[j-nsp] Identifying pfe icmp throttled traffic
Richard A Steenbergen
ras at e-gerbil.net
Sun Mar 8 20:10:24 EDT 2009
On Mon, Mar 09, 2009 at 05:00:54AM +0530, Ashok Patrick Jude M wrote:
>
> <While I'm on the subject, is there any way to see and/or modify the
> <throttle rate? I know the default changed for some FPC types in some
> <recent version of JUNOS, but I don't remember the exact details.
>
> What platform you are using? Could you please try policer matching ttl
> expire packets?
>
> Firewall filter supports a hidden knob to catch ttl = 0|1 packets
> (i.e. ttl-expired packets):
>
> root at ghb# show firewall
> filter f {
> term 0 {
> from {
> time-exceeded-bit;
> }
> }
> }
This is on a MX960. I had actually tried matching ttl [ 0 1 ] in
firewall on border interfaces before as a way to limit traceroutes, but
it had some unexpected impact to regularly forwarded traffic when
policed which we never fully explain so I had turned it off. Is there
anything different about time-exceeded-bit than the ttl math I just
mentioned? Is this supported on platforms which can't firewall match on
ttl or something like that?
I'm getting matches off time-exceeded-bit (including things that are
locally terminated like eBGP, as well as things which will generate ttl
exceeds), but nothign which accounts for the ttl-exceed traffic I'm
receiving after applying it to my border interfaces. Rather than try
adding this to every interface manually (which would be time-consuming),
would it make sense to appply it to "forwarding-options family inet
filter input"?
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
More information about the juniper-nsp
mailing list