Are you exceeding the configured rate for the policer? Did you expect to drop at any rate? The rule sets a non-0 policing rate.
On Sat, 17 Sept 2022 at 17:42, Gustavo Santos <[email protected]> wrote:
>
> Hi Saku,
>
> PS: Real ASN was changed to 65000 on the configuration snippet.
>
>
> show route table inetflow.0 extensive
>
> 1x8.2x8.84.34,*,proto=17,port=0/term:7 (1 entry, 1 announced)
> TSI:
> KRT in dfwd;
> Action(s): discard,count
> Page 0 idx 0, (group KENTIK_FS type Internal) Type 1 val 0x63b7c098
> (adv_entry)
> Advertised metrics:
> Flags: NoNexthop
> Localpref: 100
> AS path: [65000 I
> Communities: traffic-rate:52873:0
> Advertise: 00000001
> Path 1x8.2x8.84.34,*,proto=17,port=0
> Vector len 4. Val: 0
> *Flow Preference: 5
> Next hop type: Fictitious, Next hop index: 0
> Address: 0x5214bfc
> Next-hop reference count: 22
> Next hop:
> State: <Active SendNhToPFE>
> Local AS: 52873
> Age: 8w0d 20:30:33
> Validation State: unverified
> Task: RT Flow
> Announcement bits (2): 0-Flow 1-BGP_RT_Background
> AS path: I
> Communities: traffic-rate:65000:0
>
> show firewall
>
> Filter: __flowspec_default_inet__
> Counters:
> Name Bytes Packets
> 1x8.2x8.84.34,*,proto=17,port=0 19897391083 510189535
>
>
> BGP Group
>
> {master}[edit protocols bgp group KENTIK_FS]
> type internal;
> hold-time 720;
> mtu-discovery;
> family inet {
> unicast;
> flow {
> no-validate flowspec-import;
> }
> }
> }
>
>
> Import policy
>
> {master}[edit]
> gustavo@MX10K3# edit policy-options policy-statement flowspec-import
>
> {master}[edit policy-options policy-statement flowspec-import]
> gustavo@MX10K3# show
> term 1 {
> then accept;
> }
>
> IP transit interface
>
> {master}[edit interfaces ae0 unit 10]
> gustavo@MX10K3# show
> vlan-id 10;
> family inet {
> mtu 1500;
> filter {
> inactive: input ddos;
> }
> sampling {
> input;
> }
> address x.x.x.x.x/31;
> }
>
>
> On Sat, 17 Sep 2022 at 03:00, Saku Ytti <[email protected]> wrote:
>>
>> Can you provide some output.
>>
>> Like 'show route table inetflow.0 extensive' and config.
>>
>> On Sat, 17 Sept 2022 at 05:05, Gustavo Santos via juniper-nsp
>> <[email protected]> wrote:
>> >
>> > Hi,
>> >
>> > We have noticed that flowspec is not working or filtering as expected.
>> > Trying a DDoS detection and rule generator tool, we noticed that the
>> > flowspec rule is installed and the filter counter is increasing, but
>> > there is no filtering at all.
>> >
>> > For example, DDoS traffic from source UDP port 123 is coming from an
>> > Internet transit facing interface, AE0.
>> > The destination of this traffic is a customer interface, ET-0/0/10.
>> >
>> > Even with all information and "show" commands confirming that the traffic
>> > has been filtered, the customer, SNMP and NetFlow on the customer-facing
>> > interface show that the "filtered" traffic is hitting the destination.
>> >
>> > Is there any caveat or limitation, or has anyone hit this issue? I tried this
>> > with two MX10003 routers, one with 19.R3-xxx and the other one with the 20.4R3
>> > Junos branch.
>> >
>> > Regards.
>> > _______________________________________________
>> > juniper-nsp mailing list [email protected]
>> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
>> --
>> ++ytti

--
++ytti
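The route output quoted above shows the rule's action as the traffic-rate community (traffic-rate:52873:0 and traffic-rate:65000:0). The following Python is an added example, not code from the thread or from Junos, that encodes and decodes the RFC 5575 traffic-rate extended community (type 0x80, sub-type 0x06, a 2-byte AS id and an IEEE 754 rate in bytes per second, where a rate of 0 requests discard) and classifies Junos-style community strings; the non-zero rate value in the demo is constructed.

```python
import struct

# RFC 5575 section 7: the traffic-rate extended community is transitive
# experimental type 0x80, sub-type 0x06. Its 6-byte value is a 2-octet
# AS id followed by an IEEE 754 single-precision rate in bytes/second;
# a rate of 0 means all traffic matching the flow is to be discarded.
TRAFFIC_RATE_TYPE = 0x80
TRAFFIC_RATE_SUBTYPE = 0x06


def encode_traffic_rate(asn: int, rate_bytes_per_sec: float) -> bytes:
    """Build the 8-byte on-the-wire traffic-rate extended community."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("traffic-rate carries a 2-byte AS id")
    if rate_bytes_per_sec < 0:
        raise ValueError("rate must be non-negative")
    return struct.pack("!BBHf", TRAFFIC_RATE_TYPE, TRAFFIC_RATE_SUBTYPE,
                       asn, rate_bytes_per_sec)


def decode_traffic_rate(raw: bytes) -> dict:
    """Parse an 8-byte extended community, rejecting any other type."""
    if len(raw) != 8:
        raise ValueError("extended community must be exactly 8 bytes")
    etype, subtype, asn, rate = struct.unpack("!BBHf", raw)
    if (etype, subtype) != (TRAFFIC_RATE_TYPE, TRAFFIC_RATE_SUBTYPE):
        raise ValueError(f"not traffic-rate: type {etype:#04x}/{subtype:#04x}")
    return {"asn": asn, "rate_bytes_per_sec": rate,
            "action": "discard" if rate == 0 else "police"}


def classify_junos_community(text: str) -> dict:
    """Interpret a 'traffic-rate:<asn>:<rate>' string as printed by
    'show route table inetflow.0 extensive' (assumed to be bytes/s per the RFC)."""
    name, asn, rate = text.strip().split(":")
    if name != "traffic-rate":
        raise ValueError(f"unsupported community {name}")
    # Round-trip through the wire encoding so float semantics match the RFC.
    return decode_traffic_rate(encode_traffic_rate(int(asn), float(rate)))


if __name__ == "__main__":
    # First two values are from the route output in the thread; the third is constructed.
    for c in ("traffic-rate:52873:0", "traffic-rate:65000:0", "traffic-rate:65000:1250000"):
        print(c, "->", classify_junos_community(c))
```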

