
flow (IPv6)

Syntax

Hierarchy Level

Description

Configure the BGP flow specification for the IPv6 address family to automate coordination of traffic filtering rules and to propagate traffic flow specification rules for IPv6 and IPv6 VPN, in order to mitigate distributed denial-of-service attacks. Flow specification protects against denial-of-service attacks by restricting bad traffic that consumes bandwidth and stopping it near the source.

Note:

To propagate IPv6 flow specification routes through BGP, enable family inet6 flow or inet6-vpn flow at the [edit protocols bgp family] hierarchy level on BGP routers in the network.

Options

discard-action-for-unresolved-redir-addr

Configure the discard action for BGP flow specification routes that were not resolved using the redirect to IP action.

interface-group group <exclude>

Do not apply the flowspec filter to traffic received on specific interfaces. Use exclude to specify the interface group where you do not want to receive the traffic.

per-route-accounting

Enable traffic accounting per flowspec route.

no-per-route-accounting

Disable traffic accounting per flowspec route.

destination ipv6-prefix

IP destination address field.

destination-port destination-port-names

TCP or User Datagram Protocol (UDP) destination port field. You cannot specify both the port and destination-port match conditions in the same term.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), or zephyr-hm (2104).

dscp value

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP.

  • Range: You can specify DSCP in hexadecimal or decimal form from 0 through 63.

flow-label numeric-expression

The value of this field ranges from 0 through 1048575.

This match condition is supported only on Junos devices with enhanced MPCs that are configured for enhanced-ip mode.

fragment fragment-value

The keywords are grouped by the fragment type with which they are associated:

  • first-fragment

  • is-fragment

  • last-fragment

  • not-a-fragment

This match condition is supported only on Junos devices with enhanced MPCs that are configured for enhanced-ip mode.

icmp6-code icmp6-code-value

ICMP6 code field. This value or keyword provides more specific information than icmp6-type. Because the value’s meaning depends on the associated icmp6-type value, you must specify icmp6-type along with icmp6-code.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • parameter-problem: ip-header-bad (0), required-option-missing (1)

  • redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)

  • time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)

  • unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)

icmp6-type icmp6-type-value

ICMP6 packet type field. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).

packet-length packet-length

Total IP packet length. The value can range from 0 through 65535.

port port-names

TCP or UDP source or destination port field. You cannot specify both the port match condition and either the destination-port or source-port match condition in the same term.

In place of the numeric value, you can specify one of the text synonyms listed under destination-port.

prefix-offset number

(Optional) Specify the number of bits that must be skipped before Junos OS starts matching the prefix.

This match condition is supported only on Junos devices with enhanced MPCs that are configured for enhanced-ip mode.

protocol number

For IPv6, the IP protocol field is supported only on Junos devices with MPCs that are configured for enhanced-ip mode. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), tcp (6), or udp (17).

source ipv6-prefix

IP source address field.

source-port source-port-names

TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term.

In place of the numeric field, you can specify one of the text synonyms listed under destination-port.

tcp-flags tcp-flags

TCP header format.

no-install

Prohibit installing received routes in the forwarding table.

accept

Accept a packet. This is the default value.

community name

Replace any communities in the route with the specified communities.

discard

Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message.

mark value

Set a DSCP value for traffic that matches this flow. Specify a value from 0 through 63.

This action is supported only on Junos devices with MPCs that are configured for enhanced-ip mode.

Note:

Junos OS supports the traffic-marking extended BGP community as a filtering action. For IPv4 traffic, Junos OS modifies the DiffServ code point (DSCP) bits of a transiting IPv4 packet to the corresponding value of the extended community. For IPv6 packets, Junos OS modifies the first six bits of the traffic class field of the transiting IPv6 packet to the corresponding value of the extended community.

redirect

Redirect (tunnel) this flow's traffic to the given next-hop address.

next-term

Continue to the next match condition for evaluation.

rate-limit rate-limit

Limit the bandwidth on the flow route. Express the limit in bits per second (bps).

routing-instance route-target-extended-community

Specify a routing instance to which packets are forwarded.

sample

Sample the traffic on the flow route.

traceoptions

Define tracing operations that track all routing protocol functionality in the routing device.
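
The option descriptions above carry several constraints (mutually exclusive port conditions, icmp6-code needing icmp6-type, value ranges, enhanced-ip dependencies) that are easy to miss when a mitigation rule is written under pressure. The following is an added example, not Juniper code: a pre-commit check of a candidate flow route against those constraints. The function name lint_flow_route, the dict layout for match and then, and the sample prefixes are assumptions of the example.

```python
import ipaddress

# Inclusive ranges taken from the option descriptions on this page.
RANGES = {"dscp": (0, 63), "flow-label": (0, 1048575), "packet-length": (0, 65535)}
FRAGMENT_KEYWORDS = {"first-fragment", "is-fragment", "last-fragment", "not-a-fragment"}
# Match conditions the page ties to MPCs running in enhanced-ip mode.
ENHANCED_IP_MATCH = {"flow-label", "fragment", "prefix-offset", "protocol"}


def lint_flow_route(match, then, enhanced_ip=True):
    """Return a list of problems for one flow route; empty means it passed.

    match/then are plain dicts with numeric values already parsed to int.
    This dict layout is an assumption of the example, not Junos syntax.
    """
    problems = []
    for key in ("destination", "source"):
        if key in match:
            try:
                ipaddress.IPv6Network(match[key], strict=False)
            except ValueError:
                problems.append(f"{key} {match[key]} is not an IPv6 prefix")
    # port cannot share a term with destination-port or source-port.
    for other in ("destination-port", "source-port"):
        if "port" in match and other in match:
            problems.append(f"port and {other} in the same term")
    # icmp6-code only has meaning alongside icmp6-type.
    if "icmp6-code" in match and "icmp6-type" not in match:
        problems.append("icmp6-code without icmp6-type")
    for key, (low, high) in RANGES.items():
        if key in match and not low <= match[key] <= high:
            problems.append(f"{key} {match[key]} outside {low}-{high}")
    if match.get("fragment", "is-fragment") not in FRAGMENT_KEYWORDS:
        problems.append(f"unknown fragment keyword {match['fragment']}")
    if "mark" in then and not 0 <= then["mark"] <= 63:
        problems.append(f"mark {then['mark']} outside 0-63")
    if not enhanced_ip:
        needs = sorted(ENHANCED_IP_MATCH.intersection(match)) + (["mark"] if "mark" in then else [])
        problems += [f"{name} requires enhanced-ip mode" for name in needs]
    return problems


# Constructed sample routes (documentation prefixes, not from the page).
GOOD = ({"destination": "2001:db8:1::/48", "protocol": "udp", "destination-port": 53}, {"discard": True})
BAD = ({"destination": "192.0.2.0/24", "port": 53, "destination-port": 53,
        "icmp6-code": 0, "dscp": 64, "flow-label": 7}, {"mark": 70})

if __name__ == "__main__":
    print(lint_flow_route(*GOOD))
    for problem in lint_flow_route(*BAD, enhanced_ip=False):
        print(problem)
```

Pass enhanced_ip=False for platforms that are not running enhanced-ip mode, so that rules relying on flow-label, fragment, prefix-offset, protocol or mark are flagged before they are propagated.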

Required Privilege Level

routing—To view this statement in the configuration.

routing-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 16.1.