Access Security Guide K/KA/KB.15.15

Used in the ACE context (above) to specify the action of the connection-rate ACE
(filter or ignore), and the UDP/TCP criteria and SA of the IP traffic that the ACE
affects.
<filter | ignore>
filter
This option assigns a policy of filtering (dropping) IP traffic having an SA that
matches the source address criteria in the ACE.
ignore
This option specifies a policy of allowing IP traffic having an SA that matches the
source address criteria in the ACE.
<udp | tcp> <any | host> ip-addr | ip-addr mask-length
Applies the filter or ignore action to either TCP packets or UDP packets having the
specified SA.
any
Applies the ACE's action (filter or ignore) to IP traffic having any SA.
host <ip-addr>
Applies the ACE's action (filter or ignore) to IP traffic having the specified host
SA.
ip-addr <mask-length>
Applies the ACE's action (filter or ignore) to IP traffic having an SA within the
range defined by either:
<src-ip-addr/cidr-mask-bits>
or
<src-ip-addr <mask>>
Use this criterion for traffic received from either a subnet or a group of IP addresses.
The mask can be in either dotted-decimal format or CIDR format with the number
of significant bits. See “Using an ACL in a connection-rate configuration example”
(page 62).
[udp/tcp-options]
destination-port <tcp-data> [ source-port <tcp-data> ]
source-port <tcp-data> [ destination-port <tcp-data> ]
destination-port <udp-data> [ source-port <udp-data> ]
source-port <udp-data> [ destination-port <udp-data> ]
tcp-data: operator tcp-port-#
udp-data: operator udp-port-#
operator <eq | gt | lt | neq | range>
eq <port-nbr-or-name>
"Equal To": To have a match with the ACE entry, the TCP or UDP source-port number
in a packet must be equal to the specified port number.
gt <port-nbr-or-name>
"Greater Than": To have a match with the ACE entry, the TCP or UDP source-port
number in a packet must be greater than the specified port number.
lt <port-nbr-or-name>
60 Virus throttling (connection-rate filtering)
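As an added illustration (not code from the guide or from the switch software), the following Python evaluator reads ACEs written in the syntax above, namely action, protocol, SA (any, host, CIDR or address plus mask) and the port operators, and reports which ACE a given packet would hit. It assumes first-match evaluation, treats a dotted-decimal mask as a subnet mask, and the sample ACL and packets are constructed for the example.

```python
import ipaddress
# Port operators from the guide; "range" takes two ports and is handled separately.
OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n,
       "lt": lambda p, n: p < n, "neq": lambda p, n: p != n}

def parse_ace(text):
    """Parse '<filter|ignore> <udp|tcp> <any|host A|A/bits|A mask> [port options]'."""
    tok = text.split()
    action, proto, i = tok[0], tok[1], 2
    if tok[i] == "any":                                      # any SA
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":                                   # single host SA (/32)
        net, i = ipaddress.ip_network(tok[i + 1]), i + 2
    elif "/" in tok[i]:                                      # CIDR form: 10.10.0.0/16
        net, i = ipaddress.ip_network(tok[i], strict=False), i + 1
    else:  # assumption: a dotted-decimal mask is a subnet mask, e.g. 255.255.255.0
        net, i = ipaddress.ip_network(tok[i] + "/" + tok[i + 1], strict=False), i + 2
    ports = {}                        # "source-port" / "destination-port" -> (op, value)
    while i < len(tok):
        which, op = tok[i], tok[i + 1]
        if op == "range":
            ports[which], i = (op, (int(tok[i + 2]), int(tok[i + 3]))), i + 4
        else:
            ports[which], i = (op, int(tok[i + 2])), i + 3
    return {"action": action, "proto": proto, "net": net, "ports": ports}

def ace_matches(ace, proto, src_ip, src_port, dst_port):
    """True when the packet's protocol, SA and every port criterion satisfy the ACE."""
    if proto != ace["proto"] or ipaddress.ip_address(src_ip) not in ace["net"]:
        return False
    for which, (op, val) in ace["ports"].items():
        port = src_port if which == "source-port" else dst_port
        if not (val[0] <= port <= val[1] if op == "range" else OPS[op](port, val)):
            return False
    return True

def lookup(acl, proto, src_ip, src_port, dst_port):
    """Action (filter/ignore) of the first matching ACE, or None if none applies."""
    for ace in acl:
        if ace_matches(ace, proto, src_ip, src_port, dst_port):
            return ace["action"]
    return None

# Constructed sample ACL: exempt the mail server's SMTP and the subnet's DHCP traffic,
# then filter (drop) all other TCP traffic sourced from 10.10.20.0/24.
ACL = [parse_ace(a) for a in (
    "ignore tcp host 10.10.20.5 destination-port eq 25",
    "ignore udp 10.10.0.0/16 source-port range 67 68",
    "filter tcp 10.10.20.0 255.255.255.0",
)]
```

Because evaluation stops at the first match, an `ignore` ACE placed after a broader `filter` ACE never takes effect, so the order of the entries matters.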