.. _cgnv6_ddos_protection:

cgnv6 ddos-protection
=====================

Configure CGNV6 DDoS Protection

ddos-protection Specification
-----------------------------

===================================== ==============================================================
**Parameter**                         **Value**
===================================== ==============================================================
**Type**                              *Configuration Resource*
**Element Name**                      ddos-protection
**Element URI**                       /axapi/v3/cgnv6/ddos-protection
**Element Attributes**                ddos-protection_attributes
**Partition Visibility**              shared
**Statistics Data URI**               /axapi/v3/cgnv6/ddos-protection/stats
**Schema**                            :download:`ddos-protection schema <cgnv6-ddos-protection/cgnv6-ddos-protection.txt>`
===================================== ==============================================================

**Operations Allowed:**

.. raw:: html

    <script type="text/javascript">
    function showExample(a,b) {
        document.getElementById(a+'_div').style.display = 'block';
        document.getElementById(a+'_cl').style.display = 'block';
        document.getElementById(a+'_eg').style.display = 'none';}
    function closeExample(a,b) {
        document.getElementById(a+'_div').style.display = 'none';
        document.getElementById(a+'_cl').style.display = 'none';
        document.getElementById(a+'_eg').style.display = 'block';}
    </script>

    <table width='90%' style='margin-left:5%'>

.. raw:: html

    <tr style='border-bottom: thin solid; border-top: thin solid'><th width=15%>Operation</th><th width=10%>Method</th><th>URI</th><th width=15%>Payload</th><th width=10%></th></tr>

.. raw:: html

    <tr style='border-bottom: thin solid;'><td valign = 'top'>

Create Object

.. raw:: html

    </td><td valign = 'top'>

POST

.. raw:: html

    </td><td valign = 'top'>

/axapi/v3/cgnv6/ddos-protection

.. raw:: html

    </td><td valign = 'top'>

:ref:`242_ddos-protection_attributes`

.. raw:: html

    </td><td><button id='post_eg' onClick="showExample('post')">example</button> <button id='post_cl' onClick="closeExample('post')" style='display:none'>close</button></td></tr>

.. raw:: html

    <tr><td colspan=5 style='padding: 0 % 0 %;' valign = 'top'><div id='post_div' style='display:none'>

.. include:: ../artifacts/cgnv6_ddos_protection_POST.txt
    :literal:

.. raw:: html

    </div></td></tr>

.. raw:: html

    <tr style='border-bottom: thin solid;'><td valign = 'top'>

Get Object

.. raw:: html

    </td><td valign = 'top'>

GET

.. raw:: html

    </td><td valign = 'top'>

/axapi/v3/cgnv6/ddos-protection

.. raw:: html

    </td><td valign = 'top'>

:ref:`242_ddos-protection_attributes`

.. raw:: html

    </td><td><button id='get_eg' onClick="showExample('get')">example</button> <button id='get_cl' onClick="closeExample('get')" style='display:none'>close</button></td></tr>

.. raw:: html

    <tr><td colspan=5 style='padding: 0 % 0 %;' valign = 'top'><div id='get_div' style='display:none'>

.. include:: ../artifacts/cgnv6_ddos_protection_GET.txt
    :literal:

.. raw:: html

    </div></td></tr>

.. raw:: html

    <tr style='border-bottom: thin solid;'><td valign = 'top'>

Modify Object

.. raw:: html

    </td><td valign = 'top'>

POST

.. raw:: html

    </td><td valign = 'top'>

/axapi/v3/cgnv6/ddos-protection

.. raw:: html

    </td><td valign = 'top'>

:ref:`242_ddos-protection_attributes`

.. raw:: html

    </td><td></td></tr>

.. raw:: html

    <tr style='border-bottom: thin solid;'><td valign = 'top'>

Delete Object

.. raw:: html

    </td><td valign = 'top'>

DELETE

.. raw:: html

    </td><td valign = 'top'>

/axapi/v3/cgnv6/ddos-protection

.. raw:: html

    </td><td valign = 'top'>

:ref:`242_ddos-protection_attributes`

.. raw:: html

    </td><td><button id='delete_eg' onClick="showExample('delete')">example</button> <button id='delete_cl' onClick="closeExample('delete')" style='display:none'>close</button></td></tr>

.. raw:: html

    <tr><td colspan=5 style='padding: 0 % 0 %;' valign = 'top'><div id='delete_div' style='display:none'>

.. include:: ../artifacts/cgnv6_ddos_protection_DELETE.txt
    :literal:

.. raw:: html

    </div></td></tr>

.. raw:: html

    </table>

.. _242_ddos-protection_attributes:

ddos-protection attributes
--------------------------

**disable-nat-ip-by-bgp**

    **Description:** disable-nat-ip-by-bgp is a **JSON Block**. Please see below for :ref:`242_disable-nat-ip-by-bgp`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/cgnv6/ddos-protection/disable-nat-ip-by-bgp <cgnv6_ddos_protection_disable_nat_ip_by_bgp>`

**enable-action**

    **Description** 'local': Enable local logs only; 'remote': Enable logging to remote server & IPFIX; 'both': Enable both local & remote logs;

    **Type:** string

    **Supported Values:** local, remote, both

    **Default:** local

**ip-entries**

    **Description:** ip-entries is a **JSON Block**. Please see below for :ref:`242_ip-entries`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/cgnv6/ddos-protection/ip-entries <cgnv6_ddos_protection_ip_entries>`

**l4-entries**

    **Description:** l4-entries is a **JSON Block**. Please see below for :ref:`242_l4-entries`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/cgnv6/ddos-protection/l4-entries <cgnv6_ddos_protection_l4_entries>`

**logging-action**

    **Description** 'enable': enable CGN DDoS protection logging; 'disable': Disable both local & remote CGN DDoS protection logging;

    **Type:** string

    **Supported Values:** enable, disable

    **Default:** enable

**max-hw-entries**

    **Description** Configure maximum HW entries

    **Type:** number

    **Range:** 0-262144

    **Default:** 262144

**packets-per-second**

    **Description:** packets-per-second is a **JSON Block**. Please see below for :ref:`242_packets-per-second`

    **Type:** Object

**sampling-enable**

    **Type:** List

**syn-cookie**

    **Description:** syn-cookie is a **JSON Block**.
    Please see below for :ref:`242_syn-cookie`

    **Type:** Object

**toggle**

    **Description** 'enable': Enable CGNV6 NAT pool DDoS protection (default); 'disable': Disable CGNV6 NAT pool DDoS protection;

    **Type:** string

    **Supported Values:** enable, disable

    **Default:** enable

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

**zone**

    **Description** Disable NAT IP based on DDoS zone name set in BGP

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Maximum Length:** 1 characters

.. _242_sampling-enable:

sampling-enable
^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**counters1**

    **Description** 'all': all; 'l3_entry_added': L3 Entry Added; 'l3_entry_deleted': L3 Entry Deleted; 'l3_entry_added_to_bgp': L3 Entry added to BGP; 'l3_entry_removed_from_bgp': Entry removed from BGP; 'l3_entry_added_to_hw': L3 Entry added to HW; 'l3_entry_removed_from_hw': L3 Entry removed from HW; 'l3_entry_too_many': L3 Too many entries; 'l3_entry_match_drop': L3 Entry match drop; 'l3_entry_match_drop_hw': L3 HW entry match drop; 'l3_entry_drop_max_hw_exceeded': L3 Entry Drop due to HW Limit Exceeded; 'l4_entry_added': L4 Entry added; 'l4_entry_deleted': L4 Entry deleted; 'l4_entry_added_to_hw': L4 Entry added to HW; 'l4_entry_removed_from_hw': L4 Entry removed from HW; 'l4_hw_out_of_entries': HW out of L4 entries; 'l4_entry_match_drop': L4 Entry match drop; 'l4_entry_match_drop_hw': L4 HW Entry match drop; 'l4_entry_drop_max_hw_exceeded': L4 Entry Drop due to HW Limit Exceeded; 'l4_entry_list_alloc': L4 Entry list alloc; 'l4_entry_list_free': L4 Entry list free; 'l4_entry_list_alloc_failure': L4 Entry list alloc failures; 'ip_node_alloc': Node alloc; 'ip_node_free': Node free; 'ip_node_alloc_failure': Node alloc failures; 'ip_port_block_alloc': Port block alloc; 'ip_port_block_free': Port block free; 'ip_port_block_alloc_failure': Port block alloc failure; 'ip_other_block_alloc': Other block alloc; 'ip_other_block_free': Other block free; 'ip_other_block_alloc_failure': Other block alloc failure; 'entry_added_shadow': Entry added shadow; 'entry_invalidated': Entry invalidated; 'l3_entry_add_to_bgp_failure': L3 Entry BGP add failures; 'l3_entry_remove_from_bgp_failure': L3 entry BGP remove failures; 'l3_entry_add_to_hw_failure': L3 entry HW add failure; 'syn_cookie_syn_ack_sent': SYN cookie SYN ACK sent; 'syn_cookie_verification_passed': SYN cookie verification passed; 'syn_cookie_verification_failed': SYN cookie verification failed; 'syn_cookie_conn_setup_failed': SYN cookie connection setup failed;

    **Type:** string

    **Supported Values:** all, l3_entry_added, l3_entry_deleted, l3_entry_added_to_bgp, l3_entry_removed_from_bgp, l3_entry_added_to_hw, l3_entry_removed_from_hw, l3_entry_too_many, l3_entry_match_drop, l3_entry_match_drop_hw, l3_entry_drop_max_hw_exceeded, l4_entry_added, l4_entry_deleted, l4_entry_added_to_hw, l4_entry_removed_from_hw, l4_hw_out_of_entries, l4_entry_match_drop, l4_entry_match_drop_hw, l4_entry_drop_max_hw_exceeded, l4_entry_list_alloc, l4_entry_list_free, l4_entry_list_alloc_failure, ip_node_alloc, ip_node_free, ip_node_alloc_failure, ip_port_block_alloc, ip_port_block_free, ip_port_block_alloc_failure, ip_other_block_alloc, ip_other_block_free, ip_other_block_alloc_failure, entry_added_shadow, entry_invalidated, l3_entry_add_to_bgp_failure, l3_entry_remove_from_bgp_failure, l3_entry_add_to_hw_failure, syn_cookie_syn_ack_sent, syn_cookie_verification_passed, syn_cookie_verification_failed, syn_cookie_conn_setup_failed

.. _242_ip-entries:

ip-entries
^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

.. _242_disable-nat-ip-by-bgp:

disable-nat-ip-by-bgp
^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

.. _242_l4-entries:

l4-entries
^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

.. _242_packets-per-second:

packets-per-second
^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**action**

    **Description:** action is a **JSON Block**.
    Please see below for :ref:`242_packets-per-second_action`

    **Type:** Object

**include-existing-session**

    **Description** Count traffic associated with existing session into the packets-per-second (Default: Disabled)

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**ip**

    **Description** Configure packets-per-second threshold per IP(default 3000000)

    **Type:** number

    **Range:** 0-30000000

    **Default:** 3000000

**other**

    **Description** Configure packets-per-second threshold for other L4 protocols(default 10000)

    **Type:** number

    **Range:** 0-30000000

    **Default:** 10000

**other-action**

    **Description:** other-action is a **JSON Block**. Please see below for :ref:`242_packets-per-second_other-action`

    **Type:** Object

**tcp**

    **Description** Configure packets-per-second threshold per TCP port (default: 3000)

    **Type:** number

    **Range:** 0-30000000

    **Default:** 3000

**tcp-action**

    **Description:** tcp-action is a **JSON Block**. Please see below for :ref:`242_packets-per-second_tcp-action`

    **Type:** Object

**udp**

    **Description** Configure packets-per-second threshold per UDP port (default: 3000)

    **Type:** number

    **Range:** 0-30000000

    **Default:** 3000

**udp-action**

    **Description:** udp-action is a **JSON Block**. Please see below for :ref:`242_packets-per-second_udp-action`

    **Type:** Object

.. _242_packets-per-second_other-action:

packets-per-second_other-action
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**other-action-type**

    **Description** 'log': Log the event only; 'drop': Log, and drop all packets (default);

    **Type:** string

    **Supported Values:** log, drop

    **Default:** drop

**other-expiration**

    **Description** To specify time to revert the action after pps is decreased to below threshold (Expiration time, in seconds (default is 30 seconds))

    **Type:** number

    **Range:** 10-65535

    **Default:** 30

.. _242_packets-per-second_udp-action:

packets-per-second_udp-action
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**udp-action-type**

    **Description** 'log': Log the event only; 'drop': Log, and drop all packets (default);

    **Type:** string

    **Supported Values:** log, drop

    **Default:** drop

**udp-expiration**

    **Description** To specify time to revert the action after pps is decreased to below threshold (Expiration time, in seconds (default is 30 seconds))

    **Type:** number

    **Range:** 10-65535

    **Default:** 30

.. _242_packets-per-second_tcp-action:

packets-per-second_tcp-action
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**tcp-action-type**

    **Description** 'log': Log the event only; 'drop': Log, and drop all packets (default);

    **Type:** string

    **Supported Values:** log, drop

    **Default:** drop

**tcp-expiration**

    **Description** To specify time to revert the action after pps is decreased to below threshold (Expiration time, in seconds (default is 30 seconds))

    **Type:** number

    **Range:** 10-65535

    **Default:** 30

.. _242_packets-per-second_action:

packets-per-second_action
^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**action-type**

    **Description** 'log': Log the event only; 'drop': Log, and drop all packets (default); 'redistribute-route': Log, Drop, and Notify upstream router to reroute the packets;

    **Type:** string

    **Supported Values:** log, drop, redistribute-route

    **Default:** drop

**expiration**

    **Description** To specify time to revert the action after pps is decreased to below threshold (Expiration time, in minutes (default is 3600 seconds))

    **Type:** number

    **Range:** 10-8640000

    **Default:** 3600

**expiration-route**

    **Description** To specify time to revert the action after pps is decreased to below threshold (Expiration time, in seconds (default is 3600 seconds))

    **Type:** number

    **Range:** 10-8640000

    **Default:** 3600

**remove-wait-timer**

    **Description** Time after which IP will be removed from blackhole

    **Type:** number

    **Range:** 0-300

    **Default:** 300

**route-map**

    **Description** Route map name

    **Type:** string

    **Maximum Length:** 128 characters

    **Maximum Length:** 1 characters

**timer-multiply-max**

    **Description** To specify max value of timer multiplier for attacks lasted long time (Max value of timer multiplier (default is 6))

    **Type:** number

    **Range:** 1-100

    **Default:** 6

.. _242_syn-cookie:

syn-cookie
^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**syn-cookie-enable**

    **Description** Enable CGNv6 Syn-Cookie Protection

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**syn-cookie-on-threshold**

    **Description** on-threshold for Syn-cookie (Decimal number)

    **Type:** number

    **Range:** 1-1000000

**syn-cookie-on-timeout**

    **Description** on-timeout for Syn-cookie (Timeout in seconds, default is 120 seconds (2 minutes))

    **Type:** number

    **Range:** 1-300000

    **Default:** 120
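
A pre-deployment check for the attributes documented above, as an added example that is not part of the original reference: it flags values outside the documented ranges or supported values, and settings the page describes as disabling protection or logging, or as logging without dropping. The dotted path names, the ``SPEC`` layout and the ``SAMPLE`` object are constructed for illustration.

```python
PPS = "packets-per-second"
SPEC = {  # sets = Supported Values, tuples = Range (min, max), from this page
    "enable-action": {"local", "remote", "both"},
    "logging-action": {"enable", "disable"},
    "toggle": {"enable", "disable"},
    "max-hw-entries": (0, 262144),
    f"{PPS}.action.action-type": {"log", "drop", "redistribute-route"},
    f"{PPS}.action.expiration": (10, 8640000),
    f"{PPS}.action.expiration-route": (10, 8640000),
    f"{PPS}.action.remove-wait-timer": (0, 300),
    f"{PPS}.action.timer-multiply-max": (1, 100),
    "syn-cookie.syn-cookie-on-threshold": (1, 1000000),
    "syn-cookie.syn-cookie-on-timeout": (1, 300000),
}
for proto in ("ip", "tcp", "udp", "other"):
    SPEC[f"{PPS}.{proto}"] = (0, 30000000)
for proto in ("tcp", "udp", "other"):
    SPEC[f"{PPS}.{proto}-action.{proto}-action-type"] = {"log", "drop"}
    SPEC[f"{PPS}.{proto}-action.{proto}-expiration"] = (10, 65535)
WEAK = {"toggle": "disable", "logging-action": "disable"}  # page: turns it off

def flatten(obj, prefix=""):
    """Yield (dotted.path, value) for every leaf of a nested JSON object."""
    for key, value in obj.items():
        if isinstance(value, dict):
            yield from flatten(value, f"{prefix}{key}.")
        else:
            yield f"{prefix}{key}", value

def audit(attrs):
    """Return (severity, path, message) findings for one attribute object."""
    findings = []
    for path, value in flatten(attrs):
        rule = SPEC.get(path)
        if rule is None:
            continue  # uuid, booleans, free-form strings: not checked here
        if isinstance(rule, set):
            if not isinstance(value, str) or value not in rule:
                findings.append(("error", path, f"unsupported value {value!r}"))
        elif type(value) is not int or not rule[0] <= value <= rule[1]:
            findings.append(("error", path, f"{value!r} outside {rule[0]}-{rule[1]}"))
        if path in WEAK and WEAK[path] == value:
            findings.append(("warn", path, "protection or logging switched off"))
        elif path.endswith("action-type") and value == "log":
            findings.append(("warn", path, "log only, packets are not dropped"))
    return findings

SAMPLE = {  # constructed input, not taken from a device
    "toggle": "enable", "logging-action": "disable", "max-hw-entries": 300000,
    PPS: {"tcp": 3000, "action": {"action-type": "blackhole"},
          "tcp-action": {"tcp-action-type": "log", "tcp-expiration": 5}},
    "syn-cookie": {"syn-cookie-enable": 1, "syn-cookie-on-timeout": 120},
}
print(*(": ".join(f) for f in audit(SAMPLE)), sep="\n")
```

Attributes absent from the object are not reported, since the device applies the documented defaults for them.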