>> This is exactly what happened. The session table filled up. One of
>> our security guys took down our edge 650 cluster from a single unix
>> box out on the net.
> This is what happens when you use a stateful box for an internet router.
>
> a router with a covering aggregate and some knowledge of the more
> specific on the interior would inexpensively discard traffic bound for
> unreachable destinations.
1. First, sorry for writing this once again, but it's just not the case. Any more or less smart stateful device, whether SRX or anything else, must not create session states for packets falling under a discard route. And SRX does not, I checked. Filling up the session table is caused by either a bug or (rather) a design/config mistake.

2. There is nothing wrong in the idea of using a firewall as a single border device for both stateful processing and ASBR in most networks where a stateful edge device is needed and all external links are terminated in a single site.

3. This particular problem has nothing to do with BGP or any other routing. Even if Morgan had an MX at the edge and SRX behind it, this same thing would happen as well. He would use, say, a /27 as a source NAT pool on the SRX and announce it to the MX via IGP or iBGP, using actually the same means to create the route itself (static discard, aggregate, whatever). What will happen if an external host initiates a session towards an IP in this prefix? If the firewall creates sessions for such packets, what is the firewall needed for at all?

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
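As an added illustration of the setup described in point 3 (not the poster's own configuration and not a Juniper-supplied example), here is a Junos configuration for an SRX that holds its source NAT pool as a static discard route and exports only that prefix towards the interior. The prefix 192.0.2.0/27, the inside range 10.0.0.0/8, the zone names and the pool, rule-set and policy names are constructed; IBGP is assumed to be an already defined internal BGP group, of which only the export statement is shown.

```junos
routing-options {
    static {
        /* Constructed /27 NAT pool, not on any interface; held as a discard route */
        route 192.0.2.0/27 discard;
    }
}
security {
    nat {
        source {
            pool SNAT-POOL {
                address {
                    192.0.2.0/27;
                }
            }
            rule-set TRUST-TO-UNTRUST {
                from zone trust;
                to zone untrust;
                rule SNAT-ALL {
                    match {
                        source-address 10.0.0.0/8;
                    }
                    then {
                        source-nat {
                            pool {
                                SNAT-POOL;
                            }
                        }
                    }
                }
            }
        }
    }
}
policy-options {
    policy-statement EXPORT-NAT-POOL {
        term pool {
            from {
                route-filter 192.0.2.0/27 exact;
            }
            then accept;
        }
    }
}
protocols {
    bgp {
        group IBGP {
            export EXPORT-NAT-POOL;
        }
    }
}
```

With this in place, return traffic for translated sessions matches an existing session before any route lookup, while an unsolicited packet towards the pool matches no session, hits the discard route on its first-packet route lookup and is dropped without a session being created. `show security flow session destination-prefix 192.0.2.0/27` should therefore list only sessions that were initiated from the inside.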