[MX/QFX] How to identify and protect interfaces experiencing ARP storm

Article ID: KB36917    Last Updated: 20 Aug 2021    Version: 2.0
Summary:

This article details the steps to identify and protect IPv4 interfaces that are receiving a high volume of ARP traffic (an ARP storm).

When a router is connected to devices with a Layer 2 loop, a malfunctioning server, or a malicious attack, a high volume of broadcast traffic such as ARP requests is punted to the router's control plane for resolution. Excessive broadcast traffic entering the control plane (Routing Engine) causes host-path congestion and high CPU. As a result, protocols of the same or lower priority may be dropped in the host path or not be processed in time, causing delays or protocol flaps.

Symptoms:

Protocols of the same or lower priority may be dropped in the host path or not be processed in time, causing delays or protocol flaps.

Solution:

Part 1

Identify the problematic interface. There are two methods. The first method is to identify the problematic interface by observing policer counters and checking input traffic. The second method is to use DDoS protection suspicious control flow detection (SCFD).

Method 1

  1. Check the default ARP policer counter for the entire router. A default ARP policer is programmed per Packet Forwarding Engine (PFE), with a 150 kbps bandwidth limit. The following output is an aggregate counter for all PFEs:

user@router-re0> show policer __default_arp_policer__ 
Policers:
Name                                                Bytes              Packets
__default_arp_policer__                            839460              12345
  2. Identify the FPC whose ARP policer counter is incrementing, checking each FPC in turn:

user@router-re0> start shell pfe network fpc0 

NPC0(lab-re0 vty)# show filter index 17000
Term Filters:
------------
   Index    Semantic  Properties   Name
--------  ---------- --------  ------
   17000  Classic    -         __default_arp_policer__

NPC0(lab-re0 vty)# show filter index 17000 counters    
Filter Counters/Policers:
   Index               Packets                 Bytes  Name
--------  --------------------  --------------------  --------
   17000                 12345                        __default_arp_policer__

  3. After the FPC has been identified, narrow down the interface by checking interface statistics. The following example lists the interfaces on FPC0:

user@router-re0> show interfaces terse | match -0/ | match "xe|ge|et-"   
xe-0/0/0                up    up
xe-0/0/0.0              up    up   aenet    --> ae12.0
xe-0/0/1                up    up
xe-0/0/1.32767          up    up   aenet    --> ae1.32767
xe-0/0/2                up    up
xe-0/0/2.32767          up    up   aenet    --> ae2.32767
xe-0/0/3                up    up
xe-0/0/3.32767          up    up   aenet    --> ae3.32767
xe-0/1/0                up    up
xe-0/1/1                up    up
xe-0/1/2                up    down
xe-0/1/3                up    down
xe-0/2/0                up    down
xe-0/2/0.0              up    down aenet    --> ae0.0
xe-0/2/1                up    down
xe-0/2/1.0              up    down aenet    --> ae0.0
xe-0/2/2                up    up
xe-0/2/3                up    up
xe-0/3/0                up    down
xe-0/3/1                up    down
xe-0/3/2                up    down
xe-0/3/3                up    down

Check which interface has a rapidly incrementing broadcast counter (take the output twice and compare). In the following example, xe-0/0/0, which belongs to ae12, has a very high broadcast packet count:

user@router-re0> show interfaces xe-0/0/0 extensive | match broadcast 
    Broadcast packets                  4318315843135               37
  4. If there are multiple inet sub-interfaces on the identified interface, use the following command to identify which sub-interface is receiving the ARP storm. In the example below, the excessive ARP requests arrive on VLAN 28, so the sub-interface carrying VLAN 28 is the one that needs to be protected:

labroot@router-re0> monitor traffic interface ae12 no-resolve layer2-headers matching arp count 100
 
10:59:07.543080  In 00:66:00:67:00:01 > 50:c5:8d:d2:2f:c5, ethertype 802.1Q (0x8100), length 60: vlan 28, p 0, ethertype ARP, arp who-has 97.109.80.10 tell 0.0.0.0
...
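When the capture runs for a few hundred packets, tallying the `monitor traffic ... layer2-headers matching arp` lines by VLAN and sender MAC makes the offending sub-interface obvious. The following parser is an added example, not part of the Juniper article; the capture lines are constructed for illustration (only the first one mirrors the article's output), and the `ae12.<vlan>` naming is this lab's convention that should be confirmed against the actual unit configuration.

```python
import re
from collections import Counter

# Constructed sample of "monitor traffic interface ae12 no-resolve layer2-headers
# matching arp" output: three probes flooding VLAN 28, one normal exchange on VLAN 100.
SAMPLE_CAPTURE = """\
10:59:07.543080  In 00:66:00:67:00:01 > 50:c5:8d:d2:2f:c5, ethertype 802.1Q (0x8100), length 60: vlan 28, p 0, ethertype ARP, arp who-has 97.109.80.10 tell 0.0.0.0
10:59:07.543201  In 00:66:00:67:00:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 28, p 0, ethertype ARP, arp who-has 97.109.80.11 tell 0.0.0.0
10:59:07.543322  In 00:66:00:67:00:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 28, p 0, ethertype ARP, arp who-has 97.109.80.12 tell 0.0.0.0
10:59:07.544010  In 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 0, ethertype ARP, arp who-has 10.0.100.1 tell 10.0.100.7
10:59:07.545500 Out 50:c5:8d:d2:2f:c5 > 00:11:22:33:44:55, ethertype 802.1Q (0x8100), length 60: vlan 100, p 0, ethertype ARP, arp reply 10.0.100.1 is-at 50:c5:8d:d2:2f:c5
"""

# Timestamp, direction, source/destination MAC, 802.1Q VLAN id, ARP opcode and,
# for requests, the sender protocol address after "tell".
LINE_RE = re.compile(
    r"^\S+\s+(?P<dir>In|Out)\s+(?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}),"
    r".*?vlan (?P<vlan>\d+),.*?arp (?P<op>who-has|reply)(?: .* tell (?P<tell>[\d.]+))?"
)


def summarize_arp(capture: str) -> dict:
    """Count inbound ARP requests per VLAN, per (VLAN, sender MAC), and per VLAN
    for probes that claim sender address 0.0.0.0 (typical of address-probing hosts)."""
    per_vlan, per_sender, probes = Counter(), Counter(), Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "In" or m["op"] != "who-has":
            continue  # only inbound requests load the Routing Engine's ARP path
        vlan = int(m["vlan"])
        per_vlan[vlan] += 1
        per_sender[(vlan, m["src"])] += 1
        if m["tell"] == "0.0.0.0":
            probes[vlan] += 1
    return {"per_vlan": per_vlan, "per_sender": per_sender, "probes": probes}


def busiest_unit(capture: str, ifd: str = "ae12"):
    """Return (candidate sub-interface, request count) for the VLAN with most requests.
    Assumes the unit number equals the VLAN id, as in the article's lab (verify first)."""
    per_vlan = summarize_arp(capture)["per_vlan"]
    if not per_vlan:
        return None
    vlan, count = per_vlan.most_common(1)[0]
    return f"{ifd}.{vlan}", count
```

Run it against a longer capture saved from the router (`| save` or a copy of the terminal) and compare `per_sender` with the VLAN total: a single MAC dominating the VLAN points at one misbehaving host rather than a loop.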

Method 2

  1. Use SCFD (suspicious control flow detection) to detect the problematic flow from the DDoS protection perspective.

Note: This configuration applies at the router level, not per interface.

Example configuration:

set system ddos-protection global flow-detection
set system ddos-protection global violation-report-rate 10
set system ddos-protection global flow-report-rate 10
set system ddos-protection protocols arp aggregate flow-detection-mode on
set system ddos-protection protocols arp aggregate flow-level-bandwidth logical-interface 500
set system ddos-protection protocols arp aggregate flow-level-bandwidth physical-interface 500
set system ddos-protection protocols arp aggregate flow-level-detection subscriber on
set system ddos-protection protocols arp aggregate flow-level-detection physical-interface on
set system ddos-protection protocols arp aggregate flow-level-control logical-interface police
set system ddos-protection protocols arp aggregate flow-level-control physical-interface police
  2. After committing, identify the problematic flow with the following command:

> show ddos-protection protocols arp culprit-flows
 

Part 2

  1. Apply an ARP policer to restrict the input ARP volume on the identified interfaces.

From the steps above, ae12.28 is receiving the ARP storm. Apply an ARP policer to rate-limit the incoming ARP packets on that sub-interface (in this example, 8 kbps with a 1500-byte burst; packets exceeding the limit are discarded):

set firewall policer ARP_Policer if-exceeding bandwidth-limit 8k
set firewall policer ARP_Policer if-exceeding burst-size-limit 1500
set firewall policer ARP_Policer then discard
set interfaces ae12.28 family inet policer arp ARP_Policer 