cgnv6 ddos-protection

Configure CGNV6 DDoS Protection

ddos-protection Specification

Parameter             Value
Type                  Configuration Resource
Element Name          ddos-protection
Element URI           /axapi/v3/cgnv6/ddos-protection
Element Attributes    ddos-protection_attributes
Partition Visibility  shared
Statistics Data URI   /axapi/v3/cgnv6/ddos-protection/stats
Schema                ddos-protection schema

Operations Allowed:

Operation      Method  URI                              Payload
Create Object  POST    /axapi/v3/cgnv6/ddos-protection  ddos-protection attributes
Get Object     GET     /axapi/v3/cgnv6/ddos-protection  ddos-protection attributes
Modify Object  POST    /axapi/v3/cgnv6/ddos-protection  ddos-protection attributes
Delete Object  DELETE  /axapi/v3/cgnv6/ddos-protection  ddos-protection attributes

ddos-protection attributes

disable-nat-ip-by-bgp

Description: disable-nat-ip-by-bgp is a JSON Block. Please see below for disable-nat-ip-by-bgp

Type: Object

Reference Object: /axapi/v3/cgnv6/ddos-protection/disable-nat-ip-by-bgp

enable-action

Description: ‘local’: Enable local logs only; ‘remote’: Enable logging to remote server & IPFIX; ‘both’: Enable both local & remote logs;

Type: string

Supported Values: local, remote, both

Default: local

ip-entries

Description: ip-entries is a JSON Block. Please see below for ip-entries

Type: Object

Reference Object: /axapi/v3/cgnv6/ddos-protection/ip-entries

l4-entries

Description: l4-entries is a JSON Block. Please see below for l4-entries

Type: Object

Reference Object: /axapi/v3/cgnv6/ddos-protection/l4-entries

logging-action

Description: ‘enable’: Enable CGN DDoS protection logging; ‘disable’: Disable both local & remote CGN DDoS protection logging;

Type: string

Supported Values: enable, disable

Default: enable

max-hw-entries

Description: Configure maximum HW entries

Type: number

Range: 0-262144

Default: 262144

packets-per-second

Description: packets-per-second is a JSON Block. Please see below for packets-per-second

Type: Object

sampling-enable

Type: List

syn-cookie

Description: syn-cookie is a JSON Block. Please see below for syn-cookie

Type: Object

toggle

Description: ‘enable’: Enable CGNV6 NAT pool DDoS protection (default); ‘disable’: Disable CGNV6 NAT pool DDoS protection;

Type: string

Supported Values: enable, disable

Default: enable

uuid

Description: uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

zone

Description: Disable NAT IP based on DDoS zone name set in BGP

Type: string

Format: string-rlx

Maximum Length: 63 characters

Minimum Length: 1 character

sampling-enable

Specification Value
Type list
Block object keys  

counters1

Description:
‘all’: all;
‘l3_entry_added’: L3 Entry Added;
‘l3_entry_deleted’: L3 Entry Deleted;
‘l3_entry_added_to_bgp’: L3 Entry added to BGP;
‘l3_entry_removed_from_bgp’: Entry removed from BGP;
‘l3_entry_added_to_hw’: L3 Entry added to HW;
‘l3_entry_removed_from_hw’: L3 Entry removed from HW;
‘l3_entry_too_many’: L3 Too many entries;
‘l3_entry_match_drop’: L3 Entry match drop;
‘l3_entry_match_drop_hw’: L3 HW entry match drop;
‘l3_entry_drop_max_hw_exceeded’: L3 Entry Drop due to HW Limit Exceeded;
‘l4_entry_added’: L4 Entry added;
‘l4_entry_deleted’: L4 Entry deleted;
‘l4_entry_added_to_hw’: L4 Entry added to HW;
‘l4_entry_removed_from_hw’: L4 Entry removed from HW;
‘l4_hw_out_of_entries’: HW out of L4 entries;
‘l4_entry_match_drop’: L4 Entry match drop;
‘l4_entry_match_drop_hw’: L4 HW Entry match drop;
‘l4_entry_drop_max_hw_exceeded’: L4 Entry Drop due to HW Limit Exceeded;
‘l4_entry_list_alloc’: L4 Entry list alloc;
‘l4_entry_list_free’: L4 Entry list free;
‘l4_entry_list_alloc_failure’: L4 Entry list alloc failures;
‘ip_node_alloc’: Node alloc;
‘ip_node_free’: Node free;
‘ip_node_alloc_failure’: Node alloc failures;
‘ip_port_block_alloc’: Port block alloc;
‘ip_port_block_free’: Port block free;
‘ip_port_block_alloc_failure’: Port block alloc failure;
‘ip_other_block_alloc’: Other block alloc;
‘ip_other_block_free’: Other block free;
‘ip_other_block_alloc_failure’: Other block alloc failure;
‘entry_added_shadow’: Entry added shadow;
‘entry_invalidated’: Entry invalidated;
‘l3_entry_add_to_bgp_failure’: L3 Entry BGP add failures;
‘l3_entry_remove_from_bgp_failure’: L3 entry BGP remove failures;
‘l3_entry_add_to_hw_failure’: L3 entry HW add failure;
‘syn_cookie_syn_ack_sent’: SYN cookie SYN ACK sent;
‘syn_cookie_verification_passed’: SYN cookie verification passed;
‘syn_cookie_verification_failed’: SYN cookie verification failed;
‘syn_cookie_conn_setup_failed’: SYN cookie connection setup failed;

Type: string

Supported Values: all, l3_entry_added, l3_entry_deleted, l3_entry_added_to_bgp, l3_entry_removed_from_bgp, l3_entry_added_to_hw, l3_entry_removed_from_hw, l3_entry_too_many, l3_entry_match_drop, l3_entry_match_drop_hw, l3_entry_drop_max_hw_exceeded, l4_entry_added, l4_entry_deleted, l4_entry_added_to_hw, l4_entry_removed_from_hw, l4_hw_out_of_entries, l4_entry_match_drop, l4_entry_match_drop_hw, l4_entry_drop_max_hw_exceeded, l4_entry_list_alloc, l4_entry_list_free, l4_entry_list_alloc_failure, ip_node_alloc, ip_node_free, ip_node_alloc_failure, ip_port_block_alloc, ip_port_block_free, ip_port_block_alloc_failure, ip_other_block_alloc, ip_other_block_free, ip_other_block_alloc_failure, entry_added_shadow, entry_invalidated, l3_entry_add_to_bgp_failure, l3_entry_remove_from_bgp_failure, l3_entry_add_to_hw_failure, syn_cookie_syn_ack_sent, syn_cookie_verification_passed, syn_cookie_verification_failed, syn_cookie_conn_setup_failed
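
The counters listed above are most useful as deltas between two polls of the statistics URI. The following is an added example, not A10 code: it flags growth in the exhaustion and failure counters and a high SYN cookie failure ratio. The flat `{counter: value}` snapshot shape, the function names and both thresholds are assumptions.

```python
# Added example, not A10 code. Counter names come from the sampling-enable list
# on this page; the snapshot layout and the thresholds are assumptions.
CAPACITY_SUFFIXES = ("_failure", "_too_many", "_out_of_entries", "_max_hw_exceeded")

def deltas(prev, curr):
    """Increase of each counter between two polls, tolerating a counter reset."""
    out = {}
    for name, now in curr.items():
        before = prev.get(name, 0)
        # A smaller value than last time means the counter restarted from zero.
        out[name] = now - before if now >= before else now
    return out

def alerts(prev, curr, max_fail_ratio=0.5, min_syn=100):
    """Return (kind, counter, increase) tuples worth an operator's attention."""
    d, found = deltas(prev, curr), []
    # Any growth in an allocation, HW-table or BGP failure counter means that
    # entries are no longer being installed as configured.
    for name in sorted(d):
        if name.endswith(CAPACITY_SUFFIXES) and d[name] > 0:
            found.append(("capacity", name, d[name]))
    # A high share of failed SYN cookie verifications in the interval points
    # at spoofed or incomplete handshakes rather than ordinary clients.
    passed = d.get("syn_cookie_verification_passed", 0)
    failed = d.get("syn_cookie_verification_failed", 0)
    total = passed + failed
    if total >= min_syn and failed / total > max_fail_ratio:
        found.append(("syn-cookie", "syn_cookie_verification_failed", failed))
    return found

# Constructed snapshots for illustration (not real device output).
PREV = {"l3_entry_added": 10, "l3_entry_add_to_hw_failure": 0,
        "l4_hw_out_of_entries": 2, "l4_entry_match_drop": 5000,
        "syn_cookie_verification_passed": 900,
        "syn_cookie_verification_failed": 40}
CURR = {"l3_entry_added": 14, "l3_entry_add_to_hw_failure": 3,
        "l4_hw_out_of_entries": 2, "l4_entry_match_drop": 100,
        "syn_cookie_verification_passed": 950,
        "syn_cookie_verification_failed": 840}

if __name__ == "__main__":
    for alert in alerts(PREV, CURR):
        print(alert)
```
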

ip-entries

Specification Value
Type object

uuid

Description: uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

disable-nat-ip-by-bgp

Specification Value
Type object

uuid

Description: uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

l4-entries

Specification Value
Type object

uuid

Description: uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

packets-per-second

Specification Value
Type object

action

Description: action is a JSON Block. Please see below for packets-per-second_action

Type: Object

include-existing-session

Description: Count traffic associated with existing sessions toward the packets-per-second threshold (Default: Disabled)

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

ip

Description: Configure packets-per-second threshold per IP (default: 3000000)

Type: number

Range: 0-30000000

Default: 3000000

other

Description: Configure packets-per-second threshold for other L4 protocols (default: 10000)

Type: number

Range: 0-30000000

Default: 10000

other-action

Description: other-action is a JSON Block. Please see below for packets-per-second_other-action

Type: Object

tcp

Description: Configure packets-per-second threshold per TCP port (default: 3000)

Type: number

Range: 0-30000000

Default: 3000

tcp-action

Description: tcp-action is a JSON Block. Please see below for packets-per-second_tcp-action

Type: Object

udp

Description: Configure packets-per-second threshold per UDP port (default: 3000)

Type: number

Range: 0-30000000

Default: 3000

udp-action

Description: udp-action is a JSON Block. Please see below for packets-per-second_udp-action

Type: Object

packets-per-second_other-action

Specification Value
Type object

other-action-type

Description: ‘log’: Log the event only; ‘drop’: Log, and drop all packets (default);

Type: string

Supported Values: log, drop

Default: drop

other-expiration

Description: Time to wait before reverting the action after pps drops below the threshold (expiration time, in seconds; default is 30 seconds)

Type: number

Range: 10-65535

Default: 30

packets-per-second_udp-action

Specification Value
Type object

udp-action-type

Description: ‘log’: Log the event only; ‘drop’: Log, and drop all packets (default);

Type: string

Supported Values: log, drop

Default: drop

udp-expiration

Description: Time to wait before reverting the action after pps drops below the threshold (expiration time, in seconds; default is 30 seconds)

Type: number

Range: 10-65535

Default: 30

packets-per-second_tcp-action

Specification Value
Type object

tcp-action-type

Description: ‘log’: Log the event only; ‘drop’: Log, and drop all packets (default);

Type: string

Supported Values: log, drop

Default: drop

tcp-expiration

Description: Time to wait before reverting the action after pps drops below the threshold (expiration time, in seconds; default is 30 seconds)

Type: number

Range: 10-65535

Default: 30

packets-per-second_action

Specification Value
Type object

action-type

Description: ‘log’: Log the event only; ‘drop’: Log, and drop all packets (default); ‘redistribute-route’: Log, drop, and notify the upstream router to reroute the packets;

Type: string

Supported Values: log, drop, redistribute-route

Default: drop

expiration

Description: Time to wait before reverting the action after pps drops below the threshold (expiration time, in minutes; default is 3600 seconds)

Type: number

Range: 10-8640000

Default: 3600

expiration-route

Description: Time to wait before reverting the action after pps drops below the threshold (expiration time, in seconds; default is 3600 seconds)

Type: number

Range: 10-8640000

Default: 3600

remove-wait-timer

Description: Time after which the IP will be removed from the blackhole

Type: number

Range: 0-300

Default: 300

route-map

Description: Route map name

Type: string

Maximum Length: 128 characters

Minimum Length: 1 character

timer-multiply-max

Description: Maximum value of the timer multiplier for long-lasting attacks (default is 6)

Type: number

Range: 1-100

Default: 6
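
The ranges, supported values and defaults documented on this page can be enforced before a payload is posted to /axapi/v3/cgnv6/ddos-protection. The following is an added example, not A10 code: it rejects out-of-range values and flags valid settings that are weaker than the documented defaults. The `{"ddos-protection": {...}}` wrapper, the `audit()` helper and the sample payload are assumptions.

```python
# Added example, not A10 code. Ranges, enums and defaults are copied from this
# page; the {"ddos-protection": {...}} wrapper and audit() are assumptions.
PPS = ("packets-per-second",)
SPEC = {  # attribute path -> (allowed set or (min, max) range, documented default)
    ("toggle",): ({"enable", "disable"}, "enable"),
    ("logging-action",): ({"enable", "disable"}, "enable"),
    ("enable-action",): ({"local", "remote", "both"}, "local"),
    ("max-hw-entries",): ((0, 262144), 262144),
    PPS + ("ip",): ((0, 30000000), 3000000),
    PPS + ("action", "action-type"): ({"log", "drop", "redistribute-route"}, "drop"),
    PPS + ("action", "expiration"): ((10, 8640000), 3600),
}
for proto, dflt in (("tcp", 3000), ("udp", 3000), ("other", 10000)):
    SPEC[PPS + (proto,)] = ((0, 30000000), dflt)
    SPEC[PPS + (proto + "-action", proto + "-action-type")] = ({"log", "drop"}, "drop")
    SPEC[PPS + (proto + "-action", proto + "-expiration")] = ((10, 65535), 30)
WEAK = {"disable", "log"}  # valid values that switch protection or dropping off
THRESHOLDS = {"ip", "tcp", "udp", "other"}

def lookup(obj, path):
    """Walk nested dicts along path; None when any key is absent."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def audit(payload):
    """Return (severity, attribute, value) findings for one config payload."""
    cfg, findings = payload.get("ddos-protection", {}), []
    for path, (allowed, default) in SPEC.items():
        value = lookup(cfg, path)
        if value is None:
            continue  # unset attributes take the documented default
        if isinstance(allowed, tuple):  # numeric range; bool is not accepted
            ok = type(value) is int and allowed[0] <= value <= allowed[1]
            relaxed = ok and path[-1] in THRESHOLDS and value > default
        else:  # enumerated string
            ok, relaxed = value in allowed, value in WEAK
        if not ok:
            findings.append(("invalid", ".".join(path), value))
        elif relaxed:
            findings.append(("review", ".".join(path), value))
    return findings

SAMPLE = {"ddos-protection": {  # constructed input, not a real device config
    "toggle": "enable", "logging-action": "disable", "max-hw-entries": 300000,
    "packets-per-second": {"tcp": 3000, "udp": 50000,
        "udp-action": {"udp-action-type": "log", "udp-expiration": 5}}}}
```
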