Davion Posted June 8, 2016
Suddenly, BGP sessions started dropping in a completely random order:

    Jun 9 00:47:01.272328 bgp_hold_timeout:4174: NOTIFICATION sent to x.x.x.x (External AS 00000): code 4 (Hold Timer Expired Error), Reason: holdtime expired for x.x.x.x (External AS 0000), socket buffer sndcc: 76 rcvcc: 0 TCP state: 4, snd_una: 1988541995 snd_nxt: 1988542052 snd_wnd: 16384 rcv_nxt: 548497077 rcv_adv: 548513461, hold timer out 90s, hold timer remain 0s
    Jun 9 00:47:01.272729 RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer x.x.x.x (External AS 00000) changed state from Established to Idle (event HoldTime) (instance master)

The most interesting part is that the neighbouring peers stop responding to ping... After a while everything recovers... Meanwhile two BGP sessions stay up the whole time... I no longer know where to dig.
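The two log lines above can be correlated automatically. What follows is an added example, not code from this thread: it parses RPD_BGP_NEIGHBOR_STATE_CHANGED lines (a constructed sample with placeholder peers and AS numbers) and groups HoldTime drops that fall within one 90 s hold time of each other. Several unrelated peers expiring together is the signature of a local cause (the router's own control plane, ARP, a loop) rather than of any single neighbour, which is exactly the symptom described in the post.

```python
import re
from datetime import datetime

# Constructed sample of rpd state-change lines in the format quoted above;
# peer addresses and AS numbers are documentation placeholders, not real peers.
SAMPLE_LOG = """\
Jun 9 00:47:01.272729 RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 64496) changed state from Established to Idle (event HoldTime) (instance master)
Jun 9 00:47:03.104211 RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.2 (External AS 64497) changed state from Established to Idle (event HoldTime) (instance master)
Jun 9 00:47:05.511902 RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.0.0.7 (Internal AS 64500) changed state from Established to Idle (event HoldTime) (instance master)
Jun 9 00:49:10.000000 RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 64496) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)
Jun 9 03:12:44.000000 RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.9 (External AS 64499) changed state from Established to Idle (event HoldTime) (instance master)
"""

STATE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\.\d+)\s+"
    r"RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer (?P<peer>\S+) "
    r"\((?P<kind>External|Internal) AS (?P<asn>\d+)\) "
    r"changed state from (?P<old>\w+) to (?P<new>\w+) \(event (?P<event>\w+)\)"
)


def parse_events(text):
    """Return one dict per state-change line. The syslog stamp carries no
    year, so every timestamp lands in strptime's default year; that is fine
    for the time deltas computed below."""
    events = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["stamp"], "%b %d %H:%M:%S.%f")
        events.append({"ts": ts, "peer": m["peer"], "kind": m["kind"],
                       "asn": m["asn"], "old": m["old"], "new": m["new"],
                       "event": m["event"]})
    return events


def find_mass_holdtime_drops(events, window_s=90, min_peers=2):
    """Group HoldTime-triggered drops to Idle that fall within `window_s`
    of the first drop of the group (default: one 90 s hold time, as in the
    log above). A group spanning several peers points at a local cause
    (RE/PFE path, ARP, a loop) rather than at any one neighbour."""
    drops = sorted((e for e in events
                    if e["event"] == "HoldTime" and e["new"] == "Idle"),
                   key=lambda e: e["ts"])
    groups, current = [], []
    for e in drops:
        if current and (e["ts"] - current[0]["ts"]).total_seconds() > window_s:
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    result = []
    for g in groups:
        peers = sorted({e["peer"] for e in g})
        if len(peers) >= min_peers:
            result.append({"start": g[0]["ts"], "end": g[-1]["ts"], "peers": peers})
    return result


if __name__ == "__main__":
    for grp in find_mass_holdtime_drops(parse_events(SAMPLE_LOG)):
        print(f"{grp['start']:%b %d %H:%M:%S}..{grp['end']:%H:%M:%S}: "
              f"{len(grp['peers'])} peers lost to HoldTime: {', '.join(grp['peers'])}")
```

Feed it the output of `show log messages | match RPD_BGP_NEIGHBOR_STATE_CHANGED`; a single peer dropping alone (the 03:12 line in the sample) is reported only when `min_peers` is lowered to 1, so the default output is just the events worth waking someone up for.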
dmvy Posted June 8, 2016
A policer? Is there a filter on the control plane? What is the CPU load?
Davion Posted June 8, 2016
There are essentially no filters on the control plane; CPU load is minimal:

    last pid: 38907;  load averages: 0.16, 0.20, 0.21  up 314+20:06:35  04:55:34
    141 processes: 4 running, 109 sleeping, 28 waiting
    Mem: 1074M Active, 107M Inact, 251M Wired, 112M Cache, 112M Buf, 443M Free
    Swap: 2915M Total, 2915M Free

      PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
       11 root        1 171   52     0K    16K RUN    6555.6 84.62% idle
     1337 root       11  96    0 17256K  8664K ucond   551.0H  4.98% clksyncd
     1420 root        1   4    0   824M   782M kqread  109.1H  2.05% rpd

The situation is simply absurd; for now I seem to have solved the problem... I configured static ARP entries for the peers and the drops stopped... nonsense?! I will keep watching.
orlik Posted June 9, 2016
Check whether the counters in `show policer __default_arp_policer__` are growing. If they are, someone is flooding you with ARP requests, and that has to be dealt with.
orlik Posted June 9, 2016
In general there can be several causes; the link between the RE and the PFE may simply be saturated (saturated because of a loop on the equipment below you). You can see this, among other things, from growing drops in `show system queues`. In that case a filter on the control plane (lo0) can help a great deal, because it is programmed into the PFE (not all of it) and the unwanted traffic is discarded there already.
s.lobanov Posted June 9, 2016
Davion, is the problematic peer connected directly to the MX or through transit switches? (They may be policing ARP too.)
orlik Posted June 9, 2016
In general, judging by the fact that the others also stop responding to ping, there is probably a loop somewhere...
Davion Posted June 9, 2016 (edited)
Looks like there was either a storm or a loop somewhere; we disabled some VLANs and everything became OK. I need to think about how to protect the control plane. Could anyone share a typical config?

    input protocol              bytes      max  packets      max    drops
    arpintrq                        0     3000        0       50   643655

Edited June 9, 2016 by Davion
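orlik's advice (watch whether `show policer __default_arp_policer__` and the drop column of `show system queues` keep growing) amounts to differencing two snapshots of a counter table. The script below is an added example, not something posted in this thread: it parses both table shapes, computes per-second growth between two snapshots assumed to be 60 s apart, and lists the rows that are still climbing. Both snapshot pairs are constructed to resemble the output quoted above (the arpintrq drop counter is the one that moves).

```python
import re

# Two constructed snapshots of `show system queues` input-protocol rows in the
# column layout quoted above, assumed taken 60 s apart. A constructed pair of
# policer rows (the "Policers:" table shape seen elsewhere in this thread) is
# included as well; the numbers are invented.
QUEUES_T0 = """\
input protocol              bytes      max  packets      max    drops
arpintrq                        0     3000        0       50   643655
ipintrq                         0   262144        0     1000        0
ip6intrq                        0   262144        0     1000        0
"""
QUEUES_T1 = """\
input protocol              bytes      max  packets      max    drops
arpintrq                        0     3000        0       50   644255
ipintrq                         0   262144        0     1000        0
ip6intrq                        0   262144        0     1000        3
"""
POLICER_T0 = """\
Policers:
Name                                              Bytes        Packets
__default_arp_policer__                         7707712         120433
"""
POLICER_T1 = """\
Policers:
Name                                              Bytes        Packets
__default_arp_policer__                         8667712         135433
"""

# a row is a name followed by one or more integer columns; header lines do not match
ROW_RE = re.compile(r"^(\S+)((?:\s+\d+)+)\s*$")


def parse_counter_table(text):
    """Map row name -> list of integer columns. For the queues table the last
    column is drops; for a policer table it is packets."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m.group(1)] = [int(x) for x in m.group(2).split()]
    return rows


def counter_rates(before, after, interval_s, column=-1):
    """Growth per second of `column` for every row present in `after`.
    A counter that went backwards (cleared or wrapped between snapshots) is
    treated as having restarted from zero."""
    rates = {}
    for name, cols in after.items():
        now = cols[column]
        prev = before[name][column] if name in before else 0
        delta = now - prev if now >= prev else now
        rates[name] = delta / interval_s
    return rates


def growing(rates, min_rate=1.0):
    """Row names whose counter grows by at least `min_rate` per second."""
    return sorted(n for n, r in rates.items() if r >= min_rate)


if __name__ == "__main__":
    q = counter_rates(parse_counter_table(QUEUES_T0), parse_counter_table(QUEUES_T1), 60)
    p = counter_rates(parse_counter_table(POLICER_T0), parse_counter_table(POLICER_T1), 60)
    print("queues with growing drops:", {k: q[k] for k in growing(q)})
    print("policers still discarding:", {k: p[k] for k in growing(p)})
```

A drop counter that is merely large proves nothing (643655 could be years old); only the rate between two samples taken during the incident tells you whether the flood is still running.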
rdc Posted June 9, 2016
If some sessions survived, then the control plane did not need protecting. With a loop, protect it or not, ARP gets blocked and the sessions collapse anyway...
rdntw Posted June 10, 2016
> I need to think about how to protect the control plane. Could anyone share a typical config?

https://habrahabr.ru/post/186566/
orlik Posted June 10, 2016
I very much recommend the book Juniper MX Series. Control-plane protection is covered well there too.
snvoronkov Posted June 10, 2016
https://habrahabr.ru/post/186566/
I rolled out a reworked version of this article about two years ago, right in the heyday of amplification attacks. Running fine! It still will not spare you from having to shape ARP floods toward the PFE, though.
dmvy Posted June 12, 2016
By the way, you can find the offending traffic very quickly with `monitor traffic`. Once on EKT-IX there were ICMPv6 flood packets; it was found quickly and the VLAN was disabled. Some operators were down until morning because of that flood.
loschikatilos Posted June 15, 2016
I had an IP address conflict. The situation was very similar to yours.
orlik Posted June 15, 2016
> I had an IP address conflict. The situation was very similar to yours.

That usually shows up in the logs as a conflict message.
loschikatilos Posted June 17, 2016
My SE100 did not log it. It logged something like

    2016-04-30 22:27:08 <RMT> peer_12242: Received: Hold timer expired.

Go figure.
orlik Posted June 17, 2016
> My SE100 did not log it. It logged something like
> 2016-04-30 22:27:08 <RMT> peer_12242: Received: Hold timer expired.
> Go figure.

The MX does log it.
kvasyan Posted March 11, 2018 (edited)
Colleagues, good day. The other day I found myself in a similar situation:

    Mar 8 00:47:51 br-4 rpd[1116]: bgp_recv: read from peer Х.Х.Х.Х (Internal AS ХХХХХ) failed: Connection reset by peer
    Mar 8 00:47:51 br-4 rpd[1116]: bgp_recv: read from peer Х.Х.Х.Х (Internal AS ХХХХХ) failed: Connection reset by peer
    Mar 8 00:47:55 br-4 rpd[1116]: bgp_hold_timeout:3675: NOTIFICATION sent to Х.Х.Х.Х (Internal AS ХХХХХ): code 4 (Hold Timer Expired Error), Reason: holdtime expired for Х.Х.Х.Х (Internal AS ХХХХХ), socket buffer sndcc: 57 rcvcc: 0 TCP state: 4, snd_una: 219186777 snd_nxt: 219186815 snd_wnd: 12600 rcv_nxt: 1543988835 rcv_adv: 1544005219, hold timer 0
    Mar 8 00:47:59 br-4 rpd[1116]: bgp_recv: read from peer Х.Х.Х.1 (Internal AS ХХХХХ) failed: Connection reset by peer
    Mar 8 00:47:59 br-4 rpd[1116]: bgp_hold_timeout:3675: NOTIFICATION sent to Х.Х.Х.Х (Internal AS ХХХХХ): code 4 (Hold Timer Expired Error), Reason: holdtime expired for Х.Х.Х.Х (Internal AS ХХХХХ), socket buffer sndcc: 57 rcvcc: 0 TCP state: 4, snd_una: 426976337 snd_nxt: 426976375 snd_wnd: 14600 rcv_nxt: 796298714 rcv_adv: 796315098, hold timer 0
    Mar 8 00:48:01 br-4 rpd[1116]: bgp_hold_timeout:3675: NOTIFICATION sent to Х.Х.Х.2 (External AS YYYYY): code 4 (Hold Timer Expired Error), Reason: holdtime expired for Х.Х.Х.Х (External AS YYYYY), socket buffer sndcc: 57 rcvcc: 0 TCP state: 4, snd_una: 3815310661 snd_nxt: 3815310699 snd_wnd: 29440 rcv_nxt: 3950147902 rcv_adv: 3950164286, hold timer 0

    Filter: lo0.0-i
    Counters:
    Name                              Bytes        Packets
    DEF-DISCARD-lo0.0-i          7692621845       79818657
    ICMP-lo0.0-i                     326538           2462
    ICMP-Frag-lo0.0-i                     0              0
    Mgmt-lo0.0-i                19283886030      393523484
    NTP-lo0.0-i                     3979436          52328
    accept-bgp-lo0.0-i              2440549          23955
    icmp-is-frag-lo0.0-i                  0              0
    Policers:
    Name                                   Packets
    copp-lim-1m-NTP-lo0.0-i                      0
    icmp-lim-1m-ICMP-ACC-lo0.0-i               159

We tracked down the bomber:

    15:45:25.115638 In IP 195.59.70.199 > 195.х.х.х: ICMP echo request, id 8167, seq 7, length 64
    15:45:25.625413 In IP 195.59.70.199 > 195.х.х.х: ICMP echo request, id 8167, seq 8, length 64
    15:45:26.117734 In IP 195.59.70.199 > 195.х.х.х: ICMP echo request, id 8167, seq 9, length 64
    15:45:26.625234 In IP 195.59.70.199 > 195.х.х.х: ICMP echo request, id 8167, seq 10, length 64

We applied policers:

    admin@br-4# show firewall policer icmp-lim-1m | display set
    set firewall policer icmp-lim-1m if-exceeding bandwidth-limit 512k
    set firewall policer icmp-lim-1m if-exceeding burst-size-limit 1500
    set firewall policer icmp-lim-1m then discard

That brought no result; the sessions keep dropping. The Juniper box seems to freeze for 10 minutes and the management interface does not respond (understandably). I configured static ARP for the peers, but the sessions still drop. Then something strange started with packet sizes:

    15:21:07.818807 In IP X.X.X.X.63286 > X.X.X.Y.bgp: . ack 19 win 32409
    15:21:18.362632 In IP X.X.X.X.63286 > X.X.X.Y.bgp: P 1:20(19) ack 19 win 32409: BGP, length: 19
    15:21:18.364004 In IP X.X.X.X.63286 > X.X.X.Y.bgp: . 20:1480(1460) ack 19 win 32409: BGP, length: 1460
    15:21:18.364052 Out IP X.X.X.Y.bgp > X.X.X.X.63286: . ack 1480 win 14905
    15:21:18.365520 In IP X.X.X.X.63286 > X.X.X.Y.bgp: . 1480:2940(1460) ack 19 win 32409: BGP, length: 1460
    15:21:18.387723 Out IP X.X.X.Y.bgp > X.X.X.X.63286: . ack 2940 win 16384
    15:21:18.388728 In IP X.X.X.X.63286 > X.X.X.Y.bgp: P 2940:2979(39) ack 19 win 32409: BGP, length: 39

We set up MTU discovery and jumbo frames. None of our actions produced the desired result, and a day later the Juniper box was working as if nothing had happened. Colleagues, I need advice: what should my actions be during the next apocalypse?

Edited March 11, 2018 by kvasyan
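The policer posted above (`bandwidth-limit 512k`, `burst-size-limit 1500`, `then discard`) can be reasoned about with a token-bucket model. The code below is an added example, not the poster's configuration and not Junos's implementation: it assumes an idealised single-rate two-colour policer (a bucket of `burst-size-limit` bytes refilled at `bandwidth-limit`/8 bytes per second) and an 84-byte IP packet per echo request (a standard 56-byte ping, constructed). It shows that a couple of pings per second, as in the capture, never come near such a limit, while a true 1000 pps flood is trimmed to roughly 16/21 of its rate once the burst allowance is spent.

```python
from fractions import Fraction


class SingleRatePolicer:
    """Idealised model (added here; not Junos code) of a single-rate
    two-colour policer: `bandwidth-limit` in bit/s, `burst-size-limit` in
    bytes. A bucket of `burst` bytes refills at bandwidth/8 bytes per second;
    a packet conforms if the bucket holds at least its length, otherwise it
    is out of profile and, with `then discard`, dropped. Fraction arithmetic
    keeps the simulation exact, so tie cases are decided deterministically."""

    def __init__(self, bandwidth_bps, burst_bytes):
        self.rate = Fraction(bandwidth_bps, 8)   # refill, bytes per second
        self.burst = Fraction(burst_bytes)
        self.tokens = self.burst                 # bucket starts full
        self.last_t = Fraction(0)

    def offer(self, t, length):
        """Packet of `length` bytes arriving at time t (seconds, non-decreasing);
        returns True if it conforms."""
        self.tokens = min(self.burst, self.tokens + self.rate * (t - self.last_t))
        self.last_t = t
        if self.tokens >= length:
            self.tokens -= length
            return True
        return False


def simulate(bandwidth_bps, burst_bytes, pps, length, seconds):
    """Offer `pps` evenly spaced packets per second for `seconds` seconds;
    return (accepted, discarded)."""
    pol = SingleRatePolicer(bandwidth_bps, burst_bytes)
    accepted = discarded = 0
    for i in range(pps * seconds):
        if pol.offer(Fraction(i, pps), length):
            accepted += 1
        else:
            discarded += 1
    return accepted, discarded


def steady_state_accept_fraction(bandwidth_bps, pps, length):
    """Share of packets that conform once the burst allowance is used up."""
    return min(Fraction(1), Fraction(bandwidth_bps, 8) / (pps * length))


if __name__ == "__main__":
    BW, BURST = 512_000, 1500   # the policer from the post
    PKT = 84                    # constructed: 56-byte ping payload + ICMP + IP headers
    print("2 pps for 10 s (as in the capture):", simulate(BW, BURST, 2, PKT, 10))
    print("1000 pps for 1 s (a real flood):   ", simulate(BW, BURST, 1000, PKT, 1))
    print("steady-state accept share at 1000 pps:",
          steady_state_accept_fraction(BW, 1000, PKT))
```

The model makes two things concrete: the policer counter in the post (159 packets) is consistent with the limit being barely touched, and a policer of this kind caps the volume reaching the RE without ever telling you who sent it, which is why the source still had to be found in the capture.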
smart85 Posted March 13, 2018
> On 11.03.2018 at 21:54, kvasyan said:
> [quotes kvasyan's post above in full]

IMHO, the actions should be taken now, and they should be such that there are no further apocalypses.
Here is mine:

    set policy-options prefix-list NTP-servers-v4 apply-path "system ntp server <*.*>"
    set policy-options prefix-list LOCALS-v4 apply-path "interfaces <*> unit <*> family inet address <*>"
    set policy-options prefix-list SNMP-clients apply-path "snmp client-list <*> <*>"
    set policy-options prefix-list SNMP-community-clients apply-path "snmp community <*> clients <*>"
    set policy-options prefix-list DNS-servers-v4 apply-path "system name-server <*.*>"
    set policy-options prefix-list localhost-v4 127.0.0.0/8
    set policy-options prefix-list BGP-locals-v4 apply-path "protocols bgp group <*> neighbor <*.*> local-address <*.*>"
    set policy-options prefix-list BGP-neighbors-v4 apply-path "protocols bgp group <*> neighbor <*.*>"
    set policy-options prefix-list OSPF-multicast 224.0.0.5/32
    set policy-options prefix-list OSPF-multicast 224.0.0.6/32
    set firewall policer management-5m if-exceeding bandwidth-limit 5m
    set firewall policer management-5m if-exceeding burst-size-limit 625k
    set firewall policer management-5m then discard
    set firewall policer management-1m if-exceeding bandwidth-limit 1m
    set firewall policer management-1m if-exceeding burst-size-limit 625k
    set firewall policer management-1m then discard
    set firewall policer management-512k if-exceeding bandwidth-limit 512k
    set firewall policer management-512k if-exceeding burst-size-limit 25k
    set firewall policer management-512k then discard
    set firewall filter accept-ospf term accept-ospf from source-prefix-list LOCALS-v4
    set firewall filter accept-ospf term accept-ospf from destination-prefix-list LOCALS-v4
    set firewall filter accept-ospf term accept-ospf from destination-prefix-list OSPF-multicast
    set firewall filter accept-ospf term accept-ospf from protocol ospf
    set firewall filter accept-ospf term accept-ospf then count accept-ospf
    set firewall filter accept-ospf term accept-ospf then accept
    set firewall filter accept-bgp interface-specific
    set firewall filter accept-bgp term accept-bgp from source-prefix-list BGP-neighbors-v4
    set firewall filter accept-bgp term accept-bgp from destination-prefix-list BGP-locals-v4
    set firewall filter accept-bgp term accept-bgp from protocol tcp
    set firewall filter accept-bgp term accept-bgp from port bgp
    set firewall filter accept-bgp term accept-bgp then count accept-bgp
    set firewall filter accept-bgp term accept-bgp then accept
    set firewall filter accept-ssh term accept-ssh from source-prefix-list trusted
    set firewall filter accept-ssh term accept-ssh from destination-prefix-list LOCALS-v4
    set firewall filter accept-ssh term accept-ssh from protocol tcp
    set firewall filter accept-ssh term accept-ssh from destination-port ssh
    set firewall filter accept-ssh term accept-ssh then policer management-5m
    set firewall filter accept-ssh term accept-ssh then count accept-ssh
    set firewall filter accept-ssh term accept-ssh then accept
    set firewall filter accept-dns term accept-dns from source-prefix-list DNS-servers-v4
    set firewall filter accept-dns term accept-dns from destination-prefix-list LOCALS-v4
    set firewall filter accept-dns term accept-dns from protocol udp
    set firewall filter accept-dns term accept-dns from source-port 53
    set firewall filter accept-dns term accept-dns then policer management-1m
    set firewall filter accept-dns term accept-dns then count accept-dns
    set firewall filter accept-dns term accept-dns then accept
    set firewall filter accept-ntp term accept-ntp from source-prefix-list NTP-servers-v4
    set firewall filter accept-ntp term accept-ntp from source-prefix-list localhost-v4
    set firewall filter accept-ntp term accept-ntp from destination-prefix-list LOCALS-v4
    set firewall filter accept-ntp term accept-ntp from destination-prefix-list localhost-v4
    set firewall filter accept-ntp term accept-ntp from protocol udp
    set firewall filter accept-ntp term accept-ntp from destination-port ntp
    set firewall filter accept-ntp term accept-ntp then policer management-512k
    set firewall filter accept-ntp term accept-ntp then count accept-ntp
    set firewall filter accept-ntp term accept-ntp then accept
    set firewall filter accept-snmp term accept-snmp from source-prefix-list SNMP-clients
    set firewall filter accept-snmp term accept-snmp from source-prefix-list SNMP-community-clients
    set firewall filter accept-snmp term accept-snmp from source-prefix-list trusted
    set firewall filter accept-snmp term accept-snmp from destination-prefix-list LOCALS-v4
    set firewall filter accept-snmp term accept-snmp from protocol udp
    set firewall filter accept-snmp term accept-snmp from destination-port snmp
    set firewall filter accept-snmp term accept-snmp from destination-port snmptrap
    set firewall filter accept-snmp term accept-snmp then count accept-snmp
    set firewall filter accept-snmp term accept-snmp then accept
    set firewall filter accept-icmp term discard-icmp-fragments from destination-prefix-list LOCALS-v4
    set firewall filter accept-icmp term discard-icmp-fragments from is-fragment
    set firewall filter accept-icmp term discard-icmp-fragments from protocol icmp
    set firewall filter accept-icmp term discard-icmp-fragments then count discard-icmp-fragments
    set firewall filter accept-icmp term discard-icmp-fragments then discard
    set firewall filter accept-icmp term accept-icmp from destination-prefix-list LOCALS-v4
    set firewall filter accept-icmp term accept-icmp from icmp-type echo-reply
    set firewall filter accept-icmp term accept-icmp from icmp-type echo-request
    set firewall filter accept-icmp term accept-icmp from icmp-type time-exceeded
    set firewall filter accept-icmp term accept-icmp from icmp-type unreachable
    set firewall filter accept-icmp term accept-icmp from icmp-type source-quench
    set firewall filter accept-icmp term accept-icmp from icmp-type router-advertisement
    set firewall filter accept-icmp term accept-icmp from icmp-type parameter-problem
    set firewall filter accept-icmp term accept-icmp then policer management-1m
    set firewall filter accept-icmp term accept-icmp then count accept-icmp
    set firewall filter accept-icmp term accept-icmp then accept
    set firewall filter accept-traceroute term accept-traceroute-udp from destination-prefix-list LOCALS-v4
    set firewall filter accept-traceroute term accept-traceroute-udp from protocol udp
    set firewall filter accept-traceroute term accept-traceroute-udp from ttl 1
    set firewall filter accept-traceroute term accept-traceroute-udp from destination-port 33434-33529
    set firewall filter accept-traceroute term accept-traceroute-udp then policer management-1m
    set firewall filter accept-traceroute term accept-traceroute-udp then count accept-traceroute-udp
    set firewall filter accept-traceroute term accept-traceroute-udp then accept
    set firewall filter accept-traceroute term accept-traceroute-icmp from destination-prefix-list LOCALS-v4
    set firewall filter accept-traceroute term accept-traceroute-icmp from protocol icmp
    set firewall filter accept-traceroute term accept-traceroute-icmp from ttl 1
    set firewall filter accept-traceroute term accept-traceroute-icmp from icmp-type echo-request
    set firewall filter accept-traceroute term accept-traceroute-icmp from icmp-type timestamp
    set firewall filter accept-traceroute term accept-traceroute-icmp from icmp-type time-exceeded
    set firewall filter accept-traceroute term accept-traceroute-icmp then policer management-1m
    set firewall filter accept-traceroute term accept-traceroute-icmp then count accept-traceroute-icmp
    set firewall filter accept-traceroute term accept-traceroute-icmp then accept
    set firewall filter accept-traceroute term accept-traceroute-tcp from destination-prefix-list LOCALS-v4
    set firewall filter accept-traceroute term accept-traceroute-tcp from protocol tcp
    set firewall filter accept-traceroute term accept-traceroute-tcp from ttl 1
    set firewall filter accept-traceroute term accept-traceroute-tcp then policer management-1m
    set firewall filter accept-traceroute term accept-traceroute-tcp then count accept-traceroute-tcp
    set firewall filter accept-traceroute term accept-traceroute-tcp then accept
    set firewall filter accept-common-services term protect-SSH filter accept-ssh
    set firewall filter accept-common-services term protect-TRACEROUTE filter accept-traceroute
    set firewall filter accept-common-services term protect-ICMP filter accept-icmp
    set firewall filter accept-common-services term protect-SNMP filter accept-snmp
    set firewall filter accept-common-services term protect-NTP filter accept-ntp
    set firewall filter accept-common-services term protect-DNS filter accept-dns
    set firewall filter discard-all-to-locals-v4 term discard-ip-options from destination-prefix-list LOCALS-v4
    set firewall filter discard-all-to-locals-v4 term discard-ip-options from ip-options any
    set firewall filter discard-all-to-locals-v4 term discard-ip-options then count discard-ip-options
    set firewall filter discard-all-to-locals-v4 term discard-ip-options then log
    set firewall filter discard-all-to-locals-v4 term discard-ip-options then discard
    set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown from destination-prefix-list LOCALS-v4
    set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown from ttl 1
    set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown then count discard-TTL_1-unknown
    set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown then log
    set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown then discard
    set firewall filter discard-all-to-locals-v4 term discard-tcp from destination-prefix-list LOCALS-v4
    set firewall filter discard-all-to-locals-v4 term discard-tcp from protocol tcp
    set firewall filter discard-all-to-locals-v4 term discard-tcp then count discard-tcp
    set firewall filter discard-all-to-locals-v4 term discard-tcp then log
    set firewall filter discard-all-to-locals-v4 term discard-tcp then discard
    set firewall filter discard-all-to-locals-v4 term discard-udp from destination-prefix-list LOCALS-v4
    set firewall filter discard-all-to-locals-v4 term discard-udp from protocol udp
    set firewall filter discard-all-to-locals-v4 term discard-udp then count discard-udp
    set firewall filter discard-all-to-locals-v4 term discard-udp then log
    set firewall filter discard-all-to-locals-v4 term discard-udp then discard
    set firewall filter discard-all-to-locals-v4 term discard-icmp from destination-prefix-list LOCALS-v4
    set firewall filter discard-all-to-locals-v4 term discard-icmp from protocol icmp
    set firewall filter discard-all-to-locals-v4 term discard-icmp then count discard-icmp
    set firewall filter discard-all-to-locals-v4 term discard-icmp then log
    set firewall filter discard-all-to-locals-v4 term discard-icmp then discard
    set firewall filter discard-all-to-locals-v4 term discard-unknown from destination-prefix-list LOCALS-v4
    set firewall filter discard-all-to-locals-v4 term discard-unknown then count discard-unknown
    set firewall filter discard-all-to-locals-v4 term discard-unknown then log
    set firewall filter discard-all-to-locals-v4 term discard-unknown then discard
    set interfaces lo0 unit 0 family inet filter input-list accept-ospf
    set interfaces lo0 unit 0 family inet filter input-list accept-bgp
    set interfaces lo0 unit 0 family inet filter input-list accept-common-services
    set interfaces lo0 unit 0 family inet filter input-list discard-all-to-locals-v4

No problems so far, knock on wood :)
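A chain like the one posted above is easy to break with a small slip: a prefix-list that is referenced but never defined, a term that accepts with no `from` clause (and therefore matches every host-bound packet before the later filters are consulted), or an input-list whose last filter has no explicit discard term (the chain still ends in Junos's implicit discard, but then nothing is counted or logged). The linter below is an added example, not the poster's tooling; it reads set-format configuration and is run here on a constructed snippet, modelled on the chain above, that contains all three slips. Run against the chain actually posted it should report just one thing: the prefix-list `trusted` is referenced by accept-ssh and accept-snmp but is not defined in the posted snippet (presumably it lives elsewhere in that configuration).

```python
import shlex

# Constructed Junos set-format snippet modelled on the chain posted above.
# It deliberately contains three slips for the linter to report: a prefix-list
# ("trusted") that is referenced but never defined, a term (allow-rest) that
# accepts with no `from` clause, and an input-list whose last filter has no
# explicit discard term.
SAMPLE_CONFIG = """\
set policy-options prefix-list LOCALS-v4 apply-path "interfaces <*> unit <*> family inet address <*>"
set policy-options prefix-list BGP-neighbors-v4 apply-path "protocols bgp group <*> neighbor <*.*>"
set firewall filter accept-bgp term accept-bgp from source-prefix-list BGP-neighbors-v4
set firewall filter accept-bgp term accept-bgp from destination-prefix-list LOCALS-v4
set firewall filter accept-bgp term accept-bgp from protocol tcp
set firewall filter accept-bgp term accept-bgp from port bgp
set firewall filter accept-bgp term accept-bgp then count accept-bgp
set firewall filter accept-bgp term accept-bgp then accept
set firewall filter accept-ssh term accept-ssh from source-prefix-list trusted
set firewall filter accept-ssh term accept-ssh from protocol tcp
set firewall filter accept-ssh term accept-ssh from destination-port ssh
set firewall filter accept-ssh term accept-ssh then accept
set firewall filter accept-ssh term allow-rest then accept
set firewall filter discard-all term discard-unknown then count discard-unknown
set firewall filter discard-all term discard-unknown then log
set firewall filter discard-all term discard-unknown then discard
set interfaces lo0 unit 0 family inet filter input-list accept-bgp
set interfaces lo0 unit 0 family inet filter input-list accept-ssh
"""
# appending this line closes the chain with a counted, logged discard
FIX_LINE = "set interfaces lo0 unit 0 family inet filter input-list discard-all\n"


def parse_set_config(text):
    """Collect prefix-list names, filter terms and the lo0 input-list order."""
    prefix_lists, filters, input_list = set(), {}, []
    for line in text.splitlines():
        tok = shlex.split(line)          # keeps the quoted apply-path intact
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1:3] == ["policy-options", "prefix-list"]:
            prefix_lists.add(tok[3])
        elif tok[1:3] == ["firewall", "filter"] and len(tok) >= 8 and tok[4] == "term":
            term = filters.setdefault(tok[3], {}).setdefault(
                tok[5], {"from": [], "then": [], "filter": None})
            if tok[6] == "from":
                term["from"].append(tok[7:])
            elif tok[6] == "then":
                term["then"].append(tok[7:])
            elif tok[6] == "filter":     # term that calls another filter
                term["filter"] = tok[7]
        elif tok[1] == "interfaces" and "input-list" in tok:
            input_list.append(tok[-1])
    return prefix_lists, filters, input_list


def lint(text):
    """Return (code, detail) findings for the control-plane filter chain."""
    prefix_lists, filters, input_list = parse_set_config(text)
    findings = []
    for fname, terms in filters.items():
        for tname, term in terms.items():
            for match in term["from"]:
                if match[0].endswith("prefix-list") and match[1] not in prefix_lists:
                    findings.append(("undefined-prefix-list", f"{fname}/{tname}: {match[1]}"))
            actions = {a[0] for a in term["then"]}
            if "accept" in actions and not term["from"] and term["filter"] is None:
                # a term with no match conditions matches every packet
                findings.append(("accept-without-match", f"{fname}/{tname}"))
    for fname in input_list:
        if fname not in filters:
            findings.append(("unknown-filter", fname))
    last = filters.get(input_list[-1], {}) if input_list else {}
    # every chain ends in an implicit discard, but only an explicit discard
    # term can count and log what is being dropped
    if not any("discard" in {a[0] for a in t["then"]} for t in last.values()):
        findings.append(("no-explicit-final-discard",
                         input_list[-1] if input_list else "<empty input-list>"))
    return findings


if __name__ == "__main__":
    for code, detail in lint(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
    print("after fix:", lint(SAMPLE_CONFIG + FIX_LINE))
```

Paste the output of `show configuration | display set` into it before committing a change to the lo0 chain; the checks are cheap and they catch exactly the mistakes that turn a protection filter into either an open door or an invisible black hole.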
smart85 Posted March 13, 2018
Colleagues, could you please advise how to get rid of this, and what it is about at all?

    MX104-1 DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception Sample:pfe exceeded its allowed bandwidth at fpc 0 for 22 times, started at 2018-03-13 17:16:33 GMT-3
    MX104-1 DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception Sample:pfe has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 22 times, from 2018-03-13 17:16:33 GMT-3 to 2018-03-13 17:16:35 GMT-3
    MX104-1 DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception Sample:pfe exceeded its allowed bandwidth at fpc 0 for 23 times, started at 2018-03-13 17:56:29 GMT-3
    MX104-2 DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception Sample:pfe exceeded its allowed bandwidth at fpc 0 for 480 times, started at 2018-03-13 17:14:21 GMT-3
    MX104-2 DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception Sample:pfe has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 480 times, from 2018-03-13 17:14:21 GMT-3 to 2018-03-13 17:14:21 GMT-3
    MX104-2 DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception Sample:pfe exceeded its allowed bandwidth at fpc 0 for 481 times, started at 2018-03-13 17:19:46 GMT-3
    MX104-2 DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception Sample:pfe has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 481 times, from 2018-03-13 17:19:46 GMT-3 to 2018-03-13 17:19:46 GMT-3
    MX104-2 DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception Sample:pfe exceeded its allowed bandwidth at fpc 0 for 482 times, started at 2018-03-13 17:32:51 GMT-3
    MX104-2 DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception Sample:pfe has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 482 times, from 2018-03-13 17:32:51 GMT-3 to 2018-03-13 17:32:51 GMT-3
    MX104-2 DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception Sample:pfe exceeded its allowed bandwidth at fpc 0 for 483 times, started at 2018-03-13 17:44:51 GMT-3
    MX104-2 DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception Sample:pfe has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 483 times, from 2018-03-13 17:44:51 GMT-3 to 2018-03-13 17:44:56 GMT-3
Telesis Posted March 13, 2018 (edited)
> 2 hours ago, mse.rus77 said:
> Colleagues, could you please advise how to get rid of this, and what it is about at all?

Possibly jflow/sflow: it is being generated at a high rate.

Edited March 13, 2018 by Telesis
smart85 Posted March 13, 2018
> 32 minutes ago, Telesis said:
> Possibly jflow/sflow: it is being generated at a high rate.

    warning: sampling subsystem not running - not needed by configuration.

Nothing of the sort is configured, and when it was, it logged differently:

    DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 19635 times, started at 2018-03-04 00:01:31 GMT-3
    DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 19635 times, from 2018-03-04 00:01:31 GMT-3 to 2018-03-04 00:06:36 GMT-3

But that was on an MX80; on the MX104 sampling was never configured.
vvertexx Posted March 13, 2018
@mse.rus77 it may be enabled by default.

    > show ddos-protection protocols violations

Look at the protocol, find out what the limits are and why it triggered.
Telesis Posted March 14, 2018

    show ddos-protection protocols sample statistics terse
    show ddos-protection protocols parameters brief | match "Protocol|pps|sample"
smart85 Posted March 14, 2018
vvertexx, Telesis: colleagues, thank you. Yes, the default protection is what is firing.
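The SET/CLEAR pairs quoted in this thread can be turned into a per-device, per-protocol, per-FPC incident list, which is the natural input to the `show ddos-protection protocols violations` drill-down vvertexx suggests. The script below is an added example, not code from the thread: it takes the MX104 "Host-bound traffic" lines from smart85's post and the MX80 "Protocol ... is violated" lines quoted afterwards (the `MX80` hostname prefix on those two lines is constructed; the post shows them without one), pairs each SET with its CLEAR and reports incidents still open.

```python
import re
from datetime import datetime

# Lines as quoted in this thread. The MX104 "Host-bound traffic" form and the
# MX80 "Protocol ... is violated" form are both handled; the "MX80" hostname
# prefix on the last two lines is constructed (the post shows them without one).
SAMPLE_LOG = """\
MX104-1 DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception Sample:pfe exceeded its allowed bandwidth at fpc 0 for 22 times, started at 2018-03-13 17:16:33 GMT-3
MX104-1 DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception Sample:pfe has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 22 times, from 2018-03-13 17:16:33 GMT-3 to 2018-03-13 17:16:35 GMT-3
MX104-1 DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception Sample:pfe exceeded its allowed bandwidth at fpc 0 for 23 times, started at 2018-03-13 17:56:29 GMT-3
MX104-2 DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception Sample:pfe exceeded its allowed bandwidth at fpc 0 for 480 times, started at 2018-03-13 17:14:21 GMT-3
MX104-2 DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception Sample:pfe has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 480 times, from 2018-03-13 17:14:21 GMT-3 to 2018-03-13 17:14:21 GMT-3
MX80 DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 19635 times, started at 2018-03-04 00:01:31 GMT-3
MX80 DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 19635 times, from 2018-03-04 00:01:31 GMT-3 to 2018-03-04 00:06:36 GMT-3
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
SET_RE = re.compile(
    r"^(?P<host>\S+) DDOS_PROTOCOL_VIOLATION_SET: .*?"
    r"(?:protocol/exception (?P<p1>\S+) exceeded its allowed bandwidth"
    r"|Protocol (?P<p2>\S+) is violated)"
    rf" at fpc (?P<fpc>\d+) for (?P<n>\d+) times, started at (?P<start>{TS})"
)
CLEAR_RE = re.compile(
    r"^(?P<host>\S+) DDOS_PROTOCOL_VIOLATION_CLEAR: .*?"
    r"(?:protocol/exception (?P<p1>\S+) has returned to normal\. "
    r"Its allowed bandwid?th was exceeded"     # the quoted message spells it "bandwith"
    r"|Protocol (?P<p2>\S+) has returned to normal\. Violated)"
    rf" at fpc (?P<fpc>\d+) for (?P<n>\d+) times, from (?P<start>{TS}) \S+ to (?P<end>{TS})"
)


def parse_ddos_events(text):
    """One dict per SET/CLEAR line; timezone suffixes are ignored."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("set", SET_RE), ("clear", CLEAR_RE)):
            m = rx.match(line)
            if m:
                break
        else:
            continue
        ev = {"kind": kind, "host": m["host"], "protocol": m["p1"] or m["p2"],
              "fpc": int(m["fpc"]), "count": int(m["n"]),
              "start": datetime.strptime(m["start"], "%Y-%m-%d %H:%M:%S")}
        if kind == "clear":
            ev["end"] = datetime.strptime(m["end"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def pair_violations(events):
    """Match each SET with its CLEAR on (host, protocol, fpc, violation count).
    Returns (closed incidents with duration_s, SETs that never cleared)."""
    open_sets, closed = {}, []
    for ev in events:
        key = (ev["host"], ev["protocol"], ev["fpc"], ev["count"])
        if ev["kind"] == "set":
            open_sets[key] = ev
        else:
            start = open_sets.pop(key, ev)["start"]
            closed.append({**ev, "start": start,
                           "duration_s": (ev["end"] - start).total_seconds()})
    return closed, list(open_sets.values())


def violation_seconds(closed):
    """Total seconds each (host, protocol, fpc) spent in violation."""
    totals = {}
    for inc in closed:
        key = (inc["host"], inc["protocol"], inc["fpc"])
        totals[key] = totals.get(key, 0.0) + inc["duration_s"]
    return totals


if __name__ == "__main__":
    closed, still_open = pair_violations(parse_ddos_events(SAMPLE_LOG))
    for key, secs in violation_seconds(closed).items():
        print(f"{key[0]} {key[1]} fpc{key[2]}: {secs:.0f} s in violation")
    for ev in still_open:
        print(f"still open: {ev['host']} {ev['protocol']} fpc{ev['fpc']} since {ev['start']}")
```

Sub-second incidents that clear immediately (the MX104-2 lines) are a very different thing from a violation that stays set for minutes (the MX80 lines) or one that never clears at all (the 23rd MX104-1 violation in the sample), and the protocol name and FPC number in each incident are what to plug into `show ddos-protection protocols sample statistics terse`.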