Hi,
Yes you can use policy to filter routes that are advised by ISIS:
Here we can see the downstream device is receiving the loopback (10.0.255.7/32) from the upstream node via ISIS:
lab@srx-vpn> show route protocol isis
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[IS-IS/165] 2w0d 04:29:05, metric 30
> to 137.221.196.5 via ge-0/0/0.0
10.0.255.7/32 *[IS-IS/18] 2w0d 04:29:05, metric 20> to 137.221.196.5 via ge-0/0/0.0
137.221.196.0/30 *[IS-IS/18] 2w0d 04:29:15, metric 20> to 137.221.196.5 via ge-0/0/0.0Now let's create a policy to filter the prefix from being advertised in the ISIS process:
[edit]
lab@mx104-edge# show policy-options policy-statement isis-filter
from {
protocol direct;
route-filter 10.0.255.7/32 exact;
}
then reject;Apply the policy as an export policy under protocols isis:
lab@mx104-edge# show protocols isis
export [ DEFAULT-TO-ISIS isis-filter ];
level 1 disable;
interface ge-0/0/1.0 {
point-to-point;
}
interface lo0.0 {
passive;
}Now we can see the prefix 10.0.255.7/32 is filtered and no longer present on the downstream device whilst other ISIS routes are still present:
lab@srx-vpn> show route protocol isis
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[IS-IS/165] 2w0d 04:29:06, metric 30
> to 137.221.196.5 via ge-0/0/0.0
137.221.196.0/30 *[IS-IS/18] 2w0d 04:29:16, metric 20> to 137.221.196.5 via ge-0/0/0.0You can also filter at ingress.
I hope this helps 