protocols (DDoS) (ACX Series, PTX Series, and QFX Series)
Syntax (ACX Series Routers)
protocols protocol-group aggregate {
    bandwidth packets-per-second;
    burst size;
    disable-logging;
    disable-routing-engine;
    priority level;
}
Syntax (PTX Series Routers and QFX Series Switches)
protocols protocol-group (aggregate | packet-type) {
    bandwidth packets-per-second;
    burst size;
    bypass-aggregate;
    disable-fpc;
    disable-logging;
    fpc slot-number {
        bandwidth-scale percentage;
        burst-scale percentage;
        disable-fpc;
    }
    priority level;
}
Syntax (PTX Series and ACX7100-48L for Junos OS Evolved)
protocols {
    arp;
    bfd;
    bfdv6;
    bgp;
    custom;
    sample;
    dhcpv4;
    dhcpv6;
    dhcpv4v6;
    l2tp;
    ppp;
    pppoe;
}
Hierarchy Level
[edit system ddos-protection]
Description
Change default configurable control plane DDoS protection policer parameters for all packet types within a protocol group or for a particular packet type within a protocol group.
The PTX10003 router does not support the priority option for changing the default priority values of aggregate or individual packet-type policers.
QFX10002-60C switches and PTX Series routers do not support the bypass-aggregate option.
Although the term bandwidth usually refers to bits per second (bps), this feature's bandwidth option is a packets-per-second (pps) value, and the burst option is a number of packets in a burst. These options are explained separately.
Not all protocol groups and packet types listed in Table 1 or Table 2 are supported on all devices. Exceptions include:
- ACX Series routers support only the following protocol group options: arp, bfd, bfdv6, bgp, dhcpv4v6, eoam, esmc, igmp, ipmcast-miss (unknown multicast packets), isis, lacp, ldp, lldp, ndpv6, oam-lfm, ospf, pim, pvstp, rip, rsvp, stp, and vrrp.
- PTX10003 and PTX10008 routers do not support the following policer protocol group options: all-fiber-channel-enode, bridge-control, diameter, garp-reply, l2pt, ptp, radius, and tacacs.
- Other PTX Series routers do not support the following policer protocol group options: all-fiber-channel-enode (however, the arp protocol group is supported), bridge-control, diameter, garp-reply, martian-address, proto-802-1x, ptp, pvstp, radius, stp, and tacacs.
- QFX10002-60C switches do not support the following policer protocol group options: all-fiber-channel-enode (however, the arp protocol group is supported), bridge-control, diameter, garp-reply, martian-address, proto-802-1x, ptp, radius, and tacacs.
- QFX10002, QFX10008, and QFX10016 switches do not support the ttl protocol group option.
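The following configuration is an added illustration and is not taken from the Juniper documentation or from any Juniper example. It shows how the options in the PTX Series and QFX Series syntax above combine when an operator tunes control-plane protection: an aggregate policer for a protocol group with bandwidth in packets per second and burst in packets, per-FPC scaling of that policer on one line card, and logging left enabled so that policer violations remain visible. The protocol group names (bgp, arp, ndpv6) and option names come from this page; the numeric values, the FPC slot number 2, and the show command are illustrative assumptions, so check the defaults reported by your own device before changing them.

```junos
# Added example (not from the Juniper page). Set-style configuration for the
# PTX/QFX syntax. All numeric values are illustrative, not recommended defaults.

# Aggregate policer for the bgp protocol group: 5000 packets per second with a
# burst allowance of 2048 packets. Both numbers count packets, not bits.
set system ddos-protection protocols bgp aggregate bandwidth 5000
set system ddos-protection protocols bgp aggregate burst 2048

# On the line card in slot 2 (assumed slot), scale the bgp policer to 50 percent
# of the configured bandwidth and burst, so a single FPC cannot consume the
# whole Routing Engine allowance for this protocol group.
set system ddos-protection protocols bgp aggregate fpc 2 bandwidth-scale 50
set system ddos-protection protocols bgp aggregate fpc 2 burst-scale 50

# Aggregate policers for arp and ndpv6, protocols that arrive from attached
# segments. Logging is left enabled (disable-logging is not set) so that
# violations are reported.
set system ddos-protection protocols arp aggregate bandwidth 2000
set system ddos-protection protocols arp aggregate burst 1024
set system ddos-protection protocols ndpv6 aggregate bandwidth 1000
set system ddos-protection protocols ndpv6 aggregate burst 512

# Equivalent stanza form for the bgp group, as "show configuration" displays it:
#
# system {
#     ddos-protection {
#         protocols {
#             bgp {
#                 aggregate {
#                     bandwidth 5000;
#                     burst 2048;
#                     fpc 2 {
#                         bandwidth-scale 50;
#                         burst-scale 50;
#                     }
#                 }
#             }
#         }
#     }
# }

# Verify the resulting policer state from operational mode (assumed command form):
# show ddos-protection protocols bgp
```

The scaling percentages apply to the line-card copy of the policer only; the Routing Engine policer keeps the configured bandwidth and burst. Because the values differ by platform and release, read the current defaults from the device before committing lower limits, and commit with confirmation so that an overly tight policer on a routing protocol can be rolled back.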
Options
aggregate
    Configure parameters for the policer that polices all control packets belonging to the specified protocol as a combined group. An aggregate policer exists for all protocol groups.
    Note: ACX Series routers support only the aggregate policer for the supported protocol groups.
packet-type
    Configure policer values for the specified individual control packet type within a protocol group. On some devices, you can configure the packet-type policers in the protocol groups listed in Table 1. For all other protocol groups not listed in Table 1, only aggregate policers are available. Table 1 lists the protocol groups with packet-type policers available on some devices, and common values for default-configured parameters. Default values can differ among supporting devices and across different Junos OS releases; you can run the
    Each of the protocol groups in Table 1 also supports the aggregate policer. See Table 2 for the default aggregate policer values for all protocol groups.
protocol-group
    Configure policer values for the specified protocol group. You can configure the aggregate policer for any of the following protocol groups listed in Table 2. The table shows the aggregate policer default-configured parameters for each protocol group. Default values can differ among supporting devices and across different Junos OS releases; you can run the
    The protocol groups in Table 2 also support any corresponding individual packet-type policers listed in Table 1.
Table 2: Default aggregate policer values by protocol group. The default bandwidth and burst values vary based on the platform type and underlying DDoS infrastructure settings.

| Protocol Group | Description | Default Bandwidth (pps) | Default Burst (number of packets) |
|---|---|---|---|
| | Fiber channel ENode traffic | 10 | 1024 or 2048 |
| (Different platforms support an aggregate policer protocol group option for ARP traffic named either | ARP traffic. Note: On some platforms, the | 1000, 2000, or 10000 | 512, 1024, 2000, or 2048 |
| | Single-hop BFD traffic | 1000, 6200, 10000, 20000, or 250000 | 512, 2048, or 20000 |
| | BFDv6 traffic | 512, 3000, 10000, 20000, or 250000 | 512, 2048, or 20000 |
| | BGP traffic | 1200, 1500, 3000, 5000, 10000, 20000, or 250000 | 512, 2048, 4096, or 20000 |
| | Bridge Control traffic | 10 | 2048 |
| (PTX10003 and PTX10008 routers only) | Aggregate for all DHCPv4 traffic (priority Medium). Note: On PTX10003 and PTX10008 routers, use this option for rate-limiting at PFE line card and RE levels. Use aggregate option | 5000 | 5000 |
| (PTX10003 and PTX10008 routers only) | Aggregate for all DHCPv6 traffic (priority Low). Note: On PTX10003 and PTX10008 routers, use this option for rate-limiting at PFE line card and RE levels. Use aggregate option | 5000 | 5000 |
| | DHCPv4 and DHCPv6 traffic (limits apply to combined traffic). Note: On PTX10003 and PTX10008 routers, use this aggregate option for rate-limiting at PFE chip level only (priority is Low). Use | 600 or 5000 | 512, 2048, or 5000 |
| | Diameter and Gx-Plus traffic | 200 | 2048 |
| | DNS traffic | 200 | 200 or 2048 |
| | DTCP traffic | 200 | 200 or 2048 |
| | EGPv6 traffic | 10 | 10 or 2048 |
| | Ethernet OAM traffic. Note: On PTX10003 and PTX10008 routers, the aggregate | 1000, 6200, or 100000 | 102, 512, 2048, or 10000 |
| | ESMC traffic | 200 | 512 |
| | TCC-encapsulated Ethernet traffic. Note: The | 100 | 100 or 2048 |
| | | 100 | 2048 |
| | FTP traffic | 500 or 1500 | 1500 or 2048 |
| | Gratuitous ARP reply traffic | 100 | 2048 |
| | GRE traffic | 500 | 500 or 2048 |
| | ICMP traffic | 500, 1000, or 20000 | 500, 2048, or 20000 |
| | IGMPv4 and IGMPv6 traffic. Note: Use this option on PTX Series and QFX10002-60C devices for IGMPv4 traffic only, and | 1000, 1600, 5000, or 90000 | 512, 2048, or 5000 |
| | IGMPv6 traffic | 20000 or 90000 | 2048 or 5000 |
| | IP traffic with IP packet header options | 100 | 100 or 2048 |
| (ACX Series only) | Unknown IPv4 and IPv6 multicast packets | 600 | 512 |
| | IS-IS traffic | 1000, 1200, 5000, or 20000 | 512, 2048, 4096, or 20000 |
| isis-data | ISIS-Data traffic | 5000, 8000, or 10000 | 4096 or 8000 |
| isis-hello | ISIS-Hello traffic | 1000, 5000, or 12000 | 4096 or 12000 |
| | TCC-encapsulated ISO traffic. Note: The | 100 | 100 or 2048 |
| | Layer 2 protocol tunneling traffic | 500 | 2048 |
| | Layer 2 tunneling protocol traffic | 500 | 500 or 2048 |
| | LACP traffic | 800, 1000, or 2000 | 512, 300, 2000, or 2048 |
| | LDP traffic | 1200, 5000, 10000, or 20000 | 200, 512, 2048, or 20000 |
| | LDP hello packets. Note: The following devices have an | 1000 or 5000 | 2048 or 5000 |
| | LLDP traffic | 100, 800, or 2000 | 300, 512, 2000, or 2048 |
| | LMP traffic | 100 | 100 or 2048 |
| | Martian address | 200 | 20 |
| | Control traffic for multicast snooping | 5000, 20000, or 22000 | 2048, 6000, or 20000 |
| | MLD traffic. Note: The | 1000 | 2048 |
| | MSDP traffic | 20000 | 20000 |
| | Multihop BFD traffic. Note: The | 1500 | 2048 |
| | NDPv6 traffic | 100, 1000, or 2000 | 512, 1024, or 2000 |
| | NTP traffic | 20000 | 20000 |
| | OAM CFM traffic. Note: The | 200 | 2048 |
| | OAM LFM traffic | 200, 800, 1000, or 20000 | 512, 1000, 2048, or 20000 |
| | OSPF traffic | 1200, 5000, 10000, or 20000 | 200, 512, 2048, 4096, or 20000 |
| | OSPF hello packets | 1000, 1500, or 10000 | 2048, 4096, or 20000 |
| overlay | Packets such as ARP and NDP coming over a VxLAN tunnel with a VxLAN header. | 500 | 200 |
| (ACX Series only) | PIM IPv4 and IPv6 packets | 1600 | 512 |
| | PIM control packets | 1000 or 1500 | 200 or 2048 |
| | PIM data | 2000 or 3000 | 1024 or 2048 |
| | 802.1X traffic | 200 | 200 or 2048 |
| | PTP traffic | 100 | 2048 |
| | PVSTP traffic | 800, 2000, or 20000 | 512, 2048, or 20000 |
| | RADIUS traffic | 200 | 2048 |
| | Packets rejected by a next-hop forwarding decision | 100, 200, or 2000 | 200, 2000, or 2048 |
| | Unclassified IPv4 and IPv6 resolve packets sent to the host because of a traffic request resolve action | 100, 500, or 5000 | 100, 2048, or 5000 |
| | RIP traffic | 200, 1200, or 20000 | 200, 512, 2048, or 20000 |
| | RSVP traffic | 1200, 5000, 10000, or 20000 | 512, 2048, 10000, or 20000 |
| | SNMP traffic | 1000 or 20000 | 1024, 2048, or 20000 |
| | SSH traffic | 5000 or 20000 | 500, 2048, or 20000 |
| | STP traffic | 800 or 20000 | 512, 2048, or 20000 |
| | TACACS+ traffic | 200 | 2048 |
| | Transitional Cross-connect encapsulated traffic | 100 or 200 | 200, 1024, or 2048 |
| | Telnet traffic | 5000 or 20000 | 500, 2048, or 20000 |
| | Time to Live packets | 100 or 2000 | 2048 |
| | Traffic that cannot be classified into one of the other available protocol groups | 100 or 10000 | 2048 or 10000 |
| | VRRP traffic | 512, 1000, 2000, or 20000 | 512, 1000, 2048, or 20000 |
| | VXLAN Layer 2 and Layer 3 packets | 300 | 10 |
| Protocol Group | Description |
|---|---|
| | Configure ARP traffic |
| | Configure BFD traffic |
| | BFDv6 traffic |
| | Configure BGP traffic |
| | Configure CUSTOM traffic |
| sample | Configure Sampling traffic |
| | Configure DHCPv4 traffic |
| | Configure DHCPv6 traffic |
| dhcpv4v6 | Configure DHCPv4/v6 traffic |
| | Configure L2TP traffic |
| | Configure PPP traffic |
| | Configure PPPoE traffic |
Starting in Junos OS Evolved Release 23.1R1, on QFX5220, QFX5130, and QFX5700 Series devices, the default DDoS localnh aggregate bandwidth value is 1500 pps. Before Junos OS Evolved Release 23.1R1, you can configure the bandwidth value using the set system ddos-protection protocols localnh aggregate bandwidth 1500 burst 200 CLI command. This configuration helps prevent LAG interface downtime during heavy local IP traffic.
Starting in Junos OS Release 23.3R1, on QFX Series devices, we've added ip-option protocol support at the [edit ddos-protection protocols] hierarchy level.
Starting in Junos OS Release 23.4R1, on QFX5000 Series and EX4000 Series devices, address resolution protocol (ARP) packets over the virtual tunnel endpoint (VTEP) tunnel go to the overlay ARP. You can check the ARP details using the show ddos-protection protocols overlay arp CLI command. We also introduce the overlay statement at the [edit system ddos-protection protocols] hierarchy level to control VxLAN DDoS packets.
- DHCP (IP-DEMUX lite) and PPPoE subscribers (IPv4, IPv6, and dual stack) with CoS, Lawful Intercept, and filter support.
- DVLAN (single and dual tag) with L2TP (LAC) DDoS policer configuration for BBE protocols. Individual BBE protocol and DDoS protocol group configuration is enabled.
- Support for protocol groups DHCPv6, L2TP, PPP, and PPPoE.
- Only the aggregate DDoS protocol group dhcpv4v6 is active.
- Subscriber scale qualification with Class of Service (CoS) for Layer 2 Tunneling Protocol (L2TP) and L2TP access concentrator (LAC) subscriber interfaces for IPv4, IPv6, and dual stack.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.2.