How Does MPF Class 'conn-max' Work Using an Access-list

All,

Setting up some MPF protections for some of our Internet services. I am using MPF to create a class to match traffic out of an ACL, and then am applying some connection limits and parameters on the traffic specified in said ACL. See the relevant configuration:

class-map webserver-protect-class
 description Webserver Protection Class used to protect Webservers from DOS attacks
 match access-list webserver-protection

policy-map traffic-control-policy
 description Policy to control and protect Internet Services
 class webserver-protect-class
  set connection conn-max 300 embryonic-conn-max 20

access-list webserver-protection extended permit tcp any object-group web-servers-int object-group web

So the ACL just lists a group of destination hosts and services using object-groups. What I am trying to determine is, with the above MPF configuration, are the conn-max limits I am imposing going to be set for each host listed in the ACL, or are the limits the total limits for all hosts in the ACL? So for example, if I match 10.10.10.5, 10.10.10.6, 10.10.10.7 for WWW connections in the ACL, and impose a 300 conn-max in the MPF policy, does the conn-max apply to 10.10.10.5, 10.10.10.6, and 10.10.10.7 for WWW traffic individually, such that each host has a conn-max of 300, or is the 300 conn-max setting a 300 connection total for all of the 10.10.10.5-7 hosts, such that only 300 connections across 10.10.10.5-7 as a total are allowed? In other words, only 300 connections are allowed between 10.10.10.5-7 as a total. I think it's the former, but when I run the command sh service-policy interface OUTSIDE, it seems to show a total in the output, so I want to clarify:

Class-map: webserver-protect-class
 Set connection policy: conn-max 300 embryonic-conn-max 20
 current conns 84, drop 0

In the output, is it showing a total of all the hosts in the ACL and the number of connections that are open amongst all of them? Hopefully this makes sense what I am asking. Thanks in advance for any help here.
2 Replies

Re: How Does MPF Class 'conn-max' Work Using an Access-list

Any ideas on this, NetPros?


Re: How Does MPF Class 'conn-max' Work Using an Access-list

I gave up here and called TAC. It works the way I thought it did in the first scenario. Each host in the ACL can only accept the number of connections configured in the set connection part of the policy. Thanks.
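The two counting models the question contrasts, per-destination-host versus one aggregate budget for the whole class, as an added Python illustration. This is not ASA code and not from the thread; it is a toy model that replays a constructed set of connection attempts through an ACL-style match and reports the "current conns" and "drop" counters each reading would produce. The host addresses and the WWW service come from the question; the object-group contents, the client addresses and the connection mix are constructed.

```python
"""Toy model of conn-max accounting for an ACL-matched MPF class.

Added illustration, not ASA code. It models the two readings contrasted in
the question: a separate conn-max per destination host (the reading the final
reply reports TAC confirmed) versus one aggregate budget shared by every host
the ACL matches. All data below is constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed stand-ins for object-group web-servers-int and object-group web
WEB_SERVERS = {"10.10.10.5", "10.10.10.6", "10.10.10.7"}
WEB_PORTS = {80}          # WWW
CONN_MAX = 300            # from 'set connection conn-max 300'


@dataclass
class ClassCounters:
    """Mirrors the counters a 'show service-policy' line reports, plus a
    per-host breakdown the CLI output in the question does not show."""
    current_conns: int = 0
    drops: int = 0
    per_host: Counter = field(default_factory=Counter)


def matches_class(dst_ip, dst_port, proto="tcp"):
    """ACL 'permit tcp any <web-servers> <web>': match on protocol,
    destination host and destination service only (source is 'any')."""
    return proto == "tcp" and dst_ip in WEB_SERVERS and dst_port in WEB_PORTS


def apply_policy(connections, conn_max=CONN_MAX, per_host=True):
    """Replay new-connection attempts (src, dst_ip, dst_port) through the class.

    per_host=True : each destination host gets its own conn_max budget.
    per_host=False: one conn_max budget for all hosts in the ACL combined.
    Traffic the ACL does not match is neither counted nor limited here.
    """
    c = ClassCounters()
    for _src, dst_ip, dst_port in connections:
        if not matches_class(dst_ip, dst_port):
            continue
        in_use = c.per_host[dst_ip] if per_host else c.current_conns
        if in_use >= conn_max:
            c.drops += 1          # over the limit for this bucket: dropped
            continue
        c.per_host[dst_ip] += 1
        c.current_conns += 1
    return c


def sample_connections():
    """Constructed mix: 300 WWW conns to .5, 200 to .6, 50 to .7, and 10
    SSH conns to .5 that the ACL does not match."""
    conns = []
    conns += [(f"198.51.100.{i % 200}", "10.10.10.5", 80) for i in range(300)]
    conns += [(f"198.51.100.{i % 200}", "10.10.10.6", 80) for i in range(200)]
    conns += [(f"198.51.100.{i % 200}", "10.10.10.7", 80) for i in range(50)]
    conns += [(f"198.51.100.{i}", "10.10.10.5", 22) for i in range(10)]
    return conns


if __name__ == "__main__":
    for mode in (True, False):
        r = apply_policy(sample_connections(), per_host=mode)
        print(f"per_host={mode}: current conns {r.current_conns}, "
              f"drop {r.drops}, per host {dict(r.per_host)}")
```

With the per-host reading every one of the 550 WWW connections is admitted (each host stays at or under 300), while the aggregate reading admits the first 300 and drops the remaining 250. Either way the single "current conns" figure is a class-wide sum, which is why that output line alone cannot tell the two readings apart; only pushing one host past the limit while the class total stays below it would.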