Global trl – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual


ServerIron ADX Security Guide

53-1002440-03

Transaction Rate Limit (TRL)


Syntax: trl {default | { <client-IPv4> <client-mask> | <client-IPv6> <prefix> } {exclude | monitor-interval <monitor-value> conn-rate <connection-value> hold-down-time <hold-down-value>}}

default - Specifies default transaction rate limit parameter.

<client-IPv4> - Specifies the IPv4 client subnet.

<client-mask> - Specifies the IPv4 client mask.

<client-IPv6> - Specifies the IPv6 client subnet.

<prefix> - Specifies the number of IPv6 prefix bits.

exclude - Specifies to exclude the prefix from transaction rate limit.

monitor-interval - Specifies the time interval for monitoring, in units of 100 ms.

<monitor-value> - Specifies value of time interval for monitoring.

conn-rate - Specifies connection rate.

<connection-value> - Specifies value of connection rate for client.

hold-down-time - Specifies time for holding down source.

<hold-down-value> - Specifies hold down time in minutes.

Command modes
Global configuration mode.

Global TRL

If TRL per client subnet is not needed, Global TRL can be used to create a single configuration that applies to
all incoming traffic.

Use ip [tcp | udp | icmp] trans-rate to enable TRL on the ServerIron for TCP, UDP, or ICMP traffic. If
more than a specified number of packets per second arrive from the same IP address over a
specified interval, all traffic of that protocol from that IP address is held down for a specified number of
minutes.

Syntax: [no] ip [tcp | udp | icmp] trans-rate monitor-interval <interval> conn-rate <rate> hold-down-time <minutes>

monitor-interval <interval> Amount of time used to measure incoming traffic. This parameter is
specified in increments of 100ms. For example, to measure traffic over a 1 second interval, you
would specify 10 for this.

conn-rate <rate> Threshold for the number of connections per second from any one IP address.
Traffic exceeding this rate over the specified interval is subject to hold down.

hold-down-time <minutes> Number of minutes that traffic from an IP address that has sent
packets at rate higher than the configured threshold is to be held down.

Example

ServerIronADX(config)# ip tcp trans-rate monitor-interval 600 conn-rate 100 hold-down-time 5

This command configures the ServerIron to monitor incoming TCP traffic. If more than 100 TCP
connections per second arrive from the same IP address over a 60-second interval (600 x 100 ms),
all TCP traffic from that IP address is held down for 5 minutes. Because the hold-down keys on the
source address, size conn-rate with any NAT or proxy egress addresses in mind: every client behind
such an address shares one counter and is held down together.
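The following simulation is an added example, not Brocade code and not part of the Security Guide; it models how the three TRL parameters interact, replaying the global example above (monitor-interval 600, conn-rate 100, hold-down-time 5) and a per-client rule with an exclude prefix as in the trl syntax earlier on this page. Everything about the internal algorithm is an assumption: the threshold is evaluated as an average over the monitor interval, a held-down source is dropped without being counted, and client rules are matched first-match rather than longest-prefix. The traffic is constructed.

```python
"""Constructed model of ServerIron ADX transaction rate limiting (TRL).

Assumptions not stated on the page: the threshold is an average over the
monitor interval (connections in window / window seconds > conn-rate);
packets from a held-down source are dropped and not counted; per-client
rules are matched first-match; an exclude rule bypasses TRL entirely.
"""
import ipaddress
from collections import defaultdict, deque


class TrlPolicy:
    """One set of TRL parameters, in the units the CLI uses."""

    def __init__(self, monitor_interval, conn_rate, hold_down_time):
        self.window_s = monitor_interval / 10.0      # monitor-interval is in 100 ms units
        self.conn_rate = conn_rate                   # connections per second
        self.hold_down_s = hold_down_time * 60       # hold-down-time is in minutes


class TrlSimulator:
    def __init__(self, default):
        self.default = default                       # the 'trl default' / global policy
        self.rules = []                              # (network, policy); policy None == exclude
        self.conns = defaultdict(deque)              # source -> timestamps inside the window
        self.held_until = {}                         # source -> time the hold-down expires

    def add_rule(self, prefix, policy=None):
        """Add a per-client rule; omit policy to emulate the 'exclude' keyword."""
        self.rules.append((ipaddress.ip_network(prefix), policy))

    def policy_for(self, src):
        addr = ipaddress.ip_address(src)
        for net, pol in self.rules:                  # first match wins (assumption)
            if addr.version == net.version and addr in net:
                return pol
        return self.default

    def new_connection(self, src, t):
        """Return True if a connection from src at time t (seconds) is accepted."""
        pol = self.policy_for(src)
        if pol is None:
            return True                              # excluded from TRL
        if src in self.held_until:
            if t < self.held_until[src]:
                return False                         # still held down
            del self.held_until[src]                 # hold-down expired, start fresh
            self.conns[src].clear()
        q = self.conns[src]
        q.append(t)
        while q and q[0] <= t - pol.window_s:        # slide the monitor window
            q.popleft()
        if len(q) / pol.window_s > pol.conn_rate:    # average rate over the window exceeded
            self.held_until[src] = t + pol.hold_down_s
            q.clear()
            return False
        return True


def burst(sim, src, count, start, spacing):
    """Send `count` connections from src starting at `start`, `spacing` seconds apart;
    return how many the simulator accepted."""
    return sum(sim.new_connection(src, start + i * spacing) for i in range(count))


def demo():
    """Replay the page's global example plus a per-client IPv6 rule and an exclude."""
    sim = TrlSimulator(default=TrlPolicy(600, 100, 5))      # 60 s window, 100 conn/s, 5 min
    sim.add_rule("192.0.2.0/24")                             # exclude (constructed prefix)
    sim.add_rule("2001:db8::/32", TrlPolicy(10, 20, 1))      # 1 s window, 20 conn/s, 1 min
    r = {}
    # 6001 connections in six seconds: the 60 s window now averages above 100 conn/s,
    # so the 6001st trips the hold-down (held until t = 6.0 + 300 s)
    r["burst_accepted"] = burst(sim, "10.1.1.5", 6001, 0.0, 0.001)
    r["held_at_10s"] = sim.new_connection("10.1.1.5", 10.0)
    r["other_client_at_10s"] = sim.new_connection("10.1.1.6", 10.0)
    r["released_after_hold_down"] = sim.new_connection("10.1.1.5", 306.5)
    r["excluded_burst"] = burst(sim, "192.0.2.7", 7000, 0.0, 0.0005)
    r["ipv6_client_accepted"] = burst(sim, "2001:db8::1", 25, 0.0, 0.01)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The numbers that matter are the unit conversions: monitor-interval 600 is 60 seconds, not 600, and hold-down-time 5 is 300 seconds. Whether the real ServerIron compares a per-second count or a window average is not stated on this page, so treat the averaging here as illustrative and verify against the device before relying on a particular threshold.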

To apply TRL to TCP traffic coming into port 80 on interface 1/1.
