Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

ON THIS PAGE

Configuring Control Plane DDoS Protection

 

Control plane DDoS protection is enabled by default for all supported protocol groups and packet types. Devices have default values for bandwidth (packet rate in pps), bandwidth scale, burst (number of packets in a burst), burst scale, priority, and recover time. To see the default policer values for all supported protocol groups and packet types, run the show ddos-protection protocols CLI command before modifying any configurable DDoS protection values.

Note

Some EX Series switches might have control plane DDoS protection but don’t support CLI options to show or change the default policer parameters.

You can change the control plane DDoS configuration parameters as follows:

  • For individual packet types supported within a protocol group, you can change bandwidth (pps), burst (packets), and priority policer values.

  • For the aggregate policer for a protocol group, you can change bandwidth (pps) and burst (packets) policer values.

  • When you set bandwidth (pps), burst (packets), and priority values for a protocol group or packet type policer, the same values apply at all policer levels. Change the scaling configuration options to tune those values at the Packet Forwarding Engine level.

Note

On PTX10003 and PTX10008 routers, you can change default bandwidth (pps) and burst (packets) values for aggregate or packet type policers, but not priority values.

You can disable control plane DDoS protection as follows:

  • On most routing devices that have policers at the Routing Engine level, you can disable control plane DDoS protection at the Routing Engine and for all line cards either globally or for individual packet types within a protocol group.

  • On PTX10003 and PTX10008 routers, although these devices include policers at the Routing Engine level, you can disable control plane DDoS protection only at the line card level either globally or for individual packet types within a protocol group.

  • On other PTX Series routers and QFX Series switches, policers are supported only at the line cards, so on these devices you can disable control plane DDoS protection for all line cards either globally or for individual packet types within a protocol group.

Control plane DDoS logging is enabled by default, but you can disable it globally for all control plane DDoS events or for individual packet types within a protocol group. You can also configure tracing operations for monitoring control plane DDoS events.

Note

MX Series routers with MPCs and T4000 routers with FPC5s support control plane DDoS protection. The CLI accepts the configuration if other line cards are also installed on either of these types of routers, but the other line cards are not protected so the router is essentially not protected.

To change default-configured control plane DDoS protection parameters:

  1. (Optional) Configure global control plane DDoS protection settings or disable control plane DDoS protection.
  2. (Optional) Configure control plane DDoS protection settings for the aggregate policer or individual packet types for the desired protocol groups.
  3. (Optional) Configure tracing for control plane DDoS protection operations.

Disabling Control Plane DDoS Protection Policers and Logging Globally

Control plane DDoS protection policers are enabled by default for all supported protocol groups and packet types.

On MX Series routers, T4000 routers, and EX9200 switches, policers are established at the level of the individual line card and the Routing Engine. You can disable the line card policers globally for all MPCs or FPC5s. You can also disable the Routing Engine policer. When you disable either of these policers, the policers at that level for all protocol groups and packet types are disabled.

On PTX Series routers and QFX Series switches, policers are established at the level of individual line cards only. If you disable line-card policers globally, control plane DDoS protection is disabled on the switch.

PTX10003 and PTX10008 routers include policers at the Routing Engine level, but like other PTX Series routers, you can only disable line-card policers.

Control plane DDoS protection logging is also enabled by default. You can disable all control plane DDoS event logging (including flow detection event logging) for all protocol groups and packet types across the router or switch.

Note

The global configuration for disabling policers and logging overrides any local configuration for packet types.

To configure global control plane DDoS protection settings:

  1. (Optional) To disable line card policers:
  2. (Optional) (Not available on PTX Series Routers or QFX Series switches) To disable Routing Engine policers:
  3. (Optional) To disable event logging:

Configuring Control Plane DDoS Protection Aggregate or Individual Packet Type Policers

Control plane DDoS policers are applied to control packet traffic and are enabled by default for all supported protocol groups and packet types. You can change default policer parameters to configure different values for the maximum allowed traffic rate, maximum burst size, traffic priority, and how much time must pass since the last violation before the traffic flow is considered to have recovered from the attack. You can also scale the bandwidth and burst values for individual line cards so that the policers at this level trigger at lower thresholds than the overall protocol or packet thresholds.

Protocol group and packet type support varies across platforms and Junos OS releases, as follows:

You can configure aggregate policer values for any protocol group. The aggregate policer applies to the combination of all types of control packet traffic for that group. For some protocol groups, you can also configure policer values for individual packet types. When you configure aggregate policer values for certain protocol groups, you can optionally bypass that policer for one or more particular packet types in that group.

Best Practice

Although all policers have default parameter values, these values might not accurately reflect the control traffic pattern of your network. We recommend that you model your network to determine the best values for your situation. Before you configure policers for your network, you can quickly view the default values for all packet types from operational mode using the show ddos-protection protocols parameters brief command. You can also use the command to specify a single protocol group of interest. For example, to see default values for the dhcpv4 protocol group, use the show ddos-protection protocols dhcpv4 parameters brief command.

You can disable a packet type policer at either the Routing Engine level (if supported) or at the Packet Forwarding Engine level for a specified line card or for all line cards. You can also disable logging of all control plane DDoS protection events for individual packet types within a protocol group.

To configure the desired aggregate or packet-type DDoS protection policer settings:

  1. Specify the protocol group.

    For example, to specify the DHCPv4 protocol group on MX Series, PTX10003 or PTX10008 routers:

    or, on PTX Series or QFX Series devices, control plane DDoS protection support has a combined DHCPv4 and DHCPv6 option that allows only aggregate policer configuration:

  2. Specify a supported individual packet type or the aggregate option to encompass all packet types in the protocol group.

    or

    For example, to specify only DHCPv4 release packets on devices that support individual DHCPv4 packet types:

  3. (Optional) Configure the maximum traffic rate the policer allows for the packet type (or aggregate).

    For example, to set a bandwidth of 600 packets per second for DHCPv4 release packets:

  4. (Optional) Configure the maximum number of packets of this packet type (or aggregate) that the policer allows in a burst of traffic.

    For example, to set a maximum of 5000 DHCPv4 release packets:

  5. (Optional) Set the traffic priority.Note

    You can’t change default priority values on PTX10003 or PTX10008 routers.

    For example, to specify a medium priority for DHCPv4 release packets:

  6. (Optional) Configure how much time must pass since the last violation before the traffic flow is considered to have recovered from the attack.

    For example, to specify that 600 seconds must have passed since the last violation of the DHCPv4 release packet policer:

  7. (Optional, supported on some devices) Bypass the aggregate policer configuration. This is applicable only when an aggregate policer and an individual policer is configured for the protocol group.

    For example, to bypass the aggregate policer for DHCPv4 renew packets:

  8. (Optional) Disable line card policers for the packet type (or aggregate) on all line cards.
    Note

    When you disable line card policers globally at the [edit system ddos-protection global] hierarchy level, the global setting overrides the per-packet type setting shown in this step. If you subsequently remove the global configuration, then the per-packet type configuration takes effect.

    For example, to disable the line card policer for DHCPv4 bootp packets:

  9. (Optional) Disable control plane DDoS protection event logging for only one packet type (or aggregate).
    Note

    Events disabled for the packet are associated with policer violations; logging of flow detection culprit flow events is not affected by this statement.

    Note

    When you disable control plane DDoS protection event logging globally at the [edit system ddos-protection global] hierarchy level, the global setting overrides the per-packet type setting shown in this step. If you subsequently remove the global configuration, then the per-packet type configuration takes effect.

    For example, to disable control plane DDoS protection event logging on the line card policer for DHCPv4 discover packets:

  10. (Optional, not available on PTX Series Routers or QFX Series switches) Disable the Routing Engine policer for only this packet type.
    Note

    When you disable the Routing Engine policer globally at the [edit system ddos-protection global] hierarchy level, the global setting overrides the per-packet type setting shown in this step. If you subsequently remove the global configuration, then the per-packet type configuration takes effect.

    For example, to disable the Routing Engine policer for DHCPv4 discover packets:

  11. (Optional) Configure packet-level settings for the packet type (or aggregate) on a single line card. On switches with a single, fixed line card (a single FPC considered to be in slot 0 and labeled fpc0), scaling the policer values affects the entire switch.

    For example, to access DHCPv4 discover packet settings on the line card in slot 3:

  12. (Optional) Scale the policer bandwidth for the packet type (or aggregate) on the line card.

    For example, to scale the bandwidth to 80 percent of the all-line-card setting configured for DHCPv4 discover packets on the line card in slot 3:

  13. (Optional) Scale the policer burst size for the packet type (or aggregate) on the line card.

    For example, to scale the maximum bandwidth to 75 percent of the all-line-card setting configured for DHCPv4 discover packets on the line card in slot 3:

  14. (Optional) Disable the line card policer for the packet type (or aggregate) on a particular line card.

    For example, to disable the line card policer for DHCPv4 discover packets on the line card in slot 3:

See also

Verifying and Managing Control Plane DDoS Protection

Purpose

View or clear information about control plane DDoS protection configurations, states, and statistics.

Action

  • To display the control plane DDoS protection policer configuration, violation state, and statistics for all packet types in all protocol groups:

    Run this command before you make any configuration changes to see the default policer values.

  • To display the control plane DDoS protection policer configuration, violation state, and statistics for a particular packet type in a particular protocol group:

  • To display only the number of control plane DDoS protection policer violations for all protocol groups:

  • To display a table of the control plane DDoS protection configuration for all packet types in all protocol groups:

  • To display a complete list of packet statistics and control plane DDoS protection violation statistics for all packet types in all protocol groups:

  • To display global control plane DDoS protection violation statistics:

  • To display the control plane DDoS protection version number:

  • To clear control plane DDoS protection statistics for all packet types in all protocol groups:

  • To clear control plane DDoS protection statistics for all packet types in a particular protocol group:

  • To clear control plane DDoS protection statistics for a particular packet type in a particular protocol group:

  • To clear control plane DDoS protection violation states for all packet types in all protocol groups:

  • To clear control plane DDoS protection violation states for all packet types in a particular protocol group:

  • To clear control plane DDoS protection violation states for a particular packet type in a particular protocol group:

See also