show ddos-protection protocols statistics

 

Syntax

Release Information

Command introduced in Junos OS Release 11.2.

Command introduced in Junos OS Release 12.3R2 on EX9200 switches and T4000 routers.

Command introduced in Junos OS Release 14.1X53 on QFX Series switches.

Description

Display traffic statistics and DDoS policer violation statistics for all protocol groups or for a particular protocol group.

Note

DDoS protection policers act on the system’s traffic queues. The QFX5100 and QFX5200 lines of switches manage traffic for more protocols than the number of queues, so the system often must map more than one protocol to the same queue. When traffic for one protocol shares a queue with other protocols and violates DDoS protection policer limits, this command reports a violation on that queue for all mapped protocols because the system doesn’t distinguish which protocol’s traffic specifically caused the violation. You can use what you know about the types of traffic flowing through your network to identify which of the reported protocols actually triggered the violation.

Options

none: Display information for all protocol groups.
brief | detail | terse: (Optional) Display the specified level of output.
  • brief—Display basic function information.

  • detail—Add information to the brief output; it is identical to the output displayed when you choose no option. The brief and detail options display information for all protocol groups, which can be a long list.

  • terse—Display the same level of information as the brief option but only for active protocol groups—groups that show traffic in the Received (packets) column.

protocol-group: (Optional) Display information for a particular protocol group. See show ddos-protection protocols for a list of available groups.

Required Privilege Level

view

List of Sample Output

show ddos-protection protocols statistics

show ddos-protection protocols statistics brief

show ddos-protection protocols statistics terse

show ddos-protection protocols pppoe statistics

show ddos-protection protocols pppoe statistics brief

Output Fields

Table 1 lists the output fields for the show ddos-protection protocols statistics command. Output fields are listed in the approximate order in which they appear.

Table 1: show ddos-protection protocols statistics Output Fields

Field Name

Field Description

Level of Output

Protocol Group

Name of protocol group.

All levels

Packet type

Name of packet type in protocol group.

All levels

System-wide information

The following information is collected for the router:

  • A message indicates whether the policer has been violated.

  • No. of FPCs currently receiving excess traffic—Number of cards that are currently in violation of a policer.

  • No. of FPCs that have received excess traffic—Number of cards that have at some point been in violation of a policer.

  • Violation first detected at—Timestamp of the first violation.

  • Violation last seen at—Timestamp of the last observed violation.

  • Duration of violation—Length of the violation.

  • Number of violations—Number of times the violation has occurred.

  • Received—Number of packets received at all card slots and the Routing Engine.

  • Dropped—Number of packets dropped regardless of where they were dropped.

  • Arrival rate—Current traffic rate for packets arriving from all cards and at the Routing Engine.

  • Max arrival rate—Highest traffic rate for packets arriving from all cards and at the Routing Engine.

detail, none

Routing Engine information

The following information is collected for the Routing Engine:

  • A message indicates whether the policer has been violated; the policer might be passed at the individual cards, but the combined rate of packets arriving at the Routing Engine can exceed the configured policer value.

  • Violation first detected at—Timestamp of the first violation.

  • Violation last seen at—Timestamp of the last observed violation.

  • Duration of violation—Length of the violation.

  • Number of violations—Number of times the violation has occurred.

  • Received—Number of packets received at the Routing Engine from all cards.

  • Dropped—Number of packets dropped at the Routing Engine; includes packets dropped by the aggregate policer and by individual protocol policers.

  • Arrival rate—Current traffic rate for packets arriving at the Routing Engine from all cards.

  • Max arrival rate—Highest traffic rate for packets arriving at the Routing Engine from all cards.

  • Dropped by aggregate policer—Number of packets dropped by the aggregate policer.

  • Dropped by individual policers—Number of packets dropped by individual policers.

detail, none

FPC slot information

The following information is collected for the card in the indicated slot:

  • A message indicates whether the policer has been violated

  • Violation first detected at—Timestamp of the first violation

  • Violation last seen at—Timestamp of the last observed violation

  • Duration of violation—Length of the violation

  • Number of violations—Number of times the violation has occurred

  • Received—Number of packets received on the line card

  • Dropped—Number of packets dropped at the line card; includes packets dropped by the aggregate policer and by individual protocol policers

  • Arrival rate—Current traffic rate for packets arriving at the line card

  • Max arrival rate—Highest traffic rate for packets arriving at the line card

  • Dropped by this policer—Number of packets dropped by the individual policer

  • Dropped by aggregate policer—Number of packets dropped by the aggregate policer

detail, none

Received (packets)

Number of packets of this packet type or protocol group received at all cards and the Routing Engine.

brief, terse

Dropped (packets)

Number of packets dropped for this packet type or protocol group, regardless of where the packets were dropped.

brief, terse

Rate (pps)

Highest observed traffic rate for this packet type or protocol group.

brief, terse

Violation counts

Number of violations of the policer bandwidth.

brief, terse

State

Violation state of the packet type:

  • ok—Policer has not been violated for this packet type

  • viol—Policer has been violated for this packet type

brief, terse
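The following Python sketch is an added example, not part of the Juniper documentation. It parses saved brief or terse output into the Table 1 fields and separates policers currently in the viol state from those that are ok but have a nonzero violation count. The sample text, its column layout, and the function names are constructed assumptions; adjust the pattern to match the output on your platform and release.

```python
import re

# Constructed sample using the brief/terse columns from Table 1.
# Real output layout can differ by platform and Junos release.
SAMPLE = """\
Protocol    Packet      Received     Dropped      Rate     Violation State
group       type        (packets)    (packets)    (pps)    counts
resolve     aggregate   359          0            0        0         ok
resolve     mcast-v4    359          0            0        0         ok
pppoe       aggregate   1200000      400000       9500     3         viol
pppoe       padi        1150000      398000       9400     3         viol
arp         aggregate   2100         0            12       1         ok
"""

# group, packet type, received, dropped, rate, violation counts, state
ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(ok|viol)\s*$")

def parse_terse(text):
    """Return one dict per data row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        group, ptype, rx, drop, rate, viol, state = m.groups()
        rows.append({"group": group, "ptype": ptype, "received": int(rx),
                     "dropped": int(drop), "rate_pps": int(rate),
                     "violations": int(viol), "state": state})
    return rows

def triage(rows):
    """Split rows into (active, past): state viol now, or ok with a
    nonzero violation count. Active rows are sorted by drops, highest first."""
    active = sorted((r for r in rows if r["state"] == "viol"),
                    key=lambda r: r["dropped"], reverse=True)
    past = [r for r in rows if r["state"] == "ok" and r["violations"] > 0]
    return active, past

def drop_ratio(row):
    """Derived figure (not a CLI field): dropped / received, 0.0 if idle."""
    return row["dropped"] / row["received"] if row["received"] else 0.0

if __name__ == "__main__":
    active, past = triage(parse_terse(SAMPLE))
    for r in active:
        print(f"VIOL {r['group']}/{r['ptype']} drops={r['dropped']} "
              f"ratio={drop_ratio(r):.1%} max_rate={r['rate_pps']}pps")
    for r in past:
        print(f"PAST {r['group']}/{r['ptype']} violations={r['violations']}")
```

On QFX5100 and QFX5200 switches, several rows in the viol state at once can reflect a single shared queue, as the Note in the Description explains.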

Sample Output

show ddos-protection protocols statistics

user@host> show ddos-protection protocols statistics

show ddos-protection protocols statistics brief

user@host> show ddos-protection protocols statistics brief

show ddos-protection protocols statistics terse

user@host> show ddos-protection protocols statistics terse

show ddos-protection protocols pppoe statistics

user@host> show ddos-protection protocols pppoe statistics

show ddos-protection protocols pppoe statistics brief

user@host> show ddos-protection protocols pppoe statistics brief