Hello,

I met a very ugly problem yesterday. Consider the following scheme:


                     ================ Cisco ASR 1006
                     |
Customer ========| Juniper EX4200 |
                     |
                     ================ Juniper MX480

The customer is connected by one VLAN to both routers and has established a BGP session with both.

Suddenly his router started to send around 10000 packets per second. Most of them are exactly this:

"1","0.000000","0.0.0.0","224.0.0.1","IGMPv3","60","Membership Query, general"

The MX480 is just dying from this flood of packets, while the ASR is fine.

I know that several DDoS policies are preconfigured to protect the RE from these situations, but the thresholds didn't trigger, so the RE should handle them:

show ddos-protection protocols igmp
Packet types: 1, Modified: 0, Received traffic: 1, Currently violated: 0
Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: IGMP

  Packet type: aggregate (Aggregate for all igmp traffic)
    Aggregate policer configuration:
      Bandwidth:        20000 pps
      Burst:            20000 packets
      Recover time:     300 seconds
      Enabled:          Yes
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  3 seconds
      Log flows:      Yes        Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          20000 pps
    System-wide information:
      Aggregate bandwidth is never violated
      Received:  7268549             Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 17204 pps
    Routing Engine information:
      Bandwidth: 20000 pps, Burst: 20000 packets, enabled
      Aggregate policer is never violated
      Received:  4270279             Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 9979 pps
        Dropped by individual policers: 0
    FPC slot 1 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
      Aggregate policer is never violated
      Received:  1658                Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 2 pps
        Dropped by individual policers: 0
        Dropped by flow suppression:    0
    FPC slot 2 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
      Aggregate policer is never violated
      Received:  7266879             Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 17204 pps
        Dropped by individual policers: 0
        Dropped by flow suppression:    0
    FPC slot 3 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
      Aggregate policer is never violated
      Received:  12                  Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
        Dropped by flow suppression:    0

Does anybody have experience with configuring additional mechanisms? Does anybody have recommendations for threshold tuning?

I'm going to open a ticket with JTAC of course, but here I can get faster answers. Thank you in advance.

--
Best regards,
Misak Khachatryan,
Head of Network Administration
and Monitoring Department,
GNC-Alfa CJSC.
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
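The numbers in the post already explain why nothing fired: the flood peaked at 17204 pps on FPC 2 and 9979 pps at the RE, both under the 20000 pps aggregate policer, and with flow detection in automatic mode the 10 pps per-logical-interface limits are only consulted after the aggregate policer is violated. The script below, an added example for this thread and not Juniper code, parses the pasted `show ddos-protection protocols igmp` output, reports how close each scope came to the policer, whether flow detection was ever armed, and what aggregate rate would have turned the burst into a violation. The 20 pps IGMP baseline, the x10 sizing rule and the generated `set` lines are this example's assumptions; measure your own baseline and check the command syntax on your Junos release before committing anything.

```python
"""Check a Junos 'show ddos-protection protocols <group>' report against the
burst it recorded: did the policer fire, was flow detection armed, and what
aggregate rate would have caught the burst. Added example, not Juniper code;
baseline/margin defaults and the generated 'set' lines are assumptions."""
import re

# Abridged from the output pasted in the post above (MX480, IGMP group).
SAMPLE = """\
Protocol Group: IGMP
    Aggregate policer configuration:
      Bandwidth:        20000 pps
      Burst:            20000 packets
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  3 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Logical interface   Automatic       Drop          10 pps
    System-wide information:
      Aggregate bandwidth is never violated
      Dropped:   0                   Max arrival rate: 17204 pps
    Routing Engine information:
      Bandwidth: 20000 pps, Burst: 20000 packets, enabled
      Aggregate policer is never violated
      Dropped:   0                   Max arrival rate: 9979 pps
    FPC slot 2 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
      Aggregate policer is never violated
      Dropped:   0                   Max arrival rate: 17204 pps
"""

_BW = re.compile(r"^\s*Bandwidth:\s+(\d+) pps\s*$")   # matches the config line only
_MODE = re.compile(r"Detection mode:\s+(\w+)")
_SCOPE = re.compile(r"^\s*(.+?) information:\s*$")
_PEAK = re.compile(r"Max arrival rate:\s+(\d+) pps")


def parse_report(text):
    """Pull the aggregate policer rate, flow-detection mode, violation state
    and per-scope peak arrival rate out of the CLI output."""
    rep = {"bandwidth": None, "mode": None, "violated": False, "peaks": {}}
    scope = None
    for line in text.splitlines():
        if rep["bandwidth"] is None and (m := _BW.match(line)):
            rep["bandwidth"] = int(m.group(1))
        elif rep["mode"] is None and (m := _MODE.search(line)):
            rep["mode"] = m.group(1).lower()
        elif m := _SCOPE.match(line):
            scope = m.group(1)
        elif scope and (m := _PEAK.search(line)):
            rep["peaks"][scope] = int(m.group(1))
        elif scope and "violated" in line and "never" not in line:
            rep["violated"] = True
    return rep


def recommend_bandwidth(baseline_pps, margin=10, floor=100, step=100):
    """Policer = baseline * margin, at least `floor`, rounded up to `step`
    (assumed sizing rule, not a Juniper recommendation)."""
    want = max(floor, baseline_pps * margin)
    return (want + step - 1) // step * step


def assess(rep, baseline_pps=20):
    """How close each scope came to the policer, whether the per-interface
    flow limits were ever armed, and a rate that would have caught the burst.
    baseline_pps is an assumed normal IGMP rate; measure yours first."""
    peak = max(rep["peaks"].values())
    rec = recommend_bandwidth(baseline_pps)
    return {
        "peak_pps": peak,
        "headroom": {s: p / rep["bandwidth"] for s, p in rep["peaks"].items()},
        "policer_hit": peak >= rep["bandwidth"],
        # With flow-detection-mode automatic the 10 pps per-ifl rates only
        # apply once the aggregate policer is violated; at 20000 pps it never was.
        "flow_detection_armed": rep["mode"] == "on"
        or (rep["mode"] == "automatic" and rep["violated"]),
        "recommended_pps": rec,
        "would_have_caught": peak >= rec,
    }


def junos_commands(rec, group="igmp"):
    """Candidate set commands (assumed syntax; check against your Junos release)."""
    base = f"set system ddos-protection protocols {group} aggregate"
    return [f"{base} bandwidth {rec}", f"{base} burst {rec}",
            f"{base} flow-detection-mode on",
            "set system ddos-protection global flow-detection"]


if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    f = assess(rep)
    for scope, frac in f["headroom"].items():
        print(f"{scope:15s} peak {rep['peaks'][scope]:6d} pps = {frac:6.1%} of policer")
    print(f"policer hit: {f['policer_hit']}  flow detection armed: {f['flow_detection_armed']}")
    print(f"suggested aggregate {f['recommended_pps']} pps, catches burst: {f['would_have_caught']}")
    print("\n".join(junos_commands(f["recommended_pps"])))
```

Run it as-is to see the headroom table for the pasted output; to tune for your own box, paste a fresh `show ddos-protection protocols igmp` into `SAMPLE` and pass the IGMP rate you actually see in steady state as `baseline_pps`. Lowering the IGMP aggregate is the low-risk change here, since a router on a BGP peering VLAN should see only a few IGMP packets per second; turning `flow-detection-mode` to `on` is what lets the existing per-logical-interface drop action isolate one misbehaving customer port instead of policing every IGMP source together.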
