[j-nsp] Re: Filtering rib-group imported direct routes?

2014-12-10 Thread Jack Xu
Hi Mark,
I have such a configuration, and it worked as I wished just a month ago!
Here is my config:
routing-options {
    interface-routes {
        rib-group inet CT;
    }
    static {
        route 0.0.0.0/0 next-hop 58.215.51.1;
    }
    rib-groups {
        CNC {
            import-rib [ inet.0 cnc.inet.0 ];
            import-policy test;
        }
        CT {
            import-rib [ inet.0 cnc.inet.0 ];
            import-policy test;
        }
    }
}
policy-options {
    policy-statement test {
        term 1 {
            from {
                route-filter 192.168.2.0/24 orlonger;
                route-filter 192.168.3.0/24 orlonger;
            }
            then accept;
        }
        term default {
            then reject;
        }
    }
}

Best Regards,


Jack Xu
Senior Engineer
Tel:(86)-13524613903
QQ:838178533


-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Mark Tees
Sent: 16 November 2014 6:45
To: Chris Woodfield
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Filtering rib-group imported direct routes?

Hi Chris,

In my lab environment (GNS3+Olives) I can apply an import-policy to the 
rib-group that appears to achieve the effect you are after. I vaguely remember 
trying this on an SRX a few years ago and it not working though.

root> show configuration policy-options
policy-statement rib_filter {
    term 1 {
        from {
            protocol direct;
            route-filter 10.1.2.0/30 exact;
        }
        then accept;
    }
    term else {
        then reject;
    }
}

root> show configuration routing-options
interface-routes {
    rib-group inet TEST;
}
rib-groups {
    TEST {
        import-rib [ inet.0 test.inet.0 ];
        import-policy rib_filter;
    }
}

root> show configuration routing-instances
test {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.1.2.2;
        }
    }
}

root> show route

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.0/30        *[Direct/0] 00:34:34
                    > via em0.0
10.1.1.1/32        *[Local/0] 00:34:34
                      Local via em0.0
10.1.2.0/30        *[Direct/0] 00:34:34
                    > via em1.0
10.1.2.1/32        *[Local/0] 00:34:34
                      Local via em1.0
10.10.10.1/32      *[Direct/0] 00:34:34
                    > via lo0.0

test.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:04:23
                    > to 10.1.2.2 via em1.0
10.1.2.0/30        *[Direct/0] 00:04:23
                    > via em1.0

Hope that works for you.

Mark

On Sun, Nov 16, 2014 at 6:27 AM, Chris Woodfield rek...@semihuman.com wrote:
 Hi,

 I'm currently managing a setup where, at our edge, we're punting packets 
 to a routing-instance based on firewall matches in order to separate outside 
 client traffic (which needs to be routed through the LB on return) from other 
 internet-facing outbound traffic. We have rib-groups configured for our 
 routing-instances to import the direct and local routes, like the (simplified) 
 config example below:

 routing-options {
     interface-routes {
         rib-group {
             inet fbf-groups;
         }
     }
     ...
     rib-groups {
         fbf-groups {
             import-rib [ inet.0 lb1.inet.0 ];
         }
     }
 }
 ...
 firewall {
     family inet {
         filter BOUNCE_TO_LB {
             /* term name added here; the posted config omitted the term wrapper Junos requires */
             term to-lb {
                 from {
                     protocol tcp;
                     source-port [ 80 443 ];
                 }
                 then {
                     routing-instance lb1;
                 }
             }
         }
     }
 }
 ...
 routing-instances {
     lb1 {
         instance-type forwarding;
         routing-options {
             static {
                 route 0.0.0.0/0 next-hop 1.2.3.4;
             }
         }
     }
 }

 The lb1 routing-instance is simply a default route to the LB's gateway IP 
 which is a directly connected interface to the router.

 (This design is documented here: 
 https://www.juniper.net/documentation/en_US/junos12.3/topics/example/logical-systems-filter-based-forwarding.html)

 The problem I'm having is that because this setup imports all direct and 
 local routes into the routing instance, packets that are punted to the 
 routing instance that are destined for other directly connected hosts bypass 
 the default route and get forwarded directly to the end host. For example, if 
 I have a host hanging off of interface xe-2/0/0 with address 2.2.3.4/24, and 
 I look in the routing-instance's table, I see:

 edge-rtr> show route table lb1.inet.0

 lb.inet.0: XXX destinations, XXX routes (XXX active, 0 holddown, X hidden)
 + = Active Route, - = Last Active, * = Both

 0.0.0.0/0          *[Static/5] 37w1d 15:53:29
                     > to 1.2.3.4 via xe-1/0/0
 2.2.3.4/24         *[Direct/0] 11w3d 10:42:47
                     > via 
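To make the route-filter semantics behind Mark's rib_filter policy (and Jack's test policy) concrete, here is an added Python model that is not code from the thread or from Junos: it evaluates a rib-group import policy over the inet.0 routes from Mark's lab output and shows which direct routes would reach the secondary table. The policy data structure and the default action taken when no term matches are assumptions of the model.

```python
import ipaddress

# Constructed sample: the inet.0 routes from Mark's "show route" output, as (prefix, protocol).
INET0 = [
    ("10.1.1.0/30", "direct"), ("10.1.1.1/32", "local"),
    ("10.1.2.0/30", "direct"), ("10.1.2.1/32", "local"),
    ("10.10.10.1/32", "direct"),
]

# Mark's rib_filter policy transcribed into plain data (assumed representation):
# each term may carry a 'protocol' and a list of (prefix, match-type) route-filters.
RIB_FILTER = [
    {"protocol": "direct", "route-filter": [("10.1.2.0/30", "exact")], "then": "accept"},
    {"then": "reject"},
]


def _within(prefix, filt):
    """True when prefix lies inside filt (same address family)."""
    p, f = ipaddress.ip_network(prefix), ipaddress.ip_network(filt)
    return p.version == f.version and p.subnet_of(f)


def route_filter_matches(prefix, filt, kind):
    """Junos route-filter match types: exact, orlonger, longer, upto /N."""
    if not _within(prefix, filt):
        return False
    plen = ipaddress.ip_network(prefix).prefixlen
    flen = ipaddress.ip_network(filt).prefixlen
    if kind == "exact":
        return plen == flen
    if kind == "orlonger":
        return True
    if kind == "longer":
        return plen > flen
    if kind.startswith("upto /"):
        return plen <= int(kind[len("upto /"):])
    raise ValueError("unsupported match type: " + kind)


def term_matches(term, prefix, proto):
    if "protocol" in term and term["protocol"] != proto:
        return False
    filters = term.get("route-filter")
    if not filters:
        return True  # a term with no 'from' conditions matches every route
    # Junos picks the route-filter whose prefix is the longest match for the
    # route and evaluates only that filter's match type; a shorter, looser
    # filter in the same term is never consulted.  That is the classic gotcha.
    candidates = [(f, k) for f, k in filters if _within(prefix, f)]
    if not candidates:
        return False
    best, kind = max(candidates, key=lambda fk: ipaddress.ip_network(fk[0]).prefixlen)
    return route_filter_matches(prefix, best, kind)


def import_to_rib(routes, policy, default_action="accept"):
    """Prefixes the rib-group would copy into the secondary table.

    default_action (assumed) applies when no term matches; both posters end
    their policies with an explicit reject term, so it never decides here.
    """
    accepted = []
    for prefix, proto in routes:
        action = default_action
        for term in policy:
            if term_matches(term, prefix, proto):
                action = term["then"]
                break
        if action == "accept":
            accepted.append(prefix)
    return accepted
```

With an empty policy every direct and local route is copied, which is exactly the leak Chris describes; with rib_filter only the LB-facing /30 survives.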

[j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

2014-12-10 Thread Brendan Mannella
Just wondering if anyone has ever seen these DDOS messages before and
what I should be looking at to resolve.

Dec 10 11:10:24  re0.edge2 jddosd[2710]:
DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned
to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23
EST to 2014-12-10 11:05:23 EST

Dec 10 11:23:44  re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET:
Protocol Reject:aggregate is violated at fpc 1 for 932 times, started
at 2014-12-10 11:23:43 EST

Dec 10 11:28:49  re0.edge2 jddosd[2710]:
DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned
to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43
EST to 2014-12-10 11:23:43 EST

Dec 10 12:50:55  re0.edge2 xntpd[2681]: kernel time sync enabled 6001

Dec 10 13:08:00  re0.edge2 xntpd[2681]: kernel time sync enabled 2001

Dec 10 15:01:34  re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET:
Protocol Reject:aggregate is violated at fpc 1 for 933 times, started
at 2014-12-10 15:01:33 EST

Dec 10 15:06:34  re0.edge2 jddosd[2710]:
DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned
to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33
EST to 2014-12-10 15:01:33 EST
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
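As an added example that is not part of the thread, a Python parser for the jddosd syslog lines Brendan posted: it pairs each DDOS_PROTOCOL_VIOLATION_SET with its CLEAR and separates how long the violation itself lasted from how long the router stayed in the alarmed state. The sample lines are the ones above re-joined into single syslog lines, and the year is assumed to be 2014.

```python
import re
from datetime import datetime

# Constructed sample: the jddosd/xntpd lines from the thread, re-joined into
# one syslog line each (the list archive wrapped them).
SAMPLE_LOG = """\
Dec 10 11:10:24  re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST
Dec 10 11:23:44  re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST
Dec 10 11:28:49  re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST
Dec 10 12:50:55  re0.edge2 xntpd[2681]: kernel time sync enabled 6001
Dec 10 15:01:34  re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST
Dec 10 15:06:34  re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST
"""

SYSLOG_YEAR = 2014  # assumption: classic syslog stamps carry no year; the embedded dates say 2014

_HEAD = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) +\S+ jddosd\[\d+\]: "
SET_RE = re.compile(
    _HEAD + r"DDOS_PROTOCOL_VIOLATION_SET: Protocol (?P<proto>\S+) is violated at "
    r"(?P<where>.+?) for (?P<n>\d+) times, started at (?P<start>\S+ \S+) \w+$")
CLEAR_RE = re.compile(
    _HEAD + r"DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol (?P<proto>\S+) has returned to normal\. "
    r"Violated at (?P<where>.+?) for (?P<n>\d+) times, from (?P<start>\S+ \S+) \w+ "
    r"to (?P<end>\S+ \S+) \w+$")


def _syslog_time(text):
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)


def _iso_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_ddos_events(log):
    """Pair each VIOLATION_SET with its VIOLATION_CLEAR.

    jddosd numbers violations per protocol group and location ("for 932 times"),
    so (protocol, location, count) identifies a pair.  Also returns the keys of
    CLEARs whose SET lies before the start of the log window.
    """
    pending, events, unmatched = {}, [], []
    for line in log.splitlines():
        m = SET_RE.match(line)
        if m:
            pending[(m["proto"], m["where"], int(m["n"]))] = m
            continue
        m = CLEAR_RE.match(line)
        if not m:
            continue  # xntpd and other daemons: not a jddosd event
        key = (m["proto"], m["where"], int(m["n"]))
        start = pending.pop(key, None)
        if start is None:
            unmatched.append(key)
            continue
        events.append({
            "protocol": key[0], "location": key[1], "count": key[2],
            # how long traffic actually exceeded the policer (taken from the CLEAR line)
            "violation_seconds": (_iso_time(m["end"]) - _iso_time(m["start"])).total_seconds(),
            # how long the box sat in the alarmed state before jddosd logged the CLEAR
            "alarm_seconds": (_syslog_time(m["ts"]) - _syslog_time(start["ts"])).total_seconds(),
        })
    return events, unmatched


def summarize(events):
    """Per (protocol, location): flap count, longest alarm, and whether every
    violation was a sub-second burst rather than a sustained flood."""
    stats = {}
    for e in events:
        st = stats.setdefault((e["protocol"], e["location"]),
                              {"flaps": 0, "max_alarm_seconds": 0.0, "bursts_only": True})
        st["flaps"] += 1
        st["max_alarm_seconds"] = max(st["max_alarm_seconds"], e["alarm_seconds"])
        if e["violation_seconds"] > 0:
            st["bursts_only"] = False
    return stats
```

On these lines both paired events show a zero-length violation window but an alarm that stays set for about five minutes, the signature of short bursts hitting the reject path rather than a sustained flood.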


Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

2014-12-10 Thread Eduardo Schoedler
You can find more information running show ddos-protection protocols
violations.


2014-12-10 20:16 GMT-02:00 Brendan Mannella bmanne...@teraswitch.com:
 Just wondering if anyone has ever seen these DDOS messages before and
 what i should be looking at to resolve.




-- 
Eduardo Schoedler


Re: [j-nsp] MX80 Sampling - High CPU

2014-12-10 Thread Jordan Whited
I found the issue still present in 12.3R8.7 running on an MX80. In 11.4R7.5
with sampling enabled it was taking upwards of 12 minutes for routes to
propagate to the FIB when taking in a full ipv4 with ~250k active-paths, in
12.3R8.7 I measured it closer to 3 minutes. Seems to be improved, but still
unacceptable.

On Tue, Dec 2, 2014 at 10:12 AM, Scott Granados sc...@granados-llc.net
wrote:

 I have 12.3R8.7 running on 2 MX-80s and 2 MX-480s with mixed results.  The
 good news is the routers will reconverge with sampling enabled now and the
 PFE programming won’t block hard.  The process is still slow however and
 while we did some testing it still seems that the processes hang during
 large updates although they do eventually un-wedge and complete.  The CPU
 spikes though seem pretty few and far between so that is an improvement.
 I’m hoping the rewrite of the sampled and PFE programming in the 13.3 code
  is improved.  With sampling enabled these boxes reconverge too slowly,
 especially for modern hardware.


 On Dec 1, 2014, at 6:09 PM, Jordan Whited jwhited0...@gmail.com wrote:

  Has anyone else made the jump to 12.3R8 yet?
 
  On Wed, Oct 1, 2014 at 8:35 AM, Justin M. Streiner 
 strei...@cluebyfour.org
  wrote:
 
  On Wed, 1 Oct 2014, Sebastian Wiesinger wrote:
 
  * Graham Brown juniper-...@grahambrown.info [2014-09-23 22:33]:
 
  12.3R8 and 13.3R4 are due out anytime now with the fixes in place. I
  think
  there are many people waiting for these two releases...
 
 
  So, 12.3R8 is out. Any practical experiences if inline jflow /
  sampling is faster now?
 
 
  Not sure yet.  I need to load it on my lab routers, but I won't know how
  it behaves at full scale until I load it in production.
 
  jms
 



Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

2014-12-10 Thread Wojciech Janiszewski
Hi,

Make sure that you have a discard next-hop instead of default reject in
your aggregate routes.
That should help.

Regards,
Wojciech

2014-12-10 23:16 GMT+01:00 Brendan Mannella bmanne...@teraswitch.com:

 Just wondering if anyone has ever seen these DDOS messages before and
 what i should be looking at to resolve.




Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

2014-12-10 Thread Rodrigo 1telecom
Can you put an example of this configuration, Janiszewski?!


Sent via iPhone 
Grupo Connectoway

 On 10/12/2014, at 23:54, Wojciech Janiszewski wojciech.janiszew...@gmail.com wrote:
 
 Hi,
 
 Make sure that you have a discard next-hop instead of default reject in
 your aggregate routes.
 That should help.
 
 Regards,
 Wojciech
 


Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

2014-12-10 Thread Wojciech Janiszewski
Hi Rodrigo,

It is as simple as set routing-options aggregate route destination
discard

Regards,
Wojciech

2014-12-11 4:22 GMT+01:00 Rodrigo 1telecom rodr...@1telecom.com.br:

 Can you put an example of this configuration, Janiszewski?!


 Sent via iPhone 
 Grupo Connectoway

  On 10/12/2014, at 23:54, Wojciech Janiszewski wojciech.janiszew...@gmail.com wrote:
 
  Hi,
 
  Make sure that you have a discard next-hop instead of default reject
 in
  your aggregate routes.
  That should help.
 
  Regards,
  Wojciech
 


Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

2014-12-10 Thread Chris Morrow


On 12/10/2014 09:54 PM, Wojciech Janiszewski wrote:
 Hi,
 
 Make sure that you have a discard next-hop instead of default reject in
 your aggregate routes.
 That should help.

ick, that ddos protection stuff in JunOS is broken...you should just
disable it:
system {
    ddos-protection {
        global {
            disable-routing-engine;
            disable-fpc;
            disable-logging;
        }
    }
}





Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

2014-12-10 Thread Giuliano (WZTECH)
Chris,

The best option is to disable the feature?

And about to configure it?

If you have a protect-re firewall filter applied in loopback ... Can this be done?

Is it safe?

Some documents from juniper showing the best way?

And about to disable the process?

Thanks a lot



Sent from my iPhone

 On Dec 11, 2014, at 01:20, Chris Morrow morr...@ops-netman.net wrote:
 
 
 
 On 12/10/2014 09:54 PM, Wojciech Janiszewski wrote:
 Hi,
 
 Make sure that you have a discard next-hop instead of default reject in
 your aggregate routes.
 That should help.
 
 ick, that ddos protection stuff in JunOS is broken...you should just
 disable it:
 system {
     ddos-protection {
         global {
             disable-routing-engine;
             disable-fpc;
             disable-logging;
         }
     }
 }
 
 
 


Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

2014-12-10 Thread Chris Morrow


On 12/10/2014 11:21 PM, Giuliano (WZTECH) wrote:
 Chris
 
 The best option is to disable the feature?
 

I think it's the best option.. juniper tried to do something 'nice' for
you by setting some low (I think) limits on things you might actually
care to see and deal with elsewhere...

 And about to configure it ?
 
 If you have a protect-re firewall filter applied in loopback ... Can this be done?
 

all devices on the public network should have clear policies in place to
protect themselves from the rest of the world. Your juniper loopback
filter should permit the routing protocols you care about and your
management access... and everything else should be discarded. Cymru's
templates are decent for this actually.

-chris

 Is it safe?
 
 Some documents from juniper showing the best way?
 
 And about to disable the process?
 
 Thanks a lot
 
 
 
 Sent from my iPhone
 
 On Dec 11, 2014, at 01:20, Chris Morrow morr...@ops-netman.net wrote:



 On 12/10/2014 09:54 PM, Wojciech Janiszewski wrote:
 Hi,

 Make sure that you have a discard next-hop instead of default reject in
 your aggregate routes.
 That should help.

 ick, that ddos protection stuff in JunOS is broken...you should just
 disable it:
 system {
     ddos-protection {
         global {
             disable-routing-engine;
             disable-fpc;
             disable-logging;
         }
     }
 }





Re: [j-nsp] MX80 Sampling - High CPU

2014-12-10 Thread Eduardo Schoedler
On Wednesday, 10 December 2014, Jordan Whited jwhited0...@gmail.com wrote:

 I found the issue still present in 12.3R8.7 running on an MX80. In 11.4R7.5
 with sampling enabled it was taking upwards of 12 minutes for routes to
 propagate to the FIB when taking in a full ipv4 with ~250k active-paths, in
 12.3R8.7 I measured it closer to 3 minutes. Seems to be improved, but still
 unacceptable.


What do you expect from a PowerPC processor that's used for MikroTik's
routerboards?

Take a look at dmesg.

--
Eduardo Schoedler


