10-09-2013 09:22 AM
We have a security scanning tool that has overloaded the ACE during its scans due to the high number of connections it creates towards the servers.
I would like to configure the ACE so that it can protect itself from DoS attacks, specifically I want the ACE to be able to limit the rate of incoming connections.
I came across the feature "Configuring Rate Limits for a Policy Map", in here: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/tcpipnrm.html#wp1125308
But I am not sure how the policy map is applied. Is the configured limit-rate applied per server farm/VIP? Or per interface? Should I configure the rate-limit class-map under the load balance policy, or under a separate policy?
I found the below statement in here: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/command/reference/parammap.html#wp1195366
"The ACE applies these rate limits to each class map that you associate with the policy at the virtual server level."
What does the above statement mean?
10-10-2013 01:58 PM
Hi,
Try the following:
host1/Admin(config)# parameter-map type connection RATE-LIMIT-TAC
host1/Admin(config-parammap-conn)# rate-limit connection 100000
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
nat dynamic 5 vlan 50
connection advanced-options RATE-LIMIT-TAC >>>> apply it here!
Jorge
Mark it if it was useful
10-20-2013 03:19 AM
Thank you.
According to the document, the parameter map is applied to a Virtual Server through the command
connection advanced-options
But what I actually want to achieve is to make the box protect itself, and not the servers/virtual servers. This is because the security scanning tool overloads the ACE itself, making it unavailable, and causing an outage for all server farms.
What I am looking for is a global command that applies to the ACE, that will limit the overall connections coming into the server, without specifying a virtual server/real server.
10-20-2013 05:06 AM
Hi,
You can also try this:
To limit the maximum number of ACE connections, create a resource class and then use the following commands:
• Through-the-ACE connections: limit-resource conc-connections
• To-the-ACE connections: limit-resource mgmt-connections
Make sure that you assign the current context to the resource class.
For details on security features on ACE I would also suggest going through the below link:
Let me know if that helps.
Regards,
Kanwal
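A fuller version of the resource-class approach described in the reply above, added here as an example and not taken from the thread or from Cisco documentation; the class name RC-SCAN, the context name C1 and the percentages are assumed placeholder values:

```text
! Added example (not from the thread): bound the share of the ACE's own
! connection resources that one context may consume, so a flood of scanner
! connections in that context cannot exhaust the box for every other context.
! RC-SCAN, C1 and the percentages are assumed placeholders.
host1/Admin(config)# resource-class RC-SCAN
! Through-the-ACE (data path) concurrent connections, as a percentage of the box total
host1/Admin(config-resource)# limit-resource conc-connections minimum 20.00 maximum equal-to-min
! To-the-ACE (management) connections, kept small so the box itself stays reachable
host1/Admin(config-resource)# limit-resource mgmt-connections minimum 5.00 maximum equal-to-min
host1/Admin(config-resource)# exit
! Assign the context that fronts the scanned servers to the class; a context
! left in the default class has no upper bound on these resources.
host1/Admin(config)# context C1
host1/Admin(config-context)# member RC-SCAN
```

With maximum equal-to-min the context is capped at its guaranteed share; maximum unlimited would instead let it burst into unreserved capacity, which is exactly what the scanner already consumes.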