Twice we saw an ARP DDoS from a Layer 2 network operator to our different routers. It was above 1.5 million ARP packets per second, which the default ARP policer dropped.

    [email protected]> show policer __default_arp_policer__
    Policers:
    Name                                        Bytes              Packets
    __default_arp_policer__               61113045326           1328544093
    {master}

    [email protected]> show policer __default_arp_policer__
    Policers:
    Name                                        Bytes              Packets
    __default_arp_policer__               61176856048           1329931282
    {master}

But besides the dangerous ARP packets, legitimate ARP packets were dropped as well. In the first incident we lost management of two Cisco switches, and in the second incident we lost many of our clients' services. In the second incident, traffic on the subinterface grew to 373 Mb/s, but the policer rate-limiting traffic on this subinterface didn't drop the exceeding traffic. Why?

    [email protected]> show policer lim1m-xe-0/1/0.974-inet-i
    Policers:
    Name                                        Bytes              Packets
    lim1m-xe-0/1/0.974-inet-i                       0                    0
    {master}

    [email protected]> show policer lim1m-xe-0/1/0.974-inet-o
    Policers:
    Name                                        Bytes              Packets
    lim1m-xe-0/1/0.974-inet-o                57932665                40992
    {master}

The correct solution to the problem was to use a policer rate-limiting ARP packets on the subinterface.

    firewall {
        policer ARP-Policer {
            if-exceeding {
                bandwidth-limit 8k;
                burst-size-limit 1500;
            }
            then discard;
        }
    }
    interfaces {
        xe-0/1/0 {
            unit 974 {
                family inet {
                    policer {
                        arp ARP-Policer;
                    }
                }
            }
        }
    }

Best regards,
Alexey
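As an added example (not part of Alexey's post), a small script that turns two `show policer` captures of the kind quoted above into a per-second discard rate, so an ARP storm hitting `__default_arp_policer__` can be alerted on before legitimate ARP starts failing. The two samples reuse the counters from the post; the one-second spacing between captures and the 10,000 pps alert threshold are assumptions.

```python
import re
from datetime import datetime

# Two captures of `show policer` output, constructed in the layout shown in the
# post. The byte/packet counters are the post's; the timestamps are assumed.
SAMPLE_1 = ("2024-01-01 12:00:00", """\
Policers:
Name                                        Bytes              Packets
__default_arp_policer__               61113045326           1328544093
""")
SAMPLE_2 = ("2024-01-01 12:00:01", """\
Policers:
Name                                        Bytes              Packets
__default_arp_policer__               61176856048           1329931282
""")

# A counter row: policer name, bytes, packets (the header row has no digits).
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")


def parse_policers(text):
    """Return {policer_name: (bytes, packets)} from `show policer` output."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters


def discard_rates(sample_a, sample_b):
    """Per-policer (packets/s, bits/s) discarded between two timestamped captures."""
    (t_a, text_a), (t_b, text_b) = sample_a, sample_b
    seconds = (datetime.fromisoformat(t_b) - datetime.fromisoformat(t_a)).total_seconds()
    if seconds <= 0:
        raise ValueError("captures must be in chronological order")
    a, b = parse_policers(text_a), parse_policers(text_b)
    rates = {}
    for name in a.keys() & b.keys():
        d_bytes, d_pkts = b[name][0] - a[name][0], b[name][1] - a[name][1]
        if d_bytes < 0 or d_pkts < 0:  # counters cleared or wrapped between captures
            continue
        rates[name] = (d_pkts / seconds, d_bytes * 8 / seconds)
    return rates


def arp_storm_alerts(rates, pps_threshold=10_000):
    """Names of ARP policers discarding at or above the threshold (assumed value)."""
    return sorted(n for n, (pps, _) in rates.items() if "arp" in n.lower() and pps >= pps_threshold)
```

Run against the two samples, the default ARP policer shows roughly 1.39 million discards per second, matching the rate described in the post.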