
Configuring How Flow Detection Operates at Each Flow Aggregation Level

When flow detection is turned on, traffic flows are monitored by default for all protocol groups and packet types. When a policer violation occurs, each suspicious flow is examined to determine whether it is the culprit flow that caused the violation. You can include the flow-level-detection statement to configure how flow detection works at each flow aggregation level for a packet type: subscriber, logical interface, or physical interface.

Note: The flow detection mode at the packet level must be either automatic or on for flow detection to operate at individual flow aggregation levels.

Flow detection supports three operation modes:

  • automatic—When a DDoS protection policer is violated, traffic flows at this flow aggregation level are monitored for suspicious behavior only until flow detection determines that the suspect flow is not at this aggregation level and instead must be at a coarser level of aggregation. Flows at this level are subsequently not searched again until the policer is no longer violated at the coarser level.
  • off—Traffic flows are never monitored at this flow aggregation level.
  • on—Traffic flows at this flow aggregation level are monitored for suspicious flows even when no DDoS protection policer is currently being violated, provided flow detection at the packet level is configured to on. Monitoring continues at this level regardless of whether a suspect flow is identified at this level. However, if the packet-level mode is automatic, then the policer must be in violation for traffic flows to be checked at this level.

Flows are examined first at the finest-grained (lowest bandwidth) flow aggregation level, subscriber. If the suspect flow is not found at the subscriber level, then flows are checked at the logical interface level. Finally, if the suspect is not found there, then flows are checked at the physical interface level; barring some misconfiguration, the culprit flow must be found at this level.

To configure how flow detection operates at each flow aggregation level:

  1. (Optional) Specify the detection mode at the subscriber level.
    [edit system ddos-protection protocols protocol-group packet-type flow-level-detection]
    user@host# set subscriber flow-operation-mode
  2. (Optional) Specify the detection mode at the logical interface level.
    [edit system ddos-protection protocols protocol-group packet-type flow-level-detection]
    user@host# set logical-interface flow-operation-mode
  3. (Optional) Specify the detection mode at the physical interface level.
    [edit system ddos-protection protocols protocol-group packet-type flow-level-detection]
    user@host# set physical-interface flow-operation-mode

For example, include the following statements to configure flow detection to check for suspicious flows at the subscriber level only when the policer is being violated, to never check at the logical interface level, and to always check at the physical interface level:

[edit system ddos-protection protocols dhcpv4 discover]
user@host# edit flow-level-detection
user@host# set subscriber automatic
user@host# set logical-interface off
user@host# set physical-interface on
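As an added example (not part of the Junos documentation), the following Python script parses set-format statements for this hierarchy, reports which aggregation levels are actually eligible to be examined under the mode rules above, and flags two configuration problems: per-level settings that do nothing because the packet-level mode is off, and a physical-interface level that is switched off. The packet-level statement name flow-detection-mode and the treatment of an unset level as automatic are assumptions, not taken from this page.

```python
import re
LEVELS = ("subscriber", "logical-interface", "physical-interface")

# Packet-level statement (assumed name: flow-detection-mode) and the per-level statements.
SET_RE = re.compile(r"^set system ddos-protection protocols (\S+) (\S+) "
                    r"(?:flow-detection-mode (\S+)|flow-level-detection (\S+) (\S+))$")

def parse(config_lines):
    """Return {(protocol_group, packet_type): {'packet': mode, <level>: mode}}."""
    cfg = {}
    for line in config_lines:
        m = SET_RE.match(line.strip())
        if not m:
            continue  # unrelated statement
        group, ptype, pkt_mode, level, level_mode = m.groups()
        entry = cfg.setdefault((group, ptype), {})
        if pkt_mode:
            entry["packet"] = pkt_mode
        elif level in LEVELS:
            entry[level] = level_mode
    return cfg

def monitored_levels(entry, policer_violated):
    """Levels eligible for examination (finest first) under the mode rules; an unset
    mode is treated as 'automatic', which is an assumption, not a documented default."""
    pkt = entry.get("packet", "automatic")
    if pkt == "off":
        return []  # per-level settings are ignored (see the Note)
    result = []
    for level in LEVELS:
        mode = entry.get(level, "automatic")
        if mode == "off":
            continue
        if mode == "on" and pkt == "on":
            result.append(level)  # checked even with no policer violation
        elif policer_violated:
            result.append(level)  # automatic, or 'on' under packet-level automatic
    return result

def lint(entry):
    """Flag settings that do nothing or that leave no level to locate the culprit."""
    warnings = []
    if entry.get("packet") == "off" and any(l in entry for l in LEVELS):
        warnings.append("packet-level mode off: flow-level-detection has no effect")
    if entry.get("physical-interface") == "off":
        warnings.append("physical-interface off: coarsest level is never searched")
    return warnings

P = "set system ddos-protection protocols dhcpv4 discover "  # constructed sample (page's example)
SAMPLE = [P + "flow-detection-mode automatic", P + "flow-level-detection subscriber automatic",
          P + "flow-level-detection logical-interface off", P + "flow-level-detection physical-interface on"]
```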

Published: 2012-12-11