Has anyone seen strange behavior when using a single prefix-list containing both IPv4 and IPv6 prefixes shared between two fw filters, one family inet and one family inet6? I just tried this, and the family inet6 filter is executing the "then syslog" term even when there is no match in the "from" clause.
Something like this:

    family inet { AND family inet6 {
        term PORT-MIRROR {
            then {
                port-mirror;
                next term;
            }
        }
        term TS-ALLOW {
            from {
                prefix-list {
                    TS-ALLOW;
                }
            }
            then {
                count TS-ALLOW;
                syslog;
                next term;
            }
        }
        term Accept-All {
            then accept;
        }
    }

For the family inet version, everything works correctly. For the family inet6 version (configured at the same time), any/all IPv6 traffic, regardless of whether it matches the prefix-list TS-ALLOW, is being subject to the syslog action. I was seeing link-local ND and site-local IPsec OSPF traffic matching.

The prefix-list TS-ALLOW contains only IPv4 address prefixes. I tried adding an IPv6 one (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128) just so there was at least one, but the result is the same.

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp