On Thu, 28 Jun 2007, Guy Davies wrote:
> Won't that simply rate-limit *all* traffic traversing that interface
> to 5m? You'd need to identify arp traffic specifically, using a
> firewall filter and apply that to the interface.

No, because it's configured as an ARP policer, not as a generic
input/output policer [1]. It's not even possible to match ARP traffic
with a firewall filter because doing so would require L2 matching
which isn't supported.

[1] http://www.juniper.net/techpubs/software/junos/junos82/swconfig82-network-interfaces/html/interfaces-summary336.html

> A shared, non-configurable policer is applied to all Ethernet
> interfaces on which family inet is configured in a chassis. You can
> configure an ARP policer on a per interface basis. This will override
> the default policer.
>
> Guy
>
> On 28/06/07, Gunjan GANDHI (BR/EPA) <[EMAIL PROTECTED]> wrote:
>> Jens,
>> It is possible to do this on a per interface basis, not sure if you can
>> do on a per node basis. Here is a sample syntax example.
>>
>> [edit]
>> [EMAIL PROTECTED] show interfaces ge-0/0/0
>> vlan-tagging;
>> unit 502 {
>>     vlan-id 502;
>>     family inet {
>>         policer {
>>             arp Block_ARP;
>>         }
>>         address 172.20.16.52/24;
>>     }
>> }
>>
>> [edit]
>> [EMAIL PROTECTED] show firewall
>> policer Block_ARP {
>>     if-exceeding {
>>         bandwidth-limit 5m;
>>         burst-size-limit 50k;
>>     }
>> }
>>
>> Cheers
>> //Gunjan
>>
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of
>> [EMAIL PROTECTED]
>> Sent: Thursday, 28 June 2007 3:01 AM
>> To: juniper-nsp@puck.nether.net
>> Subject: [j-nsp] Ratelimiting ARP-Requests
>>
>> Dear colleagues,
>>
>> I'm looking for advice about the possibilities to ratelimit incoming
>> ARP requests.
>>
>> What's the correct syntax for an effective filter rule to solve this
>> problem?
>>
>> Kind Regards
>> Jens
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
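
The distinction discussed in this thread (an `arp` policer under `family inet` versus a generic `input`/`output` policer) can be checked offline against a saved configuration. The following is an added example, not part of the original messages and not a Juniper tool: it uses a simplified brace parser, and units 503 and 504 and the names `Limit_All` and `Missing_ARP` are hypothetical values constructed for contrast.

```python
import re

# Constructed sample modelled on the configuration quoted in the thread.
# Units 503/504 and the names Limit_All/Missing_ARP are hypothetical.
SAMPLE = """
interfaces { ge-0/0/0 { vlan-tagging;
    unit 502 { vlan-id 502;
        family inet { policer { arp Block_ARP; } address 172.20.16.52/24; } }
    unit 503 { vlan-id 503;
        family inet { policer { input Limit_All; } } }
    unit 504 { vlan-id 504;
        family inet { policer { arp Missing_ARP; } } } } }
firewall { policer Block_ARP {
    if-exceeding { bandwidth-limit 5m; burst-size-limit 50k; } } }
"""

def parse(text):
    """Parse brace-delimited config into nested dicts (leaf statements -> None)."""
    root, stack, words = {}, [], []
    node = root
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            stack.append(node)
            node = node.setdefault(" ".join(words), {})
            words = []
        elif tok == "}":
            node = stack.pop()
        elif tok == ";":
            node[" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    return root

def audit_arp_policers(text):
    """Return {logical interface: (ARP policing status, generic policer present)}."""
    cfg = parse(text)
    defined = {k.split()[1] for k in cfg.get("firewall") or {} if k.startswith("policer ")}
    report = {}
    for ifname, ifcfg in (cfg.get("interfaces") or {}).items():
        for key, unit in (ifcfg or {}).items():
            if not key.startswith("unit ") or "family inet" not in (unit or {}):
                continue
            pol = (unit["family inet"] or {}).get("policer") or {}
            arp = [k.split()[1] for k in pol if k.startswith("arp ")]
            generic = any(k.startswith(("input ", "output ")) for k in pol)
            # No arp statement: the shared default applies; a named one must exist.
            status = ("chassis-default" if not arp else
                      "arp:" + arp[0] if arp[0] in defined else "undefined:" + arp[0])
            report[f"{ifname}.{key.split()[1]}"] = (status, generic)
    return report
```

A unit reported as `chassis-default` with a generic policer present is the case raised in the thread: all traffic on that unit is policed, while ARP still falls under the shared default policer.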