[j-nsp] Junos Arp Expiration Timer Behavior & Active Flows

Nelson, Brian brian.nelson at utdallas.edu
Thu Jan 17 12:11:19 EST 2019


I put a policer on the upstream connection firewall of the sort

policer traceroute-limit {
    if-exceeding {
        bandwidth-limit 2k;
        burst-size-limit 1500;
    }
    then discard;
}

You might want to tweak this some. I can't remember why I chose these
values.

This tends to take care of most of the ARP problems. Academia is a
normal target for network researchers with little regard for others'
networks.

Brian Nelson

-- 
Supervisor
Computing Systems Support 
Dept of Computer Science



On 01/17/2019 10:48 AM, Clarke Morledge wrote:
> Thank you for the responses folks.
>
> I am trying to figure out a way to cut down on ARP traffic, particularly 
> resulting from continued sweeps/scans running across our IP space from the 
> InterWebs, particularly for IPs that are currently not in use.
>
> Simply jacking up the ARP aging-timer is not a completely trustworthy 
> solution, since if you change the MAC address for a downstream host, the 
> upstream router has to timeout its ARP entry before it learns the new 
> downstream MAC... assuming the new downstream MAC does not do an ARP 
> request of its own, right away.
>
> Has anyone worked with the ARP Cache Protection feature, released in 16.1? 
> I was hoping to try to get this to work for me, but I am having a 
> difficult time wrapping my head around the arp-new-hold-limit knob, and 
> how it is supposed to work.
>
> https://www.juniper.net/documentation/en_US/junos/topics/example/example-arp-cache-protection-configuring.html
>
> It seems like the feature is designed more to protect the router from DDoS 
> attacks, and not so much protecting downstream nodes from bogus ARP 
> traffic.
>
> Clarke Morledge
> College of William and Mary
> Information Technology - Network Engineering
> Jones Hall (Room 18)
> 200 Ukrop Way
> Williamsburg VA 23187
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
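Added example (not Brian's own config, and not from the list): one way to attach the policer quoted above to the upstream interface so that only traffic aimed at address space with no live hosts behind it gets rate-limited, while everything else passes untouched. The policer values are the ones from Brian's message; the filter name, prefix-list name, the 192.0.2.0/25 prefix and the ge-0/0/0 interface are placeholders you would replace with your own.

```junos
firewall {
    /* Policer values as posted above; tweak to taste. */
    policer traceroute-limit {
        if-exceeding {
            bandwidth-limit 2k;
            burst-size-limit 1500;
        }
        then discard;
    }
    family inet {
        filter limit-scans-to-unused-space {
            /* Only traffic toward prefixes with no hosts is policed;
               packets within the policer rate are accepted. */
            term unused-space {
                from {
                    destination-prefix-list {
                        unused-space;
                    }
                }
                then {
                    policer traceroute-limit;
                    count unused-space-hits;
                }
            }
            /* Everything else passes untouched. */
            term everything-else {
                then accept;
            }
        }
    }
}
policy-options {
    /* Placeholder prefix: list the ranges you know are currently unused. */
    prefix-list unused-space {
        192.0.2.0/25;
    }
}
interfaces {
    /* Placeholder: the upstream-facing interface. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input limit-scans-to-unused-space;
                }
            }
        }
    }
}
```

After committing, "show firewall filter limit-scans-to-unused-space" shows the counter and the policer's discard count, which tells you how much scan traffic was actually being turned into ARP requests for empty addresses. The thing to watch is the prefix-list: it has to be kept in step with address assignments, otherwise a newly deployed host in a "unused" range gets its inbound traffic policed along with the scans.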

