Data Center


Ask questions and share experiences about Data Center Architecture and approaches.
  • 1.  Overlay ARP packet (DDoS Protection)

    This message was posted by a user wishing to remain anonymous
    Posted 08-14-2023 19:05

    Greetings,

    We are experiencing some VXLAN DDoS violations (e.g. Mar 7 15:55:15 XXXXX-QFX-L3 jddosd[12206]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception VXLAN:aggregate exceeded its allowed bandwidth at fpc 0 for 642 times, started at 2023-03-07 15:55:14 MST). 

    We are currently evaluating documentation about what could cause the VXLAN DDoS violation, however, the documentation is quite cryptic about what actually triggers the VXLAN DDoS events. The main source I'm reading is: CEC Juniper Community. It mentions the following: 

    1) Overlay ARP packets (All ARP packets hitting on local CE VXLAN enabled port and VTEPs )

    2) Any vxlan packets received over VTEP & Access ports (Local CE vxlan enabled ports) which are not classified into any protocol Queue will make it to Q 7

    I'm puzzled on what "Overlay ARP packets" means. It is not an industry standard term and does not appear anywhere in the Juniper documentation. Does anyone have a clue what "Overlay ARP packets" exactly means? If anyone else has a clue what could trigger the VXLAN DDoS violation, that would also be of great help.

    Kind regards,


  • 2.  RE: Overlay ARP packet (DDoS Protection)

    This message was posted by a user wishing to remain anonymous
    Posted 08-15-2023 08:19

    Hi,
    I think Overlay ARP packets means that the ARP packet is flooded to all other leafs with a VXLAN header when the incoming ARP message to the leaf has no match in the EVPN database.
    A trigger is if you have IP addresses that are reachable but no client connected.




  • 3.  RE: Overlay ARP packet (DDoS Protection)

    This message was posted by a user wishing to remain anonymous
    Posted 08-16-2023 12:37

    Hi,  

    Do you mean the switch will drop/not send the ARP packet to another leaf (VTEP)? Because if an ARP packet is received on a VTEP interface, how can a switch tell the difference between a normal VXLAN (data) transit packet and an ARP VXLAN packet? Both have a VTEP IP as destination.

    Kind regards,




  • 4.  RE: Overlay ARP packet (DDoS Protection)

    This message was posted by a user wishing to remain anonymous
    Posted 08-17-2023 01:57

    Hi,

    With ARP suppression, if the target address is present in the leaf cache, the switch responds to the broadcast or unicast ARP request. If the target IP/MAC is not present, the switch forwards the ARP request over the VXLAN data plane to all VTEPs (with the VLAN configured) for neighbor resolution.

    So if you have a silent client or no client for a certain IP, the origin leaf should send the ARP request over the VXLAN fabric too.
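To make the distinction asked about in post 3 and the suppression rule described in post 4 concrete, here is an added Python example (not from this thread or from Juniper): it builds constructed VXLAN-encapsulated frames, looks past the VXLAN header at the inner ethertype to tell an overlay ARP request from ordinary overlay data, and applies the cache lookup that decides between answering locally and flooding to all VTEPs. The VNI, MAC and IP addresses and the cache contents are made-up sample values.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806   # inner ethertype that marks an "overlay ARP" frame
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
VXLAN_I_FLAG = 0x08      # "VNI valid" flag in the 8-byte VXLAN header

def build_vxlan_arp_request(vni, src_mac, src_ip, target_ip):
    """Constructed sample: VXLAN header + inner Ethernet + ARP request (outer IP/UDP omitted)."""
    vxlan = struct.pack("!B3xI", VXLAN_I_FLAG, vni << 8)          # flags, reserved, VNI<<8
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)  # broadcast dst MAC
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST,
                      src_mac, ipaddress.ip_address(src_ip).packed,
                      b"\x00" * 6, ipaddress.ip_address(target_ip).packed)
    return vxlan + eth + arp

def build_vxlan_data(vni, payload=b"\x45" + b"\x00" * 19):
    """Constructed sample: same VXLAN/Ethernet framing, but an inner IPv4 (data) frame."""
    vxlan = struct.pack("!B3xI", VXLAN_I_FLAG, vni << 8)
    eth = b"\x02" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    return vxlan + eth + payload

def classify_vxlan_payload(pkt):
    """Decide from the INNER ethertype whether a VXLAN frame carries overlay ARP or data.
    Returns (kind, vni, target_ip); target_ip is None for non-ARP frames."""
    if len(pkt) < 22:
        raise ValueError("truncated VXLAN frame")
    flags, vni_raw = struct.unpack("!B3xI", pkt[:8])
    if not flags & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag not set; VNI invalid")
    vni = vni_raw >> 8
    ethertype = struct.unpack("!H", pkt[20:22])[0]
    if ethertype != ETHERTYPE_ARP:
        return "data", vni, None
    if len(pkt) < 50:
        raise ValueError("truncated inner ARP packet")
    _, _, _, _, oper, _, _, _, tpa = struct.unpack("!HHBBH6s4s6s4s", pkt[22:50])
    kind = "arp-request" if oper == ARP_REQUEST else "arp-other"
    return kind, vni, str(ipaddress.ip_address(tpa))

def arp_suppression_decision(cache, vni, target_ip):
    """Post 4's rule: cache is a made-up {(vni, ip): mac} table standing in for the leaf's
    EVPN/ARP cache. Known target -> reply locally; unknown (silent/absent host) -> flood."""
    mac = cache.get((vni, target_ip))
    return ("reply-local", mac) if mac else ("flood-to-all-vteps", None)

if __name__ == "__main__":
    cache = {(10100, "10.1.1.20"): "00:11:22:33:44:55"}
    sender = b"\x00\x11\x22\x33\x44\x66"
    for pkt in (build_vxlan_arp_request(10100, sender, "10.1.1.10", "10.1.1.20"),
                build_vxlan_arp_request(10100, sender, "10.1.1.10", "10.1.1.99"),
                build_vxlan_data(10100)):
        kind, vni, tpa = classify_vxlan_payload(pkt)
        print(kind, vni, tpa, arp_suppression_decision(cache, vni, tpa) if tpa else "-")
```

The second ARP request targets an address with no cache entry, which is exactly the "reachable IP but no client" case post 2 names as a trigger: it is the one that leaves the leaf over VXLAN.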