[j-nsp] Rate limit ARP per interface (or JUNOS bug)?

david.roy at orange-ftgroup.com
Fri May 15 03:53:53 EDT 2009

You can use an ARP policer per VLAN:

On your interface:

set interfaces ge-X/Y/Y unit XXX family inet policer arp ARP-POLICER

firewall {
    policer ARP-POLICER {
        if-exceeding {
            bandwidth-limit 32k;
            burst-size-limit 32k;
        }
        then discard;
    }
}


-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Chris Adams
Sent: Friday, May 15, 2009 01:51
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Rate limit ARP per interface (or JUNOS bug)?

I had a problem with a metroE circuit today where the provider screwed up the link and had it looped back to me (so every packet I sent came right back).  The link connects to a switch and comes into my Juniper M10i as a VLAN on an 802.1q trunk.

The problem was that my router was sending ARP requests out, getting them back, and sending them out again, looping madly.  On my monitoring system, it looks like we hit 1500 packets per second doing this.

While this doesn't appear to have had any effect on the CFEB or RE CPU, it appeared to have caused problems with other ARP requests (I'm assuming as other ARP entries expired).  I had various servers (on other ports on the same PIC) have traffic problems that cleared themselves up (and the problems stopped when I killed the problem metroE link).

Is this behavior a JUNOS bug or am I supposed to be rate-limiting ARP requests (on a per-VLAN basis) somehow?
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
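Added example (not part of the original messages): a token-bucket model of the 32k/32k policer from the reply, fed the roughly 1500 packets per second of looped ARP reported in the question. Assumptions: each ARP packet is charged as a 64-byte frame, "k" means 1000, and the bucket starts full; the function name police is hypothetical.

```python
from fractions import Fraction


def police(pps, frame_bytes, seconds, bandwidth_bps=32_000, burst_bytes=32_000):
    """Single-rate, two-colour token bucket (the 'then discard' policer).

    Returns the number of packets that pass in each one-second window.
    Assumed, not taken from the thread: frame_bytes is what the policer
    charges per ARP packet, and the bucket is full when the storm starts.
    """
    rate = Fraction(bandwidth_bps, 8)      # token refill in bytes per second
    gap = Fraction(1, pps)                 # time between packet arrivals
    cap = Fraction(burst_bytes)            # bucket depth in bytes
    tokens = cap
    passed = [0] * seconds
    for n in range(pps * seconds):
        if n:                              # refill for the time since last packet
            tokens = min(cap, tokens + rate * gap)
        if tokens >= frame_bytes:          # conforming: forward and charge bucket
            tokens -= frame_bytes
            passed[n // pps] += 1
        # otherwise the packet exceeds the policer and is discarded
    return passed


if __name__ == "__main__":
    # Constructed inputs: the looped-circuit storm versus a quiet segment.
    print("1500 pps storm :", police(1500, 64, 5))
    print("20 pps baseline:", police(20, 64, 5))
```

Under these assumptions the storm is cut to the initial burst and then about 62 packets per second, but genuine ARP on the same unit draws from the same bucket while the loop lasts.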