Juniper Transport and Internet Protocols User Manual

Junos® OS

Transport and Internet Protocols User Guide

Published 2021-04-18

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Junos® OS Transport and Internet Protocols User Guide
Copyright © 2021 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software you agree to the terms and conditions of that EULA.

Table of Contents

About This Guide | vii

1 Understanding IP Support on Junos OS

  Junos OS Support for IPv4, IPv6, and MPLS Routing Protocols | 2

2 Configure Transport and Internet Protocol Features

  Configure ARP Learning and Aging Options | 6
    Configuring Passive ARP Learning for Backup VRRP Devices | 6
    Configuring a Delay in Gratuitous ARP Requests | 7
    Sending a Gratuitous ARP Request When an Interface is Online | 8
    Purging ARP Entries | 8
    Setting the ARP Aging Timer | 8
    Disabling Neighbor Discovery | 9
  Example: Configuring ARP Cache Protection | 10
    Requirements | 10
    Overview | 11
    Configuration | 14
    Verification | 16
    Troubleshooting | 19
  Configure ICMP Features | 20
    Protocol Redirect Messages | 20
    Disable the Routing Engine Response to Multicast Ping Packets | 22
    Disable Reporting IP Address and Timestamps in Ping Responses | 22
    Configure Junos OS to Ignore ICMP Source Quench Messages | 23
    Rate Limit ICMPv4 and ICMPv6 Traffic | 23
    Rate Limit ICMPv4 and ICMPv6 Error Messages | 24
  Configure IPv6 Features | 26
    Configure IPv6 Duplicate Address Detection Attempts | 27
    Accept IPv6 Packets with a Zero Hop Limit | 27
    Process IPv4-mapped IPv6 Addresses | 27
    Process 6PE Traceroutes | 28
  Configure Path MTU Discovery | 29
    Configuring Path MTU Discovery on Outgoing TCP Connections | 29
    Configuring IP-IP Path MTU Discovery on IP-IP Tunnel Connections | 29
    Configuring Path MTU Discovery on Outgoing GRE Tunnel Connections | 30
  Configure TCP Options | 31
    Security for TCP Headers with SYN and FIN Flags Set | 31
    Disable TCP RFC 1323 Extensions | 32
    Configure TCP MSS for Session Negotiation | 33
    Configuring TCP MSS on T Series and M Series Routers, and MX Series Routers Using a Service Card | 34
    Configuring TCP MSS Inline on MX Series Routers Using MPC Line Cards | 34
    Select a Fixed Source Address for Locally Generated TCP/IP Packets | 35
  Configure TCP Authentication Option (TCP-AO) | 36
    TCP Authentication Option (TCP-AO) for BGP and LDP Sessions | 37
    Configure a Keychain (TCP-AO) | 40
    Example: Authenticate BGP Session Using TCP Authentication Option (TCP-AO) | 43
      Requirements | 44
      Overview | 44
      Configuration | 44
    Example: Authenticate LDP Session Using TCP Authentication Option (TCP-AO) | 50
      Requirements | 51
      Overview | 51
      Configuration | 51
      Verification | 56

3 Configure Port Security

  System Settings | 59
    Specifying the Physical Location of the Switch | 59
    Modifying the Default Time Zone for a Router or Switch Running Junos OS | 60
    Configuring Junos OS to Extend the Default Port Address Range | 61
    Configuring Junos OS to Select a Fixed Source Address for Locally Generated TCP/IP Packets | 62
    Rebooting and Halting a Device | 63
    Configuring Password Authentication for Console Access to PICs | 65

4 Configuration Statements

  allow-6pe-traceroute | 68
  allow-v4mapped-packets | 69
  arp | 71
  arp-max-cache | 76
  arp-new-hold-limit | 78
  arp-system-cache-limit | 79
  auxiliary | 82
  authentication-key-chains (TCP-AO) | 84
  console (System Ports) | 87
  default-address-selection | 90
  diag-port-authentication | 92
  x n s s cs | 94
  icmp (Error Message Rate Limit) | 95
  icmp6 (Error Message Rate Limit) | 97
  internet-options | 99
  no-multicast-echo | 104
  non-subscriber-no-reply | 105
  no-ping-record-route | 107
  no-ping-time-stamp | 108
  path-mtu-discovery (Tunnel) | 110
  r c r c n | 112
  tcp-mss | 113

5 Operational Commands

  clear arp | 117
  clear multicast snooping statistics | 119
  show arp | 121
  show system statistics arp | 128
  show system statistics icmp | 138
  show system statistics icmp6 | 146
  show system statistics igmp | 155
  show system statistics ip | 160
  show system statistics ip6 | 172
  show system statistics tcp | 183

About This Guide

Use this guide to configure the common transport and Internet protocol options.

CHAPTER 1

Understanding IP Support on Junos OS

Junos OS Support for IPv4, IPv6, and MPLS Routing Protocols | 2

Junos OS Support for IPv4, IPv6, and MPLS Routing Protocols

Junos OS implements full IP routing functionality, providing support for IP version 4 and IP version 6 (IPv4 and IPv6, respectively). The routing protocols are fully interoperable with existing IP routing protocols, and they have been developed to provide the scale and control necessary for the Internet core.

Junos OS supports the following unicast routing protocols:

• BGP—Border Gateway Protocol version 4 is an EGP that guarantees loop-free exchange of routing information between routing domains (also called autonomous systems). BGP, in conjunction with Junos OS routing policies, provides a system of administrative checks and balances that can be used to implement peering and transit agreements.

• ICMP—Internet Control Message Protocol router discovery enables hosts to discover the addresses of operating routers on the subnet.

• IS-IS—Intermediate System to Intermediate System is a link-state IGP for IP networks that uses the SPF algorithm, which also is referred to as the Dijkstra algorithm, to determine routes. The Junos OS supports a new and complete implementation of the protocol, addressing issues of scale, convergence, and resilience.

• OSPF—Open Shortest Path First is an IGP that was developed for IP networks by the Internet Engineering Task Force (IETF). OSPF is a link-state protocol that makes routing decisions based on the SPF algorithm. OSPF Version 2 supports IPv4. OSPF Version 3 supports IPv6. The fundamental mechanisms of OSPF such as flooding, designated router (DR) election, area-based topologies, and the SPF calculations remain unchanged in OSPF Version 3. Some differences exist either because of changes in protocol semantics between IPv4 and IPv6, or because of the need to handle the increased address size of IPv6.

• RIP—Routing Information Protocol version 2 is a distance-vector IGP for IP networks based on the Bellman-Ford algorithm. RIP dynamically routes packets between a subscriber and a service provider without the subscriber having to configure BGP or to participate in the service provider's IGP discovery process.

Junos OS also provides the following routing and Multiprotocol Label Switching (MPLS) applications protocols:

• Unicast routing protocols:

  BGP
  ICMP
  IS-IS
  OSPF Version 2
  RIP Version 2

• Multicast routing protocols:

  DVMRP—Distance Vector Multicast Routing Protocol is a dense-mode (flood-and-prune) multicast routing protocol.

  IGMP—Internet Group Management Protocol versions 1 and 2 are used to manage membership in multicast groups.

  MSDP—Multicast Source Discovery Protocol enables multiple Protocol Independent Multicast (PIM) sparse mode domains to be joined. A rendezvous point (RP) in a PIM sparse mode domain has a peer relationship with an RP in another domain, enabling it to discover multicast sources from other domains.

  PIM sparse mode and dense mode—Protocol-Independent Multicast is a multicast routing protocol. PIM sparse mode routes to multicast groups that might span wide-area and interdomain internets. PIM dense mode is a flood-and-prune protocol.

  SAP/SDP—Session Announcement Protocol and Session Description Protocol handle conference session announcements.

• MPLS applications protocols:

  LDP—The Label Distribution Protocol provides a mechanism for distributing labels in nontraffic-engineered applications. LDP enables routers to establish label-switched paths (LSPs) through a network by mapping network layer routing information directly to data-link layer switched paths. LSPs created by LDP can also traverse LSPs created by the Resource Reservation Protocol (RSVP).

  MPLS—Multiprotocol Label Switching, formerly known as tag switching, enables you to manually or dynamically configure LSPs through a network. It lets you direct traffic through particular paths rather than rely on the IGP least-cost algorithm to choose a path.

  RSVP—The Resource Reservation Protocol version 1 provides a mechanism for engineering network traffic patterns that is independent of the shortest path decided upon by a routing protocol. RSVP itself is not a routing protocol; it operates with current and future unicast and multicast routing protocols. The primary purpose of RSVP is to support dynamic signaling for MPLS LSPs.

RELATED DOCUMENTATION

Junos OS Overview

CHAPTER 2

Transport and Internet Protocol Features

Configure ARP Learning and Aging Options | 6
Example: Configuring ARP Cache Protection | 10
Configure ICMP Features | 20
Configure IPv6 Features | 26
Configure Path MTU Discovery | 29
Configure TCP Options | 31
Configure TCP Authentication Option (TCP-AO) | 36

Configure ARP Learning and Aging Options

IN THIS SECTION

Configuring Passive ARP Learning for Backup VRRP Devices | 6
Configuring a Delay in Gratuitous ARP Requests | 7
Sending a Gratuitous ARP Request When an Interface is Online | 8
Purging ARP Entries | 8
Setting the ARP Aging Timer | 8
Disabling Neighbor Discovery | 9

Address Resolution Protocol (ARP) is a protocol used by IPv4 and IPv6 to map IP network addresses to MAC addresses. Use this topic to set passive ARP learning and ARP aging options for network devices. In these situations a switch operates as a virtual router.

Configuring Passive ARP Learning for Backup VRRP Devices

By default, the backup Virtual Router Redundancy Protocol (VRRP) device drops ARP requests for the VRRP-IP to VRRP-MAC address resolution. The backup device does not learn the ARP (IP-to-MAC address) mappings for the hosts sending the requests. When it detects a failure of the primary device and becomes the new primary, the backup device must learn all the entries that were present in the ARP cache of the primary device. In environments with many directly connected hosts, such as metro Ethernet environments for a router, the backup device may have to learn a large number of ARP entries. This can cause a significant transition delay, during which traffic transmitted to some of the hosts might be dropped.

Passive ARP learning enables the ARP cache in the backup device to hold approximately the same contents as the ARP cache in the primary device. When a backup device becomes the primary device, the new primary device will already know the entries in the ARP cache of what used to be the primary device, reducing the transition delay.

To enable passive ARP learning, include the passive-learning statement at the [edit system arp] hierarchy level:

[edit system arp]
passive-learning;

While a device is operating as the primary, the passive learning configuration has no operational impact. The primary (or a standalone) device always learns ARP entries from incoming requests. The configuration takes effect only when the device is operating as a backup device.

We recommend setting passive learning on both the backup and primary VRRP device. Otherwise, you will need to remember to configure passive learning on a primary device after it becomes a backup device.

Configuring a Delay in Gratuitous ARP Requests

By default, the Junos OS sends gratuitous ARP requests immediately after you make network-related configuration changes on an interface, like a VLAN ID, MAC address, or IP address change. It also sends gratuitous ARP requests if a failover occurs and the device becomes the new primary device.

The Packet Forwarding Engine may drop some incoming request packets if the IP address configuration updates have not been fully processed by the time a gratuitous ARP request is sent. To avoid dropping request packets, you can configure a delay in gratuitous ARP requests.

To configure a delay in gratuitous ARP requests, include the gratuitous-arp-delay seconds statement at the [edit system arp] hierarchy level:

[edit system arp]
gratuitous-arp-delay seconds;

We recommend that you configure a value in the range of 3 through 6 seconds.

Sending a Gratuitous ARP Request When an Interface is Online

To configure the device to automatically send a gratuitous ARP request when an interface is online, include the gratuitous-arp-on-ifup statement at the [edit system arp] hierarchy level:

[edit system arp]
gratuitous-arp-on-ifup;

Purging ARP Entries

To configure a device to purge obsolete ARP entries in the cache when an interface goes offline, include the purging statement at the [edit system arp] hierarchy level:

[edit system arp]
purging;

Purging is configured to delete ARP entries immediately after an interface that has gone offline is detected. If purging is not configured, ARP entries in the ARP table are retried after they have expired and are deleted if there is no ARP response within the default timeout value of 20 minutes. The default timeout value can be changed to other values using the aging-timer statement, as explained below.

Setting the ARP Aging Timer

By default, the ARP aging timer is set at 20 minutes. In environments with many directly connected hosts, such as metro Ethernet environments, increasing the amount of time between ARP updates by configuring the ARP aging timer can improve performance. Thousands of clients timing out at the same time might impact packet forwarding performance. In environments where there are devices connected with lower ARP aging timers (less than 20 minutes), decreasing the ARP aging timer can improve performance by preventing the flooding of traffic toward next hops with expired ARP entries. In most environments, the default ARP aging timer value does not need to be adjusted.

The range of the ARP aging timer is 1 through 240 minutes. To configure a system-wide ARP aging timer, include the aging-timer statement at the [edit system arp] hierarchy level:

[edit system arp]
aging-timer minutes;

You can also configure the ARP aging timer for each logical interface of family type inet. To configure the ARP aging timer at the logical interface level, specify the aging-timer statement and the timer value in minutes at the [edit system arp interfaces interface-name] hierarchy level:

[edit system arp interfaces interface-name]
aging-timer minutes;

To configure the ARP aging timer for a specific interface in a logical system, include the aging-timer statement and the timer value in minutes at the [edit logical-systems logical-system-name system arp interfaces interface-name] hierarchy level:

[edit logical-systems logical-system-name system arp interfaces interface-name]
aging-timer minutes;

NOTE: If the aging timer value is configured both at the system and the logical interface levels, the value configured at the logical interface level takes precedence for the specific logical interface.

The timer value you configure takes effect as ARP entries expire. Each refreshed ARP entry receives the new timer value. The new timer value does not apply to ARP entries that exist at the time you commit the configuration.

Disabling Neighbor Discovery

You can prevent the device from learning the MAC addresses of its neighbors through ARP or neighbor discovery for IPv4 and IPv6 neighbors. To disable ARP address learning by not sending ARP requests and not learning from ARP replies, use the no-neighbor-learn configuration statement.

To disable neighbor discovery for IPv4 neighbors:

[edit interfaces interface-name unit interface-unit-number family inet]
no-neighbor-learn;

To disable neighbor discovery for IPv6 neighbors:

[edit interfaces interface-name unit interface-unit-number family inet6]
no-neighbor-learn;

Example: Configuring ARP Cache Protection

IN THIS SECTION

Requirements | 10
Overview | 11
Configuration | 14
Verification | 16
Troubleshooting | 19

Starting in Junos OS Release 16.1, you can configure an ARP cache limit for resolved and unresolved next-hop entries in the cache. This example shows how to configure ARP cache protection by specifying a maximum count and hold limit for resolved and unresolved next-hop entries in the ARP cache. This limit can be specified globally for all interfaces, or locally on a particular interface of the device. The objective of configuring such a limit on the ARP cache is to protect the device from denial-of-service (DoS) attacks.

Requirements

This example uses the following hardware and software components:

• Two routers that can be a combination of M, MX, and T Series routers.
• Two host devices connected to the routers.
• Junos OS Release 16.1 or later running on the routers.

Overview

IN THIS SECTION

Topology | 13

Sending IP packets on a multiaccess network requires mapping from an IP address to a media access control (MAC) address (the physical or hardware address). In an Ethernet environment, ARP is used to map a MAC address to an IP address. Hosts that use ARP maintain a cache of discovered Internet-to-Ethernet address mappings to minimize the number of ARP broadcast messages.

To keep the cache from growing too large, by default, an entry is removed from the cache if it is not used within a certain period of time. In addition to this, starting in Junos OS Release 16.1, you can manage the number of ARP cache entries by configuring a limit on the resolved and unresolved next-hop entries.

The ARP cache feature supports two types of limits:

• Count—Count limit is the maximum number of next hops that can be created in the ARP cache.

• Hold—Hold limit is the maximum number of hold routes pointing to a particular interface that can be retained before being added to the ARP cache.

The ARP cache limits are executed at two levels:

• Local—Local limits are configured per interface and are defined for resolved and unresolved entries in the ARP cache.

• Global—Global limits apply system-wide. A global limit is further defined separately for the public interfaces and management interfaces, for example, fxp0. The management interface has a single global limit and no local limit. The global limit enforces a system-wide cap on entries for the ARP cache, including private Internal routing interfaces (IRIs) for internal routing instances, for example, em0 and em1.

The default global limit depends on the platform. Small-sized platforms (ACX, EX22XX, EX3200, EX33XX, and SRX): the default is 20,000. Medium-sized platforms (EX4200, EX45XX, EX4300, EX62XX, and MX): the default is 75,000. All other platforms: the default is 100,000. You can modify this limit by configuring the ARP next-hop cache protection feature.

To configure the ARP cache count limit for resolved and unresolved next-hop entries globally, include the arp-system-cache-limit statement at the [edit system] hierarchy level.

To configure the ARP cache count limit for resolved and unresolved next-hop entries locally, include the arp-system-cache-limit statement at the [edit interfaces interface-name unit interface-unit-number family inet] hierarchy level.

To configure the ARP cache hold limit for unresolved next-hop entries locally, include the arp-new-hold-limit statement at the [edit interfaces interface-name unit interface-unit-number family inet] hierarchy level.

NOTE: The ARP cache hold limit is configured on a per-interface basis only, and cannot be configured at the system level.

The ARP cache next-hop entries get allocated to the different types of interfaces as follows, irrespective of the ARP cache protection feature configuration:

1. By default, 200 entries get allocated to IRIs.

2. 80 percent of the remaining entries get allocated to public interfaces.

3. 20 percent of the remaining entries get allocated to management interfaces.

When the ARP next-hop entries exceed the configured count limit, new entries are either discarded, or kept under the hold counter, if a hold limit is configured for that interface. The ARP next-hop hold limit specifies the maximum number of hold entries or hold routes that point to a particular interface. When the number of hold entries exceeds the configured hold limit, the drop counter for that interface increases drastically, as the new hold entries create a loop and continue to increment until there is bandwidth to accommodate them.

NOTE: After modifying the default ARP next-hop cache limit on an interface, the interface must be deactivated and reactivated for the newly configured values to take effect.

Topology

Figure 1 on page 13 illustrates a simple two-router topology with ARP cache protection enabled. Routers R1 and R2 are each connected to hosts, Host1 and Host2, respectively.

Figure 1: ARP Cache Protection

For example, if Router R1 is configured with an arp-system-cache-limit of 220 globally, and it receives 230 ARP entries, on the first interface receiving the entries (say, ge-0/0/0), the following actions are performed:

1. When 230 entries are received, the global limit of 220 entries is applied to the system, where the configured limit is divided among the different types of interfaces, and the remaining entries received on a particular interface get discarded.

2. Out of the 220 cached entries, by default, 200 entries are allocated for IRI interfaces.

3. Out of the remaining 20 entries, 80 percent of the entries (16 entries) are sent to public interfaces and 20 percent of the entries (4 entries) are sent to the management interface. If the 230 ARP entries are received on the public interface, only the cache limit of 16 entries is retained, and the remaining 214 entries get discarded.

In addition, if ge-0/0/0 on Router R1 is configured with an arp-new-hold-limit value of 8, the following actions are performed:

1. Out of the 230 received entries, only 220 entries are cached in the ARP table. However, instead of discarding the remaining entries, the hold entries are sent to the hold counter of ge-0/0/0, and then the remaining entries are sent to the drop counter of ge-0/0/0.

2. Depending on availability of bandwidth, the eight hold entries are cached in the ARP table of ge-0/0/0 before taking any newly received entries into account.

3. The drop counter of ge-0/0/0, however, does not increment by single entries. The discarded hold entries in the drop counter form a loop and add to the entries count until there is bandwidth on the interface to accommodate all the entries. Therefore, additions to the drop counter have a drastic effect on the interface performance.
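The allocation and hold arithmetic described above, worked through in code. This is an added example, not part of this guide and not Junos OS code: it models the documented rule (200 entries reserved for IRIs, then an 80/20 split of the remainder between public and management interfaces) and the order in which one interface consumes its count limit, its hold limit, and finally the drop counter. The counter names follow the show interfaces fields quoted later in this example; the class and function names are assumptions, and the drop counter here simply counts entries rather than growing in loops as the guide describes.

```python
"""Model of the documented ARP next-hop cache limit allocation.

Added example, not Junos code. It reproduces the arithmetic the guide
describes: 200 entries to IRIs, then an 80/20 split of the remainder
between public and management interfaces, and the count / hold / drop
accounting for one interface. Counter names mirror the 'show interfaces'
fields quoted in the guide; the class and function names are assumptions.
"""
from dataclasses import dataclass

IRI_RESERVED = 200      # default IRI allocation stated in the guide
PUBLIC_PERCENT = 80     # public interfaces get 80 percent of the remainder


def allocate_global_limit(system_limit, iri_reserved=IRI_RESERVED):
    """Split a global arp-system-cache-limit into per-interface-type caps."""
    if system_limit < 0:
        raise ValueError("limit must be non-negative")
    iri = min(iri_reserved, system_limit)
    remainder = system_limit - iri
    public = remainder * PUBLIC_PERCENT // 100   # 80 percent, rounded down
    management = remainder - public              # the remaining 20 percent
    return {"system": system_limit, "iri": iri,
            "public": public, "management": management}


@dataclass
class InterfaceArpCounters:
    """Per-interface counters in the order the guide says they are consulted."""
    max_nh_cache: int
    new_hold_nh_limit: int = 0
    curr_nh_cnt: int = 0
    curr_new_hold_cnt: int = 0
    nh_drop_cnt: int = 0

    def learn(self, new_entries):
        """Account for new_entries next hops arriving on this interface.

        Each entry is cached while the count limit allows, then parked under
        the hold counter while the hold limit allows, and otherwise dropped.
        The real drop counter grows in loops (see the guide); this model
        simply counts dropped entries.
        """
        for _ in range(new_entries):
            if self.curr_nh_cnt < self.max_nh_cache:
                self.curr_nh_cnt += 1
            elif self.curr_new_hold_cnt < self.new_hold_nh_limit:
                self.curr_new_hold_cnt += 1
            else:
                self.nh_drop_cnt += 1


def worked_example(received=230, system_limit=220, hold_limit=8):
    """Replay the guide's R1 scenario: all entries arrive on one public interface."""
    caps = allocate_global_limit(system_limit)
    ge000 = InterfaceArpCounters(max_nh_cache=caps["public"],
                                 new_hold_nh_limit=hold_limit)
    ge000.learn(received)
    return {"caps": caps, "cached": ge000.curr_nh_cnt,
            "held": ge000.curr_new_hold_cnt, "dropped": ge000.nh_drop_cnt}


if __name__ == "__main__":
    print(worked_example())
```

Running worked_example() with the guide's numbers (230 entries, a global limit of 220, a hold limit of 8) yields a public cap of 16, 16 entries cached, 8 held and 206 dropped; with no hold limit the 214 discarded entries quoted in the text appear as drops. Setting a global limit below 200 shows that the IRI reservation consumes the whole limit and leaves nothing for public or management interfaces, which is why a very small arp-system-cache-limit is a self-inflicted outage rather than a hardening measure.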

 

Configuration

IN THIS SECTION

CLI Quick Configuration | 14
Procedure | 15
Results | 15

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

R1

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/30
set interfaces ge-0/0/0 unit 0 family inet arp-new-hold-limit 8
set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.1/30
set interfaces lo0 unit 0 family inet address 10.10.10.1/32
set system arp-system-cache-limit 220

R2

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/30
set interfaces ge-0/0/1 unit 0 family inet address 3.3.3.1/30
set interfaces lo0 unit 0 family inet address 20.20.20.1/32

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure Router R1 with ARP cache protection:

1. Configure the interfaces of Router R1.

[edit interfaces]
user@R1# set ge-0/0/0 unit 0 family inet address 1.1.1.1/30
user@R1# set ge-0/0/1 unit 0 family inet address 2.2.2.1/30
user@R1# set lo0 unit 0 family inet address 10.10.10.1/32

2. Configure ARP cache protection globally for all the interfaces of Router R1.

[edit system]
user@R1# set arp-system-cache-limit 220

3. Configure a hold limit on the ARP cache entries of interface ge-0/0/0 of Router R1.

[edit interfaces]
user@R1# set ge-0/0/0 unit 0 family inet arp-new-hold-limit 8

Results

From configuration mode, confirm your configuration by entering the show interfaces and show system commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@R1# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 1.1.1.1/30;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 2.2.2.1/30;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 10.10.10.1/32;
        }
    }
}

user@R1# show system
arp-system-cache-limit 220;

Verification

IN THIS SECTION

Verifying Global ARP Next-Hop Cache Limit | 16
Verifying Local ARP Next-Hop Cache Limit | 17

Confirm that the configuration is working properly.

Verifying Global ARP Next-Hop Cache Limit

Purpose

Verify the system-wide ARP next-hop cache limits and the allocation of next-hop entries for different interfaces.

Action

From operational mode, run the show system statistics arp command.

 

user@R1> show system statistics arp
arp:
        717253 datagrams received
        47 ARP requests received
        31 ARP replies received
        285 resolution request received
        0 unrestricted proxy requests
        0 restricted proxy requests
        0 received proxy requests
        0 unrestricted proxy requests not proxied
        *****
        220 Max System ARP nh cache limit
        16 Max Public ARP nh cache limit
        200 Max IRI ARP nh cache limit
        4 Max Management n ARP nh cache limit
        16 Current Public ARP next-hops present
        1 Current IRI ARP next-hops present
        2 Current Management ARP next-hops present
        2457 Total ARP next-hops creation failed as limit reached
        2454 Public ARP next-hops creation failed as public limit reached
        3 IRI ARP next-hops creation failed as iri limit reached
        0 Management ARP next-hops creation failed as mgt limit reached

Meaning

The global ARP next-hop cache limits are displayed in the output, along with the allocation of next-hop entries for IRI, public, and management interfaces.

Verifying Local ARP Next-Hop Cache Limit

Purpose

Verify the interface ARP next-hop cache limit.

Action

From operational mode, run the show interfaces interface-name command.

user@R1> show interface fxp0
Physical interface: fxp0, Enabled, Physical link is Up
  Interface index: 1, SNMP ifIndex: 1
  Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Speed: 100mbps
  Device flags   : Present Running
  Interface flags: SNMP-Traps
  Link type      : Full-Duplex
  Current address: 00:a0:a5:62:8e:39, Hardware address: 00:a0:a5:62:8e:39
  Last flapped   : 2014-10-16 10:23:29 PDT (16:27:21 ago)
    Input packets : 0
    Output packets: 0

  Logical interface fxp0.0 (Index 3) (SNMP ifIndex 13)
    Flags: Up SNMP-Traps Encapsulation: ENET2
    Bandwidth: 0
    Input packets : 23
    Output packets: 4
    Protocol inet, MTU: 1500
    Max nh cache: 220, New hold nh limit: 8, Curr nh cnt: 2, Curr new hold cnt: 0, NH drop cnt: 0
      Flags: Sendbcast-pkt-to-re, Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.209.0/18, Local: 10.209.3.69, Broadcast: 10.209.63.255

Meaning

The local ARP next-hop cache count and hold limits for the management interface are displayed in the output.

Troubleshooting

IN THIS SECTION

Troubleshooting System Log Messages | 19

To troubleshoot the ARP cache protection configuration, see:

Troubleshooting System Log Messages

Problem

System log messages are generated to record events when the ARP cache limits are exceeded.

Solution

To interpret the system log messages, refer to the following:

Feb 08 17:12:39 [TRACE] [R1]: Public n s (80%) arp nh cache limit reached—Router R1 has reached 80 percent of the allowed ARP next-hop cache limit for public interfaces.

Feb 08 17:07:43 [TRACE] [R1]: Public n hard arp nh cache limit reached—Router R1 has reached the maximum allowed limit for ARP next-hop cache entries on the public interface.

Feb 08 17:15:14 [TRACE] [R1]: Max cache s (80%) arp nh cache limit for n idx 325 reached—Router R1 has reached 80 percent of the configured global ARP next-hop cache limit for all its interfaces.

Feb 08 17:19:41 [TRACE] [R1]: Max cache hard arp nh cache limit for n idx 325 reached—Router R1 has reached the maximum configured global ARP next-hop cache limit for all its interfaces.
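The verification and troubleshooting steps above leave two sources of evidence: the show system statistics arp counters and the TRACE messages. The following added example (not part of this guide, not Junos code) reads both offline: it extracts the per-type limit, present and failed counters from saved command output, flags interface types whose cache is full and already refusing entries, and classifies each log line as a public or global event at the soft (80 percent) or hard level. The sample output and log lines are constructed from the fields and messages quoted above; the word soft in the constructed lines is an assumption (the guide's text shows only the 80% marker for that level), and the function names are mine.

```python
"""Read the ARP cache-limit counters and classify the related syslog lines.

Added example, not Junos code. The sample output and log lines below are
constructed from the fields and messages quoted in the guide; the function
names are assumptions.
"""
import re

# Constructed sample, modelled on the guide's 'show system statistics arp' output.
SAMPLE_ARP_STATS = """\
arp:
        717253 datagrams received
        220 Max System ARP nh cache limit
        16 Max Public ARP nh cache limit
        200 Max IRI ARP nh cache limit
        4 Max Management ARP nh cache limit
        16 Current Public ARP next-hops present
        1 Current IRI ARP next-hops present
        2 Current Management ARP next-hops present
        2457 Total ARP next-hops creation failed as limit reached
        2454 Public ARP next-hops creation failed as public limit reached
        3 IRI ARP next-hops creation failed as iri limit reached
        0 Management ARP next-hops creation failed as mgt limit reached
"""

# Constructed syslog lines, modelled on the TRACE messages quoted in the guide
# ("soft" is an assumption for the 80% level).
SAMPLE_SYSLOG = [
    "Feb 08 17:12:39 [TRACE] [R1]: Public soft (80%) arp nh cache limit reached",
    "Feb 08 17:07:43 [TRACE] [R1]: Public hard arp nh cache limit reached",
    "Feb 08 17:15:14 [TRACE] [R1]: Max cache soft (80%) arp nh cache limit for idx 325 reached",
    "Feb 08 17:19:41 [TRACE] [R1]: Max cache hard arp nh cache limit for idx 325 reached",
    "Feb 08 17:20:00 [TRACE] [R1]: unrelated message",
]

TYPES = ("Public", "IRI", "Management")
LIMIT_RE = re.compile(r"^\s*(\d+)\s+Max (Public|IRI|Management)\b.*ARP nh cache limit")
PRESENT_RE = re.compile(r"^\s*(\d+)\s+Current (Public|IRI|Management) ARP next-hops present")
FAILED_RE = re.compile(r"^\s*(\d+)\s+(Public|IRI|Management) ARP next-hops creation failed")
SYSLOG_RE = re.compile(
    r"\[TRACE\] \[(?P<host>[^\]]+)\]: (?P<scope>Public|Max cache) .*?"
    r"(?P<level>\(80%\)|hard) arp nh cache limit")


def parse_arp_statistics(text):
    """Return {type: {"limit": n, "present": n, "failed": n}} per interface type."""
    stats = {t: {"limit": None, "present": None, "failed": None} for t in TYPES}
    for line in text.splitlines():
        for key, regex in (("limit", LIMIT_RE), ("present", PRESENT_RE), ("failed", FAILED_RE)):
            m = regex.match(line)
            if m:
                stats[m.group(2)][key] = int(m.group(1))
    return stats


def saturated_types(stats):
    """Interface types whose cache is full and has already refused new entries."""
    return sorted(t for t, s in stats.items()
                  if None not in s.values()
                  and s["present"] >= s["limit"] and s["failed"] > 0)


def classify_syslog(line):
    """Map a TRACE line to (host, scope, level); None if it is not a cache-limit event."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    scope = "public" if m.group("scope") == "Public" else "global"
    level = "soft" if m.group("level") == "(80%)" else "hard"
    return (m.group("host"), scope, level)


if __name__ == "__main__":
    stats = parse_arp_statistics(SAMPLE_ARP_STATS)
    print("saturated:", saturated_types(stats))
    for line in SAMPLE_SYSLOG:
        print(classify_syslog(line), "<-", line)
```

On the sample, only the public type is saturated (16 of 16 present, 2454 refusals), which matches the syslog sequence: a soft event warns at 80 percent, and the hard event marks the point at which ARP next hops for new hosts on public interfaces stop being created. Monitoring the failed counters together with the hard events distinguishes a limit that is genuinely protecting the device from one that was sized too small for the connected host population.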

Release History Table

Release | Description
16.1 | Starting in Junos OS Release 16.1, you can configure an ARP cache limit for resolved and unresolved next-hop entries in the cache.

RELATED DOCUMENTATION

arp-system-cache-limit | 79
arp-new-hold-limit | 78

Configure ICMP Features

IN THIS SECTION

Protocol Redirect Messages | 20
Disable the Routing Engine Response to Multicast Ping Packets | 22
Disable Reporting IP Address and Timestamps in Ping Responses | 22
Configure Junos OS to Ignore ICMP Source Quench Messages | 23
Rate Limit ICMPv4 and ICMPv6 Traffic | 23
Rate Limit ICMPv4 and ICMPv6 Error Messages | 24

Learn more about how to configure Internet Control Message Protocol (ICMP) features.

Protocol Redirect Messages

IN THIS SECTION

Understanding Protocol Redirect Messages | 21
Disable Protocol Redirect Messages | 21

ICMP redirect, also known as protocol redirect, is a mechanism used by switches and routers to convey routing information to hosts. Devices use protocol redirect messages to notify the hosts on the same data link of the best route available for a given destination. All EX series switches support sending protocol redirect messages for both IPv4 and IPv6 traffic.

NOTE: Switches do not send protocol redirect messages if the data packet contains routing information.

Understanding Protocol Redirect Messages

Protocol redirect messages inform a host to update its routing information and to send packets on an alternate route. Suppose a host tries to send a data packet through a switch S1 and S1 sends the data packet to another switch, S2. Also, suppose that a direct path from the host to S2 is available (that is, the host and S2 are on the same Ethernet segment). S1 then sends a protocol redirect message to inform the host that the best route for the destination is the direct route to S2. The host should then send packets directly to S2 instead of sending them through S1. S2 still sends the original packet that it received from S1 to the intended destination.

Refer to RFC-1122 and RFC-4861 for more details on protocol redirection.

Disable Protocol Redirect Messages

By default, devices send protocol redirect messages for both IPv4 and IPv6 traffic. For security reasons, you may want to disable the device from sending protocol redirect messages.

To disable protocol redirect messages for the entire device, include the no-redirects or no-redirects-ipv6 statement at the [edit system] hierarchy level.

• For IPv4 traffic:

[edit system]
user@host# set no-redirects

• For IPv6 traffic:

[edit system]
user@host# set no-redirects-ipv6

To re-enable the sending of redirect messages on the device, delete the no-redirects statement (for IPv4 traffic) or the no-redirects-ipv6 statement (for IPv6 traffic) from the configuration.

To disable protocol redirect messages on a per-interface basis, include the no-redirects statement at the [edit interfaces interface-name unit logical-unit-number family family] hierarchy level.

• For IPv4 traffic:

[edit interfaces interface-name unit logical-unit-number]
user@host# set family inet no-redirects

• For IPv6 traffic:

[edit interfaces interface-name unit logical-unit-number]
user@host# set family inet6 no-redirects

Disable the Routing Engine Response to Multicast Ping Packets

By default, the Routing Engine responds to ICMP echo requests sent to multicast group addresses. By configuring the Routing Engine to ignore multicast ping packets, you can prevent unauthorized persons from discovering the list of provider edge (PE) devices in the network.

To disable the Routing Engine from responding to these ICMP echo requests, include the no-multicast-echo statement at the [edit system] hierarchy level:

[edit system]
no-multicast-echo;

Disable Reporting IP Address and Timestamps in Ping Responses

When you issue the ping command with the record-route option, the Routing Engine displays the path of the ICMP echo request packets and the timestamps in the ICMP echo responses by default. By configuring the no-ping-record-route and no-ping-time-stamp options, you can prevent unauthorized persons from discovering information about the provider edge (PE) device and its loopback address.

You can configure the Routing Engine to disable the setting of the record-route option in the IP header of the ping request packets. Disabling the record-route option prevents the Routing Engine from recording and displaying the path of the ICMP echo request packets in the response.

To configure the Routing Engine to disable the setting of the record route option, include the no-ping-record-route statement at the [edit system] hierarchy level:

[edit system]
no-ping-record-route;

To disable the reporting of timestamps in the ICMP echo responses, include the no-ping-time-stamp statement at the [edit system] hierarchy level:

[edit system]
no-ping-time-stamp;

Configure Junos OS to Ignore ICMP Source Quench Messages

By default, the device reacts to Internet Control Message Protocol (ICMP) source quench messages. To ignore ICMP source quench messages, include the no-source-quench statement at the [edit system internet-options] hierarchy level:

[edit system internet-options]
no-source-quench;

To stop ignoring ICMP source quench messages, use the source-quench statement:

[edit system internet-options]
source-quench;
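The redirect, multicast echo, ping record-route, ping timestamp and source quench statements above are individually small, which is exactly why they are easy to miss in a review. The following added example (not part of this guide, not Junos code) turns saved curly-brace configuration text into statement paths and reports which of those system-level statements are absent, treating an inactive: statement as absent. It also lists addressed logical interfaces that carry no interface-level no-redirects, which matters when redirects are suppressed per interface rather than for the whole device. The two configurations are constructed; the interface addresses reuse the R1 values from the ARP cache example, and the function names are mine.

```python
"""Audit a Junos configuration for the ICMP hardening statements in this section.

Added example, not Junos code. parse_junos_config() turns curly-brace
configuration text into statement paths; audit_icmp_hardening() reports which
of the statements described above are absent. Both configurations are
constructed; function names are assumptions.
"""

# Constructed: only IPv4 redirects disabled system-wide; no-source-quench present
# but deactivated, so it must not count.
BEFORE = """\
system {
    host-name R1;
    no-redirects;
    internet-options {
        inactive: no-source-quench;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.1/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                no-redirects;
                address 2.2.2.1/30;
            }
        }
    }
}
"""

# Constructed: the same router with every statement from this section applied.
AFTER = """\
system {
    host-name R1;
    no-redirects;
    no-redirects-ipv6;
    no-multicast-echo;
    no-ping-record-route;
    no-ping-time-stamp;
    internet-options {
        no-source-quench;
    }
}
"""

REQUIRED_STATEMENTS = {
    "IPv4 redirects disabled": ("system", "no-redirects"),
    "IPv6 redirects disabled": ("system", "no-redirects-ipv6"),
    "multicast echo disabled": ("system", "no-multicast-echo"),
    "ping record-route disabled": ("system", "no-ping-record-route"),
    "ping timestamps disabled": ("system", "no-ping-time-stamp"),
    "ICMP source quench ignored": ("system", "internet-options", "no-source-quench"),
}


def parse_junos_config(text):
    """Return the set of active statement paths (tuples of block headers + leaf)."""
    paths = set()
    stack = []              # headers of the currently open blocks
    inactive_depth = None   # depth of an enclosing 'inactive:' block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        inactive = line.startswith("inactive:")
        if inactive:
            line = line[len("inactive:"):].strip()
        if line == "}":
            stack.pop()
            if inactive_depth is not None and len(stack) < inactive_depth:
                inactive_depth = None
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
            if inactive and inactive_depth is None:
                inactive_depth = len(stack)
        elif line.endswith(";") and not inactive and inactive_depth is None:
            paths.add(tuple(stack) + (line[:-1].strip(),))
    return paths


def audit_icmp_hardening(paths):
    """Names of the checks whose statement is missing from the active configuration."""
    return [name for name, path in REQUIRED_STATEMENTS.items() if path not in paths]


def interfaces_without_no_redirects(paths):
    """Addressed logical interfaces (family level) lacking interface-level no-redirects."""
    addressed = {p[:4] for p in paths
                 if len(p) == 5 and p[0] == "interfaces" and p[4].startswith("address ")}
    return sorted(" ".join(p[1:]) for p in addressed
                  if p + ("no-redirects",) not in paths)
```

Against BEFORE the audit reports five missing statements (the deactivated no-source-quench counts as absent) and flags ge-0/0/0 unit 0 family inet as the one addressed interface without its own no-redirects; against AFTER it reports nothing missing. Running this over configurations exported from a fleet gives a repeatable check that the settings this section describes were actually committed and are still active.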

Rate Limit ICMPv4 and ICMPv6 Traffic

To limit the rate at which ICMPv4 or ICMPv6 messages can be generated by the Routing Engine and sent to the Routing Engine, include the appropriate rate-limiting statement at the [edit system internet-options] hierarchy level.

 
