Application Delivery (ADX)

Posts: 24
Registered: ‎05-04-2009

How do I block traffic to services which do not exist most efficiently?

We had tons of port scans here a few days ago and it looks like port scans using virtual servers as destination do hit the ServerIron CPUs pretty hard. Is there any way to get rid of this problem? I would like to drop traffic to services which do not exist with the lowest impact to the CPU possible.

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: How do I block traffic to services which do not exist most efficiently?

My suggestion would be to enable "vip-protection":

server virtual vip a.b.c.d
 vip-protection

Out of the documentation:

VIP protection adds CAM entries for each defined virtual port associated with each VIP. An additional CAM entry is defined for ICMP traffic destined to each VIP. An entry to drop the traffic is also added in the CAM for each VIP, which makes sure that traffic destined to any destination port other than the virtual ports is dropped by hardware.

This is protection in hardware - it is dropping all traffic to non-configured services in hardware. The CPUs are not involved at this time. Is this what you are looking for?

It is also possible to use this setting globally via:

server vip-protection
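As an added illustration, not code from this thread or from Brocade, here is a small Python model of the three kinds of CAM entries the quoted documentation describes (one per virtual port, one for ICMP, one catch-all drop per VIP) and a scan simulation that counts what is forwarded, dropped, or never matched. The "software" outcome for packets that match no entry is an assumption standing in for the CPU-bound path the question reports; the VIP address and ports are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class CamEntry:
    vip: str
    proto: Optional[str]   # "tcp", "udp", "icmp"; None matches any protocol
    port: Optional[int]    # None matches any destination port
    action: str            # "forward" or "drop"

def build_vip_protection_entries(vips: Dict[str, List[Tuple[str, int]]]) -> List[CamEntry]:
    """Build the per-VIP CAM entries vip-protection installs, in match order.

    Per the documentation quoted above: one entry per configured virtual
    port, one for ICMP to the VIP, then a catch-all drop for that VIP.
    """
    entries: List[CamEntry] = []
    for vip, ports in vips.items():
        for proto, port in ports:
            entries.append(CamEntry(vip, proto, port, "forward"))
        entries.append(CamEntry(vip, "icmp", None, "forward"))
        entries.append(CamEntry(vip, None, None, "drop"))
    return entries

def classify(entries: List[CamEntry], dst_ip: str, proto: str, dport: Optional[int]) -> str:
    """First-match lookup, as hardware classification would do it.

    Returns "forward", "drop", or "software" (assumption: no CAM hit means the
    packet is handled by the CPU, the pre-vip-protection behaviour).
    """
    for e in entries:
        if e.vip != dst_ip:
            continue
        if e.proto is not None and e.proto != proto:
            continue
        if e.port is not None and e.port != dport:
            continue
        return e.action
    return "software"

def simulate_scan(entries: List[CamEntry], dst_ip: str, proto: str,
                  ports: Iterable[int]) -> Dict[str, int]:
    """Count outcomes of a port sweep against one destination address."""
    counts = {"forward": 0, "drop": 0, "software": 0}
    for p in ports:
        counts[classify(entries, dst_ip, proto, p)] += 1
    return counts

if __name__ == "__main__":
    # Constructed sample: one VIP serving TCP 80 and 443.
    cam = build_vip_protection_entries({"10.0.0.10": [("tcp", 80), ("tcp", 443)]})
    print(simulate_scan(cam, "10.0.0.10", "tcp", range(1, 1025)))
```

With vip-protection modelled this way, a 1024-port TCP sweep against the VIP reaches only the two configured ports and every other probe is answered by the drop entry rather than the CPU.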
