> I have a /24 I want to announce, but I don't actually have it anywhere on > the network. I NAT some of its IP's on the SRX that has the BGP session > with our providers. Static discard is really the best way. Aggregate/generate routes are also theoretically possible, but if you are not sure you really need some sort of external dynamism, it's better to nail it down with static — less chances to have your routes damped somewhere after an internal link flap. > > I've been using static routes with the discard flag, but I don't really > like the way the SRX handles traffic. It still creates sessions for traffic > destined to IP's not used anywhere (hitting the static route) and can be > easily dos'd because of this. I saw such a thing a couple of times and it was not because SRX handles traffic wrongly, but due to some sort of misconfiguration. If a packet fell under the discard route, the session would not be created (otherwise you caught a real showstopper bug, but I don't much believe in this, to be honest). Moreover, in order to have a session established you also need a security policy permit.
1. Check the route where the packets actually fall under with "show security flow session session-identifier <xxxx>". Very likely that your packets actually fall under a longer specific route. Say, automatically generated for proxy-arp or something like. 2. Check the zones, from and to which the sessions are established, which policy permits the traffic. As of what you describe, policies should block such traffic anyway. _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp