Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Example: Configuring Control Plane DDoS Protection on QFX Series Switches

This example shows how to configure control plane DDoS protection so a switch can quickly identify an attack and prevent a flood of malicious control packets from exhausting system resources.


Control plane DDoS protection requires the following hardware and software:

  • QFX Series switch that supports control plane DDoS protection

  • Junos OS Release 15.1X53-D10 or later

No special configuration beyond device initialization is required before you can configure this feature.


Distributed denial-of-service (DDoS) attacks use multiple sources to flood a network with protocol control packets. This malicious traffic triggers a large number of exceptions in the network and attempts to exhaust the system resources to deny valid users access to the network or server.

Control plane DDoS protection is enabled by default on a supported QFX Series switch. This example describes how you can modify the default configuration for the rate-limiting policers that identify excess control traffic and drop the packets before the switch is adversely affected. Sample tasks include configuring an aggregate policer for a protocol group, configuring policers for particular control packet types within a protocol group, and specifying trace options for control plane DDoS protection operations.

This example show how to change some of the default policer parameters and behavior for the radius protocol group and the Radius accounting packet type. You can use the same commands to change policer limits for other supported protocol groups and packet types. See the ddos-protection configuration statement at the [edit system] hierarchy level for all available configuration options.




CLI Quick Configuration

To quickly configure control plane DDoS protection for protocol groups and particular control packet types, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure control plane DDoS protection:

  1. Specify a protocol group.

  2. Configure the maximum traffic rate for the RADIUS aggregate policer; that is, for the combination of all RADIUS packets.


    You change the traffic rate using the bandwidth option. Although the term bandwidth usually refers to bits per second (bps), this feature’s bandwidth option represents a packets per second (pps) value.

  3. Configure the maximum burst size (number of packets) for the RADIUS aggregate policer.

  4. Configure a different maximum traffic rate (pps) and burst size (packets) for RADIUS accounting packets.

  5. Decrease the priority for RADIUS accounting packets.

  6. Prevent RADIUS server control packets from being included in the aggregate bandwidth (pps); that is, server packets do not contribute toward the combined RADIUS traffic to determine whether the aggregate bandwidth is exceeded. However, the server packets are still included in traffic rate statistics.

  7. (On switches with multiple line cards only) Reduce the bandwidth (pps) and burst size (packets) allowed before a violation is declared for the RADIUS policer on the FPC in slot 1.

  8. Configure tracing for all control plane DDoS protection protocol processing events.


From configuration mode, confirm your configuration by entering the show ddos-protection command at the system hierarchy level.

If you are done configuring the device, enter commit from configuration mode.


To confirm that the control plane DDoS protection configuration is working properly, perform these tasks:

Verifying the control plane DDoS Protection Configuration


Verify that the RADIUS policer values have changed from the default.


From operational mode, enter the show ddos-protection protocols radius parameters command.


The command output shows the current configuration of the RADIUS aggregate policer and the RADIUS accounting, server, and authorization control packet policers. Policer values that have been modified from the default values are marked with an asterisk. The output shows that the RADIUS policer configuration has been modified correctly.