cgnv6 ddos-protection
Configure CGNV6 DDoS Protection
ddos-protection Specification
Parameter | Value |
---|---|
Type | Configuration Resource |
Element Name | ddos-protection |
Element URI | /axapi/v3/cgnv6/ddos-protection |
Element Attributes | ddos-protection_attributes |
Partition Visibility | shared |
Statistics Data URI | /axapi/v3/cgnv6/ddos-protection/stats |
Schema | ddos-protection schema |
Operations Allowed:
Operation | Method | URI | Payload |
---|---|---|---|
Create Object | POST | /axapi/v3/cgnv6/ddos-protection | |
Get Object | GET | /axapi/v3/cgnv6/ddos-protection | |
Modify Object | POST | /axapi/v3/cgnv6/ddos-protection | |
Delete Object | DELETE | /axapi/v3/cgnv6/ddos-protection | |
ddos-protection attributes
disable-nat-ip-by-bgp
Description: disable-nat-ip-by-bgp is a JSON Block. Please see below for disable-nat-ip-by-bgp
Type: Object
Reference Object: /axapi/v3/cgnv6/ddos-protection/disable-nat-ip-by-bgp
enable-action
Description: ‘local’: Enable local logs only; ‘remote’: Enable logging to remote server & IPFIX; ‘both’: Enable both local & remote logs;
Type: string
Supported Values: local, remote, both
Default: local
ip-entries
Description: ip-entries is a JSON Block. Please see below for ip-entries
Type: Object
Reference Object: /axapi/v3/cgnv6/ddos-protection/ip-entries
l4-entries
Description: l4-entries is a JSON Block. Please see below for l4-entries
Type: Object
Reference Object: /axapi/v3/cgnv6/ddos-protection/l4-entries
logging-action
Description: ‘enable’: Enable CGN DDoS protection logging; ‘disable’: Disable both local & remote CGN DDoS protection logging;
Type: string
Supported Values: enable, disable
Default: enable
max-hw-entries
Description: Configure maximum HW entries
Type: number
Range: 0-262144
Default: 262144
packets-per-second
Description: packets-per-second is a JSON Block. Please see below for packets-per-second
Type: Object
sampling-enable
Type: List
syn-cookie
Description: syn-cookie is a JSON Block. Please see below for syn-cookie
Type: Object
toggle
Description: ‘enable’: Enable CGNV6 NAT pool DDoS protection (default); ‘disable’: Disable CGNV6 NAT pool DDoS protection;
Type: string
Supported Values: enable, disable
Default: enable
uuid
Description: uuid of the object
Type: string
Maximum Length: 64 characters
Minimum Length: 1 character
zone
Description: Disable NAT IP based on DDoS zone name set in BGP
Type: string
Format: string-rlx
Maximum Length: 63 characters
Minimum Length: 1 character
sampling-enable
Specification | Value |
---|---|
Type | list |
Block object keys | |
counters1
Description ‘all’: all; ‘l3_entry_added’: L3 Entry Added; ‘l3_entry_deleted’: L3 Entry Deleted; ‘l3_entry_added_to_bgp’: L3 Entry added to BGP; ‘l3_entry_removed_from_bgp’: Entry removed from BGP; ‘l3_entry_added_to_hw’: L3 Entry added to HW; ‘l3_entry_removed_from_hw’: L3 Entry removed from HW; ‘l3_entry_too_many’: L3 Too many entries; ‘l3_entry_match_drop’: L3 Entry match drop; ‘l3_entry_match_drop_hw’: L3 HW entry match drop; ‘l3_entry_drop_max_hw_exceeded’: L3 Entry Drop due to HW Limit Exceeded; ‘l4_entry_added’: L4 Entry added; ‘l4_entry_deleted’: L4 Entry deleted; ‘l4_entry_added_to_hw’: L4 Entry added to HW; ‘l4_entry_removed_from_hw’: L4 Entry removed from HW; ‘l4_hw_out_of_entries’: HW out of L4 entries; ‘l4_entry_match_drop’: L4 Entry match drop; ‘l4_entry_match_drop_hw’: L4 HW Entry match drop; ‘l4_entry_drop_max_hw_exceeded’: L4 Entry Drop due to HW Limit Exceeded; ‘l4_entry_list_alloc’: L4 Entry list alloc; ‘l4_entry_list_free’: L4 Entry list free; ‘l4_entry_list_alloc_failure’: L4 Entry list alloc failures; ‘ip_node_alloc’: Node alloc; ‘ip_node_free’: Node free; ‘ip_node_alloc_failure’: Node alloc failures; ‘ip_port_block_alloc’: Port block alloc; ‘ip_port_block_free’: Port block free; ‘ip_port_block_alloc_failure’: Port block alloc failure; ‘ip_other_block_alloc’: Other block alloc; ‘ip_other_block_free’: Other block free; ‘ip_other_block_alloc_failure’: Other block alloc failure; ‘entry_added_shadow’: Entry added shadow; ‘entry_invalidated’: Entry invalidated; ‘l3_entry_add_to_bgp_failure’: L3 Entry BGP add failures; ‘l3_entry_remove_from_bgp_failure’: L3 entry BGP remove failures; ‘l3_entry_add_to_hw_failure’: L3 entry HW add failure; ‘syn_cookie_syn_ack_sent’: SYN cookie SYN ACK sent; ‘syn_cookie_verification_passed’: SYN cookie verification passed; ‘syn_cookie_verification_failed’: SYN cookie verification failed; ‘syn_cookie_conn_setup_failed’: SYN cookie connection setup failed;
Type: string
Supported Values: all, l3_entry_added, l3_entry_deleted, l3_entry_added_to_bgp, l3_entry_removed_from_bgp, l3_entry_added_to_hw, l3_entry_removed_from_hw, l3_entry_too_many, l3_entry_match_drop, l3_entry_match_drop_hw, l3_entry_drop_max_hw_exceeded, l4_entry_added, l4_entry_deleted, l4_entry_added_to_hw, l4_entry_removed_from_hw, l4_hw_out_of_entries, l4_entry_match_drop, l4_entry_match_drop_hw, l4_entry_drop_max_hw_exceeded, l4_entry_list_alloc, l4_entry_list_free, l4_entry_list_alloc_failure, ip_node_alloc, ip_node_free, ip_node_alloc_failure, ip_port_block_alloc, ip_port_block_free, ip_port_block_alloc_failure, ip_other_block_alloc, ip_other_block_free, ip_other_block_alloc_failure, entry_added_shadow, entry_invalidated, l3_entry_add_to_bgp_failure, l3_entry_remove_from_bgp_failure, l3_entry_add_to_hw_failure, syn_cookie_syn_ack_sent, syn_cookie_verification_passed, syn_cookie_verification_failed, syn_cookie_conn_setup_failed
ip-entries
Specification | Value |
---|---|
Type | object |
uuid
Description: uuid of the object
Type: string
Maximum Length: 64 characters
Minimum Length: 1 character
disable-nat-ip-by-bgp
Specification | Value |
---|---|
Type | object |
uuid
Description: uuid of the object
Type: string
Maximum Length: 64 characters
Minimum Length: 1 character
l4-entries
Specification | Value |
---|---|
Type | object |
uuid
Description: uuid of the object
Type: string
Maximum Length: 64 characters
Minimum Length: 1 character
packets-per-second
Specification | Value |
---|---|
Type | object |
action
Description: action is a JSON Block. Please see below for packets-per-second_action
Type: Object
include-existing-session
Description: Count traffic associated with an existing session toward packets-per-second (Default: Disabled)
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
ip
Description: Configure packets-per-second threshold per IP (default: 3000000)
Type: number
Range: 0-30000000
Default: 3000000
other
Description: Configure packets-per-second threshold for other L4 protocols (default: 10000)
Type: number
Range: 0-30000000
Default: 10000
other-action
Description: other-action is a JSON Block. Please see below for packets-per-second_other-action
Type: Object
tcp
Description: Configure packets-per-second threshold per TCP port (default: 3000)
Type: number
Range: 0-30000000
Default: 3000
tcp-action
Description: tcp-action is a JSON Block. Please see below for packets-per-second_tcp-action
Type: Object
udp
Description: Configure packets-per-second threshold per UDP port (default: 3000)
Type: number
Range: 0-30000000
Default: 3000
udp-action
Description: udp-action is a JSON Block. Please see below for packets-per-second_udp-action
Type: Object
packets-per-second_other-action
Specification | Value |
---|---|
Type | object |
other-action-type
Description: ‘log’: Log the event only; ‘drop’: Log, and drop all packets (default);
Type: string
Supported Values: log, drop
Default: drop
other-expiration
Description: Time after which the action is reverted once pps has decreased below the threshold (expiration time, in seconds; default is 30 seconds)
Type: number
Range: 10-65535
Default: 30
packets-per-second_udp-action
Specification | Value |
---|---|
Type | object |
udp-action-type
Description: ‘log’: Log the event only; ‘drop’: Log, and drop all packets (default);
Type: string
Supported Values: log, drop
Default: drop
udp-expiration
Description: Time after which the action is reverted once pps has decreased below the threshold (expiration time, in seconds; default is 30 seconds)
Type: number
Range: 10-65535
Default: 30
packets-per-second_tcp-action
Specification | Value |
---|---|
Type | object |
tcp-action-type
Description: ‘log’: Log the event only; ‘drop’: Log, and drop all packets (default);
Type: string
Supported Values: log, drop
Default: drop
tcp-expiration
Description: Time after which the action is reverted once pps has decreased below the threshold (expiration time, in seconds; default is 30 seconds)
Type: number
Range: 10-65535
Default: 30
packets-per-second_action
Specification | Value |
---|---|
Type | object |
action-type
Description: ‘log’: Log the event only; ‘drop’: Log, and drop all packets (default); ‘redistribute-route’: Log, Drop, and Notify upstream router to reroute the packets;
Type: string
Supported Values: log, drop, redistribute-route
Default: drop
expiration
Description: Time after which the action is reverted once pps has decreased below the threshold (expiration time, in minutes; default is 3600 seconds)
Type: number
Range: 10-8640000
Default: 3600
expiration-route
Description: Time after which the action is reverted once pps has decreased below the threshold (expiration time, in seconds; default is 3600 seconds)
Type: number
Range: 10-8640000
Default: 3600
forward
Description: Continue forwarding traffic
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
remove-wait-timer
Description: Time after which the IP will be removed from the blackhole
Type: number
Range: 0-300
Default: 300
route-map
Description: Route map name
Type: string
Maximum Length: 128 characters
Minimum Length: 1 character
timer-multiply-max
Description: Maximum value of the timer multiplier for long-lasting attacks (default is 6)
Type: number
Range: 1-100
Default: 6
syn-cookie
Specification | Value |
---|---|
Type | object |
syn-cookie-enable
Description: Enable CGNv6 Syn-Cookie Protection
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
syn-cookie-on-threshold
Description: on-threshold for Syn-cookie (Decimal number)
Type: number
Range: 1-1000000
syn-cookie-on-timeout
Description: on-timeout for Syn-cookie (Timeout in seconds, default is 120 seconds (2 minutes))
Type: number
Range: 1-300000
Default: 120
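The defaults, supported values and ranges listed above can be checked mechanically. The Python below is an added example, not A10 code: it audits the parsed JSON body of a GET on /axapi/v3/cgnv6/ddos-protection and reports values outside the documented range or enum ("invalid") and settings weaker than the documented defaults ("review": protection or logging disabled, a log-only action, or a packets-per-second threshold raised above its default). The top-level "ddos-protection" wrapper key, the function names and the sample values are assumptions.

```python
# Added example (not vendor code): audit a cgnv6 ddos-protection object against
# this page. SPEC rows: (path, documented default, enum set or inclusive range).
PPS = ("packets-per-second",)
SPEC = [
    (("toggle",), "enable", {"enable", "disable"}),
    (("logging-action",), "enable", {"enable", "disable"}),
    (("enable-action",), "local", {"local", "remote", "both"}),
    (("max-hw-entries",), 262144, (0, 262144)),
    (PPS + ("ip",), 3000000, (0, 30000000)),
    (PPS + ("action", "action-type"), "drop", {"log", "drop", "redistribute-route"}),
]
for proto, pps in (("tcp", 3000), ("udp", 3000), ("other", 10000)):
    SPEC += [
        (PPS + (proto,), pps, (0, 30000000)),
        (PPS + (proto + "-action", proto + "-action-type"), "drop", {"log", "drop"}),
        (PPS + (proto + "-action", proto + "-expiration"), 30, (10, 65535)),
    ]

def lookup(obj, path, default):
    """Walk nested dicts; an absent key means the documented default applies."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def audit(config):
    """Return (severity, attribute, value) findings for one configuration."""
    body = config.get("ddos-protection", config)  # assumed response wrapper key
    findings = []
    for path, default, allowed in SPEC:
        name, value = ".".join(path), lookup(body, path, default)
        if isinstance(allowed, set):
            valid = isinstance(value, str) and value in allowed
        else:  # type() check rejects booleans, which Python treats as ints
            valid = type(value) is int and allowed[0] <= value <= allowed[1]
        weakened = value == "disable" or (path[-1].endswith("action-type") and value == "log")
        raised = path[-1] in ("ip", "tcp", "udp", "other") and valid and value > default
        if not valid:
            findings.append(("invalid", name, value))
        elif weakened or raised:
            findings.append(("review", name, value))
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = {"ddos-protection": {"toggle": "enable", "logging-action": "disable",
          "max-hw-entries": 300000, "packets-per-second": {"tcp": 50000,
          "udp-action": {"udp-action-type": "log", "udp-expiration": 5}}}}
```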