on 10-09-2013 09:17 AM
We have a security scanning tool that has overloaded the ACE during its scans due to the high number of connections it creates towards the servers.
I would like to configure the ACE so that it can protect itself from DoS attacks; specifically, I want the ACE to be able to limit the rate of incoming connections.
I came across the feature "Configuring Rate Limits for a Policy Map", in here: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/tcpipnrm.html#wp1125308
But I am not sure how the policy map is applied. Is the configured limit-rate applied per server farm/VIP, or per interface? Should I configure the rate-limit class-map under the load balance policy, or under a separate policy?
I found the below statement in here: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/command/reference/parammap.html#wp1195366
"The ACE applies these rate limits to each class map that you associate with the policy at the virtual server level."
What does the above statement mean?
on 12-04-2014 11:24 AM
It means the parameter map is applied to a policy map. In the multi-match service policy, each class map has a policy map which it references. Multiple class maps could reference the same policy map. Also, each multi-match could be applied to multiple interfaces, and each interface could even have multiple service policies. All traffic that complies with a class map in a multi-match service policy that references the policy map with the rate limit is pooled and restricted by the command. You could have a policy with the parameter map for a multi-match applied on an interface, and have another policy without the parameter map for a different class map in a multi-match.
Best Regards,
Luis Ramos
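
A configuration sketch of where the rate limit attaches, added here as an example and not taken from either post: the limit lives in a connection parameter map, which is bound to a VIP class inside the multi-match policy with `connection advanced-options`, next to the load-balancing action. All names (`PM_RATE_LIMIT`, `CM_VIP_WEB`, `PM_LB_WEB`, `PM_CLIENT_VIPS`, `SF_WEB`), the VIP address, the VLAN and the rate value are assumptions; `SF_WEB` is assumed to be an existing server farm, and the `!` lines are annotations.

```cisco
! Connection parameter map carrying the limit (constructed value:
! 1000 new connections per second)
parameter-map type connection PM_RATE_LIMIT
  rate-limit connection 1000

! Layer 3/4 class map identifying the virtual server (constructed VIP)
class-map match-all CM_VIP_WEB
  2 match virtual-address 192.0.2.10 tcp eq www

! Load-balancing policy; SF_WEB is assumed to be defined elsewhere
policy-map type loadbalance first-match PM_LB_WEB
  class class-default
    serverfarm SF_WEB

! Multi-match policy: the parameter map is attached under the VIP class,
! alongside the load-balancing policy rather than inside it
policy-map multi-match PM_CLIENT_VIPS
  class CM_VIP_WEB
    loadbalance vip inservice
    loadbalance policy PM_LB_WEB
    connection advanced-options PM_RATE_LIMIT

! The multi-match policy is then applied to the client-facing interface
interface vlan 100
  service-policy input PM_CLIENT_VIPS
```

`show service-policy PM_CLIENT_VIPS detail` lists the counters for each class under the policy, which helps confirm that scanner traffic is hitting the class carrying the limit.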