4.3. Policy-based Routing
4.3.1. Overview
Policy-based Routing (PBR) is an extension to the standard routing described previously. It offers
administrators significant flexibility in implementing routing decision policies by being able to
define rules so alternative routing tables are used.
Normal routing forwards packets according to destination IP address information derived from static
routes or from a dynamic routing protocol. For example, using OSPF, the route chosen for packets
will be the least-cost (shortest) path derived from an SPF calculation. Policy-based Routing means
that routes chosen for traffic can be based on specific traffic parameters.
Policy-based Routing can allow:
Source based routing
A different routing table may need to be chosen based on the
source of traffic. When more than one ISP is used to provide
Internet
services,
Policy-based
Routing
can
route
traffic
originating from different sets of users through different routes.
For example, traffic from one address range might be routed
through one ISP, whilst traffic from another address range might
be through a second ISP.
Service-based Routing
A different routing table might need to be chosen based on the
service. Policy-based Routing can route a given protocol such as
HTTP, through proxies such as Web caches. Specific services
might also be routed to a specific ISP so that one ISP handles all
HTTP traffic.
User based Routing
A different routing table might need to be chosen based on the
user identity or the group to which the user belongs. This is
particularly useful in provider-independent metropolitan area
networks where all users share a common active backbone, but
each can use different ISPs, subscribing to different providers.
Policy-based Routing implementation in NetDefendOS is based on two building blocks:
•
One or more user-defined alternate Policy-based Routing Tables in addition to the standard
default main routing table.
•
One or more Policy-based routing rules which determines which routing table to use for which
traffic.
4.3.2. Policy-based Routing Tables
NetDefendOS, as standard, has one default routing table called main. In addition to the main table,
it is possible to define one or more, additional alternate routing tables (this section will sometimes
refer to these Policy-based Routing Tables as alternate routing tables).
Alternate routing tables contain the same information for describing routes as main, except that
there is an extra parameter ordering defined for each of them. This parameter decides how route
lookup is done using alternate tables in conjunction with the main table. This is described further in
Section 4.3.5, “The Ordering parameter”.
4.3.3. Policy-based Routing Rules
A rule in the policy-based routing rule set can decide which routing table is selected. A Policy-based
Routing rule can be triggered by the type of service (HTTP for example) in combination with the
Source/Destination Interface and Source/Destination Network.
4.3. Policy-based Routing
Chapter 4. Routing
165
Содержание DFL-1600 - Security Appliance
Страница 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27 ...
Страница 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79 ...
Страница 146: ...3 9 DNS Chapter 3 Fundamentals 146 ...
Страница 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227 ...
Страница 241: ...5 4 IP Pools Chapter 5 DHCP Services 241 ...
Страница 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339 ...
Страница 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360 ...
Страница 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382 ...
Страница 386: ... The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386 ...
Страница 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439 ...
Страница 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450 ...
Страница 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488 ...
Страница 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503 ...
Страница 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510 ...
Страница 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533 ...