ARP Policer Overview
Sending IP packets on a multiaccess network requires mapping from an IP address to a media access control (MAC) address (the physical or hardware address).
In an Ethernet environment, Address Resolution Protocol (ARP) is used to map an IP address to a MAC address. ARP dynamically binds the IP address (the logical address) to the correct MAC address. Before IP unicast packets can be sent, ARP discovers the MAC address used by the Ethernet interface where the IP address is configured.
Hosts that use ARP maintain a cache of discovered Internet-to-Ethernet address mappings to minimize the number of ARP broadcast messages. To keep the cache from growing too large, an entry is removed if it is not used within a certain period of time. Before sending a packet, the host searches its cache for Internet-to-Ethernet address mapping. If the mapping is not found, the host sends an ARP request.
Starting in Junos OS Release 18.4R1, you can apply policers on ARP traffic on SRX Series devices. You can configure rate limiting for the policer by specifying the bandwidth and the burst-size limit. Packets exceeding the policer limits are discarded. The traffic to the Routing Engine is controlled by applying the policer on ARP traffic. Using policers helps prevent network congestion caused by broadcast storms.
You can use policers to specify rate limits on traffic. A firewall filter configured with a policer permits only traffic within a specified set of rate limits, thereby providing protection from denial-of-service (DoS) attacks. Traffic that exceeds the rate limits specified by the policer is either discarded immediately or is marked as lower priority than traffic that is within the rate limits. The switch discards the lower-priority traffic when there is traffic congestion.
A policer applies two types of rate limits on traffic:
Bandwidth—The number of bits per second permitted, on average
Maximum burst size—The maximum size permitted for bursts of data that exceed the given bandwidth limit
Policing uses an algorithm to enforce a limit on average bandwidth while allowing bursts up to a specified maximum value. You can define specific classes of traffic on an interface and apply a set of rate limits to each class. After you name and configure a policer, it is stored as a template. You can then use the policer in a firewall filter configuration.
On SRX5400, SRX5600, and SRX5800 devices, ARP policer actions are applied on the SPUs as well as on the Routing Engine. For example, SPU A handles 15000 packets of ARP traffic, and SPU B handles 5000 packets. A policer is configured as rate-limit 10K, discard and applied to the ARP protocol. As a result, SPU A discards 5000 packets of ARP traffic and forwards 10000 packets to the Routing Engine, and SPU B forwards 5000 packets of ARP traffic to the Routing Engine. The Routing Engine therefore receives a total of 15000 packets of ARP traffic.
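The following simulation is an added example, not Juniper code and not the SRX implementation. It models the two limits described above (bandwidth as an average rate, burst size as the largest excursion above it) as a token bucket, which is the usual way a policer of this kind is realized; the page only says "an algorithm", so the token-bucket model is an assumption. The frame length, the 10 kbps / 1500-byte policer values and the two ARP traffic patterns are constructed. The last function repeats the per-SPU counting from the SPU A / SPU B example so the aggregate seen by the Routing Engine can be checked against the numbers in the text.

```python
"""Token-bucket model of an ARP policer with bandwidth and burst-size limits.
Added example; not Junos code. Values below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Packet = Tuple[float, int]  # (arrival time in seconds, frame length in bytes)


@dataclass
class Policer:
    bandwidth_bps: int          # average rate permitted, bits per second
    burst_bytes: int            # maximum burst size, bytes (bucket depth)
    tokens: float = field(init=False)
    last_ts: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)  # bucket starts full

    def conform(self, ts: float, length: int) -> bool:
        """Refill the bucket for the elapsed time, then try to pay for the frame.
        Returns True if the frame is within limits, False if it exceeds them."""
        elapsed = ts - self.last_ts
        refill = elapsed * self.bandwidth_bps / 8  # bits/s -> bytes over elapsed time
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_ts = ts
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False


def police(policer: Policer, packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Run a stream of frames through the policer; out-of-profile frames are discarded,
    matching the 'discard' action described for the ARP policer."""
    forwarded: List[Packet] = []
    discarded: List[Packet] = []
    for ts, length in packets:
        (forwarded if policer.conform(ts, length) else discarded).append((ts, length))
    return forwarded, discarded


def police_per_spu(spu_packets: Dict[str, int], limit: int) -> Tuple[Dict[str, Tuple[int, int]], int]:
    """Count-based view of the SPU A / SPU B example: each SPU enforces the limit on
    its own traffic, and the Routing Engine receives the sum of what each forwards.
    Returns {spu: (forwarded, discarded)} and the Routing Engine total."""
    per_spu = {spu: (min(n, limit), max(0, n - limit)) for spu, n in spu_packets.items()}
    total = sum(fwd for fwd, _ in per_spu.values())
    return per_spu, total


# Constructed traffic. A minimum-size Ethernet frame (an ARP request padded out) is
# taken as 64 bytes on the wire.
ARP_FRAME = 64
# Broadcast storm: 100 frames arriving at once, then 20 more one second later.
STORM: List[Packet] = [(0.0, ARP_FRAME)] * 100 + [(1.0, ARP_FRAME)] * 20
# Normal ARP load: one frame every 100 ms for 10 seconds (5.12 kbps, under the limit).
STEADY: List[Packet] = [(round(0.1 * k, 1), ARP_FRAME) for k in range(1, 101)]


if __name__ == "__main__":
    # 10 kbps average, 1500-byte burst: the storm is clipped, the steady stream is not.
    fwd, disc = police(Policer(bandwidth_bps=10_000, burst_bytes=1500), STORM)
    print(f"storm:  forwarded={len(fwd)} discarded={len(disc)}")
    fwd, disc = police(Policer(bandwidth_bps=10_000, burst_bytes=1500), STEADY)
    print(f"steady: forwarded={len(fwd)} discarded={len(disc)}")
    per_spu, total = police_per_spu({"SPU A": 15000, "SPU B": 5000}, limit=10000)
    print(per_spu, "Routing Engine receives", total)
```

With a full 1500-byte bucket, 23 of the 100 storm frames fit (23 × 64 = 1472 bytes) and the other 77 are discarded; one second later the bucket has refilled by 1250 bytes, so 19 of the next 20 pass. The steady stream never drains the bucket, which is the point of the burst-size limit: it absorbs short bursts of legitimate ARP while a storm is still rate-limited.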
Benefits of the ARP Policer
Prevents network congestion caused by broadcast storms
Protects Routing Engines on SRX Series devices that are impacted by broadcast storms
Provides protection from denial-of-service (DoS) attacks