
show ddos-protection protocols flow-detection


Syntax

show ddos-protection protocols <protocol-group> flow-detection <brief | detail | terse>

Release Information

Command introduced in Junos OS Release 12.3.


Description

Display flow detection information for all protocol groups or for a particular protocol group.



Options

none

Display information for all protocol groups.

brief | detail | terse

(Optional) Display the specified level of output.

  • brief—Display basic function information.
  • detail—Add information to the brief output; it is identical to the output displayed when you choose no option. The brief and detail options display information for all protocol groups, which can be a long list.
  • terse—Display the same level of information as the brief option but only for active protocol groups.

protocol-group

(Optional) Display information for a particular protocol group. See show ddos-protection protocols for a list of available groups.

Required Privilege Level


List of Sample Output

show ddos-protection protocols flow-detection
show ddos-protection protocols flow-detection brief (Parameters for a Specific Protocol)

Output Fields

Table 1 lists the output fields for the show ddos-protection protocols flow-detection command. Output fields are listed in the approximate order in which they appear.

Table 1: show ddos-protection protocols flow-detection Output Fields

| Field Name | Field Description | Level of Output |
|---|---|---|
| Packet types | Number of packet types. | All levels |
| Modified | Number of packets for which policer values have been modified from the default. | All levels |
| Protocol Group | Name of protocol group. | All levels |
| Packet type | Name of packet type in protocol group. | All levels |
| Flow detection configuration | Configuration of flow detection at the packet level. | detail, none |
| Detection mode or Op mode | Mode of operation for flow detection at the packet level: Automatic or a (search flows only when a policer is being violated); Off or x (never search flows even when a policer is being violated); On or o (search flows even when no policer is being violated). | All levels |
| Policer BW (pps) | Bandwidth allowed at the packet level. | brief, terse |
| Detect time | Time in seconds that a suspicious flow that has exceeded the bandwidth allowed for the packet type must remain in violation to be confirmed as a culprit flow. | detail, none |
| Log flows or Log flow | State of automatic logging of suspicious traffic flows for the packet type: on (Yes) or off (No). | All levels |
| Recover time | Time in seconds that must pass before a culprit flow for the packet type is considered to have returned to normal. The period starts when the flow drops below the threshold that triggered the last violation. | detail, none |
| Timeout flows or Time out | State of timeout enabling for culprit flows: Yes (enabled; flows can time out, that is, be released from suppression, when a timeout period expires, regardless of whether the flow is still in violation); No (disabled; flows are not allowed to time out). | All levels |
| Timeout time | Time in seconds that a culprit flow is suppressed. On expiration, the flow times out even if it is still violating the bandwidth limit. | detail, none |
| Flow aggregation level configuration | Configuration of flow detection for each flow aggregation level. | detail, none |
| Aggregation level or Agg level | One of three levels of flow aggregation: Subscriber or sub; Logical interface or ifl; Physical interface or ifd. | All levels |
| Detection mode or Op | Mode of operation for flow detection at the flow aggregation level: Automatic (search flows only when a policer is being violated); Off (never search flows even when a policer is being violated); On (search flows even when no policer is being violated). | All levels |
| Control mode or Fc | Mode by which traffic in a culprit flow is handled: drop (drop all traffic in flow); keep (keep all traffic in flow); police (police the traffic to within its allowed bandwidth). | All levels |
| Flow rate or BWidth (pps) | Bandwidth allowed at the flow aggregation level. | brief, terse |

Sample Output

show ddos-protection protocols flow-detection

user@host> show ddos-protection protocols flow-detection
Packet types: 190, Modified: 2
* = User configured value

Protocol Group: IPv4-Unclassified

  Packet type: aggregate
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      No         Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          2000 pps

Protocol Group: IPv6-Unclassified

  Packet type: aggregate
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      No         Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          2000 pps


show ddos-protection protocols flow-detection brief (Parameters for a Specific Protocol)

user@host> show ddos-protection protocols dhcpv4 flow-detection brief
Packet types: 19, Modified: 1
* = User configured value

Detection mode(Op): a = automatic    Flow control mode(Fc): d = drop
                    o = on                                  k = keep
                    x = off                                 p = police

Protocol    Packet      Op   Policer  Aggr level Op:Fc:BWidth(pps)   Log  Time
group       type        mode BW(pps)  sub       ifl       ifd        flow out
dhcpv4      aggregate   auto 5000     a:d:10    a:d:10    a:d:5000   No   No
dhcpv4      unclass..   auto 300      a:d:10    a:d:10    a:d:300    No   No
dhcpv4      discover    auto 777*     a:d:10    a:d:10    a:d:500    No   No
dhcpv4      offer       auto 1000     a:d:10    a:d:10    a:d:1000   No   No
dhcpv4      request     auto 1000     a:d:10    a:d:10    a:d:1000   No   No
dhcpv4      decline     auto 500      a:d:10    a:d:10    a:d:500    No   No
dhcpv4      ack         auto 500      a:d:10    a:d:10    a:d:500    No   No
dhcpv4      nak         auto 500      a:d:10    a:d:10    a:d:500    No   No
dhcpv4      release     auto 2000     a:d:10    a:d:10    a:d:2000   No   No
dhcpv4      inform      auto 500      a:d:10    a:d:10    a:d:500    No   No
dhcpv4      renew       auto 2000     a:d:10    a:d:10    a:d:2000   No   No
dhcpv4      forcerenew  auto 2000     a:d:10    a:d:10    a:d:2000   No   No
dhcpv4      leasequery  auto 2000     a:d:10    a:d:10    a:d:2000   No   No
dhcpv4      leaseuna..  auto 2000     a:d:10    a:d:10    a:d:2000   No   No
dhcpv4      leaseunk..  auto 2000     a:d:10    a:d:10    a:d:2000   No   No
dhcpv4      leaseact..  auto 2000     a:d:10    a:d:10    a:d:2000   No   No
dhcpv4      bootp       auto 300      a:d:10    a:d:10    a:d:300    No   No
dhcpv4      no-msgtype  auto 0        a:d:10    a:d:10    a:d:0      No   No
dhcpv4      bad-pack..  auto 0        a:d:10    a:d:10    a:d:0      No   No
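
The brief output above is compact enough to audit by script. The following is an added example, not part of the Junos documentation: it parses the brief rows, decodes each Op:Fc:BWidth triple using the legend, and reports packet types whose policer was changed from the default (`*`), or whose aggregation levels have detection off or control mode keep. The function names and the last sample row are constructed for illustration.

```python
import re

OP = {"a": "automatic", "o": "on", "x": "off"}   # Detection mode (Op) legend
FC = {"d": "drop", "k": "keep", "p": "police"}   # Flow control mode (Fc) legend
# Constructed sample: three rows from the brief output above plus one
# hypothetical "request" row with detection off (x) and control mode keep (k).
SAMPLE = """\
Protocol    Packet      Op   Policer  Aggr level Op:Fc:BWidth(pps)   Log  Time
group       type        mode BW(pps)  sub       ifl       ifd        flow out
dhcpv4      aggregate   auto 5000     a:d:10    a:d:10    a:d:5000   No   No
dhcpv4      discover    auto 777*     a:d:10    a:d:10    a:d:500    No   No
dhcpv4      no-msgtype  auto 0        a:d:10    a:d:10    a:d:0      No   No
dhcpv4      request     auto 1000     x:d:10    a:d:10    a:k:1000   No   No
"""

TRIPLE = r"[aox]:[dkp]:\d+\*?"  # assumption: '*' may also follow a flow rate
ROW = re.compile(
    r"^(?P<group>\S+)\s+(?P<ptype>\S+)\s+(?P<mode>\S+)\s+(?P<bw>\d+)(?P<mod>\*?)\s+"
    rf"(?P<sub>{TRIPLE})\s+(?P<ifl>{TRIPLE})\s+(?P<ifd>{TRIPLE})\s+"
    r"(?P<log>Yes|No)\s+(?P<timeout>Yes|No)\s*$")

def parse_brief(text):
    """Return one dict per packet-type row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        levels = {}
        for name in ("sub", "ifl", "ifd"):
            op, fc, bw = m[name].rstrip("*").split(":")
            levels[name] = {"op": OP[op], "fc": FC[fc], "pps": int(bw)}
        rows.append({"group": m["group"], "ptype": m["ptype"],
                     "policer_pps": int(m["bw"]), "modified": m["mod"] == "*",
                     "levels": levels, "log": m["log"] == "Yes"})
    return rows

def audit(rows):
    """Return (group/ptype, finding) pairs worth a second look."""
    findings = []
    for r in rows:
        key = f'{r["group"]}/{r["ptype"]}'
        if r["modified"]:
            findings.append((key, f'policer changed from default: {r["policer_pps"]} pps'))
        for name, lv in r["levels"].items():
            if lv["op"] == "off":
                findings.append((key, f"{name}: flow detection off"))
            if lv["fc"] == "keep":
                findings.append((key, f"{name}: culprit flows kept"))
    return findings
```

Calling `audit(parse_brief(output))` on saved command output gives a short list to compare against the intended configuration.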

Published: 2013-07-24