[j-nsp] Negative ARP caching, on an MX router (again)

Jared Mauch jared at puck.nether.net
Mon Apr 3 13:13:40 EDT 2017


Last I knew this was an architecture problem and was not yet addressed.

I can't recommend Juniper right now for any platform that might get internet scanned and having a large connected subnet as a result.

- Jared

> On Apr 3, 2017, at 1:11 PM, Eduardo Schoedler <listas at esds.com.br> wrote:
> 
> Hi Clarke,
> 
> Maybe arp policer problem?
> https://lists.gt.net/nsp/juniper/18201#18201
> 
> 
> Regards,
> 
> 
> 2017-04-03 14:07 GMT-03:00 Clarke Morledge <chmorl at wm.edu>:
>> I would like to revisit a question that has come up several times on the
>> list:
>> 
>> https://lists.gt.net/nsp/juniper/57670
>> https://lists.gt.net/nsp/juniper/60797
>> 
>> I am trying to figure out a way to cut down on unnecessary ARP requests,
>> being generated by MX routers, when someone comes sweeping across my L3
>> space, and triggering these unnecessary ARP broadcasts, for unused
>> addresses.
>> 
>> There is a possible solution of ARP sponging, but it would be really, really
>> nice if there was something on-board with JUNOS to handle this, instead of
>> rolling out a special purpose box:
>> 
>> https://ams-ix.net/technical/specifications-descriptions/controlling-arp-traffic-on-ams-ix-platform
>> 
>> Ideally, if JUNOS could do something like this:
>> 
>> (a) Get a request from an incoming packet that would trigger an ARP request
>> to go out.
>> 
>> (b) If the router does not get a response back after X number of tries in Y
>> number of seconds, put some type of dummy MAC address in the ARP cache that
>> can be easily sinkholed.
>> 
>> (c) Stay in this state for Z number of seconds, before flushing that dummy
>> MAC address out of the cache, and then re-enabling ARP for that particular
>> address.
>> 
>> (d) In addition, the router would passively listen for packets coming into
>> the L3 interface that would overwrite the dummy MAC address in the ARP cache
>> with a (hopefully) legitimate MAC address, which would allow the process to
>> exit out of the above state, without waiting for the above "Z" timer to
>> expire.
>> 
>> Is there any way that JUNOS on an MX could be configured to do this?
>> Enhancement request anyone?
>> 
>> 
>> Clarke Morledge
>> College of William and Mary
>> Information Technology - Network Engineering
>> Jones Hall (Room 18)
>> Williamsburg VA 23187
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> 
> 
> -- 
> Eduardo Schoedler
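A toy model of the state machine Clarke sketches in steps (a) through (d), added here as an illustration only: it is not Junos, not anything Juniper ships, and not code from the thread. The X/Y/Z knobs, the dummy MAC, the IP addresses and the timestamps are assumptions; a real implementation would hang off the forwarding path and count actual unanswered ARP requests.

```python
"""Toy model of the negative ARP caching behaviour proposed in the thread."""
from dataclasses import dataclass, field

SINKHOLE_MAC = "00:00:5e:00:53:ff"   # constructed dummy MAC (step b); easy to sinkhole
ARP_REQUEST = "ARP_REQUEST"          # caller should broadcast a real ARP request


@dataclass
class NegativeArpCache:
    max_tries: int = 3          # X: unanswered requests allowed before sinkholing
    try_window: float = 5.0     # Y: seconds in which those X tries must occur
    hold_time: float = 300.0    # Z: seconds a sinkhole entry is held
    resolved: dict = field(default_factory=dict)    # ip -> real MAC
    sinkholed: dict = field(default_factory=dict)   # ip -> expiry timestamp
    attempts: dict = field(default_factory=dict)    # ip -> (first_try, count)

    def lookup(self, ip: str, now: float) -> str:
        """Step (a): a packet needs a next-hop MAC for ip at time `now`."""
        if ip in self.resolved:
            return self.resolved[ip]
        expiry = self.sinkholed.get(ip)
        if expiry is not None:
            if now < expiry:                      # step (c): still held, no ARP sent
                return SINKHOLE_MAC
            del self.sinkholed[ip]                # Z expired: ARP re-enabled
        first, count = self.attempts.get(ip, (now, 0))
        if now - first > self.try_window:         # window Y elapsed, start counting again
            first, count = now, 0
        if count >= self.max_tries:               # step (b): X unanswered tries within Y
            self.attempts.pop(ip, None)
            self.sinkholed[ip] = now + self.hold_time
            return SINKHOLE_MAC
        self.attempts[ip] = (first, count + 1)
        return ARP_REQUEST

    def learn(self, ip: str, mac: str, now: float) -> None:
        """Step (d), or a late ARP reply: a real MAC overrides any sinkhole entry."""
        self.sinkholed.pop(ip, None)
        self.attempts.pop(ip, None)
        self.resolved[ip] = mac
```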


