Example: Configuring ARP Policer

This example shows how to configure an Address Resolution Protocol (ARP) policer on SRX Series Firewalls.

Support for ARP policers on pseudowire interfaces on MX Series routers is available in Junos OS Release 20.2R1. The configuration principles are the same as shown here.

Requirements

This example uses the following hardware and software components:

  • SRX Series Firewall.

  • Junos OS Release 18.4R1 or later.

Before you begin, see ARP Policer Overview.

Overview

ARP is used to map a MAC address to an IP address. ARP dynamically binds the IP address (the logical address) to the correct MAC address. Before IP unicast packets can be sent, ARP discovers the MAC address used by the Ethernet interface where the IP address is configured. This feature is supported on all SRX Series Firewalls. Applying a policer to ARP controls the traffic that reaches the Routing Engine on the SRX Series Firewall, which prevents network congestion caused by broadcast storms.

Note:

By default, an ARP policer named __default_arp_policer__ is used and shared by all Ethernet interfaces that have family inet configured.

On MX Series routers, you can create policers for ARP traffic on pseudowire interfaces. You configure rate limiting for the policer by specifying the bandwidth and the burst-size limit of a firewall policer, and you attach the policer to a pseudowire interface just as you would to any other interface. Apply the ARP policer to a pseudowire interface at the [edit interfaces interface-name unit unit-number family inet policer arp policy-name] level of the hierarchy. Traffic that exceeds the specified rate limits can be dropped or marked as low priority and delivered when congestion permits.

Configuration

This example shows how to configure rate limiting for the policer by specifying the bandwidth and the burst-size limit.

Configuring ARP Policer on Interface

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Use the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the ARP policer:

  1. Specify the name of the policer.

  2. Configure rate limiting for the policer.

    • Specify the bandwidth limit in bits per second (bps) to control the traffic rate on an interface:

      The range for the bandwidth limit is 1 through 150,000 bps.

    • Specify the burst-size limit (the maximum allowed burst size in bytes) to control the amount of traffic bursting:

      To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur:

      burst size = (bandwidth) * (allowable time for burst traffic)

      The range for the burst-size limit is 1 through 150,00 bytes.

  3. Specify the policer action discard to discard packets that exceed the rate limits.

    Discard is the only supported policer action.

  4. Configure the interfaces.
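
The four steps above written out as configuration-mode set commands. This is an added illustration, not the commands from the original page: the policer name arp-limit, the interface ge-0/0/0, the address, and the limit values are constructed placeholders, with the limits chosen to fall inside the ranges stated in step 2.

```junos
# Constructed example values; replace the name, interface, and limits
# with ones that match your network.

# Steps 1 and 2: name the policer and set its rate limits
# (bandwidth in bps, burst size in bytes).
set firewall policer arp-limit if-exceeding bandwidth-limit 150000
set firewall policer arp-limit if-exceeding burst-size-limit 15000

# Step 3: discard packets that exceed the rate limits
# (discard is the only supported action).
set firewall policer arp-limit then discard

# Step 4: configure the interface and attach the policer to ARP traffic
# at [edit interfaces interface-name unit unit-number family inet policer arp].
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/0 unit 0 family inet policer arp arp-limit
```

An interface configured this way uses arp-limit for ARP instead of sharing __default_arp_policer__ with the other Ethernet interfaces.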

Results

From configuration mode, confirm your configuration by entering the show firewall command. If the output does not display the intended configuration, repeat the instructions in this example to correct it.

After you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the Results of the ARP Policer

Purpose

Verify the results of the ARP policer.

Action

From operational mode, enter the show policer policer-name command.

Meaning

The show policer policer-name command displays the names of all firewall filters and policers that are configured on the device.

Release History Table

Release    Description
20.2R1     Support for MX Series routers is available in Junos OS Release 20.2R1, and the configuration principles are the same as shown here.