Welcome to Cisco Firewalls Community


How Does MPF Class 'conn-max' Work Using an Access-list



Setting up some MPF protections for some of our Internet services. I am using MPF to create a class to match traffic out of an ACL, and then am applying some connection limits and parameters on the traffic specified in said ACL. See the relevant configuration:


class-map webserver-protect-class
 description Webserver Protection Class used to protect Webservers from DOS attacks
 match access-list webserver-protection

policy-map traffic-control-policy
 description Policy to control and protect Internet Services
 class webserver-protect-class
  set connection conn-max 300 embryonic-conn-max 20

access-list webserver-protection extended permit tcp any object-group web-servers-int object-group web


So the ACL just lists a group of destination hosts and services using object-groups. What I am trying to determine is, with the above MPF configuration, are the conn-max limits I am imposing going to be set for each host listed in the ACL, or are the limits the total limits for all hosts in the ACL? So for example if I match,, for WWW connections in the ACL, and impose a 300 conn-max in the MPF policy, does the conn-max apply to,, and for WWW traffic individually such that each host has a conn-max of 300, or is the 300 conn-max setting a 300 connection total for all of the hosts such that only 300 connections in total are allowed across them? In other words, only 300 connections are allowed between as a total. I think it's the former, but when I run the command sh service-policy interface OUTSIDE, it seems to show a total in the output, so I want to clarify:


Class-map: webserver-protect-class
  Set connection policy: conn-max 300 embryonic-conn-max 20
    current conns 84, drop 0


In the output, is it showing a total of all the hosts in the ACL and the number of connections that are open amongst all of them? Hopefully what I am asking makes sense. Thanks in advance for any help here.



Re: How Does MPF Class 'conn-max' Work Using an Access-list

Any ideas on this NetPros?


Re: How Does MPF Class 'conn-max' Work Using an Access-list

I gave up here and called TAC. It works the way I thought it did in the first scenario. Each host in the ACL can only accept the number of connections configured in the set connection part of the policy. Thanks.
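As an added illustration (not configuration or code from the thread or from Cisco), this Python model applies the per-host reading the TAC answer gives: each destination matched by the class ACL gets its own conn-max / embryonic-conn-max budget, while the counter that 'show service-policy' displays is the aggregate across all hosts in the class. The host addresses are constructed placeholders for the web-servers-int object-group, and counting half-open connections against conn-max is a modelling assumption.

```python
from collections import Counter

# Constructed model of the per-host semantics the thread settles on; not ASA code.
CONN_MAX = 300             # from 'set connection conn-max 300 ...' in the thread
EMBRYONIC_CONN_MAX = 20    # from '... embryonic-conn-max 20'
# Placeholder addresses standing in for the web-servers-int object-group.
WEB_SERVERS = ("198.51.100.10", "198.51.100.11", "198.51.100.12")

class ConnLimitClass:
    """Per-destination conn-max / embryonic-conn-max bookkeeping for one MPF class."""
    def __init__(self, hosts, conn_max, embryonic_max):
        self.hosts = set(hosts)
        self.conn_max, self.embryonic_max = conn_max, embryonic_max
        self.established = Counter()  # dst host -> completed connections
        self.embryonic = Counter()    # dst host -> half-open (SYN seen, no final ACK yet)
        self.drops = 0

    def syn(self, dst):
        """New SYN toward dst: admitted only while that one host has headroom."""
        if dst not in self.hosts:
            return "no-match"  # not matched by the class access-list
        in_use = self.established[dst] + self.embryonic[dst]  # assumption: half-open counts
        if in_use >= self.conn_max or self.embryonic[dst] >= self.embryonic_max:
            self.drops += 1
            return "drop"
        self.embryonic[dst] += 1
        return "embryonic"

    def handshake_done(self, dst):
        """Three-way handshake completed: one half-open conn becomes established."""
        if self.embryonic[dst]:
            self.embryonic[dst] -= 1
            self.established[dst] += 1

    def current_conns(self):
        """The aggregate that 'show service-policy' reports for the whole class."""
        return sum(self.established.values()) + sum(self.embryonic.values())

def demo():
    """Fill one host to conn-max: the class total passes 300, yet other hosts still accept."""
    c = ConnLimitClass(WEB_SERVERS, CONN_MAX, EMBRYONIC_CONN_MAX)
    for _ in range(CONN_MAX):               # 300 completed connections to the first host
        c.syn(WEB_SERVERS[0])
        c.handshake_done(WEB_SERVERS[0])
    first_full = c.syn(WEB_SERVERS[0])      # the 301st SYN to that host is dropped
    other_ok = c.syn(WEB_SERVERS[1])        # a second host in the ACL is unaffected
    return first_full, other_ok, c.current_conns(), c.drops

if __name__ == "__main__":
    print(demo())  # ('drop', 'embryonic', 301, 1)
```

The aggregate 'current conns' in the model exceeds the per-host limit exactly as the poster observed in the real show output, which is consistent with the limit being enforced per host rather than per class.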
