Junos OS

Hi!

 

Is there a way to monitor the arp entries in JunOS?

I want to know when the ARP entry changes, like when a IP-address get a new mac-address-binding.

 

Do you get me?

 

There are no traceoptions under system>arp in Junos so I can't write it in log-file.

Is there another way to solve this?

Hi,

what platform are you using? If it's a switch and your aim is to prevent ARP-spoofing attacks, then you can configure Dynamic-Arp-Inspection:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB10960&actp=RSS


One (really tough) way to monitor this would be to write a script and keep on monitoring the ARP table using the 'arp -a' handle from the shell-prompt. You can use hash-based key-value pairs to parse the IP and MAC addresses.

Thanks,
ankit

try this:

monitor traffic count 4 matching “arp” detail

 

https://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-admin-guide/using-the-monitor-traffic-command.html

Hi nisse,

 

There is a way you can monitor all the changes in the forwarding table, and that includes ARP changes. Of course, this only makes sense in routers with a small number of routes, is that your case?

Ato

Sorry for the late answer.

We're using the EX4500.

 

What do you mean with small number of routes?

I'll guess we have a small number of routes.

 

Do you have any example how I can solve this?

 

If an IP address changes its MAC resolution, the following message will be syslogged:

 

Mar 27 23:55:45  mitrofan-re1 /kernel: %KERN-6-KERN_ARP_ADDR_CHANGE: arp info overwritten for 10.255.1.2 from 00:23:9c:9a:d1:4c to 00:23:9c:9a:d1:4b

<--- This prefix %KERN-6- is only added if you configure explicit-priority

 

There is also a KERN_ARP_DUPLICATE_ADDR message.

 

You can also display in real time ARP changes as follows (unsupported):

 

amonge@mitrofan-re1> start shell user root    
Password:
root@mitrofan-re1% rtsockmon -tn
    sender   flag    type       op
[23:48:52] kernel   P    route      delete  inet 192.168.0.2 tid=0 plen=32 type=dest flags=0x180 nh=ucst nhflags=0x1 nhidx=857 rt_nhiflist = 0 altfwdnhidx=0 filtidx=0
[23:48:52] unknown  P    nexthop    delete  inet 192.168.0.2 nh=ucst flags=0x5 idx=857 ifidx=387 filteridx=0
<---- This is an ARP entry deleted

[23:49:01] kernel   P    route      add     inet 192.168.0.2 tid=0 plen=32 type=dest flags=0x0 nh=hold nhflags=0x1 nhidx=857 rt_nhiflist = 0 altfwdnhidx=0 filtidx=0
[23:49:01] kernel   P    nexthop    add     inet 192.168.0.2 nh=hold flags=0x1 idx=857 ifidx=387 filteridx=0
[23:49:01] kernel   P    nexthop    change  inet 192.168.0.2 nh=ucst flags=0x1 idx=857 ifidx=387 filteridx=0
<---- This is an ARP entry added

 

If this helped, please mark it as solution and click on the white star (kudos).

 

 

 

amonge@mitrofan-re1> show arp no-resolve hostname 192.168.0.2   
MAC Address       Address         Interface     Flags
00:00:b1:1d:d9:2f 192.168.0.2     ge-2/2/1.0           none

amonge@mitrofan-re1> clear arp hostname 192.168.0.2              
192.168.0.2      deleted

amonge@mitrofan-re1> ping 192.168.0.2 count 1                    
PING 192.168.0.2 (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: icmp_seq=0 ttl=64 time=1.023 ms

--- 192.168.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.023/1.023/1.023/0.000 ms

Maybe the best thing is to turn on dhcp snooping and would do it.