Related Documentation
- MX, T Series
- Configuring Protection Against DDoS Attacks
- For a list of supported protocol groups and packet types, see protocols.
- Example: Configuring DDoS Protection
Configuring DDoS Protection Policers for Individual Packet Types
DDoS policers are applied to control packet traffic. You configure the maximum allowed traffic rate, maximum burst size, traffic priority, and how much time must pass since the last violation before the traffic flow is considered to have recovered from the attack. You can also scale the bandwidth and burst values for individual line cards so that the policers at this level trigger at lower thresholds than the overall protocol or packet thresholds.
You can configure an aggregate policer for any protocol group. The aggregate policer applies to the combination of all types of control packet traffic for that group. When you configure an aggregate policer for certain protocol groups, you can optionally bypass that policer for one or more particular packet types in that group. For those same groups, you can configure policers for individual packet types instead of configuring an aggregate policer.
DDoS protection is enabled by default. Although all policers have default parameter values, these values might not accurately reflect the control traffic pattern of your network.
Best Practice: We recommend that you model your network to determine the best values for your situation. Before you configure policers for your network, you can quickly view the default values for all packet types from operational mode by issuing the show ddos-protection protocols parameters brief command. You can also use the command to specify a single protocol group of interest; for example, issue the show ddos-protection protocols dhcpv4 parameters brief command.
You can disable a packet type’s policer at the Routing Engine, on a specified line card, or on all line cards. You can also disable logging of all DDoS events for individual packet types within a protocol group.
To configure individual, packet-level DDoS settings:
- Specify the protocol group.
  [edit system ddos-protection protocols]
  user@host# edit protocol-group
  For example, to specify the DHCPv4 protocol group:
  [edit system ddos-protection protocols]
  user@host# edit dhcpv4
- Specify the packet type or the combination of all packet types in the group.
  [edit system ddos-protection protocols protocol-group]
  user@host# set packet-type
  or
  [edit system ddos-protection protocols protocol-group]
  user@host# set aggregate
  For example, to specify the DHCPv4 release packets:
  [edit system ddos-protection protocols dhcpv4]
  user@host# edit release
- (Optional) Configure the maximum traffic rate the policer allows for the packet type.
  [edit system ddos-protection protocols protocol-group packet-type]
  user@host# set bandwidth packets-per-second
  For example, to set a bandwidth of 600 packets per second for DHCPv4 release packets:
  [edit system ddos-protection protocols dhcpv4 release]
  user@host# set bandwidth 600
- (Optional) Configure the maximum number of packets of the packet type that the policer allows in a burst of traffic.
  [edit system ddos-protection protocols protocol-group packet-type]
  user@host# set burst size
  For example, to set a maximum burst of 5000 DHCPv4 release packets:
  [edit system ddos-protection protocols dhcpv4 release]
  user@host# set burst 5000
- (Optional) Set the traffic priority.
  [edit system ddos-protection protocols protocol-group packet-type]
  user@host# set priority level
  For example, to specify a medium priority for DHCPv4 release packets:
  [edit system ddos-protection protocols dhcpv4 release]
  user@host# set priority medium
- (Optional) Configure how much time must pass since the last violation before the traffic flow is considered to have recovered from the attack.
  [edit system ddos-protection protocols protocol-group packet-type]
  user@host# set recover-time seconds
  For example, to specify that 600 seconds must have passed since the last violation of the DHCPv4 release packet policer:
  [edit system ddos-protection protocols dhcpv4 release]
  user@host# set recover-time 600
- (Optional) Bypass the aggregate policer configuration. This is relevant only when an aggregate policer is configured for the protocol group.
  [edit system ddos-protection protocols protocol-group packet-type]
  user@host# set bypass-aggregate
  For example, to bypass the aggregate policer for DHCPv4 renew packets:
  [edit system ddos-protection protocols dhcpv4 renew]
  user@host# set bypass-aggregate
- (Optional) Disable line card policers for the packet type on all line cards.
  [edit system ddos-protection protocols protocol-group packet-type]
  user@host# set disable-fpc
  Note: When you disable line card policers globally at the [edit system ddos-protection global] hierarchy level, the global setting overrides the per-packet type setting shown in this step. If you subsequently remove the global configuration, then the per-packet type configuration takes effect.
  For example, to disable the line card policer for DHCPv4 bootp packets:
  [edit system ddos-protection protocols dhcpv4 bootp]
  user@host# set disable-fpc
- (Optional) Disable DDoS event logging for only this packet type.
  [edit system ddos-protection protocols protocol-group packet-type]
  user@host# set disable-logging
  Note: The events disabled for the packet type are those associated with policer violations; logging of flow detection culprit flow events is not affected by this statement.
  Note: When you disable DDoS event logging globally at the [edit system ddos-protection global] hierarchy level, the global setting overrides the per-packet type setting shown in this step. If you subsequently remove the global configuration, then the per-packet type configuration takes effect.
  For example, to disable DDoS event logging for DHCPv4 discover packets:
  [edit system ddos-protection protocols dhcpv4 discover]
  user@host# set disable-logging
- (Optional) Disable the Routing Engine policer for only this packet type.
  [edit system ddos-protection protocols protocol-group packet-type]
  user@host# set disable-routing-engine
  Note: When you disable the Routing Engine policer globally at the [edit system ddos-protection global] hierarchy level, the global setting overrides the per-packet type setting shown in this step. If you subsequently remove the global configuration, then the per-packet type configuration takes effect.
  For example, to disable the Routing Engine policer for DHCPv4 discover packets:
  [edit system ddos-protection protocols dhcpv4 discover]
  user@host# set disable-routing-engine
- (Optional) Configure packet-level settings for the packet type on a single line card.
  [edit system ddos-protection protocols protocol-group packet-type]
  user@host# edit fpc slot-number
  For example, to access DHCPv4 discover packet settings on the line card in slot 3:
  [edit system ddos-protection protocols dhcpv4 discover]
  user@host# edit fpc 3
- (Optional) Scale the policer bandwidth for the packet type on the line card.
  [edit system ddos-protection protocols protocol-group packet-type fpc slot-number]
  user@host# set bandwidth-scale percentage
  For example, to scale the bandwidth to 80 percent of the all-line-card setting configured for DHCPv4 discover packets on the line card in slot 3:
  [edit system ddos-protection protocols dhcpv4 discover fpc 3]
  user@host# set bandwidth-scale 80
- (Optional) Scale the policer burst size for the packet type on the line card.
  [edit system ddos-protection protocols protocol-group packet-type fpc slot-number]
  user@host# set burst-scale percentage
  For example, to scale the burst size to 75 percent of the all-line-card setting configured for DHCPv4 discover packets on the line card in slot 3:
  [edit system ddos-protection protocols dhcpv4 discover fpc 3]
  user@host# set burst-scale 75
- (Optional) Disable the line card policer for the packet type on a particular line card.
  [edit system ddos-protection protocols protocol-group packet-type fpc slot-number]
  user@host# set disable-fpc
  For example, to disable the line card policer for DHCPv4 discover packets on the line card in slot 3:
  [edit system ddos-protection protocols dhcpv4 discover fpc 3]
  user@host# set disable-fpc
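The steps above applied end to end to the DHCPv4 protocol group, as an added configuration-mode transcript that is not part of the original documentation. It reuses the values from the individual steps (release policed at 600 pps with a 5000-packet burst, medium priority and a 600-second recover time; renew bypassing the aggregate; bootp without line card policers; discover scaled to 80 and 75 percent on the line card in slot 3) and adds an aggregate policer so that bypass-aggregate has something to bypass. The aggregate bandwidth and burst values (1000 and 10000) are placeholders chosen for illustration, not recommended settings; model your own control traffic as the best-practice note advises. Lines beginning with ## are explanatory comments, not commands. The show ddos-protection ... parameters brief command is the one named on this page; the statistics and violations forms are assumed to exist on your Junos release.

```junos
## Added example (not from the original page): per-packet DDoS policers
## for the DHCPv4 protocol group.
[edit]
user@host# edit system ddos-protection protocols dhcpv4

## Aggregate policer for all DHCPv4 control traffic. 1000 pps / 10000
## packets are placeholder values; derive real ones from your traffic model.
[edit system ddos-protection protocols dhcpv4]
user@host# set aggregate bandwidth 1000
user@host# set aggregate burst 10000

## release: individually tuned policer (values from the procedure above)
user@host# set release bandwidth 600
user@host# set release burst 5000
user@host# set release priority medium
user@host# set release recover-time 600

## renew: counted only by its own policer, not against the aggregate
user@host# set renew bypass-aggregate

## bootp: no line card policer on any FPC; the Routing Engine policer
## still applies unless disabled globally or with disable-routing-engine
user@host# set bootp disable-fpc

## discover: tighter thresholds on the line card in slot 3 only.
## The percentages apply to the all-line-card values for discover, which
## are the defaults here because no bandwidth/burst is set for discover.
user@host# set discover fpc 3 bandwidth-scale 80
user@host# set discover fpc 3 burst-scale 75

## Validate and activate the configuration.
user@host# top
user@host# commit check
user@host# commit

## Verify from operational mode: the committed statements, the effective
## per-packet parameters (defaults plus your overrides), and the counters.
user@host> show configuration system ddos-protection protocols dhcpv4
user@host> show ddos-protection protocols dhcpv4 parameters brief
user@host> show ddos-protection protocols dhcpv4 statistics
user@host> show ddos-protection protocols dhcpv4 violations
```

Two points worth checking after the commit: the per-packet disable-fpc, disable-logging and disable-routing-engine statements are overridden by any matching setting under [edit system ddos-protection global], so a line card policer you expect to be gone for bootp only, or present for every other packet type, may not be; and the scaled values for discover on slot 3 follow the all-line-card values, so they change if you later set an explicit bandwidth or burst for discover.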
Published: 2013-07-17