...

The session limiter is configured on interface dp0p1s1, which means it is applied to both inbound and outbound sessions created on that interface. However, because there is only an inbound firewall on dp0p1s1, the session limiter only 'sees' inbound sessions.

v@vm-rtr-1# run sh session limit
Session limit parameter "MAX_HALFOPEN_200":
    Sessions allowed                                                               200
    Sessions blocked                                                               100
    Current session counts (estab/half-open/terminating)                     [0:200:0]
    Max session counts (estab/half-open/terminating)                         [0:200:0]
    Time since last session created                                              23.0s
    Sessions per sec avg (1sec/1min/5mins)                                     [0:0:0]
    Max sessions per sec avg (1sec/1min/5mins)                                 [0:0:0]
    Time since max sessions per sec (1sec/1min/5mins)              [never:never:never]
    Time since last session blocked                                              23.0s
    Max sessions blocked per sec avg (1sec/1min/5mins)                         [0:0:0]
    Features                                                              max-halfopen
    Max half-open sessions                                
        Maximum                                                                    200
        Sessions blocked                                                           100

Session limit group "PROTOTCP":
    Active on (dp0p1s1)
    rule    parameter  proto           allowed         blocked        
    ----    ---------  -----           -------         -------        
    10      PARAM1     tcp             200             100            
    condition - proto tcp 

...

After sending 100 packets each of UDP, TCP and ICMP (with different ports and/or source addresses):

v@vm-rtr-1# run sh session limit
Session limit parameter "MAXRATE4":
    Sessions allowed                                                               111
    Sessions blocked                                                               189
    Current session counts (estab/half-open/terminating)                       [0:0:0]
    Max session counts (estab/half-open/terminating)                          [0:74:0]
    Time since last session created                                               1.9m
    Sessions per sec avg (1sec/1min/5mins)                                     [0:0:0]
    Max sessions per sec avg (1sec/1min/5mins)                                 [4:0:0]
    Time since max sessions per sec (1sec/1min/5mins)               [1.9m:never:never]
    Time since last session blocked                                               1.9m
    Max sessions blocked per sec avg (1sec/1min/5mins)                         [7:0:0]
    Features                                                                rate-limit
    Rate limit                                            
        Rate sessions/second                                                         4
        Max burst                                                                    4
        Interval (milliseconds)                                                   1000
        Sessions blocked                                                           189

Session limit group "LIMIT_GROUP1":
    Active on (dp0p1s1)
    rule    parameter  proto           allowed         blocked        
    ----    ---------  -----           -------         -------        
    10      PARAM1     udp             37              63             
    condition - proto udp 

    20      PARAM1     tcp             37              63             
    condition - proto tcp 

    30      PARAM1     icmp            37              63             
    condition - proto icmp 
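
The counters in the output above can be pulled out for monitoring. The parser below is an added example, not part of the original page or the router's own tooling. It assumes one parameter and one group per output, as in the embedded sample (a trimmed copy of the output above), and its function names are hypothetical.

```python
import re

# Trimmed copy of the "show session limit" output shown above.
SAMPLE = """\
Session limit parameter "MAXRATE4":
    Sessions allowed                                                               111
    Sessions blocked                                                               189
    Rate limit
        Sessions blocked                                                           189

Session limit group "LIMIT_GROUP1":
    Active on (dp0p1s1)
    rule    parameter  proto           allowed         blocked
    ----    ---------  -----           -------         -------
    10      PARAM1     udp             37              63
    condition - proto udp
    20      PARAM1     tcp             37              63
    30      PARAM1     icmp            37              63
"""

# Parameter totals sit at exactly four spaces of indent; the per-feature
# "Sessions blocked" line is indented further and is skipped.
TOTAL_RE = re.compile(r"^ {4}Sessions (allowed|blocked)\s+(\d+)\s*$")
RULE_RE = re.compile(r"^\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

def parse_session_limit(text):
    """Return (parameter totals, per-rule counters) from the CLI output."""
    totals, rules, in_group = {}, [], False
    for line in text.splitlines():
        if line.startswith("Session limit "):
            in_group = line.startswith("Session limit group")
        elif not in_group and (m := TOTAL_RE.match(line)):
            totals[m.group(1)] = int(m.group(2))
        elif in_group and (m := RULE_RE.match(line)):
            rules.append({"proto": m.group(3), "allowed": int(m.group(4)),
                          "blocked": int(m.group(5))})
    return totals, rules

def summarize(text):
    """Blocked percentage per protocol, plus a totals cross-check."""
    totals, rules = parse_session_limit(text)
    pct = {r["proto"]: round(100 * r["blocked"] / (r["allowed"] + r["blocked"]))
           for r in rules}
    # In the output on this page the per-rule counters sum to the parameter totals.
    consistent = (sum(r["allowed"] for r in rules) == totals.get("allowed")
                  and sum(r["blocked"] for r in rules) == totals.get("blocked"))
    return {"totals": totals, "blocked_pct": pct, "consistent": consistent}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```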

...