Configuring Control Plane DDoS Protection

Control plane DDoS protection policers are enabled by default for all supported protocol groups and packet types.

On ACX Series routers, you can disable policers globally or for individual protocol groups at the Routing Engine level. Disabling policers globally essentially disables control plane DDoS protection on the device.

On MX Series routers, T4000 routers, and EX9200 switches, policers are established at the level of the individual line card and the Routing Engine. You can disable the line card policers globally for all MPCs or FPC5s. You can also disable the Routing Engine policer. When you disable either of these policers, the policers at that level for all protocol groups and packet types are disabled.

On PTX Series routers and QFX Series switches, policers are established at the level of individual line cards only. If you disable line-card policers globally, control plane DDoS protection is disabled on the switch.

PTX10003, PTX10008 and PTX10016 routers include policers at the Routing Engine level, but like other PTX Series routers, you can only disable line-card policers.

Control plane DDoS protection logging is also enabled by default. You can disable all control plane DDoS event logging (including flow detection event logging) for all protocol groups and packet types across the router or switch.

Note:

The global configuration for disabling policers and logging overrides any local configuration for packet types.

To configure global control plane DDoS protection settings:

Control plane DDoS policers are applied to control packet traffic and are enabled by default for all supported protocol groups and packet types. You can change default policer parameters to configure different values for the maximum allowed traffic rate, maximum burst size, traffic priority, and how much time must pass since the last violation before the traffic flow is considered to have recovered from the attack. You can also scale the bandwidth and burst values for individual line cards so that the policers at this level trigger at lower thresholds than the overall protocol or packet thresholds.

Protocol group and packet type support varies across platforms and Junos OS releases, as follows:

• For most routing devices, see protocols (DDoS).

• For ACX Series routers, PTX Series routers and QFX Series switches, see protocols (DDoS) (ACX Series, PTX Series, and QFX Series).

You can configure aggregate policer values for any protocol group. The aggregate policer applies to the combination of all types of control packet traffic for that group.

Note:

ACX Series routers only support the aggregate policer for any supported protocol groups.

For some protocol groups, you can also configure policer values for individual packet types. When you configure aggregate policer values for certain protocol groups, you can optionally bypass that policer for one or more particular packet types in that group.

Best Practice:

Although all policers have default parameter values, these values might not accurately reflect the control traffic pattern of your network. We recommend that you model your network to determine the best values for your situation. Before you configure policers for your network, you can quickly view the default values for all packet types from operational mode using the show ddos-protection protocols parameters brief command. You can also use the command to specify a single protocol group of interest. For example, to see default values for the dhcpv4 protocol group, use the show ddos-protection protocols dhcpv4 parameters brief command.

You can disable a packet type policer at either the Routing Engine level (if supported) or at the Packet Forwarding Engine level (if supported) for a specified line card or for all line cards. You can also disable logging of all control plane DDoS protection events for individual packet types within a protocol group.

To configure the desired aggregate or packet-type DDoS protection policer settings: