DoS Protection Group Configuration Example
The examples in this section illustrate how to configure a denial-of-service (DoS) protection group.
- Requirements
- Overview of Denial of Service Protection
- Configuring DoS Protection Group
- Monitoring DoS Protection Groups
Requirements
This example uses the following software and hardware components:
- JunosE Release 8.1.0 or higher-numbered releases
- E Series router (ERX7xx models, ERX14xx models, the ERX310 router, the E120 router, or the E320 router)
- ASIC-based line modules that support Fast Ethernet or Gigabit Ethernet
Overview of Denial of Service Protection
A denial-of-service (DoS) attack is any attempt to deny valid users access to network or server resources by using up all the resources of the network element or server. DoS protection reacts to attacks as they occur and determines whether the source of traffic is valid or invalid. It includes diagnostic tools and configuration options. A DoS protection group is a simple policy that you apply to interfaces; it specifies a set of parameters that tune this behavior.
Configuring DoS Protection Group
Configuration Example
Step-by-Step Procedure
To configure a DoS protection group for an interface:
- Enter DoS Protection Group Configuration mode.
    host1(config)#dos-protection-group default
Note: Beginning with JunosE Release 10.0.0, you can configure up to three DoS protection groups in addition to the one DoS protection group that is available by default. You can associate any of the configured DoS protection groups to an interface.
- Set the maximum rates for the protocols.
    host1(config-dos-protection)#protocol AtmOam rate 512
    host1(config-dos-protection)#protocol PppoeControl rate 512
    host1(config-dos-protection)#protocol IpLocalOther rate 512
- Set the burst size for the protocols.
    host1(config-dos-protection)#protocol AtmOam burst 512
    host1(config-dos-protection)#protocol PppoeControl burst 512
    host1(config-dos-protection)#protocol IpLocalOther burst 512
- Set the weight for the protocols.
    host1(config-dos-protection)#protocol AtmOam weight 100
    host1(config-dos-protection)#protocol PppoeControl weight 100
    host1(config-dos-protection)#protocol IpLocalOther weight 100
- Set the priority for the protocols.
    host1(config-dos-protection)#protocol AtmOam priority Lo-Green
    host1(config-dos-protection)#protocol PppoeControl priority Hi-Yellow
    host1(config-dos-protection)#protocol IpLocalOther priority dataPath
- (Optional) You can also use a preconfigured (canned) set of parameters.
    host1(config-dos-protection)#use canned-group default
Monitoring DoS Protection Groups
Monitoring Example
Purpose
Display the configuration of the default DoS protection group.
Action
To display the configuration of the default DoS protection group:
    default (canned-group: defaultCanned) *modified -- no references
    Protocol              Dest Mod Rate  Burst Weight DropProb Priority  Skip
    --------------------  ---- --- ----- ----- ------ -------- --------- ----
    Ppp Echo Request      IC   -   2048  1024  100    100      HI green  Y
    Ppp Echo Reply        IC   -   2048  1024  100    100      HI green  Y
    Ppp Echo Reply Fastp  FC   -   0     0     100    100      Data path Y
    path
    Ppp Control           IC   -   2048  1024  100    100      HI green  N
    Atm Control (ILMI)    IC   -   2048  1024  100    100      HI green  Y
    Atm OAM               IC   *   512   512   100    100      LO green  N
    Atm Dynamic Interface IC   -   1024  512   100    100      HI yellow N
    Column Creation
    Atm Inverse ARP       IC   -   256   128   100    100      LO yellow N
    Frame Relay Control   IC   -   2048  1024  100    100      HI green  Y
    (LMI)
    Frame Relay Inverse   IC   -   256   128   100    100      LO yellow N
    Arp
    Pppoe Control         IC   *   512   512   100    100      HI yellow N
    Pppoe Ppp Config Dyn  IC   -   1024  512   100    100      HI yellow N
    amic Interface Colum
    n Creation
    Ethernet ARP Miss     IC   -   256   128   100    100      LO yellow N
    Ethernet ARP          IC   -   256   128   100    100      LO yellow N
Meaning
Table 101 lists the show dos-protection-group default command output fields.
Table 101: show dos-protection-group default Output Fields
Field Name | Field Description |
---|---|
Protocol | Names of the protocols configured for the default DoS protection groups |
Dest | Destination of a protocol |
Mod | |
Rate | Maximum rate limit of a protocol |
Burst | Burst level of a protocol |
Weight | Protocol weight. For each priority grouping, weight determines the effective minimum rate that each protocol receives |
DropProb | Protocol drop probability. The drop probability is the percentage probability that a suspicious packet is dropped |
Priority | Maps a protocol to one of four priorities |
Skip | Protocol skip priority rate limiter |
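
An added example (not from the JunosE documentation): a Python script that parses the show dos-protection-group output format shown above, rejoining protocol names that wrap across lines, and reports rows that differ from an intended baseline or are marked `*` in the Mod column without being in that baseline. The sample text is constructed from the output above with altered values; treating `*` as "modified" and matching the display names and priority strings to the CLI keywords in the configuration steps are assumptions.

```python
import re

COL_WIDTH = 20  # width of the Protocol column (length of its dashed rule)
ROW = re.compile(r"^(?P<name>.+?)\s+(?P<dest>IC|FC)\s+(?P<mod>[-*])\s+(?P<rate>\d+)\s+"
                 r"(?P<burst>\d+)\s+(?P<weight>\d+)\s+(?P<drop>\d+)\s+(?P<prio>.+?)\s+(?P<skip>[YN])$")
# Constructed sample: rows in the page's format; Pppoe Control rate and one Mod flag altered.
SAMPLE = """\
default (canned-group: defaultCanned) *modified -- no references
Protocol             Dest Mod Rate  Burst Weight DropProb Priority  Skip
-------------------- ---- --- ----- ----- ------ -------- --------- ----
Atm OAM              IC   *   512   512   100    100      LO green  N
Frame Relay Control  IC   -   2048  1024  100    100      HI green  Y
(LMI)
Pppoe Control        IC   *   4096  512   100    100      HI yellow N
Pppoe Ppp Config Dyn IC   *   1024  512   100    100      HI yellow N
amic Interface Colum
n Creation
"""
# Assumed baseline: the values set in the configuration steps, keyed by display name.
BASELINE = {"Atm OAM": {"rate": 512, "burst": 512, "weight": 100, "priority": "LO green"},
            "Pppoe Control": {"rate": 512, "burst": 512, "weight": 100, "priority": "HI yellow"}}

def parse_dos_group(text):
    """Parse the table into {protocol name: settings}; header lines are skipped."""
    rows, last, last_len = {}, None, 0
    for line in map(str.strip, text.splitlines()):
        m = ROW.match(line)
        if m:
            last, last_len = m["name"], len(m["name"])
            rows[last] = {"mod": m["mod"] == "*", "rate": int(m["rate"]), "burst": int(m["burst"]),
                          "weight": int(m["weight"]), "priority": m["prio"]}
        elif last and line:
            # Wrapped name: a fragment that filled the column was split mid-word.
            joined = last + ("" if last_len == COL_WIDTH else " ") + line
            rows[joined] = rows.pop(last)
            last, last_len = joined, len(line)
    return rows

def audit(rows, baseline):
    """List baseline mismatches, missing protocols, and unexpected modified rows."""
    findings = [f"{n}: {k} is {rows[n][k]!r}, expected {v!r}"
                for n, want in baseline.items() if n in rows
                for k, v in want.items() if rows[n][k] != v]
    findings += [f"{n}: missing from output" for n in baseline if n not in rows]
    findings += [f"{n}: modified (*) but not in baseline"
                 for n, r in rows.items() if r["mod"] and n not in baseline]
    return findings
```

Calling `audit(parse_dos_group(SAMPLE), BASELINE)` returns one finding for the changed Pppoe Control rate and one for the modified row that the baseline does not cover.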