Forum Discussion
Connection Rate Limit Mode - Per Source Address
We are trying to use the Connection Rate Limit Mode - Per Source Address option for one of our highly used VIPs. What is the best way to configure this setting? We have tried this option without much success or no success. I am able to set a value for Connection limit and that seems to work, but not the above-mentioned option. Any inputs will be much appreciated.
Are you actually seeing different IP addresses on the F5 BIG-IP? If you are source NATing on a firewall/proxy and the F5 BIG-IP doesn't see the real source IPs then this won't work for you.
- Deepsri (Altocumulus)
The VIP is seeing different source IPs; it's not getting a NAT'ed IP.
Hi Deepsri,
It works per source address subnet mask, which you as admin set on the virtual server options.
This is a piece of info in the BIG-IP GUI:
"Connection Rate Limit Source Mask: Specifies an IP address mask, in bits, to be applied to the source address as part of the rate limiting. The default is 0, which is equivalent to using the entire address, 32 in IPv4, or 128 in IPv6."
It should give you stable results based on the subnet mask that you set.
Note that Connection Limits have no allowance if the connections per source address subnet mask exceed the defined limits, so you have to properly set the mask value and the limit as well.
Also, have a look at the following article; you may hit this bug: https://my.f5.com/manage/s/article/K17082
I hope this helps you.
- awan_m (Cirrostratus)
I am trying to implement rate limit too, but I don't quite understand this part:
"Specifies an IP address mask, in bits, to be applied to the source address as part of the rate limiting. The default is 0, which is equivalent to using the entire address, 32 in IPv4, or 128 in IPv6."
As an example, I have 2 virtual servers sharing the same IP but different ports, and these are non-HTTP apps:
VS1 - 10.10.10.10 - port 4403 - rate limit 10 - Mode - Virtual server and source Address
VS2 - 10.10.10.10 - port 4404 - rate limit 10 - Mode - Virtual server and source Address
I have the same client IPs connecting to both.
If a client IP, 20.20.20.20, reaches the limit for VS1, how would that impact its connections on VS2? Meaning,
if the client is on 11 connections on VS1, will that also block it on VS2, where it has 4 connections?
And in the above scenario, what value should I specify for Connection Rate Limit Source Mask?
thanks
Hi awan_m,
For your query about both virtual servers:
Each virtual server has its own settings and connection limits, so VS1 shouldn't impact VS2 even if it has the same IP; this could be done by an L4 firewall, for example.
For suitable values of Connection Limits: it depends on your environment and client traffic patterns. You should ask the server owner how many connections they expect to receive on this VS per source IP.
My recommendation:
Use >>> Connection Limit not Connection rate limit >>> to be able to set optimal values.
If you did this, enable your AVR module and monitor the Max Concurrent connections (for a week or month), then take this value and set it as the VS Connection Limit. (Be careful: if this VS was under DoS attack within the monitoring period, you have to reset your stats and re-monitor the traffic connections again.) This is so as not to put a very large limit that BIG-IP sensed from the DoS attack.
The way to get your connection stats:
> Provision AVR first.
> Add this virtual server into an analytics profile > wait 10 minutes and start monitoring.
> To monitor your VS connections:
Go to Statistics >> Analytics >> Virtual servers >> Traffic Details >> Connections.
You will see all collected stats since you added this VS to AVR.
If you need to know how to enable AVR and the Analytics profile:
Use this website: https://clouddocs.f5.com/training/community/analytics/html/class1/class1.html
Concentrate on >>> Task1 & Task2.
I hope you see my comment insightful ^^
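
The source-mask grouping and the VS1/VS2 question from this thread, modeled as an added example; it is not part of any post above and is not F5's implementation. It goes slightly beyond the question by also replaying a /24 mask. Assumptions: the function names are hypothetical, the limit is counted over a fixed one-second window, and counters are kept per virtual server as the reply above describes.

```python
import ipaddress
from collections import Counter

def source_bucket(src, mask_bits):
    """Group key for a client: the source address with the mask applied.
    A mask of 0 means the entire address (32 bits IPv4, 128 bits IPv6)."""
    ip = ipaddress.ip_address(src)
    bits = ip.max_prefixlen if mask_bits == 0 else mask_bits
    if not 0 < bits <= ip.max_prefixlen:
        raise ValueError(f"mask {mask_bits} invalid for IPv{ip.version}")
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def replay(virtual_servers, events):
    """virtual_servers: {name: (rate_limit, source_mask_bits)}.
    events: (second, vs_name, source_ip) tuples in arrival order.
    Returns (accepted, rejected) Counters keyed by (vs, bucket).
    Assumption: the limit is counted over a fixed one-second window."""
    window = Counter()
    accepted, rejected = Counter(), Counter()
    for second, vs, src in events:
        limit, mask = virtual_servers[vs]
        key = (vs, source_bucket(src, mask))
        if window[(second, *key)] < limit:
            window[(second, *key)] += 1
            accepted[key] += 1
        else:
            rejected[key] += 1
    return accepted, rejected

# Constructed sample: the two virtual servers from the question above.
VS_FULL = {"VS1": (10, 0), "VS2": (10, 0)}
VS_SLASH24 = {"VS1": (10, 24), "VS2": (10, 24)}
EVENTS = (
    [(0, "VS1", "20.20.20.20")] * 11      # 11 new connections in one second
    + [(0, "VS2", "20.20.20.20")] * 4     # same client, other port
    + [(0, "VS2", "20.20.20.21")] * 8     # neighbour in the same /24
)

if __name__ == "__main__":
    for name, cfg in (("mask 0", VS_FULL), ("mask 24", VS_SLASH24)):
        ok, dropped = replay(cfg, EVENTS)
        print(name, "accepted:", dict(ok), "rejected:", dict(dropped))
```

In this model, mask 0 rejects only the eleventh VS1 connection and leaves VS2 untouched, while a /24 mask makes 20.20.20.20 and 20.20.20.21 share one VS2 budget, so two of their twelve connections are rejected.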