On Wed, Dec 15, 2010 at 11:00:10AM -0500, Chris Morrow <morr...@ops-netman.net> wrote:
> (ex-platform causes death/dismemberment/pain/anguish)
>
> On 12/15/10 09:18, Charlie Allom wrote:
> > On Sun, Dec 12, 2010 at 09:49:02PM -0600, Richard A Steenbergen
> > <r...@e-gerbil.net> wrote:
> >
> > Richard how did you come to this realisation? Was this a JTAC case or do
> > you have a way to look at the filter optimization?
>
> juniper doesn't normally release this sort of data, you can run some
> command to dump the optimized code out though... it's kinda ugly :(

Any tips on where to find this command? :)

> > I think I have seen similar outcomes, but don't know how to match it up
> > with proof.
>
> try this fun experiment:
> 1) apply loopback filter, permit ssh/bgp/ospf (things you include
> normally in your loopback filter)
> 2) if you permit 'icmp' or 'traceroute' to the device (use the device
> interface ips in the from clause, potentially with a prefix-list built
> from an apply-path expression
> 3) traceroute to something behind/beyond the device
>
> note that the device doesn't show up in the traceroute? ;( packet
> processing/firewalling fail.

No. I'll take your word for it :)

Regards,
C.

-- 
+442077294797 http://mediaserviceprovider.com/
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp