show ddos-protection protocols
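Syntax
show ddos-protection protocols <protocol-group (aggregate | packet-type)>
Description
Display control plane DDoS protection configuration and statistics for a supported protocol group or individual packet type.
Options
none | Display information for all packet types in all protocol groups. |
aggregate | (Optional) Display control plane DDoS protection information for the aggregate policer. This |
packet-type | (Optional) Display control plane DDoS protection information for the specified packet type in the specified protocol group. The available packet types vary by protocol group, and only some protocol groups can have policers for individual packet types. |
protocol-group | (Optional) Display control plane DDoS protection information for a protocol group. |
The protocol-group and packet-type options you can use with this command are the same as the supported options you use to change the default policer configuration. For the list of options available on different devices, see the following configuration statements:
For routing devices other than PTX Series routers, see protocols (DDoS).
For PTX Series routers and QFX Series switches, see protocols (DDoS) (ACX Series, PTX Series, and QFX Series).
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show ddos-protection protocols command. Output fields are listed in the approximate order in which they appear.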
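Field Name | Field Description |
---|---|
 | Number of packet types. |
 | Number of packets for which policer values have been modified from the default. |
 | Number of traffic flows received. |
 | Number of flows currently in violation of the flow bandwidth limit. |
 | Number of active flows being tracked by flow detection as culprit flows. |
 | Total number of culprit flows detected, including flows that have recovered or timed out. |
 | Name of the protocol group. |
 | Name of the packet type in the protocol group. |
 | Bandwidth policer value; the number of packets per second allowed before a violation is declared. |
 | Burst policer value; the maximum number of packets allowed in a burst before a violation is declared. |
 | Priority of the packet type for individual packet policers, which allows more important traffic to pass during traffic congestion: |
 | Time that must pass since the last violation before the traffic flow is considered to have recovered from the attack. A notification is generated when the timer expires. |
 | State of the policer: Disabled is for all packet types at the hierarchy level, a specific packet type at the hierarchy level |
 | State of the bypass aggregate configuration: This field appears only for individual policers. |
 | State of flow detection configured on the router: |
 | The following information is collected for the router: |
 | The following information is collected for the Routing Engine: |
 | The following information collected for the card in the indicated slot: Note: |
 | State of the bypass aggregate configuration: A dash indicates that the bypass aggregate configuration is not available. This is possible only for aggregate policers. |
 | Indicates whether the configuration for the line card has been changed from the default. |
 | Mode of operation for suspicious flow detection for the packet type: always-on (), () or disabled ( |
 | Bandwidth policer value; the number of packets per second allowed before a violation is declared. |
 | Flow operation mode, flow control mode, and flow bandwidth for traffic of the packet type at each traffic flow aggregation level: subscriber (), logical interface (), physical interface ( |
 | State of automatic logging of suspicious traffic flows for the packet type: on () or off ( |
 | State of culprit flow timeout behavior for the packet type: flows are suppressed or monitored for the configured timeout period () or flows are suppressed or monitored until they are no longer in violation ( |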
Sample Output
- show ddos-protection protocols
- show ddos-protection protocols (Specific Packet Type with Flow Detection Disabled)
- show ddos-protection protocols (Specific Packet Type with Flow Detection Enabled and Automatic)
- show ddos-protection protocols (Specific Packet Type with Bandwidth Violation)
- show ddos-protection protocols (ARP Broadcast)
- show ddos-protection protocols (ARP Unicast)
- show ddos-protection protocols ip-options parameters
show ddos-protection protocols
```
user@host> show ddos-protection protocols
Packet types: 190, Modified: 0, Received traffic: 12, Currently violated: 3
Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: IPv4-Unclassified

  Packet type: aggregate (Aggregate for unclassified host-bound IPv4 traffic)
    Aggregate policer configuration:
      Bandwidth:        2000 pps
      Burst:            10000 packets
      Recover time:     300 seconds
      Enabled:          Yes
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      No         Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          2000 pps
    System-wide information:
      Aggregate bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 2000 pps, Burst: 10000 packets, enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
    FPC slot 1 information:
      Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
        Dropped by flow suppression:    0
…
Protocol Group: PPPoE

  Packet type: aggregate (Aggregate for all PPPoE control traffic)
    Aggregate policer configuration:
      Bandwidth:        2000 pps
      Burst:            2000 packets
      Recover time:     300 seconds
      Enabled:          Yes
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      No         Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          2000 pps
    System-wide information:
      Aggregate bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 2000 pps, Burst: 2000 packets, enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
    FPC slot 1 information:
      Bandwidth: 100% (2000 pps), Burst: 100% (2000 packets), enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
        Dropped by flow suppression:    0

  Packet type: padi (PPPoE PADI)
    Individual policer configuration:
      Bandwidth:        500 pps
      Burst:            500 packets
      Priority:         Low
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      No         Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          500 pps
    System-wide information:
      Bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 500 pps, Burst: 500 packets, enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
    FPC slot 1 information:
      Bandwidth: 100% (500 pps), Burst: 100% (500 packets), enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
        Dropped by flow suppression:  0
...
```
show ddos-protection protocols (Specific Packet Type with Flow Detection Disabled)
```
user@host> show ddos-protection protocols pppoe padi
Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: PPPoE

  Packet type: padi (PPPoE PADI)
    Individual policer configuration:
      Bandwidth:        500 pps
      Burst:            500 packets
      Priority:         Low
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Flow detection configuration:
      Detection mode: Off*       Detect time:  3 seconds
      Log flows:      No         Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          500 pps
    System-wide information:
      Bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 500 pps, Burst: 500 packets, enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
    FPC slot 1 information:
      Bandwidth: 100% (500 pps), Burst: 100% (500 packets), enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
        Dropped by flow suppression:  0
```
show ddos-protection protocols (Specific Packet Type with Flow Detection Enabled and Automatic)
```
user@host> show ddos-protection protocols pppoe padi
Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: PPPoE

  Packet type: padi (PPPoE PADI)
    Individual policer configuration:
      Bandwidth:        500 pps
      Burst:            500 packets
      Priority:         Low
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      No         Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          500 pps
    System-wide information:
      Bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 500 pps, Burst: 500 packets, enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
    FPC slot 1 information:
      Bandwidth: 100% (500 pps), Burst: 100% (500 packets), enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
        Dropped by flow suppression:  0
```
show ddos-protection protocols (Specific Packet Type with Bandwidth Violation)
```
user@host> show ddos-protection protocols bfd
Packet types: 1, Modified: 0, Received traffic: 1, Currently violated: 1
Currently tracked flows: 1, Total detected flows: 1
* = User configured value

Protocol Group: BFD

  Packet type: aggregate (Aggregate for all bfd traffic)
    Aggregate policer configuration:
      Bandwidth:        20000 pps
      Burst:            20000 packets
      Recover time:     300 seconds
      Enabled:          Yes
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      No         Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          20000 pps
    System-wide information:
      Aggregate bandwidth is being violated!
        No. of FPCs currently receiving excess traffic: 1
        No. of FPCs that have received excess traffic:  1
        Violation first detected at: 2012-10-24 23:40:20 EDT
        Violation last seen at:      2012-10-25 10:25:48 EDT
        Duration of violation: 10:45:28 Number of violations: 1
      Received:  1173471731          Arrival rate:     30304 pps
      Dropped:   399135607           Max arrival rate: 30331 pps
      Flow counts:
        Aggregation level     Current       Total detected
        Subscriber            1             1
        Total                 1             1
    Routing Engine information:
      Bandwidth: 20000 pps, Burst: 20000 packets, enabled
      Aggregate policer is never violated
      Received:  366831604           Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 9522 pps
        Dropped by individual policers: 0
    FPC slot 1 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
      Aggregate policer is currently being violated!
        Violation first detected at: 2012-10-24 23:40:21 EDT
        Violation last seen at:      2012-10-25 10:25:48 EDT
        Duration of violation: 10:45:27 Number of violations: 1
      Received:  1173471731          Arrival rate:     30304 pps
      Dropped:   399135607           Max arrival rate: 30331 pps
        Dropped by individual policers: 0
        Dropped by aggregate policer:   398854530
        Dropped by flow suppression:    281077
      Flow counts:
        Aggregation level     Current       Total detected   State
        Subscriber            1             1                Active
        Logical-interface     0             0                Active
        Physical-interface    0             0                Active
        Total                 1             1
```
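The violation state in the BFD sample above can be extracted per scope (system-wide, Routing Engine, each FPC slot) for monitoring. The following Python is an added example, not part of the Juniper documentation; the function name find_violations and the record keys are assumptions, and the embedded text is an excerpt of the sample output on this page with one field group per line.

```python
import re

# Excerpt of the BFD sample output on this page, one field group per line.
SAMPLE = """\
Protocol Group: BFD
  Packet type: aggregate (Aggregate for all bfd traffic)
    System-wide information:
      Aggregate bandwidth is being violated!
        Violation first detected at: 2012-10-24 23:40:20 EDT
      Received:  1173471731          Arrival rate:     30304 pps
      Dropped:   399135607           Max arrival rate: 30331 pps
    Routing Engine information:
      Bandwidth: 20000 pps, Burst: 20000 packets, enabled
      Aggregate policer is never violated
      Received:  366831604           Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 9522 pps
    FPC slot 1 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
      Aggregate policer is currently being violated!
      Received:  1173471731          Arrival rate:     30304 pps
      Dropped:   399135607           Max arrival rate: 30331 pps
        Dropped by aggregate policer: 398854530
        Dropped by flow suppression:  281077
"""

SCOPE = re.compile(r"^\s*(System-wide|Routing Engine|FPC slot \d+) information:")
COUNTER = re.compile(r"(Arrival rate|Max arrival rate|Received|Dropped):\s+(\d+)")

def find_violations(text):
    """Return one record per scope whose policer is reported as being violated."""
    group = ptype = None
    scopes = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Protocol Group:"):
            group = s.split(":", 1)[1].strip()
        elif s.startswith("Packet type:"):
            ptype = s.split(":", 1)[1].split("(")[0].strip()
        elif m := SCOPE.match(line):
            scopes.append({"group": group, "packet_type": ptype,
                           "scope": m.group(1), "violated": False})
        elif scopes:
            if "being violated!" in s:  # matches "is being" and "is currently being"
                scopes[-1]["violated"] = True
            for key, val in COUNTER.findall(s):  # per-scope packet counters
                scopes[-1][key] = int(val)
    return [r for r in scopes if r["violated"]]

if __name__ == "__main__":
    for record in find_violations(SAMPLE):
        print(record)
```

The parser expects line-broken CLI output as the device prints it. A policer violated at an FPC but not at the Routing Engine, as in this sample, shows the excess traffic being dropped at the line card.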
show ddos-protection protocols (ARP Broadcast)
```
user@host> show ddos-protection protocols arp bcast
Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: ARP

  Packet type: bcast (Arp broadcast)
    Aggregate policer configuration:
      Bandwidth:        10000 pps
      Burst:            10000 packets
      Priority:         Low
      Recover time:     300 seconds
      Enabled:          Yes
    Flow detection configuration:
      Flow detection system is off
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      Yes        Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          10000 pps
    System-wide information:
      Aggregate bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 10000 pps, Burst: 10000 packets, enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
    FPC slot 2 information:
      Bandwidth: 100% (10000 pps), Burst: 100% (10000 packets), enabled
      Hostbound queue 2
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
        Dropped by flow suppression:    0
```
show ddos-protection protocols (ARP Unicast)
```
user@host> show ddos-protection protocols arp ucast
Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: ARP

  Packet type: ucast (Arp unicast)
    Aggregate policer configuration:
      Bandwidth:        10000 pps
      Burst:            10000 packets
      Priority:         High
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Flow detection configuration:
      Flow detection system is off
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      Yes        Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          10000 pps
    System-wide information:
      Aggregate bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 10000 pps, Burst: 10000 packets, enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
    FPC slot 2 information:
      Bandwidth: 100% (10000 pps), Burst: 100% (10000 packets), enabled
      Hostbound queue 3
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
        Dropped by flow suppression:  0
```
show ddos-protection protocols ip-options parameters
```
user@host> show ddos-protection protocols ip-options parameters
Packet types: 1, Modified: 0
* = User configured value

Protocol Group: IP-Options

  Packet type: aggregate (Aggregate for all options traffic)
    Aggregate policer configuration:
      Bandwidth:        100 pps
      Burst:            100 packets
      Priority:         Medium
      Recover time:     300 seconds
      Enabled:          Yes
    Routing Engine information:
      Bandwidth: 100 pps, Burst: 100 packets, enabled
    FPC slot 0 information:
      Bandwidth: 100% (100 pps), Burst: 100% (100 packets), enabled
      Hostbound queue 255
    FPC slot 1 information:
      Bandwidth: 100% (100 pps), Burst: 100% (100 packets), enabled
      Hostbound queue 255
    FPC slot 7 information:
      Bandwidth: 100% (100 pps), Burst: 100% (100 packets), enabled
      Hostbound queue 255
```
Release Information
Command introduced in Junos OS Release 11.2.
Support for enhanced subscriber management added in Junos OS Release 17.3R1.
Support for ARP broadcast and unicast protocols added in Junos OS Release 23.2R1.