- play_arrow Port Security
- play_arrow Port Security Overview
-
- play_arrow IPSec
- play_arrow Understanding IPsec and Security Associations
- play_arrow IPsec Configurations and Examples
- play_arrow Configuring IPsec Security Associations
- play_arrow Using Digital Certificates for IPsec
- play_arrow Additional IPsec Options
- play_arrow Configuring IPsec Dynamic Endpoints
- play_arrow Additional ES and AS PIC Configuration Examples
- Example: ES PIC Manual SA Configuration
- Example: AS PIC Manual SA Configuration
- Example: ES PIC IKE Dynamic SA Configuration
- Example: AS PIC IKE Dynamic SA Configuration
- Example: IKE Dynamic SA Between an AS PIC and an ES PIC Configuration
- Example: AS PIC IKE Dynamic SA with Digital Certificates Configuration
- Example: Dynamic Endpoint Tunneling Configuration
-
- play_arrow Digital Certificates
- play_arrow Configuring Digital Certificates
- Public Key Cryptography
- Configuring Digital Certificates
- Configuring Digital Certificates for an ES PIC
- IKE Policy for Digital Certificates on an ES PIC
- Configuring Digital Certificates for Adaptive Services Interfaces
- Configuring Auto-Reenrollment of a Router Certificate
- IPsec Tunnel Traffic Configuration
- Tracing Operations for Security Services
- play_arrow Configuring SSH and SSL Router Access
-
- play_arrow Trusted Platform Module
- play_arrow MACsec
- play_arrow Understanding MACsec
- play_arrow MACsec Examples
-
- play_arrow MAC Limiting and Move Limiting
- play_arrow MAC Limiting and Move Limiting Configurations and Examples
- Understanding MAC Limiting and MAC Move Limiting
- Understanding MAC Limiting on Layer 3 Routing Interfaces
- Understanding and Using Persistent MAC Learning
- Configuring MAC Limiting
- Example: Configuring MAC Limiting
- Verifying That MAC Limiting Is Working Correctly
- Override a MAC Limit Applied to All Interfaces
- Configuring MAC Move Limiting (ELS)
- Verifying That MAC Move Limiting Is Working Correctly
- Verifying That the Port Error Disable Setting Is Working Correctly
-
- play_arrow DHCP Protection
- play_arrow DHCPv4 and DHCPv6
- play_arrow DHCP Snooping
- Understanding DHCP Snooping (ELS)
- Understanding DHCP Snooping (non-ELS)
- Understanding DHCP Snooping Trust-All Configuration
- Enabling DHCP Snooping (non-ELS)
- Configuring Static DHCP IP Addresses
- Example: Protecting Against Address Spoofing and Layer 2 DoS Attacks
- Example: Protecting Against DHCP Snooping Database Attacks
- Example: Protecting Against ARP Spoofing Attacks
- Example: Prioritizing Snooped and Inspected Packet
- Configuring DHCP Security with Q-in-Q Tunneling in Service Provider Style
- play_arrow DHCP Option 82
- play_arrow Dynamic ARP Inspection (DAI)
-
- play_arrow IP Source Guard
- play_arrow Understanding IP Source Guard
- play_arrow IP Source Guard Examples
- Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN
- Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces
- Example: Configuring IP Source Guard and Dynamic ARP Inspection to Protect the Switch from IP Spoofing and ARP Spoofing
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
- Configuring IP Source Guard to Mitigate the Effects of Source IP Address Spoofing and Source MAC Address Spoofing
- Example: Configuring IP Source Guard and Dynamic ARP Inspection on a Specified Bridge Domain to Protect the Devices Against Attacks
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
-
- play_arrow IPv6 Access Security
- play_arrow Neighbor Discovery Protocol
- play_arrow SLAAC Snooping
- play_arrow Router Advertisement Guard
-
- play_arrow Unicast Forwarding
- play_arrow Unicast Reverse Path Forwarding
- play_arrow Unknown Unicast Forwarding
-
- play_arrow Storm Control
- play_arrow Malware Protection
- play_arrow Juniper Malware Removal Tool
-
- play_arrow Configuration Statements and Operational Commands
ON THIS PAGE
Configuring the Control Plane DDoS Protection Trace Log Filename
Configuring the Number and Size of Control Plane DDoS Protection Log Files
Configuring Access to the Control Plane DDoS Protection Log File
Configuring a Regular Expression for Control Plane DDoS Protection Messages to Be Logged
Configuring the Severity Level to Filter Which Control Plane DDoS Protection Messages Are Logged
Tracing Control Plane DDoS Protection Operations
The Junos OS trace feature tracks control plane DDoS protection operations and records events in a log file. The error descriptions captured in the log file provide detailed information to help you solve problems.
By default, nothing is traced. When you enable the tracing operation, the default tracing behavior is as follows:
Important events are logged in a file located in the
/var/logdirectory. By default, the router uses the filenamejddosd. You can specify a different filename, but you cannot change the directory in which trace files are located.When the trace log file
filenamereaches 128 kilobytes (KB), it is compressed and renamedfilename.0.gz. Subsequent events are logged in a new file calledfilename, until it reaches capacity again. At this point,filename.0.gzis renamedfilename.1.gzandfilenameis compressed and renamedfilename.0.gz. This process repeats until the number of archived files reaches the maximum file number. Then the oldest trace file—the one with the highest number—is overwritten.You can optionally specify the number of trace files to be from 2 through 1000. You can also configure the maximum file size to be from 10 KB through 1 gigabyte (GB). (For more information about how log files are created, see the System Log Explorer.)
By default, only the user who configures the tracing operation can access log files. You can optionally configure read-only access for all users.
This topic describes how you can configure all aspects of control plane DDoS protection tracing operations.
Configuring the Control Plane DDoS Protection Trace Log Filename
By default, the name of the file that records trace output for
control plane DDoS protection is jddosd. You can specify
a different name with the file option.
To configure the filename for subscriber management database tracing operations:
Specify the name of the file used for the trace output.
content_copy zoom_out_map[edit system ddos-protection traceoptions] user@host# set file ddos_logfile_1
Configuring the Number and Size of Control Plane DDoS Protection Log Files
You can optionally specify the number of compressed, archived trace log files to be from 2 through 1000. You can also configure the maximum file size to be from 10 KB through 1 gigabyte (GB); the default size is 128 kilobytes (KB).
The archived files are differentiated by a suffix in the format .number.gz. The newest archived file is .0.gz and the oldest archived file is .(maximum
number)-1.gz. When the current trace log file reaches
the maximum size, it is compressed and renamed, and any existing archived
files are renamed. This process repeats until the maximum number of
archived files is reached, at which point the oldest file is overwritten.
For example, you can set the maximum file size to 2 MB, and
the maximum number of files to 20. When the file that receives the
output of the tracing operation, filename, reaches 2 MB, filename is
compressed and renamed filename.0.gz, and a new file called filename is
created. When the new filename reaches
2 MB, filename.0.gz is renamed filename.1.gz and filename is compressed and renamed filename.0.gz. This process repeats until there are 20 trace files.
Then the oldest file, filename.19.gz, is simply overwritten when the next oldest file, filename.18.gz is compressed and renamed to filename.19.gz.
To configure the number and size of trace files:
Specify the name, number, and size of the file used for the trace output.
content_copy zoom_out_map[edit system ddos-protection traceoptions] user@host# set file ddos_1_logfile_1 files 20 size 2097152
Configuring Access to the Control Plane DDoS Protection Log File
By default, only the user who configures the tracing operation can access the log files. You can enable all users to read the log file and you can explicitly set the default behavior of the log file.
To specify that all users can read the log file:
Configure the log file to be world-readable.
content_copy zoom_out_map[edit system ddos-protection traceoptions] user@host# set file ddos_1 _logfile_1 world-readable
To explicitly set the default behavior, only the user who configured tracing can read the log file:
Configure the log file to be no-world-readable.
content_copy zoom_out_map[edit system ddos-protection traceoptions] user@host# set file ddos_1 _logfile_1 no-world-readable
Configuring a Regular Expression for Control Plane DDoS Protection Messages to Be Logged
By default, the trace operation output includes all messages relevant to the logged events.
You can refine the output by including regular expressions to be matched.
To configure regular expressions to be matched:
Configure the regular expression.
content_copy zoom_out_map[edit system ddos-protection traceoptions] user@host# set file ddos_1 _logfile_1 match regex
Configuring the Control Plane DDoS Protection Tracing Flags
By default, only important events are logged. You can specify which events and operations are logged by specifying one or more tracing flags.
To configure the flags for the events to be logged:
Configure the flags.
content_copy zoom_out_map[edit system ddos-protection traceoptions] user@host# set flag flag
Configuring the Severity Level to Filter Which Control Plane DDoS Protection Messages Are Logged
The messages associated with a logged event are categorized
according to severity level. You can use the severity level to determine
which messages are logged for the event type. The severity level that
you configure depends on the issue that you are trying to resolve.
In some cases you might be interested in seeing all messages relevant
to the logged event, so you specify all or verbose. Either choice generates a large amount of output. You can specify
a more restrictive severity level, such as notice or info to filter the messages . By default, the trace operation
output includes only messages with a severity level of error.
To configure the type of messages to be logged:
Configure the message severity level.
content_copy zoom_out_map[edit system ddos-protection traceoptions] user@host# set level severity
