On Tue, Dec 23, 2008 at 07:56:00PM -0500, Chuck Anderson wrote:
> On Tue, Dec 23, 2008 at 03:27:13PM -0800, snort bsd wrote:
> > Could those routes in the L3VPN table be copied to inet.0? I tried
> > to use policy and it doesn't seem to be working:
>
> Yes, you can do that.
>
> > term l3vpn->inet.0 {
> >     from {
> >         rib l3vpn.inet.0;
> >         route-filter 100.100.0.0/16 orlonger;
> >     }
> >     to rib inet.0;
> >     then {
> >         accept;
> >     }
> > }
>
> How are you applying this policy? You need to create a rib-group like
> this:
>
> MAIN-to-VPN {
>     import-rib [ inet.0 l3vpn.inet.0 ];
>     import-policy [ l3vpn->inet.0 REJECT ];
> }

Oops, I have these backwards. This should be correct:

VPN-to-MAIN {
    import-rib [ l3vpn.inet.0 inet.0 ];
    import-policy [ l3vpn->inet.0 REJECT ];
}

> and I don't believe the "from rib l3vpn.inet.0" part should be
> specified, at least I haven't needed it:
>
> term l3vpn->inet.0 {
>     from {
>         route-filter 100.100.0.0/16 orlonger;
>     }
>     to rib inet.0;
>     then {
>         accept;
>     }
> }
>
> term REJECT {
>     then reject;
> }

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
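
An added configuration example, not part of the original thread: the rib-group and the two policies discussed above, written out under the full Junos hierarchy so that only 100.100.0.0/16 and longer prefixes are copied from l3vpn.inet.0 into inet.0 and everything else is rejected. It assumes the routing instance is named l3vpn (implied by the table name) and that the routes to copy are the instance's interface routes and routes learned from a BGP group named CE; the group name CE and the term name "copy" are hypothetical.

```junos
policy-options {
    # The thread's "term l3vpn->inet.0", placed inside a policy-statement of
    # the same name so that import-policy can reference it.
    policy-statement l3vpn->inet.0 {
        term copy {                      # hypothetical term name
            from {
                route-filter 100.100.0.0/16 orlonger;
            }
            to rib inet.0;
            then accept;
        }
    }
    # Explicit final policy: anything not accepted above is not copied.
    policy-statement REJECT {
        term REJECT {
            then reject;
        }
    }
}
routing-options {
    rib-groups {
        VPN-to-MAIN {
            # The first table listed is the primary table, so the VRF table
            # comes first and inet.0 is the secondary (the corrected order).
            import-rib [ l3vpn.inet.0 inet.0 ];
            import-policy [ l3vpn->inet.0 REJECT ];
        }
    }
}
routing-instances {
    l3vpn {
        routing-options {
            # Assumption: copy the instance's interface routes.
            interface-routes {
                rib-group inet VPN-to-MAIN;
            }
        }
        protocols {
            bgp {
                group CE {               # hypothetical group name
                    family inet {
                        unicast {
                            # Assumption: copy routes learned from this group.
                            rib-group VPN-to-MAIN;
                        }
                    }
                }
            }
        }
    }
}
```

After commit, `show route table inet.0` can be checked for instance prefixes outside 100.100.0.0/16; none should appear while the REJECT policy is last in the import-policy list.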