On Fri, Feb 29, 2008 at 05:51:20PM +0300, Alexandre Snarskii wrote:
> Hi!
>
> During narrowing down one of our problems, I found, that I'm able
> to ping juniper from directly connected (vlan) subinterface only
> when ICMP payload size is more or equal 18 bytes...
> [....]
>
> Question: is there any way to fix this behaviour ? (short ICMP pings
> is the way the RAD IPMux verifies mac-address of his gateway, and
> we're just unable to use IPMux'es as downlinks to Juniper)..

Just for google: RAD IPMux is not checking the ICMP code in the reply, so
rejecting 'short' pings with host-prohibited helps them to verify
next-hop availability. And that can be done with the following firewall filter:

[EMAIL PROTECTED]> show configuration firewall filter drop_shorts
term main {
    from {
        packet-length 20-45;
        protocol icmp;
        icmp-type echo-request;
    }
    then {
        reject host-prohibited;
    }
}
term default {
    then accept;
}
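
Added example, not part of the original message: a Python model of the drop_shorts filter above, showing which ICMP payload sizes fall inside packet-length 20-45. It assumes packet-length counts the whole IP packet (IP header included, no Layer 2 overhead) and a 20-byte IPv4 header without options; the function names and the sample addresses are hypothetical.

```python
import struct

IP_HDR_LEN = 20        # assumption: IPv4 header without options
ICMP_HDR_LEN = 8       # type, code, checksum, identifier, sequence
ICMP_ECHO_REQUEST = 8
PROTO_ICMP = 1


def build_echo_request(payload_len, icmp_type=ICMP_ECHO_REQUEST):
    """Build a constructed IPv4 + ICMP packet (checksums left at zero)."""
    total_len = IP_HDR_LEN + ICMP_HDR_LEN + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                     PROTO_ICMP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip + icmp + bytes(payload_len)


def drop_shorts(packet):
    """Return the action the two filter terms would take for this packet."""
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]   # IP total length field
    proto = packet[9]
    # term main: packet-length 20-45, protocol icmp, icmp-type echo-request
    if (20 <= total_len <= 45 and proto == PROTO_ICMP
            and len(packet) > ihl and packet[ihl] == ICMP_ECHO_REQUEST):
        return "reject host-prohibited"
    # term default: everything else is accepted
    return "accept"


def largest_rejected_payload(limit=64):
    """Largest ICMP payload size (bytes) that term main still matches."""
    return max(n for n in range(limit)
               if drop_shorts(build_echo_request(n)) != "accept")


if __name__ == "__main__":
    for n in (0, 17, 18, 56):
        print(f"payload {n:2d} bytes -> {drop_shorts(build_echo_request(n))}")
```

Under these assumptions the upper bound of 45 bytes is 20 (IP) + 8 (ICMP) + 17, so the filter answers exactly the echo requests with payloads below the 18 bytes mentioned in the quoted message.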