10-09-2013 09:22 AM
We have a security scanning tool that has overloaded the ACE during its scans due to the high number of connections it creates towards the servers.
I would like to configure the ACE so that it can protect itself from DoS attacks; specifically, I want the ACE to be able to limit the rate of incoming connections.
I came across the feature "Configuring Rate Limits for a Policy Map", in here: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/tcpipnrm.html#wp1125308
But I am not sure how the policy map is applied. Is the configured limit-rate applied per server farm/VIP, or per interface? Should I configure the rate-limit class-map under the load balance policy, or under a separate policy?
I found the below statement in here: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/command/reference/parammap.html#wp1195366
"The ACE applies these rate limits to each class map that you associate with the policy at the virtual server level."
What does the above statement mean?
10-10-2013 01:58 PM
Hi,
Try the following:
host1/Admin(config)# parameter-map type connection RATE-LIMIT-TAC
host1/Admin(config-parammap-conn)# rate-limit connection 100000

policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    nat dynamic 5 vlan 50
    connection advanced-options RATE-LIMIT-TAC   >>>> apply it here!
Jorge
Mark it if it was useful
10-20-2013 03:19 AM
Thank you.
According to the document, the parameter map is applied to a Virtual Server through the command
connection advanced-options
But what I actually want to achieve is to make the box protect itself, and not the servers/virtual servers. This is because the security scanning tool overloads the ACE itself, making it unavailable and causing an outage for all server farms.
What I am looking for is a global command that applies to the ACE, that will limit the overall connections coming into the server, without specifying a virtual server/real server.
10-20-2013 05:06 AM
Hi,
You can also try this:
To limit the maximum number of ACE connections, create a resource class and then use the following commands:
• Through-the-ACE connections — limit-resource conc-connections
• To-the-ACE connections — limit-resource mgmt-connections
Make sure that you assign the current context to the resource class.
For details on security features on ACE I would also suggest going through the below link:
Let me know if that helps.
Regards,
Kanwal
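As an added illustration of the resource-class approach described in the answer above (this is example configuration written for this thread, not configuration posted by Kanwal or taken from Cisco documentation), the fragment below creates a resource class that caps both through-the-ACE and to-the-ACE connections and assigns the Admin context to it. The class name SCAN-GUARD and the 10.00 minimum values are assumed placeholders; the minimums are expressed as a percentage of the appliance's total capacity and must be sized for the real traffic profile, and the `limit-resource rate connections` line is an assumption that the same resource-class syntax also accepts a connections-per-second limit, which is the closest global equivalent to the per-VIP `rate-limit connection` parameter map from the first reply.

```text
! Added example (not from the thread): cap connections at the context level
! so a scanner cannot exhaust the appliance itself, independent of any VIP.
resource-class SCAN-GUARD
  ! Through-the-ACE (load-balanced) concurrent connections, as a percentage
  ! of the appliance total; 10.00 is an assumed placeholder value.
  limit-resource conc-connections minimum 10.00 maximum equal-to-min
  ! To-the-ACE (management: SSH/HTTPS/SNMP) concurrent connections.
  limit-resource mgmt-connections minimum 10.00 maximum equal-to-min
  ! Assumed: connection-rate limit (new connections per second) for the context.
  limit-resource rate connections minimum 10.00 maximum equal-to-min

! The limits only take effect once the context is a member of the class.
context Admin
  member SCAN-GUARD
```

After applying it, `show resource usage` (run from the context) shows the allocated minimum/maximum per resource and the current and peak usage, so the next scan can be checked against the limit rather than waiting for an outage; if the scanner is the only offender, the limit should be confirmed to leave enough headroom for legitimate client connections on the same context.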