Source Interface-Based Routes Overview

Some security devices also enable you to configure a route entry based on the source interface (the interface on which a data packet arrives). You can use Source Interface-Based Routing (SIBR) to enable traffic from users on a specific subnet to be forwarded on one path while traffic from users on a different subnet is forwarded on another path.

Note: SIBR is supported in ScreenOS 5.1 and later.

SIBR can be used together with source-based routing (SBR), which forwards traffic based on the source IP address of a packet. When a security device performs a route lookup, it checks the source interface-based routing table first. If no route is found there and source-based routing is enabled, it checks the source-based routing table. If no route is found there either, it checks the destination-based routing table. Because the first table that yields a match decides the forwarding path, a source interface-based entry, even a default route, takes precedence over any more specific entry in the destination-based table for traffic arriving on that interface; if some destinations reached from that interface must follow the destination table, add explicit source interface-based entries for them.

You define source interface-based routes as static routes on a specific virtual router and source interface. They apply only to the virtual router in which you configure them: you cannot specify another virtual router as the next hop of a source interface-based route, and you cannot redistribute source interface-based routes into another virtual router or into a routing protocol.

When configuring SIBR, you specify the interface in the virtual router on which the packet arrives, then the interface out of which the packet is to be forwarded. This outgoing interface can belong to a zone in another virtual router if that virtual router is sharable. (Sharable virtual routers are VRs that any vsys on the device can access. The untrust-vr is sharable by default, and you can configure other root-level VRs to be sharable.) Next, enter the IP address of the next-hop router in Gateway. If the outgoing interface already has a default gateway, you can omit this parameter; the interface's default gateway is then used for the source interface-based route.

You can also configure a metric for the route. By default, the metric for all SIBR entries is 1. If there are multiple source interface-based routes for the same source interface with the same prefix, only the route with the best (lowest) metric is used for route lookup; the other routes with that prefix are marked "inactive."
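The following Python model shows the lookup order and the metric tie-break described above so you can predict which path a given packet takes before committing a configuration. It is an added illustration and not ScreenOS or NSM code; the virtual router name, interface names (ethernet1 through ethernet6), gateway addresses and the three route tables are constructed for the example. The model follows the page: the source interface-based table is keyed on the ingress interface and matched on the destination prefix, the source-based table is matched on the packet's source address, and among entries for the same source interface and prefix only the lowest metric is active.

```python
"""Model of the ScreenOS route-lookup order described on this page.

Added illustration, not ScreenOS or NSM code. Route tables, interface names
and addresses are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                         # destination prefix (source prefix for SBR entries)
    out_interface: str
    gateway: Optional[str] = None       # None: use the outgoing interface's default gateway
    metric: int = 1                     # SIBR entries default to metric 1
    in_interface: Optional[str] = None  # ingress interface; set for SIBR entries only

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)


class VirtualRouter:
    """One VR holding the three tables consulted in order: SIBR, SBR, destination."""

    def __init__(self, name, default_gateways=None, source_routing=False):
        self.name = name
        self.sibr, self.sbr, self.dst = [], [], []
        self.default_gateways = default_gateways or {}  # interface -> default gateway
        self.source_routing = source_routing            # is source-based routing enabled?

    def active_sibr(self):
        """Among SIBR entries with the same source interface and prefix only the
        lowest-metric entry is active; the others are marked inactive."""
        best = {}
        for r in self.sibr:
            key = (r.in_interface, r.net)
            if key not in best or r.metric < best[key].metric:
                best[key] = r
        return list(best.values())

    def inactive_sibr(self):
        active = set(self.active_sibr())
        return [r for r in self.sibr if r not in active]

    @staticmethod
    def _best(candidates):
        # Longest prefix first, then lowest metric.
        return min(candidates, key=lambda r: (-r.net.prefixlen, r.metric))

    def lookup(self, in_interface, src, dst):
        """Return (table, out_interface, gateway) for a packet, or None if unroutable."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. Source interface-based table: entries for the ingress interface, matched on destination.
        table = "sibr"
        cands = [r for r in self.active_sibr() if r.in_interface == in_interface and dst in r.net]
        # 2. Source-based table, only if enabled: matched on the packet's source address.
        if not cands and self.source_routing:
            table = "sbr"
            cands = [r for r in self.sbr if src in r.net]
        # 3. Destination-based table.
        if not cands:
            table = "dst"
            cands = [r for r in self.dst if dst in r.net]
        if not cands:
            return None
        r = self._best(cands)
        gateway = r.gateway or self.default_gateways.get(r.out_interface)
        return table, r.out_interface, gateway


def build_example_vr():
    """Constructed topology: users on ethernet1 egress via ISP A (ethernet3),
    users on ethernet2 via ISP B (ethernet4); ethernet6 has no SIBR entry."""
    vr = VirtualRouter("trust-vr", default_gateways={"ethernet3": "1.1.1.250"}, source_routing=True)
    vr.sibr += [
        Route("0.0.0.0/0", "ethernet3", in_interface="ethernet1"),                   # gateway omitted: ethernet3's default gateway is used
        Route("0.0.0.0/0", "ethernet4", "2.2.2.250", 1, in_interface="ethernet2"),
        Route("0.0.0.0/0", "ethernet3", "1.1.1.250", 5, in_interface="ethernet2"),   # same interface and prefix, worse metric: inactive
    ]
    vr.sbr += [Route("10.3.0.0/24", "ethernet4", "2.2.2.250")]                      # prefix is a SOURCE prefix here
    vr.dst += [
        Route("0.0.0.0/0", "ethernet3", "1.1.1.250"),
        Route("10.2.0.0/16", "ethernet5", "10.2.0.1"),
    ]
    return vr


if __name__ == "__main__":
    vr = build_example_vr()
    print(vr.lookup("ethernet1", "10.1.0.7", "198.51.100.9"))  # SIBR: ethernet3 via its default gateway
    print(vr.lookup("ethernet2", "10.2.0.7", "198.51.100.9"))  # SIBR: ethernet4
    print(vr.lookup("ethernet6", "10.3.0.7", "198.51.100.9"))  # no SIBR entry for ethernet6 -> SBR
    print(vr.lookup("ethernet6", "10.6.0.7", "198.51.100.9"))  # no SIBR or SBR match -> destination table
    # SIBR is consulted first, so the ethernet2 default route wins over the
    # more specific 10.2.0.0/16 entry in the destination table:
    print(vr.lookup("ethernet2", "10.2.0.7", "10.2.5.5"))
    print([(r.in_interface, r.out_interface, r.metric) for r in vr.inactive_sibr()])
```

The last lookup is the case to watch when you deploy SIBR: traffic from ethernet2 to an internal 10.2.0.0/16 destination is sent to ISP B because the source interface-based default route matches before the destination table is ever consulted. Add a source interface-based entry for 10.2.0.0/16 on ethernet2 (or a more specific one) if that traffic must stay internal.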

For instructions for configuring virtual router source interface-based route entries, see the Network and Security Manager Online Help.

