Access Security Guide K/KA/KB.15.15

configured for the port on which the traffic entered the switch. This option is most useful
in applications where it is easier to use filter to specify suspicious traffic sources for
screening than to use ignore to specify exceptions for trusted traffic sources that don't
need screening. For example, if the host at 15.45.127.43 requires connection-rate
screening, but all other hosts in the VLAN do not, you would configure and apply a
connection-rate ACL with filter ip host 15.45.127.43 as the first ACE and
ignore ip any as the second ACE. In this case, the traffic from host 15.45.127.43
would be screened, but traffic from all other hosts on the VLAN would be permitted without
connection-rate screening.
Implicit ACE
A connection-rate ACL includes a third, implicit filter ip any ACE which is automatically
the last ACE in the ACL. This implicit ACE does not appear in displays of the ACL configuration,
but is always present in any connection-rate ACL you configure. For example, assume that a
port is configured with a connection-rate policy and is in a VLAN configured with a
connection-rate ACL. If there is no match between an incoming packet and the ACE criteria
in the ACL, then the implicit filter ip any sends the packet for screening by the
connection-rate policy configured on that port. To preempt the implicit filter ip any in
a given connection-rate ACL, you can configure ignore ip any as the last explicit ACE in
the connection-rate ACL. The switch will then ignore (permit) traffic that is not explicitly
addressed by other ACEs configured sequentially earlier in the ACL without filtering the traffic
through the existing connection-rate policy.
Monitoring Shared Resources
Active instances of throttling or blocking a client that is generating a high rate of connection
requests use internal routing switch resources that are shared with several other features. The
routing switch provides ample resources for all features. However, if the internal resources
become fully subscribed, new instances of throttling or blocking cannot be initiated until the
necessary resources are released from other uses. (Event Log messages and SNMP traps are
not affected.) For information on determining current resource availability and usage, see the
appendix titled "Monitoring Resources" in the Management and Configuration Guide for your
switch.
Using CIDR notation to enter the ACE mask
You can use Classless Inter-Domain Routing (CIDR) notation to enter ACE masks. The switch interprets
the bits specified with CIDR notation as the IP address bits in an ACE and the corresponding IP
address bits in a packet. The switch then converts the mask to inverse notation for ACE use.
Table 5 CIDR notation for masks

IP address used in an ACL    Resulting ACL mask    Meaning
with CIDR notation
10.38.240.125/15             0.1.255.255           The leftmost 15 bits must match; the remaining bits are wildcards.
10.38.240.125/20             0.0.15.255            The leftmost 20 bits must match; the remaining bits are wildcards.
10.38.240.125/21             0.0.7.255             The leftmost 21 bits must match; the remaining bits are wildcards.
10.38.240.125/24             0.0.0.255             The leftmost 24 bits must match; the remaining bits are wildcards.
10.38.240.125/32             0.0.0.0               All bits must match.
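The following is an added example (not from the guide or the switch firmware) that models two things described above: how the switch derives the inverse (wildcard) mask from a CIDR prefix length, and how a connection-rate ACL is evaluated in order with the implicit filter ip any as the last ACE. The ACE representation as (action, source) tuples is a constructed simplification and covers IPv4 sources only.

```python
import ipaddress

# Constructed model of connection-rate ACL behaviour, not the switch's own code.
# An ACE is (action, source): action is "filter" or "ignore"; source is "any",
# "host A.B.C.D" or "A.B.C.D/N" (CIDR, as entered on the switch).

def cidr_to_acl_mask(prefix_len):
    """Return the inverse (wildcard) mask the switch derives from /prefix_len.

    Bits set in the result are 'don't care' bits; e.g. /20 -> 0.0.15.255.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    wildcard = (1 << (32 - prefix_len)) - 1
    return str(ipaddress.IPv4Address(wildcard))

def ace_matches(ace, src_ip):
    """True if the packet source address matches the ACE source criterion."""
    source = ace[1]
    addr = ipaddress.IPv4Address(src_ip)
    if source == "any":
        return True
    if source.startswith("host "):
        return addr == ipaddress.IPv4Address(source[len("host "):])
    # strict=False tolerates host bits in the entered address (10.38.240.125/20)
    return addr in ipaddress.IPv4Network(source, strict=False)

def connection_rate_action(acl, src_ip):
    """First-match evaluation of a connection-rate ACL for one packet.

    Returns "filter" (send to the port's connection-rate policy) or
    "ignore" (permit without screening). The implicit trailing
    'filter ip any' is appended so unmatched traffic is always screened.
    """
    for ace in acl + [("filter", "any")]:
        if ace_matches(ace, src_ip):
            return ace[0]

if __name__ == "__main__":
    # The guide's example: screen only 15.45.127.43, ignore everything else.
    screen_one_host = [("filter", "host 15.45.127.43"), ("ignore", "any")]
    print(connection_rate_action(screen_one_host, "15.45.127.43"))   # filter
    print(connection_rate_action(screen_one_host, "15.45.127.200"))  # ignore
    # No explicit ignore ip any: unmatched traffic hits the implicit filter.
    trust_one_host = [("ignore", "host 15.45.127.43")]
    print(connection_rate_action(trust_one_host, "15.45.127.200"))   # filter
```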
Connection-rate filtering 69