[j-nsp] Mpls down qfx 5100

Ivan Malyarchuk malyarchuk at cyfra.ua
Mon Nov 12 10:19:45 EST 2018


Remember that on the QFX platform some protocols share the same queue and 
policers. When you get routing loops and TTL=0 packets exceed their DDoS 
detection limits, l3mtu-fail will also be falsely triggered.

PR1211911
Some DDOS protocols shares same hardware policer

The following control packets share the same policer (burst and 
bandwidth) in hardware, so changing one in the DDoS protection CLI also 
changes the DDoS parameter for other protocols:
o STP, PVSTP, and LLDP share DDoS parameters
o l3mtu-fail, TTL, and ip-opt share DDoS parameters
o RSVP, LDP, and BGP share DDoS parameters
o unknown-l2mc, RIP, and OSPF share DDoS parameters

11.11.2018 10:59, Saku Ytti wrote:
> Hey,
> 
> These are not related to your issue.
> 
> The first one is complaining that you got bunch of packets to your
> device with TTL==1, you need to punt these and generate TTL exceeded
> message. Because it's done in software, it's limited to certain amount
> of packets.
> This is operationally normal during convergence due to microloops and such.
> 
> 
> The second one is complaining that packet came in which wanted to go
> out via interface which has smaller MTU, these also need to be punted
> so we can generate fragmentation needed but DF set message. Doesn't
> indicate anything to help with your original problem, but you might
> want to know why do you have such a small egress MTU, ideally you
> wouldn't ever decrease MTU inside your network.
> 
> Whatever your problem is, no one can help you with these messages.
> 
> On Sat, 10 Nov 2018 at 23:07, Rodrigo 1telecom <rodrigo at 1telecom.com.br> wrote:
>>
>>
>> Hi folks.... recently we have some trouble with some mpls tunnels.... sometimes these tunnels go down:
>> Follow our logfiles:
>>
>> Nov  9 20:03:42  PE-REC-A01-BKB-SW-001 jddosd[1769]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  TTL:aggregate exceeded its allowed bandwidth at fpc 0 for 212 times, started at 2018-11-09 20:03:41 BRT
>> Nov  9 20:03:42  PE-REC-A01-BKB-SW-001 jddosd[1769]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  L3MTU-fail:aggregate exceeded its allowed bandwidth at fpc 0 for 212 times, started at 2018-11-09 20:03:41 BRT
>> Can someone help us?
>> Sent via iPhone
>> Grupo Connectoway
> 
> 
> 

-- 
Best regards,
Ivan Malyarchuk
"INTER-TELECOM" Cyfra
Ukraine, Kyiv
(044) 206-77-33 ext. 155
www.cyfra.ua
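
An added illustration (not part of the thread and not Juniper code): a Python sketch that groups jddosd violation lines by the shared hardware policers listed in PR1211911, so that simultaneous TTL and L3MTU-fail alarms on one FPC are triaged as a single event. The regular expression is derived from the two log lines in the original post; lower-casing protocol names to match the PR list and the third (OSPF) sample line are assumptions.

```python
import re
from collections import defaultdict

# Shared hardware policer groups as listed in PR1211911 (quoted in the message).
# Matching the log's protocol name case-insensitively is an assumption.
SHARED_POLICERS = [
    {"stp", "pvstp", "lldp"},
    {"l3mtu-fail", "ttl", "ip-opt"},
    {"rsvp", "ldp", "bgp"},
    {"unknown-l2mc", "rip", "ospf"},
]

VIOLATION = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET: .*?protocol/exception\s+(?P<proto>[\w-]+):[\w-]+ "
    r"exceeded its allowed bandwidth at fpc (?P<fpc>\d+) for \d+ times, "
    r"started at (?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
)

def policer_group(proto):
    """Return the set of protocols that share a hardware policer with proto."""
    p = proto.lower()
    for group in SHARED_POLICERS:
        if p in group:
            return frozenset(group)
    return frozenset({p})

def correlate(lines):
    """Collapse violations on the same shared policer, FPC and start time into one event."""
    events = defaultdict(set)
    for line in lines:
        m = VIOLATION.search(line)
        if m:
            events[(int(m["fpc"]), m["start"], policer_group(m["proto"]))].add(m["proto"])
    return [
        {"fpc": fpc, "start": start, "reported": sorted(seen),
         "shared_policer": sorted(group), "single_event": len(seen) > 1}
        for (fpc, start, group), seen in sorted(events.items(), key=lambda kv: kv[0][:2])
    ]

# First two lines are the ones in the original post; the third is constructed.
SAMPLE = [
    "Nov  9 20:03:42  PE-REC-A01-BKB-SW-001 jddosd[1769]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  TTL:aggregate exceeded its allowed bandwidth at fpc 0 for 212 times, started at 2018-11-09 20:03:41 BRT",
    "Nov  9 20:03:42  PE-REC-A01-BKB-SW-001 jddosd[1769]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  L3MTU-fail:aggregate exceeded its allowed bandwidth at fpc 0 for 212 times, started at 2018-11-09 20:03:41 BRT",
    "Nov  9 20:05:10  sw-example jddosd[1769]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  OSPF:aggregate exceeded its allowed bandwidth at fpc 0 for 3 times, started at 2018-11-09 20:05:09 BRT",
]
```

An event with `single_event` set to true means several protocol names were reported against one policer at the same moment, which is the case described at the top of this message.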

