On Wed, Jun 20, 2012 at 10:14 PM, Morgan McLean <[email protected]> wrote:
> I have a /24 I want to announce, but I don't actually have it anywhere on
> the network. I NAT some of its IPs on the SRX that has the BGP session
> with our providers.
>
> I've been using static routes with the discard flag, but I don't really
> like the way the SRX handles traffic. It still creates sessions for traffic
> destined to IPs not used anywhere (hitting the static route) and can be
> easily DoS'd because of this.
>
> Is there a better way to just tell our providers hey, we have this range?
>

It sounds like you're using the SRX as an edge router with a BGP session upstream? I don't have this architecture here, but I had the same problem. I had my edge router announce the /24 to the BGP upstreams, and my SRX announce the /24 via OSPF to the MX. Unfortunately, one of my IPs was hammered, and filled up the session table with invalid sessions. That was the real issue, at least in my case: even invalid sessions were taking a session and prohibiting legitimate traffic from flowing.

The solution was to announce from the SRX to the MX (edge router) only the /32s that were actually in use.

I suppose that a firewall filter may help on your ingress ports to only permit the traffic to the /32s that are actually in use, but I can't say from experience if this will happen before a session is created, even in invalid state.

Scott

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
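The two mitigations Scott describes (announce only the /32s that are actually in use toward the edge router, and put a stateless filter on the ingress interface so packets for unused addresses in the /24 are dropped) can be expressed as Junos configuration. The snippet below is an added illustration, not configuration from Scott, Morgan or Juniper; it assumes a constructed documentation prefix 192.0.2.0/24 with only 192.0.2.10 and 192.0.2.11 in use, a hypothetical upstream-facing interface ge-0/0/0, made-up filter and policy names, and that the stateless interface filter is evaluated before the flow engine creates a session, which is exactly the point Scott says he cannot confirm from experience.

```junos
/* Hypothetical example: 192.0.2.0/24 is a constructed prefix, .10 and .11 are the only in-use NAT addresses. */
firewall {
    family inet {
        filter PROTECT-NAT-RANGE {
            /* Traffic to addresses that are really NATed passes to flow processing. */
            term in-use-hosts {
                from {
                    destination-address {
                        192.0.2.10/32;
                        192.0.2.11/32;
                    }
                }
                then accept;
            }
            /* Everything else inside the /24 is counted and dropped before any session exists. */
            term drop-unused {
                from {
                    destination-address {
                        192.0.2.0/24;
                    }
                }
                then {
                    count unused-nat-range-hits;
                    discard;
                }
            }
            /* Leave all other traffic untouched. */
            term default-accept {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        /* Hypothetical interface toward the MX / upstream. */
        unit 0 {
            family inet {
                filter {
                    input PROTECT-NAT-RANGE;
                }
            }
        }
    }
}
routing-options {
    static {
        /* Keep the covering /24 as a discard route so it is still reachable for the BGP announcement. */
        route 192.0.2.0/24 discard;
        /* Only the in-use /32s are given a next hop that the OSPF export policy will match. */
        route 192.0.2.10/32 next-hop 10.0.0.2;
        route 192.0.2.11/32 next-hop 10.0.0.2;
    }
}
policy-options {
    policy-statement EXPORT-IN-USE-32S {
        /* Export only /32 static routes inside the /24 toward the MX; the /24 itself is not exported. */
        term in-use-32s {
            from {
                protocol static;
                route-filter 192.0.2.0/24 prefix-length-range /32-/32;
            }
            then accept;
        }
        term reject-rest {
            then reject;
        }
    }
}
protocols {
    ospf {
        export EXPORT-IN-USE-32S;
        area 0.0.0.0 {
            interface ge-0/0/0.0;
        }
    }
}
```

Checking `show firewall filter PROTECT-NAT-RANGE` for the `unused-nat-range-hits` counter and `show security flow session destination-prefix 192.0.2.0/24` side by side tells you whether the drops happen before session creation: if the counter climbs while no sessions appear for the unused addresses, the filter is doing its job ahead of the flow engine; if sessions still appear, the only remaining lever is the route-based approach of not attracting that traffic to the SRX at all.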

