[j-nsp] j-series vs. short pings ?

Alexandre Snarskii snar at paranoia.ru
Thu Mar 6 10:09:28 EST 2008


On Fri, Feb 29, 2008 at 05:51:20PM +0300, Alexandre Snarskii wrote:
> Hi!
> 
> During narrowing down one of our problems, I found that I'm able 
> to ping Juniper from a directly connected (vlan) subinterface only 
> when the ICMP payload size is greater than or equal to 18 bytes... 
> 
[....]
> 
> Question: is there any way to fix this behaviour? (Short ICMP pings
> are the way the RAD IPMux verifies the MAC address of its gateway, and
> we're just unable to use IPMuxes as downlinks to Juniper.)

Just for google: the RAD IPMux does not check the ICMP code in the reply, so
rejecting 'short' pings with host-prohibited helps it verify
next-hop availability.

And that can be done with the following firewall filter:

snar@RT088-002> show configuration firewall filter drop_shorts
term main {
    from {
        packet-length 20-45;
        protocol icmp;
        icmp-type echo-request;
    }
    then {
        reject host-prohibited;
    }
}
term default {
    then accept;
}
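The filter above works because an IPv4 header (20 bytes) plus an ICMP header (8 bytes) plus a payload shorter than 18 bytes never exceeds 45 bytes, so `packet-length 20-45` is exactly the set of echo requests the IPMux sends. The following Python model, added here and not part of the original post or of any Juniper code, builds constructed IPv4/ICMP packets of chosen payload sizes and evaluates them against the `drop_shorts` terms using Junos filter semantics (terms in order, all `from` conditions ANDed, first match wins, implicit discard at the end). Addresses are TEST-NET-1 samples; the term table is a hand-written model of the configuration, not a parser for Junos syntax.

```python
import struct
from typing import Optional, Tuple

# Model of the drop_shorts filter: a list of terms, evaluated in order.
# Every "from" condition in a term must match; the first matching term's
# action applies; a packet matching no term hits the implicit discard.
DROP_SHORTS = [
    {"name": "main",
     "packet_length": (20, 45),        # total IPv4 length, inclusive
     "protocol": 1,                    # 1 = ICMP
     "icmp_type": 8,                   # 8 = echo-request
     "action": "reject host-prohibited"},
    {"name": "default", "action": "accept"},
]


def build_ipv4(proto: int, l4: bytes) -> bytes:
    """Construct an IPv4 packet carrying `l4` (constructed sample bytes, not captured traffic)."""
    total_len = 20 + len(l4)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 254]))
    return header + l4


def build_icmp_echo(icmp_type: int, payload_len: int) -> bytes:
    """Construct IPv4 + ICMP echo (type 8 = request, 0 = reply) with a zero payload."""
    icmp_header = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)
    return build_ipv4(1, icmp_header + b"\x00" * payload_len)


def parse_packet(packet: bytes) -> Tuple[int, int, Optional[int]]:
    """Return (total length, IP protocol, ICMP type or None) from raw IPv4 bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    icmp_type = packet[ihl] if proto == 1 and len(packet) > ihl else None
    return total_len, proto, icmp_type


def evaluate(packet: bytes) -> Tuple[Optional[str], str]:
    """Apply the drop_shorts terms; return (matching term name, action)."""
    total_len, proto, icmp_type = parse_packet(packet)
    for term in DROP_SHORTS:
        lo, hi = term.get("packet_length", (0, 65535))
        if not lo <= total_len <= hi:
            continue
        if "protocol" in term and term["protocol"] != proto:
            continue
        if "icmp_type" in term and term["icmp_type"] != icmp_type:
            continue
        return term["name"], term["action"]
    return None, "discard"  # implicit discard at the end of a Junos filter


def smallest_accepted_echo_payload() -> int:
    """Smallest echo-request payload that reaches the accept term (reproduces the 18-byte observation)."""
    for n in range(0, 64):
        if evaluate(build_icmp_echo(8, n))[1] == "accept":
            return n
    raise RuntimeError("no echo-request payload size was accepted")


if __name__ == "__main__":
    for n in (0, 8, 17, 18, 32):
        pkt = build_icmp_echo(8, n)
        print(f"echo-request payload={n:2d} total={len(pkt):2d} -> {evaluate(pkt)}")
    print("echo-reply, payload=4 ->", evaluate(build_icmp_echo(0, 4)))
    print("smallest accepted echo-request payload:", smallest_accepted_echo_payload())
```

Running it shows the cut-off the original poster measured: a 17-byte payload gives a 45-byte packet and is rejected with host-prohibited, an 18-byte payload gives 46 bytes and falls through to `default`. Echo replies and non-ICMP traffic never match `main` because its conditions are ANDed, so the filter only affects the short echo requests it was written for.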