protocols (DDoS) (ACX Series, PTX Series, and QFX Series)

Syntax (ACX Series Routers)

Syntax (PTX Series Routers and QFX Series Switches)

Syntax (PTX Series and ACX7100-48L for Junos OS Evolved)

Hierarchy Level

Description

Change default configurable control plane DDoS protection policer parameters for all packet types within a protocol group or for a particular packet type within a protocol group.

Note:

The PTX10003 router does not support the priority option for changing the default priority values of aggregate or individual packet-type policers. QFX10002-60C switches and PTX Series routers do not support the bypass-aggregate option.

Note:

Although the term bandwidth usually refers to bits per second (bps), this feature’s bandwidth option represents a packets per second (pps) value, and the burst option represents number of packets in a burst. These options are explained separately.

Not all protocol groups and packet types listed in Table 1 or Table 2 are supported on all devices. Exceptions include:

  • ACX Series routers support only the following protocol group options: arp, bfd, bfdv6, bgp, dhcpv4v6, eoam, esmc, igmp, ipmcast-miss (unknown multicast packets), isis, lacp, ldp, lldp, ndpv6, oam-lfm, ospf, pim, pvstp, rip, rsvp, stp, and vrrp.

  • PTX10003 and PTX10008 routers do not support the following policer protocol group options: all-fiber-channel-enode, bridge-control, diameter, garp-reply, l2pt, ptp, radius, and tacacs.

  • Other PTX Series routers do not support the following policer protocol group options: all-fiber-channel-enode (however, the arp protocol group is supported), bridge-control, diameter, garp-reply, martian-address, proto-802-1x, ptp, pvstp, radius, stp, and tacacs.

  • QFX10002-60C switches do not support the following policer protocol group options: all-fiber-channel-enode (however, the arp protocol group is supported), bridge-control, diameter, garp-reply, martian-address, proto-802-1x, ptp, radius, and tacacs.

  • QFX10002, QFX10008, and QFX10016 switches do not support the ttl protocol group option.

Options

aggregate

Configure parameters for the policer that polices all control packets belonging to the specified protocol as a combined group. An aggregate policer exists for all protocol groups.

Note:

ACX Series routers support only the aggregate policer for the supported protocol groups.

packet-type

Configure policer values for the specified individual control packet type within a protocol group. On some devices, you can configure the packet-type policers in the protocol groups listed in Table 1. For all other protocol groups not listed in Table 1, only aggregate policers are available.

Table 1 lists the protocol groups with packet-type policers available on some devices, and common values for default-configured parameters. Default values can differ among supporting devices and across different Junos OS releases; you can run the show ddos-protection protocols or show ddos-protection protocols parameters CLI command before modifying any configurable values to see the default policer values for all supported protocol groups and packet types. You can also include a specific protocol group and packet type (or aggregate) with those commands.

Each of the protocol groups in Table 1 also supports the aggregate policer. See Table 2 for the default aggregate policer values for all protocol groups.

Table 1: Packet Types Supported by Control Plane DDoS Protection on PTX Series Routers and QFX Series Switches

| Protocol Group | Packet Type | Description | Default Bandwidth (pps) | Default Burst (number of packets) | Default Priority |
|---|---|---|---|---|---|
| arp | arp-snoop or arp (Note: Starting in Junos OS Release 20.3R1 and several other maintenance releases on PTX and QFX Series devices, the option name arp-snoop is renamed simply arp.) | ARP traffic | 10000 | 1024 or 2048 | High |
| arp | unclassified | Unclassified ARP packets | 500 | 1024 | High |
| bfd | bundle-bfd | (PTX10003 only) Link bundle BFD traffic | 10000 | 10000 | High |
| bfd | multihop-bfd | Multihop BFD traffic | 5000 or 10000 | 2048 or 10000 | High |
| bfd | unclassified | Unclassified BFD packets | 10000 | 2048 | High |
| dhcpv4 (PTX10003 and PTX10008 routers only; for rate-limiting at line card and RE levels) | ack | DHCPACK packets | 500 | 500 | Medium |
| dhcpv4 | bad-packets | DHCPv4 packets with bad formats | 0 | 0 | Low |
| dhcpv4 | bootp | DHCPBOOTP packets | 300 | 300 | Low |
| dhcpv4 | decline | DHCPDECLINE packets | 500 | 500 | Low |
| dhcpv4 | discover | DHCPDISCOVER packets | 500 | 500 | Low |
| dhcpv4 | force-renew | DHCPFORCERENEW packets | 2000 | 2000 | High |
| dhcpv4 | inform | DHCPINFORM packets | 500 | 500 | Low |
| dhcpv4 | lease-active | DHCPLEASEACTIVE packets | 2000 | 2000 | High |
| dhcpv4 | lease-query | DHCPLEASEQUERY packets | 2000 | 2000 | High |
| dhcpv4 | lease-unassigned | DHCPLEASEUNASSIGNED packets | 2000 | 2000 | High |
| dhcpv4 | lease-unknown | DHCPLEASEUNKNOWN packets | 2000 | 2000 | High |
| dhcpv4 | nak | DHCPNAK packets | 500 | 500 | Low |
| dhcpv4 | no-message-type | DHCP packets that are missing the message type | 1000 | 1000 | Low |
| dhcpv4 | offer | DHCPOFFER packets | 1000 | 1000 | Low |
| dhcpv4 | rebind | DHCPv4 REBIND packets | 2000 | 2000 | High |
| dhcpv4 | release | DHCPRELEASE packets | 2000 | 2000 | High |
| dhcpv4 | renew | DHCPRENEW packets | 2000 | 2000 | High |
| dhcpv4 | request | DHCPREQUEST packets | 1000 | 1000 | Medium |
| dhcpv4 | unclassified | All unclassified DHCPv4 packets | 300 | 150 | Low |
| dhcpv6 (PTX10003 and PTX10008 routers only; for rate-limiting at line card and RE levels) | advertise | DHCPv6 ADVERTISE packets | 500 | 500 | Low |
| dhcpv6 | confirm | DHCPv6 CONFIRM packets | 1000 | 1000 | Medium |
| dhcpv6 | decline | DHCPv6 DECLINE packets | 1000 | 1000 | Low |
| dhcpv6 | information-request | DHCPv6 INFORMATION-REQUEST packets | 1000 | 1000 | Low |
| dhcpv6 | leasequery | DHCPv6 LEASEQUERY packets | 1000 | 1000 | Low |
| dhcpv6 | leasequery-data | DHCPv6 LEASEQUERY-DATA packets | 1000 | 1000 | Low |
| dhcpv6 | leasequery-done | DHCPv6 LEASEQUERY-DONE packets | 1000 | 1000 | Low |
| dhcpv6 | leasequery-reply | DHCPv6 LEASEQUERY-REPLY packets | 1000 | 1000 | Low |
| dhcpv6 | rebind | DHCPv6 REBIND packets | 2000 | 2000 | Medium |
| dhcpv6 | reconfigure | DHCPv6 RECONFIGURE packets | 1000 | 1000 | Low |
| dhcpv6 | relay-forward | DHCPv6 RELAY-FORWARD packets | 1000 | 1000 | Low |
| dhcpv6 | relay-reply | DHCPv6 RELAY-REPLY packets | 1000 | 1000 | Low |
| dhcpv6 | release | DHCPv6 RELEASE packets | 2000 | 2000 | High |
| dhcpv6 | renew | DHCPv6 RENEW packets | 2000 | 2000 | Medium |
| dhcpv6 | reply | DHCPv6 REPLY packets | 1000 | 1000 | Medium |
| dhcpv6 | request | DHCPv6 REQUEST packets | 1000 | 1000 | Medium |
| dhcpv6 | solicit | DHCPv6 SOLICIT packets | 500 | 500 | Low |
| dhcpv6 | unclassified | All unclassified DHCPv6 packets | 3000 | 3000 | Low |
| eoam | oam-cfm | Ethernet OAM CFM traffic | 1000 | 1024 or 2048 | High |
| eoam | unclassified | Unclassified Ethernet OAM traffic | 100000 | 1024 or 2048 | High |
| igmpv6 | mld | MLD traffic | 1000 or 5000 | 1024 or 2048 | High |
| igmpv6 | unclassified | Unclassified IGMPv6 packets | 1000 or 90000 | 1024 or 2048 | High |
| ldp | ldp-hello (Some devices have an ldp-hello aggregate policer instead. Only the following devices support this packet-type policer: PTX10003 and PTX10008 routers; QFX10002, QFX10008, and QFX10016 switches.) | LDP HELLO traffic | 1000 | 1024 | High |
| ldp | unclassified | LDP unclassified packets | 1000 | 1024 | High |
| mcast-snoop | igmp | Control packets for IGMP snooping | 500, 5000, or 20000 | 2048 or 5000 | High |
| mcast-snoop | mld | Control packets for MLD snooping | 500, 2000, or 5000 | 2048 | High |
| mcast-snoop | pim | Control packets for PIM snooping | 500, 2000, or 5000 | 2048 | High |
| mcast-snoop | unclassified | Unclassified multicast snooping control packets | 500 | 2048 | High |
| radius | accounting | RADIUS accounting packets | 200 | 2048 | High |
| radius | authorization | RADIUS authorization packets | 200 | 2048 | High |
| radius | server | RADIUS server traffic | 200 | 2048 | High |
| radius | unclassified | Unclassified RADIUS traffic | 200 | 2048 | High |
| tcc | ethernet-tcc | TCC-encapsulated Ethernet traffic | 100 | 100, 1024, or 2048 | High |
| tcc | iso-tcc | TCC-encapsulated ISO traffic | 100 | 100, 1024, or 2048 | High |
| tcc | unclassified | Unclassified TCC-encapsulated traffic | 100 | 1024 or 2048 | High |

protocol-group

Configure policer values for the specified protocol group. You can configure the aggregate policer for any of the protocol groups listed in Table 2, which shows the default-configured aggregate policer parameters for each protocol group. Default values can differ among supporting devices and across Junos OS releases; run the show ddos-protection protocols or show ddos-protection protocols parameters CLI command before modifying any configurable values to see the default policer values for all supported protocol groups. You can also include a specific protocol group, with or without the aggregate option, with those commands to see that group's aggregate policer parameters.

The protocol groups in Table 2 also support any corresponding individual packet-type policers listed in Table 1.

Table 2: Protocol Groups Supported by Control Plane DDoS Protection on ACX Series Routers, PTX Series Routers, and QFX Series Switches

Note:

The default bandwidth and burst values vary based on the platform type and the underlying DDoS infrastructure settings.

| Protocol Group | Description | Default Bandwidth (pps) | Default Burst (number of packets) |
|---|---|---|---|
| all-fiber-channel-enode | Fiber channel ENode traffic | 10 | 1024 or 2048 |
| arp or arp-snoop (Different platforms support an aggregate policer protocol group option for ARP traffic named either arp or arp-snoop.) | ARP traffic (Note: On some platforms, the arp protocol group encompasses arp-snoop as a packet type; see Table 1. Starting in Junos OS Release 20.3R1 and other maintenance releases on PTX and QFX Series devices, the arp-snoop packet type option in the arp protocol group is renamed arp.) | 1000, 2000, or 10000 | 512, 1024, 2000, or 2048 |
| bfd | Single-hop BFD traffic | 1000, 6200, 10000, 20000, or 250000 | 512, 2048, or 20000 |
| bfdv6 | BFDv6 traffic | 512, 3000, 10000, 20000, or 250000 | 512, 2048, or 20000 |
| bgp | BGP traffic | 1200, 1500, 3000, 5000, 10000, 20000, or 250000 | 512, 2048, 4096, or 20000 |
| bridge-control | Bridge Control traffic | 10 | 2048 |
| dhcpv4 (PTX10003 and PTX10008 routers only) | Aggregate for all DHCPv4 traffic (priority Medium). (Note: On PTX10003 and PTX10008 routers, use this option for rate-limiting at the PFE line card and RE levels. Use the aggregate option dhcpv4v6 for rate-limiting at the PFE chip level.) | 5000 | 5000 |
| dhcpv6 (PTX10003 and PTX10008 routers only) | Aggregate for all DHCPv6 traffic (priority Low). (Note: On PTX10003 and PTX10008 routers, use this option for rate-limiting at the PFE line card and RE levels. Use the aggregate option dhcpv4v6 for rate-limiting at the PFE chip level.) | 5000 | 5000 |
| dhcpv4v6 | DHCPv4 and DHCPv6 traffic (limits apply to the combined traffic). (Note: On PTX10003 and PTX10008 routers, use this aggregate option for rate-limiting at the PFE chip level only (priority is Low). Use the dhcpv4 and dhcpv6 protocol group and individual packet type options for rate-limiting at the line card and RE levels.) | 600 or 5000 | 512, 2048, or 5000 |
| diameter | Diameter and Gx-Plus traffic | 200 | 2048 |
| dns | DNS traffic | 200 | 200 or 2048 |
| dtcp | DTCP traffic | 200 | 200 or 2048 |
| egpv6 | EGPv6 traffic | 10 | 10 or 2048 |
| eoam | Ethernet OAM traffic (Note: On PTX10003 and PTX10008 routers, the aggregate eoam protocol group option includes OAM-CFM packets; there is no oam-cfm individual packet type option.) | 1000, 6200, or 100000 | 102, 512, 2048, or 10000 |
| esmc | ESMC traffic | 200 | 512 |
| ethernet-tcc | TCC-encapsulated Ethernet traffic (Note: The tcc protocol group option encompasses this as a packet type option on some devices.) | 100 | 100 or 2048 |
| exception | MTU traffic; multicast traffic; TTL traffic (QFX10002, QFX10008, and QFX10016 switches only) | 100 | 2048 |
| ftp | FTP traffic | 500 or 1500 | 1500 or 2048 |
| garp-reply | Gratuitous ARP reply traffic | 100 | 2048 |
| gre | GRE traffic | 500 | 500 or 2048 |
| icmp | ICMP traffic | 500, 1000, or 20000 | 500, 2048, or 20000 |
| igmp | IGMPv4 and IGMPv6 traffic (Note: On PTX Series and QFX10002-60C devices, use this option for IGMPv4 traffic only and the igmpv6 option for IGMPv6 traffic. On PTX10003 and PTX10008 routers, this option encompasses aggregated IGMP and MLD traffic.) | 1000, 1600, 5000, or 90000 | 512, 2048, or 5000 |
| igmpv6 | IGMPv6 traffic | 20000 or 90000 | 2048 or 5000 |
| ip-options | IP traffic with IP packet header options | 100 | 100 or 2048 |
| ipmcast-miss (ACX Series only) | Unknown IPv4 and IPv6 multicast packets | 600 | 512 |
| isis | IS-IS traffic | 1000, 1200, 5000, or 20000 | 512, 2048, 4096, or 20000 |
| isis-data | ISIS-Data traffic | 5000, 8000, or 10000 | 4096 or 8000 |
| isis-hello | ISIS-Hello traffic | 1000, 5000, or 12000 | 4096 or 12000 |
| iso-tcc | TCC-encapsulated ISO traffic (Note: The tcc protocol group option encompasses this as a packet type option on some devices.) | 100 | 100 or 2048 |
| l2pt | Layer 2 protocol tunneling traffic | 500 | 2048 |
| l2tp | Layer 2 tunneling protocol traffic | 500 | 500 or 2048 |
| lacp | LACP traffic | 800, 1000, or 2000 | 300, 512, 2000, or 2048 |
| ldp | LDP traffic | 1200, 5000, 10000, or 20000 | 200, 512, 2048, or 20000 |
| ldp-hello | LDP hello packets (Note: The following devices have an ldp-hello packet-type policer and do not use this aggregate policer: PTX10003 and PTX10008 routers; QFX10002, QFX10008, and QFX10016 switches.) | 1000 or 5000 | 2048 or 5000 |
| lldp | LLDP traffic | 100, 800, or 2000 | 300, 512, 2000, or 2048 |
| lmp | LMP traffic | 100 | 100 or 2048 |
| martian-address | Martian address traffic | 200 | 20 |
| mcast-snoop | Control traffic for multicast snooping | 5000, 20000, or 22000 | 2048, 6000, or 20000 |
| mld | MLD traffic (Note: The igmpv6 protocol group option encompasses this as a packet type option on some devices.) | 1000 | 2048 |
| msdp | MSDP traffic | 20000 | 20000 |
| multihop-bfd | Multihop BFD traffic (Note: The bfd protocol group option encompasses this as a packet type option on some devices.) | 1500 | 2048 |
| ndpv6 | NDPv6 traffic | 100, 1000, or 2000 | 512, 1024, or 2000 |
| ntp | NTP traffic | 20000 | 20000 |
| oam-cfm | OAM CFM traffic (Note: The eoam protocol group option encompasses this as a packet type option on some devices. On PTX10003 and PTX10008 routers, the aggregate eoam protocol group option includes OAM-CFM packets; there is no oam-cfm individual packet type option.) | 200 | 2048 |
| oam-lfm | OAM LFM traffic | 200, 800, 1000, or 20000 | 512, 1000, 2048, or 20000 |
| ospf | OSPF traffic | 1200, 5000, 10000, or 20000 | 200, 512, 2048, 4096, or 20000 |
| ospf-hello | OSPF hello packets | 1000, 1500, or 10000 | 2048, 4096, or 20000 |
| overlay | Packets such as ARP and NDP arriving over a VXLAN tunnel with a VXLAN header | 500 | 200 |
| pim (ACX Series only) | PIM IPv4 and IPv6 packets | 1600 | 512 |
| pim-ctrl | PIM control packets | 1000 or 1500 | 200 or 2048 |
| pim-data | PIM data packets | 2000 or 3000 | 1024 or 2048 |
| proto-802-1x | 802.1X traffic | 200 | 200 or 2048 |
| ptp | PTP traffic | 100 | 2048 |
| pvstp | PVSTP traffic | 800, 2000, or 20000 | 512, 2048, or 20000 |
| radius | RADIUS traffic | 200 | 2048 |
| reject | Packets rejected by a next-hop forwarding decision | 100, 200, or 2000 | 200, 2000, or 2048 |
| resolve | Unclassified IPv4 and IPv6 resolve packets sent to the host because of a traffic request resolve action | 100, 500, or 5000 | 100, 2048, or 5000 |
| rip | RIP traffic | 200, 1200, or 20000 | 200, 512, 2048, or 20000 |
| rsvp | RSVP traffic | 1200, 5000, 10000, or 20000 | 512, 2048, 10000, or 20000 |
| snmp | SNMP traffic | 1000 or 20000 | 1024, 2048, or 20000 |
| ssh | SSH traffic | 5000 or 20000 | 500, 2048, or 20000 |
| stp | STP traffic | 800 or 20000 | 512, 2048, or 20000 |
| tacacs | TACACS+ traffic | 200 | 2048 |
| tcc | Transitional Cross-connect encapsulated traffic | 100 or 200 | 200, 1024, or 2048 |
| telnet | Telnet traffic | 5000 or 20000 | 500, 2048, or 20000 |
| ttl | Time to Live packets | 100 or 2000 | 2048 |
| unclassified | Traffic that cannot be classified into one of the other available protocol groups | 100 or 10000 | 2048 or 10000 |
| vrrp | VRRP traffic | 512, 1000, 2000, or 20000 | 512, 1000, 2048, or 20000 |
| vxlan | VXLAN Layer 2 and Layer 3 packets | 300 | 10 |

Table 3: Protocol Groups Supported by Control Plane DDoS Protection on PTX Series Routers for Junos OS Evolved

| Protocol Group | Description |
|---|---|
| arp or | Configure ARP traffic |
| bfd | Configure BFD traffic |
| bfdv6 | Configure BFDv6 traffic |
| bgp | Configure BGP traffic |
| custom | Configure CUSTOM traffic |
| sample | Configure sampling traffic |
| dhcpv4 | Configure DHCPv4 traffic |
| dhcpv6 | Configure DHCPv6 traffic |
| dhcpv4v6 | Configure DHCPv4/v6 traffic |
| l2tp | Configure L2TP traffic |
| ppp | Configure PPP traffic |
| pppoe | Configure PPPoE traffic |

Starting in Junos OS Evolved Release 23.1R1, on QFX5220, QFX5130, and QFX5700 Series devices, the default DDoS localnh aggregate bandwidth value is 1500 pps. Before Junos OS Evolved Release 23.1R1, you can set this bandwidth value yourself with the [set system ddos-protection protocols localnh aggregate bandwidth 1500 burst 200] CLI command. This configuration prevents LAG interface downtime during heavy local IP traffic.

Starting in Junos OS Release 23.3R1, on QFX Series devices, we've added support for the ip-option protocol at the [edit ddos-protection protocols] hierarchy level.

Starting in Junos OS Release 23.4R1, on QFX5000 Series and EX4000 Series devices, Address Resolution Protocol (ARP) packets that arrive over the virtual tunnel endpoint (VTEP) tunnel go to the overlay ARP. You can check the ARP details with the show ddos-protection protocols overlay arp CLI command. We also introduce the overlay statement at the [edit system ddos-protection protocols] hierarchy level to control the VXLAN DDoS packets.

Starting in Junos OS Evolved Release 23.4R1, ACX7100-48L devices support DVLAN (single and dual tag) for subscriber services scaling and performance, which includes:
  • DHCP (IP-DEMUX lite) and PPPoE subscribers (IPv4, IPv6, and dual stack) with CoS, lawful intercept, and filter support.
  • DVLAN (single and dual tag) with L2TP (LAC) DDoS policer configuration for BBE protocols. Individual BBE protocol and DDoS protocol group configuration is enabled.
  • Support for the DHCPv6, L2TP, PPP, and PPPoE protocol groups.
  • Only the aggregate DDoS protocol group dhcpv4v6 is active.
  • Subscriber scale qualification with class of service (CoS) for Layer 2 Tunneling Protocol (L2TP) and L2TP access concentrator (LAC) subscriber interfaces for IPv4, IPv6, and dual stack.

The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
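Putting the aggregate and packet-type options together, the following is an added helper written for this page (not Juniper code): it builds the set commands for one policer under [edit system ddos-protection protocols] and refuses the combinations the notes above say a platform does not support. The platform model strings, the prefix matching on them, and the placement of bypass-aggregate under a packet type rather than the aggregate policer are assumptions of the example.

```python
"""Build 'set system ddos-protection protocols ...' commands for one policer.
Hypothetical helper added for this page (not Juniper code): it refuses the
combinations this page says a platform does not support."""
from typing import List, Optional

HIERARCHY = "set system ddos-protection protocols"
PRIORITIES = ("high", "medium", "low")
# Platform caveats from this page's notes, matched by model-name prefix (assumed).
NO_PRIORITY = ("PTX10003",)                    # no priority option
NO_BYPASS_AGGREGATE = ("PTX", "QFX10002-60C")  # no bypass-aggregate option
AGGREGATE_ONLY = ("ACX",)                      # aggregate policer only


def ddos_policer_commands(platform: str, protocol_group: str,
                          policer: str = "aggregate",
                          bandwidth: Optional[int] = None,
                          burst: Optional[int] = None,
                          priority: Optional[str] = None,
                          bypass_aggregate: bool = False) -> List[str]:
    """Return the set commands, or raise ValueError for an unsupported option."""
    if policer != "aggregate" and platform.startswith(AGGREGATE_ONLY):
        raise ValueError(f"{platform}: only the aggregate policer is supported")
    # bandwidth is a packets-per-second rate and burst a packet count, not bits.
    for name, value in (("bandwidth", bandwidth), ("burst", burst)):
        if value is not None and (not isinstance(value, int) or value < 0):
            raise ValueError(f"{name} must be a non-negative integer")
    if priority is not None:
        if priority not in PRIORITIES:
            raise ValueError(f"priority must be one of {PRIORITIES}")
        if platform.startswith(NO_PRIORITY):
            raise ValueError(f"{platform}: priority option is not supported")
    if bypass_aggregate:
        if platform.startswith(NO_BYPASS_AGGREGATE):
            raise ValueError(f"{platform}: bypass-aggregate is not supported")
        if policer == "aggregate":  # assumed: bypass-aggregate sits under a packet type
            raise ValueError("bypass-aggregate applies only to a packet-type policer")
    base = f"{HIERARCHY} {protocol_group} {policer}"
    params = (("bandwidth", bandwidth), ("burst", burst), ("priority", priority))
    cmds = [f"{base} {k} {v}" for k, v in params if v is not None]
    if bypass_aggregate:
        cmds.append(f"{base} bypass-aggregate")
    if not cmds:
        raise ValueError("no policer parameter given")
    return cmds


def rejected(*args, **kwargs) -> bool:
    """True if ddos_policer_commands refuses the combination."""
    try:
        ddos_policer_commands(*args, **kwargs)
    except ValueError:
        return True
    return False
```

For example, ddos_policer_commands("PTX10008", "dhcpv4", "discover", bandwidth=300, burst=300) lowers the DHCPDISCOVER packet-type policer from its Table 1 default of 500 pps and a 500-packet burst, while the same call for an ACX platform is refused because ACX Series routers support only the aggregate policer.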

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 11.2.