Example: Configuring ARP Policer
This example shows how to configure an Address Resolution Protocol (ARP) policer on SRX Series Firewalls.
Support for ARP policers on pseudowire interfaces on MX Series routers is available in Junos OS Release 20.2R1. The configuration principles are the same as shown here.
Requirements
This example uses the following hardware and software components:
SRX Series Firewall.
Junos OS Release 18.4R1 or later.
Before you begin, see ARP Policer Overview.
Overview
ARP is used to map a MAC address to an IP address. ARP dynamically binds the IP address (the logical address) to the correct MAC address. Before IP unicast packets can be sent, ARP discovers the MAC address used by the Ethernet interface where the IP address is configured. This feature is supported on all SRX Series Firewalls. The traffic to the Routing Engine on the SRX Series Firewall is controlled by applying the policer on ARP. This prevents network congestion caused by broadcast storms.
By default, a single ARP policer named __default_arp_policer__ is used and shared by all Ethernet interfaces that have family inet configured.
On MX Series routers, you can create policers for ARP traffic on pseudowire interfaces. You configure rate limiting for the policer by specifying the bandwidth and the burst-size limit of a firewall policer, attach the policer to a pseudowire interface just as you would to any other interface, and apply the ARP policer at the [edit interfaces interface-name unit unit-number family inet policer arp policy-name] hierarchy level. Traffic that exceeds the specified rate limits can be dropped or marked as low priority and delivered when congestion permits.
Configuration
This example shows how to configure rate limiting for the policer by specifying the bandwidth and the burst-size limit.
Configuring ARP Policer on Interface
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set firewall policer arp_limit if-exceeding bandwidth-limit 1m
set firewall policer arp_limit if-exceeding burst-size-limit 1m
set firewall policer arp_limit then discard
set interfaces ge-0/0/7 unit 0 family inet policer arp arp_limit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Use the CLI Editor in Configuration Mode in the CLI User Guide.
To configure the ARP policer:
Specify the name of the policer.
[edit firewall]
user@host# set policer arp_limit
Configure rate limiting for the policer.
Specify the bandwidth limit in bits per second (bps) to control the traffic rate on an interface:
[edit firewall policer arp_limit]
user@host# set if-exceeding bandwidth-limit 1m
The range for the bandwidth limit is 1 through 150,000 bps.
Specify the burst-size limit (the maximum allowed burst size in bytes) to control the amount of traffic bursting:
[edit firewall policer arp_limit]
user@host# set if-exceeding burst-size-limit 1m
To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur:
burst size = (bandwidth) * (allowable time for burst traffic)
The range for the burst-size limit is 1 through 150,000 bytes.
Specify the policer action discard to discard packets that exceed the rate limits.
[edit firewall]
user@host# set policer arp_limit then discard
Discard is the only supported policer action.
Apply the policer to the interface.
[edit]
user@host# set interfaces ge-0/0/7 unit 0 family inet policer arp arp_limit
Results
From configuration mode, confirm your configuration by entering the show firewall and show interfaces commands. If the output does not display the intended configuration, repeat the instructions in this example to correct it.
[edit]
user@host# show firewall
policer arp_limit {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 1m;
    }
    then discard;
}
[edit]
user@host# show interfaces
ge-0/0/7 {
    unit 0 {
        family inet {
            policer {
                arp arp_limit;
            }
        }
    }
}
After you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the Results of the ARP Policer
Purpose
Verify that the ARP policer is applied and counting traffic.
Action
From operational mode, enter the show policer policer-name command.
user@host> show policer arp_limit-ge-0/0/7.0-inet-arp
Policers:
Name                              Bytes     Packets
arp_limit-ge-0/0/7.0-inet-arp     0         0
Meaning
The show policer policer-name command displays the names of all firewall filters and policers configured on the device, together with the byte and packet counters for each policer. The ARP policer instance is named after the policer, the logical interface, and the family (here arp_limit-ge-0/0/7.0-inet-arp).
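As an added example that is not part of the Juniper documentation, the following Python script parses two successive captures of show policer output and reports, per logical interface, how many packets the ARP policer acted on between polls, which is a quick way to spot an ARP storm on a given interface. The sample output is constructed, and treating the counters as discarded packets (as they are for a then discard policer) is an assumption.

```python
import re
from typing import Dict, List, NamedTuple

# Matches one data row of Junos "show policer" output, e.g.
#   arp_limit-ge-0/0/7.0-inet-arp       642560             9820
# Header lines ("Name  Bytes  Packets") fail the \d+ groups and are skipped.
ROW_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<bytes>\d+)\s+(?P<packets>\d+)\s*$")
# Interface-bound ARP policer instances are named <policer>-<ifl>-inet-arp.
ARP_POLICER_RE = re.compile(r"^(?P<policer>.+)-(?P<ifl>[a-z]+-\d+/\d+/\d+\.\d+)-inet-arp$")

# Constructed sample output: first poll shows no drops, second poll shows
# the arp_limit policer on ge-0/0/7.0 has discarded 9820 ARP packets.
SAMPLE_BEFORE = """\
Policers:
Name                                Bytes              Packets
__default_arp_policer__             0                  0
arp_limit-ge-0/0/7.0-inet-arp       0                  0
"""
SAMPLE_AFTER = """\
Policers:
Name                                Bytes              Packets
__default_arp_policer__             0                  0
arp_limit-ge-0/0/7.0-inet-arp       642560             9820
"""


class PolicerCounters(NamedTuple):
    name: str
    interface: str
    bytes_dropped: int
    packets_dropped: int


def parse_show_policer(output: str) -> List[PolicerCounters]:
    """Return counters for every interface-bound ARP policer in the output."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        am = ARP_POLICER_RE.match(m.group("name"))
        if not am:  # skip the shared __default_arp_policer__ and non-ARP policers
            continue
        rows.append(PolicerCounters(m.group("name"), am.group("ifl"),
                                    int(m.group("bytes")), int(m.group("packets"))))
    return rows


def arp_drop_deltas(before: str, after: str) -> Dict[str, int]:
    """Packets the ARP policer discarded per interface between two polls."""
    prev = {r.interface: r.packets_dropped for r in parse_show_policer(before)}
    return {r.interface: r.packets_dropped - prev.get(r.interface, 0)
            for r in parse_show_policer(after)}


def interfaces_over_threshold(before: str, after: str, max_drops: int) -> List[str]:
    """Interfaces whose ARP drop count grew by more than max_drops since the last poll."""
    return sorted(ifl for ifl, d in arp_drop_deltas(before, after).items() if d > max_drops)
```

Poll show policer on a fixed interval and feed consecutive captures to interfaces_over_threshold to alert on interfaces where ARP traffic is being rate limited.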
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.