protocols (DDoS)

Syntax

protocols protocol-group (aggregate | packet-type) {
    bandwidth packets-per-second;
    burst size;
    bypass-aggregate;
    disable-fpc;
    disable-logging;
    disable-routing-engine;
    flow-detection-mode (automatic | off | on);
    flow-detect-time seconds;
    flow-level-bandwidth {
        logical-interface flow-bandwidth;
        physical-interface flow-bandwidth;
        subscriber flow-bandwidth;
    }
    flow-level-control {
        logical-interface flow-control-mode;
        physical-interface flow-control-mode;
        subscriber flow-control-mode;
    }
    flow-level-detection {
        logical-interface flow-operation-mode;
        physical-interface flow-operation-mode;
        subscriber flow-operation-mode;
    }
    flow-recover-time seconds;
    flow-timeout-time seconds;
    fpc slot-number {
        bandwidth-scale percentage;
        burst-scale percentage;
        disable-fpc;
    }
    no-flow-logging;
    priority level;
    recover-time seconds;
    timeout-active-flows;
}

Hierarchy Level

[edit system ddos-protection]

Release Information

Statement introduced in Junos OS Release 11.2.

Description

Configure DDoS policers for all packet types within a protocol group or for a particular packet type within a protocol group.

Options

aggregate

Configure the policer to monitor all control packets within the protocol group. You can configure an aggregate policer for any protocol group.

packet-type

(Optional) Name of the control packet type to be policed. You can configure a specific policer for only the following packet types and protocol groups:

  • dhcpv4—The following packet types are available for DHCPv4 traffic:
    • ack—DHCPACK packets.
    • bad-packets—DHCPv4 packets with bad formats.
    • bootp—DHCPBOOTP packets.
    • decline—DHCPDECLINE packets.
    • discover—DHCPDISCOVER packets.
    • force-renew—DHCPFORCERENEW packets.
    • inform—DHCPINFORM packets.
    • lease-active—DHCPLEASEACTIVE packets.
    • lease-query—DHCPLEASEQUERY packets.
    • lease-unassigned—DHCPLEASEUNASSIGNED packets.
    • lease-unknown—DHCPLEASEUNKNOWN packets.
    • nak—DHCPNAK packets.
    • no-message-type—DHCP packets that are missing the message type.
    • offer—DHCPOFFER packets.
    • release—DHCPRELEASE packets.
    • renew—DHCPRENEW packets.
    • request—DHCPREQUEST packets.
    • unclassified—All unclassified packets in the protocol group.
  • dhcpv6—The following packet types are available for DHCPv6 traffic:
    • advertise—ADVERTISE packets.
    • confirm—CONFIRM packets.
    • decline—DECLINE packets.
    • information-request—INFORMATION-REQUEST packets.
    • leasequery—LEASEQUERY packets.
    • leasequery-data—LEASEQUERY-DATA packets.
    • leasequery-done—LEASEQUERY-DONE packets.
    • leasequery-reply—LEASEQUERY-REPLY packets.
    • rebind—REBIND packets.
    • reconfigure—RECONFIGURE packets.
    • relay-forward—RELAY-FORWARD packets.
    • relay-reply—RELAY-REPLY packets.
    • release—RELEASE packets.
    • renew—RENEW packets.
    • reply—REPLY packets.
    • request—REQUEST packets.
    • solicit—SOLICIT packets.
    • unclassified—All unclassified packets in the protocol group.
  • frame-relay—The following packet types are available for Frame Relay traffic:
    • frf15—Multilink frame relay FRF.15 packets.
    • frf16—Multilink frame relay FRF.16 packets.
  • ip-fragments—The following packet types are available for IP fragments:
    • first-fragment—First IP fragment.
    • trail-fragment—Last IP fragment.
  • ip-options—The following packet types are available for IP option traffic:
    • router-alert—Router alert options packets.
    • unclassified—All unclassified packets in the protocol group.
  • mcast-snoop—Control traffic for multicast snooping.
    • igmp—Snooped IGMP traffic.
    • pim—Snooped PIM control traffic.
  • mlp—The following MLP packet types are available:
    • aging-exception—MLP aging exception packets.
    • packets—MLP packets.
    • unclassified—All unclassified packets in the protocol group.
  • ppp—The following PPP packet types are available:
    • authentication—PPP authentication protocol packets.
    • ipcp—IP Control Protocol packets.
    • ipv6cp—IPv6 Control Protocol packets.
    • isis—IS-IS packets.
    • lcp—Link Control Protocol packets.
    • mlppp-lcp—MLPPP LCP packets.
    • mplscp—MPLS Control Protocol packets.
    • unclassified—All unclassified packets in the protocol group.
  • pppoe—The following PPPoE packet types are available:
    • padi—PADI packets.
    • padm—PADM packets.
    • padn—PADN packets.
    • pado—PADO packets.
    • padr—PADR packets.
    • pads—PADS packets.
    • padt—PADT packets.
  • radius—The following RADIUS packet types are available:
    • accounting—RADIUS accounting packets.
    • authorization—RADIUS authorization packets.
    • server—RADIUS server traffic.
    • unclassified—All unclassified packets in the protocol group.
  • tcp-flags—The following TCP-flagged packet types are available:
    • established—TCP ACK and RST connection packets.
    • initial—TCP SYN and NAK packets.
  • unclassified—The following unclassified packet types are available:
    • control-layer2—Unclassified layer 2 control packets.
    • control-v4—Unclassified IPv4 control packets.
    • control-v6—Unclassified IPv6 control packets.
    • filter-v4—Unclassified IPv4 filter action packets; sent to the host because of reject terms in firewall filters.
    • filter-v6—Unclassified IPv6 filter action packets; sent to the host because of reject terms in firewall filters.
    • host-route-v4—Unclassified IPv4 routing protocol and host packets in traffic sent to the router local interface address for broadcast and multicast.
    • host-route-v6—Unclassified IPv6 routing protocol and host packets in traffic sent to the router local interface address for broadcast and multicast.
    • other—All unclassified packets that do not belong to another type.
    • resolve-v4—Unclassified IPv4 resolve packets sent to the host because of a traffic request resolve action.
    • resolve-v6—Unclassified IPv6 resolve packets sent to the host because of a traffic request resolve action.
  • virtual-chassis—The following packet types are available for virtual chassis packets:
    • control-low—Low-priority control packets.
    • control-high—High-priority control packets.
    • unclassified—All unclassified packets in the protocol group.
    • vc-packets—All exception packets on the virtual chassis link.
    • vc-ttl-errors—Virtual chassis TTL error packets.

protocol-group

Name of the protocol group for which traffic is policed. You can configure a policer for any of the following protocol groups:

  • amtv4—IPv4 AMT traffic.
  • amtv6—IPv6 AMT traffic.
  • ancp—ANCP traffic.
  • ancpv6—ANCPv6 traffic.
  • arp—ARP traffic.
  • atm—ATM traffic.
  • bfd—BFD traffic.
  • bfdv6—BFDv6 traffic.
  • bgp—BGP traffic.
  • bgpv6—BGPv6 traffic.
  • control—Control traffic.
  • demux-autosense—Demux autosensing traffic.
  • dhcpv4—DHCPv4 traffic.
  • dhcpv6—DHCPv6 traffic.
  • diameter—Diameter and Gx-Plus traffic.
  • dns—DNS traffic.
  • dtcp—DTCP traffic.
  • dynamic-vlan—Dynamic VLAN exception traffic.
  • egpv6—EGPv6 traffic.
  • eoam—EOAM traffic.
  • esmc—ESMC traffic.
  • firewall-host—Firewall send-to-host traffic.
  • frame-relay—Frame relay traffic.
  • ftp—FTP traffic.
  • ftpv6—FTPv6 traffic.
  • gre—GRE traffic.
  • icmp—ICMP traffic.
  • igmp—IGMP traffic.
  • igmpv4v6—IGMP v4/v6 traffic.
  • igmpv6—IGMPv6 traffic.
  • inline-ka—Inline service interfaces keepalive traffic.
  • inline-svcs—Inline services traffic.
  • ip-fragments—IP fragments traffic.
  • ip-options—IP traffic with IP packet header options.
  • isis—IS-IS traffic.
  • jfm—JFM traffic.
  • keepalive—Keepalive traffic.
  • l2pt—Layer 2 protocol tunneling traffic.
  • l2tp—L2TP traffic.
  • lacp—LACP traffic.
  • ldp—LDP traffic.
  • ldpv6—LDPv6 traffic.
  • lldp—LLDP traffic.
  • lmp—LMP traffic.
  • lmpv6—LMPv6 traffic.
  • mac-host—Layer 2 MAC send-to-host traffic.
  • mcast-snoop—Control traffic for multicast snooping.
  • mlp—MLP traffic.
  • msdp—MSDP traffic.
  • msdpv6—MSDPv6 traffic.
  • multicast-copy—Host copy traffic due to multicast routing.
  • mvrp—MVRP traffic.
  • ntp—NTP traffic.
  • oam-lfm—OAM-LFM traffic.
  • ospf—OSPF traffic.
  • ospfv3v6—OSPFv3/IPv6 traffic.
  • pfe-alive—Packet Forwarding Engine keepalive traffic.
  • pim—PIM traffic.
  • pmvrp—PMVRP traffic.
  • pos—POS traffic.
  • ppp—PPP traffic.
  • pppoe—PPPoE traffic.
  • ptp—PTP traffic.
  • pvstp—PVSTP traffic.
  • radius—RADIUS traffic.
  • redirect—Traffic that triggers ICMP redirects.
  • reject—Packets rejected by a next-hop forwarding decision.
  • rip—RIP traffic.
  • ripv6—RIPv6 traffic.
  • rsvp—RSVP traffic.
  • rsvpv6—RSVPv6 traffic.
  • services—Service traffic.
  • snmp—SNMP traffic.
  • snmpv6—SNMPv6 traffic.
  • ssh—SSH traffic.
  • sshv6—SSHv6 traffic.
  • stp—STP traffic.
  • tacacs—TACACS traffic.
  • tcp-flags—Traffic with TCP flags.
  • telnet—TELNET traffic.
  • telnetv6—TELNETv6 traffic.
  • ttl—TTL traffic.
  • tunnel-fragment—Tunnel fragments traffic.
  • unclassified—Unclassified traffic.
  • virtual-chassis—Virtual chassis traffic.
  • vrrp—VRRP traffic.
  • vrrpv6—VRRPv6 traffic.

The remaining statements are explained separately.
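
The following configuration is an added example, not part of the original Juniper page. It shows an aggregate policer and a packet-type policer in the dhcpv4 group, and an aggregate-only policer for ssh, a group with no individual packet types in the list above. All numeric values and the FPC slot number are constructed for illustration.

```junos
system {
    ddos-protection {
        protocols {
            dhcpv4 {
                /* Aggregate policer: applies to all DHCPv4 control packets */
                aggregate {
                    /* packets per second (constructed value) */
                    bandwidth 5000;
                    /* burst size (constructed value) */
                    burst 5000;
                    /* seconds (constructed value) */
                    recover-time 300;
                }
                /* Packet-type policer: DHCPDISCOVER only */
                discover {
                    bandwidth 500;
                    burst 500;
                    priority low;
                    /* Scale both limits to 50 percent on the line card in slot 1 */
                    fpc 1 {
                        bandwidth-scale 50;
                        burst-scale 50;
                    }
                }
            }
            ssh {
                /* ssh has no packet types listed, so only aggregate applies */
                aggregate {
                    bandwidth 1000;
                    burst 1000;
                }
            }
        }
    }
}
```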

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Published: 2013-07-30