Group Parameters
DoS protection groups support the following set of parameters:
- Protocol-to-priority mapping enables you to map a protocol
to one of four priorities.
- Protocol burst enables you to configure the burst level
for the protocol. The burst is configurable in packets, and defaults
to a value in packets that is one half of the maximum rate.
- Protocol maximum rate limit (per line module) enables
you to map a protocol to a maximum rate limit. This rate limit applies
to all packets for a particular protocol for interfaces belonging
to this particular DoS protection group on a line module. By having
a DoS protection group on a single line module, the total maximum
rate for a protocol can be up to the sum of the four rates configured,
depending on the DoS group attached to an interface. You can set a
maximum rate of zero for protocols that are not used. The actual rate
never exceeds the maximum rate, but the actual rate allowed can be
less than the configured maximum rate because of the weighting of
protocols within a DoS protection group and the use of multiple DoS
protection groups.
- Protocol weight with respect to other protocols in the
DoS protection group enables you to balance the priority of the protocols.
For each priority grouping, weight determines the effective minimum
rate that each protocol receives. Within each priority, the sum of
the minimum rates for all protocols using that priority is equal to
or less than the priority rate times the over-subscription value.
Each priority has a separate rate for each DoS protection group.
- Protocol drop probability for suspicious packets enables
you to map a protocol to a specific drop probability. The drop probability
is the percentage probability that a suspicious packet is dropped.
- Protocol skip priority rate limiter enables you to configure
the system so that the specified protocol is not subject to the priority
rate limiter for the priority and DoS protection group selected. The
default is off—the protocol is subject to priority rate limiting.
- Priority rate sets the rate of the priority in packets
per second for the line module. If this rate is exceeded, it triggers
DoS suspicious control flow detection.
- Priority burst enables you to set the number of packets
allowed to exceed the maximum rate before packets are dropped and
DoS suspicious control flow detection is triggered.
- Priority oversubscription enables you to set an oversubscription
factor for the priority rate limiter. Together with the priority
rate, this factor is used to calculate the minimum rate limits for
protocols within a priority grouping, and it allows for oversubscription
of the priority rate. The value is the percentage to which the priority
rate limiter is allowed to be oversubscribed, in the range 100–1000.
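
The following Python model is an added illustration of how the weight, maximum rate, burst, priority rate, and oversubscription parameters above interact; it is not JunosE code or the router's documented algorithm. It assumes each protocol's minimum rate is its weight-proportional share of the priority rate times the oversubscription percentage, capped at the protocol's maximum rate, and that unused protocols (maximum rate of zero) take no share. Protocol names and values are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Protocol:
    name: str                    # constructed name, not a JunosE protocol keyword
    weight: int                  # weight relative to others in the same priority
    max_rate: int                # packets per second; 0 means the protocol is not used
    burst: Optional[int] = None  # packets; None means "use the default"

    def effective_burst(self) -> int:
        # Per the page, burst defaults to one half of the maximum rate.
        return self.burst if self.burst is not None else self.max_rate // 2


def minimum_rates(priority_rate, oversubscription, protocols):
    """Return {name: minimum rate in pps} for one priority of one group.

    ASSUMPTION: weight-proportional split of priority_rate * oversubscription%,
    capped at each protocol's maximum rate; unused protocols get no share.
    """
    if not 100 <= oversubscription <= 1000:
        raise ValueError("oversubscription is a percentage in the range 100-1000")
    budget = priority_rate * oversubscription / 100
    active = [p for p in protocols if p.max_rate > 0 and p.weight > 0]
    total_weight = sum(p.weight for p in active)
    rates = {p.name: 0.0 for p in protocols}
    for p in active:
        share = budget * p.weight / total_weight
        rates[p.name] = min(share, p.max_rate)  # never above the maximum rate
    return rates


# Constructed sample: one priority with a 1000 pps rate, oversubscribed to 150%.
SAMPLE = [
    Protocol("proto-a", weight=100, max_rate=2000),
    Protocol("proto-b", weight=50, max_rate=300, burst=40),
    Protocol("proto-c", weight=50, max_rate=0),   # unused: maximum rate of zero
]

if __name__ == "__main__":
    rates = minimum_rates(1000, 150, SAMPLE)
    for p in SAMPLE:
        print(f"{p.name}: min {rates[p.name]:.0f} pps, max {p.max_rate} pps, "
              f"burst {p.effective_burst()} packets")
    print("sum of minimums:", sum(rates.values()), "<= budget", 1000 * 150 / 100)
```

In this sample the maximum rate cap pulls proto-b below its weighted share, so the sum of minimum rates stays under the priority rate times the oversubscription value.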