We have a security scanning tool that has overloaded the ACE during its scans due to the high number of connections it creates towards the servers.
I would like to configure the ACE so that it can protect itself from DoS attacks; specifically, I want the ACE to be able to limit the rate of incoming connections.
I came across the feature "Configuring Rate Limits for a Policy Map", in here: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/tcpipnrm.html#wp1125308
But I am not sure how the policy map is applied. Is the configured limit-rate applied per server farm/VIP, or per interface? Should I configure the rate-limit class map under the load balance policy, or under a separate policy?
I found the below statement in here: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/command/reference/parammap.html#wp1195366
"The ACE applies these rate limits to each class map that you associate with the policy at the virtual server level."
What does the above statement mean?
Try the following:
host1/Admin(config)# parameter-map type connection RATE-LIMIT-TAC
host1/Admin(config-parammap-conn)# rate-limit connection 100000
policy-map multi-match client-vips
  loadbalance vip inservice
  loadbalance policy slb
  nat dynamic 5 vlan 50
  connection advanced-options RATE-LIMIT-TAC >>>> apply it here!
Mark it if it was useful.
According to the document, the parameter map is applied to a Virtual Server through the command
But what I actually want to achieve is to make the box protect itself, and not the servers/virtual servers. This is because the security scanning tool overloads the ACE itself, making it unavailable and causing an outage for all server farms.
What I am looking for is a global command that applies to the ACE, that will limit the overall connections coming into the server, without specifying a virtual server/real server.
You can also try this:
To limit the maximum number of ACE connections, create a resource class and then use the following commands:
•Through-the-ACE connections—limit-resource conc-connections
•To-the-ACE connections—limit-resource mgmt-connections
Make sure that you assign the current context to the resource class.
For details on security features on the ACE I would also suggest going through the below link:
Let me know if that helps.
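As an added illustration (not posted by anyone in this thread), the two approaches from the replies side by side in ACE CLI: the parameter-map rate limit, which only takes effect for the class map it is attached to inside the multi-match policy (hence "at the virtual server level"), and the resource class, which caps the share of the whole box a context may consume no matter which VIP the traffic hits. The names RATE-LIMIT-TAC, VIP-WEB, client-vips, RC-SCAN-LIMIT and CTX-WEB, the address 10.0.0.10, VLAN 50 and all numeric values are assumptions chosen for the example; the limit-resource percentages are relative to the ACE's total capacity, so size them to your own deployment.

```cisco
! Added example, not from the original thread. Names and values are assumptions.
!
! 1. Per-VIP connection rate limit. The parameter map does nothing by itself;
!    it applies only to the class (virtual server) it is attached to.
parameter-map type connection RATE-LIMIT-TAC
  rate-limit connection 1000
!
class-map match-all VIP-WEB
  match virtual-address 10.0.0.10 tcp eq 80
!
policy-map multi-match client-vips
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy slb
    nat dynamic 5 vlan 50
    connection advanced-options RATE-LIMIT-TAC
!
! 2. Box-wide cap via a resource class. "maximum equal-to-min" turns the
!    guaranteed minimum into a hard ceiling for the member context.
resource-class RC-SCAN-LIMIT
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource conc-connections minimum 20.00 maximum equal-to-min
  limit-resource rate conn-per-second minimum 20.00 maximum equal-to-min
  limit-resource mgmt-connections minimum 5.00 maximum equal-to-min
!
! The cap only bites once the context is a member of the class
! (CTX-WEB is an assumed user context).
context CTX-WEB
  allocate-interface vlan 50
  member RC-SCAN-LIMIT
```

After applying, run a scan and watch `show resource usage` in the Admin context: the denied counters for conc-connections and conn-per-second should climb while the ACE itself stays responsive, which is the behaviour the original poster is after. Note that the per-VIP limit in part 1 still leaves the box exposed to connections that match no class, so for self-protection the resource class in part 2 is the relevant piece.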