Experts, on the ground that only the following protocols are allowed to reach the RE: - BGP (runs PMTU so should not fragment packets) - ISIS is only L2 so it is not blocked by a firewall filter - OSPF, LDP, RSVP, PIM, IGMP, BFD, VRRP: don't know about them - ssh, snmp, tacacs, ntp, Icmp, domain
Is it correct to assume that for none of them is necessary to allow fragmens and packet with IP options? This way it is possible and safe to immediately reject on a loopback inbound filter all fragments and packets with IP options? Thanks, Bit. _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp