[j-nsp] Maximum no. of static arp entries in M7i

Truman Boyes truman at suspicious.org
Mon Jun 29 15:21:04 EDT 2009


Make sure that you add the static arp entries into the configuration  
and not from any shell commands; otherwise if the router reboots your  
entries will need to be re-added.

I know you can configure 10k mac filters on the IQ2, not sure about  
scaling higher than that. You could test this or ask your local SE  
team to help you.

Truman


On 29/06/2009, at 2:20 PM, Samit wrote:

> So, do you think that if I acquire an IQ2 PIC I should be able to insert
> thousands of filter lines like the one below:
>
> /sbin/iptables -i eth2 -m mac --mac-source 00:60:47:40:f0:72 -s 192.168.0.1/24 -m limit --limit 100/second -j ACCEPT
>
> Regards,
> Samit
>
> Patrik Olsson wrote:
>> Hello,
>>
>> Too bad!
>> With IQ2 PIC and possibly ISE features on an I chip upgraded M series
>> you probably could have fixed it without static ARP:s
>>
>> Cheers
>> Patrik
>>
>>
>> Samit wrote:
>>> Hi Tarique,
>>>
>>> Thanks, but I am not running MPLS/VPLS, nor do I have an IQ PIC.
>>>
>>> Regards,
>>> Samit
>>>
>>>
>>> Nalkhande Tarique Abbas wrote:
>>>> Samit
>>>>
>>>> Something similar to limit source-mac should help...you can try to
>>>> fine-tune it further!
>>>>
>>>>
>>>> lab at M120# show interfaces ge-1/3/0
>>>> encapsulation flexible-ethernet-services;
>>>> gigether-options {   <===
>>>>    source-filtering;
>>>>
>>>> }
>>>>
>>>> }
>>>> ....
>>>> ....
>>>> ....
>>>>
>>>> vlan-id 1001;
>>>> encapsulation vlan-vpls
>>>> accept-source-mac {
>>>>       mac-address 00:17:9a:00:73:91; <===
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Thanks & Regards,
>>>> Tarique
>>>>
>>>> -----Original Message-----
>>>> From: juniper-nsp-bounces at puck.nether.net
>>>> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Samit
>>>> Sent: Friday, June 26, 2009 10:50 AM
>>>> To: Patrik Olsson
>>>> Cc: juniper-nsp
>>>> Subject: Re: [j-nsp] Maximum no. of static arp entries in M7i
>>>>
>>>> In a scenario with static IP address allocation to customers, is there
>>>> any other way to discourage users from abusing another subscriber's
>>>> IP or MAC address and accessing/abusing the Internet in an L2 switched
>>>> network (wired/wireless) where you do not have the capability to control
>>>> this from a switch port?
>>>>
>>>> Currently I am using a Linux router and doing IP+MAC filtering using
>>>> iptables, and am now wondering if I can replace it with a Juniper M7i to
>>>> do the same, but I believe it is not possible to run such filtering.
>>>>
>>>> Samit
>>>>
>>>> Patrik Olsson wrote:
>>>>> Out of sheer curiosity, why static arp:s?
>>>>>
>>>>> Patrik
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Any idea how many static ARP entries the M7i interfaces/Junos will
>>>>>> accept and work with?
>>>>>>
>>>>>> interfaces ge-1/3/0 {
>>>>>>    unit 0 {
>>>>>>        family inet {
>>>>>>            address 192.168.0.1/24 {
>>>>>>                arp 192.168.0.2 mac  00:17:f2:cb:89:43;
>>>>>>            }
>>>>>>        }
>>>>>>    }
>>>>>> }
>>>>>>
>>>>>> Regards,
>>>>>> Samit
>>>>>> _______________________________________________
>>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>
>>>>
>>
>>
>
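
Following the advice above to keep static ARP entries in the configuration rather than in the shell, here is an added example (not code from any poster in this thread): a Python sketch that validates an IP/MAC binding list and emits Junos `set` commands for the `arp ... mac ...` statement shown in the original question. The function name, the one-IP-per-MAC rule, and all sample bindings except the first are assumptions made for illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def static_arp_commands(ifname, unit, address, bindings):
    """Validate (ip, mac) pairs; return (set_commands, errors)."""
    iface = ipaddress.ip_interface(address)
    net = iface.network
    # The router's own address and the network/broadcast addresses are not subscribers.
    reserved = {iface.ip, net.network_address, net.broadcast_address}
    seen_ip, seen_mac = {}, {}
    commands, errors = [], []
    for n, (ip_text, mac_text) in enumerate(bindings, 1):
        mac = mac_text.strip().lower().replace("-", ":")
        try:
            ip = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            errors.append(f"entry {n}: invalid IP {ip_text!r}")
            continue
        if not MAC_RE.match(mac):
            errors.append(f"entry {n}: invalid MAC {mac_text!r}")
        elif int(mac[:2], 16) & 1:  # group bit set: multicast or broadcast
            errors.append(f"entry {n}: {mac} is a group MAC")
        elif ip not in net or ip in reserved:
            errors.append(f"entry {n}: {ip} is not a usable host in {net}")
        elif ip in seen_ip:
            errors.append(f"entry {n}: {ip} already bound in entry {seen_ip[ip]}")
        elif mac in seen_mac:  # assumption: one IP per subscriber MAC
            errors.append(f"entry {n}: {mac} already bound in entry {seen_mac[mac]}")
        else:
            seen_ip[ip], seen_mac[mac] = n, n
            commands.append(
                f"set interfaces {ifname} unit {unit} family inet "
                f"address {address} arp {ip} mac {mac}")
    return commands, errors

# Constructed sample bindings; only the first pair appears in the thread.
SAMPLE = [
    ("192.168.0.2", "00:17:f2:cb:89:43"),
    ("192.168.0.3", "00-60-47-40-F0-72"),  # normalised to lower-case, colons
    ("192.168.0.3", "00:60:47:40:f0:73"),  # duplicate IP
    ("192.168.0.4", "00:17:f2:cb:89:43"),  # duplicate MAC
    ("192.168.1.5", "00:60:47:40:f0:74"),  # outside 192.168.0.0/24
    ("192.168.0.6", "01:00:5e:00:00:01"),  # multicast MAC
]

if __name__ == "__main__":
    cmds, errs = static_arp_commands("ge-1/3/0", 0, "192.168.0.1/24", SAMPLE)
    print("\n".join(cmds))
    print("\n".join("REJECTED " + e for e in errs))
```

The emitted lines can be reviewed and loaded in configuration mode so the bindings survive a reboot; rejected entries are reported instead of silently overwriting an earlier binding.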


