
protocols (DDoS) (PTX Series and QFX Series)

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 11.2.

Statement introduced in Junos OS Release 14.1X53 on QFX Series switches.

Statement introduced in Junos OS Release 17.4R1 on PTX Series routers.

Description

Change the default values of the configurable DDoS policer parameters, either for all packet types within a protocol group or for one particular packet type within a protocol group.

Note

PTX10003 routers don’t support the priority option to change default priority values for aggregate or individual packet type policers.

QFX10002-60C switches and PTX Series routers other than PTX10003 routers do not support the bypass-aggregate option.

Not all protocol groups and packet types listed in Table 1 or Table 2 below are supported on all devices. Exceptions include:

  • PTX10003 routers do not support the following DDoS policer protocol group options: all-fiber-channel-enode, bridge-control, diameter, garp-reply, l2pt, ptp, radius, and tacacs.

  • Other PTX Series routers do not support the following DDoS policer protocol group options: all-fiber-channel-enode, arp-snoop, bridge-control, dhcpv4v6, diameter, garp-reply, martian-address, proto-802-1x, ptp, pvstp, radius, stp, and tacacs.

  • QFX10002-60C switches do not support the following DDoS policer protocol group options: all-fiber-channel-enode, arp-snoop, bridge-control, dhcpv4v6, diameter, garp-reply, martian-address, proto-802-1x, ptp, radius, and tacacs.

Options

aggregate—Configure parameters for the policer that polices all control packets belonging to the specified protocol group as a combined group. An aggregate policer exists for every protocol group.

packet-type—Configure policer values for the specified individual control packet type within a protocol group.

On some devices, you can configure the packet-type policers in the protocol groups listed in Table 1. For all other protocol groups not listed in Table 1, only aggregate policers are available.

Table 1 lists the protocol groups that have packet-type policers on some devices, together with common default values for the configurable parameters. Default values can differ among supporting devices and across Junos OS releases; run the show ddos-protection protocols CLI command before modifying any configurable value to see the default policer values for all protocol groups and packet types supported on your device. Each of these protocol groups also supports the aggregate policer. (See Table 2 for the default aggregate policer values for all protocol groups.)

Table 1: Packet Types Supported by DDoS Protection on PTX Series Routers and QFX Series Switches

| Protocol Group | Packet Type | Description | Default Bandwidth | Default Burst | Default Priority |
|---|---|---|---|---|---|
| arp | arp-snoop | ARP snooping traffic | 500 | 1024 or 2048 | High |
| arp | unclassified | Unclassified ARP packets | 500 | 1024 | High |
| bfd | bundle-bfd | (PTX10003 only) Link bundle BFD traffic | 30000 | 10000 | High |
| bfd | multihop-bfd | Multihop BFD traffic | 1500 or 30000 | 2048 or 10000 | High |
| bfd | unclassified | Unclassified BFD packets | 1000, 6000, 10000 or 250000 | 2048 | High |
| dhcpv4 (PTX10003 routers only; for rate-limiting at line card and RE levels) | ack | DHCPACK packets | 500 | 500 | Medium |
| dhcpv4 | bad-packets | DHCPv4 packets with bad formats | 0 | 0 | Low |
| dhcpv4 | bootp | DHCPBOOTP packets | 300 | 300 | Low |
| dhcpv4 | decline | DHCPDECLINE packets | 500 | 500 | Low |
| dhcpv4 | discover | DHCPDISCOVER packets | 500 | 500 | Low |
| dhcpv4 | force-renew | DHCPFORCERENEW packets | 2000 | 2000 | High |
| dhcpv4 | inform | DHCPINFORM packets | 500 | 500 | Low |
| dhcpv4 | lease-active | DHCPLEASEACTIVE packets | 2000 | 2000 | High |
| dhcpv4 | lease-query | DHCPLEASEQUERY packets | 2000 | 2000 | High |
| dhcpv4 | lease-unassigned | DHCPLEASEUNASSIGNED packets | 2000 | 2000 | High |
| dhcpv4 | lease-unknown | DHCPLEASEUNKNOWN packets | 2000 | 2000 | High |
| dhcpv4 | nak | DHCPNAK packets | 500 | 500 | Low |
| dhcpv4 | no-message-type | DHCP packets that are missing the message type | 1000 | 1000 | Low |
| dhcpv4 | offer | DHCPOFFER packets | 1000 | 1000 | Low |
| dhcpv4 | rebind | DHCPv4 REBIND packets | 2000 | 2000 | High |
| dhcpv4 | release | DHCPRELEASE packets | 2000 | 2000 | High |
| dhcpv4 | renew | DHCPRENEW packets | 2000 | 2000 | High |
| dhcpv4 | request | DHCPREQUEST packets | 1000 | 1000 | Medium |
| dhcpv4 | unclassified | All unclassified DHCPv4 packets | 300 | 150 | Low |
| dhcpv6 (PTX10003 routers only; for rate-limiting at line card and RE levels) | advertise | DHCPv6 ADVERTISE packets | 500 | 500 | Low |
| dhcpv6 | confirm | DHCPv6 CONFIRM packets | 1000 | 1000 | Medium |
| dhcpv6 | decline | DHCPv6 DECLINE packets | 1000 | 1000 | Low |
| dhcpv6 | information-request | DHCPv6 INFORMATION-REQUEST packets | 1000 | 1000 | Low |
| dhcpv6 | leasequery | DHCPv6 LEASEQUERY packets | 1000 | 1000 | Low |
| dhcpv6 | leasequery-data | DHCPv6 LEASEQUERY-DATA packets | 1000 | 1000 | Low |
| dhcpv6 | leasequery-done | LEASEQUERY-DONE packets | 1000 | 1000 | Low |
| dhcpv6 | leasequery-reply | DHCPv6 LEASEQUERY-REPLY packets | 1000 | 1000 | Low |
| dhcpv6 | rebind | DHCPv6 REBIND packets | 2000 | 2000 | Medium |
| dhcpv6 | reconfigure | DHCPv6 RECONFIGURE packets | 1000 | 1000 | Low |
| dhcpv6 | relay-forward | DHCPv6 RELAY-FORWARD packets | 1000 | 1000 | Low |
| dhcpv6 | relay-reply | DHCPv6 RELAY-REPLY packets | 1000 | 1000 | Low |
| dhcpv6 | release | DHCPv6 RELEASE packets | 2000 | 2000 | High |
| dhcpv6 | renew | DHCPv6 RENEW packets | 2000 | 2000 | Medium |
| dhcpv6 | reply | DHCPv6 REPLY packets | 1000 | 1000 | Medium |
| dhcpv6 | request | DHCPv6 REQUEST packets | 1000 | 1000 | Medium |
| dhcpv6 | solicit | DHCPv6 SOLICIT packets | 500 | 500 | Low |
| dhcpv6 | unclassified | All unclassified DHCPv6 packets | 3000 | 3000 | Low |
| eoam | oam-cfm | Ethernet OAM CFM traffic | 200 or 1000 | 1024 or 2048 | High |
| eoam | unclassified | Unclassified Ethernet OAM traffic | 100000 | 1024 or 2048 | High |
| igmpv6 | mld | MLD traffic | 1000 | 1024 or 2048 | High |
| igmpv6 | unclassified | Unclassified IGMPv6 packets | 1000 or 90000 | 1024 or 2048 | High |
| ldp (PTX10003 routers only) | aggregate | All LDP packets | 5000 | 2048 | High |
| ldp | ldp-hello | LDP HELLO traffic | 1000 | 1024 | High |
| mcast-snoop | igmp | Control packets for IGMP snooping | 500 or 20000 | 2048 or 5000 | High |
| mcast-snoop | mld | Control packets for MLD snooping | 500 or 2000 | 2048 | High |
| mcast-snoop | pim | Control packets for PIM snooping | 500 or 2000 | 2048 | High |
| mcast-snoop | unclassified | Unclassified multicast snooping control packets | 500 | 2048 | High |
| radius | accounting | RADIUS accounting packets | 200 | 2048 | High |
| radius | authorization | RADIUS authorization packets | 200 | 2048 | High |
| radius | server | RADIUS server traffic | 200 | 2048 | High |
| radius | unclassified | Unclassified RADIUS traffic | 200 | 2048 | High |
| tcc | ethernet-tcc | TCC-encapsulated Ethernet traffic | 100 | 100, 1024 or 2048 | High |
| tcc | iso-tcc | TCC-encapsulated ISO traffic | 100 | 100, 1024 or 2048 | High |
| tcc | unclassified | Unclassified TCC-encapsulated traffic | 100 | 1024 or 2048 | High |

protocol-group—Configure policer values for the specified protocol group. You can configure the aggregate policer for any of the protocol groups listed in Table 2, which shows the default values of the aggregate policer parameters for each group. Default values can differ among supporting devices and across Junos OS releases; run the show ddos-protection protocols CLI command before modifying any configurable value to see the default policer values for all protocol groups and packet types supported on your device. The protocol groups in Table 2 that also support individual packet-type policers are listed in Table 1.

Table 2: Protocol Groups Supported by DDoS Protection on QFX Switches

| Protocol Group | Description | Default Bandwidth | Default Burst |
|---|---|---|---|
| all-fiber-channel-enode | Fiber channel ENode traffic | 10 | 1024 or 2048 |
| arp | ARP traffic | 500 or 2000 | 1024 or 2048 |
| arp-snoop | ARP snooping traffic. Note: The arp protocol group option encompasses this as a packet type option on some devices. | 500 | 2048 |
| bfd | Single-hop BFD traffic | 1000, 10000, 30000, or 250000 | 2048 or 10000 |
| bfdv6 | BFDv6 traffic | 3000 or 250000 | 2048 or 10000 |
| bgp | BGP traffic | 1500, 3000, 5000, or 250000 | 2048 or 4096 |
| bridge-control | Bridge Control traffic | 10 | 2048 |
| dhcpv4 (PTX10003 routers only) | Aggregate for all DHCPv4 traffic (priority Medium). Note: On PTX10003 routers, use this option for rate-limiting at PFE line card and RE levels. Use the aggregate option dhcpv4v6 for rate-limiting at PFE chip level. | 5000 | 5000 |
| dhcpv6 (PTX10003 routers only) | Aggregate for all DHCPv6 traffic (priority Low). Note: On PTX10003 routers, use this option for rate-limiting at PFE line card and RE levels. Use the aggregate option dhcpv4v6 for rate-limiting at PFE chip level. | 5000 | 5000 |
| dhcpv4v6 | DHCPv4 and DHCPv6 traffic (limits apply to the combined traffic). Note: On PTX10003 routers, use this aggregate option for rate-limiting at PFE chip level only (priority is Low). Use the dhcpv4 and dhcpv6 protocol group and individual packet type options for rate-limiting at line card and RE levels. | 500 or 5000 | 2048 or 5000 |
| diameter | Diameter and Gx-Plus traffic | 200 | 2048 |
| dns | DNS traffic | 200 | 200 or 2048 |
| dtcp | DTCP traffic | 200 | 200 or 2048 |
| egpv6 | EGPv6 traffic | 10 | 10 or 2048 |
| eoam | Ethernet OAM traffic. Note: On PTX10003 routers, the aggregate eoam protocol group option includes OAM-CFM packets (there is no oam-cfm individual packet type option). | 200, 1000, 20000, or 100000 | 102, 2048, or 10000 |
| ethernet-tcc | TCC-encapsulated Ethernet traffic. Note: The tcc protocol group option encompasses this as a packet type option on some devices. | 100 | 100 or 2048 |
| ftp | FTP traffic | 500 or 1500 | 1500 or 2048 |
| garp-reply | Gratuitous ARP reply traffic | 100 | 2048 |
| gre | GRE traffic | 500 | 500 or 2048 |
| icmp | ICMP traffic | 500 | 500 or 2048 |
| igmp | IGMPv4 and IGMPv6 traffic. Note: On PTX Series and QFX10002-60C devices, use this option for IGMPv4 traffic only and the igmpv6 option for IGMPv6 traffic. On PTX10003 routers, this option encompasses aggregated IGMP and MLD traffic. | 1000, 20000, or 90000 | 2048 or 5000 |
| igmpv6 | IGMPv6 traffic | 20000 or 90000 | 2048 or 5000 |
| ip-options | IP traffic with IP packet header options | 100 | 100 or 2048 |
| isis | IS-IS traffic | 1000 or 5000 | 2048 or 4096 |
| iso-tcc | TCC-encapsulated ISO traffic. Note: The tcc protocol group option encompasses this as a packet type option on some devices. | 100 | 100 or 2048 |
| l2pt | Layer 2 protocol tunneling traffic | 500 | 2048 |
| l2tp | Layer 2 tunneling protocol traffic | 500 | 500 or 2048 |
| lacp | LACP traffic | 300 | 300 or 2048 |
| ldp | LDP traffic | 1000 or 5000 | 200 or 2048 |
| ldp-hello | LDP hello packets. Note: On PTX10003 routers, the ldp protocol group encompasses this as an individual packet type option. | 1000 | 2048 |
| lldp | LLDP traffic | 60 or 300 | 300 or 2048 |
| lmp | LMP traffic | 100 | 100 or 2048 |
| martian-address | Martian address traffic | 200 | 20 |
| mcast-snoop | Control traffic for multicast snooping | 500 or 22000 | 2048 or 6000 |
| mld | MLD traffic. Note: The igmpv6 protocol group option encompasses this as a packet type option on some devices. | 1000 | 2048 |
| msdp | MSDP traffic | 300 | 300 or 2048 |
| multihop-bfd | Multihop BFD traffic. Note: The bfd protocol group option encompasses this as a packet type option on some devices. | 1500 | 2048 |
| ndpv6 | NDPv6 traffic | 100 or 500 | 1024 |
| ntp | NTP traffic | 200 | 200 or 2048 |
| oam-cfm | OAM CFM traffic. Note: The eoam protocol group option encompasses this as a packet type option on some devices. On PTX10003 routers, the aggregate eoam protocol group option includes OAM-CFM packets (there is no oam-cfm individual packet type option). | 200 | 2048 |
| oam-lfm | OAM LFM traffic | 200 or 1000 | 1000 or 2048 |
| ospf | OSPF traffic | 1000 or 5000 | 200, 2048, or 4096 |
| ospf-hello | OSPF hello packets | 1000, 1500, or 5000 | 2048 or 4096 |
| pim-ctrl | PIM control packets | 1000 or 1500 | 200 or 2048 |
| pim-data | PIM data | 2000 or 3000 | 1024 or 2048 |
| proto-802-1x | 802.1X traffic | 200 | 200 or 2048 |
| ptp | PTP traffic | 100 | 2048 |
| pvstp | PVSTP traffic | 2000 | 2048 |
| radius | RADIUS traffic | 200 | 2048 |
| reject | Packets rejected by a next-hop forwarding decision | 100 | 100 or 2048 |
| resolve | Unclassified IPv4 and IPv6 resolve packets sent to the host because of a traffic request resolve action | 100 or 500 | 100 or 2048 |
| rip | RIP traffic | 100 | 100 or 2048 |
| rsvp | RSVP traffic | 1000 or 20000 | 2048 or 10000 |
| snmp | SNMP traffic | 500 | 500 or 2048 |
| ssh | SSH traffic | 500 | 500 or 2048 |
| stp | STP traffic | 2000 | 2000 or 2048 |
| tacacs | TACACS+ traffic | 200 | 2048 |
| tcc | Transitional Cross-connect encapsulated traffic | 100 or 200 | 200, 1024, or 2048 |
| telnet | Telnet traffic | 500 | 500 or 2048 |
| ttl | Time to Live packets | 100 or 2000 | 2048 |
| unclassified | Traffic that cannot be classified into one of the other available protocol groups | 100 or 10000 | 2048 or 10000 |
| vrrp | VRRP traffic | 1000 | 1000 or 2048 |
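The following structured-format configuration is an added example, not taken from this page or from Juniper's documentation, showing how the aggregate, packet-type, priority and bypass-aggregate options described above fit together for the arp and bfd protocol groups. It assumes the statement sits at [edit system ddos-protection], a QFX Series switch other than QFX10002-60C (so that both priority and bypass-aggregate are available), and that the arp and bfd groups expose these packet types on that switch, which Table 1 says is true only on some devices; the bandwidth and burst numbers are constructed, and bandwidth is in packets per second.

```junos
/* Added example, not from the Juniper page. Assumes a QFX Series switch
   other than QFX10002-60C and the [edit system ddos-protection] hierarchy.
   Values are constructed; confirm the platform defaults first with
   "show ddos-protection protocols". */
system {
    ddos-protection {
        protocols {
            arp {
                /* Group-wide ceiling for all ARP control packets that reach
                   the Routing Engine, regardless of packet type. */
                aggregate {
                    bandwidth 300;
                    burst 300;
                }
                /* ARP snooping keeps its own budget and a high priority, so it
                   is served first when the aggregate limit is exceeded. */
                arp-snoop {
                    bandwidth 200;
                    burst 200;
                    priority high;
                }
                /* Unclassified ARP is demoted: when the aggregate is exceeded,
                   low-priority types are the first to be dropped. */
                unclassified {
                    bandwidth 100;
                    burst 100;
                    priority low;
                }
            }
            bfd {
                /* Multihop BFD keeps its own policer but is excluded from the
                   bfd aggregate, so a burst of unclassified BFD packets that
                   exhausts the aggregate cannot starve established sessions. */
                multihop-bfd {
                    bandwidth 1500;
                    burst 2048;
                    bypass-aggregate;
                }
            }
        }
    }
}
```

After committing, compare the result against the defaults with show ddos-protection protocols arp and show ddos-protection protocols bfd; on PTX10003 routers the priority statements must be removed, and on QFX10002-60C or non-PTX10003 PTX routers the bypass-aggregate statement must be removed, because those platforms do not support them.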

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.
