[j-nsp] __default_arp_policer__

Bit Gossip bit.gossip at chello.nl
Fri Oct 16 11:22:12 EDT 2009

In reply to (a little bit late :-):


I have done some testing with M7i and Junos 9.5R2 and simulated
ARP-FLOOD attack. No protection on the M7i.

Attack generates ~8500000 arp requests in 180 secs
which makes roughly 48000 arp-req/sec =~ 23mbps

The internal policer dropped almost all of them:
l at r4> show policer    
Name                                              Packets 
__default_arp_policer__                           8493207

and only ~40000 arp requests received a reply from M7i
which makes roughly ~222 arp-reply/sec

During the attack the CPU raised of ~14%.


My conclusion is that the setting for __default_arp_policer__
are perfectly fine and there is no need to apply a custom arp policer to
any interface.

What is the opinion of the experts over there?


More information about the juniper-nsp mailing list