security flowspec-route-injector profile

security flowspec-route-injector profile(1)	  BIG-IP TMSH Manual	  security flowspec-route-injector profile(1)

NAME
       profile - Configures a Security FlowSpec Route Injector profile

MODULE
       security flowspec-route-injector

SYNTAX
       Manage profile component within the security flowspec-route-injector module using the syntax shown in the
       following sections.

   CREATE/MODIFY
	create profile [name]
	modify profile [name]
	 options:
	  app-service [[string] | none]
	  description [string]
	  max-flowspec-routes-limit [integer]
	  neighbor [add | delete | modify | none | replace-all-with] {
	      [IP Address] {
		  adj-out		[disabled | enabled]
		  bgp-multiple-instance [disabled | enabled]
		  extended-asn-cap	[disabled | enabled]
		  graceful-restart	[disabled | enabled]
		  graceful-restart-time [integer]
		  hold-time		[integer]
		  local-address 	[IP Address]
		  local-as		[integer]
		  remote-as		[integer]
		  router-id		[IPv4 Address]
	      }
	  }
	  rules [add | delete | modify | none | replace-all-with] {
	     [name] {
		action {
		   dscp-value [integer]
		   next-hop [IP Address]
		   rate-limit [integer]
		   asn-community [string]
		   type [drop | redirect | rate-limit | qos]
		}
		alias [string]
		app-service [string]
		advertisement-ttl-from-now [integer]
		description [string]
		remove-config-upon-expiry [bool]
		match {
		   destination-address [IP Address]
		   destination-ports [list of ports / port-ranges]
		   dscp-values [list of integers]
		   icmp-codes [list of integers]
		   icmp-types [list of integers]
		   ip-fragments [list of integers]
		   ip-protocols [list of protocols]
		   packet-lengths [list of integers / integer-ranges]
		   ports [list of ports / port-ranges]
		   source-address [IP Address]
		   source-ports [list of ports / port-ranges]
		   tcp-flags {
		       bitwise-and-fields [list of integers]
		       bitwise-or-fields [list of integers]
		   }
		}
	     }
	  }
	  route-domain [name]
	  peer-group {
		  adj-out		[disabled | enabled]
		  bgp-multiple-instance [disabled | enabled]
		  extended-asn-cap	[disabled | enabled]
		  graceful-restart	[disabled | enabled]
		  graceful-restart-time [integer]
		  hold-time		[integer]
		  local-address 	[IP Address]
		  local-as		[integer]
		  remote-as		[integer]
		  router-id		[IPv4 Address]
	  }
	  security-log-profile [string]

	edit profile
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list profile
	show running-config profile

DESCRIPTION
       The profile component under security flowspec-route-injector manages a Security FlowSpec Route Injector
       profile (unique per route domain instance). The AFM/DHD module uses the profile to advertise routes that
       match on source/destination IP, source/destination port, protocol and similar criteria, for blackholing
       and scrubbing use cases, via the BGP FlowSpec mechanism (RFC 5575).

EXAMPLES
       create profile p1
	 neighbor add {
	     10.128.10.128 {
		 local-address 10.128.10.169
	     }
	 }
	 peer-group {
	     local-as 60000
	     remote-as 60000
	     router-id 1.1.1.1
	 }
	 route-domain 0

       Creates a security flowspec-route-injector profile p1 bound to route-domain 0 and adds one BGP peer
       neighbor, 10.128.10.128. Attributes shared by all neighbors in the profile (unless overridden for a
       specific neighbor) are defined using the peer-group settings.

       modify profile p1 peer-group { graceful-restart enabled graceful-restart-time 120 }

       Modifies profile p1, enabling graceful-restart and setting graceful-restart-time to 120 on the peer-group.

       list profile

       Displays the current list of configured security flowspec-route-injector profiles.

OPTIONS
       description
	    User defined description.

       advertisement-ttl-from-now
	    Specifies, per rule, the duration (in minutes) after which the FlowSpec route is withdrawn. The
	    default is 5 minutes. A value of 0 expires the rule immediately and withdraws it from the upstream
	    routers.

	    This is a write-only setting: the system uses it to calculate the rule's expiry-time, and it is
	    mutually exclusive with expiry-time.

       max-flowspec-routes-limit
	    Specifies the maximum number of FlowSpec routes that can be advertised simultaneously per FlowSpec
	    profile (or route domain) instance. The minimum allowed value is 100 and the maximum is 10,000, which
	    is also the default.

       neighbor
	    Adds, modifies or deletes BGP peer neighbor configuration. Each neighbor is uniquely identified by
	    its IP address, which is used as the neighbor's name.

	    description
		 User defined description.

	    adj-out
		 Enable/Disable BGP adj-rib-out feature. Default is enabled.

	    bgp-multiple-instance
		 Enable/Disable BGP multiple instance capability. Default is disabled.

	    extended-asn-cap
		 Enable/Disable Extended ASN capability (i.e. send 4-byte ASN).  Default is enabled.

	    graceful-restart
		 Enable/Disable graceful restart capability. Default is disabled.

	    graceful-restart-time
		 Specifies graceful restart time (max time needed for Neighbor(s) to restart).

	    hold-time
		 Specifies the hold time (max time that can elapse between messages from peer). Default is 90
		 seconds.

	    local-address
		 Specifies the local address (on the BIG-IP system) used to initiate BGP connections with peers.

	    local-as
		 Specifies the BGP Local AS number.

	    remote-as
		 Specifies the BGP Remote AS number.

	    router-id
		 Specifies the BGP Router ID to be used in BGP OPEN message when initiating BGP connection with
		 peers. Router ID is an IPv4 address.

       route-domain
	    Specifies the name of the route domain used by the Security FlowSpec Route Injector profile. This
	    field is required when the profile is created and cannot be changed afterwards.

       rules
	    Specifies configuration of rules that can be advertised per FlowSpec profile.

	    action
		 Specifies BGP FlowSpec Advertisement Action configuration.

		 dscp-value
		      Specifies the BGP FlowSpec DSCP value for advertisement qos action. The default is 0. The valid
		      range is 0 ~ 63 inclusive.

		 next-hop
		      Specifies BGP FlowSpec redirection next hop address

		 rate-limit
		      Specifies the BGP FlowSpec rate limit (bytes/sec) for advertisement rate limiting action.

		 asn-community
		      Specifies the BGP Extended Community value (in the format AA:NNN, where AA is a 16-bit number
		      and NNN is a 32-bit number) used for redirect-to-VRF when the BGP FlowSpec advertisement action
		      is redirect.

		 type
		      Specifies the BGP FlowSpec Advertisement Action type for this rule. The default is redirect.

	    alias
		 Specifies the alias name of this rule.

	    app-service
		 The application service that the object belongs to.

	    creation-time
		 The time when this rule was created. This field is not user-configurable.

	    description
		 User defined description.

	    expiry-time
		 The time at which this rule expires.

		 This field is mutually exclusive with advertisement-ttl-from-now. If the user specifies
		 advertisement-ttl-from-now, expiry-time is calculated from it.

	    last-modified-time
		 The time when this rule was last modified. This field is not user-configurable.

	    remove-config-upon-expiry
		 Specifies whether this rule is automatically removed when it reaches its expiry time. The default
		 is true. If it is set to false, the user must remove the rule manually when it is no longer needed.

		 The maximum allowed expired rules per profile in database is defined by DB variable,
		 flowspec.max.expired_and_saved_rules (min = 0, max = 1000, default = 100).

	    match
		 Specifies BGP FlowSpec matching criteria configuration.

		 destination-address
		      Specifies the destination address/prefix to match in packets.

		 destination-ports
		      Specifies a list of ports that matches destination TCP/UDP ports in packets.

		      This destination-ports configuration is mutually exclusive with the ports field.

		 dscp-values
		      Specifies a list of DSCP values to match in packets. The valid range for each of DSCP value in
		      the list must be within 0 ~ 63 inclusive.

		 icmp-codes
		      Specifies a list of ICMP codes to match in packets.

		 icmp-types
		      Specifies a list of ICMP types to match in packets.

		 ip-fragments
		      Specifies a list of IP fragments to match in packets.

		 ip-protocols
		      Specifies a set of protocol values that are matched against the IP protocol byte of IP
		      packets. The valid protocols are ICMP, TCP, UDP, and SCTP. If a port match (ports, source-ports
		      or destination-ports) is specified, the valid protocols are TCP, UDP, and SCTP.

		 packet-lengths
		      Specifies a list of packet lengths (singleton or a range) to match. Packet Length includes L3
		      (header) size in addition to payload length.

		 ports
		      Specifies a list of ports that matches source OR destination TCP/UDP ports in packets.

		      This ports configuration is mutually exclusive with destination-ports and source-ports.

		 source-address
		      Specifies the source address/prefix to match in packets.

		 source-ports
		      Specifies a list of ports that matches source TCP/UDP ports in packets.

		      This source-ports configuration is mutually exclusive with the ports field.

		 tcp-flags
		      Specifies lists of TCP flags to match in packets.

		      bitwise-and-fields
			   Specifies a bitwise AND list of TCP flags to match in packets.

		      bitwise-or-fields
			   Specifies a bitwise OR list of TCP flags to match in packets.
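
       The rule options above, together with the EXAMPLES section, are enough to generate rules
       programmatically, which is how a DDoS detection pipeline would normally feed this profile. The
       following Python is an added example, not part of this manual or of F5's code: it validates a rule
       against the constraints the manual states (the DSCP range, the ports/source-ports/destination-ports
       exclusion, the ICMP-with-ports restriction, the asn-community format, the TTL and route-limit ranges)
       and renders the tmsh "modify ... rules add" line. The profile name p1, the rule names, the addresses
       and all helper names are constructed for illustration; the code does not talk to a BIG-IP, so the
       printed line is what you would paste into tmsh.

```python
"""Build and validate a tmsh 'rules add' line for a BIG-IP security flowspec-route-injector
profile.  Added example, not F5 code: it enforces the constraints this manual states (dscp 0..63,
ports exclusive with source-/destination-ports, ICMP not valid with a port match, TTL >= 0 with a
5-minute default, asn-community AA:NNN with 16-bit AA / 32-bit NNN, max-flowspec-routes-limit
100..10000).  Rule names, addresses and helper names are constructed for illustration."""
import ipaddress
import re

PORT_PROTOCOLS = {"tcp", "udp", "sctp"}
ALL_PROTOCOLS = PORT_PROTOCOLS | {"icmp"}
ACTION_TYPES = {"drop", "redirect", "rate-limit", "qos"}


def _check_ports(spec):  # entries are single ports ('53') or ranges ('1024-65535')
    for p in spec:
        lo, _, hi = str(p).partition("-")
        if not 0 <= int(lo) <= int(hi or lo) <= 65535:
            raise ValueError(f"bad port spec {p!r}")


def validate_rule(rule):
    """Raise ValueError on a documented-constraint violation; return True otherwise."""
    match, action = rule.get("match", {}), rule.get("action", {})
    for key in [k for k in ("source-address", "destination-address") if k in match]:
        ipaddress.ip_network(match[key], strict=False)
    port_keys = [k for k in ("ports", "source-ports", "destination-ports") if k in match]
    if "ports" in port_keys and len(port_keys) > 1:
        raise ValueError("ports is mutually exclusive with source-ports/destination-ports")
    for k in port_keys:
        _check_ports(match[k])
    protos = {str(p).lower() for p in match.get("ip-protocols", [])}
    if not protos <= ALL_PROTOCOLS:
        raise ValueError(f"unsupported ip-protocols {sorted(protos - ALL_PROTOCOLS)}")
    if port_keys and not protos <= PORT_PROTOCOLS:
        raise ValueError("a port match only allows tcp, udp and sctp")
    if any(not 0 <= int(d) <= 63 for d in match.get("dscp-values", [])):
        raise ValueError("dscp-values must be within 0..63")
    atype = action.get("type", "redirect")  # manual: default action type is redirect
    if atype not in ACTION_TYPES:
        raise ValueError(f"unknown action type {atype!r}")
    if atype == "qos" and not 0 <= int(action.get("dscp-value", 0)) <= 63:
        raise ValueError("dscp-value must be within 0..63")
    if atype == "rate-limit" and int(action.get("rate-limit", -1)) < 0:
        raise ValueError("rate-limit (bytes/sec) must be a non-negative integer")
    if "asn-community" in action:
        m = re.fullmatch(r"(\d+):(\d+)", str(action["asn-community"]))
        if not m or int(m[1]) > 0xFFFF or int(m[2]) > 0xFFFFFFFF:
            raise ValueError("asn-community must be AA:NNN (16-bit AA, 32-bit NNN)")
    if int(rule.get("advertisement-ttl-from-now", 5)) < 0:
        raise ValueError("advertisement-ttl-from-now must be >= 0 (0 withdraws at once)")
    return True


def is_valid(rule):
    """Exception-free wrapper around validate_rule."""
    try:
        return validate_rule(rule)
    except ValueError:
        return False


def _tmsh_value(v):
    """Nested dicts become { k v ... } blocks, lists become { a b ... } sets."""
    if isinstance(v, dict):
        return "{ " + " ".join(f"{k} {_tmsh_value(x)}" for k, x in v.items()) + " }"
    if isinstance(v, (list, tuple)):
        return "{ " + " ".join(str(x) for x in v) + " }"
    return str(v)


def rules_add_command(profile, rules, max_routes=10000):
    """Validate each rule and return one 'modify ... rules add { ... }' tmsh line.  Only this
    batch is counted against max_routes; the device also counts routes it already advertises."""
    if not 100 <= max_routes <= 10000:
        raise ValueError("max-flowspec-routes-limit must be within 100..10000")
    if len(rules) > max_routes:
        raise ValueError(f"{len(rules)} rules exceed max-flowspec-routes-limit {max_routes}")
    body = " ".join(f"{name} {_tmsh_value(r)}" for name, r in rules.items() if validate_rule(r))
    return f"modify security flowspec-route-injector profile {profile} rules add {{ {body} }}"


# Constructed sample: blackhole a UDP/53 flood source aimed at a DNS VIP for 30 minutes,
# and rate-limit a scanning host to 1 MB/s on two service ports for 10 minutes.
SAMPLE_RULES = {
    "drop-dns-flood": {
        "advertisement-ttl-from-now": 30,
        "remove-config-upon-expiry": "true",
        "match": {"source-address": "198.51.100.0/24", "destination-address": "203.0.113.10/32",
                  "ip-protocols": ["udp"], "destination-ports": ["53"]},
        "action": {"type": "drop"},
    },
    "police-scanner": {
        "advertisement-ttl-from-now": 10,
        "match": {"source-address": "192.0.2.77/32", "ip-protocols": ["tcp"], "ports": ["22", "3389"]},
        "action": {"type": "rate-limit", "rate-limit": 1000000},
    },
}

if __name__ == "__main__":
    print(rules_add_command("p1", SAMPLE_RULES))
```

       Because every rule carries advertisement-ttl-from-now, a rule pushed by automation withdraws itself
       if the operator forgets it; the validator rejects a negative TTL rather than letting the device
       decide, and it refuses a batch larger than max-flowspec-routes-limit before any route is sent.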

       peer-group
	    Specifies peer group settings that are inherited by each neighbor unless overridden specifically for that
	    neighbor.

	    adj-out
		 Enable/Disable BGP adj-rib-out feature. Default is enabled.

	    bgp-multiple-instance
		 Enable/Disable BGP multiple instance capability. Default is disabled.

	    extended-asn-cap
		 Enable/Disable Extended ASN capability (i.e. send 4-byte ASN).  Default is enabled.

	    graceful-restart
		 Enable/Disable graceful restart capability. Default is disabled.

	    graceful-restart-time
		 Specifies graceful restart time (max time needed for Neighbor(s) to restart).

	    hold-time
		 Specifies the hold time (max time that can elapse between messages from peer). Default is 90
		 seconds.

	    local-address
		 Specifies the local address (on the BIG-IP system) used to initiate BGP connections with peers.

	    local-as
		 Specifies the BGP Local AS number.

	    remote-as
		 Specifies the BGP Remote AS number.

	    router-id
		 Specifies the BGP Router ID to be used in BGP OPEN message when initiating BGP connection with
		 peers. Router ID is an IPv4 address.
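
       The peer-group inheritance described here (and in the EXAMPLES section) is easy to get wrong when a
       profile has several neighbors. The following Python is an added example, not part of this manual or
       of F5's code: it resolves each neighbor's effective settings from the manual's stated defaults, the
       peer-group and the per-neighbor overrides, applies two checks that are this example's own assumptions
       (an AS number above 65535 is refused unless extended-asn-cap is enabled, and hold-time must be 0 or at
       least 3 seconds as RFC 4271 requires), and renders the tmsh "create" line from the EXAMPLES section.
       The neighbor addresses and helper names are constructed.

```python
"""Resolve the effective BGP settings of every neighbor in a BIG-IP security
flowspec-route-injector profile and emit the tmsh 'create' line.  Added example, not F5 code.
The defaults are the ones this manual states (adj-out enabled, bgp-multiple-instance disabled,
extended-asn-cap enabled, graceful-restart disabled, hold-time 90).  Two checks are this
example's own assumptions: a 4-byte AS number is rejected unless extended-asn-cap is enabled,
and hold-time must be 0 or >= 3 seconds as RFC 4271 requires.  Addresses are constructed."""
import ipaddress

MANUAL_DEFAULTS = {
    "adj-out": "enabled",
    "bgp-multiple-instance": "disabled",
    "extended-asn-cap": "enabled",
    "graceful-restart": "disabled",
    "hold-time": 90,
}


def effective_neighbor(peer_group, neighbor):
    """Precedence, lowest to highest: manual defaults, peer-group, per-neighbor values."""
    eff = dict(MANUAL_DEFAULTS)
    eff.update(peer_group)
    eff.update(neighbor)
    for key in ("local-as", "remote-as"):
        if key not in eff:
            raise ValueError(f"{key} is set neither in peer-group nor on the neighbor")
        asn = int(eff[key])
        if not 1 <= asn <= 0xFFFFFFFF:
            raise ValueError(f"{key} {asn} is outside 1..4294967295")
        # Assumption of this example: without the 4-byte ASN capability the OPEN
        # message cannot carry an AS above 65535, so refuse the combination early.
        if asn > 0xFFFF and eff["extended-asn-cap"] != "enabled":
            raise ValueError(f"{key} {asn} requires extended-asn-cap enabled")
    if "router-id" in eff:
        ipaddress.IPv4Address(eff["router-id"])  # manual: router-id is an IPv4 address
    if "local-address" in eff:
        ipaddress.ip_address(eff["local-address"])
    if eff["graceful-restart"] == "enabled" and "graceful-restart-time" not in eff:
        raise ValueError("graceful-restart enabled without graceful-restart-time")
    hold = int(eff["hold-time"])
    if hold != 0 and hold < 3:  # RFC 4271 section 4.2: zero or at least three seconds
        raise ValueError(f"hold-time {hold} is invalid")
    return eff


def neighbor_ok(peer_group, neighbor):
    """Exception-free wrapper around effective_neighbor."""
    try:
        effective_neighbor(peer_group, neighbor)
        return True
    except ValueError:
        return False


def _kv(d):
    return " ".join(f"{k} {v}" for k, v in d.items())


def create_command(profile, route_domain, peer_group, neighbors):
    """Validate each neighbor's effective settings, then build the tmsh create line."""
    for addr, nb in neighbors.items():
        ipaddress.ip_address(addr)  # the neighbor's IP address is its name
        effective_neighbor(peer_group, nb)
    nb_text = " ".join(f"{addr} {{ {_kv(nb)} }}" for addr, nb in neighbors.items())
    return (f"create security flowspec-route-injector profile {profile} "
            f"neighbor add {{ {nb_text} }} peer-group {{ {_kv(peer_group)} }} "
            f"route-domain {route_domain}")


# Constructed sample mirroring the EXAMPLES section: one iBGP peer with the shared AS and
# router-id in the peer-group, plus a second peer that overrides hold-time for itself only.
PEER_GROUP = {"local-as": 60000, "remote-as": 60000, "router-id": "1.1.1.1"}
NEIGHBORS = {
    "10.128.10.128": {"local-address": "10.128.10.169"},
    "10.128.10.129": {"local-address": "10.128.10.169", "hold-time": 180},
}

if __name__ == "__main__":
    for addr, nb in NEIGHBORS.items():
        print(addr, effective_neighbor(PEER_GROUP, nb))
    print(create_command("p1", 0, PEER_GROUP, NEIGHBORS))
```

       Resolving the effective values before pushing the configuration catches the common mistake of
       enabling graceful-restart on one neighbor without a graceful-restart-time, or of changing
       extended-asn-cap on the peer-group while a neighbor still relies on a 4-byte AS number.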

       security-log-profile
	    Specifies log publisher name used for this FlowSpec Route Injector profile.

SEE ALSO
       create, edit, list, modify, security, security scrubber, security scrubber profile, security blacklist-
       publisher profile

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008, 2012-2013, 2015, 2017. All rights reserved.

BIG-IP						      2018-12-28	  security flowspec-route-injector profile(1)