[j-nsp] MX480 RE-S-2000 IGMP flood
Abhi
vyaaghrah-eng at yahoo.com
Thu Jan 30 05:05:45 EST 2014
Can you check the link below?
http://www.juniper.net/techpubs/en_US/junos13.2/topics/task/configuration/subscriber-management-ddos-packet.html
regards
abhijeet.c
On Thursday, January 30, 2014 2:57 PM, Misak Khachatryan <m.khachatryan at gnc.am> wrote:
>Hello,
>
>I met a very ugly problem yesterday. Consider the following scheme:
>
>
> ================ Cisco ASR 1006
> |
>Customer ========| Juniper EX4200 |
> |
> ================ Juniper MX480
>
>The customer is connected by one VLAN to both routers and has established a BGP
>session with both.
>
>Suddenly his router starts to send around 10000 packets per second. Most
>of them are exactly this:
>
>"1","0.000000","0.0.0.0","224.0.0.1","IGMPv3","60","Membership Query,
>general"
>
>The MX480 is just dying from this flood of packets, whereas the ASR is fine.
>
>I know that several DDoS policies are preconfigured to protect the RE from
>these situations, but the thresholds didn't trigger, so the RE should handle them:
>
>show ddos-protection protocols igmp
>Packet types: 1, Modified: 0, Received traffic: 1, Currently violated: 0
>Currently tracked flows: 0, Total detected flows: 0
>* = User configured value
>
>Protocol Group: IGMP
>
> Packet type: aggregate (Aggregate for all igmp traffic)
> Aggregate policer configuration:
> Bandwidth: 20000 pps
> Burst: 20000 packets
> Recover time: 300 seconds
> Enabled: Yes
> Flow detection configuration:
> Detection mode: Automatic Detect time: 3 seconds
> Log flows: Yes Recover time: 60 seconds
> Timeout flows: No Timeout time: 300 seconds
> Flow aggregation level configuration:
> Aggregation level Detection mode Control mode Flow rate
> Subscriber Automatic Drop 10 pps
> Logical interface Automatic Drop 10 pps
> Physical interface Automatic Drop 20000 pps
> System-wide information:
> Aggregate bandwidth is never violated
> Received: 7268549 Arrival rate: 0 pps
> Dropped: 0 Max arrival rate: 17204 pps
> Routing Engine information:
> Bandwidth: 20000 pps, Burst: 20000 packets, enabled
> Aggregate policer is never violated
> Received: 4270279 Arrival rate: 0 pps
> Dropped: 0 Max arrival rate: 9979 pps
> Dropped by individual policers: 0
> FPC slot 1 information:
> Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
> Aggregate policer is never violated
> Received: 1658 Arrival rate: 0 pps
> Dropped: 0 Max arrival rate: 2 pps
> Dropped by individual policers: 0
> Dropped by flow suppression: 0
> FPC slot 2 information:
> Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
> Aggregate policer is never violated
> Received: 7266879 Arrival rate: 0 pps
> Dropped: 0 Max arrival rate: 17204 pps
> Dropped by individual policers: 0
> Dropped by flow suppression: 0
> FPC slot 3 information:
> Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
> Aggregate policer is never violated
> Received: 12 Arrival rate: 0 pps
> Dropped: 0 Max arrival rate: 0 pps
> Dropped by individual policers: 0
> Dropped by flow suppression: 0
>
>Anybody have experience with configuration of additional mechanisms?
>Anybody have recommendations for threshold tuning?
>
>I'm going to open a ticket in JTAC of course, but here I can get faster
>answers. Thank you in advance.
>
>--
>Best regards,
>Misak Khachatryan,
>Head of Network Administration
>and Monitoring Department,
>GNC-Alfa CJSC.
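Added example, not part of the original thread: a short Python parser run over an excerpt of the `show ddos-protection protocols igmp` output quoted above. It shows why the aggregate policer never triggered: the peak rates (17204 pps at FPC slot 2, 9979 pps at the Routing Engine) stayed below the 20000 pps limit. The function names are hypothetical.

```python
import re

# Excerpt of the output quoted in the message above.
SAMPLE = """\
 Routing Engine information:
 Bandwidth: 20000 pps, Burst: 20000 packets, enabled
 Aggregate policer is never violated
 Received: 4270279 Arrival rate: 0 pps
 Dropped: 0 Max arrival rate: 9979 pps
 Dropped by individual policers: 0
 FPC slot 2 information:
 Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
 Aggregate policer is never violated
 Received: 7266879 Arrival rate: 0 pps
 Dropped: 0 Max arrival rate: 17204 pps
 Dropped by individual policers: 0
"""

SECTION = re.compile(r"^\s*(.+?) information:\s*$")
# Matches both "Bandwidth: 20000 pps" and "Bandwidth: 100% (20000 pps)".
BANDWIDTH = re.compile(r"Bandwidth:\s*(?:\d+%\s*\()?(\d+) pps")
PEAK = re.compile(r"Dropped:\s*(\d+)\s+Max arrival rate:\s*(\d+) pps")

def policer_headroom(text):
    """Return {location: (limit_pps, peak_pps, dropped)} per policed location."""
    out, name, limit = {}, None, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            name, limit = m.group(1), None
            continue
        m = BANDWIDTH.search(line)
        if m and name:
            limit = int(m.group(1))
            continue
        m = PEAK.search(line)
        if m and name and limit is not None:
            out[name] = (limit, int(m.group(2)), int(m.group(1)))
    return out

def never_policed(text):
    """Locations whose peak stayed under the limit, so the policer dropped nothing."""
    return sorted(n for n, (limit, peak, dropped) in policer_headroom(text).items()
                  if peak < limit and dropped == 0)

if __name__ == "__main__":
    for loc, (limit, peak, dropped) in policer_headroom(SAMPLE).items():
        print(f"{loc}: peak {peak} pps = {100 * peak // limit}% of {limit} pps, dropped {dropped}")
```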