On Sun, Dec 12, 2010 at 09:49:02PM -0600, Richard A Steenbergen <r...@e-gerbil.net> wrote:
> On Mon, Dec 13, 2010 at 10:51:26AM +0800, Gavin Tweedie wrote:
> >
> > I also have a case open with JTAC.
>
> For example, if you configured a single term to match on 0.0.0.0/8,
> 1.0.0.0/8, or 3.0.0.0/8, the firewall compiler would try to optimize
> that match into "0.0.0.0/6 && !2.0.0.0/8". The problem is the NOT match
> wasn't supported on the EX, so it would ignore that operation and match
> the 2.0.0.0/8 packets anyways, even though you didn't configure that
> range in your filter.

Richard how did you come to this realisation? Was this a JTAC case or do you have a way to look at the filter optimization?

I think I have seen similar outcomes, but don't know how to match it up with proof.

C.
--
+442077294797
http://mediaserviceprovider.com/
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
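
The optimization described in the quoted message can be modelled offline to list which ranges a filter term would over-match if the NOT clause were dropped, which gives concrete source ranges to test against a device. This is an added example, not code from the thread or from Juniper; the supernet-plus-exceptions model and every function name below are assumptions based only on the quoted description, and it handles IPv4 prefixes only.

```python
import ipaddress


def supernet_with_exceptions(prefixes):
    """Model a term as (covering supernet, excluded prefixes).

    Assumed model of the optimization quoted above: the configured
    prefixes are replaced by the smallest single prefix that contains
    them all, plus NOT matches for the unconfigured space inside it.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()

    # Carve each configured prefix out of the cover; what remains are
    # the ranges the NOT clause is supposed to exclude.
    remaining = [cover]
    for n in ipaddress.collapse_addresses(nets):
        carved = []
        for r in remaining:
            if n == r or r.subnet_of(n):
                continue                      # fully configured
            if n.subnet_of(r):
                carved.extend(r.address_exclude(n))
            else:
                carved.append(r)              # disjoint, keep as is
        remaining = carved
    return cover, sorted(ipaddress.collapse_addresses(remaining))


def term_matches(addr, cover, exceptions, not_supported):
    """Evaluate the optimized term for one address.

    not_supported=True models a platform that silently ignores the
    NOT clause, as the quoted message describes for the EX.
    """
    ip = ipaddress.ip_address(addr)
    if ip not in cover:
        return False
    if not_supported:
        return True
    return not any(ip in e for e in exceptions)


if __name__ == "__main__":
    # The three prefixes from the quoted message.
    cover, exc = supernet_with_exceptions(
        ["0.0.0.0/8", "1.0.0.0/8", "3.0.0.0/8"])
    print("optimized:", cover, "AND NOT", [str(e) for e in exc])
    for probe in ("1.2.3.4", "2.1.1.1", "3.9.9.9", "4.0.0.1"):  # constructed
        print(probe, term_matches(probe, cover, exc, False),
              term_matches(probe, cover, exc, True))
```

Any address inside a returned exception prefix is a candidate test source: if the device applies the term's action to it, the filter is matching space that was never configured.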