DO NOT DISTRIBUTE
Introduction
The DDOS protection infrastructure is introduced with the TRIO ASIC. It is mainly used to monitor, inspect, classify and
police host-bound traffic flows so that a misbehaving flow cannot cause unexpected host queue congestion in
different parts of the system (ASIC, uKern and RE). It is enabled by default, with user-configurable pre-defined thresholds
for the various packet types.
In this document, we will go through the implementation of DDOS on the MX platform with TRIO MPC and explain how
the policers are applied in the different parts of the system. The following is based on JUNOS 13.3.
Once host-bound traffic is received via the PUNT nexthop with its PUNT reason, it is tagged with a DDOS
protocol ID according to its packet type. If the packet is a control packet, for example an IPv4/IPv6 packet, the host-bound
classification (HBC) filter (i.e. HOSTBOUND_IPv4_FILTER / HOSTBOUND_IPv6_FILTER) is used to look further
into the packet content, such as the IP protocol and the source / destination port numbers, to determine the packet type and
assign a DDOS protocol ID to it.
Once the packet is tagged with the DDOS protocol ID, the corresponding policer is applied to rate limit that specific
packet type. Here is the HOSTBOUND_IPv4_FILTER.
NPC2(Dokinchan-re0 vty)# show filter index 46137345 program
Filter index = 46137345
Optimization flag: 0x0
Filter notify host id = 0
Filter properties: None
Filter state = CONSISTENT
term HOSTBOUND_IGMP_TERM
term priority 0
payload-protocol
2
then
accept
ddos proto 69
term HOSTBOUND_OSPF_TERM
term priority 0
payload-protocol
89
then
accept
ddos proto 70
term HOSTBOUND_RSVP_TERM
term priority 0
payload-protocol
46
then
accept
ddos proto 71
term HOSTBOUND_PIM_TERM
term priority 0
payload-protocol
103
then
accept
ddos proto 72
term HOSTBOUND_DHCP_TERM
term priority 0
payload-protocol
17
destination-port
67-68
then
accept
ddos proto 24
term HOSTBOUND_RIP_TERM
term priority 0
payload-protocol
17
destination-port
520-521
then
accept
ddos proto 73
term HOSTBOUND_PTP_TERM
term priority 0
payload-protocol
17
destination-port
319-320
then
action next-hop, type (set ptp nh)
ddos proto 74
term HOSTBOUND_BFD_TERM1
term priority 0
payload-protocol
17
destination-port
3784-3785
then
action next-hop, type (inline keepalive BFD nh)
ddos proto 75
term HOSTBOUND_BFD_TERM2
term priority 0
payload-protocol
17
destination-port
4784
then
accept
ddos proto 75
term HOSTBOUND_LMP_TERM
term priority 0
payload-protocol
17
destination-port
701
then
accept
ddos proto 76
term HOSTBOUND_ANCP_TERM
term priority 0
payload-protocol
6
destination-port
6068
then
accept
ddos proto 85
term HOSTBOUND_LDP_TERM1
term priority 0
payload-protocol
6
destination-port
646
then
accept
ddos proto 77
term HOSTBOUND_LDP_TERM2
term priority 0
payload-protocol
6
source-port
646
then
accept
ddos proto 77
term HOSTBOUND_LDP_TERM3
term priority 0
payload-protocol
17
destination-port
646
then
accept
ddos proto 77
term HOSTBOUND_LDP_TERM4
term priority 0
payload-protocol
17
source-port
646
then
accept
ddos proto 77
term HOSTBOUND_MSDP_TERM1
term priority 0
payload-protocol
6
destination-port
639
then
accept
ddos proto 78
term HOSTBOUND_MSDP_TERM2
term priority 0
payload-protocol
6
source-port
639
then
accept
ddos proto 78
term HOSTBOUND_BGP_TERM1
term priority 0
payload-protocol
6
destination-port
179
then
accept
ddos proto 79
term HOSTBOUND_BGP_TERM2
term priority 0
payload-protocol
6
source-port
179
then
accept
ddos proto 79
term HOSTBOUND_VRRP_TERM
term priority 0
payload-protocol
112
destination-address
224.0.0.18/32
then
action next-hop, type (inline keepalive VRRP nh)
ddos proto 80
term HOSTBOUND_TELNET_TERM1
term priority 0
payload-protocol
6
destination-port
23
then
accept
ddos proto 81
term HOSTBOUND_TELNET_TERM2
term priority 0
payload-protocol
6
source-port
23
then
accept
ddos proto 81
term HOSTBOUND_FTP_TERM1
term priority 0
payload-protocol
6
destination-port
20-21
then
accept
ddos proto 82
term HOSTBOUND_FTP_TERM2
term priority 0
payload-protocol
6
source-port
20-21
then
accept
ddos proto 82
term HOSTBOUND_SSH_TERM1
term priority 0
payload-protocol
6
destination-port
22
then
accept
ddos proto 83
term HOSTBOUND_SSH_TERM2
term priority 0
payload-protocol
6
source-port
22
then
accept
ddos proto 83
term HOSTBOUND_SNMP_TERM1
term priority 0
payload-protocol
17
destination-port
161
then
accept
ddos proto 84
term HOSTBOUND_SNMP_TERM2
term priority 0
payload-protocol
17
source-port
161
then
accept
ddos proto 84
term HOSTBOUND_DTCP_TERM
term priority 0
payload-protocol
17
destination-port
652
destination-address
224.0.0.36/32
then
accept
ddos proto 148
term HOSTBOUND_RADIUS_TERM_SERVER
term priority 0
payload-protocol
17
destination-port
1812
then
accept
ddos proto 151
term HOSTBOUND_RADIUS_TERM_ACCOUNT
term priority 0
payload-protocol
17
destination-port
1813
then
accept
ddos proto 152
term HOSTBOUND_RADIUS_TERM_AUTH
term priority 0
payload-protocol
17
destination-port
3799
then
accept
ddos proto 153
term HOSTBOUND_NTP_TERM
term priority 0
payload-protocol
17
destination-port
123
destination-address
224.0.1.1/32
then
accept
ddos proto 154
term HOSTBOUND_TACACS_TERM
term priority 0
payload-protocol
17
destination-port
49
then
accept
ddos proto 155
term HOSTBOUND_DNS_TERM1
term priority 0
payload-protocol
6
destination-port
53
then
accept
ddos proto 156
term HOSTBOUND_DNS_TERM2
term priority 0
payload-protocol
17
destination-port
53
then
accept
ddos proto 156
term HOSTBOUND_DIAMETER_TERM1
term priority 0
payload-protocol
6
destination-port
3868
then
accept
ddos proto 157
term HOSTBOUND_DIAMETER_TERM2
term priority 0
payload-protocol
132
destination-port
3868
then
accept
ddos proto 157
term HOSTBOUND_L2TP_TERM
term priority 0
payload-protocol
17
destination-port
1701
then
accept
ddos proto 162
term HOSTBOUND_GRE_TERM
term priority 0
payload-protocol
47
then
accept
ddos proto 163
term HOSTBOUND_ICMP_TERM
term priority 0
payload-protocol
1
then
accept
ddos proto 68
term HOSTBOUND_TCP_FLAGS_TERM_INITIAL
term priority 0
payload-protocol
6
tcp-flags
value & 0x12 = 0x02
then
accept
ddos proto 146
term HOSTBOUND_TCP_FLAGS_TERM_ESTAB
term priority 0
payload-protocol
6
tcp-flags
value & 0x14 != 0x00
then
accept
ddos proto 147
term HOSTBOUND_TCP_FLAGS_TERM_UNCLS
term priority 0
payload-protocol
6
tcp-flags
value & 0x3f != 0x00
then
accept
ddos proto 145
term HOSTBOUND_IP_FRAG_TERM_FIRST
term priority 0
is-fragment
value & 0x3fff = 0x2000
then
accept
ddos proto 160
term HOSTBOUND_IP_FRAG_TERM_TRAIL
term priority 0
is-fragment
value & 0x1fff != 0x0000
then
accept
ddos proto 161
term HOSTBOUND_AMT_TERM1
term priority 0
payload-protocol
17
destination-port
2268
then
accept
ddos proto 198
term HOSTBOUND_AMT_TERM2
term priority 0
payload-protocol
17
source-port
2268
then
accept
ddos proto 198
term HOSTBOUND_IPV4_DEFAULT_TERM
term priority 0
then
accept
NPC2(Dokinchan-re0 vty)#
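The first-match behaviour of the filter above, as an added example (not Juniper code and not part of the original document). It models a subset of the terms in the order the dump lists them; the packet field names and the reading of `is-fragment` as the 16-bit flags/fragment-offset word are assumptions made for the illustration.

```python
# Added illustration: first-match classification over a subset of the
# HOSTBOUND_IPv4_FILTER terms, kept in the order the dump prints them.
# Each entry: (term name, match conditions, ddos proto or None).
TERMS = [
    ("HOSTBOUND_OSPF_TERM", {"proto": 89}, 70),
    ("HOSTBOUND_DHCP_TERM", {"proto": 17, "dport": (67, 68)}, 24),
    ("HOSTBOUND_BGP_TERM1", {"proto": 6, "dport": (179, 179)}, 79),
    ("HOSTBOUND_BGP_TERM2", {"proto": 6, "sport": (179, 179)}, 79),
    ("HOSTBOUND_VRRP_TERM", {"proto": 112, "dst": "224.0.0.18"}, 80),
    ("HOSTBOUND_SSH_TERM1", {"proto": 6, "dport": (22, 22)}, 83),
    ("HOSTBOUND_SSH_TERM2", {"proto": 6, "sport": (22, 22)}, 83),
    ("HOSTBOUND_ICMP_TERM", {"proto": 1}, 68),
    ("HOSTBOUND_TCP_FLAGS_TERM_INITIAL",
     {"proto": 6, "tcp_flags": (0x12, "==", 0x02)}, 146),
    ("HOSTBOUND_TCP_FLAGS_TERM_ESTAB",
     {"proto": 6, "tcp_flags": (0x14, "!=", 0x00)}, 147),
    ("HOSTBOUND_TCP_FLAGS_TERM_UNCLS",
     {"proto": 6, "tcp_flags": (0x3F, "!=", 0x00)}, 145),
    ("HOSTBOUND_IP_FRAG_TERM_FIRST", {"frag": (0x3FFF, "==", 0x2000)}, 160),
    ("HOSTBOUND_IP_FRAG_TERM_TRAIL", {"frag": (0x1FFF, "!=", 0x0000)}, 161),
    ("HOSTBOUND_IPV4_DEFAULT_TERM", {}, None),  # accept, no ddos proto set
]


def _masked(value, cond):
    """Evaluate a 'value & mask <op> want' test as printed in the dump."""
    mask, op, want = cond
    if value is None:  # field absent, e.g. no TCP header in a trailing fragment
        return False
    got = value & mask
    return got == want if op == "==" else got != want


def term_matches(cond, pkt):
    """True when every condition of one term holds for the packet."""
    for field, want in cond.items():
        have = pkt.get(field)
        if field in ("proto", "dst"):
            ok = have == want
        elif field in ("sport", "dport"):
            ok = have is not None and want[0] <= have <= want[1]
        else:  # tcp_flags / frag
            ok = _masked(have, want)
        if not ok:
            return False
    return True


def classify(pkt):
    """Return (term name, ddos proto) of the first term that matches."""
    for name, cond, ddos_proto in TERMS:
        if term_matches(cond, pkt):
            return name, ddos_proto
    raise AssertionError("unreachable: the default term matches everything")


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "SYN to tcp/179": {"proto": 6, "sport": 50000, "dport": 179, "tcp_flags": 0x02},
    "SYN to tcp/8443": {"proto": 6, "sport": 50000, "dport": 8443, "tcp_flags": 0x02},
    "SYN+ACK from tcp/22": {"proto": 6, "sport": 22, "dport": 50000, "tcp_flags": 0x12},
    "ACK to tcp/8443": {"proto": 6, "sport": 50000, "dport": 8443, "tcp_flags": 0x10},
    "FIN only to tcp/8443": {"proto": 6, "sport": 50000, "dport": 8443, "tcp_flags": 0x01},
    "UDP to port 9999": {"proto": 17, "sport": 50000, "dport": 9999},
    "UDP trailing fragment": {"proto": 17, "frag": 0x00B9},
    "ICMP trailing fragment": {"proto": 1, "frag": 0x00B9},
    "VRRP advertisement": {"proto": 112, "dst": "224.0.0.18"},
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        term, proto = classify(pkt)
        print(f"{label:24} -> {term} (ddos proto {proto})")
```

A TCP SYN aimed at port 179 is counted against the BGP policer (proto 79) rather than the tcp-flags initial policer (proto 146), because the port-specific term comes first; that tells you which policer's counters to look at for a given traffic pattern.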
Policer Hierarchy
The DDOS configuration is mainly a combination of three different levels: ASIC, uKern and Routing Engine. Each of
them applies a rate limit to the corresponding packet type. DDOS is enabled by default. Although it can be disabled
via a configuration knob, that's not recommended.
# set system ddos-protection global ?
Possible completions:
disable-fpc
disable-logging
disable-routing-engine
However, if we disable DDOS for a specific protocol, it doesn't mean that the packets will fall through to the other terms within the
DDOS filter; it just means that we will accept all those packets without policing.
> amtv6
> ancp
> ancpv6
+ apply-groups
+ apply-groups-except
> arp
> atm
> bfd
> bfdv6
> bgp
> bgpv6
> demux-autosense
> dhcpv4
> dhcpv6
> diameter
> dns
> dtcp
> dynamic-vlan
> egpv6
> eoam
> esmc
> fab-probe
> firewall-host
> frame-relay
> ftp
> ftpv6
> gre
> icmp
> icmpv6
> igmp
> igmpv4v6
> igmpv6
> inline-ka
> inline-svcs
> ip-fragments
Configure IP-Fragments
> ip-options
> isis
> jfm
> keepalive
> l2pt
> l2tp
> lacp
> ldp
> ldpv6
> lldp
> lmp
> lmpv6
> mac-host
> mcast-snoop
> mlp
> msdp
> msdpv6
> mvrp
> ndpv6
> ntp
> oam-lfm
> ospf
> ospfv3v6
> pfe-alive
> pim
> pimv6
> pmvrp
> pos
> ppp
> pppoe
> ptp
> pvstp
> radius
> redirect
> reject
> rejectv6
> rip
> ripv6
> rsvp
> rsvpv6
> sample
> services
Configure services
> snmp
> snmpv6
> ssh
> sshv6
> stp
> tacacs
> tcp-flags
> telnet
> telnetv6
> ttl
> tunnel-fragment
> unclassified
> virtual-chassis
> vrrp
> vrrpv6
Let's take IPv4 unclassified packets (i.e. host-bound packets which don't fall into any of the pre-defined IPv4 protocol types
above) as an example. Under the unclassified protocol type, we have a separate policer configuration per host-bound
notification type. (Note: The unclassified protocol type should cover IPv6 as well, but I take out the IPv6 part to
simplify it a bit. Also, the flow-related configuration will be covered under the SCFD section.)
# set system ddos-protection protocols unclassified ?
Possible completions:
> aggregate
+ apply-groups
+ apply-groups-except
> control-layer2
> control-v4
> filter-v4
> fw-host
> host-route-v4
> mcast-copy
> other
> resolve-v4
Under each notif type, we can define the policer rate and the burst size for the whole system (i.e. Routing Engine level) or
under each FPC (uKern level). Under each FPC, each PFE (i.e. ASIC level) will take the FPC policer configuration and
apply it at the ASIC level, in the LUchip, as well.
# set system ddos-protection protocols unclassified host-route-v4 ?
Possible completions:
bandwidth
burst
bypass-aggregate
disable-fpc
disable-logging
disable-routing-engine
> fpc
recover-time
burst-scale
disable-fpc
20000 pps
Burst:
20000 packets
Recover time:
300 seconds
Enabled:
Yes
Packet type: other (all other unclassified packets)
Individual policer configuration:
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
Packet type: resolve-v4 (unclassified v4 resolve packets)
Individual policer configuration:
Bandwidth:
5000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 5000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (5000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (5000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (5000 pps), Burst: 100% (10000 packets), enabled
Packet type: resolve-v6 (unclassified v6 resolve packets)
Individual policer configuration:
Bandwidth:
5000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 5000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (5000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (5000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (5000 pps), Burst: 100% (10000 packets), enabled
Packet type: control-v4 (unclassified v4 control packets)
Individual policer configuration:
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
Packet type: control-v6 (unclassified v6 control packets)
Individual policer configuration:
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
Packet type: host-route-v4 (unclassified v4 routing protocol and host packet)
Individual policer configuration:
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
Packet type: host-route-v6 (unclassified v6 routing protocol and host packet)
Individual policer configuration:
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
Packet type: filter-v4 (unclassified v4 filter action packets)
Individual policer configuration:
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
Packet type: filter-v6 (unclassified v6 filter action packets)
Individual policer configuration:
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
Packet type: control-layer2 (unclassified layer2 control packets)
Individual policer configuration:
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
Packet type: fw-host (Unclassified send to host fw traffic)
Individual policer configuration:
Bandwidth:
20000 pps
Burst:
20000 packets
Priority:
High
Recover time:
300 seconds
Enabled:
Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 20000 pps, Burst: 20000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
Packet type: mcast-copy ( Unclassified host copy due to multicast routing)
Individual policer configuration:
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
High
Recover time:
300 seconds
Enabled:
Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
idx prot  group       proto       on Pri  UKERN-Config  PFE-Config
                                           rate burst    rate burst
176 5800  uncls       aggregate   Y Md    20000 20000     ---   ---
177 5801  uncls       other       Y Lo     2000 10000    2000 10000
178 5802  uncls       resolve-v4  Y Lo     5000 10000    5000 10000
179 5803  uncls       resolve-v6  Y Lo     5000 10000    5000 10000
180 5804  uncls       control-v4  Y Lo     2000 10000    2000 10000
181 5805  uncls       control-v6  Y Lo     2000 10000    2000 10000
182 5806  uncls       host-rt-v4  Y Lo     2000 10000    2000 10000
183 5807  uncls       host-rt-v6  Y Lo     2000 10000    2000 10000
184 5808  uncls       filter-v4   Y Lo     2000 10000    2000 10000
185 5809  uncls       filter-v6   Y Lo     2000 10000    2000 10000
186 580a  uncls       control-l2  Y Lo     2000 10000    2000 10000
187 580b  uncls       fw-host     Y Hi    20000 20000   20000 20000
188 580c  uncls       mcast-copy  Y Hi     2000 10000    2000 10000
We can find exactly the same thing for other protocols. For example, PPP.
# set system ddos-protection protocols ppp ?
Possible completions:
> aggregate
+ apply-groups
+ apply-groups-except
> authentication
> echo-rep
> echo-req
> ipcp
> ipv6cp
> isis
> lcp
> mlppp-lcp
> mplscp
> unclassified
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ppp echo-req ?
Possible completions:
+ apply-groups
+ apply-groups-except
bandwidth
burst
bypass-aggregate
disable-fpc
disable-logging
disable-routing-engine
> fpc
idx prot  group       proto       on Pri  UKERN-Config  PFE-Config
                                           rate burst    rate burst
     400  ppp         aggregate   Y Md    16000 16000     ---   ---
     401  ppp         unclass     Y Lo     1000   500    1000   500
     402  ppp         lcp         Y Lo    12000 12000   12000 12000
     403  ppp         auth        Y Md     2000  2000    2000  2000
     404  ppp         ipcp        Y Hi     2000  2000    2000  2000
     405  ppp         ipv6cp      Y Hi     2000  2000    2000  2000
 10  406  ppp         mplscp      Y Hi     2000  2000    2000  2000
 11  407  ppp         isis        Y Hi     2000  2000    2000  2000
 12  408  ppp         echo-req    Y Lo    12000 12000   12000 12000
 13  409  ppp         echo-rep    Y Lo    12000 12000   12000 12000
 14  40a  ppp         mlppp-lcp   Y Lo    12000 12000   12000 12000
We will cover the relationship of the policers in each level under the following sections.
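How the three policing levels combine, as an added example (not Juniper code and not part of the original document). It assumes a simple packet-count token bucket per policer, one-second time steps, and the host-route-v4 values shown above (2000 pps, burst 10000, FPC scale 100%); the function and field names are invented for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Policer:
    """Packet-count token bucket: refills `rate` tokens/s up to `burst`."""
    rate: int          # packets per second ("Bandwidth" in the CLI output)
    burst: int         # bucket depth in packets ("Burst")
    tokens: int = 0
    passed: int = 0
    dropped: int = 0

    def __post_init__(self):
        self.tokens = self.burst  # assumption: the bucket starts full

    def offer(self, packets: int) -> int:
        """Offer one second of traffic; return the conforming packet count."""
        ok = min(packets, self.tokens)
        self.tokens -= ok
        self.passed += ok
        self.dropped += packets - ok
        return ok

    def refill(self) -> None:
        """Credit one second of tokens, capped at the burst size."""
        self.tokens = min(self.burst, self.tokens + self.rate)


def simulate(offered_pps, seconds, rate=2000, burst=10000, fpc_scale_pct=100):
    """Push traffic through PFE -> uKern -> Routing Engine policers.

    offered_pps maps an FPC slot to a list with the offered rate on each of
    its PFEs. Every PFE and every FPC (uKern) gets fpc_scale_pct percent of
    rate/burst, as in "Bandwidth: 100% (2000 pps)"; the RE gets rate/burst.
    """
    fpc_rate = rate * fpc_scale_pct // 100
    fpc_burst = burst * fpc_scale_pct // 100
    pfe = {slot: [Policer(fpc_rate, fpc_burst) for _ in loads]
           for slot, loads in offered_pps.items()}
    ukern = {slot: Policer(fpc_rate, fpc_burst) for slot in offered_pps}
    re = Policer(rate, burst)
    everything = [p for plist in pfe.values() for p in plist]
    everything += list(ukern.values()) + [re]

    for _ in range(seconds):
        reaching_re = 0
        for slot, loads in offered_pps.items():
            from_pfes = sum(p.offer(pps) for p, pps in zip(pfe[slot], loads))
            reaching_re += ukern[slot].offer(from_pfes)
        re.offer(reaching_re)
        for policer in everything:
            policer.refill()

    return {
        "pfe_dropped": sum(p.dropped for plist in pfe.values() for p in plist),
        "ukern_dropped": sum(p.dropped for p in ukern.values()),
        "re_offered": re.passed + re.dropped,
        "re_dropped": re.dropped,
        "re_delivered": re.passed,
    }


# Constructed loads: 50,000 pps of host-route-v4 traffic per PFE.
ONE_FPC = {1: [50000]}
THREE_FPCS = {1: [50000, 50000], 2: [50000], 3: [50000]}

if __name__ == "__main__":
    for label, load in (("one FPC", ONE_FPC), ("three FPCs", THREE_FPCS)):
        print(label, simulate(load, seconds=10))
```

With a single PFE under load, the ASIC-level policer does all the dropping. With several PFEs and FPCs under load, each lower level still forwards up to its own limit, so the uKern and Routing Engine policers are what keep the total reaching the RE at the configured 2000 pps after the initial burst.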
ASIC Level
The policing on the ASIC is done by the LUchip. The following is a map of protocol types and the policers being applied. Under
DDOS, each protocol / frame type has an index and a protocol ID defined (which is NOT the IPv4 protocol ID). The
DDOS policer maps the protocol / frame type to the corresponding protocol ID for classification.
Here is a list of each protocol type with the corresponding protocol ID and index. For each of them, there are uKern level
and PFE (i.e. LUchip) level configurations. There is a priority for each protocol type, but it applies only between the protocols
(for example lcp, auth, ipcp, etc.) under the same group (i.e. PPP).
# show ddos policer configuration all
DDOS Policer Configuration:
idx prot
---
group
proto on Pri
UKERN-Config
PFE-Config
rate burst
rate burst
host-path
aggregate
Y --
100
ipv4-uncls
aggregate
200
ipv6-uncls
aggregate
300
dynvlan
400
5
6
---
---
25000 25000
Y Md
2000 10000
2000 10000
Y Md
2000 10000
2000 10000
aggregate
Y Lo
1000
500
1000
500
ppp
aggregate
Y Md
16000 16000
---
---
401
ppp
unclass
Y Lo
1000
500
402
ppp
lcp
Y Lo
403
ppp
auth
Y Md
2000
2000
2000
2000
404
ppp
ipcp
Y Hi
2000
2000
2000
2000
1000
12000 12000
405
ppp
ipv6cp
Y Hi
2000
2000
2000
2000
10
406
ppp
mplscp
Y Hi
2000
2000
2000
2000
11
407
ppp
isis
Y Hi
2000
2000
2000
2000
12
408
ppp
echo-req
Y Lo
12000 12000
12000 12000
13
409
ppp
echo-rep
Y Lo
12000 12000
12000 12000
14
40a
ppp
mlppp-lcp
Y Lo
12000 12000
12000 12000
15
500
pppoe
aggregate
Y Md
2000
2000
---
---
16
501
pppoe
unclass..
Y --
---
---
17
502
pppoe
padi
Y Lo
500
500
500
500
18
503
pppoe
pado
Y Lo
19
504
pppoe
padr
Y Md
500
500
500
500
20
505
pppoe
pads
Y Lo
21
506
pppoe
padt
Y Hi
1000
1000
1000
1000
22
507
pppoe
padm
Y Lo
23
508
pppoe
padn
Y Lo
 24  600  dhcpv4      aggregate   Y Md     5000  5000    5000  5000
 25  601  dhcpv4      unclass..   Y Lo      300   150     ---   ---
 26  602  dhcpv4      discover    Y Lo      500   500     ---   ---
 27  603  dhcpv4      offer       Y Lo     1000  1000     ---   ---
 28  604  dhcpv4      request     Y Md     1000  1000     ---   ---
 29  605  dhcpv4      decline     Y Lo      500   500     ---   ---
 30  606  dhcpv4      ack         Y Md      500   500     ---   ---
 31  607  dhcpv4      nak         Y Lo      500   500     ---   ---
 32  608  dhcpv4      release     Y Hi     2000  2000     ---   ---
 33  609  dhcpv4      inform      Y Lo      500   500     ---   ---
 34  60a  dhcpv4      renew       Y Hi     2000  2000     ---   ---
500
12000 12000
 35  60b  dhcpv4      forcerenew  Y Hi     2000  2000     ---   ---
 36  60c  dhcpv4      leasequery  Y Hi     2000  2000     ---   ---
 37  60d  dhcpv4      leaseuna..  Y Hi     2000  2000     ---   ---
 38  60e  dhcpv4      leaseunk..  Y Hi     2000  2000     ---   ---
 39  60f  dhcpv4      leaseact..  Y Hi     2000  2000     ---   ---
 40  610  dhcpv4      bootp       Y Lo      300   300     ---   ---
 41  611  dhcpv4      no-msgtype  Y Lo     1000  1000     ---   ---
42
612
dhcpv4
bad-pack..
Y Lo
---
---
 43  700  dhcpv6      aggregate   Y Lo     5000  5000    5000  5000
 44  701  dhcpv6      unclass..   Y Lo     3000  3000     ---   ---
 45  702  dhcpv6      solicit     Y Lo      500   500     ---   ---
 46  703  dhcpv6      advertise   Y Lo      500   500     ---   ---
 47  704  dhcpv6      request     Y Md     1000  1000     ---   ---
 48  705  dhcpv6      confirm     Y Md     1000  1000     ---   ---
 49  706  dhcpv6      renew       Y Md     2000  2000     ---   ---
 50  707  dhcpv6      rebind      Y Md     2000  2000     ---   ---
 51  708  dhcpv6      reply       Y Md     1000  1000     ---   ---
 52  709  dhcpv6      release     Y Hi     2000  2000     ---   ---
 53  70a  dhcpv6      decline     Y Lo     1000  1000     ---   ---
 54  70b  dhcpv6      reconfig    Y Lo     1000  1000     ---   ---
 55  70c  dhcpv6      info..req   Y Lo     1000  1000     ---   ---
 56  70d  dhcpv6      relay-for.. Y Lo     1000  1000     ---   ---
 57  70e  dhcpv6      relay-rep.. Y Lo     1000  1000     ---   ---
 58  70f  dhcpv6      leasequery  Y Lo     1000  1000     ---   ---
 59  710  dhcpv6      leaseq..re  Y Lo     1000  1000     ---   ---
 60  711  dhcpv6      leaseq..do  Y Lo     1000  1000     ---   ---
 61  712  dhcpv6      leaseq..da  Y Lo     1000  1000     ---   ---
62
800
vchassis
aggregate
Y Lo
30000 30000
---
---
63
801
vchassis
unclass..
Y Lo
---
---
64
802
vchassis
control-hi
Y Hi
10000
5000
10000
5000
65
803
vchassis
control-lo
Y Lo
8000
3000
8000
3000
66
804
vchassis
vc-packets
Y Hi
67
805
vchassis
vc-ttl-err
Y Hi
4000 10000
4000 10000
 68  900  icmp        aggregate   Y Hi    20000 20000   20000 20000
 69  a00  igmp        aggregate   Y Hi    20000 20000   20000 20000
 70  b00  ospf        aggregate   Y Hi    20000 20000   20000 20000
 71  c00  rsvp        aggregate   Y Hi    20000 20000   20000 20000
 72  d00  pim         aggregate   Y Hi    20000 20000   20000 20000
 73  e00  rip         aggregate   Y Hi    20000 20000   20000 20000
 74  f00  ptp         aggregate   Y Hi    20000 20000   20000 20000
 75 1000  bfd         aggregate   Y Hi    20000 20000   20000 20000
 76 1100  lmp         aggregate   Y Hi    20000 20000   20000 20000
 77 1200  ldp         aggregate   Y Hi    20000 20000   20000 20000
 78 1300  msdp        aggregate   Y Hi    20000 20000   20000 20000
 79 1400  bgp         aggregate   Y Lo    20000 20000   20000 20000
 80 1500  vrrp        aggregate   Y Hi    20000 20000   20000 20000
 81 1600  telnet      aggregate   Y Lo    20000 20000   20000 20000
 82 1700  ftp         aggregate   Y Lo    20000 20000   20000 20000
 83 1800  ssh         aggregate   Y Lo    20000 20000   20000 20000
30000 30000
30000 30000
 84 1900  snmp        aggregate   Y Lo    20000 20000   20000 20000
 85 1a00  ancp        aggregate   Y Lo    20000 20000   20000 20000
 86 1b00  igmpv6      aggregate   Y Hi    20000 20000   20000 20000
 87 1c00  egpv6       aggregate   Y Hi    20000 20000   20000 20000
 88 1d00  rsvpv6      aggregate   Y Hi    20000 20000   20000 20000
 89 1e00  igmpv4v6    aggregate   Y Hi    20000 20000   20000 20000
 90 1f00  ripv6       aggregate   Y Hi    20000 20000   20000 20000
 91 2000  bfdv6       aggregate   Y Hi    20000 20000   20000 20000
 92 2100  lmpv6       aggregate   Y Hi    20000 20000   20000 20000
 93 2200  ldpv6       aggregate   Y Hi    20000 20000   20000 20000
 94 2300  msdpv6      aggregate   Y Hi    20000 20000   20000 20000
 95 2400  bgpv6       aggregate   Y Lo    20000 20000   20000 20000
 96 2500  vrrpv6      aggregate   Y Hi    20000 20000   20000 20000
 97 2600  telnetv6    aggregate   Y Lo    20000 20000   20000 20000
 98 2700  ftpv6       aggregate   Y Lo    20000 20000   20000 20000
 99 2800  sshv6       aggregate   Y Lo    20000 20000   20000 20000
100 2900  snmpv6      aggregate   Y Lo    20000 20000   20000 20000
101 2a00  ancpv6      aggregate   Y Lo    20000 20000   20000 20000
102 2b00  ospfv3v6    aggregate   Y Hi    20000 20000   20000 20000
103 2c00  lacp        aggregate   Y Hi    20000 20000   20000 20000
104 2d00  stp         aggregate   Y Hi    20000 20000   20000 20000
105 2e00  esmc        aggregate   Y Hi    20000 20000   20000 20000
106 2f00  oam-lfm     aggregate   Y Hi    20000 20000   20000 20000
107 3000  eoam        aggregate   Y Hi    20000 20000   20000 20000
108 3100  lldp        aggregate   Y Hi    20000 20000   20000 20000
109 3200  mvrp        aggregate   Y Hi    20000 20000   20000 20000
110 3300  pmvrp       aggregate   Y Hi    20000 20000   20000 20000
111 3400  arp         aggregate   Y Lo    20000 20000   20000 20000
112 3500  pvstp       aggregate   Y Hi    20000 20000   20000 20000
113 3600  isis        aggregate   Y Hi    20000 20000   20000 20000
114 3700  pos         aggregate   Y Hi    20000 20000   20000 20000
115 3800
mlp
aggregate
Y Lo
2000 10000
116 3801
mlp
unclass..
Y Lo
2000 10000
2000 10000
117 3802
mlp
packets
Y Lo
2000 10000
2000 10000
118 3803
mlp
aging-exc
Y Lo
2000 10000
119 3900
jfm
aggregate
Y Hi
20000 20000
---
---
---
20000 20000
120 3a00
atm
aggregate
Y Hi
20000 20000
20000 20000
121 3b00
pfe-alive
aggregate
Y Hi
20000 20000
20000 20000
2000 10000
122 3c00
ttl
aggregate
Y Hi
2000 10000
123 3d00
ip-opt
aggregate
Y Hi
20000 20000
124 3d01
ip-opt
unclass..
Y Lo
10000 10000
10000 10000
125 3d02
ip-opt
rt-alert
Y Hi
20000 20000
20000 20000
10000 10000
126 3d03
ip-opt
non-v4v6
Y Lo
10000 10000
127 3e00
redirect
aggregate
Y Hi
2000 10000
128 3f00
control
aggregate
Y --
129 4000
mcast-copy
aggregate
130 4100
mac-host
131 4200
tun-frag
132 4300
mcast-snoop
---
---
---
2000 10000
---
20000 20000
Y Hi
2000 10000
2000 10000
aggregate
Y Hi
20000 20000
20000 20000
aggregate
Y Hi
2000 10000
2000 10000
aggregate
Y Hi
20000 20000
20000 20000
---
133 4301
mcast-snoop
unclass..
Y --
134 4302
mcast-snoop
igmp
Y Hi
20000 20000
---
20000 20000
135 4303
mcast-snoop
pim
Y Lo
20000 20000
20000 20000
136 4304
mcast-snoop
mld
Y Hi
20000 20000
20000 20000
137 4400
services
aggregate
Y Hi
20000 20000
138 4401
services
unclass..
Y --
139 4402
services
packet
140 4403
services
BSDT
141 4500
demuxauto
142 4600
---
---
---
---
20000 20000
Y Hi
20000 20000
20000 20000
Y Lo
20000 20000
20000 20000
aggregate
Y Hi
2000 10000
2000 10000
reject
aggregate
Y Hi
2000 10000
2000 10000
143 4700
fw-host
aggregate
Y Hi
20000 20000
20000 20000
144 4800
tcp-flags
aggregate
Y Lo
20000 20000
145 4801
tcp-flags
unclass..
Y Lo
20000 20000
20000 20000
146 4802
tcp-flags
initial
Y Lo
20000 20000
20000 20000
147 4803
tcp-flags
establish
Y Lo
20000 20000
20000 20000
148 4900
dtcp
aggregate
Y Hi
20000 20000
20000 20000
149 4a00
radius
aggregate
Y Hi
20000 20000
150 4a01
radius
unclass..
Y --
151 4a02
radius
server
152 4a03
radius
account..
153 4a04
radius
154 4b00
---
---
---
---
---
---
20000 20000
Y Hi
20000 20000
20000 20000
Y Hi
20000 20000
20000 20000
auth..
Y Hi
20000 20000
20000 20000
ntp
aggregate
Y Hi
20000 20000
20000 20000
155 4c00
tacacs
aggregate
Y Hi
20000 20000
20000 20000
156 4d00
dns
aggregate
Y Hi
20000 20000
20000 20000
157 4e00
diameter
aggregate
Y Hi
20000 20000
20000 20000
158 4f00
ip-frag
aggregate
Y Lo
20000 20000
159 4f01
ip-frag
unclass..
Y --
---
20000 20000
160 4f02
ip-frag
first-frag
Y Lo
20000 20000
20000 20000
161 4f03
ip-frag
trail-frag
Y Lo
20000 20000
20000 20000
162 5000
l2tp
aggregate
Y Hi
20000 20000
20000 20000
163 5100
gre
aggregate
Y Hi
20000 20000
164 5200
ipsec
aggregate
Y --
165 5300
pimv6
aggregate
166 5400
icmpv6
aggregate
167 5500
ndpv6
168 5600
sample
169 5601
---
---
---
---
20000 20000
---
20000 20000
Y Hi
20000 20000
20000 20000
Y Hi
20000 20000
20000 20000
aggregate
Y Lo
20000 20000
20000 20000
aggregate
Y Md
1000
1000
---
sample
unclass..
Y --
---
---
170 5602
sample
syslog
Y Md
1000
1000
1000
1000
171 5603
sample
host
Y Md
1000
1000
1000
1000
172 5604
sample
pfe
Y Md
1000
1000
1000
1000
173 5605
sample
tap
Y Md
1000
1000
1000
1000
174 5606
sample
sflow
Y Md
1000
1000
1000
1000
175 5700
fab-probe
aggregate
Y Hi
20000 20000
176 5800
uncls
aggregate
Y Md
20000 20000
177 5801  uncls       other       Y Lo     2000 10000    2000 10000
178 5802  uncls       resolve-v4  Y Lo     5000 10000    5000 10000
179 5803  uncls       resolve-v6  Y Lo     5000 10000    5000 10000
180 5804  uncls       control-v4  Y Lo     2000 10000    2000 10000
181 5805  uncls       control-v6  Y Lo     2000 10000    2000 10000
---
---
20000 20000
---
---
182 5806  uncls       host-rt-v4  Y Lo     2000 10000    2000 10000
183 5807  uncls       host-rt-v6  Y Lo     2000 10000    2000 10000
184 5808  uncls       filter-v4   Y Lo     2000 10000    2000 10000
185 5809  uncls       filter-v6   Y Lo     2000 10000    2000 10000
186 580a  uncls       control-l2  Y Lo     2000 10000    2000 10000
187 580b  uncls       fw-host     Y Hi    20000 20000   20000 20000
188 580c  uncls       mcast-copy  Y Hi     2000 10000    2000 10000
189 5900  rejectv6    aggregate   Y Hi     2000 10000    2000 10000
190 5a00  l2pt        aggregate   Y Lo    20000 20000   20000 20000
191 5b00  keepalive   aggregate   Y Hi    20000 20000   20000 20000
192 5c00  inline-ka   aggregate   Y Hi    20000 20000   20000 20000
193 5d00  inline-svcs aggregate   Y Lo    20000 20000   20000 20000
194 5e00  frame-relay aggregate   Y Lo    20000 20000   20000 20000
195 5e01
frame-relay
unclass..
Y --
196 5e02  frame-relay frf15       Y Lo    12000 12000   12000 12000
197 5e03  frame-relay frf16       Y Lo    12000 12000   12000 12000
198 5f00  amtv4       aggregate   Y Lo    20000 20000   20000 20000
199 6000  amtv6       aggregate   Y Lo    20000 20000   20000 20000
---
---
Each protocol is associated with different policers at the different levels. Here is the nexthop and host-bound queue (under
MQ) mapping for each PUNT traffic type.
# show ddos asic punt-proto-maps
PUNT codes directly mapped to DDOS proto:
code PUNT name
---- -------------------1 PUNT_TTL
3 PUNT_REDIRECT
burst
ttl aggregate
3c00
2000
10000
redirect aggregate
3e00
2000
10000
fab-probe aggregate
5700
20000
20000
7 PUNT_MAC_FWD_TYPE_HOST
mac-host aggregate
4100
20000
20000
8 PUNT_TUNNEL_FRAGMENT
tun-frag aggregate
4200
2000
10000
3802
2000
10000
12 PUNT_IGMP_SNOOP
13 PUNT_VC_TTL_ERROR
14 PUNT_L2PT_ERROR
18 PUNT_PIM_SNOOP
35 PUNT_AUTOSENSE
38 PUNT_SERVICES
39 PUNT_DEMUXAUTOSENSE
mlp packets
mcast-snoop igmp
vchassis vc-ttl-err
l2pt aggregate
mcast-snoop pim
dynvlan aggregate
services BSDT
4302
805
5a00
4303
20000
20000
4000
10000
20000
20000
20000
20000
300
1000
500
4403
20000
20000
demuxauto aggregate
4500
2000
10000
40 PUNT_REJECT
reject aggregate
4600
2000
10000
41 PUNT_SAMPLE_SYSLOG
sample syslog
5602
1000
1000
42 PUNT_SAMPLE_HOST
sample host
5603
1000
1000
43 PUNT_SAMPLE_PFE
sample pfe
5604
1000
1000
44 PUNT_SAMPLE_TAP
sample tap
5605
1000
1000
45 PUNT_PPPOE_PADI
pppoe padi
502
500
500
46 PUNT_PPPOE_PADR
pppoe padr
504
500
500
47 PUNT_PPPOE_PADT
pppoe padt
506
1000
1000
48 PUNT_PPP_LCP
ppp lcp
402
12000
12000
49 PUNT_PPP_AUTH
ppp auth
403
2000
2000
idx q# bwidth
5 PUNT_FAB_OUT_PROBE_PKT
11 PUNT_MLP
group proto
--------- ------
50 PUNT_PPP_IPV4CP
ppp ipcp
404
2000
2000
51 PUNT_PPP_IPV6CP
ppp ipv6cp
405
2000
2000
52 PUNT_PPP_MPLSCP
ppp mplscp
406
2000
2000
53 PUNT_PPP_UNCLASSIFIED_CP
ppp unclass
401
1000
500
55 PUNT_VC_HI
vchassis control-hi
802
10000
5000
56 PUNT_VC_LO
vchassis control-lo
803
8000
3000
407
2000
2000
5b00
20000
20000
12000
57 PUNT_PPP_ISIS
ppp isis
58 PUNT_KEEPALIVE
keepalive aggregate
ppp echo-req
inline-ka aggregate
63 PUNT_PPP_LCP_ECHO_REP
64 PUNT_MLPPP_LCP
408
5d00
20000
5c00
20000
20000
ppp echo-rep
409
12000
12000
ppp mlppp-lcp
40a
12000
12000
65 PUNT_MLFR_CONTROL
frame-relay frf15
66 PUNT_MFR_CONTROL
frame-relay frf16
5e02
5e03
12000
12000
12000
12000
68 PUNT_REJECT_V6
rejectv6 aggregate
5900
2000
10000
70 PUNT_SEND_TO_HOST_SVCS
services packet
4402
20000
20000
5606
1000
1000
71 PUNT_SAMPLE_SFLOW
sample sflow
20000
12000
   4 PUNT_CONTROL            |
   6 PUNT_HOST_COPY          |
  11 PUNT_MLP                |---------------+
  32 PUNT_PROTOCOL           |               |
  33 PUNT_RESOLVE            |               |
  34 PUNT_RECEIVE            |               |
  36 PUNT_REJECT_FW          |               |
  54 PUNT_SEND_TO_HOST_FW    |               |
  69 PUNT_RESOLVE_V6         |               |
                                             |
-----------------------------------------------------------------
type   subtype     group proto             idx  q#  bwidth  burst
------ ----------  ---------- ----------
contrl LACP        lacp aggregate         2c00       20000  20000
contrl STP         stp aggregate          2d00       20000  20000
contrl ESMC        esmc aggregate         2e00       20000  20000
contrl OAM_LFM     oam-lfm aggregate      2f00       20000  20000
contrl EOAM        eoam aggregate         3000       20000  20000
contrl LLDP        lldp aggregate         3100       20000  20000
contrl MVRP        mvrp aggregate         3200       20000  20000
contrl PMVRP       pmvrp aggregate        3300       20000  20000
contrl ARP         arp aggregate          3400       20000  20000
contrl PVSTP       pvstp aggregate        3500       20000  20000
contrl ISIS        isis aggregate         3600       20000  20000
contrl POS         pos aggregate          3700       20000  20000
contrl MLP         mlp packets            3802        2000  10000
contrl JFM         jfm aggregate          3900       20000  20000
contrl ATM         atm aggregate          3a00       20000  20000
contrl PFE_ALIVE   pfe-alive aggregate    3b00       20000  20000
filter ipv4        dhcpv4 aggregate        600        5000   5000
filter ipv6        dhcpv6 aggregate        700        5000   5000
filter ipv4        icmp aggregate          900       20000  20000
filter ipv4        igmp aggregate          a00       20000  20000
filter ipv4        ospf aggregate          b00       20000  20000
filter ipv4        rsvp aggregate          c00       20000  20000
filter ipv4        pim aggregate           d00       20000  20000
filter ipv4        rip aggregate           e00       20000  20000
filter ipv4        ptp aggregate           f00       20000  20000
filter ipv4        bfd aggregate          1000       20000  20000
filter ipv4        lmp aggregate          1100       20000  20000
filter ipv4        ldp aggregate          1200       20000  20000
filter ipv4        msdp aggregate         1300       20000  20000
filter ipv4        bgp aggregate          1400       20000  20000
filter ipv4        vrrp aggregate         1500       20000  20000
filter ipv4        telnet aggregate       1600       20000  20000
filter ipv4        ftp aggregate          1700       20000  20000
filter ipv4        ssh aggregate          1800       20000  20000
filter ipv4        snmp aggregate         1900       20000  20000
filter ipv4        ancp aggregate         1a00       20000  20000
filter ipv6        igmpv6 aggregate       1b00       20000  20000
filter ipv6        egpv6 aggregate        1c00       20000  20000
filter ipv6        rsvpv6 aggregate       1d00       20000  20000
filter ipv6        igmpv4v6 aggregate     1e00       20000  20000
filter ipv6        ripv6 aggregate        1f00       20000  20000
filter ipv6        bfdv6 aggregate        2000       20000  20000
filter ipv6        lmpv6 aggregate        2100       20000  20000
filter ipv6        ldpv6 aggregate        2200       20000  20000
filter ipv6        msdpv6 aggregate       2300       20000  20000
filter ipv6        bgpv6 aggregate        2400       20000  20000
filter ipv6        vrrpv6 aggregate       2500       20000  20000
filter ipv6        telnetv6 aggregate     2600       20000  20000
filter ipv6        ftpv6 aggregate        2700       20000  20000
filter ipv6        sshv6 aggregate        2800       20000  20000
filter ipv6        snmpv6 aggregate       2900       20000  20000
filter ipv6        ancpv6 aggregate       2a00       20000  20000
filter ipv6        ospfv3v6 aggregate     2b00       20000  20000
filter ipv4        tcp-flags unclass..    4801       20000  20000
filter ipv4        tcp-flags initial      4802       20000  20000
filter ipv4        tcp-flags establish    4803       20000  20000
filter ipv4        dtcp aggregate         4900       20000  20000
filter ipv4        radius server          4a02       20000  20000
filter ipv4        radius account..       4a03       20000  20000
filter ipv4        radius auth..          4a04       20000  20000
filter ipv4        ntp aggregate          4b00       20000  20000
filter ipv4        tacacs aggregate       4c00       20000  20000
filter ipv4        dns aggregate          4d00       20000  20000
filter ipv4        diameter aggregate     4e00       20000  20000
filter ipv4        ip-frag first-frag     4f02       20000  20000
filter ipv4        ip-frag trail-frag     4f03       20000  20000
filter ipv4        l2tp aggregate         5000       20000  20000
filter ipv4        gre aggregate          5100       20000  20000
filter ipv4        ipsec aggregate        5200       20000  20000
filter ipv6        pimv6 aggregate        5300       20000  20000
filter ipv6        icmpv6 aggregate       5400       20000  20000
filter ipv6        ndpv6 aggregate        5500       20000  20000
filter ipv4        amtv4 aggregate        5f00       20000  20000
filter ipv6        amtv6 aggregate        6000       20000  20000
option rt-alert    ip-opt rt-alert        3d02       20000  20000
option unclass     ip-opt unclass..       3d01       10000  10000
Here, the violation report message is one of the notifications to the PPC. Hence, it is also rate limited, to 100 pps by default.
#define DDOS_VIOL_REPORT_RATE 100 /* 100 reports/sec */
# show ddos asic nexthops
[LU:Prot:Idx]:  policer-nh        ddos-nh          p-result
[-----------]:  ----------        -------          ------- ---- -------
[ 0:----:ind]:  c004017e078c0001  e0145f000010000  4817d180  c0f278  802f viol-report
[ 0:   0:  0]:  c0040096078c1001                0  4817d130  c0f270
Let's trace some of the nexthops here to explain how the policers are associated with each other.
code PUNT name              group proto            idx  q#  bwidth  burst
---- --------------------   --------- ------
   1 PUNT_TTL               ttl aggregate                     2000  10000

[LU:Prot:Idx]:  policer-nh        ddos-nh          p-result
[-----------]:  ----------        -------          ------- ---- -------
[ 0:3c00:122]:  c03c106607a21001  e01454000010000  4c3ea878  c0f610  7820c punt
If we check the policer nexthop for this type, here is the policer configuration.
# show jnh 0 decode 0xc03c106607a21001
PolicerISSU_NH: Absolute Caddr = 0xc0f442, nextNH = 0x7820c, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f442
Addr:0xc0f442, Data = 0xa3d0000047c00000
% bits 13 20 2 3 4 22
0xa3d0000047c00000
Wid  13  20  22
Hex  147a
Dec  5242  15
This is a policer with rate = 5242 * 1562.5 = 8,190,625 bps. On the LU chip, the packet policer uses a fixed packet size (512
bytes); hence that becomes 2000 pps, which matches the policer configuration.
#define PKT_BASED_POLICER_PKT_SIZE (512)
Furthermore, if we check the ddos-nh, it is actually pointing to another policer configuration.
NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xe01454000010000
CallNH:desc_ptr:0xc028a8, mode=0, rst_stk=0x0, count=0x1
0xc028a6
0 : 0x42f07fffff800f50
0xc028a7
1 : 0xdaf060208180c810
0 : 0x42f07fffff800010
0xc0423e
1 : 0xc0040096078c1001
0xc0423f
2 : 0x127fffffe00003f8
Wid  13  20  22
Bin  1000000000000 00000000000000000000 10 101 1111 0000000000000000000000
Hex  1000
Dec  4096  15
The above policer is programmed with a rate of 4096 * 25000 bps, which at the fixed 512-byte packet size is 25000 pps. That's
the host-path policer, which polices the aggregated traffic from some protocols to the host.
NPC2(Dokinchan-re0 vty)# show ddos policer configuration all
DDOS Policer Configuration:

                                       UKERN-Config    PFE-Config
 idx prot  group      proto      on Pri  rate burst    rate burst
   0       host-path  aggregate  Y  --    ---   ---   25000 25000

[LU:Prot:Idx]:  policer-nh        ddos-nh          p-result
[-----------]:  ----------        -------          ------- ---- -------
[ 0:   0:  0]:  c0040096078c1001                0  4817d130  c0f270
This aggregated policer also applies to multiple protocols, for example PUNT_REDIRECT, PUNT_REJECT,
PUNT_REJECT_FW, PUNT_RESOLVE, etc.
PUNT codes directly mapped to DDOS proto:
code PUNT name              group proto            idx  q#  bwidth  burst
---- --------------------   --------- ------
   3 PUNT_REDIRECT          redirect aggregate    3e00        2000  10000
  40 PUNT_REJECT            reject aggregate      4600        2000  10000
  33 PUNT_RESOLVE

[LU:Prot:Idx]:  policer-nh        ddos-nh          p-result
[-----------]:  ----------        -------          ------- ---- -------
[ 0:3e00:127]:  c03c108e07b7f001  e01455000010000  4c3ea620  c0f700  78211 punt
[ 0:4600:142]:  c03c111607b79001  e02ea1000010000  4c3e9f18  c0f738  78222 punt
PUNT_REDIRECT
NPC2(Dokinchan-re0 vty)#
PolicerISSU_NH: Absolute Caddr = 0xc0f6fe, nextNH = 0x78211, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
NPC2(Dokinchan-re0 vty)#
0xa3d0000047c00000
Wid  13  20  22
Hex  147a
Dec  5242  15
0 : 0x42f07fffff800ff0
0xc028a9
1 : 0xdaf060208180c810
0 : 0x42f07fffff800010
0xc0423e
1 : 0xc0040096078c1001
0xc0423f
2 : 0x127fffffe00003f8
PUNT_REJECT
NPC2(Dokinchan-re0 vty)#
PolicerISSU_NH: Absolute Caddr = 0xc0f6f2, nextNH = 0x78222, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
NPC2(Dokinchan-re0 vty)#
13
20
22
147a
4af68
34db1e
Dec
5242
307048
15
3463966
0 : 0x42f07fffff8011d0
0xc05d41
1 : 0xdaf060208180c810
0 : 0x42f07fffff800010
0xc0423e
1 : 0xc0040096078c1001
0xc0423f
2 : 0x127fffffe00003f8
PUNT_RESOLVE
NPC2(Dokinchan-re0 vty)# show jnh 0 exceptions terse
Reason                             Type         Packets      Bytes
==================================================================
Routing
----------------------
resolve route                      PUNT(33)     7199596  460774144
0xc04817
0 : 0x127fffffe00003fe
0xc04818
1 : 0x2ffffffe07ca8200
0xc04819
2 : 0xda00602d26800b04
0xc0481a
3 : 0xda00602d20800b04
0xc0481b
4 : 0xdaf060208180c810
0 : 0x42f07fffff800010
0xc0423e
1 : 0xc0040096078c1001
0xc0423f
2 : 0x127fffffe00003f8
group
proto on Pri
UKERN-Config
PFE-Config
rate burst
rate burst
115 3800
mlp
aggregate
Y Lo
2000 10000
116 3801
mlp
unclass..
Y Lo
2000 10000
2000 10000
---
117 3802
mlp
packets
Y Lo
2000 10000
2000 10000
118 3803
mlp
aging-exc
Y Lo
2000 10000
---
---
---
code PUNT name              group proto            idx  q#  bwidth  burst
---- --------------------   --------- ------
  11 PUNT_MLP               mlp packets                       2000  10000

[LU:Prot:Idx]:  policer-nh        ddos-nh          p-result
[-----------]:  ----------        -------          ------- ---- -------
[ 0:3802:117]:  c03c11ce07a1a001  e02eb9000010000  4c3eaad0  c0f650  78239 subtype
Wid  13  20  22
Hex  147a
Dec  5242  15
Policer Rate = 5242 * 1562.5 / 512 bytes = 2000 pps. Next it hits the DDOS-nh, which points to the host-path PFE policer.
NPC2(Dokinchan-re0 vty)# show jnh 0 decode e02eb9000010000
CallNH:desc_ptr:0xc05d72, mode=0, rst_stk=0x0, count=0x1
0xc05d70
0 : 0x42f07fffff800eb0
0xc05d71
1 : 0xdaf060208180c810
0 : 0x42f07fffff800010
0xc0423e
1 : 0xc0040096078c1001
0xc0423f
2 : 0x127fffffe00003f8
   2 PUNT_OPTIONS            |
   4 PUNT_CONTROL            |
   6 PUNT_HOST_COPY          |
  11 PUNT_MLP                |---------------+
  32 PUNT_PROTOCOL           |               |
  33 PUNT_RESOLVE            |               |
  34 PUNT_RECEIVE            |               |
  36 PUNT_REJECT_FW          |               |
  54 PUNT_SEND_TO_HOST_FW    |               |
  69 PUNT_RESOLVE_V6         |               |
                                             |
-----------------------------------------------------------------
type   subtype     group proto             idx  q#  bwidth  burst
------ ----------  ---------- ----------
contrl LACP        lacp aggregate         2c00       20000  20000
contrl STP         stp aggregate          2d00       20000  20000
contrl ESMC        esmc aggregate         2e00       20000  20000
contrl OAM_LFM     oam-lfm aggregate      2f00       20000  20000
contrl EOAM        eoam aggregate         3000       20000  20000
contrl LLDP        lldp aggregate         3100       20000  20000
contrl MVRP        mvrp aggregate         3200       20000  20000
contrl PMVRP       pmvrp aggregate        3300       20000  20000
contrl ARP         arp aggregate          3400       20000  20000
contrl PVSTP       pvstp aggregate        3500       20000  20000
contrl ISIS        isis aggregate         3600       20000  20000
contrl POS         pos aggregate          3700       20000  20000
contrl MLP         mlp packets            3802        2000  10000
contrl JFM         jfm aggregate          3900       20000  20000
contrl ATM         atm aggregate          3a00       20000  20000
contrl PFE_ALIVE   pfe-alive aggregate    3b00       20000  20000
[LU:Prot:Idx]:  policer-nh        ddos-nh          p-result
[-----------]:  ----------        -------          ------- ---- -------
[ 0:2c00:103]:  c03c0f2e07a2a001                0  4c3eb160  c0f5d0  781e5 subtype
[ 0:2d00:104]:  c03c0ebe07a29001                0  4c3eb0e8  c0f598  781d7 subtype

                                   UKERN-Config    PFE-Config
 idx prot  group  proto      on Pri  rate burst    rate burst
 103 2c00  lacp   aggregate  Y  Hi  20000 20000   20000 20000
 104 2d00  stp    aggregate  Y  Hi  20000 20000   20000 20000
NPC2(Dokinchan-re0 vty)#
LACP
NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c0f2e07a2a001
PolicerISSU_NH: Absolute Caddr = 0xc0f454, nextNH = 0x781e5, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
Wid  13  20  22
Hex  1999
Dec  6553  15
STP
NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c0ebe07a29001
PolicerISSU_NH: Absolute Caddr = 0xc0f452, nextNH = 0x781d7, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f452
Addr:0xc0f452, Data = 0xccc8000053c00000
NPC2(Dokinchan-re0 vty)#
svl-jtac-tool02% bits 13 20 2 3 4 22
0xccc8000053c00000
Wid  13  20  22
Hex  1999
Dec  6553  15
---- ------------
   2 PUNT_OPTIONS            |
   4 PUNT_CONTROL            |
   6 PUNT_HOST_COPY          |
  11 PUNT_MLP                |---------------+
  32 PUNT_PROTOCOL           |               |
  33 PUNT_RESOLVE            |               |
  34 PUNT_RECEIVE            |               |
  36 PUNT_REJECT_FW          |               |
  54 PUNT_SEND_TO_HOST_FW    |               |
  69 PUNT_RESOLVE_V6         |               |
                                             |
-----------------------------------------------------------------
type   subtype     group proto             idx  q#  bwidth  burst
------ ----------  ---------- ----------
filter ipv4        dhcpv4 aggregate        600        5000   5000
filter ipv6        dhcpv6 aggregate        700        5000   5000
filter ipv4        icmp aggregate          900       20000  20000
filter ipv4        igmp aggregate          a00       20000  20000
filter ipv4        ospf aggregate          b00       20000  20000
filter ipv4        rsvp aggregate          c00       20000  20000
filter ipv4        pim aggregate           d00       20000  20000
filter ipv4        rip aggregate           e00       20000  20000
filter ipv4        ptp aggregate           f00       20000  20000
filter ipv4        bfd aggregate          1000       20000  20000
filter ipv4        lmp aggregate          1100       20000  20000
filter ipv4        ldp aggregate          1200       20000  20000
filter ipv4        msdp aggregate         1300       20000  20000
filter ipv4        bgp aggregate          1400       20000  20000
filter ipv4        vrrp aggregate         1500       20000  20000
filter ipv4        telnet aggregate       1600       20000  20000
filter ipv4        ftp aggregate          1700       20000  20000
filter ipv4        ssh aggregate          1800       20000  20000
filter ipv4        snmp aggregate         1900       20000  20000
filter ipv4        ancp aggregate         1a00       20000  20000
filter ipv6        igmpv6 aggregate       1b00       20000  20000
filter ipv6        egpv6 aggregate        1c00       20000  20000
filter ipv6        rsvpv6 aggregate       1d00       20000  20000
filter ipv6        igmpv4v6 aggregate     1e00       20000  20000
filter ipv6        ripv6 aggregate        1f00       20000  20000
filter ipv6        bfdv6 aggregate        2000       20000  20000
filter ipv6        lmpv6 aggregate        2100       20000  20000
filter ipv6        ldpv6 aggregate        2200       20000  20000
filter ipv6        msdpv6 aggregate       2300       20000  20000
filter ipv6        bgpv6 aggregate        2400       20000  20000
filter ipv6        vrrpv6 aggregate       2500       20000  20000
filter ipv6        telnetv6 aggregate     2600       20000  20000
filter ipv6        ftpv6 aggregate        2700       20000  20000
filter ipv6        sshv6 aggregate        2800       20000  20000
filter ipv6        snmpv6 aggregate       2900       20000  20000
filter ipv6        ancpv6 aggregate       2a00       20000  20000
filter ipv6        ospfv3v6 aggregate     2b00       20000  20000
filter ipv4        tcp-flags unclass..    4801       20000  20000
filter ipv4        tcp-flags initial      4802       20000  20000
filter ipv4        tcp-flags establish    4803       20000  20000
filter ipv4        dtcp aggregate         4900       20000  20000
filter ipv4        radius server          4a02       20000  20000
filter ipv4        radius account..       4a03       20000  20000
filter ipv4        radius auth..          4a04       20000  20000
filter ipv4        ntp aggregate          4b00       20000  20000
filter ipv4        tacacs aggregate       4c00       20000  20000
filter ipv4        dns aggregate          4d00       20000  20000
filter ipv4        diameter aggregate     4e00       20000  20000
filter ipv4        ip-frag first-frag     4f02       20000  20000
filter ipv4        ip-frag trail-frag     4f03       20000  20000
filter ipv4        l2tp aggregate         5000       20000  20000
filter ipv4        gre aggregate          5100       20000  20000
filter ipv4        ipsec aggregate        5200       20000  20000
filter ipv6        pimv6 aggregate        5300       20000  20000
filter ipv6        icmpv6 aggregate       5400       20000  20000
filter ipv6        ndpv6 aggregate        5500       20000  20000
filter ipv4        amtv4 aggregate        5f00       20000  20000
filter ipv6        amtv6 aggregate        6000       20000  20000
Take OSPF as an example. As with the L2 control traffic, the only policer applied to it is the OSPF one. Once the packet
passes this policer, it is sent to the host queue.
[LU:Prot:Idx]:  policer-nh        ddos-nh          p-result
[-----------]:  ----------        -------          ------- ---- -------
[ 0: b00: 70]:  c03c0d2e07a3a001                0  4c3de090  c0f498

Wid  13  20  22
Hex  1999
Dec  6553  15
   4 PUNT_CONTROL            |
   6 PUNT_HOST_COPY          |
  11 PUNT_MLP                |---------------+
  32 PUNT_PROTOCOL           |               |
  33 PUNT_RESOLVE            |               |
  34 PUNT_RECEIVE            |               |
  36 PUNT_REJECT_FW          |               |
  54 PUNT_SEND_TO_HOST_FW    |               |
  69 PUNT_RESOLVE_V6         |               |
                                             |
-----------------------------------------------------------------
type   subtype     group proto             idx  q#  bwidth  burst
------ ----------  ---------- ----------
option rt-alert    ip-opt rt-alert        3d02       20000  20000
option unclass     ip-opt unclass..       3d01       10000  10000
[LU:Prot:Idx]:  policer-nh        ddos-nh          p-result
[-----------]:  ----------        -------          ------- ---- -------
[ 0:3d01:124]:  c03c119607a1f001                0  4c3ea788  c0f618  78232 punt
[ 0:3d02:125]:  c03c118e07a1d001                0  4c3ea710  c0f628  78231 punt

Wid  13  20  22
Hex  1999
Dec  6553  15
NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c118e07a1d001
PolicerISSU_NH: Absolute Caddr = 0xc0f43a, nextNH = 0x78231, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f43a
Addr:0xc0f43a, Data = 0xccc8000053c00000
0xccc8000053c00000
Wid  13  20  22
Hex  1999
Dec  6553  15
PUNT( 2)
121976
22902560
0 : 0x127fffffe00003fc
0xc05cf7
1 : 0x2ffffffe07caca00
0xc05cf8
2 : 0xda00602e41000a04
0xc05cf9
3 : 0xda00602d19800a04
0xc05cfa
4 : 0xda00602e47000a04
0xc05cfb
5 : 0xdaf060208080c010
0xdaf060208080c010
0x0e02102000020000
0 : 0x42f07fffff800010
0xc04202
1 : 0xc0040096078fe001
0xc04203
2 : 0x127fffffe00003f8
0xc0040096078fe001
PolicerISSU_NH: Absolute Caddr = 0xc0f1fc, nextNH = 0x8012, , type:0, color=0, op=0 use_layer3_len = 0x0, num_nh
= 0x0
DDOS Policer Configuration:
idx prot
---
group
proto on Pri
UKERN-Config
PFE-Config
rate burst
rate burst
123 3d00
ip-opt
aggregate
Y Hi
20000 20000
124 3d01
ip-opt
unclass..
Y Lo
10000 10000
---
---
125 3d02
ip-opt
rt-alert
Y Hi
20000 20000
20000 20000
126 3d03
ip-opt
non-v4v6
Y Lo
10000 10000
10000 10000
10000 10000
For example, this is the case for OSPF, as we can't (don't need to?) parse it into different types like Hello, LSA request, etc.
NPC2(Dokinchan-re0 vty)# show ddos policer configuration ospf
DDOS Policer Configuration:

                                   UKERN-Config    PFE-Config
 idx prot  group  proto      on Pri  rate burst    rate burst
  70       ospf   aggregate  Y  Hi  20000 20000   20000 20000
NPC2(Dokinchan-re0 vty)#
DISC(21)
DISC(22)
Packets of these types go through the hbc policer.
NPC2(Dokinchan-re0 vty)# show jnh 0 exceptions nh 21 discard
Nexthop Chain:
CallNH:desc_ptr:0xc05c48, mode=0, rst_stk=0x0, count=0x3
0xc05c44
0 : 0x2ffffffe07caba00
0xc05c45
1 : 0xc03c152607cb9001
0xc05c46
2 : 0x127fffffe00003fe
0xc05c47
3 : 0x260081d80000000c
0 : 0x2ffffff800014600
0xc05c49
1 : 0xc03c152607cb9001
0xc05c4a
2 : 0x127fffffe00003fe
0xc05c4b
3 : 0x260081d80000000c
0x4C3F2360
0
Aggregate IPv6 policer packet drops: 0
Aggregate IPv6 policer byte drops: 0
NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xC03C152607CB9001
PolicerISSU_NH: Absolute Caddr = 0xc0f972, nextNH = 0x782a4, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f972
Addr:0xc0f972, Data = 0x29f0000043c00000
NPC2(Dokinchan-re0 vty)#
0x29f0000043c00000
Wid
13
20
22
53e
Dec
1342
15
Rate = 1342 * 781.25 ~= 1 Mbps. This is implemented as a packet-based policer as well, which is = 256 pps.
The following table lists the ASIC policer(s) applied to each host-bound packet type.
Group                 Protocol              DDOS Protocol ID  DDOS Index  Protocol Policer
host-path             aggregate             0x0                           ---               Yes
ipv4-unclassified     aggregate             0x100                         Yes               No
ipv6-unclassified     aggregate             0x200                         Yes               No
dynamic vlan          aggregate             0x300                         Yes
ppp                   aggregate             0x400                         ---               Yes
ppp                   unclassified          0x401                         Yes
ppp                   lcp                   0x402                         Yes
ppp                   auth                  0x403                         Yes
ppp                   ipcp                  0x404                         Yes
ppp                   ipv6cp                0x405                         Yes
ppp                   mplscp                0x406             10          Yes
ppp                   isis                  0x407             11          Yes
ppp                   echo-req              0x408             12          Yes
ppp                   echo-reply            0x409             13          Yes
ppp                   mlppp-lcp             0x40a             14          Yes
pppoe                 aggregate             0x500             15          Yes               No
pppoe                 unclassified          0x501             16          DROP              ---
pppoe                 padi                  0x502             17          Yes
pppoe                 pado                  0x503             18          DROP              ---
pppoe                 padr                  0x504             19          Yes
pppoe                 pads                  0x505             20          DROP              ---
pppoe                 padt                  0x506             21          Yes
pppoe                 padm                  0x507             22          DROP              ---
pppoe                 padn                  0x508             23          DROP              ---
dhcpv4                aggregate             0x600             24          Yes               No
dhcpv4                unclassified          0x601             25          Yes               No
dhcpv4                discover              0x602             26          Yes               No
dhcpv4                offer                 0x603             27          Yes               No
dhcpv4                request               0x604             28          Yes               No
dhcpv4                decline               0x605             29          Yes               No
dhcpv4                ack                   0x606             30          Yes               No
dhcpv4                nak                   0x607             31          Yes               No
dhcpv4                release               0x608             32          Yes               No
dhcpv4                inform                0x609             33          Yes               No
dhcpv4                renew                 0x60a             34          Yes               No
dhcpv4                force-renew           0x60b             35          Yes               No
dhcpv4                lease-query           0x60c             36          Yes               No
dhcpv4                lease-unassigned      0x60d             37          Yes               No
dhcpv4                lease-unknown         0x60e             38          Yes               No
dhcpv4                lease-active          0x60f             39          Yes               No
dhcpv4                bootp                 0x610             40          Yes               No
dhcpv4                no-message-type       0x611             41          Yes               No
dhcpv4                bad-packet            0x612             42          DROP              ---
dhcpv6                aggregate             0x700             43          Yes               No
dhcpv6                unclassified          0x701             44          Yes               No
dhcpv6                solicit               0x702             45          Yes               No
dhcpv6                advertise             0x703             46          Yes               No
dhcpv6                request               0x704             47          Yes               No
dhcpv6                confirm               0x705             48          Yes               No
dhcpv6                renew                 0x706             49          Yes               No
dhcpv6                rebind                0x707             50          Yes               No
dhcpv6                reply                 0x708             51          Yes               No
dhcpv6                release               0x709             52          Yes               No
dhcpv6                decline               0x70a             53          Yes               No
dhcpv6                reconfigure           0x70b             54          Yes               No
dhcpv6                information-request   0x70c             55          Yes               No
dhcpv6                relay-forward         0x70d             56          Yes               No
dhcpv6                relay-reply           0x70e             57          Yes               No
dhcpv6                lease-query           0x70f             58          Yes               No
dhcpv6                lease-query-reply     0x710             59          Yes               No
dhcpv6                lease-query-done      0x711             60          Yes               No
dhcpv6                lease-query-data      0x712             61          Yes               No
vchassis              aggregate             0x800             62          Yes               No
vchassis              unclassified          0x801             63          DROP              ---
vchassis              control-highpriority  0x802             64          Yes
vchassis              control-lowpriority   0x803             65          Yes
vchassis              vc-packets            0x804             66          Yes               No
vchassis              vc-ttl-errors         0x805             67          Yes
icmp                  aggregate             0x900             68          Yes               No
igmp                  aggregate             0xa00             69          Yes               No
ospf                  aggregate             0xb00             70          Yes               No
rsvp                  aggregate             0xc00             71          Yes               No
pim                   aggregate             0xd00             72          Yes               No
rip                   aggregate             0xe00             73          Yes               No
ptp                   aggregate             0xf00             74          Yes               No
bfd                   aggregate             0x1000            75          Yes               No
lmp                   aggregate             0x1100            76          Yes               No
ldp                   aggregate             0x1200            77          Yes               No
msdp                  aggregate             0x1300            78          Yes               No
bgp                   aggregate             0x1400            79          Yes               No
vrrp                  aggregate             0x1500            80          Yes               No
telnet                aggregate             0x1600            81          Yes               No
ftp                   aggregate             0x1700            82          Yes               No
ssh                   aggregate             0x1800            83          Yes               No
snmp                  aggregate             0x1900            84          Yes               No
ancp                  aggregate             0x1a00            85          Yes               No
igmpv6                aggregate             0x1b00            86          Yes               No
egpv6                 aggregate             0x1c00            87          Yes               No
rsvpv6                aggregate             0x1d00            88          Yes               No
igmpv4v6              aggregate             0x1e00            89          Yes               No
ripv6                 aggregate             0x1f00            90          Yes               No
bfdv6                 aggregate             0x2000            91          Yes               No
lmpv6                 aggregate             0x2100            92          Yes               No
ldpv6                 aggregate             0x2200            93          Yes               No
msdpv6                aggregate             0x2300            94          Yes               No
bgpv6                 aggregate             0x2400            95          Yes               No
vrrpv6                aggregate             0x2500            96          Yes               No
telnetv6              aggregate             0x2600            97          Yes               No
ftpv6                 aggregate             0x2700            98          Yes               No
sshv6                 aggregate             0x2800            99          Yes               No
snmpv6                aggregate             0x2900            100         Yes               No
ancpv6                aggregate             0x2a00            101         Yes               No
ospfv3v6              aggregate             0x2b00            102         Yes               No
lacp                  aggregate             0x2c00            103         Yes               No
stp                   aggregate             0x2d00            104         Yes               No
esmc                  aggregate             0x2e00            105         Yes               No
oam-lfm               aggregate             0x2f00            106         Yes               No
eoam                  aggregate             0x3000            107         Yes               No
lldp                  aggregate             0x3100            108         Yes               No
mvrp                  aggregate             0x3200            109         Yes               No
pmvrp                 aggregate             0x3300            110         Yes               No
arp                   aggregate             0x3400            111         Yes               No
pvstp                 aggregate             0x3500            112         Yes               No
isis                  aggregate             0x3600            113         Yes               No
pos                   aggregate             0x3700            114         Yes               No
mlp                   aggregate             0x3800            115         Yes               No
mlp                   unclassified          0x3801            116         Yes               No
mlp                   packets               0x3802            117         Yes
mlp                   aging-exception       0x3803            118         Yes               No
jfm                   aggregate             0x3900            119         Yes               No
atm                   aggregate             0x3a00            120         Yes               No
pfe-alive             aggregate             0x3b00            121         Yes               No
ttl                   aggregate             0x3c00            122         Yes
ip-opt                aggregate             0x3d00            123         Yes               No
ip-opt                unclassified          0x3d01            124         Yes               No
ip-opt                rt-alert              0x3d02            125         Yes               No
ip-opt                non-v4v6              0x3d03            126         Yes               No
redirect              aggregate             0x3e00            127         Yes
control               aggregate             0x3f00            128         Yes               No
mcast-copy            aggregate             0x4000            129         Yes               No
mac-host              aggregate             0x4100            130         Yes
tunnel-fragment       aggregate             0x4200            131         Yes
mcast-snoop           aggregate             0x4300            132         Yes               No
mcast-snoop           unclassified          0x4301            133         DROP              ---
mcast-snoop           igmp                  0x4302            134         Yes
mcast-snoop           pim                   0x4303            135         Yes
mcast-snoop           mld                   0x4304            136         Yes               No
services              aggregate             0x4400            137         Yes               No
services              unclassified          0x4401            138         Yes               No
services              packet                0x4402            139         Yes
services              BSDT                  0x4403            140         Yes
demuxauto             aggregate             0x4500            141         Yes
reject                aggregate             0x4600            142         Yes
fw-host               aggregate             0x4700            143         Yes               No
tcp-flags             aggregate             0x4800            144         Yes               No
tcp-flags             unclassified          0x4801            145         Yes               No
tcp-flags             initial               0x4802            146         Yes               No
tcp-flags             establish             0x4803            147         Yes               No
dtcp                  aggregate             0x4900            148         Yes               No
radius                aggregate             0x4a00            149         Yes               No
radius                unclassified          0x4a01            150         Yes               No
radius                server                0x4a02            151         Yes               No
radius                accounting traffic    0x4a03            152         Yes               No
radius                auth                  0x4a04            153         Yes               No
ntp                   aggregate             0x4b00            154         Yes               No
tacacs                aggregate             0x4c00            155         Yes               No
dns                   aggregate             0x4d00            156         Yes               No
diameter              aggregate             0x4e00            157         Yes               No
ip-fragment           aggregate             0x4f00            158         Yes               No
ip-fragment           unclassified          0x4f01            159         Yes               No
ip-fragment           first-fragment        0x4f02            160         Yes               No
ip-fragment           trail-fragment        0x4f03            161         Yes               No
l2tp                  aggregate             0x5000            162         Yes               No
gre                   aggregate             0x5100            163         Yes               No
ipsec                 aggregate             0x5200            164         Yes               No
pimv6                 aggregate             0x5300            165         Yes               No
icmpv6                aggregate             0x5400            166         Yes               No
ndpv6                 aggregate             0x5500            167         Yes               No
sample                aggregate             0x5600            168         Yes               No
sample                unclassified          0x5601            169         DROP              ---
sample                syslog                0x5602            170         Yes               No
sample                host                  0x5603            171         Yes               No
sample                pfe                   0x5604            172         Yes               No
sample                tap                   0x5605            173         Yes               No
sample                sflow                 0x5606            174         Yes               No
fab-out-probe-packet  aggregate             0x5700            175         Yes               No
unclassified          aggregate             0x5800            176         Yes               No
unclassified          other                 0x5801            177         Yes               No
unclassified          resolve-v4            0x5802            178         Yes               No
unclassified          resolve-v6            0x5803            179         Yes               No
unclassified          control-v4            0x5804            180         Yes               No
unclassified          control-v6            0x5805            181         Yes               No
unclassified          host-route-v4         0x5806            182         Yes               No
unclassified          host-route-v6         0x5807            183         Yes               No
unclassified          filter-v4             0x5808            184         Yes               No
unclassified          filter-v6             0x5809            185         Yes               No
unclassified          control-l2            0x580a            186         Yes               No
unclassified          fw-host               0x580b            187         Yes               No
unclassified          mcast-copy            0x580c            188         Yes               No
rejectv6              aggregate             0x5900            189         Yes
l2pt                  aggregate             0x5a00            190         Yes
keepalive             aggregate             0x5b00            191         Yes
inline-ka             aggregate             0x5c00            192         Yes
inline-services       aggregate             0x5d00            193         Yes
frame-relay           aggregate             0x5e00            194         Yes               No
frame-relay           unclassified          0x5e01            195         DROP              ---
frame-relay           frf15                 0x5e02            196         Yes
frame-relay           frf16                 0x5e03            197         Yes
amtv4                 aggregate             0x5f00            198         Yes               No
amtv6                 aggregate             0x6000            199         Yes               No
= CAT_ROUTING,
.e_code  = PACKET_PUNT_RESOLVE,
.e_name  = "resolve route",
.e_type  = PUNT,
.e_nh    = CNT,
.e_queue = Q_OTHER_ERRS,
.e_help
The following table lists the host queue used for packets hitting the exception ucode.
Host queue                  Protocols
Q0 (Q_L3_LO)                PACKET_PUNT_RECEIVE(34), PACKET_PUNT_PROTOCOL(32),
                            PACKET_PUNT_REDIRECT(3), PACKET_PUNT_SERVICES(38),
                            PACKET_PUNT_DEMUXAUTOSENSE(39),
                            PACKET_PUNT_TUNNEL_FRAGMENT(8)
Q1 (Q_L3_HI)                PACKET_PUNT_LU_NOTIF(17),
                            PACKET_PUNT_SEND_TO_HOST_SVCS(70)
Q2 (Q_L2_LO)                PACKET_PUNT_L2PT_ERROR(14),
                            PACKET_PUNT_HOST_COPY(6),
                            PACKET_PUNT_AUTOSENSE(35),
                            PACKET_PUNT_MAC_FWD_TYPE_HOST(7),
                            PACKET_PUNT_PPPOE_PADI(45),
                            PACKET_PUNT_PPPOE_PADR(46),
                            PACKET_PUNT_PPPOE_PADT(47),
                            PACKET_PUNT_PPP_LCP(48),
                            PACKET_PUNT_LCP_ECHO_REQ(60),
                            PACKET_PUNT_LCP_ECHO_REP(63),
                            PACKET_PUNT_PPP_AUTH(49),
                            PACKET_PUNT_PPP_IPV4CP(50),
                            PACKET_PUNT_PPP_IPV6CP(51),
                            PACKET_PUNT_PPP_MPLSCP(52),
                            PACKET_PUNT_PPP_ISIS(57), PACKET_PUNT_MLPPP_LCP(64),
                            PACKET_PUNT_PPP_UNCLASSIFIED_CP(53),
                            PACKET_PUNT_SEND_TO_HOST_FW(54),
                            PACKET_PUNT_SEND_TO_HOST_FW_INLINE_SVCS(59),
                            PACKET_PUNT_MLP(11), PACKET_PUNT_MLFR_CONTROL(65),
                            PACKET_PUNT_MFR_CONTROL(66)
Q3 (Q_L2_HI)                PACKET_PUNT_CONTROL(4), PACKET_PUNT_VC_HI(55),
                            PACKET_PUNT_KEEPALIVE(58), PACKET_PUNT_INLINE_KA(61),
                            PACKET_PUNT_DDOS_POLICER_VIOL(15)
Q4 (Q_OPTN)                 PACKET_PUNT_OPTIONS(2), PACKET_PUNT_IGMP_SNOOP(12),
                            PACKET_PUNT_PIM_SNOOP(18),
                            PACKET_PUNT_MLD_SNOOP(19), PACKET_PUNT_VC_LO(56),
                            PACKET_PUNT_VC_TTL_ERROR(13)
Q5 (Q_IIF_MMTCH_TTL_EXPR)   PACKET_PUNT_TTL(1)
Q6 (Q_OTHER_ERRS)           PACKET_PUNT_REJECT_FW(36), PACKET_PUNT_REJECT(40),
                            PACKET_PUNT_REJECT_V6(48), PACKET_PUNT_RESOLVE(33),
                            PACKET_PUNT_RESOLVE_V6(69),
                            PACKET_ERR_FRAG_NEED_DF_SET,
                            PACKET_ERR_MTU_EXCEEDED,
                            PACKET_ERR_ENUM_CHK_MISMATCH (IIF mismatch)
Q7 (Q_SAMPLE)               PACKET_PUNT_SAMPLE_SYSLOG(41),
                            PACKET_PUNT_SAMPLE_HOST(42),
                            PACKET_PUNT_SAMPLE_PFE(43),
                            PACKET_PUNT_SAMPLE_TAP(44),
                            PACKET_PUNT_SAMPLE_SFLOW(71),
                            PACKET_PUNT_FAB_OUT_PROBE_PKT(5)
For the exception traffic hitting the HBC policer, it's the discard exception type with TRKL tagged.
Furthermore, DDOS will classify the packets and apply the corresponding policer before sending them to the host via the MQ host-bound queue. There are 8 host-bound queues (i.e. MQchip Qsys 0 queue 1016-1023), and each of them carries different types of traffic.
// Host bound queue offsets
#define Q_HOST_L3_LO_OFF
#define Q_HOST_L3_HI_OFF
#define Q_HOST_L2_LO_OFF
#define Q_HOST_L2_HI_OFF
#define Q_HOST_OPTN_OFF
#define Q_HOST_IIF_MMTCH_TTL_EXPR_OFF
#define Q_HOST_OTHER_ERRS_OFF
#define Q_HOST_SAMPLE_OFF
typedef enum {
    Q_L3_LO              = Q_HOST_L3_LO_OFF,
    Q_L3_HI              = Q_HOST_L3_HI_OFF,
    Q_L2_LO              = Q_HOST_L2_LO_OFF,
    Q_L2_HI              = Q_HOST_L2_HI_OFF,
    Q_OPTN               = Q_HOST_OPTN_OFF,
    Q_IIF_MMTCH_TTL_EXPR = Q_HOST_IIF_MMTCH_TTL_EXPR_OFF,
    Q_OTHER_ERRS         = Q_HOST_OTHER_ERRS_OFF,
    Q_SAMPLE             = Q_HOST_SAMPLE_OFF
} hostbound_q_t;
The following provides a mapping between protocol packets and the host-bound queue being used.
src/pfe/common/pfe-arch/trinity/tooklits/jnh_app/jnh_ddos.c - jnh_ddos_setup_asic_proto_id_maps()
The following table lists the mapping between protocols and the host-bound queue used after classification and policing. For example, once an IP option packet hits the PACKET_PUNT_OPTIONS exception, this PUNT goes through the HBC and is classified as either the router-alert option (IP_OPT_RT_ALERT Q1) or other (IP_OPT_UNCLS Q4) protocol, and is then assigned to the correct host-bound queue.
Host queue                  Protocols
Q0 (Q_L3_LO)
Q1 (Q_L3_HI)                IGMP, OSPF, RSVP, PIM, RIP, PTP, BFD, LMP, LDP, MSDP, VRRP,
                            ANCP, IGMPV6, EGPV6, RSVPV6, PIMV6, IGMPV4V6, RIPV6,
                            BFDV6, LMPV6, LDPV6, MSDPV6, VRRPV6, ANCPV6, OSPFV3V6,
                            SEND_TO_HOST_SVCS, ISIS, IP_OPT_RT_ALERT
Q2 (Q_L2_LO)
Q3 (Q_L2_HI)
Q4 (Q_OPTN)
Q5 (Q_IIF_MMTCH_TTL_EXPR)   TTL
Q6 (Q_OTHER_ERRS)           REJECT, REJECT_V6,
Q7 (Q_SAMPLE)
uKern Level
After each PFE has policed the host-bound traffic, the traffic hits the uKern on the FPC, and the aggregated traffic might be policed again according to the DDOS policer configuration. The policer implementation on the uKern is a simple token bucket algorithm: the policer rate is a per-packet rate and the burst is the maximum number of accumulated credits.
Take IP option packets as an example. After each PFE applies a policer to police the corresponding optioned packets, when the traffic from all PFEs hits the uKern, the corresponding protocol policer polices all the traffic again. As a result, the packets have to go through another round of policing.
- ip-option unclassified packets from all PFEs within the MPC will hit a policer (10000 pps : uKern-config)
- ip-option rt-alert packets from all PFEs within the MPC will hit a policer (20000 pps : uKern-config)
- The sum of both ip-option packet types will go through an aggregate policer on the uKern to make sure the sum of them won't exceed 20000 pps (uKern-config)
NPC2(Dokinchan-re0 vty)# show ddos policer configuration ip-options
DDOS Policer Configuration:
                                       UKERN-Config    PFE-Config
 idx prot  group   proto      on Pri   rate  burst     rate  burst
 ---
 123 3d00  ip-opt  aggregate  Y  Hi    20000 20000       ---   ---
 124 3d01  ip-opt  unclass..  Y  Lo    10000 10000     10000 10000
 125 3d02  ip-opt  rt-alert   Y  Hi    20000 20000     20000 20000
 126 3d03  ip-opt  non-v4v6   Y  Lo    10000 10000     10000 10000
NPC2(Dokinchan-re0 vty)#
Here, the priority plays an important role. The priority here becomes a strict priority (until that traffic exceeds its own policer for sure). Here, we have both rt-alert packets and unclassified ip-option packets. Both hit the same PFE and FPC. When the rt-alert traffic is hitting the maximum rate, which is the aggregate policer rate on the uKern, none of the rt-alert packets will be dropped.
NPC2(Dokinchan-re0 vty)# show ddos policer configuration ip-options
DDOS Policer Configuration:
                                       UKERN-Config    PFE-Config
 idx prot  group   proto      on Pri   rate  burst     rate  burst
 ---
 123 3d00  ip-opt  aggregate  Y  Hi    20000 20000       ---   ---
 124 3d01  ip-opt  unclass..  Y  Lo    10000 10000     10000 10000
 125 3d02  ip-opt  rt-alert   Y  Hi    20000 20000     20000 20000
 126 3d03  ip-opt  non-v4v6   Y  Lo    10000 10000     10000 10000

                                                             arrival     pass   # of
 idx prot  group   proto      on  loc        pass      drop     rate     rate  flows
 ---
 123 3d00  ip-opt  aggregate      UKERN   3415601              18227    18227
 124 3d01  ip-opt  unclass..      UKERN    249112
                                  PFE-0   2145609  13509618   138885     9993
 125 3d02  ip-opt  rt-alert   Y   UKERN   3166489              18227    18227
                                  PFE-0   3479716   6936119    19607    19607
 126 3d03  ip-opt  non-v4v6   Y   UKERN
                                  PFE-0

                                                             arrival     pass   # of
 idx prot  group   proto      on  loc        pass      drop     rate     rate  flows
 ---
 123 3d00  ip-opt  aggregate      UKERN   3502478              18191    18191
 124 3d01  ip-opt  unclass..      UKERN    249112
                                  PFE-0   2193323  14124657   138890    10013
 125 3d02  ip-opt  rt-alert       UKERN   3253366              18191    18191
                                  PFE-0   3573282   6936119    19608    19608
 126 3d03  ip-opt  non-v4v6       UKERN
                                  PFE-0

                                                             arrival     pass   # of
 idx prot  group   proto      on  loc        pass      drop     rate     rate  flows
 ---
 123 3d00  ip-opt  aggregate      UKERN   3668557              18212
 124 3d01  ip-opt  unclass..      UKERN    249112
                                  PFE-0   2284553  15300091   138812     9983
 125 3d02  ip-opt  rt-alert   Y   UKERN   3419445              18212    18212
                                  PFE-0   3752105   6936119    19596    19596
 126 3d03  ip-opt  non-v4v6   Y   UKERN
                                  PFE-0
NPC2(Dokinchan-re0 vty)#
If we reduce the rt-alert rate a bit, then we can see a higher rate for the ip-option unclassified packets.
NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-options
DDOS Policer Statistics:
                                                             arrival     pass   # of
 idx prot  group   proto      on  loc        pass      drop     rate     rate  flows
 ---
 123 3d00  ip-opt  aggregate      UKERN   4561353              18222
 124 3d01  ip-opt  unclass..      UKERN    269188               1065     1065
                                  PFE-0   2774347  21530507   138973    10003
 125 3d02  ip-opt  rt-alert   Y   UKERN   4292165              17156    17156
                                  PFE-0   4640605   6936119    17166    17166
 126 3d03  ip-opt  non-v4v6   Y   UKERN
                                  PFE-0

                                                             arrival     pass   # of
 idx prot  group   proto      on  loc        pass      drop     rate     rate  flows
 ---
 123 3d00  ip-opt  aggregate      UKERN   4668918              18261    18261
 124 3d01  ip-opt  unclass..      UKERN    275697               1103     1103
                                  PFE-0   2833222  22289521   138893    10006
 125 3d02  ip-opt  rt-alert       UKERN   4393221              17157    17157
                                  PFE-0   4741638   6936119    17157    17157
 126 3d03  ip-opt  non-v4v6       UKERN
                                  PFE-0
NPC2(Dokinchan-re0 vty)#
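The two-stage policing described in this section (per-PFE policer, then the uKern per-type and aggregate policers) can be modelled in a few lines. This is an added example, not Juniper's code: the 1 ms step, the constructed offered loads, and the way strict priority is modelled (Hi packets draw from the aggregate bucket before Lo packets in each step) are assumptions; the rate and burst values are the ip-opt defaults shown above.

```c
#include <stdint.h>
#include <stdio.h>

/* Packet-rate token bucket: "rate" is credits (packets) per second and
 * "burst" is the ceiling on accumulated credits. Credits are stored in
 * 1/1000 units so that a 1 ms refill is exact integer arithmetic. */
typedef struct {
    uint32_t rate_pps;
    uint64_t cap_milli;
    uint64_t credits_milli;
} policer_t;

static policer_t policer_make(uint32_t rate_pps, uint32_t burst)
{
    policer_t p = { rate_pps, (uint64_t)burst * 1000, (uint64_t)burst * 1000 };
    return p;                           /* bucket starts full */
}

/* Refill for one millisecond, never exceeding the burst ceiling. */
static void policer_tick(policer_t *p)
{
    p->credits_milli += p->rate_pps;    /* N credits/s == N milli-credits/ms */
    if (p->credits_milli > p->cap_milli)
        p->credits_milli = p->cap_milli;
}

/* Offer n packets, one credit each; returns how many conform. */
static uint32_t policer_offer(policer_t *p, uint32_t n)
{
    uint64_t avail = p->credits_milli / 1000;
    uint32_t ok = (n < avail) ? n : (uint32_t)avail;
    p->credits_milli -= (uint64_t)ok * 1000;
    return ok;
}

typedef struct {
    uint32_t pfe_unclass, pfe_rt_alert;      /* pps passed by the PFE policers */
    uint32_t ukern_unclass, ukern_rt_alert;  /* pps passed by the uKern stage  */
} rates_t;

/* Simulate 10 s in 1 ms steps for one PFE feeding one uKern and return the
 * pass rates measured over the last second (after the bursts have drained).
 * Offered loads should be multiples of 1000 pps. */
rates_t simulate_ip_options(uint32_t unclass_pps, uint32_t rt_alert_pps)
{
    policer_t pfe_un = policer_make(10000, 10000);   /* 3d01 PFE-Config   */
    policer_t pfe_rt = policer_make(20000, 20000);   /* 3d02 PFE-Config   */
    policer_t uk_un  = policer_make(10000, 10000);   /* 3d01 UKERN-Config */
    policer_t uk_rt  = policer_make(20000, 20000);   /* 3d02 UKERN-Config */
    policer_t uk_agg = policer_make(20000, 20000);   /* 3d00 aggregate    */
    policer_t *all[] = { &pfe_un, &pfe_rt, &uk_un, &uk_rt, &uk_agg };
    rates_t r = { 0, 0, 0, 0 };

    for (int ms = 0; ms < 10000; ms++) {
        for (int i = 0; i < 5; i++)
            policer_tick(all[i]);

        /* Stage 1: per-type policers on the PFE. */
        uint32_t un_pfe = policer_offer(&pfe_un, unclass_pps / 1000);
        uint32_t rt_pfe = policer_offer(&pfe_rt, rt_alert_pps / 1000);

        /* Stage 2: per-type policers on the uKern. */
        uint32_t rt = policer_offer(&uk_rt, rt_pfe);
        uint32_t un = policer_offer(&uk_un, un_pfe);

        /* Stage 3: aggregate policer. Assumption: strict priority is modelled
         * by letting the Hi type (rt-alert) take aggregate credits first. */
        rt = policer_offer(&uk_agg, rt);
        un = policer_offer(&uk_agg, un);

        if (ms >= 9000) {
            r.pfe_unclass += un_pfe;
            r.pfe_rt_alert += rt_pfe;
            r.ukern_unclass += un;
            r.ukern_rt_alert += rt;
        }
    }
    return r;
}

int main(void)
{
    /* Constructed loads: unclassified far above its policer, rt-alert first
     * above and then slightly below the aggregate rate. */
    uint32_t rt_loads[] = { 25000, 17000 };
    for (int i = 0; i < 2; i++) {
        rates_t r = simulate_ip_options(139000, rt_loads[i]);
        printf("rt-alert offered %u pps: PFE pass un=%u rt=%u, uKern pass un=%u rt=%u\n",
               (unsigned)rt_loads[i], (unsigned)r.pfe_unclass, (unsigned)r.pfe_rt_alert,
               (unsigned)r.ukern_unclass, (unsigned)r.ukern_rt_alert);
    }
    return 0;
}
```

In this model the low-priority type only receives whatever aggregate credit the high-priority type leaves unused, which is the starvation pattern visible in the counters above.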
lab@Dokinchan-re0> show ddos-protection protocols ip-options violations
Packet types: 4, Currently violated: 2
Protocol    Packet      Bandwidth  Arrival   Peak      Policer bandwidth
group       type        (pps)
ip-opt      unclass..   10000      138887    138976
            rt-alert    20000      24510     65143
279207038
Arrival rate:
Dropped:
163407 pps
12433919
Arrival rate:
Dropped:
6916 pps
279207038
Arrival rate:
Dropped:
229315487
163407 pps
240374229
Arrival rate:
Dropped:
222044391
138896 pps
1663606
Arrival rate:
Dropped:
0 pps
Violation first detected at: 2013-11-20 12:43:02 JST
Violation last seen at:
240374229
Arrival rate:
Dropped:
222044391
138896 pps
222044391
Flow counts:
Aggregation level
Current
Total detected
State
Subscriber
Active
Logical-interface
Active
Physical-interface
Active
38832809
Arrival rate:
Dropped:
7271096
24511 pps
10770313
Arrival rate:
Dropped:
6916 pps
38832809
Arrival rate:
Dropped:
7271096
24511 pps
7271096
Flow counts:
Aggregation level
Current
Total detected
State
Subscriber
Active
Logical-interface
Active
Physical-interface
Active
lab@Dokinchan-re0>
The alarm clears once the violation has been cleared for the configured recover time.
lab@Dokinchan-re0> show ddos-protection protocols ip-options parameters detail
Packet types: 4, Modified: 0
* = User configured value
Protocol Group: IP-Options
  Packet type: aggregate (Aggregate for all options traffic)
    Aggregate policer configuration:
      Bandwidth:        20000 pps
      Burst:            20000 packets
      Recover time:     300 seconds
      Enabled:          Yes
      10000 pps
      Burst:            10000 packets
      Priority:         Low
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Routing Engine information:
      Bandwidth: 10000 pps, Burst: 10000 packets, enabled
    FPC slot 1 information:
      Bandwidth: 100% (10000 pps), Burst: 100% (10000 packets), enabled
    FPC slot 2 information:
      Bandwidth: 100% (10000 pps), Burst: 100% (10000 packets), enabled
    FPC slot 3 information:
      Bandwidth: 100% (10000 pps), Burst: 100% (10000 packets), enabled
  Packet type: router-alert (Router alert options traffic)
    Individual policer configuration:
      Bandwidth:        20000 pps
      Burst:            20000 packets
      Priority:         High
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Routing Engine information:
      Bandwidth: 20000 pps, Burst: 20000 packets, enabled
    FPC slot 1 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
    FPC slot 2 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
    FPC slot 3 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
lab@Dokinchan-re0# set system ddos-protection protocols ip-options aggregate recover-time ?
Possible completions:
<recover-time>
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ip-options router-alert recover-time ?
Possible completions:
<recover-time>
[edit]
lab@Dokinchan-re0#
Taking ip-options as an example again, the Routing Engine just polices the sum of all ip-option packets using the aggregate policer rate (20000 pps). The priority of each individual protocol packet still plays a role here.
1764000
Arrival rate:
Dropped:
107811
0 pps
288314
Arrival rate:
0 pps
Dropped:
47
47
The detailed implementation of the policer in the Routing Engine can be found under src/junos/bsd/sys/netpfe/ddos_policers.c.
By default, SCFD is disabled. It can be enabled with the following configuration.
# set system ddos-protection global ?
flow-detection
Once it's enabled, the DDOS system monitors the host-bound traffic at 3 levels of flow granularity in the LUchip once a violation happens.
- Subscriber level (SUB)
- IFL level (DDOS protocol ID, IIF, Aggregation-level as key)
- IFD level (DDOS protocol ID, IFD, Aggregation-level as key)
When a DDOS violation happens, SCFD checks all the packets within that protocol. The idea is to use a hash function to filter out the suspicious flows. The flow is then inserted into an LU hardware hash table.
If the flow's rate is consistently above its allowed bandwidth for a detect-time period (flow-detect-time, 3 secs by default), we declare the suspicious flow to be a culprit flow. The traffic from it will consequently be dropped unless we disable the drop. If a flow does not exceed its allowed bandwidth for the detect-time period, we assume that it's a false positive and remove it from the hardware hash table.
Once a suspicious flow's rate is below its bandwidth for the recover-time period (recover-time, 60 secs by default), SCFD declares the flow to be normal, removes it from the hardware flow table and lets traffic resume.
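The detect/recover behaviour just described, written as a per-flow state machine. This is an added example, not the SCFD implementation: it models a single flow entry (the hardware hash-table lookup by protocol ID and interface key is omitted), samples the flow rate once per second, and treats "consistently above" as every sample in the detect window exceeding the bandwidth; all type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { FLOW_UNTRACKED, FLOW_SUSPICIOUS, FLOW_CULPRIT } scfd_state_t;
typedef enum { CTRL_DROP, CTRL_KEEP, CTRL_POLICE } scfd_ctrl_t; /* fc-mode d/k/p */

typedef struct {
    uint32_t bw_pps;        /* allowed flow bandwidth at this level      */
    uint32_t detect_s;      /* flow-detect-time (3 s by default)         */
    uint32_t recover_s;     /* recover time (60 s by default)            */
    scfd_ctrl_t ctrl;       /* action applied to a culprit flow          */
    scfd_state_t state;
    uint32_t timer_s;       /* seconds above bw (suspicious) or at/below (culprit) */
} scfd_flow_t;

scfd_flow_t scfd_flow_make(uint32_t bw_pps, uint32_t detect_s,
                           uint32_t recover_s, scfd_ctrl_t ctrl)
{
    scfd_flow_t f = { bw_pps, detect_s, recover_s, ctrl, FLOW_UNTRACKED, 0 };
    return f;
}

/* Feed one 1-second rate sample for the flow. proto_violated says whether the
 * protocol policer is currently in violation (flows are only examined then).
 * Returns the number of packets let through during this second; the action
 * is decided by the state the flow was in at the start of the second. */
uint32_t scfd_sample(scfd_flow_t *f, uint32_t rate_pps, int proto_violated)
{
    int above = rate_pps > f->bw_pps;   /* assumption: equal to bw is not "above" */
    uint32_t passed = rate_pps;

    switch (f->state) {
    case FLOW_UNTRACKED:
        if (!(proto_violated && above))
            break;
        f->state = FLOW_SUSPICIOUS;     /* inserted into the flow table */
        f->timer_s = 0;
        /* fall through */
    case FLOW_SUSPICIOUS:
        if (!above) {                   /* false positive: remove the entry */
            f->state = FLOW_UNTRACKED;
            f->timer_s = 0;
        } else if (++f->timer_s >= f->detect_s) {
            f->state = FLOW_CULPRIT;    /* above bw for the whole detect time */
            f->timer_s = 0;
        }
        break;
    case FLOW_CULPRIT:
        if (f->ctrl == CTRL_DROP)
            passed = 0;
        else if (f->ctrl == CTRL_POLICE && above)
            passed = f->bw_pps;
        if (above) {
            f->timer_s = 0;             /* recover timer restarts */
        } else if (++f->timer_s >= f->recover_s) {
            f->state = FLOW_UNTRACKED;  /* normal again: entry removed */
            f->timer_s = 0;
        }
        break;
    }
    return passed;
}

/* Feed the same rate for a number of seconds; returns total packets passed. */
uint64_t scfd_feed(scfd_flow_t *f, uint32_t rate_pps, uint32_t seconds)
{
    uint64_t total = 0;
    for (uint32_t i = 0; i < seconds; i++)
        total += scfd_sample(f, rate_pps, 1);
    return total;
}

int main(void)
{
    /* Constructed scenario: 10 pps flow bandwidth, 3 s detect, 60 s recover. */
    scfd_flow_t f = scfd_flow_make(10, 3, 60, CTRL_DROP);
    printf("3 s at 50 pps:  passed %llu, state %d\n",
           (unsigned long long)scfd_feed(&f, 50, 3), (int)f.state);
    printf("5 s at 50 pps:  passed %llu, state %d\n",
           (unsigned long long)scfd_feed(&f, 50, 5), (int)f.state);
    printf("60 s at 5 pps:  passed %llu, state %d\n",
           (unsigned long long)scfd_feed(&f, 5, 60), (int)f.state);
    printf("1 s at 5 pps:   passed %llu, state %d\n",
           (unsigned long long)scfd_feed(&f, 5, 1), (int)f.state);
    return 0;
}
```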
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate ?
Possible completions:
flow-detect-time
flow-detection-mode
> flow-level-bandwidth
> flow-level-control
> flow-level-detection
flow-recover-time
flow-timeout-time
no-flow-logging
recover-time
timeout-active-flows
+ apply-groups-except
logical-interface
physical-interface
subscriber
This configures the action taken once a suspicious flow is detected at the different levels.
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-control ?
Possible completions:
+ apply-groups
+ apply-groups-except
logical-interface
physical-interface
subscriber
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-control logical-interface ?
Possible completions:
drop
keep
police
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-control physical-interface ?
Possible completions:
drop
keep
police
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-detection ?
Possible completions:
+ apply-groups
+ apply-groups-except
logical-interface
physical-interface
subscriber
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-detection logical-interface ?
Possible completions:
automatic
off
on
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-detection physical-interface ?
Possible completions:
automatic
off
on
[edit]
lab@Dokinchan-re0#
Here is the default SCFD configuration for each protocol. When SCFD is enabled, by default, the flow detection mode is auto (op-mode:a) and once a suspicious flow is detected, the action is to drop the packets (fc-mode:d). The detection rate on all 3 levels is protocol dependent. For example, in OSPF, the sub level is 10pps (which is not being used I believe), the ifl level is 10pps and the IFD level is 20000pps. When the mode is set to on, new flows will be added to the table automatically.
By default, the active-flow-timeout is disabled. If active-flow-timeout is enabled, the flow will be removed from the list when it has been there for the active-flow-timeout time (300 secs by default). Once it's removed, the flow will generate a violation event again and it will be added back to the list.
NPC2(Dokinchan-re0 vty)# show ddos scfd proto-states all
(sub|ifl|ifd)-cfg: op-mode:fc-mode:bwidth(pps)
op-mode: a=automatic, o=always-on, x=disabled
fc-mode: d=drop-all, k=keep-all, p=police
d-t: detect time, r-t: recover time, t-t: timeout time
aggr-t: last aggregated/deaggreagated time
idx prot
group
--- ----
--------
ifd-cfg
d-t
r-t
t-t
aggr-t
---
---
---
------
ifl-cfg
host-path
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:25000
60
300
100
ipv4-uncls
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
200
ipv6-uncls
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
300
dynvlan
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
400
ppp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:16000
60
300
401
ppp
unclass auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
sub-cfg
68
402
ppp
lcp auto
no
0 a:d:
10 a:d:
10 a:d:12000
60
300
403
ppp
auth auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
404
ppp
ipcp auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
405
ppp
ipv6cp auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
10
406
ppp
mplscp auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
11
407
ppp
isis auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
12
408
ppp
echo-req auto
no
0 a:d:
10 a:d:
10 a:d:12000
60
300
13
409
ppp
echo-rep auto
no
0 a:d:
10 a:d:
10 a:d:12000
60
300
14
40a
ppp
mlppp-lcp auto
no
0 a:d:
10 a:d:
10 a:d:12000
60
300
15
500
pppoe
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
16
501
pppoe
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
17
502
pppoe
padi auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
18
503
pppoe
pado auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
19
504
pppoe
padr auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
20
505
pppoe
pads auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
21
506
pppoe
padt auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
22
507
pppoe
padm auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
23
508
pppoe
padn auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
24
600
dhcpv4
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 5000
60
300
25
601
dhcpv4
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:
300
60
300
26
602
dhcpv4
discover auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
27
603
dhcpv4
offer auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
28
604
dhcpv4
request auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
29
605
dhcpv4
decline auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
30
606
dhcpv4
ack auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
31
607
dhcpv4
nak auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
32
608
dhcpv4
release auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
33
609
dhcpv4
inform auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
34
60a
dhcpv4
renew auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
35
60b
dhcpv4
forcerenew auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
36
60c
dhcpv4
leasequery auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
37
60d
dhcpv4
leaseuna.. auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
38
60e
dhcpv4
leaseunk.. auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
39
60f
dhcpv4
leaseact.. auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
40
610
dhcpv4
bootp auto
no
0 a:d:
10 a:d:
10 a:d:
300
60
300
41
611
dhcpv4
no-msgtype auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
42
612
dhcpv4
bad-pack.. auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
43
700
dhcpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 5000
60
300
44
701
dhcpv6
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d: 3000
60
300
45
702
dhcpv6
solicit auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
46
703
dhcpv6
advertise auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
47
704
dhcpv6
request auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
48
705
dhcpv6
confirm auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
49
706
dhcpv6
renew auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
50
707
dhcpv6
rebind auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
51
708
dhcpv6
reply auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
52
709
dhcpv6
release auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
53
70a
dhcpv6
decline auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
54
70b
dhcpv6
reconfig auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
69
55
70c
dhcpv6
info..req auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
56
70d
dhcpv6
relay-for.. auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
57
70e
dhcpv6
relay-rep.. auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
58
70f
dhcpv6
leasequery auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
59
710
dhcpv6
leaseq..re auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
60
711
dhcpv6
leaseq..do auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
61
712
dhcpv6
leaseq..da auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
62
800
vchassis
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:30000
60
300
63
801
vchassis
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
64
802
vchassis
control-hi auto
no
0 a:d:
10 a:d:
10 a:d:10000
60
300
65
803
vchassis
control-lo auto
no
0 a:d:
10 a:d:
10 a:d: 8000
60
300
66
804
vchassis
vc-packets auto
no
0 a:d:
10 a:d:
10 a:d:30000
60
300
67
805
vchassis
vc-ttl-err auto
no
0 a:d:
10 a:d:
10 a:d: 4000
60
300
68
900
icmp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
69
a00
igmp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
70
b00
ospf
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
71
c00
rsvp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
72
d00
pim
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
73
e00
rip
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
74
f00
ptp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
75 1000
bfd
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
76 1100
lmp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
77 1200
ldp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
78 1300
msdp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
79 1400
bgp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
80 1500
vrrp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
81 1600
telnet
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
82 1700
ftp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
83 1800
ssh
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
84 1900
snmp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
85 1a00
ancp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
86 1b00
igmpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
87 1c00
egpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
88 1d00
rsvpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
89 1e00
igmpv4v6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
90 1f00
ripv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
91 2000
bfdv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
92 2100
lmpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
93 2200
ldpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
94 2300
msdpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
95 2400
bgpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
96 2500
vrrpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
97 2600
telnetv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
98 2700
ftpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
99 2800
sshv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
100 2900
snmpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
101 2a00
ancpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
102 2b00
ospfv3v6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
103 2c00
lacp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
70
104 2d00
stp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
105 2e00
esmc
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
106 2f00
oam-lfm
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
107 3000
eoam
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
108 3100
lldp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
109 3200
mvrp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
110 3300
pmvrp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
111 3400
arp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
112 3500
pvstp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
113 3600
isis
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
114 3700
pos
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
115 3800
mlp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
116 3801
mlp
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
117 3802
mlp
packets auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
118 3803
mlp
aging-exc auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
119 3900
jfm
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
120 3a00
atm
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
121 3b00
pfe-alive
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
122 3c00
ttl
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
123 3d00
ip-opt
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
124 3d01
ip-opt
unclass.. auto
no
10 a:d:
10 a:d:
10 a:d:10000
60
300 147024965
125 3d02
ip-opt
rt-alert auto
no
10 a:d:
10 a:d:
10 a:d:20000
60
300 147024965
126 3d03
ip-opt
non-v4v6 auto
no
0 a:d:
10 a:d:
10 a:d:10000
60
300
127 3e00
redirect
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
128 3f00
control
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
129 4000
mcast-copy
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
130 4100
mac-host
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
131 4200
tun-frag
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
igmp auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
pim auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
mld auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
137 4400
services
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
138 4401
services
unclass.. auto
no
0 a:d:
0 a:d:
0 a:d:20000
139 4402
services
packet auto
no
0 a:d:
0 a:d:
0 a:d:20000
140 4403
services
BSDT auto
no
0 a:d:
0 a:d:
0 a:d:20000
141 4500
demuxauto
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
142 4600
reject
aggregate auto
no
10 a:d:
10 a:d:
10 a:d: 2000
60
300 78193870
143 4700
fw-host
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
144 4800
tcp-flags
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
145 4801
tcp-flags
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
146 4802
tcp-flags
initial auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
147 4803
tcp-flags
establish auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
148 4900
dtcp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
149 4a00
radius
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
150 4a01
radius
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
151 4a02
radius
server auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
152 4a03
radius
account.. auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
153 4a04
radius
auth.. auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
154 4b00
ntp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
155 4c00
tacacs
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
156 4d00
dns
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
157 4e00
diameter
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
158 4f00
ip-frag
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
159 4f01
ip-frag
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
160 4f02
ip-frag
first-frag auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
161 4f03
ip-frag
trail-frag auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
162 5000
l2tp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
163 5100
gre
aggregate auto
no
10 a:d:
10 a:d:
10 a:d:20000
60
300 146854970
164 5200
ipsec
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
165 5300
pimv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
166 5400
icmpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
167 5500
ndpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
168 5600
sample
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
169 5601
sample
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
170 5602
sample
syslog auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
171 5603
sample
host auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
172 5604
sample
pfe auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
173 5605
sample
tap auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
174 5606
sample
sflow auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
175 5700
fab-probe
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
176 5800
uncls
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
177 5801
uncls
other auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
178 5802
uncls
resolve-v4 auto
no
20 a:d:
10 a:d:
10 a:d: 5000
60
300 55243480
179 5803
uncls
resolve-v6 auto
no
0 a:d:
10 a:d:
10 a:d: 5000
60
300
180 5804
uncls
control-v4 auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
181 5805
uncls
control-v6 auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
182 5806
uncls
host-rt-v4 auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
183 5807
uncls
host-rt-v6 auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
184 5808
uncls
filter-v4 auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
185 5809
uncls
filter-v6 auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
186 580a
uncls
control-l2 auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
187 580b
uncls
fw-host auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
188 580c
uncls
mcast-copy auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
189 5900
rejectv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
190 5a00
l2pt
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
191 5b00
keepalive
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
192 5c00
inline-ka
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
frf15 auto
no
0 a:d:
10 a:d:
10 a:d:12000
60
300
frf16 auto
no
0 a:d:
10 a:d:
10 a:d:12000
60
300
198 5f00
amtv4
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
199 6000
amtv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
NPC2(Dokinchan-re0 vty)#
State
#define DDOS_SCFD_STATE_CLEARING 0x00000001 /* is clearing */
#define DDOS_SCFD_STATE_RATE_MOD
#define DDOS_SCFD_STATE_AGGRED
#define DDOS_SCFD_STATE_DEAGGRED
((((p)->aggr_levels[DDOS_SCFD_AGGR_LEVEL_SUB].flags &
\
\
\
\
0x00
#define DDOS_SCFD_AGGR_LEVEL_SUB 0x00
#define DDOS_SCFD_AGGR_LEVEL_IFL 0x01
#define DDOS_SCFD_AGGR_LEVEL_IFD 0x02
#define DDOS_SCFD_AGGR_LEVEL_INVALID 0x03
Flags
#define SCFD_PROTO_FLAG_LOCAL_MASK 0x0000FFFF
#define SCFD_PROTO_FLAG_RUN_UKERN 0x00000001
#define SCFD_PROTO_FLAG_RUN_ASIC 0x00000002
#define SCFD_PROTO_FLAG_NO_LOG 0x00010000
#define SCFD_PROTO_FLAG_TO_ACTV
Detect time:        3 seconds
Log flows:          Yes
Timeout flows:      No
Aggregation level   Detection mode  Control mode  Flow rate
Subscriber          Automatic       Drop          10 pps
Logical interface   Automatic       Drop          10 pps
Physical interface  Automatic       Drop          20000 pps

Packet type: unclassified
Flow detection configuration:
Detection mode:     Automatic
Detect time:        3 seconds
Log flows:          Yes
Timeout flows:      No
                    Detection mode  Control mode  Flow rate
Subscriber          Automatic       Drop          10 pps
Logical interface   Automatic       Drop          10 pps
Physical interface  Automatic       Drop          10000 pps

Detect time:        3 seconds
Log flows:          Yes
Timeout flows:      No
                    Detection mode  Control mode  Flow rate
Subscriber          Automatic       Drop          10 pps
Logical interface   Automatic       Drop          10 pps
Physical interface  Automatic       Drop          20000 pps

Detect time:        3 seconds
Log flows:          Yes
Timeout flows:      No
                    Detection mode  Control mode  Flow rate
Subscriber          Automatic       Drop          10 pps
Logical interface   Automatic       Drop          10 pps
Physical interface  Automatic       Drop          10000 pps
Once a suspicious flow is detected, it will be deaggregated from the subscriber/IFL levels, depending on the rate. With the
flow installed, none of these packets will reach the host, because the default action is drop.
Nov 20 13:57:52.659
Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 13:57:52 JST
Nov 20 13:57:52.659
Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 13:57:52 JST
Nov 20 13:57:52.659
lab@Dokinchan-re0> show ddos-protection protocols ip-options violations
Packet types: 4, Currently violated: 2
Protocol
Packet
Bandwidth
Arrival
group
type
(pps)
Peak
Policer bandwidth
ip-opt
unclass..
10000
138893
138976
24510
65143
rt-alert
20000
Packet
Arriving
Source Address
group
type
Interface
MAC or IP
ip-opt
unclass..
ge-2/0/0.0
192.1.1.2
rt-alert
ge-2/0/0.0
192.1.1.2
# of
group
proto on
loc
pass
drop
---
-----------
----------- --
------
--------
--------
123 3d00
ip-opt
aggregate
UKERN
76227465
124 3d01
ip-opt
unclass..
UKERN
1880974
PFE-0
42059480
591983015
138910
125 3d02
ip-opt
rt-alert
UKERN
74346491
PFE-0
79020937
29282748
24513
UKERN
PFE-0
---
126 3d03
ip-opt
non-v4v6
rate
pass
rate flows
group
--- ----
--------
123 3d00
ip-opt
aggregate auto
no
0 a:d:
10 a:d:
124 3d01
ip-opt
20 a:d:
125 3d02
ip-opt
126 3d03
ip-opt
non-v4v6 auto
ifd-cfg
d-t
r-t
t-t
aggr-t
---
---
---
------
10 a:d:20000
60
300
10 a:d:
10 a:d:10000
60
300 151310230
20 a:d:
10 a:d:
10 a:d:20000
60
300 151309230
0 a:d:
10 a:d:
10 a:d:10000
60
300
no
sub-cfg
ifl-cfg
NPC2(Dokinchan-re0 vty)# show ddos scfd asic-flows 0
pfe
pkts
-------
bytes source-info
-------- ----------
5 3d02
sub
339
12355587
3 3d01
sub
339
70015063
Flow Key:
Proto-ID:
3d02
Key type:
IIF:
339
Src IP addr:
c0010102 (192.1.1.2)
Dst IP addr:
c0010101 (192.1.1.1)
Src port:
Dst port:
Rcvd ack_del:
Flow state:
Aggr level:
Proto idx:
125
Policer idx:
Time inserted:
1944001488
1944507734
Last received:
12408018
Flow Statitics:
Packet Count:
12410556
Byte Count:
968023290
PFE:
Flow Key:
Proto-ID:
3d01
Key type:
IIF:
339
Src IP addr:
c0010102 (192.1.1.2)
Dst IP addr:
c0010101 (192.1.1.1)
Src port:
Dst port:
Rcvd ack_add:
Rcvd ack_del:
Flow state:
Aggr level:
Proto idx:
124
Policer idx:
Time inserted:
1944001488
1944508734
Last received:
70451039
Flow Statitics:
Packet Count:
70497989
Byte Count:
4652867208
NPC2(Dokinchan-re0 vty)#
If active-flow-timeout (timeout-active-flows) is configured, the actively monitored flow will be removed from the list. If the rate of that flow still
exceeds the protocol DDOS rate, it will generate another violation event and will be re-added to the list.
[edit]
lab@Dokinchan-re0# show system ddos-protection
global {
flow-detection;
}
protocols {
ip-options {
aggregate {
timeout-active-flows;
}
unclassified {
timeout-active-flows;
}
router-alert {
timeout-active-flows;
}
}
}
NPC2(Dokinchan-re0 vty)# show ddos scfd proto-states ip-options
(sub|ifl|ifd)-cfg: op-mode:fc-mode:bwidth(pps)
op-mode: a=automatic, o=always-on, x=disabled
fc-mode: d=drop-all, k=keep-all, p=police
d-t: detect time, r-t: recover time, t-t: timeout time
aggr-t: last aggregated/deaggreagated time
idx prot
group
--- ----
--------
ifd-cfg
d-t
r-t
t-t
aggr-t
---
---
---
123 3d00
ip-opt
aggregate auto
no
1 20002
0 a:d:
10 a:d:
------
10 a:d:20000
60
300
124 3d01
ip-opt
1 20002
20 a:d:
10 a:d:
10 a:d:10000
60
300 151310230
125 3d02
ip-opt
1 20002
126 3d03
ip-opt
non-v4v6 auto
20 a:d:
10 a:d:
10 a:d:20000
60
300 151309230
0 a:d:
10 a:d:
10 a:d:10000
60
300
no
sub-cfg
ifl-cfg
NPC2(Dokinchan-re0 vty)#
Nov 20 14:34:13.661
Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is timed out. Found at 2013-11-20 14:29:14 JST,
last observed at 2013-11-20 14:29:14 JST
Nov 20 14:34:13.661
Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is timed out. Found at 2013-11-20 14:29:14 JST,
last observed at 2013-11-20 14:29:14 JST
Nov 20 14:34:16.663
Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 14:34:16 JST
Nov 20 14:34:16.663
Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 14:34:16 JST
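The timeout and re-detection sequence in the log excerpt above can be correlated automatically to find sources that never stopped sending. The following is an added example, not part of the original document: the sample lines are constructed from the fragments shown above (each event joined onto one line, plus two constructed flows for contrast), and the function names and the 10-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. Lines 3-6 mirror the excerpt above; the first two lines
# and the last one are constructed so that the parser has something to contrast.
SAMPLE_LOG = """\
Nov 20 14:29:14.660 Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 14:29:14 JST
Nov 20 14:29:14.660 Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 14:29:14 JST
Nov 20 14:34:13.661 Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is timed out. Found at 2013-11-20 14:29:14 JST, last observed at 2013-11-20 14:29:14 JST
Nov 20 14:34:13.661 Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is timed out. Found at 2013-11-20 14:29:14 JST, last observed at 2013-11-20 14:29:14 JST
Nov 20 14:34:16.663 Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 14:34:16 JST
Nov 20 14:34:16.663 Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 14:34:16 JST
Nov 20 14:40:00.000 Options:router-alert on ge-2/0/1.0 with source addr 198.51.100.7 is timed out. Found at 2013-11-20 14:35:00 JST, last observed at 2013-11-20 14:35:02 JST
"""

# Any text between the syslog timestamp and "<group>:<type> on" is skipped.
# The year is taken from the first ISO date in the message, because the
# syslog timestamp itself carries none.
EVENT_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d+)\s+.*?"
    r"(?P<ptype>[\w-]+:[\w.-]+) on (?P<ifl>\S+) with source addr (?P<src>\S+) "
    r"is (?P<event>found at|timed out)"
    r".*?(?P<year>\d{4})-\d{2}-\d{2}"
)


def parse_events(text):
    """Return [(time, (packet_type, interface, source), kind)] sorted by time."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{m['year']} {m['stamp']}",
                                 "%Y %b %d %H:%M:%S.%f")
        kind = "found" if m["event"] == "found at" else "timeout"
        events.append((when, (m["ptype"], m["ifl"], m["src"]), kind))
    return sorted(events, key=lambda e: e[0])


def redetections(events, window_s=10.0):
    """Return {flow_key: [gap_seconds, ...]} for every timeout that is followed
    by a new 'found' event for the same flow within window_s seconds."""
    last_timeout = {}
    gaps = defaultdict(list)
    for when, key, kind in events:
        if kind == "timeout":
            last_timeout[key] = when
        elif key in last_timeout:
            gap = (when - last_timeout.pop(key)).total_seconds()
            if gap <= window_s:
                gaps[key].append(gap)
    return dict(gaps)


def persistent_sources(gaps):
    """Group re-detected flows by (source, interface) for reporting."""
    by_src = defaultdict(set)
    for ptype, ifl, src in gaps:
        by_src[(src, ifl)].add(ptype)
    return {k: sorted(v) for k, v in by_src.items()}


if __name__ == "__main__":
    found = redetections(parse_events(SAMPLE_LOG))
    for (src, ifl), ptypes in persistent_sources(found).items():
        print(f"{src} on {ifl} re-detected after timeout for: {', '.join(ptypes)}")
```

A flow that is found again about one detect time (3 seconds here) after its timeout was still over the flow rate when it was removed; a flow that times out and stays away, like the constructed 198.51.100.7 entry, is not reported.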
NPC2(Dokinchan-re0 vty)# show ddos scfd asic-flows 0 details
PFE:
12
Flow Key:
Proto-ID:
3d02
Key type:
IIF:
339
Src IP addr:
c0010102 (192.1.1.2)
Dst IP addr:
c0010101 (192.1.1.1)
Src port:
Dst port:
Rcvd ack_del:
Flow state:
Aggr level:
Proto idx:
125
Policer idx:
Time inserted:
1946184735
1946475734
Last received:
7132354
Flow Statitics:
Packet Count:
7152878
Byte Count:
557924406
PFE:
11
Flow Key:
Proto-ID:
3d01
Key type:
IIF:
339
Src IP addr:
c0010102 (192.1.1.2)
Dst IP addr:
c0010101 (192.1.1.1)
Src port:
Dst port:
Rcvd ack_add:
Rcvd ack_del:
Flow state:
Aggr level:
Proto idx:
124
Policer idx:
Time inserted:
1946184734
1946476734
Last received:
40555616
Flow Statitics:
Packet Count:
40662069
Byte Count:
2683696488
NPC2(Dokinchan-re0 vty)#
The granularity can go down to a per-protocol basis.
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate ?
Possible completions:
+ apply-groups           Groups from which to inherit configuration data
+ apply-groups-except    Don't inherit configuration data from these groups
  bandwidth              Policer bandwidth (1..100000 packets per second)
  burst                  Policer burst size (1..100000 packets)
  disable-fpc            Turn off policing on all fpc's
  disable-logging        Disable event logging for protocol violation
  disable-routing-engine Turn off policing on routing engine
  flow-detect-time       Time to determine a flow is bad (1..60 seconds)
  flow-detection-mode    Flow detection mode for the packet type
> flow-level-bandwidth   Bandwidth for flows at various levels
> flow-level-control     Specify how discovered flows are controlled
> flow-level-detection   Specify detection mode at various levels
  flow-recover-time      Time to return to normal after last violation (1..3600 seconds)
  flow-timeout-time      Time to timeout the flow since found (1..7200 seconds)
> fpc                    Flexible PIC Concentrator parameters
  no-flow-logging        Disable logging of violating flows
  recover-time           Time for protocol to return to normal (1..3600 seconds)
  timeout-active-flows   Allow timeout active violating flows
[edit]
lab@Dokinchan-re0# set
Possible completions:
+ apply-groups
+ apply-groups-except
bandwidth-scale
burst-scale
disable-fpc
[edit]
lab@Dokinchan-re0#
The bandwidth-scale/burst-scale configuration under the FPC is used to configure how much bandwidth (bandwidth * bandwidth-scale% / burst * burst-scale%) should be applied on that FPC. For example, with 50% for both bandwidth and burst scale, the OSPF protocol policer becomes:
[edit]
lab@Dokinchan-re0# run show ddos-protection protocols ospf parameters
Packet types: 1, Modified: 0
* = User configured value
Protocol Group: OSPF
Statistics/Errors
We can capture the per-protocol statistics before and after the policers are applied to the packets.
lab@Dokinchan-re0> show ddos-protection protocols ip-options unclassified
Currently tracked flows: 1, Total detected flows: 1
* = User configured value
Protocol Group: IP-Options
Packet type: unclassified (Unclassified options traffic)
Individual policer configuration:
Bandwidth:          10000 pps
Burst:              10000 packets
Priority:           Low
Recover time:       300 seconds
Enabled:            Yes
Bypass aggregate:   No
Flow detection configuration:
Detection mode:     Automatic
Detect time:        3 seconds
Log flows:          Yes
Timeout flows:      No
                    Detection mode  Control mode  Flow rate
Subscriber          Automatic       Drop          10000 pps*
Logical interface   Automatic       Drop          10000 pps*
Physical interface  Automatic       Drop          10000 pps
System-wide information:
Bandwidth is being violated!
No. of FPCs currently receiving excess traffic: 1
No. of FPCs that have received excess traffic:
134723
Arrival rate:
Dropped:
98645
0 pps
Flow counts:
Aggregation level
Current
Total detected
Subscriber
Total
16963
Arrival rate:
Dropped:
0 pps
Duration of violation: 00:00:11 Number of violations: 1
134723 - 117149 = 17574 sent to host queue
Received:
134723
Arrival rate:
Dropped:
117149
0 pps
5808
92837
Flow counts:
Aggregation level
Current
Total detected
State
Subscriber
Active
Total
group
proto on
loc
pass
drop
----------- --
---
-----------
------
--------
--------
123 3d00
ip-opt
aggregate
UKERN
17574
18504
124 3d01
ip-opt
unclass..
UKERN
36078
rate
pass
# of
rate flows
36078
98645
7841
UKERN
PFE-0
UKERN
PFE-0
ip-opt
rt-alert
ip-opt
non-v4v6
Y
Y
Packets
Pkt Rate
Bytes
Byte Rate
36078
3283098
Dropped (Force)
Dropped (Error)
: 0
16963 queued
0 queue drops
0 queue deletes
25 high water mark queued
0 current queued
611 policer drops
NPC2(Dokinchan-re0 vty)#
If we check the aggregate policer drop, the system-wide statistics will count the uKern aggregate policer drop. Here, we
inject 30K pkts for each ip-frag type. The following might be confusing, as the pass count includes the dropped pkts.
PR942813 has been filed to enhance this command output.
NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-fragments
DDOS Policer Statistics:
arrival
idx prot
group
proto on
loc
pass
drop
---
-----------
----------- --
------
--------
--------
158 4f00
ip-frag
UKERN
12751
---
aggregate
rate
pass
# of
rate flows
47249
ip-frag
unclass..
N/A
---
---
---
---
---
160 4f02
ip-frag
first-frag
UKERN
30000
23484
ip-frag
trail-frag
PFE-0
30000
UKERN
30000
23765
30000
NPC2(Dokinchan-re0 vty)#
Total drop on MPC is 23484 + 23765 = 47249. With 7 pkts dropped on RE, the total drop becomes 47256.
lab@Dokinchan-re0> show ddos-protection protocols ip-fragments aggregate
Currently tracked flows: 0, Total detected flows: 0
* = User configured value
Protocol Group: IP-Fragments
Packet type: aggregate (Aggregate for all IP Fragment traffic)
Aggregate policer configuration:
Bandwidth:          3000 pps*
Burst:              3000 packets*
Recover time:       300 seconds
Enabled:            Yes
Detect time:        3 seconds
Log flows:          Yes
Timeout flows:      No
                    Detection mode  Control mode  Flow rate
Subscriber          Automatic       Drop          10 pps
Logical interface   Automatic       Drop          10 pps
Physical interface  Automatic       Drop          20000 pps
System-wide information:
Aggregate bandwidth is being violated!
No. of FPCs currently receiving excess traffic: 1
No. of FPCs that have received excess traffic:
60000
Arrival rate:
Dropped:
47256
0 pps
12751
Arrival rate:
Dropped:
0 pps
60000
Arrival rate:
Dropped:
47249
0 pps
47249 With aggregate statistics, this count includes the drops under
Flow counts:
Aggregation level
Current
Total detected
State
Subscriber
Active
Logical-interface
Active
Physical-interface
Active
0x4C3F2360
0
Hostbound policer packet drops: 0 Sum of HBC policer drop for exception nhs.
Hostbound policer byte drops: 0
Aggregate policer packet drops: 40160393 Sum of all DDOS IPv4 policer drops.
Aggregate policer byte drops: 4871701502
Aggregate IPv6 policer packet drops: 76521499 Sum of all DDOS IPv6 policer drops.
NPC2(Dokinchan-re0 vty)#
Here are some DDOS error counters that record the errors encountered when parsing the received protocol frames.
NPC2(Dokinchan-re0 vty)# show ddos asic global-rx-errors
DDOS ASIC counters:
Pkts on unsupported reason code: 0
Reason -- Proto-ID Errors:
Code Reason
Error Type
Pkts
---- ------------
----------
----
---
unsupported
PUNT_TTL
mismatch-id
PUNT_OPTIONS
non-exist-id
PUNT_REDIRECT
mismatch-id
PUNT_CONTROL
non-exist-id
PUNT_FAB_OUT_PROBE_PKT
mismatch-id
PUNT_HOST_COPY
non-exist-id
PUNT_MAC_FWD_TYPE_HOST
mismatch-id
PUNT_TUNNEL_FRAGMENT
mismatch-id
---
unsupported
0 PUNT_GIMLET_PKT
10
---
unsupported
11
PUNT_MLP
12
13
PUNT_IGMP_SNOOP
mismatch-id
PUNT_VC_TTL_ERROR
mismatch-id
14
PUNT_L2PT_ERROR
mismatch-id
15
---
unsupported
0 PUNT_DDOS_POLICER_VIOL
16
---
unsupported
0 PUNT_DDOS_SCFD
17
---
unsupported
0 PUNT_LU_NOTIF
18
PUNT_PIM_SNOOP
mismatch-id
19
---
unsupported
0 PUNT_MLD_SNOOP
20
---
unsupported
0 Undefined
21
---
unsupported
0 Undefined
22
---
unsupported
0 Undefined
23
---
unsupported
0 Undefined
24
---
unsupported
0 Undefined
25
---
unsupported
0 Undefined
26
---
unsupported
0 Undefined
27
---
unsupported
0 Undefined
28
---
unsupported
0 Undefined
29
---
unsupported
0 Undefined
30
---
unsupported
0 Undefined
31
---
unsupported
0 Undefined
32
PUNT_PROTOCOL
non-exist-id
33
PUNT_RESOLVE
non-exist-id
34
PUNT_RECEIVE
non-exist-id
0 PUNT_FLOW_REJECT
non-exist-id
35
PUNT_AUTOSENSE
mismatch-id
36
PUNT_REJECT_FW
non-exist-id
37
---
unsupported
0 PUNT_UNUSED
38
PUNT_SERVICES
mismatch-id
39
PUNT_DEMUXAUTOSENSE
mismatch-id
40
PUNT_REJECT
mismatch-id
41
PUNT_SAMPLE_SYSLOG
mismatch-id
42
PUNT_SAMPLE_HOST
mismatch-id
43
PUNT_SAMPLE_PFE
mismatch-id
44
PUNT_SAMPLE_TAP
mismatch-id
45
PUNT_PPPOE_PADI
mismatch-id
46
PUNT_PPPOE_PADR
mismatch-id
47
PUNT_PPPOE_PADT
mismatch-id
48
PUNT_PPP_LCP
mismatch-id
49
PUNT_PPP_AUTH
mismatch-id
50
PUNT_PPP_IPV4CP
mismatch-id
51
PUNT_PPP_IPV6CP
mismatch-id
52
PUNT_PPP_MPLSCP
mismatch-id
53
PUNT_PPP_UNCLASSIFIED_CP
54
PUNT_SEND_TO_HOST_FW
55
mismatch-id
non-exist-id
PUNT_VC_HI
mismatch-id
56
PUNT_VC_LO
mismatch-id
57
PUNT_PPP_ISIS
mismatch-id
58
PUNT_KEEPALIVE
mismatch-id
59
PUNT_SEND_TO_HOST_FW_INLINE_SVCS
60
PUNT_PPP_LCP_ECHO_REQ
mismatch-id
mismatch-id
0
0
61
PUNT_INLINE_KA
mismatch-id
62
---
unsupported
0 PUNT_UNUSED
63
PUNT_PPP_LCP_ECHO_REP
mismatch-id
64
PUNT_MLPPP_LCP
mismatch-id
65
PUNT_MLFR_CONTROL
mismatch-id
66
PUNT_MFR_CONTROL
mismatch-id
67
---
unsupported
0 PUNT_UNUSED
68
PUNT_REJECT_V6
mismatch-id
69
PUNT_RESOLVE_V6
non-exist-id
70
PUNT_SEND_TO_HOST_SVCS
mismatch-id
71
PUNT_SAMPLE_SFLOW
mismatch-id
Here are the IPC msg stats between the DDOS module on the MPC and the Routing Engine (jddosd).
NPC2(Dokinchan-re0 vty)# show ddos ipc
DDOS IPC Messages:
Name
Requests
Failures
Duplicates
Tx messages
-----------------------
----------
----------
----------
----------
Unknown
global_ctrl
global_ctrl_rts
global_states
global_states_rts
violation set
violation clr
protocol_stats_get
24
protocol_stats_clr
protocol_stats_rts
policer
policer_rts
pstates
pstates_rts
pfe_peer_info
flow_get
flow_clr
scfd_proto_get
Counts
------------------------------------
---------------
95
1
reconnect count
debug string
Here is the global configuration and statistics summary for the SCFD module.
NPC2(Dokinchan-re0 vty)# show ddos scfd global-info
DDOS-SCFD global context
------------------------------------------------------
288/12/8 bytes
Flow scan:
Yes
Yes
No
Default enabled:
No
Enabled:
Yes
Deaggr
Next available flow id:
Culprit flows:
Violated protocols:
100(pps)
100(pps)
Scan cookie:
30772
4096
4094
400
400
4096
4221
16384
151310230
0=2
100
100
13
11
false positives:
max flow tbl scan time(ms):
debug values:
967586
flow found:
13
flow timeout:
flow cleared:
unknown reports:
967586
Dropped indications:
1203589195
size items
item queue
4096
4094
dequeues
deq-empty
enqueues
enq-fail
15
13
size items
dequeues
deq-empty
enqueues
item queue
1000
1000
28
28
work queue
1000
28
15
28
[ 2] policer scan
enq-fail
has semaphore, no work queue, no item store, has handler, loop is off
[ 3] flow state
has semaphore, has work queue, has item store, has handler, loop is off
queue request stats---------------------------------------------------------queue name
size items
dequeues
deq-empty
enqueues
enq-fail
item queue
4096
4096
43
43
work queue
4096
43
23
43
[ 4] async notif
has semaphore, has work queue, has item store, has handler, loop is off
queue request stats---------------------------------------------------------queue name
size items
dequeues
deq-empty
enqueues
enq-fail
item queue
400
400
12
12
work queue
400
12
12
[ 5] req request
has semaphore, has work queue, has item store, has handler, loop is off
queue request stats---------------------------------------------------------queue name
dequeues
deq-empty
enqueues
enq-fail
item queue
400
400
50
50
work queue
400
50
50
[ 6] flow modify
size items
has semaphore, has work queue, has item store, has handler, loop is off
queue request stats----------------------------------------------------------
queue name
item queue
work queue
[ 7] flow message
size items
dequeues
deq-empty
enqueues
enq-fail
400
400
400
has semaphore, has work queue, has item store, has handler, loop is off
queue request stats---------------------------------------------------------queue name
size items
dequeues
deq-empty
enqueues
enq-fail
item queue
4096
4096
1030
1030
work queue
4096
1030
94
1030
[ 8] flow scan
has semaphore, no work queue, no item store, has handler, loop is off
NPC2(Dokinchan-re0 vty)#
When we check the DDOS statistics, there is a gap between the ASIC and uKern. For example, in the following output, we
can see that the uKern arrival rate is far lower than the one measured on the PFE (ASIC). Between the ASIC and
uKern, drops can happen in TOE/MQ if the host-bound traffic rate is too high. In this case, the drop happens on the
MQ hostbound queue, and that's why uKern sees far less traffic volume than the PFE.
NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-fragments
DDOS Policer Statistics:
arrival
idx prot
# of
group
proto on
loc
pass
drop
---
-----------
----------- --
------
--------
--------
158 4f00
ip-frag
aggregate
UKERN
3828251
16623
16623
159 4f01
ip-frag
unclass..
N/A
---
---
---
---
---
160 4f02
ip-frag
first-frag
---
161 4f03
ip-frag
trail-frag
rate
pass
rate flows
UKERN
1913970
8310
8310
PFE-0
4594919
19997
19997
UKERN
1914281
8313
8313
PFE-0
4594921
19998
19998
Packets
Pkt Rate
Bytes
Byte Rate
Forwarded (Rule)
18313974
16661
4513626054
1716045
20014319
23341
4275669611
2404085
9899788
3853013876
Dropped (Force)
Dropped (Error)
: 501881
The same happens on the path between PPC and RE (i.e. TTP drops, etc.).
Indeed, there are cases where DDOS might not help.
https://gnats.juniper.net/web/default/878789
This PR is related to SCFD flow detection against an ARP storm. When an ARP packet comes in, it is handled by the
default ARP policer (__default_arp_policer__) before it hits the HBC. Since the default ARP policer is stateless, it just
drops ARP packets based on the policer rate, without considering that the ARP packets it passes may actually all be the same. As a
result, the non-attack ARP packets might be dropped by the default ARP policer, and the attack ARP storm will be dropped by
the SCFD once it detects the flow.
To work around this, we need to disable the default ARP policer by configuring a high ARP policer rate, which is the
same as passing all the ARP packets to the SCFD. The SCFD will then identify the attack flow(s) and drop them.
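The effect described above can be reproduced with a small two-stage model: a stateless policer followed by per-flow detection. This is an added example, not code from the original document or from Junos. The 150 pps policer rate, the host addresses and the traffic mix are constructed assumptions, while the 10 pps flow rate and the 3-second detect time are the defaults shown in the flow detection output earlier.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    pps: float              # offered ARP rate, packets per second
    legit: bool
    over_for: int = 0       # consecutive seconds above the per-flow rate
    culprit: bool = False   # set once flow detection starts dropping the flow
    delivered: float = 0.0  # packets that reached the host


def stateless_policer(arrivals, rate_pps):
    """Stage 1: pass at most rate_pps per second. With no per-source state,
    each sender keeps a share proportional to what it offered."""
    total = sum(arrivals.values())
    if total <= rate_pps:
        return dict(arrivals)
    return {src: n * rate_pps / total for src, n in arrivals.items()}


def flow_detection(flows, passed, flow_pps, detect_s):
    """Stage 2: a flow above flow_pps for detect_s consecutive seconds is
    marked as a culprit, and from then on all of its packets are dropped.
    Recovery and timeout of culprit flows are not modelled."""
    to_host = {}
    for f in flows:
        n = 0.0 if f.culprit else passed[f.src]
        f.over_for = f.over_for + 1 if n > flow_pps else 0
        if f.over_for >= detect_s:
            f.culprit = True
        to_host[f.src] = n
    return to_host


def simulate(policer_pps, seconds=10, flow_pps=10, detect_s=3):
    # Constructed traffic mix: 20 hosts at 5 pps each plus one storm source.
    flows = [Flow(f"192.0.2.{i}", 5.0, True) for i in range(1, 21)]
    flows.append(Flow("192.0.2.254", 50_000.0, False))
    for _ in range(seconds):
        arrivals = {f.src: f.pps for f in flows}
        passed = stateless_policer(arrivals, policer_pps)
        to_host = flow_detection(flows, passed, flow_pps, detect_s)
        for f in flows:
            f.delivered += to_host[f.src]
    legit_sent = sum(f.pps for f in flows if f.legit) * seconds
    legit_ok = sum(f.delivered for f in flows if f.legit)
    storm = next(f for f in flows if not f.legit)
    return {
        "legit_delivered_pct": round(100 * legit_ok / legit_sent, 1),
        "storm_delivered": round(storm.delivered),
        "storm_flagged": storm.culprit,
    }


if __name__ == "__main__":
    print("low policer rate :", simulate(policer_pps=150))      # assumed rate
    print("high policer rate:", simulate(policer_pps=100_000))  # the workaround
```

With the low policer rate the storm source is still flagged, but the legitimate hosts keep losing almost all of their ARP packets at the first stage; with the high rate they lose none, and the storm reaches the host only during the detect time.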
https://gnats.juniper.net/web/default/934869
As mentioned above, DDOS requires a steady traffic volume to detect the suspicious flow. This PR is related to a
bursty traffic source, the typical case being a multicast flow starting up.
In this PR, when we receive multicast packets hitting the resolve nh, the resolve request goes up to the RPD in the
Routing Engine, which creates a multicast route on the PFE. From that point on, the flow no longer hits the resolve nh,
and that's why DDOS couldn't detect it.
Even if we turn on SCFD, since it requires some time (on the order of seconds) to detect the flow, it won't be quick enough to
stop the resolve requests from the same multicast group from entering the resolve queue on the host (resolve_nh -> host
queue -> PPC -> resolve queue -> RPD[RE]) and let other multicast groups enter the resolve queue. Hence, enabling
DDOS won't help much to speed up the multicast route setup time in this case.
https://gnats.juniper.net/web/default/871500
The problem is that the MLP packets are processed differently. The packets do not go through the regular exception
processing path. The MLP packets are generally sent at 200 pps directly to the host by the learning process, which bypasses
most of the DDOS processing. This is why you cannot control it. The MLP is self-paced. This means that MLP poses NO
DDOS threat.
https://gnats.juniper.net/web/default/832740
This is mainly a code enhancement for DDOS that also adds support for the XM chip. We would suggest that a customer pick
up this fix for DDOS usage.
https://gnats.juniper.net/web/default/924807
This is a major design flaw in DDOS where a packet hitting the resolve/fw reject nexthop is classified as a protocol
control packet as long as the protocol field matches the specific DDOS term. With this fix, we separate the notifications
hitting the resolve and reject nexthops into a different DDOS term.
NPC1(currypanman-re0 vty)# show ddos asic punt-proto-maps
PUNT exceptions directly mapped to DDOS proto:
code PUNT name
---- -------------------1 PUNT_TTL
3 PUNT_REDIRECT
group proto
--------- -----ttl aggregate
idx q# bwidth
3c00
2000
10000
redirect aggregate
3e00
2000
10000
fab-probe aggregate
5700
20000
20000
7 PUNT_MAC_FWD_TYPE_HOST
mac-host aggregate
4100
20000
20000
8 PUNT_TUNNEL_FRAGMENT
tun-frag aggregate
4200
2000
10000
12 PUNT_IGMP_SNOOP
13 PUNT_VC_TTL_ERROR
14 PUNT_L2PT_ERROR
35 PUNT_AUTOSENSE
38 PUNT_SERVICES
39 PUNT_DEMUXAUTOSENSE
mlp packets
igmp-snoop aggregate
vchassis vc-ttl-err
l2pt aggregate
3802
2000
10000
4300
20000
20000
805
4000
10000
5a00
20000
20000
dynvlan aggregate
300
1000
500
services aggregate
4400
2000
10000
demuxauto aggregate
4500
2000
10000
40 PUNT_REJECT
reject aggregate
4600
2000
10000
41 PUNT_SAMPLE_SYSLOG
sample syslog
5602
1000
1000
42 PUNT_SAMPLE_HOST
sample host
5603
1000
1000
43 PUNT_SAMPLE_PFE
sample pfe
5604
1000
1000
44 PUNT_SAMPLE_TAP
sample tap
5605
1000
1000
500
45 PUNT_PPPOE_PADI
pppoe padi
502
500
46 PUNT_PPPOE_PADR
pppoe padr
504
500
500
47 PUNT_PPPOE_PADT
pppoe padt
506
1000
1000
48 PUNT_PPP_LCP
ppp lcp
402
12000
12000
49 PUNT_PPP_AUTH
ppp auth
403
2000
2000
50 PUNT_PPP_IPV4CP
ppp ipcp
404
2000
2000
51 PUNT_PPP_IPV6CP
ppp ipv6cp
405
2000
2000
52 PUNT_PPP_MPLSCP
ppp mplscp
406
2000
2000
53 PUNT_PPP_UNCLASSIFIED_CP
401
1000
500
55 PUNT_VC_HI
vchassis control-hi
802
10000
5000
56 PUNT_VC_LO
vchassis control-lo
803
8000
3000
407
2000
2000
5b00
57 PUNT_PPP_ISIS
58 PUNT_KEEPALIVE
ppp unclass
ppp isis
keepalive aggregate
5 PUNT_FAB_OUT_PROBE_PKT
11 PUNT_MLP
burst
20000
5d00
20000
2
20000
20000
60 PUNT_PPP_LCP_ECHO_REQ
61 PUNT_INLINE_KA
ppp echo-req
inline-ka aggregate
408
12000
12000
5c00
20000
20000
63 PUNT_PPP_LCP_ECHO_REP
ppp echo-rep
409
12000
12000
64 PUNT_MLPPP_LCP
ppp mlppp-lcp
40a
12000
12000
65 PUNT_MLFR_CONTROL
frame-relay frf15
5e02
12000
12000
66 PUNT_MFR_CONTROL
frame-relay frf16
5e03
12000
12000
68 PUNT_REJECT_V6
rejectv6 aggregate
5900
2000
10000
4 PUNT_CONTROL
6 PUNT_HOST_COPY
11 PUNT_MLP
|---------------+
32 PUNT_PROTOCOL
34 PUNT_RECEIVE
54 PUNT_SEND_TO_HOST_FW |
|
|
-----------------------------------------------------------------type
subtype
burst
2c00
20000
20000
stp aggregate
2d00
20000
20000
esmc aggregate
2e00
20000
20000
oam-lfm aggregate
2f00
20000
20000
contrl EOAM
eoam aggregate
3000
20000
20000
contrl LLDP
lldp aggregate
3100
20000
20000
contrl MVRP
mvrp aggregate
3200
20000
20000
pmvrp aggregate
3300
20000
20000
contrl ESMC
contrl OAM_LFM
contrl PMVRP
contrl ARP
contrl PVSTP
contrl ISIS
contrl POS
arp aggregate
3400
20000
20000
pvstp aggregate
3500
20000
20000
isis aggregate
3600
20000
20000
pos aggregate
3700
20000
20000
contrl MLP
mlp packets
3802
2000
10000
contrl JFM
jfm aggregate
3900
20000
20000
contrl ATM
atm aggregate
3a00
20000
20000
pfe-alive aggregate
3b00
20000
20000
filter ipv4
dhcpv4 aggregate
600
5000
5000
filter ipv6
dhcpv6 aggregate
700
5000
5000
filter ipv4
icmp aggregate
900
20000
20000
filter ipv4
igmp aggregate
a00
20000
20000
filter ipv4
ospf aggregate
b00
20000
20000
filter ipv4
rsvp aggregate
c00
20000
20000
filter ipv4
pim aggregate
d00
8000
16000
filter ipv4
rip aggregate
e00
20000
20000
filter ipv4
ptp aggregate
f00
20000
20000
filter ipv4
bfd aggregate
1000
20000
20000
filter ipv4
lmp aggregate
1100
20000
20000
contrl PFE_ALIVE
idx q# bwidth
lacp aggregate
contrl STP
group proto
---------- ----------
filter ipv4
ldp aggregate
1200
20000
20000
filter ipv4
msdp aggregate
1300
20000
20000
filter ipv4
bgp aggregate
1400
20000
20000
filter ipv4
vrrp aggregate
1500
20000
20000
filter ipv4
telnet aggregate
1600
20000
20000
filter ipv4
ftp aggregate
1700
20000
20000
filter ipv4
ssh aggregate
1800
20000
20000
filter ipv4
snmp aggregate
1900
20000
20000
filter ipv4
ancp aggregate
1a00
20000
20000
filter ipv6
igmpv6 aggregate
1b00
20000
20000
filter ipv6
egpv6 aggregate
1c00
20000
20000
filter ipv6
rsvpv6 aggregate
1d00
20000
20000
filter ipv6
igmpv4v6 aggregate
1e00
20000
20000
filter ipv6
ripv6 aggregate
1f00
20000
20000
filter ipv6
bfdv6 aggregate
2000
20000
20000
filter ipv6
lmpv6 aggregate
2100
20000
20000
filter ipv6
ldpv6 aggregate
2200
20000
20000
filter ipv6
msdpv6 aggregate
2300
20000
20000
filter ipv6
bgpv6 aggregate
2400
20000
20000
filter ipv6
vrrpv6 aggregate
2500
20000
20000
filter ipv6
telnetv6 aggregate
2600
20000
20000
filter ipv6
ftpv6 aggregate
2700
20000
20000
filter ipv6
sshv6 aggregate
2800
20000
20000
filter ipv6
snmpv6 aggregate
2900
20000
20000
filter ipv6
ancpv6 aggregate
2a00
20000
20000
filter ipv6
ospfv3v6 aggregate
2b00
20000
20000
filter ipv4
tcp-flags unclass..
4801
20000
20000
filter ipv4
tcp-flags initial
4802
20000
20000
filter ipv4
tcp-flags establish
4803
20000
20000
filter ipv4
dtcp aggregate
4900
20000
20000
20000
filter ipv4
radius server
4a02
20000
filter ipv4
radius account..
4a03
20000
20000
filter ipv4
radius auth..
4a04
20000
20000
20000
20000
filter ipv4
ntp aggregate
4b00
filter ipv4
tacacs aggregate
4c00
20000
20000
filter ipv4
dns aggregate
4d00
20000
20000
filter ipv4
diameter aggregate
4e00
20000
20000
filter ipv4
ip-frag first-frag
4f02
20000
20000
filter ipv4
ip-frag trail-frag
4f03
20000
20000
filter ipv4
l2tp aggregate
5000
20000
20000
filter ipv4
gre aggregate
5100
20000
20000
filter ipv4
ipsec aggregate
5200
20000
20000
filter ipv6
pimv6 aggregate
5300
8000
16000
filter ipv6
icmpv6 aggregate
5400
20000
20000
filter ipv6
ndpv6 aggregate
5500
20000
20000
filter ipv4
amtv4 aggregate
5f00
20000
20000
filter ipv6
6000
20000
20000
option rt-alert
ip-opt rt-alert
amtv6 aggregate
3d02
20000
20000
option unclass
ip-opt unclass..
3d01
10000
10000
200 PUNT_RESOLVE_V6
|---------------+
|
-----------------------------------------------------------------resolve aggregate
100
5000
10000
resolve other
101
2000
2000
resolve ucast-v4
102
3000
5000
resolve mcast-v4
103
3000
5000
resolve ucast-v6
104
3000
5000
resolve mcast-v6
105
3000
5000
|---------------+
|
-----------------------------------------------------------------filter-act aggregate
200
10000
filter-act other
201
2000
10000
10000
filter-act filter-v4
202
2000
10000
filter-act filter-v6
203
2000
10000
                              group proto            idx q# bwidth  burst
                              --------- ------
                              ttl aggregate         3c00      2000  10000
 3 PUNT_REDIRECT              redirect aggregate    3e00      2000  10000
 5 PUNT_FAB_OUT_PROBE_PKT     fab-probe aggregate   5700     20000  20000
 7 PUNT_MAC_FWD_TYPE_HOST     mac-host aggregate    4100     20000  20000
 8 PUNT_TUNNEL_FRAGMENT       tun-frag aggregate    4200      2000  10000
11 PUNT_MLP                   mlp packets           3802      2000  10000
12 PUNT_IGMP_SNOOP            igmp-snoop aggregate  4300     20000  20000
13 PUNT_VC_TTL_ERROR          vchassis vc-ttl-err    805      4000  10000
14 PUNT_L2PT_ERROR            l2pt aggregate        5a00     20000  20000
35 PUNT_AUTOSENSE             dynvlan aggregate      300      1000    500
38 PUNT_SERVICES              services aggregate    4400      2000  10000
39 PUNT_DEMUXAUTOSENSE        demuxauto aggregate   4500      2000  10000
40 PUNT_REJECT                reject aggregate      4600      2000  10000
41 PUNT_SAMPLE_SYSLOG         sample syslog         5602      1000   1000
42 PUNT_SAMPLE_HOST           sample host           5603      1000   1000
43 PUNT_SAMPLE_PFE            sample pfe            5604      1000   1000
44 PUNT_SAMPLE_TAP            sample tap            5605      1000   1000
45 PUNT_PPPOE_PADI            pppoe padi             502       500    500
46 PUNT_PPPOE_PADR            pppoe padr             504       500    500
47 PUNT_PPPOE_PADT            pppoe padt             506      1000   1000
48 PUNT_PPP_LCP               ppp lcp                402     12000  12000
49 PUNT_PPP_AUTH              ppp auth               403      2000   2000
50 PUNT_PPP_IPV4CP            ppp ipcp               404      2000   2000
51 PUNT_PPP_IPV6CP            ppp ipv6cp             405      2000   2000
52 PUNT_PPP_MPLSCP            ppp mplscp             406      2000   2000
53 PUNT_PPP_UNCLASSIFIED_CP
401
1000
500
55 PUNT_VC_HI                 vchassis control-hi    802     10000   5000
56 PUNT_VC_LO                 vchassis control-lo    803      8000   3000
407
2000
2000
5b00
57 PUNT_PPP_ISIS
58 PUNT_KEEPALIVE
ppp unclass
ppp isis
keepalive aggregate
20000
ppp echo-req
inline-ka aggregate
5d00
20000
2
20000
408
12000
12000
5c00
20000
20000
63 PUNT_PPP_LCP_ECHO_REP      ppp echo-rep           409     12000  12000
64 PUNT_MLPPP_LCP             ppp mlppp-lcp          40a     12000  12000
65 PUNT_MLFR_CONTROL          frame-relay frf15     5e02     12000  12000
66 PUNT_MFR_CONTROL           frame-relay frf16     5e03     12000  12000
68 PUNT_REJECT_V6
rejectv6 aggregate
5900
2000
20000
10000
NPC1(currypanman-re0 vty)#
https://gnats.juniper.net/web/default/942816
This is the DDOS statistics output after PR942816 fix.
<-- No SCFD
lab@currypanman-re0> show ddos-protection protocols ip-fragments statistics
Packet types: 4, Received traffic: 2, Currently violated: 1
Protocol Group: IP-Fragments
Packet type: aggregate
System-wide information:
Aggregate bandwidth is never violated
Received:
11676370
Arrival rate:
11490 pps
Dropped:
9759087
953127
Arrival rate:
Dropped:
5603 pps
11676370
Arrival rate:
Dropped:
9759087
11490 pps
Arrival rate:
Dropped:
0 pps
Arrival rate:
Dropped:
0 pps
Arrival rate:
0 pps
Dropped:
11676370
Arrival rate:
Dropped:
9759087
11490 pps
953127
Arrival rate:
Dropped:
5603 pps
Violation last seen at:
11676370
Arrival rate:
11490 pps
9759087
9759087
Flow counts:
Aggregation level
Current
Total detected
State
Subscriber
Active
Logical-interface
Active
Physical-interface
Active
: Present Running
: None
CoS queues
Hold-times
: Up 0 ms, Down 0 ms
bytes
11466195340
0 bps
Output bytes
48
0 bps
packets:
11676370
0 pps
Output packets:
0 pps
Input
Transmit
----------
----------
L2 Packets
L3 Packets
953127
Drops
Netwk Fail
Queue Drops
Unknown
Coalesce
Coalesce Fail
Queue 0
Queue 1
Queue 2
----------
----------
----------
----------
Queue 3
L2 Packets
L3 Packets
High
Medium
Low
Discard
----------
----------
----------
----------
----------
L2 Packets
L3 Packets
953127
Drops
Queue Drops
Unknown
Coalesce
Coalesce Fail
: 0 (max is 4473)
Medium
: 0 (max is 4473)
Low
: 0 (max is 2236)
# of
proto on
loc
pass
drop
---
-----------
----------- --
------
--------
--------
159 4f00
ip-frag
aggregate
UKERN
953127
160 4f01
ip-frag
unclass..
N/A
---
---
---
---
---
161 4f02
ip-frag
first-frag
---
rate
pass
group
rate flows
UKERN
PFE-0
PFE-1
ip-frag
trail-frag
UKERN
953127
PFE-0
1917283
9759087
PFE-1
PFE Info:
configured: rate=20000 (pps) burst=20000 (pkts)
SCFD Info:
op-mode=automatic, state=normal, flags=0x1(never timeout, log)
detect-time=3000(ms), recover-time=60000(ms), timeout-time=300000(ms)
aggr-level
allowed
active
force
ctrl
sub
yes
yes
no
drop
rate(pps) flow-count
10
ifl
yes
yes
no
drop
10
ifd
yes
yes
no
drop
20000
total
---
---
PFE-0
PFE-1
UKERN
TOTAL
---------
---------
---------
---------
received
11676370
953127
11676370
arrived at policer
11676370
953127
--9759087
-----------------
9759087
---
---
---
---
---
---
---
total dropped
9759087
9759087
final passed
1917283
953127
953127
122585
9998
122585
arrival rate(pps)
max arvl rate(pps)
pass rate(pps)
NPC1(currypanman-re0 vty)#
Global Policer:
policer_nexthop: 0xC03C15360754B001
policer_result: 0x4CC84D48
dropped packets: 0
NPC1(currypanman-re0 vty)#
Counter
Packets
Pkt Rate
Bytes
Byte Rate
953127
973142667
9887
10094627
954269
974308649
Dropped (Force)
Dropped (Error)
: 0
: Present Running
: None
CoS queues
Hold-times
: Up 0 ms, Down 0 ms
bytes
5021080894
0 bps
Output bytes
0 bps
packets:
5113117
0 pps
Output packets:
0 pps
Input
Packet type: aggregate
System-wide information:
Aggregate bandwidth is never violated
Received:
5113117
Arrival rate:
Dropped:
5066511
0 pps
17786
Arrival rate:
Dropped:
0 pps
5113117
Arrival rate:
Dropped:
5066511
0 pps
4901638
Arrival rate:
Dropped:
0 pps
Arrival rate:
Dropped:
0 pps
Arrival rate:
0 pps
Dropped:
5113117
Arrival rate:
Dropped:
5066511
0 pps
Flow counts:
Aggregation level
Current
Total detected
Subscriber
Total
Policer is never violated
Received:
17786
Arrival rate:
0 pps
Dropped:
5113117
Arrival rate:
Dropped:
5066511
0 pps
164873
4901638
Flow counts:
Aggregation level
Current
Total detected
State
Subscriber
Active
Total
lab@currypanman-re0>
NPC1(currypanman-re0 vty)# show ddos policer ip-fragments stats
DDOS Policer Statistics:
arrival
idx prot
---
group
proto on
loc
pass
drop
----------- --
rate
pass
# of
rate flows
---
-----------
------
--------
--------
159 4f00
ip-frag
aggregate
UKERN
17786
160 4f01
ip-frag
unclass..
N/A
---
---
---
---
---
161 4f02
ip-frag
first-frag
UKERN
PFE-0
PFE-1
UKERN
17786
162 4f03
ip-frag
trail-frag
46606
5066511
PFE-1
SCFD Info:
op-mode=automatic, state=detect, flags=0x1(never timeout, log)
detect-time=3000(ms), recover-time=60000(ms), timeout-time=300000(ms)
aggr-level
allowed
active
force
ctrl
sub
yes
yes
no
drop
rate(pps) flow-count
10
ifl
yes
no
no
drop
10
ifd
yes
no
no
drop
20000
total
---
---
PFE-0
PFE-1
UKERN
TOTAL
---------
---------
---------
---------
5113117
17786
5113117
17786
---
211479
164873
164873
---
---
4901638
---
4901638
---
---
---
---
5066511
5066511
46606
17786
17786
122657
2159
122657
Packets
Pkt Rate
Bytes
Byte Rate
17786
18159506
8867
9053207
19953
20372013
Dropped (Force)
Dropped (Error)
Queue inst depth
: 0
Transmit
----------
----------
L2 Packets
L3 Packets
17786
Drops
Netwk Fail
Queue Drops
Unknown
Coalesce
Coalesce Fail
Queue 0
Queue 1
Queue 2
----------
----------
----------
L2 Packets
---------0
L3 Packets
High
Medium
Low
Discard
----------
----------
----------
----------
----------
L2 Packets
L3 Packets
17786
Drops
Queue Drops
Unknown
Coalesce
Coalesce Fail
: 0 (max is 4473)
Medium
: 0 (max is 4473)
Low
: 0 (max is 2236)
0x4CC84D48
0
Hostbound policer byte drops: 0
Aggregate policer packet drops: 164872 <-- ***
Aggregate policer byte drops: 164212512
Aggregate IPv6 policer packet drops: 0
Aggregate IPv6 policer byte drops: 0
NPC1(currypanman-re0 vty)#
The aggregate policer packet drop counter is always 1 less than the actual drop count in the above test. That's because it is
counted as a violation. When a policer is in normal mode (not yet detecting flows) and a violation is detected
(we are going to drop), the drop is converted to a violation report and sent to ukern. This drop is counted at the
violating policer but not at the global counter. These violations are never dropped and are not processed as the original
exception; they are only used as an indication of a policer violation. This was introduced in 12.3 with SCFD. Also, we could
keep sending these violation reports until the host acks receipt or we switch to flow detection. Apparently, in your test
case, the first violation got acked right away and you only lost one packet. The ack feature was just introduced in this PR
fix. We used to keep sending violation reports if we were not doing SCFD.
Type    Packets    Bytes
==================================================================
Packet Exceptions
---------------------
DDOS policer violation notifs    PUNT(15)    4224
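The counter accounting described above, as an added model that is not Juniper code and not part of the original document: a token-bucket policer whose violating packets become violation reports (counted at the policer, not at the global counter) until the host acks. The function and field names, the one-report-per-violating-packet behaviour and the offered traffic are assumptions for illustration; the rate and burst defaults are the 20000 pps / 20000 pkts shown in the PFE Info output.

```python
"""Added model of the policer drop accounting (illustrative, not Juniper code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Counters:
    passed: int = 0             # packets that conformed to the policer
    policer_drops: int = 0      # violations counted at the violating policer
    global_drops: int = 0       # what the global aggregate drop counter shows
    violation_reports: int = 0  # violations converted to reports for the host


def simulate(offered_pps: int, seconds: int, rate_pps: int = 20000,
             burst_pkts: int = 20000,
             ack_after_reports: Optional[int] = 1) -> Counters:
    """Run constant-rate traffic through a token-bucket policer.

    ack_after_reports is the number of violation reports sent before the
    host's ack takes effect (assumption: one report per violating packet
    until then). None models reports that are never acked.
    """
    # Integer token bucket, scaled by offered_pps: one packet costs
    # `offered_pps` units and one packet interval refills `rate_pps` units.
    # This avoids floating-point drift over long runs.
    cost = offered_pps
    depth = burst_pkts * offered_pps
    tokens = depth
    acked = False
    c = Counters()
    for i in range(offered_pps * seconds):
        if i:
            tokens = min(depth, tokens + rate_pps)
        if tokens >= cost:
            tokens -= cost
            c.passed += 1
            continue
        # Every violation is counted at the violating policer.
        c.policer_drops += 1
        if acked:
            # After the ack, violations are ordinary drops seen globally.
            c.global_drops += 1
        else:
            # Before the ack, the drop is turned into a violation report.
            c.violation_reports += 1
            if (ack_after_reports is not None
                    and c.violation_reports >= ack_after_reports):
                acked = True
    return c


def unexplained_gap(c: Counters) -> int:
    """Policer drops not explained by global drops plus violation reports."""
    return c.policer_drops - c.global_drops - c.violation_reports


if __name__ == "__main__":
    cases = (("ack after first report", 1),
             ("ack after 50 reports", 50),
             ("never acked", None))
    for label, ack in cases:
        c = simulate(offered_pps=100_000, seconds=2, ack_after_reports=ack)
        print(f"{label:24} policer={c.policer_drops} global={c.global_drops} "
              f"reports={c.violation_reports} gap={unexplained_gap(c)}")
```

When reconciling real counters, a non-zero gap between the violating policer's drops and the global counter that is not matched by the violation-notification exception count is the case worth investigating.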
Reference
1. http://www-in.juniper.net/eng/cvs_pdf/sw-projects/platform/trinity/pfe/host/host.doc
2. http://cvs.juniper.net/cgi-bin/viewcvs.cgi/*checkout*/sw-projects/platform/commonedge/arch/RLI15473-DDOS-SCFD-FS.pdf?rev=1.4
Changes
18-Nov-2013 (Rev 0) Initial Draft
13-Feb-2014 (Rev 1) Add changes under PR942816 and PR924807
26-Mar-2014 (Rev 2) Add MLP exception