Configuring connection-rate filtering for low risk networks

​Enable notify-only mode on the ports you want to monitor.

Set global sensitivity to low.

If SNMP trap receivers are available in your network, use the snmp-server command to configure the switch to send SNMP traps.

Monitor the Event Log or (if configured) the available SNMP trap receivers to identify hosts exhibiting high connection rates.

Check any hosts that exhibit relatively high connection rate behavior to determine whether malicious code or legitimate use is the cause of the behavior.

Hosts demonstrating high, but legitimate connection rates, such as heavily used servers, can trigger a connection-rate filter. Configure connection rate ACLs to create policy exceptions for trusted hosts. (Exceptions can be configured for these criteria:

Increase the sensitivity to Medium and repeat steps Step 5 and Step 6.

	NOTE: On networks that are relatively infection-free, sensitivity​ levels above Medium are not recommended.

(Optional.) Enable throttle or block mode on the monitored ports.

	NOTE: ​​On a given VLAN, to unblock the hosts that have been blocked by the connection-rate feature, use the vlan <vid> connection-rate filter unblock command.

Maintain a practice of carefully monitoring the Event Log or configured trap receivers for any sign of high connectivity-rate activity that could indicate an attack by malicious code, see Connection-rate log and trap messages.