Ethernet Switching

jddosd warning on multiple fpc(s)

‎04-14-2019 07:56 PM

Hi all,

When looking at the following errors on EX switches in VC, they are about TTL, L3MTU and IPMCAST. These messages have been generated from time to time... What troubleshooting approach should be taken to identify the cause and resolve it? Any ideas please?

DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception TTL:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times, started at xxxx
DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception L3MTU-fail:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times, started at xxxx
DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMCAST-miss:aggregate exceeded its allowed bandwidth at fpc 1 for 252 times, started at xxxx


Thanks,

Arix...


Re: jddosd warning on multiple fpc(s)

‎04-15-2019 02:31 AM

Hi Arix,

Which EX platform and Junos version are you working with? These messages indicate that the device is protecting its routing-engine from an excess of such packets causing issues. The default thresholds and the violation times can be troubleshot as follows:

https://forums.juniper.net/t5/Ethernet-Switching/EX-DDOS-explanation/td-p/460382

show ddos-protection protocols statistics terse
show ddos-protection protocols statistics | find "Protocol Group: TTL"
show ddos-protection protocols statistics | find "Protocol Group: L3MTU"
show ddos-protection protocols statistics | find "Protocol Group: IPMCAST"

Based on the timing of log messages, you can check for actual packets hitting the routing engine of the device using:

monitor traffic interface <intf_name> no-resolve extensive

OR

monitor traffic interface <intf_name> no-resolve extensive write-file /var/tmp/DDOS.pcap --------> remember to stop this, copy out the file "DDOS.pcap" from /var/tmp/ and delete it before it's too big.

Note that you'll need to make an educated guess on which interface to monitor based on your network and interface usage, as to which device is likely to send host-bound traffic to this EX. If all the traffic you see is legit, and you are still seeing these logs, try to play around with the ddos-protection threshold:
Example:
set system ddos-protection protocols ttl aggregate bandwidth 1000
set system ddos-protection protocols ttl aggregate burst 500

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.


Re: jddosd warning on multiple fpc(s)

‎05-09-2019 08:18 PM

hi,

The following red one is not "ok". It's "viol"... I am not sure where to start troubleshooting as there isn't any ddos configuration on the 9200 series EX. Another concern is how Junos knows ddos traffic on EX as there isn't any active ddos related configuration on the EX. This is really strange...!

Here,

>show configuration system ddos-protection | display set ----->>nothing configured on EX when checking the ddos!

.....

........

 

>show ddos-protection protocols statistics terse
Packet types: 120, Received traffic: 26, Currently violated: 1

Protocol         Packet      Received      Dropped     Rate   Violation  State
group            type        (packets)     (packets)   (pps)  counts
igmp             aggregate   61209693      20838       2      3          ok
ospf             aggregate   61085001      0           3      0          ok
rsvp             aggregate   4031996       0           0      0          ok
rip              aggregate   61085001      0           3      0          ok
ldp              aggregate   4031996       0           0      0          ok
bgp              aggregate   4031996       0           0      0          ok
lacp             aggregate   236916994     0           13     0          ok
stp              aggregate   31856830      0           0      0          ok
lldp             aggregate   31856830      0           0      0          ok
arp              aggregate   262337147     3062040     13     33         ok
pvstp            aggregate   31856830      0           0      0          ok
ttl              aggregate   202070303     6050376     34     41         ok
redirect         aggregate   81025         0           0      0          ok
ndpv6            aggregate   3130832       160179      0      2          ok
localnh          aggregate   72086686      0           2      0          ok
vcipc-udp        aggregate   441532473     0           24     0          ok
l3mtu-fail       aggregate   202070303     6050376     34     41         ok
garp-reply       aggregate   191372        0           0      0          ok
ipmc-reserved    aggregate   251803630     0           14     0          ok
resolve          aggregate   170064650     1849        14     6          ok
l3nhop           aggregate   12038944      391588      15     9          ok
martian-address  aggregate   15067782      0           2      0          ok
ipmcast-miss     aggregate   18209537219   684989339   1068   267        viol
unknown-l2mc     aggregate   61085001      0           3      0          ok
ospf-hello       aggregate   7744316       0           0      0          ok
dhcpv4v6         aggregate   285812684     13416       18     3          ok

 

Thx

Arix
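A worked example for triaging these warnings, added here and not part of the thread or of any Juniper tooling: it parses the DDOS_PROTOCOL_VIOLATION_SET syslog lines from the first post and the `show ddos-protection protocols statistics terse` output from the post above, then correlates the two so the protocol groups worth a packet capture stand out (state not "ok", a non-trivial share of dropped packets, or a group named in syslog). The class and function names and the 1% drop-ratio cut-off are this example's own choices; the sample input is constructed from the lines quoted in the thread.

```python
"""Triage of Junos jddosd DDOS_PROTOCOL_VIOLATION_SET warnings.

Added example (not from the forum thread or from Juniper).  Correlates the
syslog warnings with 'show ddos-protection protocols statistics terse' so an
operator can see which groups are actually in violation and how much
host-bound traffic is being dropped.  Names and the 1% threshold are this
example's own assumptions.
"""
import re
from dataclasses import dataclass

# Matches the warning format quoted in the thread; "started at ..." is ignored.
LOG_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for "
    r"protocol/exception (?P<group>[\w-]+):(?P<ptype>[\w-]+) exceeded its "
    r"allowed bandwidth at fpc (?P<fpc>\d+) for (?P<count>\d+) times"
)


@dataclass
class GroupStats:
    """One data row of 'show ddos-protection protocols statistics terse'."""
    group: str
    ptype: str
    received: int
    dropped: int
    rate_pps: int
    violations: int
    state: str

    @property
    def drop_ratio(self) -> float:
        return self.dropped / self.received if self.received else 0.0


def parse_violation_logs(lines):
    """Return {(group, fpc): total violation count} from syslog lines.
    Group names are lower-cased so 'L3MTU-fail' matches 'l3mtu-fail' in the CLI."""
    hits = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            key = (m["group"].lower(), int(m["fpc"]))
            hits[key] = hits.get(key, 0) + int(m["count"])
    return hits


def parse_terse_stats(text):
    """Parse the terse table.  Header, summary and blank lines are skipped
    because only data rows have exactly seven fields with a numeric third one."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        rows.append(GroupStats(parts[0], parts[1], int(parts[2]), int(parts[3]),
                               int(parts[4]), int(parts[5]), parts[6]))
    return rows


def triage(stats, log_hits, drop_ratio_threshold=0.01):
    """Flag a group when its state is not 'ok', when at least the threshold
    share of its host-bound packets were dropped, or when syslog named it."""
    findings = []
    for s in stats:
        reasons = []
        if s.state != "ok":
            reasons.append(f"state={s.state}")
        if s.drop_ratio >= drop_ratio_threshold:
            reasons.append(f"drop_ratio={s.drop_ratio:.3f}")
        fpcs = sorted(f for g, f in log_hits if g == s.group)
        if fpcs:
            reasons.append("logged on fpc " + ",".join(map(str, fpcs)))
        if reasons:
            findings.append((s.group, reasons))
    return findings


# Constructed sample input: the three log lines from the original post and a
# subset of the terse output from the follow-up post.
SAMPLE_LOGS = [
    "DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception TTL:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times, started at xxxx",
    "DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception L3MTU-fail:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times, started at xxxx",
    "DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMCAST-miss:aggregate exceeded its allowed bandwidth at fpc 1 for 252 times, started at xxxx",
]
SAMPLE_TERSE = """\
Packet types: 120, Received traffic: 26, Currently violated: 1

Protocol Packet Received Dropped Rate Violation State
group type (packets) (packets) (pps) counts
igmp aggregate 61209693 20838 2 3 ok
ospf aggregate 61085001 0 3 0 ok
arp aggregate 262337147 3062040 13 33 ok
ttl aggregate 202070303 6050376 34 41 ok
l3mtu-fail aggregate 202070303 6050376 34 41 ok
ipmcast-miss aggregate 18209537219 684989339 1068 267 viol
"""


def run_triage():
    """Correlate the sample logs with the sample stats; returns the findings."""
    return triage(parse_terse_stats(SAMPLE_TERSE), parse_violation_logs(SAMPLE_LOGS))


if __name__ == "__main__":
    for group, reasons in run_triage():
        print(f"{group:15} {'; '.join(reasons)}")
```

On the sample data this flags arp (about 1.2% dropped, no syslog line), ttl and l3mtu-fail (about 3% dropped, both reported on fpc 0) and ipmcast-miss (state "viol", reported on fpc 1), while igmp and ospf stay quiet; that ordering tells you which group to capture on first. Feed it real output by pasting the terse table and the relevant syslog lines in place of the constructed samples.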


Re: jddosd warning on multiple fpc(s)

‎05-10-2019 03:28 AM

@ARIX there are built-in DDOS protections for most Junos based platforms. For EX9200, think MX. See below:

https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-ddos-protecti...

as a potential starting place.

 

HTH