cgnv6 ddos-protection

Configure CGNV6 DDoS Protection

ddos-protection Specification

Type

Configuration Resource

Element Name

ddos-protection

Element URI

/axapi/v3/cgnv6/ddos-protection

Element Attributes

ddos-protection_attributes

Statistics Data URI

/axapi/v3/cgnv6/ddos-protection/stats

Schema

ddos-protection schema

Operations Allowed:

| Operation | Method | URI | Payload |
|---|---|---|---|
| Create Object | POST | /axapi/v3/cgnv6/ddos-protection | ddos-protection attributes |
| Get Object | GET | /axapi/v3/cgnv6/ddos-protection | ddos-protection attributes |
| Modify Object | POST | /axapi/v3/cgnv6/ddos-protection | ddos-protection attributes |
| Delete Object | DELETE | /axapi/v3/cgnv6/ddos-protection | ddos-protection attributes |

ddos-protection attributes

disable-nat-ip-by-bgp

Description: disable-nat-ip-by-bgp is a JSON Block. Please see below for disable-nat-ip-by-bgp

Type: Object

Reference Object: /axapi/v3/cgnv6/ddos-protection/disable-nat-ip-by-bgp

ip-entries

Description: ip-entries is a JSON Block. Please see below for ip-entries

Type: Object

Reference Object: /axapi/v3/cgnv6/ddos-protection/ip-entries

l4-entries

Description: l4-entries is a JSON Block. Please see below for l4-entries

Type: Object

Reference Object: /axapi/v3/cgnv6/ddos-protection/l4-entries

logging

Description: logging is a JSON Block. Please see below for logging

Type: Object

max-hw-entries

Description: Configure maximum HW entries

Type: number

Range: 0-262144

Default: 262144

packets-per-second

Description: packets-per-second is a JSON Block. Please see below for packets-per-second

Type: Object

syn-cookie

Description: syn-cookie is a JSON Block. Please see below for syn-cookie

Type: Object

toggle

Description: ‘enable’: Enable CGNV6 NAT pool DDoS protection (default); ‘disable’: Disable CGNV6 NAT pool DDoS protection

Type: string

Supported Values: enable, disable

Default: enable

uuid

Description: uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

zone

Description: Disable NAT IP based on DDoS zone name set in BGP

Type: string

Format: string-rlx

Maximum Length: 63 characters

Minimum Length: 1 character

logging

Specification

Type

object

enable-action

Description: ‘local’: Enable local logs only; ‘remote’: Enable logging to remote server & IPFIX; ‘both’: Enable both local & remote logs

Type: string

Supported Values: local, remote, both

Default: local

logging-action

Description: ‘enable’: Enable CGN DDoS protection logging; ‘disable’: Disable both local & remote CGN DDoS protection logging

Type: string

Supported Values: enable, disable

Default: enable

ip-entries

Specification

Type

object

uuid

Description: uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

disable-nat-ip-by-bgp

Specification

Type

object

uuid

Description: uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

l4-entries

Specification

Type

object

uuid

Description: uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

packets-per-second

Specification

Type

object

action

Description: action is a JSON Block. Please see below for packets-per-second_action

Type: Object

include-existing-session

Description: Count traffic associated with existing sessions toward the packets-per-second threshold (default: disabled)

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

ip

Description: Configure packets-per-second threshold per IP (default: 3000000)

Type: number

Range: 0-30000000

Default: 3000000

other

Description: Configure packets-per-second threshold for other L4 protocols (default: 10000)

Type: number

Range: 0-30000000

Default: 10000

tcp

Description: Configure packets-per-second threshold per TCP port (default: 3000)

Type: number

Range: 0-30000000

Default: 3000

udp

Description: Configure packets-per-second threshold per UDP port (default: 3000)

Type: number

Range: 0-30000000

Default: 3000

packets-per-second_action

Specification

Type

object

action-type

Description: ‘log’: Log the event only; ‘drop’: Log, and drop all packets (default); ‘redistribute-route’: Log, Drop, and Notify upstream router to reroute the packets

Type: string

Supported Values: log, drop, redistribute-route

Default: drop

expiration

Description: Time to wait before reverting the action after pps has decreased to below the threshold (expiration time in seconds; default is 3600 seconds)

Type: number

Range: 10-8640000

Default: 3600

remove-wait-timer

Description: Time after which IP will be removed from blackhole

Type: number

Range: 0-300

Default: 300

route-map

Description: Route map name

Type: string

Maximum Length: 128 characters

Minimum Length: 1 character

timer-multiply-max

Description: Maximum value of the timer multiplier for attacks that last a long time (default is 6)

Type: number

Range: 1-100

Default: 6
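
The ranges and supported values listed above can be checked before an attribute object is sent to /axapi/v3/cgnv6/ddos-protection. The following Python is an added example, not A10 code: validate(), the NUM/ENUM/WEAK tables and the sample dict are hypothetical names, and it takes the bare attribute object rather than a full request body. It also warns on values the page describes as disabling protection, disabling logging, or logging without dropping.

```python
# Added example (not vendor code): check ddos-protection attributes against
# the ranges and supported values documented above. Names are hypothetical.
PPS = "packets-per-second"
NUM = {(PPS, k): (0, 30000000) for k in ("ip", "other", "tcp", "udp")}
NUM.update({  # attribute path -> (min, max)
    ("max-hw-entries",): (0, 262144),
    (PPS, "action", "expiration"): (10, 8640000),
    (PPS, "action", "remove-wait-timer"): (0, 300),
    (PPS, "action", "timer-multiply-max"): (1, 100),
})
ENUM = {  # attribute path -> supported values
    ("toggle",): {"enable", "disable"},
    ("logging", "enable-action"): {"local", "remote", "both"},
    ("logging", "logging-action"): {"enable", "disable"},
    (PPS, "action", "action-type"): {"log", "drop", "redistribute-route"},
}
WEAK = {  # valid values that turn off protection, logging or dropping
    ("toggle",): "disable",
    ("logging", "logging-action"): "disable",
    (PPS, "action", "action-type"): "log",
}

def _leaves(obj, path=()):
    """Yield (path, value) for every non-object attribute."""
    for key, value in obj.items():
        if isinstance(value, dict):
            yield from _leaves(value, path + (key,))
        else:
            yield path + (key,), value

def validate(attrs):
    """Return (errors, warnings) for a ddos-protection attribute dict."""
    errors, warnings = [], []
    for path, value in _leaves(attrs):
        name = ".".join(path)
        if path in NUM:
            lo, hi = NUM[path]
            if type(value) is not int or not lo <= value <= hi:
                errors.append(f"{name}: {value!r} not in {lo}-{hi}")
        elif path in ENUM and value not in ENUM[path]:
            errors.append(f"{name}: {value!r} is not a supported value")
        elif path in WEAK and WEAK[path] == value:
            warnings.append(f"{name}: {value!r} reduces protection or visibility")
    return errors, warnings

# Constructed sample: one out-of-range threshold and a log-only action
SAMPLE = {"toggle": "enable", PPS: {"tcp": 50000000,
          "action": {"action-type": "log", "expiration": 3600}}}
print(validate(SAMPLE))
```
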

stats data

| Counter | Size | Description |
|---|---|---|
| ip_other_block_alloc | 8 | Other block alloc |
| l4_entry_list_alloc | 8 | L4 Entry list alloc |
| l3_entry_add_to_bgp_failure | 8 | L3 Entry BGP add failures |
| ip_node_free | 8 | Node free |
| l4_entry_added | 8 | L4 Entry added |
| l4_hw_out_of_entries | 8 | HW out of L4 entries |
| l4_entry_list_free | 8 | L4 Entry list free |
| l4_entry_added_to_hw | 8 | L4 Entry added to HW |
| syn_cookie_verification_failed | 8 | SYN cookie verification failed |
| ip_node_alloc | 8 | Node alloc |
| l3_entry_match_drop_hw | 8 | L3 HW entry match drop |
| l4_entry_deleted | 8 | L4 Entry deleted |
| l3_entry_remove_from_bgp_failure | 8 | L3 entry BGP remove failures |
| l3_entry_removed_from_hw | 8 | L3 Entry removed from HW |
| l3_entry_deleted | 8 | L3 Entry Deleted |
| l3_entry_removed_from_bgp | 8 | Entry removed from BGP |
| l3_entry_too_many | 8 | L3 Too many entries |
| l3_entry_match_drop | 8 | L3 Entry match drop |
| syn_cookie_verification_passed | 8 | SYN cookie verification passed |
| l3_entry_drop_max_hw_exceeded | 8 | L3 Entry Drop due to HW Limit Exceeded |
| l4_entry_match_drop | 8 | L4 Entry match drop |
| ip_port_block_free | 8 | Port block free |
| entry_invalidated | 8 | Entry invalidated |
| l4_entry_drop_max_hw_exceeded | 8 | L4 Entry Drop due to HW Limit Exceeded |
| l3_entry_add_to_hw_failure | 8 | L3 entry HW add failure |
| ip_other_block_alloc_failure | 8 | Other block alloc failure |
| ip_port_block_alloc | 8 | Port block alloc |
| syn_cookie_syn_ack_sent | 8 | SYN cookie SYN ACK sent |
| l3_entry_added_to_hw | 8 | L3 Entry added to HW |
| l4_entry_list_alloc_failure | 8 | L4 Entry list alloc failures |
| ip_other_block_free | 8 | Other block free |
| l4_entry_match_drop_hw | 8 | L4 HW Entry match drop |
| l3_entry_added | 8 | L3 Entry Added |
| entry_added_shadow | 8 | Entry added shadow |
| l4_entry_removed_from_hw | 8 | L4 Entry removed from HW |
| l3_entry_added_to_bgp | 8 | L3 Entry added to BGP |
| ip_port_block_alloc_failure | 8 | Port block alloc failure |
| ip_node_alloc_failure | 8 | Node alloc failures |