Detailed information about DDOS queues on QFX5K switches

Article ID: KB35684 KB Last Updated: 10 Jul 2020Version: 1.0
Summary:
It is often unclear how the various types of control traffic are mapped to the internal DDOS queues and which rate limit applies to each. This article provides that information for the QFX5K platforms.
There may be minor differences across code versions; the rates in use on a given release can be checked with the command shown in this document.

Symptoms:
Our public documentation describes the DDOS queues and the protocols mapped to them, but the mapping of some types of control traffic is not obvious. This document clarifies it.
Solution:
To see how internal control-protocol and exception traffic is mapped to the internal DDOS queues, run the command below from the shell, substituting the FPC you want to query for fpc0:

cprod -A fpc0 -c "show halp-pkt asic-queues"
------ --------- -------- -------- ------------------------------
 CMICQ  Channel   bwidth    burst     Qlen           Proto(s)
------ ---------- -------- -------- --------- ------------------------------
     0        3      500      200      200             uncls
     4        1     4000      200      200          vchassis
     7        3      300       10      200             vxlan
     8        3     1500      200      200           localnh
     9        3     1000      200      200         vcipc-udp
    10        3     2000      200      200     sample-source
    11        3     2000      200      200       sample-dest
    12        3       50       10      200        l3mtu-fail,ttl,ip-opt
    14        3      100       10      200        garp-reply
    15        3      500       10      200           fw-host
    16        3      500      200      200             ndpv6
    17        3     1000      200      200          dhcpv4v6
    19        3     1500      200      200     ipmc-reserved
    20        3      300      200      200           resolve
    21        3      100       10      200       l3dest-miss
    22        3      100       10      200          redirect
    23        3      300      200      200            l3nhop
    24        3      100       10      200  l3mc-sgv-hit-icl
    25        3       50       10      200   martian-address
    26        3     1000      200      200              l2pt
    27        3       50       10      200         urpf-fail
    28        3     1000      300      300      ipmcast-miss
    29        2      300       10      200   nonucast-switch
    30        2     3000      200      200      rsvp,ldp,bgp
    31        2     3000      200      200      unknown-l2mc,rip,ospf
    32        2     1000      200      200      fip-snooping
    33        2     1000      200      200              igmp
    34        2      500      200      200               arp
    35        2     1500      200      200          pim-data
    36        2     1500      200      200        ospf-hello
    37        2     1500      200      200          pim-ctrl
    38        2     2000      200      200              isis
    39        1      250      200      200              lacp
    40        1     1200      200      200               bfd
    41        1      100       10      200               ntp
    42        1      500      200      200          vchassis
    43        1     1000      200      200    stp,pvstp,lldp


As can be seen from the output above, the number of available queues is limited, so several protocols are mapped to the same queue and share its rate limit (bwidth, in pps) and burst size.
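The following script, added here as an example and not part of the Juniper article, parses the output above, reports which queues carry more than one protocol, and compares the parsed rates with an expected baseline so that a change after a code upgrade is noticed. The embedded sample rows are transcribed from the output above; the BASELINE values and the live_output() helper, which assumes the script runs from the Junos RE shell where cprod is available, are this example's own assumptions.

```python
"""Parse and sanity-check `show halp-pkt asic-queues` output from a QFX5K.

Added example; this is not code from the Juniper KB article. The sample
output below is transcribed (trimmed) from the article, the BASELINE dict is
an assumed operator expectation, and live_output() assumes the script is run
from the Junos RE shell where `cprod` is available.
"""
import re
import subprocess
from collections import namedtuple

Queue = namedtuple("Queue", "cmicq channel bwidth burst qlen protos")

# Constructed sample: six rows copied from the article's command output.
SAMPLE_OUTPUT = """\
------ --------- -------- -------- ------------------------------
 CMICQ  Channel   bwidth    burst     Qlen           Proto(s)
------ ---------- -------- -------- --------- ------------------------------
     0        3      500      200      200             uncls
    12        3       50       10      200        l3mtu-fail,ttl,ip-opt
    27        3       50       10      200         urpf-fail
    30        2     3000      200      200      rsvp,ldp,bgp
    34        2      500      200      200               arp
    43        1     1000      200      200    stp,pvstp,lldp
"""

# A data row is five integers followed by a comma-separated protocol list;
# the header and dashed separator lines do not match and are skipped.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_asic_queues(text):
    """Return {cmicq: Queue} for every data row in the command output."""
    queues = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        cmicq, channel, bwidth, burst, qlen = (int(x) for x in m.groups()[:5])
        protos = tuple(m.group(6).split(","))
        queues[cmicq] = Queue(cmicq, channel, bwidth, burst, qlen, protos)
    return queues


def queue_for_protocol(queues, proto):
    """Queue carrying `proto` (names as printed by the PFE, e.g. 'pvstp'), or None."""
    for q in queues.values():
        if proto in q.protos:
            return q
    return None


def shared_queues(queues):
    """Queues where several protocols compete for one rate limit."""
    return {q.cmicq: q.protos for q in queues.values() if len(q.protos) > 1}


def check_against_baseline(queues, baseline):
    """Compare parsed (bwidth, burst) per protocol with an expected baseline.

    Returns a list of deviations as strings; an empty list means everything
    matched. Useful after a code upgrade, since the limits may change between
    releases.
    """
    problems = []
    for proto, (exp_bw, exp_burst) in baseline.items():
        q = queue_for_protocol(queues, proto)
        if q is None:
            problems.append(f"{proto}: not mapped to any queue")
        elif (q.bwidth, q.burst) != (exp_bw, exp_burst):
            problems.append(
                f"{proto}: queue {q.cmicq} is {q.bwidth}/{q.burst}, "
                f"expected {exp_bw}/{exp_burst}"
            )
    return problems


# Assumed baseline. urpf-fail is 300 pps in the article's detailed table but
# 50 pps in its raw output, so the check flags that row on purpose.
BASELINE = {"arp": (500, 200), "bgp": (3000, 200), "urpf-fail": (300, 10)}


def live_output(fpc="fpc0"):
    """Run the command from the article on the given FPC (Junos RE shell only)."""
    cmd = ["cprod", "-A", fpc, "-c", "show halp-pkt asic-queues"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    qs = parse_asic_queues(SAMPLE_OUTPUT)
    for cmicq, protos in sorted(shared_queues(qs).items()):
        print(f"queue {cmicq} shared by {', '.join(protos)}")
    for line in check_against_baseline(qs, BASELINE) or ["all queues match baseline"]:
        print(line)
```

To use it against a real box, replace SAMPLE_OUTPUT with the text returned by live_output() for each FPC in the chassis, and keep the baseline you record after acceptance testing in version control so that a rate that silently changed between releases shows up as a deviation rather than as an unexplained control-plane drop under load.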

The table below provides more detailed information. Queue is the CPU queue number (QFX5100), Rate is the hardware rate limit in pps and Burst is the burst size in packets; where a queue needs explanation, the extra information follows on the indented line(s) below it. Queues marked UNUSED have no protocol mapped to them.

Queue  Rate  Burst  Reason/Protocol
-----  ----  -----  ----------------------------
   43  1000    200  BPDU (STP, VSTP), LLDP, MVRP
   42   500    200  VCCPD
                    VCC protocol packets.
   41   100     10  NTP
   40  1200    200  BFD
   39   250    200  LACP
   38  2000    200  ISIS
   37  1500    200  PIM CONTROL
   36  1500    200  OSPF HELLO
   35  1500    200  PIM_DATA
                    A route is present but the NH points to the CPU (PIME).
   34   500    200  ARP
                    All ARP packets, with and without VXLAN, plus IPv6 NS/NA over VXLAN
                    (when no-arp-suppression is enabled).
   33  1000    200  IGMP/MLD
   32  1000     10  FIP SNOOPING
   31  3000    200  UNKNOWN_L2MC, RIP, OSPF LSAs
                    OSPF LSAs, including on p2p links.
   30  3000    200  BGP/RSVP/LDP
   29   300     10  NON UCAST SWITCHED
                    The multicast route points to the CPU and no filter is configured.
   28  1000    300  IP MCAST MISS
                    Filter rule for (*,G).
   27   300     10  URPF FAIL
                    Unicast Reverse Path Forwarding failure.
   26  1000    200  L2PT
   25    50     10  MARTIAN_ADDR
                    Common queue for MPLS traceroute and ping.
   24   100     10  L3MC-SGV-HIT-ICL
                    STARG_DATA_ICL filter, used for multicast convergence with MC-LAG.
   23   300    200  L3_NHOP
                    UCAST_SWITCHED/NHOP_HIT: a packet copied to the CPU through the NH
                    table is mapped to this queue.
   22   100     10  REDIRECT
                    ICMP redirect.
   21   100     10  L3_DEST_MISS
                    No route present. (RESOLVE, by contrast, is still a route hit.)
   20   300    200  RESOLVE
                    IP packets whose destination address still has to be resolved;
                    they hit the resolve NH.
   19  1500    200  IPMC_RESERVED
                    Reserved IP multicast, i.e. destination 224.0.0.0/24 or
                    ff0X:0:0:0:0:0:0:0, not explicitly classified to another CPU queue.
   18     -      -  UNUSED
   17  1000    200  DHCPV4V6
   16   500    200  NDPv6
                    Non-VXLAN.
   15   500    200  FW_HOST
                    Mainly used by CLI firewall filters with action log/syslog. A packet
                    that matches a filter term but none of the protocol reasons is
                    classified only as a filter match and may be copied to CPU queue 15
                    by the CPU_COS_MAP table.
   14   100     10  GARP_REPLY
                    Broadcast GARP reply.
   13     -      -  UNUSED
   12    50     10  IP_OPTION, TTL, L3_MTU_FAIL
                    Packets received with: 1) IP options in the header; 2) TTL 0/1;
                    3) a failed egress MTU check.
   11  2000    200  SAMPLE_DEST
                    Traffic sampling feature.
   10  2000    200  SAMPLE_SOURCE
                    Traffic sampling feature.
    9  1000    200  VC IPC UDP
                    Trace messages/logs sent from the line cards to the Master.
    8  1500    200  LOCAL_NH
                    ssh, scp, telnet, ftp and snmp to a locally configured IP address.
                    Any data traffic destined to a local IP NH is copied to this queue:
                    a special NH is created in hardware and a filter rule copies packets
                    hitting that NH to CPU queue 8. VXLAN RA packets also land here.
    7   300     10  VXLAN
                    1) VXLAN_L2_L3_PKTS: VXLAN exception packets such as SIP miss and
                    BFD over VXLAN. 2) ARP and IPv6 NS/ND packets with no-arp-suppression
                    disabled. 3) Any VXLAN packet received over a VTEP/access port that
                    is not classified into a protocol queue.
    6     -      -  UNUSED
    5     -      -  UNUSED
    4  4000    200  VC TCP
                    IPC between the Master and all line cards.
    3     -      -  UNUSED
    2     0     10  Drop
                    Typically used as a drop queue so that these packets are not
                    processed; used by firewall rules in the discard case. The pipeline
                    may copy a packet to the CPU while a filter is configured to drop
                    it; such packets, though copied to the CPU, are not processed
                    because the filter places them in the drop queue.
    0   500    200  INVALID/MISC/UNCLASSIFIED
                    Any traffic not classified to any other queue.

Note that the sample command output earlier in this article and this table differ in two places: queue 27 (URPF fail) shows 50 pps in the output and 300 pps here, and queue 32 (FIP snooping) shows a burst of 200 in the output and 10 here. As the summary states, the limits can change between code versions, so treat the values reported by the command on the running release as authoritative.