Global trl, Transaction rate limit hold-down value, Displaying trl rules statistics – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual


Brocade Virtual ADX Security Guide


53-1003250-01

Transaction rate limit


Global TRL

If TRL per client subnet is not needed, Global TRL can be used to create a configuration to apply to
all the incoming traffic.

Use the ip [tcp | udp | icmp] trans-rate command to enable TRL on the Brocade Virtual ADX for TCP,
UDP, or ICMP traffic. If more than a specified number of packets per second come from the same
IP address over a specified interval, then all traffic from that IP address is held down for a specified
number of minutes.

Syntax: [no] ip [tcp | udp | icmp] trans-rate monitor-interval interval conn-rate rate hold-down-time minutes

The monitor-interval interval parameter is the amount of time used to measure incoming traffic.
This parameter is specified in increments of 100ms. For example, to measure traffic over a 1
second interval, you would specify 10.

The conn-rate rate parameter is the threshold for the number of connections per second from any
one IP address. Traffic exceeding this rate over the specified interval is subject to hold down.

The hold-down-time minutes parameter is the number of minutes that traffic from an IP address
that has sent packets at a rate higher than the configured threshold is to be held down.

Virtual ADX(config)# ip tcp trans-rate monitor-interval 600 conn-rate 100 hold-down-time 5

This command configures the Brocade Virtual ADX to monitor incoming TCP traffic. If more than
100 TCP connections per second arrive from the same IP address over a 60-second interval (600 X
100ms), then all TCP traffic from that IP address is held down for 5 minutes.

To apply TRL to TCP traffic coming into port 80 on interface 1/1:

Virtual ADX(config)# interface ethernet 1/1

Virtual ADX(config-if-1/1)# ip tcp trans-rate 80

Syntax: [no] ip [tcp | udp | icmp] trans-rate <ports>

where ports sets one or more TCP or UDP ports to monitor. With TRL, the Brocade Virtual ADX can
monitor up to four specific ports. The Brocade Virtual ADX can also monitor traffic to all the ports by
configuring the default port.

Transaction rate limit hold-down value

If you configure "hold down 0," the incoming request is not held down. Instead it generates a log.

Displaying TRL rules statistics

You can display statistics for TRL rules as shown.

Syntax: show client-trl rules-stat

Virtual ADX#show client-trl rules-stat

Policy-Name  default-rule  ipv4-rules-alloted  ipv4-rules-added  ipv6-rules-alloted  ipv6-rules-added
trl1         0             2500                0                 2500                0
trl2         0             2500                0                 2500                0
trl3         0             2500                0                 2500                0

Global ipv4 rule num: 2500, total-alloted-ipv4-rules: 7500
Global ipv6 rule num: 2500, total-alloted-ipv6-rules: 7500
