[j-nsp] Junipers and broadcast storm issues
Dennis Woods
dwoods at juniper.net
Thu Feb 10 18:12:16 EST 2005
Mark,
Try using either sampling or "monitor traffic interface ge-x/y/z" to see
what exception traffic is making it to the RE. Ctrl-c will stop the
monitor command. Once you have an idea of the traffic, you can make an
input policer to cut down that type of traffic. In general you might
consider an input filter that rate-limits VRRP and OSPF, since they are
the most likely packets to see if an attached switch gets looped. PIM
would be another to police, or maybe just generic 224.0.0.0/24 and
224.0.1.0/24 catch-all terms.
-------------------------------------------------
sampling config
-------------------------------------------------
guest at paper# show interfaces ge-0/0/0
unit 0 {
    family inet {
        sampling {
            input;
        }
        address 3.4.5.1/30;
    }
}
guest at paper# show forwarding-options
sampling {
    input {
        family inet {
            rate 1000;
        }
    }
    output {
        file filename input_samples size 1m;
    }
}
guest at paper# run file show /var/tmp/input?
Possible completions:
  <filename>                Filename to show
  /var/tmp/input_samples    Size: 178, Last changed: Feb 10 18:42:43
-----------------------------------------------------------------------------
check that file to see the packet types coming in
in sampling, "rate n" means 1 packet out of n (1 of 1000 in this case)
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
example input filter to rate limit exception traffic that uses mcast
-----------------------------------------------------------------------------
guest at paper# show firewall
policer ospf_policer {
    if-exceeding {
        bandwidth-limit 800k;
        burst-size-limit 6k;
    }
    then discard;
}
policer vrrp_policer {
    if-exceeding {
        bandwidth-limit 32k;
        burst-size-limit 1500;
    }
    then discard;
}
filter police_input {
    term ospf {
        from {
            protocol ospf;
        }
        then {
            policer ospf_policer;
            count OSPF_PACKETS;
            next term;
        }
    }
    term vrrp {
        from {
            protocol vrrp;
        }
        then {
            policer vrrp_policer;
            count VRRP_PACKETS;
            next term;
        }
    }            <---------- you can add any other input filter stuff after the policer terms
    term rest {
        then accept;
    }
}
-----------------------------------------------
filtered interface
-----------------------------------------------
guest at paper# show interfaces ge-0/0/0
unit 0 {
    family inet {
        filter {
            input police_input;
        }
        sampling {
            input;
        }
        address 3.4.5.1/24;
    }
}
Hope this helps,
Dennis
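The following is an added example, not code from Dennis's post or from Juniper. It models the three ideas in the reply so a practitioner can check them offline: reading the sampled-packet file to see which protocols are hitting the RE, scaling a sampled count back up by the "rate n" factor, and a single-rate token bucket that behaves like the ospf_policer/vrrp_policer above (bandwidth-limit refills the bucket, burst-size-limit caps it). Assumptions: the sampling file's whitespace-separated column layout (dest addr, src addr, ports, protocol number, TOS, length, ...) is constructed here rather than copied from a real file, the capture window is taken as 60 seconds, and Junos "k" is read as 1000 (800k = 800,000 bit/s, 6k = 6,000 bytes).

```python
from collections import Counter
from ipaddress import ip_address, ip_network

SAMPLE_RATE = 1000      # "rate 1000": one packet in every 1000 is written to the file
WINDOW_SECONDS = 60     # assumed: how long the sampled file covers

# Constructed sample file (assumed column layout, not a real capture):
# dst, src, dport, sport, proto, tos, length, ifindex, frag, tcpflags
CONSTRUCTED_SAMPLES = """\
# Dest        Src        Dest  Src   Prot  TOS   Pkt   Intf  IP    TCP
# addr        addr       port  port             len   num   frag  flags
224.0.0.5     3.4.5.2    0     0     89    0xc0  80    10    0x0   0x0
224.0.0.5     3.4.5.2    0     0     89    0xc0  80    10    0x0   0x0
224.0.0.18    3.4.5.2    0     0     112   0xc0  60    10    0x0   0x0
224.0.0.5     3.4.5.2    0     0     89    0xc0  80    10    0x0   0x0
10.0.0.9      3.4.5.2    80    4412  6     0x0   1500  10    0x0   0x18
224.0.0.13    3.4.5.2    0     0     103   0xc0  70    10    0x0   0x0
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 89: "ospf", 103: "pim", 112: "vrrp"}
# The two catch-all ranges mentioned in the reply.
CATCH_ALL_MCAST = [ip_network("224.0.0.0/24"), ip_network("224.0.1.0/24")]


def parse_samples(text):
    """Yield (dst, src, proto_name, length) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        proto = int(f[4])
        yield f[0], f[1], PROTO_NAMES.get(proto, str(proto)), int(f[6])


def tally(text):
    """Count sampled packets per protocol and how many fall in the mcast catch-all ranges."""
    by_proto = Counter()
    mcast = 0
    for dst, _src, proto, _length in parse_samples(text):
        by_proto[proto] += 1
        if any(ip_address(dst) in net for net in CATCH_ALL_MCAST):
            mcast += 1
    return by_proto, mcast


def estimated_pps(sampled_count, sample_rate=SAMPLE_RATE, window=WINDOW_SECONDS):
    """Each sampled packet stands for `sample_rate` real ones; spread over the window."""
    return sampled_count * sample_rate / window


class Policer:
    """Single-rate token bucket in bytes. offer() is True when the packet is forwarded,
    False when a Junos policer with 'then discard' would drop it."""

    def __init__(self, bandwidth_bps, burst_bytes):
        self.refill_per_sec = bandwidth_bps / 8.0   # bandwidth-limit, as bytes/second
        self.burst = float(burst_bytes)             # burst-size-limit caps the bucket
        self.tokens = float(burst_bytes)            # bucket starts full
        self.last = 0.0

    def offer(self, now, length):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= length:
            self.tokens -= length
            return True
        return False


def run_policer(bandwidth_bps, burst_bytes, packets):
    """packets: iterable of (time_seconds, length_bytes). Returns (accepted, discarded)."""
    p = Policer(bandwidth_bps, burst_bytes)
    accepted = discarded = 0
    for t, length in packets:
        if p.offer(t, length):
            accepted += 1
        else:
            discarded += 1
    return accepted, discarded


if __name__ == "__main__":
    by_proto, mcast = tally(CONSTRUCTED_SAMPLES)
    for proto, n in by_proto.most_common():
        print(f"{proto:6s} sampled={n:3d}  est={estimated_pps(n):8.1f} pps")
    print(f"in 224.0.0.0/24 or 224.0.1.0/24: {mcast}/{sum(by_proto.values())}")
    # A looped switch replaying OSPF hellos: 200 x 80-byte packets arriving at once.
    # ospf_policer is 800k / 6k: the 6,000-byte burst admits 75 packets, the rest discard.
    print("ospf_policer burst:", run_policer(800_000, 6_000, [(0.0, 80)] * 200))
```

The token bucket shows why burst-size-limit matters as much as bandwidth-limit: a looped segment delivers the excess in bursts, so the burst value decides how many packets reach the RE before the policer bites. Run tally() on the real sampling file before choosing which protocols to police, and remember that a "rate 1000" file under-represents a short burst.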