Manual Chapter: Managing External Redirection Settings
Applies To: BIG-IQ Centralized Management 7.0.0
Overview of external redirection settings
You use scrubber profiles, blacklist publishers, and blacklist publisher profiles to protect your network by detecting and redirecting DoS and DDoS attacks.
You use scrubber profiles to configure network traffic scrubbing and redirection for your environment, including enabling F5 Silverline® DDoS protection. You use blacklist publisher profiles and blacklist publishers to advertise blacklists to routers in your network.
Create blacklist publishers
You create blacklist publishers to advertise blacklists to routers in your network.
- Click.
- On the Blacklist Publishers screen, click Create. The New Blacklist Publisher screen opens.
- For the Blacklist Category setting, specify the blacklist category to use.
- For the Blacklist Publisher Profile setting, select a blacklist publisher profile to use, if one is defined. Using the profile is optional. You can create blacklist publishers without using the profile.
- Save your work.
Create blacklist publisher profiles
You create a blacklist publisher profile to use with your blacklist publisher to advertise blacklists to routers in your network.
You cannot delete an unused blacklist publisher profile from a BIG-IP device version 13.0 or earlier during deployment, even though the deployment difference shows it will be deleted. Deploying the configuration again causes the blacklist publisher profile to be deleted.
- Click.
- On the Blacklist Publisher Profiles screen, click Create. The New Blacklist Publisher Profile screen opens.
- In the Name field, type the name of the profile.
- In the Description field, type a description for the profile.
- For the Route Domain setting, specify the route domain on which blacklisted addresses are advertised.
- In the Advertisement Method setting, select the method you want to use to advertise blacklisted addresses: BGP or BGP Flowspec. This setting is supported with BIG-IP devices version 14.0 or later.
- In the Advertisement Next-Hop IPv4 setting, type the next hop IPv4 address of the BGP router to which you want to advertise blacklisted addresses.
- In the Advertisement Next-Hop IPv6 setting, type the next hop IPv6 address of the BGP router to which you want to advertise blacklisted addresses.
- For the Traffic Group setting, select the traffic group on which you want to advertise blacklisted addresses. This setting is ignored when deploying to BIG-IP devices with version 13.1 or later. When the configuration with this setting is changed and then evaluated, the setting will show as a difference until the configuration is re-imported from the BIG-IP device.
- Save your work.
Edit the scrubber profile
You modify the scrubber profile to configure network traffic scrubbing, including enabling F5 Silverline® DDoS protection, if needed.
Before deploying a change to the scrubber configuration, such as changing the route domain used by the scrubber, you should make sure the scrubber is inactive on the BIG-IP device. Deploying a changed configuration while the scrubber is active on the BIG-IP device can cause the following error:
Deployment failed, with error: Cannot configure scrubber property when scrubber is active. Stop active scrubbering on scrubberName to make configuration changes.
- Click.
- On the Scrubber Profiles screen, click the device name for the scrubber profile to modify. Each BIG-IP device has only one scrubber profile.
- On the left, click Properties and modify the settings as needed.
- For the Advertisement TTL setting, specify the amount of time, in seconds, that scrubbed IP addresses are advertised to the BGP router or to Silverline DDoS protection.
  - To allow an infinite amount of time, select Infinite.
  - To allow a specific amount of time, select the other option and type the number of seconds to advertise.
- For the Silverline setting, select Enabled to use Silverline DDoS protection to offload scrubbed IP addresses, and to display the Silverline configuration properties.
  - In the URL field, type the URL of the Silverline DDoS account.
  - In the User field, type the user name for the Silverline DDoS account.
  - In the Password field, type the password for the Silverline DDoS account. In some cases, the value of the Password setting might be falsely displayed as changed when performing an evaluation prior to a deployment. This is due to encryption salt changes, and you can ignore it.
  - In the Confirm Password field, type the password for the Silverline DDoS account again to confirm it.
- To create or edit route domain scrubber definitions, click Route Domains.
  - To create a new route domain scrubber definition, click Create. Then edit the definition to add details, such as the route domain.
  - To edit a route domain scrubber definition, click the pencil icon in the definition row.
  - To delete a route domain scrubber definition, right click in the definition row and select Delete Row.
- When creating or editing a route domain scrubber definition, specify the route domain scrubber definition settings.
  - In the Name column, type the optional name of the route domain definition.
  - In the Route Domain column, select the route domain to use. You cannot change the route domain once the scrubber definition is created and saved.
  - In the VLANs column, select any VLANs that should be excluded.
  - In the Scrubbing Threshold column, in the top field, select the type of value: Absolute or Percentage.
  - In the Scrubbing Threshold column, in the bottom field, specify that the value is Infinite, or select Specify and type a numeric value in Mbps in the provided field.
  - In the Advertisement Method column, specify the method for this route domain: BGP, Silverline, or None.
  - In the Scrubber Details column, use the Type setting to specify how to advertise. Your selection determines what other settings are available.
    - To advertise all scrubbed IP addresses to a BGP router, select Advertise All. The IPv4 and IPv6 settings are displayed. Type the IP address of the BGP router in the appropriate field for the IP address.
    - To advertise specific prefixes to a BGP router or to Silverline, select Prefix Specific Advertisement. The IP Address and BGP Scrubber Destination settings are displayed.
      - In the IP Address field, type the IP address and prefix to be scrubbed, in CIDR notation.
      - In the BGP Scrubber Destination field, type the IP address of the scrubber if the Advertisement Method is set to BGP or BGP Flowspec. This field is only used when the Advertisement Method is set to BGP.
      - Click Add to add the entry to the list.
Scrubber profiles imported from a BIG-IP device might contain the following as IP address values: any, any6, 0.0.0.0, or :: in the route domain scrubber details when Prefix Specific Advertisement is selected. These values are not supported on the BIG-IQ Centralized Management system and will cause differences when importing or deploying configurations. You can remove these differences by changing these values to values that BIG-IQ Centralized Management supports. For example, you can replace any and any6 on the BIG-IP device with a blank value on the BIG-IQ Centralized Management system, since all indicate that any IP address is valid for that field.
- To create or edit virtual server scrubber definitions, click Virtual Servers.
  - To create a new virtual server scrubber definition, click Create. Then edit the definition to add details, such as the virtual server.
  - To edit a virtual server scrubber definition, click the pencil icon in the definition row.
  - To delete a virtual server scrubber definition, right click in the definition row and select Delete Row.
- Specify the virtual server scrubber definition settings.
  - In the Name column, type the optional name of the virtual server definition.
  - In the Virtual Server column, select the virtual server to use. You cannot change the virtual server once the scrubber definition is created and saved.
  - In the Scrubbing Threshold column, in the top list, select the type of value: Absolute or Percentage.
  - In the Scrubbing Threshold column, from the bottom list, specify the value. The available value depends on what was chosen in the upper list.
    - To have no threshold when Absolute is selected in the top list, select Infinite.
    - To have an absolute threshold when Absolute is selected in the top list, select Specify and type a maximum numeric value in Mbps in the provided field.
    - To have a percentage threshold when Percentage is selected in the top list, type a whole number value from 1 to 100 that specifies the percentage of the maximum bandwidth in the provided field.
  - In the Advertisement Method column, select the method for this virtual server.
  - In the Scrubber Details column, type the IP address of the scrubber. This value is only used when the Advertisement Method is set to BGP.
- To create or edit blacklist category scrubber definitions, click Categories.
  - To create a new blacklist category scrubber definition, click Create. Then edit the definition to add details, such as the advertisement method.
  - To edit a blacklist category scrubber definition, click the pencil icon in the definition row.
  - To delete a blacklist category scrubber definition, right click in the definition row and select Delete Row.
- When creating or editing a blacklist category scrubber definition, specify the blacklist category scrubber definition settings.
  - In the Name column, type the optional name of the blacklist category scrubber definition.
  - In the Blacklist Category column, select the category to use. In most cases, you will want to select attacked_ips. This is a category created for IP addresses that are under attack. You cannot change the blacklist category once the scrubber definition is created and saved.
  - In the Route Domain column, select the route domain to use.
  - In the Advertisement Method column, select the method for this blacklist category scrubber definition.
  - In the Scrubber Details column, if you selected BGP as the advertisement method, type the destination IP address in the IPv4 or IPv6 setting, whichever is appropriate. If you selected another advertisement method, you do not supply any scrubber details.
- Save your work.
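
The following is an added example, not part of the F5 manual or any F5 tooling: a pre-import check for the Prefix Specific Advertisement entries of a route domain scrubber definition. It replaces the unsupported any, any6, 0.0.0.0 and :: values with a blank, checks CIDR notation, and flags a BGP Scrubber Destination that will not be used. The dictionary layout and the keys method, entries, ip_address and bgp_destination are assumptions made for illustration, not a BIG-IQ or BIG-IP export format.

```python
import ipaddress

# Values an imported BIG-IP profile may carry that BIG-IQ does not support.
UNSUPPORTED_ANY = {"any", "any6", "0.0.0.0", "::"}

def check_prefix(value):
    """Return (value_to_use, finding); finding is None when the value is fine."""
    v = value.strip()
    if v.lower() in UNSUPPORTED_ANY:
        return "", f"{v!r} is unsupported on BIG-IQ; replaced with blank"
    if v == "":
        return "", None  # blank already means any IP address
    try:
        if "/" not in v:
            raise ValueError("missing prefix length")
        ipaddress.ip_network(v, strict=False)
    except ValueError as exc:
        return v, f"{v!r} is not CIDR notation ({exc})"
    return v, None

def review_definition(defn):
    """Check one route domain scrubber definition (hypothetical dict layout)."""
    findings = []
    cleaned = dict(defn, entries=[])
    for entry in defn["entries"]:
        ip, finding = check_prefix(entry["ip_address"])
        if finding:
            findings.append(finding)
        dest = entry.get("bgp_destination", "").strip()
        if dest:
            try:
                ipaddress.ip_address(dest)
            except ValueError:
                findings.append(f"destination {dest!r} is not an IP address")
            if defn["method"] != "BGP":
                findings.append(f"destination {dest!r} is unused with {defn['method']}")
        cleaned["entries"].append({"ip_address": ip, "bgp_destination": dest})
    return cleaned, findings

# Constructed sample, not exported from a real device.
SAMPLE = {"method": "Silverline", "entries": [
    {"ip_address": "any", "bgp_destination": ""},
    {"ip_address": "192.0.2.0/24", "bgp_destination": "198.51.100.7"},
    {"ip_address": "203.0.113.9", "bgp_destination": ""},
]}

if __name__ == "__main__":
    for line in review_definition(SAMPLE)[1]:
        print(line)
```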