SRX Services Gateway

SRX IPv6 route filter

3 weeks ago

Hello,

I have two routing instances on an SRX1500: VR-Trust and VR-Untrust. VR-Untrust connects to my WAN link; it has a default route that points to the WAN router of my ISP. VR-Trust knows all my local routes, which are static. VR-Untrust imports all these static routes, using the 'instance-import' command and a policy statement within routing-options.

root@SRX1500-A-> show configuration routing-instances VR-Untrust
description Untrust-VR;
instance-type virtual-router;
interface gr-0/0/0.1;
interface gr-0/0/0.2;
interface reth1.47;
interface st0.0;
interface st0.1;
routing-options {
    instance-import from_VR-Trust_to_VR-Untrust;
}

root@SRX1500-1> show configuration policy-options policy-statement from_VR-Trust_to_VR-Untrust
term Trust_to_Untrust_reject_default_term {
    from {
        instance VR-Trust;
        route-filter 0.0.0.0/0 exact;
    }
    then reject;
}
term Trust_to_Untrust_term {
    from instance VR-Trust;
    then accept;
}

root@ISRX1500-1> show configuration routing-instances VR-Trust
description "VR-Trust";
instance-type virtual-router;
interface reth1.1297;
routing-options {
    rib VR-Trust.inet6.0 {
        static {
            route ::/0 discard;
            route <IPv6 destination> next-hop <IPv6 next hop>;
        }
    }
    static {
        route <IPv4 destination> next-hop <IPv4 next hop>;
    }
}

I am trying to write a route filter to reject the default IPv6 route, but to permit all the other routes, so that VR-Untrust can import all IPv6 routes from VR-Trust, but not the default route.

I wrote this, but it allows the default route to be learned by VR-Untrust.

root@SRX1500-A> show configuration policy-options policy-statement from_VR-Trust_to_VR-Untrust
term Trust_to_Untrust_reject_IPv6_default_term {
    from {
        instance VR-Trust;
        rib VR-Trust.inet6.0;
        route-filter ::/0 exact;
    }
    then reject;
}
term Trust_to_Untrust_IPv6_term {
    from {
        instance VR-Trust;
        rib VR-Trust.inet6.0;
    }
    then permit;
}

Solution
Accepted by topic author Bobby321
yesterday

Re: SRX IPv6 route filter

Hello,

This was fixed by changing the order of the terms in the policy options policy statement and by removing the rib VR-Trust.inet6.0 part from the term in the policy statement.
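
One policy consistent with the fix described in the reply above, as an added example that is not the poster's final configuration. It assumes both default-route reject terms are placed ahead of a single catch-all accept term; the term names are reused from the posts, and the `rib` match condition is dropped as the reply describes.

```junos
policy-options {
    policy-statement from_VR-Trust_to_VR-Untrust {
        /* Reject terms come first: terms are evaluated in order and the
           first accept or reject ends evaluation for that route. */
        term Trust_to_Untrust_reject_default_term {
            from {
                instance VR-Trust;
                route-filter 0.0.0.0/0 exact;
            }
            then reject;
        }
        term Trust_to_Untrust_reject_IPv6_default_term {
            from {
                instance VR-Trust;
                /* no "rib" match condition, per the accepted fix */
                route-filter ::/0 exact;
            }
            then reject;
        }
        /* Catch-all last: every remaining VR-Trust route, IPv4 and IPv6. */
        term Trust_to_Untrust_term {
            from instance VR-Trust;
            then accept;
        }
    }
}
```

After commit, `show route table VR-Untrust.inet6.0 ::/0 exact` can be used to check whether the IPv6 default route from VR-Trust is still being imported.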