.. _cgnv6_ddos_protection:

cgnv6 ddos-protection
=====================

Configure CGNV6 DDoS Protection

ddos-protection Specification
-----------------------------

===================================== ==============================================================
**Type**                              *Configuration Resource*
**Element Name**                      ddos-protection
**Element URI**                       /axapi/v3/cgnv6/ddos-protection
**Element Attributes**                ddos-protection_attributes
**Statistics Data URI**               /axapi/v3/cgnv6/ddos-protection/stats
**Schema**                            :download:`ddos-protection schema `
===================================== ==============================================================

**Operations Allowed:**

.. list-table::
   :header-rows: 1

   * - Operation
     - Method
     - URI
     - Payload
   * - Create Object
     - POST
     - /axapi/v3/cgnv6/ddos-protection
     - :ref:`157_ddos-protection_attributes`
   * - Get Object
     - GET
     - /axapi/v3/cgnv6/ddos-protection
     - :ref:`157_ddos-protection_attributes`
   * - Modify Object
     - POST
     - /axapi/v3/cgnv6/ddos-protection
     - :ref:`157_ddos-protection_attributes`
   * - Delete Object
     - DELETE
     - /axapi/v3/cgnv6/ddos-protection
     - :ref:`157_ddos-protection_attributes`

.. _157_ddos-protection_attributes:

ddos-protection attributes
--------------------------

**disable-nat-ip-by-bgp**

    **Description:** disable-nat-ip-by-bgp is a **JSON Block**. Please see below for :ref:`157_disable-nat-ip-by-bgp`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/cgnv6/ddos-protection/disable-nat-ip-by-bgp `

**enable-action**

    **Description** 'local': Enable local logs only; 'remote': Enable logging to remote server & IPFIX; 'both': Enable both local & remote logs;

    **Type:** string

    **Supported Values:** local, remote, both

    **Default:** local

**ip-entries**

    **Description:** ip-entries is a **JSON Block**. Please see below for :ref:`157_ip-entries`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/cgnv6/ddos-protection/ip-entries `

**l4-entries**

    **Description:** l4-entries is a **JSON Block**. Please see below for :ref:`157_l4-entries`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/cgnv6/ddos-protection/l4-entries `

**logging-action**

    **Description** 'enable': enable CGN DDoS protection logging; 'disable': Disable both local & remote CGN DDoS protection logging;

    **Type:** string

    **Supported Values:** enable, disable

    **Default:** enable

**max-hw-entries**

    **Description** Configure maximum HW entries

    **Type:** number

    **Range:** 0-262144

    **Default:** 262144

**packets-per-second**

    **Description:** packets-per-second is a **JSON Block**. Please see below for :ref:`157_packets-per-second`

    **Type:** Object

**sampling-enable**

    **Type:** List

**syn-cookie**

    **Description:** syn-cookie is a **JSON Block**. Please see below for :ref:`157_syn-cookie`

    **Type:** Object

**toggle**

    **Description** 'enable': Enable CGNV6 NAT pool DDoS protection (default); 'disable': Disable CGNV6 NAT pool DDoS protection;

    **Type:** string

    **Supported Values:** enable, disable

    **Default:** enable

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

**zone**

    **Description** Disable NAT IP based on DDoS zone name set in BGP

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Maximum Length:** 1 characters

.. _157_sampling-enable:

sampling-enable
^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**counters1**

    **Description** 'all': all; 'entry_added': Entry Added; 'entry_deleted': Entry Deleted; 'entry_added_to_hw': Entry added to HW; 'entry_removed_from_hw': Entry Removed From HW; 'hw_out_of_entries': HW out of Entries; 'entry_match_drop': Entry Match Drop; 'entry_match_drop_hw': HW Entry Match Drop; 'entry_list_alloc': Entry List Alloc; 'entry_list_free': Entry List Alloc Free; 'entry_list_alloc_failure': Entry List Alloc Failure; 'ip_node_alloc': Node Alloc; 'ip_node_free': Node Free; 'ip_node_alloc_failure': Node Alloc Failure; 'ip_port_block_alloc': Port Block Alloc; 'ip_port_block_free': Port Block Free; 'ip_port_block_alloc_failure': Port Block Alloc Failure; 'ip_other_block_alloc': Other Block Alloc; 'ip_other_block_free': Other Block Free; 'ip_other_block_alloc_failure': Other Block Alloc Failure; 'entry_added_shadow': Entry Added Shadow; 'entry_invalidated': Entry Invalidated;

    **Type:** string

    **Supported Values:** all, l3_entry_added, l3_entry_deleted, l3_entry_added_to_bgp, l3_entry_removed_from_bgp, l3_entry_added_to_hw, l3_entry_removed_from_hw, l3_entry_too_many, l3_entry_match_drop, l3_entry_match_drop_hw, l3_entry_drop_max_hw_exceeded, l4_entry_added, l4_entry_deleted, l4_entry_added_to_hw, l4_entry_removed_from_hw, l4_hw_out_of_entries, l4_entry_match_drop, l4_entry_match_drop_hw, l4_entry_drop_max_hw_exceeded, l4_entry_list_alloc, l4_entry_list_free, l4_entry_list_alloc_failure, ip_node_alloc, ip_node_free, ip_node_alloc_failure, ip_port_block_alloc, ip_port_block_free, ip_port_block_alloc_failure, ip_other_block_alloc, ip_other_block_free, ip_other_block_alloc_failure, entry_added_shadow, entry_invalidated, l3_entry_add_to_bgp_failure, l3_entry_remove_from_bgp_failure, l3_entry_add_to_hw_failure, syn_cookie_syn_ack_sent, syn_cookie_verification_passed, syn_cookie_verification_failed, syn_cookie_conn_setup_failed

.. _157_ip-entries:

ip-entries
^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

.. _157_disable-nat-ip-by-bgp:

disable-nat-ip-by-bgp
^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

.. _157_l4-entries:

l4-entries
^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

.. _157_packets-per-second:

packets-per-second
^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**action**

    **Description:** action is a **JSON Block**. Please see below for :ref:`157_packets-per-second_action`

    **Type:** Object

**include-existing-session**

    **Description** Count traffic associated with existing session into the packets-per-second (Default: Disabled)

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**ip**

    **Description** Configure packets-per-second threshold per IP(default 3000000)

    **Type:** number

    **Range:** 0-30000000

    **Default:** 3000000

**other**

    **Description** Configure packets-per-second threshold for other L4 protocols(default 10000)

    **Type:** number

    **Range:** 0-30000000

    **Default:** 10000

**other-action**

    **Description:** other-action is a **JSON Block**. Please see below for :ref:`157_packets-per-second_other-action`

    **Type:** Object

**tcp**

    **Description** Configure packets-per-second threshold per TCP port (default: 3000)

    **Type:** number

    **Range:** 0-30000000

    **Default:** 3000

**tcp-action**

    **Description:** tcp-action is a **JSON Block**. Please see below for :ref:`157_packets-per-second_tcp-action`

    **Type:** Object

**udp**

    **Description** Configure packets-per-second threshold per UDP port (default: 3000)

    **Type:** number

    **Range:** 0-30000000

    **Default:** 3000

**udp-action**

    **Description:** udp-action is a **JSON Block**. Please see below for :ref:`157_packets-per-second_udp-action`

    **Type:** Object

.. _157_packets-per-second_other-action:

packets-per-second_other-action
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**other-action-type**

    **Description** 'log': Log the event only; 'drop': Log, and drop all packets (default);

    **Type:** string

    **Supported Values:** log, drop

    **Default:** drop

**other-expiration**

    **Description** To specify time to revert the action after pps is decreased to below threshold (Expiration time, in seconds (default is 30 seconds))

    **Type:** number

    **Range:** 10-65535

    **Default:** 30

.. _157_packets-per-second_udp-action:

packets-per-second_udp-action
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**udp-action-type**

    **Description** 'log': Log the event only; 'drop': Log, and drop all packets (default);

    **Type:** string

    **Supported Values:** log, drop

    **Default:** drop

**udp-expiration**

    **Description** To specify time to revert the action after pps is decreased to below threshold (Expiration time, in seconds (default is 30 seconds))

    **Type:** number

    **Range:** 10-65535

    **Default:** 30

.. _157_packets-per-second_tcp-action:

packets-per-second_tcp-action
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**tcp-action-type**

    **Description** 'log': Log the event only; 'drop': Log, and drop all packets (default);

    **Type:** string

    **Supported Values:** log, drop

    **Default:** drop

**tcp-expiration**

    **Description** To specify time to revert the action after pps is decreased to below threshold (Expiration time, in seconds (default is 30 seconds))

    **Type:** number

    **Range:** 10-65535

    **Default:** 30

.. _157_packets-per-second_action:

packets-per-second_action
^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**action-type**

    **Description** 'log': Log the event only; 'drop': Log, and drop all packets (default); 'redistribute-route': Log, Drop, and Notify upstream router to reroute the packets;

    **Type:** string

    **Supported Values:** log, drop, redistribute-route

    **Default:** drop

**expiration**

    **Description** To specify time to revert the action after pps is decreased to below threshold (Expiration time, in seconds (default is 3600 seconds))

    **Type:** number

    **Range:** 10-8640000

    **Default:** 3600

**remove-wait-timer**

    **Description** Time after which IP will be removed from blackhole

    **Type:** number

    **Range:** 0-300

    **Default:** 300

**route-map**

    **Description** Route map name

    **Type:** string

    **Maximum Length:** 128 characters

    **Maximum Length:** 1 characters

**timer-multiply-max**

    **Description** To specify max value of timer multiplier for attacks lasted long time (Max value of timer multiplier (default is 6))

    **Type:** number

    **Range:** 1-100

    **Default:** 6

.. _157_syn-cookie:

syn-cookie
^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**syn-cookie-enable**

    **Description** Enable CGNv6 Syn-Cookie Protection

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**syn-cookie-on-threshold**

    **Description** on-threshold for Syn-cookie (Decimal number)

    **Type:** number

    **Range:** 1-1000000

**syn-cookie-on-timeout**

    **Description** on-timeout for Syn-cookie (Timeout in seconds, default is 120 seconds (2 minutes))

    **Type:** number

    **Range:** 1-300000

    **Default:** 120

.. _157_stats_data:

stats data
----------

.. list-table::
   :widths: 10 20 30 80
   :header-rows: 2
   :stub-columns: 1

   * -
     - Counter
     - Size
     - Description
   * -
     -
     -
     -
   * -
     - ip_other_block_alloc
     - 8
     - Other block alloc
   * -
     - l4_entry_list_alloc
     - 8
     - L4 Entry list alloc
   * -
     - l3_entry_add_to_bgp_failure
     - 8
     - L3 Entry BGP add failures
   * -
     - ip_node_free
     - 8
     - Node free
   * -
     - l4_entry_added
     - 8
     - L4 Entry added
   * -
     - l4_hw_out_of_entries
     - 8
     - HW out of L4 entries
   * -
     - l4_entry_list_free
     - 8
     - L4 Entry list free
   * -
     - l4_entry_added_to_hw
     - 8
     - L4 Entry added to HW
   * -
     - syn_cookie_verification_failed
     - 8
     - SYN cookie verification failed
   * -
     - ip_node_alloc
     - 8
     - Node alloc
   * -
     - l3_entry_match_drop_hw
     - 8
     - L3 HW entry match drop
   * -
     - l4_entry_deleted
     - 8
     - L4 Entry deleted
   * -
     - l3_entry_remove_from_bgp_failure
     - 8
     - L3 entry BGP remove failures
   * -
     - l3_entry_removed_from_hw
     - 8
     - L3 Entry removed from HW
   * -
     - l3_entry_deleted
     - 8
     - L3 Entry Deleted
   * -
     - l3_entry_removed_from_bgp
     - 8
     - Entry removed from BGP
   * -
     - l3_entry_too_many
     - 8
     - L3 Too many entries
   * -
     - l3_entry_match_drop
     - 8
     - L3 Entry match drop
   * -
     - syn_cookie_verification_passed
     - 8
     - SYN cookie verification passed
   * -
     - l3_entry_drop_max_hw_exceeded
     - 8
     - L3 Entry Drop due to HW Limit Exceeded
   * -
     - l4_entry_match_drop
     - 8
     - L4 Entry match drop
   * -
     - ip_port_block_free
     - 8
     - Port block free
   * -
     - entry_invalidated
     - 8
     - Entry invalidated
   * -
     - l4_entry_drop_max_hw_exceeded
     - 8
     - L4 Entry Drop due to HW Limit Exceeded
   * -
     - l3_entry_add_to_hw_failure
     - 8
     - L3 entry HW add failure
   * -
     - ip_other_block_alloc_failure
     - 8
     - Other block alloc failure
   * -
     - ip_port_block_alloc
     - 8
     - Port block alloc
   * -
     - syn_cookie_syn_ack_sent
     - 8
     - SYN cookie SYN ACK sent
   * -
     - l3_entry_added_to_hw
     - 8
     - L3 Entry added to HW
   * -
     - l4_entry_list_alloc_failure
     - 8
     - L4 Entry list alloc failures
   * -
     - ip_other_block_free
     - 8
     - Other block free
   * -
     - l4_entry_match_drop_hw
     - 8
     - L4 HW Entry match drop
   * -
     - l3_entry_added
     - 8
     - L3 Entry Added
   * -
     - entry_added_shadow
     - 8
     - Entry added shadow
   * -
     - l4_entry_removed_from_hw
     - 8
     - L4 Entry removed from HW
   * -
     - l3_entry_added_to_bgp
     - 8
     - L3 Entry added to BGP
   * -
     - ip_port_block_alloc_failure
     - 8
     - Port block alloc failure
   * -
     - ip_node_alloc_failure
     - 8
     - Node alloc failures
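
The following Python check is an added example, not part of the A10 reference or its tooling. It audits a candidate ``ddos-protection`` request body against the ranges, supported values and defaults listed in the attribute sections above, and reports values that are valid but weaker than the documented default. The top-level ``ddos-protection`` wrapper key, the function names and the sample payload are assumptions made for illustration.

```python
# Added example: constraints transcribed from the attribute tables on this page.
PPS = "packets-per-second"
RANGES = {  # key path -> (min, max)
    ("max-hw-entries",): (0, 262144),
    (PPS, "ip"): (0, 30000000),
    (PPS, "action", "expiration"): (10, 8640000),
    ("syn-cookie", "syn-cookie-on-threshold"): (1, 1000000),
    ("syn-cookie", "syn-cookie-on-timeout"): (1, 300000),
}
ENUMS = {  # key path -> (supported values, documented default)
    ("toggle",): ({"enable", "disable"}, "enable"),
    ("logging-action",): ({"enable", "disable"}, "enable"),
    ("enable-action",): ({"local", "remote", "both"}, "local"),
    (PPS, "action", "action-type"): ({"log", "drop", "redistribute-route"}, "drop"),
}
for p in ("tcp", "udp", "other"):  # the three per-protocol blocks share one shape
    RANGES[(PPS, p)] = (0, 30000000)
    RANGES[(PPS, f"{p}-action", f"{p}-expiration")] = (10, 65535)
    ENUMS[(PPS, f"{p}-action", f"{p}-action-type")] = ({"log", "drop"}, "drop")
WEAKER = {"disable", "log"}  # supported, but less protection or visibility than default

def lookup(cfg, path):
    """Follow a key path through nested dicts; None if any step is absent."""
    for key in path:
        if not isinstance(cfg, dict) or key not in cfg:
            return None
        cfg = cfg[key]
    return cfg

def audit(payload):
    """Return sorted (kind, dotted path, value) findings for a ddos-protection body."""
    cfg = payload.get("ddos-protection", {})  # wrapper key is an assumption
    found = []
    for path, (lo, hi) in RANGES.items():
        val = lookup(cfg, path)
        in_range = type(val) is int and lo <= val <= hi  # bool is not accepted
        if val is not None and not in_range:
            found.append(("out-of-range", ".".join(path), val))
    for path, (allowed, default) in ENUMS.items():
        val = lookup(cfg, path)
        if val is not None and (not isinstance(val, str) or val not in allowed):
            found.append(("unsupported-value", ".".join(path), val))
        elif val in WEAKER and val != default:
            found.append(("weaker-than-default", ".".join(path), val))
    return sorted(found, key=lambda f: f[:2])

# Constructed sample: TCP floods only logged, logging off, two values outside range.
WEAK = {"ddos-protection": {"logging-action": "disable", PPS: {
    "tcp": 50000000, "tcp-action": {"tcp-action-type": "log", "tcp-expiration": 5}}}}
```

Attributes omitted from a body produce no finding, since the documented default then applies.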