We have a security scanning tool that has overloaded the ACE during its scans due to the high number of connections it creates towards the servers.
I would like to configure the ACE so that it can protect itself from DoS attacks; specifically, I want the ACE to be able to limit the rate of incoming connections.
I came across the feature "Configuring Rate Limits for a Policy Map", in here: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/tcpipnrm.html#wp1125308
But I am not sure how the policy map is applied. Is the configured limit-rate applied per server farm/VIP, or per interface? Should I configure the rate-limit class-map under the load balance policy, or under a separate policy?
I found the below statement in here: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/command/reference/parammap.html#wp1195366
"The ACE applies these rate limits to each class map that you associate with the policy at the virtual server level."
What does the above statement mean?