Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS Security Services Administration Guide Control Plane Distributed Denial-of-Service (DDoS) Protection and Flow Detection Control Plane DDoS Protection

Security Services Administration Guide

keyboard_arrow_up
close
keyboard_arrow_left
Security Services Administration Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Configuring Control Plane DDoS Protection

date_range 11-Nov-24
arrow_backward
arrow_forward

Control plane DDoS protection is enabled by default for all supported protocol groups and packet types. Devices have default values for bandwidth (packet rate in pps), bandwidth scale, burst (number of packets in a burst), burst scale, priority, and recover time. To see the default policer values for all supported protocol groups and packet types, run the show ddos-protection protocols CLI command before modifying any configurable DDoS protection values.

Note:

EX2300 and EX2300-C switches might have control plane DDoS protection but don’t support CLI options to show or change the default policer parameters.

Starting in Junos OS Release 24.2R1 the EX4100 and EX4400 devices and starting in Junos OS Release 24.4R1 the EX3400 and EX4300-MP devices support CLI options to show or change the default policer parameters.

You can change the control plane DDoS configuration parameters as follows:

  • For individual packet types supported within a protocol group, you can change bandwidth (pps), burst (packets), and priority policer values.

    Note:

    On PTX10003 and PTX10008 routers, you can change default bandwidth (pps) and burst (packets) values for aggregate or packet type policers, but not priority values.

  • For the aggregate policer for a protocol group, you can change bandwidth (pps) and burst (packets) policer values.

  • When you set bandwidth (pps), burst (packets), and priority values for a protocol group or packet type policer, the same values apply at all policer levels. Change the scaling configuration options to tune those values at the Packet Forwarding Engine level.

    Note:

    ACX Series routers with control plane DDoS protection support changing policer values at the Routing Engine level, which propagates down to the PFE chipset level. They don’t support the line card scaling configuration options at the [edit system ddos-protection protocols protocol-group aggregate fpc statement hierarchy.

You can disable control plane DDoS protection as follows:

  • On most routing devices that have policers at the Routing Engine level, you can disable control plane DDoS protection at the Routing Engine and for all line cards either globally or for individual packet types within a protocol group.

  • PTX10003, PTX10008 and PTX10016 routers include policers at the Routing Engine level, but like other PTX Series routers, you can only disable line-card policers.

  • On other PTX Series routers and QFX Series switches, policers are supported only at the line cards, so on these devices you can disable control plane DDoS protection for all line cards either globally or for individual packet types within a protocol group.

Control plane DDoS logging is enabled by default, but you can disable it globally for all control plane DDoS events or for individual packet types within a protocol group. You can also configure tracing operations for monitoring control plane DDoS events.

Note:

MX Series routers with MPCs and T4000 routers with FPC5s support control plane DDoS protection. The CLI accepts the configuration if other line cards are also installed on either of these types of routers, but the other line cards are not protected so the router is essentially not protected.

To change default-configured control plane DDoS protection parameters:

  1. (Optional) Configure global control plane DDoS protection settings or disable control plane DDoS protection.

  2. (Optional) Configure control plane DDoS protection settings for the aggregate policer or individual packet types for the desired protocol groups.

  3. (Optional) Configure tracing for control plane DDoS protection operations.

Disabling Control Plane DDoS Protection Policers and Logging Globally

Control plane DDoS protection policers are enabled by default for all supported protocol groups and packet types.

On ACX Series routers, you can disable policers globally or for individual protocol groups at the Routing Engine level. Disabling policers globally essentially disables control plane DDoS protection on the device.

On MX Series routers, T4000 routers, and EX9200 switches, policers are established at the level of the individual line card and the Routing Engine. You can disable the line card policers globally for all MPCs or FPC5s. You can also disable the Routing Engine policer. When you disable either of these policers, the policers at that level for all protocol groups and packet types are disabled.

On PTX Series routers and QFX Series switches, policers are established at the level of individual line cards only. If you disable line-card policers globally, control plane DDoS protection is disabled on the switch.

PTX10003, PTX10008 and PTX10016 routers include policers at the Routing Engine level, but like other PTX Series routers, you can only disable line-card policers.

Control plane DDoS protection logging is also enabled by default. You can disable all control plane DDoS event logging (including flow detection event logging) for all protocol groups and packet types across the router or switch.

Note:

The global configuration for disabling policers and logging overrides any local configuration for packet types.

To configure global control plane DDoS protection settings:

  1. (Optional) (Not available on ACX Series routers) To disable line card policers:
    content_copy zoom_out_map
    [edit system ddos-protection global]
user@host# set disable-fpc
  2. (Optional) (Not available on PTX Series Routers or QFX Series switches) To disable Routing Engine policers:
    content_copy zoom_out_map
    [edit system ddos-protection global]
user@host# set disable-routing-engine
  3. (Optional) To disable event logging:
    content_copy zoom_out_map
    [edit system ddos-protection global]
user@host# set disable-logging

Configuring Control Plane DDoS Protection Aggregate or Individual Packet Type Policers

Control plane DDoS policers are applied to control packet traffic and are enabled by default for all supported protocol groups and packet types. You can change default policer parameters to configure different values for the maximum allowed traffic rate, maximum burst size, traffic priority, and how much time must pass since the last violation before the traffic flow is considered to have recovered from the attack. You can also scale the bandwidth and burst values for individual line cards so that the policers at this level trigger at lower thresholds than the overall protocol or packet thresholds.

Protocol group and packet type support varies across platforms and Junos OS releases, as follows:

You can configure aggregate policer values for any protocol group. The aggregate policer applies to the combination of all types of control packet traffic for that group.

Note:

ACX Series routers only support the aggregate policer for any supported protocol groups.

For some protocol groups, you can also configure policer values for individual packet types. When you configure aggregate policer values for certain protocol groups, you can optionally bypass that policer for one or more particular packet types in that group.

Best Practice:

Although all policers have default parameter values, these values might not accurately reflect the control traffic pattern of your network. We recommend that you model your network to determine the best values for your situation. Before you configure policers for your network, you can quickly view the default values for all packet types from operational mode using the show ddos-protection protocols parameters brief command. You can also use the command to specify a single protocol group of interest. For example, to see default values for the dhcpv4 protocol group, use the show ddos-protection protocols dhcpv4 parameters brief command.

You can disable a packet type policer at either the Routing Engine level (if supported) or at the Packet Forwarding Engine level (if supported) for a specified line card or for all line cards. You can also disable logging of all control plane DDoS protection events for individual packet types within a protocol group.

To configure the desired aggregate or packet-type DDoS protection policer settings:

  1. Specify the protocol group.
    content_copy zoom_out_map
    [edit system ddos-protection protocols]
user@host# edit protocol-group

    For example, to specify the DHCPv4 protocol group on MX Series, PTX10003 or PTX10008 routers:

    content_copy zoom_out_map
    [edit system ddos-protection protocols]
user@host# edit dhcpv4

    or, on ACX Series, PTX Series, and QFX Series devices, control plane DDoS protection support has a combined DHCPv4 and DHCPv6 option that allows only aggregate policer configuration:

    content_copy zoom_out_map
    [edit system ddos-protection protocols]
user@host# edit dhcpv4v6
  2. Specify a supported individual packet type or the aggregate option to encompass all packet types in the protocol group.
    content_copy zoom_out_map
    [edit system ddos-protection protocols protocol-group]
user@host# set packet-type

    or

    content_copy zoom_out_map
    [edit system ddos-protection protocols protocol-group]
user@host# set aggregate

    For example, to specify only DHCPv4 release packets on devices that support individual DHCPv4 packet types:

    content_copy zoom_out_map
    [edit system ddos-protection protocols dhcpv4]
user@host# edit release
  3. (Optional) Configure the maximum traffic rate the policer allows for the packet type (or aggregate).
    content_copy zoom_out_map
    [edit system ddos-protection protocols protocol-group (aggregate | packet-type)]
user@host# set bandwidth packets-per-second

    For example, to set a bandwidth of 600 packets per second for DHCPv4 release packets:

    content_copy zoom_out_map
    [edit system ddos-protection protocols dhcpv4 release]
user@host# set bandwidth 600
  4. (Optional) Configure the maximum number of packets of this packet type (or aggregate) that the policer allows in a burst of traffic.
    content_copy zoom_out_map
    [edit system ddos-protection protocols protocol-group (aggregate | packet-type)]
user@host# set burst size

    For example, to set a maximum of 5000 DHCPv4 release packets:

    content_copy zoom_out_map
    [edit system ddos-protection protocols dhcpv4 release]
user@host# set burst 5000
  5. (Optional) Set the traffic priority.
    Note:

    You can’t change default priority values on PTX10003 or PTX10008 routers.

    content_copy zoom_out_map
    [edit system ddos-protection protocols protocol-group (aggregate | packet-type)]
user@host# set priority level

    For example, to specify a medium priority for DHCPv4 release packets:

    content_copy zoom_out_map
    [edit system ddos-protection protocols dhcpv4 release]
user@host# set priority medium
  6. (Optional) Configure how much time must pass since the last violation before the traffic flow is considered to have recovered from the attack.
    content_copy zoom_out_map
    [edit system ddos-protection protocols protocol-group (aggregate | packet-type)]
user@host# set recover-time seconds

    For example, to specify that 600 seconds must have passed since the last violation of the DHCPv4 release packet policer:

    content_copy zoom_out_map
    [edit system ddos-protection protocols dhcpv4 release]
user@host# set recover-time 600
  7. (Optional, supported on some devices) Bypass the aggregate policer configuration. This is applicable only when an aggregate policer and an individual policer is configured for the protocol group.
    content_copy zoom_out_map
    [edit system ddos-protection protocols protocol-group packet-type]
user@host# set bypass-aggregate

    For example, to bypass the aggregate policer for DHCPv4 renew packets:

    content_copy zoom_out_map
    [edit system ddos-protection protocols dhcpv4 renew]
user@host# set bypass-aggregate
  8. (Optional, supported on some devices) Disable line card policers for the packet type (or aggregate) on all line cards.
    content_copy zoom_out_map
    [edit system ddos-protection protocols protocol-group (aggregate | packet-type)]
user@host# set disable-fpc
    Note:

    When you disable line card policers globally at the [edit system ddos-protection global] hierarchy level, the global setting overrides the per-packet type setting shown in this step. If you subsequently remove the global configuration, then the per-packet type configuration takes effect.

    For example, to disable the line card policer for DHCPv4 bootp packets:

    content_copy zoom_out_map
    [edit system ddos-protection protocols dhcpv4 bootp]
user@host# set disable-fpc
  9. (Optional) Disable control plane DDoS protection event logging for only one packet type (or aggregate).
    content_copy zoom_out_map
    [edit system ddos-protection protocols protocol-group (aggregate | packet-type)]
user@host# set disable-logging
    Note:

    Events disabled for the packet are associated with policer violations; logging of flow detection culprit flow events is not affected by this statement.

    Note:

    When you disable control plane DDoS protection event logging globally at the [edit system ddos-protection global] hierarchy level, the global setting overrides the per-packet type setting shown in this step. If you subsequently remove the global configuration, then the per-packet type configuration takes effect.

    For example, to disable control plane DDoS protection event logging on the line card policer for DHCPv4 discover packets:

    content_copy zoom_out_map
    [edit system ddos-protection protocols dhcpv4 discover]
user@host# set disable-logging
  10. (Optional, not available on PTX Series Routers or QFX Series switches) Disable the Routing Engine policer for only this packet type.
    content_copy zoom_out_map
    [edit system ddos-protection protocols protocol-group packet-type]
user@host# set disable-routing-engine
    Note:

    When you disable the Routing Engine policer globally at the [edit system ddos-protection global] hierarchy level, the global setting overrides the per-packet type setting shown in this step. If you subsequently remove the global configuration, then the per-packet type configuration takes effect.

    For example, to disable the Routing Engine policer for DHCPv4 discover packets:

    content_copy zoom_out_map
    [edit system ddos-protection protocols dhcpv4 discover]
user@host# set disable-routing-engine
  11. (Optional, not supported on ACX Series routers) Configure packet-level settings for the packet type (or aggregate) on a single line card. On switches with a single, fixed line card (a single FPC considered to be in slot 0 and labeled fpc0), scaling the policer values affects the entire switch.
    content_copy zoom_out_map
    [edit system ddos-protection protocols protocol-group (aggregate | packet-type)]
user@host# edit fpc slot-number

    For example, to access DHCPv4 discover packet settings on the line card in slot 3:

    content_copy zoom_out_map
    [edit system ddos-protection protocols dhcpv4 discover]
user@host# edit fpc 3
  12. (Optional, not supported on ACX Series routers) Scale the policer bandwidth for the packet type (or aggregate) on the line card.
    content_copy zoom_out_map
    [edit system ddos-protection protocols protocol-group (aggregate | packet-type) fpc slot-number]
user@host# set bandwidth-scale percentage

    For example, to scale the bandwidth to 80 percent of the all-line-card setting configured for DHCPv4 discover packets on the line card in slot 3:

    content_copy zoom_out_map
    [edit system ddos-protection protocols dhcpv4 discover fpc 3]
user@host# edit bandwidth-scale 80
  13. (Optional, not supported on ACX Series routers) Scale the policer burst size for the packet type (or aggregate) on the line card.
    content_copy zoom_out_map
    [edit system ddos-protection protocols protocol-group (aggregate | packet-type) fpc slot-number]
user@host# set burst-scale percentage

    For example, to scale the maximum bandwidth to 75 percent of the all-line-card setting configured for DHCPv4 discover packets on the line card in slot 3:

    content_copy zoom_out_map
    [edit system ddos-protection protocols dhcpv4 discover fpc 3]
user@host# edit burst-scale 75
  14. (Optional, not supported on ACX Series routers) Disable the line card policer for the packet type (or aggregate) on a particular line card.
    content_copy zoom_out_map
    [edit system ddos-protection protocols protocol-group (aggregate | packet-type) fpc slot-number]
user@host# set disable-fpc

    For example, to disable the line card policer for DHCPv4 discover packets on the line card in slot 3:

    content_copy zoom_out_map
    [edit system ddos-protection protocols dhcpv4 discover fpc 3]
user@host# edit disable-fpc

See Also

Verifying and Managing Control Plane DDoS Protection

Purpose

View or clear information about control plane DDoS protection configurations, states, and statistics.

Action

  • To display the control plane DDoS protection policer configuration, violation state, and statistics for all packet types in all protocol groups:

    content_copy zoom_out_map
    user@host> show ddos-protection protocols

    Run this command before you make any configuration changes to see the default policer values.

  • To display the control plane DDoS protection policer configuration, violation state, and statistics for a particular packet type in a particular protocol group:

    content_copy zoom_out_map
    user@host> show ddos-protection protocols protocol-group packet-type

  • To display only the number of control plane DDoS protection policer violations for all protocol groups:

    content_copy zoom_out_map
    user@host> show ddos-protection protocols violations

  • To display a table of the control plane DDoS protection configuration for all packet types in all protocol groups:

    content_copy zoom_out_map
    user@host> show ddos-protection protocols parameters brief

  • To display a complete list of packet statistics and control plane DDoS protection violation statistics for all packet types in all protocol groups:

    content_copy zoom_out_map
    user@host> show ddos-protection protocols statistics detail

  • To display global control plane DDoS protection violation statistics:

    content_copy zoom_out_map
    user@host> show ddos-protection statistics

  • To display the control plane DDoS protection version number:

    content_copy zoom_out_map
    user@host> show ddos-protection version

  • To clear control plane DDoS protection statistics for all packet types in all protocol groups:

    content_copy zoom_out_map
    user@host> clear ddos-protection protocols statistics

  • To clear control plane DDoS protection statistics for all packet types in a particular protocol group:

    content_copy zoom_out_map
    user@host> clear ddos-protection protocols protocol-group statistics

  • To clear control plane DDoS protection statistics for a particular packet type in a particular protocol group:

    content_copy zoom_out_map
    user@host> clear ddos-protection protocols protocol-group packet-type  statistics

  • To clear control plane DDoS protection violation states for all packet types in all protocol groups:

    content_copy zoom_out_map
    user@host> clear ddos-protection protocols states

  • To clear control plane DDoS protection violation states for all packet types in a particular protocol group:

    content_copy zoom_out_map
    user@host> clear ddos-protection protocols protocol-group states

  • To clear control plane DDoS protection violation states for a particular packet type in a particular protocol group:

    content_copy zoom_out_map
    user@host> clear ddos-protection protocols protocol-group packet-type  states

See Also

arrow_backward PREVIOUS Control Plane Distributed Denial-of-Service (DDoS) Protection Overview
NEXT arrow_forward Tracing Control Plane DDoS Protection Operations
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top