Cisco Secure DDoS Edge Protection
Prerequisites for installing DDoS edge protection
Restrictions of DDoS edge protection
Install and configure DDoS edge protection
Verify DDoS edge protection application configuration

Cisco Secure DDoS Edge Protection

Distributed denial of service (DDoS) edge protection stops DDoS attacks at the network entry point.

Table 1. Feature History Table
Feature Name	Release Information	Description
Cisco Secure DDoS Edge Protection	Release 25.4.1	Introduced in this release on: Fixed Systems (8010 [ASIC: A100])(select variants only) This feature is supported on the Cisco 8011-32Y8L2H2FH routers.
Cisco Secure DDoS Edge Protection	Release 25.2.1	Introduced in this release on: Fixed Systems (8200 [ASIC: Q200, P100], 8700 [ASIC: P100, K100], 8010 [ASIC: A100]) (select variants only); Centralized Systems (8600 [ASIC: Q200]); Modular Systems (8800 [LC ASIC: Q100, Q200, P100]) (select variants only) You can now enable the router to detect DDoS attacks targeting MPLS traffic using DDoS edge protection. The router analyzes MPLS flows to identify malicious traffic patterns, ensuring the availability and performance of services traversing MPLS networks.
Cisco Secure DDoS Edge Protection	Release 25.1.1	Introduced in this release on: Fixed Systems (8700 [ASIC: K100], 8010 [ASIC: A100])(select variants only) This feature is supported on: 8712-MOD-M 8011-4G24Y4H-I
Cisco Secure DDoS Edge Protection	Release 24.4.1	Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100])(select variants only); Modular Systems (8800 [LC ASIC: P100])(select variants only) *This feature is supported on: 8212-48FH-M 8711-32FH-M 88-LC1-36EH 88-LC1-12TH24FH-E 88-LC1-52Y8H-EM
Cisco Secure DDoS Edge Protection	Release 24.1.1	You can now efficiently block malicious traffic, safeguarding your network's performance and availability. This is achieved as we have implemented protection against distributed denial-of-service (DDoS) attacks at the network edge, strategically deployed at the ingress point where external network traffic enters. A centralized controller manages DDoS mitigation capabilities using information from a collection of detectors deployed on the routers. These detectors analyze IPv4 and IPv6 traffic in real-time to identify DDoS attacks. Upon detection, the controller enforces deny ACLs to block malicious traffic while allowing legitimate traffic. This local inspection enhances visibility, speeds up response times, and optimizes the network without the need for additional hardware or attack traffic redirection.

The Cisco secure DDoS edge protection software actively halts DDoS attacks at the network entry point, enabling immediate response to threats. Positioned at the network edge, it identifies and counteracts DDoS threats directly on the router. This strategy minimizes network and application impact without affecting core bandwidth by avoiding backhaul of malicious traffic.

Components of Cisco secure DDoS edge protection

The Cisco secure DDoS edge protection consists of these components:

A highly available centralized controller that manages a collection of detectors deployed on routers. The controller can be cloud-based or on-premises. Key functions of the controller include
- managing the container lifecycle for detectors
- configuring and editing detector profiles and security settings
- checking detector health, displaying real-time attack forensics and threat intelligence analyses
- controlling DDoS attack mitigation at the network ingress point
- providing real-time and historical event reporting, and
- operational control and incident response.
A collection of detectors that are deployed on edge or peering routers. The detector is a resource-efficient application container for real-time DDoS detection deployed on routers and managed by the centralized controller.

It analyzes IPv4 and IPv6 traffic on each ingress interface to identify DDoS attacks as they occur.

Starting from Cisco IOS XR Release 25.2.1, MPLS traffic is analyzed using the extracted information from the IPv4 and IPv6 payload to detect accurate DDoS attacks.

Upon detecting a DDoS attack, the centralized controller promptly begins mitigation. The mitigation includes enforcing a deny ACL to block the attack traffic while still allowing legitimate traffic to pass through.

Benefits of Cisco secure DDoS edge protection

Cisco secure DDoS edge protection have the following benefits:

Stops DDoS attacks at the network ingress
Requires no additional hardware or facilities such as power, rack space, and cooling
Requires no changes to the architecture
Avoids the need to overprovision network facilities such as links and routers to account for attack traffic
Prevents backhauling of malicious traffic
Minimizes network outages and optimizes the end-user experience, and
Meets low-latency application requirements.

Prerequisites for installing DDoS edge protection

Configure the management interface to reach the DDoS controller IP address.
Manually configure the base ACL, NetFlow, and SSH configurations.

Restrictions of DDoS edge protection

The DDoS edge protection does not support tunnel traffic.
The system supports only the default VRF configuration, and it applies solely to the management port. For effective communication between the Docker and the controller, you must configure the management port to operate within the default VRF exclusively. This setup guarantees that the Docker can reliably interact with the controller without any network interruptions.
The version protobuf of flow exporter-map is only supported for Monitor Map configured with record mpls ipv4-ipv6-fields.

Install and configure DDoS edge protection

You can install the DDoS edge protection application through the DDoS edge protection controller. Perform the following:

Install and download the DDoS edge protection controller software package from the Software Download page. You can access the user interface, when the controller installation is complete.

Log in to the controller services instance to monitor, manage, and control the device.

Configure a Loopback on the router.

Router(config)#interface Loopback100
Router(config-if)# ipv4 address 15.1.1.2 255.255.255.255
Router(config-if)# exit
Router(config)#interface Loopback101
Router(config-if)# ipv4 address 17.1.1.2 255.255.255.255
Router(config-if)#commit

Configure an ACL on the router.

Router(config)#ipv4 access-list myACL
Router(config-ipv4-acl)# 1301 permit ipv4 any any
Router(config-ipv4-acl)# exit
Router(config)#ipv6 access-list myACL
Router(config-ipv6-acl)# 1301 permit ipv6 any any
Router(config-ipv6-acl)#exit
Router(config)#commit

For more information on implementing access lists and prefix lists, see Understanding Access-List.

If there is any DDoS attack, the controller performs the mitigation action using the ACL rule automatically.

The following is a sample configuration to deny DDoS attacker traffic using user defined ACE rule:

1 deny udp any eq 19 host 45.0.0.1 eq 0 packet-length eq 128 ttl eq 64
2 deny tcp any host 45.0.0.1 eq www match-all -established -fin -psh +syn -urg packet-length eq 60 ttl eq 64
1301 permit ipv4 any any

Result: Configuration updates are sent by the controller to the router.

Configure SSH on the router.

Router(config)#ssh server v2
Router(config)#ssh server netconf
Router(config)#netconf agent tty
Router(config-netconf-tty)#netconf-yang agent ssh
Router(config)#ssh timeout 120
Router(config)#ssh server rate-limit 600
Router(config)#ssh server session-limit 110
Router(config)#ssh server v2
Router(config)#ssh server vrf default
Router(config)#ssh server netconf vrf default
Router(config)#commit

Execute the ping command on the router and check the router connection to the DDoS controller.


Router#ping 10.105.237.54
Thu Jun  1 07:16:43.654 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.105.237.54 timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
RP/0/RP0/CPU0:Router#bash
Thu Jun  1 07:16:53.024 UTC
[Router:~]$ping 10.105.237.54
PING 10.105.237.54 (10.105.237.54) 56(84) bytes of data.
64 bytes from 10.105.237.54: icmp_seq=1 ttl=63 time=1.73 ms
64 bytes from 10.105.237.54: icmp_seq=2 ttl=63 time=1.29 ms
64 bytes from 10.105.237.54: icmp_seq=3 ttl=63 time=1.27 ms
64 bytes from 10.105.237.54: icmp_seq=4 ttl=63 time=1.75 ms
^C
--- 10.105.237.54 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 1.270/1.510/1.751/0.230 ms
[Router:~]$

Enter the details of the device into the DDoS edge protection controller panel and verify that the Deployment, Container, and Configuration indicators all display green.

For more information on installing the DDoS controller, see the Cisco Secure DDoS Edge Protection Installation guide.

The controller automatically performs the following netflow configuration on the router:

//Configuring Monitor Map
Router(config)#flow monitor-map DetectPro_Monitor_IPV6
Router(config-fmm)# record ipv6 extended
Router(config-fmm))#exporter DetectPro_GPB
Router(config-fmm)# cache entries 1000000
Router(config-fmm)#cache entries active 1
Router(config-fmm)#cache entries inactive 1
Router(config-fmm)#cache timeout inactive 1
Router(config-fmm)#cache timeout rate-limit 1000000
Router(config-fmm)#exit
Router(config)#flow monitor-map DetectPro_Monitor_IPV4
Router(config-fmm)# record ipv4 extended
Router(config-fmm)#exporter DetectPro_GPB
Router(config-fmm)# cache entries 1000000
Router(config-fmm)#cache entries active 1
Router(config-fmm)#cache entries inactive 1
Router(config-fmm)#cache timeout inactive 1
Router(config-fmm)#cache timeout rate-limit 1000000
Router(config-fmm)#exit
//Configuring Monitor Map MPLS
Router(config)#flow monitor-map mon_mpls_ipv4_ipv6
Router(config-fmm)#record mpls ipv4-ipv6-fields
Router(config-fmm)#exporter DetectPro_MPLS
Router(config-fmm)#cache entries 1000000
Router(config-fmm)#cache timeout active 1
Router(config-fmm)#cache timeout inactive 1
Router(config-fmm)#cache timeout rate-limit 1000000
Router(config-fmm)#exit
//Configuring Exporter Map
Router(config)#flow exporter-map DetectPro_GPB    
Router(config-fem)#version protobuf
Router(config-fem)#transport udp 5005
Router(config-fem)#source TenGigE0/0/0/16
Router(config-fem)#destination 15.1.1.2
Router(config-fem)#exit
//Configuring Exporter Map MPLS
Router(config)#flow exporter-map DetectPro_MPLS    
Router(config-fem)#version protobuf
Router(config-fem)#transport udp 5005
Router(config-fem)#source loopback101
Router(config-fem)#destination 15.1.1.2
Router(config-fem)#exit
//Configuring Sampler Map
Router(config)#sampler-map DetectPro_NFv9
Router(config-sm)#random 1 out-of 100
!
//Configuring Sampler Map samp_MPLS
Router(config-sm)#random 1 out-of 100
!
//Configuring Interface MPLS
Router(config)#interface TenGigE0/0/0/8
Router(config-if)#ipv4 address 7.7.1.1 255.255.0.0
Router(config-if)#flow mpls monitor mon_mpls_ipv4_ipv6 sampler samp_mpls ingress
!

For more information on the DDoS edge protection, see Cisco Secure DDoS Edge Protection Data Sheet.

Verify DDoS edge protection application configuration

To ensure the DDoS controller has applied the configuration to the device, check the active configuration on the router.

Execute the show running-config appmgr command on the router to verify the appmgr configuration.

RP/0/RP0/CPU0:Router#show running-config appmgr
Thu Jun  1 07:33:36.741 UTC
appmgr
 application esentryd
  activate type docker source esentryd-cisco-20230431633 docker-run-opts "--env-file /harddisk:/ENV_6478443711ac6830700d1aeb --net=host"
 !
!

Execute the show flow monitor command on the router to check the monitor map that is automatically created.

Router#show flow monitor DetectPro_Monitor_IPV4 cache location 0/0/CPU0 
Cache summary for Flow Monitor DetectPro_Monitor_IPV4:
Cache size:                        1000000
Current entries:                         0
Flows added:                    2243884200
Flows not added:                         0
Ager Polls:                     2243884200
  - Active timeout                       0
  - Inactive timeout                     0
  - Immediate                            0
  - TCP FIN flag                         0
  - Emergency aged                       0
  - Counter wrap aged                    0
  - Total                       2243884200
Periodic export:
  - Counter wrap                         0
  - TCP FIN flag                         0
Flows exported                  2243884200


Matching entries:                        0
!

Router#show flow monitor DetectPro_Monitor_IPV6 cache location 0/0/CPU0
Cache summary for Flow Monitor DetectPro_Monitor_IPV6:
Cache size:                        1000000
Current entries:                         0
Flows added:                         59971
Flows not added:                         0
Ager Polls:                          94437
  - Active timeout                   59971
  - Inactive timeout                     0
  - Immediate                            0
  - TCP FIN flag                         0
  - Emergency aged                       0
  - Counter wrap aged                    0
  - Total                            59971
Periodic export:
  - Counter wrap                         0
  - TCP FIN flag                         0
Flows exported                       59971


Matching entries:                        0

Router#show flow monitor mon_mpls_ipv4_ipv6 cache format record location 0/RP0/CPU0 
Cache summary for Flow Monitor mon_mpls_ipv4_ipv6:
Cache size:                        1000000
Current entries:                         0
Flows added:                           963
Flows not added:                         0
Ager Polls:                             83
  - Active timeout                     963
  - Inactive timeout                     0
  - Immediate                            0
  - TCP FIN flag                         0
  - Emergency aged                       0
  - Counter wrap aged                    0
  - Total                              963
Periodic export:
  - Counter wrap                         0
  - TCP FIN flag                         0
Flows exported                         963
!

Execute the show flow exporter command on the router to check the exporter map that is automatically created.

RP/0/RP0/CPU0:Router#show  flow exporter
exporter  exporter-map
RP/0/RP0/CPU0:tortin#show  flow exporter DetectPro_GPB location 0/0/CPU0
Thu Nov 16 06:13:58.059 UTC
Flow Exporter: DetectPro_GPB
Export Protocol: protobuf
Flow Exporter memory usage: 5265344
Used by flow monitors: DetectPro_Monitor_IPV4
                       DetectPro_Monitor_IPV6

Status: Disabled
Transport:   UDP
Destination: 15.1.1.2        (5005) VRF default
Source:      0.0.0.0         (54482)
Flows exported:                                   0 (0 bytes)
Flows dropped:                                    0 (0 bytes)

Templates exported:                               0 (0 bytes)
Templates dropped:                                0 (0 bytes)

Option data exported:                             0 (0 bytes)
Option data dropped:                              0 (0 bytes)

Option templates exported:                        0 (0 bytes)
Option templates dropped:                         0 (0 bytes)

Packets exported:                          20355756 (27716506821 bytes)
Packets dropped:                                  0 (0 bytes)

Total export over last interval of:
  1 hour:                                        12 pkts
                                               1879 bytes
                                                 12 flows
  1 minute:                                       0 pkts
                                                  0 bytes
                                                  0 flows
  1 second:                                       0 pkts
                                                  0 bytes
                                                  0 flows

Router#show  flow exporter
exporter  exporter-map
Router#show  flow exporter exp_mpls_ipv4_ipv6 location 0/RP0/CPU0
Flow Exporter: exp_mpls_ipv4_ipv6
Export Protocol: protobuf
Flow Exporter memory usage: 5265480
Used by flow monitors: mon_mpls_ipv4_ipv6

Status: Normal
Transport:   UDP
Destination: 15.1.1.2        (5005) VRF default
Source:      17.1.1.1        (54341)
Flows exported:                                  963(159519 bytes)
Flows dropped:                                    0 (0 bytes)

Templates exported:                               0 (0 bytes)
Templates dropped:                                0 (0 bytes)

Option data exported:                             0 (0 bytes)
Option data dropped:                              0 (0 bytes)

Option templates exported:                        0 (0 bytes)
Option templates dropped:                         0 (0 bytes)

Packets exported:                               122 (159519 bytes)
Packets dropped:                                  0 (0 bytes)

Total export over last interval of:
  1 hour:                                        92 pkts
                                             119950 bytes
                                                727 flows
  1 minute:                                     122 pkts
                                             159519 bytes
                                                963 flows
  1 second:                                       0 pkts
                                                  0 bytes
                                                  0 flows

Execute the show appmgr application-table command on the router to check the status of docker application.

RP/0/RP0/CPU0:Router#show appmgr application-table
Thu Nov 16 06:13:58.059 UTC
Name     Type   Config State Status
-------- ------ ------------ --------------------------------------------------
esentryd Docker  Activated   Up 8 minutes
RP/0/RP0/CPU0:Router#

Application Hosting Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Releases

Bias-Free Language

Book Title

Application Hosting Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Releases

Chapter Title