[j-nsp] __default_arp_policer__
Bit Gossip
bit.gossip at chello.nl
Fri Oct 16 11:22:12 EDT 2009
In reply to (a little bit late :-):
https://puck.nether.net/pipermail/juniper-nsp/2009-May/013325.html
I have done some testing with M7i and Junos 9.5R2 and simulated an
ARP-FLOOD attack. No protection on the M7i.
Attack generates ~8500000 arp requests in 180 secs
which makes roughly 48000 arp-req/sec =~ 23mbps
The internal policer dropped almost all of them:
l@r4> show policer
Policers:
Name                                              Packets
__default_arp_policer__                           8493207
and only ~40000 arp requests received a reply from M7i
which makes roughly ~222 arp-reply/sec
During the attack the CPU rose by ~14%.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My conclusion is that the settings for __default_arp_policer__
are perfectly fine and there is no need to apply a custom arp policer to
any interface.
What is the opinion of the experts over there?
Bit.