Connection-Rate ACL operating notes

ACE Types

A connection-rate ACL allows you to configure two types of ACEs (Access Control Entries):

- ignore <source-criteria>: This ACE type directs the switch to permit all inbound traffic meeting the configured <source-criteria> without filtering the traffic through the connection-rate policy configured on the port through which the traffic entered the switch. For example, "ignore host 15.45.120.70" tells the switch to permit traffic from the host at 15.45.120.70 without filtering this host's traffic through the connection-rate policy configured for the port on which the traffic entered the switch.

- filter <source-criteria>: This ACE type does the opposite of an ignore entry. That is, all inbound traffic meeting the configured <source-criteria> must be filtered through the connection-rate policy configured for the port on which the traffic entered the switch. This option is most useful in applications where it is easier to use filter to specify suspicious traffic sources for screening than to use ignore to specify exceptions for trusted traffic sources that do not need screening. For example, if the host at 15.45.127.43 requires connection-rate screening, but all other hosts in the VLAN do not, you would configure and apply a connection-rate ACL with "filter ip host 15.45.127.43" as the first ACE and "ignore ip any" as the second ACE. In this case, the traffic from host 15.45.127.43 would be screened, but traffic from all other hosts on the VLAN would be permitted without connection-rate screening.

Implicit ACE

A connection-rate ACL includes a third, implicit "filter ip any" ACE, which is automatically the last ACE in the ACL. This implicit ACE does not appear in displays of the ACL configuration, but it is always present in any connection-rate ACL you configure. For example, assume that a port is configured with a connection-rate policy and is in a VLAN configured with a connection-rate ACL. If there is no match between an incoming packet and the ACE criteria in the ACL, then the implicit "filter ip any" sends the packet for screening by the connection-rate policy configured on that port. To preempt the implicit "filter ip any" in a given connection-rate ACL, you can configure "ignore ip any" as the last explicit ACE in the connection-rate ACL. The switch then ignores (permits) traffic that is not explicitly addressed by ACEs configured earlier in the ACL, without filtering that traffic through the existing connection-rate policy.

Monitoring Shared Resources

Active instances of throttling or blocking a client that is generating a high rate of connection requests use internal routing switch resources that are shared with several other features. The routing switch provides ample resources for all features. However, if the internal resources become fully subscribed, new instances of throttling or blocking cannot be initiated until the necessary resources are released from other uses. (Event Log messages and SNMP traps are not affected.) For information on determining current resource availability and usage, see the appendix titled "Monitoring Resources" in the management and configuration guide for your switch.
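The first-match evaluation described in the ACE Types and Implicit ACE sections above is easy to get wrong when ACEs are reordered, so here is a small Python model of it. This is an added example written for this page, not switch firmware or any vendor code: it parses the ACE forms the notes show ("ignore host <addr>", "filter ip host <addr>", "ignore ip any"), appends the hidden "filter ip any", evaluates a source address against the list in order, and reports ACEs that are shadowed by an earlier, broader ACE and so can never match. Support for a CIDR "<addr>/<prefix>" source criterion is an assumption for the sake of the shadow check and is not taken from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                      # "ignore" (bypass policy) or "filter" (screen)
    network: ipaddress.IPv4Network   # source criteria as a network


def parse_ace(line: str) -> Ace:
    """Parse one ACE line. The 'ip' keyword is optional, matching both
    'ignore host X' and 'filter ip host X' as written in the notes."""
    tokens = line.strip().split()
    if not tokens or tokens[0].lower() not in ("ignore", "filter"):
        raise ValueError(f"ACE must start with ignore or filter: {line!r}")
    action, rest = tokens[0].lower(), tokens[1:]
    if rest and rest[0].lower() == "ip":
        rest = rest[1:]
    if not rest:
        raise ValueError(f"missing source criteria: {line!r}")
    if rest[0].lower() == "any":
        return Ace(action, ANY)
    if rest[0].lower() == "host" and len(rest) == 2:
        return Ace(action, ipaddress.IPv4Network(rest[1] + "/32"))
    if "/" in rest[0]:
        # Assumption: a CIDR source criterion; not shown on the page.
        return Ace(action, ipaddress.IPv4Network(rest[0], strict=False))
    raise ValueError(f"unsupported source criteria: {line!r}")


class ConnectionRateAcl:
    """Ordered ACEs plus the implicit trailing 'filter ip any'."""

    IMPLICIT_LAST = Ace("filter", ANY)

    def __init__(self, lines: List[str]) -> None:
        self.aces = [parse_ace(ln) for ln in lines]

    def evaluate(self, source: str) -> Tuple[str, Optional[int]]:
        """Return (action, index of matching explicit ACE). Index is None
        when only the implicit 'filter ip any' matched."""
        addr = ipaddress.IPv4Address(source)
        for idx, ace in enumerate(self.aces):
            if addr in ace.network:
                return ace.action, idx
        return self.IMPLICIT_LAST.action, None

    def is_screened(self, source: str) -> bool:
        """True when traffic from source is handed to the port's
        connection-rate policy (filter); False when it bypasses it (ignore)."""
        return self.evaluate(source)[0] == "filter"

    def shadowed(self) -> List[int]:
        """Indexes of ACEs that can never match because an earlier ACE
        already covers their whole network (e.g. a host after 'ignore ip any')."""
        dead = []
        for i, later in enumerate(self.aces):
            for earlier in self.aces[:i]:
                if later.network.subnet_of(earlier.network):
                    dead.append(i)
                    break
        return dead


if __name__ == "__main__":
    # Constructed ACL from the filter example in the notes: screen one host,
    # let everyone else through without screening.
    acl = ConnectionRateAcl(["filter ip host 15.45.127.43", "ignore ip any"])
    print(acl.evaluate("15.45.127.43"))   # ('filter', 0)
    print(acl.evaluate("15.45.127.44"))   # ('ignore', 1)
    # Same ACEs reversed: the host entry is shadowed and never screens anything.
    reversed_acl = ConnectionRateAcl(["ignore ip any", "filter ip host 15.45.127.43"])
    print(reversed_acl.shadowed())        # [1]
```

The shadow check is the piece worth keeping around: because the real ACL hides its trailing "filter ip any", a misordered "ignore ip any" silently turns every later filter ACE into dead configuration, and the only visible symptom is that a host you meant to screen never is.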