Hello Bit,

In addition to what Truman suggested (explicit approach), you can also try adding "from ip-options any" to your term.

term NO-RT-ALERT {
    from {
        ip-options any;
        ip-options-except router-alert;
    }
    then {
        count NO-RT-ALERT;
        log;
        discard;
    }
}

This way it might work. I think the way "-except" is programmed requires some positive scope of matching, otherwise it equals an empty from clause matching all packets. At least here in the documentation they always use some positive matching along with -except match conditions:

http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policy-firewall-filter-how-to-specify-match-conditions.html

Example:

destination-address {
    0.0.0.0/0;
    10.1.1.0/24 except;
}

Greetings,
-Alex

On Mon, Dec 21, 2009 at 11:16 AM, Bit Gossip <bit.gos...@chello.nl> wrote:
> inactive: term NO-RT-ALERT {
>     from {
>         ip-options-except router-alert;
>     }
>     then {
>         count NO-RT-ALERT;
>         log;
>         discard;
>     }
> }

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp