glid

Description    Configure a global set of IP limiting rules for system-wide IP limiting.

NOTE:    This command configures a limit ID (LID) for use with the IP limiting feature. To configure a LID for use with Large-Scale NAT (LSN) instead, see the IPv4-to-IPv6 Transition Solutions Guide.

Syntax    [no] glid num

Replace num with the limit ID (1-1023).

This command changes the CLI to the configuration level for the specified global LID, where the following commands are available.

(The other commands are common to all CLI configuration levels. See Config Commands: Global.)

Command

Description

[no] conn-limit num

Specifies the maximum number of concurrent connections allowed for a client. You can specify 0-1048575. Connection limit 0 immediately locks down matching clients: every connection attempt from them is treated as over-limit.

There is no default value set for this parameter.

[no] conn-rate-limit num per num-of-100ms

Specifies the maximum number of new connections allowed for a client within the specified limit period. You can specify 1-4294967295 connections. Replace num-of-100ms with the limit period in units of 100 milliseconds (ms), 1-65535, which gives a period of 100-6553500 ms; for example, per 1 means a 100 ms period and per 10 means 1 second.

There is no default value set for this parameter.

[no] dns options

Configure settings for IPv4 DNS features.

[no] dns64 options

Configure settings for IPv6 DNS features.

[no] over-limit-action [forward | reset] [lockout minutes] [log minutes]

Specifies the action to take when a client exceeds one or more of the limits. The command also optionally configures a lockout period and enables logging. Action can include:

  drop – The ACOS device drops that traffic. If logging is enabled, the ACOS device also generates a log message. (There is no drop keyword; dropping is the default action when no action is specified.)

  forward – The ACOS device forwards the traffic. If logging is enabled, the ACOS device also generates a log message.

  reset – For TCP, the ACOS device sends a TCP RST to the client. If logging is enabled, the ACOS device also generates a log message.

The lockout option specifies the number of minutes during which to apply the over-limit action after the client exceeds a limit. The lockout period is activated when a client exceeds any limit. The lockout period can be 1-1023 minutes. There is no default lockout period.

The log option generates log messages when clients exceed a limit. When you enable logging, a separate message is generated for each over-limit occurrence, by default. You can specify a logging period, in which case the ACOS device holds onto the repeated messages for the specified period, then sends one message at the end of the period for all instances that occurred within the period. The logging period can be 0-255 minutes. The default is 0 (no wait period).

[no] request-limit num

Specifies the maximum number of concurrent Layer 7 requests allowed for a client. You can specify 1-1048575.

[no] request-rate-limit num per num-of-100ms

Specifies the maximum number of Layer 7 requests allowed for the client within the specified limit period. You can specify 1-4294967295 requests. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms (num-of-100ms is 1-65535).

[no] use-nat-pool pool-name

Binds a NAT pool to the GLID. The pool is used to provide reverse NAT for class-list members that are mapped to this GLID. (The use-nat-pool option, available in GLIDs, is applicable only to transparent traffic, not to SLB traffic.)
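The limit semantics in the table (conn-limit, conn-rate-limit, over-limit-action with lockout, and log-period batching) are easier to reason about with a small model. The following Python is an added example written for this page; it is not ACOS code and not taken from A10's documentation. It assumes time in milliseconds, per-client-IP tracking, a sliding window of num-of-100ms × 100 ms for the rate limit (the device may use a fixed-interval counter), and that a connection whose over-limit action is forward is still counted as open; all of these are modelling assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Added example: a model of GLID enforcement, not ACOS code.
# Assumptions: time is in milliseconds, limits are tracked per client IP,
# conn-rate-limit uses a sliding window of num_of_100ms * 100 ms, and an
# over-limit connection with action "forward" still counts as open.


@dataclass
class Glid:
    conn_limit: Optional[int] = None                    # conn-limit num (0 locks matching clients down)
    conn_rate_limit: Optional[Tuple[int, int]] = None   # conn-rate-limit num per num-of-100ms
    action: str = "drop"                                # over-limit-action: drop (default) | forward | reset
    lockout_min: int = 0                                # lockout minutes (0 = no lockout)
    log_min: int = 0                                    # log minutes (0 = one message per event)


@dataclass
class ClientState:
    open_conns: int = 0
    new_conn_times: Deque[int] = field(default_factory=deque)
    locked_until: int = -1


class GlidLimiter:
    def __init__(self, glid: Glid) -> None:
        self.glid = glid
        self.clients: Dict[str, ClientState] = defaultdict(ClientState)
        self.logs: List[Tuple[str, int, int]] = []   # (client, events covered, time sent)
        self._pending: Dict[str, List[int]] = {}     # client -> [period start, event count]

    def new_connection(self, ip: str, now_ms: int) -> str:
        """Return "allow" or the over-limit action applied to this connection attempt."""
        g, c = self.glid, self.clients[ip]
        if now_ms < c.locked_until:
            # Lockout in force: apply the action without re-evaluating the limits.
            return self._over_limit(ip, c, now_ms)
        over = False
        if g.conn_limit is not None and c.open_conns >= g.conn_limit:
            over = True   # with conn-limit 0 this holds for the very first connection
        if g.conn_rate_limit is not None:
            num, units = g.conn_rate_limit
            window_ms = units * 100
            while c.new_conn_times and c.new_conn_times[0] <= now_ms - window_ms:
                c.new_conn_times.popleft()
            if len(c.new_conn_times) >= num:
                over = True
        if over:
            if g.lockout_min:
                c.locked_until = now_ms + g.lockout_min * 60_000
            return self._over_limit(ip, c, now_ms)
        self._admit(c, now_ms)
        return "allow"

    def close_connection(self, ip: str) -> None:
        c = self.clients[ip]
        c.open_conns = max(0, c.open_conns - 1)

    def _admit(self, c: ClientState, now_ms: int) -> None:
        c.open_conns += 1
        c.new_conn_times.append(now_ms)

    def _over_limit(self, ip: str, c: ClientState, now_ms: int) -> str:
        self._log(ip, now_ms)
        if self.glid.action == "forward":
            self._admit(c, now_ms)      # traffic still goes through, so it is counted
        return self.glid.action         # "reset" (TCP RST) only makes sense for TCP

    def _log(self, ip: str, now_ms: int) -> None:
        if self.glid.log_min == 0:
            self.logs.append((ip, 1, now_ms))   # one message per over-limit occurrence
            return
        self.tick(now_ms)
        entry = self._pending.get(ip)
        if entry is None:
            self._pending[ip] = [now_ms, 1]     # start a logging period for this client
        else:
            entry[1] += 1                       # hold the repeat until the period ends

    def tick(self, now_ms: int) -> None:
        """Send one batched message for each client whose logging period has elapsed."""
        period_ms = self.glid.log_min * 60_000
        for ip, (start, count) in list(self._pending.items()):
            if now_ms - start >= period_ms:
                self.logs.append((ip, count, start + period_ms))
                del self._pending[ip]


if __name__ == "__main__":
    # conn-rate-limit 3 per 1 (three new connections per 100 ms), reset, lockout 1 minute
    lim = GlidLimiter(Glid(conn_rate_limit=(3, 1), action="reset", lockout_min=1))
    for t in (0, 10, 20, 30, 5_000, 61_000):
        print(t, lim.new_connection("10.2.0.7", t))
```

The demo shows the point practitioners most often get wrong: once a client trips any limit with a lockout configured, the over-limit action is applied for the whole lockout period even after the rate window has long since cleared, and with log 0 every over-limit attempt during that period produces its own log line.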

Default    See descriptions in the table.

Mode    Configuration mode

Usage    This command uses a single class list for IP limiting. To use multiple class lists for system-wide IP limiting, use a policy template instead. See the “slb template policy” command in the Command Line Interface Reference for ADC.

Differences Between GLIDs and LIDs

A Global Limit ID (GLID) is an ID that identifies a set of limiting rules configured globally. This ID is included in a class-list, as shown in the following example:

glid 10
  request-limit 100

class-list HTTP-RL
  10.100.0.0/16 lid 1
  10.2.0.0/16 lid 2
  0.0.0.0/0 glid 10

The limiting rules within a GLID can be reused in different class-list objects, unlike a Local Limit ID (LID).

A LID is an ID that identifies a set of limiting rules configured inside an SLB template of a type that supports a class-list, such as an SLB policy template or an SLB DNS template. For example:

slb template policy Policy-HTTP-RL
  class-list HTTP-RL
    lid 1
      request-limit 1000
    lid 2
      request-limit 10

A local limit ID can be used if the same class-list is used for several different VIPs, and if each VIP has different limiting rules; using the LID eliminates the need to create many class-lists.

Note that GLIDs and LIDs are optional configurations within a class-list, and they are not required if the class-list is used as a black-list or a white-list.

Additional Usage Information about GLIDs and LIDs

A policy template is also required if you plan to apply IP limiting rules to individual virtual servers or virtual ports.

The request-limit and request-rate-limit options apply only to HTTP, fast-HTTP, and HTTPS virtual ports. For details on configuring these options, see Request Limiting and Request-Rate Limiting in Class Lists.

The over-limit-action log option, when used with the request-limit or request-rate-limit option, always lists Ethernet port 1 as the interface.

The use-nat-pool option is applicable only to transparent traffic, not to SLB traffic.

Example    The following commands configure a global IP limiting rule to be applied to all IP clients (the clients that match class list “global”). The rate limit 10000 per 1 allows each client 10000 new connections per 100 ms; clients that exceed a limit are still forwarded, but each over-limit occurrence is logged:

ACOS(config)#glid 1
ACOS(config-glid:1)#conn-rate-limit 10000 per 1
ACOS(config-glid:1)#conn-limit 2000000
ACOS(config-glid:1)#over-limit-action forward log
ACOS(config-glid:1)#exit
ACOS(config)#system glid 1
ACOS(config)#class-list global
ACOS(config-class list)#0.0.0.0/0 glid 1
