On Mon, 16 Jul 2018 at 16:32, Benny Lyne Amorsen
<benny+use...@amorsen.dk> wrote:

> Ideally JunOS should offer another way of distinguishing between forward
> traffic and locally-terminated/originated traffic in ACLs, without
> having to rely on getting lists of IP addresses correct. The box knows
> whether it is terminating the traffic or not. Just let me filter based
> on that... (I know, it is not that easy to implement in practice.)

Generally yes. But then there are some debatable things like IP
options and DHCP snooping, which are transit but subject to RE. So
should they be subject to LO0, or should you just police them in
forwarding-filters? I believe the latter; Juniper seems to think the former.

-- 
  ++ytti
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
