protocols (DDoS) (PTX Series and QFX Series)

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 11.2.

Statement introduced in Junos OS Release 14.1X53 on QFX Series switches.

Statement introduced in Junos OS Release 17.4R1 on PTX Series routers.

Description

Configure DDoS policers for all packet types within a protocol group or for a particular packet type within a protocol group.

Note

PTX Series routers and QFX10002-60C switches do not support the bypass-aggregate option.

Not all protocol groups and packet types listed in Table 1 or Table 2 below are supported on all devices. Exceptions include:

  • PTX Series routers do not support the following DDoS policer protocol group options: all-fiber-channel-enode, arp-snoop, bridge-control, dhcpv4v6, diameter, garp-reply, martian-address, proto-802-1x, ptp, pvstp, radius, stp, and tacacs

  • QFX10002-60C switches do not support the following DDoS policer protocol group options: all-fiber-channel-enode, arp-snoop, bridge-control, dhcpv4v6, diameter, garp-reply, martian-address, proto-802-1x, ptp, radius, and tacacs

Options

aggregate—Configure the policer that polices all control packets belonging to the specified protocol as a combined group. An aggregate policer exists for all protocol groups.

packet-type—Name of the control packet type to be policed.

Packet-type policers are available only for the protocol groups listed in Table 1, and only on some devices. For protocol groups not listed in Table 1, only the aggregate policer is available.

Table 1 lists the protocol groups that have packet-type policers available on some devices, together with the default-configured parameters of each packet-type policer. Each of these protocol groups also supports the aggregate policer. (See Table 2 for the default aggregate policer parameters for these protocol groups.)

Table 1: Packet Types Supported by DDoS Protection on PTX Series Routers and QFX Series Switches

| Protocol Group | Packet Type | Description | Default Bandwidth | Default Burst | Default Priority |
|---|---|---|---|---|---|
| arp | arp-snoop | ARP snooping traffic | 500 | 2048 | High |
| arp | unclassified | Unclassified ARP packets | 500 | 1024 | High |
| bfd | multihop-bfd | Multihop BFD traffic | 1500 | 2048 | High |
| bfd | unclassified | Unclassified BFD packets | 1000 | 2048 | High |
| eoam | oam-cfm | Ethernet OAM CFM traffic | 200 | 2048 | High |
| eoam | unclassified | Unclassified Ethernet OAM traffic | 100000 | 2048 | High |
| igmpv6 | mld | MLD traffic | 1000 | 2048 | High |
| igmpv6 | unclassified | Unclassified IGMPv6 packets | 90000 | 2048 | High |
| mcast-snoop | igmp | Control packets for IGMP snooping | 500 | 2048 | High |
| mcast-snoop | mld | Control packets for MLD snooping | 500 | 2048 | High |
| mcast-snoop | pim | Control packets for PIM snooping | 500 | 2048 | High |
| mcast-snoop | unclassified | Unclassified multicast snooping control packets | 500 | 2048 | High |
| radius | accounting | RADIUS accounting packets | 200 | 2048 | High |
| radius | authorization | RADIUS authorization packets | 200 | 2048 | High |
| radius | server | RADIUS server traffic | 200 | 2048 | High |
| radius | unclassified | Unclassified RADIUS traffic | 200 | 2048 | High |
| tcc | ethernet-tcc | TCC-encapsulated Ethernet traffic | 100 | 2048 | High |
| tcc | iso-tcc | TCC-encapsulated ISO traffic | 100 | 2048 | High |
| tcc | unclassified | Unclassified TCC-encapsulated traffic | 100 | 2048 | High |

protocol-group—Name of the protocol group for which traffic is policed. You can configure the aggregate policer for any of the protocol groups listed in Table 2. The table shows the default-configured aggregate policer parameters for each protocol group. Some of the protocol groups in the table also have individual packet-type policers, which are listed in Table 1.

Table 2: Protocol Groups Supported by DDoS Protection on QFX Switches

| Protocol Group | Description | Default Bandwidth | Default Burst |
|---|---|---|---|
| all-fiber-channel-enode | Fiber channel ENode traffic | 10 | 2048 |
| arp | ARP traffic | 500 | 1024 |
| arp-snoop | ARP snooping traffic. Note: The arp protocol group option encompasses this as a packet type on some devices. | 500 | 2048 |
| bfd | Single-hop BFD traffic | 1000 | 2048 |
| bfdv6 | BFDv6 traffic | 3000 | 10000 |
| bgp | BGP traffic | 1500 | 2048 |
| bridge-control | Bridge Control traffic | 10 | 2048 |
| dhcpv4v6 | DHCPv4 and DHCPv6 traffic (limits apply to combined traffic) | 500 | 2048 |
| diameter | Diameter and Gx-Plus traffic | 200 | 2048 |
| dns | DNS traffic | 200 | 2048 |
| dtcp | DTCP traffic | 200 | 2048 |
| egpv6 | EGPv6 traffic | 10 | 2048 |
| eoam | Ethernet OAM traffic | 100000 | 2048 |
| ethernet-tcc | TCC-encapsulated Ethernet traffic. Note: The tcc protocol group option encompasses this as a packet type on some devices. | 100 | 2048 |
| ftp | FTP traffic | 500 | 2048 |
| garp-reply | Gratuitous ARP reply traffic | 100 | 2048 |
| gre | GRE traffic | 500 | 2048 |
| icmp | ICMP traffic | 500 | 2048 |
| igmp | IGMPv4 and IGMPv6 traffic. Note: On PTX Series and QFX10002-60C devices, use this option for IGMPv4 traffic only, and the igmpv6 option for IGMPv6 traffic. | 1000 | 2048 |
| igmpv6 | IGMPv6 traffic | 90000 | 2048 |
| ip-options | IP traffic with IP packet header options | 100 | 2048 |
| isis | IS-IS traffic | 1000 | 2048 |
| iso-tcc | TCC-encapsulated ISO traffic. Note: The tcc protocol group option encompasses this as a packet type on some devices. | 100 | 2048 |
| l2pt | Layer 2 protocol tunneling traffic | 500 | 2048 |
| l2tp | Layer 2 tunneling protocol traffic | 500 | 2048 |
| lacp | LACP traffic | 300 | 2048 |
| ldp | LDP traffic | 1000 | 200 |
| ldp-hello | LDP hello packets | 1000 | 2048 |
| lldp | LLDP traffic | 60 | 2048 |
| lmp | LMP traffic | 100 | 2048 |
| martian-address | Martian address | 200 | 20 |
| mcast-snoop | Control traffic for multicast snooping | 500 | 2048 |
| mld | MLD traffic. Note: The igmpv6 protocol group option encompasses this as a packet type on some devices. | 1000 | 2048 |
| msdp | MSDP traffic | 300 | 2048 |
| multihop-bfd | Multihop BFD traffic. Note: The bfd protocol group option encompasses this as a packet type on some devices. | 1500 | 2048 |
| ndpv6 | NDPv6 traffic | 500 | 1024 |
| ntp | NTP traffic | 200 | 2048 |
| oam-cfm | OAM CFM traffic. Note: The eoam protocol group option encompasses this as a packet type on some devices. | 200 | 2048 |
| oam-lfm | OAM LFM traffic | 200 | 2048 |
| ospf | OSPF traffic | 1000 | 200 |
| ospf-hello | OSPF hello packets | 1500 | 2048 |
| pim-ctrl | PIM control packets | 1000 | 2048 |
| pim-data | PIM data | 2000 | 2048 |
| proto-802-1x | 802.1X traffic | 200 | 2048 |
| ptp | PTP traffic | 100 | 2048 |
| pvstp | PVSTP traffic | 2000 | 2048 |
| radius | RADIUS traffic | 200 | 2048 |
| reject | Packets rejected by a next-hop forwarding decision | 100 | 2048 |
| resolve | Unclassified IPv4 and IPv6 resolve packets sent to the host because of a traffic request resolve action | 500 | 2048 |
| rip | RIP traffic | 100 | 2048 |
| rsvp | RSVP traffic | 1000 | 2048 |
| snmp | SNMP traffic | 500 | 2048 |
| ssh | SSH traffic | 500 | 2048 |
| stp | STP traffic | 2000 | 2048 |
| tacacs | TACACS+ traffic | 200 | 2048 |
| tcc | Transitional Cross-connect encapsulated traffic | 100 | 2048 |
| telnet | Telnet traffic | 500 | 2048 |
| ttl | Time to Live packets | 100 | 2048 |
| unclassified | Traffic that cannot be classified into one of the other available protocol groups | 100 | 2048 |
| vrrp | VRRP traffic | 1000 | 2048 |

The remaining statements are explained separately. See CLI Explorer.
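As an added example (not from this page or from Juniper's own documentation), the following configuration shows the two policer kinds described above side by side: an aggregate policer for the whole bfd protocol group plus packet-type policers for its multihop-bfd and unclassified packet types (Table 1), and an aggregate-only policer for bgp, which has no packet types. The [edit system ddos-protection protocols] hierarchy and the bandwidth, burst and priority substatements are assumed from the Junos DDoS protection feature, since this page's Syntax section is empty; the numeric values are constructed for illustration and deliberately sit below the defaults in the tables.

```junos
system {
    ddos-protection {
        protocols {
            bfd {
                /* Aggregate policer: one limit for every BFD control packet
                   in the group (page defaults: bandwidth 1000, burst 2048). */
                aggregate {
                    bandwidth 1000;
                    burst 2048;
                }
                /* Packet-type policer for multihop BFD only. Packet-type
                   traffic is still counted against the aggregate policer
                   unless bypass-aggregate is set, and this page notes that
                   PTX Series routers and QFX10002-60C switches do not
                   support bypass-aggregate, so it is not used here.
                   Constructed values (page defaults: 1500 / 2048 / High). */
                multihop-bfd {
                    bandwidth 800;
                    burst 1024;
                    priority high;
                }
                /* Packet-type policer for BFD packets that match no other
                   packet type. Constructed values (page defaults: 1000 / 2048). */
                unclassified {
                    bandwidth 500;
                    burst 1024;
                    priority medium;
                }
            }
            /* bgp is not in Table 1, so only the aggregate policer exists.
               Constructed values (page defaults: 1500 / 2048). */
            bgp {
                aggregate {
                    bandwidth 1200;
                    burst 2048;
                }
            }
        }
    }
}
```

After committing, the operational command show ddos-protection protocols bfd (assumed from the same feature, not shown on this page) displays the resulting policer parameters and violation state for the group.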

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Related Documentation