
Configuring DS-Lite Per Subnet Session Limitation to Prevent Denial of Service Attacks

 

You can configure the DS-Lite per subnet limitation on MX Series routers equipped with MS-DPCs. Starting in Junos OS Release 18.2R1, MS-MPCs and MS-MICs also support the subnet limitation feature. Starting in Junos OS Release 20.2R1, the Next Gen Services MX-SPC3 security services card supports the subnet limitation feature.

Starting in Junos OS Release 19.2R1, MX Virtual Chassis and MX Broadband Network Gateway (BNG) routers also support the subnet limitation feature.

To configure DS-Lite per subnet session limitation:

  1. Configure the size of the subnet prefix to which limiting is applied. Specify a prefix length of 56, 64, 96, or 128.
    Note: Ensure that all mappings are cleared before changing the prefix length.

  2. If you are using a next-hop service set on an AMS interface for DS-Lite, set the AMS inside interface’s IPv6 source prefix length to the same value you use for the subnet prefix in Step 1.
  3. Configure the maximum number of subscriber sessions allowed per prefix. You can configure from 0 through 16,384 sessions.

    For Next Gen Services DS-Lite, MAP-E and V6rd softwires, configure the maximum number of subscriber sessions allowed per prefix:

    Note: You cannot use flow-limit and session-limit-per-prefix in the same dslite configuration.
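
The following Python sketch is an added example, not Juniper code or Junos configuration. It models how the prefix length from Step 1 groups softwire source (B4) addresses into subnets and how the limit from Step 3 is then applied per subnet. The class and function names, the 2001:db8::/32 documentation addresses, and the treatment of a limit of 0 as "no limit" are assumptions of this example.

```python
import ipaddress
from collections import Counter

ALLOWED_PREFIX_LENGTHS = {56, 64, 96, 128}  # values listed in Step 1
MAX_SESSION_LIMIT = 16384                   # upper bound from Step 3


class PerPrefixLimiter:
    """Toy model of per-subnet session limiting (hypothetical, not Junos code)."""

    def __init__(self, prefix_length, session_limit):
        if prefix_length not in ALLOWED_PREFIX_LENGTHS:
            raise ValueError("prefix length must be 56, 64, 96, or 128")
        if not 0 <= session_limit <= MAX_SESSION_LIMIT:
            raise ValueError("session limit must be 0 through 16384")
        self.prefix_length = prefix_length
        self.session_limit = session_limit
        self.active = Counter()  # subnet -> sessions currently counted

    def subnet_of(self, b4_address):
        # Mask the softwire source address down to the configured prefix.
        return ipaddress.ip_network(
            f"{b4_address}/{self.prefix_length}", strict=False)

    def admit(self, b4_address):
        subnet = self.subnet_of(b4_address)
        # Assumption of this model: a limit of 0 means "no limit".
        if self.session_limit and self.active[subnet] >= self.session_limit:
            return False  # subnet already holds its maximum number of sessions
        self.active[subnet] += 1
        return True


def run_demo(prefix_length, session_limit=3):
    limiter = PerPrefixLimiter(prefix_length, session_limit)
    # Constructed sample: five source addresses that share one /56,
    # followed by one source address from a different /56.
    sources = [f"2001:db8:0:{i:x}::1" for i in range(5)]
    sources.append("2001:db8:0:100::1")
    return [limiter.admit(src) for src in sources]


if __name__ == "__main__":
    print("/56:", run_demo(56))  # sessions counted per /56
    print("/64:", run_demo(64))  # each source falls in its own /64
```

With a prefix length of 56, the five addresses share one counter and the fourth and fifth sessions are refused; with 64, every address has its own counter, so the chosen prefix length should match the size of the prefix delegated to each subscriber.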

Release History Table

Release    Description
20.2R1     Starting in Junos OS Release 20.2R1, the Next Gen Services MX-SPC3 security services card supports the subnet limitation feature.