Policy-Based Routing Policies
However, for some deployments, you may need to forward traffic from a subset of devices through a specific VPN overlay tunnel or to a specific internet WAN uplink. Alternatively, you may require all traffic (corporate and Internet) to be forwarded through the overlay VPN tunnels, or force all traffic to be forwarded locally, using Policy-Based Routing (PBR). PBR provides a flexible mechanism for forwarding data packets based on policies configured by a network administrator. A typical use case for PBR is to force all traffic to a specific VPNC or tunnel endpoint.
PBR allows your network administrators to create policies for making routing decisions. You can create a PBR rule that forwards traffic as normal, or routes traffic over a VPN tunnel specified by an IPsec map. PBR rules can also route traffic to a next hop router on a next hop list, or redirect it over an L3 GRE tunnel or tunnel group. PBR rules allow administrators to make use of all available uplinks.
PBR Policies for WAN Networks
In the SD Branch solution, the administrators can create PBR policies to configure preferred VPN traffic routing paths for different types of traffic based on their source and destination IPs and ports.
To use PBR policies or rules on WAN networks, you must configure the following features and parameters on HPE Aruba Networking Gateways:
- The PBR next hop can be a physical link, such as an Ethernet or 3G/4G uplink. Administrators can also use logical links, such as a site-to-site VPN tunnel.
- Administrators define the traffic match conditions and the next hop for the traffic in the ACL.
- To apply the PBR rules, administrators associate the ACL rules with a user role or VLAN.
After the next hop list is configured and attached to a route ACL, the active IP address for the next hop is selected based on reachability and priority.
When the user traffic hits the route ACL, the following actions are applied:
- If PBR is disabled on the user role or VLAN, traffic is sent directly to the routing block, where regular routing takes place.
- If PBR is enabled, the traffic is evaluated against the route ACL and the appropriate PBR next hop is selected for routing.
- If traffic does not match any rule in route ACL, it passes to the routing module for regular forwarding.
If Dynamic Path Steering selects an uplink that is not provided by PBR, the PBR forwarding path takes precedence.
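The selection and evaluation flow described above (active next hop chosen by reachability and priority; PBR disabled, rule match, or no match), modelled as an added Python example. This is illustrative code written for this page, not HPE Aruba Networking code and not the gateway's implementation: the rule and next-hop data are constructed, "lower priority value wins", first-match rule ordering, and the fallback to regular routing when no entry in a next hop list is reachable are all assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class NextHop:
    address: str
    priority: int           # lower value = preferred (ordering is an assumption of this model)
    reachable: bool = True  # e.g. result of the gateway's reachability check


@dataclass
class NextHopList:
    name: str
    hops: list

    def active(self) -> Optional[str]:
        """Active next hop = best-priority entry among those currently reachable."""
        candidates = [h for h in self.hops if h.reachable]
        if not candidates:
            return None
        return min(candidates, key=lambda h: h.priority).address


@dataclass
class RouteAclRule:
    src: str                      # source prefix, e.g. "10.10.0.0/16"
    dst: str                      # destination prefix
    dst_port: Optional[int]       # None = any destination port
    next_hop_list: Optional[str]  # None = forward via regular routing

    def matches(self, flow: dict) -> bool:
        return (ip_address(flow["src"]) in ip_network(self.src)
                and ip_address(flow["dst"]) in ip_network(self.dst)
                and (self.dst_port is None or flow["dst_port"] == self.dst_port))


def evaluate(flow: dict, pbr_enabled: bool, route_acl: list, nh_lists: dict) -> tuple:
    """Return ("regular-routing", reason) or ("pbr", next_hop_address)."""
    # 1. PBR not enabled on the user role / VLAN: straight to the routing block.
    if not pbr_enabled:
        return ("regular-routing", "PBR disabled on role/VLAN")
    # 2. Evaluate the route ACL; first matching rule wins (first-match is an assumption).
    for rule in route_acl:
        if rule.matches(flow):
            if rule.next_hop_list is None:
                return ("regular-routing", "rule forwards normally")
            hop = nh_lists[rule.next_hop_list].active()
            if hop is None:
                # No reachable entry: the gateway's behaviour here is not stated on the
                # page; this model assumes a fallback to regular routing.
                return ("regular-routing", f"no reachable hop in {rule.next_hop_list}")
            return ("pbr", hop)
    # 3. No rule matched: regular forwarding.
    return ("regular-routing", "no route ACL match")


def build_sample_policy():
    """Constructed sample: corporate traffic -> VPNC tunnel list, HTTPS -> local uplink."""
    nh_lists = {
        "vpnc-tunnels": NextHopList("vpnc-tunnels", [
            NextHop("172.16.0.1", priority=1),    # primary VPNC tunnel endpoint (constructed)
            NextHop("172.16.0.2", priority=2),    # secondary VPNC tunnel endpoint (constructed)
        ]),
        "internet-uplink": NextHopList("internet-uplink", [
            NextHop("198.51.100.1", priority=1),  # local WAN uplink gateway (constructed)
        ]),
    }
    route_acl = [
        RouteAclRule("10.10.0.0/16", "10.0.0.0/8", None, "vpnc-tunnels"),
        RouteAclRule("10.10.0.0/16", "0.0.0.0/0", 443, "internet-uplink"),
    ]
    return route_acl, nh_lists


if __name__ == "__main__":
    acl, lists = build_sample_policy()
    corp = {"src": "10.10.5.20", "dst": "10.200.1.10", "dst_port": 445}
    print(evaluate(corp, True, acl, lists))          # ('pbr', '172.16.0.1')
    lists["vpnc-tunnels"].hops[0].reachable = False  # primary tunnel goes down
    print(evaluate(corp, True, acl, lists))          # ('pbr', '172.16.0.2')
    print(evaluate(corp, False, acl, lists))         # regular routing, PBR disabled
```

Marking the primary tunnel endpoint unreachable moves the corporate flow to the secondary endpoint without any ACL change, which is the property the next hop list provides; a flow that matches no rule, or a role/VLAN with PBR disabled, reaches regular routing unchanged.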
For more information, see the following sections:
- Configuring PBR Policies
- Assigning PBR Policies to User Role or VLAN
- Configuring Next Hop Lists for PBR
- Configuring Static Default Gateways
- Configuring Default Gateways for Dynamic Routing
The following animation shows you how to configure IP routes, default gateways, and dynamic default gateways for PBR.
