This is expected behaviour. All other IP packets will also have an ip-options field and they are matching so they are then discarded. Maybe you need some more terms to accomplish what you want. I suspect you might want to explicitly discard specific ip-options.
Truman

On 21/12/2009, at 7:16 PM, Bit Gossip wrote:

> Dear experts,
> I am struggling to formulate a term to drop all packets with any
> ip-option set apart from router-alert.
> The following term does NOT work because it drops not only packets with
> ip-options other than router-alert, but also packets with NO
> ip-option !!!! Which of course is devastating !!!!!
> Any idea how to implement it?
> Thanks,
> bit.
>
>
> inactive: term NO-RT-ALERT {
>     from {
>         ip-options-except router-alert;
>     }
>     then {
>         count NO-RT-ALERT;
>         log;
>         discard;
>     }
> }
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
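
The gap between the negated match and the policy asked for in the question, as an added example that is not part of the original thread: a Python model (not Junos code) that walks the options field of constructed IPv4 headers. `negated_match` models the term's behaviour as reported in the question; all function names and sample packets are assumptions made for the illustration.

```python
import struct

ROUTER_ALERT = 148  # IPv4 option type 0x94 (RFC 2113)
EOL, NOP = 0, 1     # single-byte options: end of list, padding

def ipv4_option_types(header: bytes) -> list[int]:
    """Return the option type bytes present in a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad IHL")
    opts, i, found = header[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        if t == EOL:
            break
        if t == NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        found.append(t)
        i += opts[i + 1]
    return found

def negated_match(header: bytes) -> bool:
    """Model of 'anything but router-alert': also true when no option exists."""
    return ROUTER_ALERT not in ipv4_option_types(header)

def intended_drop(header: bytes) -> bool:
    """Policy from the question: drop only if a non-router-alert option is set."""
    return any(t != ROUTER_ALERT for t in ipv4_option_types(header))

def make_header(options: bytes = b"") -> bytes:
    """Build a constructed IPv4 header (checksum left at 0) with the options."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 2,
                       0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options

# Constructed sample headers (documentation addresses, no payload).
PLAIN = make_header()                                        # no options
ALERT = make_header(b"\x94\x04\x00\x00")                     # router-alert only
RECORD_ROUTE = make_header(b"\x07\x07\x04\x00\x00\x00\x00")  # record-route only
MIXED = make_header(b"\x94\x04\x00\x00\x07\x07\x04\x00\x00\x00\x00")
```

The two predicates disagree on `PLAIN`, which is the over-match described in the question, and on `MIXED`, a case any multi-term replacement filter has to decide explicitly.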