How Does MPF Class 'conn-max' Work Using an Access-list

rfranzke
Level 1

All,
Setting up some MPF protections for some of our Internet services. I am using MPF to create a class to match traffic out of an ACL, and then am applying some connection limits and parameters on the traffic specified in said ACL. See the relevant configuration:

class-map webserver-protect-class
 description Webserver Protection Class used to protect Webservers from DOS attacks
 match access-list webserver-protection

policy-map traffic-control-policy
 description Policy to control and protect Internet Services
 class webserver-protect-class
  set connection conn-max 300 embryonic-conn-max 20

access-list webserver-protection extended permit tcp any object-group web-servers-int object-group web

So the ACL just lists a group of destination hosts and services using object-groups. What I am trying to determine is, with the above MPF configuration, are the conn-max limits I am imposing going to be set for each host listed in the ACL, or are the limits the total limits for all hosts in the ACL? So for example, if I match 10.10.10.5, 10.10.10.6, 10.10.10.7 for WWW connections in the ACL, and impose a 300 conn-max in the MPF policy, does the conn-max apply to 10.10.10.5, 10.10.10.6, and 10.10.10.7 for WWW traffic individually, such that each host has a conn-max of 300, or is the 300 conn-max setting a 300 connection total for all of the 10.10.10.5-7 hosts, such that only 300 connections across 10.10.10.5-7 as a total are allowed? In other words, only 300 connections are allowed between 10.10.10.5-7 as a total. I think it's the former, but when I run the command sh service-policy interface OUTSIDE, it seems to show a total in the output, so I want to clarify:

Class-map: webserver-protect-class
  Set connection policy: conn-max 300 embryonic-conn-max 20
    current conns 84, drop 0

In the output, is it showing a total of all the hosts in the ACL and the number of connections that are open amongst all of them? Hopefully what I am asking makes sense. Thanks in advance for any help here.

2 Replies

rfranzke
Level 1

Any ideas on this, NetPros?

rfranzke
Level 1

I gave up here and called TAC. It works the way I thought it did in the first scenario. Each host in the ACL can only accept the number of connections configured in the set connection part of the policy. Thanks.
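The behaviour TAC confirmed above, as an added model written for this thread (not ASA code and not the poster's configuration): conn-max is enforced per host matched by the class ACL, while the counters shown by sh service-policy are aggregated for the whole class. The host and port sets are constructed stand-ins for the object-groups in the thread, and the class and function names are hypothetical.

```python
"""Model of ASA MPF 'set connection conn-max' on an ACL-matched class:
the limit applies to each matched host, but the class-level counters
('current conns', 'drop') sum over all matched hosts."""
from collections import Counter

# Constructed stand-ins for the thread's object-groups (hypothetical values)
WEB_SERVERS_INT = {"10.10.10.5", "10.10.10.6", "10.10.10.7"}
WEB_PORTS = {80, 443}


class ConnMaxClass:
    """Per-host conn-max enforcement with class-level counters (model only)."""

    def __init__(self, hosts, ports, conn_max):
        self.hosts, self.ports, self.conn_max = hosts, ports, conn_max
        self.per_host = Counter()   # open connections per matched host
        self.drops = 0              # class-level drop counter

    def matches(self, dst, dport):
        return dst in self.hosts and dport in self.ports

    def open_conn(self, dst, dport):
        """Return True if the connection is allowed, False if dropped."""
        if not self.matches(dst, dport):
            return True             # outside the class: this policy does not apply
        if self.per_host[dst] >= self.conn_max:
            self.drops += 1         # this host is at its own limit
            return False
        self.per_host[dst] += 1
        return True

    def close_conn(self, dst):
        if self.per_host[dst] > 0:
            self.per_host[dst] -= 1

    def show_service_policy(self):
        """Aggregate counters, in the shape of the thread's show output."""
        return {"current_conns": sum(self.per_host.values()), "drop": self.drops}


def demo():
    c = ConnMaxClass(WEB_SERVERS_INT, WEB_PORTS, conn_max=300)
    for _ in range(300):
        c.open_conn("10.10.10.5", 80)
    dropped = not c.open_conn("10.10.10.5", 443)  # 301st to this host: dropped
    allowed = c.open_conn("10.10.10.6", 80)       # other host: still accepted
    # Aggregate 'current conns' (301) exceeds conn-max (300) without any
    # per-host limit being violated, which is why the show output looked like a total.
    return dropped, allowed, c.show_service_policy()
```

Because the displayed counter is aggregate, only a rising drop counter tells you that some individual host has reached its conn-max.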
