Configuring DS-Lite Per Subnet Session Limitation to Prevent Denial of Service Attacks
You can configure the DS-Lite per subnet limitation on MX Series routers equipped with MS-DPCs. Starting in Junos OS Release 18.2R1, MS-MPCs and MS-MICs also support the subnet limitation feature. Starting in Junos OS Release 20.2R1, the Next Gen Services MX-SPC3 security services card supports the subnet limitation feature.
Starting in Junos OS Release 19.2R1, MX Virtual Chassis and MX Broadband Network Gateway (BNG) routers also support the subnet limitation feature.
To configure DS-Lite per subnet session limitation:
- Configure the size of the subnet prefix to which limiting is applied. Specify a prefix length of 56, 64, 96, or 128.
  [edit]
  user@host# set services service-set service-set-name softwire-options dslite-ipv6-prefix-length dslite-ipv6-prefix-length
Ensure that all mappings are cleared before changing the prefix length.
- If you are using a next-hop service set on an AMS interface for DS-Lite, set the AMS inside interface’s IPv6 source prefix length to the same value you use for the subnet prefix in Step 1.
  [edit interfaces interface-name unit interface-unit-number load-balancing-options hash-keys]
  user@host# set ipv6-source-prefix-length ipv6-source-prefix-length
- Configure the maximum number of subscriber sessions allowed per prefix. You can configure from 0 through 16,384 sessions.
  [edit]
  user@host# set services softwire softwire-concentrator dslite dslite-concentrator-name session-limit-per-prefix 12
For Next Gen Services DS-Lite, MAP-E and V6rd softwires, configure the maximum number of subscriber sessions allowed per prefix:
  [edit]
  user@host# set services softwires softwire-types ds-lite | map-e | v6rd session-limit-per-prefix limit
You cannot use flow-limit and session-limit-per-prefix in the same dslite configuration.
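The constraints in this procedure can be checked before commit with a small audit over a "set"-format configuration export; the script below is an added example, not Juniper code. It assumes a single DS-Lite service set per file, that flow-limit sits at the same dslite concentrator hierarchy as session-limit-per-prefix, and uses constructed names (ss-dslite, aftr1, ams0) and a constructed sample configuration.

```python
import re

VALID_PREFIX_LENGTHS = {56, 64, 96, 128}   # prefix lengths the procedure allows
MAX_SESSIONS = 16384                        # upper bound stated in the procedure

# Constructed sample in "set" format; ss-dslite, aftr1 and ams0 are invented names.
SAMPLE_CONFIG = """\
set services service-set ss-dslite softwire-options dslite-ipv6-prefix-length 56
set interfaces ams0 unit 1 load-balancing-options hash-keys ipv6-source-prefix-length 64
set services softwire softwire-concentrator dslite aftr1 session-limit-per-prefix 20000
set services softwire softwire-concentrator dslite aftr1 flow-limit 500
"""

# Statement forms follow the commands shown on this page; the flow-limit path is an assumption.
PATTERNS = {
    "subnet": re.compile(r"^set services service-set (\S+) softwire-options dslite-ipv6-prefix-length (\d+)$"),
    "hash": re.compile(r"^set interfaces (\S+) unit (\d+) load-balancing-options hash-keys ipv6-source-prefix-length (\d+)$"),
    "limit": re.compile(r"^set services softwire softwire-concentrator dslite (\S+) (session-limit-per-prefix|flow-limit) (\d+)$"),
}

def audit(config_text):
    """Return a sorted list of findings for the rules in the procedure above."""
    subnet, hashes, limits, findings = {}, {}, {}, []
    for line in config_text.splitlines():
        line = line.strip()
        if m := PATTERNS["subnet"].match(line):
            subnet[m.group(1)] = int(m.group(2))
        elif m := PATTERNS["hash"].match(line):
            hashes[f"{m.group(1)}.{m.group(2)}"] = int(m.group(3))
        elif m := PATTERNS["limit"].match(line):
            limits.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    for name, length in subnet.items():
        if length not in VALID_PREFIX_LENGTHS:
            findings.append(f"service-set {name}: prefix length {length} not in 56/64/96/128")
    for ifl, length in hashes.items():
        # Assumption: one DS-Lite service set per file, so every AMS hash key must match it.
        if any(length != s for s in subnet.values()):
            findings.append(f"{ifl}: ipv6-source-prefix-length {length} differs from subnet prefix length")
    for name, knobs in limits.items():
        limit = knobs.get("session-limit-per-prefix")
        if limit is not None and not 0 <= limit <= MAX_SESSIONS:
            findings.append(f"dslite {name}: session-limit-per-prefix {limit} outside 0-{MAX_SESSIONS}")
        if limit is not None and "flow-limit" in knobs:
            findings.append(f"dslite {name}: flow-limit and session-limit-per-prefix both set")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The audit does not resolve which service set uses which AMS interface, so a file with several DS-Lite service sets using different prefix lengths will produce mismatch findings that need manual review.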