[j-nsp] Filtering for the ARP database

Bjørn Skovlund skovlund at gmail.com
Fri Jun 4 09:00:17 EDT 2010


Hi all,

I have a little issue with some MX-240s running static subscribers and
some DHCP relay. The issue is that our subscribers (delivered in
Q-in-Q) have a tendency to leak out their LAN side to the WAN -
causing situations like this:
bsr@eca1-hoer> show arp no-resolve | grep 192.168.1.1 | count
Count: 379 lines

Since I'm running proxy-arp, this is not very ideal. So I'm looking
for an idea as to how to filter them out. Either by only allowing
entries that are received by DHCP (Dynamic ARP Inspection-style from
the EXs) or simply by filtering out the RFC 1918 entries.

Any idea?

Thanks in advance,

Bjørn


