
Example: Configuring ARP Cache Protection

Starting in Junos OS Release 16.1, you can configure an ARP cache limit for resolved and unresolved next-hop entries in the cache. This example shows how to configure ARP cache protection by specifying a maximum count and hold limit for resolved and unresolved next-hop entries in the ARP cache. This limit can be specified globally for all interfaces, or locally on a particular interface of the device. The benefit of configuring such a limit on the ARP cache is to protect the device from denial-of-service (DoS) attacks.

Requirements

This example uses the following hardware and software components:

  • Two routers that can be a combination of M, MX, and T Series routers.

  • Two host devices connected to the routers.

  • Junos OS Release 16.1 or later running on the routers.

Overview

Sending IP packets on a multiaccess network requires mapping from an IP address to a media access control (MAC) address (the physical or hardware address). In an Ethernet environment, ARP is used to map an IP address to a MAC address. Hosts that use ARP maintain a cache of discovered Internet-to-Ethernet address mappings to minimize the number of ARP broadcast messages.

To keep the cache from growing too large, by default, an entry is removed from the cache if it is not used within a certain period of time. In addition to this, starting in Junos OS Release 16.1, you can manage the number of ARP cache entries by configuring a limit on the resolved and unresolved next-hop entries.

The ARP cache feature supports two types of limits:

  • Count—Count limit is the maximum number of next hops that can be created in the ARP cache.

  • Hold—Hold limit is the maximum number of hold routes pointing to a particular interface that can be retained before getting added to the ARP cache.

The ARP cache limits are executed at two levels:

  • Local—Local limits are configured per interface and are defined for resolved and unresolved entries in the ARP cache.

  • Global—Global limits apply system-wide. A global limit is further defined separately for the public interfaces and management interfaces, for example, fxp0. The management interface has a single global limit and no local limit. The global limit enforces a system-wide cap on entries for the ARP cache, including private internal routing interfaces (IRIs) for internal routing instances, for example, em0 and em1.

The default global limit depends on the platform:

  • Small-sized platforms (ACX, EX22XX, EX3200, EX33XX, and SRX): 20,000.

  • Medium-sized platforms (EX4200, EX45XX, EX4300, EX62XX, and MX): 75,000.

  • All other platforms: 100,000.

You can modify this limit by configuring the ARP next-hop cache protection feature.

  • To configure the ARP cache count limit for resolved and unresolved next-hop entries globally, include the arp-system-cache-limit statement at the [edit system] hierarchy level.

  • To configure the ARP cache count limit for resolved and unresolved next-hop entries locally, include the arp-system-cache-limit statement at the [edit interfaces interface-name unit interface-unit-number family inet] hierarchy level.

  • To configure the ARP cache hold limit for unresolved next-hop entries locally, include the arp-new-hold-limit statement at the [edit interfaces interface-name unit interface-unit-number family inet] hierarchy level.

    Note:

    The ARP cache hold limit is configured on a per-interface basis only, and cannot be configured at the system level.

The ARP cache next-hop entries get allotted to different types of interfaces differently, irrespective of the ARP cache protection feature configuration.

  1. By default, 200 entries get allotted to IRIs.

  2. 80 percent of the remaining entries get allotted to public interfaces.

  3. 20 percent of the remaining entries get allotted to management interfaces.

When the ARP next-hop entries exceed the configured count limit, new entries are either discarded, or kept under the hold counter, if a hold limit is configured for that interface. The ARP next-hop hold limit specifies the maximum number of hold entries or hold routes that point to a particular interface. When the number of hold entries exceeds the configured hold limit, the drop counter for that interface is affected drastically, as the new hold entries create a loop and continue to increment until there is bandwidth to accommodate them.

Note:

After modifying the default ARP next-hop cache limit on an interface, the interface must be deactivated and reactivated for the newly configured values to take effect.

Topology

Figure 1 illustrates a simple two-router topology with ARP cache protection enabled. Routers R1 and R2 are each connected to hosts, Host1 and Host2, respectively.

Figure 1: ARP Cache Protection

For example, if Router R1 is configured with an arp-system-cache-limit of 220 globally, and it receives 230 ARP entries, on the first interface receiving the entries (say, ge-0/0/0), the following actions are performed:

  1. When 230 entries are received, the global limit of 220 entries is applied to the system, where the configured limit is divided among the different types of interfaces, and the remaining entries received on a particular interface get discarded.

  2. Out of the 220 cached entries, by default, 200 entries are allocated for IRI interfaces.

  3. Out of the remaining 20 entries, 80 percent of the entries (16 entries) are sent to public interfaces and 20 percent of the entries (4 entries) are sent to the management interface. If the 230 ARP entries are received on the public interface, only the cache limit of 16 entries is retained, and the remaining 214 entries get discarded.

In addition, if ge-0/0/0 on Router R1 is configured with an arp-new-hold-limit value of 8, the following actions are performed:

  1. Out of the 230 received entries, only 220 entries are cached in the ARP table. However, instead of discarding the remaining entries, the hold entries are sent to the hold counter of ge-0/0/0, and then the remaining entries are sent to the drop counter of ge-0/0/0.

  2. Depending on availability of bandwidth, the eight hold entries are cached in the ARP table of ge-0/0/0 before taking any newly received entries into account.

  3. The drop counter of ge-0/0/0, however, does not increment by single entries. The discarded hold entries in the drop counter form a loop and add to the entries count until there is bandwidth on the interface to accommodate all the entries. Therefore, additions to the drop counter have a drastic effect on the interface performance.
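As an added example that is not part of the Junos documentation, the following Python model replays the two walkthroughs above: a global limit of 220 split as 200/16/4 between IRI, public and management interfaces, then 230 entries arriving on ge-0/0/0 with a hold limit of 8. The names allocate, Interface and expire are this example's own, and integer rounding of the 80/20 split is an assumption.

```python
# Added example (not from the Junos documentation): models how a global
# arp-system-cache-limit is split between interface classes and how an
# interface with an arp-new-hold-limit caches, holds or drops new entries.
# The 200-entry IRI reservation and the 80/20 split are the page's figures;
# integer rounding for non-divisible remainders is an assumption here.
from dataclasses import dataclass

IRI_RESERVED = 200  # entries reserved for internal routing interfaces by default

def allocate(global_limit: int) -> dict:
    """Split a global ARP cache limit into IRI, public and management shares."""
    if global_limit < IRI_RESERVED:
        raise ValueError("global limit cannot be below the IRI reservation")
    remaining = global_limit - IRI_RESERVED
    public = remaining * 80 // 100      # 80 percent of the remainder to public
    management = remaining - public     # the other 20 percent to management
    return {"iri": IRI_RESERVED, "public": public, "management": management}

@dataclass
class Interface:
    """Per-interface ARP cache state and its count/hold counters."""
    name: str
    cache_limit: int      # this interface's share of the count limit
    hold_limit: int = 0   # 0 means no arp-new-hold-limit is configured
    cached: int = 0
    held: int = 0
    dropped: int = 0

    def receive(self, count: int) -> None:
        """Admit new next-hop entries: cache first, then hold, then drop."""
        for _ in range(count):
            if self.cached < self.cache_limit:
                self.cached += 1
            elif self.held < self.hold_limit:
                self.held += 1
            else:
                self.dropped += 1

    def expire(self, count: int) -> int:
        """Age out cached entries, then refill the cache from held entries."""
        self.cached = max(0, self.cached - count)
        moved = min(self.held, self.cache_limit - self.cached)
        self.held -= moved
        self.cached += moved
        return moved

def run_example() -> tuple:
    shares = allocate(220)
    ge = Interface("ge-0/0/0", cache_limit=shares["public"], hold_limit=8)
    ge.receive(230)
    return shares, ge.cached, ge.held, ge.dropped
```

Without a hold limit the same 230 entries leave 214 dropped, matching the first walkthrough; with the hold limit of 8, eight entries wait in the hold counter until expire frees cache space.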

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

R1

R2

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure Router R1 with ARP cache protection:

  1. Configure the interfaces of Router R1.

  2. Configure ARP cache protection globally for all the interfaces of Router R1.

  3. Configure a hold limit on the ARP cache entries of interface ge-0/0/0 of Router R1.

Results

From configuration mode, confirm your configuration by entering the show interfaces and show system commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Verification

Confirm that the configuration is working properly.

Verifying Global ARP Next-Hop Cache Limit

Purpose

Verify the system-wide ARP next-hop cache limits and the allocation of next-hop entries for different interfaces.

Action

From operational mode, run the show system statistics arp command.

Meaning

The global ARP next-hop cache limits are displayed in the output, along with the allocation of next-hop entries for IRI, public, and management interfaces.

Verifying Local ARP Next-Hop Cache Limit

Purpose

Verify the interface ARP next-hop cache limit.

Action

From operational mode, run the show interfaces interface-name command.

Meaning

The local ARP next-hop cache count and hold limits for the management interface are displayed in the output.

Troubleshooting

To troubleshoot the ARP cache protection configuration, see:

Troubleshooting System Log Messages

Problem

System log messages are generated to record events when the ARP cache limits are exceeded.

Solution

To interpret the system log messages, refer to the following:

  • Feb 08 17:12:39 [TRACE] [R1]: Public intf soft (80%) arp nh cache limit reached—Router R1 has reached 80 percent of the allowed ARP next-hop cache limit for public interfaces.

  • Feb 08 17:07:43 [TRACE] [R1]: Public intf hard arp nh cache limit reached—Router R1 has reached the maximum allowed limit for ARP next-hop cache entries on the public interface.

  • Feb 08 17:15:14 [TRACE] [R1]: Max cache soft (80%) arp nh cache limit for intf idx 325 reached—Router R1 has reached 80 percent of the configured global ARP next-hop cache limit for all its interfaces.

  • Feb 08 17:19:41 [TRACE] [R1]: Max cache hard arp nh cache limit for intf idx 325 reached—Router R1 has reached the maximum configured global ARP next-hop cache limit for all its interfaces.
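As an added example that is not part of the Junos documentation, the following Python parses these four message formats into structured events so a log pipeline can distinguish soft (80 percent) warnings from hard-limit hits; the regular expression, field names and sample lines are this example's own constructions.

```python
# Added example (not from the Junos documentation): parse the ARP cache limit
# syslog messages shown above into structured events so a log pipeline can
# alert on hard-limit hits. The sample lines are constructed from the formats
# on this page; the regex and the field names are assumptions of this script.
import re

LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[TRACE\] \[(?P<router>[^\]]+)\]: "
    r"(?P<scope>Public intf|Max cache) "
    r"(?P<severity>soft \(80%\)|hard) arp nh cache limit"
    r"(?: for intf idx (?P<ifidx>\d+))? reached$"
)

def parse_line(line: str):
    """Return a dict for an ARP cache limit message, or None for other lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": m["ts"],
        "router": m["router"],
        # "Public intf" messages concern the public-interface share; "Max cache"
        # messages concern the global limit and name the interface index.
        "scope": "public" if m["scope"] == "Public intf" else "global",
        "severity": "soft" if m["severity"].startswith("soft") else "hard",
        "ifindex": int(m["ifidx"]) if m["ifidx"] else None,
    }

def hard_limit_events(lines):
    """Keep only hard-limit events: the cache is full and new entries drop."""
    return [e for e in map(parse_line, lines) if e and e["severity"] == "hard"]

SAMPLE_LOG = [  # constructed from the message formats documented above
    "Feb 08 17:12:39 [TRACE] [R1]: Public intf soft (80%) arp nh cache limit reached",
    "Feb 08 17:07:43 [TRACE] [R1]: Public intf hard arp nh cache limit reached",
    "Feb 08 17:15:14 [TRACE] [R1]: Max cache soft (80%) arp nh cache limit for intf idx 325 reached",
    "Feb 08 17:19:41 [TRACE] [R1]: Max cache hard arp nh cache limit for intf idx 325 reached",
    "Feb 08 17:20:00 [TRACE] [R1]: some unrelated trace line",
]

if __name__ == "__main__":
    for event in hard_limit_events(SAMPLE_LOG):
        print(event)
```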

Release History Table

Release   Description
16.1      Starting in Junos OS Release 16.1, you can configure an ARP cache limit for resolved and unresolved next-hop entries in the cache.