Using an ACL in a connection-rate configuration example

This example adds connection-rate ACLs to the example in Viewing the connection-rate configuration .

Sample network
In the basic example, the administrator configured connection-rate blocking on port D2. However:
  • The administrator has elevated the connection-rate sensitivity to high.

  • The server at IP address frequently transmits a relatively high rate of legitimate connection requests, which now triggers connection-rate blocking of the server's IP address on port D2. This causes periodic, unnecessary blocking of access to the server.

The administrator needs to maintain blocking protection from the "Company Intranet" while allowing access to the server at Because the server is carefully maintained as a trusted device, the administrator's solution is to configure a connection-rate ACL that causes the switch to ignore (circumvent) connection-rate filtering for inbound traffic from the server, while maintaining the filtering for all other inbound traffic on port D2.

The configuration steps include:

  1. Create the connection-rate ACL with a single entry:
    1. Use the IP address of the desired server.
    2. Include a CIDR notation of "32" for the ACL mask. (Which means the mask allows only traffic whose source IP address (SA) exactly matches the specified IP address.)
    3. The ACL automatically includes the implicit

      ACE as the last entry, which means that any traffic that is not from the desired server is subject to filtering by the connection-rate policy configured on port D2.

  2. Assigning the ACL to the VLAN through which traffic from the server enters the switch.
    Creating and assigning a connection rate ACL
    Example of switch configuration display with a connection-rate ACL