security flowspec-route-injector profile

security flowspec-route-injector profile(1)



NAME
       profile - Configures a Security FlowSpec Route Injector profile

MODULE
       security flowspec-route-injector

SYNTAX
       Manage the profile component within the security flowspec-route-injector
       module using the syntax shown in the following sections.

   CREATE/MODIFY
	create profile [name]
	modify profile [name]
	 options:
	  app-service [[string] | none]
	  description [string]
	  max-flowspec-routes-limit [integer]
	  neighbor [add | delete | modify | none | replace-all-with] {
	      [IP Address] {
		  adj-out		[disabled | enabled]
		  bgp-multiple-instance [disabled | enabled]
		  extended-asn-cap	[disabled | enabled]
		  graceful-restart	[disabled | enabled]
		  graceful-restart-time [integer]
		  hold-time		[integer]
		  local-address 	[IP Address]
		  local-as		[integer]
		  remote-as		[integer]
		  router-id		[IPv4 Address]
	      }
	  }
	  route-domain [name]
	  peer-group {
		  adj-out		[disabled | enabled]
		  bgp-multiple-instance [disabled | enabled]
		  extended-asn-cap	[disabled | enabled]
		  graceful-restart	[disabled | enabled]
		  graceful-restart-time [integer]
		  hold-time		[integer]
		  local-address 	[IP Address]
		  local-as		[integer]
		  remote-as		[integer]
		  router-id		[IPv4 Address]
	  }

	edit profile
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list profile
	show running-config profile

DESCRIPTION
       The profile component of security flowspec-route-injector manages a
       Security FlowSpec Route Injector profile (unique per route domain
       instance). The AFM/DHD module uses this profile to advertise routes
       based on Source/Destination IP, Source/Destination Port, Protocol,
       etc., for blackholing and scrubbing use cases, using the BGP FlowSpec
       mechanism (RFC 5575).

EXAMPLES
       create profile p1
	 neighbor add {
	     10.128.10.128 {
		 local-address 10.128.10.169
	     }
	 }
	 peer-group {
	     local-as 60000
	     remote-as 60000
	     router-id 1.1.1.1
	 }
	 route-domain 0

       Create a security flowspec-route-injector profile p1 for route-domain 0
       and add 1 peer neighbor 10.128.10.128. Common attributes that are
       shared by all neighbors in the profile (unless overridden) are defined
       using peer-group settings.

       modify profile p1 peer-group { graceful-restart enabled
       graceful-restart-time 120 }

       Modify profile p1 and update graceful-restart and graceful-restart-time
       peer-group attributes.

       list profile

       Displays the current list of configured security
       flowspec-route-injector profiles.

OPTIONS
       description
	    User defined description.

       max-flowspec-routes-limit
	    Specifies the maximum number of FlowSpec routes that can be
	    advertised simultaneously per FlowSpec profile (or route domain)
	    instance. The minimum allowed value is 100; the maximum allowed
	    value is 10,000, which is also the default.

       neighbor
	    Adds, modifies, or deletes BGP peer neighbor configuration. Each
	    neighbor is uniquely identified and configured using its IP
	    address as the name.

	    description
		 User defined description.

	    adj-out
		 Enable/Disable BGP adj-rib-out feature. Default is enabled.

	    bgp-multiple-instance
		 Enable/Disable BGP multiple instance capability. Default is
		 disabled.

	    extended-asn-cap
		 Enable/Disable Extended ASN capability (i.e. send 4-byte
		 ASN). Default is enabled.

	    graceful-restart
		 Enable/Disable graceful restart capability. Default is
		 disabled.

	    graceful-restart-time
		 Specifies graceful restart time (max time needed for
		 Neighbor(s) to restart).

	    hold-time
		 Specifies the hold time (max time that can elapse between
		 messages from peer). Default is 90 seconds.

	    local-address
		 Specifies the Local Address (on BIG-IP) to be used for
		 initiating BGP connection(s) with peers.

	    local-as
		 Specifies the BGP Local AS number.

	    remote-as
		 Specifies the BGP Remote AS number.

	    router-id
		 Specifies the BGP Router ID to be used in BGP OPEN message
		 when initiating BGP connection with peers. Router ID is an
		 IPv4 address.

       route-domain
	    Specifies the name of the route domain to be used by the Security
	    FlowSpec Route Injector profile. This is a required field at the
	    time of profile creation and cannot be changed afterwards.

       peer-group
	    Specifies peer group settings that are inherited by each neighbor
	    unless overridden specifically for that neighbor.

	    adj-out
		 Enable/Disable BGP adj-rib-out feature. Default is enabled.

	    bgp-multiple-instance
		 Enable/Disable BGP multiple instance capability. Default is
		 disabled.

	    extended-asn-cap
		 Enable/Disable Extended ASN capability (i.e. send 4-byte
		 ASN). Default is enabled.

	    graceful-restart
		 Enable/Disable graceful restart capability. Default is
		 disabled.

	    graceful-restart-time
		 Specifies graceful restart time (max time needed for
		 Neighbor(s) to restart).

	    hold-time
		 Specifies the hold time (max time that can elapse between
		 messages from peer). Default is 90 seconds.

	    local-address
		 Specifies the Local Address (on BIG-IP) to be used for
		 initiating BGP connection(s) with peers.

	    local-as
		 Specifies the BGP Local AS number.

	    remote-as
		 Specifies the BGP Remote AS number.

	    router-id
		 Specifies the BGP Router ID to be used in BGP OPEN message
		 when initiating BGP connection with peers. Router ID is an
		 IPv4 address.
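
An added example, not part of the F5 manual and not F5 code: an offline Python check that resolves each neighbor's effective BGP settings (documented default, then peer-group, then neighbor override) and flags values outside what this page documents. The dict layout, the function names, the second neighbor, and the ordering of documented defaults below peer-group values are assumptions made for illustration.

```python
import ipaddress

# Defaults stated in the OPTIONS section of this page.
DOCUMENTED_DEFAULTS = {
    "adj-out": "enabled",
    "bgp-multiple-instance": "disabled",
    "extended-asn-cap": "enabled",
    "graceful-restart": "disabled",
    "hold-time": 90,
}
LIMIT_MIN, LIMIT_MAX = 100, 10_000  # documented bounds; 10,000 is also the default


def effective_neighbors(profile):
    """Resolve each neighbor: documented default < peer-group < neighbor override."""
    group = profile.get("peer-group", {})
    return {
        addr: {**DOCUMENTED_DEFAULTS, **group, **overrides}
        for addr, overrides in profile.get("neighbor", {}).items()
    }


def audit(profile):
    """Return findings for a profile modelled as a dict (hypothetical layout)."""
    findings = []
    limit = profile.get("max-flowspec-routes-limit", LIMIT_MAX)
    if not LIMIT_MIN <= limit <= LIMIT_MAX:
        findings.append(f"max-flowspec-routes-limit {limit} outside {LIMIT_MIN}-{LIMIT_MAX}")
    if "route-domain" not in profile:
        findings.append("route-domain is required at profile creation")
    for addr, cfg in effective_neighbors(profile).items():
        rid = cfg.get("router-id")
        try:
            if rid is not None:
                ipaddress.IPv4Address(rid)  # router-id must be an IPv4 address
        except ValueError:
            findings.append(f"{addr}: router-id {rid!r} is not an IPv4 address")
    return findings


# Constructed sample: profile p1 from EXAMPLES plus a second neighbor with overrides.
P1 = {
    "route-domain": "0",
    "max-flowspec-routes-limit": 50,
    "peer-group": {"local-as": 60000, "remote-as": 60000, "router-id": "1.1.1.1"},
    "neighbor": {
        "10.128.10.128": {"local-address": "10.128.10.169"},
        "10.128.10.129": {"remote-as": 65001, "hold-time": 30, "router-id": "2001:db8::1"},
    },
}
```

Calling `audit(P1)` reports the out-of-range route limit and the non-IPv4 router-id on the second neighbor; `effective_neighbors(P1)` shows which values each peer inherits and which it overrides.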

SEE ALSO
       create, edit, list, modify, security, security scrubber, security
       scrubber profile, security blacklist-publisher profile

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008, 2012-2013, 2015, 2017. All
       rights reserved.



BIG-IP				  security flowspec-route-injector profile(1)