Hi Alex, that would be a great solution but unfortunately 'ip-options any' and 'ip-options-except router-alert' are mutually exclusive; that is, the last one typed in overwrites the previous one :-( Thanks, bit.
On Wed, 2009-12-23 at 12:37 +0300, Alexander Tarkhov wrote:
> Hello Bit,
>
> In addition to what Truman suggested (explicit approach)
> you can also try adding "from ip-options any" to your term.
>
> term NO-RT-ALERT {
>     from {
>         ip-options any;
>         ip-options-except router-alert;
>     }
>     then {
>         count NO-RT-ALERT;
>         log;
>         discard;
>     }
> }
>
> This way it might work.
> I think the way "-except" is programmed requires some positive scope
> of matching, otherwise it equals an empty from clause matching all
> packets. At least here in the documentation they always use some
> positive matching along with -except match conditions:
> http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policy-firewall-filter-how-to-specify-match-conditions.html
>
> Example:
> destination-address {
>     0.0.0.0/0;
>     10.1.1.0/24 except;
> }
>
> Greetings,
> -Alex
>
>
> On Mon, Dec 21, 2009 at 11:16 AM, Bit Gossip <bit.gos...@chello.nl> wrote:
> > inactive: term NO-RT-ALERT {
> >     from {
> >         ip-options-except router-alert;
> >     }
> >     then {
> >         count NO-RT-ALERT;
> >         log;
> >         discard;
> >     }
> > }
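Since the thread establishes that a single term cannot combine `ip-options any` with `ip-options-except router-alert` (the second statement overwrites the first), the usual way to get the intended behaviour is to split it across two terms and rely on Junos evaluating filter terms in order. The following is an added example written for this page, not a configuration posted by either participant and not the "explicit approach" Truman is said to have suggested; the filter name PROTECT-RE and the trailing DEFAULT term are assumptions, and where the filter is applied (typically as an input filter on lo0 to protect the Routing Engine) is left to the reader.

```junos
firewall {
    family inet {
        filter PROTECT-RE {
            /* Added example: filter name and DEFAULT term are assumptions. */
            /* Term 1: packets carrying the router-alert option are accepted here,
               so the following term never sees them. Use "then next term;"
               instead of accept if later terms should still inspect them. */
            term ALLOW-RT-ALERT {
                from {
                    ip-options router-alert;
                }
                then accept;
            }
            /* Term 2: everything still carrying any IP option (i.e. any option
               other than router-alert) is counted, logged and discarded. */
            term NO-RT-ALERT {
                from {
                    ip-options any;
                }
                then {
                    count NO-RT-ALERT;
                    log;
                    discard;
                }
            }
            /* Packets without IP options fall through to the default action. */
            term DEFAULT {
                then accept;
            }
        }
    }
}
```

After committing, `show firewall filter PROTECT-RE` displays the NO-RT-ALERT counter and `show firewall log` shows the logged discards, which is the quickest way to confirm that option-bearing packets other than router-alert are actually hitting the second term rather than being matched by the first.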