HP 5400zl Series - Response Options; Sensitivity; Connection-Rate ACL; Appendix G: VRRP

Response options

The response behavior of connection-rate filtering can be adjusted by using filtering options. When a worm-like behavior is detected, the connection-rate filter can respond to the threats on the port in the following ways:

- Notify only of potential attack: While the apparent attack continues, the switch generates an Event Log notice identifying the offending host source address (SA) and (if a trap receiver is configured on the switch) a similar SNMP trap notice.

- Notify and reduce spreading: In this case, the switch temporarily blocks inbound routed traffic from the offending host source address for a “penalty” period and generates an Event Log notice of this action and a similar SNMP trap notice if a trap receiver is configured on the switch. When the penalty period expires, the switch re-evaluates the routed traffic from the host and continues to block this traffic if the apparent attack continues. During the re-evaluation period, routed traffic from the host is allowed.

- Block spreading: This option blocks routing of the host’s traffic on the switch. When a block occurs, the switch generates an Event Log notice and a similar SNMP trap notice if a trap receiver is configured on the switch. Note that system personnel must explicitly re-enable a host that has been previously blocked.
Sensitivity

The ability of connection-rate filtering to detect relatively high instances of connection-rate attempts from a given source can be adjusted by changing the global sensitivity settings. The sensitivity can be set to low, medium, high, or aggressive as described below:

- Low: sets the connection-rate sensitivity to the lowest possible sensitivity, which allows a mean of 54 routed destinations in less than 0.1 seconds, and a corresponding penalty time for Throttle mode (if configured) of less than 30 seconds.

- Medium: sets the connection-rate sensitivity to allow a mean of 37 routed destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 30 and 60 seconds.

- High: sets the connection-rate sensitivity to allow a mean of 22 routed destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 60 and 90 seconds.

- Aggressive: sets the connection-rate sensitivity to the highest possible level, which allows a mean of 15 routed destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 90 and 120 seconds.
Connection-rate ACL

Connection-rate ACLs are used to exclude legitimate high-rate inbound traffic from the connection-rate filtering policy. A connection-rate ACL, consisting of a series of access control entries, creates exceptions to these per-port policies by creating special rules for individual hosts, groups of hosts, or entire subnets. Thus, the system administrator can adjust a connection-rate filtering policy to create and apply an exception to configured filters on the ports in a VLAN.
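The following is an added model of the three sections above (response options, sensitivity levels, and connection-rate ACL exceptions), written here for illustration; it is not HP's firmware logic. It assumes a host is flagged once it has been routed to more than the level's destination limit within the level's time window, and the penalty durations are constructed sample values taken from inside the ranges the manual states.

```python
from collections import defaultdict

# Sensitivity levels from the manual: (destination limit, window seconds, penalty seconds).
# Penalty values are constructed samples chosen inside the manual's stated ranges.
SENSITIVITY = {"low": (54, 0.1, 20), "medium": (37, 1.0, 45),
               "high": (22, 1.0, 75), "aggressive": (15, 1.0, 105)}

class ConnectionRateFilter:
    """One port's filter. Assumption: a host is flagged once it has been routed to
    more than `limit` distinct destinations within the last `window` seconds."""
    def __init__(self, sensitivity, mode, acl_exempt=()):
        self.limit, self.window, self.penalty = SENSITIVITY[sensitivity]
        self.mode = mode                   # "notify", "throttle" or "block"
        self.acl_exempt = set(acl_exempt)  # connection-rate ACL exceptions
        self.history = defaultdict(list)   # src -> [(time, dst)] of routed packets
        self.throttled = {}                # src -> time its penalty period expires
        self.blocked = set()               # dropped until an administrator re-enables
        self.events = []                   # Event Log / SNMP trap notices

    def offer(self, t, src, dst):
        """Return True if the routed packet is forwarded, False if it is dropped."""
        if src in self.acl_exempt:
            return True
        if src in self.blocked or t < self.throttled.get(src, -1.0):
            return False
        self.throttled.pop(src, None)      # penalty over: re-evaluate the host
        hist = self.history[src]
        hist[:] = [(ts, d) for ts, d in hist if t - ts < self.window] + [(t, dst)]
        distinct = len({d for _, d in hist})
        if distinct > self.limit:
            self.events.append(f"{t:.2f}s {src} reached {distinct} routed destinations")
            if self.mode == "throttle":
                self.throttled[src] = t + self.penalty
            if self.mode == "block":
                self.blocked.add(src)
            return self.mode == "notify"
        return True

    def reenable(self, src):               # system personnel must explicitly re-enable
        self.blocked.discard(src)

def simulate(sensitivity, mode, acl_exempt=()):
    """Constructed traffic: one client using 3 servers, one host sweeping 40 addresses in 0.4 s."""
    f = ConnectionRateFilter(sensitivity, mode, acl_exempt)
    forwarded = defaultdict(int)
    for i in range(40):
        t = (i + 1) * 0.01
        forwarded["10.0.0.5"] += f.offer(t, "10.0.0.5", f"10.0.1.{i + 1}")   # sweep
        forwarded["10.0.0.9"] += f.offer(t, "10.0.0.9", f"10.0.2.{i % 3 + 1}")  # client
    return dict(forwarded), f
```

At the aggressive level the sweeping host gets 15 packets through before throttle or block drops the rest, the normal client is untouched, and listing the host in the ACL exemptions forwards all 40 with no event logged.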
Appendix G: VRRP
Virtual Router Redundancy Protocol (VRRP) is designed to eliminate the single point of failure
inherent in the static default routed environment. In a VRRP environment, two or more “virtual”
routers cooperate to provide a high-availability capability on a LAN. VRRP specifies an election
protocol that dynamically assigns routing responsibility to one of the virtual routers on a LAN.
A virtual router consists of a set of router interfaces on the same network that share a virtual router
identifier (VRID) and a virtual IP address. One router in the group becomes the VRRP Master and the
other routers are designated as VRRP Backups. The VRRP Master controls the IP addresses associated
with a virtual router.