Cisco Support Community
New Member

Cisco ACE DoS

We have a security scanning tool that has overloaded the ACE during its scans due to the high number of connections it creates towards the servers.

I would like to configure the ACE so that it can protect itself from DoS attacks; specifically, I want the ACE to be able to limit the rate of incoming connections.

I came across the feature "Configuring Rate Limits for a Policy Map", in here:

But I am not sure how the policy map is applied. Is the configured limit-rate applied per server farm/VIP, or per interface? Should I configure the rate-limit class-map under the load balance policy, or under a separate policy?

I found the below statement in here:


"The ACE applies these rate limits to each class map that you associate with the policy at the virtual server level."

What does the above statement mean?


Re: Cisco ACE DoS


Try the following:

host1/Admin(config)# parameter-map type connection RATE-LIMIT-TAC
host1/Admin(config-parammap-conn)# rate-limit connection 100000

policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    nat dynamic 5 vlan 50
    connection advanced-options RATE-LIMIT-TAC >>>> apply it here!


Mark it if it was useful

New Member

Re: Cisco ACE DoS

Thank you.

According to the document, the parameter map is applied to a Virtual Server through the command

connection advanced-options

But what I actually want to achieve is to make the box protect itself, and not the servers/virtual servers. This is because the security scanning tool overloads the ACE itself, making it unavailable, and causing an outage for all server farms.

What I am looking for is a global command that applies to the ACE, that will limit the overall connections coming into the server, without specifying a virtual server/real server.

Cisco Employee

Re: Cisco ACE DoS


You can also try this:

To limit the maximum number of ACE connections, create a resource class and then use the following commands:

Through-the-ACE connections: limit-resource conc-connections

To-the-ACE connections: limit-resource mgmt-connections

Make sure that you assign the current context to the resource class.

For details on security features on ACE I would also suggest going through the link below:

Let me know if that helps.
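
The resource-class approach from the reply above, written out as an added example (not part of the original thread or taken from Cisco's documentation). The names SCAN-GUARD and C1 and the percentage values are assumptions to be replaced with your own; the minimum is a percentage of the ACE's total for that resource, and the resource class is created from the Admin context.

```text
! Added example. SCAN-GUARD, C1 and the percentages are placeholders.
host1/Admin(config)# resource-class SCAN-GUARD
host1/Admin(config-resource)# limit-resource conc-connections minimum 20 maximum equal-to-min
host1/Admin(config-resource)# limit-resource mgmt-connections minimum 10 maximum equal-to-min
host1/Admin(config-resource)# exit
! Assign the context to the resource class so the limits take effect.
host1/Admin(config)# context C1
host1/Admin(config-context)# member SCAN-GUARD
host1/Admin(config-context)# exit
host1/Admin(config)# exit
! Check what each context is consuming against its limits.
host1/Admin# show resource usage
```

With maximum equal-to-min, the context is capped at its guaranteed share of concurrent connections instead of being allowed to grow without limit.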


