Remember that on the QFX platform some protocols share the same queue and policers. When you get routing loops and TTL=0 packets exceed their DDoS detection limits, l3mtu-fail will also be falsely triggered.

PR1211911
Some DDOS protocols shares same hardware policer

The following control packets share the same policer (burst and bandwidth) in hardware, so changing one in the DDoS protection CLI also changes the DDoS parameter for other protocols:
o STP, PVSTP, and LLDP share DDoS parameters
o l3mtu-fail, TTL, and ip-opt share DDoS parameters
o RSVP, LDP, and BGP share DDoS parameters
o unknown-l2mc, RIP, and OSPF share DDoS parameters

11.11.2018 10:59, Saku Ytti wrote:
Hey,

These are not related to your issue.

The first one is complaining that you got a bunch of packets to your
device with TTL==1, you need to punt these and generate TTL exceeded
message. Because it's done in software, it's limited to a certain amount
of packets.
This is operationally normal during convergence due to microloops and such.


The second one is complaining that packet came in which wanted to go
out via interface which has smaller MTU, these also need to be punted
so we can generate fragmentation needed but DF set message. Doesn't
indicate anything to help with your original problem, but you might
want to know why do you have such a small egress MTU, ideally you
wouldn't ever decrease MTU inside your network.

Whatever your problem is, no one can help you with these messages.

On Sat, 10 Nov 2018 at 23:07, Rodrigo 1telecom <rodr...@1telecom.com.br> wrote:


Hi folks.... recently we have some trouble with some mpls tunnels.... sometimes
these tunnels go down:
Follow our logfiles:

Nov  9 20:03:42  PE-REC-A01-BKB-SW-001 jddosd[1769]: 
DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception 
 TTL:aggregate exceeded its allowed bandwidth at fpc 0 for 212 times, started 
at 2018-11-09 20:03:41 BRT
Nov  9 20:03:42  PE-REC-A01-BKB-SW-001 jddosd[1769]: 
DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception 
 L3MTU-fail:aggregate exceeded its allowed bandwidth at fpc 0 for 212 times, 
started at 2018-11-09 20:03:41 BRT
Can someone help us?
Sent via iPhone
Grupo Connectoway
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp




--
Best regards,
Иван Малярчук
"ИНТЕР-ТЕЛЕКОМ" Цифра
Ukraine, Kyiv
(044) 206-77-33 ext. 155
www.cyfra.ua
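
An added example, not part of the thread or of any Juniper tooling: a small log correlator that uses the shared-policer groups from the PR1211911 text to flag jddosd violations that fired together on one policer, so they can be triaged as a single event. The sample lines are constructed in the format of the two log entries in the thread; the host `sw-example` and the BGP entry are hypothetical.

```python
import re
from collections import defaultdict

# Shared hardware policer groups, as listed in the PR1211911 text above.
SHARED_GROUPS = [
    frozenset({"stp", "pvstp", "lldp"}),
    frozenset({"l3mtu-fail", "ttl", "ip-opt"}),
    frozenset({"rsvp", "ldp", "bgp"}),
    frozenset({"unknown-l2mc", "rip", "ospf"}),
]

LINE_RE = re.compile(
    r"^\w{3} \d+ [\d:]+ (?P<host>\S+) jddosd\[\d+\]: DDOS_PROTOCOL_VIOLATION_SET: "
    r".*?protocol/exception (?P<proto>[\w-]+):\S+ exceeded its allowed bandwidth "
    r"at fpc (?P<fpc>\d+) for (?P<count>\d+) times, started at (?P<start>[\d-]+ [\d:]+)"
)

def policer_group(proto):
    """Return the shared group a protocol belongs to, or a group of its own."""
    return next((g for g in SHARED_GROUPS if proto in g), frozenset({proto}))

def shared_policer_events(lines):
    """Find violations where several protocols of one group fired together."""
    events = defaultdict(dict)
    for line in lines:
        m = LINE_RE.search(" ".join(line.split()))  # undo mail wrapping/padding
        if m:
            proto = m["proto"].lower()
            key = (m["host"], int(m["fpc"]), m["start"], policer_group(proto))
            events[key][proto] = int(m["count"])
    return [
        {"host": h, "fpc": f, "start": s, "counts": dict(sorted(c.items()))}
        for (h, f, s, _), c in events.items() if len(c) > 1
    ]

# Constructed sample: the thread's two violations plus an unrelated BGP one.
TEMPLATE = ("Nov  9 {t}  {host} jddosd[1769]: DDOS_PROTOCOL_VIOLATION_SET: Warning: "
            "Host-bound traffic for protocol/exception  {proto}:aggregate exceeded its "
            "allowed bandwidth at fpc 0 for {n} times, started at 2018-11-09 {s} BRT")
SAMPLE = [
    TEMPLATE.format(t="20:03:42", host="PE-REC-A01-BKB-SW-001", proto="TTL", n=212, s="20:03:41"),
    TEMPLATE.format(t="20:03:42", host="PE-REC-A01-BKB-SW-001", proto="L3MTU-fail", n=212, s="20:03:41"),
    TEMPLATE.format(t="20:05:10", host="sw-example", proto="BGP", n=3, s="20:05:09"),
]

if __name__ == "__main__":
    for event in shared_policer_events(SAMPLE):
        print(event)
```

Identical start times and violation counts across members of one group, as in the TTL and L3MTU-fail pair here, are what a single shared policer would produce.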