As traffic reaches the Ecessa appliance, decisions need to be made about how to route it. In addition, the Ecessa listens on certain ports in order to route traffic for specific services, such as Site-to-Site Line Bonding (WAN Virtualization) or VPN, and because of this it may “intercept” traffic intended for other services that happen to use the same ports. The following diagram shows the routing priorities attached to features and rules:
For Static Routes: The Ecessa appliance uses two types of Static Routes, Static Policy Routes and Static Routes. They differ in how they identify traffic: a Static Policy Route is more specific, matching on protocol and port as well as on source and destination network, while a Static Route matches on source and destination network only. The Ecessa evaluates rules from most to least specific, so a matching Static Policy Route takes precedence over a matching Static Route. Within each type, the order of the routes also determines which rule matches: rules are read top-to-bottom and the first rule that matches the traffic is used.
The example below illustrates how this can affect the network.
Assumptions for this example:
- The Ecessa device does not have VPN or Site-to-Site Line Bonding (WAN Virtualization) features enabled
- The destination networks included in the routing tables are remote (not directly connected to the Ecessa appliance)
Static Policy Route Configuration

| # | Destination Network | Source Network | Protocol | Source Port(s) | Destination Port(s) | Source WAN IP or Hostname | Type |
|---|---|---|---|---|---|---|---|
| 1a | 0.0.0.0/0 | 192.168.50.10 | TCP | 1-65535 | 25 | WAN1 | Fixed |
| 2a | 0.0.0.0/0 | 192.168.50.35 | TCP | 1-65535 | 20-21 | WAN2 | Fixed |
| 3a | 0.0.0.0/0 | 192.168.50.100 | TCP | 1-65535 | 443 | WAN2 | Fixed |
Static Route Configuration

| # | Destination Network | Source Network | Source WAN IP or Hostname | Type |
|---|---|---|---|---|
| 1b | 0.0.0.0/0 | 192.168.50.10 | WAN2 | Fixed |
| 2b | 203.0.113.24 | 192.168.50.16 | WAN2 | Fixed |
| 3b | 0.0.0.0/0 | 192.168.50.100 | WAN1 | Priority Failback |
| 4b | 203.0.113.24 | 192.168.50.16 | WAN1 | Fixed |
What effect does this routing table have on traffic?
- SMTP (TCP port 25) traffic from 192.168.50.10: the Ecessa appliance routes it over WAN1 (via rule #1a). Any other traffic from 192.168.50.10, not destined for TCP port 25, is routed over WAN2 according to the matching Static Route (rule #1b).
- SSL (TCP port 443) traffic from 192.168.50.100: the Ecessa appliance routes it over WAN1 (via rule #3b), not over WAN2 as rule #3a alone would suggest. This is due to the “Priority Failback” type set on the Static Route, which makes it a high-priority route that takes precedence over the configured Static Policy Route (rule #3a).
- Traffic from 192.168.50.16 destined for 203.0.113.24: the Ecessa appliance routes it over WAN2 (via rule #2b). There are two Static Routes configured for this source and destination (rules #2b and #4b). Each section of the routing table (here, the Static Route Configuration) is read from top to bottom and the first matching rule is used, so the duplicate rule #4b is never used. If traffic from 192.168.50.16 to 203.0.113.24 needs to go over WAN1, the incorrect rule (#2b) should be removed from the table. Traffic from 192.168.50.16 to any other destination matches neither rule and is load-balanced as usual.
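To make the precedence above concrete, here is an added Python model of the three bullets (example code written for this page, not Ecessa's own implementation). It encodes the evaluation order exactly as the worked example states it: a matching “Priority Failback” Static Route first, then Static Policy Routes, then Fixed Static Routes, each section read top-to-bottom with the first match winning, and load-balancing when nothing matches. It also lists Static Routes that can never be selected because an earlier rule of the same type already covers them (the #2b/#4b case) and any “default” route that pins a whole LAN subnet to one WAN for every destination. The rule tables are copied from above; the class and function names, the placeholder LOAD_BALANCE result and the constructed flows (destination 198.51.100.5 is a documentation-range address) are assumptions of this example, not Ecessa terminology.

```python
"""Model of the route precedence this example describes (an added
illustration, not Ecessa code).  Order, as the worked example states it:
a matching "Priority Failback" Static Route wins outright; otherwise the
first matching Static Policy Route (protocol/port aware); otherwise the
first matching Fixed Static Route; otherwise the load balancer decides.
Tables are read top-to-bottom, first match wins.  Names are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOAD_BALANCE = "LOAD-BALANCE"            # placeholder: no static rule matched
PRIORITY_FAILBACK = "Priority Failback"

def _in_net(ip, net):
    return ip_address(ip) in ip_network(net, strict=False)

def _port_in(spec, port):
    """Port spec as written in the tables: '25', '20-21' or '1-65535'."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

@dataclass(frozen=True)
class PolicyRoute:
    name: str
    dst: str
    src: str
    proto: str
    sports: str
    dports: str
    wan: str
    kind: str

    def matches(self, src_ip, dst_ip, proto, sport, dport):
        return (_in_net(src_ip, self.src) and _in_net(dst_ip, self.dst)
                and proto == self.proto
                and _port_in(self.sports, sport) and _port_in(self.dports, dport))

@dataclass(frozen=True)
class StaticRoute:
    name: str
    dst: str
    src: str
    wan: str
    kind: str

    def matches(self, src_ip, dst_ip):
        return _in_net(src_ip, self.src) and _in_net(dst_ip, self.dst)

# The two tables from the example above, row for row.
POLICY_ROUTES = [
    PolicyRoute("1a", "0.0.0.0/0", "192.168.50.10", "TCP", "1-65535", "25", "WAN1", "Fixed"),
    PolicyRoute("2a", "0.0.0.0/0", "192.168.50.35", "TCP", "1-65535", "20-21", "WAN2", "Fixed"),
    PolicyRoute("3a", "0.0.0.0/0", "192.168.50.100", "TCP", "1-65535", "443", "WAN2", "Fixed"),
]
STATIC_ROUTES = [
    StaticRoute("1b", "0.0.0.0/0", "192.168.50.10", "WAN2", "Fixed"),
    StaticRoute("2b", "203.0.113.24", "192.168.50.16", "WAN2", "Fixed"),
    StaticRoute("3b", "0.0.0.0/0", "192.168.50.100", "WAN1", PRIORITY_FAILBACK),
    StaticRoute("4b", "203.0.113.24", "192.168.50.16", "WAN1", "Fixed"),
]

def resolve(src_ip, dst_ip, proto="TCP", sport=40000, dport=80,
            policy=POLICY_ROUTES, static=STATIC_ROUTES):
    """Return (WAN, rule name) for one flow, or (LOAD_BALANCE, None)."""
    for r in static:                 # 1. Priority Failback beats even policy routes
        if r.kind == PRIORITY_FAILBACK and r.matches(src_ip, dst_ip):
            return r.wan, r.name
    for r in policy:                 # 2. most specific: protocol and ports
        if r.matches(src_ip, dst_ip, proto, sport, dport):
            return r.wan, r.name
    for r in static:                 # 3. Fixed static routes, top-to-bottom
        if r.matches(src_ip, dst_ip):
            return r.wan, r.name
    return LOAD_BALANCE, None        # 4. nothing pinned it: load balancer decides

def _covers(a, b):
    """True when every source/destination pair rule b could match, rule a matches too."""
    return (ip_network(b.src, strict=False).subnet_of(ip_network(a.src, strict=False))
            and ip_network(b.dst, strict=False).subnet_of(ip_network(a.dst, strict=False)))

def shadowed_static_routes(static=STATIC_ROUTES):
    """(dead rule, rule hiding it): a later rule of the same type fully covered
    by an earlier one is never selected (rules 2b and 4b above)."""
    dead = []
    for i, later in enumerate(static):
        hider = next((e for e in static[:i] if e.kind == later.kind and _covers(e, later)), None)
        if hider is not None:
            dead.append((later.name, hider.name))
    return dead

def catch_all_routes(lan, static=STATIC_ROUTES):
    """Static Routes that pin the whole LAN to one WAN for every destination,
    i.e. a 'default' route that leaves nothing for the load balancer."""
    return [r.name for r in static
            if ip_network(r.dst, strict=False).prefixlen == 0
            and ip_network(lan).subnet_of(ip_network(r.src, strict=False))]

if __name__ == "__main__":   # constructed flow: SMTP from .10 to a documentation-range address
    print(resolve("192.168.50.10", "198.51.100.5", "TCP", 40000, 25), shadowed_static_routes())
```

Call resolve() with a source IP, destination IP, protocol and ports to check any other flow against the tables before committing a change on the appliance, and run shadowed_static_routes() and catch_all_routes() over a proposed Static Route list to catch a dead duplicate or a default route before it reaches production. The model covers only the precedence this page describes; it does not model the VPN or Site-to-Site Line Bonding intercepts, which the example explicitly excludes.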
The load-balancing algorithm the Ecessa appliance uses to distribute traffic across the WAN lines is overruled by static routes: a flow that matches a static route is never load-balanced. Creating a “default” route such as the one below is therefore not recommended, because it pins all LAN traffic to a single WAN line and prevents the Ecessa appliance from load-balancing at all.
Example assumes the LAN subnet is 192.168.50.0/24:

| Destination Network | Source Network | Source WAN IP or Hostname | Type |
|---|---|---|---|
| 0.0.0.0/0 | 192.168.50.0/24 | WAN1 | Fixed |
In conclusion, here is a review of issues that route prioritization may cause:
- Traffic leaving over the wrong WAN line: check the static route configuration. Is there a rule, in either the Static Policy Route or the Static Route section, that matches the traffic and routes it incorrectly? Remember that a higher-priority rule (a Static Policy Route, or a Static Route of type “Priority Failback”) or an earlier rule in the same section wins over the one you expect to apply.
- Improper load-balancing (or no load-balancing): check the static route configuration. Is there a “default” route that sends all traffic over a single WAN line? Keep in mind that even a static route isolating one kind of traffic (such as HTTP, TCP port 80) can cause an imbalance, depending on how much of that traffic the environment generates (heavy use of web applications, for example).