Junos® OS
Transport and Internet Protocols User Guide
Published 2021-04-18

Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA
408-745-2000 www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Junos® OS Transport and Internet Protocols User Guide
Copyright © 2021 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software you agree to the terms and conditions of that EULA.
Table of Contents

About This Guide

1 Understanding IP Support on Junos OS
  Junos OS Support for IPv4, IPv6, and MPLS Routing Protocols

2 Configure Transport and Internet Protocol Features
  Configure ARP Learning and Aging Options
    Configuring Passive ARP Learning for Backup VRRP Devices
    Configuring a Delay in Gratuitous ARP Requests
    Sending a Gratuitous ARP Request When an Interface is Online
    Purging ARP Entries
    Setting the ARP Aging Timer
    Disabling Neighbor Discovery
  Example: Configuring ARP Cache Protection
    Requirements
    Overview
    Configuration
    Verification
    Troubleshooting
  Configure ICMP Features
    Protocol Redirect Messages
    Disable the Routing Engine Response to Multicast Ping Packets
    Disable Reporting IP Address and Timestamps in Ping Responses
    Configure Junos OS to Ignore ICMP Source Quench Messages
    Rate Limit ICMPv4 and ICMPv6 Traffic
    Rate Limit ICMPv4 and ICMPv6 Error Messages
  Configure IPv6 Features
    Configure IPv6 Duplicate Address Detection Attempts
    Accept IPv6 Packets with a Zero Hop Limit
    Process IPv4-mapped IPv6 Addresses
    Process 6PE Traceroutes
  Configure Path MTU Discovery
    Configuring Path MTU Discovery on Outgoing TCP Connections
    Configuring IP-IP Path MTU Discovery on IP-IP Tunnel Connections
    Configuring Path MTU Discovery on Outgoing GRE Tunnel Connections
  Configure TCP Options
    Security for TCP Headers with SYN and FIN Flags Set
    Disable TCP RFC 1323 Extensions
    Configure TCP MSS for Session Negotiation
      Configuring TCP MSS on T Series and M Series Routers, and MX Series Routers Using a Service Card
      Configuring TCP MSS Inline on MX Series Routers Using MPC Line Cards
    Select a Fixed Source Address for Locally Generated TCP/IP Packets
  Configure TCP Authentication Option (TCP-AO)
    TCP Authentication Option (TCP-AO) for BGP and LDP Sessions
    Configure a Keychain (TCP-AO)
    Example: Authenticate BGP Session Using TCP Authentication Option (TCP-AO)
      Requirements
      Overview
      Configuration
    Example: Authenticate LDP Session Using TCP Authentication Option (TCP-AO)
      Requirements
      Overview
      Configuration
      Verification

3 Configure Port Security
  System Settings
    Specifying the Physical Location of the Switch
    Modifying the Default Time Zone for a Router or Switch Running Junos OS
    Configuring Junos OS to Extend the Default Port Address Range
    Configuring Junos OS to Select a Fixed Source Address for Locally Generated TCP/IP Packets
    Rebooting and Halting a Device
    Configuring Password Authentication for Console Access to PICs

4 Configuration Statements
  allow-6pe-traceroute
  allow-v4mapped-packets
  arp
  arp-max-cache
  arp-new-hold-limit
  arp-system-cache-limit
  auxiliary
  authentication-key-chains (TCP-AO)
  console (System Ports)
  default-address-selection
  diag-port-authentication
  extended-statistics
  icmp (Error Message Rate Limit)
  icmp6 (Error Message Rate Limit)
  internet-options
  no-multicast-echo
  non-subscriber-no-reply
  no-ping-record-route
  no-ping-time-stamp
  path-mtu-discovery (Tunnel)
  tcp-mss

5 Operational Commands
  clear arp
  clear multicast snooping statistics
  show arp
  show system statistics arp
  show system statistics icmp
  show system statistics icmp6
  show system statistics igmp
  show system statistics ip
  show system statistics ip6
  show system statistics tcp
About This Guide

Use this guide to configure the common transport and Internet protocol options.
CHAPTER 1
Understanding IP Support on Junos OS

IN THIS CHAPTER
Junos OS Support for IPv4, IPv6, and MPLS Routing Protocols

Junos OS Support for IPv4, IPv6, and MPLS Routing Protocols

Junos OS implements full IP routing functionality, providing support for IP version 4 and IP version 6 (IPv4 and IPv6, respectively). The routing protocols are fully interoperable with existing IP routing protocols, and they have been developed to provide the scale and control necessary for the Internet core.

Junos OS supports the following unicast routing protocols:

• BGP—Border Gateway Protocol version 4 is an EGP that guarantees loop-free exchange of routing information between routing domains (also called autonomous systems). BGP, in conjunction with Junos OS routing policies, provides a system of administrative checks and balances that can be used to implement peering and transit agreements.

• ICMP—Internet Control Message Protocol router discovery enables hosts to discover the addresses of operating routers on the subnet.

• IS-IS—Intermediate System to Intermediate System is a link-state IGP for IP networks that uses the SPF algorithm, which also is referred to as the Dijkstra algorithm, to determine routes. Junos OS supports a new and complete implementation of the protocol, addressing issues of scale, convergence, and resilience.

• OSPF—Open Shortest Path First is an IGP that was developed for IP networks by the Internet Engineering Task Force (IETF). OSPF is a link-state protocol that makes routing decisions based on the SPF algorithm. OSPF Version 2 supports IPv4. OSPF Version 3 supports IPv6. The fundamental mechanisms of OSPF such as flooding, designated router (DR) election, area-based topologies, and the SPF calculations remain unchanged in OSPF Version 3. Some differences exist either because of changes in protocol semantics between IPv4 and IPv6, or because of the need to handle the increased address size of IPv6.

• RIP—Routing Information Protocol version 2 is a distance-vector IGP for IP networks based on the Bellman-Ford algorithm. RIP dynamically routes packets between a subscriber and a service provider without the subscriber having to configure BGP or to participate in the service provider's IGP discovery process.

Junos OS also provides the following routing and Multiprotocol Label Switching (MPLS) applications protocols:

• Unicast routing protocols:
  • BGP
  • ICMP
  • IS-IS
  • OSPF Version 2
  • RIP Version 2

• Multicast routing protocols:
  • DVMRP—Distance Vector Multicast Routing Protocol is a dense-mode (flood-and-prune) multicast routing protocol.
  • IGMP—Internet Group Management Protocol versions 1 and 2 are used to manage membership in multicast groups.
  • MSDP—Multicast Source Discovery Protocol enables multiple Protocol Independent Multicast (PIM) sparse mode domains to be joined. A rendezvous point (RP) in a PIM sparse mode domain has a peer relationship with an RP in another domain, enabling it to discover multicast sources from other domains.
  • PIM sparse mode and dense mode—Protocol-Independent Multicast is a multicast routing protocol. PIM sparse mode routes to multicast groups that might span wide-area and interdomain internets. PIM dense mode is a flood-and-prune protocol.
  • SAP/SDP—Session Announcement Protocol and Session Description Protocol handle conference session announcements.

• MPLS applications protocols:
  • LDP—The Label Distribution Protocol provides a mechanism for distributing labels in non-traffic-engineered applications. LDP enables routers to establish label-switched paths (LSPs) through a network by mapping network layer routing information directly to data-link layer switched paths. LSPs created by LDP can also traverse LSPs created by the Resource Reservation Protocol (RSVP).
  • MPLS—Multiprotocol Label Switching, formerly known as tag switching, enables you to manually or dynamically configure LSPs through a network. It lets you direct traffic through particular paths rather than rely on the IGP least-cost algorithm to choose a path.
  • RSVP—The Resource Reservation Protocol version 1 provides a mechanism for engineering network traffic patterns that is independent of the shortest path decided upon by a routing protocol. RSVP itself is not a routing protocol; it operates with current and future unicast and multicast routing protocols. The primary purpose of RSVP is to support dynamic signaling for MPLS LSPs.

RELATED DOCUMENTATION
Junos OS Overview
CHAPTER 2
Transport and Internet Protocol Features

IN THIS CHAPTER
Configure ARP Learning and Aging Options
Example: Configuring ARP Cache Protection
Configure ICMP Features
Configure IPv6 Features
Configure Path MTU Discovery
Configure TCP Options
Configure TCP Authentication Option (TCP-AO)

Configure ARP Learning and Aging Options

IN THIS SECTION
Configuring Passive ARP Learning for Backup VRRP Devices
Configuring a Delay in Gratuitous ARP Requests
Sending a Gratuitous ARP Request When an Interface is Online
Purging ARP Entries
Setting the ARP Aging Timer
Disabling Neighbor Discovery

Address Resolution Protocol (ARP) is the protocol IPv4 uses to map IP network addresses to MAC addresses. IPv6 does the same mapping with Neighbor Discovery rather than ARP, which is why the last topic below covers both. Use this topic to set passive ARP learning and ARP aging options for network devices. In the VRRP scenario described first, a switch operates as a virtual router.
Configuring Passive ARP Learning for Backup VRRP Devices

By default, the backup Virtual Router Redundancy Protocol (VRRP) device drops ARP requests for the VRRP-IP to VRRP-MAC address resolution. The backup device therefore does not learn the ARP (IP-to-MAC address) mappings for the hosts sending the requests. When it detects a failure of the primary device and becomes the new primary, the backup device must learn all the entries that were present in the ARP cache of the primary device. In environments with many directly connected hosts, such as metro Ethernet environments for a router, the backup device may have to learn a large number of ARP entries. This can cause a significant transition delay, during which traffic transmitted to some of the hosts might be dropped.

Passive ARP learning enables the ARP cache in the backup device to hold approximately the same contents as the ARP cache in the primary device. When a backup device becomes the primary device, the new primary device already knows the entries that were in the ARP cache of the former primary, reducing the transition delay.

To enable passive ARP learning, include the passive-learning statement at the [edit system arp] hierarchy level:

[edit system arp]
passive-learning;

While a device is operating as the primary, the passive learning configuration has no operational impact. The primary (or a standalone) device always learns ARP entries from incoming requests. The configuration takes effect only when the device is operating as a backup device.

We recommend setting passive learning on both the backup and primary VRRP device. Otherwise, you will need to remember to configure passive learning on a primary device after it becomes a backup device.

Keep in mind that a backup with passive learning enabled populates its cache from ARP requests it would otherwise drop, so its cache can grow as large as the primary's. The ARP cache limits described in "Example: Configuring ARP Cache Protection" later in this chapter bound that cache as well.

Configuring a Delay in Gratuitous ARP Requests

By default, Junos OS sends gratuitous ARP requests immediately after you make network-related configuration changes on an interface, like a VLAN ID, MAC address, or IP address change. It also sends gratuitous ARP requests if a failover occurs and the device becomes the new primary device.

The Packet Forwarding Engine may drop some of the request packets if the IP address configuration updates have not been fully processed by the time a gratuitous ARP request is sent. To avoid dropping request packets, you can configure a delay in gratuitous ARP requests.

To configure a delay in gratuitous ARP requests, include the gratuitous-arp-delay seconds statement at the [edit system arp] hierarchy level:

[edit system arp]
gratuitous-arp-delay seconds;

We recommend that you configure a value in the range of 3 through 6 seconds.
Sending a Gratuitous ARP Request When an Interface is Online

To configure the device to automatically send a gratuitous ARP request when an interface is online, include the gratuitous-arp-on-ifup statement at the [edit system arp] hierarchy level:

[edit system arp]
gratuitous-arp-on-ifup;

Purging ARP Entries

To configure a device to purge obsolete ARP entries in the cache when an interface goes offline, include the purging statement at the [edit system arp] hierarchy level:

[edit system arp]
purging;

Purging deletes ARP entries immediately after an interface is detected to have gone offline. If purging is not configured, ARP entries in the ARP table are retried after they have expired and are deleted if there is no ARP response within the default timeout value of 20 minutes. The default timeout value can be changed using the aging-timer statement, as explained below.
Setting the ARP Aging Timer

By default, the ARP aging timer is set at 20 minutes. In environments with many directly connected hosts, such as metro Ethernet environments, increasing the amount of time between ARP updates by configuring the ARP aging timer can improve performance: thousands of clients timing out at the same time might impact packet forwarding performance. In environments where there are devices connected with lower ARP aging timers (less than 20 minutes), decreasing the ARP aging timer can improve performance by preventing the flooding of traffic toward next hops with expired ARP entries. In most environments, the default ARP aging timer value does not need to be adjusted.

The range of the ARP aging timer is 1 through 240 minutes. To configure a system-wide ARP aging timer, include the aging-timer statement at the [edit system arp] hierarchy level:

[edit system arp]
aging-timer minutes;

You can also configure the ARP aging timer for each logical interface of family type inet. To configure the ARP aging timer at the logical interface level, specify the aging-timer statement and the timer value in minutes at the [edit system arp interfaces interface-name] hierarchy level:

[edit system arp interfaces interface-name]
aging-timer minutes;

To configure the ARP aging timer for a specific interface in a logical system, include the aging-timer statement and the timer value in minutes at the [edit logical-systems logical-system-name system arp interfaces interface-name] hierarchy level:

[edit logical-systems logical-system-name system arp interfaces interface-name]
aging-timer minutes;

NOTE: If the aging timer value is configured both at the system and the logical interface levels, the value configured at the logical interface level takes precedence for that logical interface.

The timer value you configure takes effect as ARP entries expire. Each refreshed ARP entry receives the new timer value. The new timer value does not apply to ARP entries that exist at the time you commit the configuration.

Disabling Neighbor Discovery

You can prevent the device from learning the MAC addresses of its neighbors through ARP (IPv4) or neighbor discovery (IPv6). To disable neighbor learning, so that the interface neither sends ARP or neighbor solicitation requests nor learns from the replies, use the no-neighbor-learn configuration statement.

To disable neighbor discovery for IPv4 neighbors:

[edit interfaces interface-name unit interface-unit-number family inet]
no-neighbor-learn;

To disable neighbor discovery for IPv6 neighbors:

[edit interfaces interface-name unit interface-unit-number family inet6]
no-neighbor-learn;

With learning disabled, the interface can reach only those neighbors for which you have configured static entries, so this option suits point-to-point or tightly controlled segments rather than general access links.
Example: Configuring ARP Cache Protection

IN THIS SECTION
Requirements
Overview
Configuration
Verification
Troubleshooting

Starting in Junos OS Release 16.1, you can configure an ARP cache limit for resolved and unresolved next-hop entries in the cache. This example shows how to configure ARP cache protection by specifying a maximum count and hold limit for resolved and unresolved next-hop entries in the ARP cache. This limit can be specified globally for all interfaces, or locally on a particular interface of the device. The benefit of configuring such a limit on the ARP cache is to protect the device from denial-of-service (DoS) attacks, for example an attacker sweeping a directly connected subnet so that the router creates unresolved next-hop entries faster than they can be resolved, until the cache is exhausted.

Requirements

This example uses the following hardware and software components:
• Two routers that can be a combination of M, MX, and T Series routers.
• Two host devices connected to the routers.
• Junos OS Release 16.1 or later running on the routers.
Overview

IN THIS SECTION
Topology

Sending IP packets on a multiaccess network requires mapping from an IP address to a media access control (MAC) address (the physical or hardware address). In an Ethernet environment, ARP is used to map a MAC address to an IP address. Hosts that use ARP maintain a cache of discovered Internet-to-Ethernet address mappings to minimize the number of ARP broadcast messages.

To keep the cache from growing too large, by default, an entry is removed from the cache if it is not used within a certain period of time. In addition to this, starting in Junos OS Release 16.1, you can manage the number of ARP cache entries by configuring a limit on the resolved and unresolved next-hop entries.

The ARP cache feature supports two types of limits:
• Count—Count limit is the maximum number of next hops that can be created in the ARP cache.
• Hold—Hold limit is the maximum number of hold routes pointing to a particular interface that can be retained before being added to the ARP cache.

The ARP cache limits are executed at two levels:
• Local—Local limits are configured per interface and apply to resolved and unresolved entries in the ARP cache.
• Global—Global limits apply system-wide. A global limit is further defined separately for the public interfaces and management interfaces, for example, fxp0. The management interface has a single global limit and no local limit. The global limit enforces a system-wide cap on entries for the ARP cache, including private internal routing interfaces (IRIs) for internal routing instances, for example, em0 and em1.

The default global limit depends on the platform:
• Small-sized platforms (ACX, EX22XX, EX3200, EX33XX, and SRX): default is 20,000.
• Medium-sized platforms (EX4200, EX45XX, EX4300, EX62XX, and MX): default is 75,000.
• All other platforms: default is 100,000.

You can modify this limit by configuring the ARP next-hop cache protection feature.

• To configure the ARP cache count limit for resolved and unresolved next-hop entries globally, include the arp-system-cache-limit statement at the [edit system] hierarchy level.
• To configure the ARP cache count limit for resolved and unresolved next-hop entries locally, include the arp-max-cache statement at the [edit interfaces interface-name unit interface-unit-number family inet] hierarchy level.
• To configure the ARP cache hold limit for unresolved next-hop entries locally, include the arp-new-hold-limit statement at the [edit interfaces interface-name unit interface-unit-number family inet] hierarchy level.

NOTE: The ARP cache hold limit is configured on a per-interface basis only, and cannot be configured at the system level.

The ARP cache next-hop entries are allocated to the different types of interfaces as follows, irrespective of the ARP cache protection feature configuration:
1. By default, 200 entries are allocated to IRIs.
2. 80 percent of the remaining entries are allocated to public interfaces.
3. 20 percent of the remaining entries are allocated to management interfaces.

When the ARP next-hop entries exceed the configured count limit, new entries are either discarded, or kept under the hold counter if a hold limit is configured for that interface. The ARP next-hop hold limit specifies the maximum number of hold entries or hold routes that point to a particular interface. When the number of hold entries exceeds the configured hold limit, the drop counter for that interface increases drastically, because the new hold entries form a loop and continue to increment until there is bandwidth to accommodate them.

NOTE: After modifying the default ARP next-hop cache limit on an interface, the interface must be deactivated and reactivated for the newly configured values to take effect.

Topology

Figure 1 illustrates a simple two-router topology with ARP cache protection enabled. Routers R1 and R2 are each connected to hosts, Host1 and Host2, respectively.

Figure 1: ARP Cache Protection

For example, if Router R1 is configured with an arp-system-cache-limit of 220 globally, and it receives 230 ARP entries on the first interface receiving the entries (say, ge-0/0/0), the following actions are performed:
1. When 230 entries are received, the global limit of 220 entries is applied to the system, where the configured limit is divided among the different types of interfaces, and the remaining entries received on a particular interface are discarded.
2. Out of the 220 cached entries, by default, 200 entries are allocated for IRI interfaces.
3. Out of the remaining 20 entries, 80 percent (16 entries) are allocated to public interfaces and 20 percent (4 entries) to the management interface. If the 230 ARP entries are received on the public interface, only the cache limit of 16 entries is retained, and the remaining 214 entries are discarded.

In addition, if ge-0/0/0 on Router R1 is configured with an arp-new-hold-limit value of 8, the following actions are performed:
1. Out of the 230 received entries, only those within the cache limit (220 system-wide, of which 16 for the public interface as computed above) are cached in the ARP table. However, instead of discarding the remaining entries outright, up to eight of them are sent to the hold counter of ge-0/0/0, and the rest are sent to the drop counter of ge-0/0/0.
2. Depending on availability of bandwidth, the eight hold entries are cached in the ARP table of ge-0/0/0 before any newly received entries are taken into account.
3. The drop counter of ge-0/0/0, however, does not increment by single entries. The discarded hold entries in the drop counter form a loop and add to the entries count until there is bandwidth on the interface to accommodate all the entries. Therefore, additions to the drop counter have a drastic effect on the interface performance.

Configuration

IN THIS SECTION
CLI Quick Configuration
Procedure
Results

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

R1

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/30
set interfaces ge-0/0/0 unit 0 family inet arp-new-hold-limit 8
set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.1/30
set interfaces lo0 unit 0 family inet address 10.10.10.1/32
set system arp-system-cache-limit 220

R2

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/30
set interfaces ge-0/0/1 unit 0 family inet address 3.3.3.1/30
set interfaces lo0 unit 0 family inet address 20.20.20.1/32
Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure Router R1 with ARP cache protection:

1. Configure the interfaces of Router R1.

[edit interfaces]
user@R1# set ge-0/0/0 unit 0 family inet address 1.1.1.1/30
user@R1# set ge-0/0/1 unit 0 family inet address 2.2.2.1/30
user@R1# set lo0 unit 0 family inet address 10.10.10.1/32

2. Configure ARP cache protection globally for all the interfaces of Router R1.

[edit system]
user@R1# set arp-system-cache-limit 220

3. Configure a hold limit on the ARP cache entries of interface ge-0/0/0 of Router R1.

[edit interfaces]
user@R1# set ge-0/0/0 unit 0 family inet arp-new-hold-limit 8

Results

From configuration mode, confirm your configuration by entering the show interfaces and show system commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@R1# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 1.1.1.1/30;
            arp-new-hold-limit 8;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 2.2.2.1/30;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 10.10.10.1/32;
        }
    }
}

user@R1# show system
arp-system-cache-limit 220;
Verification

IN THIS SECTION
Verifying Global ARP Next-Hop Cache Limit
Verifying Local ARP Next-Hop Cache Limit

Confirm that the configuration is working properly.

Verifying Global ARP Next-Hop Cache Limit

Purpose
Verify the system-wide ARP next-hop cache limits and the allocation of next-hop entries for the different interfaces.

Action
From operational mode, run the show system statistics arp command.

user@R1> show system statistics arp
arp:
        717253 datagrams received
        47 ARP requests received
        31 ARP replies received
        285 resolution request received
        0 unrestricted proxy requests
        0 restricted proxy requests
        0 received proxy requests
        0 unrestricted proxy requests not proxied
        *****
        220 Max System ARP nh cache limit
        16 Max Public ARP nh cache limit
        200 Max IRI ARP nh cache limit
        4 Max Management intf ARP nh cache limit
        16 Current Public ARP next-hops present
        1 Current IRI ARP next-hops present
        2 Current Management ARP next-hops present
        2457 Total ARP next-hops creation failed as limit reached
        2454 Public ARP next-hops creation failed as public limit reached
        3 IRI ARP next-hops creation failed as iri limit reached
        0 Management ARP next-hops creation failed as mgt limit reached

Meaning
The global ARP next-hop cache limits are displayed in the output, along with the allocation of next-hop entries for IRI, public, and management interfaces. In this output the public limit of 16 is fully used (16 present) and 2454 public next-hop creations have already failed, which is the signature of a public interface under ARP cache pressure; the "creation failed" counters are the ones to baseline and watch.
Verifying Local ARP Next-Hop Cache Limit

Purpose
Verify the interface ARP next-hop cache limit.

Action
From operational mode, run the show interfaces interface-name command.

user@R1> show interfaces fxp0
Physical interface: fxp0, Enabled, Physical link is Up
  Interface index: 1, SNMP ifIndex: 1
  Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Speed: 100mbps
  Device flags   : Present Running
  Interface flags: SNMP-Traps
  Link type      : Full-Duplex
  Current address: 00:a0:a5:62:8e:39, Hardware address: 00:a0:a5:62:8e:39
  Last flapped   : 2014-10-16 10:23:29 PDT (16:27:21 ago)
    Input packets : 0
    Output packets: 0

  Logical interface fxp0.0 (Index 3) (SNMP ifIndex 13)
    Flags: Up SNMP-Traps Encapsulation: ENET2
    Bandwidth: 0
    Input packets : 23
    Output packets: 4
    Protocol inet, MTU: 1500
    Max nh cache: 220 New hold nh limit: 8, Curr nh cnt: 2, Curr new hold cnt: 0, NH drop cnt: 0
      Flags: Sendbcast-pkt-to-re, Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.209.0/18, Local: 10.209.3.69, Broadcast: 10.209.63.255

Meaning
The local ARP next-hop cache count and hold limits for the interface are displayed in the "Max nh cache" and "New hold nh limit" fields of the logical interface, together with the current next-hop count, the current hold count, and the next-hop drop count. To check the interface configured in this example, run the same command for ge-0/0/0; a rising "NH drop cnt" on an interface means its hold limit is being exceeded.
Troubleshooting

IN THIS SECTION
Troubleshooting System Log Messages

To troubleshoot the ARP cache protection configuration, see:

Troubleshooting System Log Messages

Problem
System log messages are generated to record events when the ARP cache limits are exceeded.

Solution
To interpret the system log messages, refer to the following:
• Feb 08 17:12:39 [TRACE] [R1]: Public intf soft (80%) arp nh cache limit reached—Router R1 has reached 80 percent of the allowed ARP next-hop cache limit for public interfaces.
• Feb 08 17:07:43 [TRACE] [R1]: Public intf hard arp nh cache limit reached—Router R1 has reached the maximum allowed limit for ARP next-hop cache entries on the public interface.
• Feb 08 17:15:14 [TRACE] [R1]: Max cache soft (80%) arp nh cache limit for intf idx 325 reached—Router R1 has reached 80 percent of the configured global ARP next-hop cache limit for all its interfaces.
• Feb 08 17:19:41 [TRACE] [R1]: Max cache hard arp nh cache limit for intf idx 325 reached—Router R1 has reached the maximum configured global ARP next-hop cache limit for all its interfaces.
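The allocation rule in the Overview, the counters in the Verification section, and the syslog messages in the Troubleshooting section lend themselves to a small script. The following Python example is added here by the editor and is not Juniper code: it computes the per-class split of an arp-system-cache-limit value, parses the show system statistics arp counters shown above (sample output constructed from that listing), flags interface classes whose cache is full or has creation failures, and classifies the four syslog lines. Assumptions not stated in the guide: the public share is truncated when the 80/20 split is not exact, a global limit below the 200-entry IRI reservation is rejected, and the syslog text is matched on the wording reconstructed above ("Public intf", "Max cache", "hard", "(80%)").

```python
"""ARP next-hop cache limit helpers (added example; not Juniper code).

Models the allocation rule from the guide's Overview, parses the
'show system statistics arp' counters from its Verification section, and
classifies the syslog lines from its Troubleshooting section.
"""
import re

IRI_RESERVED = 200  # entries the guide says are reserved for IRIs by default


def allocate_cache(global_limit: int) -> dict:
    """Split an arp-system-cache-limit into IRI / public / management shares.

    200 entries go to IRIs, then 80 percent of the remainder to public
    interfaces and 20 percent to management interfaces. Truncating the
    public share on an inexact split is an assumption, not guide text.
    """
    if global_limit < IRI_RESERVED:
        # The guide does not say what happens below the IRI reservation.
        raise ValueError("global limit must be at least %d" % IRI_RESERVED)
    remaining = global_limit - IRI_RESERVED
    public = remaining * 80 // 100
    return {"iri": IRI_RESERVED, "public": public, "management": remaining - public}


_COUNTER_RE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")


def parse_arp_statistics(text: str) -> dict:
    """Map every '<count> <description>' output line to {description: count}."""
    counters = {}
    for line in text.splitlines():
        match = _COUNTER_RE.match(line)
        if match:
            counters[match.group(2)] = int(match.group(1))
    return counters


# (max-limit key, current-count key, creation-failed key) per interface class
_CLASS_KEYS = {
    "public": ("Max Public ARP nh cache limit",
               "Current Public ARP next-hops present",
               "Public ARP next-hops creation failed as public limit reached"),
    "iri": ("Max IRI ARP nh cache limit",
            "Current IRI ARP next-hops present",
            "IRI ARP next-hops creation failed as iri limit reached"),
    "management": ("Max Management intf ARP nh cache limit",
                   "Current Management ARP next-hops present",
                   "Management ARP next-hops creation failed as mgt limit reached"),
}


def cache_pressure(counters: dict) -> dict:
    """Per class: limit, current count, failed creations, and whether it is full."""
    report = {}
    for name, (max_key, cur_key, fail_key) in _CLASS_KEYS.items():
        limit = counters.get(max_key, 0)
        current = counters.get(cur_key, 0)
        report[name] = {
            "limit": limit,
            "current": current,
            "failed": counters.get(fail_key, 0),
            "saturated": limit > 0 and current >= limit,
        }
    return report


def classify_arp_syslog(line: str):
    """Return (scope, severity) for an ARP cache limit syslog line, else None.

    scope: 'public' for the public-interface messages, 'global' for the
    'Max cache' messages. severity: 'soft' at the 80% mark, 'hard' at the limit.
    """
    if "arp nh cache limit" not in line:
        return None
    scope = "public" if "Public intf" in line else "global" if "Max cache" in line else "unknown"
    severity = "hard" if " hard " in line else "soft" if "(80%)" in line else "unknown"
    return scope, severity


# Constructed sample input, copied from the guide's Verification and
# Troubleshooting listings so the functions can be exercised offline.
SAMPLE_STATS = """\
arp:
        717253 datagrams received
        47 ARP requests received
        31 ARP replies received
        285 resolution request received
        0 unrestricted proxy requests
        220 Max System ARP nh cache limit
        16 Max Public ARP nh cache limit
        200 Max IRI ARP nh cache limit
        4 Max Management intf ARP nh cache limit
        16 Current Public ARP next-hops present
        1 Current IRI ARP next-hops present
        2 Current Management ARP next-hops present
        2457 Total ARP next-hops creation failed as limit reached
        2454 Public ARP next-hops creation failed as public limit reached
        3 IRI ARP next-hops creation failed as iri limit reached
        0 Management ARP next-hops creation failed as mgt limit reached
"""
SAMPLE_SYSLOG = [
    "Feb 08 17:12:39 [TRACE] [R1]: Public intf soft (80%) arp nh cache limit reached",
    "Feb 08 17:07:43 [TRACE] [R1]: Public intf hard arp nh cache limit reached",
    "Feb 08 17:15:14 [TRACE] [R1]: Max cache soft (80%) arp nh cache limit for intf idx 325 reached",
    "Feb 08 17:19:41 [TRACE] [R1]: Max cache hard arp nh cache limit for intf idx 325 reached",
]

if __name__ == "__main__":
    counters = parse_arp_statistics(SAMPLE_STATS)
    print("configured split:", allocate_cache(counters["Max System ARP nh cache limit"]))
    for name, state in cache_pressure(counters).items():
        print("%-10s %s" % (name, state))
    for line in SAMPLE_SYSLOG:
        print(classify_arp_syslog(line), "<-", line)
```

Run against the sample output, allocate_cache(220) reproduces the 200/16/4 split that the counters report, and cache_pressure marks only the public class as saturated, with 2454 failed creations. Feeding the same functions the output collected on a schedule gives a simple baseline for alerting on ARP cache exhaustion.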
Release History Table
Release   Description
16.1      Starting in Junos OS Release 16.1, you can configure an ARP cache limit for resolved and unresolved next-hop entries in the cache.

RELATED DOCUMENTATION
arp-system-cache-limit
arp-new-hold-limit
C n r ICMP Features
IN THIS SECTION
Protocol Redirect Messages | 20
Disable the R |
n Engine Response to M c s Ping Packets | 22 |
|
Disable R |
r n |
IP Address and Timestamps in Ping Responses | 22 |
C n r |
Junos OS to Ignore ICMP Source Quench Messages | 23 |
Rate Limit ICMPv4 and ICMPv6 r c | 23
Rate Limit ICMPv4 and ICMPv6 Error Messages | 24
Learn more about how to c n r Internet Control Message Protocol (ICMP) features.
IN THIS SECTION
Understanding Protocol Redirect Messages | 21
Disable Protocol Redirect Messages | 21
ICMP redirect, also known as protocol redirect, is a mechanism used by switches and routers to convey routing information to hosts. Devices use protocol redirect messages to notify the hosts on the same data link of the best route available for a given destination. All EX Series switches support sending protocol redirect messages for both IPv4 and IPv6 traffic.
NOTE: Switches do not send protocol redirect messages if the data packet contains routing information.
Understanding Protocol Redirect Messages
Protocol redirect messages inform a host to update its routing information and to send packets on an alternate route. Suppose a host tries to send a data packet through a switch S1, and S1 forwards the data packet to another switch, S2. Also suppose that a direct path from the host to S2 is available (that is, the host and S2 are on the same Ethernet segment). S1 then sends a protocol redirect message to inform the host that the best route for the destination is the direct route to S2. The host should then send packets directly to S2 instead of sending them through S1. S2 still forwards the original packet that it received from S1 to the intended destination.
Refer to RFC 1122 and RFC 4861 for more details on protocol redirection.
Disable Protocol Redirect Messages
By default, devices send protocol redirect messages for both IPv4 and IPv6 traffic. For security reasons, you may want to disable the device from sending protocol redirect messages.
To disable protocol redirect messages for the entire device, include the no-redirects or no-redirects-ipv6 statement at the [edit system] hierarchy level.
• For IPv4 traffic:
[edit system]
user@host# set no-redirects
• For IPv6 traffic:
[edit system]
user@host# set no-redirects-ipv6
To re-enable the sending of redirect messages on the device, delete the no-redirects statement (for IPv4 traffic) or the no-redirects-ipv6 statement (for IPv6 traffic) from the configuration.
To disable protocol redirect messages on a per-interface basis, include the no-redirects statement at the [edit interfaces interface-name unit logical-unit-number family family] hierarchy level.
• For IPv4 traffic:
[edit interfaces interface-name unit logical-unit-number]
user@host# set family inet no-redirects
• For IPv6 traffic:
[edit interfaces interface-name unit logical-unit-number]
user@host# set family inet6 no-redirects
Disable the Routing Engine Response to Multicast Ping Packets
By default, the Routing Engine responds to ICMP echo requests sent to multicast group addresses. By configuring the Routing Engine to ignore multicast ping packets, you can prevent unauthorized persons from discovering the list of provider edge (PE) devices in the network.
To disable the Routing Engine from responding to these ICMP echo requests, include the no-multicast-echo statement at the [edit system] hierarchy level:
[edit system]
no-multicast-echo;
Disable Reporting IP Address and Timestamps in Ping Responses
When you issue the ping command with the record-route option, the Routing Engine displays the path of the ICMP echo request packets and the timestamps in the ICMP echo responses by default. By configuring the no-ping-record-route and no-ping-time-stamp options, you can prevent unauthorized persons from discovering information about the provider edge (PE) device and its loopback address.
You can configure the Routing Engine to disable the setting of the record-route option in the IP header of the ping request packets. Disabling the record-route option prevents the Routing Engine from recording and displaying the path of the ICMP echo request packets in the response.
To configure the Routing Engine to disable the setting of the record-route option, include the no-ping-record-route statement at the [edit system] hierarchy level:
[edit system]
no-ping-record-route;
To disable the reporting of timestamps in the ICMP echo responses, include the no-ping-time-stamp statement at the [edit system] hierarchy level:
[edit system]
no-ping-time-stamp;
Configure Junos OS to Ignore ICMP Source Quench Messages
By default, the device reacts to Internet Control Message Protocol (ICMP) source quench messages. To ignore ICMP source quench messages, include the no-source-quench statement at the [edit system internet-options] hierarchy level:
[edit system internet-options]
no-source-quench;
To stop ignoring ICMP source quench messages, use the source-quench statement:
[edit system internet-options]
source-quench;
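The redirect, multicast echo, ping record-route and timestamp, and source quench statements above can be audited in one pass over the output of `show configuration | display set`. This is an added example, not Juniper code; the configuration excerpt is constructed, and the per-unit logic assumes that a logical unit is covered either by the global no-redirects statement for its family or by its own no-redirects statement.

```python
import re

# Constructed "show configuration | display set" excerpt for illustration only;
# it is not a configuration from a real device.
SAMPLE_CONFIG = """\
set system host-name r1
set system no-redirects-ipv6
set system no-multicast-echo
set system no-ping-record-route
set system internet-options source-quench
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/0 unit 0 family inet no-redirects
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8::1/64
"""

# Statements that disable the ICMP behaviours discussed in this section.
GLOBAL_CHECKS = {
    "no-multicast-echo": "set system no-multicast-echo",
    "no-ping-record-route": "set system no-ping-record-route",
    "no-ping-time-stamp": "set system no-ping-time-stamp",
    "no-source-quench": "set system internet-options no-source-quench",
}
REDIRECT_GLOBAL = {"inet": "set system no-redirects", "inet6": "set system no-redirects-ipv6"}
UNIT_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family (inet6?) (.+)$")


def audit_icmp_hardening(config_text: str) -> dict:
    """Report which hardening statements are present, and which logical units
    still send redirects because neither the global nor a per-unit statement covers them."""
    lines = {ln.strip() for ln in config_text.splitlines() if ln.strip()}
    checks = {name: stmt in lines for name, stmt in GLOBAL_CHECKS.items()}
    # units[family][(ifname, unit)] -> True once a per-unit no-redirects is seen
    units: dict = {"inet": {}, "inet6": {}}
    for line in lines:
        m = UNIT_RE.match(line)
        if m is None:
            continue
        ifname, unit, family, rest = m.groups()
        units[family].setdefault((ifname, unit), False)
        if rest == "no-redirects":
            units[family][(ifname, unit)] = True
    uncovered = {}
    for family, stmt in REDIRECT_GLOBAL.items():
        if stmt in lines:            # the global statement covers every unit
            uncovered[family] = []
        else:
            uncovered[family] = sorted(f"{i} unit {u}" for (i, u), ok in units[family].items() if not ok)
        checks[f"redirects-{family}"] = not uncovered[family]
    return {"checks": checks, "uncovered_units": uncovered}
```

In the sample, source-quench is explicitly re-enabled and no-ping-time-stamp is absent, so both checks fail, and ge-0/0/1 unit 0 is reported because only ge-0/0/0 carries a per-unit inet no-redirects.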
Rate Limit ICMPv4 and ICMPv6 Traffic
To limit the rate at which ICMPv4 or ICMPv6 messages can be generated by the Routing Engine and sent to the Routing Engine, include the appropriate rate-limiting statement at the [edit system internet-options] hierarchy level.