Specifying traffic priority per vip – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual

Brocade Virtual ADX Security Guide

53-1003250-01

Application Traffic Prioritization


Specifying traffic priority per VIP

Use the priority command to configure the default priority and the attack priority of a VIP. Use the
max-tcp-conn-rate or max-udp-conn-rate command to set the maximum TCP or UDP connection rate for
the VIP and to enable the traffic prioritization function. Traffic that exceeds the configured rate
is treated as attack traffic and is handled at the VIP's attack priority instead of its default
priority.

For example, to give a VIP servicing HTTP traffic a high default priority (5) and a low attack
priority (1), and to treat its traffic as attack traffic once the TCP connection rate exceeds
100000, enter the following commands.

Virtual ADX(config)# server virtual vs1 200.1.1.1
Virtual ADX(config-vs-vs1)# port http
Virtual ADX(config-vs-vs1)# bind http rs1 http rs2 http
Virtual ADX(config-vs-vs1)# priority tcp 5 attack-priority 1
Virtual ADX(config-vs-vs1)# max-tcp-conn-rate 100000 enable-protection

To give a VIP servicing FTP traffic a medium default priority (3) and the lowest attack priority
(0), with a TCP connection rate limit of 2000, enter the following commands.

Virtual ADX(config)# server virtual vs2 200.1.1.2
Virtual ADX(config-vs-vs2)# port ftp
Virtual ADX(config-vs-vs2)# bind ftp rs3 ftp rs4 ftp
Virtual ADX(config-vs-vs2)# priority tcp 3 attack-priority 0
Virtual ADX(config-vs-vs2)# max-tcp-conn-rate 2000 enable-protection

Syntax: [no] priority [tcp | udp | ip] default-value [attack-priority attack-value]

The tcp option specifies TCP SLB traffic.

The udp option specifies UDP SLB traffic.

The ip option specifies the remaining traffic, such as ICMP.

NOTE

When using the priority command, you must specify one of the tcp, udp, or ip options.

The default-value variable is the default priority value. Enter a number from 0 through 7, where 7
is the highest priority level.

The attack-priority attack-value option specifies the attack priority value. For the attack-value
variable, enter a number from 0 through 7, where 7 is the highest priority level.

A priority of 7 does not guarantee delivery: when the BP-RX queue is full, packets are dropped even
at the highest priority level.

Syntax: [no] max-tcp-conn-rate rate-value enable-protection

Syntax: [no] max-udp-conn-rate rate-value enable-protection

The rate-value parameter represents the maximum connection rate allowed for the VIP. Traffic
exceeding this rate is considered attack traffic.

The enable-protection keyword is mandatory; it enables the traffic prioritization function for the
VIP.

Specifying the monitor interval to classify and declassify an attack

Use the server attack-interval command to specify the monitor intervals for classifying and
declassifying an attack condition: the classify interval governs how long a VIP's connection rate
must exceed its limit before the attack condition is declared, and the de-classify interval how
long the rate must stay within the limit before the condition is cleared. For example, to set a
classify interval of 100 and a de-classify interval of 200, enter the following command.

Virtual ADX(config)# server attack-interval classify 100 de-classify 200
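As an added illustration that is not Brocade code and does not appear in this guide, the following Python model shows how the three settings above interact: the per-VIP default and attack priorities from the priority command, the rate limit from max-tcp-conn-rate ... enable-protection, and the classify and de-classify values from server attack-interval. It uses the VIP names, priorities and rate limits from the example configuration on this page. Assumptions: the classify and de-classify values are treated as counts of consecutive monitor samples (the guide does not state their units), the ADX's actual queueing and scheduling are not modelled, and the traffic samples are constructed for the example.

```python
"""Model of the per-VIP traffic prioritization settings described on this page.

Added illustration only: not Brocade code, and not a reproduction of the
ADX scheduler. It models the interaction of three settings:
  priority <proto> default-value attack-priority attack-value
  max-tcp-conn-rate rate-value enable-protection
  server attack-interval classify N de-classify M
Assumption: N and M are counts of consecutive monitor samples (the guide
does not give their units); the traffic samples below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class VipPolicy:
    """Per-VIP settings from 'priority' and 'max-tcp-conn-rate ... enable-protection'."""
    vip: str
    default_priority: int   # default-value, 0 through 7 (7 is highest)
    attack_priority: int    # attack-value, 0 through 7
    max_conn_rate: int      # rate-value; samples above this count as attack traffic

    def __post_init__(self) -> None:
        # Enforce the 0 through 7 range the priority command accepts.
        for value in (self.default_priority, self.attack_priority):
            if not 0 <= value <= 7:
                raise ValueError(f"{self.vip}: priority {value} is outside 0 through 7")
        if self.max_conn_rate <= 0:
            raise ValueError(f"{self.vip}: rate-value must be positive")


@dataclass(frozen=True)
class AttackInterval:
    """server attack-interval classify <classify> de-classify <declassify>."""
    classify: int
    declassify: int


@dataclass
class VipState:
    under_attack: bool = False
    over_samples: int = 0    # consecutive samples above max_conn_rate
    under_samples: int = 0   # consecutive samples at or below max_conn_rate


class Prioritizer:
    def __init__(self, interval: AttackInterval, policies: List[VipPolicy]) -> None:
        self.interval = interval
        self.policies: Dict[str, VipPolicy] = {p.vip: p for p in policies}
        self.states: Dict[str, VipState] = {p.vip: VipState() for p in policies}

    def observe(self, vip: str, conn_rate: int) -> int:
        """Feed one monitor sample (new connections seen in that interval) and
        return the priority the VIP's traffic receives after the sample."""
        policy = self.policies[vip]
        state = self.states[vip]
        if conn_rate > policy.max_conn_rate:
            state.over_samples += 1
            state.under_samples = 0
            # A short burst does not demote the VIP: the rate must stay over
            # the limit for the whole classify interval.
            if not state.under_attack and state.over_samples >= self.interval.classify:
                state.under_attack = True
        else:
            state.under_samples += 1
            state.over_samples = 0
            # The VIP stays at its attack priority until the rate has been back
            # within the limit for the whole de-classify interval.
            if state.under_attack and state.under_samples >= self.interval.declassify:
                state.under_attack = False
        return policy.attack_priority if state.under_attack else policy.default_priority


def run_page_example() -> Dict[str, List[int]]:
    """Run the two VIPs configured on this page through constructed traffic and
    return the priority applied to each VIP after every sample."""
    prioritizer = Prioritizer(
        AttackInterval(classify=100, declassify=200),
        [
            VipPolicy("vs1", default_priority=5, attack_priority=1, max_conn_rate=100000),
            VipPolicy("vs2", default_priority=3, attack_priority=0, max_conn_rate=2000),
        ],
    )
    # Constructed samples: vs1 is flooded for 100 samples and then recovers
    # for 200 samples; vs2 stays under its limit throughout.
    vs1_rates = [150000] * 100 + [50000] * 200
    vs2_rates = [1500] * 300
    return {
        "vs1": [prioritizer.observe("vs1", r) for r in vs1_rates],
        "vs2": [prioritizer.observe("vs2", r) for r in vs2_rates],
    }


if __name__ == "__main__":
    for vip, priorities in run_page_example().items():
        changes = [(i + 1, p) for i, p in enumerate(priorities)
                   if i == 0 or p != priorities[i - 1]]
        print(vip, "priority after sample:", changes)
```

Running the model, vs1 is serviced at its default priority 5 for the first 99 over-rate samples, drops to attack priority 1 on the 100th, and stays there until 200 consecutive in-limit samples have passed, while vs2 never leaves priority 3. The asymmetry between the classify and de-classify values is the point of setting them separately: a short burst never demotes a VIP, and a VIP that has been flooded is not promoted again the moment the flood pauses.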
