Junos OS


Arp policer

  • 1.  Arp policer

    Posted 07-26-2017 05:38

    Hi

     

    Because of ARP requests caused by a loop from a switch connected to an MX interface, my BGP peers flap.

    I have some questions:

    1. Is the ARP policer part of DDoS protection?

    2. Is the ARP policer limited to 150k?

    3. Is this policer per MPC or per FPC?

    I think the default ARP policer reached its maximum on this MPC and denied all the legitimate ARP requests from the uplink interfaces (BGP neighbors).

    I want to configure a generic ARP policer on all my inet interfaces.

    I have several interfaces with family inet, vpls and ccc.

    The configuration is:

     

    set firewall policer ARP-Policer if-exceeding bandwidth-limit 8k
    set firewall policer ARP-Policer if-exceeding burst-size-limit 1500
    set firewall policer ARP-Policer then discard

     

    set interfaces ge-1/1/8 flexible-vlan-tagging
    set interfaces ge-1/1/8 encapsulation flexible-ethernet-services
    set interfaces ge-1/1/8 unit 1050 encapsulation vlan-ccc
    set interfaces ge-1/1/8 unit 1050 vlan-id 1050
    set interfaces ge-1/1/8 unit 1051 vlan-id 1051
    set interfaces ge-1/1/8 unit 1051 family inet address 172.20.20.1/24
    set interfaces ge-1/1/8 unit 1052 encapsulation vlan-vpls
    set interfaces ge-1/1/8 unit 1052 vlan-id 1052

     

    set groups arp interfaces ge-1/1/8 unit <*> family inet policer arp ARP-Policer

    set apply-groups arp

     

    commit check

    re1:
    [edit interfaces ge-1/1/8 unit 1050]
    'family'
    Only the CCC family is allowed on CCC interfaces

     

    The apply-group does not work with the other families (vpls, ccc), only with inet.

    Is there another way to accomplish this?

    Regards

    Oren



  • 2.  RE: Arp policer

    Posted 08-02-2017 02:20

    Hi Oren,

     

    Please find my reply below:

    1. Is the ARP policer part of DDoS protection?

    Yes, the default ARP policer is always at the front.
    You can log in to the FPC and see the ARP policer stats:
    # show ddos policer arp stats

       

    2. Is the ARP policer limited to 150k?

    Yes, the default policer bandwidth is 150 Kbps, combined with a burst size of 15000 bytes.
    Please refer to page 380 of the book Juniper MX Series for more details.



    3. Is this policer per MPC or per FPC?

    The default ARP policer is per PFE. All Ethernet IFLs of one PFE are mapped to the default ARP policer, which polices all packets at a rate of 150 Kbps.





    4. The apply-group does not work with the other families (vpls, ccc), only with inet. Is there another way to accomplish this?

    You can apply the policer on the units with the appropriate family, like below:


    set firewall policer police2 if-exceeding bandwidth-percent 10
    set firewall policer police2 if-exceeding burst-size-limit 1500
    set firewall policer police2 then discard

    set interfaces ge-0/0/1 unit 512 family vpls policer input police2

    set interfaces ge-0/0/1 unit 512 family ccc policer input police2




    Regards,
    Rahul


    Please mark my solution as accepted if it helped.
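The per-family approach in the reply above, generalized as an added example that is not part of the original thread: a small Python script that reads the question's `set interfaces` lines (embedded below as a constructed sample copied from the question) and emits one policer statement per logical unit, using `family inet policer arp` for inet units and `family vpls` / `family ccc` `policer input` for the Layer 2 units. The policer names ARP-Policer and police2 are the ones used in the thread; inferring the family from a `vlan-ccc` / `vlan-vpls` encapsulation when no `family` line is present is this example's assumption, based on the commit check treating unit 1050 as a CCC interface. Generating per-unit statements this way avoids the problem with the `unit <*>` group, which pushes `family inet` into every unit, including the CCC one.

```python
import re

# Matches the poster's per-unit 'set' lines: interface, unit number, remainder.
UNIT_RE = re.compile(r"^set interfaces (\S+) unit (\d+) (.+)$")

# Encapsulations that make a unit a Layer 2 interface even without a
# 'family' line. Assumption of this example, based on the thread's commit
# check treating unit 1050 ('encapsulation vlan-ccc') as a CCC interface.
ENCAP_FAMILY = {
    "vlan-ccc": "ccc",
    "ethernet-ccc": "ccc",
    "vlan-vpls": "vpls",
    "ethernet-vpls": "vpls",
}

# Constructed sample: the ge-1/1/8 configuration from the question.
SAMPLE_CONFIG = """\
set interfaces ge-1/1/8 flexible-vlan-tagging
set interfaces ge-1/1/8 encapsulation flexible-ethernet-services
set interfaces ge-1/1/8 unit 1050 encapsulation vlan-ccc
set interfaces ge-1/1/8 unit 1050 vlan-id 1050
set interfaces ge-1/1/8 unit 1051 vlan-id 1051
set interfaces ge-1/1/8 unit 1051 family inet address 172.20.20.1/24
set interfaces ge-1/1/8 unit 1052 encapsulation vlan-vpls
set interfaces ge-1/1/8 unit 1052 vlan-id 1052
"""


def unit_families(config_text):
    """Return {(ifd, unit): set(families)} for every unit seen in the config.

    A family is recorded from an explicit 'family <name>' line or inferred
    from a CCC/VPLS encapsulation. Units with neither get an empty set.
    """
    families = {}
    for line in config_text.splitlines():
        m = UNIT_RE.match(line.strip())
        if not m:
            continue
        ifd, unit, rest = m.groups()
        fams = families.setdefault((ifd, int(unit)), set())
        words = rest.split()
        if len(words) >= 2 and words[0] == "family":
            fams.add(words[1])
        elif len(words) >= 2 and words[0] == "encapsulation":
            inferred = ENCAP_FAMILY.get(words[1])
            if inferred:
                fams.add(inferred)
    return families


def policer_statements(config_text, arp_policer="ARP-Policer", l2_policer="police2"):
    """Emit one policer 'set' line per unit, matched to the unit's family.

    inet units get the ARP-only 'policer arp'; vpls and ccc units have no
    ARP-specific knob, so they get a family input policer that covers all
    ingress traffic on that unit. Families without ARP (inet6, mpls, ...)
    get nothing.
    """
    stmts = []
    for (ifd, unit), fams in sorted(unit_families(config_text).items()):
        for fam in sorted(fams):
            if fam == "inet":
                stmts.append(f"set interfaces {ifd} unit {unit} "
                             f"family inet policer arp {arp_policer}")
            elif fam in ("vpls", "ccc"):
                stmts.append(f"set interfaces {ifd} unit {unit} "
                             f"family {fam} policer input {l2_policer}")
    return stmts


def unpoliced_units(config_text):
    """Units that received no statement, so the operator can review them."""
    return sorted(key for key, fams in unit_families(config_text).items()
                  if not fams & {"inet", "vpls", "ccc"})


if __name__ == "__main__":
    for stmt in policer_statements(SAMPLE_CONFIG):
        print(stmt)
    for ifd, unit in unpoliced_units(SAMPLE_CONFIG):
        print(f"# no policer emitted for {ifd} unit {unit}")
```

Paste the generated lines with `load set terminal` in configuration mode and run `commit check` before committing. Note that `policer input` on a vpls or ccc unit polices all ingress frames on that unit, not only ARP, so it needs to be sized for the unit's full traffic rather than the 8k used for the inet ARP policer. After the commit, `show interfaces policers ge-1/1/8` lists the policer attached to each unit and `show policer` shows the counters, including the `__default_arp_policer__` that the reply describes.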