Forum Discussion
Connection Rate Limit Mode - Per Source Address
Hi Deepsri,
It works per source address subnet mask; you, as admin, set the mask in the virtual server options.
This is a piece of info from the BIG-IP GUI:
"
Connection Rate Limit Source Mask
Specifies an IP address mask, in bits, to be applied to the source address as part of the rate limiting. The default is 0, which is equivalent to using the entire address, 32 in IPv4, or 128 in IPv6.
"
It should give you stable results based on the subnet mask that you set.
Note that Connection Limits have no allowance if the connections per source address subnet mask exceed the defined limits, so you have to properly set the mask value and the limit as well.
Also, have a look at the following article; you may be hitting this bug: https://my.f5.com/manage/s/article/K17082
I hope this helps you.
I am trying to implement rate limiting too, but I don't quite understand this part:
"Specifies an IP address mask, in bits, to be applied to the source address as part of the rate limiting. The default is 0, which is equivalent to using the entire address, 32 in IPv4, or 128 in IPv6."
As an example:
I have 2 virtual servers sharing the same IP but different ports, and these are non-HTTP apps.
VS1 - 10.10.10.10 - port 4403 - rate limit 10 - Mode - Virtual server and source Address
VS2 - 10.10.10.10 - port 4404 - rate limit 10 - Mode - Virtual server and source Address
I have the same client IPs connecting to both.
If a client IP, 20.20.20.20, reaches the limit for VS1, how would that impact its connections on VS2? Meaning,
if the client is on 11 connections on VS1, will that also block it on VS2, where it has 4 connections?
And in the above scenario, what value should I specify for Connection Rate Limit Source Mask?
Thanks
- Aug 22, 2023
Hi awan_m,
For your query about both virtual servers:
Each virtual server has its own settings and connection limits, so VS1 shouldn't impact VS2 even if it has the same IP; this could be done by an L4 firewall, for example.
For suitable values of Connection Limits: it depends on your environment and client traffic patterns. You should ask the server owner: how many connections do you expect to receive on this VS per source IP?
My recommendation:
Use >>> Connection Limit, not Connection Rate Limit >>> to be able to set optimal values.
If you do this, enable your AVR module and monitor the max concurrent connections (for a week or a month), then take this value and set it as the VS Connection Limit. (Be careful: if this VS was under a DoS attack within the monitoring period, you have to reset your stats and monitor the traffic connections again, so as not to set a very large limit that BIG-IP sensed from the DoS attack.)
The way to get your connection stats:
> Provision AVR first.
> Add this virtual server to an analytics profile > wait 10 mins and start monitoring.
> To monitor your VS connections:
Go to Statistics >> Analytics >> Virtual Servers >> Traffic Details >> Connections.
You will see all stats collected since you added this VS to AVR.
If you need to know how to enable AVR and the Analytics profile:
Use this website: https://clouddocs.f5.com/training/community/analytics/html/class1/class1.html
Concentrate on >>> Task1 & Task2.
I hope you find my comment insightful ^^
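The scenario asked about in this thread, as an added example that is not from any poster and is not F5 code: a toy model of "Virtual Server and Source Address" rate limiting, showing how the source mask decides which clients share a counter. The fixed 1-second window, the `RateLimiter` class and the helper names are assumptions made for illustration; BIG-IP's internal algorithm is not described on this page.

```python
import ipaddress
from collections import defaultdict

def bucket(src: str, mask_bits: int) -> str:
    """Apply the source mask. Per the GUI help text, 0 means the entire
    address (32 bits for IPv4, 128 for IPv6)."""
    ip = ipaddress.ip_address(src)
    bits = mask_bits or ip.max_prefixlen
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

class RateLimiter:
    """Toy model (assumption): one counter per (virtual server, masked source)
    within a fixed 1-second window."""
    def __init__(self, limit: int, mask_bits: int = 0):
        self.limit = limit
        self.mask_bits = mask_bits
        self.counts = defaultdict(int)

    def allow(self, vs: str, src: str, now: float) -> bool:
        key = (vs, bucket(src, self.mask_bits), int(now))
        if self.counts[key] >= self.limit:
            return False          # over the limit for this bucket: refuse
        self.counts[key] += 1
        return True

def simulate(mask_bits: int, attempts, limit: int = 10) -> dict:
    """Replay (vs, src) connection attempts inside one window and return
    the number accepted per (vs, src)."""
    rl = RateLimiter(limit=limit, mask_bits=mask_bits)
    accepted = defaultdict(int)
    for vs, src in attempts:
        if rl.allow(vs, src, now=0.0):
            accepted[(vs, src)] += 1
    return dict(accepted)

# Constructed traffic: the thread's case, 11 attempts on VS1 and 4 on VS2.
ATTEMPTS = [("VS1", "20.20.20.20")] * 11 + [("VS2", "20.20.20.20")] * 4
# Constructed traffic: two neighbouring clients hitting the same virtual server.
SHARED = [("VS1", "20.20.20.20")] * 6 + [("VS1", "20.20.20.21")] * 6

if __name__ == "__main__":
    print("mask 0 :", simulate(0, ATTEMPTS))   # VS2 is unaffected by VS1
    print("mask 0 :", simulate(0, SHARED))     # each client has its own counter
    print("mask 24:", simulate(24, SHARED))    # both clients share one /24 counter
```

In this model a wider bucket (smaller mask value such as 24) makes clients behind the same subnet consume one shared allowance, which is why the mask and the limit have to be sized together.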