and new rules are added at the end of the ACL by default. A position of 1 puts the rule at the top of the list.
    NOTE: The position that you select for an ACL rule is relative to the IPv4 rules or the IPv6 rules of the policy; the two IP versions are numbered separately.

  12. Click Submit.
  13. Click Pending Changes.
  14. In the Pending Changes window, select the check box and click Deploy Changes.
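The rule semantics in the table above (processing by position number with the first match applied, separate position numbering for IPv4 and IPv6, and the IPv6 restrictions on endpoints, service and action) can be checked before a rule is submitted. The following Python is an added example, not ArubaOS code and not part of this documentation: it models a route policy as a small validator plus lookup table. The class and function names (RoutePolicy, dry_run, demo), the 10.10.0.0/16, 10.20.0.0/16 and 2001:db8:1::/48 prefixes, and the map and list names are constructed for illustration. Two modelling assumptions are labelled in the code: unmatched traffic is treated as Forward Regularly, and the subnet anycast check is interpreted as a host entry whose interface identifier is all zeros.

```python
"""Model of the PBR rule semantics described above: first match in position order,
positions numbered separately per IP version, and the IPv6 limits on endpoints, service
and action. Added example, not ArubaOS code; all names are illustrative assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ACTIONS = ("forward", "ipsec-map", "next-hop-list", "tunnel", "tunnel-group")
IPV6_ACTIONS = ("forward", "next-hop-list")   # the only actions offered for IPv6 rules

def check_ipv6_endpoint(net: ipaddress.IPv6Network, kind: str) -> None:
    """Reject the IPv6 addresses the documentation excludes as PBR endpoints."""
    addr = net.network_address
    for flag in ("is_multicast", "is_link_local", "is_unspecified", "is_loopback"):
        if getattr(addr, flag):
            raise ValueError(f"{addr}: {flag[3:].replace('_', '-')} address not allowed")
    # Subnet-router anycast (RFC 4291 2.6.1) has an all-zero interface identifier;
    # modelled here (assumption) as a host entry whose low 64 bits are all zero.
    if kind == "host" and int(addr) & ((1 << 64) - 1) == 0:
        raise ValueError(f"{addr}: subnet-router anycast address not allowed")

def parse_endpoint(version: int, spec: str):
    """Parse 'any', 'host <addr>' or 'network <prefix>' into "any" or an ip_network.
    The User and Alias endpoint types from the table are left out of this model."""
    if spec == "any":
        return "any"
    kind, _, value = spec.partition(" ")
    if kind not in ("host", "network"):
        raise ValueError(f"unsupported endpoint type {kind!r}")
    net = ipaddress.ip_network(value, strict=False)
    if net.version != version:
        raise ValueError(f"{value} is not an IPv{version} prefix")
    if kind == "host" and net.num_addresses != 1:
        raise ValueError(f"host entry {value} must be a single address")
    if version == 6:
        check_ipv6_endpoint(net, kind)
    return net

@dataclass
class Rule:
    version: int
    src: object             # "any" or an IPv4Network / IPv6Network
    dst: object
    service: tuple          # ("any",), ("tcp"|"udp", low_port, high_port) or ("proto", number)
    action: str
    target: Optional[str]   # IPsec map, next-hop list, tunnel ID or tunnel group name

def _service_match(service: tuple, proto, dport) -> bool:
    if service[0] == "any":
        return True
    if service[0] == "proto":   # Layer 4 protocol other than TCP/UDP, by IP protocol number
        return proto == service[1]
    return proto == service[0] and dport is not None and service[1] <= dport <= service[2]

class RoutePolicy:
    def __init__(self, name: str):
        self.name = name
        self.rules = {4: [], 6: []}     # position numbers are relative to each IP version

    def add_rule(self, version, src, dst, service=("any",), action="forward",
                 target=None, position=None) -> Rule:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if version == 6 and (action not in IPV6_ACTIONS or service != ("any",)):
            raise ValueError("IPv6 rules allow only service 'any' and forward/next-hop-list")
        if action != "forward" and not target:
            raise ValueError(f"action {action!r} needs a target")
        rule = Rule(version, parse_endpoint(version, src), parse_endpoint(version, dst),
                    service, action, target)
        if position is None:
            self.rules[version].append(rule)                # default: end of the list
        else:
            self.rules[version].insert(position - 1, rule)  # 1 = top of this version's list
        return rule

    def lookup(self, src_ip, dst_ip, proto="any", dport=None) -> Tuple[str, Optional[str]]:
        """(action, target) of the first matching rule; no match is treated as
        'forward regularly' (assumption)."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self.rules[src.version]:
            if ((r.src == "any" or src in r.src) and (r.dst == "any" or dst in r.dst)
                    and _service_match(r.service, proto, dport)):
                return r.action, r.target
        return "forward", None

def dry_run(version, src, dst, **kwargs) -> Optional[str]:
    """Validate a candidate rule without adding it; returns the problem text or None."""
    try:
        RoutePolicy("scratch").add_rule(version, src, dst, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None

def demo() -> RoutePolicy:
    """Constructed sample policy (addresses and names are not from the page)."""
    pol = RoutePolicy("branch-wan")
    pol.add_rule(4, "network 10.10.0.0/16", "any", ("tcp", 443, 443), "ipsec-map", "hq-vpn")
    pol.add_rule(4, "network 10.20.0.0/16", "any", ("any",), "next-hop-list", "isp-list")
    pol.add_rule(4, "host 10.10.0.5", "any", position=1)   # lands at the top of the IPv4 list
    pol.add_rule(6, "network 2001:db8:1::/48", "any", action="next-hop-list", target="isp-list")
    return pol
```

With the sample policy, demo().lookup("10.10.0.5", "203.0.113.7", "tcp", 443) returns ('forward', None) because the host rule inserted at position 1 is evaluated before the /16 rule, whereas 10.10.0.9 on port 443 yields ('ipsec-map', 'hq-vpn'); dry_run(6, "host fe80::1", "any") returns the link-local rejection instead of a rule. Keeping one list per IP version is what makes the Position note in the table hold: inserting at position 1 reorders only the IPv4 rules and leaves the IPv6 rule where it was.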