On Mon, Mar 09, 2009 at 05:00:54AM +0530, Ashok Patrick Jude M wrote:
> > <While I'm on the subject, is there any way to see and/or modify the
> > <throttle rate? I know the default changed for some FPC types in some
> > <recent version of JUNOS, but I don't remember the exact details.
>
> What platform are you using? Could you please try a policer matching
> ttl-expired packets?
>
> Firewall filter supports a hidden knob to catch ttl = 0|1 packets
> (i.e. ttl-expired packets):
>
> r...@ghb# show firewall
> filter f {
>     term 0 {
>         from {
>             time-exceeded-bit;
>         }
>     }
> }
This is on an MX960. I had actually tried matching ttl [ 0 1 ] in firewall on border interfaces before as a way to limit traceroutes, but it had some unexpected impact on regularly forwarded traffic when policed which we never fully explained, so I had turned it off. Is there anything different about time-exceeded-bit than the ttl match I just mentioned? Is this supported on platforms which can't firewall match on ttl, or something like that?

I'm getting matches off time-exceeded-bit (including things that are locally terminated like eBGP, as well as things which will generate ttl exceeds), but nothing which accounts for the ttl-exceed traffic I'm receiving after applying it to my border interfaces.

Rather than try adding this to every interface manually (which would be time-consuming), would it make sense to apply it to "forwarding-options family inet filter input"?

--
Richard A Steenbergen <r...@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
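The configuration the two messages above are circling around, written out as an added example (this is not configuration posted by either participant, and it uses the documented ttl match rather than the hidden time-exceeded-bit knob). It rate-limits TTL-expired packets with a policer and attaches the filter once as a forwarding-table filter under forwarding-options, so it does not have to be repeated on every border interface. The policer name, rate, burst size, filter and term names, and the prefix-list name local-addrs are all assumptions chosen for the example. The local-addrs term is there because of the point raised in the second message: packets that terminate on the router itself, such as eBGP sessions, legitimately arrive with TTL 1 and should not be policed along with transit traceroute probes.

```junos
/* Added example, not from the original thread. All names and numbers are assumptions. */
policy-options {
    /* Every configured IPv4 interface address, including lo0, via apply-path. */
    prefix-list local-addrs {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
}
firewall {
    /* Assumed rate: 1 Mbit/s with a 15 KB burst is plenty for traceroute replies. */
    policer ttl-expired-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter police-ttl-expired {
            /* Locally terminated sessions (eBGP with TTL 1, etc.) must not be policed. */
            term local-control-plane {
                from {
                    destination-prefix-list {
                        local-addrs;
                    }
                }
                then accept;
            }
            /* Transit packets that will expire here and trigger an ICMP time-exceeded. */
            term ttl-expired {
                from {
                    ttl [ 0 1 ];
                }
                then {
                    policer ttl-expired-1m;
                    count ttl-expired;
                    accept;
                }
            }
            /* Everything else is untouched. */
            term rest {
                then accept;
            }
        }
    }
}
forwarding-options {
    family inet {
        /* Applied once to the forwarding table instead of per interface. */
        filter {
            input police-ttl-expired;
        }
    }
}
```

Two caveats when using this. First, apply-path expands each interface address to its configured prefix, not a /32 host route, so the local-control-plane term is slightly broader than a pure "destined to me" match; an explicit prefix-list of loopback and link addresses is tighter if that matters. Second, check "show firewall filter police-ttl-expired" after applying it and compare the ttl-expired counter against the ICMP time-exceeded volume the box actually generates; if they do not line up, as described in the second message, the filter is not seeing the packets you think it is and the placement (interface versus forwarding-table) should be revisited before tightening the policer.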