Specifications

Sensitivity
How readily connection-rate filtering detects a relatively high rate of connection attempts from a given
source can be adjusted by changing the global sensitivity setting. The sensitivity can be set to low, medium,
high, or aggressive, as described below.
• Low: Sets the connection-rate sensitivity to the lowest possible sensitivity, which allows a mean of 54 routed
  destinations in less than 0.1 seconds, and a corresponding penalty time for Throttle mode (if configured) of
  less than 30 seconds.
• Medium: Sets the connection-rate sensitivity to allow a mean of 37 routed destinations in less than one
  second, and a corresponding penalty time for Throttle mode (if configured) between 30 and 60 seconds.
• High: Sets the connection-rate sensitivity to allow a mean of 22 routed destinations in less than one second,
  and a corresponding penalty time for Throttle mode (if configured) between 60 and 90 seconds.
• Aggressive: Sets the connection-rate sensitivity to the highest possible level, which allows a mean of 15 routed
  destinations in less than one second, and a corresponding penalty time for Throttle mode (if configured)
  between 90 and 120 seconds.
Connection-rate ACL
Connection-rate ACLs are used to exclude legitimate high-rate inbound traffic from the connection-rate filtering
policy. A connection-rate ACL, consisting of a series of access control entries, creates exceptions to these
per-port policies by creating special rules for individual hosts, groups of hosts, or entire subnets. Thus, the system
administrator can adjust a connection-rate filtering policy to create and apply an exception to configured filters
on the ports in a VLAN.
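The following Python sketch is an added example, not code from the switch or its vendor, that models how the four sensitivity levels and a connection-rate ACL exception interact on a flow log. It assumes the "mean" can be approximated by counting distinct destinations per source in a sliding window, uses the upper bound of each penalty range, and runs on constructed sample addresses.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# From the text: (routed destinations allowed, window in seconds,
# upper bound of the Throttle-mode penalty in seconds).
SENSITIVITY = {
    "low": (54, 0.1, 30),
    "medium": (37, 1.0, 60),
    "high": (22, 1.0, 90),
    "aggressive": (15, 1.0, 120),
}

def throttled_sources(events, level, exempt=()):
    """Return {source: time the penalty ends} for sources exceeding the level.

    events: (timestamp, src_ip, dst_ip) tuples sorted by timestamp.
    exempt: networks standing in for connection-rate ACL exceptions.
    Assumption: a sliding-window count of distinct destinations approximates
    the switch's behaviour; its real algorithm is not described on the page.
    """
    limit, window, penalty = SENSITIVITY[level]
    exempt_nets = [ip_network(n) for n in exempt]
    recent = defaultdict(deque)       # src -> deque of (timestamp, dst)
    blocked = {}                      # src -> time the penalty ends
    for ts, src, dst in events:
        if any(ip_address(src) in net for net in exempt_nets):
            continue                  # ACL exception: source is never filtered
        if blocked.get(src, 0) > ts:
            continue                  # source is still serving its penalty
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] >= window:  # drop entries that left the window
            q.popleft()
        if len({d for _, d in q}) > limit:
            blocked[src] = ts + penalty
            q.clear()
    return blocked

def sample_events():
    """Constructed sample: a scanning host, a busy server, and a normal host."""
    ev = []
    for i in range(40):               # 40 distinct destinations in 0.4 s
        ev.append((10.0 + i * 0.01, "10.1.10.66", f"10.2.0.{i + 1}"))
        ev.append((10.0 + i * 0.01, "10.1.20.5", f"10.3.0.{i + 1}"))
    for i in range(5):                # 5 destinations over 5 s
        ev.append((10.0 + i, "10.1.10.10", f"10.4.0.{i + 1}"))
    return sorted(ev)
```

On this sample the low setting flags nothing, medium flags both fast sources, and passing `exempt=["10.1.20.0/24"]` leaves only the scanning host throttled.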
Appendix E: VRRP
Virtual Router Redundancy Protocol (VRRP) is designed to eliminate the single point of failure inherent in the
static default routed environment. In a VRRP environment, two or more “virtual” routers cooperate to provide
a high-availability capability on a LAN. VRRP specifies an election protocol that dynamically assigns routing
responsibility to one of the virtual routers on a LAN.
A virtual router consists of a set of router interfaces on the same network that shares a virtual router identifier
(VRID) and a virtual IP address. One router in the group becomes the VRRP Master and the other routers are
designated as VRRP Backups. The VRRP Master controls the IP addresses associated with a virtual router.
The VRRP Master router periodically sends advertisements to a reserved multicast group address. The VRRP
Backup routers listen for advertisements and one of the backups will assume the Master role, if necessary. A
VRRP router can support many virtual router instances, each with a unique VRID/IP address combination. The
election process provides dynamic failover to one of the remaining VRRP Backups should the Master become
unavailable.
Figure E-1: VRRP example topology
[Figure: Router A and Router B connect a host (10.1.10.10/24, default gateway 10.1.10.1) to the intranet and/or Internet. Multiple router interfaces comprise a virtual router configured with a common virtual IP address: 10.1.10.1.]
• VRRP is an election protocol that dynamically assigns responsibility for a virtual router on a LAN
• Provides High Availability for a default gateway without the need to reconfigure end hosts