[j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

Luis Balbinot luis at luisbalbinot.com
Tue Nov 21 07:56:01 EST 2017


Sorry, I meant the opposite (i.e. the defaults are too high).

One that is especially high is the IGMP at 20k. Multicast loops on
large layer-2 fabrics (IXPs) will bring down first-gen Trios very
easily (can't say the same for the newer ones up to Eagle).

On Tue, Nov 21, 2017 at 10:19 AM, Saku Ytti <saku at ytti.fi> wrote:
> On 21 November 2017 at 14:12, Luis Balbinot <luis at luisbalbinot.com> wrote:
>
>> The DDoS protection factory defaults are very low in some cases. The
>> Juniper MX Series book has a nice chapter on that.
>
> Do you have an example? Most of them are like 20kpps, which is more
> than you need to congest the built-in NPU=>PFE_CPU policer. I.e. they
> are massively too large out-of-the-box.
>
> I doubt anyone has configured them to sensible values, as it would be
> hundreds of lines of ddos-protection config, as you cannot set default
> values which apply to all of them and then more-specific ones to the
> ones you care. Correct configuration needs to manually configure each
> and every one, those which you don't need, as low as you want, like
> 10pps.
>
>
> --
>   ++ytti
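
Saku's point that Junos has no "default for all groups, then overrides" knob is easiest to see by generating the per-group statements. The script below is an added illustration, not code from the thread or from Juniper: the protocol-group list and the per-site rates are constructed sample values (the real list comes from `show ddos-protection protocols` on the box), and the audit helper simply checks a `| display set` dump for groups that still have no explicit aggregate policer.

```python
"""Emit Junos ddos-protection policer statements, one per protocol group.

Junos has no "default for every group, then overrides" knob, so a
hardened config needs an explicit aggregate policer line for each
protocol group. This script generates those lines and can also audit
an existing '| display set' config for groups still at factory defaults.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample input: a small subset of ddos-protection protocol
# groups. The authoritative list for a given box/release comes from
# 'show ddos-protection protocols' on the device itself.
PROTOCOL_GROUPS = ["arp", "bgp", "dhcpv4", "icmp", "igmp", "ntp", "ospf"]

# Hypothetical per-site values: a 10pps floor for groups the box does
# not rely on, and higher rates for the ones it does. Size these from
# the box's own observed control-plane rates, not from this example.
SITE_OVERRIDES = {"bgp": 2000, "ospf": 1000, "arp": 500, "igmp": 1000}


def ddos_protection_config(groups: Iterable[str], default_pps: int,
                           overrides: Dict[str, int]) -> List[str]:
    """Return 'set' statements for every group, overrides applied."""
    groups = list(groups)
    unknown = sorted(set(overrides) - set(groups))
    if unknown:
        # A typo in an override must not leave that group at factory default.
        raise ValueError(f"overrides name unknown groups: {unknown}")
    lines = []
    for group in groups:
        pps = overrides.get(group, default_pps)
        if pps <= 0:
            raise ValueError(f"{group}: rate must be positive, got {pps}")
        lines.append(f"set system ddos-protection protocols {group} "
                     f"aggregate bandwidth {pps} burst {pps}")
    return lines


_SET_RE = re.compile(
    r"^set system ddos-protection protocols (\S+) aggregate bandwidth \d+")


def unconfigured_groups(config_text: str, groups: Iterable[str]) -> List[str]:
    """Groups with no explicit aggregate policer in a '| display set' dump."""
    configured = {m.group(1) for line in config_text.splitlines()
                  if (m := _SET_RE.match(line.strip()))}
    return [g for g in groups if g not in configured]


if __name__ == "__main__":
    for line in ddos_protection_config(PROTOCOL_GROUPS, 10, SITE_OVERRIDES):
        print(line)
```

Review the generated lines against the box's actual control-plane traffic before committing; a floor that is too low for a protocol the box really uses trips the policer and produces exactly the DDOS_PROTOCOL_VIOLATION_SET noise in the subject line.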

