protocols (DDoS)

Syntax

Hierarchy Level

Description

(MX Series routers with only MPCs, T4000 Core Routers with only FPC5s, or EX9200 switches) Configure control plane DDoS protection policers for all supported packet types within a protocol group or for a particular supported packet type within a protocol group.

Starting in Junos OS Release 22.2R1, the following DDoS protocol statements are also supported on MX10008 devices. In earlier releases, MX10008 devices did not support these DDoS protocol statements.

  • filter-action
  • virtual-chassis
  • ttl
  • redirect
  • re-services
  • re-services-v6
  • rejectv6
  • l2pt
  • syslog
  • vxlan

Note:

For the available control plane DDoS protection policer configuration options on PTX Series routers and QFX Series switches, which are different from the options described here, see protocols (DDoS) (ACX Series, PTX Series, and QFX Series).

Note:

Although the term bandwidth usually refers to bits per second (bps), this feature’s bandwidth option represents a packets per second (pps) value, and the burst option represents number of packets in a burst. These options are explained separately.

Options

aggregate

Configure the policer to monitor all control packets within the protocol group. You can configure an aggregate policer for any protocol group.

packet-type

(Optional) Name of the control packet type to be policed. You can configure a specific policer for only the following packet types and protocol groups:

  • arp—The following ARP packet types are available:

    • aggregate—Applies to the combination of all types of control packet traffic for this protocol group.

    On MX Series devices, prior to Junos OS Release 23.2R1, ARP request and reply traffic shared a single DDoS protocol policer. Starting in Junos OS Release 23.2R1, you can configure separate DDoS protocol packet types, bcast and ucast, at the [edit ddos-protection protocols arp] hierarchy level for ARP request and reply traffic. The separate DDoS policers provide improved packet rate limiting and priority handling for ARP traffic.

  • bgp—The following BGP packet types are available:

    • aggregate—Applies to the combination of all types of control packet traffic for this protocol group.

  • bgpv6—The following BGPv6 packet types are available:

    • aggregate—Applies to the combination of all types of control packet traffic for this protocol group.

  • dhcpv4—The following packet types are available for DHCPv4 traffic:

    • ack—DHCPACK packets.

    • bad-packets—DHCPv4 packets with bad formats.

    • bootp—DHCPBOOTP packets.

    • decline—DHCPDECLINE packets.

    • discover—DHCPDISCOVER packets.

    • force-renew—DHCPFORCERENEW packets.

    • inform—DHCPINFORM packets.

    • lease-active—DHCPLEASEACTIVE packets.

    • lease-query—DHCPLEASEQUERY packets.

    • lease-unassigned—DHCPLEASEUNASSIGNED packets.

    • lease-unknown—DHCPLEASEUNKNOWN packets.

    • nak—DHCPNAK packets.

    • no-message-type—DHCP packets that are missing the message type.

    • offer—DHCPOFFER packets.

    • release—DHCPRELEASE packets.

    • renew—DHCPRENEW packets.

    • request—DHCPREQUEST packets.

    • unclassified—All unclassified packets in the protocol group.

  • dhcpv6—The following packet types are available for DHCPv6 traffic:

    • advertise—ADVERTISE packets.

    • confirm—CONFIRM packets.

    • decline—DECLINE packets.

    • information-request—INFORMATION-REQUEST packets.

    • leasequery—LEASEQUERY packets.

    • leasequery-data—LEASEQUERY-DATA packets.

    • leasequery-done—LEASEQUERY-DONE packets.

    • leasequery-reply—LEASEQUERY-REPLY packets.

    • rebind—REBIND packets.

    • reconfigure—RECONFIGURE packets.

    • relay-forward—RELAY-FORWARD packets.

    • relay-reply—RELAY-REPLY packets.

    • release—RELEASE packets.

    • renew—RENEW packets.

    • reply—REPLY packets.

    • request—REQUEST packets.

    • solicit—SOLICIT packets.

    • unclassified—All unclassified packets in the protocol group.

  • filter-action—The following packet types are available for unclassified firewall filter action packets, sent to the host because of reject terms in firewall filters:

    • filter-v4—Unclassified IPv4 filter action packets.

    • filter-v6—Unclassified IPv6 filter action packets.

    • other—All other unclassified filter action packets that are not IPv4 or IPv6.

  • frame-relay—The following packet types are available for Frame Relay traffic:

    • frf15—Multilink frame relay FRF.15 packets.

    • frf16—Multilink frame relay FRF.16 packets.

  • ip-fragments—The following packet types are available for IP fragments:

    • first-fragment—First IP fragment.

    • trail-fragment—Last IP fragment.

  • ip-options—The following packet types are available for IP option traffic:

    • non-v4v6—Options packets other than IPv4/v6.

    • router-alert—Router alert options packets.

    • unclassified—All unclassified packets in the protocol group.

  • l2tp—The following packet types are available for L2TP LNS subscriber management network environments in Junos OS releases 13.3R5 and 14.1X50 (this option has been obsoleted by L2TP ERA in current Enhanced Subscriber Management environments):

    • cdn—Call-Disconnect-Notify message packets.

    • hello—Hello message packets.

    • iccn—Incoming-Call-Connected message packets.

    • icrq—Incoming-Call-Request message packets.

    • scccn—Start-Control-Connection-Connected message packets.

    • sccrq—Start-Control-Connection-Request message packets.

    • stopccn—Stop-Control-Connection-Notification message packets.

    • unclassified—All unclassified packets in the protocol group.

  • mcast-snoop—The following packet types are available for multicast snooping control traffic:

    • igmp—Snooped IGMP traffic.

    • mld—Snooped MLD traffic.

    • pim—Snooped PIM control traffic.

  • mlp—The following MLP packet types are available:

    • aggregate—Applies to the combination of all types of control packet traffic for this protocol group.

    • add—Add requests; internal MAC address learning request packets sent to the host.

    • delete—Delete requests; internal MAC address learning request packets sent to the host.

    • lookup—Lookup requests; internal MAC address learning request packets sent to the host.

    • unclassified—All unclassified packets in the protocol group.

    • macpin-exception—Exceptions to MAC address pinning (wherein dynamically learned MAC addresses are pinned to prevent looping caused by MAC moves from duplicate MAC detection).

  • ndpv6—The following NDPv6 packet types are available, except where noted, starting in 14.1R8, 14.2R8, 15.1R5, 15.1F7, and 16.1R1:

    • aggregate—Applies to the combination of all types of control packet traffic for this protocol group.

    • invalid-hop-limit—(Starting in 16.1R2) Invalid hop limit packets. These messages might represent crafted packets in a malicious network-based packet flood.

    • neighbor-advertisement—Neighbor advertisement packets. These are messages used for duplicate address detection and to test reachability of neighbors. Neighbor advertisements are sent in response to neighbor solicitation messages.

    • neighbor-solicitation—Neighbor solicitation packets. These are messages used for duplicate address detection and to test reachability of neighbors.

    • redirect—Redirect packets.

    • router-advertisement—Router advertisement packets. These are messages sent to announce the presence of the router, advertise prefixes, assist in address configuration, and share other link information such as MTU size and hop limit. The IPv6 nodes on the link can use this information to configure themselves with an IPv6 address and routing information such as the default gateway.

    • router-solicitation—Router solicitation packets. These are messages sent by IPv6 nodes when they come online to solicit immediate router advertisements from the router.

  • ppp—The following PPP packet types are available:

    • authentication—PPP authentication protocol packets.

    • echo-rep—LCP echo reply packets.

    • echo-req—LCP echo request packets.

    • ipcp—IP Control Protocol packets.

    • ipv6cp—IPv6 Control Protocol packets.

    • isis—IS-IS packets.

    • lcp—Link Control Protocol packets.

    • mlppp-lcp—MLPPP LCP packets.

    • mplscp—MPLS Control Protocol packets.

    • unclassified—All unclassified packets in the protocol group.

  • pppoe—The following PPPoE packet types are available:

    • padi—PADI packets.

    • padm—PADM packets.

    • padn—PADN packets.

    • pado—PADO packets.

    • padr—PADR packets.

    • pads—PADS packets.

    • padt—PADT packets.

  • radius—The following RADIUS packet types are available:

    • accounting—RADIUS accounting packets.

    • authorization—RADIUS authorization packets.

    • server—RADIUS server traffic.

    • unclassified—All unclassified packets in the protocol group.

  • re-services—The following packet type is available for Routing Engine-based HTTP redirect IPv4 traffic:

    • captive-portal—Routing Engine-based captive portal content delivery packets.

  • re-services-v6—The following packet type is available for Routing Engine-based HTTP redirect IPv6 traffic:

    • captive-portal—Routing Engine-based captive portal content delivery packets.

  • resolve—The following packet types are available for unclassified resolve packets, which are sent to the host because of a traffic request resolve action:

    • mcast-v4—Unclassified IPv4 multicast resolve packets.

    • mcast-v6—Unclassified IPv6 multicast resolve packets.

    • ucast-v4—Unclassified IPv4 unicast resolve packets.

    • ucast-v6—Unclassified IPv6 unicast resolve packets.

    • other—All other unclassified resolve packets.

  • sample—The following sample packet types are available:

    • host—Host packets.

    • pfe—Packet Forwarding Engine packets.

    • syslog—System log message packets.

    • tap—TAP packets.

  • tcp-flags—The following TCP-flagged packet types are available:

    • established—TCP packets with ACK or RST flags set.

    • initial—TCP packets with SYN flag set and ACK flag not set.

    • unclassified—TCP packets with any flag combination other than those of the established and initial packet types.

  • unclassified—The following unclassified packet types are available:

    • control-layer2—Unclassified layer 2 control packets.

    • control-v4—Unclassified IPv4 control packets.

    • control-v6—Unclassified IPv6 control packets.

    • fw-host—Unclassified send-to-host firewall packets.

    • host-route-v4—Unclassified IPv4 routing protocol and host packets in traffic sent to the router local interface address.

    • host-route-v6—Unclassified IPv6 routing protocol and host packets in traffic sent to the router local interface address.

    • other—All unclassified packets that do not belong to another type.

  • virtual-chassis—The following packet types are available for virtual chassis packets:

    • control-low—Low-priority control packets.

    • control-high—High-priority control packets.

    • unclassified—All unclassified packets in the protocol group.

    • vc-packets—All exception packets on the virtual chassis link.

    • vc-ttl-errors—Virtual chassis TTL error packets.

protocol-group

Name of the protocol group for which traffic is policed. You can configure a policer for any of the following protocol groups:

  • amtv4—IPv4 AMT traffic.

  • amtv6—IPv6 AMT traffic.

  • ancp—ANCP traffic.

  • ancpv6—ANCPv6 traffic.

  • arp—ARP traffic.

  • atm—ATM traffic.

  • bfd—BFD traffic.

  • bfdv6—BFDv6 traffic.

  • bgp—BGP traffic.

  • bgpv6—BGPv6 traffic.

  • control—Control traffic.

  • demux-autosense—Demux autosensing traffic.

  • dhcpv4—DHCPv4 traffic.

  • dhcpv6—DHCPv6 traffic.

  • diameter—Diameter and Gx-Plus traffic.

  • dns—DNS traffic.

  • dtcp—DTCP traffic.

  • dynamic-vlan—Dynamic VLAN exception traffic.

  • egpv6—EGPv6 traffic.

  • eoam—EOAM traffic.

  • esmc—ESMC traffic.

  • fab-probe—Fab out probe packets.

  • filter-action—IPv4 and IPv6 firewall filter action packets sent to the host because of reject terms in firewall filters.

  • frame-relay—Frame relay traffic.

  • ftp—FTP traffic.

  • ftpv6—FTPv6 traffic.

  • gre—GRE traffic.

  • gtp-path-mgmt—GTP path management traffic.

  • icmp—ICMP traffic.

  • igmp—IGMP traffic.

  • igmpv4v6—IGMP v4/v6 traffic.

  • igmpv6—IGMPv6 traffic.

  • inline-ka—Inline service interfaces keepalive traffic.

  • inline-svcs—Inline services traffic.

  • ip-fragments—IP fragments traffic.

  • ip-options—IP traffic with IP packet header options.

  • isis—IS-IS traffic.

  • jfm—JFM traffic.

  • l2pt—Layer 2 protocol tunneling traffic.

  • lacp—LACP traffic.

  • ldp—LDP traffic.

  • ldpv6—LDPv6 traffic.

  • lldp—LLDP traffic.

  • lmp—LMP traffic.

  • lmpv6—LMPv6 traffic.

  • mac-host—Layer 2 MAC send-to-host traffic.

  • mcast-snoop—Control traffic for multicast snooping.

  • mlp—MLP traffic.

  • msdp—MSDP traffic.

  • msdpv6—MSDPv6 traffic.

  • multicast-copy—Host copy traffic due to multicast routing.

  • mvrp—MVRP traffic.

  • ndpv6—NDPv6 traffic.

  • ntp—NTP traffic.

  • oam-lfm—OAM-LFM traffic.

  • ospf—OSPF traffic.

    Starting in Junos OS Release 23.2R1, the ospf protocol has two sub-protocols: ospf-hello, which classifies high-priority OSPF traffic for DDoS protection, and ospf-unclassified, which classifies low-priority OSPF traffic.

  • ospfv3v6—OSPFv3/IPv6 traffic.

    Starting in Junos OS Release 23.2R1, the ospfv3v6 protocol has two sub-protocols: ospfv3v6-hello, which classifies high-priority OSPFv3 traffic for DDoS protection, and ospfv3v6-unclassified, which classifies low-priority OSPFv3 traffic.

  • pfcp—Packet Forwarding Control Protocol (PFCP) traffic.

  • pfe-alive—Packet Forwarding Engine keepalive traffic.

  • pim—PIM traffic.

  • pimv6—PIMv6 traffic.

  • pmvrp—PMVRP traffic.

  • pos—POS traffic.

  • ppp—PPP traffic.

  • pppoe—PPPoE traffic.

  • ptp—PTP traffic.

  • pvstp—PVSTP traffic.

  • radius—RADIUS traffic.

  • re-services—Captive portal content delivery IPv4 traffic for Routing Engine HTTP redirect.

  • re-services-v6—Captive portal content delivery IPv6 traffic for Routing Engine HTTP redirect.

  • redirect—Traffic that triggers ICMP redirects.

  • reject—Packets rejected by a next-hop forwarding decision.

  • rejectv6—V6 packets rejected by a next-hop forwarding decision.

  • resolve—Unclassified IPv4 and IPv6 resolve packets sent to the host because of a traffic request resolve action.

  • rip—RIP traffic.

  • ripv6—RIPv6 traffic.

  • rsvp—RSVP traffic.

    Starting in Junos OS Release 23.2R1, the rsvp protocol has two sub-protocols: rsvp-hello, which classifies high-priority RSVP traffic for DDoS protection, and ospfv3v6-unclassified, which classifies low-priority RSVP traffic.

  • rsvpv6—RSVPv6 traffic.

  • services—Service traffic.

  • snmp—SNMP traffic.

  • snmpv6—SNMPv6 traffic.

  • ssh—SSH traffic.

  • sshv6—SSHv6 traffic.

  • stp—STP traffic.

  • syslog—System log message traffic (UDP port 6333) destined for the Routing Engine syslog server.

  • tacacs—TACACS traffic.

  • tcp-flags—Traffic with TCP flags.

  • telnet—TELNET traffic.

  • telnetv6—TELNETv6 traffic.

  • ttl—TTL traffic.

  • tunnel-fragment—Tunnel fragments traffic.

  • tunnel-ka—Tunnel keepalive traffic.

  • unclassified—Unclassified traffic.

    Starting in Junos OS Release 23.2R1, the unclassified protocol has two sub-protocols, host-route-tcp-v4 and host-route-udp-v4, which classify low-priority TCP and UDP traffic for DDoS protection.

  • virtual-chassis—Virtual chassis traffic.

  • vrrp—VRRP traffic.

  • vrrpv6—VRRPv6 traffic.

  • vxlan—VXLAN Layer 2 and Layer 3 traffic.

The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
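The following configuration, added here as an illustration and not taken from this reference page, shows how the protocol-group, packet-type, and aggregate options fit together: a group-wide aggregate policer for arp and dhcpv4, with tighter per-packet-type policers for broadcast ARP (bcast, Junos OS Release 23.2R1 and later) and DHCPDISCOVER beneath them. The bandwidth (pps) and burst (packets) values are constructed for illustration and must be sized from the control-plane rates observed on your own device.

```junos
[edit ddos-protection protocols]
/* arp: the aggregate policer bounds all ARP control traffic for the group;
   the bcast packet-type policer (23.2R1+) caps broadcast ARP, which is the
   usual flood vector, at a fraction of that. Values are constructed. */
arp {
    aggregate {
        bandwidth 20000;
        burst 20000;
    }
    bcast {
        bandwidth 5000;
        burst 5000;
    }
}
/* dhcpv4: police DHCPDISCOVER separately so a discover storm cannot
   consume the whole group budget that ack, offer and request also share. */
dhcpv4 {
    aggregate {
        bandwidth 10000;
        burst 10000;
    }
    discover {
        bandwidth 2000;
        burst 2000;
    }
}
```

After committing, use the operational commands show ddos-protection protocols arp statistics and show ddos-protection protocols violations to confirm the policers are active and to see which packet type is being dropped when a violation is reported.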

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 11.2.

Support for Enhanced Subscriber Management added in Junos OS Release 17.3R1.