Configuring Rate Limiting of Ethernet OAM Messages

M Series, M320 with Enhanced III FPC, M120, M7i and M10 with CFEB, and MX Series routers support rate limiting of Ethernet OAM messages. Depending on the connectivity fault management (CFM) configuration, CFM packets are discarded, sent to the CPU for processing, or flooded to other bridge interfaces. This feature allows the router to intercept incoming CFM packets to prevent DoS attacks.

You can apply rate limiting of Ethernet OAM messages at either of two CFM policing levels, as follows:

  • Global-level CFM policing—uses a policer at the global level to police the CFM traffic belonging to all the sessions.
  • Session-level CFM policing—uses a policer created to police the CFM traffic belonging to one session.

To configure global-level CFM policing, include the policer statement and its options at the [edit protocols oam ethernet connectivity-fault-management] hierarchy level.

To configure session-level CFM policing, include the policer statement at the [edit protocols oam ethernet connectivity-fault-management maintenance-domain name level number maintenance-association name] hierarchy level.

The following example shows a CFM policer used for rate-limiting CFM:

[edit]
firewall {
    policer cfm-policer {
        if-exceeding {
            bandwidth-limit 8k;
            burst-size-limit 2k;
        }
        then discard;
    }
}

Case 1: Global-Level CFM Policing

This example shows a global-level policer, at the CFM level, for rate-limiting CFM. The continuity-check cfm-policer statement at the global connectivity-fault-management policer hierarchy level specifies the policer used for all continuity check packets of the CFM traffic belonging to all sessions. The other cfm-policer1 statement at the same hierarchy level specifies the policer used for all non-continuity-check packets of the CFM traffic belonging to all sessions. The all cfm-policer2 statement (commented out in the example) polices all CFM packets with the policer cfm-policer2. If the all policer-name option is used, the continuity-check and other options cannot also be specified.

[edit protocols oam ethernet]
connectivity-fault-management {
    policer {
        continuity-check cfm-policer;
        other cfm-policer1;
        # all cfm-policer2;
    }
}

Case 2: Session-Level CFM Policing

This example shows a session-level CFM policer used for rate-limiting CFM. The policer statement at the session connectivity-fault-management maintenance-domain md maintenance-association ma hierarchy level specifies the policer used for only the continuity check packets of the CFM traffic belonging to the specified session. The other cfm-policer1 statement at the same hierarchy level specifies the policer used for all non-continuity-check packets of the CFM traffic belonging to this session only. The all cfm-policer2 statement (commented out in the example) polices all CFM packets with the policer cfm-policer2. If the all policer-name option is used, the continuity-check and other options cannot also be specified.

[edit protocols oam ethernet]
connectivity-fault-management {
    maintenance-domain md {
        level number;
        maintenance-association ma {
            continuity-check {
                interval 1s;
            }
            policer {
                continuity-check cfm-policer;
                other cfm-policer1;
                # all cfm-policer2;
            }
            mep 1 {
                interface ge-3/3/0.0;
                direction up;
                auto-discovery;
            }
        }
    }
}

In the case of global CFM policing, the same policer is shared across multiple CFM sessions. In per-session CFM policing, a separate policer must be created to rate-limit packets specific to that session.

Service-level policer configuration for any two CFM sessions on the same interface at different levels must satisfy the following constraints if the direction of the sessions is the same:

  • If one session is configured with policer all, then the other session cannot have a policer all or policer other configuration.
  • If one session is configured with policer other, then the other session cannot have a policer all or policer other configuration.

Note: A commit error will occur if such a configuration is committed.

Note: Policers with PBB and MIPs are not supported.
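
The option rules above (all excludes continuity-check and other; two same-direction sessions on one interface at different levels cannot both use all or other) can be checked offline before a commit is attempted. The following Python check is an added example, not Juniper code; the CfmSession structure, the session names, and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import combinations

VALID_OPTIONS = {"continuity-check", "other", "all"}

@dataclass
class CfmSession:
    """One CFM session (hypothetical structure, not a Junos data model)."""
    name: str        # label such as "md/ma"
    interface: str   # MEP interface, e.g. "ge-3/3/0.0"
    level: int       # maintenance-domain level
    direction: str   # "up" or "down"
    policer: dict = field(default_factory=dict)  # option -> policer name

def check_policers(sessions):
    """Return violations of the policer rules described on this page."""
    errors = []
    for s in sessions:
        for opt in sorted(set(s.policer) - VALID_OPTIONS):
            errors.append(f"{s.name}: unknown policer option '{opt}'")
        # 'all' cannot be combined with 'continuity-check' or 'other'.
        if "all" in s.policer and len(set(s.policer) & VALID_OPTIONS) > 1:
            errors.append(f"{s.name}: 'all' excludes 'continuity-check' and 'other'")
    for a, b in combinations(sessions, 2):
        same_port = (a.interface, a.direction) == (b.interface, b.direction)
        if not same_port or a.level == b.level:
            continue
        # Only one of the two sessions may carry 'all' or 'other'.
        a_wide = sorted({"all", "other"} & set(a.policer))
        b_wide = sorted({"all", "other"} & set(b.policer))
        if a_wide and b_wide:
            errors.append(
                f"{a.name} ({a_wide[0]}) conflicts with {b.name} ({b_wide[0]}) "
                f"on {a.interface} direction {a.direction}")
    return errors

# Constructed sample sessions, not taken from a real device.
SAMPLE = [
    CfmSession("md5/ma1", "ge-3/3/0.0", 5, "up",
               {"continuity-check": "cfm-policer", "other": "cfm-policer1"}),
    CfmSession("md3/ma2", "ge-3/3/0.0", 3, "up", {"all": "cfm-policer2"}),
    CfmSession("md3/ma3", "ge-3/3/0.0", 3, "down", {"other": "cfm-policer1"}),
    CfmSession("md4/ma4", "ge-3/3/1.0", 4, "up",
               {"all": "cfm-policer2", "other": "cfm-policer1"}),
]

if __name__ == "__main__":
    for line in check_policers(SAMPLE):
        print(line)
```

A session that polices only continuity-check packets never conflicts with its neighbours, so moving one of two clashing sessions to continuity-check only clears the pairwise violation.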

 

Published: 2013-02-13

 
