[j-nsp] RE CPU DoS Filters
Harry Reynolds
harry at juniper.net
Wed Aug 5 14:12:14 EDT 2009
There is option packet rate limiting in the pfe. The "filter" is, I believe, standard tcp dump Op indicating that the packets passed whatever user supplied regex filter expression (in your case null), a function that is broken in junos and in theory evoked with the "matching" keyword to monitor traffic.
Unlike the default arp policer I do not believe you can view the optioned packets rate limiting directly. I just posted to this forum w/some info on the rate limit and how to confirm.
Regards
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Marlon Duksa
Sent: Wednesday, August 05, 2009 11:07 AM
To: Juniper-Nsp
Subject: [j-nsp] RE CPU DoS Filters
Hi - is there any way to look at the default filters that are applied on the RE? Or see what's being queued on the RE for processing, say RSVP packets, or BGP packets, or IGMP packets, something along the 'netstat' command.
We are dropping some control traffic into the RE. When we run the command "run monitor traffic interface xxx" we see that we receive only 533 packets by "filter". Which filter? We are sending 1000 packets but only receiving 533. We know that we do not have any filter on the interfaces. So this filter, is it a control plane filter? How do we see it or change it?
1:03:09.553047 In IP 20.1.1.2 > 224.0.0.22: igmp v3 report, 1 group record(s)
11:03:09.553048 In IP 20.1.1.2 > 224.0.0.22: igmp v3 report, 1 group record(s)
11:03:09.553049 In IP 20.1.1.2 > 224.0.0.22: igmp v3 report, 1 group record(s)
11:03:09.553051 In IP 20.1.1.2 > 224.0.0.22: igmp v3 report, 1 group record(s)
^C^C
533 packets received by filter
0 packets dropped by kernel
Thanks,
Marlon