show ddos-protection protocols isis

Syntax

Description

Display the ISIS data traffic information for all protocol groups or individual packet types.

Options

none

Display information for all protocol groups and packet types.

protocol-group

(Optional) Display control plane DDoS protection information for a protocol group.

packet-type

(Optional) Display control plane DDoS protection information for the specified packet type in the specified protocol group. The available packet types vary by protocol group, and only some protocol groups can have policers for individual packet types.

aggregate

(Optional) Display control plane DDoS protection information for the aggregate policer. The aggregate option is available for all ISIS data traffic information.

isis-data

(Optional) Display ISIS Data traffic information.

isis-hello

(Optional) Display ISIS Hello traffic information.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show ddos-protection protocols isis command. Output fields are listed in the approximate order in which they appear.

Table 1: show ddos-protection protocols isis Output Fields

Field Name

Field Description

Packet types

Number of packet types.

Modified

Number of packets for which policer values have been modified from the default.

Received traffic

Number of traffic flows received.

Currently violated

Number of flows that are currently violating the flow bandwidth limit.

Currently tracked flows

Number of active flows that are being tracked as culprit flows by flow detection.

Total detected flows

Total number of culprit flows that have been detected, including those that have recovered or timed out.

Protocol Group

Name of protocol group.

Packet type

Name of packet type in protocol group.

Bandwidth

Bandwidth policer value; number of packets per second that is allowed before a violation is declared.

Burst

Burst policer value; the maximum number of packets that is allowed in a burst before a violation is declared.

Priority

Priority of the packet type for individual packet policers that enables more important traffic to pass through in the event of traffic congestion: low, medium, or high. Lower priority packets are dropped when insufficient bandwidth is available.

Recover time

Time in seconds that must pass before the traffic flow is considered to have recovered from the attack. A notification is generated when the timer expires.

Enabled

State of the policer:

  • Yes—The policer is enabled on both the Routing Engine and the FPC (line card). This is the default state.

  • No—The policer is disabled on both the Routing Engine and the FPC by global configuration. The policer is not disabled by the packet type level configuration.

  • No*—The policer is disabled on both the Routing Engine and the FPC. The asterisk (*) indicates that one or both of these instances are disabled at the packet type level; the policer can also be disabled globally.

  • Partial—The policer is disabled on either the Routing Engine or the FPC, but not both. It is disabled by global configuration. The policer is not disabled by the packet type level configuration.

  • Partial*—The policer is disabled on either the Routing Engine or the FPC, but not both. The asterisk (*) indicates that the instance is disabled by the packet type level configuration; the policer can also be disabled globally.

Disabling occurs globally for all packet types at the [edit system ddos-protection global] hierarchy level, for a specific packet type at the [edit system ddos-protection protocols protocol-group (aggregate | packet-type)] hierarchy level, or at both levels.

Bypass aggregate

State of the bypass aggregate configuration:

  • Yes—The aggregate policer is bypassed.

  • No—The aggregate policer is enforced.

This field appears only for individual policers.

Flow detection configuration

State of flow detection configured on the router:

  • Detection mode—Mode of operation for suspicious flow detection: automatic, off, or on.

  • Log flows—State of automatic logging of suspicious traffic flows: on (Yes) or off (No).

  • Timeout flows—State of culprit flow timeout behavior: flow is suppressed for a configured timeout period (Yes) or flow is suppressed until it is no longer in violation (No).

  • Detect time—Time in seconds that must pass before a suspicious flow that has exceeded the bandwidth allowed for the packet type is considered to be a culprit flow.

  • Recover time—Time in seconds that must pass before a culprit flow is considered to have returned to normal. The period starts when the flow drops below the threshold that triggered the last violation.

  • Timeout time—Time in seconds that a culprit flow is suppressed, if timeouts have been enabled.

  • Flow aggregation level configuration—Flow detection mode, flow control mode, and flow bandwidth for traffic at each of the traffic flow aggregation levels: subscriber, logical interface, and physical interface.

    • Aggregation level—Flow detection mode, flow control mode, and flow bandwidth for traffic at each of the traffic flow aggregation levels: subscriber, logical interface, and physical interface.

    • Detection mode—State of flow detection: automatic, off, or on.

    • Control mode—Mode of controlling culprit traffic: dropped, kept, or policed back to within the allowed bandwidth.

    • Flow rate—Bandwidth allowed for the control traffic in packets per second.

System-wide information

The following information is collected for the router:

  • A message indicates whether the policer has been violated.

  • No. of FPCs currently receiving excess traffic—Number of cards that are currently in violation of a policer.

  • No. of FPCs that have received excess traffic—Number of cards that have at some point been in violation of a policer.

  • Violation first detected at—Timestamp of the first violation.

  • Violation last seen at—Timestamp of the last observed violation.

  • Duration of violation—Length of the violation.

  • Number of violations—Number of times the violation has occurred.

  • Received—Number of packets received at all card slots and the Routing Engine.

  • Dropped—Number of packets dropped regardless of where they were dropped.

  • Arrival rate—Current traffic rate for packets arriving from all cards and at the Routing Engine.

  • Max arrival rate—Highest traffic rate for packets arriving from all cards and at the Routing Engine.

Routing Engine information

The following information is collected for the Routing Engine:

  • Bandwidth—Maximum number of packets per second that is allowed.

  • Burst—Maximum number of packets that is allowed in a burst.

  • State of the policer:

    • enabled—The Routing Engine policer is enabled. This is the default state.

    • disabled—The Routing Engine policer is disabled globally. It is not disabled by the packet type level configuration.

    • disabled*—The Routing Engine policer is disabled by the packet type level configuration; it can also be disabled globally.

  • A message indicates whether the policer has been violated; the policer might be passed at the individual cards, but the combined rate of packets arriving at the Routing Engine can exceed the configured policer value.

  • Violation first detected at—Timestamp of the first violation.

  • Violation last seen at—Timestamp of the last observed violation.

  • Duration of violation—Length of the violation.

  • Number of violations—Number of times the violation has occurred.

  • Received—Number of packets received at the Routing Engine from all cards.

  • Dropped—Number of packets dropped at the Routing Engine; includes packets dropped by the aggregate policer and by individual protocol policers.

  • Arrival rate—Current traffic rate for packets arriving at the Routing Engine from all cards.

  • Max arrival rate—Highest traffic rate for packets arriving at the Routing Engine from all cards.

  • Dropped by aggregate policer—Number of packets dropped by the aggregate policer.

  • Dropped by individual policers—Number of packets dropped by individual policers.

FPC slot information

The following information is collected for the line card in the indicated slot:

  • Bandwidth—Bandwidth scaling percentage and the number of packets per second that is allowed before a violation is declared.

  • Burst—Burst scaling percentage and the maximum number of packets that is allowed in a burst before a violation is declared.

  • State of the policer:

    • enabled—The FPC policer is enabled. This is the default state.

    • disabled—The FPC policer is disabled globally. It is not disabled by the packet type level configuration.

    • disabled*—The FPC policer is disabled by the packet type level configuration; it may also be disabled globally.

  • A message indicates whether the policer has been violated.

  • Violation first detected at—Timestamp of the first violation.

  • Violation last seen at—Timestamp of the last observed violation.

  • Duration of violation—Length of the violation.

  • Number of violations—Number of times the violation has occurred.

  • Received—Number of packets received on the line card.

  • Dropped—Number of packets dropped at the line card; includes packets dropped by the aggregate policer and by individual protocol policers.

  • Arrival rate—Current traffic rate for packets arriving at the line card.

  • Max arrival rate—Highest traffic rate for packets arriving at the line card.

  • Dropped by this policer—Number of packets dropped by the individual policer.

  • Dropped by aggregate policer—Number of packets dropped by the aggregate policer.
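The Enabled field summarizes the per-instance policer states reported under Routing Engine information and FPC slot information. The following Python sketch is an added example, not Juniper code: it derives that summary value and flags ISIS packet types whose policer is not fully enforced. The record keys (type, re, fpc, bypass_aggregate) are hypothetical, the sample values are constructed, and a single FPC state per packet type is assumed.

```python
# Added example, not vendor code. Field values below are constructed samples.
STATES = {"enabled", "disabled", "disabled*"}
GLOBAL = "[edit system ddos-protection global]"
PER_TYPE = ("[edit system ddos-protection protocols "
            "protocol-group (aggregate | packet-type)]")

def enabled_summary(re_state, fpc_state):
    """Combine the Routing Engine and FPC policer states into the Enabled value."""
    for state in (re_state, fpc_state):
        if state not in STATES:
            raise ValueError(f"unknown policer state: {state!r}")
    off = [s for s in (re_state, fpc_state) if s != "enabled"]
    if not off:
        return "Yes"
    base = "No" if len(off) == 2 else "Partial"
    # An asterisk means at least one instance is disabled at the packet type level.
    return base + ("*" if any(s.endswith("*") for s in off) else "")

def audit(policers):
    """Return (packet type, finding) pairs for policers that are not fully enforced."""
    findings = []
    for p in policers:
        summary = enabled_summary(p["re"], p["fpc"])
        if summary != "Yes":
            where = PER_TYPE if summary.endswith("*") else GLOBAL
            findings.append((p["type"], f"Enabled: {summary}; check {where}"))
        # Bypass aggregate is reported only for individual policers.
        if p["type"] != "aggregate" and p.get("bypass_aggregate") == "Yes":
            findings.append((p["type"], "aggregate policer is bypassed"))
    return findings

# Constructed sample values for the ISIS protocol group (hypothetical device state).
SAMPLE = [
    {"type": "aggregate", "re": "enabled", "fpc": "enabled"},
    {"type": "isis-data", "re": "enabled", "fpc": "disabled*",
     "bypass_aggregate": "No"},
    {"type": "isis-hello", "re": "disabled*", "fpc": "disabled*",
     "bypass_aggregate": "Yes"},
]

if __name__ == "__main__":
    for packet_type, finding in audit(SAMPLE):
        print(f"isis {packet_type}: {finding}")
```
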

Sample Output

show ddos-protection protocols isis

show ddos-protection protocols isis aggregate

show ddos-protection protocols isis isis-data

show ddos-protection protocols isis isis-hello

Release Information

Command introduced in Junos OS Release 21.4R1.