On Fri, 17 May 2024 at 10:36, Antti Ristimäki <[email protected]> wrote:
> iACL design becomes a bit more challenging if you want to keep the
> link-local things link local (e.g. there are legit ND packets with
> link-local srcaddr and GUA dstaddr). It is doable, though.

Not disagreeing, but what are these packets? And can you drop link-local in two forwarding-filter terms?

I know ND can be any permutation, but those can be handled in earlier terms in iACL without matching addresses, by matching icmp6 types and hop-limit 255.

--
  ++ytti
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
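Added example, not part of the original message or anyone's actual configuration: a Python model of the term ordering discussed above, where ND is accepted by ICMPv6 type and hop-limit 255 without matching addresses, and two later terms drop link-local source and destination. Term names, verdicts and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ND_TYPES = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, Redirect (RFC 4861)
ICMP6 = 58                            # IPv6 next-header value for ICMPv6

@dataclass
class Pkt:
    src: str
    dst: str
    next_header: int
    hop_limit: int
    icmp6_type: Optional[int] = None

def is_ll(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LINK_LOCAL

# Ordered first-match terms; names and verdicts are hypothetical.
TERMS = [
    # ND matched without addresses: ICMPv6 type plus hop-limit 255,
    # which a packet forwarded by any router can no longer carry.
    ("nd", lambda p: p.next_header == ICMP6 and p.icmp6_type in ND_TYPES
                     and p.hop_limit == 255, "accept"),
    ("ll-src", lambda p: is_ll(p.src), "discard"),
    ("ll-dst", lambda p: is_ll(p.dst), "discard"),
]

def evaluate(p: Pkt):
    """Return (term, action) of the first matching term."""
    for name, match, action in TERMS:
        if match(p):
            return name, action
    return "rest-of-filter", "next"

# Constructed sample packets (2001:db8::/32 is documentation space).
SAMPLES = {
    "ns_ll_to_gua": Pkt("fe80::1", "2001:db8::1", ICMP6, 255, 135),
    "ns_hop64":     Pkt("fe80::1", "2001:db8::1", ICMP6, 64, 135),
    "echo_ll":      Pkt("fe80::1", "fe80::2", ICMP6, 255, 128),
    "udp_ll_src":   Pkt("fe80::1", "2001:db8::1", 17, 64),
    "tcp_ll_dst":   Pkt("2001:db8::2", "fe80::1", 6, 64),
    "tcp_gua":      Pkt("2001:db8::2", "2001:db8::1", 6, 64),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, evaluate(pkt))
```

The `ns_ll_to_gua` sample is the link-local source, GUA destination ND case from the quoted text; it is accepted by the `nd` term before either address term is reached, while the same packet with hop-limit 64 falls to `ll-src`.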

