Request limit configuration examples

 

·     Introduction

·     Prerequisites

·     Example: Configuring request limits for public network protection

·     Example: Configuring request limits for internal network protection

 

The following information provides request limit configuration examples.

The request limit feature can limit the new connection establishment rate on the device. It can be used to prevent DDoS attacks from decreasing the device performance.

The device can use request limits to protect the public network or internal network:

·     Public network protection—Limits the rate of connection establishment requests from the public network to the internal network. The device monitors the number of connection establishment requests based on the destination IP address of packets. If the number reaches the connection rate threshold, the device will take the specified action on subsequent packets.

·     Internal network protection—Limits the rate of connection establishment requests from the internal network to the public network. The device monitors the number of connection establishment requests based on the source IP address of packets. If the number reaches the connection rate threshold, the device will take the specified action on subsequent packets.

 

This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of the connection limit feature.

Network configuration

As shown in Figure 1, configure request limits for public network protection on the device to limit the rate to 10 for connection requests from the public network to each internal server.

Figure 1 Network diagram

 

Software versions used

This configuration example was created and verified on E8371 of the F5000-AI160 device and E9671 of the M9000-X06 device.

Procedure

Assigning IP addresses to interfaces and adding the interfaces to security zones

# On the top navigation bar, click Network.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

1.     Select the Trust security zone.

2.     Click the IPv4 Address tab, and then enter the IP address and mask of the interface. In this example, enter 10.0.0.1/24.

3.     Use the default settings for other parameters.

4.     Click OK.

# Add GE 1/0/2 to the Trust security zone and set its IP address to 192.168.1.1/24 in the same way you configure GE 1/0/1.

Configuring a security policy

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create > Create a policy.

# Configure security policy Secpolicy:

·     Enter security policy name trust-local.

·     Select source security zone Untrust.

·     Select destination security zone Trust.

·     Select type IPv4.

·     Select action Permit.

·     Set destination IPv4 addresses to 192.168.1.10, 192.168.1.11, and 192.168.1.12.

·     Use the default settings for other parameters.

# Click OK.

Configuring request limits

# On the top navigation bar, click Policies.

# From the navigation pane, select Attack Defense > Request Limit.

# Configure the following request limit parameters:

·     Select IP type IPv4.

·     Select action Packet dropping.

·     Select public network interface GE1/0/1.

·     Set the connection rate threshold to 10.

Figure 2 Configuring request limits

 

Verifying the configuration

# Verify that each internal server can receive a maximum of 10 connection requests from the external network.

Network configuration

As shown in Figure 3, configure request limits for internal network protection on the device to limit the rate to 10 for connection requests  initiated from each internal server to the public network.

Figure 3 Network diagram

 

Software versions used

This configuration example was created and verified on E8371 of the F5000-AI160 device and E9671 of the M9000-X06 device.

Procedure

Assigning IP addresses to interfaces and adding the interfaces to security zones

# On the top navigation bar, click Network.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

1.     Select the Trust security zone.

2.     Click the IPv4 Address tab, and then enter the IP address and mask of the interface. In this example, enter 10.0.0.1/24.

3.     Use the default settings for other parameters.

4.     Click OK.

# Add GE 1/0/2 to the Trust security zone and set its IP address to 192.168.1.1/24 in the same way you configure GE 1/0/1.

Configuring a security policy

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create > Create a policy.

# Configure security policy Secpolicy:

·     Enter security policy name trust-local.

·     Select source security zone Untrust.

·     Select destination security zone Trust.

·     Select type IPv4.

·     Select action Permit.

·     Set destination IPv4 addresses to 192.168.1.10, 192.168.1.11, and 192.168.1.12.

·     Use the default settings for other parameters.

# Click OK.

Configuring request limits

# On the top navigation bar, click Policies.

# From the navigation pane, select Attack Defense > Request Limit.

# Click the Internal Network Protection tab.

# Configure the following request limit parameters:

·     Select IP type IPv4.

·     Select action Packet dropping.

·     Select internal network interface GE1/0/2.

·     Set the connection rate threshold to 10.

Figure 4 Configuring request limits

 

Verifying the configuration

# Verify that each internal server can initiate a maximum of 10 connections to the external network.