Filtering - HP ProCurve 5308XL-48G Supplementary Manual

Notify and reduce spreading: In this case, the switch temporarily blocks inbound routed traffic from the offending host SA for a "penalty" period and generates an Event Log notice of this action and (if a trap receiver is configured on the switch) a similar SNMP trap notice. When the penalty period expires the switch re-evaluates the routed traffic from the host and continues to block this traffic if the apparent attack continues. (During the re-evaluation period, routed traffic from the host is allowed.)

Block spreading: This option blocks routing of the host's traffic on the switch. When a block occurs, the switch generates an Event Log notice and (if a trap receiver is configured on the switch) a similar SNMP trap notice. Note that system personnel must explicitly re-enable a host that has been previously blocked.
Sensitivity

The ability of connection-rate filtering to detect relatively high instances of connection-rate attempts from a given source can be adjusted by changing the global sensitivity settings. The sensitivity can be set to low, medium, high or aggressive.

Low: Sets the connection-rate sensitivity to the lowest possible sensitivity, which allows a mean of 54 routed destinations in less than 0.1 seconds, and a corresponding penalty time for Throttle mode (if configured) of less than 30 seconds.

Medium: Sets the connection-rate sensitivity to allow a mean of 37 routed destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 30 and 60 seconds.

High: Sets the connection-rate sensitivity to allow a mean of 22 routed destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 60 and 90 seconds.

Aggressive: Sets the connection-rate sensitivity to the highest possible level, which allows a mean of 15 routed destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 90 and 120 seconds.
Connection-rate ACL

Connection-rate ACLs are used to exclude legitimate high-rate inbound traffic from the connection-rate filtering policy. A connection-rate ACL, consisting of a series of access control entries (ACEs), creates exceptions to these per-port policies by creating special rules for individual hosts, groups of hosts, or entire subnets (see the Filtering section below for more details). Thus, the system administrator can adjust a connection-rate filtering policy to create and apply an exception to configured filters on the ports in a VLAN.

Filtering

ACLs – Access Control Lists

When routing is turned on across Layer 3 interfaces, all routable packets are allowed across these interfaces. Selectively filtering the packets that can flow across these interfaces is useful for security or bandwidth control purposes. Filtering at Layer 3 is done through Access Control Lists (ACL).

A single complete filter statement, the ACL, is composed of one or more Access Control Entries (ACE). An ACE statement can permit or deny a packet based on its:

Source and/or destination IP address or IP subnet

Source and/or destination TCP/UDP port number, using less than, greater than, equal, not equal or a number range. Being able to specify less than, greater than, etc. can save a lot of ACEs when trying to bound a group of port numbers, and is not found in some competitors' ACL implementations.

IP protocol (IP, TCP, UDP)
Each static VLAN on the 5300 can have one inbound and one outbound ACL defined. The 5300 can have up to 99 Standard ACLs, which are defined as ACLs that are based only on source IP addresses. The 5300 can also have up to 99 Extended ACLs, which are defined as ACLs based on any of the other parameters listed above. Up to a total of 1024 ACEs can be used to specify the 5300 ACLs.

The order of the ACEs within the ACL is important. When processing an ACL, the 5300 starts with the first ACE in the ACL and will continue to work through the list of ACEs, in order, until the packet matches the condition set forth in a particular ACE. At that point any further ACEs in the ACL are ignored. If a packet does not match any of the conditions in the ACL, it is denied.
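The first-match, implicit-deny evaluation described above, modelled as an added example (this is not switch code or the manual's own configuration): ACEs match on protocol, source/destination prefix and the lt/gt/eq/neq/range port operators the manual lists, and the constructed inbound ACL shows why ACE order decides the outcome.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class ACE:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" (any IP protocol), "tcp" or "udp"
    src: str                         # source prefix, e.g. "10.1.0.0/16", or "any"
    dst: str = "any"                 # destination prefix or "any"
    src_port: Optional[Tuple] = None # ("eq", 443), ("range", 1, 1023), ... or None
    dst_port: Optional[Tuple] = None

def addr_matches(prefix: str, addr: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def port_matches(cond: Optional[Tuple], port: int) -> bool:
    # lt / gt / eq / neq / range are the port operators the manual lists.
    if cond is None:
        return True
    op = cond[0]
    if op == "range":
        return cond[1] <= port <= cond[2]
    return {"lt": port < cond[1], "gt": port > cond[1],
            "eq": port == cond[1], "neq": port != cond[1]}[op]

def ace_matches(ace: ACE, pkt: dict) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt["proto"]:
        return False
    return (addr_matches(ace.src, pkt["src"]) and addr_matches(ace.dst, pkt["dst"])
            and port_matches(ace.src_port, pkt["sport"])
            and port_matches(ace.dst_port, pkt["dport"]))

def evaluate(acl: list, pkt: dict) -> Tuple[str, Optional[int]]:
    """Walk the ACEs in order; the first match decides. No match -> implicit deny."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None

INBOUND_ACL = [  # constructed inbound ACL for one VLAN, not taken from the manual
    ACE("permit", "tcp", "any", "10.1.1.10/32", dst_port=("eq", 443)),
    ACE("deny", "tcp", "any", "10.1.1.0/24", dst_port=("range", 1, 1023)),
    ACE("permit", "ip", "10.1.0.0/16"),
]

def pkt(proto: str, src: str, dst: str, sport: int, dport: int) -> dict:
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}
```

Swapping the first two ACEs makes the range deny shadow the port 443 permit, which is the ordering pitfall the paragraph warns about.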