How to disable the default ARP policer for selective interfaces or dynamic-profiles in MX routers.
In an MX subscriber management environment, one may need to disable the default ARP policer on static interfaces or autosense VLANs and instead let the DDOS function protect the system.
This is because, when an ARP attack happens, both normal user ARP traffic and attack ARP traffic might be dropped early by the default ARP policer. The DDOS and flow-detection functions then do not get enough ARP traffic to identify and block the source of an actual attack. Therefore, one needs to disable the default ARP policer and let the DDOS function handle this.
A new hidden knob to disable the default ARP policer was introduced into Junos beginning in 12.3R6 and is present in later releases. It is applicable only to Trio line cards on MX routers.
Usage of this new hidden knob:

CLI for static interface
==============================================
[edit]
User@Router# show interfaces xe-0/0/0
unit 0 {
    family inet {
        policer {
            disable-arp-policer;
        }
    }
}

CLI for dynamic-profiles (autosense vlan)
==============================================
[edit]
User@Router# show dynamic-profiles test
interfaces {
    "$junos-interface-ifd-name" {
        unit "$junos-interface-unit" {
            family inet {
                policer {
                    disable-arp-policer;
                }
            }
        }
    }
}
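
Because the knob removes the default ARP policer on every unit where it is set and leaves ARP flood handling to the DDOS function, it helps to keep an inventory of where it is applied. The following Python script is an added example, not part of the original article or any Juniper tooling: it walks configuration text in the brace format shown above and reports each unit that sets disable-arp-policer. The function name and the sample configuration are constructed for illustration, and the input is assumed to contain no comments or annotations.

```python
import re

# Constructed sample in the brace format shown above (not from a real router).
SAMPLE_CONFIG = '''
interfaces {
    xe-0/0/0 {
        unit 0 { family inet { policer { disable-arp-policer; } } }
        unit 1 { family inet { address 192.0.2.1/24; } }
    }
}
dynamic-profiles {
    test {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    family inet { policer { disable-arp-policer; } }
                }
            }
        }
    }
}
'''

# A token is a quoted string, a structural character, or a bare word.
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def find_disabled_arp_policer(config_text):
    """Return the hierarchy path of every unit that sets disable-arp-policer."""
    hits, path, words = [], [], []
    for tok in TOKEN.findall(config_text):
        if tok == "{":              # words collected so far name the new level
            path.append(" ".join(words))
            words = []
        elif tok == "}":            # leave the current level
            if path:
                path.pop()
            words = []
        elif tok == ";":            # end of a leaf statement
            if (words == ["disable-arp-policer"]
                    and path[-2:] == ["family inet", "policer"]):
                hits.append(" / ".join(path[:-2]))
            words = []
        else:
            words.append(tok.strip('"'))
    return hits

if __name__ == "__main__":
    for unit_path in find_disabled_arp_policer(SAMPLE_CONFIG):
        print("default ARP policer disabled on:", unit_path)
```

Each reported unit relies on the DDOS and flow-detection functions alone for ARP floods, so it is worth confirming those functions are active wherever the script finds the knob.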