Access Security Guide K/KA/KB.15.15

Figure 33 Sample network
In the basic example, the administrator configured connection-rate blocking on port D2. However:
- The administrator has elevated the connection-rate sensitivity to high.
- The server at IP address 15.45.50.17 frequently transmits a relatively high rate of legitimate connection requests, which now triggers connection-rate blocking of the server's IP address on port D2. This causes periodic, unnecessary blocking of access to the server.
The administrator needs to maintain blocking protection from the "Company Intranet" while allowing
access to the server at 15.45.50.17. Because the server is carefully maintained as a trusted device,
the administrator's solution is to configure a connection-rate ACL that causes the switch to ignore
(circumvent) connection-rate filtering for inbound traffic from the server, while maintaining the
filtering for all other inbound traffic on port D2.
The configuration steps include:
1. Create the connection-rate ACL with a single entry:
   - Use the IP address of the desired server.
   - Include a CIDR notation of "32" for the ACL mask. (This mask matches only traffic whose source IP address (SA) exactly equals the specified IP address.)
   - The ACL will automatically include the implicit filter ACE as the last entry, which means that any traffic that is not from the desired server remains subject to filtering by the connection-rate policy configured on port D2.
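The following is an added configuration example, not taken from this guide, showing the single-entry ACL described in step 1 together with the port D2 policy it circumvents. The ACL name "crf-server-exempt" is an assumed value, and the command syntax is written from the switch CLI conventions as recalled; check it against the command reference for your software release.

```console
; Assumed global settings from the basic example: connection-rate filtering
; enabled at high sensitivity, with blocking applied on port D2.
switch(config)# connection-rate-filter sensitivity high
switch(config)# filter connection-rate d2 block

; Step 1: the connection-rate ACL with one explicit entry.
; The /32 mask matches only a source address of exactly 15.45.50.17;
; a wider mask (for example /24) would exempt the whole subnet, which is
; not what the scenario intends.
switch(config)# ip access-list connection-rate-filter crf-server-exempt
switch(config-crf-nacl)# ignore ip 15.45.50.17/32
; No "filter ip any" entry is typed: the implicit filter ACE is added
; automatically as the last entry, so every other source on port D2 stays
; under the port's connection-rate policy.
switch(config-crf-nacl)# exit

; Apply the ACL to the port where blocking is configured.
switch(config)# interface d2 ip access-group crf-server-exempt connection-rate-filter

; Verify the entry and the implicit ACE before trusting the exemption
; (show command name is an assumption; adjust to your release).
switch(config)# show access-list connection-rate-filter
```

Because "ignore" exempts the matched source from the connection-rate policy entirely, the exemption should be limited to hosts that are maintained and monitored as trusted devices, as the scenario states for this server.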
Configuring and applying connection-rate ACLs 63