How Does MPF Class 'conn-max' Work Using an Access-list



Setting up some MPF protections for some of our Internet services. I am using MPF to create a class to match traffic out of an ACL, and then am applying some connection limits and parameters on the traffic specified in said ACL. See the relevant configuration:


class-map webserver-protect-class
 description Webserver Protection Class used to protect Webservers from DOS attacks
 match access-list webserver-protection

policy-map traffic-control-policy
 description Policy to control and protect Internet Services
 class webserver-protect-class
  set connection conn-max 300 embryonic-conn-max 20

access-list webserver-protection extended permit tcp any object-group web-servers-int object-group web


So the ACL just lists a group of destination hosts and services using object-groups. What I am trying to determine is, with the above MPF configuration, are the conn-max limits I am imposing going to be set for each host listed in the ACL, or are the limits the total limits for all hosts in the ACL? So for example if I match,, for WWW connections in the ACL, and impose a 300 conn-max in the MPF policy, does the conn-max apply to,, and for WWW traffic individually such that each host has a conn-max of 300, or is the 300 conn-max setting a 300 connection total for all of the hosts, such that only 300 connections across as a total are allowed? In other words, only 300 connections are allowed between as a total. I think it's the former, but when I run the command sh service-policy interface OUTSIDE, it seems to show a total in the output, so I want to clarify:


Class-map: webserver-protect-class
  Set connection policy: conn-max 300 embryonic-conn-max 20
    current conns 84, drop 0


In the output, is it showing a total of all the hosts in the ACL and the number of connections that are open amongst all of them? Hopefully what I am asking makes sense. Thanks in advance for any help here.



Any ideas on this NetPros?


I gave up here and called TAC. It works the way I thought it did in the first scenario. Each host in the ACL can only accept the number of connections configured in the set connection part of the policy. Thanks.
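As an added illustration (not from the thread, and not ASA code), here is a small model of the two readings discussed above: per-destination-host counters, which is what TAC confirmed, versus one shared counter for the whole class. The host addresses are constructed placeholders, and the model assumes embryonic (half-open) connections count toward conn-max as well as embryonic-conn-max.

```python
from collections import defaultdict

# Limits copied from the policy in the thread.
CONN_MAX = 300
EMBRYONIC_CONN_MAX = 20


class ConnLimitModel:
    """Toy model of 'set connection conn-max / embryonic-conn-max'.

    per_host=True  -> each destination host matched by the ACL gets its own
                      counters (the behaviour TAC confirmed to the poster).
    per_host=False -> a single counter shared by every host in the class
                      (the reading the poster wanted to rule out).
    Modelling assumption: embryonic connections also count toward conn-max.
    """

    def __init__(self, conn_max=CONN_MAX, emb_max=EMBRYONIC_CONN_MAX, per_host=True):
        self.conn_max, self.emb_max, self.per_host = conn_max, emb_max, per_host
        self.established = defaultdict(int)  # key -> fully open connections
        self.embryonic = defaultdict(int)    # key -> half-open (SYN seen only)
        self.drops = 0                       # what 'drop N' in the output would count

    def _key(self, dst):
        return dst if self.per_host else "whole-class"

    def syn(self, dst):
        """A new SYN toward dst is admitted only if both limits still have room."""
        k = self._key(dst)
        total = self.established[k] + self.embryonic[k]
        if total >= self.conn_max or self.embryonic[k] >= self.emb_max:
            self.drops += 1
            return False
        self.embryonic[k] += 1
        return True

    def complete(self, dst):
        """Handshake finished: move one connection from embryonic to established."""
        k = self._key(dst)
        if self.embryonic[k] > 0:
            self.embryonic[k] -= 1
            self.established[k] += 1

    def current_conns(self):
        """The aggregate figure a 'show service-policy' style line reports."""
        return sum(self.established.values()) + sum(self.embryonic.values())


def fill_host(model, dst, n):
    """Try to open n complete connections to dst; return how many were admitted."""
    admitted = 0
    for _ in range(n):
        if model.syn(dst):
            model.complete(dst)
            admitted += 1
    return admitted
```

Even in the per-host model, current_conns() sums every host together, which is why the show output looks like a class-wide total although the limit itself is enforced per host.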