[j-nsp] ssb NH: resolutions from x throttled
juniper at iber-x.com
Mon May 24 14:21:09 EDT 2010
Hi there,
I apologize for the delay in my reply.
We have run some tests from different Internet route-servers, and from
there we are seeing our networks without any announcement problem.
We have also checked if someone is announcing a part of our network with
less than /24 but we didn't detect this problem.
Is there another way to check if someone else from the Internet is probing
our address block?
Thanks,
El 18/05/2010 20:21, Alex escribió:
> Hello there,
> I believe someone from Internet could be probing Your address block
> including network and broadcast IP addresses on frame-relay link.
> Hence unnecessary "resolutions" are throttled and event logged.
> Is it possible to change the /30 to /31? Same for IPv6, I'd suggest to
> try /126.
> If not then I'd suggest to block traffic from Internet to Your /30
> with FW filter unless there is a legitimate reason for Internet users
> to access these IPs.
> Regards
> Alex
>
> ----- Original Message -----
> *From:* juniper at iber-x.com <mailto:juniper at iber-x.com>
> *To:* Alex <mailto:alex.arseniev at gmail.com> ;
> juniper-nsp at puck.nether.net <mailto:juniper-nsp at puck.nether.net>
> *Sent:* Tuesday, May 18, 2010 4:43 PM
> *Subject:* Re: [j-nsp] ssb NH: resolutions from x throttled
>
> Hi,
>
> Regarding your questions,
>
> 1.- The encapsulation on these interfaces is frame-relay.
>
> 2.- Addresses are public and we don't advertise this /30 link to
> the Internet, only the general range of IP.
>
> 3.- The same IPs aren't on other interfaces.
> The configuration of this particular interface is:
>
> lt-0/2/0 {
>     unit 101 {
>         encapsulation frame-relay;
>         dlci 100;
>         peer-unit 100;
>         family inet {
>             no-redirects;
>             address x/30;
>         }
>         family iso;
>         family inet6 {
>             address y/124;
>             address z/64;
>         }
>         family mpls;
>     }
> }
>
> Thanks for your time,
>
>
>
> El 17/05/2010 20:32, Alex escribió:
>> Hello there,
>> May I ask some questions please?
>> 1/ What is the encapsulation on this link?
>> 2/ What are the link IP addresses: public or private? If public
>> do you advertise these link addresses to the Internet at large?
>> 3/ Do these addresses overlap with addresses somewhere else in
>> Your network? Perhaps in VRF?
>> Regards
>> Alex
>>
>> ----- Original Message -----
>> *From:* juniper at iber-x.com <mailto:juniper at iber-x.com>
>> *To:* Alex <mailto:alex.arseniev at gmail.com> ;
>> juniper-nsp at puck.nether.net <mailto:juniper-nsp at puck.nether.net>
>> *Sent:* Monday, May 17, 2010 4:25 PM
>> *Subject:* Re: [j-nsp] ssb NH: resolutions from x throttled
>>
>> Hi,
>>
>> Our M20 router is divided into two logical routers, one is the
>> physical and the other is the logical. And it is on the
>> logical tunnel interface, lt-0/2/0, where the problem is.
>> And it is only on those two interfaces that we've thought to
>> apply the statement: 'proxy-arp'. What is your opinion
>> about the implementation in this scenario?
>>
>> Do you have any other idea to solve this message in our
>> Juniper's log without making a JUNOS upgrade? I would
>> appreciate it because we have been trying to solve it for a long
>> time without success.
>>
>> Thanks,
>>
>>
>> El 17/05/2010 11:16, Alex escribió:
>>> I am sure You realise "proxy-arp" is an ARP Response function:
>>>
>>> Warning: If you configure unrestricted proxy ARP, the proxy
>>> router replies to ARP requests for the target IP address on
>>> the same interface as the incoming ARP request.
>>> http://www.juniper.net/techpubs/software/junos/junos90/swconfig-network-interfaces/configuring-unrestricted-proxy-arp.html
>>>
>>>
>>> So if You have another JUNOS box sitting on the same PE-CE
>>> subnet with M20, and M20 has traffic coming in from its
>>> core-facing interface and addressed to unassigned IP
>>> addresses on said subnet, You can always configure
>>> "proxy-arp" on that other JUNOS box in order to respond to
>>> M20 and keep poor old M20 happy...
>>>
>>> Cheers
>>> Alex
>>>
>>> ----- Original Message ----- From: <juniper at iber-x.com>
>>> To: "Christoph Blecker" <admin at toph.ca>;
>>> <juniper-nsp at puck.nether.net>
>>> Sent: Monday, May 17, 2010 10:45 AM
>>> Subject: Re: [j-nsp] ssb NH: resolutions from x throttled
>>>
>>>
>>> Hello,
>>>
>>> Yes, we had read this upgrade recommendation but we are looking for an
>>> alternative solution. As I said, we read that there is a possibility to
>>> set a 'proxy-arp' option for a particular interface
>>> (http://www.juniper.net/techpubs/software/junos/junos90/swconfig-network-interfaces/configuring-unrestricted-proxy-arp.html)
>>> and maybe there exists a statement for the opposite, because we think that
>>> perhaps it will solve the 'problem'.
>>>
>>> Setting this statement is only one idea (probably it doesn't work) but, does
>>> anyone have another idea?
>>>
>>> Thanks for your help and time,
>>>
>>>
>>> El 17/05/2010 10:18, Christoph Blecker escribió:
>>>>
>>>> Hello,
>>>> The issue appears to be a bug in the JUNOS version you are running. A
>>>> quick Google search turned up the following:
>>>>
>>>> http://www.juniper.net/techpubs/software/junos/junos73/rn-sw-73/previous-releases.html
>>>>
>>>> "If a router receives rapid multicast traffic from various groups or
>>>> sources that do not have entries in the forwarding table, the router
>>>> might generate the 'router-name feb NH: resolutions from iif number
>>>> throttled' system log message and might delay the installation of
>>>> forwarding table entries for some of these multicast packets. [PR/46474:
>>>> This issue has been resolved.]"
>>>>
>>>> Solution would be to review your hardware and upgrade your JUNOS version
>>>> as applicable. ARP resolution is a normal and necessary function of the
>>>> router, and you would not want to disable it (I'm not even sure there
>>>> *is* a way to disable it within JUNOS).
>>>>
>>>> Cheers,
>>>> -Christoph
>>>>
>>>> On 10-05-17 01:43 AM, juniper at iber-x.com wrote:
>>>>
>>>>> Hi there,
>>>>>
>>>>> We have a Juniper M20 with JUNOS 7.3R1.4, old version :( .. and since
>>>>> few we have in our log these entries:
>>>>>
>>>>> May 10 23:49:48.177 2010 xxxxx ssb NH: resolutions from iif 73 throttled
>>>>> May 10 23:50:41.168 2010 xxxxx ssb NH: resolutions from iif 88 throttled
>>>>> ..
>>>>>
>>>>> Someone told us that maybe it was a port/ip scan on an Ethernet subnet and
>>>>> this causes a flood of ARP requests.
>>>>> We found that there is a statement to set the 'proxy-arp' option:
>>>>>
>>>>> [edit]
>>>>> user@host# set interfaces interface-name unit logical-unit-number proxy-arp
>>>>>
>>>>> But we can't find the opposite statement, I mean that the router doesn't
>>>>> register any arp resolution in one interface.
>>>>>
>>>>> Also we read that it was a problem [PR/46474] solved since version
>>>>> 7.3R3 but we have an older JUNOS version..
>>>>>
>>>>> Does anyone know how to solve this 'problem'?
>>>>>
>>>>> Thanks in advance,
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
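An added example, not part of the thread: one way to look for the probing Alex describes is to take destination addresses from whatever traffic records are available (a constructed list of source/destination pairs here) and flag those that fall inside a link subnet but on an address no interface owns. The prefixes, endpoint addresses and function names are assumptions; documentation ranges stand in for the redacted x/30 and y/124, and a /31 is included for comparison.

```python
import ipaddress
from collections import defaultdict

# Constructed link table: documentation prefixes stand in for the redacted
# x/30 and y/124; each value is the set of addresses configured on the link.
LINKS = {
    "192.0.2.0/30": {"192.0.2.1", "192.0.2.2"},
    "198.51.100.0/31": {"198.51.100.0", "198.51.100.1"},
    "2001:db8::/124": {"2001:db8::1", "2001:db8::2"},
}

def classify(dst, links=LINKS):
    """Return (prefix, kind) for a destination inside a link subnet, else None."""
    addr = ipaddress.ip_address(dst)
    for prefix, endpoints in links.items():
        net = ipaddress.ip_network(prefix)
        if addr.version != net.version or addr not in net:
            continue
        if addr in {ipaddress.ip_address(e) for e in endpoints}:
            return prefix, "endpoint"
        # Only IPv4 subnets shorter than /31 have network/broadcast addresses.
        if net.version == 4 and net.prefixlen < 31:
            if addr == net.network_address:
                return prefix, "network"
            if addr == net.broadcast_address:
                return prefix, "broadcast"
        return prefix, "unassigned"
    return None

def unowned_hits(records, links=LINKS):
    """Map each source to the link-subnet destinations that no interface owns."""
    hits = defaultdict(set)
    for src, dst in records:
        result = classify(dst, links)
        if result and result[1] != "endpoint":
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}

# Constructed (source, destination) pairs, e.g. taken from sampled traffic.
SAMPLE = [
    ("203.0.113.7", "192.0.2.0"), ("203.0.113.7", "192.0.2.1"),
    ("203.0.113.7", "192.0.2.2"), ("203.0.113.7", "192.0.2.3"),
    ("203.0.113.9", "192.0.2.1"), ("203.0.113.7", "198.51.100.0"),
    ("203.0.113.7", "198.51.100.1"), ("2001:db8:ffff::5", "2001:db8::3"),
]

if __name__ == "__main__":
    for src, dsts in unowned_hits(SAMPLE).items():
        print(src, "->", ", ".join(dsts))
```

A source that walks every address of the /30, including .0 and .3, stands out from one that only reaches a configured endpoint; the /31 has no unowned address to hit.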