[j-nsp] Ratelimiting ARP-Requests

Guy Davies aguydavies at gmail.com
Fri Jun 29 04:02:06 EDT 2007


Yep, Pekka (and Erdem and Gunjan) are right.  I missed that little
word in the policer section.

Apologies.

Rgds,

Guy

On 29/06/07, Pekka Savola <pekkas at netcore.fi> wrote:
> On Thu, 28 Jun 2007, Guy Davies wrote:
> > Won't that simply rate-limit *all* traffic traversing that interface
> > to 5m?  You'd need to identify arp traffic specifically, using a
> > firewall filter and apply that to the interface.
>
> No, because it's configured as an ARP policer, not as a generic
> input/output policer [1].
>
> It's not even possible to match ARP traffic with a firewall filter
> because doing so would require L2 matching which isn't supported.
>
> [1]
> http://www.juniper.net/techpubs/software/junos/junos82/swconfig82-network-interfaces/html/interfaces-summary336.html
>
>
> > A shared, non-configurable policer is applied to all Ethernet
> > interfaces on which family inet is configured in a chassis.  You can
> > configure an ARP policer on a per interface basis.  This will override
> > the default policer.
> >
> > Guy
> >
> > On 28/06/07, Gunjan GANDHI (BR/EPA) <gunjan.gandhi at ericsson.com> wrote:
> >> Jens,
> >> It is possible to do this on a per-interface basis; not sure if you can
> >> do it on a per-node basis. Here is a sample syntax example.
> >>
> >> [edit]
> >> root at Testlab1# show interfaces ge-0/0/0
> >> vlan-tagging;
> >> unit 502 {
> >>     vlan-id 502;
> >>     family inet {
> >>         policer {
> >>             arp Block_ARP;
> >>         }
> >>         address 172.20.16.52/24;
> >>     }
> >> }
> >>
> >> [edit]
> >> root at Testlab1# show firewall
> >> policer Block_ARP {
> >>     if-exceeding {
> >>         bandwidth-limit 5m;
> >>         burst-size-limit 50k;
> >>     }
> >> }
> >>
> >> Cheers
> >> //Gunjan
> >>
> >>
> >> -----Original Message-----
> >> From: juniper-nsp-bounces at puck.nether.net
> >> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> >> jens.hoffmann at email.de
> >> Sent: Thursday, 28 June 2007 3:01 AM
> >> To: juniper-nsp at puck.nether.net
> >> Subject: [j-nsp] Ratelimiting ARP-Requests
> >>
> >> Dear colleagues,
> >>
> >> I'm looking for advice about the possibilities to rate-limit incoming
> >> ARP requests.
> >>
> >> What's the correct syntax for an effective filter rule to solve this
> >> problem?
> >>
> >> Kind Regards
> >> Jens
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>
> >
>
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>
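The 5m / 50k policer from the thread expressed in ARP frames rather than bits, as an added example that is not part of any message above. It assumes the policer counts a 64-byte minimum Ethernet frame per ARP request, and the "set"-style rendering of the configuration is mine, not quoted from the thread.

```python
# Sizing helper for the ARP policer discussed in the thread. Junos expresses
# bandwidth-limit in bits per second and burst-size-limit in bytes, with the
# suffixes k = 10^3, m = 10^6 and g = 10^9; ARP frames are tiny, so 5m / 50k
# translates into a much larger packet rate than the numbers suggest.

# Assumption (not stated in the thread): the policer sees a minimum-size
# Ethernet frame of 64 bytes including FCS. Platforms differ in which bytes
# they count, so treat the results as estimates.
MIN_ARP_FRAME_BYTES = 64
_SUFFIX = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}

def parse_junos_value(text: str) -> int:
    """Turn a Junos quantity such as '5m' or '50k' into an integer."""
    text = text.strip().lower()
    suffix = text[-1] if text[-1] in _SUFFIX else ""
    number = text[:-1] if suffix else text
    if not number.isdigit():
        raise ValueError(f"not a Junos quantity: {text!r}")
    return int(number) * _SUFFIX[suffix]

def arp_pps(bandwidth_limit: str, frame_bytes: int = MIN_ARP_FRAME_BYTES) -> int:
    """Sustained ARP frames per second admitted by a bandwidth-limit value."""
    return parse_junos_value(bandwidth_limit) // (frame_bytes * 8)

def burst_packets(burst_size_limit: str, frame_bytes: int = MIN_ARP_FRAME_BYTES) -> int:
    """Back-to-back ARP frames the burst-size-limit admits on top of the rate."""
    return parse_junos_value(burst_size_limit) // frame_bytes

def policer_for_pps(target_pps: int, burst_ms: int, frame_bytes: int = MIN_ARP_FRAME_BYTES) -> dict:
    """Work backwards from a desired ARP rate and tolerated burst duration (ms)
    to the bandwidth-limit (bps) and burst-size-limit (bytes) to configure."""
    bps = target_pps * frame_bytes * 8
    burst_bytes = target_pps * frame_bytes * burst_ms // 1000
    return {"bandwidth-limit": bps, "burst-size-limit": burst_bytes}

def set_commands(policer: str, interface: str, unit: int, bandwidth: str, burst: str) -> list:
    """The thread's configuration rendered in Junos 'set' syntax (my rendering)."""
    return [
        f"set firewall policer {policer} if-exceeding bandwidth-limit {bandwidth}",
        f"set firewall policer {policer} if-exceeding burst-size-limit {burst}",
        f"set interfaces {interface} unit {unit} family inet policer arp {policer}",
    ]

if __name__ == "__main__":
    print(f"5m  -> about {arp_pps('5m')} ARP requests/s sustained")
    print(f"50k -> about {burst_packets('50k')} frames of burst")
    print("\n".join(set_commands("Block_ARP", "ge-0/0/0", 502, "5m", "50k")))
```

Under the 64-byte assumption the sample policer still lets through roughly 9,700 ARP requests per second, so a policer meant to protect the control plane usually needs a far smaller bandwidth-limit than 5m.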

