Ddos

JUNIPER NETWORKS CONFIDENTIAL
DO NOT DISTRIBUTE

DDOS Implementation on MX Platform

- Steven Wong (JTAC)
Rev 2 (02-May-2014)
Introduction ........................................................................................................................................................................... 2
DDOS System Hierarchy ......................................................................................................................................................... 2
Policer Hierarchy .............................................................................................................................................................. 12
1. PUNT traffic with punt type ...................................................................................................................................... 34
2. PUNT traffic with subtype type ................................................................................................................................. 40
3. HBC traffic with subtype type ................................................................................................................................... 41
4. HBC traffic with hbc & other type ............................................................................................................................. 43
5. HBC type to PUNT type ............................................................................................................................................. 46
6. Aggregated policer under the same group ............................................................................................................... 48
7. HBC policer with exception traffic ............................................................................................................................ 49
Host Bound Queue Mapping ............................................................................................................................................ 56
uKern Level ....................................................................................................................................................................... 59
Routing Engine Level ........................................................................................................................................................ 65
Suspicious Control Flow Detection (SCFD) ...................................................................................................................... 66
DDOS Configuration Hierarchy ............................................................................................................................................. 80
Statistics/Errors .................................................................................................................................................................... 82
When DDOS Doesnt Seem To Work. ................................................................................................................................ 93
Major Upcoming Changes ................................................................................................................................................. 95
Reference ........................................................................................................................................................................... 118
Changes .............................................................................................................................................................................. 119

JUNIPER NETWORKS CONFIDENTIAL DO NOT DISTRIBUTE
Juniper Networks, Inc.
Introduction
DDOS protection infrastructure is introduced with the TRIO ASIC which is mainly used to monitor, inspect, classify and
police the host bound traffic flows to avoid any misbehaved flows from causing any unexpected host queue congestion in
different part of the system (ASIC, uKern and RE). This is enabled by default with user-configurable pre-defined threshold
for various packet types.
In this documents, we will go through the implementation of DDOS on MX platform with TRIO MPC and explain the how
the policers are applied on different part of the system. The followings are based on JUNOS 13.3 version.
DDOS System Hierarchy

Basically, the policer is being implemented on three different levels ASIC, uKern and Routing Engine. With Suspicious
Control Flow Detection (SCFD), we can even drop/policer on per-flow basis. In the followings, we will use a TRIO board
as an example.
Once the host bound traffic is received via the PUNT nexthop with different PUNT reasons, it will be tagged to a DDOS
protocol ID according to their packet type. If the packet is control packet, for example, an IPv4/IPv6 packet, the Host
bound classification filter (HBC) (ie. HOSTBOUND_IPv4_FILTER / HOSTBOUND_IPv6_FILTER) filter is used to further
look into the packet content like ip-protocol , source / destination port numbers to determine the packet type and further
classify a DDOS protocol ID for it.
Once the packet is tagged with the DDOS protocol ID, the corresponding policer will be applied to rate limit that specific
packet type. Here is the HOSTBOUND_IPv4_FILTER.
NPC2(Dokinchan-re0 vty)# show filter index 46137345 program
Filter index = 46137345
Optimization flag: 0x0
Filter notify host id = 0
Filter properties: None
Filter state = CONSISTENT
term HOSTBOUND_IGMP_TERM
term priority 0
payload-protocol
2
then
accept
ddos proto 69
term HOSTBOUND_OSPF_TERM
term priority 0
payload-protocol
89
then
accept
ddos proto 70

term HOSTBOUND_RSVP_TERM
term priority 0
payload-protocol
46
then
accept
ddos proto 71
term HOSTBOUND_PIM_TERM
term priority 0
payload-protocol
103
then
accept
ddos proto 72
term HOSTBOUND_DHCP_TERM
term priority 0
payload-protocol
17
destination-port
67-68
then
accept
ddos proto 24
term HOSTBOUND_RIP_TERM
term priority 0
payload-protocol
17
destination-port
520-521
then
accept
ddos proto 73
term HOSTBOUND_PTP_TERM
term priority 0
payload-protocol
17
destination-port
319-320
then
action next-hop, type (set ptp nh)
ddos proto 74
term HOSTBOUND_BFD_TERM1
term priority 0

payload-protocol
17
destination-port
3784-3785
then
action next-hop, type (inline keepalive BFD nh)
ddos proto 75
term HOSTBOUND_BFD_TERM2
term priority 0
payload-protocol
17
destination-port
4784
then
accept
ddos proto 75
term HOSTBOUND_LMP_TERM
term priority 0
payload-protocol
17
destination-port
701
then
accept
ddos proto 76
term HOSTBOUND_ANCP_TERM
term priority 0
payload-protocol
6
destination-port
6068
then
accept
ddos proto 85
term HOSTBOUND_LDP_TERM1
term priority 0
payload-protocol
6
destination-port
646
then
accept
ddos proto 77

term priority 0
payload-protocol
6
source-port
646
then
accept
ddos proto 77
term priority 0
payload-protocol
17
destination-port
646
then
accept
ddos proto 77
term priority 0
payload-protocol
17
source-port
646
then
accept
ddos proto 77
term HOSTBOUND_MSDP_TERM1
term priority 0
payload-protocol
6
destination-port
639
then
accept
ddos proto 78
term HOSTBOUND_MSDP_TERM2
term priority 0
payload-protocol
6
source-port
639
then
accept

ddos proto 78
term HOSTBOUND_BGP_TERM1
term priority 0
payload-protocol
6
destination-port
179
then
accept
ddos proto 79
term HOSTBOUND_BGP_TERM2
term priority 0
payload-protocol
6
source-port
179
then
accept
ddos proto 79
term HOSTBOUND_VRRP_TERM
term priority 0
payload-protocol
112
destination-address
224.0.0.18/32
then
action next-hop, type (inline keepalive VRRP nh)
ddos proto 80
term HOSTBOUND_TELNET_TERM1
term priority 0
payload-protocol
6
destination-port
23
then
accept
ddos proto 81
term HOSTBOUND_TELNET_TERM2
term priority 0
payload-protocol
6
source-port
23

then
accept
ddos proto 81
term HOSTBOUND_FTP_TERM1
term priority 0
payload-protocol
6
destination-port
20-21
then
accept
ddos proto 82
term HOSTBOUND_FTP_TERM2
term priority 0
payload-protocol
6
source-port
20-21
then
accept
ddos proto 82
term HOSTBOUND_SSH_TERM1
term priority 0
payload-protocol
6
destination-port
22
then
accept
ddos proto 83
term HOSTBOUND_SSH_TERM2
term priority 0
payload-protocol
6
source-port
22
then
accept
ddos proto 83
term HOSTBOUND_SNMP_TERM1
term priority 0
payload-protocol
17
destination-port
161
then
accept
ddos proto 84
term HOSTBOUND_SNMP_TERM2
term priority 0
payload-protocol
17
source-port
161
then
accept
ddos proto 84
term HOSTBOUND_DTCP_TERM
term priority 0
payload-protocol
17
destination-port
652
destination-address
224.0.0.36/32
then
accept
ddos proto 148
term HOSTBOUND_RADIUS_TERM_SERVER
term priority 0
payload-protocol
17
destination-port
1812
then
accept
ddos proto 151
term HOSTBOUND_RADIUS_TERM_ACCOUNT
term priority 0
payload-protocol
17
destination-port
1813
then
accept
ddos proto 152
term HOSTBOUND_RADIUS_TERM_AUTH
term priority 0
payload-protocol

17
destination-port
3799
then
accept
ddos proto 153
term HOSTBOUND_NTP_TERM
term priority 0
payload-protocol
17
destination-port
123
destination-address
224.0.1.1/32
then
accept
ddos proto 154
term HOSTBOUND_TACACS_TERM
term priority 0
payload-protocol
17
destination-port
49
then
accept
ddos proto 155
term HOSTBOUND_DNS_TERM1
term priority 0
payload-protocol
6
destination-port
53
then
accept
ddos proto 156
term HOSTBOUND_DNS_TERM2
term priority 0
payload-protocol
17
destination-port
53
then
accept
ddos proto 156

term HOSTBOUND_DIAMETER_TERM1
term priority 0
payload-protocol
6
destination-port
3868
then
accept
ddos proto 157
term HOSTBOUND_DIAMETER_TERM2
term priority 0
payload-protocol
132
destination-port
3868
then
accept
ddos proto 157
term HOSTBOUND_L2TP_TERM
term priority 0
payload-protocol
17
destination-port
1701
then
accept
ddos proto 162
term HOSTBOUND_GRE_TERM
term priority 0
payload-protocol
47
then
accept
ddos proto 163
term HOSTBOUND_ICMP_TERM
term priority 0
payload-protocol
1
then
accept
ddos proto 68
term HOSTBOUND_TCP_FLAGS_TERM_INITIAL
term priority 0
payload-protocol
10

6
tcp-flags
value & 0x12
= 0x02
then
accept
ddos proto 146
term HOSTBOUND_TCP_FLAGS_TERM_ESTAB
term priority 0
payload-protocol
6
tcp-flags
value & 0x14 != 0x00
then
accept
ddos proto 147
term HOSTBOUND_TCP_FLAGS_TERM_UNCLS
term priority 0
payload-protocol
6
tcp-flags
value & 0x3f != 0x00
then
accept
ddos proto 145
term HOSTBOUND_IP_FRAG_TERM_FIRST
term priority 0
is-fragment
value & 0x3fff
= 0x2000
then
accept
ddos proto 160
term HOSTBOUND_IP_FRAG_TERM_TRAIL
term priority 0
is-fragment
value & 0x1fff != 0x0000
then
accept
ddos proto 161
term HOSTBOUND_AMT_TERM1
term priority 0
payload-protocol
17
destination-port
2268
11
then
accept
ddos proto 198
term HOSTBOUND_AMT_TERM2
term priority 0
payload-protocol
17
source-port
2268
then
accept
ddos proto 198
term HOSTBOUND_IPV4_DEFAULT_TERM
term priority 0
then
accept
NPC2(Dokinchan-re0 vty)#
Policer Hierarchy
The DDOS configuration is mainly a combination of three different levels ASIC, uKern and Routing Engine. Each of
them will apply a rate limit on the corresponding packet type. The DDOS is enabled by default. Although it can be disabled
via a configuration knob, thats not recommended.
# set system ddos-protection global ?
Possible completions:
disable-fpc
Disable FPC policing for all protocols
disable-logging
Disable event logging for all protocols
disable-routing-engine
Disable Routing Engine policing for all protocols
However, if we disable the DDOS for a specific protocol, it doesnt mean that it will fail thru the other term within the
DDOS filter it just means that we will accept all those packets without policing.
Here are the protocols defined under the DDOS infrastructure.

# set system ddos-protection protocols ?
> amtv4
Configure AMT v4 control packets
> amtv6
Configure AMT v6 control packets
> ancp
Configure ANCP traffic
> ancpv6
Configure ANCPv6 traffic
+ apply-groups
Groups from which to inherit configuration data
+ apply-groups-except
Don't inherit configuration data from these groups
> arp
Configure ARP traffic
> atm
Configure ATM traffic
12

> bfd
Configure BFD traffic
> bfdv6
Configure BFDv6 traffic
> bgp
Configure BGP traffic
> bgpv6
Configure BGPv6 traffic
> demux-autosense
Configure demux autosense traffic
> dhcpv4
Configure DHCPv4 traffic
> dhcpv6
Configure DHCPv6 traffic
> diameter
Configure Diameter/Gx+ traffic
> dns
Configure DNS traffic
> dtcp
Configure dtcp traffic
> dynamic-vlan
Configure dynamic vlan exceptions
> egpv6
Configure EGPv6 traffic
> eoam
Configure EOAM traffic
> esmc
Configure ESMC traffic
> fab-probe
Configure fab out probe packets
> firewall-host
Configure packets via firewall 'send-to-host' action
> frame-relay
Configure frame relay control packets
> ftp
Configure FTP traffic
> ftpv6
Configure FTPv6 traffic
> gre
Configure GRE traffic
> icmp
Configure ICMP traffic
> icmpv6
Configure ICMPv6 traffic
> igmp
Configure IGMP traffic
> igmpv4v6
Configure IGMPv4-v6 traffic
> igmpv6
Configure IGMPv6 traffic
> inline-ka
Configure inline keepalive packets
> inline-svcs
Configure inline services
> ip-fragments
Configure IP-Fragments
> ip-options
Configure ip options traffic
> isis
Configure ISIS traffic
> jfm
Configure JFM traffic
> keepalive
Configure keepalive packets
> l2pt
Configure Layer 2 protocol tunneling
> l2tp
Configure l2tp traffic
> lacp
Configure LACP traffic
> ldp
Configure LDP traffic
> ldpv6
Configure LDPv6 traffic
> lldp
Configure LLDP traffic
> lmp
Configure LMP traffic
> lmpv6
Configure LMPv6 traffic
> mac-host
Configure L2-MAC configured 'send-to-host'
> mcast-snoop
Configure snooped multicast control traffic
> mlp
Configure MLP traffic
> msdp
Configure MSDP traffic
> msdpv6
Configure MSDPv6 traffic
> mvrp
Configure MVRP traffic
> ndpv6
Configure NDPv6 traffic
> ntp
Configure NTP traffic
> oam-lfm
Configure OAM-LFM traffic
13

> ospf
Configure OSPF traffic
> ospfv3v6
Configure OSPFv3v6 traffic
> pfe-alive
Configure pfe alive traffic
> pim
Configure PIM traffic
> pimv6
Configure PIMv6 traffic
> pmvrp
Configure PMVRP traffic
> pos
Configure POS traffic
> ppp
Configure PPP control traffic
> pppoe
Configure PPPoE control traffic
> ptp
Configure PTP traffic
> pvstp
Configure PVSTP traffic
> radius
Configure Radius traffic
> redirect
Configure packets to trigger ICMP redirect
> reject
Configure packets via 'reject' action
> rejectv6
Configure packets via 'rejectv6' action
> rip
Configure RIP traffic
> ripv6
Configure RIPv6 traffic
> rsvp
Configure RSVP traffic
> rsvpv6
Configure RSVPv6 traffic
> sample
Configure sampled traffic
> services
Configure services
> snmp
Configure SNMP traffic
> snmpv6
Configure SNMPv6 traffic
> ssh
Configure SSH traffic
> sshv6
Configure SSHv6 traffic
> stp
Configure STP traffic
> tacacs
Configure TACACS traffic
> tcp-flags
Configure packets with tcp flags
> telnet
Configure telnet traffic
> telnetv6
Configure telnet-v6 traffic
> ttl
Configure ttl traffic
> tunnel-fragment
Configure tunnel fragment
> unclassified
Configure unclassified host-bound traffic
> virtual-chassis
Configure virtual chassis traffic
> vrrp
Configure VRRP traffic
> vrrpv6
Configure VRRPv6 traffic
Lets take IPv4 unclassified packets (ie. host bound packet which doesnt fall into any of the pre-defined IPv4 protocol type
above) as an example. Under unclassified protocol type, we have separated policer configuration on per-packet host
bound notification type. (Note: The unclassified protocol type should cover IPv6 as well but I take out the IPv6 part to
simplify it a bit. Also, the flow- related configuration will be covered under the SCFD section.)
# set system ddos-protection protocols unclassified ?
> aggregate
Configure aggregate for all unclassified host-bound traffic
+ apply-groups
> control-layer2
Configure unclassified layer2 control packets
> control-v4
Configure unclassified v4 control packets
14

> filter-v4
Configure unclassified v4 filter action packets
> fw-host
Configure Unclassified send to host fw traffic
> host-route-v4
Configure unclassified v4 routing protocol and host packets
> mcast-copy
Configure Unclassified host copy due to multicast routing
> other
Configure all other unclassified packets
> resolve-v4
Configure unclassified v4 resolve packets
Under each notif type, we can define the policer rate and the burst size for the whole system (ie. Routing Engine level) or
under each FPC (uKern level). Under each FPC, each PFE (ie. ASIC level) will take the FPC policer configuration and
apply that on the ASIC level under LUchip as well.
# set system ddos-protection protocols unclassified host-route-v4 ?
bandwidth
Policer bandwidth (1..100000 packets per second)
burst
Policer burst size (1..100000 packets)
bypass-aggregate
Bypass aggregate policer
disable-fpc
Turn off policing on all fpc's
disable-logging
Disable event logging for protocol violation
> fpc
Turn off policing on routing engine
Flexible PIC Concentrator parameters
recover-time
Time for protocol to return to normal (1..3600 seconds)
# set system ddos-protection protocols unclassified host-route-v4 fpc 0 ?

bandwidth-scale
Bandwidth scale from 1% to 100% (1..100 percent)
burst-scale
Burst scale from 1% to 100% (1..100 percent)
disable-fpc
Turn off policing on this slot
> show ddos-protection protocols unclassified parameters

Packet types: 13, Modified: 0
* = User configured value
Protocol Group: Unclassified
Packet type: aggregate (Aggregate for unclassified host-bound traffic)
Aggregate policer configuration:
Bandwidth:
20000 pps
Burst:
20000 packets
Recover time:
300 seconds
Enabled:
Yes
Routing Engine information:

Bandwidth: 20000 pps, Burst: 20000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
15

Packet type: other (all other unclassified packets)
Individual policer configuration:
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Bypass aggregate: No
Packet type: resolve-v4 (unclassified v4 resolve packets)
Bandwidth:
5000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Packet type: resolve-v6 (unclassified v6 resolve packets)
Bandwidth:
5000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
16

Packet type: control-v4 (unclassified v4 control packets)
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Packet type: control-v6 (unclassified v6 control packets)
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Packet type: host-route-v4 (unclassified v4 routing protocol and host packet)
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
17

Packet type: host-route-v6 (unclassified v6 routing protocol and host packet)
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Packet type: filter-v4 (unclassified v4 filter action packets)
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Packet type: filter-v6 (unclassified v6 filter action packets)
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
18

Packet type: control-layer2 (unclassified layer2 control packets)
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Packet type: fw-host (Unclassified send to host fw traffic)
Bandwidth:
20000 pps
Burst:
20000 packets
Priority:
High
Recover time:
300 seconds
Enabled:
Yes
Packet type: mcast-copy ( Unclassified host copy due to multicast routing)
Bandwidth:
2000 pps
Burst:
10000 packets
Priority:
High
Recover time:
300 seconds
Enabled:
Yes
19

Here is the policer configuration under PFE.

# # show ddos policer configuration unclassified
DDOS Policer Configuration:
idx prot
---
group
UKERN-Config
PFE-Config
rate burst
rate burst
proto on Pri
--- ------------ ------------ -- -- ------ ----- ------ -----
176 5800
uncls
aggregate
Y Md
20000 20000
177 5801
uncls
other
Y Lo
2000 10000
2000 10000
---
---
178 5802
uncls
resolve-v4
Y Lo
5000 10000
5000 10000
179 5803
uncls
resolve-v6
Y Lo
5000 10000
5000 10000
180 5804
uncls
control-v4
Y Lo
2000 10000
2000 10000
181 5805
uncls
control-v6
Y Lo
2000 10000
2000 10000
182 5806
uncls
host-rt-v4
Y Lo
2000 10000
2000 10000
183 5807
uncls
host-rt-v6
Y Lo
2000 10000
2000 10000
184 5808
uncls
filter-v4
Y Lo
2000 10000
2000 10000
185 5809
uncls
filter-v6
Y Lo
2000 10000
2000 10000
186 580a
uncls
control-l2
Y Lo
2000 10000
2000 10000
187 580b
uncls
fw-host
Y Hi
20000 20000
20000 20000
188 580c
uncls
mcast-copy
Y Hi
2000 10000
2000 10000
We can find exactly the same thing for other protocols. For example, PPP.
# set system ddos-protection protocols ppp ?
> aggregate
Configure aggregate for all PPP control traffic
+ apply-groups
> authentication
Configure Authentication Protocol
> echo-rep
Configure LCP Echo Reply
> echo-req
Configure LCP Echo Request
> ipcp
Configure IP Control Protocol
> ipv6cp
Configure IPv6 Control Protocol
> isis
Configure ISIS Protocol
> lcp
Configure Link Control Protocol
> mlppp-lcp
Configure MLPPP LCP
> mplscp
Configure MPLS Control Protocol
> unclassified
Configure unclassified PPP control traffic
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ppp echo-req ?
+ apply-groups
20

bandwidth

burst
bypass-aggregate
Bypass aggregate policer
disable-fpc
disable-logging
> fpc
Turn off policing on routing engine
# show ddos policer configuration ppp

idx prot
---
group
proto on Pri
UKERN-Config
PFE-Config
rate burst
rate burst
--- ------------ ------------ -- -- ------ ----- ------ -----
400
ppp
aggregate
Y Md
401
ppp
unclass
Y Lo
16000 16000
402
ppp
lcp
Y Lo
403
ppp
auth
Y Md
2000
2000
2000
2000
404
ppp
ipcp
Y Hi
2000
2000
2000
2000
405
ppp
ipv6cp
Y Hi
2000
2000
2000
2000
10
406
ppp
mplscp
Y Hi
2000
2000
2000
2000
11
407
ppp
isis
Y Hi
2000
2000
2000
2000
12
408
ppp
echo-req
Y Lo
12000 12000
12000 12000
13
409
ppp
echo-rep
Y Lo
12000 12000
12000 12000
14
40a
ppp
mlppp-lcp
Y Lo
12000 12000
12000 12000
1000
500
12000 12000
---
---
1000
500
12000 12000
21

We will cover the relationship of the policers in each level under the following sections.
22

ASIC Level
The policer on ASIC is done by the LUchip. The following is a map of protocol type and policer being applied. Under
DDOS, each protocol / frame type will have an index and protocol ID defined (which is NOT the IPv4-protocol ID). The
DDOS policer will map the corresponding protocol / frame type to the corresponding protocol ID for classification.
Here is a list of each protocol type and the corresponding protocol ID and index. For each of them, there are uKern level
and PFE (ie. LUchip) level configurations. There is a priority for each protocol type but its only between the protocols
(For example, lcp, auth, ipcp..etc) under the same group (i.e. PPP).
# show ddos policer configuration all
idx prot
---
group
proto on Pri
UKERN-Config
PFE-Config
rate burst
rate burst
--- ------------ ------------ -- -- ------ ----- ------ -----
host-path
aggregate
Y --
100
ipv4-uncls
aggregate
200
ipv6-uncls
aggregate
300
dynvlan
400
5
6
---
---
25000 25000
Y Md
2000 10000
2000 10000
Y Md
2000 10000
2000 10000
aggregate
Y Lo
1000
500
1000
500
ppp
aggregate
Y Md
16000 16000
---
---
401
ppp
unclass
Y Lo
1000
500
402
ppp
lcp
Y Lo
403
ppp
auth
Y Md
2000
2000
2000
2000
404
ppp
ipcp
Y Hi
2000
2000
2000
2000
1000
12000 12000
405
ppp
ipv6cp
Y Hi
2000
2000
2000
2000
10
406
ppp
mplscp
Y Hi
2000
2000
2000
2000
11
407
ppp
isis
Y Hi
2000
2000
2000
2000
12
408
ppp
echo-req
Y Lo
12000 12000
12000 12000
13
409
ppp
echo-rep
Y Lo
12000 12000
12000 12000
14
40a
ppp
mlppp-lcp
Y Lo
12000 12000
12000 12000
15
500
pppoe
aggregate
Y Md
2000
2000
---
---
16
501
pppoe
unclass..
Y --
---
---
17
502
pppoe
padi
Y Lo
500
500
500
500
18
503
pppoe
pado
Y Lo
19
504
pppoe
padr
Y Md
500
500
500
500
20
505
pppoe
pads
Y Lo
21
506
pppoe
padt
Y Hi
1000
1000
1000
1000
22
507
pppoe
padm
Y Lo
23
508
pppoe
padn
Y Lo
24
600
dhcpv4
aggregate
Y Md
5000
5000
5000
5000
25
601
dhcpv4
unclass..
Y Lo
300
150
---
---
26
602
dhcpv4
discover
Y Lo
500
500
---
---
27
603
dhcpv4
offer
Y Lo
1000
1000
---
---
28
604
dhcpv4
request
Y Md
1000
1000
---
---
29
605
dhcpv4
decline
Y Lo
500
500
---
---
30
606
dhcpv4
ack
Y Md
500
500
---
---
31
607
dhcpv4
nak
Y Lo
500
500
---
---
32
608
dhcpv4
release
Y Hi
2000
2000
---
---
33
609
dhcpv4
inform
Y Lo
500
500
---
---
34
60a
dhcpv4
renew
Y Hi
2000
2000
---
---
500
12000 12000
23
35
60b
dhcpv4
forcerenew
Y Hi
2000
2000
---
---
36
60c
dhcpv4
leasequery
Y Hi
2000
2000
---
---
37
60d
dhcpv4
leaseuna..
Y Hi
2000
2000
---
---
38
60e
dhcpv4
leaseunk..
Y Hi
2000
2000
---
---
39
60f
dhcpv4
leaseact..
Y Hi
2000
2000
---
---
40
610
dhcpv4
bootp
Y Lo
300
300
---
---
41
611
dhcpv4
no-msgtype
Y Lo
1000
1000
---
---
42
612
dhcpv4
bad-pack..
Y Lo
---
---
43
700
dhcpv6
aggregate
Y Lo
5000
5000
5000
5000
44
701
dhcpv6
unclass..
Y Lo
3000
3000
---
---
45
702
dhcpv6
solicit
Y Lo
500
500
---
---
46
703
dhcpv6
advertise
Y Lo
500
500
---
---
47
704
dhcpv6
request
Y Md
1000
1000
---
---
48
705
dhcpv6
confirm
Y Md
1000
1000
---
---
49
706
dhcpv6
renew
Y Md
2000
2000
---
---
50
707
dhcpv6
rebind
Y Md
2000
2000
---
---
51
708
dhcpv6
reply
Y Md
1000
1000
---
---
52
709
dhcpv6
release
Y Hi
2000
2000
---
---
53
70a
dhcpv6
decline
Y Lo
1000
1000
---
---
54
70b
dhcpv6
reconfig
Y Lo
1000
1000
---
---
55
70c
dhcpv6
info..req
Y Lo
1000
1000
---
---
56
70d
dhcpv6
relay-for..
Y Lo
1000
1000
---
---
57
70e
dhcpv6
relay-rep..
Y Lo
1000
1000
---
---
58
70f
dhcpv6
leasequery
Y Lo
1000
1000
---
---
59
710
dhcpv6
leaseq..re
Y Lo
1000
1000
---
---
60
711
dhcpv6
leaseq..do
Y Lo
1000
1000
---
---
61
712
dhcpv6
leaseq..da
Y Lo
1000
1000
---
---
62
800
vchassis
aggregate
Y Lo
30000 30000
---
---
63
801
vchassis
unclass..
Y Lo
---
---
64
802
vchassis
control-hi
Y Hi
10000
5000
10000
5000
65
803
vchassis
control-lo
Y Lo
8000
3000
8000
3000
66
804
vchassis
vc-packets
Y Hi
67
805
vchassis
vc-ttl-err
Y Hi
4000 10000
4000 10000
68
900
icmp
aggregate
Y Hi
20000 20000
20000 20000
69
a00
igmp
aggregate
Y Hi
20000 20000
20000 20000
70
b00
ospf
aggregate
Y Hi
20000 20000
20000 20000
71
c00
rsvp
aggregate
Y Hi
20000 20000
20000 20000
72
d00
pim
aggregate
Y Hi
20000 20000
20000 20000
73
e00
rip
aggregate
Y Hi
20000 20000
20000 20000
74
f00
ptp
aggregate
Y Hi
20000 20000
20000 20000
75 1000
bfd
aggregate
Y Hi
20000 20000
20000 20000
76 1100
lmp
aggregate
Y Hi
20000 20000
20000 20000
77 1200
ldp
aggregate
Y Hi
20000 20000
20000 20000
78 1300
msdp
aggregate
Y Hi
20000 20000
20000 20000
79 1400
bgp
aggregate
Y Lo
20000 20000
20000 20000
80 1500
vrrp
aggregate
Y Hi
20000 20000
20000 20000
81 1600
telnet
aggregate
Y Lo
20000 20000
20000 20000
82 1700
ftp
aggregate
Y Lo
20000 20000
20000 20000
83 1800
ssh
aggregate
Y Lo
20000 20000
20000 20000
30000 30000
30000 30000
24
84 1900
snmp
aggregate
Y Lo
20000 20000
20000 20000
85 1a00
ancp
aggregate
Y Lo
20000 20000
20000 20000
86 1b00
igmpv6
aggregate
Y Hi
20000 20000
20000 20000
87 1c00
egpv6
aggregate
Y Hi
20000 20000
20000 20000
88 1d00
rsvpv6
aggregate
Y Hi
20000 20000
20000 20000
89 1e00
igmpv4v6
aggregate
Y Hi
20000 20000
20000 20000
90 1f00
ripv6
aggregate
Y Hi
20000 20000
20000 20000
91 2000
bfdv6
aggregate
Y Hi
20000 20000
20000 20000
92 2100
lmpv6
aggregate
Y Hi
20000 20000
20000 20000
93 2200
ldpv6
aggregate
Y Hi
20000 20000
20000 20000
94 2300
msdpv6
aggregate
Y Hi
20000 20000
20000 20000
95 2400
bgpv6
aggregate
Y Lo
20000 20000
20000 20000
96 2500
vrrpv6
aggregate
Y Hi
20000 20000
20000 20000
97 2600
telnetv6
aggregate
Y Lo
20000 20000
20000 20000
98 2700
ftpv6
aggregate
Y Lo
20000 20000
20000 20000
99 2800
sshv6
aggregate
Y Lo
20000 20000
20000 20000
100 2900
snmpv6
aggregate
Y Lo
20000 20000
20000 20000
101 2a00
ancpv6
aggregate
Y Lo
20000 20000
20000 20000
102 2b00
ospfv3v6
aggregate
Y Hi
20000 20000
20000 20000
103 2c00
lacp
aggregate
Y Hi
20000 20000
20000 20000
104 2d00
stp
aggregate
Y Hi
20000 20000
20000 20000
105 2e00
esmc
aggregate
Y Hi
20000 20000
20000 20000
106 2f00
oam-lfm
aggregate
Y Hi
20000 20000
20000 20000
107 3000
eoam
aggregate
Y Hi
20000 20000
20000 20000
108 3100
lldp
aggregate
Y Hi
20000 20000
20000 20000
109 3200
mvrp
aggregate
Y Hi
20000 20000
20000 20000
110 3300
pmvrp
aggregate
Y Hi
20000 20000
20000 20000
111 3400
arp
aggregate
Y Lo
20000 20000
20000 20000
112 3500
pvstp
aggregate
Y Hi
20000 20000
20000 20000
113 3600
isis
aggregate
Y Hi
20000 20000
20000 20000
114 3700
pos
aggregate
Y Hi
20000 20000
20000 20000
115 3800
mlp
aggregate
Y Lo
2000 10000
116 3801
mlp
unclass..
Y Lo
2000 10000
2000 10000
117 3802
mlp
packets
Y Lo
2000 10000
2000 10000
118 3803
mlp
aging-exc
Y Lo
2000 10000
119 3900
jfm
aggregate
Y Hi
20000 20000
---
---
---
20000 20000
120 3a00
atm
aggregate
Y Hi
20000 20000
20000 20000
121 3b00
pfe-alive
aggregate
Y Hi
20000 20000
20000 20000
2000 10000
122 3c00
ttl
aggregate
Y Hi
2000 10000
123 3d00
ip-opt
aggregate
Y Hi
20000 20000
124 3d01
ip-opt
unclass..
Y Lo
10000 10000
10000 10000
125 3d02
ip-opt
rt-alert
Y Hi
20000 20000
20000 20000
10000 10000
126 3d03
ip-opt
non-v4v6
Y Lo
10000 10000
127 3e00
redirect
aggregate
Y Hi
2000 10000
128 3f00
control
aggregate
Y --
129 4000
mcast-copy
aggregate
130 4100
mac-host
131 4200
tun-frag
132 4300
mcast-snoop
---
---
---
2000 10000
---
20000 20000
Y Hi
2000 10000
2000 10000
aggregate
Y Hi
20000 20000
20000 20000
aggregate
Y Hi
2000 10000
2000 10000
aggregate
Y Hi
20000 20000
20000 20000
---
25
133 4301
mcast-snoop
unclass..
Y --
134 4302
mcast-snoop
igmp
Y Hi
20000 20000
---
20000 20000
135 4303
mcast-snoop
pim
Y Lo
20000 20000
20000 20000
136 4304
mcast-snoop
mld
Y Hi
20000 20000
20000 20000
137 4400
services
aggregate
Y Hi
20000 20000
138 4401
services
unclass..
Y --
139 4402
services
packet
140 4403
services
BSDT
141 4500
demuxauto
142 4600
---
---
---
---
20000 20000
Y Hi
20000 20000
20000 20000
Y Lo
20000 20000
20000 20000
aggregate
Y Hi
2000 10000
2000 10000
reject
aggregate
Y Hi
2000 10000
2000 10000
143 4700
fw-host
aggregate
Y Hi
20000 20000
20000 20000
144 4800
tcp-flags
aggregate
Y Lo
20000 20000
145 4801
tcp-flags
unclass..
Y Lo
20000 20000
20000 20000
146 4802
tcp-flags
initial
Y Lo
20000 20000
20000 20000
147 4803
tcp-flags
establish
Y Lo
20000 20000
20000 20000
148 4900
dtcp
aggregate
Y Hi
20000 20000
20000 20000
149 4a00
radius
aggregate
Y Hi
20000 20000
150 4a01
radius
unclass..
Y --
151 4a02
radius
server
152 4a03
radius
account..
153 4a04
radius
154 4b00
---
---
---
---
---
---
20000 20000
Y Hi
20000 20000
20000 20000
Y Hi
20000 20000
20000 20000
auth..
Y Hi
20000 20000
20000 20000
ntp
aggregate
Y Hi
20000 20000
20000 20000
155 4c00
tacacs
aggregate
Y Hi
20000 20000
20000 20000
156 4d00
dns
aggregate
Y Hi
20000 20000
20000 20000
157 4e00
diameter
aggregate
Y Hi
20000 20000
20000 20000
158 4f00
ip-frag
aggregate
Y Lo
20000 20000
159 4f01
ip-frag
unclass..
Y --
---
20000 20000
160 4f02
ip-frag
first-frag
Y Lo
20000 20000
20000 20000
161 4f03
ip-frag
trail-frag
Y Lo
20000 20000
20000 20000
162 5000
l2tp
aggregate
Y Hi
20000 20000
20000 20000
163 5100
gre
aggregate
Y Hi
20000 20000
164 5200
ipsec
aggregate
Y --
165 5300
pimv6
aggregate
166 5400
icmpv6
aggregate
167 5500
ndpv6
168 5600
sample
169 5601
---
---
---
---
20000 20000
---
20000 20000
Y Hi
20000 20000
20000 20000
Y Hi
20000 20000
20000 20000
aggregate
Y Lo
20000 20000
20000 20000
aggregate
Y Md
1000
1000
---
sample
unclass..
Y --
---
---
170 5602
sample
syslog
Y Md
1000
1000
1000
1000
171 5603
sample
host
Y Md
1000
1000
1000
1000
172 5604
sample
pfe
Y Md
1000
1000
1000
1000
173 5605
sample
tap
Y Md
1000
1000
1000
1000
174 5606
sample
sflow
Y Md
1000
1000
1000
1000
175 5700
fab-probe
aggregate
Y Hi
20000 20000
176 5800
uncls
aggregate
Y Md
20000 20000
177 5801
uncls
other
Y Lo
2000 10000
2000 10000
178 5802
uncls
resolve-v4
Y Lo
5000 10000
5000 10000
179 5803
uncls
resolve-v6
Y Lo
5000 10000
5000 10000
180 5804
uncls
control-v4
Y Lo
2000 10000
2000 10000
181 5805
uncls
control-v6
Y Lo
2000 10000
2000 10000
---
---
20000 20000
---
---
26

182 5806
uncls
host-rt-v4
Y Lo
2000 10000
2000 10000
183 5807
uncls
host-rt-v6
Y Lo
2000 10000
2000 10000
184 5808
uncls
filter-v4
Y Lo
2000 10000
2000 10000
185 5809
uncls
filter-v6
Y Lo
2000 10000
2000 10000
186 580a
uncls
control-l2
Y Lo
2000 10000
2000 10000
187 580b
uncls
fw-host
Y Hi
20000 20000
20000 20000
188 580c
uncls
mcast-copy
Y Hi
2000 10000
2000 10000
189 5900
rejectv6
aggregate
Y Hi
2000 10000
2000 10000
190 5a00
l2pt
aggregate
Y Lo
20000 20000
20000 20000
191 5b00
keepalive
aggregate
Y Hi
20000 20000
20000 20000
192 5c00
inline-ka
aggregate
Y Hi
20000 20000
20000 20000
193 5d00
inline-svcs
aggregate
Y Lo
20000 20000
20000 20000
194 5e00
frame-relay
aggregate
Y Lo
20000 20000
20000 20000
195 5e01
frame-relay
unclass..
Y --
196 5e02
frame-relay
frf15
Y Lo
12000 12000
12000 12000
197 5e03
frame-relay
frf16
Y Lo
12000 12000
12000 12000
198 5f00
amtv4
aggregate
Y Lo
20000 20000
20000 20000
199 6000
amtv6
aggregate
Y Lo
20000 20000
20000 20000
---
---
Each protocol will be associated to different policers under different levels. Here is a nexthop and host bound queue under
MQ mapping for each PUNT traffic type.
# show ddos asic punt-proto-maps
PUNT codes directly mapped to DDOS proto:
code PUNT name
---- -------------------1 PUNT_TTL
3 PUNT_REDIRECT
burst
ttl aggregate
3c00
2000
10000
redirect aggregate
3e00
2000
10000
fab-probe aggregate
5700
20000
20000
7 PUNT_MAC_FWD_TYPE_HOST
mac-host aggregate
4100
20000
20000
8 PUNT_TUNNEL_FRAGMENT
tun-frag aggregate
4200
2000
10000
3802
2000
10000
12 PUNT_IGMP_SNOOP
13 PUNT_VC_TTL_ERROR
14 PUNT_L2PT_ERROR
18 PUNT_PIM_SNOOP
35 PUNT_AUTOSENSE
38 PUNT_SERVICES
39 PUNT_DEMUXAUTOSENSE
mlp packets
mcast-snoop igmp
vchassis vc-ttl-err
l2pt aggregate
mcast-snoop pim
dynvlan aggregate
services BSDT
4302
805
5a00
4303
20000
20000
4000
10000
20000
20000
20000
20000
300
1000
500
4403
20000
20000
demuxauto aggregate
4500
2000
10000
40 PUNT_REJECT
reject aggregate
4600
2000
10000
41 PUNT_SAMPLE_SYSLOG
sample syslog
5602
1000
1000
42 PUNT_SAMPLE_HOST
sample host
5603
1000
1000
43 PUNT_SAMPLE_PFE
sample pfe
5604
1000
1000
44 PUNT_SAMPLE_TAP
sample tap
5605
1000
1000
45 PUNT_PPPOE_PADI
pppoe padi
502
500
500
46 PUNT_PPPOE_PADR
pppoe padr
504
500
500
47 PUNT_PPPOE_PADT
pppoe padt
506
1000
1000
48 PUNT_PPP_LCP
ppp lcp
402
12000
12000
49 PUNT_PPP_AUTH
ppp auth
403
2000
2000
idx q# bwidth
---- -- ------ ------
5 PUNT_FAB_OUT_PROBE_PKT
11 PUNT_MLP
group proto
--------- ------
27

50 PUNT_PPP_IPV4CP
ppp ipcp
404
2000
2000
51 PUNT_PPP_IPV6CP
ppp ipv6cp
405
2000
2000
52 PUNT_PPP_MPLSCP
ppp mplscp
406
2000
2000
53 PUNT_PPP_UNCLASSIFIED_CP
ppp unclass
401
1000
500
55 PUNT_VC_HI
vchassis control-hi
802
10000
5000
56 PUNT_VC_LO
vchassis control-lo
803
8000
3000
407
2000
2000
5b00
20000
20000
12000
57 PUNT_PPP_ISIS
ppp isis
58 PUNT_KEEPALIVE
keepalive aggregate
59 PUNT_SEND_TO_HOST_FW_INLINE_SVCS inline-svcs aggregate

60 PUNT_PPP_LCP_ECHO_REQ
61 PUNT_INLINE_KA
ppp echo-req
inline-ka aggregate
63 PUNT_PPP_LCP_ECHO_REP
64 PUNT_MLPPP_LCP
408
5d00
20000
5c00
20000
20000
ppp echo-rep
409
12000
12000
ppp mlppp-lcp
40a
12000
12000
65 PUNT_MLFR_CONTROL
frame-relay frf15
66 PUNT_MFR_CONTROL
frame-relay frf16
5e02
5e03
12000
12000
12000
12000
68 PUNT_REJECT_V6
rejectv6 aggregate
5900
2000
10000
70 PUNT_SEND_TO_HOST_SVCS
services packet
4402
20000
20000
5606
1000
1000
71 PUNT_SAMPLE_SFLOW
sample sflow
20000
12000
PUNT's that go through HBC. See following parsed proto

code PUNT name
---- ------------2 PUNT_OPTIONS
4 PUNT_CONTROL
6 PUNT_HOST_COPY
11 PUNT_MLP
|---------------+
32 PUNT_PROTOCOL
33 PUNT_RESOLVE
34 PUNT_RECEIVE
36 PUNT_REJECT_FW
54 PUNT_SEND_TO_HOST_FW |
69 PUNT_RESOLVE_V6
|
|
|
-----------------------------------------------------------------type
subtype
------ ---------contrl LACP

contrl STP
contrl ESMC
burst
lacp aggregate
2c00
20000
20000
stp aggregate
2d00
20000
20000
esmc aggregate
2e00
20000
20000
2f00
20000
20000
contrl EOAM
eoam aggregate
3000
20000
20000
contrl LLDP
lldp aggregate
3100
20000
20000
contrl MVRP
contrl PMVRP
contrl ARP
contrl PVSTP
contrl ISIS
mvrp aggregate
3200
20000
20000
pmvrp aggregate
3300
20000
20000
arp aggregate
3400
20000
20000
pvstp aggregate
3500
20000
20000
20000
isis aggregate
3600
20000
contrl POS
pos aggregate
3700
20000
20000
contrl MLP
mlp packets
3802
2000
10000
idx q# bwidth
---- -- ------ ------
oam-lfm aggregate
contrl OAM_LFM
group proto
---------- ----------
28

contrl JFM
jfm aggregate
3900
20000
20000
contrl ATM
atm aggregate
3a00
20000
20000
contrl PFE_ALIVE
pfe-alive aggregate
3b00
20000
20000
filter ipv4
dhcpv4 aggregate
600
5000
5000
filter ipv6
dhcpv6 aggregate
700
5000
5000
filter ipv4
icmp aggregate
900
20000
20000
filter ipv4
igmp aggregate
a00
20000
20000
filter ipv4
ospf aggregate
b00
20000
20000
filter ipv4
rsvp aggregate
c00
20000
20000
filter ipv4
pim aggregate
d00
20000
20000
filter ipv4
rip aggregate
e00
20000
20000
filter ipv4
ptp aggregate
f00
20000
20000
filter ipv4
bfd aggregate
1000
20000
20000
filter ipv4
lmp aggregate
1100
20000
20000
filter ipv4
ldp aggregate
1200
20000
20000
filter ipv4
msdp aggregate
1300
20000
20000
filter ipv4
bgp aggregate
1400
20000
20000
filter ipv4
vrrp aggregate
1500
20000
20000
filter ipv4
telnet aggregate
1600
20000
20000
filter ipv4
ftp aggregate
1700
20000
20000
filter ipv4
ssh aggregate
1800
20000
20000
filter ipv4
snmp aggregate
1900
20000
20000
filter ipv4
ancp aggregate
1a00
20000
20000
filter ipv6
igmpv6 aggregate
1b00
20000
20000
filter ipv6
egpv6 aggregate
1c00
20000
20000
filter ipv6
rsvpv6 aggregate
1d00
20000
20000
filter ipv6
igmpv4v6 aggregate
1e00
20000
20000
filter ipv6
ripv6 aggregate
1f00
20000
20000
filter ipv6
bfdv6 aggregate
2000
20000
20000
filter ipv6
lmpv6 aggregate
2100
20000
20000
filter ipv6
ldpv6 aggregate
2200
20000
20000
filter ipv6
msdpv6 aggregate
2300
20000
20000
filter ipv6
bgpv6 aggregate
2400
20000
20000
filter ipv6
vrrpv6 aggregate
2500
20000
20000
filter ipv6
telnetv6 aggregate
2600
20000
20000
filter ipv6
ftpv6 aggregate
2700
20000
20000
filter ipv6
sshv6 aggregate
2800
20000
20000
filter ipv6
snmpv6 aggregate
2900
20000
20000
filter ipv6
ancpv6 aggregate
2a00
20000
20000
filter ipv6
ospfv3v6 aggregate
2b00
20000
20000
filter ipv4
tcp-flags unclass..
4801
20000
20000
filter ipv4
tcp-flags initial
4802
20000
20000
filter ipv4
tcp-flags establish
4803
20000
20000
filter ipv4
dtcp aggregate
4900
20000
20000
filter ipv4
radius server
4a02
20000
20000
filter ipv4
radius account..
4a03
20000
20000
filter ipv4
radius auth..
4a04
20000
20000
filter ipv4
ntp aggregate
4b00
20000
20000
filter ipv4
tacacs aggregate
4c00
20000
20000
29

filter ipv4
dns aggregate
4d00
20000
20000
filter ipv4
diameter aggregate
4e00
20000
20000
filter ipv4
ip-frag first-frag
4f02
20000
20000
filter ipv4
ip-frag trail-frag
4f03
20000
20000
filter ipv4
l2tp aggregate
5000
20000
20000
filter ipv4
gre aggregate
5100
20000
20000
filter ipv4
ipsec aggregate
5200
20000
20000
filter ipv6
pimv6 aggregate
5300
20000
20000
filter ipv6
icmpv6 aggregate
5400
20000
20000
filter ipv6
ndpv6 aggregate
5500
20000
20000
filter ipv4
amtv4 aggregate
5f00
20000
20000
filter ipv6
amtv6 aggregate
6000
20000
20000
option rt-alert
ip-opt rt-alert
3d02
20000
20000
option unclass
ip-opt unclass..
3d01
10000
10000
Here, the violation report message is one of the notification to the PPC. Hence, its also rate limited too 100pps by default.
#define DDOS_VIOL_REPORT_RATE 100 /* 100 reports/sec */
# show ddos asic nexthops
[LU:Prot:Idx]:
policer-nh
ddos-nh p-result
cntr-nh ctr-addr type
[-----------]:
----------
-------
------- ----
[ 0:----:ind]:
[ 0:
-------
c004017e078c0001
e0145f000010000 4817d180
c0f278
802f viol-report
0:
0]:
c0040096078c1001
0 4817d130
c0f270
8012 hbc & others
[ 0: 100:
1]:
c004016e078c2001
0 4817d0b8
c0f268
802d punt
[ 0: 200:
2]:
c004009e078c3001
0 4817d040
c0f260
8013 punt
[ 0: 300:
3]:
c00400ae078ff001
e01452000010000 4817cfc8
c0f200
8015 punt
[ 0: 400:
4]:
c0040156078fe001
0 4817cf50
c0f208
802a hbc & others
[ 0: 401:
5]:
c00400b6078c4001
e02eba000010000 4817ced8
c0f210
8016 punt
[ 0: 402:
6]:
c004013e078fd001
e02ea4000010000 4817ce60
c0f258
8027 punt
[ 0: 403:
7]:
c004012e078c5001
e02ea5000010000 4817cde8
c0f218
8025 punt
[ 0: 404:
8]:
c00400be078c6001
e02ebc000010000 4817cd70
c0f220
8017 punt
[ 0: 405:
9]:
c00400ce078fc001
e02ebb000010000 4817ccf8
c0f250
8019 punt
[ 0: 406: 10]:
c004011e078c7001
e02ea6000010000 4817cc80
c0f228
8023 punt
[ 0: 407: 11]:
c0040116078c8001
e02eb4000010000 4817cc08
c0f248
8022 punt
[ 0: 408: 12]:
c004010e078c9001
e023f5800020000 4817cb90
c0f240
8021 punt
[ 0: 409: 13]:
c00400fe078ca001
e023ef800020000 4817cb18
c0f230
801f punt
[ 0: 40a: 14]:
c00400f6078fb001
e02eac000010000 4817caa0
c0f238
801e punt
[ 0: 500: 15]:
c03c0a0e078fa001
0 4817ca28
c0f2f8
78141 hbc & others
[ 0: 501: 16]:
c03c0bf6078f9001
0 4817c9b0
c0f280
7817e hbc & others
[ 0: 502: 17]:
c03c0a1e078f8001
e02ebf000010000 4c3df968
c0f2f0
78143 punt
[ 0: 503: 18]:
c03c0a26078f7001
0 4c3df8f0
c0f288
78144 hbc & others
[ 0: 504: 19]:
c03c0bde078f6001
e02ebe000010000 4c3df878
c0f290
7817b punt
[ 0: 505: 20]:
c03c0bd6078cb001
0 4c3df800
c0f298
7817a hbc & others
[ 0: 506: 21]:
c03c0bc6078f5001
e02ebd000010000 4c3df788
c0f2e8
78178 punt
[ 0: 507: 22]:
c03c0a36078cc001
0 4c3df710
c0f2a0
78146 hbc & others
[ 0: 508: 23]:
c03c0a3e078cd001
0 4c3df698
c0f2e0
78147 hbc & others
[ 0: 600: 24]:
c03c0ba6078ce001
0 4c3df620
c0f2d8
78174 hbc & others
[ 0: 601: 25]:
c03c0b96078cf001
0 4c3df5a8
c0f2a8
78172 hbc & others
30

[ 0: 602: 26]:
c03c0a46078d0001
0 4c3df530
c0f2d0
78148 hbc & others
[ 0: 603: 27]:
c03c0b7e078f4001
0 4c3df4b8
c0f2c8
7816f hbc & others
[ 0: 604: 28]:
c03c0b76078f3001
0 4c3df440
c0f2b0
7816e hbc & others
[ 0: 605: 29]:
c03c0a5e078f2001
0 4c3df3c8
c0f2b8
7814b hbc & others
[ 0: 606: 30]:
c03c0b66078d1001
0 4c3df350
c0f2c0
7816c hbc & others
[ 0: 607: 31]:
c03c0b56078f1001
0 4c3df2d8
c0f300
7816a hbc & others
[ 0: 608: 32]:
c03c0b46078d2001
0 4c3df260
c0f308
78168 hbc & others
[ 0: 609: 33]:
c03c0a66078d3001
0 4c3df1e8
c0f378
7814c hbc & others
[ 0: 60a: 34]:
c03c0a6e078f0001
0 4c3df170
c0f310
7814d hbc & others
[ 0: 60b: 35]:
c03c0a7e078d4001
0 4c3df0f8
c0f370
7814f hbc & others
[ 0: 60c: 36]:
c03c0b26078d5001
0 4c3df080
c0f368
78164 hbc & others
[ 0: 60d: 37]:
c03c0b16078d6001
0 4c3df008
c0f318
78162 hbc & others
[ 0: 60e: 38]:
c03c0a8e078d7001
0 4c3def90
c0f320
78151 hbc & others
[ 0: 60f: 39]:
c03c0b06078d8001
0 4c3def18
c0f328
78160 hbc & others
[ 0: 610: 40]:
c03c0a9e078ef001
0 4c3deea0
c0f330
78153 hbc & others
[ 0: 611: 41]:
c03c0aae078ee001
0 4c3dee28
c0f360
78155 hbc & others
[ 0: 612: 42]:
c03c0af6078ed001
0 4c3dedb0
c0f338
7815e hbc & others
[ 0: 700: 43]:
c03c0ab6078d9001
0 4c3ded38
c0f358
78156 hbc & others
[ 0: 701: 44]:
c03c0abe078ec001
0 4c3decc0
c0f340
78157 hbc & others
[ 0: 702: 45]:
c03c0ad6078da001
0 4c3dec48
c0f350
7815a hbc & others
[ 0: 703: 46]:
c03c0ac6078eb001
0 4c3debd0
c0f348
78158 hbc & others
[ 0: 704: 47]:
c03c0dfe078db001
0 4c3deb58
c0f380
781bf hbc & others
[ 0: 705: 48]:
c03c0c0e078dc001
0 4c3deae0
c0f388
78181 hbc & others
[ 0: 706: 49]:
c03c0c16078dd001
0 4c3dea68
c0f3f8
78182 hbc & others
[ 0: 707: 50]:
c03c0dde078ea001
0 4c3de9f0
c0f390
781bb hbc & others
[ 0: 708: 51]:
c03c0c1e078de001
0 4c3de978
c0f3f0
78183 hbc & others
[ 0: 709: 52]:
c03c0dce078e9001
0 4c3de900
c0f398
781b9 hbc & others
[ 0: 70a: 53]:
c03c0c2e078e8001
0 4c3de888
c0f3a0
78185 hbc & others
[ 0: 70b: 54]:
c03c0db6078df001
0 4c3de810
c0f3a8
781b6 hbc & others
[ 0: 70c: 55]:
c03c0c3e078e0001
0 4c3de798
c0f3b0
78187 hbc & others
[ 0: 70d: 56]:
c03c0c46078e7001
0 4c3de720
c0f3e8
78188 hbc & others
[ 0: 70e: 57]:
c03c0da6078e1001
0 4c3de6a8
c0f3b8
781b4 hbc & others
[ 0: 70f: 58]:
c03c0d96078e6001
0 4c3de630
c0f3e0
781b2 hbc & others
[ 0: 710: 59]:
c03c0d8e078e2001
0 4c3de5b8
c0f3d8
781b1 hbc & others
[ 0: 711: 60]:
c03c0d7e078e3001
0 4c3de540
c0f3c0
781af hbc & others
[ 0: 712: 61]:
c03c0c66078e5001
0 4c3de4c8
c0f3c8
7818c hbc & others
[ 0: 800: 62]:
c03c0d6e078e4001
0 4c3de450
c0f3d0
781ad hbc & others
[ 0: 801: 63]:
c03c0c6e07a3f001
0 4c3de3d8
c0f4f8
7818d hbc & others
[ 0: 802: 64]:
c03c0c7607a00001
e02eb6000010000 4c3de360
c0f480
7818e punt
[ 0: 803: 65]:
c03c0d5607a3e001
e02ea9000010000 4c3de2e8
c0f488
781aa punt
[ 0: 804: 66]:
c03c0d4607a3d001
0 4c3de270
c0f490
781a8 hbc & others
[ 0: 805: 67]:
c03c0c8e07a01001
e02eb5000010000 4c3de1f8
c0f4f0
78191 punt
[ 0: 900: 68]:
c03c0c9e07a3c001
0 4c3de180
c0f4e8
78193 hbc & others
[ 0: a00: 69]:
c03c0ca607a3b001
0 4c3de108
c0f4e0
78194 hbc & others
[ 0: b00: 70]:
c03c0d2e07a3a001
0 4c3de090
c0f498
781a5 hbc & others
[ 0: c00: 71]:
c03c0cae07a39001
0 4c3de018
c0f4a0
78195 hbc & others
[ 0: d00: 72]:
c03c0cbe07a02001
0 4c3ddfa0
c0f4a8
78197 hbc & others
[ 0: e00: 73]:
c03c0cc607a03001
0 4c3ddf28
c0f4d8
78198 hbc & others
[ 0: f00: 74]:
c03c0cd607a04001
0 4c3ddeb0
c0f4b0
7819a hbc & others
31

[ 0:1000: 75]:
c03c0d1607a38001
0 4c3dde38
c0f4b8
781a2 hbc & others
[ 0:1100: 76]:
c03c0d0607a37001
0 4c3dddc0
c0f4c0
781a0 hbc & others
[ 0:1200: 77]:
c03c0ce607a36001
0 4c3ddd48
c0f4d0
7819c hbc & others
[ 0:1300: 78]:
c03c0cf607a35001
0 4c3ddcd0
c0f4c8
7819e hbc & others
[ 0:1400: 79]:
c03c0ffe07a05001
0 4c3ddc58
c0f500
781ff hbc & others
[ 0:1500: 80]:
c03c0e1607a06001
0 4c3ddbe0
c0f578
781c2 hbc & others
[ 0:1600: 81]:
c03c0ff607a34001
0 4c3ddb68
c0f508
781fe hbc & others
[ 0:1700: 82]:
c03c0fe607a33001
0 4c3ddaf0
c0f510
781fc hbc & others
[ 0:1800: 83]:
c03c0fd607a07001
0 4c3dda78
c0f518
781fa hbc & others
[ 0:1900: 84]:
c03c0fc607a08001
0 4c3dda00
c0f570
781f8 hbc & others
[ 0:1a00: 85]:
c03c0e2e07a09001
0 4c3eb9d0
c0f568
781c5 hbc & others
[ 0:1b00: 86]:
c03c0e3607a32001
0 4c3eb958
c0f560
781c6 hbc & others
[ 0:1c00: 87]:
c03c0e3e07a31001
0 4c3eb8e0
c0f558
781c7 hbc & others
[ 0:1d00: 88]:
c03c0fae07a0a001
0 4c3eb868
c0f520
781f5 hbc & others
[ 0:1e00: 89]:
c03c0f9e07a0b001
0 4c3eb7f0
c0f528
781f3 hbc & others
[ 0:1f00: 90]:
c03c0e5607a30001
0 4c3eb778
c0f530
781ca hbc & others
[ 0:2000: 91]:
c03c0e6607a0c001
0 4c3eb700
c0f550
781cc hbc & others
[ 0:2100: 92]:
c03c0e7607a2f001
0 4c3eb688
c0f538
781ce hbc & others
[ 0:2200: 93]:
c03c0f9607a0d001
0 4c3eb610
c0f548
781f2 hbc & others
[ 0:2300: 94]:
c03c0f8e07a2e001
0 4c3eb598
c0f540
781f1 hbc & others
[ 0:2400: 95]:
c03c0f7e07a2d001
0 4c3eb520
c0f5f8
781ef hbc & others
[ 0:2500: 96]:
c03c0f6e07a0e001
0 4c3eb4a8
c0f5f0
781ed hbc & others
[ 0:2600: 97]:
c03c0f6607a0f001
0 4c3eb430
c0f5e8
781ec hbc & others
[ 0:2700: 98]:
c03c0f5e07a2c001
0 4c3eb3b8
c0f5e0
781eb hbc & others
[ 0:2800: 99]:
c03c0f5607a10001
0 4c3eb340
c0f580
781ea hbc & others
[ 0:2900:100]:
c03c0eae07a11001
0 4c3eb2c8
c0f588
781d5 hbc & others
[ 0:2a00:101]:
c03c0f4607a2b001
0 4c3eb250
c0f5d8
781e8 hbc & others
[ 0:2b00:102]:
c03c0eb607a12001
0 4c3eb1d8
c0f590
781d6 hbc & others
[ 0:2c00:103]:
c03c0f2e07a2a001
0 4c3eb160
c0f5d0
781e5 subtype
[ 0:2d00:104]:
c03c0ebe07a29001
0 4c3eb0e8
c0f598
781d7 subtype
[ 0:2e00:105]:
c03c0f1e07a13001
0 4c3eb070
c0f5a0
781e3 subtype
[ 0:2f00:106]:
c03c0f1607a14001
0 4c3eaff8
c0f5c8
781e2 subtype
[ 0:3000:107]:
c03c0f0e07a15001
0 4c3eaf80
c0f5a8
781e1 subtype
[ 0:3100:108]:
c03c0ee607a28001
0 4c3eaf08
c0f5c0
781dc subtype
[ 0:3200:109]:
c03c0efe07a16001
0 4c3eae90
c0f5b8
781df subtype
[ 0:3300:110]:
c03c0eee07a27001
0 4c3eae18
c0f5b0
781dd subtype
[ 0:3400:111]:
c03c11f607a17001
0 4c3eada0
c0f678
7823e subtype
[ 0:3500:112]:
c03c100e07a18001
0 4c3ead28
c0f670
78201 subtype
[ 0:3600:113]:
c03c11e607a26001
0 4c3eacb0
c0f668
7823c subtype
[ 0:3700:114]:
c03c11de07a25001
0 4c3eac38
c0f660
7823b subtype
[ 0:3800:115]:
c03c102607a19001
0 4c3eabc0
c0f658
78204 hbc & others
[ 0:3801:116]:
c03c11d607a24001
0 4c3eab48
c0f600
7823a hbc & others
[ 0:3802:117]:
c03c11ce07a1a001
e02eb9000010000 4c3eaad0
c0f650
78239 subtype
[ 0:3803:118]:
c03c103e07a1b001
0 4c3eaa58
c0f648
78207 hbc & others
[ 0:3900:119]:
c03c104607a23001
0 4c3ea9e0
c0f640
78208 subtype
[ 0:3a00:120]:
c03c105607a1c001
0 4c3ea968
c0f638
7820a subtype
[ 0:3b00:121]:
c03c11ae07a22001
0 4c3ea8f0
c0f608
78235 subtype
[ 0:3c00:122]:
c03c106607a21001
e01454000010000 4c3ea878
c0f610
7820c punt
[ 0:3d00:123]:
c03c106e07a20001
0 4c3ea800
c0f630
7820d hbc & others
32

[ 0:3d01:124]:
c03c119607a1f001
0 4c3ea788
c0f618
78232 punt
[ 0:3d02:125]:
c03c118e07a1d001
0 4c3ea710
c0f628
78231 punt
[ 0:3d03:126]:
c03c108607a1e001
0 4c3ea698
c0f620
78210 punt
[ 0:3e00:127]:
c03c108e07b7f001
e01455000010000 4c3ea620
c0f700
78211 punt
[ 0:3f00:128]:
c03c117607b40001
0 4c3ea5a8
c0f778
7822e hbc & others
[ 0:4000:129]:
c03c109607b41001
0 4c3ea530
c0f770
78212 hbc & others
[ 0:4100:130]:
c03c109e07b42001
e02ea3000010000 4c3ea4b8
c0f708
78213 punt
[ 0:4200:131]:
c03c115607b7e001
e02ec0000010000 4c3ea440
c0f710
7822a punt
[ 0:4300:132]:
c03c10ae07b7d001
0 4c3ea3c8
c0f718
78215 hbc & others
[ 0:4301:133]:
c03c114e07b43001
0 4c3ea350
c0f720
78229 hbc & others
[ 0:4302:134]:
c03c114607b7c001
e02eb8000010000 4c3ea2d8
c0f728
78228 punt
[ 0:4303:135]:
c03c10c607b44001
e02eb7000010000 4c3ea260
c0f768
78218 punt
[ 0:4304:136]:
c03c113607b45001
0 4c3ea1e8
c0f760
78226 hbc & others
[ 0:4400:137]:
c03c112607b7b001
0 4c3ea170
c0f758
78224 hbc & others
[ 0:4401:138]:
c03c10d607b46001
0 4c3ea0f8
c0f750
7821a hbc & others
[ 0:4402:139]:
c03c10e607b47001
e02f7f000010000 4c3ea080
c0f730
7821c punt
[ 0:4403:140]:
c03c10f607b7a001
e01451000010000 4c3ea008
c0f748
7821e punt
[ 0:4500:141]:
c03c110607b48001
e01450000010000 4c3e9f90
c0f740
78220 punt
[ 0:4600:142]:
c03c111607b79001
e02ea1000010000 4c3e9f18
c0f738
78222 punt
[ 0:4700:143]:
c03c13fe07b78001
0 4c3e9ea0
c0f7f8
7827f hbc & others
[ 0:4800:144]:
c03c120e07b49001
0 4c3e9e28
c0f7f0
78241 hbc & others
[ 0:4801:145]:
c03c121607b77001
0 4c3e9db0
c0f780
78242 hbc & others
[ 0:4802:146]:
c03c122607b4a001
0 4c3e9d38
c0f7e8
78244 hbc & others
[ 0:4803:147]:
c03c13de07b76001
0 4c3e9cc0
c0f788
7827b hbc & others
[ 0:4900:148]:
c03c123607b75001
0 4c3e9c48
c0f790
78246 hbc & others
[ 0:4a00:149]:
c03c124607b74001
0 4c3e9bd0
c0f7e0
78248 hbc & others
[ 0:4a01:150]:
c03c13ce07b4b001
0 4c3e9b58
c0f798
78279 hbc & others
[ 0:4a02:151]:
c03c124e07b4c001
0 4c3e9ae0
c0f7d8
78249 hbc & others
[ 0:4a03:152]:
c03c13be07b73001
0 4c3e9a68
c0f7a0
78277 hbc & others
[ 0:4a04:153]:
c03c125e07b4d001
0 4c3f3a08
c0f7a8
7824b hbc & others
[ 0:4b00:154]:
c03c13a607b72001
0 4c3f3990
c0f7d0
78274 hbc & others
[ 0:4c00:155]:
c03c126e07b4e001
0 4c3f3918
c0f7c8
7824d hbc & others
[ 0:4d00:156]:
c03c139607b4f001
0 4c3f38a0
c0f7c0
78272 hbc & others
[ 0:4e00:157]:
c03c127e07b50001
0 4c3f3828
c0f7b0
7824f hbc & others
[ 0:4f00:158]:
c03c128e07b51001
0 4c3f37b0
c0f7b8
78251 hbc & others
[ 0:4f01:159]:
c03c129e07b71001
0 4c3f3738
c0f878
78253 hbc & others
[ 0:4f02:160]:
c03c12a607b70001
0 4c3f36c0
c0f800
78254 hbc & others
[ 0:4f03:161]:
c03c12b607b52001
0 4c3f3648
c0f870
78256 hbc & others
[ 0:5000:162]:
c03c138607b6f001
0 4c3f35d0
c0f868
78270 hbc & others
[ 0:5100:163]:
c03c12c607b53001
0 4c3f3558
c0f860
78258 hbc & others
[ 0:5200:164]:
c03c136e07b54001
0 4c3f34e0
c0f858
7826d hbc & others
[ 0:5300:165]:
c03c12ce07b55001
0 4c3f3468
c0f850
78259 hbc & others
[ 0:5400:166]:
c03c12de07b6e001
0 4c3f33f0
c0f848
7825b hbc & others
[ 0:5500:167]:
c03c135607b6d001
0 4c3f3378
c0f840
7826a hbc & others
[ 0:5600:168]:
c03c134607b6c001
0 4c3f3300
c0f838
78268 hbc & others
[ 0:5601:169]:
c03c12e607b6b001
0 4c3f3288
c0f830
7825c hbc & others
[ 0:5602:170]:
c03c12f607b6a001
e02eaf000010000 4c3f3210
c0f828
7825e punt
[ 0:5603:171]:
c03c12fe07b69001
e02eb0000010000 4c3f3198
c0f820
7825f punt
[ 0:5604:172]:
c03c130e07b68001
e02eb2000010000 4c3f3120
c0f808
78261 punt
33

[ 0:5605:173]:
c03c131607b56001
e02eb1000010000 4c3f30a8
c0f810
78262 punt
[ 0:5606:174]:
c03c132607b57001
e02f61000010000 4c3f3030
c0f818
78264 punt
[ 0:5700:175]:
c03c15fe07b58001
e02f80000010000 4c3f2fb8
c0f8f8
782bf punt
[ 0:5800:176]:
c03c15f607b59001
0 4c3f2f40
c0f8f0
782be punt
[ 0:5801:177]:
c03c141e07b67001
0 4c3f2ec8
c0f8e8
78283 punt
[ 0:5802:178]:
c03c15ee07b66001
0 4c3f2e50
c0f880
782bd punt
[ 0:5803:179]:
c03c15e607b65001
0 4c3f2dd8
c0f8e0
782bc punt
[ 0:5804:180]:
c03c15d607b5a001
0 4c3f2d60
c0f8d8
782ba punt
[ 0:5805:181]:
c03c143607b64001
0 4c3f2ce8
c0f888
78286 punt
[ 0:5806:182]:
c03c15c607b5b001
0 4c3f2c70
c0f8d0
782b8 punt
[ 0:5807:183]:
c03c144607b63001
0 4c3f2bf8
c0f8c8
78288 punt
[ 0:5808:184]:
c03c15b607b5c001
0 4c3f2b80
c0f890
782b6 punt
[ 0:5809:185]:
c03c15a607b62001
0 4c3f2b08
c0f898
782b4 punt
[ 0:580a:186]:
c03c159607b5d001
0 4c3f2a90
c0f8a0
782b2 punt
[ 0:580b:187]:
c03c145607b5e001
0 4c3f2a18
c0f8a8
7828a punt
[ 0:580c:188]:
c03c158607b61001
0 4c3f29a0
c0f8b0
782b0 punt
[ 0:5900:189]:
c03c146607b5f001
e02ea2000010000 4c3f2928
c0f8b8
7828c punt
[ 0:5a00:190]:
c03c146e07b60001
e01453000010000 4c3f28b0
c0f8c0
7828d punt
[ 0:5b00:191]:
c03c147607cbf001
e02eb3000010000 4c3f2838
c0f9f8
7828e punt
[ 0:5c00:192]:
c03c147e07c80001
e02eab000010000 4c3f27c0
c0f980
7828f punt
[ 0:5d00:193]:
c03c155e07cbe001
e02eaa000010000 4c3f2748
c0f988
782ab punt
[ 0:5e00:194]:
c03c148e07cbd001
0 4c3f26d0
c0f990
78291 hbc & others
[ 0:5e01:195]:
c03c149607cbc001
0 4c3f2658
c0f9f0
78292 hbc & others
[ 0:5e02:196]:
c03c149e07cbb001
e02ead000010000 4c3f25e0
c0f9e8
78293 punt
[ 0:5e03:197]:
c03c153e07c81001
e02eae000010000 4c3f2568
c0f9e0
782a7 punt
[ 0:5f00:198]:
c03c153607c82001
0 4c3f24f0
c0f998
782a6 hbc & others
[ 0:6000:199]:
c03c14b607cba001
0 4c3f2478
c0f9a0
78296 hbc & others
Lets trace some of the nexthop here to explain how the policers are associated to each other.
1. PUNT traffic with punt type

There are some punt traffic using punt type nexthop. For example.
code PUNT name
group proto
---- --------------------
--------- ------
1 PUNT_TTL
[LU:Prot:Idx]:
ttl aggregate
policer-nh
[-----------]:
----------
[ 0:3c00:122]:
c03c106607a21001
idx q# bwidth
burst
---- -- ------ -----3c00
2000
10000
ddos-nh p-result
-------
------- ----
-------
e01454000010000 4c3ea878
c0f610
7820c punt
If we check the policer nexthop for this type, here is the policer configuration.
# show jnh 0 decode 0xc03c106607a21001
PolicerISSU_NH: Absolute Caddr = 0xc0f442, nextNH = 0x7820c, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f442
34

Addr:0xc0f442, Data = 0xa3d0000047c00000
% bits 13 20 2 3 4 22
0xa3d0000047c00000
Wid
13
20
22
Bin 1010001111010 00000000000000000000 10 001 1111 0000000000000000000000

Hex
147a
Dec
5242
15
This is a policer with rate = 5242 * 1562.5 = 8,190,625 bps. On LUchip, the packet policer is using a fixed packet size (512
bytes), hence, that becomes 2000 pps which matches the policer configuration.
#define PKT_BASED_POLICER_PKT_SIZE (512)
Furthermore, if we check the ddos-nh, its actually pointing to another policer configuration.
NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xe01454000010000
CallNH:desc_ptr:0xc028a8, mode=0, rst_stk=0x0, count=0x1
0xc028a6
0 : 0x42f07fffff800f50
0xc028a7
1 : 0xdaf060208180c810
NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xdaf060208180c810

IndexNH:key_ptr:0xbc/0, desc_ptr=0xc04103, max=200, nbits=16
NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc04103

Addr:0xc04103, Data = 0x0e02120000020000
NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0x0e02120000020000
CallNH:desc_ptr:0xc04240, mode=0, rst_stk=0x0, count=0x2
0xc0423d
0 : 0x42f07fffff800010
0xc0423e
1 : 0xc0040096078c1001
0xc0423f
2 : 0x127fffffe00003f8
NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xc0040096078c1001

PolicerISSU_NH: Absolute Caddr = 0xc0f182, nextNH = 0x8012, , type:0, color=0, op=0 use_layer3_len = 0x0, num_nh
= 0x0
Addr:0xc0f182, Data = 0x8000000057c00000
0x8000000057c00000
Wid
13
20
22
35

Bin 1000000000000 00000000000000000000 10 101 1111 0000000000000000000000
Hex
1000
Dec
4096
15
The above policer is programmed with 4096 * 25000 = 25000 pps. Thats the host-path policer, which is trying to police
an aggregated traffic from some protocols to the host.
NPC2(Dokinchan-re0 vty)# show ddos policer configuration all
idx prot
--0
group
proto on Pri
UKERN-Config
PFE-Config
rate burst
rate burst
--- ------------ ------------ -- -- ------ ----- ------ ----0
host-path
aggregate
Y --
---
---
25000 25000
[LU:Prot:Idx]:
policer-nh
ddos-nh p-result
[-----------]:
----------
-------
------- ----
[ 0:
0:
0]:
c0040096078c1001
-------
0 4817d130
c0f270
8012 hbc & others
NPC2(Dokinchan-re0 vty)# show jnh 0 dec c0040096078c1001

= 0x0
This aggregated policer also applies to multiple protocols. For example, PUNT_REDIRECT, PUNT_REJECT,
PUNT_REJECT_FW, PUNT_RESOLVE etc
code PUNT name
group proto
---- --------------------
--------- ------
3 PUNT_REDIRECT
40 PUNT_REJECT
idx q# bwidth
burst
---- -- ------ ------
redirect aggregate
3e00
2000
10000
reject aggregate
4600
2000
10000
33 PUNT_RESOLVE
[LU:Prot:Idx]:
policer-nh
ddos-nh p-result
[-----------]:
----------
-------
------- ----
-------
[ 0:3e00:127]:
c03c108e07b7f001
e01455000010000 4c3ea620
c0f700
78211 punt
[ 0:4600:142]:
c03c111607b79001
e02ea1000010000 4c3e9f18
c0f738
78222 punt
PUNT_REDIRECT
show jnh 0 decode c03c108e07b7f001
PolicerISSU_NH: Absolute Caddr = 0xc0f6fe, nextNH = 0x78211, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
show jnh 0 vread 0xc0f6fe
Addr:0xc0f6fe, Data = 0xa3d0000047c00000
36
0xa3d0000047c00000
Wid
13
20
22
Bin 1010001111010 00000000000000000000 10 001 1111 0000000000000000000000

Hex
147a
Dec
5242
15
Here, RU[2,1] corresponds to value 1562.5.

static const struct jnh_fw_ru trinity_ru[JNH_POL_MAX_RU_PRODUCTS] = {
{24.414062,3,0}, {48.828125,3,1}, {97.65625,3,2}, {195.3125,3,3},
{390.625,3,4}, {781.25,2,0}, {781.25,3,5}, {1562.5,2,1}, {1562.5,3,6},
{3125,2,2}, {3125,3,7}, {6250,2,3}, {12500,2,4}, {25000,1,0}, {25000,2,5},
{50000,1,1}, {50000,2,6}, {100000,1,2}, {100000,2,7}, {200000,1,3},
{400000,1,4}, {800000,0,0}, {800000,1,5}, {1600000,0,1}, {1600000,1,6},
{3200000,0,2}, {3200000,1,7}, {6400000,0,3}, {12800000,0,4},
{25600000,0,5}, {51200000,0,6}, {102400000,0,7}
};
, hence, the rate is 5242 * 1562.5 / 8 / 512 = 2000 pps

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xe01455000010000
CallNH:desc_ptr:0xc028aa, mode=0, rst_stk=0x0, count=0x1
0xc028a8
0 : 0x42f07fffff800ff0
0xc028a9
1 : 0xdaf060208180c810

Addr:0xc04103, Data = 0x0e02120000020000
0xc0423d
0 : 0x42f07fffff800010
0xc0423e
1 : 0xc0040096078c1001
0xc0423f
2 : 0x127fffffe00003f8

= 0x0
PUNT_REJECT
show jnh 0 decode c03c111607b79001
PolicerISSU_NH: Absolute Caddr = 0xc0f6f2, nextNH = 0x78222, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
37
show jnh 0 vread 0xc0f6f2
Addr:0xc0f6f2, Data = 0xa3d257b447f4db1e

0xa3d257b447f4db1e
Wid
13
20
22
Bin 1010001111010 01001010111101101000 10 001 1111 1101001101101100011110

Hex
147a
4af68
34db1e
Dec
5242
307048
15
3463966
Rate = 5242 * 1562.5 / 8 / 512 = 2000pps

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xe02ea1000010000
CallNH:desc_ptr:0xc05d42, mode=0, rst_stk=0x0, count=0x1
0xc05d40
0 : 0x42f07fffff8011d0
0xc05d41
1 : 0xdaf060208180c810

Addr:0xc04103, Data = 0x0e02120000020000
0xc0423d
0 : 0x42f07fffff800010
0xc0423e
1 : 0xc0040096078c1001
0xc0423f
2 : 0x127fffffe00003f8

= 0x0
PUNT_RESOLVE
NPC2(Dokinchan-re0 vty)# show jnh 0 exceptions terse
Reason
Type
Packets
Bytes
==================================================================
Routing
---------------------resolve route
PUNT(33)
7199596
460774144
NPC2(Dokinchan-re0 vty)# show jnh 0 exceptions nh 33 punt

Nexthop Chain:
CallNH:desc_ptr:0xc0481c, mode=0, rst_stk=0x0, count=0x4
0xc04817
0 : 0x127fffffe00003fe
0xc04818
1 : 0x2ffffffe07ca8200
38

0xc04819
2 : 0xda00602d26800b04
0xc0481a
3 : 0xda00602d20800b04
0xc0481b
4 : 0xdaf060208180c810

Addr:0xc04103, Data = 0x0e02120000020000
0xc0423d
0 : 0x42f07fffff800010
0xc0423e
1 : 0xc0040096078c1001
0xc0423f
2 : 0x127fffffe00003f8

= 0x0
[ 0: 300: 11]:
c004015e07186001
e02e76800020000 4dfbc4a8
c0e3c8
802b punt : dynvlan:aggregate
[ 0: 401: 13]:
c0040066071b5001
e02e67800020000 4dfbc408
c0e3c0
800c punt : ppp:unclassified
[ 0: 402: 14]:
c0040126071a9001
e02e78000020000 4dfbc3b8
c0e3d0
8024 punt : ppp:lcp
[ 0: 403: 15]:
c00400a6071b1001
e02e79800020000 4dfbc368
c0e400
8014 punt : ppp:auth
[ 0: 404: 16]:
c03c0bfe071ad001
e02e75000020000 4dfbc318
c0e478
7817f punt : ppp:ipcp
[ 0: 405: 17]:
c03c0b7e071b9001
e02e7c800020000 4dfc82f8
c0e410
7816f punt : ppp:ipv6cp
[ 0: 406: 18]:
c03c0b3e071a5001
e02e63000020000 4dfc82a8
c0e468
78167 punt : ppp:mplscp
[ 0: 407: 19]:
c03c0ac607182001
e02f16800020000 4dfc8258
c0e408
78158 punt : ppp:isis
[ 0: 408: 20]:
c03c0afe0718a001
e02eae000030000 4dfc8208
c0e418
7815f punt : ppp:echo-req
[ 0: 409: 21]:
c03c0b860719d001
e02eb6000030000 4dfc81b8
c0e470
78170 punt : ppp:echo-rep
[ 0: 40a: 22]:
c03c0a7e07195001
e02f0f000020000 4dfc8168
c0e420
7814f punt : ppp:mlppp-lcp
[ 0: 502: 25]:
c03c0bb607185001
e02e64800020000 4dfc8078
c0e460
78176 punt : pppoe:padi
[ 0: 504: 27]:
c03c0b0e071a2001
e02e73800020000 4dfc7fd8
c0e438
78161 punt : pppoe:padr
[ 0: 506: 29]:
c03c0b36071b4001
e02e7e000020000 4dfc7f38
c0e450
78166 punt : pppoe:padt
[ 0: 802: 72]:
c03c0c1e07296001
e02f1f800020000 4dfc71c8
c0e630
78183 punt : vchassis:control-high
[ 0: 803: 73]:
c03c0c5e0728e001
e02f06000020000 4dfc7178
c0e628
7818b punt : vchassis:control-low
[ 0: 805: 75]:
c03c0d6607286001
e02f1b000020000 4dfc70d8
c0e648
781ac punt : vchassis:vc-ttl-err
[ 0:3c00:130]:
c03c10ee073e1001
e02e7f800020000 4dfcffc0
c0e8f0
7821d punt : ttl:aggregate
[ 0:3e00:135]:
c03c1126073f6001
e02e61800020000 4dfcfe30
c0e8d8
78224 punt : redirect:aggregate
[ 0:4100:138]:
c03c1066073f9001
e02e69000020000 4dfcfd40
c0e8c8
7820c punt : mac-host:aggregate
[ 0:4200:139]:
c03c11d6073c2001
e02e6f000020000 4dfcfcf0
c0e8a8
7823a punt : tun-frag:aggregate
[ 0:4302:142]:
c03c10de073d2001
e02e70800020000 4dfcfc00
c0e8b8
7821b punt : mcast-snoop:igmp
[ 0:4303:143]:
c03c109e073d6001
e02f01800020000 4dfcfbb0
c0e978
78213 punt : mcast-snoop:pim
[ 0:4402:147]:
c03c13be073ea001
e02f19800020000 4dfcfa70
c0e970
78277 punt : services:packet
[ 0:4403:148]:
c03c1386073c6001
e02e66000020000 4dfcfa20
c0e908
78270 punt : services:BSDT
[ 0:4500:149]:
c03c13c6073f2001
e02e72000020000 4dfcf9d0
c0e918
78278 punt : demuxauto:aggregate
[ 0:4600:150]:
c03c120e073fd001
e02e6d800020000 4dfcf980
c0e920
78241 punt : reject:aggregate
39

[ 0:5602:178]:
c03c144607537001
e02f18000020000 4dfcf0c0
c0eaf0
78288 punt : sample:syslog
[ 0:5603:179]:
c03c14fe07510001
e02f1c800020000 4dfcf070
c0eae0
7829f punt : sample:host
[ 0:5604:180]:
c03c14be07518001
e02f04800020000 4dfcf020
c0ea90
78297 punt : sample:pfe
[ 0:5605:181]:
c03c143e0752f001
e02f1e000020000 4dfcefd0
c0ead8
78287 punt : sample:tap
[ 0:5606:182]:
c03c150607520001
e02f03000020000 4dfcef80
c0ea88
782a0 punt : sample:sflow
[ 0:5700:183]:
c03c15b607528001
e02f07800020000 4dfcef30
c0eac8
782b6 punt : fab-probe:aggregate
[ 0:5900:197]:
c03c14ae07519001
e02e6a800020000 4dfcead0
c0eb70
78295 punt : rejectv6:aggregate
[ 0:5a00:198]:
c03c159607526001
e02e7b000020000 4dfcea80
c0eb60
782b2 punt : l2pt:aggregate
[ 0:5b00:199]:
c03c142e07521001
e02f12000020000 4dfcea30
c0eb58
78285 punt : keepalive:aggregate
[ 0:5c00:200]:
c03c15e60751e001
e02f0a800020000 4dfce9e0
c0eb20
782bc punt : inline-ka:aggregate
[ 0:5d00:201]:
c03c145e07516001
e02f0d800020000 4dfce990
c0eb30
7828b punt : inline-svcs:aggregate
[ 0:5e02:204]:
c03c14de0753d001
e02f09000020000 4dfce8a0
c0eb50
7829b punt : frame-relay:frf15
[ 0:5e03:205]:
c03c142607529001
e02f13800020000 4dfce850
c0eb40
78284 punt : frame-relay:frf16
2. PUNT traffic with subtype type

For example, MLP packet is under this category. (PR871500)
NPC2(Dokinchan-re0 vty)# show ddos policer configuration mlp
idx prot
---
group
proto on Pri
UKERN-Config
PFE-Config
rate burst
rate burst
--- ------------ ------------ -- -- ------ ----- ------ -----
115 3800
mlp
aggregate
Y Lo
2000 10000
116 3801
mlp
unclass..
Y Lo
2000 10000
2000 10000
---
117 3802
mlp
packets
Y Lo
2000 10000
2000 10000
118 3803
mlp
aging-exc
Y Lo
2000 10000
---
---
---

code PUNT name
group proto
---- --------------------
--------- ------
11 PUNT_MLP
mlp packets
idx q# bwidth
burst
---- -- ------ -----3802
2000
10000
[LU:Prot:Idx]:
policer-nh
ddos-nh p-result
[-----------]:
----------
-------
------- ----
[ 0:3802:117]:
c03c11ce07a1a001
-------
e02eb9000010000 4c3eaad0
c0f650
78239 subtype
First, it hits the configure policer under MLP frame.

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xc03c11ce07a1a001
PolicerISSU_NH: Absolute Caddr = 0xc0f434, nextNH = 0x78239, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
Addr:0xc0f434, Data = 0xa3d0000047c00000
svl-jtac-tool02% bits 13 20 2 3 4 22
0xa3d0000047c00000
40

Wid
13
20
22
Bin 1010001111010 00000000000000000000 10 001 1111 0000000000000000000000

Hex
147a
Dec
5242
15
Policer Rate = 5242 * 1562.5 / 512 bytes = 2000 pps. Next it hits the DDOS-nh, which points to the host-path PFE policer.
NPC2(Dokinchan-re0 vty)# show jnh 0 decode e02eb9000010000
CallNH:desc_ptr:0xc05d72, mode=0, rst_stk=0x0, count=0x1
0xc05d70
0 : 0x42f07fffff800eb0
0xc05d71
1 : 0xdaf060208180c810


Addr:0xc04103, Data = 0x0e02120000020000
NPC2(Dokinchan-re0 vty)# show jnh 0 dec 0x0e02120000020000

0xc0423d
0 : 0x42f07fffff800010
0xc0423e
1 : 0xc0040096078c1001
0xc0423f
2 : 0x127fffffe00003f8
NPC2(Dokinchan-re0 vty)# show jnh 0 dec 0xc0040096078c1001

= 0x0
3. HBC traffic with subtype type

The subtype traffic is mainly for the L2 control traffic. For example, LACP and STP. Doesnt like the above traffic, it will be
policed by its own policer and no more ASIC policer will be applied to these control traffic. (The policer on uKern level will
be discussed later).
code PUNT name
---- -------------
2 PUNT_OPTIONS
4 PUNT_CONTROL
6 PUNT_HOST_COPY
41

11 PUNT_MLP
|---------------+
32 PUNT_PROTOCOL
33 PUNT_RESOLVE
34 PUNT_RECEIVE
36 PUNT_REJECT_FW
69 PUNT_RESOLVE_V6
|
|
-----------------------------------------------------------------type
subtype
group proto
------ ----------
idx q# bwidth
---------- ----------
contrl LACP
contrl STP
contrl ESMC
contrl OAM_LFM
burst
---- -- ------ ------
lacp aggregate
2c00
20000
stp aggregate
2d00
20000
20000
20000
esmc aggregate
2e00
20000
20000
oam-lfm aggregate
2f00
20000
20000
contrl EOAM
eoam aggregate
3000
20000
20000
contrl LLDP
lldp aggregate
3100
20000
20000
contrl MVRP
mvrp aggregate
3200
20000
20000
pmvrp aggregate
3300
20000
20000
arp aggregate
3400
20000
20000
pvstp aggregate
3500
20000
20000
isis aggregate
3600
20000
20000
contrl POS
pos aggregate
3700
20000
20000
contrl MLP
mlp packets
3802
2000
10000
contrl JFM
jfm aggregate
3900
20000
20000
contrl ATM
atm aggregate
3a00
20000
20000
pfe-alive aggregate
3b00
20000
20000
contrl PMVRP
contrl ARP
contrl PVSTP
contrl ISIS
contrl PFE_ALIVE
[LU:Prot:Idx]:
policer-nh
ddos-nh p-result
[-----------]:
----------
-------
------- ----
[ 0:2c00:103]:
c03c0f2e07a2a001
0 4c3eb160
c0f5d0
781e5 subtype
[ 0:2d00:104]:
c03c0ebe07a29001
0 4c3eb0e8
c0f598
781d7 subtype
-------
NPC2(Dokinchan-re0 vty)# show ddos policer configuration lacp

idx prot
---
group
proto on Pri
UKERN-Config
PFE-Config
rate burst
rate burst
--- ------------ ------------ -- -- ------ ----- ------ -----
103 2c00
lacp
aggregate
Y Hi
20000 20000
20000 20000
NPC2(Dokinchan-re0 vty)# show ddos policer configuration stp

idx prot
---
group
proto on Pri
UKERN-Config
PFE-Config
rate burst
rate burst
--- ------------ ------------ -- -- ------ ----- ------ -----
104 2d00
stp
aggregate
Y Hi
20000 20000
20000 20000
42

LACP
NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c0f2e07a2a001
PolicerISSU_NH: Absolute Caddr = 0xc0f454, nextNH = 0x781e5, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0

Addr:0xc0f454, Data = 0xccc8000053c00000
0xccc8000053c00000
Wid
13
20
22
Bin 1100110011001 00000000000000000000 10 100 1111 0000000000000000000000

Hex
1999
Dec
6553
15
Rate = 6553 * 12500 / 8 / 512 = 20000pps
STP
NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c0ebe07a29001
PolicerISSU_NH: Absolute Caddr = 0xc0f452, nextNH = 0x781d7, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
0xccc8000053c00000
Wid
13
20
22
Bin 1100110011001 00000000000000000000 10 100 1111 0000000000000000000000

Hex
1999
Dec
6553
15
Rate = 6553 * 12500 / 8 / 512 = 20000pps
4. HBC traffic with hbc & other type

Each of the pre-defined L3 control protocol packets would have their own policer term as well.
code PUNT name
43

---- ------------2 PUNT_OPTIONS
4 PUNT_CONTROL
6 PUNT_HOST_COPY
11 PUNT_MLP
|---------------+
32 PUNT_PROTOCOL
33 PUNT_RESOLVE
34 PUNT_RECEIVE
36 PUNT_REJECT_FW
69 PUNT_RESOLVE_V6
|
|
|
-----------------------------------------------------------------type
subtype
------ ----------
group proto
---------- ----------
idx q# bwidth
burst
---- -- ------ ------
filter ipv4
dhcpv4 aggregate
600
5000
5000
filter ipv6
dhcpv6 aggregate
700
5000
5000
filter ipv4
icmp aggregate
900
20000
20000
filter ipv4
igmp aggregate
a00
20000
20000
filter ipv4
ospf aggregate
b00
20000
20000
filter ipv4
rsvp aggregate
c00
20000
20000
filter ipv4
pim aggregate
d00
20000
20000
filter ipv4
rip aggregate
e00
20000
20000
filter ipv4
ptp aggregate
f00
20000
20000
filter ipv4
bfd aggregate
1000
20000
20000
filter ipv4
lmp aggregate
1100
20000
20000
filter ipv4
ldp aggregate
1200
20000
20000
filter ipv4
msdp aggregate
1300
20000
20000
filter ipv4
bgp aggregate
1400
20000
20000
filter ipv4
vrrp aggregate
1500
20000
20000
filter ipv4
telnet aggregate
1600
20000
20000
filter ipv4
ftp aggregate
1700
20000
20000
filter ipv4
ssh aggregate
1800
20000
20000
filter ipv4
snmp aggregate
1900
20000
20000
filter ipv4
ancp aggregate
1a00
20000
20000
filter ipv6
igmpv6 aggregate
1b00
20000
20000
filter ipv6
egpv6 aggregate
1c00
20000
20000
filter ipv6
rsvpv6 aggregate
1d00
20000
20000
filter ipv6
igmpv4v6 aggregate
1e00
20000
20000
filter ipv6
ripv6 aggregate
1f00
20000
20000
filter ipv6
bfdv6 aggregate
2000
20000
20000
filter ipv6
lmpv6 aggregate
2100
20000
20000
filter ipv6
ldpv6 aggregate
2200
20000
20000
filter ipv6
msdpv6 aggregate
2300
20000
20000
filter ipv6
bgpv6 aggregate
2400
20000
20000
filter ipv6
vrrpv6 aggregate
2500
20000
20000
filter ipv6
telnetv6 aggregate
2600
20000
20000
filter ipv6
ftpv6 aggregate
2700
20000
20000
44

filter ipv6
sshv6 aggregate
2800
20000
20000
filter ipv6
snmpv6 aggregate
2900
20000
20000
filter ipv6
ancpv6 aggregate
2a00
20000
20000
filter ipv6
ospfv3v6 aggregate
2b00
20000
20000
filter ipv4
tcp-flags unclass..
4801
20000
20000
filter ipv4
tcp-flags initial
4802
20000
20000
filter ipv4
tcp-flags establish
4803
20000
20000
filter ipv4
dtcp aggregate
4900
20000
20000
filter ipv4
radius server
4a02
20000
20000
filter ipv4
radius account..
4a03
20000
20000
filter ipv4
radius auth..
20000
4a04
20000
filter ipv4
ntp aggregate
4b00
20000
20000
filter ipv4
tacacs aggregate
4c00
20000
20000
filter ipv4
dns aggregate
4d00
20000
20000
filter ipv4
diameter aggregate
4e00
20000
20000
filter ipv4
ip-frag first-frag
4f02
20000
20000
filter ipv4
ip-frag trail-frag
4f03
20000
20000
l2tp aggregate
5000
20000
20000
filter ipv4
gre aggregate
5100
20000
20000
filter ipv4
ipsec aggregate
5200
20000
20000
filter ipv6
pimv6 aggregate
5300
20000
20000
filter ipv6
icmpv6 aggregate
5400
20000
20000
filter ipv6
ndpv6 aggregate
5500
20000
20000
filter ipv4
amtv4 aggregate
5f00
20000
20000
filter ipv6
amtv6 aggregate
6000
20000
20000
filter ipv4
Take OSPF as an example. As the L2 control traffic, the only policer applied to this is the OSPF one. Once the packet
passes this policer, the packet will be sent to the host queue.
[LU:Prot:Idx]:
policer-nh
ddos-nh p-result
[-----------]:
----------
-------
------- ----
[ 0: b00: 70]:
c03c0d2e07a3a001
-------
0 4c3de090
c0f498
781a5 hbc & others
NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c0d2e07a3a001

PolicerISSU_NH: Absolute Caddr = 0xc0f474, nextNH = 0x781a5, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
0xccc8000053c00000
Wid
13
20
22
Bin 1100110011001 00000000000000000000 10 100 1111 0000000000000000000000

Hex
1999
Dec
6553
15
45
Rate = 6553 * 12500 / 8 / 512 = 20000pps
5. HBC type to PUNT type

Another traffic types being classified as control traffic is the one with option. Once it passes the policer from its type, no
more policer under the ASIC level will be applied.
code PUNT name
---- ------------2 PUNT_OPTIONS
4 PUNT_CONTROL
6 PUNT_HOST_COPY
11 PUNT_MLP
|---------------+
32 PUNT_PROTOCOL
33 PUNT_RESOLVE
34 PUNT_RECEIVE
36 PUNT_REJECT_FW
69 PUNT_RESOLVE_V6
|
|
-----------------------------------------------------------------type
subtype
------ ----------
group proto
idx q# bwidth
---------- ----------
burst
---- -- ------ ------
option rt-alert
ip-opt rt-alert
3d02
20000
20000
option unclass
ip-opt unclass..
3d01
10000
10000
[LU:Prot:Idx]:
policer-nh
ddos-nh p-result
[-----------]:
----------
-------
------- ----
[ 0:3d01:124]:
c03c119607a1f001
0 4c3ea788
c0f618
78232 punt
[ 0:3d02:125]:
c03c118e07a1d001
0 4c3ea710
c0f628
78231 punt
-------
NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c119607a1f001

PolicerISSU_NH: Absolute Caddr = 0xc0f43e, nextNH = 0x78232, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f43e
Addr:0xc0f43e, Data = 0xccc800004fc00000
0xccc800004fc00000
Wid
13
20
22
Bin 1100110011001 00000000000000000000 10 011 1111 0000000000000000000000

Hex
1999
Dec
6553
15
Rate = 6553 * 6250 / 8 / 512 = 10000 pps
46

NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c118e07a1d001
PolicerISSU_NH: Absolute Caddr = 0xc0f43a, nextNH = 0x78231, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0
NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f43a
Addr:0xc0f43a, Data = 0xccc8000053c00000
0xccc8000053c00000
Wid
13
20
22
Bin 1100110011001 00000000000000000000 10 100 1111 0000000000000000000000

Hex
1999
Dec
6553
15
Rate = 6553 * 12500 / 8 / 512 = 20000 pps

From the DDOS policer configuration, we see a protocol under the same group (ip-opt) as non-v4v6 and unclassified. The
unclassified is for the packet holding options which is not rt-alert and the non-v4v6 is for the non-v4v6 packet being sent
up with the PUNT_OPTION, which will be policed by the option punt nh policer.
Packet Exceptions
---------------------IP options
PUNT( 2)
121976
22902560
NPC3(zenith-re0 vty)# show jnh 0 exceptions nh 2 punt

Nexthop Chain:
CallNH:desc_ptr:0xc05cfc, mode=0, rst_stk=0x0, count=0x5
0xc05cf6
0 : 0x127fffffe00003fc
0xc05cf7
1 : 0x2ffffffe07caca00
0xc05cf8
2 : 0xda00602e41000a04
0xc05cf9
3 : 0xda00602d19800a04
0xc05cfa
4 : 0xda00602e47000a04
0xc05cfb
5 : 0xdaf060208080c010
NPC3(zenith-re0 vty)# show jnh 0 dec
0xdaf060208080c010

NPC3(zenith-re0 vty)# show jnh 0 vread 0xc04101
Addr:0xc04101, Data = 0x0e02102000020000
0x0e02102000020000

0xc04201
0 : 0x42f07fffff800010
0xc04202
1 : 0xc0040096078fe001
0xc04203
2 : 0x127fffffe00003f8
0xc0040096078fe001
PolicerISSU_NH: Absolute Caddr = 0xc0f1fc, nextNH = 0x8012, , type:0, color=0, op=0 use_layer3_len = 0x0, num_nh
= 0x0
47

idx prot
---
group
proto on Pri
UKERN-Config
PFE-Config
rate burst
rate burst
--- ------------ ------------ -- -- ------ ----- ------ -----
123 3d00
ip-opt
aggregate
Y Hi
20000 20000
124 3d01
ip-opt
unclass..
Y Lo
10000 10000
---
---
125 3d02
ip-opt
rt-alert
Y Hi
20000 20000
20000 20000
126 3d03
ip-opt
non-v4v6
Y Lo
10000 10000
10000 10000
10000 10000
[ 0: 101:
2]:
c00401ee071a6001
0 4dfbc7a0
c0e390
803d punt : resolve:other
[ 0: 102:
3]:
c004015607181001
0 4dfbc750
c0e3f0
802a punt : resolve:ucast-v4
[ 0: 103:
4]:
c00401d607189001
0 4dfbc700
c0e388
803a punt : resolve:mcast-v4
[ 0: 104:
5]:
c004001e07191001
0 4dfbc6b0
c0e3e0
8003 punt : resolve:ucast-v6
[ 0: 105:
6]:
c004005e0719e001
0 4dfbc660
c0e398
800b punt : resolve-mcast-v6
[ 0: 201:
8]:
c00400ae07196001
0 4dfbc598
c0e3d8
8015 punt : filter-act:other
[ 0: 202:
9]:
c004002e071a1001
0 4dfbc548
c0e3b0
8005 punt : filter-act:filter-v4
[ 0: 203: 10]:
c00401a60718e001
0 4dfbc4f8
c0e3a8
[ 0:3d01:132]:
c03c1096073f1001
0 4dfcff20
c0e8e0
78212 punt : ip-opt:uncassified
[ 0:3d02:133]:
c03c102e073c7001
0 4dfcfed0
c0e888
78205 punt : ip-opt:rt-alert
[ 0:3d03:134]:
c03c11a6073fe001
0 4dfcfe80
c0e898
78234 punt : ip-opt:non-v4v6
[ 0:5800:184]:
c03c15c607527001
0 4dfceee0
c0ea98
782b8 punt : uncls:aggregate
[ 0:5801:185]:
c03c140e07530001
0 4dfcee90
c0eaa0
78281 punt : uncls:other
[ 0:5802:186]:
c03c15360751f001
0 4dfcee40
c0eab0
782a6 punt : uncls:resolve-v4
[ 0:5803:187]:
c03c14f607517001
0 4dfcedf0
c0ead0
7829e punt : uncls:resolve-v6
[ 0:5804:188]:
c03c14b60750f001
0 4dfceda0
c0eac0
78296 punt : uncls:control-v4
[ 0:5805:189]:
c03c154e07507001
0 4dfced50
c0eab8
782a9 punt : uncls:control-v6
[ 0:5806:190]:
c03c147607538001
0 4dfced00
c0eaa8
7828e punt : uncls:host-rt-v4
[ 0:5807:191]:
c03c14160753e001
0 4dfcecb0
c0eb00
78282 punt : uncls:host-rt-v6
[ 0:5808:192]:
c03c143607501001
0 4dfcec60
c0eb78
78286 punt : uncls:filter-v4
[ 0:5809:193]:
c03c149607509001
0 4dfcec10
c0eb10
78292 punt : uncls:filter-v6
[ 0:580a:194]:
c03c156e07511001
0 4dfcebc0
c0eb08
782ad punt : uncls:control-l2
[ 0:580b:195]:
c03c152e07536001
0 4dfceb70
c0eb18
782a5 punt : uncls:fw-host
[ 0:580c:196]:
c03c15560752e001
0 4dfceb20
c0eb68
782aa punt : uncls:mcast-copy
8034 punt : filter-act:filter-v6
6. Aggregated policer under the same group

Some protocols have an aggregate policer applied in the HBC filter, for example, DHCPv4/v6 and REJECT. However, for
the others, they dont point to that. The rule is that, if we can parse the packet to get individual types, we will not have an
aggregate policer at ASIC level (ie. LUchip) and the aggregate will be placed in uKern. Otherwise, we will have an
aggregate policer at ASIC level and uKern level.
For example, this is for OSPF as we cant (doesnt need to ?) parse it with different types like Hello, LSA requestetc.
NPC2(Dokinchan-re0 vty)# show ddos policer configuration ospf
idx prot
--70
group
proto on Pri
UKERN-Config
PFE-Config
rate burst
rate burst
--- ------------ ------------ -- -- ------ ----- ------ ----b00
ospf
aggregate
Y Hi
20000 20000
20000 20000
48
7. HBC policer with exception traffic

There are exceptions with DISC type but still need to send up to the host for further processing. For example.
Packet Exceptions
---------------------mtu exceeded
DISC(21)
frag needed but DF set
DISC(22)
For these types of packet, that would go thru the hbc policer.
NPC2(Dokinchan-re0 vty)# show jnh 0 exceptions nh 21 discard
Nexthop Chain:
CallNH:desc_ptr:0xc05c48, mode=0, rst_stk=0x0, count=0x3
0xc05c44
0 : 0x2ffffffe07caba00
0xc05c45
1 : 0xc03c152607cb9001
0xc05c46
0xc05c47
3 : 0x260081d80000000c
NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xc03c152607cb9001

num_nh = 0x0
NPC2(Dokinchan-re0 vty)# show jnh 0 exceptions nh 22 discard
Nexthop Chain:
CallNH:desc_ptr:0xc05c4c, mode=0, rst_stk=0x0, count=0x3
0xc05c48
0 : 0x2ffffff800014600
0xc05c49
1 : 0xc03c152607cb9001
0xc05c4a
0xc05c4b
3 : 0x260081d80000000c
NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xc03c152607cb9001

num_nh = 0x0
NPC2(Dokinchan-re0 vty)# show jnh 0 exception hbc policers
Global Policer:
policer_nexthop: 0xC03C152607CB9001
policer_result:
dropped packets:
0x4C3F2360
0
Hostbound policer packet drops: 0

Hostbound policer byte drops: 0
Aggregate policer packet drops: 206974807
Aggregate policer byte drops: 16144034946
49

Aggregate IPv6 policer packet drops: 0
Aggregate IPv6 policer byte drops: 0
NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xC03C152607CB9001
num_nh = 0x0
Addr:0xc0f972, Data = 0x29f0000043c00000
0x29f0000043c00000
Wid
13
20
22
Bin 0010100111110 00000000000000000000 10 000 1111 0000000000000000000000

Hex
53e
Dec
1342
15
Rate = 1342 * 781.25 ~= 1Mbps. This will be implemented as packet base policer as well which is = 256 pps.
Here is a table to list down the ASIC policer(s) applied to each host bound packet type.
Group
Protocol
DDOS Protocol
ID
DDOS
Index
Protocol
Policer
ASIC Aggregate Policer
host-path
aggregate
0x0
---
Yes
ipv4-unclassifed
aggregate
0x100
Yes
No
ipv6-unclassified
aggregate
0x200
Yes
No
dynamic vlan
aggregate
0x300
Yes
Yes ( DDOS index 0)
ppp
aggregate
0x400
---
Yes
ppp
unclassified
0x401
Yes
Yes ( DDOS index 0)
ppp
lcp
0x402
Yes
Yes ( DDOS index 0)
ppp
auth
0x403
Yes
Yes ( DDOS index 0)
ppp
ipcp
0x404
Yes
Yes ( DDOS index 0)
ppp
ipv6cp
0x405
Yes
Yes ( DDOS index 0)
ppp
mplscp
0x406
10
Yes
Yes ( DDOS index 0)
ppp
isis
0x407
11
Yes
Yes ( DDOS index 0)
ppp
echo-req
0x408
12
Yes
Yes ( DDOS index 0)
ppp
echo-reply
0x409
13
Yes
Yes ( DDOS index 0)
ppp
mlppp-lcp
0x40a
14
Yes
Yes ( DDOS index 0)
pppoe
aggregate
0x500
15
Yes
No
50
pppoe
unclassified
0x501
16
DROP
---
pppoe
padi
0x502
17
Yes
Yes ( DDOS index 0)
pppoe
pado
0x503
18
DROP
---
pppoe
padr
0x504
19
Yes
Yes ( DDOS index 0)
pppoe
pads
0x505
20
DROP
---
pppoe
padt
0x506
21
Yes
Yes ( DDOS index 0)
pppoe
padm
0x507
22
DROP
---
pppoe
padn
0x508
23
DROP
---
dhcpv4
aggregate
0x600
24
Yes
No
dhcpv4
unclassified
0x601
25
Yes
No
dhcpv4
discover
0x602
26
Yes
No
dhcpv4
offer
0x603
27
Yes
No
dhcpv4
request
0x604
28
Yes
No
dhcpv4
decline
0x605
29
Yes
No
dhcpv4
ack
0x606
30
Yes
No
dhcpv4
nak
0x607
31
Yes
No
dhcpv4
release
0x608
32
Yes
No
dhcpv4
inform
0x609
33
Yes
No
dhcpv4
renew
0x60a
34
Yes
No
dhcpv4
force-renew
0x60b
35
Yes
No
dhcpv4
lease-query
0x60c
36
Yes
No
dhcpv4
lease-unasigned
0x60d
37
Yes
No
dhcpv4
lease-unknown
0x60e
38
Yes
No
dhcpv4
lease-active
0x60f
39
Yes
No
dhcpv4
bootp
0x610
40
Yes
No
dhcpv4
no-message-type
0x611
41
Yes
No
dhcpv4
bad-packet
0x612
42
DROP
---
dhcpv6
aggregate
0x700
43
Yes
No
dhcpv6
unclassified
0x701
44
Yes
No
dhcpv6
solict
0x702
45
Yes
No
dhcpv6
advertise
0x703
46
Yes
No
dhcpv6
request
0x704
47
Yes
No
dhcpv6
confirm
0x705
48
Yes
No
51

dhcpv6
renew
0x706
49
Yes
No
dhcpv6
rebind
0x707
50
Yes
No
dhcpv6
reply
0x708
51
Yes
No
dhcpv6
release
0x709
52
Yes
No
dhcpv6
decline
0x70a
53
Yes
No
dhcpv6
reconfigure
0x70b
54
Yes
No
dhcpv6
informationrequest
0x70c
55
Yes
No
dhcpv6
relay-forward
0x70d
56
Yes
No
dhcpv6
reply-reply
0x70e
57
Yes
No
dhcpv6
lease-query
0x70f
58
Yes
No
dhcpv6
lease-query-reply
0x710
59
Yes
No
dhcpv6
lease-query-done
0x711
60
Yes
No
dhcpv6
lease-query-data
0x712
61
Yes
No
vchassis
aggregate
0x800
62
Yes
No
vchassis
unclassified
0x801
63
DROP
---
0x802
64
Yes
Yes ( DDOS index 0)
0x803
65
Yes
Yes ( DDOS index 0)
vchassis
vchassis
control-highpriority
control-lowpriority
vchassis
vc-packets
0x804
66
Yes
No
vchassis
vc-ttl-errors
0x805
67
Yes
Yes ( DDOS index 0)
icmp
aggreagte
0x900
68
Yes
No
igmp
aggregate
0xa00
69
Yes
No
ospf
aggregate
0xb00
70
Yes
No
rsvp
aggregate
0xc00
71
Yes
No
pim
aggregate
0xd00
72
Yes
No
rip
aggregate
0xe00
73
Yes
No
ptp
aggregate
0xf00
74
Yes
No
bfd
aggregate
0x1000
75
Yes
No
lmp
aggregate
0x1100
76
Yes
No
ldp
aggregate
0x1200
77
Yes
No
msdp
aggregate
0x1300
78
Yes
No
bgp
aggregate
0x1400
79
Yes
No
vrrp
aggregate
0x1500
80
Yes
No
52
telnet
aggregate
0x1600
81
Yes
No
ftp
aggregate
0x1700
82
Yes
No
ssh
aggregate
0x1800
83
Yes
No
snmp
aggregate
0x1900
84
Yes
No
ancp
aggregate
0x1a00
85
Yes
No
igmpv6
aggregate
0x1b00
86
Yes
No
egpv6
aggregate
0x1c00
87
Yes
No
rsvpv6
aggregate
0x1d00
88
Yes
No
igmpv4v6
aggregate
0x1e00
89
Yes
No
ripv6
aggregate
0x1f00
90
Yes
No
bfdv6
aggregate
0x2000
91
Yes
No
lmpv6
aggregate
0x2100
92
Yes
No
ldpv6
aggregate
0x2200
93
Yes
No
msdpv6
aggregate
0x2300
94
Yes
No
bgpv6
aggregate
0x2400
95
Yes
No
vrrpv6
aggregate
0x2500
96
Yes
No
telentv6
aggregate
0x2600
97
Yes
No
ftpv6
aggregate
0x2700
98
Yes
No
sshv6
aggregate
0x2800
99
Yes
No
snmpv6
aggregate
0x2900
100
Yes
No
ancpv6
aggregate
0x2a00
101
Yes
No
ospfv3v6
aggregate
0x2b00
102
Yes
No
lacp
aggregate
0x2c00
103
Yes
No
stp
aggregate
0x2d00
104
Yes
No
esmc
aggregate
0x2e00
105
Yes
No
oam-lfm
aggregate
0x2f00
106
Yes
No
eoam
aggregate
0x3000
107
Yes
No
lldp
aggregate
0x3100
108
Yes
No
mvrp
aggregate
0x3200
109
Yes
No
pmvrp
aggregate
0x3300
110
Yes
No
arp
aggregate
0x3400
111
Yes
No
pvstp
aggregate
0x3500
112
Yes
No
isis
aggregate
0x3600
113
Yes
No
53
pos
aggregate
0x3700
114
Yes
No
mlp
aggregate
0x3800
115
Yes
No
mlp
unclassified
0x3801
116
Yes
No
mlp
packets
0x3802
117
Yes
Yes ( DDOS index 0)
mlp
aging-exception
0x3803
118
Yes
No
jfm
aggreagte
0x3900
119
Yes
No
atm
aggregate
0x3a00
120
Yes
No
pfe-alive
aggregate
0x3b00
121
Yes
No
ttl
aggregate
0x3c00
122
Yes
Yes ( DDOS index 0)
ip-opt
aggregate
0x3d00
123
Yes
No
ip-opt
unclassified
0x3d01
124
Yes
No
ip-opt
rt-alert
0x3d02
125
Yes
No
ip-opt
non-v4v6
0x3d03
126
Yes
No
redirect
aggregate
0x3e00
127
Yes
Yes ( DDOS index 0)
control
aggreagte
0x3f00
128
Yes
No
mcast-copy
aggregate
0x4000
129
Yes
No
mac-host
aggregate
0x4100
130
Yes
Yes ( DDOS index 0)
tunnel-fragment
aggregate
0x4200
131
Yes
Yes ( DDOS index 0)
mcast-snoop
aggregate
0x4300
132
Yes
No
mcast-snoop
unclassified
0x4301
133
DROP
---
mcast-snoop
igmp
0x4302
134
Yes
Yes ( DDOS index 0)
mcast-snoop
pim
0x4303
135
Yes
Yes ( DDOS index 0)
mcast-snoop
mld
0x4304
136
Yes
No
services
aggregate
0x4400
137
Yes
No
services
unclassified
0x4401
138
Yes
No
services
packet
0x4402
139
Yes
Yes ( DDOS index 0)
services
BSDT
0x4403
140
Yes
Yes ( DDOS index 0)
demuxauto
aggregate
0x4500
141
Yes
Yes ( DDOS index 0)
reject
aggregate
0x4600
142
Yes
Yes ( DDOS index 0)
fw-host
aggregate
0x4700
143
Yes
No
tcp-flags
aggregate
0x4800
144
Yes
No
tcp-flags
unclassified
0x4801
145
Yes
No
tcp-flags
initial
0x4802
146
Yes
No
54
tcp-flags
establish
0x4803
147
Yes
No
dtcp
aggregate
0x4900
148
Yes
No
radius
aggregate
0x4a00
149
Yes
No
radius
unclassified
0x4a01
150
Yes
No
radius
server
0x4a02
151
Yes
No
radius
accounting traffic
0x4a03
152
Yes
No
radius
auth
0x4a04
153
Yes
No
ntp
aggregate
0x4b00
154
Yes
No
tacacs
aggregate
0x4c00
155
Yes
No
dns
aggregate
0x4d00
156
Yes
No
diameter
aggregate
0x4e00
157
Yes
No
ip-fragment
aggregate
0x4f00
158
Yes
No
ip-fragment
unclassified
0x4f01
159
Yes
No
ip-fragment
first-fragment
0x4f02
160
Yes
No
ip-fragment
trail-fragment
0x4f03
161
Yes
No
l2tp
aggregate
0x5000
162
Yes
No
gre
aggregate
0x5100
163
Yes
No
ipsec
aggregate
0x5200
164
Yes
No
pimv6
aggregate
0x5300
165
Yes
No
icmpv6
aggregate
0x5400
166
Yes
No
ndpv6
aggregate
0x5500
167
Yes
No
sample
aggregate
0x5600
168
Yes
No
sample
unclassified
0x5601
169
DROP
---
sample
syslog
0x5602
170
Yes
No
sample
host
0x5603
171
Yes
No
sample
pfe
0x5604
172
Yes
No
sample
tap
0x5605
173
Yes
No
sample
sflow
0x5606
174
Yes
No
fab-out-probe-packet
aggregate
0x5700
175
Yes
No
unclassified
aggregate
0x5800
176
Yes
No
unclassified
other
0x5801
177
Yes
No
unclassified
resolve-v4
0x5802
178
Yes
No
unclassified
resolve-v6
0x5803
179
Yes
No
55

unclassified
control-v4
0x5804
180
Yes
No
unclassified
control-v6
0x5805
181
Yes
No
unclassified
host-route-v4
0x5806
182
Yes
No
unclassified
host-route-v6
0x5807
183
Yes
No
unclassified
filter-v4
0x5808
184
Yes
No
unclassified
filter-v6
0x5809
185
Yes
No
unclassified
control-l2
0x580a
186
Yes
No
unclassified
fw-host
0x580b
187
Yes
No
unclassified
mcast-copy
0x580c
188
Yes
No
rejectv6
aggregate
0x5900
189
Yes
Yes ( DDOS index 0)
l2pt
aggregate
0x5a00
190
Yes
Yes ( DDOS index 0)
keepalive
aggregate
0x5b00
191
Yes
Yes ( DDOS index 0)
inline-ka
aggregate
0x5c00
192
Yes
Yes ( DDOS index 0)
inline-services
aggregate
0x5d00
193
Yes
Yes ( DDOS index 0)
frame-relay
aggregate
0x5e00
194
Yes
No
frame-relay
unclassified
0x5e01
195
DROP
---
frame-relay
frf15
0x5e02
196
Yes
Yes ( DDOS index 0)
frame-relay
ftf16
0x5e03
197
Yes
Yes ( DDOS index 0)
amtv4
aggregate
0x5f00
198
Yes
No
amtv6
aggregate
0x6000
199
Yes
No
Host Bound Queue Mapping

For all the exception traffic (PUNT type), the mapping is under src/pfe/common/pfearch/trinity/toolkits/jnh/jnh_exception.h. For example, this is a route hitting resolve nh and it uses Q_OTHER_ERRS host
bound queue.
{
.e_category
= CAT_ROUTING,
.e_code
= PACKET_PUNT_RESOLVE,
.e_name
= "resolve route",
.e_type
= PUNT,
.e_nh
= CNT,
.e_queue
= Q_OTHER_ERRS,
.e_help
"Packet is punted to host as it hit an RNH_RESOLV nexthop."

},
Here is a table to list down the host queue being used for packet hitting the exception ucode.
56
Host queue
Protocols
Q0 (Q_L3_LO)
PACKET_PUNT_RECEIVE(34), PACKET_PUNT_PROTOCOL(32),
PACKET_PUNT_REDIRECT(3), PACKET_PUNT_SERVICES(38),
PACKET_PUNT_DEMUXAUTOSENSE(39),
PACKET_PUNT_TUNNEL_FRAGMENT(8)
Q1 (Q_L3_HI)
PACKET_PUNT_LU_NOTIF(17),
PACKET_PUNT_SEND_TO_HOST_SVCS(70)
Q2 (Q_L2_LO)
PACKET_PUNT_L2PT_ERROR(14),
PACKET_PUNT_HOST_COPY(6),
PACKET_PUNT_AUTOSENSE(35),
PACKET_PUNT_MAC_FWD_TYPE_HOST(7),
PACKET_PUNT_PPPOE_PADI(45),
PACKET_PUNT_PPPOE_PADR(46),
PACKET_PUNT_PPPOE_PADT(47),
PACKET_PUNT_PPP_LCP(48),
PACKET_PUNT_LCP_ECHO_REQ(60),
PACKET_PUNT_LCP_ECHO_REP(63),
PACKET_PUNT_PPP_AUTH(49),
PACKET_PUNT_PPP_IPV4CP(50),
PACKET_PUNT_PPP_IPV6CP(51),
PACKET_PUNT_PPP_MPLSCP(52),
PACKET_PUNT_PPP_ISIS(57), PACKET_PUNT_MLPPP_LCP(64),
PACKET_PUNT_PPP_UNCLASSIFIED_CP(53),
PACKET_PUNT_SEND_TO_HOST_FW(54),
PACKET_PUNT_SEND_TO_HOST_FW_INLINE_SVCS(59),
PACKET_PUNT_MLP(11), PACKET_PUNT_MLFR_CONTROL(65),
PACKET_PUNT_MFR_CONTROL(66)
Q3 (Q_L2_HI)
PACKET_PUNT_CONTROL(4), PACKET_PUNT_VC_HI(55),
PACKET_PUNT_KEEPALIVE(58), PACKET_PUNT_INLINE_KA(61),
PACKET_PUNT_DDOS_POLICER_VIOL(15)
Q4 (Q_OPTN)
PACKET_PUNT_OPTIONS(2), PACKET_PUNT_IGMP_SNOOP(12),
PACKET_PUNT_PIM_SNOOP(18),
PACKET_PUNT_MLD_SNOOP(19), PACKET_PUNT_VC_LO(56),
PACKET_PUNT_VC_TTL_ERROR(13)
Q5
(Q_IIF_MMTCH_TTL_EXPR)
PACKET_PUNT_TTL(1)
Q6 (Q_OTHER_ERRS)
PACKET_PUNT_REJECT_FW(36), PACKET_PUNT_REJECT(40),
PACKET_PUNT_REJECT_V6(48), PACKET_PUNT_RESOLVE(33),
PACKET_PUNT_RESOLVE_V6(69),
PACKET_ERR_FRAG_NEED_DF_SET,
PACKET_ERR_MTU_EXCEEDED,
PACKET_ERR_ENUM_CHK_MISMATCH (IIF mismatch)
Q7 (Q_SAMPLE)
PACKET_PUNT_SAMPLE_SYSLOG(41),
PACKET_PUNT_SAMPLE_HOST(42),
PACKET_PUNT_SAMPLE_PFE(43),
57

PACKET_PUNT_SAMPLE_TAP(44),
PACKET_PUNT_SAMPLE_SFLOW(71),
PACKET_PUNT_FAB_OUT_PROBE_PKT(5)
For the exception traffic hitting the HBC policer, its the discard exception type with TRKL tagged.
-
PACKET_ERR_ENUM_CHK_MISMATCH (mcast rpf mismatch)
PACKET_ERR_MTU_EXCEEDED (mtu exceeded)
PACKET_ERR_FRAG_NEED_DF_SET (frag needed but DF set)
Furthermore, DDOS will classify the packets and apply the corresponding policer before sending to the host via the MQ
host bound queue. There are 8 host bound queues (ie. MQchip Qsys 0 queue 1016-1023) and each of them will carry
different types of traffic.
// Host bound queue offsets
#define Q_HOST_L3_LO_OFF
#define Q_HOST_L3_HI_OFF
#define Q_HOST_L2_LO_OFF
#define Q_HOST_L2_HI_OFF
#define Q_HOST_OPTN_OFF
#define Q_HOST_IIF_MMTCH_TTL_EXPR_OFF
#define Q_HOST_OTHER_ERRS_OFF
#define Q_HOST_SAMPLE_OFF
typedef enum hostbound_q_ {

Q_L3_LO
= Q_HOST_L3_LO_OFF,
Q_L3_HI
= Q_HOST_L3_HI_OFF,
Q_L2_LO
= Q_HOST_L2_LO_OFF,
Q_L2_HI
= Q_HOST_L2_HI_OFF,
Q_OPTN
= Q_HOST_OPTN_OFF,
Q_IIF_MMTCH_TTL_EXPR = Q_HOST_IIF_MMTCH_TTL_EXPR_OFF,
Q_OTHER_ERRS
= Q_HOST_OTHER_ERRS_OFF,
Q_SAMPLE
= Q_HOST_SAMPLE_OFF
} hostbound_q_t;
The following provides a mapping between protocol packets and the host bound queue being used.
src/pfe/common/pfe-arch/trinity/tooklits/jnh_app/jnh_ddos.c - jnh_ddos_setup_asic_proto_id_maps()
Here is a table to list down the mapping between protocols and host bound queue being used after the classification and
policing. For example, once an IP option packet hits the PACKET_PUNT_OPTIONS exception, this PUNT will go thru the
HBC and be classified to either router-alert option (IP_OPT_RT_ALERT Q1) or others (IP_OPT_UNCLS Q4) protocol,
then, be assigned to the correct host bound queue.
Host queue
Protocols
58

Q0 (Q_L3_LO)
ICMP, DHCPV4, BGP, TELNET, FTP, SSH, SNMP, DHCPV6,

BGPV6, TELNETV6, FTPV6, SSHV6, SNMPV6, ICMPV6, NDPV6,
TCP_FLAGS_UNCLS, TCP_FLAGS_INITIAL, TCP_FLAGS_ESTAB,
DTCP, RADIUS_SERVER, RADIUS_ACCOUNT, RADIUS_AUTH,
NTP, TACACS, DNS, DIAMETER, IP_FRAG_FIRST,
IP_FRAG_TRAIL, L2TP, GRE, IPSEC, AMTV4, AMTV6, REDIRECT,
TUNNEL_FRAGMENT, SERVICES, DEMUXAUTOSENSE,
FAB_OUT_PROBE_PKT
Q1 (Q_L3_HI)
IGMP, OSPF, RSVP, PIM, RIP, PTP, BFD, LMP, LDP, MSDP, VRRP,
ANCP, IGMPV6, EGPV6, RSVPV6, PIMV6, IGMPV4V6, RIPV6,
BFDV6, LMPV6, LDPV6, MSDPV6, VRRPV6, ANCPV6, OSPFV3V6,
SEND_TO_HOST_SVCS, ISIS, IP_OPT_RT_ALERT
Q2 (Q_L2_LO)
AUTOSENSE, PPPOE_PADI, PPP_LCP, PPP_LCP_ECHO_REQ,

PPP_LCP_ECHO_REP, PPP_UNCLASSIFIED_CP, MLPPP_LCP,
VC_LO, VC_TTL_ERROR, MAC_FWD_TYPE_HOST, MLP,
L2PT_ERROR, SEND_TO_HOST_FW_INLINE_SVCS,
MLFR_CONTROL, MFR_CONTROL, ARP, MLP
Q3 (Q_L2_HI)
PPPOE_PADR, PPPOE_PADT, PPP_AUTH, PPP_IPV4CP,

PPP_IPV6CP, PPP_MPLSCP, PPP_ISIS, VC_HI, KEEPALIVE,
INLINE_KA, LACP, STP, ESMC, OAM_LFM, EOAM, LLDP, MVRP,
PMVRP, PVSTP, POS, JFM, ATM, PFE_ALIVE
Q4 (Q_OPTN)
IGMP_SNOOP, PIM_SNOOP, IP_OPT_UNCLS,

IP_OPT_NON_V4V6
Q5
(Q_IIF_MMTCH_TTL_EXPR)
TTL
Q6 (Q_OTHER_ERRS)
REJECT, REJECT_V6,
Q7 (Q_SAMPLE)
SAMPLE_SYSLOG, SAMPLE_HOST, SAMPLE_PFE,

SAMPLE_TAP, SAMPLE_SFLOW
uKern Level
After each PFE policed the host bound traffic, they will hit the uKern on the FPC and the aggregated traffic might be
policed again according to the DDOS policer configuration. The policer implementation on the uKern is a simple token
bucket algorithm policer rate is per-packet policer and the burst is the maximum number of accumulated credits.
Take IP option packets as an example. After each PFE applies a policer to police the corresponding optioned packet,
when the traffic from all PFEs hit the uKern, the corresponding protocol policer will police all the traffic again. As a result,
the packet will have to go through another round of policing.
ip-option unclassified packets from all PFEs within the MPC will hit a policer (10000 pps : uKern-config)
ip-option rt-alert packets from all PFEs within the MPC will hit a policer (20000 pps : uKern-config)
The sum of both ip-option packet types will go thru an aggregate policer on uKern to make sure the sum of them
wont exceed 20000 pps (Ukern-config)
59

NPC2(Dokinchan-re0 vty)# show ddos policer configuration ip-options
idx prot
---
group
proto on Pri
UKERN-Config
PFE-Config
rate burst
rate burst
--- ------------ ------------ -- -- ------ ----- ------ -----
123 3d00
ip-opt
aggregate
Y Hi
20000 20000
---
---
124 3d01
ip-opt
unclass..
Y Lo
10000 10000
10000 10000
125 3d02
ip-opt
rt-alert
Y Hi
20000 20000
20000 20000
126 3d03
ip-opt
non-v4v6
Y Lo
10000 10000
10000 10000
Here, the priority plays an important role. The priority here becomes a strict priority (until that traffic exceeds its own
policer for sure). Here, we have both rt-alert packets and unclassified ip-option packet. Both hit the same PFE and FPC.
When the rt-alert is hitting the maximum rate, which is the aggregate policer rate on the uKern, none of the rt-alert packet
will be dropped.
NPC2(Dokinchan-re0 vty)# show ddos policer configuration ip-options
idx prot
---
group
proto on Pri
UKERN-Config
PFE-Config
rate burst
rate burst
--- ------------ ------------ -- -- ------ ----- ------ -----
123 3d00
ip-opt
aggregate
Y Hi
20000 20000
---
---
124 3d01
ip-opt
unclass..
Y Lo
10000 10000
10000 10000
125 3d02
ip-opt
rt-alert
Y Hi
20000 20000
20000 20000
126 3d03
ip-opt
non-v4v6
Y Lo
10000 10000
10000 10000
NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-options

DDOS Policer Statistics:
arrival
idx prot
---
group
proto on
loc
pass
drop
----------- --
rate
pass
# of
rate flows
---
-----------
------
--------
--------
123 3d00
ip-opt
aggregate
UKERN
3415601
18227
18227
124 3d01
ip-opt
unclass..
UKERN
249112
PFE-0
2145609
13509618
138885
9993
125 3d02
126 3d03
ip-opt
ip-opt
rt-alert
non-v4v6
Y
Y
------ ------ ----0
UKERN
3166489
18227
18227
PFE-0
3479716
6936119
19607
19607
UKERN
PFE-0
arrival
pass
# of

idx prot
group
proto on
loc
pass
drop
---
-----------
----------- --
------
--------
--------
123 3d00
ip-opt
aggregate
UKERN
3502478
18191
18191
124 3d01
ip-opt
unclass..
UKERN
249112
PFE-0
2193323
14124657
138890
10013
125 3d02
ip-opt
rt-alert
UKERN
3253366
18191
18191
---
rate
rate flows
------ ------ -----
60
126 3d03
ip-opt
non-v4v6
PFE-0
3573282
6936119
19608
19608
UKERN
PFE-0
arrival
pass
# of

idx prot
---
group
proto on
loc
pass
drop
----------- --
------
--------
--------
UKERN
3668557
---
-----------
123 3d00
ip-opt
aggregate
124 3d01
ip-opt
unclass..
125 3d02
126 3d03
ip-opt
ip-opt
rt-alert
non-v4v6
Y
Y
rate
rate flows
------ ------ ----18212
18212
UKERN
249112
PFE-0
2284553
15300091
138812
9983
UKERN
3419445
18212
18212
PFE-0
3752105
6936119
19596
19596
UKERN
PFE-0
If we reduce the rt-alert rate a bit, then, can we see the higher rate for the ip-option unclassified packet.
arrival
idx prot
---
group
proto on
loc
pass
drop
----------- --
------
--------
--------
UKERN
4561353
---
-----------
123 3d00
ip-opt
aggregate
124 3d01
ip-opt
unclass..
125 3d02
126 3d03
ip-opt
ip-opt
rt-alert
non-v4v6
Y
Y
rate
pass
# of
rate flows
------ ------ ----18222
18222
UKERN
269188
1065
1065
PFE-0
2774347
21530507
138973
10003
UKERN
4292165
17156
17156
PFE-0
4640605
6936119
17166
17166
UKERN
PFE-0
pass
# of

arrival
idx prot
group
proto on
loc
pass
drop
---
-----------
----------- --
------
--------
--------
123 3d00
ip-opt
aggregate
UKERN
4668918
18261
18261
124 3d01
ip-opt
unclass..
UKERN
275697
1103
1103
PFE-0
2833222
22289521
138893
10006
125 3d02
ip-opt
rt-alert
UKERN
4393221
17157
17157
PFE-0
4741638
6936119
17157
17157
126 3d03
ip-opt
non-v4v6
UKERN
PFE-0
---
rate
rate flows
------ ------ -----
61

lab@Dokinchan-re0> show ddos-protection protocols ip-options violations
Packet types: 4, Currently violated: 2
Protocol
Packet
Bandwidth
Arrival
group
type
(pps)
rate(pps) rate(pps) violation detected at
Peak
Policer bandwidth
ip-opt
unclass..
10000
138887
138976
2013-11-20 12:43:02 JST
24510
65143
2013-11-20 13:17:04 JST
Detected on: FPC-2

ip-opt
rt-alert
20000
Detected on: FPC-2

lab@Dokinchan-re0> show ddos-protection protocols ip-options statistics detail
Packet types: 4, Received traffic: 3, Currently violated: 2
Protocol Group: IP-Options
Packet type: aggregate
System-wide information:
Aggregate bandwidth is never violated
Received:
279207038
Arrival rate:
Dropped:
Max arrival rate: 163554 pps
163407 pps

Aggregate policer is never violated
Received:
12433919
Arrival rate:
Dropped:
6916 pps
Dropped by individual policers: 0

Received:
279207038
Arrival rate:
Dropped:
229315487
163407 pps

Dropped by flow suppression:
Packet type: unclassified

Bandwidth is being violated!
No. of FPCs currently receiving excess traffic: 1
No. of FPCs that have received excess traffic:
Violation first detected at: 2013-11-20 12:43:02 JST

Violation last seen at:
2013-11-20 13:18:19 JST
Duration of violation: 00:35:17 Number of violations: 1

Received:
240374229
Arrival rate:
Dropped:
222044391
138896 pps

Policer is never violated
Received:
1663606
Arrival rate:
Dropped:
0 pps
Dropped by aggregate policer: 0

Policer is currently being violated!
62

2013-11-20 13:18:19 JST

Received:
240374229
Arrival rate:
Dropped:
222044391
Dropped by this policer:
138896 pps
222044391

Flow counts:
Aggregation level
Current
Total detected
State
Subscriber
Active
Logical-interface
Active
Physical-interface
Active
Packet type: router-alert


2013-11-20 13:18:19 JST

Received:
38832809
Arrival rate:
Dropped:
7271096
24511 pps

Received:
10770313
Arrival rate:
Dropped:
6916 pps

2013-11-20 13:18:19 JST

Received:
38832809
Arrival rate:
Dropped:
7271096
24511 pps
7271096

Flow counts:
Aggregation level
Current
Total detected
State
Subscriber
Active
Logical-interface
Active
Physical-interface
Active
lab@Dokinchan-re0>
The alarm will go off if the violation is cleared and last for recover time configured.
63

lab@Dokinchan-re0> show ddos-protection protocols ip-options parameters detail
Packet type: aggregate (Aggregate for all options traffic)
Bandwidth:
20000 pps
Burst:
20000 packets
Recover time:
300 seconds
Enabled:
Yes

Packet type: unclassified (Unclassified options traffic)
Bandwidth:
10000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Packet type: router-alert (Router alert options traffic)
Bandwidth:
20000 pps
Burst:
20000 packets
Priority:
High
Recover time:
300 seconds
Enabled:
Yes
64

lab@Dokinchan-re0# set system ddos-protection protocols ip-options aggregate recover-time ?
<recover-time>
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ip-options router-alert recover-time ?
<recover-time>
[edit]
lab@Dokinchan-re0#
The implementation details could be found from src/pfe/common/pfe-arch/trinity/toolkits/jnh_host/jnh_packet.c
Routing Engine Level

The policer implementation on the Routing Engine is pretty much the same as in the uKern. However, it will just police the
aggregated traffic for each group of traffic instead of looking into each protocol policer.
Taking the ip-option as an example again, the Routing Engine will just police the sum of all ip-option packets using the
aggregate policer rate (20000 pps). Also, the priority of each individual protocol packet still play a role here.
lab@Dokinchan-re0> show ddos-protection protocols ip-fragments statistics detail

Protocol Group: IP-Fragments
Aggregate bandwidth is no longer being violated
No. of FPCs that have received excess traffic: 1
Last violation started at: 2013-11-25 16:57:17 JST
Last violation ended at:
2013-11-25 17:04:54 JST
Duration of last violation: 00:07:37 Number of violations: 7

Received:
1764000
Arrival rate:
Dropped:
107811
0 pps

Aggregate policer is no longer being violated
Last violation started at: 2013-11-25 17:03:21 JST
Last violation ended at:
2013-11-25 17:04:48 JST
Duration of last violation: 00:01:27 Number of violations: 3

Received:
288314
Arrival rate:
0 pps
65

Dropped:
47

Dropped by aggregate policer:
47
The detail implementation of the policer in Routing Engine could be found under src/junos/bsd/sys/netpfe/ddos_policers.c.
Suspicious Control Flow Detection (SCFD)

This is a new feature introduced since 12.3 under RLI15473. With this new feature, other than policing the protocol
packets according to their protocol type, we can also detect/identify a possible attack flow, then, apply another policer or
even drop those packets in order to have a better protection for the host bound queue.
By default, the SCFD is disabled. This can be enabled by the folllwing configuration.
# set system ddos-protection global ?
flow-detection
Enable flow detection for all protocols
Once its enabled, the DDOS system will monitor the host bound traffic from 3 levels of flow granularity in LUchip once an
violation happens.
- Subscriber level (SUB)
- IFL level (DDOS protocol ID, IIF, Aggregation-level as key)
- IFD level (DDOS protocol ID, IFD, Aggregation-level as key)
When the DDOS violation happens, the SCFD check all the packets within that protocol. The idea is to use a hash
function to filter out the suspicious flow. Then, the flow is inserted into a LU hardware hash table.
If the flow has rate consistently above its allowed bandwidth for a detect-time period (flow-detect-time 3 secs by
default), we declare the suspicious flow to be a culprit flow. The traffic form it will be dropped consequently unless we
disable the drop. If a flow does not exceed its allowed bandwidth for the detect-time period, we assume that its a false
positive and remove that from the hardware hash table.
Once a suspicious flow rate is below its bandwidth for the recover time period (recover-time 60 secs by default), the
SCFD declares the flow to be normal, removes it from hardware flow table and let traffic resume.
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate ?
flow-detect-time
Time to determine a flow is bad (1..60 seconds)
flow-detection-mode
Flow detection mode for the packet type
> flow-level-bandwidth
> flow-level-control
> flow-level-detection
Specify detection mode at various levels
flow-recover-time
Time to return to normal after last violation (1..3600 seconds)
flow-timeout-time
Time to timeout the flow since found (1..7200 seconds)
no-flow-logging
Disable logging of violating flows
recover-time
timeout-active-flows
Bandwidth for flows at various levels

Specify how discovered flows are controlled
Allow timeout active violating flows
66
This is to configure the aggregate policer rate.

[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-bandwidth ?
+ apply-groups
logical-interface
Bandwidth for logical interface flows (1..30000 packets per second)
physical-interface
Bandwidth for physical interface flows (1..50000 packets per second)
subscriber
Bandwidth for subscriber flows (1..10000 packets per second)
This is to configure the SCFD IFL level policer rate

[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-bandwidth logical-interface ?
<logical-interface>
Bandwidth for logical interface flows (1..30000 packets per second)
This is to configure the SCFD IFD level policer rate

[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-bandwidth physical-interface ?
<physical-interface>
Bandwidth for physical interface flows (1..50000 packets per second)
This is to configure the action once a suspicious flow is detected on different level.
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-control ?
+ apply-groups
logical-interface
Specify how logical-interface flows are controlled
physical-interface
Specify how physical-interface flows are controlled
subscriber
Specify how subscriber flows are controlled
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-control logical-interface ?
drop
Drop all traffic of flows of this level
keep
Keep all traffic of flows of this level
police
Police flows to within the bandwidth of this level
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-control physical-interface ?
drop
Drop all traffic of flows of this level
keep
Keep all traffic of flows of this level
police
Police flows to within the bandwidth of this level
This is to enable/disable the SCFD flow detection on different level.

[edit]
67

lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-detection ?
+ apply-groups
logical-interface
Specify detection mode at logical-interface level
physical-interface
Specify detection mode at physical-interface level
subscriber
Specify detection mode at subscriber level
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-detection logical-interface ?
automatic
Detect flows at logical-interface level if needed
off
Do not detect flows at logical-interface level
on
Always detect flows at logical-interface level
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-detection physical-interface ?
automatic
Detect flows at physical-interface level if needed
off
Do not detect flows at physical-interface level
on
Always detect flows at physical-interface level
[edit]
lab@Dokinchan-re0#
Here is the default SCFD configuration or each protocol. When the SCFD is enabled, by default, the flow detection mode
is auto (op-mode:a) and once the suspicious flow is detected, the action is to drop the packets (fc-mode:d). The detection
rate on all 3 levels is protocol dependent. For example, in OSPF, the sub level is 10pps (which is not being used I
believe), the ifl level is 10pps and the IFD level is 20000pps. When the mode is set to on, the new flow will be added to
the table automatically.
By default, the active-flow-timeout is disabled. If active-flow-timeout is enabled, the flow will be removed from the list when
its there for active-flow-timeout time (300 secs by default). Once its removed, the flow will generate a violation event
again and it will be added back to the list.
NPC2(Dokinchan-re0 vty)# show ddos scfd proto-states all
(sub|ifl|ifd)-cfg: op-mode:fc-mode:bwidth(pps)
op-mode: a=automatic, o=always-on, x=disabled
fc-mode: d=drop-all, k=keep-all, p=police
d-t: detect time, r-t: recover time, t-t: timeout time
aggr-t: last aggregated/deaggreagated time
idx prot
group
--- ----
--------
ifd-cfg
d-t
r-t
t-t
aggr-t
-------- ---- ------ --- ----- ----- --------- --------- ---------
proto mode detect agg flags state
---
---
---
------
ifl-cfg
host-path
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:25000
60
300
100
ipv4-uncls
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
200
ipv6-uncls
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
300
dynvlan
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
400
ppp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:16000
60
300
401
ppp
unclass auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
sub-cfg
68
402
ppp
lcp auto
no
0 a:d:
10 a:d:
10 a:d:12000
60
300
403
ppp
auth auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
404
ppp
ipcp auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
405
ppp
ipv6cp auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
10
406
ppp
mplscp auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
11
407
ppp
isis auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
12
408
ppp
echo-req auto
no
0 a:d:
10 a:d:
10 a:d:12000
60
300
13
409
ppp
echo-rep auto
no
0 a:d:
10 a:d:
10 a:d:12000
60
300
14
40a
ppp
mlppp-lcp auto
no
0 a:d:
10 a:d:
10 a:d:12000
60
300
15
500
pppoe
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
16
501
pppoe
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
17
502
pppoe
padi auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
18
503
pppoe
pado auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
19
504
pppoe
padr auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
20
505
pppoe
pads auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
21
506
pppoe
padt auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
22
507
pppoe
padm auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
23
508
pppoe
padn auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
24
600
dhcpv4
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 5000
60
300
25
601
dhcpv4
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:
300
60
300
26
602
dhcpv4
discover auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
27
603
dhcpv4
offer auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
28
604
dhcpv4
request auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
29
605
dhcpv4
decline auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
30
606
dhcpv4
ack auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
31
607
dhcpv4
nak auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
32
608
dhcpv4
release auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
33
609
dhcpv4
inform auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
34
60a
dhcpv4
renew auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
35
60b
dhcpv4
forcerenew auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
36
60c
dhcpv4
leasequery auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
37
60d
dhcpv4
leaseuna.. auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
38
60e
dhcpv4
leaseunk.. auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
39
60f
dhcpv4
leaseact.. auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
40
610
dhcpv4
bootp auto
no
0 a:d:
10 a:d:
10 a:d:
300
60
300
41
611
dhcpv4
no-msgtype auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
42
612
dhcpv4
bad-pack.. auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
43
700
dhcpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 5000
60
300
44
701
dhcpv6
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d: 3000
60
300
45
702
dhcpv6
solicit auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
46
703
dhcpv6
advertise auto
no
0 a:d:
10 a:d:
10 a:d:
500
60
300
47
704
dhcpv6
request auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
48
705
dhcpv6
confirm auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
49
706
dhcpv6
renew auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
50
707
dhcpv6
rebind auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
51
708
dhcpv6
reply auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
52
709
dhcpv6
release auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
53
70a
dhcpv6
decline auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
54
70b
dhcpv6
reconfig auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
69
55
70c
dhcpv6
info..req auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
56
70d
dhcpv6
relay-for.. auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
57
70e
dhcpv6
relay-rep.. auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
58
70f
dhcpv6
leasequery auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
59
710
dhcpv6
leaseq..re auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
60
711
dhcpv6
leaseq..do auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
61
712
dhcpv6
leaseq..da auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
62
800
vchassis
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:30000
60
300
63
801
vchassis
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
64
802
vchassis
control-hi auto
no
0 a:d:
10 a:d:
10 a:d:10000
60
300
65
803
vchassis
control-lo auto
no
0 a:d:
10 a:d:
10 a:d: 8000
60
300
66
804
vchassis
vc-packets auto
no
0 a:d:
10 a:d:
10 a:d:30000
60
300
67
805
vchassis
vc-ttl-err auto
no
0 a:d:
10 a:d:
10 a:d: 4000
60
300
68
900
icmp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
69
a00
igmp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
70
b00
ospf
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
71
c00
rsvp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
72
d00
pim
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
73
e00
rip
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
74
f00
ptp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
75 1000
bfd
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
76 1100
lmp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
77 1200
ldp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
78 1300
msdp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
79 1400
bgp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
80 1500
vrrp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
81 1600
telnet
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
82 1700
ftp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
83 1800
ssh
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
84 1900
snmp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
85 1a00
ancp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
86 1b00
igmpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
87 1c00
egpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
88 1d00
rsvpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
89 1e00
igmpv4v6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
90 1f00
ripv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
91 2000
bfdv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
92 2100
lmpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
93 2200
ldpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
94 2300
msdpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
95 2400
bgpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
96 2500
vrrpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
97 2600
telnetv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
98 2700
ftpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
99 2800
sshv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
100 2900
snmpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
101 2a00
ancpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
102 2b00
ospfv3v6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
103 2c00
lacp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
70
104 2d00
stp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
105 2e00
esmc
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
106 2f00
oam-lfm
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
107 3000
eoam
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
108 3100
lldp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
109 3200
mvrp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
110 3300
pmvrp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
111 3400
arp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
112 3500
pvstp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
113 3600
isis
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
114 3700
pos
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
115 3800
mlp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
116 3801
mlp
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
117 3802
mlp
packets auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
118 3803
mlp
aging-exc auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
119 3900
jfm
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
120 3a00
atm
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
121 3b00
pfe-alive
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
122 3c00
ttl
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
123 3d00
ip-opt
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
124 3d01
ip-opt
unclass.. auto
no
10 a:d:
10 a:d:
10 a:d:10000
60
300 147024965
125 3d02
ip-opt
rt-alert auto
no
10 a:d:
10 a:d:
10 a:d:20000
60
300 147024965
126 3d03
ip-opt
non-v4v6 auto
no
0 a:d:
10 a:d:
10 a:d:10000
60
300
127 3e00
redirect
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
128 3f00
control
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
129 4000
mcast-copy
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
130 4100
mac-host
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
131 4200
tun-frag
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
132 4300 mcast-snoop
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
igmp auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
pim auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
mld auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
137 4400
services
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
138 4401
services
unclass.. auto
no
0 a:d:
0 a:d:
0 a:d:20000
139 4402
services
packet auto
no
0 a:d:
0 a:d:
0 a:d:20000
140 4403
services
BSDT auto
no
0 a:d:
0 a:d:
0 a:d:20000
141 4500
demuxauto
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
142 4600
reject
aggregate auto
no
10 a:d:
10 a:d:
10 a:d: 2000
60
300 78193870
143 4700
fw-host
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
144 4800
tcp-flags
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
145 4801
tcp-flags
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
146 4802
tcp-flags
initial auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
147 4803
tcp-flags
establish auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
148 4900
dtcp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
149 4a00
radius
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
150 4a01
radius
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
151 4a02
radius
server auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
152 4a03
radius
account.. auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
71
153 4a04
radius
auth.. auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
154 4b00
ntp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
155 4c00
tacacs
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
156 4d00
dns
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
157 4e00
diameter
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
158 4f00
ip-frag
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
159 4f01
ip-frag
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
160 4f02
ip-frag
first-frag auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
161 4f03
ip-frag
trail-frag auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
162 5000
l2tp
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
163 5100
gre
aggregate auto
no
10 a:d:
10 a:d:
10 a:d:20000
60
300 146854970
164 5200
ipsec
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
165 5300
pimv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
166 5400
icmpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
167 5500
ndpv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
168 5600
sample
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
169 5601
sample
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
170 5602
sample
syslog auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
171 5603
sample
host auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
172 5604
sample
pfe auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
173 5605
sample
tap auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
174 5606
sample
sflow auto
no
0 a:d:
10 a:d:
10 a:d: 1000
60
300
175 5700
fab-probe
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
176 5800
uncls
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
177 5801
uncls
other auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
178 5802
uncls
resolve-v4 auto
no
20 a:d:
10 a:d:
10 a:d: 5000
60
300 55243480
179 5803
uncls
resolve-v6 auto
no
0 a:d:
10 a:d:
10 a:d: 5000
60
300
180 5804
uncls
control-v4 auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
181 5805
uncls
control-v6 auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
182 5806
uncls
host-rt-v4 auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
183 5807
uncls
host-rt-v6 auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
184 5808
uncls
filter-v4 auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
185 5809
uncls
filter-v6 auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
186 580a
uncls
control-l2 auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
187 580b
uncls
fw-host auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
188 580c
uncls
mcast-copy auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
189 5900
rejectv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d: 2000
60
300
190 5a00
l2pt
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
191 5b00
keepalive
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
192 5c00
inline-ka
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
193 5d00 inline-svcs
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
194 5e00 frame-relay
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
unclass.. auto
no
0 a:d:
10 a:d:
10 a:d:
60
300
frf15 auto
no
0 a:d:
10 a:d:
10 a:d:12000
60
300
frf16 auto
no
0 a:d:
10 a:d:
10 a:d:12000
60
300
198 5f00
amtv4
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
199 6000
amtv6
aggregate auto
no
0 a:d:
10 a:d:
10 a:d:20000
60
300
72
State
#define DDOS_SCFD_STATE_CLEARING
0x00000001 /* is clearing */
#define DDOS_SCFD_STATE_RATE_MOD
0x00000002 /* on rate mod list */
#define DDOS_SCFD_STATE_AGGRED
0x00000010 /* prev op is aggr */
#define DDOS_SCFD_STATE_DEAGGRED
0x00000020 /* prev op is de-aggr */
#define DDOS_SCFD_STATE_AGGR_MASK 0x00000030 /* prev aggr op mask */

Agg
#define DDOS_SCFD_AGGR_ON_MAP(p)
((((p)->aggr_levels[DDOS_SCFD_AGGR_LEVEL_SUB].flags &
SCFD_AGGR_FLAG_ACTIVE) ? (1 << DDOS_SCFD_AGGR_LEVEL_SUB) : 0) |

(((p)->aggr_levels[DDOS_SCFD_AGGR_LEVEL_IFL].flags &
\
\
SCFD_AGGR_FLAG_ACTIVE) ? (1 << DDOS_SCFD_AGGR_LEVEL_IFL) : 0) |

(((p)->aggr_levels[DDOS_SCFD_AGGR_LEVEL_IFD].flags &
\
\
SCFD_AGGR_FLAG_ACTIVE) ? (1 << DDOS_SCFD_AGGR_LEVEL_IFD) : 0))

#define DDOS_SCFD_AGGR_LEVEL_1ST
0x00
#define DDOS_SCFD_AGGR_LEVEL_SUB
0x00
#define DDOS_SCFD_AGGR_LEVEL_IFL
0x01
#define DDOS_SCFD_AGGR_LEVEL_IFD
0x02
#define DDOS_SCFD_AGGR_LEVEL_INVALID
0x03
Flags
#define SCFD_PROTO_FLAG_LOCAL_MASK 0x0000FFFF
#define SCFD_PROTO_FLAG_RUN_UKERN 0x00000001
#define SCFD_PROTO_FLAG_RUN_ASIC
0x00000002
#define SCFD_PROTO_FLAG_NO_LOG
0x00010000
#define SCFD_PROTO_FLAG_TO_ACTV
0x00020000 /* Allow timeout of flow */
Here is an example with ip-option flows.

lab@Dokinchan-re0> show ddos-protection protocols ip-options flow-detection
Flow detection configuration:
Detection mode: Automatic
Detect time:
Log flows:
Yes
Recover time: 60 seconds
3 seconds
Timeout flows:
No
Timeout time: 300 seconds
Flow aggregation level configuration:
Aggregation level
Detection mode
Control mode
Flow rate
Subscriber
Automatic
Drop
10 pps
Logical interface
Automatic
Drop
10 pps
Physical interface
Automatic
Drop
20000 pps
73

Packet type: unclassified
Detect time:
Log flows:
Yes
3 seconds
Timeout flows:
No

Aggregation level
Detection mode
Control mode
Flow rate
Subscriber
Automatic
Drop
10 pps
Logical interface
Automatic
Drop
10 pps
Physical interface
Automatic
Drop
10000 pps
Packet type: router-alert

Detect time:
3 seconds
Log flows:
Yes
Timeout flows:
No

Aggregation level
Detection mode
Control mode
Flow rate
Subscriber
Automatic
Drop
10 pps
Logical interface
Automatic
Drop
10 pps
Physical interface
Automatic
Drop
20000 pps
Packet type: non-v4v6

Detect time:
Log flows:
Yes
3 seconds
Timeout flows:
No

Aggregation level
Detection mode
Control mode
Flow rate
Subscriber
Automatic
Drop
10 pps
Logical interface
Automatic
Drop
10 pps
Physical interface
Automatic
Drop
10000 pps
Once a suspicious flow is detected, it will be deaggreagted from the subscriber/IFL levels, depending on the rate. With the
flow installed, none of these packets would hit the host as the action is drop by default.
Nov 20 13:57:52.659
Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-
Options:unclassified on ge-2/0/0.0 with source addr -- -- -- is found at 2013-11-20 13:57:52 JST

Nov 20 13:57:52.659
Options:router-alert on ge-2/0/0.0 with source addr -- -- -- is found at 2013-11-20 13:57:52 JST

Nov 20 13:57:52.659
Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 13:57:52 JST
Nov 20 13:57:52.659
Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 13:57:52 JST
Nov 20 13:57:52.659
Options:unclassified on ge-2/0/0 with source addr -- -- -- is found at 2013-11-20 13:57:52 JST

Nov 20 13:57:54.597
Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_DEAGGREGATED: Flows of protocol IP-
Options:router-alert on slot fpc 2 are deaggregated to subscriber, logical-interface level(s)
74

lab@Dokinchan-re0> show ddos-protection protocols ip-options violations
Packet types: 4, Currently violated: 2
Protocol
Packet
Bandwidth
Arrival
group
type
(pps)
rate(pps) rate(pps) violation detected at
Peak
Policer bandwidth
ip-opt
unclass..
10000
138893
138976
2013-11-20 12:43:02 JST
24510
65143
2013-11-20 13:17:04 JST
Detected on: FPC-2

ip-opt
rt-alert
20000
Detected on: FPC-2

lab@Dokinchan-re0> show ddos-protection protocols ip-options culprit-flows
Currently tracked flows: 2, Total detected flows: 7
Protocol
Packet
Arriving
Source Address
group
type
Interface
MAC or IP
ip-opt
unclass..
ge-2/0/0.0
192.1.1.2
sub:0002000000000008 2013-11-20 14:29:14 JST pps:138890 pkts:18334191

ip-opt
rt-alert
ge-2/0/0.0
192.1.1.2
sub:0002000000000007 2013-11-20 14:29:14 JST pps:24510 pkts:3235435

lab@Dokinchan-re0>
arrival
idx prot
# of
group
proto on
loc
pass
drop
---
-----------
----------- --
------
--------
--------
123 3d00
ip-opt
aggregate
UKERN
76227465
124 3d01
ip-opt
unclass..
UKERN
1880974
PFE-0
42059480
591983015
138910
125 3d02
ip-opt
rt-alert
UKERN
74346491
PFE-0
79020937
29282748
24513
UKERN
PFE-0
---
126 3d03
ip-opt
non-v4v6
rate
pass
rate flows
------ ------ -----
NPC2(Dokinchan-re0 vty)# show ddos scfd proto-states ip-options

idx prot
group
--- ----
--------
123 3d00
ip-opt
aggregate auto
no
0 a:d:
10 a:d:
124 3d01
ip-opt
unclass.. auto detect
20 a:d:
125 3d02
ip-opt
rt-alert auto detect
126 3d03
ip-opt
non-v4v6 auto
ifd-cfg
d-t
r-t
t-t
aggr-t
-------- ---- ------ --- ----- ----- --------- --------- ---------
---
---
---
------
10 a:d:20000
60
300
10 a:d:
10 a:d:10000
60
300 151310230
20 a:d:
10 a:d:
10 a:d:20000
60
300 151309230
0 a:d:
10 a:d:
10 a:d:10000
60
300
no
sub-cfg
ifl-cfg
75

NPC2(Dokinchan-re0 vty)# show ddos scfd asic-flows 0
pfe
idx rindex prot aggr IIF/IFD
pkts
--- ---- ------ ---- ---- -------
-------
bytes source-info
-------- ----------
5 3d02
sub
339
12355587
963735708 c0010102 c0010101
3 3d01
sub
339
70015063
4620994092 c0010102 c0010101
NPC2(Dokinchan-re0 vty)# show ddos scfd asic-flows 0 details

PFE:
Flow Record Index:
Flow Key:
Proto-ID:
3d02
Key type:
IIF:
339
Src IP addr:
c0010102 (192.1.1.2)
Dst IP addr:
c0010101 (192.1.1.1)
Src port:
Dst port:
Flow Context Data:

Rcvd ack_add:
Rcvd ack_del:
Rcvd last flow op:
Flow state:
Aggr level:
Proto idx:
125
Policer idx:
Time inserted:
1944001488
Time last violated:
1944507734
Last received:
12408018
Flow Statitics:
Packet Count:
12410556
Byte Count:
968023290
PFE:
Flow Record Index:
Flow Key:
Proto-ID:
3d01
Key type:
IIF:
339
Src IP addr:
c0010102 (192.1.1.2)
Dst IP addr:
c0010101 (192.1.1.1)
Src port:
Dst port:
Flow Context Data:
Rcvd ack_add:
Rcvd ack_del:
Rcvd last flow op:
Flow state:
Aggr level:
76

Proto idx:
124
Policer idx:
Time inserted:
1944001488
Time last violated:
1944508734
Last received:
70451039
Flow Statitics:
Packet Count:
70497989
Byte Count:
4652867208
If active-flow-timeout is configured, the active monitoring flow will be removed form the list. If the rate of that flow still
exceeds the protocol DDOS rate, it will genereate another violation event and it will be re-added to the list.
[edit]
lab@Dokinchan-re0# show system ddos-protection
global {
flow-detection;
}
protocols {
ip-options {
aggregate {
timeout-active-flows;
}
unclassified {
}
router-alert {
}
}
}
NPC2(Dokinchan-re0 vty)# show ddos scfd proto-states ip-options
idx prot
group
--- ----
--------
ifd-cfg
d-t
r-t
t-t
aggr-t
-------- ---- ------ --- ----- ----- --------- --------- ---------
---
---
---
123 3d00
ip-opt
aggregate auto
no
1 20002
0 a:d:
10 a:d:
------
10 a:d:20000
60
300
124 3d01
ip-opt
unclass.. auto detect
1 20002
20 a:d:
10 a:d:
10 a:d:10000
60
300 151310230
125 3d02
ip-opt
rt-alert auto detect
1 20002
126 3d03
ip-opt
non-v4v6 auto
20 a:d:
10 a:d:
10 a:d:20000
60
300 151309230
0 a:d:
10 a:d:
10 a:d:10000
60
300
no
sub-cfg
ifl-cfg
77

Nov 20 14:34:13.661
Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_TIMEOUT: A flow of protocol IP-
Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is timed out. Found at 2013-11-20 14:29:14 JST,
last observed at 2013-11-20 14:29:14 JST
Nov 20 14:34:13.661
Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_TIMEOUT: A flow of protocol IP-
Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is timed out. Found at 2013-11-20 14:29:14 JST,
last observed at 2013-11-20 14:29:14 JST
Nov 20 14:34:16.663
Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 14:34:16 JST
Nov 20 14:34:16.663
Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 14:34:16 JST
NPC2(Dokinchan-re0 vty)# show ddos scfd asic-flows 0 details
PFE:
Flow Record Index:
12
Flow Key:
Proto-ID:
3d02
Key type:
IIF:
339
Src IP addr:
c0010102 (192.1.1.2)
Dst IP addr:
c0010101 (192.1.1.1)
Src port:
Dst port:
Flow Context Data:

Rcvd ack_add:
Rcvd ack_del:
Rcvd last flow op:
Flow state:
Aggr level:
Proto idx:
125
Policer idx:
Time inserted:
1946184735
Time last violated:
1946475734
Last received:
7132354
Flow Statitics:
Packet Count:
7152878
Byte Count:
557924406
PFE:
Flow Record Index:
11
Flow Key:
Proto-ID:
3d01
Key type:
IIF:
339
Src IP addr:
c0010102 (192.1.1.2)
Dst IP addr:
c0010101 (192.1.1.1)
Src port:
Dst port:
Flow Context Data:
78

Rcvd ack_add:
Rcvd ack_del:
Rcvd last flow op:
Flow state:
Aggr level:
Proto idx:
124
Policer idx:
Time inserted:
1946184734
Time last violated:
1946476734
Last received:
40555616
Flow Statitics:
Packet Count:
40662069
Byte Count:
2683696488
79
DDOS Configuration Hierarchy

Although disabling the DDOS is not recommended, however, it can still be disabled via configuration. We can disable the
DDOS on Routing Engine level or/and FPC level. We can also control the flow-report-rate and violation-report-rate.

[edit]
lab@Dokinchan-re0# set system ddos-protection global ?
+ apply-groups
+ apply-groups-except Don't inherit configuration data from these groups
disable-fpc
Disable FPC policing for all protocols
disable-logging
Disable event logging for all protocols
disable-routing-engine Disable Routing Engine policing for all protocols
flow-detection
Enable flow detection for all protocols
flow-report-rate
Set the rate of reporting flows for all FPC's (1..50000 reports per second)
violation-report-rate Set the rate of reporting protocol violations for all FPC's (1..50000 reports per
second)
[edit]
lab@Dokinchan-re0#

The granularity can go down to per-protocol basis.

[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate ?
+ apply-groups
+ apply-groups-except Don't inherit configuration data from these groups
bandwidth
burst
disable-fpc
disable-logging
disable-routing-engine Turn off policing on routing engine
flow-detect-time
Time to determine a flow is bad (1..60 seconds)
flow-detection-mode Flow detection mode for the packet type
> flow-level-bandwidth Bandwidth for flows at various levels
> flow-level-control
Specify how discovered flows are controlled
> flow-level-detection Specify detection mode at various levels
flow-recover-time
Time to return to normal after last violation (1..3600 seconds)
flow-timeout-time
Time to timeout the flow since found (1..7200 seconds)
> fpc
no-flow-logging
Disable logging of violating flows
recover-time
timeout-active-flows Allow timeout active violating flows
[edit]
lab@Dokinchan-re0# set
+ apply-groups
bandwidth-scale
burst-scale
disable-fpc
system ddos-protection protocols ospf aggregate fpc 0 ?

Bandwidth scale from 1% to 100% (1..100 percent)
Burst scale from 1% to 100% (1..100 percent)
Turn off policing on this slot
[edit]
lab@Dokinchan-re0#

The bandwidth-scale/burst-scale configuration under the FPC is used to configure how much bandwidth (bandwidth *
bandwith-scale% / burst * burst-scale%) should be applied on that FPC. For example, with 50% for both bandwidth and
burst scale, the OSPF protocol policer becomes:

[edit]
lab@Dokinchan-re0# run show ddos-protection protocols ospf parameters
Protocol Group: OSPF
80
Packet type: aggregate (Aggregate for all ospf traffic)

Bandwidth:
20000 pps
Burst:
20000 packets
Recover time:
300 seconds
Enabled:
Yes
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate fpc 2 bandwidth-scale 50
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate fpc 2 burst-scale 50
[edit]
lab@Dokinchan-re0# commit
commit complete
[edit]
lab@Dokinchan-re0# run show ddos-protection protocols ospf parameters
Protocol Group: OSPF
Packet type: aggregate (Aggregate for all ospf traffic)
Bandwidth:
20000 pps
Burst:
20000 packets
Recover time:
300 seconds
Enabled:
Yes
[edit]
lab@Dokinchan-re0#
81
Statistics/Errors
We can capture the per-protocol statistics before and after the policers being applied on the packets.
lab@Dokinchan-re0> show ddos-protection protocols ip-options unclassified
Packet type: unclassified (Unclassified options traffic)
Bandwidth:
10000 pps
Burst:
10000 packets
Priority:
Low
Recover time:
300 seconds
Enabled:
Yes
Detect time:
Log flows:
Yes
3 seconds
Timeout flows:
No

Aggregation level
Detection mode
Control mode
Flow rate
Subscriber
Automatic
Drop
10000 pps*
Logical interface
Automatic
Drop
10000 pps*
Physical interface
Automatic
Drop
10000 pps

2013-11-20 17:15:31 JST

Received:
134723
Arrival rate:
Dropped:
98645
0 pps
Flow counts:
Drop doesnt count the uKern Agg policer.

(92837 + 5808 = 98645). This is PR942816.
Aggregation level
Current
Total detected
Subscriber
Total

Received:
16963
Arrival rate:
Dropped:
0 pps
17574 611 = 16963 sent to Routing Engine

2013-11-20 17:15:31 JST
82

134723 117149 = 17574 sent to host queue
Received:
134723
Arrival rate:
Dropped:
117149
0 pps
5808 + 18504 + 92837 = 117149
Drop by protocol policer
5808
Drop by aggregate policer on uKern
Drop by SCFD policer
92837
Flow counts:
Aggregation level
Current
Total detected
State
Subscriber
Active
Total

arrival
idx prot
---
group
proto on
loc
pass
drop
----------- --
---
-----------
------
--------
--------
123 3d00
ip-opt
aggregate
UKERN
17574
18504
124 3d01
ip-opt
unclass..
UKERN
36078
rate
pass
# of
rate flows
------ ------ ----0
^^^^^ Agg Policer + Protocol Policer in uKern

18504
^^^^^ Protocol Policer in uKern

PFE-0
36078
98645
7841
UKERN
PFE-0
UKERN
PFE-0
^^^^^ Protocol Policer + SCFD drops

125 3d02
126 3d03
ip-opt
rt-alert
ip-opt
non-v4v6
Y
Y
NPC2(Dokinchan-re0 vty)# show mqchip 0 dstat stats 0 1020

QSYS 0 QUEUE 1020 colormap 2 stats index 48:
Counter
Packets
Pkt Rate
Bytes
Byte Rate
------------------------ ---------------- ------------ ---------------- -----------Forwarded (NoRule)

Forwarded (Rule)
36078
3283098
^^^^^^^ Packet sent via the option queue to uKern

Color 0 Dropped (WRED)
Color 0 Dropped (TAIL)
Dropped (Force)
Dropped (Error)
Queue inst depth
: 0
Queue avg len (taql): 0
83
NPC2(Dokinchan-re0 vty)# show options statistics

IP Option Values:
LSRR/SSRR forwarding disabled
IP Option Statistics:
0 loose source routes
0 strict source routes
0 record routes
0 router alerts
16963 other options
IP Option Errors:
0 runts
0 bad versions
0 runt header lengths
0 giant header lengths
0 null frames
0 bad option lengths
0 duplicate options
0 bad option pointers
0 source route frames dropped
IP Option Queue Stats:
16963 queued
0 queue drops
0 queue deletes
25 high water mark queued
0 current queued
611 policer drops
IP option protocol queue stats:
Protocol Other
max number tokens 025
16963 queued
0 queue drops
0 queue deletes
0 current queued
611 policer drops
Option queue policer drop
IGMP Queue Stats:

0 queued
0 queue drops
0 queue deletes
0 current queued
0 policer drops
84

If we check the aggregate policer drop, the system wide statistics will count the uKern aggregate policer drop. Here, we
inject 30K pkts for each ip-frag type. The following might be confusing as the pass count is including the drop pkts.
PR942813 has filed to enhance this command output.
NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-fragments
arrival
idx prot
group
proto on
loc
pass
drop
---
-----------
----------- --
------
--------
--------
158 4f00
ip-frag
UKERN
12751
---
aggregate
rate
pass
# of
rate flows
------ ------ -----
47249
^^^^^ Sum of the drop below

159 4f01
ip-frag
unclass..
N/A
---
---
---
---
---
160 4f02
ip-frag
first-frag
UKERN
30000
23484
^^^^^ Drop by uKern Agg policer. This is PR942813

161 4f03
ip-frag
trail-frag
PFE-0
30000
UKERN
30000
23765
^^^^^ Drop by uKern Agg policer. This is PR942813

PFE-0
30000
Total drop on MPC is 23484 + 23765 = 47249. With 7 pkts drop on RE, the total drop becomes 47256.
lab@Dokinchan-re0> show ddos-protection protocols ip-fragments aggregate
Packet type: aggregate (Aggregate for all IP Fragment traffic)
Bandwidth:
3000 pps*
Burst:
3000 packets*
Recover time:
300 seconds
Enabled:
Yes

Detect time:
Log flows:
Yes
3 seconds
Timeout flows:
No

Aggregation level
Detection mode
Control mode
Flow rate
Subscriber
Automatic
Drop
10 pps
Logical interface
Automatic
Drop
10 pps
Physical interface
Automatic
Drop
20000 pps
Aggregate bandwidth is being violated!
85


2013-11-22 12:28:57 JST

Received:
60000
Arrival rate:
Dropped:
47256
Max arrival rate: 6933 pps 47249 + 7 = 47256
0 pps

Aggregate policer is currently being violated!
2013-11-22 12:28:51 JST

Received:
12751
Arrival rate:
Dropped:
0 pps


Aggregate policer is currently being violated!
2013-11-22 12:28:57 JST

Received:
60000
Arrival rate:
Dropped:
47249
0 pps

47249 With aggregate statistics, this count includes the drops under
flow suppression which is incorrect. This is PR942816.
Flow counts:
Aggregation level
Current
Total detected
State
Subscriber
Active
Logical-interface
Active
Physical-interface
Active
This shows us a summary of drop statistics.

NPC2(Dokinchan-re0 vty)# show jnh 0 exceptions hbc policers
Global Policer:
policer_nexthop: 0xC03C152607CB9001
policer_result:
dropped packets:
0x4C3F2360
0
Hostbound policer packet drops: 0 Sum of HBC policer drop for exception nhs.
Aggregate policer packet drops: 40160393 Sum of all DDOS IPv4 policer drops.
Aggregate IPv6 policer packet drops: 76521499 Sum of all DDOS IPv6 policer drops.
86
Here are some DDOS error counters to record errors when it parses the received protocol frames.
NPC2(Dokinchan-re0 vty)# show ddos asic global-rx-errors
DDOS ASIC counters:
Pkts on unsupported reason code: 0
Reason -- Proto-ID Errors:
Code Reason
Error Type
Pkts
---- ------------
----------
----
---
unsupported
PUNT_TTL
mismatch-id
PUNT_OPTIONS
non-exist-id
PUNT_REDIRECT
mismatch-id
PUNT_CONTROL
non-exist-id
PUNT_FAB_OUT_PROBE_PKT
mismatch-id
PUNT_HOST_COPY
non-exist-id
PUNT_MAC_FWD_TYPE_HOST
mismatch-id
PUNT_TUNNEL_FRAGMENT
mismatch-id
---
unsupported
0 PUNT_GIMLET_PKT
10
---
unsupported
11
PUNT_MLP
12
13
PUNT_IGMP_SNOOP
mismatch-id
PUNT_VC_TTL_ERROR
mismatch-id
14
PUNT_L2PT_ERROR
mismatch-id
15
---
unsupported
0 PUNT_DDOS_POLICER_VIOL
16
---
unsupported
0 PUNT_DDOS_SCFD
17
---
unsupported
0 PUNT_LU_NOTIF
18
PUNT_PIM_SNOOP
mismatch-id
19
---
unsupported
0 PUNT_MLD_SNOOP
20
---
unsupported
0 Undefined
21
---
unsupported
0 Undefined
22
---
unsupported
0 Undefined
23
---
unsupported
0 Undefined
24
---
unsupported
0 Undefined
25
---
unsupported
0 Undefined
26
---
unsupported
0 Undefined
27
---
unsupported
0 Undefined
28
---
unsupported
0 Undefined
29
---
unsupported
0 Undefined
30
---
unsupported
0 Undefined
31
---
unsupported
0 Undefined
32
PUNT_PROTOCOL
non-exist-id
33
PUNT_RESOLVE
non-exist-id
34
PUNT_RECEIVE
non-exist-id
0 PUNT_FLOW_REJECT
non-exist-id
87

35
PUNT_AUTOSENSE
mismatch-id
36
PUNT_REJECT_FW
non-exist-id
37
---
unsupported
0 PUNT_UNUSED
38
PUNT_SERVICES
mismatch-id
39
PUNT_DEMUXAUTOSENSE
mismatch-id
40
PUNT_REJECT
mismatch-id
41
PUNT_SAMPLE_SYSLOG
mismatch-id
42
PUNT_SAMPLE_HOST
mismatch-id
43
PUNT_SAMPLE_PFE
mismatch-id
44
PUNT_SAMPLE_TAP
mismatch-id
45
PUNT_PPPOE_PADI
mismatch-id
46
PUNT_PPPOE_PADR
mismatch-id
47
PUNT_PPPOE_PADT
mismatch-id
48
PUNT_PPP_LCP
mismatch-id
49
PUNT_PPP_AUTH
mismatch-id
50
PUNT_PPP_IPV4CP
mismatch-id
51
PUNT_PPP_IPV6CP
mismatch-id
52
PUNT_PPP_MPLSCP
mismatch-id
53
PUNT_PPP_UNCLASSIFIED_CP
54
PUNT_SEND_TO_HOST_FW
55
mismatch-id
non-exist-id
PUNT_VC_HI
mismatch-id
56
PUNT_VC_LO
mismatch-id
57
PUNT_PPP_ISIS
mismatch-id
58
PUNT_KEEPALIVE
mismatch-id
59
PUNT_SEND_TO_HOST_FW_INLINE_SVCS
60
PUNT_PPP_LCP_ECHO_REQ
mismatch-id
mismatch-id
0
0
61
PUNT_INLINE_KA
mismatch-id
62
---
unsupported
0 PUNT_UNUSED
63
PUNT_PPP_LCP_ECHO_REP
mismatch-id
64
PUNT_MLPPP_LCP
mismatch-id
65
PUNT_MLFR_CONTROL
mismatch-id
66
PUNT_MFR_CONTROL
mismatch-id
67
---
unsupported
0 PUNT_UNUSED
68
PUNT_REJECT_V6
mismatch-id
69
PUNT_RESOLVE_V6
non-exist-id
70
PUNT_SEND_TO_HOST_SVCS
mismatch-id
71
PUNT_SAMPLE_SFLOW
mismatch-id
Here are the IPC msg stats between the DDOS module on the MPC and the Routing Engine (jddosd).
NPC2(Dokinchan-re0 vty)# show ddos ipc
DDOS IPC Messages:
Name
Requests
Failures
Duplicates
Tx messages
-----------------------
----------
----------
----------
----------
Unknown
global_ctrl
global_ctrl_rts
global_states
global_states_rts
88

violation set
violation clr
protocol_stats_get
24
protocol_stats_clr
protocol_stats_rts
policer
policer_rts
pstates
pstates_rts
pfe_peer_info
flow_get
flow_clr
scfd_proto_get
NPC2(Dokinchan-re0 vty)# show ddos socket

DDOS PFE-to-JDDOSD Socket Stats:
Name
Counts
------------------------------------
---------------
total request pkts
total response pkts
total ipc writes to RE

retry count for last connection
95
1
max retrys for a connection to RE
reconnect count
max length of pipe write queue
timer events with NULL timer
packet read length errors
packet read type errors
msg version errors
msg subtype errors
msg write failures
packet write failures
packet allocation failures
pipe write failures
pipe queue overflow errors
debug string
Here is the global configuration and statistics summary for the SCFD module.
NPC2(Dokinchan-re0 vty)# show ddos scfd global-info
DDOS-SCFD global context
------------------------------------------------------
FLow entry/state/hash size:
288/12/8 bytes
Flow scan:
Yes
Send async msg to RE:
Yes
Send periodic update to RE:
No
Default enabled:
No
Enabled:
Yes
Last aggr op is:
Deaggr
89

Next available flow id:
Culprit flows:
Culprit flows on scan:
Violated protocols:
Violated protocols on scan:
Violation report rate:
100(pps)
Flow change report rate:
100(pps)
Scan cookie:
30772
Free SCFD states:
4096
Free flow entries:
4094
Free notif blocks:
400
Free re request blocks:
400
Free flow msg blocks:
4096
Free flow policers:
4221
Socket notif queue size:
Has queued work state items:
Has queued re requests:
Has queued flow rate modifies:
Has queued flow messages:
Send packet size:
16384
Send batch size:
Last aggr op time:
151310230
Per PFE flows:
0=2
Run out of flows:
Reuse an entry not freed yet:
Run out of state items:
Bad proto ID:
rindex changed for same flow:
Remove flow on an empty proto:
Remove non-exist flow:
Read ASIC failed:
Failed tries write flow params: 0

Failed change flow params:
Run out of policers:
Run out of msg blocks:
Run out of mod flow blocks:
SCFD stats for PFE 0

Global configuration
violation report rate:
100
flow report rate:
100
Flow counters read from LU

current suspicious flows:
current culprit flows:
discovered suspicious flows: 15
discovered culprit flows:
13
deleted culprit flows:
11
false positives:
hash insertion errors:
hash deletion errors:
90

max flow tbl scan time(ms):
debug values:
Flow reports received through PUNT

policer violation:
967586
flow found:
13
flow timeout:
flow return to normal:
flow cleared:
unknown reports:
bad flow type:
Violation indication policer stats

Passed indications:
967586
Dropped indications:
1203589195
NPC2(Dokinchan-re0 vty)# show ddos work-queues

[ 0] flow entry
called 0 times, discarded 0 items
no semaphore, no work queue, has item store, no handler, loop is off

queue request stats---------------------------------------------------------queue name
size items
item queue
4096
4094
dequeues
deq-empty
enqueues
enq-fail
15
13
[ 1] flow update asic called 15 times, discarded 0 items

has semaphore, has work queue, has item store, has handler, loop is off
size items
dequeues
deq-empty
enqueues
item queue
1000
1000
28
28
work queue
1000
28
15
28
[ 2] policer scan
enq-fail
has semaphore, no work queue, no item store, has handler, loop is off
[ 3] flow state
size items
dequeues
deq-empty
enqueues
enq-fail
item queue
4096
4096
43
43
work queue
4096
43
23
43
[ 4] async notif
size items
dequeues
deq-empty
enqueues
enq-fail
item queue
400
400
12
12
work queue
400
12
12
[ 5] req request
dequeues
deq-empty
enqueues
enq-fail
item queue
400
400
50
50
work queue
400
50
50
[ 6] flow modify
size items
queue request stats----------------------------------------------------------
91

queue name
item queue
work queue
[ 7] flow message
size items
dequeues
deq-empty
enqueues
enq-fail
400
400
400
size items
dequeues
deq-empty
enqueues
enq-fail
item queue
4096
4096
1030
1030
work queue
4096
1030
94
1030
[ 8] flow scan
has semaphore, no work queue, no item store, has handler, loop is off
92
When DDOS Doesnt Seem To Work.

Although the DDOS feature can help us to identify an attack flow and drop it, it still takes some time for the system to
detect such flows which means that the flow have to be steady.
When we check the DDOS statistics, there is a gap in-between the ASIC and uKern. For example, in the followings, we
could see uKern having arrival rate far less than the once measured on PFE(ASIC). However, between the ASIC and
uKern, the drop could happen in TOE/MQ if the host bound traffic rate is too high. In this case, the drop happens on the
MQ hostbound queue and thats why uKern sees far less traffic volume than the PFE.
NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-fragments
arrival
idx prot
# of
group
proto on
loc
pass
drop
---
-----------
----------- --
------
--------
--------
158 4f00
ip-frag
aggregate
UKERN
3828251
16623
16623
159 4f01
ip-frag
unclass..
N/A
---
---
---
---
---
160 4f02
ip-frag
first-frag
---
161 4f03
ip-frag
trail-frag
rate
pass
rate flows
------ ------ -----
UKERN
1913970
8310
8310
PFE-0
4594919
19997
19997
UKERN
1914281
8313
8313
PFE-0
4594921
19998
19998
NPC2(Dokinchan-re0 vty)# show mqchip 0 dstat stats 0 1016

Counter
Packets
Pkt Rate
Bytes
Byte Rate
Forwarded (Rule)
18313974
16661
4513626054
1716045
20014319
23341
4275669611
2404085
9899788
3853013876
Dropped (Force)
Dropped (Error)
Queue inst depth
: 501881

The same happens on the path between PPC and RE (ie. TTP drop..etc).
93

Indeed, there are cases that the DDOS might not help.
https://gnats.juniper.net/web/default/878789
This PR is related to SCFD flow detection against arp storm. When an arp packet comes in, it will be handled by the
default arp policer (__default_arp_policer__) before it hits the HBC. Since the default arp policer is stateless, it will just
drop arp packets based on the policer rate without considering that the passed arp packets are actually the same. As a
result, the non-attack arp packets might be dropped by the default arp policer and the attack arp storm will be dropped by
the SCFD once it detects the flow.
In order to workaround this, we need to disable the default arp policer by configuring a high arp policer rate, which is the
same as passing all the arp packets to the SCFD. In SCFD, it will identify the attack flow(s) and drop it from there.
As mentioned above, DDOS requires a steady traffic volume to detect the suspicious flow. In this PR, its related to a
bursty traffic source typical case for start up multicast flow.
In this PR, when we receive multicast packets hitting the resolve nh, the resolve request will come up to the RPD in the
Routing Engine and create a multicast route on the PFE. Starting from that point, the flow hitting the resolve nh will no
longer be there and thats why the DDOS couldnt detect that.
Even if we turn on SCFD, since it requires some time (in the order of secs) to detect the flow, it wont be quick enough to
stop the resolve requests from the same multicast group from entering the resolve queue on the host (resolve_nh -> host
queue -> PPC -> resolve queue -> RPD[RE]) and let other multicast group to enter the resolve queue. Hence, enabling
DDOS wont help much to speed up the multicast route setup time in this case.
The problem is that the MLP packets are processed differently. The packets do not go through the regular exception
processing path. The MLP packets sent in general at 200 pps directly to host by the learning process. It actually bypasses
most of the DDOS processing. This is why you cannot control it. The MLP is self paced. This means that MLP pose NO
DDOS threats.
94
Major Upcoming Changes

Here are some enhancement being done / on progress for the DDOS module.
This is mainly a code enhancement for DDOS and add the supportability on XM chip. Would suggest a customer to pick
up this fix for DDOS usage.
This is a major design flaw in DDOS where the packet hitting the resolve/fw reject nexthop will be classified as protocol
control packet as long as the protocol field matches the specific DDOS term. With this fix, we separate the notification
hitting the resolve and reject nexthops to a different DDOS term.
NPC1(currypanman-re0 vty)# show ddos asic punt-proto-maps
PUNT exceptions directly mapped to DDOS proto:
code PUNT name
---- -------------------1 PUNT_TTL
3 PUNT_REDIRECT
group proto
--------- -----ttl aggregate
idx q# bwidth
3c00
2000
10000
redirect aggregate
3e00
2000
10000
fab-probe aggregate
5700
20000
20000
mac-host aggregate
4100
20000
20000
tun-frag aggregate
4200
2000
10000
12 PUNT_IGMP_SNOOP
14 PUNT_L2PT_ERROR
35 PUNT_AUTOSENSE
38 PUNT_SERVICES
mlp packets
igmp-snoop aggregate
vchassis vc-ttl-err
l2pt aggregate
3802
2000
10000
4300
20000
20000
805
4000
10000
5a00
20000
20000
dynvlan aggregate
300
1000
500
services aggregate
4400
2000
10000
demuxauto aggregate
4500
2000
10000
40 PUNT_REJECT
reject aggregate
4600
2000
10000
sample syslog
5602
1000
1000
42 PUNT_SAMPLE_HOST
sample host
5603
1000
1000
43 PUNT_SAMPLE_PFE
sample pfe
5604
1000
1000
44 PUNT_SAMPLE_TAP
sample tap
5605
1000
1000
500
45 PUNT_PPPOE_PADI
pppoe padi
502
500
46 PUNT_PPPOE_PADR
pppoe padr
504
500
500
47 PUNT_PPPOE_PADT
pppoe padt
506
1000
1000
48 PUNT_PPP_LCP
ppp lcp
402
12000
12000
49 PUNT_PPP_AUTH
ppp auth
403
2000
2000
50 PUNT_PPP_IPV4CP
ppp ipcp
404
2000
2000
51 PUNT_PPP_IPV6CP
ppp ipv6cp
405
2000
2000
52 PUNT_PPP_MPLSCP
ppp mplscp
406
2000
2000
401
1000
500
55 PUNT_VC_HI
vchassis control-hi
802
10000
5000
56 PUNT_VC_LO
vchassis control-lo
803
8000
3000
407
2000
2000
5b00
57 PUNT_PPP_ISIS
58 PUNT_KEEPALIVE
ppp unclass
ppp isis
keepalive aggregate
11 PUNT_MLP
burst
---- -- ------ ------
20000
5d00
20000
2
20000
20000
95

61 PUNT_INLINE_KA
ppp echo-req
inline-ka aggregate
408
12000
12000
5c00
20000
20000
ppp echo-rep
409
12000
12000
64 PUNT_MLPPP_LCP
ppp mlppp-lcp
40a
12000
12000
frame-relay frf15
5e02
12000
12000
66 PUNT_MFR_CONTROL
frame-relay frf16
5e03
12000
12000
68 PUNT_REJECT_V6
rejectv6 aggregate
5900
2000
10000
PUNT exceptions that go through HBC. See following parsed proto

code PUNT name
---- ------------2 PUNT_OPTIONS
4 PUNT_CONTROL
6 PUNT_HOST_COPY
11 PUNT_MLP
|---------------+
32 PUNT_PROTOCOL
34 PUNT_RECEIVE
|
|
-----------------------------------------------------------------type
subtype
------ ---------contrl LACP
burst
2c00
20000
20000
stp aggregate
2d00
20000
20000
esmc aggregate
2e00
20000
20000
oam-lfm aggregate
2f00
20000
20000
contrl EOAM
eoam aggregate
3000
20000
20000
contrl LLDP
lldp aggregate
3100
20000
20000
contrl MVRP
mvrp aggregate
3200
20000
20000
pmvrp aggregate
3300
20000
20000
contrl ESMC
contrl OAM_LFM
contrl PMVRP
contrl ARP
contrl PVSTP
contrl ISIS
contrl POS
arp aggregate
3400
20000
20000
pvstp aggregate
3500
20000
20000
isis aggregate
3600
20000
20000
pos aggregate
3700
20000
20000
contrl MLP
mlp packets
3802
2000
10000
contrl JFM
jfm aggregate
3900
20000
20000
contrl ATM
atm aggregate
3a00
20000
20000
pfe-alive aggregate
3b00
20000
20000
filter ipv4
dhcpv4 aggregate
600
5000
5000
filter ipv6
dhcpv6 aggregate
700
5000
5000
filter ipv4
icmp aggregate
900
20000
20000
filter ipv4
igmp aggregate
a00
20000
20000
filter ipv4
ospf aggregate
b00
20000
20000
filter ipv4
rsvp aggregate
c00
20000
20000
filter ipv4
pim aggregate
d00
8000
16000
filter ipv4
rip aggregate
e00
20000
20000
filter ipv4
ptp aggregate
f00
20000
20000
filter ipv4
bfd aggregate
1000
20000
20000
filter ipv4
lmp aggregate
1100
20000
20000
contrl PFE_ALIVE
idx q# bwidth
---- -- ------ ------
lacp aggregate
contrl STP
group proto
---------- ----------
96

filter ipv4
ldp aggregate
1200
20000
20000
filter ipv4
msdp aggregate
1300
20000
20000
filter ipv4
bgp aggregate
1400
20000
20000
filter ipv4
vrrp aggregate
1500
20000
20000
filter ipv4
telnet aggregate
1600
20000
20000
filter ipv4
ftp aggregate
1700
20000
20000
filter ipv4
ssh aggregate
1800
20000
20000
filter ipv4
snmp aggregate
1900
20000
20000
filter ipv4
ancp aggregate
1a00
20000
20000
filter ipv6
igmpv6 aggregate
1b00
20000
20000
filter ipv6
egpv6 aggregate
1c00
20000
20000
filter ipv6
rsvpv6 aggregate
1d00
20000
20000
filter ipv6
igmpv4v6 aggregate
1e00
20000
20000
filter ipv6
ripv6 aggregate
1f00
20000
20000
filter ipv6
bfdv6 aggregate
2000
20000
20000
filter ipv6
lmpv6 aggregate
2100
20000
20000
filter ipv6
ldpv6 aggregate
2200
20000
20000
filter ipv6
msdpv6 aggregate
2300
20000
20000
filter ipv6
bgpv6 aggregate
2400
20000
20000
filter ipv6
vrrpv6 aggregate
2500
20000
20000
filter ipv6
telnetv6 aggregate
2600
20000
20000
filter ipv6
ftpv6 aggregate
2700
20000
20000
filter ipv6
sshv6 aggregate
2800
20000
20000
filter ipv6
snmpv6 aggregate
2900
20000
20000
filter ipv6
ancpv6 aggregate
2a00
20000
20000
filter ipv6
ospfv3v6 aggregate
2b00
20000
20000
filter ipv4
tcp-flags unclass..
4801
20000
20000
filter ipv4
tcp-flags initial
4802
20000
20000
filter ipv4
tcp-flags establish
4803
20000
20000
filter ipv4
dtcp aggregate
4900
20000
20000
20000
filter ipv4
radius server
4a02
20000
filter ipv4
radius account..
4a03
20000
20000
filter ipv4
radius auth..
4a04
20000
20000
20000
20000
filter ipv4
ntp aggregate
4b00
filter ipv4
tacacs aggregate
4c00
20000
20000
filter ipv4
dns aggregate
4d00
20000
20000
filter ipv4
diameter aggregate
4e00
20000
20000
filter ipv4
ip-frag first-frag
4f02
20000
20000
filter ipv4
ip-frag trail-frag
4f03
20000
20000
filter ipv4
l2tp aggregate
5000
20000
20000
filter ipv4
gre aggregate
5100
20000
20000
filter ipv4
ipsec aggregate
5200
20000
20000
filter ipv6
pimv6 aggregate
5300
8000
16000
filter ipv6
icmpv6 aggregate
5400
20000
20000
filter ipv6
ndpv6 aggregate
5500
20000
20000
filter ipv4
amtv4 aggregate
5f00
20000
20000
filter ipv6
6000
20000
20000
option rt-alert
ip-opt rt-alert
amtv6 aggregate
3d02
20000
20000
option unclass
ip-opt unclass..
3d01
10000
10000
97
PUNT exceptions parsed by their own parsers

code PUNT name
---- ------------200 PUNT_RESOLVE
200 PUNT_RESOLVE_V6
|---------------+
|
-----------------------------------------------------------------resolve aggregate
100
5000
10000
resolve other
101
2000
2000
resolve ucast-v4
102
3000
5000
resolve mcast-v4
103
3000
5000
resolve ucast-v6
104
3000
5000
resolve mcast-v6
105
3000
5000
REJECT_FW exception mapped to DHCPv4/6 and filter-act. Only filter-act shown

7 PUNT_REJECT_FW
|---------------+
|
-----------------------------------------------------------------filter-act aggregate
200
10000
filter-act other
201
2000
10000
10000
filter-act filter-v4
202
2000
10000
filter-act filter-v6
203
2000
10000
NPC1(currypanman-re0 vty)# show ddos asic nexthops

[LU:Prot:Idx]:
policer-nh
ddos-nh p-result
-------
------- ----
[-----------]:
----------
[ 0:----:ind]:
c0040086071b9001
e02292000010000 4cc5c9b0
-------
[ 0:
c0e3f8
8010 viol-report
0:
0]:
c004009607182001
0 4cc5c938
c0e3f0
8012 hbc & others
[ 0: 100:
1]:
c004018e07183001
e023fe000030000 4cc5c8e8
c0e3e8
8031 hbc & others
[ 0: 101:
2]:
c00400a6071b8001
0 4cc5c870
c0e3e0
8014 punt
[ 0: 102:
3]:
c00400b607184001
0 4cc5c820
c0e380
8016 punt
[ 0: 103:
4]:
c004017e07185001
0 4cc5c7d0
c0e388
802f punt
[ 0: 104:
5]:
c00400ce071b7001
0 4cc5c780
c0e3d8
8019 punt
[ 0: 105:
6]:
c004016e071b6001
0 4cc5c730
c0e390
802d punt
[ 0: 200:
7]:
c004015e071b5001
e023d7000020000 4cc5c6e0
c0e398
802b hbc & others
[ 0: 201:
8]:
c00400de07186001
0 4cc5c668
c0e3a0
801b punt
[ 0: 202:
9]:
c004015607187001
0 4cc5c618
c0e3d0
802a punt
[ 0: 203: 10]:
c00400ee07188001
0 4cc5c5c8
c0e3c8
801d punt
[ 0: 300: 11]:
c00400fe07189001
e023d1000020000 4cc5c578
c0e3a8
801f punt
[ 0: 400: 12]:
c0040106071b4001
0 4cc5c528
c0e3c0
8020 hbc & others
[ 0: 401: 13]:
c0040136071b3001
e02e9d000020000 4cc5c4d8
c0e3b8
8026 punt
[ 0: 402: 14]:
c00401260718a001
e02e86800020000 4cc5c488
c0e3b0
8024 punt
[ 0: 403: 15]:
c0040116071b2001
e02e88000020000 4cc5c438
c0e400
8022 punt
[ 0: 404: 16]:
c03c0a06071b1001
e02e9e800020000 4cc5c3e8
c0e478
78140 punt
[ 0: 405: 17]:
c03c0a16071b0001
e02e89800020000 4cc5c398
c0e408
78142 punt
[ 0: 406: 18]:
c03c0a26071af001
e02e8b000020000 4cc5c348
c0e410
78144 punt
[ 0: 407: 19]:
c03c0bf60718b001
e02e8f800020000 4cc5c2f8
c0e418
7817e punt
[ 0: 408: 20]:
c03c0a2e0718c001
e02eb4000030000 4cc5c2a8
c0e420
78145 punt
98

[ 0: 409: 21]:
c03c0be6071ae001
e02eb2000030000 4cc5c258
c0e470
7817c punt
[ 0: 40a: 22]:
c03c0bde071ad001
e02e92800020000 4cc5c208
c0e468
7817b punt
[ 0: 500: 23]:
c03c0bce0718d001
0 4cc5c1b8
c0e460
78179 hbc & others
[ 0: 501: 24]:
c03c0bc60718e001
0 4cc5c168
c0e428
78178 hbc & others
[ 0: 502: 25]:
c03c0bbe0718f001
e02ea0000020000 4cc5c118
c0e458
78177 punt
[ 0: 503: 26]:
c03c0a5e071ac001
0 4cc5c0c8
c0e450
7814b hbc & others
[ 0: 504: 27]:
c03c0bae071ab001
e02e83800020000 4cc5c078
c0e430
78175 punt
[ 0: 505: 28]:
c03c0a6e071aa001
0 4cc5c028
c0e438
7814d hbc & others
[ 0: 506: 29]:
c03c0ba607190001
e02e85000020000 4cc5bfd8
c0e440
78174 punt
[ 0: 507: 30]:
c03c0b96071a9001
0 4cc5bf88
c0e448
78172 hbc & others
[ 0: 508: 31]:
c03c0a8607191001
0 4cc5bf38
c0e4f8
78150 hbc & others
[ 0: 600: 32]:
c03c0a8e07192001
0 4cc5bee8
c0e480
78151 hbc & others
[ 0: 601: 33]:
c03c0a9e071a8001
0 4cc5be98
c0e488
78153 hbc & others
[ 0: 602: 34]:
c03c0b86071a7001
0 4cc5be48
c0e490
78170 hbc & others
[ 0: 603: 35]:
c03c0aae07193001
0 4cc5bdf8
c0e4f0
78155 hbc & others
[ 0: 604: 36]:
c03c0b6e071a6001
0 4cc5bda8
c0e498
7816d hbc & others
[ 0: 605: 37]:
c03c0ab6071a5001
0 4cc5bd58
c0e4e8
78156 hbc & others
[ 0: 606: 38]:
c03c0b56071a4001
0 4cc5bd08
c0e4e0
7816a hbc & others
[ 0: 607: 39]:
c03c0b4e07194001
0 4cc5bcb8
c0e4d8
78169 hbc & others
[ 0: 608: 40]:
c03c0ac6071a3001
0 4cc5bc68
c0e4d0
78158 hbc & others
[ 0: 609: 41]:
c03c0ace071a2001
0 4cc5bc18
c0e4a0
78159 hbc & others
[ 0: 60a: 42]:
c03c0b2e07195001
0 4cc5bbc8
c0e4c8
78165 hbc & others
[ 0: 60b: 43]:
c03c0ade07196001
0 4cc5bb78
c0e4a8
7815b hbc & others
[ 0: 60c: 44]:
c03c0ae6071a1001
0 4cc5bb28
c0e4c0
7815c hbc & others
[ 0: 60d: 45]:
c03c0aee07197001
0 4cc5bad8
c0e4b0
7815d hbc & others
[ 0: 60e: 46]:
c03c0b0e07198001
0 4cc5ba88
c0e4b8
78161 hbc & others
[ 0: 60f: 47]:
c03c0b06071a0001
0 4cc65a50
c0e578
78160 hbc & others
[ 0: 610: 48]:
c03c0c0607199001
0 4cc65a00
c0e570
78180 hbc & others
[ 0: 611: 49]:
c03c0c0e0719a001
0 4cc659b0
c0e568
78181 hbc & others
[ 0: 612: 50]:
c03c0dee0719b001
0 4cc65960
c0e560
781bd hbc & others
[ 0: 700: 51]:
c03c0de60719c001
0 4cc65910
c0e500
781bc hbc & others
[ 0: 701: 52]:
c03c0dd60719f001
0 4cc658c0
c0e508
781ba hbc & others
[ 0: 702: 53]:
c03c0c260719e001
0 4cc65870
c0e558
78184 hbc & others
[ 0: 703: 54]:
c03c0dc60719d001
0 4cc65820
c0e510
781b8 hbc & others
[ 0: 704: 55]:
c03c0db6072ff001
0 4cc657d0
c0e550
781b6 hbc & others
[ 0: 705: 56]:
c03c0dae072fe001
0 4cc65780
c0e548
781b5 hbc & others
[ 0: 706: 57]:
c03c0c36072c0001
0 4cc65730
c0e518
78186 hbc & others
[ 0: 707: 58]:
c03c0d96072c1001
0 4cc656e0
c0e520
781b2 hbc & others
[ 0: 708: 59]:
c03c0c3e072fd001
0 4cc65690
c0e540
78187 hbc & others
[ 0: 709: 60]:
c03c0c46072c2001
0 4cc65640
c0e538
78188 hbc & others
[ 0: 70a: 61]:
c03c0c56072c3001
0 4cc655f0
c0e530
7818a hbc & others
[ 0: 70b: 62]:
c03c0c5e072fc001
0 4cc655a0
c0e528
7818b hbc & others
[ 0: 70c: 63]:
c03c0c6e072c4001
0 4cc65550
c0e600
7818d hbc & others
[ 0: 70d: 64]:
c03c0d6e072fb001
0 4cc65500
c0e608
781ad hbc & others
[ 0: 70e: 65]:
c03c0d5e072c5001
0 4cc654b0
c0e678
781ab hbc & others
[ 0: 70f: 66]:
c03c0c7e072fa001
0 4cc65460
c0e670
7818f hbc & others
[ 0: 710: 67]:
c03c0d4e072c6001
0 4cc65410
c0e610
781a9 hbc & others
[ 0: 711: 68]:
c03c0d3e072f9001
0 4cc653c0
c0e618
781a7 hbc & others
[ 0: 712: 69]:
c03c0c8e072c7001
0 4cc65370
c0e668
78191 hbc & others
99

[ 0: 800: 70]:
c03c0d2e072c8001
0 4cc65320
c0e620
781a5 hbc & others
[ 0: 801: 71]:
c03c0c9e072f8001
0 4cc652d0
c0e628
78193 hbc & others
[ 0: 802: 72]:
c03c0d26072f7001
e02e9b800020000 4cc65280
c0e660
781a4 punt
[ 0: 803: 73]:
c03c0d1e072c9001
e02e9a000020000 4cc65230
c0e658
781a3 punt
[ 0: 804: 74]:
c03c0cb6072ca001
0 4cc651e0
c0e630
78196 hbc & others
[ 0: 805: 75]:
c03c0d0e072cb001
e02e98800020000 4cc65190
c0e650
781a1 punt
[ 0: 900: 76]:
c03c0cc6072cc001
0 4cc65140
c0e638
78198 hbc & others
[ 0: a00: 77]:
c03c0cce072f6001
0 4cc650f0
c0e640
78199 hbc & others
[ 0: b00: 78]:
c03c0cd6072f5001
0 4cc650a0
c0e648
7819a hbc & others
[ 0: c00: 79]:
c03c0ce6072cd001
0 4cc65050
c0e6f8
7819c hbc & others
[ 0: d00: 80]:
c03c0ffe072f4001
0 4cc65000
c0e6f0
781ff hbc & others
[ 0: e00: 81]:
c03c0fee072f3001
0 4cc64fb0
c0e6e8
781fd hbc & others
[ 0: f00: 82]:
c03c0e0e072ce001
0 4cc64f60
c0e6e0
781c1 hbc & others
[ 0:1000: 83]:
c03c0fe6072cf001
0 4cc64f10
c0e6d8
781fc hbc & others
[ 0:1100: 84]:
c03c0e1e072f2001
0 4cc64ec0
c0e680
781c3 hbc & others
[ 0:1200: 85]:
c03c0fd6072f1001
0 4cc64e70
c0e6d0
781fa hbc & others
[ 0:1300: 86]:
c03c0e36072d0001
0 4cc64e20
c0e688
781c6 hbc & others
[ 0:1400: 87]:
c03c0fce072f0001
0 4cc64dd0
c0e6c8
781f9 hbc & others
[ 0:1500: 88]:
c03c0e46072ef001
0 4cc64d80
c0e6c0
781c8 hbc & others
[ 0:1600: 89]:
c03c0e4e072ee001
0 4cc64d30
c0e690
781c9 hbc & others
[ 0:1700: 90]:
c03c0e5e072d1001
0 4cc64ce0
c0e698
781cb hbc & others
[ 0:1800: 91]:
c03c0fae072ed001
0 4cc64c90
c0e6a0
781f5 hbc & others
[ 0:1900: 92]:
c03c0e66072d2001
0 4cc64c40
c0e6a8
781cc hbc & others
[ 0:1a00: 93]:
c03c0f9e072d3001
0 4cc64bf0
c0e6b8
781f3 hbc & others
[ 0:1b00: 94]:
c03c0e7e072d4001
0 4cc64ba0
c0e6b0
781cf hbc & others
[ 0:1c00: 95]:
c03c0e86072d5001
0 4cc64b50
c0e778
781d0 hbc & others
[ 0:1d00: 96]:
c03c0e8e072d6001
0 4cc64b00
c0e770
781d1 hbc & others
[ 0:1e00: 97]:
c03c0e96072ec001
0 4cc64ab0
c0e768
781d2 hbc & others
[ 0:1f00: 98]:
c03c0e9e072eb001
0 4cc64a60
c0e760
781d3 hbc & others
[ 0:2000: 99]:
c03c0eae072ea001
0 4cc64a10
c0e700
781d5 hbc & others
[ 0:2100:100]:
c03c0f76072e9001
0 4cc649c0
c0e758
781ee hbc & others
[ 0:2200:101]:
c03c0ec6072e8001
0 4cc64970
c0e708
781d8 hbc & others
[ 0:2300:102]:
c03c0f66072e7001
0 4cc64920
c0e710
781ec hbc & others
[ 0:2400:103]:
c03c0f5e072e6001
0 4cc648d0
c0e718
781eb hbc & others
[ 0:2500:104]:
c03c0f56072e5001
0 4cc64880
c0e750
781ea hbc & others
[ 0:2600:105]:
c03c0ede072e4001
0 4cc64830
c0e720
781db hbc & others
[ 0:2700:106]:
c03c0eee072d7001
0 4cc647e0
c0e748
781dd hbc & others
[ 0:2800:107]:
c03c0ef6072d8001
0 4cc64790
c0e728
781de hbc & others
[ 0:2900:108]:
c03c0f36072d9001
0 4cc64740
c0e740
781e6 hbc & others
[ 0:2a00:109]:
c03c0efe072e3001
0 4cc646f0
c0e730
781df hbc & others
[ 0:2b00:110]:
c03c0f06072da001
0 4cc646a0
c0e738
781e0 hbc & others
[ 0:2c00:111]:
c03c0f16072e2001
0 4cc64650
c0e7f8
781e2 subtype
[ 0:2d00:112]:
c03c11fe072db001
0 4cc64600
c0e780
7823f subtype
[ 0:2e00:113]:
c03c11f6072dc001
0 4cc645b0
c0e788
7823e subtype
[ 0:2f00:114]:
c03c100e072e1001
0 4cc64560
c0e7f0
78201 subtype
[ 0:3000:115]:
c03c11e6072dd001
0 4cc64510
c0e7e8
7823c subtype
[ 0:3100:116]:
c03c11de072de001
0 4cc644c0
c0e790
7823b subtype
[ 0:3200:117]:
c03c11ce072df001
0 4cc64470
c0e798
78239 subtype
[ 0:3300:118]:
c03c11c6072e0001
0 4cc64420
c0e7e0
78238 subtype
100

[ 0:3400:119]:
c03c11be0743f001
0 4cc643d0
c0e7d8
78237 subtype
[ 0:3500:120]:
c03c11b607400001
0 4cc64380
c0e7a0
78236 subtype
[ 0:3600:121]:
c03c10460743e001
0 4cc64330
c0e7a8
78208 subtype
[ 0:3700:122]:
c03c11ae0743d001
0 4cc642e0
c0e7b0
78235 subtype
[ 0:3800:123]:
c03c119e07401001
0 4cc64290
c0e7b8
78233 hbc & others
[ 0:3801:124]:
c03c118e0743c001
0 4cc64240
c0e7d0
78231 hbc & others
[ 0:3802:125]:
c03c117e07402001
e02e8c800020000 4cc641f0
c0e7c8
7822f subtype
[ 0:3803:126]:
c03c11760743b001
0 4cc641a0
c0e7c0
7822e hbc & others
[ 0:3900:127]:
c03c11660743a001
0 4cc64150
c0e880
7822c subtype
[ 0:3a00:128]:
c03c115e07439001
0 4cc64100
c0e8f8
7822b subtype
[ 0:3b00:129]:
c03c106607438001
0 4cc640b0
c0e888
7820c subtype
[ 0:3c00:130]:
c03c106e07403001
e023d4000020000 4cc64060
c0e890
7820d punt
[ 0:3d00:131]:
c03c114607404001
0 4cc64010
c0e898
78228 hbc & others
[ 0:3d01:132]:
c03c108607405001
0 4cc63fc0
c0e8a0
78210 punt
[ 0:3d02:133]:
c03c109607406001
0 4cc63f70
c0e8f0
78212 punt
[ 0:3d03:134]:
c03c113607407001
0 4cc63f20
c0e8e8
78226 punt
[ 0:3e00:135]:
c03c112e07408001
e023d5800020000 4cc63ed0
c0e8e0
78225 punt
[ 0:3f00:136]:
c03c111e07409001
0 4cc63e80
c0e8a8
78223 hbc & others
[ 0:4000:137]:
c03c10ae0740a001
0 4cc63e30
c0e8d8
78215 hbc & others
[ 0:4100:138]:
c03c111607437001
e02e82000020000 4cc63de0
c0e8b0
78222 punt
[ 0:4200:139]:
c03c110607436001
e023cb000020000 4cc63d90
c0e8b8
78220 punt
[ 0:4300:140]:
c03c10f607435001
e02e8e000020000 4cc63d40
c0e8d0
7821e punt
[ 0:4400:141]:
c03c10be07434001
e023cf800020000 4cc63cf0
c0e8c0
78217 punt
[ 0:4500:142]:
c03c10e607433001
e023c9800020000 4cc63ca0
c0e8c8
7821c punt
[ 0:4600:143]:
c03c10de0740b001
e023ce000020000 4cc63c50
c0e978
7821b punt
[ 0:4700:144]:
c03c12060740c001
0 4cc63c00
c0e900
78240 hbc & others
[ 0:4800:145]:
c03c13f60740d001
0 4cc63bb0
c0e970
7827e hbc & others
[ 0:4801:146]:
c03c13ee07432001
0 4cc63b60
c0e968
7827d hbc & others
[ 0:4802:147]:
c03c13de0740e001
0 4cc63b10
c0e908
7827b hbc & others
[ 0:4803:148]:
c03c12160740f001
0 4cc63ac0
c0e910
78242 hbc & others
[ 0:4900:149]:
c03c121e07410001
0 4cc6faa0
c0e918
78243 hbc & others
[ 0:4a00:150]:
c03c13c607431001
0 4cc6fa50
c0e920
78278 hbc & others
[ 0:4a01:151]:
c03c13be07411001
0 4cc6fa00
c0e928
78277 hbc & others
[ 0:4a02:152]:
c03c13b607412001
0 4cc6f9b0
c0e960
78276 hbc & others
[ 0:4a03:153]:
c03c123e07430001
0 4cc6f960
c0e930
78247 hbc & others
[ 0:4a04:154]:
c03c124607413001
0 4cc6f910
c0e938
78248 hbc & others
[ 0:4b00:155]:
c03c124e0742f001
0 4cc6f8c0
c0e940
78249 hbc & others
[ 0:4c00:156]:
c03c13960742e001
0 4cc6f870
c0e958
78272 hbc & others
[ 0:4d00:157]:
c03c126607414001
0 4cc6f820
c0e948
7824c hbc & others
[ 0:4e00:158]:
c03c126e0742d001
0 4cc6f7d0
c0e950
7824d hbc & others
[ 0:4f00:159]:
c03c12760742c001
0 4cc6f780
c0e9f8
7824e hbc & others
[ 0:4f01:160]:
c03c137e0742b001
0 4cc6f730
c0e980
7826f hbc & others
[ 0:4f02:161]:
c03c12860742a001
0 4cc6f6e0
c0e988
78250 hbc & others
[ 0:4f03:162]:
c03c136e07429001
0 4cc6f690
c0e990
7826d hbc & others
[ 0:5000:163]:
c03c129e07415001
0 4cc6f640
c0e9f0
78253 hbc & others
[ 0:5100:164]:
c03c12a607416001
0 4cc6f5f0
c0e998
78254 hbc & others
[ 0:5200:165]:
c03c12b607417001
0 4cc6f5a0
c0e9e8
78256 hbc & others
[ 0:5300:166]:
c03c135e07428001
0 4cc6f550
c0e9e0
7826b hbc & others
[ 0:5400:167]:
c03c134e07418001
0 4cc6f500
c0e9a0
78269 hbc & others
101

[ 0:5500:168]:
c03c12c607427001
0 4cc6f4b0
c0e9d8
78258 hbc & others
[ 0:5600:169]:
c03c133e07426001
0 4cc6f460
c0e9a8
78267 hbc & others
[ 0:5601:170]:
c03c12de07425001
0 4cc6f410
c0e9b0
7825b hbc & others
[ 0:5602:171]:
c03c132e07419001
e02f02000020000 4cc6f3c0
c0e9b8
78265 punt
[ 0:5603:172]:
c03c131e07424001
e02f03800020000 4cc6f370
c0e9d0
78263 punt
[ 0:5604:173]:
c03c13160741a001
e02f1e800020000 4cc6f320
c0e9c8
78262 punt
[ 0:5605:174]:
c03c12f60741b001
e02f05000020000 4cc6f2d0
c0e9c0
7825e punt
[ 0:5700:175]:
c03c12fe0741c001
e02f1d000020000 4cc6f280
c0ea78
7825f punt
[ 0:5800:176]:
c03c15fe07423001
0 4cc6f230
c0ea00
782bf punt
[ 0:5801:177]:
c03c15f60741d001
0 4cc6f1e0
c0ea70
782be punt
[ 0:5802:178]:
c03c15ee07422001
0 4cc6f190
c0ea68
782bd punt
[ 0:5803:179]:
c03c14160741e001
0 4cc6f140
c0ea08
78282 punt
[ 0:5804:180]:
c03c15d60741f001
0 4cc6f0f0
c0ea10
782ba punt
[ 0:5805:181]:
c03c15c607420001
0 4cc6f0a0
c0ea60
782b8 punt
[ 0:5806:182]:
c03c141e07421001
0 4cc6f050
c0ea58
78283 punt
[ 0:5807:183]:
c03c14260757f001
0 4cc6f000
c0ea50
78284 punt
[ 0:5808:184]:
c03c15ae07540001
0 4cc6efb0
c0ea48
782b5 punt
[ 0:5809:185]:
c03c15a607541001
0 4cc6ef60
c0ea18
782b4 punt
[ 0:580a:186]:
c03c15960757e001
0 4cc6ef10
c0ea40
782b2 punt
[ 0:580b:187]:
c03c143e07542001
0 4cc6eec0
c0ea20
78287 punt
[ 0:580c:188]:
c03c158607543001
0 4cc6ee70
c0ea38
782b0 punt
[ 0:5900:189]:
c03c14560757d001
e023cc800020000 4cc6ee20
c0ea28
7828a punt
[ 0:5a00:190]:
c03c157e0757c001
e023d2800020000 4cc6edd0
c0ea30
782af punt
[ 0:5b00:191]:
c03c146e07544001
e02e97000020000 4cc6ed80
c0eb78
7828d punt
[ 0:5c00:192]:
c03c147607545001
e02e91000020000 4cc6ed30
c0eb70
7828e punt
[ 0:5d00:193]:
c03c156607546001
e02e95800020000 4cc6ece0
c0eb68
782ac punt
[ 0:5e00:194]:
c03c14860757b001
0 4cc6ec90
c0eb60
78290 hbc & others
[ 0:5e01:195]:
c03c155e07547001
0 4cc6ec40
c0eb58
782ab hbc & others
[ 0:5e02:196]:
c03c149e0757a001
e02e94000020000 4cc6ebf0
c0eb00
78293 punt
[ 0:5e03:197]:
c03c155607548001
e02f20000020000 4cc6eba0
c0eb50
782aa punt
[ 0:5f00:198]:
c03c14ae07549001
0 4cc6eb50
c0eb08
78295 hbc & others
[ 0:6000:199]:
c03c153e0754a001
0 4cc6eb00
c0eb10
782a7 hbc & others
[ 1:----:ind]:
[ 1:
c00401fe070fc001
e00a73000010000 4cc76d90
c0e200
803f viol-report
0:
0]:
c00401f6070fb001
0 4cc76d18
c0e278
803e hbc & others
[ 1: 100:
1]:
c0040026070fa001
e00bc2000030000 4cc76cc8
c0e270
8004 hbc & others
[ 1: 101:
2]:
c0040036070c5001
0 4cc76c50
c0e268
8006 punt
[ 1: 102:
3]:
c00401e6070f9001
0 4cc76c00
c0e208
803c punt
[ 1: 103:
4]:
c004003e070c6001
0 4cc76bb0
c0e210
8007 punt
[ 1: 104:
5]:
c0040046070f8001
0 4cc76b60
c0e218
8008 punt
[ 1: 105:
6]:
c0040056070c7001
0 4cc76b10
c0e220
800a punt
[ 1: 200:
7]:
c004005e070c8001
e00ba9000020000 4cc76ac0
c0e260
800b hbc & others
[ 1: 201:
8]:
c00401c6070c9001
0 4cc76a48
c0e258
8038 punt
[ 1: 202:
9]:
c004006e070ca001
0 4cc769f8
c0e228
800d punt
[ 1: 203: 10]:
c004007e070f7001
0 4cc769a8
c0e230
800f punt
[ 1: 300: 11]:
c00401ae070f6001
e00bac000020000 4cc76958
c0e238
8035 punt
[ 1: 400: 12]:
c00401a6070cb001
0 4cc76908
c0e250
8034 hbc & others
[ 1: 401: 13]:
c0040096070f5001
e02f99800020000 4cc768b8
c0e240
8012 punt
[ 1: 402: 14]:
c004019e070cc001
e02f84800020000 4cc76868
c0e248
8033 punt
[ 1: 403: 15]:
c00400a6070f4001
e02f9c800020000 4cc76818
c0e2f8
8014 punt
102

[ 1: 404: 16]:
c00400ae070f3001
e02f86000020000 4cc767c8
c0e2f0
8015 punt
[ 1: 405: 17]:
c0040186070f2001
e02f9b000020000 4cc76778
c0e2e8
8030 punt
[ 1: 406: 18]:
c004017e070f1001
e02f87800020000 4cc76728
c0e280
802f punt
[ 1: 407: 19]:
c00400c6070f0001
e02f8d800020000 4cc766d8
c0e2e0
8018 punt
[ 1: 408: 20]:
c00400d6070ef001
e02fae000030000 4cc76688
c0e288
801a punt
[ 1: 409: 21]:
c004016e070ee001
e02fba000030000 4cc76638
c0e2d8
802d punt
[ 1: 40a: 22]:
c004015e070cd001
e02f90800020000 4cc765e8
c0e290
802b punt
[ 1: 500: 23]:
c0040156070ce001
0 4cc76598
c0e298
802a hbc & others
[ 1: 501: 24]:
c00400f6070ed001
0 4cc76548
c0e2a0
801e hbc & others
[ 1: 502: 25]:
c0040106070ec001
e02f83000020000 4cc764f8
c0e2d0
8020 punt
[ 1: 503: 26]:
c0040146070eb001
0 4cc764a8
c0e2c8
8028 hbc & others
[ 1: 504: 27]:
c0040136070ea001
e02f9f800020000 4cc76458
c0e2c0
8026 punt
[ 1: 505: 28]:
c004010e070e9001
0 4cc76408
c0e2b8
8021 hbc & others
[ 1: 506: 29]:
c0040126070cf001
e02f9e000020000 4cc763b8
c0e2b0
8024 punt
[ 1: 507: 30]:
c0040406070d0001
0 4cc76368
c0e2a8
8080 hbc & others
[ 1: 508: 31]:
c00405fe070d1001
0 4cc76318
c0e300
80bf hbc & others
[ 1: 600: 32]:
c0040416070e8001
0 4cc762c8
c0e378
8082 hbc & others
[ 1: 601: 33]:
c00405ee070e7001
0 4cc76278
c0e370
80bd hbc & others
[ 1: 602: 34]:
c00405de070d2001
0 4cc76228
c0e368
80bb hbc & others
[ 1: 603: 35]:
c0040426070e6001
0 4cc761d8
c0e308
8084 hbc & others
[ 1: 604: 36]:
c004042e070e5001
0 4cc76188
c0e310
8085 hbc & others
[ 1: 605: 37]:
c004043e070e4001
0 4cc76138
c0e318
8087 hbc & others
[ 1: 606: 38]:
c00405be070d3001
0 4cc760e8
c0e320
80b7 hbc & others
[ 1: 607: 39]:
c004044e070d4001
0 4cc76098
c0e360
8089 hbc & others
[ 1: 608: 40]:
c0040456070e3001
0 4cc76048
c0e328
808a hbc & others
[ 1: 609: 41]:
c00405a6070e2001
0 4cc75ff8
c0e330
80b4 hbc & others
[ 1: 60a: 42]:
c004045e070e1001
0 4cc75fa8
c0e338
808b hbc & others
[ 1: 60b: 43]:
c0040466070e0001
0 4cc75f58
c0e358
808c hbc & others
[ 1: 60c: 44]:
c004046e070d5001
0 4cc75f08
c0e340
808d hbc & others
[ 1: 60d: 45]:
c0040476070d6001
0 4cc75eb8
c0e348
808e hbc & others
[ 1: 60e: 46]:
c004047e070d7001
0 4cc75e68
c0e350
808f hbc & others
[ 1: 60f: 47]:
c0040576070df001
0 4cc75e18
c0e380
80ae hbc & others
[ 1: 610: 48]:
c004048e070de001
0 4cc75dc8
c0e388
8091 hbc & others
[ 1: 611: 49]:
c0040566070d8001
0 4cc75d78
c0e390
80ac hbc & others
[ 1: 612: 50]:
c004055e070dd001
0 4cc75d28
c0e398
80ab hbc & others
[ 1: 700: 51]:
c00404a6070dc001
0 4cc75cd8
c0e3a0
8094 hbc & others
[ 1: 701: 52]:
c0040546070db001
0 4cc75c88
c0e3a8
80a8 hbc & others
[ 1: 702: 53]:
c00404ae070d9001
0 4cc75c38
c0e3b0
8095 hbc & others
[ 1: 703: 54]:
c0040536070da001
0 4cc75be8
c0e3b8
80a6 hbc & others
[ 1: 704: 55]:
c004052e07200001
0 4cc75b98
c0e3c0
80a5 hbc & others
[ 1: 705: 56]:
c004051e0723f001
0 4cc7fb60
c0e3f8
80a3 hbc & others
[ 1: 706: 57]:
c00404ce0723e001
0 4cc7fb10
c0e3c8
8099 hbc & others
[ 1: 707: 58]:
c00404de0723d001
0 4cc7fac0
c0e3d0
809b hbc & others
[ 1: 708: 59]:
c00404e60723c001
0 4cc7fa70
c0e3f0
809c hbc & others
[ 1: 709: 60]:
c00405060723b001
0 4cc7fa20
c0e3e8
80a0 hbc & others
[ 1: 70a: 61]:
c00404ee0723a001
0 4cc7f9d0
c0e3e0
809d hbc & others
[ 1: 70b: 62]:
c00407fe07239001
0 4cc7f980
c0e3d8
80ff hbc & others
[ 1: 70c: 63]:
c004060e07238001
0 4cc7f930
c0e4f8
80c1 hbc & others
[ 1: 70d: 64]:
c00407ee07237001
0 4cc7f8e0
c0e4f0
80fd hbc & others
103

[ 1: 70e: 65]:
c00407e607201001
0 4cc7f890
c0e4e8
80fc hbc & others
[ 1: 70f: 66]:
c00407d607236001
0 4cc7f840
c0e4e0
80fa hbc & others
[ 1: 710: 67]:
c00407ce07202001
0 4cc7f7f0
c0e480
80f9 hbc & others
[ 1: 711: 68]:
c00407c607235001
0 4cc7f7a0
c0e4d8
80f8 hbc & others
[ 1: 712: 69]:
c004063607203001
0 4cc7f750
c0e4d0
80c6 hbc & others
[ 1: 800: 70]:
c004063e07204001
0 4cc7f700
c0e4c8
80c7 hbc & others
[ 1: 801: 71]:
c004064e07205001
0 4cc7f6b0
c0e4c0
80c9 hbc & others
[ 1: 802: 72]:
c00407ae07206001
e02f8a800020000 4cc7f660
c0e488
80f5 punt
[ 1: 803: 73]:
c004065607234001
e02f8c000020000 4cc7f610
c0e490
80ca punt
[ 1: 804: 74]:
c004065e07207001
0 4cc7f5c0
c0e4b8
80cb hbc & others
[ 1: 805: 75]:
c004066e07233001
e02f96800020000 4cc7f570
c0e498
80cd punt
[ 1: 900: 76]:
c004067607232001
0 4cc7f520
c0e4b0
80ce hbc & others
[ 1: a00: 77]:
c004067e07231001
0 4cc7f4d0
c0e4a8
80cf hbc & others
[ 1: b00: 78]:
c004077e07208001
0 4cc7f480
c0e4a0
80ef hbc & others
[ 1: c00: 79]:
c004076e07230001
0 4cc7f430
c0e500
80ed hbc & others
[ 1: d00: 80]:
c004068e0722f001
0 4cc7f3e0
c0e508
80d1 hbc & others
[ 1: e00: 81]:
c004076607209001
0 4cc7f390
c0e510
80ec hbc & others
[ 1: f00: 82]:
c00407560722e001
0 4cc7f340
c0e578
80ea hbc & others
[ 1:1000: 83]:
c00406a60720a001
0 4cc7f2f0
c0e518
80d4 hbc & others
[ 1:1100: 84]:
c00406b60720b001
0 4cc7f2a0
c0e570
80d6 hbc & others
[ 1:1200: 85]:
c00407460722d001
0 4cc7f250
c0e520
80e8 hbc & others
[ 1:1300: 86]:
c00406be0720c001
0 4cc7f200
c0e528
80d7 hbc & others
[ 1:1400: 87]:
c004072e0722c001
0 4cc7f1b0
c0e530
80e5 hbc & others
[ 1:1500: 88]:
c00406ce0720d001
0 4cc7f160
c0e568
80d9 hbc & others
[ 1:1600: 89]:
c00406de0722b001
0 4cc7f110
c0e560
80db hbc & others
[ 1:1700: 90]:
c00406ee0720e001
0 4cc7f0c0
c0e558
80dd hbc & others
[ 1:1800: 91]:
c004071e0722a001
0 4cc7f070
c0e538
80e3 hbc & others
[ 1:1900: 92]:
c004070e07229001
0 4cc7f020
c0e540
80e1 hbc & others
[ 1:1a00: 93]:
c00406f60720f001
0 4cc7efd0
c0e550
80de hbc & others
[ 1:1b00: 94]:
c00409fe07228001
0 4cc7ef80
c0e548
813f hbc & others
[ 1:1c00: 95]:
c00409f607227001
0 4cc7ef30
c0e580
813e hbc & others
[ 1:1d00: 96]:
c004080e07210001
0 4cc7eee0
c0e588
8101 hbc & others
[ 1:1e00: 97]:
c004081e07226001
0 4cc7ee90
c0e590
8103 hbc & others
[ 1:1f00: 98]:
c004082e07225001
0 4cc7ee40
c0e5f8
8105 hbc & others
[ 1:2000: 99]:
c00409de07211001
0 4cc7edf0
c0e598
813b hbc & others
[ 1:2100:100]:
c004083607224001
0 4cc7eda0
c0e5a0
8106 hbc & others
[ 1:2200:101]:
c004084607223001
0 4cc7ed50
c0e5f0
8108 hbc & others
[ 1:2300:102]:
c00409c607222001
0 4cc7ed00
c0e5a8
8138 hbc & others
[ 1:2400:103]:
c004085607221001
0 4cc7ecb0
c0e5b0
810a hbc & others
[ 1:2500:104]:
c004085e07212001
0 4cc7ec60
c0e5b8
810b hbc & others
[ 1:2600:105]:
c00409b607220001
0 4cc7ec10
c0e5c0
8136 hbc & others
[ 1:2700:106]:
c00409ae0721f001
0 4cc7ebc0
c0e5c8
8135 hbc & others
[ 1:2800:107]:
c004087e07213001
0 4cc7eb70
c0e5e8
810f hbc & others
[ 1:2900:108]:
c004099e0721e001
0 4cc7eb20
c0e5e0
8133 hbc & others
[ 1:2a00:109]:
c004098e0721d001
0 4cc7ead0
c0e5d0
8131 hbc & others
[ 1:2b00:110]:
c004098607214001
0 4cc7ea80
c0e5d8
8130 hbc & others
[ 1:2c00:111]:
c00408960721c001
0 4cc7ea30
c0e600
8112 subtype
[ 1:2d00:112]:
c00408a607215001
0 4cc7e9e0
c0e608
8114 subtype
[ 1:2e00:113]:
c004097e07216001
0 4cc7e990
c0e610
812f subtype
104

[ 1:2f00:114]:
c004097607217001
0 4cc7e940
c0e678
812e subtype
[ 1:3000:115]:
c00408be0721b001
0 4cc7e8f0
c0e618
8117 subtype
[ 1:3100:116]:
c00408c60721a001
0 4cc7e8a0
c0e670
8118 subtype
[ 1:3200:117]:
c00408ce07219001
0 4cc7e850
c0e668
8119 subtype
[ 1:3300:118]:
c00408d607218001
0 4cc7e800
c0e660
811a subtype
[ 1:3400:119]:
c00408e60737f001
0 4cc7e7b0
c0e658
811c subtype
[ 1:3500:120]:
c00409460737e001
0 4cc7e760
c0e650
8128 subtype
[ 1:3600:121]:
c00409360737d001
0 4cc7e710
c0e648
8126 subtype
[ 1:3700:122]:
c00408f60737c001
0 4cc7e6c0
c0e620
811e subtype
[ 1:3800:123]:
c004092607340001
0 4cc7e670
c0e628
8124 hbc & others
[ 1:3801:124]:
c004091e07341001
0 4cc7e620
c0e640
8123 hbc & others
[ 1:3802:125]:
c00409160737b001
e02f98000020000 4cc7e5d0
c0e638
8122 subtype
[ 1:3803:126]:
c0040bfe07342001
0 4cc7e580
c0e630
817f hbc & others
[ 1:3900:127]:
c0040bf607343001
0 4cc7e530
c0e778
817e subtype
[ 1:3a00:128]:
c0040be607344001
0 4cc7e4e0
c0e770
817c subtype
[ 1:3b00:129]:
c0040bd607345001
0 4cc7e490
c0e700
817a subtype
[ 1:3c00:130]:
c0040a0e0737a001
e00baa800020000 4cc7e440
c0e708
8141 punt
[ 1:3d00:131]:
c0040bbe07379001
0 4cc7e3f0
c0e768
8177 hbc & others
[ 1:3d01:132]:
c0040a1e07346001
0 4cc7e3a0
c0e760
8143 punt
[ 1:3d02:133]:
c0040a2e07347001
0 4cc7e350
c0e758
8145 punt
[ 1:3d03:134]:
c0040a3e07348001
0 4cc7e300
c0e750
8147 punt
[ 1:3e00:135]:
c0040a4e07349001
e00bb6800020000 4cc7e2b0
c0e748
8149 punt
[ 1:3f00:136]:
c0040bae0734a001
0 4cc7e260
c0e710
8175 hbc & others
[ 1:4000:137]:
c0040a5607378001
0 4cc7e210
c0e718
814a hbc & others
[ 1:4100:138]:
c0040b9607377001
e02f81800020000 4cc7e1c0
c0e720
8172 punt
[ 1:4200:139]:
c0040a5e0734b001
e00bb2000020000 4cc7e170
c0e728
814b punt
[ 1:4300:140]:
c0040a660734c001
e02f89000020000 4cc7e120
c0e730
814c punt
[ 1:4400:141]:
c0040a7607376001
e00bad800020000 4cc7e0d0
c0e738
814e punt
[ 1:4500:142]:
c0040a8607375001
e00bb3800020000 4cc7e080
c0e740
8150 punt
[ 1:4600:143]:
c0040b760734d001
e00baf000020000 4cc7e030
c0e780
816e punt
[ 1:4700:144]:
c0040b6e07374001
0 4cc7dfe0
c0e788
816d hbc & others
[ 1:4800:145]:
c0040a960734e001
0 4cc7df90
c0e7f8
8152 hbc & others
[ 1:4801:146]:
c0040aa60734f001
0 4cc7df40
c0e7f0
8154 hbc & others
[ 1:4802:147]:
c0040aae07373001
0 4cc7def0
c0e790
8155 hbc & others
[ 1:4803:148]:
c0040b5607372001
0 4cc7dea0
c0e798
816a hbc & others
[ 1:4900:149]:
c0040b4e07350001
0 4cc7de50
c0e7e8
8169 hbc & others
[ 1:4a00:150]:
c0040ac607371001
0 4cc7de00
c0e7a0
8158 hbc & others
[ 1:4a01:151]:
c0040b3607370001
0 4cc7ddb0
c0e7e0
8166 hbc & others
[ 1:4a02:152]:
c0040b2e07351001
0 4cc7dd60
c0e7d8
8165 hbc & others
[ 1:4a03:153]:
c0040ade07352001
0 4cc7dd10
c0e7d0
815b hbc & others
[ 1:4a04:154]:
c0040aee0736f001
0 4cc7dcc0
c0e7c8
815d hbc & others
[ 1:4b00:155]:
c0040b1e07353001
0 4cc7dc70
c0e7c0
8163 hbc & others
[ 1:4c00:156]:
c0040b1607354001
0 4cc7dc20
c0e7a8
8162 hbc & others
[ 1:4d00:157]:
c0040afe0736e001
0 4cc85bd0
c0e7b0
815f hbc & others
[ 1:4e00:158]:
c0040dfe07355001
0 4cc85b80
c0e7b8
81bf hbc & others
[ 1:4f00:159]:
c0040c060736d001
0 4cc85b30
c0e800
8180 hbc & others
[ 1:4f01:160]:
c0040dee0736c001
0 4cc85ae0
c0e878
81bd hbc & others
[ 1:4f02:161]:
c0040c1e07356001
0 4cc85a90
c0e808
8183 hbc & others
[ 1:4f03:162]:
c0040c260736b001
0 4cc85a40
c0e870
8184 hbc & others
105

[ 1:5000:163]:
c0040dd607357001
0 4cc859f0
c0e810
81ba hbc & others
[ 1:5100:164]:
c0040dce07358001
0 4cc859a0
c0e818
81b9 hbc & others
[ 1:5200:165]:
c0040dc607359001
0 4cc85950
c0e868
81b8 hbc & others
[ 1:5300:166]:
c0040c460736a001
0 4cc85900
c0e860
8188 hbc & others
[ 1:5400:167]:
c0040c4e0735a001
0 4cc858b0
c0e858
8189 hbc & others
[ 1:5500:168]:
c0040db607369001
0 4cc85860
c0e850
81b6 hbc & others
[ 1:5600:169]:
c0040c5e0735b001
0 4cc85810
c0e820
818b hbc & others
[ 1:5601:170]:
c0040c6607368001
0 4cc857c0
c0e848
818c hbc & others
[ 1:5602:171]:
c0040c760735c001
e03003000020000 4cc85770
c0e840
818e punt
[ 1:5603:172]:
c0040c860735d001
e03004800020000 4cc85720
c0e828
8190 punt
[ 1:5604:173]:
c0040c8e07367001
e0301f800020000 4cc856d0
c0e830
8191 punt
[ 1:5605:174]:
c0040d8e0735e001
e03006000020000 4cc85680
c0e838
81b1 punt
[ 1:5700:175]:
c0040c9607366001
e03007800020000 4cc85630
c0e880
8192 punt
[ 1:5800:176]:
c0040c9e0735f001
0 4cc855e0
c0e888
8193 punt
[ 1:5801:177]:
c0040ca607365001
0 4cc85590
c0e890
8194 punt
[ 1:5802:178]:
c0040d6e07360001
0 4cc85540
c0e8f8
81ad punt
[ 1:5803:179]:
c0040d6607361001
0 4cc854f0
c0e898
81ac punt
[ 1:5804:180]:
c0040d5e07362001
0 4cc854a0
c0e8a0
81ab punt
[ 1:5805:181]:
c0040d5607364001
0 4cc85450
c0e8f0
81aa punt
[ 1:5806:182]:
c0040cce07363001
0 4cc85400
c0e8a8
8199 punt
[ 1:5807:183]:
c0040cde07480001
0 4cc853b0
c0e8e8
819b punt
[ 1:5808:184]:
c0040ce607481001
0 4cc85360
c0e8e0
819c punt
[ 1:5809:185]:
c0040cee07482001
0 4cc85310
c0e8d8
819d punt
[ 1:580a:186]:
c0040cf607483001
0 4cc852c0
c0e8b0
819e punt
[ 1:580b:187]:
c0040cfe07484001
0 4cc85270
c0e8b8
819f punt
[ 1:580c:188]:
c0040d2607485001
0 4cc85220
c0e8d0
81a4 punt
[ 1:5900:189]:
c0040d16074bf001
e00bb0800020000 4cc851d0
c0e8c0
81a2 punt
[ 1:5a00:190]:
c0040ffe074be001
e00bb5000020000 4cc85180
c0e8c8
81ff punt
[ 1:5b00:191]:
c0040e0e07486001
e02f95000020000 4cc85130
c0e9f8
81c1 punt
[ 1:5c00:192]:
c0040fee07487001
e02f92000020000 4cc850e0
c0e9f0
81fd punt
[ 1:5d00:193]:
c0040fe6074bd001
e02f93800020000 4cc85090
c0e9e8
81fc punt
[ 1:5e00:194]:
c0040e26074bc001
0 4cc85040
c0e9e0
81c4 hbc & others
[ 1:5e01:195]:
c0040e3607488001
0 4cc84ff0
c0e980
81c6 hbc & others
[ 1:5e02:196]:
c0040e46074bb001
e02f8f000020000 4cc84fa0
c0e9d8
81c8 punt
[ 1:5e03:197]:
c0040e4e07489001
e03001800020000 4cc84f50
c0e9d0
81c9 punt
[ 1:5f00:198]:
c0040fce0748a001
0 4cc84f00
c0e9c8
81f9 hbc & others
[ 1:6000:199]:
c0040e5e074ba001
0 4cc84eb0
c0e988
81cb hbc & others
NPC1(currypanman-re0 vty)# show ddos asic punt-proto-maps

PUNT exceptions directly mapped to DDOS proto:
code PUNT name
---- -------------------1 PUNT_TTL
burst
ttl aggregate
3c00
2000
3e00
2000
10000
fab-probe aggregate
5700
20000
20000
mac-host aggregate
4100
20000
20000
tun-frag aggregate
4200
2000
10000
3802
2000
10000
4300
20000
20000
11 PUNT_MLP
12 PUNT_IGMP_SNOOP
mlp packets
igmp-snoop aggregate
idx q# bwidth
---- -- ------ ------
redirect aggregate
3 PUNT_REDIRECT
group proto
--------- ------
10000
106

14 PUNT_L2PT_ERROR
35 PUNT_AUTOSENSE
38 PUNT_SERVICES
40 PUNT_REJECT
vchassis vc-ttl-err
l2pt aggregate
805
4000
10000
5a00
20000
20000
dynvlan aggregate
300
1000
500
services aggregate
4400
2000
10000
demuxauto aggregate
4500
2000
10000
reject aggregate
4600
2000
10000
sample syslog
5602
1000
1000
42 PUNT_SAMPLE_HOST
sample host
5603
1000
1000
43 PUNT_SAMPLE_PFE
sample pfe
5604
1000
1000
44 PUNT_SAMPLE_TAP
sample tap
5605
1000
1000
500
45 PUNT_PPPOE_PADI
pppoe padi
502
500
46 PUNT_PPPOE_PADR
pppoe padr
504
500
500
47 PUNT_PPPOE_PADT
pppoe padt
506
1000
1000
48 PUNT_PPP_LCP
ppp lcp
402
12000
12000
49 PUNT_PPP_AUTH
ppp auth
403
2000
2000
50 PUNT_PPP_IPV4CP
ppp ipcp
404
2000
2000
51 PUNT_PPP_IPV6CP
ppp ipv6cp
405
2000
2000
52 PUNT_PPP_MPLSCP
ppp mplscp
406
2000
2000
401
1000
500
55 PUNT_VC_HI
vchassis control-hi
802
10000
5000
56 PUNT_VC_LO
vchassis control-lo
803
8000
3000
407
2000
2000
5b00
57 PUNT_PPP_ISIS
58 PUNT_KEEPALIVE
ppp unclass
ppp isis
keepalive aggregate
20000

61 PUNT_INLINE_KA
ppp echo-req
inline-ka aggregate
5d00
20000
2
20000
408
12000
12000
5c00
20000
20000
ppp echo-rep
409
12000
12000
64 PUNT_MLPPP_LCP
ppp mlppp-lcp
40a
12000
12000
frame-relay frf15
5e02
12000
12000
66 PUNT_MFR_CONTROL
frame-relay frf16
5e03
12000
12000
68 PUNT_REJECT_V6
rejectv6 aggregate
5900
2000
20000
10000
NPC1(currypanman-re0 vty)#
This is the DDOS statistics output after PR942816 fix.
<-- No SCFD
lab@currypanman-re0> show ddos-protection protocols ip-fragments statistics
Received:
11676370
Arrival rate:
11490 pps
107

Dropped:
9759087

Received:
953127
Arrival rate:
Dropped:
5603 pps

Received:
11676370
Arrival rate:
Dropped:
9759087
11490 pps

Packet type: first-fragment

Bandwidth is never violated
Received:
Arrival rate:
Dropped:
0 pps

Received:
Arrival rate:
Dropped:
0 pps

Received:
Arrival rate:
0 pps
Dropped:

Packet type: trail-fragment


2014-02-13 12:24:29 JST

Received:
11676370
Arrival rate:
Dropped:
9759087
11490 pps

<-- Pkt received by the RE (NOT considering the drop on hostbound queue and ttp queue)
Received:
953127
Arrival rate:
Dropped:
5603 pps

108

2014-02-13 12:24:29 JST

<-- Total received
Received:
11676370
Arrival rate:
11490 pps
<-- Dropped by the tail-fragment policer on PFE

Dropped:
9759087
9759087

Flow counts:
Aggregation level
Current
Total detected
State
Subscriber
Active
Logical-interface
Active
Physical-interface
Active
lab@currypanman-re0> show interfaces ge-1/0/0 extensive

Physical interface: ge-1/0/0, Enabled, Physical link is Up
Interface index: 169, SNMP ifIndex: 0, Generation: 172
Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback:
Disabled, Source filtering: Disabled,
Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
Device flags
: Present Running
Interface flags: SNMP-Traps Internal: 0x4000

Link flags
: None
CoS queues
: 8 supported, 8 maximum usable queues
Hold-times
: Up 0 ms, Down 0 ms
Current address: 00:24:dc:90:2a:95, Hardware address: 00:24:dc:90:2a:95

Last flapped
: 2014-02-13 11:57:08 JST (00:35:49 ago)
Statistics last cleared: Never

Traffic statistics:
Input
bytes
11466195340
0 bps
Output bytes
48
0 bps
packets:
11676370
0 pps
Output packets:
0 pps
Input
NPC1(currypanman-re0 vty)# show ttp statistics

TTP Statistics:
Receive
Transmit
----------
----------
L2 Packets
L3 Packets
953127
Drops
Netwk Fail
Queue Drops
Unknown
Coalesce
Coalesce Fail
TTP Transmit Statistics:
109

Queue 0
Queue 1
Queue 2
----------
----------
----------
----------
Queue 3
L2 Packets
L3 Packets
TTP Receive Statistics:

Control
High
Medium
Low
Discard
----------
----------
----------
----------
----------
L2 Packets
L3 Packets
953127
Drops
Queue Drops
Unknown
Coalesce
Coalesce Fail
TTP Receive Queue Sizes:

Control Plane : 0 (max is 4473)
High
: 0 (max is 4473)
Medium
: 0 (max is 4473)
Low
: 0 (max is 2236)
TTP Transmit Queue Size: 0 (max is 6710)

NPC1(currypanman-re0 vty)# show ddos policer stats ip-fragments
arrival
idx prot
# of
proto on
loc
pass
drop
---
-----------
----------- --
------
--------
--------
159 4f00
ip-frag
aggregate
UKERN
953127
160 4f01
ip-frag
unclass..
N/A
---
---
---
---
---
161 4f02
ip-frag
first-frag
---
rate
pass
group
rate flows
------ ------ -----
UKERN
PFE-0
PFE-1
<-- 964156 is missing.

162 4f03
ip-frag
trail-frag
UKERN
953127
PFE-0
1917283
9759087
PFE-1
NPC1(currypanman-re0 vty)# show ddos policer 0x4f03

Basic Protocol/Policer Info:
Name: IP-Fragments-trail-fragment, Proto: 0x4f03, flags: 0x78, states: 0x20002
Time to recover: 300000, first violated: 1653545, last violated: 1753280
UKERN Info:
configured: rate=20000(pps) burst=20000(pkts)
configured: max-credits=81920000 priority=Lo
actual used: rate=20000.00(pps) (m, n)=(128, 16)
current credits=0
110

PFE Info:
configured: rate=20000 (pps) burst=20000 (pkts)
SCFD Info:
op-mode=automatic, state=normal, flags=0x1(never timeout, log)
detect-time=3000(ms), recover-time=60000(ms), timeout-time=300000(ms)
aggr-level
allowed
active
force
ctrl
sub
yes
yes
no
drop
rate(pps) flow-count
10
ifl
yes
yes
no
drop
10
ifd
yes
yes
no
drop
20000
total
---
---
flow drop rate=0, flow drop trend=ff, pol viol trend=0

Packet Statistics:
stats
PFE-0
PFE-1
UKERN
TOTAL
---------
---------
---------
---------
received
11676370
953127
11676370
arrived at policer
11676370
953127
--9759087
-----------------
dropped: indv pol
9759087
dropped: aggr pol
---
---
dropped: indv flow
---
dropped: aggr flow
---
---
---
---
total dropped
9759087
9759087
final passed
1917283
953127
953127
122585
9998
122585
arrival rate(pps)
max arvl rate(pps)
pass rate(pps)
show jnh 0 exceptions hbc policers
Global Policer:
policer_nexthop: 0xC03C15360754B001
policer_result:
dropped packets:
0x4CC84D48
0

Aggregate policer packet drops: 9759086 <-- ***
show mqchip 0 dstat stats 0 1016
111

Counter
Packets
Pkt Rate
Bytes
Byte Rate

Forwarded (Rule)
953127
973142667
<-- Dropped here

<-- 9887 + 954269 = 964156
9887
10094627
954269
974308649
Dropped (Force)
Dropped (Error)
Queue inst depth
: 0

<-- With SCFD
lab@currypanman-re0> show interfaces ge-1/0/0 extensive
Physical interface: ge-1/0/0, Enabled, Physical link is Up
Interface index: 169, SNMP ifIndex: 0, Generation: 199
Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback:
Disabled, Source filtering: Disabled,
Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
Device flags
: Present Running
Interface flags: SNMP-Traps Internal: 0x4000

Link flags
: None
CoS queues
: 8 supported, 8 maximum usable queues
Hold-times
: Up 0 ms, Down 0 ms
Current address: 00:24:dc:90:2a:95, Hardware address: 00:24:dc:90:2a:95

Last flapped
: 2014-02-13 12:46:16 JST (00:02:38 ago)
Statistics last cleared: Never

Traffic statistics:
Input
bytes
5021080894
0 bps
Output bytes
0 bps
packets:
5113117
0 pps
Output packets:
0 pps
Input
lab@currypanman-re0> show ddos-protection protocols ip-fragments statistics

112

Received:
5113117
Arrival rate:
Dropped:
5066511
0 pps

Received:
17786
Arrival rate:
Dropped:
0 pps

Received:
5113117
Arrival rate:
Dropped:
5066511
0 pps

4901638
Packet type: first-fragment

Bandwidth is never violated
Received:
Arrival rate:
Dropped:
0 pps

Received:
Arrival rate:
Dropped:
0 pps

Received:
Arrival rate:
0 pps
Dropped:

Packet type: trail-fragment


2014-02-13 12:48:51 JST

Received:
5113117
Arrival rate:
Dropped:
5066511
0 pps
Flow counts:
Aggregation level
Current
Total detected
Subscriber
Total
113

Received:
17786
Arrival rate:
0 pps
Dropped:

2014-02-13 12:48:51 JST

Received:
5113117
Arrival rate:
Dropped:
5066511
0 pps
164873

4901638
Flow counts:
Aggregation level
Current
Total detected
State
Subscriber
Active
Total
lab@currypanman-re0>
NPC1(currypanman-re0 vty)# show ddos policer ip-fragments stats
arrival
idx prot
---
group
proto on
loc
pass
drop
----------- --
rate
pass
# of
rate flows
---
-----------
------
--------
--------
159 4f00
ip-frag
aggregate
UKERN
17786
160 4f01
ip-frag
unclass..
N/A
---
---
---
---
---
161 4f02
ip-frag
first-frag
UKERN
PFE-0
PFE-1
UKERN
17786
162 4f03
ip-frag
trail-frag
------ ------ -----
<-- 5066511 = SCFD + DDOS policer drop

PFE-0
46606
5066511
PFE-1
NPC1(currypanman-re0 vty)# show ddos policer 0x4f03

Basic Protocol/Policer Info:
Name: IP-Fragments-trail-fragment, Proto: 0x4f03, flags: 0x78, states: 0x2000e
Time to recover: 300000, first violated: 222210, last violated: 267820
UKERN Info:
configured: rate=20000(pps) burst=20000(pkts)
configured: max-credits=81920000 priority=Lo
actual used: rate=20000.00(pps) (m, n)=(128, 16)
current credits=0
PFE Info:
configured: rate=20000 (pps) burst=20000 (pkts)
114

SCFD Info:
op-mode=automatic, state=detect, flags=0x1(never timeout, log)
detect-time=3000(ms), recover-time=60000(ms), timeout-time=300000(ms)
aggr-level
allowed
active
force
ctrl
sub
yes
yes
no
drop
rate(pps) flow-count
10
ifl
yes
no
no
drop
10
ifd
yes
no
no
drop
20000
total
---
---
flow drop rate=0, flow drop trend=ff, pol viol trend=0

Packet Statistics:
stats
-----------------
PFE-0
PFE-1
UKERN
TOTAL
---------
---------
---------
---------
<-- pkt can reach ukern = 46606 - 28820 = 17786

received
5113117
17786
5113117
17786
---
<-- After SCFD

arrived at policer
211479
<-- 211479 - 164873 = 46606 = final pass up to ukern

dropped: indv pol
164873
164873
dropped: aggr pol
---
---
<-- 5113117 - 4901638 = 211479 = pkt sent to DDOS policer term

dropped: indv flow
dropped: aggr flow
total dropped
final passed
arrival rate(pps)
max arvl rate(pps)
pass rate(pps)
4901638
---
4901638
---
---
---
---
5066511
5066511
46606
17786
17786
122657
2159
122657
NPC1(currypanman-re0 vty)# show mqchip 0 dstat stats 0 1016

Counter
Packets
Pkt Rate
Bytes
Byte Rate

Forwarded (Rule)
17786
18159506
<-- total queue drop = 8867 + 19953 = 28820
8867
9053207
19953
20372013
Dropped (Force)
Dropped (Error)
115

Queue inst depth
: 0

NPC1(currypanman-re0 vty)# show ttp statistics
TTP Statistics:
Receive
Transmit
----------
----------
L2 Packets
L3 Packets
17786
Drops
Netwk Fail
Queue Drops
Unknown
Coalesce
Coalesce Fail
Queue 0
Queue 1
Queue 2
TTP Transmit Statistics:

Queue 3
----------
----------
----------
L2 Packets
---------0
L3 Packets
TTP Receive Statistics:

Control
High
Medium
Low
Discard
----------
----------
----------
----------
----------
L2 Packets
L3 Packets
17786
Drops
Queue Drops
Unknown
Coalesce
Coalesce Fail
TTP Receive Queue Sizes:

Control Plane : 0 (max is 4473)
High
: 0 (max is 4473)
Medium
: 0 (max is 4473)
Low
: 0 (max is 2236)
TTP Transmit Queue Size: 0 (max is 6710)

NPC1(currypanman-re0 vty)# show jnh 0 exceptions hbc policers
Global Policer:
policer_nexthop: 0xC03C15360754B001
policer_result:
dropped packets:
0x4CC84D48
0
116

Aggregate policer packet drops: 164872 <-- ***
The aggregate policer packet drop counter is always 1 less than the actual drop from the above test. Thats because it is
counted as a violation. When a policer is in normal mode (not starting detecting flow yet), and when violation is detected
(we are going to drop), the drop will be converted to a violation report and sent to ukern. This drop is counted at the
violating policer but not at the global counter. These violations are never dropped and not processed as the original
exception, and are only used as an indication of a policer violation. This was introduced in 12.3 with SCFD. Also we could
keep sending these violation reports until host acks the receiving or switching to flow detection. Apparently, in your test
case, the first violation got acked right away and you only lost one packet. The ack feature is just introduced in this PR
fix. We used to keep sending violation reports if we are not doing SCFD.
NPC1(abc vty)# sh jnh 1 exceptions terse

Reason
Type
Packets
Bytes
==================================================================
Packet Exceptions
---------------------DDOS policer violation notifs
PUNT(15)
4224
117
Reference
1. http://www-in.juniper.net/eng/cvs_pdf/sw-projects/platform/trinity/pfe/host/host.doc
2. http://cvs.juniper.net/cgi-bin/viewcvs.cgi/*checkout*/sw-projects/platform/commonedge/arch/RLI15473-
DDOS-SCFD-FS.pdf?rev=1.4

118
Changes
18-Nov-2013 (Rev 0) Initial Draft
13-Feb-2014 (Rev 1) Add changes under PR942816 and PR924807
26-Mar-2014 (Rev 2) Add MLP exception

119

Ddos

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Ddos

Transféré par

Droits d'auteur :

Formats disponibles

JUNIPER NETWORKS CONFIDENTIAL

DDOS Implementation on MX Platform

JUNIPER NETWORKS CONFIDENTIAL DO NOT DISTRIBUTE

Juniper Networks, Inc.

DDOS System Hierarchy

JUNIPER NETWORKS CONFIDENTIAL DO NOT DISTRIBUTE

Juniper Networks, Inc.

JUNIPER NETWORKS CONFIDENTIAL DO NOT DISTRIBUTE

Juniper Networks, Inc.

JUNIPER NETWORKS CONFIDENTIAL DO NOT DISTRIBUTE

Juniper Networks, Inc.

JUNIPER NETWORKS CONFIDENTIAL DO NOT DISTRIBUTE

Juniper Networks, Inc.

JUNIPER NETWORKS CONFIDENTIAL DO NOT DISTRIBUTE

Juniper Networks, Inc.

JUNIPER NETWORKS CONFIDENTIAL DO NOT DISTRIBUTE

Juniper Networks, Inc.

JUNIPER NETWORKS CONFIDENTIAL DO NOT DISTRIBUTE

Juniper Networks, Inc.

JUNIPER NETWORKS CONFIDENTIAL DO NOT DISTRIBUTE

Juniper Networks, Inc.

JUNIPER NETWORKS CONFIDENTIAL DO NOT DISTRIBUTE

Juniper Networks, Inc.

JUNIPER NETWORKS CONFIDENTIAL DO NOT DISTRIBUTE

Juniper Networks, Inc.

Disable FPC policing for all protocols

Disable event logging for all protocols

Disable Routing Engine policing for all protocols

Here are the protocols defined under the DDOS infrastructure.

Configure AMT v4 control packets

Configure AMT v6 control packets

Configure ANCP traffic

Configure ANCPv6 traffic

Groups from which to inherit configuration data

Don't inherit configuration data from these groups

Configure ARP traffic

Configure ATM traffic

JUNIPER NETWORKS CONFIDENTIAL DO NOT DISTRIBUTE

Juniper Networks, Inc.

Configure BFD traffic

Configure BFDv6 traffic

Configure BGP traffic

Configure BGPv6 traffic

Configure demux autosense traffic

Configure DHCPv4 traffic

Configure DHCPv6 traffic

Configure Diameter/Gx+ traffic

Configure DNS traffic

Configure dtcp traffic

Configure dynamic vlan exceptions

Configure EGPv6 traffic

Configure EOAM traffic

Configure ESMC traffic

Configure fab out probe packets

Configure packets via firewall 'send-to-host' action

Configure frame relay control packets

Configure FTP traffic

Configure FTPv6 traffic

Configure GRE traffic

Configure ICMP traffic

Configure ICMPv6 traffic

Configure IGMP traffic

Configure IGMPv4-v6 traffic

Configure IGMPv6 traffic