Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

show ddos-protection protocols

 

Syntax

Release Information

Command introduced in Junos OS Release 11.2.

Command introduced in Junos OS Release 12.3R2 on EX9200 switches and T4000 routers.

Command introduced in Junos OS Release 14.1X53 on QFX Series switches.

Support for Enhanced Subscriber Management added in Junos OS Release 17.3R1.

Command introduced in Junos OS Release 17.4R1 on PTX Series switches.

Description

Display control plane DDoS protection configuration and statistics for supported protocol groups or individual packet types.

Options

noneDisplay information for all packet types in all protocol groups.
aggregate(Optional) Display control plane DDoS protection information for the aggregate policer. The aggregate option is available for all supported protocol groups.
packet-type(Optional) Display control plane DDoS protection information for the specified packet type in the specified protocol group. The available packet types vary by protocol group, and only some protocol groups can have policers for individual packet types.
protocol-group(Optional) Display control plane DDoS protection information for a protocol group.

See the following configuration statements for the list of available protocol-group and packet-type options on different devices that you can use with this command, which are the same as the supported options you use to change default policer configurations:

Required Privilege Level

view

List of Sample Output

show ddos-protection protocols

show ddos-protection protocols (Specific Packet Type with Flow Detection Disabled)

show ddos-protection protocols (Specific Packet Type with Flow Detection Enabled and Automatic)

show ddos-protection protocols (Specific Packet Type with Bandwidth Violation)

Output Fields

Table 1 lists the output fields for the show ddos-protection protocols command. Output fields are listed in the approximate order in which they appear.

Table 1: show ddos-protection protocols Output Fields

Field Name

Field Description

Packet types

Number of packet types

Modified

Number of packets for which policer values have been modified from the default.

Received traffic

Number of traffic flows received.

Currently violated

Number of flows that are currently violating the flow bandwidth limit.

Currently tracked flows

Number of active flows that are being tracked as culprit flows by flow detection.

Total detected flows

Total number of culprit flows that have been detected, including those that have recovered or timed out.

Protocol Group

Name of protocol group.

Packet type

Name of packet type in protocol group.

Bandwidth

Bandwidth policer value; number of packets per second that is allowed before a violation is declared.

Burst

Burst policer value; the maximum number of packets that is allowed in a burst before a violation is declared.

Priority

Priority of the packet type for individual packet policers that enables more important traffic to pass through in the event of traffic congestion: low, medium, or high. Lower priority packets can be dropped when insufficient bandwidth is available.

Recover time

Time that must pass since the last violation before the traffic flow is considered to have recovered from the attack. A notification is generated when the timer expires.

Enabled

State of the policer:

  • Yes—The policer is enabled on both the Routing Engine and the FPC (line card). This is the default state.

  • No—The policer is disabled on both the Routing Engine and the FPC by global configuration. It is not disabled by the packet type level configuration.

  • No*—The policer is disabled on both the Routing Engine and the FPC. The asterisk (*) indicates that one or both of these instances is disabled at the packet type level; it may also be disabled globally.

  • Partial—The policer is disabled on either the Routing Engine or the FPC, but not both. It is disabled by global configuration. It is not disabled by the packet type level configuration.

  • Partial*—The policer is disabled on either the Routing Engine or the FPC, but not both. The asterisk (*) indicates that the instance is disabled by the packet type level configuration; it may also be disabled globally.

Disabling can occur globally for all packet types at the [edit system ddos-protection global] hierarchy level, for a specific packet type at the [edit system ddos-protection protocols protocol-group (aggregate | packet-type] hierarchy level, or at both levels.

Bypass aggregate

State of the bypass aggregate configuration:

  • Yes—The aggregate policer is bypassed.

  • No—The aggregate policer is enforced.

This field appears only for individual policers.

Flow detection configuration

State of flow detection configured on the router:

  • Detection mode—Mode of operation for suspicious flow detection: automatic, off, or on.

  • Log flows—State of automatic logging of suspicious traffic flows: on (Yes) or off (No).

  • Timeout flows—State of culprit flow timeout behavior: flow is suppressed for a configured timeout period (Yes) or flow is suppressed until it is no longer in violation (No).

  • Detect time—Time in seconds that must pass before a suspicious flow that has exceeded the bandwidth allowed for the packet type is considered to be a culprit flow.

  • Recover time—Time in seconds that must pass before a culprit flow is considered to have returned to normal. The period starts when the flow drops below the threshold that triggered the last violation.

  • Timeout time—Time in seconds that a culprit flow is suppressed, if timeouts have been enabled.

  • Flow aggregation level configuration—Flow detection mode, flow control mode, and flow bandwidth for traffic at each of the traffic flow aggregation levels: subscriber, logical interface, and physical interface.

    • Detection mode—State of flow detection: automatic, off, or on.

      Control mode—Mode of controlling culprit traffic: dropped, kept, or policed back to within the allowed bandwidth.

      Flow rate—Bandwidth allowed for the control traffic in packets per second.

System-wide information

The following information collected for the router:

  • A message indicates whether the policer has been violated.

  • No. of FPCs currently receiving excess traffic—Number of cards that are currently in violation of a policer.

  • No. of FPCs that have received excess traffic—Number of cards that have at some point been in violation of a policer.

  • Violation first detected at—Timestamp of the first violation.

  • Violation last seen at—Timestamp of the last observed violation.

  • Duration of violation—Length of the violation.

  • Number of violations—Number of times the violation has occurred.

  • Received—Number of packets received at all card slots and the Routing Engine.

  • Dropped—Number of packets dropped regardless of where they were dropped.

  • Arrival rate—Current traffic rate for packets arriving from all cards and at the Routing Engine.

  • Max arrival rate—Highest traffic rate for packets arriving from all cards and at the Routing Engine.

Routing Engine information

The following information collected for the Routing Engine:

  • Bandwidth—Maximum number of packets per second that is allowed.

  • Burst—Maximum number of packets that is allowed in a burst.

  • State of the policer:

    • enabled—The Routing Engine policer is enabled. This is the default state.

    • disabled—The Routing Engine policer is disabled globally. It is not disabled by the packet type level configuration.

    • disabled*—The Routing Engine policer is disabled by the packet type level configuration; it may also be disabled globally.

  • A message indicates whether the policer has been violated; the policer might be passed at the individual cards, but the combined rate of packets arriving at the Routing Engine can exceed the configured policer value.

  • Violation first detected at—Timestamp of the first violation.

  • Violation last seen at—Timestamp of the last observed violation.

  • Duration of violation—Length of the violation.

  • Number of violations—Number of times the violation has occurred.

  • Received—Number of packets received at the Routing Engine from all cards.

  • Dropped—Number of packets dropped at the Routing Engine; includes packets dropped by the aggregate policer and by individual protocol policers.

  • Arrival rate—Current traffic rate for packets arriving at the Routing Engine from all cards.

  • Max arrival rate—Highest traffic rate for packets arriving at the Routing Engine from all cards.

  • Dropped by aggregate policer—Number of packets dropped by the aggregate policer.

  • Dropped by individual policers—Number of packets dropped by individual policer.

FPC slot information

The following information collected for the card in the indicated slot:

  • Bandwidth—Bandwidth scaling percentage and the number of packets per second that is allowed before a violation is declared.

  • Burst—Burst scaling percentage and the maximum number of packets that is allowed in a burst before a violation is declared.

  • State of the policer:

    • enabled—The FPC policer is enabled. This is the default state.

    • disabled—The FPC policer is disabled globally. It is not disabled by the packet type level configuration.

    • disabled*—The FPC policer is disabled by the packet type level configuration; it may also be disabled globally.

  • A message indicates whether the policer has been violated.

  • Violation first detected at—Timestamp of the first violation.

  • Violation last seen at—Timestamp of the last observed violation.

  • Duration of violation—Length of the violation.

  • Number of violations—Number of times the violation has occurred.

  • Received—Number of packets received on the line card.

  • Dropped—Number of packets dropped at the line card; includes packets dropped by the aggregate policer and by individual protocol policers.

  • Arrival rate—Current traffic rate for packets arriving at the line card.

  • Max arrival rate—Highest traffic rate for packets arriving at the line card.

  • Dropped by this policer—Number of packets dropped by the individual policer.

  • Dropped by aggregate policer—Number of packets dropped by the aggregate policer.

Note: On MX Series routers with built-in MPCs—the MX5, MX10, MX40, MX80, and MX104 routers—this field actually displays information for tfeb0 because these routers have no Flexible PIC Concentrator (FPC) slots. Instead, the Packet Forwarding Engine has two “pseudo” FPCs (FPC 0 and FPC1).

Bypass aggr.

State of the bypass aggregate configuration:

  • Yes—The aggregate policer configuration is bypassed.

  • No—The aggregate policer configuration is enforced.

Dashes indicate that the bypass aggregate configuration is not available; this is possible only for aggregate policers.

FPC Mod

Indicates whether configuration has changed from the default for any line cards.

  • No—The default configuration has not changed from the default for the packet type.

  • Yes—The default configuration has changed from the default for the packet type

Op mode

Mode of operation for suspicious flow detection for the packet type: always-on (on), (auto), or disabled (off).

Policer BW (pps)

Bandwidth policer value; number of packets per second that is allowed before a violation is declared.

Aggr level Op:Fc:Bwidth (pps)

Flow operation mode, flow control mode, and flow bandwidth for traffic of the packet type at each traffic flow aggregation level: subscriber (sub), logical interface (ifl), and physical interface (ifd).

Log flow

State of automatic logging of suspicious traffic flows for the packet type: on (Yes) or off (No).

Time out

State of culprit flow timeout behavior for the packet type: flow is suppressed or monitored for a configured timeout period (Yes) or flow is suppressed or monitored until it is no longer in violation (No).

Sample Output

show ddos-protection protocols

user@host> show ddos-protection protocols

show ddos-protection protocols (Specific Packet Type with Flow Detection Disabled)

user@host> show ddos-protection protocols pppoe padi

show ddos-protection protocols (Specific Packet Type with Flow Detection Enabled and Automatic)

user@host> show ddos-protection protocols pppoe padi

show ddos-protection protocols (Specific Packet Type with Bandwidth Violation)

user@host> show ddos-protection protocols bfd