
Juniper MX80 BGP sessions dropping (urgent!)

Suddenly, BGP sessions started dropping in a completely random order

Jun 9 00:47:01.272328 bgp_hold_timeout:4174: NOTIFICATION sent to x.x.x.x (External AS 00000): code 4 (Hold Timer Expired Error), Reason: holdtime expired for x.x.x.x (External AS 0000), socket buffer sndcc: 76 rcvcc: 0 TCP state: 4, snd_una: 1988541995 snd_nxt: 1988542052 snd_wnd: 16384 rcv_nxt: 548497077 rcv_adv: 548513461, hold timer out 90s, hold timer remain 0s

Jun 9 00:47:01.272729 RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer x.x.x.x (External AS 00000) changed state from Established to Idle (event HoldTime) (instance master)

And the most interesting part is that neighbouring peers stop responding to ping...

Then, after some time, everything recovers...

Meanwhile two BGP sessions stay up the whole time...

I no longer know where to dig.


policer? Is there a filter on the control plane? What is the CPU load?


There are essentially no filters on the control plane; CPU load is minimal

last pid: 38907; load averages: 0.16, 0.20, 0.21 up 314+20:06:35 04:55:34

141 processes: 4 running, 109 sleeping, 28 waiting

 

Mem: 1074M Active, 107M Inact, 251M Wired, 112M Cache, 112M Buf, 443M Free

Swap: 2915M Total, 2915M Free

 

 

PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND

11 root 1 171 52 0K 16K RUN 6555.6 84.62% idle

1337 root 11 96 0 17256K 8664K ucond 551.0H 4.98% clksyncd

1420 root 1 4 0 824M 782M kqread 109.1H 2.05% rpd

 

The situation is simply absurd; for now I seem to have solved the problem... I configured static ARP entries for the peers and the sessions stopped dropping... nonsense?!

I'll keep watching.


Check whether your counters are growing for

show policer __default_arp_policer__

 

If they are growing, someone is flooding you with ARP requests and you need to deal with that


In general there can be several causes; the link between the RE and the PFE may simply get saturated (saturated because of a loop on equipment downstream). You can see that, among other things, from growing drops in show system queues.

And in that case a control-plane filter (on lo0) can help a lot, because it is programmed into the PFE (not all of it) and the unwanted traffic gets discarded already there.


Davion

Is the problem peer connected directly to the MX or through transit switches? (which may also police ARP)


Generally, judging by the fact that the others stop responding to ping as well, there is probably a loop somewhere...


Looks like there was either a storm or a loop somewhere; we disabled some VLANs and everything is fine now

Need to think about how to protect the control plane. Could anyone share a typical config?

input protocol bytes max packets max drops

arpintrq 0 3000 0 50 643655

Edited by Davion
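The advice in this thread is to watch whether the drop counters in show system queues keep growing. The script below is an added example, not from the thread or from Juniper: it diffs two snapshots of that output and reports RE-bound queues whose drops grew, flagging a queue that sits at its packet limit (the ARP-storm signature seen in the arpintrq line above). The column layout (bytes, max, packets, max, drops) and the two sample snapshots are assumptions modelled on the thread's one line.

```python
import re
from typing import Dict, List

# One data row of `show system queues`; header rows have no digit-only
# columns, so they never match this pattern.
ROW = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<bytes>\d+)\s+(?P<max_bytes>\d+)\s+"
    r"(?P<packets>\d+)\s+(?P<max_packets>\d+)\s+(?P<drops>\d+)\s*$"
)
# Section headers: "output interface ..." (per-interface) and "input protocol ..."
# (RE-bound protocol queues such as arpintrq).
SECTION = re.compile(r"^\s*(?P<kind>input|output)\s+(protocol|interface)\b")


def parse_queues(text: str, section: str = "input") -> Dict[str, Dict[str, int]]:
    """Map queue name -> counters for the requested section only."""
    current = None
    queues: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        s = SECTION.match(line)
        if s:
            current = s["kind"]
            continue
        m = ROW.match(line)
        if m and current == section:
            queues[m["name"]] = {k: int(v) for k, v in m.groupdict().items() if k != "name"}
    return queues


def growing_drops(before: str, after: str, interval_s: float, min_delta: int = 1) -> List[dict]:
    """Queues whose drop counter grew by at least min_delta between the two
    snapshots, most-growing first. 'saturated' means the packet queue is at its
    max, i.e. the RE is not draining it fast enough."""
    b, a = parse_queues(before), parse_queues(after)
    findings = []
    for name, cur in a.items():
        prev = b.get(name)
        if prev is None:
            continue
        delta = cur["drops"] - prev["drops"]
        if delta < min_delta:
            continue  # no growth, or the counter was reset: nothing to report
        findings.append({
            "queue": name,
            "delta": delta,
            "rate_pps": round(delta / interval_s, 2),
            "saturated": cur["packets"] >= cur["max_packets"],
        })
    findings.sort(key=lambda f: f["delta"], reverse=True)
    return findings


# Constructed snapshots taken 60 s apart, modelled on the thread's arpintrq line.
SNAP_T0 = """\
output interface            bytes          max  packets      max    drops
xe-0/0/0                        0        12500        0      250        0
input protocol              bytes          max  packets      max    drops
splfwdq                         0        12000        0     1000        0
ipintrq                         0         3000        0       50        0
arpintrq                        0         3000        0       50   643655
"""
SNAP_T1 = """\
output interface            bytes          max  packets      max    drops
xe-0/0/0                        0        12500        0      250        0
input protocol              bytes          max  packets      max    drops
splfwdq                         0        12000        0     1000        0
ipintrq                       128         3000        2       50        0
arpintrq                     2400         3000       50       50   702115
"""

if __name__ == "__main__":
    for f in growing_drops(SNAP_T0, SNAP_T1, interval_s=60):
        flag = " QUEUE FULL" if f["saturated"] else ""
        print(f"{f['queue']}: +{f['delta']} drops ({f['rate_pps']} pps){flag}")
```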


If some sessions survived, then the control plane didn't need protecting.

With a loop, protect it or not, ARP gets blocked and the sessions fall over anyway…


I strongly recommend the book Juniper MX Series. Control-plane protection is covered well there too


I rolled out a reworked version of that article's config about two years ago. It was right at the peak of the amplification era. Running smoothly!

 

But it still won't spare you from having to shape ARP floods away from the PFE.


By the way, you can identify the problem traffic very quickly with monitor traffic. Once at EKT-IX there were icmp6 flood packets. It was found quickly and the vlan was disabled. Some operators were down until morning because of that flood.


I had an IP address conflict. The situation was very similar to yours.


I had an IP address conflict. The situation was very similar to yours.

In that case it usually reports the conflict in the logs


My Se100 didn't. It wrote something like 2016-04-30 22:27:08 <RMT> peer_12242: Received: Hold timer expired. Go figure.


My Se100 didn't. It wrote something like 2016-04-30 22:27:08 <RMT> peer_12242: Received: Hold timer expired. Go figure.

The MX does log it


Colleagues, good day. The other day I found myself in a similar situation

Mar 8 00:47:51 br-4 rpd[1116]: bgp_recv: read from peer Х.Х.Х.Х (Internal AS ХХХХХ) failed: Connection reset by peer
Mar 8 00:47:51 br-4 rpd[1116]: bgp_recv: read from peer Х.Х.Х.Х (Internal AS ХХХХХ) failed: Connection reset by peer
Mar 8 00:47:55 br-4 rpd[1116]: bgp_hold_timeout:3675: NOTIFICATION sent to Х.Х.Х.Х (Internal AS ХХХХХ): code 4 (Hold Timer Expired Error),
Reason: holdtime expired for Х.Х.Х.Х (Internal AS ХХХХХ), socket buffer sndcc: 57 rcvcc: 0 TCP state: 4,
snd_una: 219186777 snd_nxt: 219186815 snd_wnd: 12600 rcv_nxt: 1543988835 rcv_adv: 1544005219, hold timer 0
Mar 8 00:47:59 br-4 rpd[1116]: bgp_recv: read from peer Х.Х.Х.1 (Internal AS ХХХХХ) failed: Connection reset by peer
Mar 8 00:47:59 br-4 rpd[1116]: bgp_hold_timeout:3675: NOTIFICATION sent to Х.Х.Х.Х (Internal AS ХХХХХ): code 4 (Hold Timer Expired Error),
Reason: holdtime expired for Х.Х.Х.Х (Internal AS ХХХХХ), socket buffer sndcc: 57 rcvcc: 0 TCP state: 4, snd_una: 426976337 snd_nxt: 426976375 snd_wnd: 14600 rcv_nxt: 796298714 rcv_adv: 796315098, hold timer 0
Mar 8 00:48:01 br-4 rpd[1116]: bgp_hold_timeout:3675: NOTIFICATION sent to Х.Х.Х.2 (External AS YYYYY): code 4 (Hold Timer Expired Error),
Reason: holdtime expired for Х.Х.Х.Х (External AS YYYYY), socket buffer sndcc: 57 rcvcc: 0 TCP state: 4, snd_una: 3815310661 snd_nxt: 3815310699 snd_wnd: 29440 rcv_nxt: 3950147902 rcv_adv: 3950164286, hold timer 0

 

 

Filter: lo0.0-i
Counters:
Name Bytes Packets
DEF-DISCARD-lo0.0-i 7692621845 79818657
ICMP-lo0.0-i 326538 2462
ICMP-Frag-lo0.0-i 0 0
Mgmt-lo0.0-i 19283886030 393523484
NTP-lo0.0-i 3979436 52328
accept-bgp-lo0.0-i 2440549 23955
icmp-is-frag-lo0.0-i 0 0
Policers:
Name Packets
copp-lim-1m-NTP-lo0.0-i 0
icmp-lim-1m-ICMP-ACC-lo0.0-i 159
 
we tracked down the FLOODER
15:45:25.115638 In IP 195.59.70.199 > 195.х.х.х: ICMP echo request, id 8167, seq 7, length 64
15:45:25.625413 In IP 195.59.70.199 > 195.х.х.х: ICMP echo request, id 8167, seq 8, length 64
15:45:26.117734 In IP 195.59.70.199 > 195.х.х.х: ICMP echo request, id 8167, seq 9, length 64
15:45:26.625234 In IP 195.59.70.199 > 195.х.х.х: ICMP echo request, id 8167, seq 10, length 64
 
we applied policers
admin@br-4# show firewall policer icmp-lim-1m | display set
set firewall policer icmp-lim-1m if-exceeding bandwidth-limit 512k
set firewall policer icmp-lim-1m if-exceeding burst-size-limit 1500
set firewall policer icmp-lim-1m then discard
 
it brought no result: the sessions drop, the Juniper seems to freeze for 10 minutes, the management interface doesn't respond (understandably)
 
I configured static ARP for the peers, but the sessions still drop

Then something strange started happening with the packet sizes
15:21:07.818807 In IP X.X.X.X.63286 > X.X.X.Y. bgp: . ack 19 win 32409
15:21:18.362632 In IP X.X.X.X.63286 > X.X.X.Y.bgp: P 1:20(19) ack 19 win 32409: BGP, length: 19
15:21:18.364004 In IP X.X.X.X.63286 > X.X.X.Y.bgp: . 20:1480(1460) ack 19 win 32409: BGP, length: 1460
15:21:18.364052 Out IP X.X.X.Y. bgp > X.X.X.X.63286: . ack 1480 win 14905
15:21:18.365520 In IP X.X.X.X.63286 > X.X.X.Y .bgp: . 1480:2940(1460) ack 19 win 32409: BGP, length: 1460
15:21:18.387723 Out IP X.X.X.Y bgp > X.X.X.X.63286: . ack 2940 win 16384
15:21:18.388728 In IP X.X.X.X.63286 > X.X.X.Y bgp: P 2940:2979(39) ack 19 win 32409: BGP, length: 39
 
we set MTU Discovery, jumbo frames
 

None of our actions brought the desired result, and a day later the Juniper was working as if nothing had happened.

 

Colleagues, I need advice: what should my actions be during the next apocalypse?

 

 

Edited by kvasyan

On 11.03.2018 at 21:54, kvasyan said:

Colleagues, good day. The other day I found myself in a similar situation


IMHO, the actions should be taken now, and be such that there are no further apocalypses.

Mine looks like this:

set policy-options prefix-list NTP-servers-v4 apply-path "system ntp server <*.*>"
set policy-options prefix-list LOCALS-v4 apply-path "interfaces <*> unit <*> family inet address <*>"
set policy-options prefix-list SNMP-clients apply-path "snmp client-list <*> <*>"
set policy-options prefix-list SNMP-community-clients apply-path "snmp community <*> clients <*>"
set policy-options prefix-list DNS-servers-v4 apply-path "system name-server <*.*>"
set policy-options prefix-list localhost-v4 127.0.0.0/8
set policy-options prefix-list BGP-locals-v4 apply-path "protocols bgp group <*> neighbor <*.*> local-address <*.*>"
set policy-options prefix-list BGP-neighbors-v4 apply-path "protocols bgp group <*> neighbor <*.*>"
set policy-options prefix-list OSPF-multicast 224.0.0.5/32
set policy-options prefix-list OSPF-multicast 224.0.0.6/32

set firewall policer management-5m if-exceeding bandwidth-limit 5m
set firewall policer management-5m if-exceeding burst-size-limit 625k
set firewall policer management-5m then discard
set firewall policer management-1m if-exceeding bandwidth-limit 1m
set firewall policer management-1m if-exceeding burst-size-limit 625k
set firewall policer management-1m then discard
set firewall policer management-512k if-exceeding bandwidth-limit 512k
set firewall policer management-512k if-exceeding burst-size-limit 25k
set firewall policer management-512k then discard
  
set firewall filter accept-ospf term accept-ospf from source-prefix-list LOCALS-v4
set firewall filter accept-ospf term accept-ospf from destination-prefix-list LOCALS-v4
set firewall filter accept-ospf term accept-ospf from destination-prefix-list OSPF-multicast
set firewall filter accept-ospf term accept-ospf from protocol ospf
set firewall filter accept-ospf term accept-ospf then count accept-ospf
set firewall filter accept-ospf term accept-ospf then accept
set firewall filter accept-bgp interface-specific
set firewall filter accept-bgp term accept-bgp from source-prefix-list BGP-neighbors-v4
set firewall filter accept-bgp term accept-bgp from destination-prefix-list BGP-locals-v4
set firewall filter accept-bgp term accept-bgp from protocol tcp
set firewall filter accept-bgp term accept-bgp from port bgp
set firewall filter accept-bgp term accept-bgp then count accept-bgp
set firewall filter accept-bgp term accept-bgp then accept
  
set firewall filter accept-ssh term accept-ssh from source-prefix-list trusted
set firewall filter accept-ssh term accept-ssh from destination-prefix-list LOCALS-v4
set firewall filter accept-ssh term accept-ssh from protocol tcp
set firewall filter accept-ssh term accept-ssh from destination-port ssh
set firewall filter accept-ssh term accept-ssh then policer management-5m
set firewall filter accept-ssh term accept-ssh then count accept-ssh
set firewall filter accept-ssh term accept-ssh then accept
set firewall filter accept-dns term accept-dns from source-prefix-list DNS-servers-v4
set firewall filter accept-dns term accept-dns from destination-prefix-list LOCALS-v4
set firewall filter accept-dns term accept-dns from protocol udp
set firewall filter accept-dns term accept-dns from source-port 53
set firewall filter accept-dns term accept-dns then policer management-1m
set firewall filter accept-dns term accept-dns then count accept-dns
set firewall filter accept-dns term accept-dns then accept
set firewall filter accept-ntp term accept-ntp from source-prefix-list NTP-servers-v4
set firewall filter accept-ntp term accept-ntp from source-prefix-list localhost-v4
set firewall filter accept-ntp term accept-ntp from destination-prefix-list LOCALS-v4
set firewall filter accept-ntp term accept-ntp from destination-prefix-list localhost-v4
set firewall filter accept-ntp term accept-ntp from protocol udp
set firewall filter accept-ntp term accept-ntp from destination-port ntp
set firewall filter accept-ntp term accept-ntp then policer management-512k
set firewall filter accept-ntp term accept-ntp then count accept-ntp
set firewall filter accept-ntp term accept-ntp then accept
set firewall filter accept-snmp term accept-snmp from source-prefix-list SNMP-clients
set firewall filter accept-snmp term accept-snmp from source-prefix-list SNMP-community-clients
set firewall filter accept-snmp term accept-snmp from source-prefix-list trusted
set firewall filter accept-snmp term accept-snmp from destination-prefix-list LOCALS-v4
set firewall filter accept-snmp term accept-snmp from protocol udp
set firewall filter accept-snmp term accept-snmp from destination-port snmp
set firewall filter accept-snmp term accept-snmp from destination-port snmptrap
set firewall filter accept-snmp term accept-snmp then count accept-snmp
set firewall filter accept-snmp term accept-snmp then accept
set firewall filter accept-icmp term discard-icmp-fragments from destination-prefix-list LOCALS-v4
set firewall filter accept-icmp term discard-icmp-fragments from is-fragment
set firewall filter accept-icmp term discard-icmp-fragments from protocol icmp
set firewall filter accept-icmp term discard-icmp-fragments then count discard-icmp-fragments
set firewall filter accept-icmp term discard-icmp-fragments then discard
set firewall filter accept-icmp term accept-icmp from destination-prefix-list LOCALS-v4
set firewall filter accept-icmp term accept-icmp from icmp-type echo-reply
set firewall filter accept-icmp term accept-icmp from icmp-type echo-request
set firewall filter accept-icmp term accept-icmp from icmp-type time-exceeded
set firewall filter accept-icmp term accept-icmp from icmp-type unreachable
set firewall filter accept-icmp term accept-icmp from icmp-type source-quench
set firewall filter accept-icmp term accept-icmp from icmp-type router-advertisement
set firewall filter accept-icmp term accept-icmp from icmp-type parameter-problem
set firewall filter accept-icmp term accept-icmp then policer management-1m
set firewall filter accept-icmp term accept-icmp then count accept-icmp
set firewall filter accept-icmp term accept-icmp then accept
set firewall filter accept-traceroute term accept-traceroute-udp from destination-prefix-list LOCALS-v4
set firewall filter accept-traceroute term accept-traceroute-udp from protocol udp
set firewall filter accept-traceroute term accept-traceroute-udp from ttl 1
set firewall filter accept-traceroute term accept-traceroute-udp from destination-port 33434-33529
set firewall filter accept-traceroute term accept-traceroute-udp then policer management-1m
set firewall filter accept-traceroute term accept-traceroute-udp then count accept-traceroute-udp
set firewall filter accept-traceroute term accept-traceroute-udp then accept
set firewall filter accept-traceroute term accept-traceroute-icmp from destination-prefix-list LOCALS-v4
set firewall filter accept-traceroute term accept-traceroute-icmp from protocol icmp
set firewall filter accept-traceroute term accept-traceroute-icmp from ttl 1
set firewall filter accept-traceroute term accept-traceroute-icmp from icmp-type echo-request
set firewall filter accept-traceroute term accept-traceroute-icmp from icmp-type timestamp
set firewall filter accept-traceroute term accept-traceroute-icmp from icmp-type time-exceeded
set firewall filter accept-traceroute term accept-traceroute-icmp then policer management-1m
set firewall filter accept-traceroute term accept-traceroute-icmp then count accept-traceroute-icmp
set firewall filter accept-traceroute term accept-traceroute-icmp then accept
set firewall filter accept-traceroute term accept-traceroute-tcp from destination-prefix-list LOCALS-v4
set firewall filter accept-traceroute term accept-traceroute-tcp from protocol tcp
set firewall filter accept-traceroute term accept-traceroute-tcp from ttl 1
set firewall filter accept-traceroute term accept-traceroute-tcp then policer management-1m
set firewall filter accept-traceroute term accept-traceroute-tcp then count accept-traceroute-tcp
set firewall filter accept-traceroute term accept-traceroute-tcp then accept
set firewall filter accept-common-services term protect-SSH filter accept-ssh
set firewall filter accept-common-services term protect-TRACEROUTE filter accept-traceroute
set firewall filter accept-common-services term protect-ICMP filter accept-icmp
set firewall filter accept-common-services term protect-SNMP filter accept-snmp
set firewall filter accept-common-services term protect-NTP filter accept-ntp
set firewall filter accept-common-services term protect-DNS filter accept-dns
  
set firewall filter discard-all-to-locals-v4 term discard-ip-options from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-ip-options from ip-options any
set firewall filter discard-all-to-locals-v4 term discard-ip-options then count discard-ip-options
set firewall filter discard-all-to-locals-v4 term discard-ip-options then log
set firewall filter discard-all-to-locals-v4 term discard-ip-options then discard
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown from ttl 1
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown then count discard-TTL_1-unknown
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown then log
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown then discard
set firewall filter discard-all-to-locals-v4 term discard-tcp from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-tcp from protocol tcp
set firewall filter discard-all-to-locals-v4 term discard-tcp then count discard-tcp
set firewall filter discard-all-to-locals-v4 term discard-tcp then log
set firewall filter discard-all-to-locals-v4 term discard-tcp then discard
set firewall filter discard-all-to-locals-v4 term discard-udp from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-udp from protocol udp
set firewall filter discard-all-to-locals-v4 term discard-udp then count discard-udp
set firewall filter discard-all-to-locals-v4 term discard-udp then log
set firewall filter discard-all-to-locals-v4 term discard-udp then discard
set firewall filter discard-all-to-locals-v4 term discard-icmp from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-icmp from protocol icmp
set firewall filter discard-all-to-locals-v4 term discard-icmp then count discard-icmp
set firewall filter discard-all-to-locals-v4 term discard-icmp then log
set firewall filter discard-all-to-locals-v4 term discard-icmp then discard
set firewall filter discard-all-to-locals-v4 term discard-unknown from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-unknown then count discard-unknown
set firewall filter discard-all-to-locals-v4 term discard-unknown then log
set firewall filter discard-all-to-locals-v4 term discard-unknown then discard
  
set interfaces lo0 unit 0 family inet filter input-list accept-ospf
set interfaces lo0 unit 0 family inet filter input-list accept-bgp
set interfaces lo0 unit 0 family inet filter input-list accept-common-services
set interfaces lo0 unit 0 family inet filter input-list discard-all-to-locals-v4

No problems so far, knock on wood :)


Colleagues, could you please tell me how to get rid of this, and what it is actually about?

MX104-1	DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:pfe exceeded its allowed bandwidth at fpc 0 for 22 times, started at 2018-03-13 17:16:33 GMT-3
MX104-1	DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception Sample:pfe has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 22 times, from 2018-03-13 17:16:33 GMT-3 to 2018-03-13 17:16:35 GMT-3
MX104-1	DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:pfe exceeded its allowed bandwidth at fpc 0 for 23 times, started at 2018-03-13 17:56:29 GMT-3
MX104-2	DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:pfe exceeded its allowed bandwidth at fpc 0 for 480 times, started at 2018-03-13 17:14:21 GMT-3
MX104-2	DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception Sample:pfe has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 480 times, from 2018-03-13 17:14:21 GMT-3 to 2018-03-13 17:14:21 GMT-3
MX104-2	DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:pfe exceeded its allowed bandwidth at fpc 0 for 481 times, started at 2018-03-13 17:19:46 GMT-3
MX104-2	DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception Sample:pfe has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 481 times, from 2018-03-13 17:19:46 GMT-3 to 2018-03-13 17:19:46 GMT-3
MX104-2	DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:pfe exceeded its allowed bandwidth at fpc 0 for 482 times, started at 2018-03-13 17:32:51 GMT-3
MX104-2	DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception Sample:pfe has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 482 times, from 2018-03-13 17:32:51 GMT-3 to 2018-03-13 17:32:51 GMT-3
MX104-2	DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:pfe exceeded its allowed bandwidth at fpc 0 for 483 times, started at 2018-03-13 17:44:51 GMT-3
MX104-2	DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception Sample:pfe has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 483 times, from 2018-03-13 17:44:51 GMT-3 to 2018-03-13 17:44:56 GMT-3

 

2 hours ago, mse.rus77 said:

Colleagues, could you please tell me how to get rid of this, and what it is actually about?

possibly jflow/sflow is being generated at a high rate

Edited by Telesis

32 minutes ago, Telesis said:

possibly jflow/sflow is being generated at a high rate

 

warning: sampling subsystem not running - not needed by configuration.

nothing of that sort is configured, and when it was, it logged something different:

DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 19635 times, started at 2018-03-04 00:01:31 GMT-3
DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 19635 times, from 2018-03-04 00:01:31 GMT-3 to 2018-03-04 00:06:36 GMT-3

But that was on the MX80; on the MX104 sampling was never configured.


@mse.rus77 

it may be enabled by default.

> show ddos-protection protocols violations

look at the protocol, find out what the limits are and why it triggered

show ddos-protection protocols sample statistics terse 
show ddos-protection protocols parameters brief | match "Protocol|pps|sample"

 


vvertexx, Telesis - colleagues, thank you; yes, the default protection is doing its job.
