I assume you'd see BGP down on the first example as well, just with a lower probability of seeing a down event.
Out of the box, ddos-protection isn't doing much that's useful; you need to configure every protocol. http://blog.ip.fi/2014/03/quick-look-at-trio-ddos-protection-with.html may give some ideas on how to start.

On Fri, 4 Jan 2019 at 23:45, Jason Lixfeld <[email protected]> wrote:
>
> > On Jan 4, 2019, at 3:06 PM, Jason Lixfeld <[email protected]> wrote:
> >
> > Hi,
> >
> > Before I go too far down the rabbit hole of looking into the DDoS
> > Protection parent feature on MX, does anyone know if it’s supported on
> > MX204?
>
> So it’s a shallow rabbit hole; it’s enabled by default and after poking
> around with it a bit, it seems to be supported.
>
> But, I’m seeing behaviour that doesn’t quite compute.
>
> No RE filter configured, just the default DDoS protection. Sending about 22k
> pps of bogus BGP packets.
>
> FPC is in violation, but RE isn’t. Remaining BGP sessions are still up.
>
> jlixfeld@r# run show ddos-protection protocols bgp statistics
> Packet types: 1, Received traffic: 1, Currently violated: 1
> Protocol Group: BGP
>
>   Packet type: aggregate
>     System-wide information:
>       Aggregate bandwidth is being violated!
>         No. of FPCs currently receiving excess traffic: 1
>         No. of FPCs that have received excess traffic: 1
>         Violation first detected at: 2019-01-04 16:13:28 EST
>         Violation last seen at: 2019-01-04 16:32:51 EST
>         Duration of violation: 00:19:23 Number of violations: 5
>       Received: 67923912 Arrival rate: 22925 pps
>       Dropped: 46234805 Max arrival rate: 190065 pps
>     Routing Engine information:
>       Aggregate policer is no longer being violated
>         Last violation started at: 2019-01-04 16:13:33 EST
>         Last violation ended at: 2019-01-04 16:13:34 EST
>         Duration of last violation: 00:00:01 Number of violations: 1
>       Received: 21663099 Arrival rate: 19952 pps
>       Dropped: 0 Max arrival rate: 22228 pps
>         Dropped by individual policers: 0
>         Dropped by aggregate policer: 0
>     FPC slot 0 information:
>       Aggregate policer is currently being violated!
>         Violation first detected at: 2019-01-04 16:13:29 EST
>         Violation last seen at: 2019-01-04 16:32:51 EST
>         Duration of violation: 00:19:22 Number of violations: 4
>       Received: 67923912 Arrival rate: 22925 pps
>       Dropped: 46234805 Max arrival rate: 190065 pps
>         Dropped by individual policers: 0
>         Dropped by aggregate policer: 46234805
>         Dropped by flow suppression: 0
>       Flow counts:
>         Aggregation level     Current       Total detected   State
>         Subscriber            0             0                Active
>
> [edit]
> jlixfeld@r#
>
> If I send 188k pps, RE is still not in violation, but BGP sessions die.
>
> jlixfeld@r# run show ddos-protection protocols bgp statistics
> Packet types: 1, Received traffic: 1, Currently violated: 1
> Protocol Group: BGP
>
>   Packet type: aggregate
>     System-wide information:
>       Aggregate bandwidth is being violated!
>         No. of FPCs currently receiving excess traffic: 1
>         No. of FPCs that have received excess traffic: 1
>         Violation first detected at: 2019-01-04 16:13:28 EST
>         Violation last seen at: 2019-01-04 16:24:13 EST
>         Duration of violation: 00:10:45 Number of violations: 5
>       Received: 30565770 Arrival rate: 188433 pps
>       Dropped: 19208137 Max arrival rate: 189414 pps
>     Routing Engine information:
>       Aggregate policer is no longer being violated
>         Last violation started at: 2019-01-04 16:13:33 EST
>         Last violation ended at: 2019-01-04 16:13:34 EST
>         Duration of last violation: 00:00:01 Number of violations: 1
>       Received: 11423775 Arrival rate: 19857 pps
>       Dropped: 0 Max arrival rate: 22100 pps
>         Dropped by individual policers: 0
>         Dropped by aggregate policer: 0
>     FPC slot 0 information:
>       Aggregate policer is currently being violated!
>         Violation first detected at: 2019-01-04 16:13:28 EST
>         Violation last seen at: 2019-01-04 16:24:13 EST
>         Duration of violation: 00:10:45 Number of violations: 4
>       Received: 30565770 Arrival rate: 188433 pps
>       Dropped: 19208137 Max arrival rate: 189414 pps
>         Dropped by individual policers: 0
>         Dropped by aggregate policer: 19208137
>         Dropped by flow suppression: 0
>       Flow counts:
>         Aggregation level     Current       Total detected   State
>         Subscriber            0             0                Active
>
> [edit]
> jlixfeld@r#
>
> If the same policer is doing the same job whether it’s 22kpps or 188kpps, I’d
> expect no difference in the effects the different rates would have on the BGP
> session.
>
> Am I missing something?
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
++ytti
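
The two outputs quoted above can be compared numerically. The following is an added example, not part of the original thread: it parses the counter lines from both captures and computes what share of the BGP-group packets arriving at the FPC is passed on to the RE. It assumes the aggregate policer does not distinguish established sessions from bogus packets, so that share also approximates the chance that a legitimate BGP packet gets through; `parse` and `pass_fraction` are names chosen here.

```python
import re

# Excerpts of the two `show ddos-protection protocols bgp statistics` outputs
# quoted in the thread (only section headers and counter lines are kept).
CAPTURE_22K = """\
Routing Engine information:
Received: 21663099 Arrival rate: 19952 pps
Dropped: 0 Max arrival rate: 22228 pps
FPC slot 0 information:
Received: 67923912 Arrival rate: 22925 pps
Dropped: 46234805 Max arrival rate: 190065 pps
"""
CAPTURE_188K = """\
Routing Engine information:
Received: 11423775 Arrival rate: 19857 pps
Dropped: 0 Max arrival rate: 22100 pps
FPC slot 0 information:
Received: 30565770 Arrival rate: 188433 pps
Dropped: 19208137 Max arrival rate: 189414 pps
"""

SECTION = re.compile(r"^\s*(System-wide|Routing Engine|FPC slot \d+) information:")
# "Dropped by ..." lines are skipped because the name must be followed by ':'.
COUNTER = re.compile(r"(Received|Dropped|Arrival rate|Max arrival rate):\s+(\d+)")

def parse(text):
    """Return {section: {counter: int}} for each '... information:' section."""
    stats, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = stats.setdefault(m.group(1), {})
        elif current is not None:
            current.update((k, int(v)) for k, v in COUNTER.findall(line))
    return stats

def pass_fraction(text, fpc="FPC slot 0"):
    """Share of the FPC's current BGP arrival rate that reaches the RE.
    Assumption: the policer drops legitimate and bogus packets alike."""
    s = parse(text)
    return min(1.0, s["Routing Engine"]["Arrival rate"] / s[fpc]["Arrival rate"])

if __name__ == "__main__":
    for name, cap in (("22k pps", CAPTURE_22K), ("188k pps", CAPTURE_188K)):
        print(f"{name}: {pass_fraction(cap):.1%} of BGP-group packets reach the RE")
```

In both captures the RE sees roughly 20k pps, but that is about 87% of what arrives in the first case and about 10.5% in the second.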

