Configuring How Flow Detection Operates for Individual Protocol Groups or Packets
By default, flow detection is disabled for all protocol groups and packet types. After you have turned on flow detection globally and configured the global operation mode, you can include the flow-detection-mode statement to configure flow detection to override the global setting for individual protocol groups and packet types. By default, flow detection operates in automatic mode for all packet types, meaning that it monitors control traffic for suspicious flows only after a DDoS policer has been violated. You can also configure flow detection either to never monitor flows or to always monitor flows.
The flow detection mode at the packet level must be either automatic or on for flow detection to operate at individual flow aggregation levels.
To configure how flow detection operates:
Disable suspicious flow detection for a packet type.
    [edit system ddos-protection protocols protocol-group packet-type]
    user@host# set flow-detection-mode off
Set flow detection to operate automatically when a policer is violated.
    [edit system ddos-protection protocols protocol-group packet-type]
    user@host# set flow-detection-mode automatic
Specify that flow detection is always on for a packet type.
    [edit system ddos-protection protocols protocol-group packet-type]
    user@host# set flow-detection-mode on
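The following audit script is an added example, not Juniper code. It reads a configuration in set format, resolves the effective packet-level mode for each packet type (automatic when unset), and flags packet types where flow-detection-mode off would stop configured flow aggregation levels from operating. The sample configuration is constructed, and the `global flow-detection` and `flow-level-detection` statement names are assumed from Junos rather than taken from this page.

```python
# Constructed sample in Junos "set" format; not taken from a real device.
SAMPLE = """\
set system ddos-protection global flow-detection
set system ddos-protection protocols dhcpv4 discover flow-detection-mode off
set system ddos-protection protocols dhcpv4 discover flow-level-detection subscriber on
set system ddos-protection protocols pppoe padi flow-detection-mode on
set system ddos-protection protocols pppoe padi flow-level-detection logical-interface automatic
set system ddos-protection protocols icmp aggregate flow-level-detection physical-interface on
"""

PREFIX = "set system ddos-protection "
MODES = {"automatic", "on", "off"}


def audit(config_text):
    """Return (effective packet-level modes, findings) for a set-format config."""
    global_on = False
    packet_mode = {}   # (group, packet type) -> configured flow-detection-mode
    flow_levels = {}   # (group, packet type) -> {aggregation level: mode}
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        words = line[len(PREFIX):].split()
        if words == ["global", "flow-detection"]:
            global_on = True
        if len(words) < 5 or words[0] != "protocols" or words[-1] not in MODES:
            continue
        key = (words[1], words[2])
        if words[3] == "flow-detection-mode" and len(words) == 5:
            packet_mode[key] = words[4]
        elif words[3] == "flow-level-detection" and len(words) == 6:
            # Assumed statement: flow-level-detection <aggregation level> <mode>
            flow_levels.setdefault(key, {})[words[4]] = words[5]

    findings = []
    if not global_on:
        findings.append("global: flow detection is not turned on")
    effective = {}
    for key in sorted(set(packet_mode) | set(flow_levels)):
        # Unset packet types use the default mode the page states: automatic.
        effective[key] = packet_mode.get(key, "automatic")
        active = sorted(l for l, m in flow_levels.get(key, {}).items() if m != "off")
        if effective[key] == "off" and active:
            findings.append(f"{key[0]} {key[1]}: flow-detection-mode off disables "
                            f"flow-level detection at {', '.join(active)}")
    return effective, findings
```

Calling `audit()` on the output of `show configuration system ddos-protection | display set` reports one finding per packet type whose packet-level mode is off while a flow aggregation level is still configured to run.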