[j-nsp] no router alert
Alexander Tarkhov
karabass at gmail.com
Wed Dec 23 04:37:50 EST 2009
Hello Bit,
In addition to what Truman suggested (explicit approach)
you can also try adding "from ip-options any" to your term.
term NO-RT-ALERT {
    from {
        ip-options any;
        ip-options-except router-alert;
    }
    then {
        count NO-RT-ALERT;
        log;
        discard;
    }
}
This way it might work.
I think the way "-except" is programmed requires some positive scope
of matching, otherwise it is equal to an empty from clause matching all
packets. At least here in the documentation they always use some
positive matching along with -except match conditions:
http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policy-firewall-filter-how-to-specify-match-conditions.html
Example:
destination-address {
    0.0.0.0/0;
    10.1.1.0/24 except;
}
Greetings,
-Alex
On Mon, Dec 21, 2009 at 11:16 AM, Bit Gossip <bit.gossip at chello.nl> wrote:
> inactive: term NO-RT-ALERT {
>     from {
>         ip-options-except router-alert;
>     }
>     then {
>         count NO-RT-ALERT;
>         log;
>         discard;
>     }
> }
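
Added example (not part of the original message and not Juniper code): a small Python model of the destination-address list quoted from the documentation above. It assumes the list is evaluated by longest-prefix match, that an "except" entry turns a match into a non-match, and that an address covered by no entry does not match; it says nothing about how ip-options-except is evaluated. The function names and sample lists are constructed for illustration.

```python
import ipaddress

def parse_prefix_list(lines):
    """Parse entries such as '10.1.1.0/24 except;' into (network, is_except)."""
    entries = []
    for raw in lines:
        tokens = raw.strip().rstrip(";").split()
        if not tokens:
            continue
        net = ipaddress.ip_network(tokens[0])
        entries.append((net, len(tokens) > 1 and tokens[1] == "except"))
    return entries

def address_matches(entries, addr):
    """Return True if addr matches the list under the assumed semantics."""
    ip = ipaddress.ip_address(addr)
    covering = [(net, exc) for net, exc in entries if ip in net]
    if not covering:
        # Assumption: no positive prefix covers the address, so no match.
        return False
    # Assumption: the most specific covering prefix decides the outcome.
    _, is_except = max(covering, key=lambda e: e[0].prefixlen)
    return not is_except

# The list from the documentation example quoted in the message.
DOC_EXAMPLE = parse_prefix_list(["0.0.0.0/0;", "10.1.1.0/24 except;"])

# Constructed variant with the positive 0.0.0.0/0 entry left out.
EXCEPT_ONLY = parse_prefix_list(["10.1.1.0/24 except;"])

if __name__ == "__main__":
    for name, entries in (("with 0.0.0.0/0", DOC_EXAMPLE),
                          ("except only", EXCEPT_ONLY)):
        for addr in ("192.0.2.1", "10.1.1.5", "10.1.2.5"):
            print(f"{name:15} {addr:10} match={address_matches(entries, addr)}")
```
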