06-18-2018 06:46 AM
Hi community,
I have two questions regarding the ISE CLI commands synflood-limit and rate-limit:
Cheers!
06-18-2018 09:33 PM
Such settings could impact authentication TPS, especially EAP-TLS. Please use them with caution.
The command synflood-limit takes only a numeric value as the argument, so it applies to all TCP attempts. A similar command, "conn-limit", takes IP and port arguments, so it gives us more choices if we are to implement SYN flood protection on TCP connections. The other command, "rate-limit", also takes IP and port arguments, but it applies to all TCP/UDP/ICMP.
10-24-2019 10:04 AM
Hello, hslai
I would like to know if you know what the recommended rate is for configuring the command "rate-limit" for TCP/UDP/ICMP. Right now I'm hardening an ISE deployment, and I've been following this guide https://community.cisco.com/t5/security-documents/ise-security-best-practices-hardening/ta-p/3640651 but I don't know what value the rate limit has to take.
Thank you so much in advance.