show ddos-protection protocols

Number of packet types

Number of packets for which policer values have been modified from the default.

Number of traffic flows received.

Number of flows that are currently violating the flow bandwidth limit.

Number of active flows that are being tracked as culprit flows by flow detection.

Total number of culprit flows that have been detected, including those that have recovered or timed out.

Name of protocol group.

Name of packet type in protocol group.

Bandwidth policer value; number of packets per second that is allowed before a violation is declared.

Burst policer value; the maximum number of packets that is allowed in a burst before a violation is declared.

Priority of the packet type for individual packet policers that enables more important traffic to pass through in the event of traffic congestion: low, medium, or high. Lower priority packets can be dropped when insufficient bandwidth is available.

Time that must pass since the last violation before the traffic flow is considered to have recovered from the attack. A notification is generated when the timer expires.

State of the policer:

• Yes—The policer is enabled on both the Routing Engine and the FPC (line card). This is the default state.

• No—The policer is disabled on both the Routing Engine and the FPC by global configuration. It is not disabled by the packet type level configuration.

• No*—The policer is disabled on both the Routing Engine and the FPC. The asterisk (*) indicates that one or both of these instances is disabled at the packet type level; it may also be disabled globally.

• Partial—The policer is disabled on either the Routing Engine or the FPC, but not both. It is disabled by global configuration. It is not disabled by the packet type level configuration.

• Partial*—The policer is disabled on either the Routing Engine or the FPC, but not both. The asterisk (*) indicates that the instance is disabled by the packet type level configuration; it may also be disabled globally.

Disabling can occur globally for all packet types at the [edit system ddos-protection global] hierarchy level, for a specific packet type at the [edit system ddos-protection protocols protocol-group (aggregate | packet-type] hierarchy level, or at both levels.

State of the bypass aggregate configuration:

• Yes—The aggregate policer is bypassed.

• No—The aggregate policer is enforced.

This field appears only for individual policers.

State of flow detection configured on the router:

• Detection mode—Mode of operation for suspicious flow detection: automatic, off, or on.

• Log flows—State of automatic logging of suspicious traffic flows: on (Yes) or off (No).

• Timeout flows—State of culprit flow timeout behavior: flow is suppressed for a configured timeout period (Yes) or flow is suppressed until it is no longer in violation (No).

• Detect time—Time in seconds that must pass before a suspicious flow that has exceeded the bandwidth allowed for the packet type is considered to be a culprit flow.

• Recover time—Time in seconds that must pass before a culprit flow is considered to have returned to normal. The period starts when the flow drops below the threshold that triggered the last violation.

• Timeout time—Time in seconds that a culprit flow is suppressed, if timeouts have been enabled.

• Flow aggregation level configuration—Flow detection mode, flow control mode, and flow bandwidth for traffic at each of the traffic flow aggregation levels: subscriber, logical interface, and physical interface.

  • Detection mode—State of flow detection: automatic, off, or on.

    Control mode—Mode of controlling culprit traffic: dropped, kept, or policed back to within the allowed bandwidth.

    Flow rate—Bandwidth allowed for the control traffic in packets per second.

The following information collected for the router:

• A message indicates whether the policer has been violated.

• No. of FPCs currently receiving excess traffic—Number of cards that are currently in violation of a policer.

• No. of FPCs that have received excess traffic—Number of cards that have at some point been in violation of a policer.

• Violation first detected at—Timestamp of the first violation.

• Violation last seen at—Timestamp of the last observed violation.

• Duration of violation—Length of the violation.

• Number of violations—Number of times the violation has occurred.

• Received—Number of packets received at all card slots and the Routing Engine.

• Dropped—Number of packets dropped regardless of where they were dropped.

• Arrival rate—Current traffic rate for packets arriving from all cards and at the Routing Engine.

• Max arrival rate—Highest traffic rate for packets arriving from all cards and at the Routing Engine.

The following information collected for the Routing Engine:

• Bandwidth—Maximum number of packets per second that is allowed.

• Burst—Maximum number of packets that is allowed in a burst.

• State of the policer:

  • enabled—The Routing Engine policer is enabled. This is the default state.

  • disabled—The Routing Engine policer is disabled globally. It is not disabled by the packet type level configuration.

  • disabled*—The Routing Engine policer is disabled by the packet type level configuration; it may also be disabled globally.

• A message indicates whether the policer has been violated; the policer might be passed at the individual cards, but the combined rate of packets arriving at the Routing Engine can exceed the configured policer value.

• Violation first detected at—Timestamp of the first violation.

• Violation last seen at—Timestamp of the last observed violation.

• Duration of violation—Length of the violation.

• Number of violations—Number of times the violation has occurred.

• Received—Number of packets received at the Routing Engine from all cards.

• Dropped—Number of packets dropped at the Routing Engine; includes packets dropped by the aggregate policer and by individual protocol policers.

• Arrival rate—Current traffic rate for packets arriving at the Routing Engine from all cards.

• Max arrival rate—Highest traffic rate for packets arriving at the Routing Engine from all cards.

• Dropped by aggregate policer—Number of packets dropped by the aggregate policer.

• Dropped by individual policers—Number of packets dropped by individual policer.

The following information collected for the card in the indicated slot:

• Bandwidth—Bandwidth scaling percentage and the number of packets per second that is allowed before a violation is declared.

• Burst—Burst scaling percentage and the maximum number of packets that is allowed in a burst before a violation is declared.

• State of the policer:

  • enabled—The FPC policer is enabled. This is the default state.

  • disabled—The FPC policer is disabled globally. It is not disabled by the packet type level configuration.

  • disabled*—The FPC policer is disabled by the packet type level configuration; it may also be disabled globally.

• A message indicates whether the policer has been violated.

• Violation first detected at—Timestamp of the first violation.

• Violation last seen at—Timestamp of the last observed violation.

• Duration of violation—Length of the violation.

• Number of violations—Number of times the violation has occurred.

• Received—Number of packets received on the line card.

• Dropped—Number of packets dropped at the line card; includes packets dropped by the aggregate policer and by individual protocol policers.

• Arrival rate—Current traffic rate for packets arriving at the line card.

• Max arrival rate—Highest traffic rate for packets arriving at the line card.

• Dropped by this policer—Number of packets dropped by the individual policer.

• Dropped by aggregate policer—Number of packets dropped by the aggregate policer.

State of the bypass aggregate configuration:

• Yes—The aggregate policer configuration is bypassed.

• No—The aggregate policer configuration is enforced.

Dashes indicate that the bypass aggregate configuration is not available; this is possible only for aggregate policers.

Indicates whether configuration has changed from the default for any line cards.

• No—The default configuration has not changed from the default for the packet type.

• Yes—The default configuration has changed from the default for the packet type

Mode of operation for suspicious flow detection for the packet type: always-on (on), (auto), or disabled (off).

Bandwidth policer value; number of packets per second that is allowed before a violation is declared.

Flow operation mode, flow control mode, and flow bandwidth for traffic of the packet type at each traffic flow aggregation level: subscriber (sub), logical interface (ifl), and physical interface (ifd).

State of automatic logging of suspicious traffic flows for the packet type: on (Yes) or off (No).

State of culprit flow timeout behavior for the packet type: flow is suppressed or monitored for a configured timeout period (Yes) or flow is suppressed or monitored until it is no longer in violation (No).