Yep, Pekka (and Erdem and Gunjan) are right. I missed that little word in the policer section.
Apologies.

Rgds,

Guy

On 29/06/07, Pekka Savola <[EMAIL PROTECTED]> wrote:
> On Thu, 28 Jun 2007, Guy Davies wrote:
> > Won't that simply rate-limit *all* traffic traversing that interface
> > to 5m? You'd need to identify arp traffic specifically, using a
> > firewall filter and apply that to the interface.
>
> No, because it's configured as an ARP policer, not as a generic
> input/output policer [1].
>
> It's not even possible to match ARP traffic with a firewall filter
> because doing so would require L2 matching which isn't supported.
>
> [1]
> http://www.juniper.net/techpubs/software/junos/junos82/swconfig82-network-interfaces/html/interfaces-summary336.html
>
> > A shared, non-configurable policer is applied to all Ethernet
> > interfaces on which family inet is configured in a chassis. You can
> > configure an ARP policer on a per interface basis. This will override
> > the default policer.
> >
> > Guy
> >
> > On 28/06/07, Gunjan GANDHI (BR/EPA) <[EMAIL PROTECTED]> wrote:
> >> Jens,
> >> It is possible to do this on a per interface basis, not sure if you can
> >> do on a per node basis. Here is a sample syntax example.
> >>
> >> [edit]
> >> [EMAIL PROTECTED] show interfaces ge-0/0/0
> >> vlan-tagging;
> >> unit 502 {
> >>     vlan-id 502;
> >>     family inet {
> >>         policer {
> >>             arp Block_ARP;
> >>         }
> >>         address 172.20.16.52/24;
> >>     }
> >> }
> >>
> >> [edit]
> >> [EMAIL PROTECTED] show firewall
> >> policer Block_ARP {
> >>     if-exceeding {
> >>         bandwidth-limit 5m;
> >>         burst-size-limit 50k;
> >>     }
> >> }
> >>
> >> Cheers
> >> //Gunjan
> >>
> >>
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] On Behalf Of
> >> [EMAIL PROTECTED]
> >> Sent: Thursday, 28 June 2007 3:01 AM
> >> To: juniper-nsp@puck.nether.net
> >> Subject: [j-nsp] Ratelimiting ARP-Requests
> >>
> >> Dear colleagues,
> >>
> >> I'm looking for advice about the possibilities to ratelimit incoming
> >> ARP requests.
> >>
> >> What's the correct syntax for an effective filter rule to solve this
> >> problem?
> >>
> >> Kind Regards
> >> Jens
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp@puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings