Example Output

jnpr@srx210> file show /var/tmp/pseudo-event-output
[2011-11-23 03:39:08 UTC] <SYSTEM> "STP handler: index=7, op=get-next, state=0, tc-generation=0"
[2011-11-23 03:39:08 UTC] <SYSTEM> "STP Add"
[2011-11-23 03:39:08 UTC] <SYSTEM> "STP handler: index=8, op=get-next, state=0, tc-generation=0"
[2011-11-23 03:54:40 UTC] <KERNEL> "pfe listener disconnect: conn dropped: listener idx=0, tnpaddr=0x1, reason: reconnect timeout"
[2011-11-23 03:54:40 UTC] <KERNEL> "pfe peer update mgmt state: type 10, index 0, vks 0, old state Valid new state Closed mastership 1"
[2011-11-23 03:54:40 UTC] <KERNEL> "pfe peer clear timeout: clearing timo 0x80576e84"
[2011-11-23 04:02:26 UTC] <PFE> "srx210 Registered network packet handlers"
[2011-11-23 04:02:26 UTC] <PFE> "srx210 if notify init: IF notify list already initialized"

To enable: copy the script into /var/run/scripts/event on all routing engines
root@server:/home/anindac# cd vrnetlab/
root@server:/home/anindac/vrnetlab# ls -l
total 144
-rw-r--r-- 1 root root   94 Oct 23 05:36 CODE OF CONDUCT.md
-rw-r--r-- 1 root root  706 Oct 23 05:36 CONTRIBUTING.md
-rw-r--r-- 1 root root 1109 Oct 23 05:36 LICENSE
-rw-r--r-- 1 root root  342 Oct 23 05:36 Makefile
-rw-r--r-- 1 root root 4013 Oct 23 05:36 README.md
drwxr-xr-x 3 root root 4096 Oct 23 05:36 aoscx
drwxr-xr-x 2 root root 4096 Oct 23 05:36 ci-builder-image
drwxr-xr-x 2 root root 4096 Oct 23 05:36 common
drwxr-xr-x 3 root root 4096 Oct 23 05:36 config-engine-lite
drwxr-xr-x 3 root root 4096 Oct 23 05:36 csr
drwxr-xr-x 3 root root 4096 Oct 23 05:36 ftosv
-rwxr-xr-x 1 root root 5210 Oct 23 05:36 git-lfs-repo.sh
-rw-r--r-- 1 root root 3158 Oct 23 05:36 makefile-install.include
-rw-r--r-- 1 root root  370 Oct 23 05:36 makefile-sanity.include
-rw-r--r-- 1 root root 1898 Oct 23 05:36 makefile.include
drwxr-xr-x 3 root root 4096 Oct 23 05:36 n9kv
drwxr-xr-x 3 root root 4096 Oct 23 05:36 nxos
drwxr-xr-x 3 root root 4096 Oct 23 05:36 ocnos
drwxr-xr-x 3 root root 4096 Oct 23 05:36 openwrt
drwxr-xr-x 3 root root 4096 Oct 23 05:36 pan
drwxr-xr-x 3 root root 4096 Oct 23 05:36 routeros
drwxr-xr-x 3 root root 4096 Oct 23 05:36 sros
drwxr-xr-x 2 root root 4096 Oct 23 05:36 topology-machine
drwxr-xr-x 3 root root 4096 Oct 23 05:36 veos
drwxr-xr-x 3 root root 4096 Oct 23 05:36 vjunosswitch
drwxr-xr-x 3 root root 4096 Oct 23 05:36 vmx
drwxr-xr-x 3 root root 4096 Oct 23 05:36 vqfx
drwxr-xr-x 3 root root 4096 Oct 23 05:36 vr-bgp
drwxr-xr-x 2 root root 4096 Oct 23 05:36 vr-xcon
-rw-r--r-- 1 root root 1135 Oct 23 05:36 vrnetlab.sh
drwxr-xr-x 3 root root 4096 Oct 23 05:36 vrp
drwxr-xr-x 3 root root 4096 Oct 23 05:36 vsr1000
drwxr-xr-x 3 root root 4096 Oct 23 05:36 vsrx
drwxr-xr-x 3 root root 4096 Oct 23 05:36 xrv
drwxr-xr-x 3 root root 4096 Oct 23 05:36 xrv9k

The vjunosswitch folder has a Makefile and a Dockerfile (within the docker folder) that together build the vJunos-switch docker image.

root@server:/home/anindac/vrnetlab# cd vjunosswitch/
root@server:/home/anindac/vrnetlab/vjunosswitch# ls -l
total 12
-rw-r--r-- 1 root root  346 Oct 23 05:36 Makefile
-rw-r--r-- 1 root root  513 Oct 23 05:36 README.md
drwxr-xr-x 2 root root 4096 Oct 23 05:36 docker

The user simply needs to copy the vJunos-switch image to this folder and run the make command.
Another method would be a VRF filter:

set routing-instances VRF-A forwarding-options family inet filter input FW VRF

With the focus of this article being MX DDoS protection, let's turn our attention back to SCFD.

MX ddos-protection in SCFD (Suspicious Control Flow Detection) mode

Configure:

[edit]
mnayman@PE2# set system ddos-protection global flow-detection

Example of a BFD attack:

mnayman@PE2> show ddos-protection protocols violations
Packet types: 246, Currently violated: 1

Protocol    Packet      Bandwidth  Arrival    Peak       Policer bandwidth
group       type        (pps)      rate(pps)  rate(pps)  violation detected at
bfd         aggregate   20000      1          30049      2023-07-24 23:13:26 EDT
          Detected on: FPC-3

mnayman@PE2> show ddos-protection protocols culprit-flows
Currently tracked flows: 1, Total detected flows: 2955

Protocol    Packet      Arriving    Source Address
group       type        Interface   MAC or IP
bfd         aggregate   ae1.0       10.144.0.208
          sub:00030000000006c9  2023-07-24 23:14:35 EDT  pps:1  pkts:85

mnayman@PE2> show ddos-protection protocols culprit-flows detail
Currently tracked flows: 1, Total detected flows: 2957

Protocol    Packet      Arriving    Aggr    Flow Id
group       type        Interface   level
bfd         aggregate   lsi.411     sub     00030000000006ca
          Source Address: 13.13.0.10
          Destination Address: 20.20.0.2
          Source Port: 3784
          Destination Port: 3784
          Found at: 2023-07-24 23:15:44 EDT
          Last Violation: 2023-07-24 23:15:46 EDT
          Rate: 0 pps
          received packets: 165389

Now, what happens with the same attack coming from multiple sources:

mnayman@PE2> show ddos-protection protocols culprit-flows
Currently tracked flows: 1000, Total detected flows: 3969

Protocol    Packet      Arriving    Source Address
group       type        Interface   MAC or IP
uncls       host-rt-v4  lsi.411     13.13.0.95
          sub:00030000000006d8  2023-07-24 23:22:27 EDT  pps:235  pkts:5914
uncls       host-rt-v4  lsi.411     13.13.1.95
          sub:00030000000006d9  2023-07-24 23:22:27 EDT  pps:235  pkts:5915
uncls       host-rt-v4  lsi.411     13.13.2.154
          sub:00030000000006da  2023-07-24 23:22:27 EDT  pps:235  pkts:5907
uncls       host-rt-v4  lsi.411     13.13.2.220
          sub:00030000000006db  2023-07-24 23:22:27 EDT  pps:235  pkts:5915
uncls       host-rt-v4  lsi.411     13.13.0.132
          sub:00030000000006dc  2023-07-24 23:22:27 EDT  pps:235  pkts:5912
…
uncls       host-rt-v4  lsi.411     13.13.2.92
          sub:0003000000000abf  2023-07-24 23:22:27 EDT  pps:235  pkts:5927

And this is where the strength of the MX router shows. When facing a massive attack from thousands of sources, it first initiates mitigation on a per-flow basis:

mnayman@PE2> show ddos-protection protocols culprit-flows
Currently tracked flows: 3036, Total detected flows: 15970

Protocol    Packet      Arriving    Source Address
group       type        Interface   MAC or IP
uncls       host-rt-v4  lsi.411     13.13.15.63
          sub:0003000000002dc5  2023-07-24 23:25:05 EDT  pps:0  pkts:185
uncls       host-rt-v4  lsi.411     13.13.3.82
          sub:0003000000002dc6  2023-07-24 23:25:05 EDT  pps:0  pkts:183
uncls       host-rt-v4  lsi.411     13.13.5.208
          sub:0003000000002dc7  2023-07-24 23:25:05 EDT  pps:0  pkts:187
uncls       host-rt-v4  lsi.411     13.13.15.47
          sub:0003000000002dc8  2023-07-24 23:25:05 EDT  pps:0  pkts:184
uncls       host-rt-v4  lsi.411     13.13.18.20
          sub:0003000000002dc9  2023-07-24 23:25:05 EDT  pps:0  pkts:185

The MX platform then condenses the attack into a single flow at the interface (ifl) aggregation level and assigns it one Flow ID. This saves tracking resources, and it is possible because the attack has a consistent signature:

mnayman@PE2> show ddos-protection protocols culprit-flows
Currently tracked flows: 1, Total detected flows: 17933

Protocol    Packet      Arriving    Source Address
group       type        Interface   MAC or IP
uncls       host-rt-v4  lsi.411     --  --  --
          ifl:0003000000003e36  2023-07-24 23:25:20 EDT  pps:234964  pkts:14609202

mnayman@PE2> show ddos-protection protocols culprit-flows detail
Currently tracked flows: 1, Total detected flows: 17933

Protocol    Packet      Arriving    Aggr    Flow Id
group       type        Interface   level
uncls       host-rt-v4  lsi.411     ifl     0003000000003e36
          Found at: 2023-07-24 23:25:20 EDT
          Last Violation: 2023-07-24 23:29:43 EDT
          Rate: 234967 pps
          received packets: 61602109

Most deployments don't require any specific tweaking of the feature
You could craft a template that makes a best-effort conversion from a Junos XML configuration to a Junos OS CLI configuration, as shown in the following example.

From:

<protocols>
    <bgp>
        <group>
            <name>23</name>
            <import>policy1</import>
        </group>
    </bgp>
</protocols>

To:

protocols {
    bgp {
        group 23 {
            import policy1;
        }
    }
}

Alternatively, you could load the Junos XML configuration into a device running Junos OS and pull out the Junos OS CLI configuration.