Junos CLI Reference

show ddos-protection protocols isis

19-Nov-23

Syntax

show ddos-protection protocols <protocol-group> isis
 <aggregate | isis-data | isis-hello>

Description

Display the ISIS data traffic information for all protocol groups or individual packet types.

Options

none

Display information for all protocol groups and packet types.

protocol-group

(Optional) Display control plane DDoS protection information for a protocol group.

packet-type

(Optional) Display control plane DDoS protection information for the specified packet type in the specified protocol group. The available packet types vary by protocol group, and only some protocol groups can have policers for individual packet types.

aggregate

(Optional) Display control plane DDoS protection information for the aggregate policer. The aggregate option is available for all ISIS data traffic information.

isis-data

(Optional) Display ISIS Data traffic information.

isis-hello

(Optional) Display ISIS Hello traffic information.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show ddos-protection protocols isis command. Output fields are listed in the approximate order in which they appear.

Table 1: show ddos-protection protocols isis Output Fields

Field Name

Field Description

Packet types

Number of packet types

Modified

Number of packets for which policer values have been modified from the default.

Received traffic

Number of traffic flows received.

Currently violated

Number of flows that are currently violating the flow bandwidth limit.

Currently tracked flows

Number of active flows that are being tracked as culprit flows by flow detection.

Total detected flows

Total number of culprit flows that have been detected, including those that have recovered or timed out.

Protocol Group

Name of protocol group.

Packet type

Name of packet type in protocol group.

Bandwidth

Bandwidth policer value; number of packets per second that is allowed before a violation is declared.

Burst

Burst policer value; the maximum number of packets that is allowed in a burst before a violation is declared.

Priority

Priority of the packet type for individual packet policers that enables more important traffic to pass through in the event of traffic congestion: low, medium, or high. Lower priority packets are dropped when insufficient bandwidth is available.

Recover time

Time in seconds that must pass before the traffic flow is considered to have recovered from the attack. A notification is generated when the timer expires.

Enabled

State of the policer:

  • Yes—The policer is enabled on both the Routing Engine and the FPC (line card). This is the default state.

  • No—The policer is disabled on both the Routing Engine and the FPC by global configuration. The policer is not disabled by the packet type level configuration.

  • No*—The policer is disabled on both the Routing Engine and the FPC. The asterisk (*) indicates that one or both of these instances are disabled at the packet type level; the policer can also be disabled globally.

  • Partial—The policer is disabled on either the Routing Engine or the FPC, but not both. It is disabled by global configuration. The policer is not disabled by the packet type level configuration.

  • Partial*—The policer is disabled on either the Routing Engine or the FPC, but not both. The asterisk (*) indicates that the instance is disabled by the packet type level configuration; the policer can also be disabled globally.

Disabling occurs globally for all packet types at the [edit system ddos-protection global] hierarchy level, for a specific packet type at the [edit system ddos-protection protocols protocol-group (aggregate | packet-type)] hierarchy level, or at both levels.

Bypass aggregate

State of the bypass aggregate configuration:

  • Yes—The aggregate policer is bypassed.

  • No—The aggregate policer is enforced.

This field appears only for individual policers.

Flow detection configuration

State of flow detection configured on the router:

  • Detection mode—Mode of operation for suspicious flow detection: automatic, off, or on.

  • Log flows—State of automatic logging of suspicious traffic flows: on (Yes) or off (No).

  • Timeout flows—State of culprit flow timeout behavior: flow is suppressed for a configured timeout period (Yes) or flow is suppressed until it is no longer in violation (No).

  • Detect time—Time in seconds that must pass before a suspicious flow that has exceeded the bandwidth allowed for the packet type is considered to be a culprit flow.

  • Recover time—Time in seconds that must pass before a culprit flow is considered to have returned to normal. The period starts when the flow drops below the threshold that triggered the last violation.

  • Timeout time—Time in seconds that a culprit flow is suppressed, if timeouts have been enabled.

  • Flow aggregation level configuration—Flow detection mode, flow control mode, and flow bandwidth for traffic at each of the traffic flow aggregation levels: subscriber, logical interface, and physical interface.

    • Aggregation level—Flow detection mode, flow control mode, and flow bandwidth for traffic at each of the traffic flow aggregation levels: subscriber, logical interface, and physical interface.

    • Detection mode—State of flow detection: automatic, off, or on.

    • Control mode—Mode of controlling culprit traffic: dropped, kept, or policed back to within the allowed bandwidth.

    • Flow rate—Bandwidth allowed for the control traffic in packets per second.

System-wide information

The following information is collected for the router:

  • A message indicates whether the policer has been violated.

  • No. of FPCs currently receiving excess traffic—Number of cards that are currently in violation of a policer.

  • No. of FPCs that have received excess traffic—Number of cards that have at some point been in violation of a policer.

  • Violation first detected at—Timestamp of the first violation.

  • Violation last seen at—Timestamp of the last observed violation.

  • Duration of violation—Length of the violation.

  • Number of violations—Number of times the violation has occurred.

  • Received—Number of packets received at all card slots and the Routing Engine.

  • Dropped—Number of packets dropped regardless of where they were dropped.

  • Arrival rate—Current traffic rate for packets arriving from all cards and at the Routing Engine.

  • Max arrival rate—Highest traffic rate for packets arriving from all cards and at the Routing Engine.

Routing Engine information

The following information is collected for the Routing Engine:

  • Bandwidth—Maximum number of packets per second that is allowed.

  • Burst—Maximum number of packets that is allowed in a burst.

  • State of the policer:

    • enabled—The Routing Engine policer is enabled. This is the default state.

    • disabled—The Routing Engine policer is disabled globally. It is not disabled by the packet type level configuration.

    • disabled*—The Routing Engine policer is disabled by the packet type level configuration; it can also be disabled globally.

  • A message indicates whether the policer has been violated; the policer might be passed at the individual cards, but the combined rate of packets arriving at the Routing Engine can exceed the configured policer value.

  • Violation first detected at—Timestamp of the first violation.

  • Violation last seen at—Timestamp of the last observed violation.

  • Duration of violation—Length of the violation.

  • Number of violations—Number of times the violation has occurred.

  • Received—Number of packets received at the Routing Engine from all cards.

  • Dropped—Number of packets dropped at the Routing Engine; includes packets dropped by the aggregate policer and by individual protocol policers.

  • Arrival rate—Current traffic rate for packets arriving at the Routing Engine from all cards.

  • Max arrival rate—Highest traffic rate for packets arriving at the Routing Engine from all cards.

  • Dropped by aggregate policer—Number of packets dropped by the aggregate policer.

  • Dropped by individual policers—Number of packets dropped by individual policers.

FPC slot information

The following information is collected for the line card in the indicated slot:

  • Bandwidth—Bandwidth scaling percentage and the number of packets per second that is allowed before a violation is declared.

  • Burst—Burst scaling percentage and the maximum number of packets that is allowed in a burst before a violation is declared.

  • State of the policer:

    • enabled—The FPC policer is enabled. This is the default state.

    • disabled—The FPC policer is disabled globally. It is not disabled by the packet type level configuration.

    • disabled*—The FPC policer is disabled by the packet type level configuration; it may also be disabled globally.

  • A message indicates whether the policer has been violated.

  • Violation first detected at—Timestamp of the first violation.

  • Violation last seen at—Timestamp of the last observed violation.

  • Duration of violation—Length of the violation.

  • Number of violations—Number of times the violation has occurred.

  • Received—Number of packets received on the line card.

  • Dropped—Number of packets dropped at the line card; includes packets dropped by the aggregate policer and by individual protocol policers.

  • Arrival rate—Current traffic rate for packets arriving at the line card.

  • Max arrival rate—Highest traffic rate for packets arriving at the line card.

  • Dropped by this policer—Number of packets dropped by the individual policer.

  • Dropped by aggregate policer—Number of packets dropped by the aggregate policer.

Sample Output

show ddos-protection protocols isis

user@host> show ddos-protection protocols isis

Packet types: 3, Modified: 0, Received traffic: 0, Currently violated: 0
Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: ISIS

  Packet type: aggregate (Aggregate for isis traffic)    
  Packet type: isis-data (All isis-data traffic)
  Packet type: isis-hello (All isis hello traffic)
...

show ddos-protection protocols isis aggregate

user@host> show ddos-protection protocols isis aggregate

Currently tracked flows: 0, Total detected flows: 0
* = User configured value
Protocol Group: ISIS

  Packet type: aggregate (Aggregate for isis traffic)
    Aggregate policer configuration:
      Bandwidth:        6000 pps
      Burst:            6000 packets
      Recover time:     300 seconds
      Enabled:          Yes
    System-wide information:
      Aggregate bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 6000 pps, Burst: 6000 packets, enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
    FPC slot 0 information:
      Bandwidth: 100% (6000 pps), Burst: 100% (6000 packets), enabled
      Hostbound queue 255
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
        Dropped by flow suppression:    0

show ddos-protection protocols isis isis-data

user@host> show ddos-protection protocols isis isis-data

Currently tracked flows: 0, Total detected flows: 0
* = User configured value
Protocol Group: ISIS

  Packet type: isis-data (All isis-data traffic)
    Individual policer configuration:
      Bandwidth:        5000 pps
      Burst:            4096 packets
      Priority:         High
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Flow detection configuration:
      Flow detection system is off
      Detection mode: Automatic  Detect time:  0 seconds
      Log flows:      Yes        Recover time: 0 seconds
      Timeout flows:  No         Timeout time: 0 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          0  pps
        Logical interface   Automatic       Drop          0  pps
        Physical interface  Automatic       Drop          5000 pps
    System-wide information:
      Bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 5000 pps, Burst: 4096 packets, enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
    FPC slot 0 information:
      Bandwidth: 100% (5000 pps), Burst: 100% (4096 packets), enabled
      Hostbound queue 255
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
        Dropped by flow suppression:  0

show ddos-protection protocols isis isis-hello

user@host> show ddos-protection protocols isis isis-hello

Currently tracked flows: 0, Total detected flows: 0
* = User configured value
Protocol Group: ISIS

  Packet type: isis-hello (All isis hello traffic)
    Individual policer configuration:
      Bandwidth:        1000 pps
      Burst:            2048 packets
      Priority:         High
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Flow detection configuration:
      Flow detection system is off
      Detection mode: Automatic  Detect time:  0 seconds
      Log flows:      Yes        Recover time: 0 seconds
      Timeout flows:  No         Timeout time: 0 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          0  pps
        Logical interface   Automatic       Drop          0  pps
        Physical interface  Automatic       Drop          1000 pps
    System-wide information:
      Bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 1000 pps, Burst: 2048 packets, enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
    FPC slot 0 information:
      Bandwidth: 100% (1000 pps), Burst: 100% (2048 packets), enabled
      Hostbound queue 255
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
        Dropped by flow suppression:  0
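
The output fields above lend themselves to an automated control-plane health check. The following Python sketch is an added example, not part of the Juniper documentation: it parses saved command output and reports policers that are not fully enabled, bypass the aggregate policer, or show drops. The function name audit, the constructed sample, and the rule that any message other than "never violated" counts as a violation are assumptions.

```python
import re

# Constructed sample: the page's isis-hello output with the Enabled field,
# the FPC policer state and the counters altered; some sections are omitted.
SAMPLE = """\
  Packet type: isis-hello (All isis hello traffic)
    Individual policer configuration:
      Enabled:          Partial*
      Bypass aggregate: No
    Routing Engine information:
      Bandwidth: 1000 pps, Burst: 2048 packets, enabled
      Policer is never violated
      Received:  5120                Arrival rate:     0 pps
      Dropped:   120                 Max arrival rate: 900 pps
        Dropped by aggregate policer: 120
    FPC slot 0 information:
      Bandwidth: 100% (1000 pps), Burst: 100% (2048 packets), disabled*
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
"""

def audit(text):
    """Return (packet type, section, finding) tuples that need review."""
    findings, ptype, section = [], None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Packet type: (\S+)", line):
            ptype, section = m.group(1), None
        elif m := re.match(r"(.+) (?:information|configuration):$", line):
            section = m.group(1)
        elif m := re.match(r"Enabled:\s+(\S+)", line):
            if m.group(1) != "Yes":          # No, No*, Partial, Partial*
                findings.append((ptype, section, f"Enabled is {m.group(1)}"))
        elif re.match(r"Bypass aggregate:\s+Yes", line):
            findings.append((ptype, section, "aggregate policer bypassed"))
        elif m := re.match(r"Bandwidth: .*, (enabled|disabled\*?)$", line):
            if m.group(1) != "enabled":      # RE or FPC instance is off
                findings.append((ptype, section, f"policer {m.group(1)}"))
        elif m := re.match(r"Dropped:\s+(\d+)", line):
            if int(m.group(1)) > 0:
                findings.append((ptype, section, f"{m.group(1)} dropped"))
        elif "violated" in line and "never violated" not in line:
            # Assumption: any wording other than "never violated" is a violation.
            findings.append((ptype, section, line))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

An asterisk in a reported state means the policer was disabled at the packet type level, so the matching [edit system ddos-protection protocols ...] configuration is the place to look first.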

Release Information

Command introduced in Junos OS Release 21.4R1.
