[j-nsp] Junos Arp Expiration Timer Behavior & Active Flows
Nelson, Brian
brian.nelson at utdallas.edu
Thu Jan 17 12:11:19 EST 2019
I put a policer on the upstream connection firewall of this sort:

    policer traceroute-limit {
        if-exceeding {
            bandwidth-limit 2k;
            burst-size-limit 1500;
        }
        then discard;
    }
You might want to tweak this some. I can't remember why I chose these
values.
This tends to take care of most of the ARP problems. Academia is a
normal target for network researchers with little regard for others'
networks.
Brian Nelson
--
Supervisor
Computing Systems Support
Dept of Computer Science
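Added example, not from Brian's post: one way to bind the policer above to traceroute-style UDP probes inbound on the upstream link, so the router stops resolving ARP for every swept address. The filter name, term names, counter name, interface and the 33434-33534 port range are assumptions.

```junos
firewall {
    /* Brian's policer, reproduced so the example stands alone */
    policer traceroute-limit {
        if-exceeding {
            bandwidth-limit 2k;
            burst-size-limit 1500;
        }
        then discard;
    }
    family inet {
        /* Assumed filter name; applied inbound on the upstream interface */
        filter upstream-in {
            /* Classic UDP traceroute probes target high ports starting
               at 33434; the exact range is an assumption */
            term limit-traceroute {
                from {
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    policer traceroute-limit;
                    count traceroute-probes;
                    accept;
                }
            }
            /* Everything else passes untouched */
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    /* Assumed upstream interface */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input upstream-in;
                }
            }
        }
    }
}
```

After commit, `show firewall filter upstream-in` shows the counter and the policer's discard count, which is the quickest way to confirm the 2k limit is actually being hit.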
On 01/17/2019 10:48 AM, Clarke Morledge wrote:
> Thank you for the responses folks.
>
> I am trying to figure out a way to cut down on ARP traffic, particularly
> resulting from continued sweeps/scans running across our IP space from the
> InterWebs, particularly for IPs that are currently not in use.
>
> Simply jacking up the ARP aging-timer is not a completely trustworthy
> solution, since if you change the MAC address for a downstream host, the
> upstream router has to timeout its ARP entry before it learns the new
> downstream MAC... assuming the new downstream MAC does not do an ARP
> request of its own, right away.
>
> Has anyone worked with the ARP Cache Protection feature, released in 16.1?
> I was hoping to try to get this to work for me, but I am having a
> difficult time wrapping my head around the arp-new-hold-limit knob, and
> how it is supposed to work.
>
> https://www.juniper.net/documentation/en_US/junos/topics/example/example-arp-cache-protection-configuring.html
>
> It seems like the feature is designed more to protect the router from DDoS
> attacks, and not so much protecting downstream nodes from bogus ARP
> traffic.
>
> Clarke Morledge
> College of William and Mary
> Information Technology - Network Engineering
> Jones Hall (Room 18)
> 200 Ukrop Way
> Williamsburg VA 23187
>