Cisco ACE

We have a security scanning tool that has overloaded the ACE during its scans due to the high number of connections it creates towards the servers.

I would like to configure the ACE so that it can protect itself from DoS attacks; specifically, I want the ACE to be able to limit the rate of incoming connections.

I came across the feature "Configuring Rate Limits for a Policy Map", here: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/tcpipnrm.html#wp1125308

But I am not sure how the policy map is applied. Is the configured rate limit applied per server farm/VIP, or per interface? Should I configure the rate-limit class map under the load-balance policy, or under a separate policy?

I found the statement below here: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/command/reference/parammap.html#wp1195366

"The ACE applies these rate limits to each class map that you associate with the policy at the virtual server level."

What does the above statement mean?

Cisco Employee

It means the parameter map is applied to a policy map. In the multi-match service policy, each class map references a policy map, and multiple class maps can reference the same policy map. Also, each multi-match policy can be applied to multiple interfaces, and each interface can even have multiple service policies. All traffic that matches a class map in a multi-match service policy that references the policy map with the rate limit is pooled together and restricted by the command. You could have a policy with the parameter map for one class map in a multi-match applied to an interface, and have another policy without the parameter map for a different class map in the same multi-match.

Best Regards,
Luis Ramos
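As an added illustration of the attachment described in the reply above (this is not configuration from the original thread or from Cisco; the names, addresses, ports and the limit of 500 connections per second are assumptions, and the command syntax should be checked against the ACE command reference for your software version), the fragment below attaches a connection parameter map to one class of a multi-match policy and leaves a second class unlimited:

```cisco
! Parameter map holding the limit: at most 500 new connections per second
! for all traffic of whatever class references it (value assumed).
parameter-map type connection CONN_RATE_LIMIT
  rate-limit connection 500

! Layer 3/4 class maps selecting two VIPs (addresses and ports assumed).
class-map match-all VIP_WEB
  2 match virtual-address 10.10.10.10 tcp eq www
class-map match-all VIP_APP
  2 match virtual-address 10.10.10.11 tcp eq 8080

! Load-balancing policies that pick the server farms; the rate limit is
! not configured here.
policy-map type loadbalance first-match LB_WEB
  class class-default
    serverfarm SF_WEB
policy-map type loadbalance first-match LB_APP
  class class-default
    serverfarm SF_APP

! Multi-match policy: the parameter map is attached per class, so every
! connection matching VIP_WEB is pooled under CONN_RATE_LIMIT, while
! VIP_APP has no parameter map and is not rate-limited.
policy-map multi-match CLIENT_VIPS
  class VIP_WEB
    loadbalance vip inservice
    loadbalance policy LB_WEB
    connection advanced-options CONN_RATE_LIMIT
  class VIP_APP
    loadbalance vip inservice
    loadbalance policy LB_APP

! The multi-match policy is applied per interface; the limit itself still
! counts per class (VIP), not per interface.
interface vlan 100
  ip address 10.10.10.1 255.255.255.0
  service-policy input CLIENT_VIPS
  no shutdown
```

With this layout, running the scanner against 10.10.10.10 exhausts only the VIP_WEB pool; connections to 10.10.10.11 are unaffected. If the same parameter map were referenced from both classes, each class would still get its own 500-per-second budget rather than sharing one. Per-class connection and drop counters can be inspected with the service-policy show commands for CLIENT_VIPS after a scan to confirm the limit is taking effect.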