junos ddos-protection with flow-detection

‎03-26-2020 02:23 PM

Gang, I am digging into the default control-plane ddos-protection configuration within Junos on MX. I need to utilize flow-detection to try and determine some of the violations we see to the default policy. Everything is default right now, so there is no ddos-protection configuration.

My question is: when flow-detection is enabled and configured to "keep" and thus allow flows, will the hierarchical policers of the ddos-protection policy still limit traffic with their policy? Or does turning on flow-detection remove that decision from there and move it into the flow-detection section only?

Re: junos ddos-protection with flow-detection

‎03-26-2020 10:47 PM

Hello,

When flow-detection is ON, the flows are still subject to aggregate policers, if that's Your question.

HTH

Thx

Alex 

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Re: junos ddos-protection with flow-detection

‎03-27-2020 07:17 AM

Yes, that is what I am trying to understand. But I think I am getting lost in the terminology. So when you say aggregate policers, you mean both the individual and aggregate policers of this feature:

https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-ddos-protecti...

correct?

It's just a bit confusing because flow-detection, which bolts onto the ddos-protection feature, also talks about policers as well:

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ddos-protection-global-f...

So I just want to make sure that these are separate places to "stop" traffic if I choose....

Re: junos ddos-protection with flow-detection

‎03-27-2020 09:28 PM

Hello,

Trio DDOS protection supports masses of protocols, all of which have aggregate policers, but few have "individual" policers, which is a misnomer since "individual" means "a separate policer for a subclass of a given protocol's messages".

To give You an example: 

- the following protocols have their own aggregate policer but no "individual" policers:

regress@R6> show ddos-protection protocols parameters brief                  
Packet types: 216, Modified: 0
* = User configured value

Protocol    Packet      Bandwidth Burst  Priority Recover   Policer  Bypass FPC
group       type        (pps)     (pkts)          time(sec) enabled  aggr.  mod
arp         aggregate   20000     20000  --       300       yes      --     no 
icmp        aggregate   20000     20000  --       300       yes      --     no 
igmp        aggregate   20000     20000  --       300       yes      --     no 
ospf        aggregate   20000     20000  --       300       yes      --     no 
rsvp        aggregate   20000     20000  --       300       yes      --     no 
pim         aggregate   8000      16000  --       300       yes      --     no 
rip         aggregate   20000     20000  --       300       yes      --     no 
ptp         aggregate   20000     20000  --       300       yes      --     no 
bfd         aggregate   20000     20000  --       300       yes      --     no 
lmp         aggregate   20000     20000  --       300       yes      --     no 
ldp         aggregate   20000     20000  --       300       yes      --     no 
msdp        aggregate   20000     20000  --       300       yes      --     no 
bgp         aggregate   20000     20000  --       300       yes      --     no 
vrrp        aggregate   20000     20000  --       300       yes      --     no 
telnet      aggregate   20000     20000  --       300       yes      --     no 
ftp         aggregate   20000     20000  --       300       yes      --     no 
ssh         aggregate   20000     20000  --       300       yes      --     no 
snmp        aggregate   20000     20000  --       300       yes      --     no 
lacp        aggregate   20000     20000  --       300       yes      --     no 
stp         aggregate   20000     20000  --       300       yes      --     no 
esmc        aggregate   20000     20000  --       300       yes      --     no 
oam-lfm     aggregate   20000     20000  --       300       yes      --     no 
eoam        aggregate   20000     20000  --       300       yes      --     no 
lldp        aggregate   20000     20000  --       300       yes      --     no 
pvstp       aggregate   20000     20000  --       300       yes      --     no 
isis        aggregate   20000     20000  --       300       yes      --     no 

- DHCPv4 has an aggregate policer and a bunch of "individual" policers:

regress@R6> show ddos-protection protocols parameters brief | grep dhcpv4 
dhcpv4      aggregate   5000      5000   --       300       yes      --     no 
dhcpv4      unclass..   300       150    Low      300       yes      no     no 
dhcpv4      discover    500       500    Low      300       yes      no     no 
dhcpv4      offer       1000      1000   Low      300       yes      no     no 
dhcpv4      request     1000      1000   Medium   300       yes      no     no 
dhcpv4      decline     500       500    Low      300       yes      no     no 
dhcpv4      ack         500       500    Medium   300       yes      no     no 
dhcpv4      nak         500       500    Low      300       yes      no     no 
dhcpv4      release     2000      2000   High     300       yes      no     no 
dhcpv4      inform      500       500    Low      300       yes      no     no 
dhcpv4      renew       2000      2000   High     300       yes      no     no 
dhcpv4      forcerenew  2000      2000   High     300       yes      no     no 
dhcpv4      leasequery  2000      2000   High     300       yes      no     no 
dhcpv4      leaseuna..  2000      2000   High     300       yes      no     no 
dhcpv4      leaseunk..  2000      2000   High     300       yes      no     no 
dhcpv4      leaseact..  2000      2000   High     300       yes      no     no 
dhcpv4      bootp       300       300    Low      300       yes      no     no 
dhcpv4      no-msgtype  1000      1000   Low      300       yes      no     no 
dhcpv4      bad-pack..  0         0      Low      300       yes      no     no 
dhcpv4      rebind      2000      2000   High     300       yes      no     no 

So, You can "stop" the protocols which don't have "individual" policers only by tweaking the aggregate policer.

You can "stop" certain message subclasses of a given protocol by tweaking their "individual" policers.

But the real power comes when You enable flow-detection, since then You'd get additional policers to play with on the physical-interface level, logical-interface level and "subscriber" level ("subscriber" means either source MAC/48 or source IP/32, depending on whether the protocol is L2, like ARP, or L3, like OSPF/BGP/LDP/ICMP etc.).

HTH

Thx

Alex

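A small audit script that turns the "aggregate vs. individual policer" distinction from the reply above into something you can check against your own box. It is an added example for this thread, not Juniper code and not from either poster: it parses the `show ddos-protection protocols parameters brief` table as quoted in the thread, lists which protocol groups can only be "stopped" via their aggregate policer, and flags individual policers that are disabled, set to bypass the aggregate, or given more bandwidth than the aggregate they sit under. The sample table is a constructed excerpt of the output quoted above; the assumption that a user-configured value is shown with a leading `*` (per the legend line) and the tweaked DHCPv4 row used to exercise the audit are both constructed for the example.

```python
"""Audit helper for 'show ddos-protection protocols parameters brief' output.

Added example for the forum thread; not Juniper code. The row layout is taken
from the output quoted in the thread; everything else is an assumption.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the output quoted in the thread.
SAMPLE_OUTPUT = """\
regress@R6> show ddos-protection protocols parameters brief
Packet types: 216, Modified: 0
* = User configured value

Protocol    Packet      Bandwidth Burst  Priority Recover   Policer  Bypass FPC
group       type        (pps)     (pkts)          time(sec) enabled  aggr.  mod
arp         aggregate   20000     20000  --       300       yes      --     no
bgp         aggregate   20000     20000  --       300       yes      --     no
dhcpv4      aggregate   5000      5000   --       300       yes      --     no
dhcpv4      discover    500       500    Low      300       yes      no     no
dhcpv4      offer       1000      1000   Low      300       yes      no     no
dhcpv4      release     2000      2000   High     300       yes      no     no
dhcpv4      bad-pack..  0         0      Low      300       yes      no     no
"""

# Constructed variant (not from the thread): one individual policer raised above
# its aggregate and set to bypass it, the kind of tweak an audit should surface.
TWEAKED_OUTPUT = SAMPLE_OUTPUT.replace(
    "dhcpv4      release     2000      2000   High     300       yes      no     no",
    "dhcpv4      release     *6000     *6000  High     300       yes      yes    no",
)

# One data row: group, packet type, bandwidth, burst, priority, recover time,
# policer enabled, bypass aggregate, FPC modified. A leading '*' on a numeric
# value is assumed to mark a user-configured value (see the legend line).
ROW_RE = re.compile(
    r"^(?P<group>\S+)\s+(?P<ptype>\S+)\s+(?P<bw>\*?\d+)\s+(?P<burst>\*?\d+)\s+"
    r"(?P<prio>\S+)\s+(?P<recover>\*?\d+)\s+(?P<enabled>\S+)\s+"
    r"(?P<bypass>\S+)\s+(?P<fpc>\S+)\s*$"
)


def parse_policers(text):
    """Return {group: {packet_type: policer-dict}}; header/legend lines are skipped."""
    groups = defaultdict(dict)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # prompt, headers, legend, blank lines
        d = m.groupdict()
        groups[d["group"]][d["ptype"]] = {
            "bandwidth_pps": int(d["bw"].lstrip("*")),
            "burst_pkts": int(d["burst"].lstrip("*")),
            "priority": d["prio"],
            "recover_s": int(d["recover"].lstrip("*")),
            "policer_enabled": d["enabled"] == "yes",
            "bypass_aggregate": d["bypass"] == "yes",
            "user_configured": "*" in (d["bw"] + d["burst"] + d["recover"]),
        }
    return dict(groups)


def classify_groups(groups):
    """Split groups into (aggregate-only, has-individual-policers), both sorted."""
    aggregate_only, with_individual = [], []
    for name, ptypes in sorted(groups.items()):
        (aggregate_only if set(ptypes) == {"aggregate"} else with_individual).append(name)
    return aggregate_only, with_individual


def audit_group(name, ptypes):
    """Findings for one group: individual policers that are disabled, bypass the
    aggregate, or are allowed more pps than the aggregate above them."""
    findings = []
    agg = ptypes.get("aggregate")
    if agg is None:
        return [f"{name}: no aggregate policer row found"]
    for ptype, p in ptypes.items():
        if ptype == "aggregate":
            continue
        if not p["policer_enabled"]:
            findings.append(f"{name}/{ptype}: individual policer disabled")
        if p["bypass_aggregate"]:
            findings.append(f"{name}/{ptype}: bypasses the aggregate policer")
        if p["bandwidth_pps"] > agg["bandwidth_pps"]:
            findings.append(f"{name}/{ptype}: {p['bandwidth_pps']} pps exceeds "
                            f"aggregate {agg['bandwidth_pps']} pps")
    return findings


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_OUTPUT), ("tweaked", TWEAKED_OUTPUT)):
        groups = parse_policers(text)
        agg_only, indiv = classify_groups(groups)
        print(f"[{label}] aggregate-only: {agg_only}; with individual policers: {indiv}")
        for name in indiv:
            for finding in audit_group(name, groups[name]):
                print(f"[{label}]   {finding}")
```

Feed it the real table (`show ddos-protection protocols parameters brief | no-more`, saved to a file) instead of the constructed sample; the "aggregate-only" list tells you which protocols you can only tune at one point, and the findings show where an individual policer has been loosened past the aggregate it nests under, which is exactly the situation the thread's question about "separate places to stop traffic" is about.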