HP (Hewlett-Packard) 6600 SERIES Switch User Manual
Response options
The response behavior of connection-rate filtering can be adjusted by using filtering options. When a worm-like
behavior is detected, the connection-rate filter can respond to the threats on the port in the following ways:
• Notify only of potential attack: While the apparent attack continues, the switch generates an Event Log notice
identifying the offending host source address (SA) and (if a trap receiver is configured on the switch) a similar
SNMP trap notice.
• Notify and reduce spreading: In this case, the switch temporarily blocks inbound routed traffic from the
offending host source address for a “penalty” period, and generates an Event Log notice of this action and
a similar SNMP trap notice if a trap receiver is configured on the switch. When the penalty period expires,
the switch reevaluates the routed traffic from the host and continues to block this traffic if the apparent attack
continues. During the reevaluation period, routed traffic from the host is allowed.
• Block spreading: This option blocks routing of the host’s traffic on the switch. When a block occurs, the switch
generates an Event Log notice and a similar SNMP trap notice if a trap receiver is configured on the switch.
Note that system personnel must explicitly re-enable a host that has been previously blocked.
Sensitivity
The ability of connection-rate filtering to detect relatively high instances of connection-rate attempts from a given
source can be adjusted by changing the global sensitivity settings. The sensitivity can be set to low, medium,
high, or aggressive, as described below.
• Low: Sets the connection-rate sensitivity to the lowest possible sensitivity, which allows a mean of 54 routed
destinations in less than 0.1 seconds, and a corresponding penalty time for Throttle mode (if configured) of
less than 30 seconds.
• Medium: Sets the connection-rate sensitivity to allow a mean of 37 routed destinations in less than one
second, and a corresponding penalty time for Throttle mode (if configured) between 30 and 60 seconds.
• High: Sets the connection-rate sensitivity to allow a mean of 22 routed destinations in less than one second,
and a corresponding penalty time for Throttle mode (if configured) between 60 and 90 seconds.
• Aggressive: Sets the connection-rate sensitivity to the highest possible level, which allows a mean of 15 routed
destinations in less than one second, and a corresponding penalty time for Throttle mode (if configured)
between 90 and 120 seconds.
Connection-rate ACL
Connection-rate ACLs are used to exclude legitimate high-rate inbound traffic from the connection-rate filtering
policy. A connection-rate ACL, consisting of a series of access control entries, creates exceptions to these per-
port policies by creating special rules for individual hosts, groups of hosts, or entire subnets. Thus, the system
administrator can adjust a connection-rate filtering policy to create and apply an exception to configured filters
on the ports in a VLAN.
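The following model ties the three preceding sections together (response options, sensitivity, and the connection-rate ACL exception). It is an added example, not HP's firmware logic: the manual does not publish the switch's actual algorithm, so "a mean of N routed destinations in less than T seconds" is modelled as "more than N distinct destinations from one source inside a T-second sliding window". The N and T figures are the ones the manual states; the throttle penalty durations (30, 60, 90, 120 s) are an assumption taken from the top of each stated range, and the host addresses, the `ConnectionRateFilter` class and the `run` helper are constructed for the demonstration.

```python
"""Toy model of connection-rate filtering as described in the HP 6600 manual.

Added example, not HP's implementation. Thresholds come from the manual's
sensitivity table; penalty durations are assumed (top of each stated range).
"""
from collections import defaultdict, deque
import ipaddress

# sensitivity -> (max distinct destinations, window seconds, throttle penalty seconds)
SENSITIVITY = {
    "low":        (54, 0.1, 30),
    "medium":     (37, 1.0, 60),
    "high":       (22, 1.0, 90),
    "aggressive": (15, 1.0, 120),
}


class ConnectionRateFilter:
    def __init__(self, sensitivity="medium", mode="throttle", exempt=()):
        self.max_dests, self.window, self.penalty = SENSITIVITY[sensitivity]
        self.mode = mode                      # "notify-only" | "throttle" | "block"
        # connection-rate ACL stand-in: sources in these networks are never filtered
        self.exempt = [ipaddress.ip_network(n) for n in exempt]
        self.recent = defaultdict(deque)      # src -> (ts, dst) seen inside the window
        self.throttled_until = {}             # src -> time its penalty period expires
        self.blocked = set()                  # sources that need an explicit unblock
        self.notified_at = {}                 # src -> time of last notify-only notice
        self.events = []                      # stand-in for the Event Log / SNMP trap

    def observe(self, ts, src, dst):
        """Return "forward" or "drop" for one routed packet from src to dst at time ts."""
        if any(ipaddress.ip_address(src) in n for n in self.exempt):
            return "forward"
        if src in self.blocked:
            return "drop"
        until = self.throttled_until.get(src)
        if until is not None:
            if ts < until:
                return "drop"
            # penalty expired: reevaluate the host from a clean window
            del self.throttled_until[src]
            self.recent[src].clear()
        q = self.recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] >= self.window:
            q.popleft()
        if len({d for _, d in q}) > self.max_dests:
            return self._react(ts, src)
        return "forward"

    def _react(self, ts, src):
        if self.mode == "notify-only":
            # one notice per window rather than one per packet; traffic keeps flowing
            if ts - self.notified_at.get(src, -self.window) >= self.window:
                self.notified_at[src] = ts
                self.events.append((ts, "notify", src))
            return "forward"
        if self.mode == "throttle":
            self.throttled_until[src] = ts + self.penalty
            self.recent[src].clear()
            self.events.append((ts, "throttle", src))
        else:
            self.blocked.add(src)
            self.events.append((ts, "block", src))
        return "drop"

    def unblock(self, src):
        """Operator action: the manual says blocked hosts must be re-enabled explicitly."""
        self.blocked.discard(src)


def worm_like(src, n, start=0.0, step=0.01):
    """Constructed traffic: one source touching n distinct destinations, 10 ms apart."""
    return [(start + i * step, src, f"10.1.{i // 250}.{i % 250 + 1}") for i in range(n)]


# constructed sample: a scanning host, a normal host, and a server exempted by "ACL"
SAMPLE_RECORDS = sorted(
    worm_like("10.0.0.5", 40)
    + [(0.005 + i * 0.05, "10.0.0.7", f"10.1.0.{i + 1}") for i in range(5)]
    + worm_like("10.0.9.9", 40)
)


def run(records, sensitivity, mode, exempt=("10.0.9.0/24",)):
    """Replay records through one filter; return (decision counts, events, filter)."""
    f = ConnectionRateFilter(sensitivity, mode, exempt)
    decisions = [f.observe(ts, s, d) for ts, s, d in records]
    counts = {"forward": decisions.count("forward"), "drop": decisions.count("drop")}
    return counts, f.events, f


if __name__ == "__main__":
    for sens in SENSITIVITY:
        counts, events, _ = run(SAMPLE_RECORDS, sens, "throttle")
        print(sens, counts, [e[1:] for e in events])
```

Running it shows why sensitivity is a tuning decision: the same 40-destination burst passes untouched at `low` (the 0.1-second window never accumulates 54 destinations), is throttled after 37 destinations at `medium`, and after only 15 at `aggressive`, while the exempt server in 10.0.9.0/24 is never counted at all, which is exactly the exception a connection-rate ACL exists to express.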
Appendix E: VRRP
Virtual Router Redundancy Protocol (VRRP) is designed to eliminate the single point of failure inherent in the
static default routed environment. In a VRRP environment, two or more “virtual” routers cooperate to provide
a high availability capability on a LAN. VRRP specifies an election protocol that dynamically assigns routing
responsibility to one of the virtual routers on a LAN.
A virtual router consists of a set of router interfaces on the same network that shares a virtual router identifier
(VRID) and a virtual IP address. One router in the group becomes the VRRP Master and the other routers are
designated as VRRP Backups. The VRRP Master controls the IP addresses associated with a virtual router.
The VRRP Master router periodically sends advertisements to a reserved multicast group address. The VRRP
Backup routers listen for advertisements and one of the backups will assume the Master role, if necessary.
A VRRP router can support many virtual router instances, each with a unique VRID/IP address combination. The
election process provides dynamic failover to one of the remaining VRRP Backups should the Master become
unavailable.
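The election and failover described above, as an added example that is not part of the manual and not HP's VRRP code. The manual only names the roles (a Master that advertises, Backups that listen and take over); the priority values and the timer formulas used here are taken from RFC 3768 (Skew_Time = (256 - Priority)/256, Master_Down_Interval = 3 x Advertisement_Interval + Skew_Time), preemption is assumed to be enabled, and advertisements are handed between objects in-process rather than sent to the VRRP multicast group (224.0.0.18). Router names, VRID 10 and the failure times are constructed.

```python
"""Toy VRRP master election on one LAN (added example; timers from RFC 3768)."""
from dataclasses import dataclass


@dataclass
class Advertisement:
    vrid: int
    priority: int
    sender: str


class VrrpRouter:
    def __init__(self, name, vrid, priority, advert_interval=1.0):
        self.name, self.vrid, self.priority = name, vrid, priority
        self.advert_interval = advert_interval
        # RFC 3768: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time
        self.master_down_interval = 3 * advert_interval + (256 - priority) / 256
        self.up = True
        # priority 255 marks the owner of the virtual IP address: it starts as Master
        self.state = "Master" if priority == 255 else "Backup"
        self.next_advert_at = 0.0
        self.master_down_at = self.master_down_interval
        self.transitions = []          # (time, old state, new state)

    def _become(self, state, now):
        self.transitions.append((now, self.state, state))
        self.state = state

    def tick(self, now):
        """Run the timers; return an Advertisement to multicast, or None."""
        if not self.up:
            return None
        if self.state == "Backup" and now >= self.master_down_at:
            self._become("Master", now)   # Master_Down_Timer fired: assume the role
            self.next_advert_at = now
        if self.state == "Master" and now >= self.next_advert_at:
            self.next_advert_at = now + self.advert_interval
            return Advertisement(self.vrid, self.priority, self.name)
        return None

    def receive(self, now, adv):
        if not self.up or adv.vrid != self.vrid or adv.sender == self.name:
            return
        if self.state == "Backup":
            if adv.priority >= self.priority:
                self.master_down_at = now + self.master_down_interval
            # a lower-priority Master is ignored: our timer expires and we preempt it
        elif adv.priority > self.priority:
            self._become("Backup", now)   # a higher-priority router preempts us
            self.master_down_at = now + self.master_down_interval

    def fail(self, now):
        self.up = False
        self.transitions.append((now, self.state, "Down"))

    def recover(self, now):
        self.up = True
        self.state = "Master" if self.priority == 255 else "Backup"
        self.next_advert_at = now
        self.master_down_at = now + self.master_down_interval
        self.transitions.append((now, "Down", self.state))


def simulate(routers, events, duration, step=0.1):
    """Drive the routers on one LAN; events maps time -> [(name, "fail"|"recover")].
    Returns [(time, [names of up routers in Master state])], one entry per change."""
    by_name = {r.name: r for r in routers}
    history = []
    for i in range(int(round(duration / step)) + 1):
        now = round(i * step, 3)
        for name, action in events.get(now, []):
            getattr(by_name[name], action)(now)
        adverts = [adv for r in routers if (adv := r.tick(now)) is not None]
        for adv in adverts:           # "multicast" to every router on the LAN
            for r in routers:
                r.receive(now, adv)
        masters = [r.name for r in routers if r.up and r.state == "Master"]
        if not history or history[-1][1] != masters:
            history.append((now, masters))
    return history


def failover_demo():
    """Constructed scenario: the address owner dies at t=5 s and returns at t=15 s."""
    routers = [VrrpRouter("R1", 10, 255), VrrpRouter("R2", 10, 200), VrrpRouter("R3", 10, 100)]
    return simulate(routers, {5.0: [("R1", "fail")], 15.0: [("R1", "recover")]}, 20.0)


if __name__ == "__main__":
    for t, masters in failover_demo():
        print(f"t={t:5.1f}s  Master: {masters or 'none'}")
```

The history makes the failover window visible: after R1's last advertisement at t=4 s the LAN has no Master until R2's Master_Down_Timer fires at about t=7.3 s, so the virtual IP is unreachable for roughly 3 seconds at a 1-second advertisement interval. R3, with the lower priority, keeps resetting its timer on R2's advertisements and never takes over, and when R1 returns its higher priority preempts R2 on the first advertisement.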