show ddos-protection protocols parameters
Syntax
show ddos-protection protocols <protocol-group> parameters <brief | detail | terse>
Description
Display DDoS protection configuration information for all protocol groups or for a particular protocol group.
Starting in Junos OS Release 22.3R1, on MX Series and EX9200 Series devices, we’ve updated the default bandwidth value from 20000 to 100 pps and the burst policer value from 20000 to 100 packets. This enhancement prevents the CPU usage of eventd and snmpd from exceeding 100%. Before this release, when the system received violating traffic for SNMP along with traffic for other protocols, the CPU usage of eventd and snmpd exceeded 100% with an error.
Starting in Junos OS Evolved Release 23.2R2, on PTX Series devices, the show ddos-protection protocols statistics command displays the Max arrival rate and Arrival rate output values as expected. Before this release, the Max arrival rate and Arrival rate output values were displayed larger than expected.
Options
none | Display information for all protocol groups. |
brief \| detail \| terse | (Optional) Display the specified level of output. |
protocol-group | (Optional) Display information for a particular protocol group. See show ddos-protection protocols for a list of available groups. |
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show ddos-protection protocols parameters command. Output fields are listed in the approximate order in which they appear.
Field Name | Field Description | Level of Output |
---|---|---|
| Name of protocol group. | All levels |
| Name of packet type in protocol group. | All levels |
| Bandwidth policer value; number of packets per second that is allowed before a violation is declared. In the | All levels |
| Burst policer value; the maximum number of packets that is allowed in a burst before a violation is declared. In the | All levels |
| Priority of the packet type in the event of traffic congestion: In the | All levels |
| Time that must pass since the last violation before the traffic flow is considered to have recovered from the attack. A notification is generated when the timer expires. In the | All levels |
| State of the policer, enabled ( | |
| State of the bypass aggregate configuration: This field appears only for individual policers. | |
| The following configuration information for the card in the indicated slot: | |
| Number of policers that have been changed from the default configuration. An asterisk by a particular value indicates that value has been modified. | |
| State of the policer, enabled ( | |
| State of the bypass aggregate configuration: Dashes indicate that the bypass aggregate configuration is not available; this is possible only for aggregate policers. | |
| Indicates whether configuration has changed from the default for any line cards. | |
Sample Output
- show ddos-protection protocols parameters
- show ddos-protection protocols parameters brief
- show ddos-protection protocols dhcpv4 parameters brief
- show ddos-protection protocols dhcpv4 parameters terse
- show ddos-protection protocols dhcpv4 parameters
- show ddos-protection protocols snmp parameters (Starting in Junos OS Release 22.3R1)
show ddos-protection protocols parameters
```
user@host> show ddos-protection protocols parameters
Protocol Group: IPv4-Unclassified

  Packet type: aggregate (Aggregate for unclassified host-bound IPv4 traffic)
    Aggregate policer configuration:
      Bandwidth:        20000 pps
      Burst:            20000 packets
      Priority:         medium
      Recover time:     300 seconds
      Enabled:          Yes
    FPC slot 1 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled

Protocol Group: IPv6-Unclassified

  Packet type: aggregate (Aggregate for unclassified host-bound IPv6 traffic)
    Aggregate policer configuration:
      Bandwidth:        20000 pps
      Burst:            20000 packets
      Priority:         medium
      Recover time:     300 seconds
      Enabled:          Yes
    FPC slot 1 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
...
Protocol Group: PPPoE

  Packet type: aggregate (Aggregate for all PPPoE control traffic)
    Aggregate policer configuration:
      Bandwidth:        800 pps
      Burst:            2000 packets
      Priority:         medium
      Recover time:     300 seconds
      Enabled:          Yes
    FPC slot 1 information:
      Bandwidth: 100% (800 pps), Burst: 100% (2000 packets), enabled

  Packet type: padi (PPPoE PADI)
    Individual policer configuration:
      Bandwidth:        500 pps
      Burst:            500 packets
      Priority:         low
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    FPC slot 1 information:
      Bandwidth: 100% (500 pps), Burst: 100% (500 packets), enabled

  Packet type: pado (PPPoE PADO)
    Individual policer configuration:
      Bandwidth:        0 pps
      Burst:            0 packets
      Priority:         low
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    FPC slot 1 information:
      Bandwidth: 100% (0 pps), Burst: 100% (0 packets), enabled

  Packet type: padr (PPPoE PADR)
    Individual policer configuration:
      Bandwidth:        500 pps
      Burst:            500 packets
      Priority:         medium
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    FPC slot 1 information:
      Bandwidth: 100% (500 pps), Burst: 100% (500 packets), enabled
```
show ddos-protection protocols parameters brief
```
user@host> show ddos-protection protocols parameters brief
Number of policers modified: 3
Protocol    Packet      Bandwidth Burst  Priority Recover   Policer  Bypass FPC
group       type        (pps)     (pkts)          time(sec) enabled  aggr.  mod
ipv4-uncls  aggregate   20000     20000  medium   300       yes      --     no
ipv6-uncls  aggregate   20000     20000  medium   300       yes      --     no
dynvlan     aggregate   1000      500    low      300       yes      --     no
ppp         aggregate   16000     16000  medium   300       yes      --     no
ppp         unclass     1000      500    low      300       yes      no     no
ppp         lcp         12000     12000  low      300       yes      no     no
ppp         auth        2000      2000   medium   300       yes      no     no
ppp         ipcp        2000      2000   high     300       yes      no     no
ppp         ipv6cp      2000      2000   high     300       yes      no     no
ppp         mplscp      2000      2000   high     300       yes      no     no
ppp         isis        2000      2000   high     300       yes      no     no
pppoe       aggregate   800*      2000   medium   300       part.*   --     no
pppoe       padi        500       500    low      300       part.    no     no
pppoe       pado        0         0      low      300       part.    no     no
pppoe       padr        500       500    medium   300       part.    no     no
pppoe       pads        0         0      low      300       part.    no     no
pppoe       padt        1000      1000   high     300       part.    no     no
pppoe       padm        0         0      low      300       part.    no     no
pppoe       padn        0         0      low      300       part.    no     no
dhcpv4      aggregate   669*      5000   medium   300       yes      --     no
dhcpv4      unclass..   300       150    low      300       yes      no     no
dhcpv4      discover    100*      500    low      300       yes      no     no
dhcpv4      offer       1000      1000   low      300       yes      no     no
dhcpv4      request     1000      1000   medium   300       yes      no     no
dhcpv4      decline     500       500    low      300       yes      no     no
dhcpv4      ack         500       500    medium   300       yes      no     no
dhcpv4      nak         500       500    low      300       yes      no     no
dhcpv4      release     2000      2000   high     300       yes      no     no
dhcpv4      inform      500       500    low      300       yes      no     no
dhcpv4      renew       2000      2000   high     300       yes      no     no
dhcpv4      forcerenew  2000      2000   high     300       yes      no     no
dhcpv4      leasequery  2000      2000   high     300       yes      no     no
dhcpv4      leaseuna..  2000      2000   high     300       yes      no     no
dhcpv4      leaseunk..  2000      2000   high     300       yes      no     no
dhcpv4      leaseact..  2000      2000   high     300       yes      no     no
dhcpv4      bootp       300       300    low      300       yes      no     no
dhcpv4      no-msgtype  0         0      low      300       yes      no     no
dhcpv4      bad-pack..  0         0      low      300       yes      no     no
...
icmp        aggregate   20000     20000  high     300       yes      --     no
igmp        aggregate   20000     20000  high     300       yes      --     no
ospf        aggregate   20000     20000  high     300       yes      --     no
rsvp        aggregate   20000     20000  high     300       yes      --     no
pim         aggregate   20000     20000  high     300       yes      --     no
rip         aggregate   20000     20000  high     300       yes      --     no
ptp         aggregate   20000     20000  high     300       yes      --     no
bfd         aggregate   20000     20000  high     300       yes      --     no
lmp         aggregate   20000     20000  high     300       yes      --     no
ldp         aggregate   20000     20000  high     300       yes      --     no
msdp        aggregate   20000     20000  high     300       yes      --     no
bgp         aggregate   20000     20000  low      300       yes      --     no
vrrp        aggregate   20000     20000  high     300       yes      --     no
telnet      aggregate   20000     20000  low      300       yes      --     no
ftp         aggregate   20000     20000  low      300       yes      --     no
ssh         aggregate   20000     20000  low      300       yes      --     no
snmp        aggregate   20000     20000  low      300       yes      --     no
ancp        aggregate   20000     20000  low      300       yes      --     no
...
```
show ddos-protection protocols dhcpv4 parameters brief
```
user@host> show ddos-protection protocols dhcpv4 parameters brief
Number of policers modified: 2
Protocol    Packet      Bandwidth Burst  Priority Recover   Policer  Bypass FPC
group       type        (pps)     (pkts)          time(sec) enabled  aggr.  mod
dhcpv4      aggregate   669*      5000   medium   300       yes      --     no
dhcpv4      unclass..   300       150    low      300       yes      no     no
dhcpv4      discover    100*      500    low      300       yes      no     no
dhcpv4      offer       1000      1000   low      300       yes      no     no
dhcpv4      request     1000      1000   medium   300       yes      no     no
dhcpv4      decline     500       500    low      300       yes      no     no
dhcpv4      ack         500       500    medium   300       yes      no     no
dhcpv4      nak         500       500    low      300       yes      no     no
dhcpv4      release     2000      2000   high     300       yes      no     no
dhcpv4      inform      500       500    low      300       yes      no     no
dhcpv4      renew       2000      2000   high     300       yes      no     no
dhcpv4      forcerenew  2000      2000   high     300       yes      no     no
dhcpv4      leasequery  2000      2000   high     300       yes      no     no
dhcpv4      leaseuna..  2000      2000   high     300       yes      no     no
dhcpv4      leaseunk..  2000      2000   high     300       yes      no     no
dhcpv4      leaseact..  2000      2000   high     300       yes      no     no
dhcpv4      bootp       300       300    low      300       yes      no     no
dhcpv4      no-msgtype  0         0      low      300       yes      no     no
dhcpv4      bad-pack..  0         0      low      300       yes      no     no
```
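A configuration-drift check built on the brief output above, as an added example that is not part of the Juniper documentation: it parses the table, lists the policers whose values carry an asterisk, and compares that count with the "Number of policers modified" line. The function names `parse_brief` and `audit` are hypothetical; the sample rows are copied from the dhcpv4 brief sample output on this page.

```python
import re

# Constructed sample: rows copied from the dhcpv4 "brief" sample output on this page.
SAMPLE = """\
Number of policers modified: 2
Protocol    Packet      Bandwidth Burst  Priority Recover   Policer  Bypass FPC
group       type        (pps)     (pkts)          time(sec) enabled  aggr.  mod
dhcpv4      aggregate   669*      5000   medium   300       yes      --     no
dhcpv4      unclass..   300       150    low      300       yes      no     no
dhcpv4      discover    100*      500    low      300       yes      no     no
dhcpv4      no-msgtype  0         0      low      300       yes      no     no
"""

FIELDS = ("group", "type", "bandwidth", "burst", "priority",
          "recover", "enabled", "bypass", "fpc_mod")
NUMERIC = ("bandwidth", "burst", "recover")

def parse_brief(text):
    """Return (declared_modified_count, rows) from 'parameters brief' output."""
    declared, rows = None, []
    for line in text.splitlines():
        m = re.match(r"\s*Number of policers modified:\s*(\d+)", line)
        if m:
            declared = int(m.group(1))
            continue
        cols = line.split()
        # Data rows have exactly nine columns and a numeric bandwidth value;
        # this skips both header lines, prompts and "..." elisions.
        if len(cols) != len(FIELDS) or not cols[2].rstrip("*").isdigit():
            continue
        row = dict(zip(FIELDS, (c.rstrip("*") for c in cols)))
        # An asterisk by a value marks it as changed from the default.
        row["modified"] = [f for f, c in zip(FIELDS, cols) if c.endswith("*")]
        for f in NUMERIC:
            row[f] = int(row[f])
        rows.append(row)
    return declared, rows

def audit(text):
    """Summarise non-default policers and policers set to 0 pps."""
    declared, rows = parse_brief(text)
    changed = [(r["group"], r["type"], r["modified"]) for r in rows if r["modified"]]
    zero = [(r["group"], r["type"]) for r in rows if r["bandwidth"] == 0]
    return {"declared": declared, "changed": changed, "zero_pps": zero,
            "count_matches": declared == len(changed)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A mismatch between the declared count and the starred rows means the captured output was truncated or elided, so the comparison is only meaningful on complete output.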
show ddos-protection protocols dhcpv4 parameters terse
```
user@host> show ddos-protection protocols dhcpv4 parameters terse
Number of policers modified: 2
Protocol    Packet      Bandwidth Burst  Priority Recover   Policer  Bypass FPC
group       type        (pps)     (pkts)          time(sec) enabled  aggr.  mod
dhcpv4      aggregate   669*      5000   medium   300       yes      --     no
dhcpv4      discover    100*      500    low      300       yes      no     no
```
show ddos-protection protocols dhcpv4 parameters
```
user@host> show ddos-protection protocols dhcpv4 parameters
Protocol Group: DHCPv4

  Packet type: aggregate (aggregate for all DHCPv4 traffic)
    Aggregate policer configuration:
      Bandwidth:        669 pps
      Burst:            5000 packets
      Priority:         medium
      Recover time:     300 seconds
      Enabled:          Yes
    FPC slot 1 information:
      Bandwidth: 100% (669 pps), Burst: 100% (5000 packets), enabled

  Packet type: unclassified (Unclassified DHCPv4 traffic)
    Individual policer configuration:
      Bandwidth:        300 pps
      Burst:            150 packets
      Priority:         low
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    FPC slot 1 information:
      Bandwidth: 100% (300 pps), Burst: 100% (150 packets), enabled

  Packet type: discover (DHCPv4 DHCPDISCOVER)
    Individual policer configuration:
      Bandwidth:        100 pps
      Burst:            500 packets
      Priority:         low
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    FPC slot 1 information:
      Bandwidth: 100% (100 pps), Burst: 100% (500 packets), enabled

  Packet type: offer (DHCPv4 DHCPOFFER)
    Individual policer configuration:
      Bandwidth:        1000 pps
      Burst:            1000 packets
      Priority:         low
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    FPC slot 1 information:
      Bandwidth: 100% (1000 pps), Burst: 100% (1000 packets), enabled

  Packet type: request (DHCPv4 DHCPREQUEST)
    Individual policer configuration:
      Bandwidth:        1000 pps
      Burst:            1000 packets
      Priority:         medium
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    FPC slot 1 information:
      Bandwidth: 100% (1000 pps), Burst: 100% (1000 packets), enabled
...
```
show ddos-protection protocols snmp parameters (Starting in Junos OS Release 22.3R1)
```
Packet types: 1, Modified: 0
* = User configured value
Protocol Group: SNMP

  Packet type: aggregate (Aggregate for all snmp traffic)
    Aggregate policer configuration:
      Bandwidth:        100 pps
      Burst:            100 packets
      Priority:         Low
      Recover time:     300 seconds
      Enabled:          Yes
    Routing Engine information:
      Bandwidth: 100 pps, Burst: 100 packets, enabled
```
Release Information
Command introduced in Junos OS Release 11.2.