[j-nsp] EX3400 DDOS protection strangeness

Jason Healy jhealy at logn.net
Mon Sep 22 19:24:16 EDT 2025


I'm trying to troubleshoot an issue with DDOS protection (which has given me headaches in the past).  I have several variables in play, so as I try to narrow it down I'm throwing this out to the list to see if anyone else has bumped into this.

I'm replacing older (EX4200) switches with newer (EX3400) models.  After an initial replacement in a few buildings, I'm getting DDOS violations.  I know these are twitchy, but trying to figure out what the trigger is to make adjustments.  Here's what's weird: I'm getting simultaneous violations across (nearly) all protocols on the switch that appear to be in lock step with each other.  It's making it really tough to figure out what's actually happening.  A sample output is at the end of this message.

An awful lot of the dropped/received counters have the same value (187062 in the sample below), making me think that it's counting everything in a shared queue as the same?  Not really sure.  I'm starting to look at the rows that are different from these values, but a lot of those don't make sense in my environment: this switch isn't in a VC stack, I'm not running OSPF or RIP, I'm IPv6-only so no ARP, etc., yet all those counters are showing higher packet counts.

I'm running an analyzer on the management VLAN right now to see if I can find any spikes.  Meanwhile, just curious if anyone has seen this.  I'm running 24.4R1-S3.6 on an ex3400-48p, which is pretty recent, so maybe this is a bug?

Switch is primarily L2 with an L3 management interface on an IRB (no other L3 interfaces).  L3 interface is v6-only; "show system statistics arp" confirms 0 datagrams received so I don't think ARP is the culprit.

Just as a reality check, DDOS protection should only kick in on CPU-bound packets, so the only possible source would be traffic on the management VLAN (I don't have to worry about any other VLANs), right?

Thanks for any help!

Jason

> show ddos-protection protocols statistics brief    
Packet types: 47, Received traffic: 46, Currently violated: 0

Protocol    Packet      Received        Dropped        Rate     Violation State
group       type        (packets)       (packets)      (pps)    counts
vchassis    aggregate   187062          374124         0        40        ok   
vchassis    unclass..   191112          187062         0        40        ok   
igmp        aggregate   191004          187062         0        40        ok   
ospf        aggregate   263272          187062         4        40        ok   
rsvp        aggregate   187062          187062         0        40        ok   
rip         aggregate   263272          187062         4        40        ok   
bfd         aggregate   187062          187062         0        40        ok   
ldp         aggregate   187062          187062         0        40        ok   
bgp         aggregate   187062          187062         0        40        ok   
lacp        aggregate   202250          187062         1        40        ok   
stp         aggregate   192766          187062         0        40        ok   
lldp        aggregate   192766          187062         0        40        ok   
arp         aggregate   211195          187062         0        40        ok   
pvstp       aggregate   192766          187062         0        40        ok   
isis        aggregate   187062          187062         0        40        ok   
ttl         aggregate   187062          187062         0        40        ok   
ip-opt      aggregate   0               0              0        0         ok   
redirect    aggregate   187214          187062         0        40        ok   
fw-host     aggregate   187062          187062         0        40        ok   
ntp         aggregate   187462          187062         0        40        ok   
ndpv6       aggregate   187062          187062         0        40        ok   
uncls       aggregate   187062          187062         0        40        ok   
l2pt        aggregate   187062          187062         0        40        ok   
vxlan       aggregate   187062          187062         0        40        ok   
localnh     aggregate   188454          187062         0        40        ok   
vcipc-udp   aggregate   261111          187062         0        40        ok   
sample-source aggregate 187062          187062         0        40        ok   
sample-dest aggregate   187062          187062         0        40        ok   
l3mtu-fail  aggregate   187062          187062         0        40        ok   
garp-reply  aggregate   189276          187062         0        40        ok   
ipmc-reserved aggregate 341901          187062         8        40        ok   
resolve     aggregate   187062          187062         0        40        ok   
l3dest-miss aggregate   187062          187062         0        40        ok   
l3nhop      aggregate   187062          187062         0        40        ok   
l3mc-sgvhit-icl aggregate 187062        187062         0        40        ok   
martian-address aggregate 187062        187062         0        40        ok   
urpf-fail   aggregate   187062          187062         0        40        ok   
ipmcast-miss aggregate  187062          187062         0        40        ok   
nonucast-switch aggregate 187062        187062         0        40        ok   
unknown-l2mc aggregate  263272          187062         4        40        ok   
fip-snooping aggregate  187062          187062         0        40        ok   
pim-data    aggregate   187062          187062         0        40        ok   
pim-ctrl    aggregate   250894          187062         4        40        ok   
ospf-hello  aggregate   187062          187062         0        40        ok   
dhcpv4v6    aggregate   187062          187062         0        40        ok   
overlay     arp         187062          374124         0        40        ok   
overlay     ndpv6       187062          187062         0        40        ok   
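
As an added example (not from the post, and not a Juniper tool), a small Python parser for the "show ddos-protection protocols statistics brief" output above: it finds the received/dropped value that most rows share and lists only the rows that break the lock-step pattern, which is where any genuine CPU-bound traffic should stand out. The embedded row subset is constructed from the output above.

```python
import re
from collections import Counter
# Constructed sample: a subset of the rows from the post's output above,
# including the two header lines, which the parser must skip.
SAMPLE = """\
Protocol    Packet      Received        Dropped        Rate     Violation State
group       type        (packets)       (packets)      (pps)    counts
vchassis    aggregate   187062          374124         0        40        ok
vchassis    unclass..   191112          187062         0        40        ok
ospf        aggregate   263272          187062         4        40        ok
rsvp        aggregate   187062          187062         0        40        ok
bgp         aggregate   187062          187062         0        40        ok
arp         aggregate   211195          187062         0        40        ok
ip-opt      aggregate   0               0              0        0         ok
ipmc-reserved aggregate 341901          187062         8        40        ok
overlay     arp         187062          374124         0        40        ok
"""

# Columns: group, type, received, dropped, rate, violation count, state.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_ddos_brief(text):  # header and summary lines do not match ROW
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            group, ptype, rx, drop, rate, viol, state = m.groups()
            rows.append({"group": group, "type": ptype, "received": int(rx),
                         "dropped": int(drop), "rate": int(rate),
                         "violations": int(viol), "state": state})
    return rows

def baseline(rows, field):
    # The value most rows share is the suspected shared-queue count.
    return Counter(r[field] for r in rows).most_common(1)[0][0]

def outliers(rows):
    # Map "group/type" -> reasons the row deviates from the common pattern.
    base = {f: baseline(rows, f) for f in ("received", "dropped")}
    flagged = {}
    for r in rows:
        reasons = [f"{f} {r[f]} != common {base[f]}" for f in base if r[f] != base[f]]
        if r["dropped"] > r["received"]:
            reasons.append("dropped > received")
        if r["rate"] > 0:
            reasons.append(f"nonzero rate {r['rate']} pps")
        if reasons:
            flagged[f"{r['group']}/{r['type']}"] = reasons
    return flagged
```

Feed it the full output and the rows that still carry their own counts (plus any row where dropped exceeds received, as the vchassis and overlay rows above do) are the ones worth matching against the analyzer capture on the management VLAN.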

