The Excessive ARP
Punt Protection feature monitors ARP control packet traffic arriving from
non-subscriber interfaces. These could be physical interfaces, sub-interfaces,
or BVIs. It divides interfaces into two categories:
-
"Parent"
interfaces, which can have other interfaces under them.
-
"Non-parent"
interfaces, which have no interfaces under them.
A physical interface
is always a parent interface because it has VLAN sub-interfaces. An L3 VLAN
sub-interface can either be a parent or a non-parent interface.
When a flow is
trapped, the Excessive ARP Punt Protection feature tries to identify the source
of the flow. The first thing it determines is from which interface the flow
came. If this interface is not a "parent" interface, then the feature assumes
that it is the end-point source of the flow and penalty policing is applied
only on the non-parent interface and not the parent interface. The software
applies a penalty-policer in the case of a BVI interface also. If the trapped
interface is a "parent" interface, then the entire interface is penalized,
which would penalize all the interfaces under it.
For more information
about enabling the Excessive ARP Punt Protection feature, see
Enabling the Excessive ARP Punt Protection.
Note
|
The Excessive ARP
Punt Protection feature monitors all punt ARP traffic. You can exclude a
particular interface on the router from the monitoring but a remote interface
cannot be prevented from being flagged as bad if it is the source of excessive
flows.
|
Bad actors are policed
for ARP protocol. There is a static punt rate and a penalty rate for ARP
protocol. For example, the sum total of all ARP punts from remote devices is
policed at 1000 packets per second (pps) to the router's CPU. If one remote
device sends an excessive rate of ARP traffic and is trapped, then ARP traffic
from that bad actor is policed at 10 pps. The remaining (non-bad) remote
devices continue to use the static 1000 pps queue for ARP.
Note
|
The excessive rate
required to cause an interface to get trapped has nothing to do with the static
punt rate (that is,1000 pps ). The excessive rate is a rate that is
significantly higher than the current average rate of other control packets
being punted. The excessive rate is not a fixed rate, and is dependent on the
current overall punt packet activity.
|
When an interface is
trapped, it is placed in a "penalty box" for a period of time (a default of 15
minutes). At the end of the penalty timeout, it is removed from penalty
policing (that is, packet dropping). If there is still an excessive rate of ARP
control packet traffic coming from the remote device, then the remote interface
is trapped again.