show ddos-protection protocols

Syntax

show ddos-protection protocols <protocol-group (aggregate | packet-type)>

Release Information

Command introduced in Junos OS Release 11.2.

Description

Display DDoS protection configuration and statistics for protocol groups or individual packet types.

Options

none

Display information for all packet types in all protocol groups.

aggregate

(Optional) Display DDoS protection information for the aggregate policer. The aggregate option is available for all protocol groups.

packet-type

(Optional) Display DDoS protection information for the specified packet type in the protocol group. The available packet types vary by protocol group. Only an aggregate policer is available for protocol groups that are not in the following list:

  • dhcpv4—The following packet types are available for DHCPv4 traffic:
    • ack—DHCPACK packets.
    • bad-packets—DHCPv4 packets with bad formats.
    • bootp—DHCPBOOTP packets.
    • decline—DHCPDECLINE packets.
    • discover—DHCPDISCOVER packets.
    • force-renew—DHCPFORCERENEW packets.
    • inform—DHCPINFORM packets.
    • lease-active—DHCPLEASEACTIVE packets.
    • lease-query—DHCPLEASEQUERY packets.
    • lease-unassigned—DHCPLEASEUNASSIGNED packets.
    • lease-unknown—DHCPLEASEUNKNOWN packets.
    • nak—DHCPNAK packets.
    • no-message-type—DHCP packets that are missing the message type.
    • offer—DHCPOFFER packets.
    • release—DHCPRELEASE packets.
    • renew—DHCPRENEW packets.
    • request—DHCPREQUEST packets.
    • unclassified—All unclassified packets in the protocol group.
  • dhcpv6—The following packet types are available for DHCPv6 traffic:
    • advertise—ADVERTISE packets.
    • confirm—CONFIRM packets.
    • decline—DECLINE packets.
    • information-request—INFORMATION-REQUEST packets.
    • leasequery—LEASEQUERY packets.
    • leasequery-data—LEASEQUERY-DATA packets.
    • leasequery-done—LEASEQUERY-DONE packets.
    • leasequery-reply—LEASEQUERY-REPLY packets.
    • rebind—REBIND packets.
    • reconfigure—RECONFIGURE packets.
    • relay-forward—RELAY-FORWARD packets.
    • relay-reply—RELAY-REPLY packets.
    • release—RELEASE packets.
    • renew—RENEW packets.
    • reply—REPLY packets.
    • request—REQUEST packets.
    • solicit—SOLICIT packets.
    • unclassified—All unclassified packets in the protocol group.
  • frame-relay—The following packet types are available for Frame Relay traffic:
    • frf15—Multilink frame relay FRF.15 packets.
    • frf16—Multilink frame relay FRF.16 packets.
  • ip-fragments—The following packet types are available for IP fragments:
    • first-fragment—First IP fragment.
    • trail-fragment—Last IP fragment.
  • ip-options—The following packet types are available for IP option traffic:
    • non-v4v6—Options packets other than IPv4/v6.
    • router-alert—Router alert options packets.
    • unclassified—All unclassified packets in the protocol group.
  • mcast-snoop—Control traffic for multicast snooping.
    • igmp—Snooped IGMP traffic.
    • pim—Snooped PIM control traffic.
  • mlp—The following MLP packet types are available:
    • aging-exception—MLP aging exception packets.
    • packets—MLP packets.
    • unclassified—All unclassified packets in the protocol group.
  • ppp—The following PPP packet types are available:
    • authentication—PPP authentication protocol packets.
    • echo-rep—LCP echo reply packets.
    • echo-req—LCP echo request packets.
    • ipcp—IP Control Protocol packets.
    • ipv6cp—IPv6 Control Protocol packets.
    • isis—IS-IS packets.
    • lcp—Link Control Protocol packets.
    • mlppp-lcp—MLPPP LCP packets.
    • mplscp—MPLS Control Protocol packets.
    • unclassified—All unclassified packets in the protocol group.
  • pppoe—The following PPPoE packet types are available:
    • padi—PADI packets.
    • padm—PADM packets.
    • padn—PADN packets.
    • pado—PADO packets.
    • padr—PADR packets.
    • pads—PADS packets.
    • padt—PADT packets.
  • radius—The following RADIUS packet types are available:
    • accounting—RADIUS accounting packets.
    • authorization—RADIUS authorization packets.
    • server—RADIUS server traffic.
    • unclassified—All unclassified packets in the protocol group.
  • sample—The following sample packet types are available:
    • host—Host packets.
    • pfe—Packet Forwarding Engine packets.
    • syslog—System log message packets.
    • tap—TAP packets.
  • tcp-flags—The following TCP-flagged packet types are available:
    • established—TCP ACK and RST connection packets.
    • initial—TCP SYN and SYN ACK packets.
  • unclassified—The following unclassified packet types are available:
    • control-layer2—Unclassified layer 2 control packets.
    • control-v4—Unclassified IPv4 control packets.
    • control-v6—Unclassified IPv6 control packets.
    • filter-v4—Unclassified IPv4 filter action packets; sent to the host because of reject terms in firewall filters.
    • filter-v6—Unclassified IPv6 filter action packets; sent to the host because of reject terms in firewall filters.
    • host-route-v4—Unclassified IPv4 routing protocol and host packets in traffic sent to the router local interface address for broadcast and multicast.
    • host-route-v6—Unclassified IPv6 routing protocol and host packets in traffic sent to the router local interface address for broadcast and multicast.
    • other—All unclassified packets that do not belong to another type.
    • resolve-v4—Unclassified IPv4 resolve packets sent to the host because of a traffic request resolve action.
    • resolve-v6—Unclassified IPv6 resolve packets sent to the host because of a traffic request resolve action.
  • virtual-chassis—The following packet types are available for virtual chassis packets:
    • control-low—Low-priority control packets.
    • control-high—High-priority control packets.
    • unclassified—All unclassified packets in the protocol group.
    • vc-packets—All exception packets on the virtual chassis link.
    • vc-ttl-errors—Virtual chassis TTL error packets.

protocol-group

(Optional) Display DDoS protection information for one of the following protocol groups:

  • amtv4—IPv4 AMT traffic.
  • amtv6—IPv6 AMT traffic.
  • ancp—ANCP traffic.
  • ancpv6—ANCPv6 traffic.
  • arp—ARP traffic.
  • atm—ATM traffic.
  • bfd—BFD traffic.
  • bfdv6—BFDv6 traffic.
  • bgp—BGP traffic.
  • bgpv6—BGPv6 traffic.
  • control—Control traffic.
  • demux-autosense—Demux autosensing traffic.
  • dhcpv4—DHCPv4 traffic.
  • dhcpv6—DHCPv6 traffic.
  • diameter—Diameter and Gx-Plus traffic.
  • dns—DNS traffic.
  • dtcp—DTCP traffic.
  • dynamic-vlan—Dynamic VLAN exception traffic.
  • egpv6—EGPv6 traffic.
  • eoam—EOAM traffic.
  • esmc—ESMC traffic.
  • fab-probe—Fab out probe packets.
  • firewall-host—Firewall send-to-host traffic.
  • frame-relay—Frame relay traffic.
  • ftp—FTP traffic.
  • ftpv6—FTPv6 traffic.
  • gre—GRE traffic.
  • icmp—ICMP traffic.
  • igmp—IGMP traffic.
  • igmpv4v6—IGMP v4/v6 traffic.
  • igmpv6—IGMPv6 traffic.
  • inline-ka—Inline service interfaces keepalive traffic.
  • inline-svcs—Inline services traffic.
  • ip-fragments—IP fragments traffic.
  • ip-options—IP traffic with IP packet header options.
  • isis—IS-IS traffic.
  • jfm—JFM traffic.
  • keepalive—Keepalive traffic.
  • l2pt—Layer 2 protocol tunneling traffic.
  • l2tp—L2TP traffic.
  • lacp—LACP traffic.
  • ldp—LDP traffic.
  • ldpv6—LDPv6 traffic.
  • lldp—LLDP traffic.
  • lmp—LMP traffic.
  • lmpv6—LMPv6 traffic.
  • mac-host—Layer 2 MAC send-to-host traffic.
  • mcast-snoop—Control traffic for multicast snooping.
  • mlp—MLP traffic.
  • msdp—MSDP traffic.
  • msdpv6—MSDPv6 traffic.
  • multicast-copy—Host copy traffic due to multicast routing.
  • mvrp—MVRP traffic.
  • ndpv6—NDPv6 traffic.
  • ntp—NTP traffic.
  • oam-lfm—OAM-LFM traffic.
  • ospf—OSPF traffic.
  • ospfv3v6—OSPFv3/IPv6 traffic.
  • pfe-alive—Packet Forwarding Engine keepalive traffic.
  • pim—PIM traffic.
  • pimv6—PIMv6 traffic.
  • pmvrp—PMVRP traffic.
  • pos—POS traffic.
  • ppp—PPP traffic.
  • pppoe—PPPoE traffic.
  • ptp—PTP traffic.
  • pvstp—PVSTP traffic.
  • radius—RADIUS traffic.
  • redirect—Traffic that triggers ICMP redirects.
  • reject—Packets rejected by a next-hop forwarding decision.
  • rejectv6—V6 packets rejected by a next-hop forwarding decision.
  • rip—RIP traffic.
  • ripv6—RIPv6 traffic.
  • rsvp—RSVP traffic.
  • rsvpv6—RSVPv6 traffic.
  • services—Service traffic.
  • snmp—SNMP traffic.
  • snmpv6—SNMPv6 traffic.
  • ssh—SSH traffic.
  • sshv6—SSHv6 traffic.
  • stp—STP traffic.
  • tacacs—TACACS traffic.
  • tcp-flags—Traffic with TCP flags.
  • telnet—TELNET traffic.
  • telnetv6—TELNETv6 traffic.
  • ttl—TTL traffic.
  • tunnel-fragment—Tunnel fragments traffic.
  • virtual-chassis—Virtual chassis traffic.
  • vrrp—VRRP traffic.
  • vrrpv6—VRRPv6 traffic.

Required Privilege Level

view

List of Sample Output

show ddos-protection protocols
show ddos-protection protocols (Specific Packet Type with Flow Detection Disabled)
show ddos-protection protocols (Specific Packet Type with Flow Detection Enabled and Automatic)
show ddos-protection protocols (Specific Packet Type with Bandwidth Violation)

Output Fields

Table 1 lists the output fields for the show ddos-protection protocols command. Output fields are listed in the approximate order in which they appear.

Table 1: show ddos-protection protocols Output Fields

Field Name

Field Description

Packet types

Number of packet types.

Modified

Number of packets for which policer values have been modified from the default.

Received traffic

Number of traffic flows received.

Currently violated

Number of flows that are currently violating the flow bandwidth limit.

Currently tracked flows

Number of active flows that are being tracked as culprit flows by flow detection.

Total detected flows

Total number of culprit flows that have been detected, including those that have recovered or timed out.

Protocol Group

Name of protocol group.

Packet type

Name of packet type in protocol group.

Bandwidth

Bandwidth policer value; number of packets per second that is allowed before a violation is declared.

Burst

Burst policer value; the maximum number of packets that is allowed in a burst before a violation is declared.

Priority

Priority of the packet type for individual packet policers that enables more important traffic to pass through in the event of traffic congestion: low, medium, or high. Lower priority packets can be dropped when insufficient bandwidth is available.

Recover time

Time that must pass since the last violation before the traffic flow is considered to have recovered from the attack. A notification is generated when the timer expires.

Enabled

State of the policer, enabled (Yes), disabled (No), or partially disabled (Partial); Partial indicates that only some of the policer instances are disabled for the policer.

Bypass aggregate

State of the bypass aggregate configuration:

  • Yes—The aggregate policer is bypassed.
  • No—The aggregate policer is enforced.

This field appears only for individual policers.

Flow detection configuration

State of flow detection configured on the router:

  • Detection mode—Mode of operation for suspicious flow detection: automatic, off, or on.
  • Log flows—State of automatic logging of suspicious traffic flows: on (Yes) or off (No).
  • Timeout flows—State of culprit flow timeout behavior: flow is suppressed for a configured timeout period (Yes) or flow is suppressed until it is no longer in violation (No).
  • Detect time—Time in seconds that must pass before a suspicious flow that has exceeded the bandwidth allowed for the packet type is considered to be a culprit flow.
  • Recover time—Time in seconds that must pass before a culprit flow is considered to have returned to normal. The period starts when the flow drops below the threshold that triggered the last violation.
  • Timeout time—Time in seconds that a culprit flow is suppressed, if timeouts have been enabled.
  • Flow aggregation level configuration—Flow detection mode, flow control mode, and flow bandwidth for traffic at each of the traffic flow aggregation levels: subscriber, logical interface, and physical interface.
    • Detection mode—State of flow detection: automatic, off, or on.
    • Control mode—Mode of controlling culprit traffic: dropped, kept, or policed back to within the allowed bandwidth.
    • Flow rate—Bandwidth allowed for the control traffic in packets per second.

System-wide information

The following information is collected for the router:

  • A message indicates whether the policer has been violated.
  • No. of FPCs currently receiving excess traffic—Number of cards that are currently in violation of a policer.
  • No. of FPCs that have received excess traffic—Number of cards that have at some point been in violation of a policer.
  • Violation first detected at—Timestamp of the first violation.
  • Violation last seen at—Timestamp of the last observed violation.
  • Duration of violation—Length of the violation.
  • Number of violations—Number of times the violation has occurred.
  • Received—Number of packets received at all card slots and the Routing Engine.
  • Dropped—Number of packets dropped regardless of where they were dropped.
  • Arrival rate—Current traffic rate for packets arriving from all cards and at the Routing Engine.
  • Max arrival rate—Highest traffic rate for packets arriving from all cards and at the Routing Engine.

Routing Engine information

The following information is collected for the Routing Engine:

  • Bandwidth—Maximum number of packets per second that is allowed.
  • Burst—Maximum number of packets that is allowed in a burst.
  • A message indicates the state of the policer, enabled (Yes) or disabled (No).
  • A message indicates whether the policer has been violated; the policer might be passed at the individual cards, but the combined rate of packets arriving at the Routing Engine can exceed the configured policer value.
  • Violation first detected at—Timestamp of the first violation.
  • Violation last seen at—Timestamp of the last observed violation.
  • Duration of violation—Length of the violation.
  • Number of violations—Number of times the violation has occurred.
  • Received—Number of packets received at the Routing Engine from all cards.
  • Dropped—Number of packets dropped at the Routing Engine; includes packets dropped by the aggregate policer and by individual protocol policers.
  • Arrival rate—Current traffic rate for packets arriving at the Routing Engine from all cards.
  • Max arrival rate—Highest traffic rate for packets arriving at the Routing Engine from all cards.
  • Dropped by aggregate policer—Number of packets dropped by the aggregate policer.
  • Dropped by individual policers—Number of packets dropped by individual policers.

FPC slot information

The following information is collected for the card in the indicated slot:

  • Bandwidth—Bandwidth scaling percentage and the number of packets per second that is allowed before a violation is declared.
  • Burst—Burst scaling percentage and the maximum number of packets that is allowed in a burst before a violation is declared.
  • A message indicates whether the policer has been violated.
  • Violation first detected at—Timestamp of the first violation.
  • Violation last seen at—Timestamp of the last observed violation.
  • Duration of violation—Length of the violation.
  • Number of violations—Number of times the violation has occurred.
  • Received—Number of packets received on the line card.
  • Dropped—Number of packets dropped at the line card; includes packets dropped by the aggregate policer and by individual protocol policers.
  • Arrival rate—Current traffic rate for packets arriving at the line card.
  • Max arrival rate—Highest traffic rate for packets arriving at the line card.
  • Dropped by this policer—Number of packets dropped by the individual policer.
  • Dropped by aggregate policer—Number of packets dropped by the aggregate policer.

Bypass aggr.

State of the bypass aggregate configuration:

  • Yes—The aggregate policer configuration is bypassed.
  • No—The aggregate policer configuration is enforced.

Dashes indicate that the bypass aggregate configuration is not available; this is possible only for aggregate policers.

FPC Mod

Indicates whether configuration has changed from the default for any line cards.

  • No—The configuration has not changed from the default for the packet type.
  • Yes—The configuration has changed from the default for the packet type.

Op mode

Mode of operation for suspicious flow detection for the packet type: always-on (on), automatic (auto), or disabled (off).

Policer BW (pps)

Bandwidth policer value; number of packets per second that is allowed before a violation is declared.

Aggr level Op:Fc:Bwidth (pps)

Flow operation mode, flow control mode, and flow bandwidth for traffic of the packet type at each traffic flow aggregation level: subscriber (sub), logical interface (ifl), and physical interface (ifd).

Log flow

State of automatic logging of suspicious traffic flows for the packet type: on (Yes) or off (No).

Time out

State of culprit flow timeout behavior for the packet type: flow is suppressed or monitored for a configured timeout period (Yes) or flow is suppressed or monitored until it is no longer in violation (No).

Sample Output

show ddos-protection protocols

user@host> show ddos-protection protocols
Packet types: 190, Modified: 0, Received traffic: 12, Currently violated: 3
Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: IPv4-Unclassified

  Packet type: aggregate (Aggregate for unclassified host-bound IPv4 traff)
    Aggregate policer configuration:
      Bandwidth:        2000 pps
      Burst:            10000 packets
      Recover time:     300 seconds
      Enabled:          Yes
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      No         Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          2000 pps
    System-wide information:
      Aggregate bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 2000 pps, Burst: 10000 packets, enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
    FPC slot 1 information:
      Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
        Dropped by flow suppression:    0

…

Protocol Group: PPPoE

  Packet type: aggregate (Aggregate for all PPPoE control traffic)
    Aggregate policer configuration:
      Bandwidth:        2000 pps
      Burst:            2000 packets
      Recover time:     300 seconds
      Enabled:          Yes
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      No         Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          2000 pps
    System-wide information:
      Aggregate bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 2000 pps, Burst: 2000 packets, enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
    FPC slot 1 information:
      Bandwidth: 100% (2000 pps), Burst: 100% (2000 packets), enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
        Dropped by flow suppression:    0

  Packet type: padi (PPPoE PADI)
    Individual policer configuration:
      Bandwidth:        500 pps
      Burst:            500 packets
      Priority:         Low
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      No         Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          500 pps
    System-wide information:
      Bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 500 pps, Burst: 500 packets, enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
    FPC slot 1 information:
      Bandwidth: 100% (500 pps), Burst: 100% (500 packets), enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
        Dropped by flow suppression:  0
...

show ddos-protection protocols (Specific Packet Type with Flow Detection Disabled)

user@host> show ddos-protection protocols pppoe padi
Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: PPPoE

  Packet type: padi (PPPoE PADI)
    Individual policer configuration:
      Bandwidth:        500 pps
      Burst:            500 packets
      Priority:         Low
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Flow detection configuration:
      Detection mode: Off*       Detect time:  3 seconds
      Log flows:      No         Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          500 pps
    System-wide information:
      Bandwidth is never violated       
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 500 pps, Burst: 500 packets, enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
    FPC slot 1 information:
      Bandwidth: 100% (500 pps), Burst: 100% (500 packets), enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
        Dropped by flow suppression:  0

show ddos-protection protocols (Specific Packet Type with Flow Detection Enabled and Automatic)

user@host> show ddos-protection protocols pppoe padi
Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: PPPoE

  Packet type: padi (PPPoE PADI)
    Individual policer configuration:
      Bandwidth:        500 pps
      Burst:            500 packets
      Priority:         Low
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      No         Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          500 pps
    System-wide information:
      Bandwidth is never violated       
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 500 pps, Burst: 500 packets, enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
    FPC slot 1 information:
      Bandwidth: 100% (500 pps), Burst: 100% (500 packets), enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
        Dropped by flow suppression:  0

show ddos-protection protocols (Specific Packet Type with Bandwidth Violation)

user@host> show ddos-protection protocols bfd
Packet types: 1, Modified: 0, Received traffic: 1, Currently violated: 1
Currently tracked flows: 1, Total detected flows: 1
* = User configured value

Protocol Group: BFD

  Packet type: aggregate (Aggregate for all bfd traffic)
    Aggregate policer configuration:
      Bandwidth:        20000 pps
      Burst:            20000 packets
      Recover time:     300 seconds
      Enabled:          Yes
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      No         Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          20000 pps
    System-wide information:
      Aggregate bandwidth is being violated!
        No. of FPCs currently receiving excess traffic: 1
        No. of FPCs that have received excess traffic:  1
        Violation first detected at: 2012-10-24 23:40:20 EDT
        Violation last seen at:      2012-10-25 10:25:48 EDT
        Duration of violation: 10:45:28 Number of violations: 1
      Received:  1173471731          Arrival rate:     30304 pps
      Dropped:   399135607           Max arrival rate: 30331 pps
      Flow counts:
        Aggregation level     Current       Total detected
        Subscriber            1             1             
        Total                 1             1             
    Routing Engine information:
      Bandwidth: 20000 pps, Burst: 20000 packets, enabled
      Aggregate policer is never violated
      Received:  366831604           Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 9522 pps
        Dropped by individual policers: 0
    FPC slot 1 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
      Aggregate policer is currently being violated!
        Violation first detected at: 2012-10-24 23:40:21 EDT
        Violation last seen at:      2012-10-25 10:25:48 EDT
        Duration of violation: 10:45:27 Number of violations: 1
      Received:  1173471731          Arrival rate:     30304 pps
      Dropped:   399135607           Max arrival rate: 30331 pps
        Dropped by individual policers: 0
        Dropped by aggregate policer:   398854530
        Dropped by flow suppression:    281077
      Flow counts:
        Aggregation level     Current       Total detected   State
        Subscriber            1             1                Active
        Logical-interface     0             0                Active
        Physical-interface    0             0                Active
        Total                 1             1             
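
One way to turn this output into a monitoring signal, as an added example that is not Juniper's code: a Python parser that walks the Protocol Group, Packet type, and System-wide / Routing Engine / FPC slot sections and reports policers whose violation message says the violation is in progress. The input is abbreviated from the sample output above; the function names and dictionary keys are assumptions made for this example.

```python
import re

# Abbreviated from the sample output on this page (BFD violation, PPPoE padi).
SAMPLE = """\
Protocol Group: BFD

  Packet type: aggregate (Aggregate for all bfd traffic)
    Aggregate policer configuration:
      Bandwidth:        20000 pps
    System-wide information:
      Aggregate bandwidth is being violated!
        Violation first detected at: 2012-10-24 23:40:20 EDT
      Received:  1173471731          Arrival rate:     30304 pps
      Dropped:   399135607           Max arrival rate: 30331 pps
    Routing Engine information:
      Bandwidth: 20000 pps, Burst: 20000 packets, enabled
      Aggregate policer is never violated
      Received:  366831604           Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 9522 pps
    FPC slot 1 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
      Aggregate policer is currently being violated!
      Received:  1173471731          Arrival rate:     30304 pps
      Dropped:   399135607           Max arrival rate: 30331 pps
        Dropped by aggregate policer:   398854530
        Dropped by flow suppression:    281077

Protocol Group: PPPoE

  Packet type: padi (PPPoE PADI)
    System-wide information:
      Bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
"""

SCOPE_RE = re.compile(r"(System-wide|Routing Engine|FPC slot \d+) information:$")
RECV_RE = re.compile(r"Received:\s+(\d+)\s+Arrival rate:\s+(\d+) pps")
DROP_RE = re.compile(r"Dropped:\s+(\d+)\s+Max arrival rate:\s+(\d+) pps")
BW_RE = re.compile(r"Bandwidth:\s+(?:\d+% \()?(\d+) pps")


def parse_ddos_output(text):
    """Return one record per (protocol group, packet type, scope) section."""
    records, group, ptype, rec = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Protocol Group:"):
            group, rec = line.split(":", 1)[1].strip(), None
        elif line.startswith("Packet type:"):
            ptype, rec = line.split(":", 1)[1].split()[0], None
        elif line.endswith("configuration:"):
            rec = None  # policer/flow settings, not per-location counters
        elif (m := SCOPE_RE.match(line)):
            rec = {"group": group, "packet_type": ptype, "scope": m.group(1),
                   "state": "unknown", "bandwidth_pps": None, "received": 0,
                   "dropped": 0, "arrival_pps": 0, "max_arrival_pps": 0}
            records.append(rec)
        elif rec is None:
            continue
        elif "violated" in line:
            # Only the message wordings shown on this page are classified;
            # any other wording is kept as "other" instead of being guessed.
            if "never violated" in line:
                rec["state"] = "never"
            elif "being violated" in line:
                rec["state"] = "current"
            else:
                rec["state"] = "other"
        elif (m := BW_RE.match(line)):
            rec["bandwidth_pps"] = int(m.group(1))
        elif (m := RECV_RE.match(line)):
            rec["received"], rec["arrival_pps"] = int(m.group(1)), int(m.group(2))
        elif (m := DROP_RE.match(line)):
            rec["dropped"], rec["max_arrival_pps"] = int(m.group(1)), int(m.group(2))
    return records


def active_violations(records):
    """Records in violation right now, with the share of packets dropped."""
    out = []
    for r in records:
        if r["state"] == "current":
            pct = round(100.0 * r["dropped"] / r["received"], 1) if r["received"] else 0.0
            out.append({**r, "drop_pct": pct})
    return out


if __name__ == "__main__":
    for v in active_violations(parse_ddos_output(SAMPLE)):
        print(v["group"], v["packet_type"], v["scope"],
              f'{v["arrival_pps"]} pps arriving, {v["drop_pct"]}% dropped')
```

On the BFD sample, the violation is reported system-wide and at FPC slot 1 but not at the Routing Engine, which matches the field description: the line card policer is absorbing the excess before it reaches the Routing Engine.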

Published: 2013-07-24