ARP requests caused by a loop from a switch connected to an MX interface caused my BGP peers to flap.
I have some questions:
1. Is the ARP policer part of DDoS protection?
2. Is the ARP policer limited to 150k?
3. Is this policer per MPC or per FPC?
I think the default ARP policer reached its maximum on this MPC and denied all the legitimate ARP requests from the uplink interfaces (BGP neighbors).
I want to configure a generic ARP policer on all my inet interfaces.
I have several interfaces with family inet, vpls, ccc.
The configuration is:
set firewall policer ARP-Policer if-exceeding bandwidth-limit 8k
set firewall policer ARP-Policer if-exceeding burst-size-limit 1500
set firewall policer ARP-Policer then discard
set interfaces ge-1/1/8 flexible-vlan-tagging
set interfaces ge-1/1/8 encapsulation flexible-ethernet-services
set interfaces ge-1/1/8 unit 1050 encapsulation vlan-ccc
set interfaces ge-1/1/8 unit 1050 vlan-id 1050
set interfaces ge-1/1/8 unit 1051 vlan-id 1051
set interfaces ge-1/1/8 unit 1051 family inet address 172.20.20.1/24
set interfaces ge-1/1/8 unit 1052 encapsulation vlan-vpls
set interfaces ge-1/1/8 unit 1052 vlan-id 1052
set groups arp interfaces ge-1/1/8 unit <*> family inet policer arp ARP-Policer
set apply-groups arp
re1:[edit interfaces ge-1/1/8 unit 1050] 'family' Only the CCC family is allowed on CCC interfaces
The apply-groups does not work with the other families (vpls, ccc), only with inet.
Is there another way to accomplish this?
Please find my reply below:

1. Is the ARP policer part of DDoS protection?
Yes, the default ARP policer is always at the front. You can log in to the FPC and see the ARP policer stats:
#show ddos policer arp stats

2. Is the ARP policer limited to 150k?
Yes, the default policer bandwidth is 150Kbps combined with a burst size of 15000 bytes. Please refer to page 380 for more details from the book: Juniper MX series

3. Is this policer per MPC or per FPC?
The default ARP policer is per-PFE. All Ethernet ifls of one PFE will be mapped to the default ARP policer, which polices all packets at a rate of 150Kbps.

4. The apply-groups does not work with the other families (vpls, ccc), only with inet. Is there another way to accomplish this?
You can apply the policer on the units with the appropriate family, like below:
set firewall policer police2 if-exceeding bandwidth-percent 10
set firewall policer police2 if-exceeding burst-size-limit 1500
set firewall policer police2 then discard
set interfaces ge-0/0/1 unit 512 family vpls policer input police2
set interfaces ge-0/0/1 unit 512 family ccc policer input police2

Regards,
Rahul
Please mark my solution as accepted if it helped.
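
The starvation described in this thread, as an added example (not code from either poster or from Juniper): a token-bucket model of one policer with the 150 Kbps / 15000 byte defaults quoted in the reply, shared by a looping port and an uplink, compared with the same traffic when the looping port first passes through the 8k / 1500 ARP-Policer from the question. The 64-byte frame size, the traffic rates and the chaining of the two policers are assumptions of the model, and the DDoS-protection stage is not modelled.

```python
# Added example: integer-exact token-bucket model of a "then discard" policer.
ARP_FRAME_BYTES = 64   # assumption: each ARP frame is counted as 64 bytes
UBIT = 1_000_000       # tokens are kept in micro-bits so the math stays integer


class Policer:
    def __init__(self, bandwidth_bps, burst_bytes):
        self.bps = bandwidth_bps
        self.cap = burst_bytes * 8 * UBIT
        self.tokens = self.cap           # bucket starts full
        self.last_us = 0

    def allow(self, now_us, size=ARP_FRAME_BYTES):
        # Refill for the elapsed microseconds, capped at the burst size.
        self.tokens = min(self.cap, self.tokens + (now_us - self.last_us) * self.bps)
        self.last_us = now_us
        cost = size * 8 * UBIT
        if self.tokens < cost:
            return False                 # out of profile: discard
        self.tokens -= cost
        return True


def simulate(sources, seconds):
    """sources: name -> (gap_us, offset_us, [policers in order]).
    Returns name -> (frames passed, frames sent)."""
    events = sorted((t, name) for name, (gap, off, _) in sources.items()
                    for t in range(off, seconds * 1_000_000, gap))
    stats = {name: [0, 0] for name in sources}
    for t, name in events:
        stats[name][1] += 1
        # all() short-circuits: a frame dropped by one policer never reaches the next.
        if all(p.allow(t) for p in sources[name][2]):
            stats[name][0] += 1
    return {name: tuple(v) for name, v in stats.items()}


def shared_policer(seconds=10):
    default = Policer(150_000, 15_000)   # 150 Kbps / 15000 bytes, from the reply
    return simulate({"loop": (20, 0, [default]),           # constructed: 50,000 ARP/s
                     "uplink": (500_000, 7, [default])},   # constructed: 2 ARP/s
                    seconds)


def with_interface_policer(seconds=10):
    default = Policer(150_000, 15_000)
    arp_policer = Policer(8_000, 1_500)  # ARP-Policer from the question (8k / 1500)
    return simulate({"loop": (20, 0, [arp_policer, default]),
                     "uplink": (500_000, 7, [default])}, seconds)
```

In the shared case only the uplink frame that arrives before the burst allowance is spent gets through; with the looping port policed first, every uplink frame passes.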