Brocade Communications Systems 12.4.00a User Manual
ServerIron ADX Security Guide
53-1002440-03
Transaction Rate Limit (TRL)
Syntax: trl {default | { <client-IPv4> <client-mask> | <client-IPv6> <prefix> } {exclude | monitor-interval <monitor-value> conn-rate <connection-value> hold-down-time <hold-down-value>}}
default - Applies the default transaction rate limit parameters.
<client-IPv4> - Specifies the IPv4 client subnet; <client-mask> - Specifies the IPv4 client subnet mask.
<client-IPv6> - Specifies the IPv6 client subnet; <prefix> - Specifies the IPv6 prefix length (mask bits).
exclude - Excludes the specified subnet from transaction rate limiting.
monitor-interval - Specifies the time interval over which traffic is monitored, in units of 100 ms.
<monitor-value> - Specifies the value of the monitoring interval (number of 100 ms increments).
conn-rate - Specifies the connection rate threshold.
<connection-value> - Specifies the value of the connection rate threshold for the client.
hold-down-time - Specifies how long a source that exceeds the threshold is held down.
<hold-down-value> - Specifies the hold-down time in minutes.
Command modes
Global configuration mode.
Global TRL
If TRL per client subnet is not needed, Global TRL can be used to create a single configuration that applies to
all incoming traffic.
Use ip [tcp | udp | icmp] trans-rate to enable TRL on the ServerIron for TCP, UDP, or ICMP traffic. If
more than a specified number of packets per second arrive from the same IP address over a
specified interval, then all traffic from that IP address is held down for a specified number of
minutes.
Syntax: [no] ip [tcp | udp | icmp] trans-rate monitor-interval <interval> conn-rate <rate> hold-down-time <minutes>
monitor-interval <interval> Amount of time used to measure incoming traffic. This parameter is
specified in increments of 100 ms. For example, to measure traffic over a 1-second interval, you
would specify 10.
conn-rate <rate> Threshold for the number of connections per second from any one IP address.
Traffic exceeding this rate over the specified interval is subject to hold-down.
hold-down-time <minutes> Number of minutes that traffic from an IP address that has sent
packets at a rate higher than the configured threshold is held down.
Example
ServerIronADX(config)# ip tcp trans-rate monitor-interval 600 conn-rate 100 hold-down-time 5
This command configures the ServerIron to monitor incoming TCP traffic. If more than 100 TCP
connections per second arrive from the same IP address over a 60-second interval (600 x 100 ms),
then all TCP traffic from that IP address is held down for 5 minutes.
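The following is an added illustration, not code from the ServerIron ADX guide or from Brocade: a small Python model of the global TRL decision described above, so that the effect of the three parameters (monitor-interval in 100 ms units, conn-rate in connections per second, hold-down-time in minutes) can be seen on constructed traffic. The class name, the fixed-interval counting scheme and the sample source addresses are assumptions for the example; the ServerIron firmware's exact counting method is not documented on this page.

```python
from collections import defaultdict


class TransactionRateLimiter:
    """Constructed model (not Brocade firmware) of global TRL.

    monitor_interval: measurement interval in units of 100 ms (600 => 60 s)
    conn_rate: allowed connections per second from any one source
    hold_down_time: minutes a source stays held down once it exceeds the rate
    """

    def __init__(self, monitor_interval, conn_rate, hold_down_time):
        self.interval_s = monitor_interval / 10.0          # 100 ms units -> seconds
        self.max_per_interval = conn_rate * self.interval_s  # conn/s * s
        self.hold_down_s = hold_down_time * 60              # minutes -> seconds
        self.counts = defaultdict(int)  # src -> connections seen in current interval
        self.bucket = {}                # src -> index of the interval being counted
        self.held_until = {}            # src -> time (s) at which hold-down ends

    def admit(self, src, t):
        """Return True if a connection from src at time t (seconds) is allowed."""
        # Held-down sources are dropped until the hold-down expires.
        if src in self.held_until:
            if t < self.held_until[src]:
                return False
            del self.held_until[src]
        # Fixed measurement interval (assumed): reset the count on a new interval.
        idx = int(t // self.interval_s)
        if self.bucket.get(src) != idx:
            self.bucket[src] = idx
            self.counts[src] = 0
        self.counts[src] += 1
        # Once the count exceeds conn_rate * interval, the average over this
        # interval is already above conn_rate, so the source is held down.
        if self.counts[src] > self.max_per_interval:
            self.held_until[src] = t + self.hold_down_s
            self.counts[src] = 0
            return False
        return True

    def is_held(self, src, t):
        """True if src is currently held down at time t."""
        return src in self.held_until and t < self.held_until[src]


def simulate(limiter, events):
    """Feed constructed (src, time) connection events; return drops per source."""
    dropped = defaultdict(int)
    for src, t in events:
        if not limiter.admit(src, t):
            dropped[src] += 1
    return dict(dropped)


# Constructed sample traffic (not captured data): one well-behaved client
# and one source that floods connections.
EVENTS = []
# 203.0.113.10 opens 2 connections per second for 60 s: well under 100/s.
for i in range(120):
    EVENTS.append(("203.0.113.10", i * 0.5))
# 198.51.100.7 opens 7000 connections within the first 30 s of the 60 s
# interval, so its rate over the interval exceeds 100/s.
for i in range(7000):
    EVENTS.append(("198.51.100.7", i * 30.0 / 7000))
# The flooding source tries again 2 minutes later (still held down for 5 min)...
EVENTS.append(("198.51.100.7", 150.0))
# ...and again after the 5-minute hold-down has expired.
EVENTS.append(("198.51.100.7", 340.0))
EVENTS.sort(key=lambda e: e[1])

if __name__ == "__main__":
    # Same values as the guide's example command:
    # ip tcp trans-rate monitor-interval 600 conn-rate 100 hold-down-time 5
    trl = TransactionRateLimiter(monitor_interval=600, conn_rate=100, hold_down_time=5)
    print(simulate(trl, EVENTS))
```

With the guide's values the model admits the first 6000 connections from the flooding source (100/s x 60 s), holds the source down at the 6001st, drops the rest of its burst and the retry at 150 s, and admits the retry at 340 s once the 5-minute hold-down has lapsed; the 2/s client is never affected. The point for a defender is that conn-rate is averaged over the whole monitor-interval, so a short interval reacts faster to a burst while a long interval tolerates brief spikes from legitimate clients.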
To apply TRL to TCP traffic coming into port 80 on interface 1/1.