[j-nsp] Ratelimiting ARP-Requests

Pekka Savola pekkas at netcore.fi
Fri Jun 29 01:59:43 EDT 2007


On Thu, 28 Jun 2007, Guy Davies wrote:
> Won't that simply rate-limit *all* traffic traversing that interface
> to 5m?  You'd need to identify arp traffic specifically, using a
> firewall filter and apply that to the interface.

No, because it's configured as an ARP policer, not as a generic 
input/output policer [1].

It's not even possible to match ARP traffic with a firewall filter 
because doing so would require L2 matching which isn't supported.

[1]
http://www.juniper.net/techpubs/software/junos/junos82/swconfig82-network-interfaces/html/interfaces-summary336.html

> A shared, non-configurable policer is applied to all Ethernet
> interfaces on which family inet is configured in a chassis.  You can
> configure an ARP policer on a per interface basis.  This will override
> the default policer.
>
> Guy
>
> On 28/06/07, Gunjan GANDHI (BR/EPA) <gunjan.gandhi at ericsson.com> wrote:
>> Jens,
>>  It is possible to do this on a per interface basis, not sure if you can
>> do on a per node basis. Here is a sample syntax example.
>>
>> [edit]
>> root at Testlab1# show interfaces ge-0/0/0
>> vlan-tagging;
>> unit 502 {
>>     vlan-id 502;
>>     family inet {
>>         policer {
>>             arp Block_ARP;
>>         }
>>         address 172.20.16.52/24;
>>     }
>> }
>>
>> [edit]
>> root at Testlab1# show firewall
>> policer Block_ARP {
>>      if-exceeding {
>>          bandwidth-limit 5m;
>>          burst-size-limit 50k;
>>      }
>> }
>>
>> Cheers
>> //Gunjan
>>
>>
>> -----Original Message-----
>> From: juniper-nsp-bounces at puck.nether.net
>> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
>> jens.hoffmann at email.de
>> Sent: Thursday, 28 June 2007 3:01 AM
>> To: juniper-nsp at puck.nether.net
>> Subject: [j-nsp] Ratelimiting ARP-Requests
>>
>> Dear colleagues,
>>
>> I'm looking for advice about the possibilities to ratelimit incoming
>> ARP requests.
>>
>> What's the correct syntax for an effective filter rule to solve this
>> problem?
>>
>> Kind Regards
>> Jens
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
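A way to audit a configuration for the per-interface ARP policer discussed in this thread, as an added example (Python, not code from the thread or from Juniper); it assumes the brace-style `show` output quoted above and a constructed sample config with one unit that has the policer and one that does not.

```python
# Added example, not from the thread: audit a Junos-style configuration so that
# every `family inet` unit carries its own `policer { arp ...; }` and does not
# silently fall back to the shared chassis-wide ARP policer. Sample is constructed.
SAMPLE_CONFIG = """
interfaces {
    ge-0/0/0 {
        unit 502 {
            family inet {
                policer {
                    arp Block_ARP;
                }
                address 172.20.16.52/24;
            }
        }
        unit 503 {
            family inet {
                address 172.20.17.52/24;
            }
        }
    }
}
"""

def parse(text):
    """Junos brace syntax -> nested dicts; a leaf `key value;` maps key to value."""
    root = node = {}
    stack = []
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):          # open stanza, e.g. "unit 502 {"
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line == "}":               # close stanza
            node = stack.pop()
        elif line.endswith(";"):        # leaf, e.g. "arp Block_ARP;"
            key, _, val = line[:-1].partition(" ")
            node[key] = val or True     # repeated keys (several addresses) overwrite
    return root

def units_without_arp_policer(cfg):
    """Return 'ifname unit N' for every inet unit that has no `policer { arp ...; }`."""
    missing = []
    for ifname, ifcfg in cfg.get("interfaces", {}).items():
        for key, unit in ifcfg.items():
            inet = unit.get("family inet") if key.startswith("unit ") else None
            if inet is not None and "arp" not in inet.get("policer", {}):
                missing.append(f"{ifname} {key}")
    return missing
```

Feeding the constructed sample through `units_without_arp_policer(parse(SAMPLE_CONFIG))` flags `ge-0/0/0 unit 503`, the unit that still relies on the default shared policer.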

