3-5
Virus Throttling (Connection-Rate Filtering)
Overview of Connection-Rate Filtering
Connection-Rate ACLs. The basic connection-rate filtering policy is con-
figured per-port as notify-only, throttle, and block. A connection-rate ACL cre-
ates exceptions to these per-port policies by creating special rules for
individual hosts, groups of hosts, or entire subnets. Thus, you can adjust a
connection-rate filtering policy to create and apply an exception to configured
filters on the ports in a VLAN. Note that connection-rate ACLs are useful only
if you need to exclude inbound traffic from your connection-rate filtering
policy. For example, a server responding to network demand may send a
relatively high number of legitimate connection requests. This can generate a
false positive by exhibiting the same elevated connection-rate behavior as a
worm. Using a connection-rate ACL to apply an exception for this server
allows you to exclude the trusted server from connection-rate filtering and
thereby keep the server running without interruption.
Note Use connection-rate ACLs only when you need to exclude an IP traffic source
(including traffic with specific UDP or TCP criteria) from a connection-rate
filtering policy. Otherwise, the ACL is not necessary.
Operating Rules
â– Connection-rate filtering does not operate on IPv6 traffic.
â– Connection-rate filtering is triggered by inbound IP traffic exhibiting
high rates of IP connections to new hosts. After connection-rate
filtering has been triggered on a port, all traffic from the suspect host
is subject to the configured connection-rate policy (notify-only, throttle,
or block).
â– When connection-rate filtering is configured on a port, the port cannot
be added to, or removed from, a port trunk group. Before this can be
done, connection-rate filtering must be disabled on the port.
â– Where the switch is throttling or blocking inbound IP traffic from a
host, any outbound traffic destined for that host is still permitted.
■Once a throttle has been triggered on a port—temporarily blocking
inbound IP traffic—it cannot be undone during operation: the penalty
period must expire before traffic will be allowed from the host.
To Next Page
Loading...
Need help?
General
