[j-nsp] Rate limit ARP per interface (or JUNOS bug)?

Niels den Otter Niels.denOtter at surfnet.nl
Fri May 15 04:16:28 EDT 2009


On Friday, 15 May 2009, david.roy at orange-ftgroup.com wrote:
> You can use an ARP policer per VLAN:
> 
> On your interface:
> 
> set interfaces ge-X/Y/Y unit XXX family inet policer arp ARP-POLICER
> 
> firewall policer ARP-POLICER {
>     if-exceeding {
>         bandwidth-limit 32k;
>         burst-size-limit 32k;
>     }
>     then discard;
> }

We have also found out the hard way. Doing the above using a group
configuration makes it easy to implement:

set groups klant-interface interfaces <*> unit <*> family inet policer arp per-interface-arp-limiter
set interfaces ge-0/3/0 apply-groups klant-interface
[...]
set firewall policer per-interface-arp-limiter if-exceeding bandwidth-limit 150k
set firewall policer per-interface-arp-limiter if-exceeding burst-size-limit 15k
set firewall policer per-interface-arp-limiter then discard



-- Niels
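
What the 150k/15k values in this thread do to an ARP storm, as an added example that is not part of the original post: a Python token-bucket model of a single-rate policer. It assumes 64 bytes are counted per ARP packet, that the `k` suffix means x1000, and that the bucket starts full; the accounting on a real Junos device may differ.

```python
"""Token-bucket model of the per-interface ARP policer (added example)."""

BANDWIDTH_BPS = 150_000  # bandwidth-limit 150k, in bits per second
BURST_BYTES = 15_000     # burst-size-limit 15k, in bytes
ARP_BYTES = 64           # assumption: bytes counted per ARP packet
SCALE = 1_000_000        # tokens are kept in bit-microseconds (integers only)


def arrivals(pps, seconds):
    """Evenly spaced packet arrival times in microseconds (constructed input)."""
    return [i * SCALE // pps for i in range(pps * seconds)]


def police(times_us, rate_bps=BANDWIDTH_BPS, burst=BURST_BYTES, size=ARP_BYTES):
    """Return one boolean per packet: True = forwarded, False = discarded."""
    cap = burst * 8 * SCALE    # bucket depth
    cost = size * 8 * SCALE    # tokens consumed by one packet
    tokens = cap               # assumption: bucket starts full
    last = times_us[0] if times_us else 0
    verdicts = []
    for t in times_us:
        # Refill for the elapsed time, never beyond the burst size.
        tokens = min(cap, tokens + (t - last) * rate_bps)
        last = t
        if tokens >= cost:
            tokens -= cost
            verdicts.append(True)
        else:
            verdicts.append(False)   # "then discard"
    return verdicts


def summary(pps, seconds=10):
    """Total forwarded packets and packets forwarded in the final second."""
    v = police(arrivals(pps, seconds))
    return sum(v), sum(v[-pps:])


if __name__ == "__main__":
    for pps in (100, 1000):
        total, last_second = summary(pps)
        print(f"{pps} pps offered: {total} forwarded in 10 s, "
              f"{last_second} in the final second")
```
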