[j-nsp] Whats the best way to announce an IP range in BGP? Doesn't physically exist anywhere.
Pavel Lunin
plunin at senetsy.ru
Fri Jun 22 07:26:08 EDT 2012
> I have a /24 I want to announce, but I don't actually have it anywhere on
> the network. I NAT some of its IPs on the SRX that has the BGP session
> with our providers.
Static discard is really the best way. Aggregate/generate routes are
also theoretically possible, but if you are not sure you really need
some sort of external dynamism, it's better to nail it down with a static
route — fewer chances of having your routes damped somewhere after an
internal link flap.
>
> I've been using static routes with the discard flag, but I don't really
> like the way the SRX handles traffic. It still creates sessions for traffic
> destined to IPs not used anywhere (hitting the static route) and can be
> easily DoS'd because of this.
I saw such a thing a couple of times and it was not because SRX handles
traffic wrongly, but due to some sort of misconfiguration. If a packet
fell under the discard route, the session would not be created
(otherwise you caught a real showstopper bug, but I don't much believe
in this, to be honest). Moreover, in order to have a session established
you also need a security policy permit.
1. Check the route the packets actually fall under with "show
security flow session session-identifier <xxxx>". Very likely your
packets actually fall under a longer, more specific route, say one
automatically generated for proxy-arp or something like that.
2. Check the zones from and to which the sessions are established, and
which policy permits the traffic. From what you describe, policies
should block such traffic anyway.
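The setup the reply recommends, written out as an added Junos configuration example (not from the original thread or from Juniper): a static discard route for the announced /24, an export policy that advertises only that route to the upstream BGP group, and the operational commands for the two checks. The prefix 192.0.2.0/24 (documentation space), the group name "upstream", the policy name "EXPORT-DISCARD-AGG" and the sample session id are assumptions chosen for the example.

```junos
/* Assumed prefix: 192.0.2.0/24 stands in for the real /24. */
routing-options {
    static {
        /* The whole /24 lives only in the RIB; packets matching
           this route and nothing longer are dropped by the RE/PFE
           and never reach the flow module, so no session is built. */
        route 192.0.2.0/24 discard;
    }
}

policy-options {
    policy-statement EXPORT-DISCARD-AGG {
        /* Announce the discard route and nothing else. */
        term announce-aggregate {
            from {
                protocol static;
                route-filter 192.0.2.0/24 exact;
            }
            then accept;
        }
        term deny-rest {
            then reject;
        }
    }
}

protocols {
    bgp {
        group upstream {          /* assumed group name */
            export EXPORT-DISCARD-AGG;
        }
    }
}

/* Operational checks matching the two steps in the reply
   (run from the CLI, not part of the configuration):

   1. Which route does a packet to an unused address really hit?
      A longer, more specific route (e.g. one created for a NAT pool
      with proxy-arp) wins over the /24 discard entry:
        show route 192.0.2.77
        show security flow session destination-prefix 192.0.2.0/24
        show security flow session session-identifier 12345   <- assumed id

   2. Which zones and which policy let the session through?
      The from-zone/to-zone and policy name appear in the output above;
      confirm the policy with:
        show security policies from-zone untrust to-zone trust detail
*/
```

If step 1 shows a /32 or other longer route under the address, that route, not the discard entry, is what the SRX is forwarding on, and the session count explained in the thread follows from it; the fix is to narrow that route (or the NAT pool that generates it) rather than to change the discard route.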