Dell Networking N4000 Series Configuration Manual page 638

Stackable layer 2 and 3 switches

interface te1/0/1
ip access-group rate-limit-www in
exit
Rate Limit In-Band Management Traffic
The following is an example of rate limiting in-band management traffic on
an L2 switch. The first two rules rate limit Telnet and SSH (port 22) traffic
for established connections. The third and fourth rules set specific limits
for inbound Telnet and SSH connection requests. Setting the control plane
mode on the access group limits the requests to those packets transferred to
the CPU and does not affect packets transiting the switching silicon.
Likewise, because this is internally an egress ACL, it rate limits packets
egressing the silicon to the CPU and does not affect packets that are routed
in software due to L3 table lookup failures, nor does it affect packets sent
to the CPU via the system rules, as they are applied on ingress.
The established connection rate limit parameters are 1024 Kbits/second and a
burst of 128 Kbytes. The non-established rate limits are 12 Kbytes/second
with a 2 Kbyte burst.
ip access-list rate-limit-inband-mgmt
permit tcp any any eq telnet flag established rate-limit 1024 128
permit tcp any any eq 22 flag established rate-limit 1024 128
permit tcp any any eq telnet rate-limit 12 2
permit tcp any any eq 22 rate-limit 12 2
permit every
exit
ip access-group rate-limit-inband-mgmt control-plane
!
! Block fragmented traffic from being sent to the CPU.
!
ip access-list no-frag-inband-mgmt
deny tcp any any fragments
deny udp any any fragments
deny ip any any fragments
permit every
exit
ip access-group no-frag-inband-mgmt control-plane
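The rule order in the rate-limit example matters: the established-connection rules must come before the general Telnet and SSH rules, or they never match. The following audit script is an added example, not part of the Dell manual; it assumes first-match rule evaluation and an implicit deny after the last rule, and the `bad-order` ACL in its sample input is a constructed, hypothetical misconfiguration.

```python
import re

# Constructed sample: the rate-limit ACL from this page plus a hypothetical
# mis-ordered ACL ("bad-order") that exercises both checks.
SAMPLE = """\
ip access-list rate-limit-inband-mgmt
permit tcp any any eq telnet flag established rate-limit 1024 128
permit tcp any any eq 22 flag established rate-limit 1024 128
permit tcp any any eq telnet rate-limit 12 2
permit tcp any any eq 22 rate-limit 12 2
permit every
exit
ip access-group rate-limit-inband-mgmt control-plane
ip access-list bad-order
permit tcp any any eq 22 rate-limit 12 2
permit tcp any any eq 22 flag established rate-limit 1024 128
exit
ip access-group bad-order control-plane
"""

RULE = re.compile(r"^permit tcp any any eq (\S+)(.*)$")

def parse(text):
    """Return ({acl_name: [rule lines]}, [ACL names bound to the control plane])."""
    acls, bound, cur = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("ip access-list "):
            cur = acls.setdefault(line.split()[2], [])
        elif line == "exit":
            cur = None
        elif line.startswith("ip access-group ") and line.endswith(" control-plane"):
            bound.append(line.split()[2])
        elif cur is not None and line and not line.startswith("!"):
            cur.append(line)
    return acls, bound

def audit(text):
    """Findings for control-plane ACLs (assumes first match wins, implicit deny at end)."""
    acls, bound = parse(text)
    findings = []
    for name in bound:
        rules, general = acls.get(name, []), set()
        for m in filter(None, map(RULE.match, rules)):
            port, rest = m.group(1), m.group(2)
            if "flag established" not in rest:
                general.add(port)  # a general rule matches every packet to this port
            elif port in general:
                findings.append(f"{name}: established rule for port {port} is shadowed")
        if not rules or rules[-1] != "permit every":
            findings.append(f"{name}: no final 'permit every'")
    return findings
```

Calling `audit(SAMPLE)` reports nothing for the ACL from this page and two findings for `bad-order`.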
Configuring Access Control Lists
