Description
(MX Series routers with only MPCs, T4000 Core Routers with only FPC5s, or EX9200 switches) Configure control plane DDoS protection policers for all supported packet types within a protocol group or for a particular supported packet type within a protocol group.
Starting in Junos OS Release 22.2R1, the following DDoS protocol statements are also supported on MX10008 devices. In earlier releases, MX10008 devices did not support these DDoS protocol statements:
filter-action
virtual-chassis
ttl
redirect
re-services
re-services-v6
rejectv6
l2pt
syslog
vxlan
Note: Although the term bandwidth usually refers to bits per second (bps), this feature's bandwidth option represents a packets per second (pps) value, and the burst option represents the number of packets in a burst. These options are explained separately.
Options
aggregate
Configure the policer to monitor all control packets within the protocol group. You can configure an aggregate policer for any protocol group.
packet-type
(Optional) Name of the control packet type to be policed. You can configure a specific policer for only the following packet types and protocol groups:
arp —The following ARP packet types are available:
bgp —The following BGP packet types are available:
bgpv6 —The following BGPv6 packet types are available:
dhcpv4 —The following packet types are available for DHCPv4 traffic:
ack —DHCPACK packets.
bad-packets —DHCPv4 packets with bad formats.
bootp —DHCPBOOTP packets.
decline —DHCPDECLINE packets.
discover —DHCPDISCOVER packets.
force-renew —DHCPFORCERENEW packets.
inform —DHCPINFORM packets.
lease-active —DHCPLEASEACTIVE packets.
lease-query —DHCPLEASEQUERY packets.
lease-unassigned —DHCPLEASEUNASSIGNED packets.
lease-unknown —DHCPLEASEUNKNOWN packets.
nak —DHCPNAK packets.
no-message-type —DHCP packets that are missing the message type.
offer —DHCPOFFER packets.
release —DHCPRELEASE packets.
renew —DHCPRENEW packets.
request —DHCPREQUEST packets.
unclassified —All unclassified packets in the protocol group.
dhcpv6 —The following packet types are available for DHCPv6 traffic:
advertise —ADVERTISE packets.
confirm —CONFIRM packets.
decline —DECLINE packets.
information-request —INFORMATION-REQUEST packets.
leasequery —LEASEQUERY packets.
leasequery-data —LEASEQUERY-DATA packets.
leasequery-done —LEASEQUERY-DONE packets.
leasequery-reply —LEASEQUERY-REPLY packets.
rebind —REBIND packets.
reconfigure —RECONFIGURE packets.
relay-forward —RELAY-FORWARD packets.
relay-reply —RELAY-REPLY packets.
release —RELEASE packets.
renew —RENEW packets.
reply —REPLY packets.
request —REQUEST packets.
solicit —SOLICIT packets.
unclassified —All unclassified packets in the protocol group.
filter-action —The following packet types are available for unclassified firewall filter action packets, sent to the host because of reject terms in firewall filters:
filter-v4 —Unclassified IPv4 filter action packets.
filter-v6 —Unclassified IPv6 filter action packets.
other —All other unclassified filter action packets that are not IPv4 or IPv6.
frame-relay —The following packet types are available for Frame Relay traffic:
ip-fragments —The following packet types are available for IP fragments:
ip-options —The following packet types are available for IP option traffic:
non-v4v6 —Options packets other than IPv4/v6.
router-alert —Router alert options packets.
unclassified —All unclassified packets in the protocol group.
l2tp —The following packet types are available for L2TP LNS subscriber management network environments in Junos OS releases 13.3R5 and 14.1X50 (this option has been obsoleted by L2TP ERA in current Enhanced Subscriber Management environments):
cdn —Call-Disconnect-Notify message packets.
hello —Hello message packets.
iccn —Incoming-Call-Connected message packets.
icrq —Incoming-Call-Request message packets.
scccn —Start-Control-Connection-Connected message packets.
sccrq —Start-Control-Connection-Request message packets.
stopccn —Stop-Control-Connection-Notification message packets.
unclassified —All unclassified packets in the protocol group.
mcast-snoop —Control traffic for multicast snooping.
mlp —The following MLP packet types are available:
aggregate —Applies to the combination of all types of control packet traffic for this protocol group.
add —Add requests; internal MAC address learning request packets sent to the host.
delete —Delete requests; internal MAC address learning request packets sent to the host.
lookup —Lookup requests; internal MAC address learning request packets sent to the host.
unclassified —All unclassified packets in the protocol group.
macpin-exception —Exceptions to MAC address pinning (wherein dynamically learned MAC addresses are pinned to prevent looping caused by MAC moves from duplicate MAC detection).
ndpv6 —The following NDPv6 packet types are available, except where noted, starting in 14.1R8, 14.2R8, 15.1R5, 15.1F7, and 16.1R1:
aggregate —Applies to the combination of all types of control packet traffic for this protocol group.
invalid-hop-limit —(Starting in 16.1R2) Invalid hop limit packets. These messages might represent crafted packets in a malicious network-based packet flood.
neighbor-advertisement —Neighbor advertisement packets. These are messages used for duplicate address detection and to test reachability of neighbors. Neighbor advertisements are sent in response to neighbor solicitation messages.
neighbor-solicitation —Neighbor solicitation packets. These are messages used for duplicate address detection and to test reachability of neighbors.
redirect —Redirect packets.
router-advertisement —Router advertisement packets. These are messages sent to announce the presence of the router, advertise prefixes, assist in address configuration, and share other link information such as MTU size and hop limit. The IPv6 nodes on the link can use this information to configure themselves with an IPv6 address and routing information such as the default gateway.
router-solicitation —Router solicitation packets. These are messages sent by IPv6 nodes when they come online to solicit immediate router advertisements from the router.
ppp —The following PPP packet types are available:
authentication —PPP authentication protocol packets.
echo-rep —LCP echo reply packets.
echo-req —LCP echo request packets.
ipcp —IP Control Protocol packets.
ipv6cp —IPv6 Control Protocol packets.
isis —IS-IS packets.
lcp —Link Control Protocol packets.
mlppp-lcp —MLPPP LCP packets.
mplscp —MPLS Control Protocol packets.
unclassified —All unclassified packets in the protocol group.
pppoe —The following PPPoE packet types are available:
padi —PADI packets.
padm —PADM packets.
padn —PADN packets.
pado —PADO packets.
padr —PADR packets.
pads —PADS packets.
padt —PADT packets.
radius —The following RADIUS packet types are available:
accounting —RADIUS accounting packets.
authorization —RADIUS authorization packets.
server —RADIUS server traffic.
unclassified —All unclassified packets in the protocol group.
re-services —The following packet type is available for Routing Engine-based HTTP redirect IPv4 traffic:
re-services-v6 —The following packet type is available for Routing Engine-based HTTP redirect IPv6 traffic:
resolve —The following packet types are available for unclassified resolve packets, which are sent to the host because of a traffic request resolve action:
mcast-v4 —Unclassified IPv4 multicast resolve packets.
mcast-v6 —Unclassified IPv6 multicast resolve packets.
ucast-v4 —Unclassified IPv4 unicast resolve packets.
ucast-v6 —Unclassified IPv6 unicast resolve packets.
other —All other unclassified resolve packets.
sample —The following sample packet types are available:
tcp-flags —The following TCP-flagged packet types are available:
established —TCP packets with ACK or RST flags set.
initial —TCP packets with SYN flag set and ACK flag not set.
unclassified —TCP packets with flags set any other way than the established and initial packets.
unclassified —The following unclassified packet types are available:
control-layer2 —Unclassified layer 2 control packets.
control-v4 —Unclassified IPv4 control packets.
control-v6 —Unclassified IPv6 control packets.
fw-host —Unclassified send-to-host firewall packets.
host-route-v4 —Unclassified IPv4 routing protocol and host packets in traffic sent to the router local interface address.
host-route-v6 —Unclassified IPv6 routing protocol and host packets in traffic sent to the router local interface address.
other —All unclassified packets that do not belong to another type.
virtual-chassis —The following packet types are available for virtual chassis packets:
control-low —Low-priority control packets.
control-high —High-priority control packets.
unclassified —All unclassified packets in the protocol group.
vc-packets —All exception packets on the virtual chassis link.
vc-ttl-errors —Virtual chassis TTL error packets.
protocol-group
Name of the protocol group for which traffic is policed. You can configure a policer for any of the following protocol groups:
amtv4 —IPv4 AMT traffic.
amtv6 —IPv6 AMT traffic.
ancp —ANCP traffic.
ancpv6 —ANCPv6 traffic.
arp —ARP traffic.
atm —ATM traffic.
bfd —BFD traffic.
bfdv6 —BFDv6 traffic.
bgp —BGP traffic.
bgpv6 —BGPv6 traffic.
control —Control traffic.
demux-autosense —Demux autosensing traffic.
dhcpv4 —DHCPv4 traffic.
dhcpv6 —DHCPv6 traffic.
diameter —Diameter and Gx-Plus traffic.
dns —DNS traffic.
dtcp —DTCP traffic.
dynamic-vlan —Dynamic VLAN exception traffic.
egpv6 —EGPv6 traffic.
eoam —EOAM traffic.
esmc —ESMC traffic.
fab-probe —Fab out probe packets.
filter-action —IPv4 and IPv6 firewall filter action packets sent to the host because of reject terms in firewall filters.
frame-relay —Frame relay traffic.
ftp —FTP traffic.
ftpv6 —FTPv6 traffic.
gre —GRE traffic.
gtp-path-mgmt —GTP path management traffic.
icmp —ICMP traffic.
igmp —IGMP traffic.
igmpv4v6 —IGMP v4/v6 traffic.
igmpv6 —IGMPv6 traffic.
inline-ka —Inline service interfaces keepalive traffic.
inline-svcs —Inline services traffic.
ip-fragments —IP fragments traffic.
ip-options —IP traffic with IP packet header options.
isis —IS-IS traffic.
jfm —JFM traffic.
l2pt —Layer 2 protocol tunneling traffic.
lacp —LACP traffic.
ldp —LDP traffic.
ldpv6 —LDPv6 traffic.
lldp —LLDP traffic.
lmp —LMP traffic.
lmpv6 —LMPv6 traffic.
mac-host —Layer 2 MAC send-to-host traffic.
mcast-snoop —Control traffic for multicast snooping.
mlp —MLP traffic.
msdp —MSDP traffic.
msdpv6 —MSDPv6 traffic.
multicast-copy —Host copy traffic due to multicast routing.
mvrp —MVRP traffic.
ndpv6 —NDPv6 traffic.
ntp —NTP traffic.
oam-lfm —OAM-LFM traffic.
ospf —OSPF traffic.
ospfv3v6 —OSPFv3/IPv6 traffic.
pfcp —Packet Forwarding Control Protocol (PFCP) traffic.
pfe-alive —Packet Forwarding Engine keepalive traffic.
pim —PIM traffic.
pimv6 —PIMv6 traffic.
pmvrp —PMVRP traffic.
pos —POS traffic.
ppp —PPP traffic.
pppoe —PPPoE traffic.
ptp —PTP traffic.
pvstp —PVSTP traffic.
radius —RADIUS traffic.
re-services —Captive portal content delivery IPv4 traffic for Routing Engine HTTP redirect.
re-services-v6 —Captive portal content delivery IPv6 traffic for Routing Engine HTTP redirect.
redirect —Traffic that triggers ICMP redirects.
reject —Packets rejected by a next-hop forwarding decision.
rejectv6 —V6 packets rejected by a next-hop forwarding decision.
resolve —Unclassified IPv4 and IPv6 resolve packets sent to the host because of a traffic request resolve action.
rip —RIP traffic.
ripv6 —RIPv6 traffic.
rsvp —RSVP traffic.
rsvpv6 —RSVPv6 traffic.
services —Service traffic.
snmp —SNMP traffic.
snmpv6 —SNMPv6 traffic.
ssh —SSH traffic.
sshv6 —SSHv6 traffic.
stp —STP traffic.
syslog —System log messages UDP traffic on port 6333 for the Routing Engine syslog server.
tacacs —TACACS traffic.
tcp-flags —Traffic with TCP flags.
telnet —TELNET traffic.
telnetv6 —TELNETv6 traffic.
ttl —TTL traffic.
tunnel-fragment —Tunnel fragments traffic.
tunnel-ka —Tunnel keepalive traffic.
unclassified —Unclassified traffic.
virtual-chassis —Virtual chassis traffic.
vrrp —VRRP traffic.
vrrpv6 —VRRPv6 traffic.
vxlan —VXLAN Layer 2 and Layer 3 traffic.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
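The following is an added configuration example; it is not part of the original page. It applies an aggregate policer to the dhcpv4 protocol group and a tighter policer to the discover packet type, the first message a client sends before it holds any lease and therefore the DHCPv4 type most easily generated by hosts that have not yet been admitted to the network. The system ddos-protection protocols hierarchy and the show ddos-protection commands named afterwards are the standard Junos DDoS protection configuration hierarchy and operational commands; the numeric values are illustrative placeholders chosen for this example, not recommended settings. As the Note above explains, bandwidth is a packets per second value and burst is a packet count.

```junos
# Added example (not from the original page): policers for the dhcpv4 group.
# bandwidth is packets per second, burst is a packet count (see the Note above).
# Numeric values are illustrative placeholders, not recommended settings.
system {
    ddos-protection {
        protocols {
            dhcpv4 {
                # Aggregate policer: applies to every DHCPv4 control packet
                # type in the group, classified or unclassified.
                aggregate {
                    bandwidth 2000;
                    burst 2000;
                }
                # Packet-type policer for DHCPDISCOVER; a packet must pass
                # this policer and then the aggregate policer.
                discover {
                    bandwidth 500;
                    burst 500;
                }
            }
        }
    }
}
```

Enter the equivalent set statements (for example, set system ddos-protection protocols dhcpv4 discover bandwidth 500 burst 500) and commit. Afterwards, show ddos-protection protocols dhcpv4 statistics reports received and dropped counts per packet type, and show ddos-protection protocols dhcpv4 violations lists policers currently in violation; a persistent violation on discover is the signal to investigate the source before raising the limit. Because a packet is subject to the packet-type policer and then the aggregate policer, keep each per-type bandwidth at or below the aggregate bandwidth; a per-type value above the aggregate is bounded by the aggregate anyway.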
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.2.
Support for Enhanced Subscriber Management added in Junos OS
Release 17.3R1.