
    DoS Protection Group Configuration Example

    The examples in this section illustrate how to configure a denial-of-service (DoS) protection group.

    Requirements

    This example uses the following software and hardware components:

    • JunosE Release 8.1.0 or higher-numbered releases
    • E Series router (ERX7xx models, ERX14xx models, the ERX310 router, the E120 router, or the E320 router)
    • ASIC-based line modules that support Fast Ethernet or Gigabit Ethernet

    Overview of Denial of Service Protection

    A denial-of-service (DoS) attack is any attempt to deny valid users access to network or server resources by using up all the resources of the network element or server. DoS protection provides reactive prevention from attack and determines whether the source of traffic is valid or invalid. It includes diagnostic tools and configuration options. A DoS protection group is a simple policy that can be applied to interfaces and that specifies a set of parameters to tune behavior.

    Configuring DoS Protection Group

    Configuration Example

    Step-by-Step Procedure

    To configure a DoS protection group for an interface:

    1. Enter DoS Protection Group Configuration mode.
      host1(config)#dos-protection-group default

      Note: Beginning with JunosE Release 10.0.0, you can configure up to three DoS protection groups in addition to the one DoS protection group that is available by default. You can associate any of the configured DoS protection groups with an interface.

    2. Set the maximum rates for the protocols.
      host1(config-dos-protection)#protocol AtmOam rate 512
      host1(config-dos-protection)#protocol PppoeControl rate 512
      host1(config-dos-protection)#protocol IpLocalOther rate 512
    3. Set the burst size for the protocols.
      host1(config-dos-protection)#protocol AtmOam burst 512
      host1(config-dos-protection)#protocol PppoeControl burst 512
      host1(config-dos-protection)#protocol IpLocalOther burst 512
    4. Set the weight for the protocols.
      host1(config-dos-protection)#protocol AtmOam weight 100
      host1(config-dos-protection)#protocol PppoeControl weight 100
      host1(config-dos-protection)#protocol IpLocalOther weight 100
    5. Set the priority for the protocols.
      host1(config-dos-protection)#protocol AtmOam priority Lo-Green
      host1(config-dos-protection)#protocol PppoeControl priority Hi-Yellow
      host1(config-dos-protection)#protocol IpLocalOther priority dataPath
    6. (Optional) You can also use a preconfigured (canned) set of parameters.
      host1(config-dos-protection)#use canned-group default

    Monitoring DoS Protection Groups

    Monitoring Example

    Purpose

    Display the configuration of the default DoS protection group.

    Action

    To display the configuration of the default DoS protection group:

    host1#show dos-protection-group default
            default (canned-group: defaultCanned)  *modified -- no references
     
          Protocol         Dest Mod Rate  Burst Weight DropProb Priority  Skip
    --------------------   ---- --- ----- ----- ------ -------- --------- ----
    Ppp Echo Request       IC     -  2048  1024    100      100 HI green  Y
    Ppp Echo Reply         IC     -  2048  1024    100      100 HI green  Y
    Ppp Echo Reply Fastp   FC     -     0     0    100      100 Data path Y
    path
    Ppp Control            IC     -  2048  1024    100      100 HI green  N
    Atm Control (ILMI)     IC     -  2048  1024    100      100 HI green  Y
    Atm OAM                IC     *   512   512    100      100 LO green  N
    Atm Dynamic Interface  IC     -  1024   512    100      100 HI yellow N
    Column Creation
    Atm Inverse ARP        IC     -   256   128    100      100 LO yellow N
    Frame Relay Control    IC     -  2048  1024    100      100 HI green  Y
    (LMI)
    Frame Relay Inverse    IC     -   256   128    100      100 LO yellow N
    Arp
    Pppoe Control          IC     *   512   512    100      100 HI yellow N
    Pppoe Ppp Config Dyn   IC     -  1024   512    100      100 HI yellow N
    amic Interface Colum
    n Creation
    Ethernet ARP Miss      IC     -   256   128    100      100 LO yellow N
    Ethernet ARP           IC     -   256   128    100      100 LO yellow N

    Meaning

    Table 1 lists the show dos-protection-group default command output fields.

    Table 1: show dos-protection-group default Output Fields

    Field Name   Field Description
    ----------   -----------------
    Protocol     Names of the protocols configured for the default DoS protection groups
    Dest         Destination of a protocol
    Mod          *  Indicates that the group or protocol within the group has changed from the preprogrammed value of the associated group
                 -  Indicates no references
    Rate         Maximum rate limit of a protocol
    Burst        Burst level of a protocol
    Weight       Protocol weight. For each priority grouping, weight determines the effective minimum rate that each protocol receives
    DropProb     Protocol drop probability. The drop probability is the percentage probability that a suspicious packet is dropped
    Priority     Maps a protocol to one of four priorities
    Skip         Protocol skip priority rate limiter
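
The fields in Table 1 can be checked mechanically. The following Python script is an added example, not part of the Juniper documentation: it parses an excerpt of the output shown above, rejoins wrapped protocol names, and reports protocols whose rate or burst differs from an intended baseline, or that are marked modified (*) without being listed in it. The 20-character wrap width and the BASELINE dictionary are assumptions made for this example.

```python
import re

WRAP = 20  # assumption: a name fragment of exactly this width was hard-wrapped mid-word

# Excerpt of the `show dos-protection-group default` output shown above.
SAMPLE = """\
      Protocol         Dest Mod Rate  Burst Weight DropProb Priority  Skip
--------------------   ---- --- ----- ----- ------ -------- --------- ----
Atm OAM                IC     *   512   512    100      100 LO green  N
Atm Dynamic Interface  IC     -  1024   512    100      100 HI yellow N
Column Creation
Pppoe Control          IC     *   512   512    100      100 HI yellow N
Pppoe Ppp Config Dyn   IC     -  1024   512    100      100 HI yellow N
amic Interface Colum
n Creation
"""

ROW = re.compile(
    r"^(?P<name>.+?)\s+(?P<dest>[A-Z]{2})\s+(?P<mod>[*-])\s+(?P<rate>\d+)\s+"
    r"(?P<burst>\d+)\s+(?P<weight>\d+)\s+(?P<drop>\d+)\s+"
    r"(?P<prio>\S+ \S+)\s+(?P<skip>[YN])$")

# Intended (rate, burst) per protocol; assumed here to be the values set in the procedure.
BASELINE = {"Atm OAM": (512, 512), "Pppoe Control": (512, 512)}

def parse(output):
    """Return one dict per protocol row, rejoining wrapped protocol names."""
    rows, last = [], 0
    for text in map(str.strip, output.splitlines()):
        m = ROW.match(text)
        if m:
            rows.append({k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()})
            last = len(rows[-1]["name"])
        elif text and rows:  # continuation of the previous row's name
            rows[-1]["name"] += ("" if last == WRAP else " ") + text
            last = len(text)
    return rows

def audit(rows, baseline=BASELINE):
    """List (protocol, reason) for limits that differ from the intended policy."""
    findings = []
    for r in rows:
        want, have = baseline.get(r["name"]), (r["rate"], r["burst"])
        if want is None and r["mod"] == "*":
            findings.append((r["name"], "modified but not in baseline"))
        elif want is not None and have != want:
            findings.append((r["name"], f"rate/burst {have}, expected {want}"))
    return findings

if __name__ == "__main__":
    print(audit(parse(SAMPLE)) or "no drift from baseline")
```
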

    Published: 2014-08-12