Hello,
I have two routing instances on an SRX1500: VR-Trust and VR-Untrust. VR-Untrust connects to my WAN link; it has a default route that points to the WAN router of my ISP. VR-Trust knows all my local routes, which are static. VR-Untrust imports all of these static routes, using the 'instance-import' statement within routing-options and a policy statement.
root@SRX1500-A-> show configuration routing-instances VR-Untrust
/* VR-Untrust: virtual-router instance for the WAN-facing side. It owns the gr-0/0/0, reth1.47 and st0 logical interfaces listed below. */
description Untrust-VR;
instance-type virtual-router;
interface gr-0/0/0.1;
interface gr-0/0/0.2;
/* NOTE(review): the next line has no terminating ';' as posted - probably a paste artifact; confirm against the device. */
interface reth1.47
interface st0.0;
interface st0.1;
routing-options {
/* Every route this policy accepts is copied into VR-Untrust's tables, so the policy decides which trust-side prefixes become reachable from the WAN-facing instance. Keep its accept terms as narrow as the design allows. */
instance-import from_VR-Trust_to_VR-Untrust;
}
root@SRX1500-1> show configuration policy-options policy-statement from_VR-Trust_to_VR-Untrust
/* Import policy referenced by VR-Untrust's instance-import. Terms are evaluated top to bottom and the first terminating action wins, so the reject term must stay ahead of the catch-all accept. */
/* Term 1: drop exactly 0.0.0.0/0 learned from VR-Trust; presumably so it cannot compete with VR-Untrust's own default toward the ISP. */
term Trust_to_Untrust_reject_default_term {
from {
instance VR-Trust;
route-filter 0.0.0.0/0 exact;
}
then reject;
}
/* Term 2: accept every remaining route from VR-Trust. */
/* NOTE(review): this term has no prefix, family or rib restriction. If IPv6 routes from VR-Trust are evaluated by this policy, it would also accept ::/0 unless an IPv6 reject term sits before it - confirm the term order on the device. */
term Trust_to_Untrust_term {
from instance VR-Trust;
then accept;
}
root@ISRX1500-1> show configuration routing-instances VR-Trust
/* VR-Trust: virtual-router instance holding the local static routes (IPv4 and IPv6) that VR-Untrust imports. */
description "VR-Trust";
instance-type virtual-router;
interface reth1.1297;
routing-options {
rib VR-Trust.inet6.0 {
static {
/* IPv6 default with a discard next hop. This is the route the post wants kept out of VR-Untrust. */
route ::/0 discard;
/* Placeholder values as posted; the real prefixes are redacted. */
route <IPv6 destination> next-hop <IPv6 next hop>;
}
}
static {
route <IPv4 destination> next-hop <IPv4 next hop>;
/* NOTE(review): the listing ends here as posted; the closing braces for 'static' and 'routing-options' are not shown. */
}
I am trying to write a route filter to reject the default IPv6 route, but to permit all the other routes, so that VR-Untrust can import all IPv6 routes from VR-Trust, but not the default route.
I wrote the following, but it still allows the IPv6 default route to be learned by VR-Untrust.
root@SRX1500-A> show configuration policy-options policy-statement from_VR-Trust_to_VR-Untrust
/* IPv6 variant of the import policy as posted. It is not shown whether these terms replace the IPv4 terms or were added to the same policy-statement; if an unrestricted accept term precedes them, ::/0 is accepted before the reject term below is reached. */
/* Term 1: intended to reject exactly ::/0 coming from VR-Trust's inet6 table. */
/* NOTE(review): whether the 'rib' condition matches as intended inside an instance-import policy is not established here; after commit, check VR-Untrust.inet6.0 for ::/0 to verify. */
term Trust_to_Untrust_reject_IPv6_default_term {
from {
instance VR-Trust;
rib VR-Trust.inet6.0;
route-filter ::/0 exact;
}
then reject;
}
/* Term 2: intended to let every other IPv6 route from VR-Trust through. */
term Trust_to_Untrust_IPv6_term {
from {
instance VR-Trust;
rib VR-Trust.inet6.0;
}
/* NOTE(review): routing-policy terminating actions are 'accept' and 'reject'; 'permit' is a security-policy action. As posted this line would not be a valid policy-statement action - confirm what is actually committed. */
then permit;
}