We are experiencing some VXLAN DDoS violations (e.g. Mar 7 15:55:15 XXXXX-QFX-L3 jddosd: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception VXLAN:aggregate exceeded its allowed bandwidth at fpc 0 for 642 times, started at 2023-03-07 15:55:14 MST).
We are currently evaluating documentation about what could cause the VXLAN DDoS violation; however, the documentation is quite cryptic about what actually triggers the VXLAN DDoS events. The main source I'm reading is: CEC Juniper Community. It mentions the following:
1) Overlay ARP packets (All ARP packets hitting on local CE VXLAN enabled port and VTEPs)
2) Any vxlan packets received over VTEP & Access ports (Local CE vxlan enabled ports) which are not classified into any protocol Queue will make it to Q 7
I'm puzzled about what "Overlay ARP packets" means. It is not an industry-standard term and does not appear anywhere in the Juniper documentation. Does anyone have a clue what "Overlay ARP packets" exactly means? If anyone else has a clue what could trigger the VXLAN DDoS violation, that would also be of great help.
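A defender's first step with these jddosd messages is to parse and aggregate them, so that a sustained violation on one FPC and protocol group can be told apart from a one-off burst. The parser below is an added example written for this thread, not code from Juniper or from the original poster. It assumes only the DDOS_PROTOCOL_VIOLATION_SET wording quoted in the question (the corresponding CLEAR message is not shown in the thread, so it is deliberately not recognized and such lines fall through as unparsed); the hostnames, hit counts and thresholds are constructed.

```python
import re
from datetime import datetime

# Pattern for the DDOS_PROTOCOL_VIOLATION_SET line quoted in the question.
# The named groups are this example's own field names; the literal wording
# follows the thread's log line. A single-digit day may carry one or two
# spaces depending on the syslog collector, hence the \s+ separators.
SET_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+jddosd:\s+DDOS_PROTOCOL_VIOLATION_SET:\s+Warning:\s+"
    r"Host-bound traffic for protocol/exception\s+"
    r"(?P<group>[\w-]+):(?P<packet>[\w-]+)\s+exceeded its allowed bandwidth\s+"
    r"at fpc\s+(?P<fpc>\d+)\s+for\s+(?P<count>\d+)\s+times,\s+"
    r"started at\s+(?P<started>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})\s+(?P<tz>\S+)$"
)


def parse_violation(line):
    """Return a dict for one DDOS_PROTOCOL_VIOLATION_SET line, or None for any other line."""
    m = SET_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["fpc"] = int(d["fpc"])
    d["count"] = int(d["count"])
    d["started"] = datetime.strptime(d["started"], "%Y-%m-%d %H:%M:%S")
    return d


def summarize(lines):
    """Aggregate per (host, group:packet, fpc): number of SET messages, summed
    repeat count, and the earliest/latest 'started at' time."""
    summary = {}
    for line in lines:
        v = parse_violation(line)
        if v is None:          # unrelated syslog line or unrecognized jddosd wording
            continue
        key = (v["host"], f"{v['group']}:{v['packet']}", v["fpc"])
        s = summary.setdefault(
            key, {"events": 0, "total_count": 0, "first": v["started"], "last": v["started"]}
        )
        s["events"] += 1
        s["total_count"] += v["count"]
        s["first"] = min(s["first"], v["started"])
        s["last"] = max(s["last"], v["started"])
    return summary


def flag_persistent(summary, min_events=2, min_total=1000):
    """Keys whose violation repeats and accumulates; a single short burst is
    left alone so the operator looks at sustained host-bound load first.
    The thresholds are constructed defaults, not Juniper values."""
    return sorted(
        k for k, s in summary.items()
        if s["events"] >= min_events and s["total_count"] >= min_total
    )


# Constructed sample log lines: hostnames and counts are invented, the
# format follows the line quoted in the question. The last line is an
# unrelated message to show that non-jddosd lines are skipped.
SAMPLE_LOG = [
    "Mar  7 15:55:15 LEAF-QFX-1 jddosd: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception VXLAN:aggregate exceeded its allowed bandwidth at fpc 0 for 642 times, started at 2023-03-07 15:55:14 MST",
    "Mar  7 16:10:02 LEAF-QFX-1 jddosd: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception VXLAN:aggregate exceeded its allowed bandwidth at fpc 0 for 415 times, started at 2023-03-07 16:10:01 MST",
    "Mar  7 16:11:40 LEAF-QFX-2 jddosd: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception ARP:aggregate exceeded its allowed bandwidth at fpc 0 for 12 times, started at 2023-03-07 16:11:39 MST",
    "Mar  7 16:12:00 LEAF-QFX-1 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 52211",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (host, proto, fpc), s in sorted(result.items()):
        print(f"{host} {proto} fpc{fpc}: {s['events']} events, "
              f"{s['total_count']} hits, {s['first']} .. {s['last']}")
    print("persistent:", flag_persistent(result))
```

Grouping by host, protocol group and FPC matches how the daemon reports the violation, so the summary lines up directly with the `VXLAN:aggregate` counters an operator would then inspect on the switch; the summed "for N times" value gives a rough measure of how much traffic is being policed while the violation stays set.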
Hi, I think Overlay ARP packets means that the ARP packets are flooded to all other leaves with a VXLAN header when the incoming ARP message to the leaf has no match in the EVPN database. A trigger is if you have IP addresses that are reachable but no client connected.
Do you mean the switch will drop/not send the ARP packet to another leaf (VTEP)? Because if an ARP packet is received on a VTEP interface, how can a switch tell the difference between a normal VXLAN (data) transit packet and an ARP VXLAN packet? Both have a VTEP IP as destination.
With ARP suppression and the target address present in the leaf cache, the switch responds to the broadcast or unicast ARP request. If the target IP/MAC is not present, the switch forwards the ARP request over the VXLAN data plane to all VTEPs (with the VLAN configured) for neighbor resolution. So if you have a silent client or no client for a certain IP, the origin leaf should send the ARP request over the VXLAN fabric too.
Original Message:
Sent: 08-15-2023 08:19
From: Anonymous
Subject: Overlay ARP packet (DDoS Protection)
This message was posted by a user wishing to remain anonymous