Make sure that you add the static arp entries into the configuration and not from any shell commands; otherwise if the router reboots your entries will need to be re-added.

I know you can configure 10k mac filters on the IQ2, not sure about scaling higher than that. You could test this or ask your local SE team to help you.

Truman


On 29/06/2009, at 2:20 PM, Samit wrote:

So, do you think if I acquire an IQ2 PIC I should be able to insert
thousands of filter lines like below:

/sbin/iptables -i eth2 -m mac --mac-source 00:60:47:40:f0:72 -s 192.168.0.1/24 -m limit --limit 100/second -j ACCEPT

Regards,
Samit

Patrik Olsson wrote:
Hello,

Too bad!
With IQ2 PIC and possibly ISE features on an I chip upgraded M series
you probably could have fixed it without static ARP:s

Cheers
Patrik


Samit wrote:
Hi Tarique,

Thanks, but I am not running MPLS/VPLS, nor do I have an IQ PIC.

Regards,
Samit


Nalkhande Tarique Abbas wrote:
Samit

Something similar to limit source-mac should help...you can try to fine
tune it further!


l...@m120# show interfaces ge-1/3/0
encapsulation flexible-ethernet-services;
gigether-options {   <===
    source-filtering;
}
}
....
....
....
vlan-id 1001;
encapsulation vlan-vpls;
accept-source-mac {
    mac-address 00:17:9a:00:73:91; <===


Thanks & Regards,
Tarique

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Samit
Sent: Friday, June 26, 2009 10:50 AM
To: Patrik Olsson
Cc: juniper-nsp
Subject: Re: [j-nsp] Maximum no. of static arp entries in M7i

In a scenario with static IP address allocation to customers, is there any other way to discourage users from abusing another subscriber's IP or MAC address and accessing/abusing the internet in an L2 switched network (wired/wireless) where you do not have the capability to control this from a switch port?

Currently I am using a Linux router and doing IP+MAC filtering using
iptables, and am now wondering if I can replace it with a Juniper M7i to do
the same, but I believe it is not possible to run such filtering.

Samit

Patrik Olsson wrote:
Out of sheer curiosity, why static arp:s?

Patrik

Hi,

Any idea how many static ARP entries M7i interfaces/Junos will
accept and work with?

interfaces ge-1/3/0 {
   unit 0 {
       family inet {
           address 192.168.0.1/24 {
               arp 192.168.0.2 mac  00:17:f2:cb:89:43;
           }
       }
   }
}

Regards,
Samit
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
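
Added example (not written by anyone in this thread): one way to keep thousands of static ARP bindings in the configuration rather than in shell commands is to generate the Junos "set" lines from a subscriber list and reject conflicting rows before they reach the router. The interface and gateway address are taken from the config quoted above; the "ip,mac" input format, the function name build_static_arp and the sample rows are assumptions made for illustration.

```python
import ipaddress
import re

# Interface and gateway come from the config quoted in the thread; rows are constructed.
IFACE = "ge-1/3/0"
GATEWAY = ipaddress.ip_interface("192.168.0.1/24")
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

SAMPLE_ROWS = """\
192.168.0.2,00:17:F2:CB:89:43
192.168.0.3,00-60-47-40-f0-72
192.168.0.3,00:17:9a:00:73:91
192.168.1.9,00:17:9a:00:73:92
192.168.0.4,00:17:f2:cb:89:43
192.168.0.5,not-a-mac
"""

def build_static_arp(rows):
    """Return (set_commands, rejected) for 'ip,mac' lines (hypothetical helper)."""
    seen_ip, seen_mac, cmds, rejected = set(), set(), [], []
    for n, line in enumerate(rows.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ip_s, mac_s = (f.strip() for f in line.split(","))
            ip = ipaddress.ip_address(ip_s)
        except ValueError:
            rejected.append((n, "malformed line or IP"))
            continue
        mac = mac_s.lower().replace("-", ":")  # normalise to Junos colon form
        if not MAC_RE.match(mac):
            reason = "malformed MAC"
        elif ip not in GATEWAY.network or ip == GATEWAY.ip:
            reason = "IP outside subnet or equal to gateway"
        elif ip in seen_ip:
            reason = "duplicate IP"    # two subscribers claiming one address
        elif mac in seen_mac:
            reason = "duplicate MAC"   # one MAC bound to two addresses
        else:
            seen_ip.add(ip); seen_mac.add(mac)
            cmds.append(f"set interfaces {IFACE} unit 0 family inet "
                        f"address {GATEWAY.with_prefixlen} arp {ip} mac {mac}")
            continue
        rejected.append((n, reason))
    return cmds, rejected

if __name__ == "__main__":
    cmds, bad = build_static_arp(SAMPLE_ROWS)
    print("\n".join(cmds + [f"# rejected line {n}: {why}" for n, why in bad]))
```

The generated lines are entered in configuration mode and committed, so the bindings survive a reboot.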