Netscreen - Routing Basics / Virtual Routers / PBR
Juniper added a feature to the routing area of ScreenOS called Virtual Routers (VRs). The model is layered: interfaces are assigned to zones, and zones are assigned to Virtual Routers. Virtual routers let you segment routing updates into and out of the firewall/router, so a route learned in one VR is not visible to another unless you explicitly export it.
There are four types of routing table that can be used on each VR:
- Destination-based routing table - Traffic is routed based on its destination address.
- Source-based routing table - Traffic is routed based on the source address it came from.
- Source interface-based routing table (SIBR) - Traffic is routed based on the interface it arrived on.
- Multicast routing table - Traffic from a multicast source can be routed out of a particular interface based on source IP, multicast group, and incoming interface.
Route-maps and Access-lists
Access-lists instruct the NetScreen which routes it is allowed to look up in the subsequent routing table. Each access-list is assigned to a VR and its entries are evaluated in sequence-number order; each entry carries an action of either permit or deny.
set vrouter "VR-Trust" access-list 1
set vrouter "VR-Trust" access-list 1 deny ip 10.1.1.0/24 1
set vrouter "VR-Trust" access-list 1 permit ip 192.168.1.0/24 2
Route-maps are mainly designed to filter routes that are advertised to the firewall (inbound) or advertised from the firewall (outbound). They also allow you to change various attributes on the routes that match. As you can see below, the route-map matches the prefix (via an access-list) and then sets a metric on that route.
set vrouter "VR-Trust"
set route-map name "Route-map 1" permit 1
set match ip 1
set metric 150
exit
exit
PBR (Policy Based Routing)
Policy-based routing allows you to route traffic based on extended ACLs. This gives you much finer control over how traffic is routed: you can route based on source IP, source port, destination IP, destination port, protocol, and so on, rather than on destination address alone.
The basic framework for configuring policy-based routing is as follows:
- Create an Extended ACL
- Create a Match Group (this allows you to aggregate one or more extended access-lists)
- Create an Action Group (this allows you to define where the matched traffic is routed to)
- Create a Policy (this combines your Match Group and Action Group)
- Configure your Policy Binding to bind this new policy to a zone.
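The five steps above as one worked ScreenOS configuration, added here as an example and not taken from the original page. The VR name "VR-Trust" comes from the page; the addresses, the interface name ethernet3, the next-hop, the zone "Trust" and all object names/ID numbers are assumptions. The command forms follow the ScreenOS CLI reference as I recall them, so check them against your release's reference. Lines beginning with # are annotations, not CLI input.

```text
# Step 1: extended ACL 10, entry 1 - web traffic from the 10.1.1.0/24 LAN
# (assumed subnet) to any destination on TCP port 80.
set vrouter "VR-Trust"
set access-list extended 10 src-ip 10.1.1.0/24 dst-ip 0.0.0.0/0 dst-port 80-80 protocol tcp entry 1

# Step 2: match group "mg-web" aggregates entry 1 of extended ACL 10.
set match-group name mg-web
set match-group mg-web ext-acl 10 match-entry 1

# Step 3: action group "ag-isp2" forwards matched traffic out of ethernet3
# to the assumed next-hop 1.1.1.254 instead of following the destination table.
set action-group name ag-isp2
set action-group ag-isp2 next-interface ethernet3 next-hop 1.1.1.254 action-entry 1

# Step 4: PBR policy "pbr-web" ties the match group to the action group.
set pbr policy name pbr-web
set pbr policy pbr-web match-group mg-web action-group ag-isp2 1
exit

# Step 5: bind the policy to the Trust zone (assumed zone name).
set zone "Trust" pbr pbr-web
```

Because a PBR lookup takes precedence over the VR's routing tables, a policy bound to a zone silently overrides the destination route for every matching flow, so review the bound policies with get pbr policy whenever traffic leaves by an unexpected interface.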