Virus Throttling (Connection-Rate Filtering)
Configuring and Applying Connection-Rate ACLs
Applying Connection-Rate ACLs
To apply a connection-rate ACL, use the access group command described 
below. Note that this command differs from the access group command for 
non-connection-rate ACLs.
Syntax: [no] vlan < vid > ip access-group < crf-list-name > connection-rate-filter

This command applies a connection-rate access control list
(ACL) to inbound traffic on ports in the specified VLAN that
are configured for connection-rate filtering. (A connection-rate
ACL does not apply to ports in the VLAN that are not
configured for connection-rate filtering.) The no form of the
command removes the connection-rate ACL assignment from
the VLAN.

Note: The switch allows only one connection-rate ACL assignment
per VLAN. If a connection-rate ACL is already assigned
to a VLAN and you assign another connection-rate ACL to that
VLAN, the second ACL overwrites the first one. (A connection-rate
ACL can be in addition to any standard or extended ACLs
already assigned to the VLAN.)

Using CIDR Notation To Enter the ACE Mask
You can use CIDR (Classless Inter-Domain Routing) notation to enter ACE
masks. The switch interprets the bits specified with CIDR notation as the IP
address bits in an ACE and the corresponding IP address bits in a packet. The
switch then converts the mask to inverse notation for ACE use.

Table 3-1. Examples of CIDR Notation for Masks

IP Address Used In an ACL
with CIDR Notation         Resulting ACL Mask  Meaning
10.38.240.125/15           0.1.255.255         The leftmost 15 bits must match; the remaining bits are wildcards.
10.38.240.125/20           0.0.15.255          The leftmost 20 bits must match; the remaining bits are wildcards.
10.38.240.125/21           0.0.7.255           The leftmost 21 bits must match; the remaining bits are wildcards.
10.38.240.125/24           0.0.0.255           The leftmost 24 bits must match; the remaining bits are wildcards.
10.38.240.125/32           0.0.0.0             All bits must match.
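
The CIDR-to-inverse-mask conversion in Table 3-1, worked through as an added example (this is not code from the switch or from this guide). It also shows how an inverse mask decides whether a packet address matches an ACE, which is useful for checking an entry before applying it. The function names are hypothetical, and the packet addresses in the demo are constructed.

```python
import ipaddress


def cidr_to_inverse_mask(prefix_len):
    """Return the inverse (wildcard) mask for a CIDR prefix length."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    # The rightmost (32 - prefix_len) bits are wildcards, so set them to 1.
    wildcard = (1 << (32 - prefix_len)) - 1
    return str(ipaddress.IPv4Address(wildcard))


def parse_ace_address(text):
    """Split 'a.b.c.d/n' into (address, inverse mask)."""
    addr, sep, prefix = text.partition("/")
    if not sep:
        raise ValueError(f"missing /prefix in {text!r}")
    ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
    return addr, cidr_to_inverse_mask(int(prefix))


def ace_matches(ace_addr, inverse_mask, packet_addr):
    """True if packet_addr equals ace_addr in every non-wildcard bit."""
    ace = int(ipaddress.IPv4Address(ace_addr))
    wild = int(ipaddress.IPv4Address(inverse_mask))
    pkt = int(ipaddress.IPv4Address(packet_addr))
    # XOR exposes differing bits; clear the wildcard bits and require zero.
    return ((ace ^ pkt) & ~wild & 0xFFFFFFFF) == 0


if __name__ == "__main__":
    # ACE addresses from Table 3-1.
    for entry in ("10.38.240.125/15", "10.38.240.125/20", "10.38.240.125/21",
                  "10.38.240.125/24", "10.38.240.125/32"):
        addr, mask = parse_ace_address(entry)
        print(f"{entry:<20} -> {addr} {mask}")

    # Constructed packet addresses tested against the /15 entry.
    addr, mask = parse_ace_address("10.38.240.125/15")
    for pkt in ("10.38.0.1", "10.39.200.7", "10.40.0.1"):
        print(pkt, "matches" if ace_matches(addr, mask, pkt) else "no match")
```

With a /15 entry, both 10.38.x.x and 10.39.x.x match, because the sixteenth bit falls inside the wildcard portion of the mask.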