Configuring Next Hop Lists for PBR

You can configure an SD-WAN (Software-Defined Wide Area Network) Gateway to use policy-based routing and forward packets to a next hop device. With a next hop list, administrators can ensure that when the next hop device becomes unreachable, packets matching the policy can still reach their destination through another listed next hop.

From AOS-8.7.0.0-2.3.0.0 onwards, EdgeConnect SD-Branch gateways offer two tracking options when using IP next hop lists. When a next hop is configured as an IP address or as a DHCP (Dynamic Host Configuration Protocol) default gateway, the gateway can track either the immediate next hop or the IP address/FQDN (Fully Qualified Domain Name) of the remote host defined in a WAN (Wide Area Network) Health Check.

To define a next hop list, complete the following steps:

  1. To configure a gateway group or a gateway device, complete either one of these steps:

    • To select a gateway group:

      1. In the Classic Central app, set the filter to a group that contains at least one Branch Gateway.

        The dashboard context for a group is displayed.

      2. Under Manage, click Devices > Gateways.

        A list of gateways is displayed in the List view.

      3. Click Config.

        The configuration page is displayed for the selected group.

    • To select a gateway:

      1. In the Classic Central app, set the filter to Global or a group that contains at least one Branch Gateway.

      2. Under Manage, click Devices > Gateways.

        A list of gateways is displayed in the List view.

      3. Click a gateway under Device Name.

        The dashboard context for the gateway is displayed.

      4. Under Manage, click Device.

        The gateway device configuration page is displayed.

  2. If you are in the Basic Mode, click Advanced Mode to access the advanced configuration options.

  3. Click Routing > NextHop Configuration.

  4. Click + to add a new next hop list and configure the following parameters:

    Figure 1  Next Hop Settings

    Parameter Description

    NextHop-list name

    Name of the new next hop list.

    NextHop IP/DHCP

    IP address of the next hop device, or the ID of the VLAN (Virtual Local Area Network) used by the next hop device.

    If the VLAN gets an IP address using DHCP and the default gateway is determined by the VLAN interface, the gateway IP is used as the next hop IP address.

    When you click + to define a next hop IP or DHCP value, a pop-up list with a field that requires you to select either the IP or DHCP option is displayed.

    Priorities of next hops define which next hop should get a higher priority to carry the session traffic. A higher number indicates a higher priority (1 – 255). If two next hops have the same priority, they will be load-balanced.

    IPsec name map

    A next hop list may require policy-based redirection of traffic to different VPN (Virtual Private Network) tunnels.

    To add an IPsec (Internet Protocol security) name map, complete the following steps:

    1. Click + from the IPsec name map table. The Add new IPsec Map pop-up is displayed.

    2. Select one of the following options from the Forward settings drop-down list based on your requirement:

      • Using Site-to-Site IPSec—Select this option for a site-to-site VPN or Zscaler tunnel and select the required IPsec map from the Using site-to-site IPSec drop-down list. If uplink VLAN is configured for the selected IPsec map, then you can select the required uplink from the Uplink field.

        NOTE: The Uplink field does not appear for IPsec maps that are not configured with uplink VLAN.

      • Select an SLA profile from the SLA profile drop-down list to associate it to a next hop.

        You can also create a new SLA profile by selecting Create new SLA Profile from the SLA profile drop-down list. The SLA profile created using this option gets associated to the required next hop.

        For more information, see Creating IP-SLA Profiles.

      • Using IPsec Tunnel to VPNC—Select this option for a Hub and Spoke VPN and select the required MAC (Media Access Control) address and the uplink of the VPNC from the Using IPSec tunnel to VPNC and Uplink option lists respectively. You can also select None if you want to use Auto-VPN. For more information, see Configuring the SD-Branch Overlay Network.

        NOTE: The Using IPSec tunnel to VPNC drop-down will not list the configured VPNCs if you have configured Clustered hub groups as the preferred data center (VPN > SD-WAN Overlay > DC Preference). To view the list of configured VPNCs, you must enable the Orchestrated mode and configure Hubs as the preferred data center. For more information, see Setting Data Center Preference.

    3. Enter the priority value for the forward setting in the Priority field.

      NOTE: Use the same priority for different paths from the same SD-WAN Gateway but different priorities for different Zscaler data centers.

    4. Click OK.

    Preemptive-failover

    If Preemptive-failover is disabled and the highest-priority device on the next hop list goes down, the device that takes over as the primary next hop keeps that role even after the original device comes back online.

    NOTE: Ensure that Preemptive failover is enabled for Zscaler tunnels.

  5. Click Save Settings.
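The selection rules this page describes (higher priority number wins within 1-255, equal priorities are load-balanced, preemptive failover decides whether a recovered higher-priority hop takes traffic back) modelled as a small Python simulation. This is an added example, not Aruba code; the class and method names are invented for illustration and the addresses are constructed sample values.

```python
"""Simulation of next-hop-list selection (added example, not Aruba code)."""
from dataclasses import dataclass, field


@dataclass
class NextHop:
    address: str   # IP of the next hop device (constructed sample values below)
    priority: int  # 1-255, a higher number is a higher priority

    def __post_init__(self):
        if not 1 <= self.priority <= 255:
            raise ValueError(f"priority {self.priority} outside 1-255")


@dataclass
class NextHopList:
    name: str
    hops: list
    preemptive_failover: bool = True
    # addresses that carried traffic after the previous tracking cycle
    _active: set = field(default_factory=set)

    def select(self, reachable):
        """Return the set of hop addresses that should carry traffic.

        `reachable` is the set of addresses the tracker (next-hop ping or
        WAN Health Check) currently reports as up.
        """
        candidates = [h for h in self.hops if h.address in reachable]
        if not candidates:
            self._active = set()          # no usable next hop at all
            return set()
        best = max(h.priority for h in candidates)
        # equal-priority hops are load-balanced, so keep the whole group
        best_group = {h.address for h in candidates if h.priority == best}
        still_up = {a for a in self._active if a in reachable}
        if self.preemptive_failover or not still_up:
            self._active = best_group     # (re)claim the best available hops
        else:
            self._active = still_up       # non-preemptive: stay on current hops
        return set(self._active)


if __name__ == "__main__":
    hops = [NextHop("10.0.0.1", 200), NextHop("10.0.0.2", 100), NextHop("10.0.0.3", 100)]
    nhl = NextHopList("pbr-example", hops, preemptive_failover=False)
    print(nhl.select({"10.0.0.1", "10.0.0.2", "10.0.0.3"}))  # primary only
    print(nhl.select({"10.0.0.2", "10.0.0.3"}))              # load-balanced pair
    print(nhl.select({"10.0.0.1", "10.0.0.2", "10.0.0.3"}))  # primary not preempted
```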

The following animation shows you how to configure next hop lists for PBR (Policy-based Routing).