.. _cgnv6_ddos_protection:

cgnv6 ddos-protection
=====================

Configure CGNV6 DDoS Protection

ddos-protection Specification
-----------------------------

=====================================  ==============================================================
**Parameter**                          **Value**
=====================================  ==============================================================
**Type**                               *Configuration Resource*
**Element Name**                       ddos-protection
**Element URI**                        /axapi/v3/cgnv6/ddos-protection
**Element Attributes**                 ddos-protection_attributes
**Partition Visibility**               shared,private
**Statistics Data URI**                /axapi/v3/cgnv6/ddos-protection/stats
**Schema**                             :download:`ddos-protection schema `
=====================================  ==============================================================

**Operations Allowed:**

=============  ======  ===============================  =====================================
Operation      Method  URI                              Payload
=============  ======  ===============================  =====================================
Create Object  POST    /axapi/v3/cgnv6/ddos-protection  :ref:`245_ddos-protection_attributes`
Get Object     GET     /axapi/v3/cgnv6/ddos-protection  :ref:`245_ddos-protection_attributes`
Modify Object  POST    /axapi/v3/cgnv6/ddos-protection  :ref:`245_ddos-protection_attributes`
Delete Object  DELETE  /axapi/v3/cgnv6/ddos-protection  :ref:`245_ddos-protection_attributes`
=============  ======  ===============================  =====================================

.. _245_ddos-protection_attributes:

ddos-protection attributes
--------------------------

**disable-nat-ip-by-bgp**

**Description:** disable-nat-ip-by-bgp is a **JSON Block**. Please see below for :ref:`245_disable-nat-ip-by-bgp`

**Type:** Object

**Reference Object:** :doc:`/axapi/v3/cgnv6/ddos-protection/disable-nat-ip-by-bgp `

**enable-action**

**Description** 'local': Enable local logs only; 'remote': Enable logging to remote server & IPFIX; 'both': Enable both local & remote logs;

**Type:** string

**Supported Values:** local, remote, both

**Default:** local

**ip-entries**

**Description:** ip-entries is a **JSON Block**. Please see below for :ref:`245_ip-entries`

**Type:** Object

**Reference Object:** :doc:`/axapi/v3/cgnv6/ddos-protection/ip-entries `

**l4-entries**

**Description:** l4-entries is a **JSON Block**. Please see below for :ref:`245_l4-entries`

**Type:** Object

**Reference Object:** :doc:`/axapi/v3/cgnv6/ddos-protection/l4-entries `

**logging-action**

**Description** 'enable': enable CGN DDoS protection logging; 'disable': Disable both local & remote CGN DDoS protection logging;

**Type:** string

**Supported Values:** enable, disable

**Default:** enable

**max-hw-entries**

**Description** Configure maximum HW entries

**Type:** number

**Range:** 0-262144

**Default:** 262144

**packets-per-second**

**Description:** packets-per-second is a **JSON Block**. Please see below for :ref:`245_packets-per-second`

**Type:** Object

**sampling-enable**

**Type:** List

**syn-cookie**

**Description:** syn-cookie is a **JSON Block**. Please see below for :ref:`245_syn-cookie`

**Type:** Object

**toggle**

**Description** 'enable': Enable CGNV6 NAT pool DDoS protection (default); 'disable': Disable CGNV6 NAT pool DDoS protection;

**Type:** string

**Supported Values:** enable, disable

**Default:** enable

**uuid**

**Description** uuid of the object

**Type:** string

**Maximum Length:** 64 characters

**Maximum Length:** 1 characters

**zone**

**Description** Disable NAT IP based on DDoS zone name set in BGP

**Type:** string

**Format:** string-rlx

**Maximum Length:** 63 characters

**Maximum Length:** 1 characters

.. _245_packets-per-second:

packets-per-second
^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**action**

**Description:** action is a **JSON Block**. Please see below for :ref:`245_packets-per-second_action`

**Type:** Object

**include-existing-session**

**Description** Count traffic associated with existing session into the packets-per-second (Default: Disabled)

**Type:** boolean

**Supported Values:** true, false, 1, 0

**Default:** 0

**ip**

**Description** Configure packets-per-second threshold per IP(default 3000000)

**Type:** number

**Range:** 0-30000000

**Default:** 3000000

**other**

**Description** Configure packets-per-second threshold for other L4 protocols(default 10000)

**Type:** number

**Range:** 0-30000000

**Default:** 10000

**other-action**

**Description:** other-action is a **JSON Block**. Please see below for :ref:`245_packets-per-second_other-action`

**Type:** Object

**tcp**

**Description** Configure packets-per-second threshold per TCP port (default: 3000)

**Type:** number

**Range:** 0-30000000

**Default:** 3000

**tcp-action**

**Description:** tcp-action is a **JSON Block**. Please see below for :ref:`245_packets-per-second_tcp-action`

**Type:** Object

**udp**

**Description** Configure packets-per-second threshold per UDP port (default: 3000)

**Type:** number

**Range:** 0-30000000

**Default:** 3000

**udp-action**

**Description:** udp-action is a **JSON Block**. Please see below for :ref:`245_packets-per-second_udp-action`

**Type:** Object

.. _245_packets-per-second_action:

packets-per-second_action
^^^^^^^^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**action-type**

**Description** 'log': Log the event only; 'drop': Log, and drop all packets (default); 'redistribute-route': Log, Notify upstream router to reroute the packets. Drop all packets by default.;

**Type:** string

**Supported Values:** log, drop, redistribute-route

**Default:** drop

**expiration**

**Description** To specify time to revert the action after pps is decreased to below threshold (Expiration time, in minutes (default is 3600 seconds))

**Type:** number

**Range:** 10-8640000

**Default:** 3600

**expiration-route**

**Description** To specify time to revert the action after pps is decreased to below threshold (Expiration time, in seconds (default is 3600 seconds))

**Type:** number

**Range:** 10-8640000

**Default:** 3600

**forward**

**Description** Continue forward traffic

**Type:** boolean

**Supported Values:** true, false, 1, 0

**Default:** 0

**remove-wait-timer**

**Description** Time after which IP will be removed from blackhole

**Type:** number

**Range:** 0-300

**Default:** 300

**route-map**

**Description** Route map name

**Type:** string

**Maximum Length:** 128 characters

**Maximum Length:** 1 characters

**timer-multiply-max**

**Description** To specify max value of timer multiplier for attacks lasted long time (Max value of timer multiplier (default is 6))

**Type:** number

**Range:** 1-100

**Default:** 6

.. _245_packets-per-second_tcp-action:

packets-per-second_tcp-action
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**tcp-action-type**

**Description** 'log': Log the event only; 'drop': Log, and drop all packets (default);

**Type:** string

**Supported Values:** log, drop

**Default:** drop

**tcp-expiration**

**Description** To specify time to revert the action after pps is decreased to below threshold (Expiration time, in seconds (default is 30 seconds))

**Type:** number

**Range:** 10-65535

**Default:** 30

.. _245_packets-per-second_udp-action:

packets-per-second_udp-action
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**udp-action-type**

**Description** 'log': Log the event only; 'drop': Log, and drop all packets (default);

**Type:** string

**Supported Values:** log, drop

**Default:** drop

**udp-expiration**

**Description** To specify time to revert the action after pps is decreased to below threshold (Expiration time, in seconds (default is 30 seconds))

**Type:** number

**Range:** 10-65535

**Default:** 30

.. _245_packets-per-second_other-action:

packets-per-second_other-action
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**other-action-type**

**Description** 'log': Log the event only; 'drop': Log, and drop all packets (default);

**Type:** string

**Supported Values:** log, drop

**Default:** drop

**other-expiration**

**Description** To specify time to revert the action after pps is decreased to below threshold (Expiration time, in seconds (default is 30 seconds))

**Type:** number

**Range:** 10-65535

**Default:** 30

.. _245_syn-cookie:

syn-cookie
^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**syn-cookie-enable**

**Description** Enable CGNv6 Syn-Cookie Protection

**Type:** boolean

**Supported Values:** true, false, 1, 0

**Default:** 0

**syn-cookie-on-threshold**

**Description** on-threshold for Syn-cookie (Decimal number)

**Type:** number

**Range:** 1-1000000

**syn-cookie-on-timeout**

**Description** on-timeout for Syn-cookie (Timeout in seconds, default is 120 seconds (2 minutes))

**Type:** number

**Range:** 1-300000

**Default:** 120

.. _245_sampling-enable:

sampling-enable
^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *list*
**Block object keys**
===============================  ===================================================

**counters1**

**Description** 'all': all; 'l3_entry_added': L3 Entry Added; 'l3_entry_deleted': L3 Entry Deleted; 'l3_entry_added_to_bgp': L3 Entry added to BGP; 'l3_entry_removed_from_bgp': Entry removed from BGP; 'l3_entry_added_to_hw': L3 Entry added to HW; 'l3_entry_removed_from_hw': L3 Entry removed from HW; 'l3_entry_too_many': L3 Too many entries; 'l3_entry_match_drop': L3 Entry match drop; 'l3_entry_match_drop_hw': L3 HW entry match drop; 'l3_entry_drop_max_hw_exceeded': L3 Entry Drop due to HW Limit Exceeded; 'l4_entry_added': L4 Entry added; 'l4_entry_deleted': L4 Entry deleted; 'l4_entry_added_to_hw': L4 Entry added to HW; 'l4_entry_removed_from_hw': L4 Entry removed from HW; 'l4_hw_out_of_entries': HW out of L4 entries; 'l4_entry_match_drop': L4 Entry match drop; 'l4_entry_match_drop_hw': L4 HW Entry match drop; 'l4_entry_drop_max_hw_exceeded': L4 Entry Drop due to HW Limit Exceeded; 'l4_entry_list_alloc': L4 Entry list alloc; 'l4_entry_list_free': L4 Entry list free; 'l4_entry_list_alloc_failure': L4 Entry list alloc failures; 'ip_node_alloc': Node alloc; 'ip_node_free': Node free; 'ip_node_alloc_failure': Node alloc failures; 'ip_port_block_alloc': Port block alloc; 'ip_port_block_free': Port block free; 'ip_port_block_alloc_failure': Port block alloc failure; 'ip_other_block_alloc': Other block alloc; 'ip_other_block_free': Other block free; 'ip_other_block_alloc_failure': Other block alloc failure; 'entry_added_shadow': Entry added shadow; 'entry_invalidated': Entry invalidated; 'l3_entry_add_to_bgp_failure': L3 Entry BGP add failures; 'l3_entry_remove_from_bgp_failure': L3 entry BGP
remove failures; 'l3_entry_add_to_hw_failure': L3 entry HW add failure; 'syn_cookie_syn_ack_sent': SYN cookie SYN ACK sent; 'syn_cookie_verification_passed': SYN cookie verification passed; 'syn_cookie_verification_failed': SYN cookie verification failed; 'syn_cookie_conn_setup_failed': SYN cookie connection setup failed;

**Type:** string

**Supported Values:** all, l3_entry_added, l3_entry_deleted, l3_entry_added_to_bgp, l3_entry_removed_from_bgp, l3_entry_added_to_hw, l3_entry_removed_from_hw, l3_entry_too_many, l3_entry_match_drop, l3_entry_match_drop_hw, l3_entry_drop_max_hw_exceeded, l4_entry_added, l4_entry_deleted, l4_entry_added_to_hw, l4_entry_removed_from_hw, l4_hw_out_of_entries, l4_entry_match_drop, l4_entry_match_drop_hw, l4_entry_drop_max_hw_exceeded, l4_entry_list_alloc, l4_entry_list_free, l4_entry_list_alloc_failure, ip_node_alloc, ip_node_free, ip_node_alloc_failure, ip_port_block_alloc, ip_port_block_free, ip_port_block_alloc_failure, ip_other_block_alloc, ip_other_block_free, ip_other_block_alloc_failure, entry_added_shadow, entry_invalidated, l3_entry_add_to_bgp_failure, l3_entry_remove_from_bgp_failure, l3_entry_add_to_hw_failure, syn_cookie_syn_ack_sent, syn_cookie_verification_passed, syn_cookie_verification_failed, syn_cookie_conn_setup_failed, l3_entry_del_to_hw_failure, add_l3_entry_added_to_hw_blklist_queue, del_l3_entry_added_to_hw_blklist_queue, add_l3_entry_dequeued_from_hw_blklist_q, del_l3_entry_dequeued_from_hw_blklist_q, l4_entry_del_to_hw_failure, add_l4_entry_added_to_hw_blklist_queue, del_l4_entry_added_to_hw_blklist_queue, add_l4_entry_dequeued_from_hw_blklist_q, del_l4_entry_dequeued_from_hw_blklist_q, l4_entry_add_to_hw_failure, l3_hw_out_of_entries, l4_entry_add_to_hw_failure_notif, l3_entry_add_to_hw_failure_notif, l4_entry_already_in_addQ, l4_entry_already_in_delQ, l3_entry_already_in_addQ, l3_entry_added_to_hw_again, l3_entry_hw_count_exceeded, l3_entry_hw_res_usage_exceeded, l3_entry_hw_add_q_size_exceeded, l3_entry_hw_del_q_size_exceeded, l3_entry_hw_add_q_malloc_failed, l3_entry_hw_del_q_malloc_failed, l4_entry_hw_count_exceeded, l4_entry_hw_res_usage_exceeded, l4_entry_hw_add_q_size_exceeded, l4_entry_hw_del_q_size_exceeded, l4_entry_hw_add_malloc_failed, l4_entry_hw_del_q_malloc_failed, l4_entry_add_to_hw_with_ipd_match, l3_entry_add_to_hw_after_timeout, l4_entry_pkt_hit_count, l3_entry_pkt_hit_count, l4_entry_hw_remov_notif_on_removed_sw, l4_entry_hw_remov_notif_on_stale_sw, l4_entry_hw_add_notif_on_stale_sw, l3_entry_hw_add_notif_on_stale_sw, l3_entry_hw_aging, l3-already-in-hw, l4_entry_hw_aging, l4-already-in-hw, l4-already-not-in-hw, l3_entry_reset_hw_on_failures, l4_entry_add_clear_in_progress, l4_entry_hw_add_no_ctx, l4_entry_hw_del_no_ctx, entry_remove_from_hw_with_sw, entry_unfill_stalled, add_l4_entry_batched, del_l4_entry_batched, add_l3_entry_batched, add_l4_entry_batching_failed, del_l4_entry_batching_failed, add_l3_entry_batching_failed, add_l4_entry_ipc_failed, del_l4_entry_ipc_failed, add_l3_entry_ipc_failed, add_l4_entry_ipc_received, del_l4_entry_ipc_received, add_l3_entry_ipc_received, add_l4_entry_response_recv, del_l4_entry_response_recv, add_l3_entry_response_recv, dcmsg_add_req_no_buff, dcmsg_add_ack_no_buff, dcmsg_notify_no_buff, dcmsg_add_req_sent, dcmsg_add_req_send_failed, dcmsg_add_ack_sent, dcmsg_add_ack_send_failed, dcmsg_notif_sent, dcmsg_notif_send_failed, dcmsg_add_req_malformed_tlv, dcmsg_add_ack_malformed_tlv, dcmsg_notif_malformed_tlv, dcmsg_rcv, dcmsg_rx_invalid_msg_hdr, dcmsg_rx_invalid_sync_hdr

**counters2**

**Description** 'dcmsg_add_req_rcv': Batched Add-req interblade hw offload dcmsg recv; 'dcmsg_add_ack_rcv': Batched Add-ack interblade hw offload dcmsg recv; 'dcmsg_notify_rcv': Notif interblade hw offload dcmsg recv; 'dcmsg_stale_ack_on_l3': Stale ADD-ACK dcmsg recv on l3 entry; 'dcmsg_stale_ack_on_l4': Stale ADD-ACK dcmsg recv on l4 entry; 'dcmsg_l3_add_req_timeout': L3 Add-req interblade hw offload dcmsg timed out; 'dcmsg_l4_add_req_timeout': L4 Add-req interblade hw offload dcmsg timed out; 'dcmsg_l3_add_req_sent': L3 Add-req hw offload dcmsg packed; 'dcmsg_l4_add_req_sent': L4 Add-req hw offload dcmsg packed; 'dcmsg_l3_add_req_rcv': L3 Add-req hw offload dcmsg rcv; 'dcmsg_l4_add_req_rcv': L4 Add-req hw offload dcmsg rcv; 'dcmsg_l3_add_ack_sent': L3 Add-ack hw offload dcmsg packed; 'dcmsg_l4_add_ack_sent': L4 Add-ack hw offload dcmsg packed; 'dcmsg_l3_add_ack_rcv': L3 Add-ack hw offload dcmsg rcv; 'dcmsg_l4_add_ack_rcv': L4 Add-ack hw offload dcmsg rcv; 'dcmsg_l3_add_ack_rcv_success': L3 Add-ack hw offload dcmsg is successful; 'dcmsg_l3_add_ack_rcv_fail': L3 Add-ack hw offload failed; 'dcmsg_l4_add_ack_rcv_success': L4 Add-ack hw offload dcmsg is successful; 'dcmsg_l4_add_ack_rcv_fail': L4 Add-ack hw offload failed; 'dcmsg_l3_add_req_retx': L3 Add-req hw offload dcmsg retx; 'dcmsg_l3_add_req_retx_in_progress': L3 Add-req hw dcmsg retx when offload on PU1 in progress; 'dcmsg_l3_add_req_retx_hw_added': L3 Add-req hw offload dcmsg retx when entry is hw added; 'dcmsg_l4_add_req_retx': L4 Add-req hw offload dcmsg retx; 'dcmsg_buff_alloc_fail': DCMSG Buff alloc failure; 'dcmsg_add_ack_drop': DCMSG Add-ack dropped on PU1; 'dcmsg_notif_drop': DCMSG Notif dropped on PU1; 'dcmsg_add_ack_delayed': DCMSG Add-ack delayed on PU1; 'l4_entry_add_to_hw_processing_error': L4 entry HW add processing error; 'l4_entry_add_to_hw_no_support': L4 entry HW add No support; 'l4_entry_add_to_hw_no_res_error': L4 entry HW add No resource; 'l3_entry_add_to_hw_processing_error': L3 entry HW add processing error; 'l3_entry_add_to_hw_no_support': L3 entry HW add No support; 'l3_entry_add_to_hw_no_res_error': L3 entry HW add No resource; 'add_l4_entry_ipc_failed_no_resp': L4 entry Add request IPC failed with no response attribute; 'del_l4_entry_ipc_failed_no_resp': L4 entry Del request IPC failed with no response attribute; 'add_l3_entry_ipc_failed_no_resp': L3 entry Add request IPC failed with no response attribute;

**Type:** string

**Supported Values:** dcmsg_add_req_rcv, dcmsg_add_ack_rcv, dcmsg_notify_rcv, dcmsg_stale_ack_on_l3, dcmsg_stale_ack_on_l4, dcmsg_l3_add_req_timeout, dcmsg_l4_add_req_timeout, dcmsg_l3_add_req_sent, dcmsg_l4_add_req_sent, dcmsg_l3_add_req_rcv, dcmsg_l4_add_req_rcv, dcmsg_l3_add_ack_sent, dcmsg_l4_add_ack_sent, dcmsg_l3_add_ack_rcv, dcmsg_l4_add_ack_rcv, dcmsg_l3_add_ack_rcv_success, dcmsg_l3_add_ack_rcv_fail, dcmsg_l4_add_ack_rcv_success, dcmsg_l4_add_ack_rcv_fail, dcmsg_l3_add_req_retx, dcmsg_l3_add_req_retx_in_progress, dcmsg_l3_add_req_retx_hw_added, dcmsg_l4_add_req_retx, dcmsg_buff_alloc_fail, dcmsg_add_ack_drop, dcmsg_notif_drop, dcmsg_add_ack_delayed, l4_entry_add_to_hw_processing_error, l4_entry_add_to_hw_no_support, l4_entry_add_to_hw_no_res_error, l3_entry_add_to_hw_processing_error, l3_entry_add_to_hw_no_support, l3_entry_add_to_hw_no_res_error, add_l4_entry_ipc_failed_no_resp, del_l4_entry_ipc_failed_no_resp, add_l3_entry_ipc_failed_no_resp

.. _245_l4-entries:

l4-entries
^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**uuid**

**Description** uuid of the object

**Type:** string

**Maximum Length:** 64 characters

**Maximum Length:** 1 characters

.. _245_ip-entries:

ip-entries
^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**uuid**

**Description** uuid of the object

**Type:** string

**Maximum Length:** 64 characters

**Maximum Length:** 1 characters

.. _245_disable-nat-ip-by-bgp:

disable-nat-ip-by-bgp
^^^^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**uuid**

**Description** uuid of the object

**Type:** string

**Maximum Length:** 64 characters

**Maximum Length:** 1 characters
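
The following is an added example, not part of the vendor reference: an offline audit of a ``ddos-protection`` payload that reports values outside the ranges and supported values listed above, and valid values that differ from the documented defaults (for example ``logging-action`` set to ``disable`` or an action type of ``log`` instead of ``drop``). It assumes the request body is keyed by the Element Name and that unset attributes fall back to the documented default; ``SPEC``, ``audit`` and ``SAMPLE`` are illustrative names.

```python
# Added example (not vendor code): offline audit of a ddos-protection payload
# against the ranges, supported values and defaults documented on this page.
_MISSING = object()
PPS = "packets-per-second"

# path under "ddos-protection" -> (kind, constraint, documented default)
SPEC = {
    ("toggle",): ("enum", ("enable", "disable"), "enable"),
    ("logging-action",): ("enum", ("enable", "disable"), "enable"),
    ("enable-action",): ("enum", ("local", "remote", "both"), "local"),
    ("max-hw-entries",): ("range", (0, 262144), 262144),
    (PPS, "ip"): ("range", (0, 30000000), 3000000),
    (PPS, "tcp"): ("range", (0, 30000000), 3000),
    (PPS, "udp"): ("range", (0, 30000000), 3000),
    (PPS, "other"): ("range", (0, 30000000), 10000),
    (PPS, "action", "action-type"): ("enum", ("log", "drop", "redistribute-route"), "drop"),
    (PPS, "action", "expiration"): ("range", (10, 8640000), 3600),
    (PPS, "action", "timer-multiply-max"): ("range", (1, 100), 6),
    ("syn-cookie", "syn-cookie-enable"): ("enum", (0, 1), 0),  # boolean: true/false/1/0
    ("syn-cookie", "syn-cookie-on-threshold"): ("range", (1, 1000000), None),
    ("syn-cookie", "syn-cookie-on-timeout"): ("range", (1, 300000), 120),
}
for proto in ("tcp", "udp", "other"):  # the three per-protocol action blocks share a shape
    SPEC[(PPS, f"{proto}-action", f"{proto}-action-type")] = ("enum", ("log", "drop"), "drop")
    SPEC[(PPS, f"{proto}-action", f"{proto}-expiration")] = ("range", (10, 65535), 30)

def _lookup(cfg, path):
    """Walk nested JSON blocks; return _MISSING when any level is absent."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def audit(payload):
    """Return (invalid, non_default), each a list of (attribute, value, expected)."""
    cfg = payload.get("ddos-protection", {})  # assumption: body is keyed by Element Name
    invalid, non_default = [], []
    for path, (kind, allowed, default) in SPEC.items():
        value = _lookup(cfg, path)
        if value is _MISSING:
            continue  # unset: assumed to fall back to the documented default
        if kind == "enum":
            ok = isinstance(value, (str, int)) and value in allowed
        else:  # numeric range; bool is rejected although it subclasses int
            ok = type(value) is int and allowed[0] <= value <= allowed[1]
        if not ok:
            invalid.append((".".join(path), value, allowed))
        elif default is not None and value != default:
            non_default.append((".".join(path), value, default))
    return invalid, non_default

# Constructed sample: one over-range value, one too-short expiration, one
# unsupported action type, and valid settings that leave the documented defaults.
SAMPLE = {"ddos-protection": {
    "toggle": "enable",
    "logging-action": "disable",
    "max-hw-entries": 300000,
    PPS: {"tcp": 3000, "udp": 50000,
          "action": {"action-type": "log", "expiration": 5},
          "tcp-action": {"tcp-action-type": "reset"}},
    "syn-cookie": {"syn-cookie-enable": 1, "syn-cookie-on-threshold": 5000},
}}
```

Run ``audit`` on the candidate body before sending it to ``/axapi/v3/cgnv6/ddos-protection``; entries in the first list should block the change, entries in the second are candidates for review.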