Limitations; Scenario: Setting Up Zonedefense - D-Link DFL-1600 User Manual

Network security firewall
296
Chapter 28. ZoneDefense
adding the firewall's interface IP or MAC address connecting towards the
ZoneDefense switch to the Exclude list. This prevents the firewall from
being accidentally blocked out.
28.5 Limitations

Depending on the switch model, various limitations are in effect.

The first is the latency between the triggering of a block rule and the moment the switch(es) actually block the traffic matched by the rule. All switch models require at least some time to enforce the rules after they have been provided by the firewall. Some models can activate the rules within a second, while others require up to a minute or even longer.

Another limitation is the maximum number of rules supported by the switch. Some switches support only 50 rules while others support up to 800 (usually, in order to block a host or network, one rule per switch port is needed). When this limit has been reached, no more hosts or networks will be blocked out.
Note
ZoneDefense uses a range of the ACL rule set on the switch. To avoid potential conflicts in these rules and guarantee the firewall's access control, it is strongly recommended that the administrator clear the entire ACL rule set on the switch before proceeding with the ZoneDefense setup.
28.6 Scenario: Setting Up ZoneDefense
The following simple example illustrates the steps needed to set up the ZoneDefense function in D-Link firewalls. We assume that all the interfaces on the firewall have already been properly configured.
Example: Configuring ZoneDefense
In this simplified scenario, an HTTP threshold of 10 connections/second is applied. If a host's connections exceed this limit, the firewall will block that specific host (in the network range 192.168.2.0/24, for example) from accessing the switch completely.
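To make the behaviour described in this chapter concrete, the following is an added illustration (not D-Link code and not the firewall's actual implementation): a small Python model in which a controller counts new HTTP connections per host per second, requests a switch block rule when a host exceeds the 10 connections/second threshold, skips hosts on the Exclude list (the firewall's own interface address), and runs into the switch's rule-table limit from Section 28.5. The class names, the one-rule toy switch and the sample connection log are all constructed for the example; the enforcement delay is recorded as a number only and not simulated.

```python
# Added illustration of ZoneDefense-style behaviour; this is NOT D-Link code.
# SwitchModel, ZoneDefenseController and SAMPLE_CONNECTIONS are constructed
# for the example. The scenario follows Section 28.6: threshold 10 conn/s,
# watched network 192.168.2.0/24.
from collections import defaultdict
from ipaddress import ip_address, ip_network


class SwitchModel:
    """Toy managed switch with a bounded ACL rule set (Section 28.5).

    Real switches need from about a second to over a minute to enforce a
    rule after the firewall pushes it; enforce_delay_s only records that
    figure for the reader and plays no role in the logic below.
    """

    def __init__(self, max_rules, enforce_delay_s):
        self.max_rules = max_rules
        self.enforce_delay_s = enforce_delay_s
        self.acl = []  # block rules currently installed, one per host here

    def add_block_rule(self, host):
        """Install a block rule; return False when the rule table is full."""
        if len(self.acl) >= self.max_rules:
            return False  # limit reached: this host stays unblocked
        self.acl.append(host)
        return True


class ZoneDefenseController:
    """Firewall-side logic: threshold rule + Exclude list + rule push."""

    def __init__(self, switch, watched_net, threshold_per_s, exclude):
        self.switch = switch
        self.watched_net = ip_network(watched_net)
        self.threshold = threshold_per_s
        self.exclude = {ip_address(h) for h in exclude}  # never block these
        self.blocked = set()     # hosts for which a rule was installed
        self.unenforced = set()  # hosts over threshold that could not be pushed

    def process(self, connections):
        """connections: iterable of (second, src_ip) for new HTTP connections.

        A host is blocked once its count in a single second EXCEEDS the
        threshold (10 connections in a second does not trigger, 11 does).
        """
        counts = defaultdict(int)
        for second, src in connections:
            src = ip_address(src)
            if src not in self.watched_net or src in self.exclude:
                continue  # outside the watched range or on the Exclude list
            if src in self.blocked:
                continue  # already handled by an installed switch rule
            counts[(second, src)] += 1
            if counts[(second, src)] > self.threshold:
                if self.switch.add_block_rule(str(src)):
                    self.blocked.add(src)
                else:
                    self.unenforced.add(src)


def _burst(second, host, n):
    """Helper building n constructed connection records for one host."""
    return [(second, host) for _ in range(n)]


# Constructed sample log of new HTTP connections (second, source IP).
SAMPLE_CONNECTIONS = (
    _burst(1, "192.168.2.10", 12)   # 12 conn/s: exceeds 10, must be blocked
    + _burst(1, "192.168.2.11", 10) # exactly 10: does not exceed the threshold
    + _burst(1, "192.168.2.1", 20)  # the firewall's own interface: Exclude list
    + _burst(1, "10.0.0.5", 15)     # outside 192.168.2.0/24: not a target
    + _burst(2, "192.168.2.12", 11) # also exceeds, but a 1-rule switch is full
)


def run_scenario(max_rules=1):
    """Run the Section 28.6 scenario against a switch holding max_rules rules."""
    switch = SwitchModel(max_rules=max_rules, enforce_delay_s=1)
    zd = ZoneDefenseController(switch, "192.168.2.0/24", threshold_per_s=10,
                               exclude=["192.168.2.1"])
    zd.process(SAMPLE_CONNECTIONS)
    return {
        "blocked": sorted(str(h) for h in zd.blocked),
        "unenforced": sorted(str(h) for h in zd.unenforced),
        "acl": list(switch.acl),
    }


if __name__ == "__main__":
    print("1-rule switch :", run_scenario(max_rules=1))
    print("50-rule switch:", run_scenario(max_rules=50))
```

With the one-rule switch, 192.168.2.10 takes the only ACL slot and 192.168.2.12 exceeds the threshold but is left unblocked, which is exactly the failure mode Section 28.5 warns about; with a 50-rule switch both offending hosts are blocked. The host at exactly 10 connections/second, the excluded firewall interface and the host outside the watched range are never pushed to the switch.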
D-Link Firewalls User's Guide