Can policy-options policy-statements be put anywhere else besides on protocols (with export keyword)? Like on interfaces or vlans?
I just remembered something else that confused me when I was trying to apply my filters earlier today which all had no effect toward achieving my goal.
Some of my filters were matching against source-address but they did not have any effect. It was only when I saw your earlier post that I matched against both source-address and destination-address. I do not understand why my filter would not also work. Wouldn't it also find a match and discard the packets? Why does it take both source and destination to have the final effect of actually discarding the packets?
I remember that there were some cases where it would not allow me to apply a filter on egress.
Also, there was a case that I could not apply a filter with the action reject, it could only be discard. I think this was because on egress it could not send an error message because maybe the Routing Engine, which handles ICMP error messages, would not be involved during 'output'? Does this sound right?
This is also confusing because I think with policies there are only the actions of accept and reject (no discard), which is exactly the opposite of the above case.
THANKS
I just remembered another thing I was hoping someone might be able to comment on. I read somewhere that Router-on-a-stick is an outdated way of doing things. Evidently this is because all connectivity between VLANs can be done by the L3 interface on the switch. But I could not find a way, on a switch only, to do something that is very common these days. That is, have connectivity between VLANs and have connectivity from all VLANs to the Internet. I could only find that to do both, I needed to use the Router-on-a-stick beyond the switch, that is, on the Router. At some point this has to all come together, and this is through the trunk link. I could not find a way to have a trunk link without having a router, and I could not find a way, just on a switch, to have each VLAN have its own unique Gateway without using the Router-on-a-stick.
Is there a way to have connectivity both between VLANs and to one Internet connection on just a switch? If not, why would Router-on-a-stick be outdated?
Even if your Router is a Security device (SRX), you are still trunking to it and putting subinterfaces on the firewall, so this is still a Router-on-a-stick, isn't it? I really sincerely would like to know of a better way of doing this if it is possible.
THANKS
robin hood
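The post touches two different Junos constructs that are easy to mix up: a policy-statement (accept/reject, attached to a routing protocol with `export`) and a firewall filter (accept/discard/reject, attached to an interface as `input` or `output`). The following constructed configuration, added here and not taken from the post or from any Juniper documentation, shows both side by side so the attachment points and the action names can be compared. The filter has one term matching on source-address alone and one matching on both source-address and destination-address, each ending in discard, followed by an explicit accept term: a Junos filter ends with an implicit discard, so without that final accept the filter would drop all remaining traffic rather than have no effect. All names, interfaces and addresses (RFC 5737 documentation ranges) are assumptions chosen for the example.

```junos
/* policy-statement: routing-policy actions are accept / reject, applied to a protocol with export */
policy-options {
    policy-statement EXPORT-STATICS {
        term statics {
            from protocol static;
            then accept;
        }
        term everything-else {
            then reject;
        }
    }
}
protocols {
    ospf {
        export EXPORT-STATICS;
        area 0.0.0.0 {
            interface ge-0/0/1.0;
        }
    }
}
/* firewall filter: packet-filter actions are accept / discard / reject, applied to an interface */
firewall {
    family inet {
        filter DROP-EXAMPLE {
            /* matches on source-address only: packets from this host to any destination hit this term */
            term drop-from-host {
                from {
                    source-address {
                        192.0.2.10/32;
                    }
                }
                then {
                    count dropped-from-host;
                    discard;
                }
            }
            /* matches on both source-address and destination-address */
            term drop-host-to-subnet {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    destination-address {
                        203.0.113.0/24;
                    }
                }
                then {
                    count dropped-host-to-subnet;
                    discard;
                }
            }
            /* explicit final accept; omitting it leaves the implicit discard, which drops everything else */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input DROP-EXAMPLE;
                }
                address 198.51.100.1/24;
            }
        }
    }
}
```

The `count` actions give a way to check whether a term is matching at all: after committing, `show firewall filter DROP-EXAMPLE` lists the per-term counters, and `show interfaces filters` confirms which interface and direction the filter is bound to. If a term's counter stays at zero while the traffic is flowing, the filter is applied on an interface or direction the traffic does not traverse, which explains "no effect" more often than the match conditions themselves do.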