[j-nsp] Identifying pfe icmp throttled traffic

Richard A Steenbergen ras at e-gerbil.net
Sun Mar 8 20:10:24 EDT 2009


On Mon, Mar 09, 2009 at 05:00:54AM +0530, Ashok Patrick Jude M wrote:
> 
> <While I'm on the subject, is there any way to see and/or modify the
> <throttle rate? I know the default changed for some FPC types in some
> <recent version of JUNOS, but I don't remember the exact details.
> 
> What platform you are using? Could you please try policer matching ttl
> expire packets? 
> 
> Firewall filter supports a hidden knob to catch ttl = 0|1 packets
>   (i.e. ttl-expired packets):
> 
> root at ghb# show firewall 
> filter f {
>     term 0 {
>         from {
>             time-exceeded-bit;
>         }
>     }
> }

This is on an MX960. I had actually tried matching ttl [ 0 1 ] in
firewall on border interfaces before as a way to limit traceroutes, but
it had some unexpected impact to regularly forwarded traffic when
policed which we never fully explained, so I had turned it off. Is there
anything different about time-exceeded-bit than the ttl math I just
mentioned? Is this supported on platforms which can't firewall match on
ttl or something like that?

I'm getting matches off time-exceeded-bit (including things that are
locally terminated like eBGP, as well as things which will generate ttl
exceeds), but nothing which accounts for the ttl-exceed traffic I'm
receiving after applying it to my border interfaces. Rather than try
adding this to every interface manually (which would be time-consuming),
would it make sense to apply it to "forwarding-options family inet
filter input"?

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
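The following is an added configuration example, not part of the thread above and not Juniper's own documentation. It puts the hidden `time-exceeded-bit` match quoted in the thread into a complete filter that counts and rate-limits TTL-expired packets, and attaches it once as a forwarding-table filter under `forwarding-options family inet filter input` rather than per interface, as Richard asks about. The filter and policer names, the bandwidth and burst values, and the decision to `accept` rather than `discard` are all assumptions; since the thread reports that the match also catches locally terminated traffic such as eBGP sessions running with a TTL of 1, the policer is kept generous and the matched traffic is counted so its volume can be checked before any tighter limit is chosen.

```junos
firewall {
    /* Assumed policer values: rate-limit TTL-expired packets that the PFE
       would otherwise have to answer with ICMP time-exceeded messages. */
    policer ttl-expired-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter catch-ttl-expired {
            /* Hidden knob from the thread: matches packets with ttl 0 or 1. */
            term ttl-expired {
                from {
                    time-exceeded-bit;
                }
                then {
                    policer ttl-expired-policer;
                    count ttl-expired;
                    accept;
                }
            }
            /* Everything else is forwarded untouched. */
            term everything-else {
                then accept;
            }
        }
    }
}
forwarding-options {
    family inet {
        filter {
            /* Applied once to the forwarding table instead of to every
               border interface. */
            input catch-ttl-expired;
        }
    }
}
```

After committing, `show firewall filter catch-ttl-expired` reports the `ttl-expired` counter and the policer's drop count; comparing the counter against the rate of ICMP time-exceeded messages the router is actually generating is the quickest way to see whether the match is accounting for the traffic in question or, as with the interface filters in the thread, missing some of it.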

