Example: Configuring ARP Cache Protection
You can configure an ARP cache limit for resolved and unresolved next-hop entries in the cache. This example shows how to configure ARP cache protection by specifying a maximum count and hold limit for resolved and unresolved next-hop entries in the ARP cache. This limit can be specified globally for all interfaces, or locally on a particular interface of the device. The benefit of configuring such a limit on the ARP cache is to protect the device from denial-of-service (DoS) attacks.
Requirements
This example uses the following hardware and software components:
- Two routers that can be a combination of MX Series routers.
- Two host devices connected to the routers.
- Junos OS Release running on the routers.
Overview
Sending IP packets on a multiaccess network requires mapping from an IP address to a media access control (MAC) address (the physical or hardware address). In an Ethernet environment, ARP is used to map a MAC address to an IP address. Hosts that use ARP maintain a cache of discovered Internet-to-Ethernet address mappings to minimize the number of ARP broadcast messages.
To keep the cache from growing too large, by default, an entry is removed from the cache if it is not used within a certain period of time. In addition to this, you can manage the number of ARP cache entries by configuring a limit on the resolved and unresolved next-hop entries.
Topology
Figure 1 illustrates a simple two-router topology with ARP cache protection enabled. Routers R1 and R2 are each connected to hosts, Host1 and Host2, respectively.
ARP cache next-hop entries are allotted to the different interface types as follows, whether or not the ARP cache protection feature is configured:
- By default, 200 entries are allotted to IRIs.
- 80 percent of the remaining entries are allotted to public interfaces.
- 20 percent of the remaining entries are allotted to management interfaces.
For example, if Router R1 is configured with an arp-system-cache-limit of 220 globally and receives 230 ARP entries on the first interface receiving entries (say, ge-0/0/0), the following actions are performed:
- When 230 entries are received, the global limit of 220 entries is applied to the system. The configured limit is divided among the different types of interfaces, and the remaining entries received on a particular interface are discarded.
- Out of the 220 cached entries, by default, 200 entries are allocated to IRI interfaces.
- Out of the remaining 20 entries, 80 percent (16 entries) are allotted to public interfaces and 20 percent (4 entries) to the management interface. If the 230 ARP entries are received on the public interface, only the cache limit of 16 entries is retained, and the remaining 214 entries are discarded.
In addition, if ge-0/0/0 on Router R1 is configured with an arp-new-hold-limit value of 8, the following actions are performed:
- Out of the 230 received entries, only 220 entries are cached in the ARP table. However, instead of being discarded outright, the next eight excess entries (the hold limit) are counted in the hold counter of ge-0/0/0, and the remaining entries are counted in the drop counter of ge-0/0/0.
- Depending on the availability of bandwidth, the eight held entries are cached in the ARP table of ge-0/0/0 before any newly received entries are taken into account.
- The drop counter of ge-0/0/0, however, does not increment by single entries. The discarded hold entries in the drop counter form a loop, adding to the entry count until there is bandwidth on the interface to accommodate all the entries. Therefore, additions to the drop counter have a drastic effect on interface performance.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
R1
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/0 unit 0 family inet arp-new-hold-limit 8
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set interfaces lo0 unit 0 family inet address 10.10.10.1/32
set system arp-system-cache-limit 220
R2
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/24
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set interfaces lo0 unit 0 family inet address 10.20.20.1/32
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure Router R1 with ARP cache protection:
- Configure the interfaces of Router R1.
[edit interfaces]
user@R1# set ge-0/0/0 unit 0 family inet address 192.0.2.1/24
user@R1# set ge-0/0/1 unit 0 family inet address 192.0.2.1/24
user@R1# set lo0 unit 0 family inet address 10.10.10.1/32
- Configure ARP cache protection globally for all the interfaces of Router R1.
[edit system]
user@R1# set arp-system-cache-limit 220
- Configure a hold limit on the ARP cache entries of interface ge-0/0/0 of Router R1.
[edit interfaces]
user@R1# set ge-0/0/0 unit 0 family inet arp-new-hold-limit 8
Results
From configuration mode, confirm your configuration by entering the show interfaces and show system commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
user@R1# show interfaces
ge-0/0/0 {
unit 0 {
family inet {
address 192.0.2.1/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.0.2.1/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.10.10.1/32;
}
}
}
user@R1# show system
arp-system-cache-limit 220;
Verification
Confirm that the configuration is working properly.
Verifying Global ARP Next-Hop Cache Limit
Purpose
Verify the system-wide ARP next-hop cache limits and the allocation of next-hop entries for different interfaces.
Action
From operational mode, run the show system statistics arp command.
user@R1> show system statistics arp
arp:
717253 datagrams received
47 ARP requests received
31 ARP replies received
285 resolution request received
0 unrestricted proxy requests
0 restricted proxy requests
0 received proxy requests
0 unrestricted proxy requests not proxied
*****
220 Max System ARP nh cache limit
16 Max Public ARP nh cache limit
200 Max IRI ARP nh cache limit
4 Max Management intf ARP nh cache limit
16 Current Public ARP next-hops present
1 Current IRI ARP next-hops present
2 Current Management ARP next-hops present
2457 Total ARP next-hops creation failed as limit reached
2454 Public ARP next-hops creation failed as public limit reached
3 IRI ARP next-hops creation failed as iri limit reached
0 Management ARP next-hops creation failed as mgt limit reached
Meaning
The global ARP next-hop cache limits are displayed in the output, along with the allocation of next-hop entries for IRI, public, and management interfaces.
Verifying Local ARP Next-Hop Cache Limit
Purpose
Verify the interface ARP next-hop cache limit.
Action
From operational mode, run the show interfaces interface-name command.
user@R1> show interface fxp0
fxp0
Physical interface: fxp0, Enabled, Physical link is Up
Interface index: 1, SNMP ifIndex: 1
Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Speed: 100mbps
Device flags : Present Running
Interface flags: SNMP-Traps
Link type : Full-Duplex
Current address: 00:a0:a5:62:8e:39, Hardware address: 00:a0:a5:62:8e:39
Last flapped : 2014-10-16 10:23:29 PDT (16:27:21 ago)
Input packets : 0
Output packets: 0
Logical interface fxp0.0 (Index 3) (SNMP ifIndex 13)
Flags: Up SNMP-Traps Encapsulation: ENET2
Bandwidth: 0
Input packets : 23
Output packets: 4
Protocol inet, MTU: 1500
Max nh cache: 220 New hold nh limit: 8, Curr nh cnt: 2, Curr new hold cnt: 0, NH drop cnt: 0
Flags: Sendbcast-pkt-to-re, Is-Primary
Addresses, Flags: Is-Default Is-Preferred Is-Primary
Destination: 10.209.0/18, Local: 10.209.3.69, Broadcast: 10.209.63.255
Meaning
The local ARP next-hop cache count and hold limits for the management interface are displayed in the output.
Troubleshooting
To troubleshoot the ARP cache protection configuration, see:
Troubleshooting System Log Messages
Problem
System log messages are generated to record events when the ARP cache limits are exceeded.
Solution
To interpret the system log messages, refer to the following:
- Feb 08 17:12:39 [TRACE] [R1]: Public intf soft (80%) arp nh cache limit reached—Router R1 has reached 80 percent of the allowed ARP next-hop cache limit for public interfaces.
- Feb 08 17:07:43 [TRACE] [R1]: Public intf hard arp nh cache limit reached—Router R1 has reached the maximum allowed limit for ARP next-hop cache entries on the public interface.
- Feb 08 17:15:14 [TRACE] [R1]: Max cache soft (80%) arp nh cache limit for intf idx 325 reached—Router R1 has reached 80 percent of the configured global ARP next-hop cache limit for all its interfaces.
- Feb 08 17:19:41 [TRACE] [R1]: Max cache hard arp nh cache limit for intf idx 325 reached—Router R1 has reached the maximum configured global ARP next-hop cache limit for all its interfaces.