[j-nsp] EX3400 DDOS protection strangeness
Saku Ytti
saku at ytti.fi
Wed Sep 24 12:43:11 EDT 2025
On Wed, 24 Sept 2025 at 19:01, Jason Healy <jhealy at logn.net> wrote:
> But only where an IRB is present, yes? Example: I have VLANs 10,20,30,40 on the switch, but only irb.10 exists with an L3 interface. I don't have to worry about ARP or other protocols on VLANs 20, 30, 40 because those are forwarded on the data plane only, correct?
There are plenty of reasons to punt L2 frames, regardless of IRB. E.g.
LACP, LLDP, STP, DHCP snooping.
> Either way, I've taken several packet captures on the IRB and uplinks to this switch, and there are no traffic bursts that correlate to the DDOS messages (irb never goes above 50pps). Meanwhile, the uplink captures also show no OSPF/VC/etc traffic whatsoever, and those have increasing ddos counters, so I suspect something is flaky on the hardware. Unless I see this on other switches, I'm going to pop this one out and see if that resolves the issue.
If you capture on the PFE-RE interface (em0 or something like that,
depending on platform) you will have the internal headers, which
include the DDoS classification. This interface will include all
control-plane packets that were punted to the RE CPU (it may not
include all punted packets, as some may only reach the LC CPU).
The IRB capture is not useful in this case.
Reviewing the DDoS filter on the PFE might give us some hints about
what is going on, e.g. maybe the terms are using the same counter?
--
++ytti
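One practical check for the situation in this thread (counters climbing with no matching traffic on the captures, and a suspicion that two terms may share a counter) is to take two snapshots of `show ddos-protection protocols statistics terse` some seconds apart and diff them: which groups actually move, at what rate, and whether unrelated groups move by exactly the same amount. The script below is an added example, not code from this thread or from Juniper. The two snapshots are constructed: the column layout mimics the terse output, but every number is invented, and the column regex is an assumption about that layout that you should check against your own platform's output before trusting it.

```python
"""Diff two snapshots of 'show ddos-protection protocols statistics terse'
to see which protocol groups are really incrementing, and flag groups
whose received counters move in lockstep (a hint that two terms may be
feeding the same counter, or that punted frames are being misclassified).

Added example, not from the thread. Both snapshots are CONSTRUCTED: the
layout mimics the terse output, the numbers are made up.
"""
import re
from collections import defaultdict

SNAPSHOT_T0 = """\
Packet types: 206, Received traffic: 6, Currently violated: 0

Protocol    Packet      Received        Dropped        Rate          Violation  State
group       type        (packets)       (packets)      (pps)         counts
arp         aggregate   120450          0              1             0          ok
ospf        aggregate   98012           0              0             0          ok
vchassis    aggregate   98012           0              0             0          ok
lacp        aggregate   3311            0              0             0          ok
dhcpv4      aggregate   777             0              0             0          ok
"""

SNAPSHOT_T1 = """\
Packet types: 206, Received traffic: 6, Currently violated: 0

Protocol    Packet      Received        Dropped        Rate          Violation  State
group       type        (packets)       (packets)      (pps)         counts
arp         aggregate   120510          0              1             0          ok
ospf        aggregate   98512           0              0             0          ok
vchassis    aggregate   98512           0              0             0          ok
lacp        aggregate   3312            0              0             0          ok
dhcpv4      aggregate   777             0              0             0          ok
"""

# Assumed column order: group, type, received, dropped, rate, violations, state.
# Header and summary lines do not match because their 3rd..6th fields are not
# bare integers.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse(text):
    """Return {(group, packet_type): (received, dropped, violations)}."""
    out = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        group, ptype, rx, drop, _rate, viol, _state = m.groups()
        out[(group, ptype)] = (int(rx), int(drop), int(viol))
    return out


def deltas(before, after):
    """Per-key counter increases between two snapshots.

    Keys missing from either snapshot are skipped; keys that did not move
    at all are omitted so the result is just the interesting rows."""
    d = {}
    for key, (rx1, dr1, v1) in after.items():
        if key not in before:
            continue
        rx0, dr0, v0 = before[key]
        if (rx1 - rx0, dr1 - dr0, v1 - v0) != (0, 0, 0):
            d[key] = (rx1 - rx0, dr1 - dr0, v1 - v0)
    return d


def lockstep_groups(d):
    """Sets of keys whose received delta is identical and non-zero.

    Two unrelated protocol groups advancing by exactly the same count over
    the same interval is worth a second look at the PFE filter terms."""
    by_delta = defaultdict(list)
    for key, (rx, _, _) in d.items():
        if rx:
            by_delta[rx].append(key)
    return [sorted(keys) for keys in by_delta.values() if len(keys) > 1]


def report(before_text, after_text, seconds):
    """[(key, received_delta, pps)] sorted by delta, largest first."""
    d = deltas(parse(before_text), parse(after_text))
    rows = [(key, rx, rx / seconds) for key, (rx, _, _) in d.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    interval = 60  # seconds between the two (constructed) snapshots
    for key, rx, pps in report(SNAPSHOT_T0, SNAPSHOT_T1, interval):
        print(f"{key[0]:<10}{key[1]:<10}+{rx:<8}{pps:6.2f} pps")
    for group in lockstep_groups(deltas(parse(SNAPSHOT_T0), parse(SNAPSHOT_T1))):
        print("lockstep:", ", ".join(f"{g}/{t}" for g, t in group))
```

Run it against two real snapshots taken over a known interval; a group that climbs at a steady rate while the corresponding protocol is absent from the uplink and IRB captures is the one to chase on the PFE-RE interface, and a lockstep pair is the one to compare against the PFE filter terms.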