Here is a short post explaining how you can monitor control plane activity using ddos-protection statistics and a simple op script.
ddos-protection is enabled by default and is only available on MPC line cards; it protects both the line card CPU and the Routing Engine CPU from excessive control plane traffic. It tracks, per protocol (and for some protocols per packet type), the current and maximum packet arrival rates. Statistics are available per MPC and chassis-wide (the Routing Engine point of view).
Sample CLI output for the ICMP protocol:
sponge@bob> show ddos-protection protocols icmp statistics
Packet types: 1, Received traffic: 1, Currently violated: 0
Protocol Group: ICMP
Packet type: aggregate
System-wide information:
Aggregate bandwidth is no longer being violated
No. of FPCs that have received excess traffic: 1
Last violation started at: 2014-11-21 11:20:33 CET
Last violation ended at: 2014-11-21 11:20:39 CET
Duration of last violation: 00:00:06 Number of violations: 1
Received: 55403 Arrival rate: 0 pps
Dropped: 7 Max arrival rate: 48 pps
Packet type "aggregate" covers all packet types of a protocol group: it is the sum of the individual packet types. The Max arrival rate is the highest rate observed since the statistics were last cleared or since the last reboot.
I developed a simple op script that displays, per protocol and packet type, the current and maximum observed rates from the Routing Engine's point of view. Only packet types with a Max arrival rate greater than 0 are displayed.
This command lets you monitor your control plane in real time and can help you tune your ddos-protection policers.
Here is the checkcp.slax code:
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

/*------------------------------------------------*/
/* This is version 1.0 of the op script checkcp   */
/* Written by David Roy                           */
/* door7302@gmail.com                             */
/*------------------------------------------------*/

match / {
    <op-script-results> {
        /* Fetch the ddos-protection statistics; this is the RPC behind
           "show ddos-protection protocols statistics" */
        var $myrpc = <get-ddos-protocols-statistics> {};
        var $myddos = jcs:invoke($myrpc);

        /* Display the table header */
        <output> "";
        <output> "";
        <output> "+-------------------------------------------------------------------------+";
        <output> jcs:printf('|%-20s |%-20s |%-11s |%-10s\n', "Protocol", "Packet Type", "Current pps", "Max pps Observed");
        <output> "+-------------------------------------------------------------------------+";

        /* One row per packet type; skip those never observed (max rate 0) */
        for-each ($myddos/ddos-protocol-group/ddos-protocol/packet-type) {
            var $name = .;
            if (../ddos-system-statistics/packet-arrival-rate-max != "0") {
                <output> jcs:printf('|%-20s |%-20s |%-11s |%-10s\n', ../../group-name, $name, ../ddos-system-statistics/packet-arrival-rate, ../ddos-system-statistics/packet-arrival-rate-max);
            }
        }
        <output> "+-------------------------------------------------------------------------+";
    }
}
Copy and paste the code above into the file /var/db/scripts/op/checkcp.slax, then enable the script with this configuration:
edit
set system scripts op file checkcp.slax
commit and-quit
Finally, run the op script:
sponge@bob> op checkcp
+-------------------------------------------------------------------------+
|Protocol             |Packet Type          |Current pps |Max pps Observed
+-------------------------------------------------------------------------+
|ICMP                 |aggregate            |0           |48
|OSPF                 |aggregate            |0           |2
|PIM                  |aggregate            |0           |2
|BFD                  |aggregate            |0           |11
|LDP                  |aggregate            |0           |3
|BGP                  |aggregate            |1           |17
|SSH                  |aggregate            |3           |249
|SNMP                 |aggregate            |0           |130
|LACP                 |aggregate            |1           |2
|ISIS                 |aggregate            |0           |5
|Reject               |aggregate            |0           |88080
|TCP-Flags            |aggregate            |6           |163
|TCP-Flags            |initial              |0           |1
|TCP-Flags            |established          |6           |163
|PIMv6                |aggregate            |0           |1
|Sample               |aggregate            |0           |7431
|Sample               |host                 |0           |7431
+-------------------------------------------------------------------------+
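The same filtering done off-box, as an added example that is not part of the original post or script: a Python parser for the get-ddos-protocols-statistics reply (for instance collected over NETCONF or with "| display xml"), using the element names the op script's XPath reads. The sample reply and the policer limits passed to near_limit are constructed, not captured from a router; it also flags packet types whose max observed rate is approaching a policer limit, which is the input you need when tuning the policers.

```python
"""Off-box parser for a Junos <get-ddos-protocols-statistics> reply.
Added example, not from the original post. Element names follow the XPath
in checkcp.slax; the reply below is constructed (real ones carry a junos
namespace and extra counters) and the policer limits are hypothetical."""
import xml.etree.ElementTree as ET

SAMPLE_REPLY = """<ddos-protocols-information>
 <ddos-protocol-group><group-name>ICMP</group-name>
  <ddos-protocol><packet-type>aggregate</packet-type>
   <ddos-system-statistics><packet-arrival-rate>0</packet-arrival-rate>
    <packet-arrival-rate-max>48</packet-arrival-rate-max>
   </ddos-system-statistics></ddos-protocol></ddos-protocol-group>
 <ddos-protocol-group><group-name>TCP-Flags</group-name>
  <ddos-protocol><packet-type>aggregate</packet-type>
   <ddos-system-statistics><packet-arrival-rate>6</packet-arrival-rate>
    <packet-arrival-rate-max>163</packet-arrival-rate-max>
   </ddos-system-statistics></ddos-protocol>
  <ddos-protocol><packet-type>initial</packet-type>
   <ddos-system-statistics><packet-arrival-rate>0</packet-arrival-rate>
    <packet-arrival-rate-max>0</packet-arrival-rate-max>
   </ddos-system-statistics></ddos-protocol></ddos-protocol-group>
</ddos-protocols-information>"""


def parse_rates(xml_text):
    """Return (protocol, packet_type, current_pps, max_pps) for every packet
    type whose max arrival rate is above 0, the same filter as checkcp.slax."""
    rows = []
    for group in ET.fromstring(xml_text).iter("ddos-protocol-group"):
        name = group.findtext("group-name", "").strip()
        for proto in group.findall("ddos-protocol"):
            stats = proto.find("ddos-system-statistics")
            if stats is None:  # no RE statistics for this packet type
                continue
            cur = int(stats.findtext("packet-arrival-rate", "0"))
            mx = int(stats.findtext("packet-arrival-rate-max", "0"))
            if mx > 0:
                ptype = proto.findtext("packet-type", "").strip()
                rows.append((name, ptype, cur, mx))
    return rows


def near_limit(rows, policer_pps, ratio=0.8):
    """Flag rows whose max observed rate reached `ratio` of the policer
    bandwidth; policer_pps maps (protocol, packet_type) to the configured
    pps limit (hypothetical values, taken from the operator's configuration)."""
    return [(p, t, mx, policer_pps[(p, t)]) for p, t, _, mx in rows
            if (p, t) in policer_pps and mx >= ratio * policer_pps[(p, t)]]
```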
David.