[j-nsp] ssb NH: resolutions from x throttled

juniper at iber-x.com juniper at iber-x.com
Mon May 24 14:21:09 EDT 2010


Hi there,

I apologize for the delay in my reply.

We have run some tests from different Internet route servers, and from 
there we are seeing our networks without any announcement problem.
We have also checked whether someone is announcing a part of our network with 
less than /24, but we didn't detect this problem.

Is there another way to check if someone else from the Internet is probing 
our address block?

Thanks,


On 18/05/2010 20:21, Alex wrote:
> Hello there,
> I believe someone from Internet could be probing Your address block 
> including network and broadcast IP addresses on frame-relay link. 
> Hence unnecessary "resolutions" are throttled and event logged.
> Is it possible to change the /30 to /31? Same for IPv6, I'd suggest to 
> try /126.
> If not then I'd suggest to block traffic from Internet to Your /30 
> with FW filter unless there is a legitimate reason for Internet users 
> to access these IPs.
> Regards
> Alex
>
>     ----- Original Message -----
>     *From:* juniper at iber-x.com <mailto:juniper at iber-x.com>
>     *To:* Alex <mailto:alex.arseniev at gmail.com> ;
>     juniper-nsp at puck.nether.net <mailto:juniper-nsp at puck.nether.net>
>     *Sent:* Tuesday, May 18, 2010 4:43 PM
>     *Subject:* Re: [j-nsp] ssb NH: resolutions from x throttled
>
>     Hi,
>
>     Regarding your questions,
>
>     1.- The encapsulation in these interfaces is frame-relay.
>
>     2.- Addresses are public and we don't advertise this /30 link to
>     the Internet, only the general range of IPs.
>
>     3.- The same IPs are not present on other interfaces.
>     The configuration of this particular interface is:
>
>     lt-0/2/0 {
>         unit 101 {
>             encapsulation frame-relay;
>             dlci 100;
>             peer-unit 100;
>             family inet {
>                 no-redirects;
>                 address x/30;
>             }
>             family iso;
>             family inet6 {
>                 address y/124;
>                 address z/64;
>             }
>             family mpls;
>         }
>     }
>
>     Thanks for your time,
>
>
>
>     On 17/05/2010 20:32, Alex wrote:
>>     Hello there,
>>     May I ask some questions please?
>>     1/ What is the encapsulation on this link?
>>     2/ What are the link IP addresses: public or private? If public
>>     do you advertise these link addresses to the Internet at large?
>>     3/ Do these addresses overlap with addresses somewhere else in
>>     Your network? Perhaps in VRF?
>>     Regards
>>     Alex
>>
>>         ----- Original Message -----
>>         *From:* juniper at iber-x.com <mailto:juniper at iber-x.com>
>>         *To:* Alex <mailto:alex.arseniev at gmail.com> ;
>>         juniper-nsp at puck.nether.net <mailto:juniper-nsp at puck.nether.net>
>>         *Sent:* Monday, May 17, 2010 4:25 PM
>>         *Subject:* Re: [j-nsp] ssb NH: resolutions from x throttled
>>
>>         Hi,
>>
>>         Our router M20 is divided into two logical routers, one is the
>>         physical and the other is the logical. And it is in the
>>         logical tunnel interface, lt-0/2/0, where the problem is.
>>         And it is only on those two interfaces where we've thought to
>>         apply the statement: 'proxy-arp'. What is your opinion
>>         about the implementation in this scenario?
>>
>>         Do you have any other idea to solve this message in our
>>         Juniper's log without making a JUNOS upgrade? I would
>>         appreciate it because we have been trying to solve it for a long
>>         time without success.
>>
>>         Thanks,
>>
>>
>>         On 17/05/2010 11:16, Alex wrote:
>>>         I am sure You realise "proxy-arp" is an ARP Response function:
>>>
>>>         Warning: If you configure unrestricted proxy ARP, the proxy
>>>         router replies to ARP requests for the target IP address on
>>>         the same interface as the incoming ARP request.
>>>         http://www.juniper.net/techpubs/software/junos/junos90/swconfig-network-interfaces/configuring-unrestricted-proxy-arp.html
>>>
>>>
>>>         So if You have another JUNOS box sitting on the same PE-CE
>>>         subnet with M20, and M20 has traffic coming in from its
>>>         core-facing interface and addressed to unassigned IP
>>>         addresses on said subnet, You can always configure
>>>         "proxy-arp" on that other JUNOS box in order to respond to
>>>         M20 and keep poor old M20 happy...
>>>
>>>         Cheers
>>>         Alex
>>>
>>>         ----- Original Message ----- From: <juniper at iber-x.com>
>>>         To: "Christoph Blecker" <admin at toph.ca>;
>>>         <juniper-nsp at puck.nether.net>
>>>         Sent: Monday, May 17, 2010 10:45 AM
>>>         Subject: Re: [j-nsp] ssb NH: resolutions from x throttled
>>>
>>>
>>>         Hello,
>>>
>>>         Yes, we had read this upgrade recommendation but we are
>>>         looking for an
>>>         alternative solution. As I said, we read that there is a
>>>         possibility to
>>>         set a 'proxy-arp' option for a particular interface
>>>         (http://www.juniper.net/techpubs/software/junos/junos90/swconfig-network-interfaces/configuring-unrestricted-proxy-arp.html)
>>>
>>>         and maybe there exists a statement for the opposite because we
>>>         think that
>>>         perhaps it will solve the 'problem'.
>>>
>>>         Setting this statement is only one idea (probably it doesn't
>>>         work) but, does
>>>         anyone have another idea?
>>>
>>>         Thanks for your help and time,
>>>
>>>
>>>         On 17/05/2010 10:18, Christoph Blecker wrote:
>>>>
>>>>         Hello,
>>>>         The issue appears to be a bug in the JUNOS version you are
>>>>         running. A
>>>>         quick Google search turned up the following:
>>>>
>>>>         http://www.juniper.net/techpubs/software/junos/junos73/rn-sw-73/previous-releases.html
>>>>
>>>>
>>>>         "If a router receives rapid multicast traffic from various
>>>>         groups or
>>>>         sources that do not have entries in the forwarding table,
>>>>         the router
>>>>         might generate the 'router-name feb NH: resolutions from
>>>>         iif number
>>>>         throttled' system log message and might delay the
>>>>         installation of
>>>>         forwarding table entries for some of these multicast
>>>>         packets. [PR/46474:
>>>>         This issue has been resolved.]"
>>>>
>>>>         Solution would be to review your hardware and upgrade your
>>>>         JUNOS version
>>>>         as applicable. ARP resolution is a normal and necessary
>>>>         function of the
>>>>         router, and you would not want to disable it (I'm not even
>>>>         sure there
>>>>         *is* a way to disable it within JUNOS).
>>>>
>>>>         Cheers,
>>>>         -Christoph
>>>>
>>>>         On 10-05-17 01:43 AM, juniper at iber-x.com wrote:
>>>>
>>>>>         Hi there,
>>>>>
>>>>>         We have a Juniper M20 with JUNOS 7.3R1.4, old version :(
>>>>>         .. and since
>>>>>         few we have in our log these entries:
>>>>>
>>>>>         May 10 23:49:48.177 2010  xxxxx ssb NH: resolutions from
>>>>>         iif 73 throttled
>>>>>         May 10 23:50:41.168 2010  xxxxx ssb NH: resolutions from
>>>>>         iif 88 throttled
>>>>>         ..
>>>>>
>>>>>         Someone told us that maybe it was a port/IP scan on an
>>>>>         Ethernet subnet and
>>>>>         this causes a flood of ARP requests.
>>>>>         We found that there is a statement to set the 'proxy-arp'
>>>>>         option:
>>>>>
>>>>>         [edit]
>>>>>         user at host# set interfaces interface-name unit
>>>>>         logical-unit-number proxy-arp
>>>>>
>>>>>         But we can't find the opposite statement, I mean that the
>>>>>         router doesn't
>>>>>         register any arp resolution in one interface.
>>>>>
>>>>>         Also we read that it was a problem [PR/46474] solved since
>>>>>         the version
>>>>>         7.3R3 but we have an older JUNOS version..
>>>>>
>>>>>         Does anyone know how to solve this 'problem'?
>>>>>
>>>>>         Thanks in advance,
>>>>>
>>>>>
>>>>>
>>>>>         _______________________________________________
>>>>>         juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>>         https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
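
Added example, not part of the original thread: one way to check whether the "resolutions from iif N throttled" messages quoted in the first post cluster on one incoming interface index within a short period, consistent with the probing Alex suspects, is to aggregate them from the router log. The hostname, the sample lines, the 5-minute window and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message format as quoted in the thread:
# "May 10 23:49:48.177 2010  xxxxx ssb NH: resolutions from iif 73 throttled"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d+ \d{4})\s+(?P<host>\S+)\s+"
    r"(?P<proc>\w+) NH: resolutions from iif (?P<iif>\d+) throttled\s*$"
)

def parse_throttle_events(lines):
    """Return (datetime, host, iif) for every throttle message found."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # anything else is an unrelated syslog line
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S.%f %Y")
            events.append((ts, m["host"], int(m["iif"])))
    return events

def bursts_per_iif(events, window=timedelta(minutes=5), threshold=3):
    """Report iifs with >= threshold messages inside any sliding window."""
    by_iif = defaultdict(list)
    for ts, _host, iif in events:
        by_iif[iif].append(ts)
    report = {}
    for iif, stamps in by_iif.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # shrink window from the left
            best = max(best, end - start + 1)
        if best >= threshold:
            report[iif] = {"total": len(stamps), "peak_in_window": best}
    return report

# Constructed sample log; hostname "rtr1" and all values are made up.
SAMPLE_LOG = """\
May 10 23:49:48.177 2010  rtr1 ssb NH: resolutions from iif 73 throttled
May 10 23:50:41.168 2010  rtr1 ssb NH: resolutions from iif 88 throttled
May 10 23:51:02.004 2010  rtr1 ssb NH: resolutions from iif 73 throttled
May 10 23:52:17.950 2010  rtr1 ssb NH: resolutions from iif 73 throttled
May 10 23:53:00.000 2010  rtr1 example-daemon: unrelated constructed message
May 11 04:10:09.311 2010  rtr1 ssb NH: resolutions from iif 88 throttled
""".splitlines()

if __name__ == "__main__":
    print(bursts_per_iif(parse_throttle_events(SAMPLE_LOG)))
```

An iif that shows up in the report is the interface to look at first when deciding where a filter or counter for the link subnet belongs.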
