What does the DDOS-PROTECTION "sample" violation, coming from the PFE, mean when you aren't using sampling on any interface?
admin@RT> show ddos-protection protocols violations
Packet types: 219, Currently violated: 2

Protocol    Packet      Bandwidth  Arrival    Peak       Policer bandwidth
group       type        (pps)      rate(pps)  rate(pps)  violation detected at
sample      aggregate   1000       71268      101310     2019-05-28 22:04:42 BRT
  Detected on: FPC-0
sample      pfe         1000       71337      101209     2019-05-28 22:04:41 BRT
  Detected on: FPC-0
admin@RT> show configuration | match sampl
admin@RT> show pfe statistics notification | match sample
Sample                      35946049     35946049            0            0
Hi rganascimas, as per this link https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-pfe-statistics-notification.html this is the number of notifications sampled: sample—"Number of notifications sampled." This command reports Packet Forwarding Engine notification statistics.
Thanks. But is this high volume hitting the ddos-protection threshold all the time a normal behavior?
Another application using sampling is port mirror. Do you have that?
Usually these messages are not harmful. They just impact how much traffic is sent to your collection device. You can increase the sampling rate, but you don't have. For port mirror, turn it off if you are not actively collecting transit traffic.
There is no port mirror configured.
Our scenario is an MX104 with ~11k PPPoE subscribers, using LACP + demux interfaces (some with dot1q and some with QinQ).
Do you have any firewall filter with a syslog/log action?
I disabled all the "log/syslog" actions from the firewall filters as you said, and the ddos-protection was clean. The problem is solved.
Thanks @mhu !
admin@RT> show ddos-protection protocols violations
Packet types: 219, Currently violated: 0
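The diagnosis in this thread (a "sample" DDoS-protection policer in violation with no sampling or port-mirror configured, caused by firewall filter terms with log/syslog actions) can be checked mechanically. The following script is an added example, not from the thread or from Juniper: it parses constructed copies of the `show ddos-protection protocols violations` and `show configuration firewall | display set` output (filter and term names are made up) and pairs each violated sample policer with the filter terms that punt packets to the RE for logging.

```python
import re

# Constructed output modelled on the thread's `show ddos-protection protocols violations`.
VIOLATIONS_OUTPUT = """\
Packet types: 219, Currently violated: 2

Protocol    Packet      Bandwidth  Arrival    Peak       Policer bandwidth
group       type        (pps)      rate(pps)  rate(pps)  violation detected at
sample      aggregate   1000       71268      101310     2019-05-28 22:04:42 BRT
  Detected on: FPC-0
sample      pfe         1000       71337      101209     2019-05-28 22:04:41 BRT
  Detected on: FPC-0
"""

# Constructed `show configuration firewall | display set` excerpt; filter/term names are hypothetical.
CONFIG_SET_OUTPUT = """\
set firewall family inet filter SUBS-IN term drop-bogons from source-address 10.0.0.0/8
set firewall family inet filter SUBS-IN term drop-bogons then syslog
set firewall family inet filter SUBS-IN term drop-bogons then discard
set firewall family inet filter SUBS-IN term allow then accept
"""

# One violation row: group, packet type, bandwidth, arrival, peak, timestamp with zone.
VIOLATION_RE = re.compile(
    r"^(?P<group>\S+)\s+(?P<ptype>\S+)\s+(?P<bw>\d+)\s+(?P<arrival>\d+)\s+(?P<peak>\d+)\s+"
    r"(?P<since>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+)$")
# Filter terms whose action punts a copy of the packet to the RE (counted by the "sample" group).
LOG_ACTION_RE = re.compile(
    r"^set firewall (?:family \S+ )?filter (?P<filter>\S+) term (?P<term>\S+) then (?P<action>log|syslog)$")

def parse_violations(text):
    """Return one dict per violated policer, attaching the FPC from the 'Detected on:' line."""
    rows = []
    for line in text.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            rows.append({**m.groupdict(), "bw": int(m["bw"]), "arrival": int(m["arrival"]),
                         "peak": int(m["peak"]), "fpc": None})
        elif line.strip().startswith("Detected on:") and rows:
            rows[-1]["fpc"] = line.split(":", 1)[1].strip()
    return rows

def logging_terms(config_set):
    """List (filter, term, action) for every term that logs or syslogs."""
    return [(m["filter"], m["term"], m["action"])
            for m in map(LOG_ACTION_RE.match, config_set.splitlines()) if m]

def diagnose(violations_text, config_set):
    """For each violated 'sample' policer, report how far over its limit it is and the suspect terms."""
    terms = logging_terms(config_set)
    return [{"policer": f"{r['group']}/{r['ptype']}", "fpc": r["fpc"],
             "over_limit_x": round(r["arrival"] / r["bw"], 1), "suspect_terms": terms}
            for r in parse_violations(violations_text) if r["group"] == "sample"]
```

Once the log/syslog terms are removed (or replaced with a counter), re-running the violations command should show "Currently violated: 0", as in the last post above.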