[j-nsp] exception traffic types for Juniper routers

Alexander Arseniev arseniev at btinternet.com
Thu Oct 1 06:11:17 EDT 2015

For the "punted ICMP" stats, use "show system statistics icmp|icmp6".
For the "non-punted" ICMP stats, use "show pfe statistics ip|ip6 icmp".
As general guidance for ICMP without IP options:
- ICMP error replies are generated on linecards; they are rate-limited
to 50pps per subinterface and 500pps per linecard. This is not configurable.
- ICMP non-error replies are generated on RE (Echo, Timestamp, etc.).
- ICMP requests are generated on RE or, in the case of RPM, on Services cards.
- By default, outgoing ICMP/ICMPv6 packets on RE are rate-limited using
a leaky bucket algo; this is configurable:
net.inet.icmp.bucketsize: 5
net.inet.icmp.tokenrate: 1000
net.inet6.icmp6.bucketsize: 5
net.inet6.icmp6.tokenrate: 1000

On 30/09/2015 23:20, Martin T wrote:
> David,
> thanks for the "show pfe statistics exceptions" command! It seems to
> be supported only on newer MX series routers(?). According to this
> command packets with for example "ttl expired", "IP options", "tunnel
> hdr needs reassembly", "IGMP snooping control packet", "PIM snooping
> control packet", "MLD snooping control packet", "Tunnel keepalives"
> etc are punted. What about ICMP traffic? How much does it depend on
> platform which traffic is punted and which traffic is not?
> Akash,
> could you please show an example?
> Brandon,
> of course, sorry! So ASIC (probably platform dependent, but at least in
> the past it was called "I/O manager ASIC") on PFE will look into
> IP/IPv6 header and if destination IP/IPv6 address is configured to
> router, then the packet is sent to RE. What about traffic destined to
> router which does not have IP/IPv6 header? IS-IS traffic should be one
> example.
> regards,
> Martin
> On Tue, Sep 29, 2015 at 11:57 PM, Brandon Ross <bross at pobox.com> wrote:
>> On Tue, 29 Sep 2015, Martin T wrote:
>>> as I understand, there are several different exception traffic types:
>>> 1) unicast traffic addressed to router itself. For example telnet, SSH
>>> or SNMP traffic. I guess it is technically correct to say that
>>> "incoming frames which have one of the router interfaces MAC addresses
>>> as a destination MAC address are exception traffic"?
>> I certainly hope not, that would mean that every packet routed by the router
>> would be punted to the processor.
>> It would have to have an IP address that matches one of the addresses
>> assigned to the router, not the MAC.
>> --
>> Brandon Ross                                      Yahoo & AIM:  BrandonNRoss
>> +1-404-635-6667                                                ICQ:  2269442
>>                                                           Skype:  brandonross
>> Schedule a meeting:  http://www.doodle.com/bross
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
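
The RE-side limiter from the last bullet of the reply above, as an added simulation (not part of the original post and not Junos code): it shows how long the burst allowance lasts under a sustained reply load. It assumes a token bucket whose depth is bucketsize seconds of tokens at tokenrate per second and which starts full; the class and function names are made up for the example.

```python
"""Added illustration, not Junos code: limiter for RE-generated ICMP replies."""

US = 1_000_000  # microseconds per second; also the fixed-point scale of one token


class IcmpBucket:
    def __init__(self, tokenrate=1000, bucketsize=5):
        # Defaults are the net.inet.icmp.* values quoted in the post.
        self.tokenrate = tokenrate
        # ASSUMPTION: depth = bucketsize seconds of tokens, bucket starts full.
        self.capacity = tokenrate * bucketsize * US
        self.tokens = self.capacity
        self.last_us = 0

    def allow(self, now_us):
        """Refill for the elapsed time, then spend one token if one is available."""
        gained = (now_us - self.last_us) * self.tokenrate
        self.tokens = min(self.capacity, self.tokens + gained)
        self.last_us = now_us
        if self.tokens >= US:
            self.tokens -= US
            return True
        return False


def simulate(offered_pps, bucket=None):
    """Return [(sent, dropped), ...] per second for evenly spaced replies."""
    bucket = bucket or IcmpBucket()
    result = []
    for sec, pps in enumerate(offered_pps):
        sent = sum(bucket.allow(sec * US + i * US // pps) for i in range(pps))
        result.append((sent, pps - sent))
    return result


if __name__ == "__main__":
    # Constructed load: the RE would have to emit 4000 ICMP replies/s for 4 s.
    for sec, (sent, dropped) in enumerate(simulate([4000] * 4)):
        print(f"t={sec}s sent={sent} dropped={dropped}")
```

Under these assumptions the full bucket absorbs the first second of a 4000pps load, runs dry during the second, and from then on only tokenrate replies per second leave the RE.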
