Netscreen – Routing Basics / Virtual Routers / PBR

Juniper introduces a new feature to the area of routing, called Virtual Routers. The model consists of: interfaces are applied to zones and zones are applied to Virtual Routers. Virtual routers allow for you to segment routing updates in and from the firewall/router.

Virtual Routers
There are 4 different types of routing tables that you can use on each VR,

  • Destination based routing table – Traffic is routed based on destination.
  • Source based routing table – Traffic is routed based on where the traffic came from.
  • Source interface routing table – Also referred to as SIBR – Traffic is routed based on which interface the traffic came in on.
  • Multicast routing table – Traffic from a multicast source can be routed out to a certain interface based on source ip, multicast group, and incoming interface.

Route-maps and Accesslists

Access-lists intruct which traffic the netscreen is allowed to query the subsqeuent routing table for. Each access-list is assigned to a VR and actioned by order of seqence. Allowing a action of either permit or deny.

set vrouter “VR-Trust” access-list 1
set vrouter “VR-Trust” access-list 1 deny 1
set vrouter “VR-Trust” access-list 1 permit ip 2

Route-maps are mainly designed to filter routes that are advertised to the firewall inbound or advertised from the firewall outbound. They also allow you to change various values on routes as well. As you can see below the route map matchs the IP (via an access-list) then sets an action to this route.

set vrouter “VR-Trust”
set route-map name “Route-map 1” permit 1
set match ip 1
set metric 150

PBR (Policy Based Routing)

Policy Based routing allows you to route traffic based on Extended ACLs. This gives you greater control on how you decide to route your traffic. This allows you to route based on source IP, source port, destination Port, Destination IP, Protocol etc etc.
The basic framework of configuring policy based routing is as follows,

  1. Create a Extended ACL
  2. Create a Match Group (this allows you to aggregate one or more access lists)
  3. Create a Action Group (this allows you to define where the traffic is routed to)
  4. Create a Policy (this combines your Match group and Action group)
  5. Configure your Policy Binding to bind this new policy to a zone.


Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial