[j-nsp] no router alert
Bit Gossip
bit.gossip at chello.nl
Mon Dec 28 04:46:55 EST 2009
Hi Alex,
that would be a great solution, but unfortunately 'ip-options any' and
'ip-options-except router-alert' are mutually exclusive; that is, the
last one typed in overwrites the previous one :-(
Thanks,
bit.
On Wed, 2009-12-23 at 12:37 +0300, Alexander Tarkhov wrote:
> Hello Bit,
>
> In addition to what Truman suggested (explicit approach)
> you can also try adding "from ip-options any" to your term.
>
> term NO-RT-ALERT {
>     from {
>         ip-options any;
>         ip-options-except router-alert;
>     }
>     then {
>         count NO-RT-ALERT;
>         log;
>         discard;
>     }
> }
>
> This way it might work.
> I think the way "-except" is programmed requires some positive scope
> of matching; otherwise it equals an empty from clause matching all
> packets. At least here in the documentation they always use some
> positive matching along with -except match conditions:
> http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policy-firewall-filter-how-to-specify-match-conditions.html
>
> Example:
> destination-address {
>     0.0.0.0/0;
>     10.1.1.0/24 except;
> }
>
> Greetings,
> -Alex
>
>
> On Mon, Dec 21, 2009 at 11:16 AM, Bit Gossip <bit.gossip at chello.nl> wrote:
> > inactive: term NO-RT-ALERT {
> >     from {
> >         ip-options-except router-alert;
> >     }
> >     then {
> >         count NO-RT-ALERT;
> >         log;
> >         discard;
> >     }
> > }
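For readers who want to see what the NO-RT-ALERT term is supposed to separate on the wire, here is an added example (not code from this thread, and not Junos code) that walks the IPv4 options area of a packet and applies the rule the term is after: a packet carrying any IP option other than Router Alert (RFC 2113, used by RSVP and IGMP) is a hit for the discard term, while a packet whose only option is Router Alert is not. The option type codes are the IANA values; the names follow the Junos `ip-options` keywords. The decision rule for a packet that carries Router Alert together with another option is this example's own reading of what the filter should do, not a statement of how Junos evaluates `ip-options-except`. All packets are constructed inline.

```python
"""
IPv4 option walker mirroring the intent of the NO-RT-ALERT term:
discard packets with IP options, but allow a packet whose only
option is Router Alert.

Added example; not code from the juniper-nsp thread or from Junos.
The decision rule in no_rt_alert_match() is an assumption about the
desired policy, not a description of Junos 'ip-options-except'.
"""
import struct

# IPv4 option type codes (copy flag | class | number), from IANA.
OPT_EOL = 0
OPT_NOP = 1
OPT_RECORD_ROUTE = 7
OPT_TIMESTAMP = 68
OPT_SECURITY = 130
OPT_LSRR = 131
OPT_STREAM_ID = 136
OPT_SSRR = 137
OPT_ROUTER_ALERT = 148

# Names chosen to match the Junos 'ip-options' match keywords.
OPTION_NAMES = {
    OPT_RECORD_ROUTE: "record-route",
    OPT_TIMESTAMP: "timestamp",
    OPT_SECURITY: "security",
    OPT_LSRR: "loose-source-route",
    OPT_STREAM_ID: "stream-id",
    OPT_SSRR: "strict-source-route",
    OPT_ROUTER_ALERT: "router-alert",
}


def parse_ipv4_options(packet: bytes) -> list:
    """Return the option type codes in an IPv4 header, skipping NOP/EOL.

    Raises ValueError on a malformed header or option TLV, so a
    truncated options area is never silently treated as 'no options'.
    """
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("IHL larger than packet")
    opts = packet[20:ihl]
    codes = []
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == OPT_EOL:
            break
        if t == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        codes.append(t)
        i += length
    return codes


def no_rt_alert_match(packet: bytes) -> bool:
    """True when the packet should hit the NO-RT-ALERT discard term.

    Assumed rule: any option other than Router Alert is a hit; a packet
    with no options, or whose only option is Router Alert, is not.
    """
    return any(c != OPT_ROUTER_ALERT for c in parse_ipv4_options(packet))


def build_ipv4(options: bytes, src="10.0.0.1", dst="224.0.0.22") -> bytes:
    """Constructed IPv4 header (checksum left zero) with the given options."""
    options = options + b"\x00" * (-len(options) % 4)  # pad to 32-bit words
    ihl = 5 + len(options) // 4
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 2, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return header + options


# Constructed sample packets.
PKT_PLAIN = build_ipv4(b"")
PKT_RT_ALERT = build_ipv4(bytes([OPT_ROUTER_ALERT, 4, 0, 0]))  # IGMP/RSVP style
PKT_RECORD_ROUTE = build_ipv4(bytes([OPT_RECORD_ROUTE, 7, 4, 0, 0, 0, 0]))
PKT_RT_ALERT_AND_LSRR = build_ipv4(
    bytes([OPT_ROUTER_ALERT, 4, 0, 0]) + bytes([OPT_LSRR, 7, 4, 0, 0, 0, 0])
)

if __name__ == "__main__":
    for name, pkt in [("plain", PKT_PLAIN), ("router-alert", PKT_RT_ALERT),
                      ("record-route", PKT_RECORD_ROUTE),
                      ("rt-alert+lsrr", PKT_RT_ALERT_AND_LSRR)]:
        names = [OPTION_NAMES.get(c, str(c)) for c in parse_ipv4_options(pkt)]
        print(f"{name:15s} options={names} discard={no_rt_alert_match(pkt)}")
```

The walker refuses malformed option areas rather than treating them as option-free, which is the failure mode a filter bypass would aim for; on a real router you would verify the actual term behaviour with `show firewall` counters and `monitor traffic` rather than rely on this approximation.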