Example: Configuring Control Plane DDoS Protection on QFX Series Switches
This example shows how to configure control plane DDoS protection so a switch can quickly identify an attack and prevent a flood of malicious control packets from exhausting system resources.
Requirements
Control plane DDoS protection requires the following hardware and software:
QFX Series switch that supports control plane DDoS protection
Junos OS Release 15.1X53-D10 or later
No special configuration beyond device initialization is required before you can configure this feature.
Overview
Distributed denial-of-service (DDoS) attacks use multiple sources to flood a network with protocol control packets. This malicious traffic triggers a large number of exceptions in the network and attempts to exhaust the system resources to deny valid users access to the network or server.
Control plane DDoS protection is enabled by default on a supported QFX Series switch. This example describes how you can modify the default configuration for the rate-limiting policers that identify excess control traffic and drop the packets before the switch is adversely affected. Sample tasks include configuring an aggregate policer for a protocol group, configuring policers for particular control packet types within a protocol group, and specifying trace options for control plane DDoS protection operations.
This example shows how to change some of the default policer parameters and behavior for the radius protocol group and the RADIUS accounting packet type. You can use the same commands to change policer limits for other supported protocol groups and packet types. See the ddos-protection configuration statement at the [edit system] hierarchy level for all available configuration options.
Topology
Configuration
Procedure
CLI Quick Configuration
To quickly configure control plane DDoS protection for protocol groups and particular control packet types, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
[edit]
edit system
set ddos-protection protocols radius aggregate bandwidth 150
set ddos-protection protocols radius aggregate burst 2000
set ddos-protection protocols radius accounting bandwidth 100 burst 1500
set ddos-protection protocols radius accounting priority low
set ddos-protection protocols radius server bypass-aggregate
set ddos-protection traceoptions file ddos-log size 10m
set ddos-protection traceoptions flag all
top
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure control plane DDoS protection:
Specify a protocol group.
[edit system ddos-protection protocols]
user@host# edit radius
Configure the maximum traffic rate for the RADIUS aggregate policer; that is, for the combination of all RADIUS packets.
Note: You change the traffic rate using the bandwidth option. Although the term bandwidth usually refers to bits per second (bps), this feature's bandwidth option represents a packets per second (pps) value.
[edit system ddos-protection protocols radius]
user@host# set aggregate bandwidth 150
Configure the maximum burst size (number of packets) for the RADIUS aggregate policer.
[edit system ddos-protection protocols radius]
user@host# set aggregate burst 2000
Configure a different maximum traffic rate (pps) and burst size (packets) for RADIUS accounting packets.
[edit system ddos-protection protocols radius]
user@host# set accounting bandwidth 100 burst 1500
Decrease the priority for RADIUS accounting packets.
[edit system ddos-protection protocols radius]
user@host# set accounting priority low
Prevent RADIUS server control packets from being included in the aggregate bandwidth (pps); that is, server packets do not contribute toward the combined RADIUS traffic to determine whether the aggregate bandwidth is exceeded. However, the server packets are still included in traffic rate statistics.
[edit system ddos-protection protocols radius]
user@host# set server bypass-aggregate
(On switches with multiple line cards only) Reduce the bandwidth (pps) and burst size (packets) allowed before a violation is declared for the RADIUS policer on the FPC in slot 1.
[edit system ddos-protection protocols radius]
user@host# set aggregate fpc 1 bandwidth-scale 80
user@host# set aggregate fpc 1 burst-scale 75
Configure tracing for all control plane DDoS protection protocol processing events.
[edit system ddos-protection traceoptions]
user@host# set file ddos-log
user@host# set file size 10m
user@host# set flag all
Results
From configuration mode, confirm your configuration by entering the show ddos-protection command at the system hierarchy level.
[edit system]
user@host# show ddos-protection
traceoptions {
    file ddos-log size 10m;
    flag all;
}
protocols {
    radius {
        aggregate {
            bandwidth 150;
            burst 2000;
        }
        server {
            bypass-aggregate;
        }
        accounting {
            bandwidth 100;
            burst 1500;
            priority low;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the control plane DDoS protection configuration is working properly, perform these tasks:
Verifying the Control Plane DDoS Protection Configuration
Purpose
Verify that the RADIUS policer values have changed from the default.
Action
From operational mode, enter the show ddos-protection protocols radius parameters command.
user@host> show ddos-protection protocols radius parameters
Packet types: 5, Modified: 3
* = User configured value
Protocol Group: Radius

  Packet type: aggregate (Aggregate for all Radius traffic)
    Aggregate policer configuration:
      Bandwidth:        150 pps*
      Burst:            2000 packets*
      Recover time:     300 seconds
      Enabled:          Yes
    Routing Engine information:
      Bandwidth: 150 pps, Burst: 2000 packets, enabled
    FPC slot 0 information:
      Bandwidth: 100% (150 pps), Burst: 100% (2000 packets), enabled

  Packet type: server (Radius server traffic)
    Individual policer configuration:
      Bandwidth:        200 pps
      Burst:            2048 packets
      Priority:         High
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: Yes*
    Routing Engine information:
      Bandwidth: 200 pps, Burst: 2048 packets, enabled
    FPC slot 0 information:
      Bandwidth: 100% (200 pps), Burst: 100% (2048 packets), enabled

  Packet type: accounting (Radius accounting traffic)
    Individual policer configuration:
      Bandwidth:        100 pps*
      Burst:            1500 packets*
      Priority:         Low*
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Routing Engine information:
      Bandwidth: 100 pps, Burst: 1500 packets, enabled
    FPC slot 0 information:
      Bandwidth: 100% (100 pps), Burst: 100% (1500 packets), enabled

  Packet type: authorization (Radius authorization traffic)
    Individual policer configuration:
      Bandwidth:        200 pps
      Burst:            2048 packets
      Priority:         High
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Routing Engine information:
      Bandwidth: 200 pps, Burst: 2048 packets, enabled
    FPC slot 0 information:
      Bandwidth: 100% (200 pps), Burst: 100% (2048 packets), enabled
Meaning
The command output shows the current configuration of the RADIUS aggregate policer and the RADIUS accounting, server, and authorization control packet policers. Policer values that have been modified from the default values are marked with an asterisk. The output shows that the RADIUS policer configuration has been modified correctly.
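Reading the asterisks by eye does not scale to a fleet of switches. The following Python check is an added example, not part of the Junos documentation or of the device software: it parses the show ddos-protection protocols radius parameters output into per-packet-type policer values, compares them with the intended values from this example, and cross-checks the set of user-configured packet types against the Modified: N header. The sample output is an abbreviated constructed copy of the output above, and the EXPECTED table is an assumption derived from this example's configuration statements.

```python
import re
# Constructed sample: abbreviated from this example's 'show ... radius parameters' output, not from a live switch.
SAMPLE_OUTPUT = """\
Packet types: 5, Modified: 3
Protocol Group: Radius
  Packet type: aggregate (Aggregate for all Radius traffic)
    Aggregate policer configuration:
      Bandwidth:        150 pps*
      Burst:            2000 packets*
    Routing Engine information:
      Bandwidth: 150 pps, Burst: 2000 packets, enabled
  Packet type: server (Radius server traffic)
    Individual policer configuration:
      Bandwidth:        200 pps
      Bypass aggregate: Yes*
  Packet type: accounting (Radius accounting traffic)
    Individual policer configuration:
      Bandwidth:        100 pps*
      Burst:            1500 packets*
      Priority:         Low*
      Bypass aggregate: No
"""

# Intended policer state, taken from this example's configuration statements (assumed intent).
EXPECTED = {
    "aggregate": {"Bandwidth": "150 pps", "Burst": "2000 packets"},
    "accounting": {"Bandwidth": "100 pps", "Burst": "1500 packets", "Priority": "Low"},
    "server": {"Bypass aggregate": "Yes"},
}

def parse_policers(text):
    """Map packet type -> {field: (value, user_configured)} from each 'policer configuration:' block."""
    policers = {}
    for block in re.split(r"\n(?=\s*Packet type: )", text)[1:]:
        ptype = re.match(r"\s*Packet type: (\S+)", block).group(1)
        # Stop at the per-RE/per-FPC 'information:' lines: they repeat 'Bandwidth:' as status, not config.
        conf = re.search(r"policer configuration:\n(.*?)(?=\n[^\n]*information:|\Z)", block, re.S).group(1)
        policers[ptype] = {f: (v, star == "*") for f, v, star in      # trailing '*' = user configured
                           re.findall(r"^\s*([A-Za-z ]+?):\s+(.+?)(\*?)$", conf, re.M)}
    return policers

def check_intent(policers, expected=EXPECTED):
    """Return (packet_type, field, actual) for each field that drifted from the intended value."""
    actual = lambda p, f: policers.get(p, {}).get(f, (None, False))[0]
    return [(p, f, actual(p, f)) for p, fields in expected.items()
            for f, want in fields.items() if actual(p, f) != want]

def modified_types(policers):
    """Packet types carrying at least one '*' value; should match the 'Modified: N' header."""
    return {p for p, fields in policers.items() if any(star for _, star in fields.values())}
```

An empty list from check_intent means the RADIUS policers match intent; any tuple it returns names the packet type and field that drifted, and a modified_types result whose size disagrees with the Modified: header flags a parse problem or an unexpected change.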