security flowspec-route-injector profile
BIG-IP security flowspec-route-injector profile(1)
NAME
profile - Configures a Security FlowSpec Route Injector profile
MODULE
security flowspec-route-injector
SYNTAX
Manage profile component within the security flowspec-route-injector
module using the syntax shown in the following sections.
CREATE/MODIFY
create profile [name]
modify profile [name]
options:
app-service [[string] | none]
description [string]
max-flowspec-routes-limit [integer]
neighbor [add | delete | modify | none | replace-all-with] {
[IP Address] {
adj-out [disabled | enabled]
bgp-multiple-instance [disabled | enabled]
extended-asn-cap [disabled | enabled]
graceful-restart [disabled | enabled]
graceful-restart-time [integer]
hold-time [integer]
local-address [IP Address]
local-as [integer]
remote-as [integer]
router-id [IPv4 Address]
}
}
rules [[add | delete | modify | none | replace-all-with] {
[name] {
action {
dscp-value [integer]
next-hop [IP Address]
rate-limit [integer]
asn-community [string]
type [drop | redirect | rate-limit | qos]
}
alias [string]
app-service [string]
advertisement-ttl-from-now [integer]
description [string]
remove-config-upon-expiry [bool]
match {
destination-address [IP Address]
destination-ports [list of ports / port-ranges]
dscp-values [list of integers]
ip-fragments [list of integers]
ip-protocols [list of protocols]
ports [list of ports / port-ranges]
source-address [IP Address]
source-ports [list of ports / port-ranges]
}
}
}
route-domain [name]
peer-group {
adj-out [disabled | enabled]
bgp-multiple-instance [disabled | enabled]
extended-asn-cap [disabled | enabled]
graceful-restart [disabled | enabled]
graceful-restart-time [integer]
hold-time [integer]
local-address [IP Address]
local-as [integer]
remote-as [integer]
router-id [IPv4 Address]
}
security-log-profile [string]
edit profile
options:
all-properties
non-default-properties
DISPLAY
list profile
show running-config profile
DESCRIPTION
The profile component under security flowspec-route-injector manages a
Security FlowSpec Route Injector profile (one per route domain
instance). The AFM/DHD module uses the profile to advertise BGP FlowSpec
routes (RFC 5575) keyed on source/destination IP, source/destination
port, protocol and similar fields, for blackholing and scrubbing use
cases.
EXAMPLES
create profile p1
neighbor add {
10.128.10.128 {
local-address 10.128.10.169
}
}
peer-group {
local-as 60000
remote-as 60000
router-id 1.1.1.1
}
route-domain 0
Creates a security flowspec-route-injector profile p1 for route-domain 0
and adds one BGP neighbor, 10.128.10.128. Attributes shared by all
neighbors in the profile (unless overridden per neighbor) are defined
using the peer-group settings.
modify profile p1 peer-group { graceful-restart enabled graceful-restart-time 120 }
Modifies profile p1 and updates the graceful-restart and
graceful-restart-time peer-group attributes.
list profile
Displays the current list of configured security
flowspec-route-injector profiles.
OPTIONS
description
User defined description.
advertisement-ttl-from-now
Specifies the duration (in minutes) after which the FlowSpec route is
withdrawn. The default is 5 minutes. A value of 0 expires the rule
immediately (and withdraws it from upstream routers).
This is a write-only setting: the system uses it to compute the
rule's expiry time. It is mutually exclusive with expiry-time.
max-flowspec-routes-limit
Specifies the maximum number of FlowSpec routes that can be
advertised simultaneously per FlowSpec profile (or route domain)
instance. The minimum allowed value is 100 and the maximum is
10,000, which is also the default.
neighbor
Adds, modifies, or deletes BGP peer neighbor configuration. Each
neighbor is identified by its IP address, which serves as its name.
description
User defined description.
adj-out
Enable/Disable BGP adj-rib-out feature. Default is enabled.
bgp-multiple-instance
Enable/Disable BGP multiple instance capability. Default is
disabled.
extended-asn-cap
Enable/Disable Extended ASN capability (i.e. send 4-byte
ASN). Default is enabled.
graceful-restart
Enable/Disable graceful restart capability. Default is
disabled.
graceful-restart-time
Specifies the graceful restart time (the maximum time the
neighbor(s) need to restart).
hold-time
Specifies the hold time (max time that can elapse between
messages from peer). Default is 90 seconds.
local-address
Specifies the local address (on the BIG-IP) used to initiate
BGP connection(s) with peers.
local-as
Specifies the BGP Local AS number.
remote-as
Specifies the BGP Remote AS number.
router-id
Specifies the BGP Router ID to be used in BGP OPEN message
when initiating BGP connection with peers. Router ID is an
IPv4 address.
route-domain
Specifies the name of the route domain used by the Security
FlowSpec Route Injector profile. This field is required when the
profile is created and cannot be changed afterwards.
rules
Specifies configuration of rules that can be advertised per
FlowSpec profile.
action
Specifies BGP FlowSpec Advertisement Action configuration.
dscp-value
Specifies the BGP FlowSpec DSCP value for advertisement
qos action. The default is 0. The valid range is 0 ~ 63
inclusive.
next-hop
Specifies BGP FlowSpec redirection next hop address
rate-limit
Specifies the BGP FlowSpec rate limit (bytes/sec) for
advertisement rate limiting action.
asn-community
Specifies the BGP Extended Community value (in the
format AA:NNN, where AA is a 16-bit number and NNN is a
32-bit number) used for redirect-to-VRF when the BGP
FlowSpec advertisement action type is redirect.
type
Specifies the BGP FlowSpec Advertisement Action type for
this FlowSpec Route Injector profile. The default is
redirect.
alias
Specifies the alias name of this rule.
app-service
The application service that the object belongs to.
creation-time
The time when this rule is created. This is not user
configurable field.
description
User defined description.
expiry-time
The time at which this rule expires.
This field is mutually exclusive with
advertisement-ttl-from-now. If the user specifies
advertisement-ttl-from-now, expiry-time is calculated from it.
last-modified-time
The time when this rule is modified. This is not user
configurable field.
remove-config-upon-expiry
Specifies whether this rule is removed automatically when its
expiry time is reached. The default is true. If it is set to
false, the expired rule stays in the configuration and the user
must remove it manually when it is no longer needed.
The maximum number of expired rules kept per profile in the
database is defined by the DB variable
flowspec.max.expired_and_saved_rules (min = 0, max = 1000,
default = 100).
match
Specifies BGP FlowSpec matching criteria configuration.
destination-address
Specifies the destination address/prefix to match in
packets.
destination-ports
Specifies a list of ports that matches destination
TCP/UDP ports in packets.
This destination-ports configuration is mutually exclusive
with the ports field.
dscp-values
Specifies a list of DSCP values to match in packets. The
valid range for each of DSCP value in the list must be
within 0 ~ 63 inclusive.
ip-fragments
Specifies a list of IP fragments to match in packets.
ip-protocols
Specifies a set of protocol values used to match the IP
protocol byte of IP packets. The valid protocols are
ICMP, TCP, UDP, and SCTP. If a port match is specified,
only TCP, UDP, and SCTP are valid.
ports
Specifies a list of ports that matches source OR
destination TCP/UDP ports in packets.
This ports configuration is mutually exclusive with
destination-ports and source-ports.
source-address
Specifies the source address/prefix to match in packets.
source-ports
Specifies a list of ports that matches source TCP/UDP
ports in packets.
This source-ports configuration is mutually exclusive with
the ports field.
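The action and match options above map onto the RFC 5575 wire format that the injector advertises to its peers. The following is an added example, not BIG-IP code: it takes a rule expressed with this profile's match and action field names and produces the FlowSpec NLRI and the transitive extended community (traffic-rate for drop/rate-limit, redirect route-target for the asn-community form of redirect, traffic-marking for qos). All function names are this example's own; the only assumptions beyond the page are RFC 5575 itself (IPv4 only, drop encoded as traffic-rate 0) and that the local-as is the AS placed in the traffic-rate community. The redirect next-hop form is not encoded here.

```python
"""RFC 5575 wire encoding of one FlowSpec Route Injector rule.

Added example, not BIG-IP code. Input uses the rule's match and action
field names from this profile; output is the FlowSpec NLRI plus the
extended community carried in the advertisement. IPv4 only, as in RFC 5575.
"""
import ipaddress
import struct

# Component types (RFC 5575 section 4); they must appear in ascending order.
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT, DSCP = 1, 2, 3, 4, 5, 6, 11
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "sctp": 132}
PORT_PROTOS = {"tcp", "udp", "sctp"}  # the only protocols a port match may be combined with


def _numeric_op(value, lt=False, gt=False, eq=False, and_prev=False, end=False):
    """Numeric operator byte (bits: end, and, len, 0, lt, gt, eq) + 1/2/4-byte value."""
    if value < 0x100:
        size, fmt = 0, ">B"
    elif value < 0x10000:
        size, fmt = 1, ">H"
    else:
        size, fmt = 2, ">I"
    op = (end << 7) | (and_prev << 6) | (size << 4) | (lt << 2) | (gt << 1) | int(eq)
    return bytes([op]) + struct.pack(fmt, value)


def _numeric_list(ctype, items):
    """'a OR b OR lo..hi': ints are equality terms, (lo, hi) tuples become >=lo AND <=hi."""
    out = bytearray([ctype])
    for i, item in enumerate(items):
        last = i == len(items) - 1
        if isinstance(item, tuple):
            lo, hi = item
            out += _numeric_op(lo, gt=True, eq=True)
            out += _numeric_op(hi, lt=True, eq=True, and_prev=True, end=last)
        else:
            out += _numeric_op(item, eq=True, end=last)
    return bytes(out)


def _prefix(ctype, cidr):
    """Prefix component: type, prefix length, then only the significant octets."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("RFC 5575 FlowSpec covers IPv4 only")
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]


def encode_nlri(match):
    """FlowSpec NLRI from a dict keyed by the profile's match field names."""
    if "ports" in match and ("destination-ports" in match or "source-ports" in match):
        raise ValueError("ports is mutually exclusive with destination-ports/source-ports")
    protos = [p.lower() for p in match.get("ip-protocols", [])]
    has_ports = any(k in match for k in ("ports", "destination-ports", "source-ports"))
    if has_ports and not set(protos) <= PORT_PROTOS:
        raise ValueError("a port match is only valid with TCP, UDP or SCTP")
    if any(not 0 <= d <= 63 for d in match.get("dscp-values", [])):
        raise ValueError("dscp-values must be within 0..63")
    parts = []
    if "destination-address" in match:
        parts.append(_prefix(DST_PREFIX, match["destination-address"]))
    if "source-address" in match:
        parts.append(_prefix(SRC_PREFIX, match["source-address"]))
    if protos:
        parts.append(_numeric_list(IP_PROTO, [PROTO_NUMBERS[p] for p in protos]))
    for key, ctype in (("ports", PORT), ("destination-ports", DST_PORT),
                       ("source-ports", SRC_PORT), ("dscp-values", DSCP)):
        if key in match:
            parts.append(_numeric_list(ctype, match[key]))
    body = b"".join(parts)
    if len(body) < 240:
        return bytes([len(body)]) + body                 # one-octet length
    return struct.pack(">H", 0xF000 | len(body)) + body  # two-octet length, high nibble set


def encode_action(action, local_as=0):
    """Transitive extended community (RFC 5575 section 7) for the rule's action."""
    kind = action.get("type", "redirect")  # the profile's default action type
    if kind == "drop":                      # drop is traffic-rate with 0 bytes/sec
        return struct.pack(">BBHf", 0x80, 0x06, local_as, 0.0)
    if kind == "rate-limit":                # traffic-rate: 2-byte AS, float bytes/sec
        return struct.pack(">BBHf", 0x80, 0x06, local_as, float(action["rate-limit"]))
    if kind == "redirect":                  # redirect to VRF: route target AA:NNN
        aa, nnn = (int(x) for x in action["asn-community"].split(":"))
        return struct.pack(">BBHI", 0x80, 0x08, aa, nnn)
    if kind == "qos":                       # traffic-marking: DSCP in the last octet
        dscp = action.get("dscp-value", 0)
        if not 0 <= dscp <= 63:
            raise ValueError("dscp-value must be within 0..63")
        return struct.pack(">BB5xB", 0x80, 0x09, dscp)
    raise ValueError("unknown action type: " + str(kind))


def encode_rule(rule, local_as=0):
    """(nlri, extended_community) for one rule of the profile."""
    return encode_nlri(rule["match"]), encode_action(rule["action"], local_as)


# Constructed sample: blackhole UDP/53 towards 192.0.2.0/24, advertised from local-as 60000.
BLACKHOLE = {"match": {"destination-address": "192.0.2.0/24",
                       "ip-protocols": ["udp"], "destination-ports": [53]},
             "action": {"type": "drop"}}
```

Calling encode_rule(BLACKHOLE, local_as=60000) yields the NLRI 0b 01 18 c0 00 02 03 81 11 05 81 35 (destination prefix, protocol 17, destination port 53) and the community 80 06 ea 60 00 00 00 00. The mutual-exclusion and protocol checks mirror the constraints stated for the ports, destination-ports, source-ports and ip-protocols fields, so a rule the profile would reject is rejected before anything is encoded.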
peer-group
Specifies peer group settings that are inherited by each neighbor
unless overridden specifically for that neighbor.
adj-out
Enable/Disable BGP adj-rib-out feature. Default is enabled.
bgp-multiple-instance
Enable/Disable BGP multiple instance capability. Default is
disabled.
extended-asn-cap
Enable/Disable Extended ASN capability (i.e. send 4-byte
ASN). Default is enabled.
graceful-restart
Enable/Disable graceful restart capability. Default is
disabled.
graceful-restart-time
Specifies the graceful restart time (the maximum time the
neighbor(s) need to restart).
hold-time
Specifies the hold time (max time that can elapse between
messages from peer). Default is 90 seconds.
local-address
Specifies the local address (on the BIG-IP) used to initiate
BGP connection(s) with peers.
local-as
Specifies the BGP Local AS number.
remote-as
Specifies the BGP Remote AS number.
router-id
Specifies the BGP Router ID to be used in BGP OPEN message
when initiating BGP connection with peers. Router ID is an
IPv4 address.
security-log-profile
Specifies log publisher name used for this FlowSpec Route Injector
profile.
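The options advertisement-ttl-from-now, expiry-time, remove-config-upon-expiry, max-flowspec-routes-limit and the flowspec.max.expired_and_saved_rules DB variable together define the life of a rule: advertised (if the profile has capacity), withdrawn at expiry, and then either deleted or kept in the configuration up to a cap. The following is an added example, not BIG-IP code: an in-memory model of that lifecycle driven by a simulated clock in minutes, using only the defaults and ranges stated above. Class and method names are this example's own, and since the page does not say which saved rule is dropped once the expired-rule cap is exceeded, evicting the oldest expired rule is an assumption made here.

```python
"""Rule lifecycle in a FlowSpec Route Injector profile: advertisement-ttl-from-now,
expiry-time, remove-config-upon-expiry, max-flowspec-routes-limit and the
flowspec.max.expired_and_saved_rules DB variable.

Added example, not BIG-IP code: an in-memory model driven by a simulated clock
in minutes. The page does not say which saved rule is dropped once the
expired-rule cap is exceeded; evicting the oldest is this example's assumption.
"""
from dataclasses import dataclass

DEFAULT_TTL = 5               # advertisement-ttl-from-now default, minutes
ROUTES_LIMIT_DEFAULT = 10000  # max-flowspec-routes-limit default (allowed 100..10000)
EXPIRED_SAVED_DEFAULT = 100   # flowspec.max.expired_and_saved_rules default (0..1000)


@dataclass
class Rule:
    name: str
    creation_time: int
    expiry_time: int
    remove_config_upon_expiry: bool = True
    advertised: bool = False


class RouteInjectorProfile:
    def __init__(self, max_routes=ROUTES_LIMIT_DEFAULT, max_expired_saved=EXPIRED_SAVED_DEFAULT):
        if not 100 <= max_routes <= 10000:
            raise ValueError("max-flowspec-routes-limit must be within 100..10000")
        if not 0 <= max_expired_saved <= 1000:
            raise ValueError("flowspec.max.expired_and_saved_rules must be within 0..1000")
        self.max_routes = max_routes
        self.max_expired_saved = max_expired_saved
        self.rules = {}        # name -> Rule, live and expired-but-saved alike
        self.withdrawals = []  # (time, name) withdrawals sent to upstream peers

    def advertised_count(self):
        return sum(r.advertised for r in self.rules.values())

    def add_rule(self, name, now, ttl=None, expiry_time=None, remove_config_upon_expiry=True):
        """Create and advertise a rule. ttl (minutes) and expiry_time are mutually exclusive."""
        if ttl is not None and expiry_time is not None:
            raise ValueError("advertisement-ttl-from-now is mutually exclusive with expiry-time")
        if expiry_time is None:
            expiry_time = now + (DEFAULT_TTL if ttl is None else ttl)  # ttl 0: expires at once
        if self.advertised_count() >= self.max_routes:
            raise RuntimeError("max-flowspec-routes-limit reached; rule not advertised")
        rule = Rule(name, now, expiry_time, remove_config_upon_expiry, advertised=True)
        self.rules[name] = rule
        return rule

    def tick(self, now):
        """Withdraw every advertised rule whose expiry-time has been reached; return their names."""
        expired = [r for r in self.rules.values() if r.advertised and r.expiry_time <= now]
        for r in expired:
            r.advertised = False
            self.withdrawals.append((now, r.name))
            if r.remove_config_upon_expiry:
                del self.rules[r.name]  # default: the config entry goes with the route
        self._trim_saved()
        return [r.name for r in expired]

    def _trim_saved(self):
        """Keep at most max_expired_saved expired rules in the config (oldest evicted; assumption)."""
        saved = sorted((r for r in self.rules.values() if not r.advertised),
                       key=lambda r: r.expiry_time)
        for r in saved[:max(0, len(saved) - self.max_expired_saved)]:
            del self.rules[r.name]
```

A rule added with ttl=0 is withdrawn on the next tick, a rule added with the default TTL expires five minutes after creation, and a rule with remove_config_upon_expiry=False survives its withdrawal in the rules table until the expired-rule cap forces it out.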
SEE ALSO
create, edit, list, modify, security, security scrubber, security
scrubber profile, security blacklist-publisher profile
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008, 2012-2013, 2015, 2017. All
rights reserved.