Configure Traffic Steering
When a Titan device in a branch has two or more WAN links, you can configure Layer 2 and Layer 3 SD-WAN traffic steering to direct outgoing traffic flows to the desired WAN link. To identify the traffic, you create a policy rule that matches the desired traffic. When you configure traffic steering, all traffic is load-balanced across all available WAN links, and voice and video traffic are prioritized dynamically to deliver the best user performance. You can configure SD-WAN and internet traffic steering based on protocol, IP address, hostname, application, URL, or Differentiated Services Code Point (DSCP).
Note: You can configure internet traffic steering only on spoke sites. When you view the Steering screen on non-spoke sites, the internet traffic-steering option does not display.
When you configure client systems to use a proxy server in a data center or a hub location, you can configure web proxy traffic steering to break out specific traffic to the internet.
Configure SD-WAN Traffic Steering
You can configure SD-WAN traffic steering on spoke and non-spoke devices.
To configure SD-WAN traffic steering:
- Click Configure in the left menu bar to open the Configure dashboard.
- Hover over the device in the honeycomb and click Configure to open the site information window.
- Click Next to open the Configuration > Network screen.
- Click the Steering tab to open the Configuration > Steering screen. Note that you can click Easy Steering Picks to populate steering with default values.
- In the Profile tab, click one of the following boxes to open the profile configuration screen for the selection:
- Real Time
- Business Critical
- Default
- Low Priority
Create a Traffic-Steering Rule
Traffic-steering rules define the conditions for matching packets and the rules are evaluated in order until a match occurs. A rule can match traffic based on any combination of Layer 3 criteria (such as IP addresses and header fields, zones, and DSCP values), Layer 4 criteria (such as Layer 4 protocol and ports), and Layer 7 criteria. A rule can match individual applications and groups of applications.
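Because rules are evaluated in order until the first match, a broad rule placed above a narrower one takes over that rule's traffic. The following Python code is an added example, not Titan Portal code: it models an ordered rule set with a hypothetical Rule structure (field names, rule names, and addresses are constructed) and reports later rules that a single earlier rule fully covers.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule model; field names are assumptions, not the Titan format."""
    name: str
    profile: str
    src: str = "0.0.0.0/0"                 # source CIDR
    dst: str = "0.0.0.0/0"                 # destination CIDR
    proto: Optional[str] = None            # "tcp" or "udp"; None matches any protocol
    ports: Tuple[int, int] = (0, 65535)    # inclusive destination port range
    dscp: Optional[int] = None             # 0-63; None matches any DSCP value
    enabled: bool = True


def matches(rule, flow):
    """True if the flow (dict: src, dst, proto, dport, dscp) meets every criterion."""
    return (rule.enabled
            and ip_address(flow["src"]) in ip_network(rule.src)
            and ip_address(flow["dst"]) in ip_network(rule.dst)
            and rule.proto in (None, flow["proto"])
            and rule.ports[0] <= flow["dport"] <= rule.ports[1]
            and rule.dscp in (None, flow["dscp"]))


def first_match(rules, flow):
    """Evaluate rules top to bottom and stop at the first match."""
    for rule in rules:
        if matches(rule, flow):
            return rule
    return None


def covers(a, b):
    """True if every flow that rule b matches is also matched by rule a (IPv4 CIDRs)."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.proto in (None, b.proto)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]
            and a.dscp in (None, b.dscp))


def shadowed(rules):
    """Return (later, earlier) name pairs where one earlier rule hides a later rule.
    Shadowing by the union of several earlier rules is not detected."""
    active = [r for r in rules if r.enabled]
    pairs = []
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if covers(earlier, later):
                pairs.append((later.name, earlier.name))
                break
    return pairs


# Constructed rule set: the broad LAN rule sits above the narrower ERP rule.
RULES = [
    Rule("voip-rtp", "Real Time", proto="udp", ports=(16384, 32767), dscp=46),
    Rule("branch-lan-all", "Default", src="10.20.0.0/16"),
    Rule("erp-https", "Business Critical", src="10.20.5.0/24",
         dst="192.0.2.0/24", proto="tcp", ports=(443, 443)),
    Rule("backup", "Low Priority", dst="198.51.100.0/24", proto="tcp", ports=(873, 873)),
]
# Same rules after moving erp-https above branch-lan-all.
REORDERED = [RULES[0], RULES[2], RULES[1], RULES[3]]
ERP_FLOW = {"src": "10.20.5.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 443, "dscp": 0}

if __name__ == "__main__":
    print("before:", first_match(RULES, ERP_FLOW).profile, shadowed(RULES))
    print("after: ", first_match(REORDERED, ERP_FLOW).profile, shadowed(REORDERED))
```

Running the audit before publishing a reordered rule set shows which rules can never match in their current position.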
To create a traffic-steering rule:
- In the Steering tab, click the Rules tab.
- If needed, click Reorder Rules to enter rule reorder mode.
- To change a rule order, click the rule name and drag the rule to a different spot in the rule set.
- Click Publish Reordered Rules to save the changes to the Titan cloud. By default, the rules are displayed in grid view. To change the view to list, click the list view icon. To pin the view to grid or list for the login session, use the pin icon.
- Click the icon to display the Steering > Rules > Add screen.
- Enter information for the following fields.
Field: Description
Rule Name (Required): Enter a name for the rule. Slide the toggle to enable or disable the rule.
Description: Enter a text description for the rule. The description can be a maximum of 63 characters.
SD-WAN/Internet: For spoke devices, slide the toggle to select SD-WAN or internet rule.
Match Criteria: Click Protocol, Address, Hostname, Application, URL, DSCP, or User and Group to add details for that match criteria type. For more information about match criteria, see Apply Match Criteria for Traffic Steering Rules, below.
Scope (Group of Fields)
- Source Zone
Click the down arrow in the Please Select field. A popup window displays the configured interfaces and tunnels.
Select a source zone type, and then select the source zone:
- IPsec tunnel. To create a tunnel, see Configure IPsec VPN Settings.
- VPN
- Wired LAN
- Wireless LAN
- Untrust
- Arrow
Choose a one-way or two-way connection.
- Destination Zone
Click the down arrow in the Please Select field. A popup window displays the configured interfaces and tunnels.
Select a destination zone type, and then select the destination zone:
- IPsec tunnel. To create a tunnel, see Configure IPsec VPN Settings.
- VPN
- Wired LAN
- Wireless LAN
- Untrust
- Select Profile
Select a profile:
- Business critical
- Default
- Low priority
- Real time
To create a new profile, see Create a Traffic Steering Profile.
- TCP Optimization
Slide the toggle to enable or disable TCP optimization. TCP optimization mitigates the effects of high latency and packet loss on the performance of TCP-based applications. The optimizations are based on a TCP proxy. TCP optimization is enabled only on devices that use the secure application optimization license.
Logging: Click to configure logging:
- None—Click to perform no logging.
- Default—Click to use the default logging.
- Custom—Click to configure logging to a customer log server. Based on the rule match, the device sends many log messages.
- Please Select—If you select Custom, click the down arrow to select a log profile. To create a new custom flow logs profile, click the icon. For more information, see Add Custom Log Profiles.
- Click Add. The rule is saved to the screen but not the Titan cloud.
- Click Save to save the rule to the Titan cloud.
Create a Traffic-Steering Rule for a SASE Gateway
Ensure that you create a profile before you create a rule. To create a new profile, see Create a Traffic Steering Profile for a SASE Gateway.
To add a traffic-steering rule for a SASE gateway:
- In the Steering tab, click the Rules tab.
- If needed, click Reorder Rules to reorder rules.
- To change a rule order, click the rule name and drag the rule to a different spot in the rule set.
- Click Publish Reordered Rules to save the changes to the Titan cloud. By default, the rules are displayed in grid view. To change the view to list, click the list view icon. To pin the view to grid or list for the login session, use the pin icon.
- Click the icon to display the Steering > Rules > Add screen.
- Enter information for the following fields.
Field: Description
Rule Name (Required): Enter a name for the rule.
Description: Enter a text description for the rule. The description can be a maximum of 63 characters.
Match Criteria: Click Protocol, Address, Hostname, Application, URL, DSCP, or User and Group to add details for that criteria type. For information about match criteria, see Apply Match Criteria for Traffic-Steering Rules, below.
Scope (Group of Fields)
- Source Zone
Click the down arrow in the Please Select drop-down list. A popup window displays the zones that classify the traffic flows coming to the gateway from various sources.
Select a source zone, and then click Continue:
- Host—Click to match the traffic that originates from the device itself (non-transient traffic).
- Remote Client—Click to use as the ingress zone for the traffic coming from VSA clients.
- SD-WAN—Click for traffic coming to the gateway over overlay tunnels from remote SD-WAN branches.
- Trust (LAN)—Click to use LAN interfaces that are controlled by enterprises.
- Untrust (Internet)—Click to use for internet-facing WAN interfaces.
- Arrow
Choose a one-way or two-way connection.
- Destination Zone
Click the down arrow in the Please Select drop-down list. A popup window displays the zones that classify the traffic flows coming to the gateway from various sources.
Select a destination zone, and then click Continue.
- Host—Click to match the traffic that originates from the device itself (non-transient traffic).
- Remote Client—Click to use as the egress zone for the traffic coming from VSA clients.
- SD-WAN—Click for traffic coming to the gateway over overlay tunnels from remote SD-WAN branches.
- Trust (LAN)—Click to use LAN interfaces that are controlled by enterprises.
- Untrust (Internet)—Click to use for internet-facing WAN interfaces.
- Select Profile
Select a profile. To create a new profile, see Create a Traffic-Steering Profile.
Logging
Click to configure logging:
- None—Click to perform no logging.
- Default—Click to use default logging.
- Click Add. The rule is saved to the screen but not the Titan cloud.
- Click Save to save the rule to the Titan cloud.
Apply Match Criteria for Traffic-Steering Rules
You can apply the following match criteria types in a traffic-steering rule:
- Address
- Application
- DSCP
- Hostname
- Protocol
- URL
- User and Group
To specify the match criteria for a traffic-steering rule:
- To specify protocol criteria for a traffic-steering rule:
- Click the Protocol tab to display the protocol window.
- In the Please Select field, select a protocol. Titan Portal automatically populates the next field with common port numbers.
- If needed, click the port number field and edit the port number range.
- To specify address criteria for a traffic-steering rule:
- Click the Address tab to display the address window.
- Click the toggle switch to enter the source or destination IP address. Then click Source.
- Enter a source IP address in CIDR format, and then click the icon. To remove an IP address from the list, click the icon.
- Click Continue.
- Enter a destination IP address in CIDR format, and then click the icon. To remove an IP address from the list, click the icon.
- Click Continue.
- To specify hostname criteria for a traffic-steering rule:
- Click the Hostname tab to display the Hostname window.
- Click the toggle switch to enter the source or destination hostname. Then click Source.
- Enter a source hostname, and then click the icon. To remove a hostname from the list, click the icon.
- Click Continue.
- Enter a destination hostname, and then click the icon. To remove a hostname from the list, click the icon.
- Click Continue.
- To specify application and application groups criteria for a traffic-steering rule:
- Click the Application tab, and then click Click Here To Add or Modify Applications.
- The Steering > Rules > Add Application popup window displays. Select the Applications tab. Then, select the application to include in the match list, or type the name of the application in the search box and then select it from the search results, and then click Add.
- Click + Custom Applications to create a new custom application object. For more information, see Add Custom Applications.
- Select the Application Groups tab. Then select predefined application groups to include in the match list, or type the name of the application group in the search box and then select it from the search results, and then click Add.
- To specify URL criteria for a traffic-steering rule:
- Click the URL tab to display the URL window.
- In the URL Category section, click the Click here to add or modify URL link to select a URL category.
- Click + Custom URL Category to create a new custom URL category object. For more information, see Add Custom URL Categories.
- Click Look Up URL to enter a URL and to look up the mappings to predefined and custom URL reputations and categories. For more information, see Troubleshoot Titan Portal.
- Click Add.
- In the URL Reputation section, click the Click here to add or modify link to select a URL reputation.
- Click Continue. Use the Customize option to modify the URL reputation.
- To specify DSCP criteria for a traffic-steering rule, click the DSCP tab and enter a DSCP value. DSCP allows you to classify and manage network traffic and to provide quality of service (QoS) in Layer 3 networks. It uses the 6-bit differentiated services (DS) field in the IP header to classify packets.
- By default, security enforcement is applied to all users and user groups. To change the default, click the User and Group tab and do the following:
- Select a user to bind with the security policy:
• Any
• Known
• Selected
• Unknown
- To select a specific user and group, click Selected and then do the following:
- Select an LDAP user group profile from the Select LDAP drop-down list.
- Use the search box to search for the user and group, or click the check box next to the user and group name.
- Click Add.
To edit or delete a rule:
- In the Steering > Rules tab, click a rule name to edit a rule.
- In the Steering > Rules tab, click the X to delete a rule.
- Click Save to save the changes to the Titan cloud.
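For the DSCP match criterion described above, the value you enter in a rule is the upper 6 bits of the DS byte. The following Python code is an added example, not Titan Portal code: it reads the DSCP and ECN bits from raw IPv4 and IPv6 headers and maps the value to its standard code point name. The sample headers and addresses are constructed.

```python
import struct

# Standard code point names: class selectors (CS), assured forwarding (AF),
# and expedited forwarding (EF).
DSCP_NAMES = {46: "EF"}
DSCP_NAMES.update({8 * c: f"CS{c}" for c in range(8)})
DSCP_NAMES.update({8 * c + 2 * d: f"AF{c}{d}"
                   for c in range(1, 5) for d in range(1, 4)})


def dscp_of(packet: bytes):
    """Return (ip_version, dscp, ecn) for a raw IP packet.
    Raises ValueError for empty, truncated, or non-IP input."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        if len(packet) < 20 or (packet[0] & 0x0F) < 5:
            raise ValueError("truncated or invalid IPv4 header")
        ds = packet[1]                                    # second header byte
    elif version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        # Traffic Class straddles the low nibble of byte 0 and high nibble of byte 1.
        ds = ((packet[0] & 0x0F) << 4) | (packet[1] >> 4)
    else:
        raise ValueError(f"unsupported IP version {version}")
    return version, ds >> 2, ds & 0x03                    # DSCP = upper 6 bits


def dscp_name(value: int) -> str:
    """Map a DSCP value (0-63) to its standard name, or DSCP<n> if unnamed."""
    return DSCP_NAMES.get(value, f"DSCP{value}")


# Constructed IPv4 header: DS byte 0xB8 (DSCP 46, ECN 0), UDP, no options.
SAMPLE_V4 = struct.pack("!BBHHHBBH4s4s", 0x45, 46 << 2, 20, 0, 0, 64, 17, 0,
                        bytes([10, 20, 1, 5]), bytes([203, 0, 113, 9]))
# Constructed IPv6 header: Traffic Class 0x88 (DSCP 34, ECN 0), flow label 0.
SAMPLE_V6 = struct.pack("!IHBB", (6 << 28) | ((34 << 2) << 20), 0, 17, 64) + bytes(32)

if __name__ == "__main__":
    for pkt in (SAMPLE_V4, SAMPLE_V6):
        ver, dscp, ecn = dscp_of(pkt)
        print(f"IPv{ver}: DSCP {dscp} ({dscp_name(dscp)}), ECN {ecn}")
```

The DS field is set by the sending host or an upstream device, so check the value in a capture taken in the rule's source zone before you steer on it.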
Configure Web Proxy Bypass Rules
You can configure a device to be a web proxy, which is a type of explicit proxy. An explicit proxy processes SSL or TLS traffic destined to a specific IP address and port. A web proxy acts as an intermediary between a user and a website that they are accessing, making requests to the website using the proxy's own IP address. As a result, the website logs the IP address of the proxy, not that of the user. In this way, the web proxy allows the user to remain anonymous. A web proxy can also speed up browsing by caching webpage data.
For web proxy, you specify domain patterns, applications, and URL category to steer the traffic. You can configure a source NAT (SNAT) pool and monitor object criteria for the web proxy traffic.
NAT is a method of remapping one IP address space into another by modifying the network address information in a packet's IP header. SNAT is a type of NAT that translates the source IP address in the packet's header to an address that you configure. For SNAT to work, you configure a source pool IP address that SNAT uses when translating source IP addresses. An SNAT pool is a range of IP addresses, and SNAT selects one of the IP addresses from the pool as the source address. When you use the egress network in an SNAT pool, one of the IP addresses allocated to the interface is used as the source address.
You can configure monitoring for an IP address to prevent black holing of traffic when a local internet breakout circuit is down. After you configure a monitor object, you associate it with a web proxy bypass rule. If the monitor is down, the web proxy bypass rule is disabled and proxy traffic is not bypassed, but the proxy traffic is sent to the proxy server that you configured.
To configure a web proxy:
- Click Configure in the left menu bar to open the Configure dashboard.
- Hover over the device in the honeycomb and click Configure to open the site information window.
- Click Next to open the Configuration > Network screen.
- Select the Steering tab to open the Configuration > Steering screen.
- In the Steering tab, select the Rules tab.
- If needed, click Reorder Rules to reorder the rules.
- To change the order, click a rule name and drag it to a different location in the rule set.
- Click Publish Reordered Rules to save the changes to the Titan cloud.
- Click the icon in the Web Proxy Bypass section, and enter information for the following fields.
Field: Description
Rule Name (Required): Enter a name for the web proxy.
Description: Enter a text description for the web proxy. The description can be a maximum of 63 characters.
Proxy Port (Required): Click the Port Numbers link. In the Add Proxy port Numbers popup window, enter the port number to use to connect to the web proxy. Then, click Continue.
VRF (Required): Select a virtual routing and forwarding (VRF) instance. You can select the VRF instance on the router, or select the default.
Match Criteria (Group of Fields)
- Domain Pattern
Enter the hostname to match the domain pattern of the web proxy and then click the Add icon. For example, for the web proxy https://www.salesforce.com, the domain pattern is www.google.com.
- Applications
Specify application match criteria for a web proxy rule:
- Click the Click here to add or modify applications link.
- In the Steering > Rules > Add Application popup window, select the application type, and then click Add.
- Click + Custom Applications to create a new custom application object. For more information, see Add Custom Applications.
- URL Category
Specify URL category match criteria for a web proxy rule:
- Click the Click here to add or modify URLs link.
- In the Steering > Steering Rule > Web Proxy Bypass > Add URL popup window, select the URL category, and then click Add.
- Click + Custom URL Category to create a new custom URL category object. For more information, see Add Custom URL Categories.
- Click Look Up URL to enter a URL and to look up the mappings to predefined and custom URL reputations and categories. For more information, see Troubleshoot Titan Portal.
Set Criteria (Group of Fields)
- SNAT Pool
Select the SNAT pool for the web proxy to use.
To add a SNAT pool, click the SNAT Pool icon and enter information for the following fields.
- Name (Required)—Enter a name for the SNAT pool.
- Egress Network (Required)—Select an egress network to use for cloud lookup requests.
Click Add, and then click Continue.
- Monitor
Select the monitor object for an IP address to associate with the web proxy rule.
To add a monitor object, click the Monitor icon, and then enter information for the following fields.
- Name (Required)—Enter a name for the IP SLA monitor object.
- Monitor Type (Required)—Select the type of packets to monitor on the IP address:
- DNS
- ICMP
- TCP
- IP Address (Required)—Enter the IP address to monitor.
- Next Hop—Select the device to use as the next hop.
- Networks—Select the source network on which to send the probe packets.
- Source Interface—Select the source interface on which to send the probe packets.
Click Add and then click Continue.
- Click Add.
Create a Traffic-Steering Profile
You create traffic-steering profiles to control the behavior of the traffic passing over SD-WAN links. A traffic-steering profile defines circuit and path priorities, the connection method, load balancing, and other capabilities to apply for any traffic that matches the rules you configure in the SD-WAN policy.
The actions available on the Real Time screen are identical to the Business Critical, Default, and Low Priority screens. The examples below show the Real Time screen.
To create a new steering profile:
- In the Steering tab, click the Profile tab.
- Click Real Time to display the Real Time profile screen.
- Click the icon to display the Steering > Profile > Real Time > Add screen.
- Enter information for the following fields.
Field: Description
Profile Name: Enter a name for the profile.
Select Circuit: Select circuit priorities for local and remote clients. Enter information for the following fields, and then click Continue.
- Circuits—Select the WAN circuit by circuit name.
- Priority—Select the priority level to assign to circuits.
Range: 1 through 8
Default: 1
Next Hop: Select the next hop. Enter information for the following fields, and then click Continue.
- Steering Optimization—Control whether application traffic selects the best path.
- Enable—Set to enable if the profile is mapped to SD-WAN policy with at least one application in the match criteria.
- Disable—Set to disable if the SD-WAN policy has no applications in the match criteria.
- Steering Pinning to DNS Path—Slide to On to pin all sessions between a client and a server to the path of the DNS query that resolved the server.
- Select Gateway—Select one or more next hops from the Versa-hosted SASE gateways.
- Select Devices List—Select one or more next hops from the SD-WAN sites in the network. If you have configured a VRF instance, when you set the gateway as a next hop, it works only with the default VRF.
- Select Circuits—Select one or more WAN links on the device. To select circuits, a remote IP address must be configured on all WAN interfaces. To configure the IP addresses, navigate to Network tab > WAN > Advanced Configuration > Link Monitoring.
Circuit Selection Criteria: Click to specify circuit selection criteria, and then specify the following.
- Latency—Click Low, or click Ms to specify the latency time, in milliseconds.
- Packet Loss—Click Low, or click Percentage to specify the percentage of packet loss.
- Delay Variation—Click Low, or click Percentage to specify the percentage of delay variation.
- MOS Value Threshold—Enter a value for the mean opinion score (MOS). MOS is a measure of the quality of voice data traffic, and it represents the user experience of audio, video, and voice applications. The MOS value is from 1 through 5, where 5 represents the best traffic quality. The default is 2. MOS value threshold is enabled only on the devices that use the secure application optimization license.
- Circuit Tx Utilization—Enter the percentage of circuit bandwidth used to transmit traffic.
- Circuit Rx Utilization—Enter the percentage of circuit bandwidth used to receive traffic.
Policing: Configure policing criteria:
- Peak Rate—Enter the maximum transmission rate, in Kbps.
- Peak Burst Size (Bytes)—Enter the number of bytes that are allowed beyond the configured peak rate. You set the burst size to avoid retransmission during bursts of traffic.
Loss Recovery: Choose the loss recovery method:
- Forward Error Correction (FEC)
- Packet Replication
Loss recovery is available only on devices that use the secure application optimization license.
Load Balance: Select how to load-balance a flow of traffic when two or more paths have the same highest priority. All packets in a flow are directed to the same path.
- Per Flow—Load-balance the traffic flows across all eligible paths. This is the default. Per-flow load-balancing can increase the total throughput for an application when multiple paths of the same type are present.
- Per Packet—Load-balance the packets in a traffic flow among the paths at the current highest priority level.
Default: Per Flow
- Click Add. The profile is saved to the screen but not the Titan cloud.
- Click Save to save the profile to the Titan cloud.
Create a Traffic-Steering Profile for a SASE Gateway
To create a traffic-steering profile for a SASE gateway:
- In the Steering tab, click the Profile tab.
- Click Real Time to display the Real Time profile screen.
- Click the icon to display the Steering > Profile > Real Time > Add screen.
- Enter information for the following fields.
Field: Description
Profile Name: Enter a name for the profile.
Circuit Selection Criteria: Click the circuit selection criteria, then specify:
- Latency—Click Low, or click ms to specify the latency in milliseconds.
- Packet Loss—Click Low, or click Percentage to specify the percentage of packet loss.
- Delay Variation—Click Low, or click Percentage to specify the percentage of delay variation.
- Circuit Tx Utilization—Enter the percentage of circuit bandwidth used to transmit traffic.
- Circuit Rx Utilization—Enter the percentage of circuit bandwidth used to receive traffic.
Policing: Configure policing criteria:
- Peak Rate—Enter the maximum transmission rate, in Kbps.
- Peak Burst Size—Enter the number of bytes that are allowed beyond the configured peak rate. You set the burst size to avoid retransmission during bursts of traffic.
Loss Recovery: Choose the loss recovery method:
- Forward Error Correction (FEC)
- Packet Replication
Loss recovery is available only on devices that use the secure application optimization license.
Load Balance: Choose the load balancing mechanism:
- Per Flow
- Per Packet
- Click Add. The profile is saved to the screen but not to the Titan cloud.
- Click Save to save the profile to the Titan cloud.
Configure Internet Traffic Steering
A hub-and-spoke topology uses internet traffic steering to provide direct internet access (DIA), also called local breakout, rather than remote breakout from the hub. Internet traffic steering applies only to spoke devices in a hub-and-spoke topology. To steer internet traffic over local WAN circuits, prioritize the local WAN circuits over the central breakout path.
When you configure internet traffic steering, the system automatically does the following after you save the configuration:
- Create specific traffic-steering rules.
- Identify the next hop as the local internet-accessible WAN interface.
- Create a matching security rule so that the traffic and route preference changes to ensure redundancy.
- Create the next-hop setting for the rules defined for local internet breakout.
To configure internet traffic steering:
- Click Configure in the left menu bar to open the Configure dashboard.
- Hover over the device in the honeycomb and click Configure to open the site information window.
- Click Next to open the Configuration > Network screen.
- In the Steering tab, click the Rules tab. Note that you can click Easy Steering Picks to populate steering with default values; see Default Configuration Templates.
- If needed, click Reorder Rules to reorder rules.
- To change a rule order, click the rule name and drag the rule to a different spot in the rule set.
- Click Publish Reordered Rules to save the changes to the Titan cloud. By default, the rules are displayed in grid view. To change the view to list, click the list view icon. To pin the view to grid or list for the login session, use the pin icon.
- Click the icon to display the Steering > Rules > Add screen.
- Slide the toggle to select Internet rule.
- Create a rule, as described in the Create a Traffic-Steering Rule section, above.
Supported Software Information
Releases 10.3.4 and later support all content described in this article.
Additional Information
Configure WAN Connections
Manage Organization Settings
Manage Templates