- play_arrow Port Security
- play_arrow Port Security Overview
-
- play_arrow IPSec
- play_arrow Understanding IPsec and Security Associations
- play_arrow IPsec Configurations and Examples
- play_arrow Configuring IPsec Security Associations
- play_arrow Using Digital Certificates for IPsec
- play_arrow Additional IPsec Options
- play_arrow Configuring IPsec Dynamic Endpoints
- play_arrow Additional ES and AS PIC Configuration Examples
- Example: ES PIC Manual SA Configuration
- Example: AS PIC Manual SA Configuration
- Example: ES PIC IKE Dynamic SA Configuration
- Example: AS PIC IKE Dynamic SA Configuration
- Example: IKE Dynamic SA Between an AS PIC and an ES PIC Configuration
- Example: AS PIC IKE Dynamic SA with Digital Certificates Configuration
- Example: Dynamic Endpoint Tunneling Configuration
-
- play_arrow Digital Certificates
- play_arrow Configuring Digital Certificates
- Public Key Cryptography
- Configuring Digital Certificates
- Configuring Digital Certificates for an ES PIC
- IKE Policy for Digital Certificates on an ES PIC
- Configuring Digital Certificates for Adaptive Services Interfaces
- Configuring Auto-Reenrollment of a Router Certificate
- IPsec Tunnel Traffic Configuration
- Tracing Operations for Security Services
- play_arrow Configuring SSH and SSL Router Access
-
- play_arrow Trusted Platform Module
- play_arrow MACsec
- play_arrow Understanding MACsec
- play_arrow MACsec Examples
-
- play_arrow MAC Limiting and Move Limiting
- play_arrow MAC Limiting and Move Limiting Configurations and Examples
- Understanding MAC Limiting and MAC Move Limiting
- Understanding MAC Limiting on Layer 3 Routing Interfaces
- Understanding and Using Persistent MAC Learning
- Configuring MAC Limiting
- Example: Configuring MAC Limiting
- Verifying That MAC Limiting Is Working Correctly
- Override a MAC Limit Applied to All Interfaces
- Configuring MAC Move Limiting (ELS)
- Verifying That MAC Move Limiting Is Working Correctly
- Verifying That the Port Error Disable Setting Is Working Correctly
-
- play_arrow DHCP Protection
- play_arrow DHCPv4 and DHCPv6
- play_arrow DHCP Snooping
- Understanding DHCP Snooping (ELS)
- Understanding DHCP Snooping (non-ELS)
- Understanding DHCP Snooping Trust-All Configuration
- Enabling DHCP Snooping (non-ELS)
- Configuring Static DHCP IP Addresses
- Example: Protecting Against Address Spoofing and Layer 2 DoS Attacks
- Example: Protecting Against DHCP Snooping Database Attacks
- Example: Protecting Against ARP Spoofing Attacks
- Example: Prioritizing Snooped and Inspected Packet
- Configuring DHCP Security with Q-in-Q Tunneling in Service Provider Style
- play_arrow DHCP Option 82
- play_arrow Dynamic ARP Inspection (DAI)
-
- play_arrow IP Source Guard
- play_arrow Understanding IP Source Guard
- play_arrow IP Source Guard Examples
- Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN
- Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces
- Example: Configuring IP Source Guard and Dynamic ARP Inspection to Protect the Switch from IP Spoofing and ARP Spoofing
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
- Configuring IP Source Guard to Mitigate the Effects of Source IP Address Spoofing and Source MAC Address Spoofing
- Example: Configuring IP Source Guard and Dynamic ARP Inspection on a Specified Bridge Domain to Protect the Devices Against Attacks
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
-
- play_arrow IPv6 Access Security
- play_arrow Neighbor Discovery Protocol
- play_arrow SLAAC Snooping
- play_arrow Router Advertisement Guard
-
- play_arrow Unicast Forwarding
- play_arrow Unicast Reverse Path Forwarding
- play_arrow Unknown Unicast Forwarding
-
- play_arrow Storm Control
- play_arrow Malware Protection
- play_arrow Juniper Malware Removal Tool
-
- play_arrow Configuration Statements and Operational Commands
Configuring How Flow Detection Operates Globally
Flow detection is disabled globally for all protocol groups
and packet types by default. After you have turned on flow detection
globally with the flow-detection statement at the [edit system ddos-protection global] hierarchy level, you can
include the flow-detection-mode statement to configure how flow detection operates globally for all protocol
groups and packet types. By default, flow detection operates in automatic
mode for all packet types, meaning that it monitors control traffic
for suspicious flows only after a DDoS policer has been violated.
You can also configure flow detection either to never monitor flows
or to always monitor flows.
When flow detection is turned on, traffic flows are monitored
by default for all protocol groups and packet types. You can override
the global configuration by including the flow-detection-mode statement at the [edit system ddos-protection protocols protocol-group packet-type] hierarchy level to configure how flow detection works for a protocol
group or a packet type. You can also use the flow-level-detection statement to specify the behavior for one or more traffic
flow aggregation levels (subscriber, logical interface, or physical
interface).
In a virtual chassis configuration, we recommend that you override
flow detection for all Virtual Chassis control packets. The flow is
based on the MAC address of the module in the FPC slot. If the virtual-chassis control-low flow is in violation, then all
control traffic is lost, resulting in unexpected behavior. This behavior
can include DHCP and PPPoE control traffic loss, loss of ARP requests,
routing protocol flaps, and more.
To override flow detection for Virtual Chassis control packets when you have enabled global flow detection:
Disable flow detection for each packet type.
content_copy zoom_out_map[edit] user@host# set system ddos-protection protocols virtual-chassis control-low flow-detection-mode off user@host# set system ddos-protection protocols virtual-chassis control-high flow-detection-mode off user@host# set system ddos-protection protocols virtual-chassis unclassified flow-detection-mode off user@host# set system ddos-protection protocols virtual-chassis vc-packets flow-detection-mode off user@host# set system ddos-protection protocols virtual-chassis vc-ttl-errors flow-detection-mode off
Flow detection supports the following three modes:
automatic—When a control plane DDoS protection policer is violated, traffic flows where the violation occurred are monitored for suspicious behavior. Each suspicious flow is examined to determine whether it is the culprit flow that caused the violation.
off—Traffic flows are never monitored for any protocol group or packet type.
on—Traffic flows for all protocol groups and packet types are monitored for suspicious flows even when no DDoS protection policer is currently being violated.
The detection mode is set to automatic by default.
This means that if you enable global flow-detection and do not specify
a mode, then flows are detected only when the policer is being violated.
To configure how flow detection operates at each flow aggregation level:
Specify the detection mode.
content_copy zoom_out_map[edit system ddos-protection protocols global] user@host# set flow-detection-mode flow-detection-mode
For example, to configure flow detection to always monitor and detect flows for all protocol groups and packet types at all flow aggregation levels:
[edit system ddos-protection global] user@host# set flow-detection-mode on
