logical-interface (DDoS Flow Detection)
Syntax
logical-interface (flow-bandwidth | flow-control-mode | flow-detection-mode)
Hierarchy Level
[edit system ddos-protection protocols protocol-group packet-type flow-level-bandwidth]
[edit system ddos-protection protocols protocol-group packet-type flow-level-control]
[edit system ddos-protection protocols protocol-group packet-type flow-level-detection]
Description
(MX Series routers with only MPCs, T4000 Core Routers with only FPC5s, or EX9200 switches) Configure flow bandwidth, flow control mode, or flow detection mode for flow detection at the logical interface flow aggregation level for the packet type.
Options
flow-bandwidth—Bandwidth for the flow at the logical interface level. Available only at the [edit system ddos-protection protocols protocol-group packet-type flow-level-bandwidth] hierarchy level.
Default: 200 packets per second
Range: 1 through 30,000 packets per second
flow-control-mode—Mode for how traffic in the detected flow is controlled at the logical interface level. Available only at the [edit system ddos-protection protocols protocol-group packet-type flow-level-control] hierarchy level.
The configuration at this level overrides the global configuration using the flow-level-control statement at the [edit system ddos-protection global] hierarchy level.
drop—Drop all traffic in flow.
keep—Keep all traffic in flow.
police—Police the traffic to within its allowed bandwidth.
Default: drop
flow-detection-mode—Mode for how flow detection operates at the logical interface level when a policer has been violated. Available only at the [edit system ddos-protection protocols protocol-group packet-type flow-level-detection] hierarchy level.
The configuration at this level overrides the global configuration using the flow-detection-mode statement at the [edit system ddos-protection global] hierarchy level.
automatic—Search flows at the logical interface level only when a DDoS policer is being violated and only when the flow causing the policer violation is not discovered at the finer flow aggregation level, subscriber. When the suspicious flow is not found at this level, then the search moves to a coarser level of flow aggregation (physical interface). Flows at the logical interface level are subsequently not searched again until the policer is no longer violated at the coarser level, and a subsequent violation occurs that cannot be found at the subscriber level.
off—Disable flow detection at the logical interface level so that flows are never searched at this level.
on—Search flows at the logical interface level, even when no DDoS protection policer is currently being violated. Monitoring continues at this level regardless of whether a suspect flow is identified at this level.
Default: automatic
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 12.3.
Support for Enhanced Subscriber Management added in Junos OS Release 17.3R1.
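Example
The following configuration fragment is an added illustration, not part of the original reference page. It shows the logical-interface statement at each of the three hierarchy levels for one packet type. The protocol group dhcpv4, the packet type discover, and the values chosen are assumptions for the example, and flow detection is assumed to be already enabled on the router.

```junos
system {
    ddos-protection {
        protocols {
            /* protocol-group (assumed for this example) */
            dhcpv4 {
                /* packet-type (assumed for this example) */
                discover {
                    flow-level-bandwidth {
                        /* flow-bandwidth: 100 pps instead of the 200 pps default (range 1 through 30,000) */
                        logical-interface 100;
                    }
                    flow-level-control {
                        /* flow-control-mode: police the flow to its allowed bandwidth instead of the default, drop */
                        logical-interface police;
                    }
                    flow-level-detection {
                        /* flow-detection-mode: search this level even when no policer is violated (default is automatic) */
                        logical-interface on;
                    }
                }
            }
        }
    }
}
```

With police, traffic in a detected flow is limited to the 100 pps configured above rather than dropped outright, and these per-packet-type settings take precedence over the corresponding statements at the [edit system ddos-protection global] hierarchy level.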