Nortel Networks WEB OS 212777 User Manual

Web OS 10.0 Application Guide, Chapter 7: Filtering (212777-A, February 2002)

TCP Rate Limiting Filter Based on Source IP Address

This example shows how to define a filter that limits clients with IP address 30.30.30.x to 150
TCP connections per second. Once a user exceeds that limit, they are not allowed any new
TCP connections for 10 minutes.

Configure the following on the switch:

  - fastage and slowage are left at their default values: fastage = 0 (1 second), slowage = 0 (2 minutes).
  - Time window = timewin x fastage = 1 x 1 second = 1 second
  - Hold down time = holddur x slowage = 5 x 2 minutes = 10 minutes
  - Max rate = maxconn / time window = 150 connections / 1 second = 150 connections per second

Any client with source IP address equal to 30.30.30.x is allowed to make 150 new TCP connections per second to any single destination. When the rate limit of 150 is met, the hold down time takes effect and the client is not allowed to make any new TCP connections to the same destination for 10 minutes.

    >> # /cfg/slb/filt 100/ena               (Enable the filter)
    >> Filter 100 # sip 30.30.30.0            (Specify the source IP address)
    >> Filter 100 # smask 255.255.255.0       (Specify the source IP address mask)
    >> Filter 100 # adv/tcp                   (Select the advanced filter menu)
    >> TCP advanced# tcplim en                (Enable TCP rate limiting)
    >> TCP advanced# maxconn 15               (Specify the maximum connections, in units of 10)
    >> TCP advanced# /cfg/slb/adv             (Select the Layer 4 advanced menu)
    >> Layer 4 Advanced # timewin 1           (Set the time window for the session)
    >> Layer 4 Advanced # holddur 5           (Set the hold duration for the session)

Note that maxconn is entered in units of 10 connections: the value 15 above is what produces the 150 connections per second computed earlier, so entering 150 would configure a limit ten times larger than intended. Note also where the parameters live: tcplim and maxconn are set per filter under the filter's advanced TCP menu, while timewin and holddur are set under /cfg/slb/adv and therefore apply to every filter that has TCP rate limiting enabled. This page shows only the filter definition; as with any other Web OS filter, filter 100 takes effect only after it is added to a port with filtering enabled and the configuration is applied.