Switching

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  jddosd warning on multiple fpc(s)

     
    Posted 04-14-2019 19:57

    Hi all,

    When looking at the following errors on EX switches in a VC, they are about TTL, L3MTU and IPMCAST. These messages have been generated from time to time... What troubleshooting approach should be taken to identify the cause and resolve it? Any ideas please?

     

    DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception TTL:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times, started at xxxx
    DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception L3MTU-fail:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times, started at xxxx
    DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMCAST-miss:aggregate exceeded its allowed bandwidth at fpc 1 for 252 times, started at xxxx

     

    Thanks,

    Arix...



  • 2.  RE: jddosd warning on multiple fpc(s)

     
    Posted 04-15-2019 02:31

    Hi Arix,

     

    Which EX platform and Junos version are you working with? These messages indicate that the device is protecting its routing engine from an excess of such packets causing issues.  The default thresholds and the violation counts can be troubleshot as follows:

     

    https://forums.juniper.net/t5/Ethernet-Switching/EX-DDOS-explanation/td-p/460382

    show ddos-protection protocols statistics terse
    show ddos-protection protocols statistics | find "Protocol Group: TTL"
    show ddos-protection protocols statistics | find "Protocol Group: L3MTU"
    show ddos-protection protocols statistics | find "Protocol Group: IPMCAST"

     

    Based on the timing of the log messages, you can check for actual packets hitting the routing engine of the device using:

    monitor traffic interface <intf_name> no-resolve extensive
    OR

    monitor traffic interface <intf_name> no-resolve extensive write-file /var/tmp/DDOS.pcap --------> remember to stop this, copy the file "DDOS.pcap" out of /var/tmp/ and delete it before it gets too big.

     

    Note that you'll need to make an educated guess about which interface to monitor, based on your network and interface usage, as to which device is likely to send host-bound traffic to this EX.  If all the traffic you see is legitimate and you are still seeing these logs, try adjusting the ddos-protection thresholds:
    Example:
    set system ddos-protection protocols ttl aggregate bandwidth 1000
    set system ddos-protection protocols ttl aggregate burst 500

     

    Hope this helps.

     

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).



  • 3.  RE: jddosd warning on multiple fpc(s)

     
    Posted 05-09-2019 20:18

    hi,

    The following red one is not "ok". It's "viol"... I am not sure where to start troubleshooting as there is no ddos configuration on the 9200 series EX. Another concern is how Junos knows about ddos traffic on the EX as there is no active ddos-related configuration on the EX. This is really strange...!

    Here,

    >show configuration system ddos-protection | display set ----->>nothing configured on the EX when checking the ddos config!

    .....

    ........

     

    >show ddos-protection protocols statistics terse
    Packet types: 120, Received traffic: 26, Currently violated: 1

    Protocol         Packet     Received      Dropped     Rate  Violation  State
    group            type       (packets)     (packets)   (pps) counts
    igmp             aggregate  61209693      20838       2     3          ok
    ospf             aggregate  61085001      0           3     0          ok
    rsvp             aggregate  4031996       0           0     0          ok
    rip              aggregate  61085001      0           3     0          ok
    ldp              aggregate  4031996       0           0     0          ok
    bgp              aggregate  4031996       0           0     0          ok
    lacp             aggregate  236916994     0           13    0          ok
    stp              aggregate  31856830      0           0     0          ok
    lldp             aggregate  31856830      0           0     0          ok
    arp              aggregate  262337147     3062040     13    33         ok
    pvstp            aggregate  31856830      0           0     0          ok
    ttl              aggregate  202070303     6050376     34    41         ok
    redirect         aggregate  81025         0           0     0          ok
    ndpv6            aggregate  3130832       160179      0     2          ok
    localnh          aggregate  72086686      0           2     0          ok
    vcipc-udp        aggregate  441532473     0           24    0          ok
    l3mtu-fail       aggregate  202070303     6050376     34    41         ok
    garp-reply       aggregate  191372        0           0     0          ok
    ipmc-reserved    aggregate  251803630     0           14    0          ok
    resolve          aggregate  170064650     1849        14    6          ok
    l3nhop           aggregate  12038944      391588      15    9          ok
    martian-address  aggregate  15067782      0           2     0          ok
    ipmcast-miss     aggregate  18209537219   684989339   1068  267        viol
    unknown-l2mc     aggregate  61085001      0           3     0          ok
    ospf-hello       aggregate  7744316       0           0     0          ok
    dhcpv4v6         aggregate  285812684     13416       18    3          ok

     

    Thx

    Arix


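    As an added worked example (not part of the original thread, and not Juniper's own tooling), the script below does the triage the previous two replies describe by hand: it parses the DDOS_PROTOCOL_VIOLATION_SET syslog lines from the first post, parses the "show ddos-protection protocols statistics terse" table from the post above, checks that the header's "Currently violated" count agrees with the rows, ranks protocol groups that are violated or have ever been violated with a meaningful drop ratio, and joins the per-FPC syslog counts to the device-wide counters. Both inputs are constructed inline from the text posted in this thread (the terse table is a subset of the rows); the 1% drop-ratio cut-off and all function names are assumptions for illustration.

```python
import re

# Constructed sample: the three syslog lines quoted in the first post of the
# thread ("xxxx" is the timestamp placeholder exactly as posted).
SYSLOG_SAMPLE = """\
DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception TTL:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times, started at xxxx
DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception L3MTU-fail:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times, started at xxxx
DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMCAST-miss:aggregate exceeded its allowed bandwidth at fpc 1 for 252 times, started at xxxx
"""

# Constructed sample: a subset of the rows from the "show ddos-protection
# protocols statistics terse" output posted above, header included, pasted as-is.
TERSE_SAMPLE = """\
Packet types: 120, Received traffic: 26, Currently violated: 1

Protocol Packet Received Dropped Rate Violation State
group type (packets) (packets) (pps) counts
igmp aggregate 61209693 20838 2 3 ok
lacp aggregate 236916994 0 13 0 ok
arp aggregate 262337147 3062040 13 33 ok
ttl aggregate 202070303 6050376 34 41 ok
ndpv6 aggregate 3130832 160179 0 2 ok
l3mtu-fail aggregate 202070303 6050376 34 41 ok
resolve aggregate 170064650 1849 14 6 ok
l3nhop aggregate 12038944 391588 15 9 ok
ipmcast-miss aggregate 18209537219 684989339 1068 267 viol
dhcpv4v6 aggregate 285812684 13416 18 3 ok
"""

# "<GROUP>:<packet type> exceeded ... at fpc <n> for <count> times" as in the syslog.
VIOLATION_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET: .*?protocol/exception "
    r"(?P<group>[\w-]+):(?P<ptype>\w+) exceeded its allowed bandwidth "
    r"at fpc (?P<fpc>\d+) for (?P<count>\d+) times"
)
# One data row of the terse table; header lines fail the four-integer pattern.
ROW_RE = re.compile(
    r"^(?P<group>[\w-]+)\s+(?P<ptype>\w+)\s+(?P<recv>\d+)\s+(?P<drop>\d+)"
    r"\s+(?P<rate>\d+)\s+(?P<viol>\d+)\s+(?P<state>ok|viol)\s*$"
)
SUMMARY_RE = re.compile(r"Currently violated:\s*(?P<n>\d+)")


def parse_violation_log(text):
    """Map (group, packet type, fpc) -> summed 'for N times' count from syslog lines."""
    totals = {}
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:  # group is lower-cased so it matches the terse table's naming
            key = (m["group"].lower(), m["ptype"], int(m["fpc"]))
            totals[key] = totals.get(key, 0) + int(m["count"])
    return totals


def parse_terse(text):
    """Map (group, packet type) -> counters from the terse statistics output."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[(m["group"], m["ptype"])] = {
                "received": int(m["recv"]), "dropped": int(m["drop"]),
                "rate_pps": int(m["rate"]), "violations": int(m["viol"]),
                "state": m["state"],
            }
    return rows


def violated_count_matches(text, rows):
    """Sanity check: header 'Currently violated' equals the number of rows in state viol."""
    m = SUMMARY_RE.search(text)
    declared = int(m["n"]) if m else -1
    return declared == sum(1 for r in rows.values() if r["state"] == "viol")


def triage(rows, min_drop_pct=1.0):
    """Groups worth a look: currently violated, or ever violated with >= min_drop_pct drops.

    Returns (group, ptype, drop_pct, violation_count, state), currently violated
    groups first, then by descending drop percentage. The 1% cut-off is assumed.
    """
    findings = []
    for (group, ptype), r in rows.items():
        drop_pct = 100.0 * r["dropped"] / r["received"] if r["received"] else 0.0
        if r["state"] == "viol" or (r["violations"] > 0 and drop_pct >= min_drop_pct):
            findings.append((group, ptype, round(drop_pct, 2), r["violations"], r["state"]))
    findings.sort(key=lambda f: (f[4] != "viol", -f[2]))
    return findings


def correlate(log_totals, rows):
    """Join per-FPC syslog counts with the device-wide dropped counter of the same group."""
    joined = []
    for (group, ptype, fpc), n in sorted(log_totals.items()):
        stats = rows.get((group, ptype))
        joined.append((group, ptype, fpc, n, stats["dropped"] if stats else None))
    return joined


if __name__ == "__main__":
    rows = parse_terse(TERSE_SAMPLE)
    print("header consistent:", violated_count_matches(TERSE_SAMPLE, rows))
    for f in triage(rows):
        print("%-14s %-10s drop=%5.2f%% violations=%-4d state=%s" % f)
    for g, p, fpc, n, dropped in correlate(parse_violation_log(SYSLOG_SAMPLE), rows):
        print(f"syslog: {g}:{p} fpc {fpc} flagged {n} times; dropped so far: {dropped}")
```

    On the posted data this ranks ipmcast-miss first (the only group in state viol, about 3.8% of its host-bound packets dropped), followed by ndpv6, l3nhop, ttl, l3mtu-fail and arp, which are "ok" now but have been violated before with a non-trivial drop ratio; that ordering is the order in which to run the per-group "show ddos-protection protocols statistics | find" checks and the "monitor traffic" capture from the earlier reply, rather than chasing the 30-violation TTL/L3MTU messages first.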

  • 4.  RE: jddosd warning on multiple fpc(s)

     
    Posted 05-10-2019 03:29

    @ARIX there are built-in DDOS protections for most Junos-based platforms.  For EX9200, think MX.  See below:

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-ddos-protection.html

     

    as a potential starting place.

     

    HTH