06-18-2018 06:46 AM
Hi community,
I have two questions regarding the ISE CLI commands synflood-limit and rate-limit:
Cheers!
06-18-2018 09:33 PM
Such settings could impact authentication TPS, especially EAP-TLS. Please use them with caution.
The command synflood-limit takes only a numeric value as the argument so it applies to all TCP attempts. A similar command "conn-limit" takes IP and port arguments so it gives us more choices if we are to implement SYN flood protection on TCP connections. The other command "rate-limit" also takes IP and port arguments but it applies to all TCP/UDP/ICMP.
10-24-2019 10:04 AM
Hello, hslai
I would like to know if you know what the recommended rate is to configure with the command "rate-limit" for TCP/UDP/ICMP. Right now I'm hardening an ISE deployment, and I've been following this guide https://community.cisco.com/t5/security-documents/ise-security-best-practices-hardening/ta-p/3640651 but I don't know what value the rate limit has to take.
Thank you so much in advance.