SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX IPv6 route filter

    Posted 02-11-2020 12:12

    Hello,

    I have two routing instances on an SRX1500: VR-Trust and VR-Untrust. VR-Untrust connects to my WAN link; it has a default route that points to the WAN router of my ISP. VR-Trust knows all my local routes, which are static. VR-Untrust imports all these static routes, using the 'instance-import' command and a policy statement within routing-options.

    root@SRX1500-A-> show configuration routing-instances VR-Untrust
    description Untrust-VR;
    instance-type virtual-router;
    interface gr-0/0/0.1;
    interface gr-0/0/0.2;
    interface reth1.47;
    interface st0.0;
    interface st0.1;
    routing-options {
        instance-import from_VR-Trust_to_VR-Untrust;
    }

    root@SRX1500-1> show configuration policy-options policy-statement from_VR-Trust_to_VR-Untrust
    term Trust_to_Untrust_reject_default_term {
        from {
            instance VR-Trust;
            route-filter 0.0.0.0/0 exact;
        }
        then reject;
    }
    term Trust_to_Untrust_term {
        from instance VR-Trust;
        then accept;
    }

    root@ISRX1500-1> show configuration routing-instances VR-Trust
    description "VR-Trust";
    instance-type virtual-router;
    interface reth1.1297;
    routing-options {
        rib VR-Trust.inet6.0 {
            static {
                route ::/0 discard;
                route <IPv6 destination> next-hop <IPv6 next hop>;
            }
        }
        static {
            route <IPv4 destination> next-hop <IPv4 next hop>;
        }
    }

    I am trying to write a route filter to reject the default IPv6 route, but to permit all the other routes, so that VR-Untrust can import all IPv6 routes from VR-Trust, but not the default route.

    I wrote this, but it allows the default route to be learned by VR-Untrust.

    root@SRX1500-A> show configuration policy-options policy-statement from_VR-Trust_to_VR-Untrust
    term Trust_to_Untrust_reject_IPv6_default_term {
        from {
            instance VR-Trust;
            rib VR-Trust.inet6.0;
            route-filter ::/0 exact;
        }
        then reject;
    }
    term Trust_to_Untrust_IPv6_term {
        from {
            instance VR-Trust;
            rib VR-Trust.inet6.0;
        }
        then permit;
    }


  • 2.  RE: SRX IPv6 route filter
    Best Answer

    Posted 02-28-2020 07:54

    Hello,

    This was fixed by changing the order of the terms in the policy options policy statement and by removing the rib VR-Trust.inet6.0 part from the term in the policy statement.
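
Added example (not part of either post, and not Juniper code): a small Python model of first-match term evaluation in a policy statement, showing how term order decides whether `::/0` is imported into VR-Untrust. The "before" ordering, the sample routes and all function names are assumptions, since the thread never shows the combined policy, and the `rib` match condition is not modeled.

```python
import ipaddress

# Each term: (name, exact route-filter prefix or None, terminating action).
# None means "from instance VR-Trust" only, which matches every imported route.
# ASSUMED_BEFORE is a guess at the failing order; the thread never shows it whole.
ASSUMED_BEFORE = [
    ("Trust_to_Untrust_reject_default_term", "0.0.0.0/0", "reject"),
    ("Trust_to_Untrust_term", None, "accept"),
    ("Trust_to_Untrust_reject_IPv6_default_term", "::/0", "reject"),
    ("Trust_to_Untrust_IPv6_term", None, "accept"),
]
# Both default-route rejects first, the catch-all accept last.
REORDERED = [
    ("Trust_to_Untrust_reject_default_term", "0.0.0.0/0", "reject"),
    ("Trust_to_Untrust_reject_IPv6_default_term", "::/0", "reject"),
    ("Trust_to_Untrust_term", None, "accept"),
]
# Constructed sample routes standing in for the contents of VR-Trust.
ROUTES = ["0.0.0.0/0", "10.1.0.0/16", "::/0", "2001:db8:10::/48"]


def evaluate(policy, route):
    """Return (term name, action) of the first term matching the route."""
    prefix = ipaddress.ip_network(route)
    for name, exact, action in policy:
        if exact is None or ipaddress.ip_network(exact) == prefix:
            return name, action  # terminating action: later terms never run
    return None, None  # no term matched; the default policy is not modeled


def imported(policy, routes):
    """Routes the policy would accept into VR-Untrust."""
    return [r for r in routes if evaluate(policy, r)[1] == "accept"]


def shadowed_terms(policy):
    """Terms placed after a catch-all term, which can therefore never match."""
    shadowed, seen_catch_all = [], False
    for name, exact, _ in policy:
        if seen_catch_all:
            shadowed.append(name)
        seen_catch_all = seen_catch_all or exact is None
    return shadowed


if __name__ == "__main__":
    for label, policy in (("assumed before", ASSUMED_BEFORE), ("reordered", REORDERED)):
        print(label, imported(policy, ROUTES), shadowed_terms(policy))
```
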