DELL N3000 User Manual

Configuring Access Control Lists
interface te1/0/1
ip access-group rate-limit-www in
exit
Rate Limit In-Band Management Traffic
The following is an example of rate limiting in-band management traffic on 
an L2 switch. The first two rules rate limit Telnet and SSH (port 22) traffic for 
established connections. The third and fourth rules set specific limits for 
inbound Telnet and SSH connection requests. Setting the control-plane mode on 
the access group limits the rules to those packets forwarded to the CPU and 
does not affect packets transiting the switching silicon. Likewise, because this 
is internally an egress ACL, it rate limits packets egressing the silicon toward 
the CPU; it does not affect packets that are routed in software due to L3 table 
lookup failures, nor packets sent to the CPU via the system rules, as those are 
applied on ingress. The established-connection rate-limit parameters are 
1024 Kbits/second with a burst of 128 Kbytes. The non-established rate limits 
are 12 Kbytes/second with a 2 Kbyte burst.
ip access-list rate-limit-inband-mgmt
permit tcp any any eq telnet flag established rate-limit 1024 128
permit tcp any any eq 22 flag established rate-limit 1024 128
permit tcp any any eq telnet rate-limit 12 2
permit tcp any any eq 22 rate-limit 12 2
permit every
exit
ip access-group rate-limit-inband-mgmt control-plane
!
! Block fragmented traffic from being sent to the CPU.
!
ip access-list no-frag-inband-mgmt
deny tcp any any fragments
deny udp any any fragments
deny ip any any fragments
permit every
exit
ip access-group no-frag-inband-mgmt control-plane
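As an added illustration of the semantics described above (not code from the Dell manual), the following Python models first-match evaluation of the rate-limit-inband-mgmt list, with a token bucket per rate-limited rule. The Kbit/Kbyte unit conversion and the meaning of `flag established` (TCP ACK or RST bit set) are assumptions; the packets fed to it are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional

class TokenBucket:
    """Models the ACL 'rate-limit <rate> <burst>' action. Unit conversion is an
    assumption: rate Kbits/s -> bytes/s (x1000/8), burst Kbytes -> bytes (x1024)."""
    def __init__(self, kbits: int, kbytes: int):
        self.rate = kbits * 1000 / 8      # refill rate, bytes per second
        self.burst = kbytes * 1024        # bucket depth, bytes
        self.tokens = float(self.burst)   # bucket starts full
        self.last = 0.0                   # time of last packet seen
    def allow(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes > self.tokens:
            return False                  # out of profile: dropped
        self.tokens -= nbytes
        return True

@dataclass
class Rule:
    proto: Optional[str]                   # "tcp", or None for 'permit every'
    dport: Optional[int] = None
    established: bool = False              # assumed to mean TCP ACK or RST bit set
    bucket: Optional[TokenBucket] = None   # None: permit with no rate limit

def matches(r: Rule, p: dict) -> bool:
    if r.proto is not None and r.proto != p["proto"]:
        return False
    if r.dport is not None and p.get("dport") != r.dport:
        return False
    return not r.established or bool({"ACK", "RST"} & p.get("flags", set()))

def evaluate(acl: list, p: dict, now: float = 0.0) -> str:
    """First matching rule wins; falling off the end is an implicit deny."""
    for r in acl:
        if matches(r, p):
            if r.bucket and not r.bucket.allow(p["len"], now):
                return "drop"              # matched, but over the rate limit
            return "permit"
    return "deny"

def inband_mgmt_acl() -> list:
    """The page's rate-limit-inband-mgmt list, with fresh buckets on each call."""
    return [Rule("tcp", 23, True, TokenBucket(1024, 128)),
            Rule("tcp", 22, True, TokenBucket(1024, 128)),
            Rule("tcp", 23, bucket=TokenBucket(12, 2)),
            Rule("tcp", 22, bucket=TokenBucket(12, 2)),
            Rule(None)]
```

With 1500-byte packets, a burst of SSH SYNs arriving at once gets one permit and then drops until the 2 Kbyte bucket refills, while established SSH traffic draws on the much larger 128 Kbyte bucket; traffic that matches none of the first four rules falls through to `permit every` unlimited.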