Configuring connection-rate filtering for low risk networks

As stated earlier, connection-rate filtering is triggered only by inbound IP traffic generating a relatively high number of new IP connection requests from the same host.

  1. Enable notify-only mode on the ports you want to monitor.
  2. Set global sensitivity to low.
  3. If SNMP trap receivers are available in your network, use the snmp-server command to configure the switch to send SNMP traps.
  4. Monitor the Event Log or (if configured) the available SNMP trap receivers to identify hosts exhibiting high connection rates.
  5. Check any hosts that exhibit relatively high connection rate behavior to determine whether malicious code or legitimate use is the cause of the behavior.
  6. Hosts demonstrating high, but legitimate connection rates, such as heavily used servers, can trigger a connection-rate filter. Configure connection rate ACLs to create policy exceptions for trusted hosts. (Exceptions can be configured for these criteria:
    1. A single source host or group of source hosts
    2. A source subnet
    3. Either of the above with TCP or UDP criteria

      For more on connection rate ACLs, see Application options.

  7. Increase the sensitivity to Medium and repeat steps 5 and 6.

    On networks that are relatively infection-free, sensitivity levels above Medium are not recommended.

  8. (Optional.) Enable throttle or block mode on the monitored ports.

    On a given VLAN, to unblock the hosts that have been blocked by the connection-rate feature, use the vlan <vid> connection-rate filter unblock command.

  9. Maintain a practice of carefully monitoring the Event Log or configured trap receivers for any sign of high connectivity-rate activity that could indicate an attack by malicious code.