10-20-2009 02:01 PM
Good day. I'm trying to rate limit traffic on my ACE module. I see that I can do real server rate limiting and connection limiting. Is there a way to do that based upon flow, or is there some way to differentiate between source addresses?
Thanks in Advance.
10-20-2009 04:21 PM
You can either rate limit on per Vserver basis or rserver basis.
example1: rserver based rate limiting
serverfarm host syed-farm
  rserver syed-server
    rate-limit connection 300
example2: Vserver based rate limiting
parameter-map type connection syed-map
  rate-limit connection 300
policy-map multi-match vlanx-vips
  class VIP80
    connection advanced-options syed-map
Rate limiting based on any other source or destination criteria is not supported.
One option to explore would be to use a dedicated context for a particular APP and
resource limit the connections using the "limit-resource rate" command.
Netpace1/Admin(config-resource)# limit-resource rate ?
  bandwidth        Limit bandwidth in bytes per second
  connections      Limit connections per second
  inspect-conn     Limit rtsp/ftp inspect connections per second
  mac-miss         Limit mac miss traffic (punted to-the-box) in pkts/sec
  mgmt-traffic     Limit management traffic (to-the-box) in bytes per second
  ssl-connections  Limit number of SSL connections per second
  syslog           Limit syslog messages per second
HTH
Syed Iftekhar Ahmed
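The dedicated-context option from the reply above, sketched as an added example that is not part of the original posts and is entered in the Admin context. The resource-class name, context name and VLAN number are hypothetical, the 5.00 value is constructed, and the `minimum ... maximum equal-to-min` form is assumed from the ACE resource-class syntax, where limits are percentages of module-wide capacity rather than absolute rates.

```cisco
resource-class EXAMPLE-APP-RC
  limit-resource rate connections minimum 5.00 maximum equal-to-min
  limit-resource rate ssl-connections minimum 5.00 maximum equal-to-min

context EXAMPLE-APP
  allocate-interface vlan 100
  member EXAMPLE-APP-RC
```

The cap applies to the context as a whole, so it bounds how much of the module one application can consume but does not distinguish between source addresses.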
10-20-2009 08:08 PM
Thanks for the advice Syed. I'll test that first.
I'm trying to prevent DDoS attacks at the ACE level. I guess I can move out a bit since I think 6500s can do per-flow rate limiting.