flowspec-attribute
Syntax
flowspec-attribute name {
action {
mark;
rate-limit;
redirect;
routing-instance;
sample;
}
invert-match {
destination;
destination-port {
port-range port-range-value {
contains;
exact;
part-of;
}
port-value name {
value (afs | bgp | biff | bootpc | bootps | cmd | cvspserver | dhcp | domain | eklogin | ekshell | exec | expression | finger | ftp | ftp-data | http | https | ident | imap | kerberos-sec | klogin | kpasswd | krb-prop | krbupdate | kshell | ldap | ldp | login | mobileip-agent | mobilip-mn | msdp | netbios-dgm | netbios-ns | netbios-ssn | nfsd | nntp | ntalk | ntp | pop3 | pptp | printer | radacct | radius | rip | rkinit | smtp | snmp | snmptrap | snpp | socks | ssh | sunrpc | syslog | tacacs | tacacs-ds | talk | telnet | tftp | timed | who | xdmcp | zephyr-clt | zephyr-hm | zephyr-srv);
}
}
destination-v6-prefix-offset;
dscp {
value value;
}
flow-label {
value value;
}
fragment {
value (dont-fragment | first-fragment | is-fragment | last-fragment | not-a-fragment);
}
icmp6-code {
value (address-unreachable | administratively-prohibited | expression | ip6-header-bad | no-route-to-destination | port-unreachable | ttl-eq-zero-during-reassembly | ttl-eq-zero-during-transit | unrecognized-next-header | unrecognized-option);
}
icmp6-type {
value (destination-unreachable | echo-reply | echo-request | expression | membership-query | membership-report | membership-termination | neighbor-advertisement | neighbor-solicit | node-information-reply | node-information-request | packet-too-big | parameter-problem | redirect | router-advertisement | router-renumbering | router-solicit | time-exceeded);
}
icmp-code {
value (communication-prohibited-by-filtering | destination-host-prohibited | destination-host-unknown | destination-network-prohibited | destination-network-unknown | expression | fragmentation-needed | host-precedence-violation | host-unreachable | host-unreachable-for-tos | ip-header-bad | network-unreachable | network-unreachable-for-tos | port-unreachable | precedence-cutoff-in-effect | protocol-unreachable | redirect-for-host | redirect-for-network | redirect-for-tos-and-host | redirect-for-tos-and-net | required-option-missing | source-host-isolated | source-route-failed | ttl-eq-zero-during-reassembly | ttl-eq-zero-during-transit);
}
icmp-type {
value (echo-reply | echo-request | expression | info-reply | info-request | mask-reply | mask-request | parameter-problem | redirect | router-advertisement | router-solicit | source-quench | time-exceeded | timestamp | timestamp-reply | unreachable);
}
packet-length {
value value;
}
port {
port-range port-range-value {
contains;
exact;
part-of;
}
port-value name {
value (afs | bgp | biff | bootpc | bootps | cmd | cvspserver | dhcp | domain | eklogin | ekshell | exec | expression | finger | ftp | ftp-data | http | https | ident | imap | kerberos-sec | klogin | kpasswd | krb-prop | krbupdate | kshell | ldap | ldp | login | mobileip-agent | mobilip-mn | msdp | netbios-dgm | netbios-ns | netbios-ssn | nfsd | nntp | ntalk | ntp | pop3 | pptp | printer | radacct | radius | rip | rkinit | smtp | snmp | snmptrap | snpp | socks | ssh | sunrpc | syslog | tacacs | tacacs-ds | talk | telnet | tftp | timed | who | xdmcp | zephyr-clt | zephyr-hm | zephyr-srv);
}
}
protocol {
value (ah | egp | esp | expression | gre | icmp | icmp6 | igmp | ipip | ospf | pim | rsvp | sctp | tcp | udp);
}
source;
source-port {
port-range port-range-value {
contains;
exact;
part-of;
}
port-value name {
value (afs | bgp | biff | bootpc | bootps | cmd | cvspserver | dhcp | domain | eklogin | ekshell | exec | expression | finger | ftp | ftp-data | http | https | ident | imap | kerberos-sec | klogin | kpasswd | krb-prop | krbupdate | kshell | ldap | ldp | login | mobileip-agent | mobilip-mn | msdp | netbios-dgm | netbios-ns | netbios-ssn | nfsd | nntp | ntalk | ntp | pop3 | pptp | printer | radacct | radius | rip | rkinit | smtp | snmp | snmptrap | snpp | socks | ssh | sunrpc | syslog | tacacs | tacacs-ds | talk | telnet | tftp | timed | who | xdmcp | zephyr-clt | zephyr-hm | zephyr-srv);
}
}
source-v6-prefix-offset;
tcp-flags {
value (ack | expression | fin | push | rst | syn | urgent);
}
}
match {
destination;
destination-port {
cumulative-count (equal | orhigher | orlower) cumulative-count-value;
port-count (equal | orhigher | orlower) port-count-value;
port-range port-range-value {
contains;
exact;
part-of;
}
port-value name {
value (afs | bgp | biff | bootpc | bootps | cmd | cvspserver | dhcp | domain | eklogin | ekshell | exec | expression | finger | ftp | ftp-data | http | https | ident | imap | kerberos-sec | klogin | kpasswd | krb-prop | krbupdate | kshell | ldap | ldp | login | mobileip-agent | mobilip-mn | msdp | netbios-dgm | netbios-ns | netbios-ssn | nfsd | nntp | ntalk | ntp | pop3 | pptp | printer | radacct | radius | rip | rkinit | smtp | snmp | snmptrap | snpp | socks | ssh | sunrpc | syslog | tacacs | tacacs-ds | talk | telnet | tftp | timed | who | xdmcp | zephyr-clt | zephyr-hm | zephyr-srv);
}
range-count (equal | orhigher | orlower) range-count-value;
}
destination-v6-prefix-offset;
dscp {
value value;
}
flow-label {
value value;
}
fragment {
value (dont-fragment | first-fragment | is-fragment | last-fragment | not-a-fragment);
}
icmp6-code {
value (address-unreachable | administratively-prohibited | expression | ip6-header-bad | no-route-to-destination | port-unreachable | ttl-eq-zero-during-reassembly | ttl-eq-zero-during-transit | unrecognized-next-header | unrecognized-option);
}
icmp6-type {
value (destination-unreachable | echo-reply | echo-request | expression | membership-query | membership-report | membership-termination | neighbor-advertisement | neighbor-solicit | node-information-reply | node-information-request | packet-too-big | parameter-problem | redirect | router-advertisement | router-renumbering | router-solicit | time-exceeded);
}
icmp-code {
value (communication-prohibited-by-filtering | destination-host-prohibited | destination-host-unknown | destination-network-prohibited | destination-network-unknown | expression | fragmentation-needed | host-precedence-violation | host-unreachable | host-unreachable-for-tos | ip-header-bad | network-unreachable | network-unreachable-for-tos | port-unreachable | precedence-cutoff-in-effect | protocol-unreachable | redirect-for-host | redirect-for-network | redirect-for-tos-and-host | redirect-for-tos-and-net | required-option-missing | source-host-isolated | source-route-failed | ttl-eq-zero-during-reassembly | ttl-eq-zero-during-transit);
}
icmp-type {
value (echo-reply | echo-request | expression | info-reply | info-request | mask-reply | mask-request | parameter-problem | redirect | router-advertisement | router-solicit | source-quench | time-exceeded | timestamp | timestamp-reply | unreachable);
}
packet-length {
value value;
}
port {
cumulative-count (equal | orhigher | orlower) cumulative-count-value;
port-count (equal | orhigher | orlower) port-count-value;
port-range port-range-value {
contains;
exact;
part-of;
}
port-value name {
value (afs | bgp | biff | bootpc | bootps | cmd | cvspserver | dhcp | domain | eklogin | ekshell | exec | expression | finger | ftp | ftp-data | http | https | ident | imap | kerberos-sec | klogin | kpasswd | krb-prop | krbupdate | kshell | ldap | ldp | login | mobileip-agent | mobilip-mn | msdp | netbios-dgm | netbios-ns | netbios-ssn | nfsd | nntp | ntalk | ntp | pop3 | pptp | printer | radacct | radius | rip | rkinit | smtp | snmp | snmptrap | snpp | socks | ssh | sunrpc | syslog | tacacs | tacacs-ds | talk | telnet | tftp | timed | who | xdmcp | zephyr-clt | zephyr-hm | zephyr-srv);
}
range-count (equal | orhigher | orlower) range-count-value;
}
protocol {
value (ah | egp | esp | expression | gre | icmp | icmp6 | igmp | ipip | ospf | pim | rsvp | sctp | tcp | udp);
}
source;
source-port {
cumulative-count (equal | orhigher | orlower) cumulative-count-value;
port-count (equal | orhigher | orlower) port-count-value;
port-range port-range-value {
contains;
exact;
part-of;
}
port-value name {
value (afs | bgp | biff | bootpc | bootps | cmd | cvspserver | dhcp | domain | eklogin | ekshell | exec | expression | finger | ftp | ftp-data | http | https | ident | imap | kerberos-sec | klogin | kpasswd | krb-prop | krbupdate | kshell | ldap | ldp | login | mobileip-agent | mobilip-mn | msdp | netbios-dgm | netbios-ns | netbios-ssn | nfsd | nntp | ntalk | ntp | pop3 | pptp | printer | radacct | radius | rip | rkinit | smtp | snmp | snmptrap | snpp | socks | ssh | sunrpc | syslog | tacacs | tacacs-ds | talk | telnet | tftp | timed | who | xdmcp | zephyr-clt | zephyr-hm | zephyr-srv);
}
range-count (equal | orhigher | orlower) range-count-value;
}
source-v6-prefix-offset;
tcp-flags {
value (ack | expression | fin | push | rst | syn | urgent);
}
}
}
Hierarchy Level
[edit logical-systems name policy-options],
[edit policy-options]
Description
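Defines the attributes of a flow specification. Use this statement when configuring policies that match on flow specification conditions and take a policy action (accept or reject) accordingly, so that flow specifications are validated at the edge routers. Because an accepted flow specification determines how matching traffic is handled, a validation policy should accept only the match conditions and actions you expect to receive and reject everything else.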
Options
| name | Flowspec attribute name |
| action | Define flowspec action attributes |
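From a policy point of view, the actions listed above are policy match conditions, not policy actions. Both the ‘match’ and ‘action’ keywords describe attributes of a flow route that the policy compares against the flow route being evaluated. For example, a policy can select flow routes that carry a redirect action and then accept or reject them.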
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
routing — To view this statement in the configuration.
routing-control — To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 25.2.