Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

rate limit per ip

I have a customer who ran into a situation the other day where one of their websites was down because it was receiving too many http POST requests, the POST requests filled the queue on their server and was timing out for other clients. Is there a way i am able to set up the asa so it will restrict how many connections are allowed per second/minute from one ip? Thanks in advance!

3 REPLIES
Super Bronze

rate limit per ip

Hi,

Let me start of by saying that I have not played around with these settings that many times myself. I have usually set connection timeout values for certain connections more than use connection limits

Wonder if something along these lines would work

access-list WEB-SERVER-CONNECTIONLIMIT extended permit tcp any host eq www

access-list WEB-SERVER-CONNECTIONLIMIT extended permit tcp any host https

class-map WEB-SERVER-CONNECTIONLIMIT

match access-list WEB-SERVER-CONNECTIONLIMIT

policy-map global_policy

class WEB-SERVER-CONNECTIONLIMIT

  set connection per-client-max per-client-embryonic-max

I am not sure but to my understanding the destination IP address you use in the ACL depends on your software. I am using 8.4(5) so I actually used the local IP address as the destination of the ACL even though the host was Static NATed to a public IP address

- Jouni

New Member

rate limit per ip

Thanks for the reply Jouni. I think I will have to give this a shot.

set connection per-client-max per-client-embryonic-max

Is per-client-max referring to how many times one ip is allowed to make connections? What would you recommend for the embyonic-max value?

Thanks!

Super Bronze

rate limit per ip

Hi,

Yes, to my understanding the first one sets the connection limit for one source IP address.

As I said I have not used this configuration that much myself. But as the embryonic connection refers to a connection that hasn't fully formed then I would imagine this would not need to be very high value since there should not be that many connections from a single source IP address that have not fully formed. If there were it would most likely be a situation where the client was only sending TCP SYN to the target server with the intention to disrupt the server operation.

- Jouni

453
Views
5
Helpful
3
Replies
CreatePlease to create content