show ddos-protection protocols parameters
Syntax
show ddos-protection protocols <protocol-group> parameters <brief | detail | terse>
Description
Display DDoS protection configuration information for all protocol groups or for a particular protocol group.
Starting in Junos OS Release 22.3R1, on MX Series and EX9200 Series devices, we’ve updated the default bandwidth value from 20000 to 100 pps and the default burst policer value from 20000 to 100 packets for SNMP traffic. This enhancement keeps the CPU usage of eventd and snmpd from reaching more than 100%. Before this release, when the system received violating SNMP traffic along with traffic for other protocols, the CPU usage of eventd and snmpd reached more than 100% with an error.
Starting in Junos OS Evolved Release 23.2R2, on PTX Series devices, the show ddos-protection protocols statistics command displays the Max arrival rate and Arrival rate output values as expected. Before this release, the Max arrival rate and Arrival rate output values were displayed larger than expected.
Options
| none | Display information for all protocol groups. |
| brief | detail | terse | (Optional) Display the specified level of output. |
| protocol-group | (Optional) Display information for a particular protocol group. See show ddos-protection protocols for a list of available groups. |
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show ddos-protection protocols parameters command. Output fields are listed in the approximate order in which they appear.
| Field Name | Field Description | Level of Output |
|---|---|---|
| | Name of protocol group. | All levels |
| | Name of packet type in protocol group. | All levels |
| | Bandwidth policer value; number of packets per second that is allowed before a violation is declared. In the | All levels |
| | Burst policer value; the maximum number of packets that is allowed in a burst before a violation is declared. In the | All levels |
| | Priority of the packet type in the event of traffic congestion: In the | All levels |
| | Time that must pass since the last violation before the traffic flow is considered to have recovered from the attack. A notification is generated when the timer expires. In the | All levels |
| | State of the policer, enabled ( | |
| | State of the bypass aggregate configuration: This field appears only for individual policers. | |
| | The following configuration information for the card in the indicated slot: | |
| | Number of policers that have been changed from the default configuration. An asterisk by a particular value indicates that value has been modified. | |
| | State of the policer, enabled ( | |
| | State of the bypass aggregate configuration: Dashes indicate that the bypass aggregate configuration is not available; this is possible only for aggregate policers. | |
| | Indicates whether configuration has changed from the default for any line cards. | |
Sample Output
- show ddos-protection protocols parameters
- show ddos-protection protocols parameters brief
- show ddos-protection protocols dhcpv4 parameters brief
- show ddos-protection protocols dhcpv4 parameters terse
- show ddos-protection protocols dhcpv4 parameters
- show ddos-protection protocols snmp parameters (Starting in Junos OS Release 22.3R1)
show ddos-protection protocols parameters
user@host> show ddos-protection protocols parameters
Protocol Group: IPv4-Unclassified
Packet type: aggregate (Aggregate for unclassified host-bound IPv4 traffic)
Aggregate policer configuration:
Bandwidth: 20000 pps
Burst: 20000 packets
Priority: medium
Recover time: 300 seconds
Enabled: Yes
FPC slot 1 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
Protocol Group: IPv6-Unclassified
Packet type: aggregate (Aggregate for unclassified host-bound IPv6 traffic)
Aggregate policer configuration:
Bandwidth: 20000 pps
Burst: 20000 packets
Priority: medium
Recover time: 300 seconds
Enabled: Yes
FPC slot 1 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
...
Protocol Group: PPPoE
Packet type: aggregate (Aggregate for all PPPoE control traffic)
Aggregate policer configuration:
Bandwidth: 800 pps
Burst: 2000 packets
Priority: medium
Recover time: 300 seconds
Enabled: Yes
FPC slot 1 information:
Bandwidth: 100% (800 pps), Burst: 100% (2000 packets), enabled
Packet type: padi (PPPoE PADI)
Individual policer configuration:
Bandwidth: 500 pps
Burst: 500 packets
Priority: low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
FPC slot 1 information:
Bandwidth: 100% (500 pps), Burst: 100% (500 packets), enabled
Packet type: pado (PPPoE PADO)
Individual policer configuration:
Bandwidth: 0 pps
Burst: 0 packets
Priority: low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
FPC slot 1 information:
Bandwidth: 100% (0 pps), Burst: 100% (0 packets), enabled
Packet type: padr (PPPoE PADR)
Individual policer configuration:
Bandwidth: 500 pps
Burst: 500 packets
Priority: medium
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
FPC slot 1 information:
Bandwidth: 100% (500 pps), Burst: 100% (500 packets), enabled
show ddos-protection protocols parameters brief
user@host> show ddos-protection protocols parameters brief
Number of policers modified: 3
Protocol    Packet      Bandwidth Burst  Priority Recover   Policer  Bypass FPC
group       type        (pps)     (pkts)          time(sec) enabled  aggr.  mod
ipv4-uncls  aggregate   20000     20000  medium   300       yes      --     no
ipv6-uncls  aggregate   20000     20000  medium   300       yes      --     no
dynvlan     aggregate   1000      500    low      300       yes      --     no
ppp         aggregate   16000     16000  medium   300       yes      --     no
ppp         unclass     1000      500    low      300       yes      no     no
ppp         lcp         12000     12000  low      300       yes      no     no
ppp         auth        2000      2000   medium   300       yes      no     no
ppp         ipcp        2000      2000   high     300       yes      no     no
ppp         ipv6cp      2000      2000   high     300       yes      no     no
ppp         mplscp      2000      2000   high     300       yes      no     no
ppp         isis        2000      2000   high     300       yes      no     no
pppoe       aggregate   800*      2000   medium   300       part.*   --     no
pppoe       padi        500       500    low      300       part.    no     no
pppoe       pado        0         0      low      300       part.    no     no
pppoe       padr        500       500    medium   300       part.    no     no
pppoe       pads        0         0      low      300       part.    no     no
pppoe       padt        1000      1000   high     300       part.    no     no
pppoe       padm        0         0      low      300       part.    no     no
pppoe       padn        0         0      low      300       part.    no     no
dhcpv4      aggregate   669*      5000   medium   300       yes      --     no
dhcpv4      unclass..   300       150    low      300       yes      no     no
dhcpv4      discover    100*      500    low      300       yes      no     no
dhcpv4      offer       1000      1000   low      300       yes      no     no
dhcpv4      request     1000      1000   medium   300       yes      no     no
dhcpv4      decline     500       500    low      300       yes      no     no
dhcpv4      ack         500       500    medium   300       yes      no     no
dhcpv4      nak         500       500    low      300       yes      no     no
dhcpv4      release     2000      2000   high     300       yes      no     no
dhcpv4      inform      500       500    low      300       yes      no     no
dhcpv4      renew       2000      2000   high     300       yes      no     no
dhcpv4      forcerenew  2000      2000   high     300       yes      no     no
dhcpv4      leasequery  2000      2000   high     300       yes      no     no
dhcpv4      leaseuna..  2000      2000   high     300       yes      no     no
dhcpv4      leaseunk..  2000      2000   high     300       yes      no     no
dhcpv4      leaseact..  2000      2000   high     300       yes      no     no
dhcpv4      bootp       300       300    low      300       yes      no     no
dhcpv4      no-msgtype  0         0      low      300       yes      no     no
dhcpv4      bad-pack..  0         0      low      300       yes      no     no
...
icmp        aggregate   20000     20000  high     300       yes      --     no
igmp        aggregate   20000     20000  high     300       yes      --     no
ospf        aggregate   20000     20000  high     300       yes      --     no
rsvp        aggregate   20000     20000  high     300       yes      --     no
pim         aggregate   20000     20000  high     300       yes      --     no
rip         aggregate   20000     20000  high     300       yes      --     no
ptp         aggregate   20000     20000  high     300       yes      --     no
bfd         aggregate   20000     20000  high     300       yes      --     no
lmp         aggregate   20000     20000  high     300       yes      --     no
ldp         aggregate   20000     20000  high     300       yes      --     no
msdp        aggregate   20000     20000  high     300       yes      --     no
bgp         aggregate   20000     20000  low      300       yes      --     no
vrrp        aggregate   20000     20000  high     300       yes      --     no
telnet      aggregate   20000     20000  low      300       yes      --     no
ftp         aggregate   20000     20000  low      300       yes      --     no
ssh         aggregate   20000     20000  low      300       yes      --     no
snmp        aggregate   20000     20000  low      300       yes      --     no
ancp        aggregate   20000     20000  low      300       yes      --     no
...
show ddos-protection protocols dhcpv4 parameters brief
user@host> show ddos-protection protocols dhcpv4 parameters brief
Number of policers modified: 2
Protocol    Packet      Bandwidth Burst  Priority Recover   Policer  Bypass FPC
group       type        (pps)     (pkts)          time(sec) enabled  aggr.  mod
dhcpv4      aggregate   669*      5000   medium   300       yes      --     no
dhcpv4      unclass..   300       150    low      300       yes      no     no
dhcpv4      discover    100*      500    low      300       yes      no     no
dhcpv4      offer       1000      1000   low      300       yes      no     no
dhcpv4      request     1000      1000   medium   300       yes      no     no
dhcpv4      decline     500       500    low      300       yes      no     no
dhcpv4      ack         500       500    medium   300       yes      no     no
dhcpv4      nak         500       500    low      300       yes      no     no
dhcpv4      release     2000      2000   high     300       yes      no     no
dhcpv4      inform      500       500    low      300       yes      no     no
dhcpv4      renew       2000      2000   high     300       yes      no     no
dhcpv4      forcerenew  2000      2000   high     300       yes      no     no
dhcpv4      leasequery  2000      2000   high     300       yes      no     no
dhcpv4      leaseuna..  2000      2000   high     300       yes      no     no
dhcpv4      leaseunk..  2000      2000   high     300       yes      no     no
dhcpv4      leaseact..  2000      2000   high     300       yes      no     no
dhcpv4      bootp       300       300    low      300       yes      no     no
dhcpv4      no-msgtype  0         0      low      300       yes      no     no
dhcpv4      bad-pack..  0         0      low      300       yes      no     no
show ddos-protection protocols dhcpv4 parameters terse
user@host> show ddos-protection protocols dhcpv4 parameters terse
Number of policers modified: 2
Protocol    Packet      Bandwidth Burst  Priority Recover   Policer  Bypass FPC
group       type        (pps)     (pkts)          time(sec) enabled  aggr.  mod
dhcpv4      aggregate   669*      5000   medium   300       yes      --     no
dhcpv4      discover    100*      500    low      300       yes      no     no
show ddos-protection protocols dhcpv4 parameters
user@host> show ddos-protection protocols dhcpv4 parameters
Protocol Group: DHCPv4
Packet type: aggregate (aggregate for all DHCPv4 traffic)
Aggregate policer configuration:
Bandwidth: 669 pps
Burst: 5000 packets
Priority: medium
Recover time: 300 seconds
Enabled: Yes
FPC slot 1 information:
Bandwidth: 100% (669 pps), Burst: 100% (5000 packets), enabled
Packet type: unclassified (Unclassified DHCPv4 traffic)
Individual policer configuration:
Bandwidth: 300 pps
Burst: 150 packets
Priority: low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
FPC slot 1 information:
Bandwidth: 100% (300 pps), Burst: 100% (150 packets), enabled
Packet type: discover (DHCPv4 DHCPDISCOVER)
Individual policer configuration:
Bandwidth: 100 pps
Burst: 500 packets
Priority: low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
FPC slot 1 information:
Bandwidth: 100% (100 pps), Burst: 100% (500 packets), enabled
Packet type: offer (DHCPv4 DHCPOFFER)
Individual policer configuration:
Bandwidth: 1000 pps
Burst: 1000 packets
Priority: low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
FPC slot 1 information:
Bandwidth: 100% (1000 pps), Burst: 100% (1000 packets), enabled
Packet type: request (DHCPv4 DHCPREQUEST)
Individual policer configuration:
Bandwidth: 1000 pps
Burst: 1000 packets
Priority: medium
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
FPC slot 1 information:
Bandwidth: 100% (1000 pps), Burst: 100% (1000 packets), enabled
...
show ddos-protection protocols snmp parameters (Starting in Junos OS Release 22.3R1)
Packet types: 1, Modified: 0
* = User configured value
Protocol Group: SNMP
Packet type: aggregate (Aggregate for all snmp traffic)
Aggregate policer configuration:
Bandwidth: 100 pps
Burst: 100 packets
Priority: Low
Recover time: 300 seconds
Enabled: Yes
Routing Engine information:
Bandwidth: 100 pps, Burst: 100 packets, enabled
Release Information
Command introduced in Junos OS Release 11.2.
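The following Python sketch is an added example, not part of the Juniper documentation. It parses `parameters brief` output collected from a device and flags policers that carry the `*` user-configured marker, policers whose enabled column is not `yes`, and an SNMP policer still above the 100 pps default described for Release 22.3R1. The function names, the finding labels, and the nine-column layout taken from the sample output above are assumptions of this example.

```python
from typing import NamedTuple

# Constructed sample: a few rows taken from the brief output on this page.
SAMPLE_BRIEF = """\
Number of policers modified: 3
Protocol    Packet      Bandwidth Burst  Priority Recover   Policer  Bypass FPC
group       type        (pps)     (pkts)          time(sec) enabled  aggr.  mod
pppoe       aggregate   800*      2000   medium   300       part.*   --     no
pppoe       pado        0         0      low      300       part.    no     no
dhcpv4      aggregate   669*      5000   medium   300       yes      --     no
ssh         aggregate   20000     20000  low      300       yes      --     no
snmp        aggregate   20000     20000  low      300       yes      --     no
"""

class Policer(NamedTuple):
    group: str
    packet_type: str
    bandwidth_pps: int
    burst_pkts: int
    enabled: str      # "Policer enabled" column with any "*" removed
    modified: bool    # True if any column carried the "*" marker

def parse_brief(text):
    """Parse the data rows of 'parameters brief' output; skip everything else."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        v = [col.rstrip("*") for col in f]   # values without the "*" marker
        # Data rows have 9 columns with numeric bandwidth, burst, recover time.
        if len(v) != 9 or not all(v[i].isdigit() for i in (2, 3, 5)):
            continue
        rows.append(Policer(v[0], v[1], int(v[2]), int(v[3]), v[6],
                            any("*" in col for col in f)))
    return rows

def audit(rows, snmp_default_pps=100):
    """Return (group, packet_type, reason) tuples worth a reviewer's attention."""
    findings = []
    for p in rows:
        if p.modified:
            findings.append((p.group, p.packet_type, "modified"))
        if p.enabled != "yes":
            findings.append((p.group, p.packet_type, "not-fully-enabled"))
        # Threshold is the 22.3R1 SNMP default quoted in the Description.
        if p.group == "snmp" and p.bandwidth_pps > snmp_default_pps:
            findings.append((p.group, p.packet_type, "snmp-above-default"))
    return findings

if __name__ == "__main__":
    print(audit(parse_brief(SAMPLE_BRIEF)))
```

Header, prompt, and `...` lines are skipped because they do not have nine columns with numeric bandwidth, burst, and recover-time values.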