Access Security Guide K/KA/KB.15.15

Operating rules
• Connection-rate filtering does not operate on IPv6 traffic.
• Connection-rate filtering is triggered by inbound IP traffic exhibiting high rates of IP connections to new hosts. After connection-rate filtering has been triggered on a port, all traffic from the suspect host is subject to the configured connection-rate policy (notify-only, throttle, or block).
• When connection-rate filtering is configured on a port, the port cannot be added to, or removed from, a port trunk group. Before this can be done, connection-rate filtering must be disabled on the port.
• Where the switch is throttling or blocking inbound IP traffic from a host, any outbound traffic destined for that host is still permitted.
• Once a throttle has been triggered on a port—temporarily blocking inbound IP traffic—it cannot be undone during operation: the penalty period must expire before traffic will be allowed from the host.
Unblocking a currently blocked host
A host blocked by connection-rate filtering remains blocked until explicitly unblocked by one of the following methods:
• Using the connection-rate-filter unblock command, see “Listing currently-blocked hosts” (page 57).
• Rebooting the switch.
• Disabling connection-rate filtering using the no connection-rate-filter command.
• Deleting a VLAN removes blocks on any hosts on that VLAN.
NOTE: Changing a port setting from block to throttle, notify-only, or to no filter connection-rate, does not unblock a currently blocked host. Similarly, applying a connection-rate ACL will not unblock a currently blocked host. See the above list for the correct methods to use to unblock a host.
Applying connection-rate ACLs
A host sending legitimate traffic can trigger connection-rate filtering in some circumstances. If you can verify that such a host is indeed sending valid traffic and is not a threat to your network, you may want to configure a connection-rate ACL (access control list) that allows this traffic to bypass the configured connection-rate filtering.
A connection-rate ACL is an optional tool that consists of one or more explicitly configured Access Control Entries (ACEs) used to specify whether to enforce the configured connection-rate policy on traffic from a particular source.
Use of connection-rate ACLs provides the option to apply exceptions to the configured connection-rate filtering policy. This enables you to allow legitimate traffic from a trusted source, and apply connection-rate filtering only to inbound traffic from untrusted sources. For example, where a connection-rate policy has been configured, you can apply a connection-rate ACL that causes the switch to bypass connection-rate policy filtering on traffic from:
• A trusted server exhibiting a relatively high IP connection rate due to heavy demand
• A trusted traffic source on the same port as other, untrusted traffic sources.
The criteria for an exception can include the source IP address of traffic from a specific host, group of hosts, or a subnet, and can also include source and destination TCP/UDP criteria. This allows you to apply a notify-only, throttling, or blocking policy while allowing exceptions for legitimate traffic from specific sources. You can also allow exceptions for traffic with specific TCP or UDP criteria.
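As an added example (not the guide's own text), the session below exempts two trusted sources from a throttle policy on ports 1-24 by means of a connection-rate ACL, then releases a host that was blocked before the ACL was applied. The prompt, port range, VLAN and addresses are constructed, and the exact keyword forms are recalled from the K.15 command set rather than taken from this page, so verify them against the command reference for your software version.

```text
! Enable connection-rate filtering globally and set a throttle policy on
! the edge ports (port range is constructed for this example).
HP-Switch(config)# connection-rate-filter sensitivity medium
HP-Switch(config)# filter connection-rate 1-24 throttle

! Build the connection-rate ACL. "ignore" exempts a source from the policy,
! "filter" enforces it. Entries are evaluated in order, so the closing
! "filter ip any" states explicitly that every other source stays filtered.
HP-Switch(config)# ip access-list connection-rate-filter bypass-trusted
! constructed: a backup server with a legitimately high connection rate
HP-Switch(config-crf-nacl)# ignore ip host 10.10.20.5
! constructed: a monitoring subnet that polls many hosts
HP-Switch(config-crf-nacl)# ignore ip 10.10.30.0/24
HP-Switch(config-crf-nacl)# filter ip any
HP-Switch(config-crf-nacl)# exit

! Apply the ACL to the VLAN that carries the trusted sources (VLAN 20 is constructed).
HP-Switch(config)# vlan 20 ip access-group bypass-trusted connection-rate-filter

! Per the NOTE above, applying the ACL does not release a host that is already
! blocked: unblock it explicitly, then confirm it is gone from the blocked list.
HP-Switch(config)# connection-rate-filter unblock host 10.10.20.5
HP-Switch(config)# show connection-rate-filter blocked-host
```

Before adding any ignore entry, confirm the source's traffic pattern from the blocked-host listing and your own monitoring, since an exempted host is no longer subject to notify, throttle or block on that VLAN.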