Configuring Flow Detection for Control Plane DDoS Protection

Flow detection monitors the flows of control traffic for violation of the bandwidth allowed for each flow and manages traffic identified as a culprit flow. Suppression of the traffic is the default management option. Flow detection is typically implemented as part of an overall control plane DDoS protection strategy, but it is also useful for troubleshooting and understanding traffic flow in new configurations. Flow detection is disabled by default.

Enhanced Subscriber Management supports flow detection for DDoS protection as of Junos OS Release 17.3R1.

Before you begin, ensure that you have configured DDoS protection appropriately for your network. See Configuring Control Plane DDoS Protection for detailed information about configuring DDoS protection.

To configure flow detection:

  1. Enable flow detection globally for all protocol groups and packet types.

    See Enabling Flow Detection for All Protocol Groups and Packet Types.

  2. (Optional) Set the rate at which culprit flow events are reported for all line cards, protocol groups, and packet types.
  3. Set the rate at which bandwidth violations are reported for all line cards, protocol groups, and packet types.
  4. (Optional) Configure how long a suspicious flow must be in violation of flow bandwidth before being declared a culprit flow.
  5. (Optional) Configure how long a culprit flow must drop to within its allowed bandwidth before being declared normal.
  6. (Optional) Enable and configure how long a culprit flow is suppressed or monitored.
  7. (Optional) Configure the global flow detection operation mode for all protocol groups and packet types.

    See Configuring How Flow Detection Operates Globally.

  8. (Optional) Override the global flow detection operation mode for protocol groups or packet types.

    See Configuring How Flow Detection Operates for Individual Protocol Groups or Packets.

  9. (Optional) Override the global, protocol group, or packet type flow detection operation mode for one or more flow aggregation levels (subscriber, logical interface, and physical interface).
  10. Configure the maximum bandwidth for packet flows at each flow aggregation level (subscriber, logical interface, and physical interface).
  11. (Optional) Configure how traffic for flows that violate their bandwidth is controlled at all flow aggregation levels (subscriber, logical interface, and physical interface) for all protocol groups and packet types.
  12. (Optional) Configure how traffic for flows that violate their bandwidth is controlled at each flow aggregation level (subscriber, logical interface, and physical interface) for specific protocol groups and packet types.
  13. (Optional) Disable automatic logging of suspicious flows.
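
The detect and recover timers from steps 4 and 5, modeled as a small state machine over rate samples for one flow. This is an added illustration, not Juniper code or Junos configuration; the field names, the one-sample-per-second granularity, and the consecutive-seconds rule are assumptions of the model.

```python
from dataclasses import dataclass

NORMAL, SUSPICIOUS, CULPRIT = "normal", "suspicious", "culprit"


@dataclass
class FlowTracker:
    """Simplified per-flow model; field names are hypothetical, not Junos statements."""
    bandwidth_pps: int   # allowed bandwidth for the flow (step 10)
    detect_time: int     # seconds in violation before suspicious becomes culprit (step 4)
    recover_time: int    # seconds within bandwidth before culprit becomes normal (step 5)
    state: str = NORMAL
    streak: int = 0      # consecutive seconds counting toward the next transition

    def observe(self, pps: int) -> str:
        """Feed one 1-second rate sample and return the resulting flow state."""
        violating = pps > self.bandwidth_pps
        if self.state == CULPRIT:
            # A culprit recovers only after recover_time consecutive compliant seconds;
            # any new violation restarts the recovery count.
            self.streak = 0 if violating else self.streak + 1
            if self.streak >= self.recover_time:
                self.state, self.streak = NORMAL, 0
        elif violating:
            # Normal or suspicious flow over its bandwidth: count the violation.
            self.streak += 1
            self.state = SUSPICIOUS
            if self.streak >= self.detect_time:
                self.state, self.streak = CULPRIT, 0
        else:
            # A suspicious flow that falls back within its bandwidth is cleared.
            self.state, self.streak = NORMAL, 0
        return self.state


def classify(samples, **params):
    """Run a list of per-second packet rates through a fresh tracker."""
    tracker = FlowTracker(**params)
    return [tracker.observe(pps) for pps in samples]


# Constructed sample: a one-second spike, a sustained burst, then a slow recovery.
SAMPLES = [50, 300, 40, 300, 300, 300, 300, 20, 300, 20, 20, 20, 30]
STATES = classify(SAMPLES, bandwidth_pps=100, detect_time=3, recover_time=3)

if __name__ == "__main__":
    for second, (pps, state) in enumerate(zip(SAMPLES, STATES)):
        print(f"t={second:2d}s  {pps:4d} pps  {state}")
```

A longer detect time tolerates short spikes without declaring a culprit; a longer recover time keeps a flow that oscillates around its limit classified as a culprit.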

Release History Table

| Release | Description |
|---|---|
| 17.3R1 | Enhanced Subscriber Management supports flow detection for DDoS protection as of Junos OS Release 17.3R1. |