Before you begin
This topic describes the tasks that must be completed to configure
the local routing policy to control routing decisions made for traffic
sent by an application. Assuming that the link names specified on
the routing policy statements are already defined to TCP/IP and OMPROUTE,
you do not need to perform additional configuration in the TCP/IP
profile or in the OMPROUTE configuration file to enable policy-based
routing.
Procedure
- Determine your requirements for the TCP/IP stack to make
routing decisions based on more than just destination IP address. The additional criteria can include job name, source port, destination
port, protocol type (TCP or UDP), source IP address, NetAccess security
zone, and security label.
- Create Policy Agent files.
  - Create a Policy Agent main configuration file containing
    a TcpImage statement for the stack.
  - Create a Policy Agent image configuration file for the
    stack.
  - If routing policies are to be retrieved from the policy
    server, create image-specific routing configuration files, and optionally,
    common routing configuration files, on the policy server.
- Add routing configuration.
  - For local Routing policies, add a RoutingConfig statement
    to the Policy Agent image configuration file, identifying the RoutingConfig
    policy file location:

        RoutingConfig configFilepath

  - For remote Routing policies, add a PolicyServer statement
    to the policy client image configuration file:

        PolicyServer
        {
          ClientName name
          PolicyType Routing
          {
            …
          }
          …
        }

    Add a DynamicConfigPolicyLoad statement to the policy
    server main configuration file:

        DynamicConfigPolicyLoad clientname
        {
          PolicyType Routing
          {
            PolicyLoad configFilepath
          }
          …
        }
- Add statements to the Routing policy file to configure
  the policy-based route tables to be used by the TCP/IP stack for routing
  the application traffic. Add the following Routing policy
  statements to the configFilepath file:

      RouteTable SecFast     # Secure link, high bandwidth
      {
        # Static Routes:
        #      Destination  Subnet Mask  First Hop    Link Name  Packet Size  Options
        Route  DEFAULT                   9.67.101.3   SECHIGH1   MTU 2000     Replaceable
        #
        # Dynamic Routing Parameters:
        #                    Link Name  First Hop
        DynamicRoutingParms  SECHIGH2
        DynamicRoutingParms  SECHIGH1   9.67.101.3
      }
      RouteTable SecSlow     # Secure link, low bandwidth
      {
        # Static Routes:
        #      Destination  Subnet Mask  First Hop    Link Name  Packet Size  Options
        Route  DEFAULT                   9.67.106.7   SECLOW1    MTU 2000     Replaceable
        #
        # Dynamic Routing Parameters:
        #                    Link Name  First Hop
        DynamicRoutingParms  SECLOW2    9.67.104.3
        DynamicRoutingParms  SECLOW1    9.67.106.7
        DynamicRoutingParms  SECLOW1    9.67.106.15
      }

  Table SecFast contains a replaceable static default
  route. The dynamic routing parameters for SecFast direct OMPROUTE
  to compute routes that use only link SECHIGH2, with any first hop,
  and link SECHIGH1, with a first hop of 9.67.101.3.

  Table SecSlow contains a replaceable static default route. The dynamic
  routing parameters for SecSlow direct OMPROUTE to compute only routes
  that use link SECLOW2, with a first hop of 9.67.104.3, and link SECLOW1,
  with a first hop of either 9.67.106.7 or 9.67.106.15.
- Add statements to the Routing policy file to ensure that
  the application traffic is sent over only secure links, favoring high
  bandwidth links over lower bandwidth links. Add the following
  Routing policy statements to the configFilepath file:

      RoutingRule SecBatchRule
      {
        TrafficDescriptor
        {
          Protocol TCP
          SourcePortRange 7000
          Jobname SECBATCH
        }
        RoutingActionRef SecBatchAction
      }
      RoutingAction SecBatchAction
      {
        UseMainRouteTable No
        RouteTableRef SecFast
        RouteTableRef SecSlow
      }
- Start Policy Agent.
Results
You know you are done when the Routing policies are installed
to the TCP/IP stack and the following console message is displayed:
EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR image : ROUTING
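
A pre-flight check that can be run on the Routing policy file before Policy Agent is started, as an added example (not IBM code and not part of the original topic): it confirms that every RoutingActionRef and RouteTableRef names a defined statement and that each RoutingAction sets UseMainRouteTable No, the setting the procedure uses to keep the application traffic on the secure route tables. It assumes braces sit on their own lines and that actions and tables are referenced by name, as in the statements above; `parse`, `lint` and `SAMPLE` are names made up for the example.

```python
# Constructed sample, trimmed from this page's statements. Assumes braces on their own lines.
SAMPLE = """
RouteTable SecFast   # Secure link, high bandwidth
{
  Route DEFAULT 9.67.101.3 SECHIGH1 MTU 2000 Replaceable
}
RouteTable SecSlow   # Secure link, low bandwidth
{
  Route DEFAULT 9.67.106.7 SECLOW1 MTU 2000 Replaceable
}
RoutingRule SecBatchRule
{
  RoutingActionRef SecBatchAction
}
RoutingAction SecBatchAction
{
  UseMainRouteTable No
  RouteTableRef SecFast
  RouteTableRef SecSlow
}
"""

def parse(text):
    """Map statement type -> block name -> tokenized body lines."""
    blocks, depth, body = {}, 0, None
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()        # '#' starts a comment
        if tok in (["{"], ["}"]):
            depth += 1 if tok == ["{"] else -1
        elif tok and depth == 0:                  # header, e.g. "RouteTable SecFast"
            body = blocks.setdefault(tok[0], {}).setdefault(tok[-1], [])
        elif tok:
            body.append(tok)                      # nested blocks are flattened into the body
    return blocks

def lint(text):
    """Return reference and fallback findings for the policy text (empty list = clean)."""
    b = parse(text)
    tables, actions = b.get("RouteTable", {}), b.get("RoutingAction", {})
    out = []
    for rule, body in b.get("RoutingRule", {}).items():
        for t in body:
            if t[0] == "RoutingActionRef" and t[-1] not in actions:
                out.append(f"{rule}: undefined RoutingAction {t[-1]}")
    for act, body in actions.items():
        for t in body:
            if t[0] == "RouteTableRef" and t[-1] not in tables:
                out.append(f"{act}: undefined RouteTable {t[-1]}")
        if not any([x.lower() for x in t] == ["usemainroutetable", "no"] for t in body):
            out.append(f"{act}: main route table fallback not disabled")
    return out
```

Pass the text of the configFilepath file to `lint()`; an empty list means every reference resolves and no action can fall back to the main route table.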