> On Jan 4, 2019, at 3:06 PM, Jason Lixfeld <jason-j...@lixfeld.ca> wrote:
>
> Hi,
>
> Before I go too far down the rabbit hole of looking into the DDoS Protection
> parent feature on MX, does anyone know if it’s supported on MX204?

So it’s a shallow rabbit hole; it’s enabled by default and after poking around with it a bit, it seems to be supported. But, I’m seeing behaviour that doesn’t quite compute.

No RE filter configured, just the default DDoS protection. Sending about 22k pps of bogus BGP packets. FPC is in violation, but RE isn’t. Remaining BGP sessions are still up.

jlixfeld@r# run show ddos-protection protocols bgp statistics
Packet types: 1, Received traffic: 1, Currently violated: 1
Protocol Group: BGP

  Packet type: aggregate
    System-wide information:
      Aggregate bandwidth is being violated!
        No. of FPCs currently receiving excess traffic: 1
        No. of FPCs that have received excess traffic:  1
        Violation first detected at: 2019-01-04 16:13:28 EST
        Violation last seen at:      2019-01-04 16:32:51 EST
        Duration of violation: 00:19:23 Number of violations: 5
      Received:  67923912            Arrival rate:     22925 pps
      Dropped:   46234805            Max arrival rate: 190065 pps
    Routing Engine information:
      Aggregate policer is no longer being violated
        Last violation started at: 2019-01-04 16:13:33 EST
        Last violation ended at:   2019-01-04 16:13:34 EST
        Duration of last violation: 00:00:01 Number of violations: 1
      Received:  21663099            Arrival rate:     19952 pps
      Dropped:   0                   Max arrival rate: 22228 pps
        Dropped by individual policers: 0
        Dropped by aggregate policer:   0
    FPC slot 0 information:
      Aggregate policer is currently being violated!
        Violation first detected at: 2019-01-04 16:13:29 EST
        Violation last seen at:      2019-01-04 16:32:51 EST
        Duration of violation: 00:19:22 Number of violations: 4
      Received:  67923912            Arrival rate:     22925 pps
      Dropped:   46234805            Max arrival rate: 190065 pps
        Dropped by individual policers: 0
        Dropped by aggregate policer:   46234805
        Dropped by flow suppression:    0
      Flow counts:
        Aggregation level     Current       Total detected   State
        Subscriber            0             0                Active

[edit]
jlixfeld@r#

If I send 188k pps, RE is still not in violation, but BGP sessions die.

jlixfeld@r# run show ddos-protection protocols bgp statistics
Packet types: 1, Received traffic: 1, Currently violated: 1
Protocol Group: BGP

  Packet type: aggregate
    System-wide information:
      Aggregate bandwidth is being violated!
        No. of FPCs currently receiving excess traffic: 1
        No. of FPCs that have received excess traffic:  1
        Violation first detected at: 2019-01-04 16:13:28 EST
        Violation last seen at:      2019-01-04 16:24:13 EST
        Duration of violation: 00:10:45 Number of violations: 5
      Received:  30565770            Arrival rate:     188433 pps
      Dropped:   19208137            Max arrival rate: 189414 pps
    Routing Engine information:
      Aggregate policer is no longer being violated
        Last violation started at: 2019-01-04 16:13:33 EST
        Last violation ended at:   2019-01-04 16:13:34 EST
        Duration of last violation: 00:00:01 Number of violations: 1
      Received:  11423775            Arrival rate:     19857 pps
      Dropped:   0                   Max arrival rate: 22100 pps
        Dropped by individual policers: 0
        Dropped by aggregate policer:   0
    FPC slot 0 information:
      Aggregate policer is currently being violated!
        Violation first detected at: 2019-01-04 16:13:28 EST
        Violation last seen at:      2019-01-04 16:24:13 EST
        Duration of violation: 00:10:45 Number of violations: 4
      Received:  30565770            Arrival rate:     188433 pps
      Dropped:   19208137            Max arrival rate: 189414 pps
        Dropped by individual policers: 0
        Dropped by aggregate policer:   19208137
        Dropped by flow suppression:    0
      Flow counts:
        Aggregation level     Current       Total detected   State
        Subscriber            0             0                Active

[edit]
jlixfeld@r#

If the same policer is doing the same job whether it’s 22kpps or 188kpps, I’d expect no difference in the effects the different rates would have on the BGP session.

Am I missing something?

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
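
An added example, not part of the original post and not Juniper tooling: a small Python parser for the `show ddos-protection protocols bgp statistics` output above. For each level (system-wide, Routing Engine, FPC) it reports whether the policer is in violation and what share of received packets it dropped. The names `parse_ddos_stats` and `drop_report` are hypothetical; the sample is an excerpt of the 188k pps output from the post.

```python
import re

# Excerpt of the 188k pps output quoted in the post; lines the parser ignores are omitted.
SAMPLE = """\
Protocol Group: BGP
  Packet type: aggregate
    System-wide information:
      Aggregate bandwidth is being violated!
      Received:  30565770            Arrival rate:     188433 pps
      Dropped:   19208137            Max arrival rate: 189414 pps
    Routing Engine information:
      Aggregate policer is no longer being violated
      Received:  11423775            Arrival rate:     19857 pps
      Dropped:   0                   Max arrival rate: 22100 pps
    FPC slot 0 information:
      Aggregate policer is currently being violated!
      Received:  30565770            Arrival rate:     188433 pps
      Dropped:   19208137            Max arrival rate: 189414 pps
"""

SECTION = re.compile(r"^\s*(System-wide|Routing Engine|FPC slot \d+) information:")
COUNTER = re.compile(r"(Received|Dropped|Arrival rate|Max arrival rate):\s+(\d+)")

def parse_ddos_stats(text):
    """Return {level: {'violated': bool, counter: int, ...}} for one packet type."""
    stats, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = stats.setdefault(m.group(1), {"violated": False})
        elif current is not None:
            if "being violated" in line and "no longer" not in line:
                current["violated"] = True
            for name, value in COUNTER.findall(line):
                current[name] = int(value)
    return stats

def drop_report(stats):
    """Map each level to (currently violated, percent of received packets dropped)."""
    report = {}
    for name, s in stats.items():
        received = s.get("Received", 0)
        pct = round(100 * s.get("Dropped", 0) / received, 1) if received else 0.0
        report[name] = (s["violated"], pct)
    return report

if __name__ == "__main__":
    for level, (violated, pct) in drop_report(parse_ddos_stats(SAMPLE)).items():
        print(f"{level:15} violated={violated!s:5} dropped={pct}%")
```
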