How Does MPF Class 'conn-max' Work Using an Access-list

rfranzke — Fri, 21 Feb 2020 15:36:48 GMT

All,

Setting up some MPF protections for some of our Internet services. I am using MPF to create a class to match traffic out of an ACL, and then am applying some connection limits and parameters on the traffic specified in said ACL. See the relevant configuration:

class-map webserver-protect-class
description Webserver Protection Class used to protect Webservers from DOS attacks
match access-list webserver-protection

policy-map traffic-control-policy

description Policy to control and protect Internet Services

class webserver-protect-class
set connection conn-max 300 embryonic-conn-max 20

access-list webserver-protection extended permit tcp any object-group web-servers-int object-group web

So the ACL just lists a group of destination hosts and services using object-groups. What I am trying to determine is with the above MPF configuration, are the conn-max limits I am imposing going to be set for each host listed in the ACL, or are the limits the total limits for all hosts in the ACL? So for example if I match 10.10.10.5, 10.10.10.6, 10.10.10.7 for WWW connections in the ACL, and impose a 300 conn-max in the MPF policy, does the conn-max apply to 10.10.10.5, 10.10.10.6, and 10.10.10.7 for WWW traffic individually such that each host has a conn-max of 300, or is the 300 conn-max setting a 300 connection total for all of the 10.10.10.5-7 hosts such that only 300 connections across 10.10.10.5-7 as a total are allowed. In other words, only 300 connections are allowed between 10.10.10.5-7 as a total. I think its the former but when I run the command sh service-policy interface OUTSIDE, it seems to show a total in the output so I want to clarify:

Class-map: webserver-protect-class
Set connection policy: conn-max 300 embryonic-conn-max 20
current conns 84, drop 0

In the output is it showing a total of all the hosts in the ACL and the number of connections that are open amongst all of them? Hopefully this makes sense what I am asking. Thanks in advance for any help here.

Re: How Does MPF Class 'conn-max' Work Using an Access-list

rfranzke — Wed, 11 Apr 2018 14:57:53 GMT

Any ideas on this NetPros?

Re: How Does MPF Class 'conn-max' Work Using an Access-list

rfranzke — Fri, 13 Apr 2018 13:58:52 GMT

I gave up here and called TAC. It works the way I thought it did in the first scenario. Each host in the ACL can only accept the number of connections configured in the set connection part of the policy. Thanks.

topic Re: How Does MPF Class 'conn-max' Work Using an Access-list in Network Security

How Does MPF Class 'conn-max' Work Using an Access-list

Re: How Does MPF Class 'conn-max' Work Using an Access-list

Re: How Does MPF Class 'conn-max' Work Using an Access-list