Response options

The response behavior of connection-rate filtering can be adjusted by using filtering options. When a worm-like behavior is detected, the connection-rate filter can respond to the threats on the port in the following ways:

Notify only of potential attack: While the apparent attack continues, the switch generates an Event Log notice identifying the offending host source address (SA) and (if a trap receiver is configured on the switch) a similar SNMP trap notice.

Notify and reduce spreading: In this case, the switch temporarily blocks inbound routed traffic from the offending host source address for a “penalty” period and generates an Event Log notice of this action and a similar SNMP trap notice if a trap receiver is configured on the switch. When the penalty period expires, the switch re-evaluates the routed traffic from the host and continues to block this traffic if the apparent attack continues. During the re-evaluation period, routed traffic from the host is allowed.

Block spreading: This option blocks routing of the host’s traffic on the switch. When a block occurs, the switch generates an Event Log notice and a similar SNMP trap notice if a trap receiver is configured on the switch. Note that system personnel must explicitly re-enable a host that has been previously blocked.

Sensitivity

How readily connection-rate filtering flags a high rate of connection attempts from a given source is controlled by the global sensitivity setting. The sensitivity can be set to low, medium, high, or aggressive as described below:

Low: sets the connection-rate sensitivity to the lowest possible sensitivity, which allows a mean of 54 routed destinations in less than 0.1 seconds, and a corresponding penalty time for Throttle mode (if configured) of less than 30 seconds

Medium: sets the connection-rate sensitivity to allow a mean of 37 routed destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 30 and 60 seconds

High: sets the connection-rate sensitivity to allow a mean of 22 routed destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 60 and 90 seconds

Aggressive: sets the connection-rate sensitivity to the highest possible level, which allows a mean of 15 routed destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 90 and 120 seconds

Connection-rate ACL

Connection-rate ACLs are used to exclude legitimate high-rate inbound traffic (for example, a vulnerability scanner or a monitoring server) from the connection-rate filtering policy. A connection-rate ACL, consisting of a series of access control entries, creates exceptions to the per-port policies by defining special rules for individual hosts, groups of hosts, or entire subnets. Thus, the system administrator can adjust a connection-rate filtering policy to create and apply an exception to the configured filters on the ports in a VLAN.
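The following Python model is an added illustration of the behavior described in the three sections above; it is not the switch's own code or anything from the vendor documentation. It ties together the sensitivity table, the three response modes and the ACL exceptions over a constructed traffic trace. Assumptions made here: "allows a mean of N routed destinations in less than T seconds" is modeled as a sliding window of T seconds in which more than N distinct destinations from one source counts as worm-like; the throttle penalty uses the top of each range quoted in the text; and ACL entries are (action, network) pairs where "ignore" exempts a source and "filter" keeps it subject to the policy, first match winning. The host addresses and packet timings are constructed sample input.

```python
"""Model of connection-rate filtering: per-source fan-out detection, the
three response modes (notify-only, throttle, block) and ACL exceptions.
Added illustration; this is not the switch's own implementation."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Sensitivity profiles from the table above: (distinct routed destinations
# tolerated inside the window, window length in seconds, throttle penalty in
# seconds). The text quotes penalty ranges; taking the top of each range is
# an assumption made here.
SENSITIVITY = {
    "low":        (54, 0.1, 30.0),
    "medium":     (37, 1.0, 60.0),
    "high":       (22, 1.0, 90.0),
    "aggressive": (15, 1.0, 120.0),
}


class ConnectionRateFilter:
    def __init__(self, sensitivity="medium", mode="throttle", acl=()):
        if mode not in ("notify-only", "throttle", "block"):
            raise ValueError(mode)
        self.limit, self.window, self.penalty = SENSITIVITY[sensitivity]
        self.mode = mode
        # ACL entries are ordered (action, network) pairs; "ignore" exempts a
        # source from the policy, "filter" keeps it subject to the policy.
        # First match wins (assumed semantics, modelled on the text).
        self.acl = [(action, ip_network(net)) for action, net in acl]
        self.history = defaultdict(deque)  # src -> deque of (time, dst)
        self.throttled_until = {}          # src -> time the penalty ends
        self.blocked = set()               # srcs that need manual re-enable
        self.log = []                      # Event Log / SNMP trap notices

    def _exempt(self, src):
        addr = ip_address(src)
        for action, net in self.acl:
            if addr in net:
                return action == "ignore"
        return False

    def _fanout_exceeded(self, src, dst, now):
        # Sliding window over the most recent `window` seconds; more distinct
        # destinations than the profile tolerates counts as worm-like here.
        hist = self.history[src]
        hist.append((now, dst))
        while hist and now - hist[0][0] > self.window:
            hist.popleft()
        return len({d for _, d in hist}) > self.limit

    def observe(self, src, dst, now):
        """Process one inbound routed packet; return 'forward' or 'drop'."""
        if self._exempt(src):
            return "forward"
        if src in self.blocked:
            return "drop"                  # stays blocked until unblock()
        end = self.throttled_until.get(src)
        if end is not None:
            if now < end:
                return "drop"              # inside the penalty period
            del self.throttled_until[src]  # penalty over: re-evaluate afresh
            self.history[src].clear()
        if not self._fanout_exceeded(src, dst, now):
            return "forward"
        if self.mode == "notify-only":
            self.log.append(f"notify: host {src} connection rate too high")
            return "forward"
        if self.mode == "throttle":
            self.throttled_until[src] = now + self.penalty
            self.log.append(f"throttle: host {src} for {self.penalty:.0f}s")
            return "drop"
        self.blocked.add(src)
        self.log.append(f"block: host {src} routing blocked")
        return "drop"

    def unblock(self, src):
        """Operator action required to recover a host in block mode."""
        self.blocked.discard(src)
        self.log.append(f"unblock: host {src} re-enabled")


def run_scenario(mode, sensitivity="aggressive", acl=()):
    """Constructed traffic: 10.0.0.5 sweeps 20 distinct hosts in 0.5 s, then
    talks to one more host 200 s later (after any throttle penalty)."""
    f = ConnectionRateFilter(sensitivity, mode, acl)
    burst = [f.observe("10.0.0.5", f"10.1.0.{i}", 0.025 * i) for i in range(20)]
    later = f.observe("10.0.0.5", "10.1.0.99", 200.0)
    return f, burst.count("forward"), later


if __name__ == "__main__":
    for mode in ("notify-only", "throttle", "block"):
        f, forwarded, later = run_scenario(mode)
        print(mode, forwarded, later, f.log)
```

Running the three modes against the same sweep shows the practical difference: notify-only forwards everything and keeps logging while the sweep continues; throttle drops the rest of the burst, then forwards the packet sent after the penalty because the host is re-evaluated from a clean window; block keeps dropping until an operator calls unblock(). Adding an ACL entry of ("ignore", "10.0.0.0/24") exempts the scanning host entirely, which is exactly why such exceptions should be scoped to the specific legitimate high-rate hosts rather than whole subnets.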

Appendix G: VRRP

Virtual Router Redundancy Protocol (VRRP) is designed to eliminate the single point of failure inherent in an environment where hosts rely on a single statically configured default gateway. In a VRRP environment, two or more physical routers cooperate to present a single “virtual” router, providing a high-availability default gateway on a LAN. VRRP specifies an election protocol that dynamically assigns routing responsibility for the virtual router to one of the participating routers on the LAN.

A virtual router consists of a set of router interfaces on the same network that share a virtual router identifier (VRID) and a virtual IP address. One router in the group becomes the VRRP Master and the other routers are designated as VRRP Backups. The VRRP Master controls the IP addresses associated with a virtual router.
