Actually I think I'm confused, I'm just not accustomed to seeing other
than 0:0 as rate, but it may be that the first 0 doesn't matter.

I would verify 'show route flow validation detail' as well as verify
presence of policers if any (in PFE 'show filter counters').

I'd also look at the filter more closely at PFE:
- show filter (get the index)
- show filter index X program



On Sun, 18 Sept 2022 at 09:39, Saku Ytti <[email protected]> wrote:
>
> Are you exceeding the configured rate for the policer? Did you expect
> to drop at any rate? The rule sets a non-0 policing rate.
>
> On Sat, 17 Sept 2022 at 17:42, Gustavo Santos <[email protected]> wrote:
> >
> > Hi Saku,
> >
> > PS: Real ASN was changed to 65000 on the configuration snippet.
> >
> >
> >
> > show route table inetflow.0 extensive
> >
> > 1x8.2x8.84.34,*,proto=17,port=0/term:7 (1 entry, 1 announced)
> > TSI:
> > KRT in dfwd;
> > Action(s): discard,count
> > Page 0 idx 0, (group KENTIK_FS type Internal) Type 1 val 0x63b7c098 (adv_entry)
> >    Advertised metrics:
> >      Flags: NoNexthop
> >      Localpref: 100
> >      AS path: [65000 I
> >      Communities: traffic-rate:52873:0
> >     Advertise: 00000001
> > Path 1x8.2x8.84.34,*,proto=17,port=0
> > Vector len 4.  Val: 0
> >         *Flow   Preference: 5
> >                 Next hop type: Fictitious, Next hop index: 0
> >                 Address: 0x5214bfc
> >                 Next-hop reference count: 22
> >                 Next hop:
> >                 State: <Active SendNhToPFE>
> >                 Local AS: 52873
> >                 Age: 8w0d 20:30:33
> >                 Validation State: unverified
> >                 Task: RT Flow
> >                 Announcement bits (2): 0-Flow 1-BGP_RT_Background
> >                 AS path: I
> >                 Communities: traffic-rate:65000:0
> >
> > show firewall
> >
> > Filter: __flowspec_default_inet__
> > Counters:
> > Name                                                Bytes              Packets
> > 1x8.2x8.84.34,*,proto=17,port=0               19897391083            510189535
> >
> >
> > BGP Group
> >
> > {master}[edit protocols bgp group KENTIK_FS]
> > type internal;
> > hold-time 720;
> > mtu-discovery;
> > family inet {
> >     unicast;
> >     flow {
> >         no-validate flowspec-import;
> >         }
> >     }
> > }
> >
> >
> >
> > Import policy
> > {master}[edit]
> > gustavo@MX10K3# edit policy-options policy-statement flowspec-import
> >
> > {master}[edit policy-options policy-statement flowspec-import]
> > gustavo@MX10K3# show
> > term 1 {
> >     then accept;
> > }
> >
> > IP transit interface
> >
> > {master}[edit interfaces ae0 unit 10]
> > gustavo@MX10K3# show
> > vlan-id 10;
> > family inet {
> >     mtu 1500;
> >     filter {
> >         inactive: input ddos;
> >     }
> >     sampling {
> >         input;
> >     }
> >     address x.x.x.x.x/31;
> > }
> >
> >
> > On Sat, 17 Sep 2022 at 03:00, Saku Ytti <[email protected]> wrote:
> >>
> >> Can you provide some output.
> >>
> >> Like 'show route table inetflow.0 extensive' and config.
> >>
> >> On Sat, 17 Sept 2022 at 05:05, Gustavo Santos via juniper-nsp
> >> <[email protected]> wrote:
> >> >
> >> > Hi,
> >> >
> >> > We have noticed that flowspec is not working or filtering as expected.
> >> > Trying a DDoS detection and rule generator tool, and we noticed that the
> >> > flowspec rule is installed,
> >> > the filter counter is increasing, but no filtering at all.
> >> >
> >> > For example DDoS traffic from source port UDP port 123 is coming from an
> >> > Internet Transit
> >> > facing interface AE0.
> >> > The destination of this traffic is to a customer Interface ET-0/0/10.
> >> >
> >> > Even with all information and "show" commands confirming that the traffic
> >> > has been filtered, customer and snmp and netflow from the customer facing
> >> > interface is showing that the "filtered" traffic is hitting the 
> >> > destination.
> >> >
> >> > Is there any caveat or limitation or anyone hit this issue? I tried this
> >> > with two MX10003 routers one with 19.R3-xxx and the other one with 20.4R3
> >> > junos branch.
> >> >
> >> > Regards.
> >> > _______________________________________________
> >> > juniper-nsp mailing list [email protected]
> >> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>
> >>
> >>
> >> --
> >>   ++ytti
>
>
>
> --
>   ++ytti



-- 
  ++ytti
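The two checks Saku suggests at the top of the thread (that only the rate part of the traffic-rate community matters, and that a counting filter term still has to be verified on the PFE) as an added Python example; this is not code from the list. The samples are constructed from the output pasted in the thread, the "police" label for a non-zero rate is my own shorthand, and the second counter snapshot is invented.

```python
import re
# Constructed samples modeled on the thread's 'show route table inetflow.0
# extensive' and 'show firewall' output; addresses are the thread's placeholders.
ROUTE_OUTPUT = """\
1x8.2x8.84.34,*,proto=17,port=0/term:7 (1 entry, 1 announced)
Action(s): discard,count
                State: <Active SendNhToPFE>
                Communities: traffic-rate:65000:0
"""
COUNTER_T0 = "1x8.2x8.84.34,*,proto=17,port=0    19897391083    510189535"
COUNTER_T1 = "1x8.2x8.84.34,*,proto=17,port=0    19897512340    510192211"

def parse_traffic_rate(community):
    """traffic-rate:<asn>:<rate>. The rate is bytes/second and 0 means discard;
    the ASN field is informational (RFC 8955), so 65000:0 and 0:0 mean the same."""
    m = re.fullmatch(r"traffic-rate:(\d+):(\d+(?:\.\d+)?)", community)
    if not m:
        raise ValueError(f"not a traffic-rate community: {community}")
    rate = float(m.group(2))
    return {"asn": int(m.group(1)), "rate_bps": rate,
            "action": "discard" if rate == 0 else "police"}

def parse_flow_route(text):
    """Pull the fields worth checking out of the extensive route output."""
    grab = lambda pat: re.search(pat, text).group(1)
    return {"match": text.splitlines()[0].split("/term:")[0],
            "actions": grab(r"Action\(s\): (.+)").split(","),
            "state": grab(r"State: <([^>]+)>").split(),
            "traffic_rate": parse_traffic_rate(grab(r"(traffic-rate:\S+)"))}

def parse_counter(line):
    match, byts, pkts = line.split()
    return match, int(byts), int(pkts)

def check_flowspec_rule(route_text, counter_before, counter_after):
    """Return a list of findings; an empty list means the RIB view is consistent."""
    r, findings = parse_flow_route(route_text), []
    if r["traffic_rate"]["rate_bps"] == 0 and "discard" not in r["actions"]:
        findings.append("traffic-rate is 0 but RIB action is not discard")
    if "SendNhToPFE" not in r["state"]:
        findings.append("route is not marked for push to the PFE")
    m0, _, p0 = parse_counter(counter_before)
    m1, _, p1 = parse_counter(counter_after)
    if m0 != r["match"] or m1 != r["match"]:
        findings.append("filter term does not correspond to the route")
    elif p1 <= p0:
        findings.append("filter term is not matching any packets")
    # A rising counter only proves the term matched; confirm the drop on the PFE.
    return findings
```

An empty result for the thread's own output is the point: everything the RIB shows is consistent, so the gap has to be found with the PFE-side commands (show filter index X program, show filter counters).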