Brocade Virtual ADX Graphical User Interface Guide (Supporting ADX v03.1.00) User Manual
53-1003242-01
Content switching
TABLE 25 Protocol settings (Continued)

Protocol: DNS

Function: Allows the ADX device to provide DNS attack protection to VIP traffic. This protection is provided by performing a deep packet scan and then classifying DNS requests based on the query type, query name, RD flag or the DNSSEC “OK” bit in the EDNS0 header. Based on this classification, the following actions can be taken either individually or in combination: forward traffic to a specific server group, drop packets, log events or rate limit DNS traffic from the identified client.

Your Action: Under Rule-Action List, select a rule name from the Rule Name list and click one of the following options for Action:
• Redirect: Allows the ADX device to redirect any packets that match the filter to a server or server group. Select one of the following options:
  - Group ID: Enter the server group ID. The range is from 0 through 1023.
  - Server ID: Enter the real server ID. The range is from 1024 through 2047.
• Rate: Allows the ADX device to rate limit packets that match the filter, based on the following values:
  - Monitor Interval: Enter the monitoring window in units of 100 ms.
  - Hold-down Period: Enter the length of the hold-down period in minutes.
  - Connection Rate: Enter a threshold for the number of global TCP connections per second that are expected on the device.
• Drop: Directs the device to drop any packets that match the filter.

Protocol: Other Protocols

Function: Allows the device to make a load balancing decision based on the traffic of other protocols.

Your Action: Under the Rule-Action List, select the rule name from the Rule Name list and select one of the options from the Action list:
• Begin Delimiter: Sets this rule as the beginning delimiter.
• End Delimiter: Sets this rule as the ending delimiter.
• Forward: Allows the device to forward packets that match a specified rule to a specified real server or server group:
  - Group ID: Enter the server group ID. The range is from 0 through 1023.
  - Server ID: Enter the real server ID. The range is from 1024 through 2047.
• Persist: Allows the device to send requests with similar content to the same server when the specified rule is matched. When a rule is matched, the device uses the content that matched the rule to select a server or server group to send the packet to. Provide the following information:
  - Offset: Enter the offset in bytes from the end of the matched string.
  - Length: Enter the length of the persist string in bytes.
  - End Delimiter: Enter the substring with which the persist string ends.
  - Persist Hash to Bucket: Select the check box to hash the persist string to a hashing bucket.
• Goto: Allows the matched pattern to be forwarded to another policy as input and an evaluation to be performed. Provide the following information:
  - Go to this policy: Select the request policy from the list.
• Reset-Client: Allows the device to send a TCP reset to the client, which abruptly terminates the connection.
• Rewrite: Allows the device to rewrite the matched string with a pattern that you specify.
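
The DNS row above classifies requests on four fields: query type, query name, the RD flag and the DNSSEC “OK” (DO) bit in the EDNS0 header. The following Python is an added example, not Brocade's implementation; it shows where those fields sit in a DNS query on the wire and how a rule list can map them to the Redirect, Rate and Drop actions. The function names, the rule set and the sample packet are constructed assumptions.

```python
import struct

QTYPES = {1: "A", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}  # small subset

def _read_name(msg, off):
    """Return (dotted name, offset after it); compression pointers are rejected."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) or ".", off + 1
        if n & 0xC0:
            raise ValueError("compressed or invalid label")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace").lower())
        off += 1 + n

def classify(msg):
    """Extract query type, query name, RD flag and EDNS0 DO bit from a DNS query."""
    try:
        _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        if flags & 0x8000 or qd != 1:
            raise ValueError("not a single-question query")
        qname, off = _read_name(msg, 12)
        qtype, _qclass = struct.unpack_from("!2H", msg, off)
        off, do = off + 4, False
        for _ in range(an + ns + ar):  # walk records to find the OPT pseudo-RR
            _name, off = _read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if off > len(msg):
                raise ValueError("record overruns message")
            if rtype == 41:  # OPT: DO is the top bit of the low 16 bits of the TTL field
                do = bool(ttl & 0x8000)
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated DNS message") from exc
    return {"qtype": QTYPES.get(qtype, str(qtype)), "qname": qname,
            "rd": bool(flags & 0x0100), "do": do}

# Constructed policy (assumption, first match wins); action names follow the page.
RULES = [(lambda q: q["qtype"] == "ANY", "drop"),
         (lambda q: q["do"], "rate")]

def action(msg):
    q = classify(msg)
    return next((act for match, act in RULES if match(q)), "redirect")

# Constructed sample: RD=1, question example.com/ANY, one OPT record with DO=1.
SAMPLE = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01"
          b"\x07example\x03com\x00\x00\xff\x00\x01"
          b"\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x00")
```

Malformed or truncated input raises ValueError rather than yielding a partial classification, so a caller has to decide explicitly what happens to packets that cannot be classified.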