[j-nsp] Junos Arp Expiration Timer Behavior & Active Flows
Clarke Morledge
chmorl at wm.edu
Thu Jan 17 11:48:04 EST 2019
Thank you for the responses, folks.

I am trying to figure out a way to cut down on ARP traffic, particularly
resulting from continued sweeps/scans running across our IP space from the
InterWebs, particularly for IPs that are currently not in use.

Simply jacking up the ARP aging-timer is not a completely trustworthy
solution, since if you change the MAC address for a downstream host, the
upstream router has to time out its ARP entry before it learns the new
downstream MAC... assuming the new downstream MAC does not do an ARP
request of its own, right away.

Has anyone worked with the ARP Cache Protection feature, released in 16.1?
I was hoping to try to get this to work for me, but I am having a
difficult time wrapping my head around the arp-new-hold-limit knob, and
how it is supposed to work.

https://www.juniper.net/documentation/en_US/junos/topics/example/example-arp-cache-protection-configuring.html

It seems like the feature is designed more to protect the router from DDoS
attacks, and not so much protecting downstream nodes from bogus ARP
traffic.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
200 Ukrop Way
Williamsburg VA 23187