[j-nsp] Re: Filtering rib-group imported direct routes?
Hi Mark,

I have such a configuration; it works as I wish, as of just a month ago! Here is my config:

routing-options {
    interface-routes {
        rib-group inet CT;
    }
    static {
        route 0.0.0.0/0 next-hop 58.215.51.1;
    }
    rib-groups {
        CNC {
            import-rib [ inet.0 cnc.inet.0 ];
            import-policy test;
        }
        CT {
            import-rib [ inet.0 cnc.inet.0 ];
            import-policy test;
        }
    }
}
policy-options {
    policy-statement test {
        term 1 {
            from {
                route-filter 192.168.2.0/24 orlonger;
                route-filter 192.168.3.0/24 orlonger;
            }
            then accept;
        }
        term default {
            then reject;
        }
    }
}

Best Regards,
Jack Xu
Senior Engineer
Tel: (86)-13524613903
QQ: 838178533

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Mark Tees
Sent: 16 November 2014 6:45
To: Chris Woodfield
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Filtering rib-group imported direct routes?

Hi Chris,

In my lab environment (GNS3+Olives) I can apply an import-policy to the rib-group that appears to achieve the effect you are after. I vaguely remember trying this on an SRX a few years ago and it not working though.

root> show configuration policy-options
policy-statement rib_filter {
    term 1 {
        from {
            protocol direct;
            route-filter 10.1.2.0/30 exact;
        }
        then accept;
    }
    term else {
        then reject;
    }
}

root> show configuration routing-options
interface-routes {
    rib-group inet TEST;
}
rib-groups {
    TEST {
        import-rib [ inet.0 test.inet.0 ];
        import-policy rib_filter;
    }
}

root> show configuration routing-instances
test {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.1.2.2;
        }
    }
}

root> show route

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.0/30        *[Direct/0] 00:34:34
                    > via em0.0
10.1.1.1/32        *[Local/0] 00:34:34
                      Local via em0.0
10.1.2.0/30        *[Direct/0] 00:34:34
                    > via em1.0
10.1.2.1/32        *[Local/0] 00:34:34
                      Local via em1.0
10.10.10.1/32      *[Direct/0] 00:34:34
                    > via lo0.0

test.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:04:23
                    > to 10.1.2.2 via em1.0
10.1.2.0/30        *[Direct/0] 00:04:23
                    > via em1.0

Hope that works for you.

Mark

On Sun, Nov 16, 2014 at 6:27 AM, Chris Woodfield <rek...@semihuman.com> wrote:
> Hi,
>
> I'm currently managing a setup where, at our edge, we're punting packets to a routing-instance based on firewall matches in order to separate traffic between outside client traffic (which needs to be routed through the LB on return) and other internet-facing outbound. We have rib-groups configured for our routing-instances to import the direct and local routes, like the below (simplified) config example:
>
> routing-options {
>     interface-routes {
>         rib-group {
>             inet fbf-groups;
>         }
>     }
>     ...
>     rib-groups {
>         fbf-groups {
>             import-rib [ inet.0 lb1.inet.0 ];
>         }
>     }
> }
> ...
> firewall {
>     family inet {
>         filter BOUNCE_TO_LB {
>             from {
>                 protocol tcp;
>                 source-port [ 80 443 ];
>             }
>             then {
>                 routing-instance lb1;
>             }
>         }
>     }
> }
> ...
> routing-instances {
>     lb1 {
>         instance-type forwarding;
>         routing-options {
>             static {
>                 route 0.0.0.0/0 next-hop 1.2.3.4;
>             }
>         }
>     }
> }
>
> The lb1 routing-instance is simply a default route to the LB's gateway IP, which is a directly connected interface to the router. (This design is documented here: https://www.juniper.net/documentation/en_US/junos12.3/topics/example/logical-systems-filter-based-forwarding.html)
>
> The problem I'm having is that because this setup imports all direct and local routes into the routing instance, packets that are punted to the routing instance that are destined for other directly connected hosts bypass the default route and get forwarded directly to the end host. For example, if I have a host hanging off of interface xe-2/0/0 with address 2.2.3.4/24, and I look in the routing-instance's table, I see:
>
> edge-rtr> show route table lb1.inet.0
>
> lb.inet.0: XXX destinations, XXX routes (XXX active, 0 holddown, X hidden)
> + = Active Route, - = Last Active, * = Both
>
> 0.0.0.0/0          *[Static/5] 37w1d 15:53:29
>                     > to 1.2.3.4 via xe-1/0/0
> 2.2.3.4/24         *[Direct/0] 11w3d 10:42:47
>                       via
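As an added illustration (not part of the thread and not Juniper code), the following Python script models what the two configurations above do to lb1.inet.0: a longest-prefix lookup over the instance's table, once with every direct/local route leaked in through the rib-group and once with an import policy like Mark's that keeps only the LB-facing direct route. Addresses beyond those in the thread are assumptions: the LB gateway 1.2.3.4 is taken to sit on 1.2.3.0/24 behind xe-1/0/0 and the client host 2.2.3.4 on 2.2.3.0/24 behind xe-2/0/0; Route, rib_group_import, policy_lb_only, lookup and forwarding_decision are names chosen for the example.

```python
"""Model of rib-group import into an FBF instance (added example, not from
the thread).  Assumed topology: LB gateway 1.2.3.4 on 1.2.3.0/24 (xe-1/0/0),
client host 2.2.3.4 on 2.2.3.0/24 (xe-2/0/0).  Route tables are plain lists."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    protocol: str            # "Direct", "Local" or "Static"
    next_hop: Optional[str]  # IP for Static, None for Direct/Local
    interface: str


# inet.0 as the edge router would see it (constructed sample data).
INET0 = [
    Route(ip_network("1.2.3.0/24"), "Direct", None, "xe-1/0/0"),
    Route(ip_network("1.2.3.1/32"), "Local", None, "xe-1/0/0"),
    Route(ip_network("2.2.3.0/24"), "Direct", None, "xe-2/0/0"),
    Route(ip_network("2.2.3.1/32"), "Local", None, "xe-2/0/0"),
]

# The lb1 instance's own static default, as in the thread.
LB1_STATIC = [Route(ip_network("0.0.0.0/0"), "Static", "1.2.3.4", "xe-1/0/0")]


def rib_group_import(routes, import_policy=None):
    """Mimic 'interface-routes rib-group': copy Direct/Local routes into the
    secondary table, passing each through the import policy if one is set."""
    out = []
    for r in routes:
        if r.protocol not in ("Direct", "Local"):
            continue
        if import_policy is None or import_policy(r):
            out.append(r)
    return out


def policy_lb_only(r):
    """Equivalent of Mark's rib_filter: accept 'protocol direct' matching an
    exact route-filter for the LB-facing subnet, reject everything else
    (including the Local /32 for the interface address)."""
    return r.protocol == "Direct" and r.prefix == ip_network("1.2.3.0/24")


def lookup(table, dst):
    """Longest-prefix match, as the PFE does on lb1.inet.0."""
    addr = ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def forwarding_decision(dst, import_policy=None):
    """Where a packet punted into lb1 for destination dst ends up."""
    table = LB1_STATIC + rib_group_import(INET0, import_policy)
    r = lookup(table, dst)
    if r is None:
        return "unreachable"
    if r.protocol == "Static":
        return f"to {r.next_hop} via {r.interface}"
    return f"{r.protocol.lower()} via {r.interface}"


if __name__ == "__main__":
    # No policy: the client subnet's direct route is in lb1.inet.0 and beats
    # the default, so return traffic goes straight out xe-2/0/0, bypassing the LB.
    print(forwarding_decision("2.2.3.4"))
    # With the policy: only the LB-facing subnet remains, so the default via
    # the LB wins for the client subnet, and the LB itself stays reachable.
    print(forwarding_decision("2.2.3.4", policy_lb_only))
    print(forwarding_decision("1.2.3.4", policy_lb_only))
```

The first lookup lands on the direct route and the second on the default via the LB. The policy must still keep the direct route for the subnet that contains the default route's next hop (1.2.3.0/24 here), which is the reason the FBF design imports interface routes into the instance at all; Mark's policy does that with an exact route-filter for the LB-facing /30 and a final reject term.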
[j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.

Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST
Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST
Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST
Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001
Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST
Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
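As an added example (not from the thread), here is a small Python parser for the jddosd lines above. It pairs each DDOS_PROTOCOL_VIOLATION_SET with the following CLEAR for the same protocol and FPC, keeps the counter the daemon prints (931, 932, 933 in the log above, one higher per event, so it reads as cumulative rather than per burst), and computes how long each violation lasted. The sample log is the one from the post, embedded inline; the regular expressions are this example's reading of that message format, not a Juniper specification, and parse_jddosd, Violation and summarise are names chosen for the example.

```python
"""Triage jddosd DDOS_PROTOCOL_VIOLATION_SET/CLEAR syslog lines (added example,
not from the thread).  Message patterns below are inferred from the posted log."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Sample input copied from the post (constructed test data for this example).
SAMPLE_LOG = """\
Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST
Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST
Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST
Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST
Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST
"""

SET_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET: Protocol (?P<proto>\S+) is violated at fpc "
    r"(?P<fpc>\d+) for (?P<count>\d+) times, started at (?P<start>[\d-]+ [\d:]+)"
)
CLEAR_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol (?P<proto>\S+) has returned to normal\. "
    r"Violated at fpc (?P<fpc>\d+) for (?P<count>\d+) times, "
    r"from (?P<start>[\d-]+ [\d:]+) \S+ to (?P<end>[\d-]+ [\d:]+)"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Violation:
    proto: str
    fpc: int
    count: int                      # counter as printed by jddosd
    start: datetime
    end: Optional[datetime] = None  # None while the violation is still open

    @property
    def duration_s(self) -> Optional[float]:
        return None if self.end is None else (self.end - self.start).total_seconds()


def parse_jddosd(text):
    """Return violations in log order.  A CLEAR closes the open SET for the same
    (proto, fpc); a CLEAR with no prior SET in the input (as at the top of the
    posted log) is recorded on its own from its from/to timestamps."""
    open_by_key = {}
    result = []
    for line in text.splitlines():
        m = SET_RE.search(line)
        if m:
            v = Violation(m["proto"], int(m["fpc"]), int(m["count"]),
                          datetime.strptime(m["start"], TS_FMT))
            open_by_key[(v.proto, v.fpc)] = v
            result.append(v)
            continue
        m = CLEAR_RE.search(line)
        if m:
            key = (m["proto"], int(m["fpc"]))
            end = datetime.strptime(m["end"], TS_FMT)
            v = open_by_key.pop(key, None)
            if v is None:
                result.append(Violation(key[0], key[1], int(m["count"]),
                                        datetime.strptime(m["start"], TS_FMT), end))
            else:
                v.end = end
        # unrelated lines (xntpd etc.) are ignored
    return result


def summarise(violations):
    """Per (proto, fpc): event count, how many are still open, longest closed
    duration in seconds."""
    out = {}
    for v in violations:
        s = out.setdefault((v.proto, v.fpc), {"events": 0, "open": 0, "max_s": 0.0})
        s["events"] += 1
        if v.end is None:
            s["open"] += 1
        else:
            s["max_s"] = max(s["max_s"], v.duration_s)
    return out


if __name__ == "__main__":
    vs = parse_jddosd(SAMPLE_LOG)
    for v in vs:
        print(f"{v.proto} fpc{v.fpc} #{v.count} start={v.start} duration={v.duration_s}s")
    print(summarise(vs))
```

Every CLEAR in the posted log has identical from/to timestamps, so each violation lasted under a second: short bursts, not a sustained flood. In Junos DDoS protection the Reject protocol group counts packets that hit a reject next hop and are punted so the Routing Engine can generate the ICMP unreachable, which is why the next-hop type of the aggregate routes matters for this counter. After the syslog triage, "show ddos-protection protocols violations" on the box gives the live state and thresholds.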
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
You can find more information running "show ddos-protection protocols violations".

2014-12-10 20:16 GMT-02:00 Brendan Mannella <bmanne...@teraswitch.com>:
> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
> [...]

--
Eduardo Schoedler
Re: [j-nsp] MX80 Sampling - High CPU
I found the issue still present in 12.3R8.7 running on an MX80. In 11.4R7.5 with sampling enabled it was taking upwards of 12 minutes for routes to propagate to the FIB when taking in a full IPv4 with ~250k active paths; in 12.3R8.7 I measured it closer to 3 minutes. Seems to be improved, but still unacceptable.

On Tue, Dec 2, 2014 at 10:12 AM, Scott Granados <sc...@granados-llc.net> wrote:
> I have 12.3R8.7 running on 2 MX-80s and 2 MX-480s with mixed results. The good news is the routers will reconverge with sampling enabled now and the PFE programming won't block hard. The process is still slow however, and while we did some testing it still seems that the processes hang during large updates, although they do eventually un-wedge and complete. The CPU spikes though seem pretty few and far between, so that is an improvement. I'm hoping the rewrite of the sampled and PFE programming in the 13.3 code is improved. With sampling enabled these boxes reconverge too slowly, especially for modern hardware.
>
> On Dec 1, 2014, at 6:09 PM, Jordan Whited <jwhited0...@gmail.com> wrote:
>> Has anyone else made the jump to 12.3R8 yet?
>>
>> On Wed, Oct 1, 2014 at 8:35 AM, Justin M. Streiner <strei...@cluebyfour.org> wrote:
>>> On Wed, 1 Oct 2014, Sebastian Wiesinger wrote:
>>>> * Graham Brown <juniper-...@grahambrown.info> [2014-09-23 22:33]:
>>>>> 12.3R8 and 13.3R4 are due out anytime now with the fixes in place. I think there are many people waiting for these two releases...
>>>>
>>>> So, 12.3R8 is out. Any practical experiences if inline jflow / sampling is faster now?
>>>
>>> Not sure yet. I need to load it on my lab routers, but I won't know how it behaves at full scale until I load it in production.
>>>
>>> jms
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Hi,

Make sure that you have a discard next-hop instead of the default reject in your aggregate routes. That should help.

Regards,
Wojciech

2014-12-10 23:16 GMT+01:00 Brendan Mannella <bmanne...@teraswitch.com>:
> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
> [...]
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Can you post an example of this configuration, Janiszewski?!

Sent from my iPhone
Grupo Connectoway

On 10/12/2014, at 23:54, Wojciech Janiszewski <wojciech.janiszew...@gmail.com> wrote:
> Hi,
>
> Make sure that you have a discard next-hop instead of the default reject in your aggregate routes. That should help.
>
> Regards,
> Wojciech
>
> 2014-12-10 23:16 GMT+01:00 Brendan Mannella <bmanne...@teraswitch.com>:
>> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
>> [...]
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Hi Rodrigo,

It is as simple as:

set routing-options aggregate route <destination> discard

Regards,
Wojciech

2014-12-11 4:22 GMT+01:00 Rodrigo 1telecom <rodr...@1telecom.com.br>:
> Can you post an example of this configuration, Janiszewski?!
>
> Sent from my iPhone
> Grupo Connectoway
>
> On 10/12/2014, at 23:54, Wojciech Janiszewski <wojciech.janiszew...@gmail.com> wrote:
>> Hi,
>>
>> Make sure that you have a discard next-hop instead of the default reject in your aggregate routes. That should help.
>>
>> Regards,
>> Wojciech
>>
>> 2014-12-10 23:16 GMT+01:00 Brendan Mannella <bmanne...@teraswitch.com>:
>>> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
>>> [...]
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
On 12/10/2014 09:54 PM, Wojciech Janiszewski wrote:
> Hi,
>
> Make sure that you have a discard next-hop instead of the default reject in your aggregate routes. That should help.

ick, that ddos protection stuff in JunOS is broken...you should just disable it:

system {
    ddos-protection {
        global {
            disable-routing-engine;
            disable-fpc;
            disable-logging;
        }
    }
}

> 2014-12-10 23:16 GMT+01:00 Brendan Mannella <bmanne...@teraswitch.com>:
>> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
>> [...]
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Chris,

The best option is to disable the feature?

And what about configuring it? If you have a protect-re firewall filter applied on loopback ... can this be done? Is it safe? Any documents from Juniper showing the best way? And what about disabling the process?

Thanks a lot

Sent from my iPhone

On Dec 11, 2014, at 01:20, Chris Morrow <morr...@ops-netman.net> wrote:
> On 12/10/2014 09:54 PM, Wojciech Janiszewski wrote:
>> Hi,
>>
>> Make sure that you have a discard next-hop instead of the default reject in your aggregate routes. That should help.
>
> ick, that ddos protection stuff in JunOS is broken...you should just disable it:
>
> system {
>     ddos-protection {
>         global {
>             disable-routing-engine;
>             disable-fpc;
>             disable-logging;
>         }
>     }
> }
>
>> 2014-12-10 23:16 GMT+01:00 Brendan Mannella <bmanne...@teraswitch.com>:
>>> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
>>> [...]
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
On 12/10/2014 11:21 PM, Giuliano (WZTECH) wrote:
> Chris
>
> The best option is to disable the feature?

I think it's the best option.. juniper tried to do something 'nice' for you by setting some low (I think) limits on things you might actually care to see and deal with elsewhere...

> And what about configuring it? If you have a protect-re firewall filter applied on loopback ... can this be done?

all devices on the public network should have clear policies in place to protect themselves from the rest of the world. Your juniper loopback filter should permit the routing protocols you care about and your management access... and everything else should be discarded. Cymru's templates are decent for this actually.

-chris

> Is it safe? Any documents from Juniper showing the best way? And what about disabling the process?
>
> Thanks a lot
>
> Sent from my iPhone
>
> On Dec 11, 2014, at 01:20, Chris Morrow <morr...@ops-netman.net> wrote:
>> On 12/10/2014 09:54 PM, Wojciech Janiszewski wrote:
>>> Hi,
>>>
>>> Make sure that you have a discard next-hop instead of the default reject in your aggregate routes. That should help.
>>
>> ick, that ddos protection stuff in JunOS is broken...you should just disable it:
>> [...]
>>
>>> 2014-12-10 23:16 GMT+01:00 Brendan Mannella <bmanne...@teraswitch.com>:
>>>> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
>>>> [...]
Re: [j-nsp] MX80 Sampling - High CPU
On Wednesday, 10 December 2014, Jordan Whited <jwhited0...@gmail.com> wrote:
> I found the issue still present in 12.3R8.7 running on an MX80. In 11.4R7.5 with sampling enabled it was taking upwards of 12 minutes for routes to propagate to the FIB when taking in a full IPv4 with ~250k active paths; in 12.3R8.7 I measured it closer to 3 minutes. Seems to be improved, but still unacceptable.

What do you expect from a PowerPC processor that's used for Mikrotik's RouterBoards? Take a look in dmesg.

--
Eduardo Schoedler