An eviction policy provides the system with guidelines for how aggressively it discards flows from the flow table. You can customize the eviction policy to prevent flow table attacks, where a large number of slow flows are used to negatively impact system resources. You can also set how the system responds to such flow problems in an eviction policy, and attach such eviction policies globally, to route domains, and to virtual servers, to protect the system, applications, and network segments with a high level of customization.
A connection limit provides a hard limit to the number of connections allowed on a virtual server or on a route domain. If you set such a limit, all connection attempts above this limit are not allowed.
|Disabled||Slow flows are monitored, but not removed from the system when the threshold requirement is met for 30 seconds.|
|Absolute||Slow flows are removed from the system when the threshold requirement is met for 30 seconds. Setting an absolute limit removes all slow flows beyond the specified absolute number of flows.|
|Percent||Slow flows are removed from the system when the threshold requirement is met for 30 seconds. Setting a percentage limit removes that percentage of slow flows above the specified monitoring setting, so the default value of 100% removes all slow flows above the slow flow threshold, after the grace period.|
This table lists the BIG-IP® eviction policy algorithms and associated configuration information.
In an eviction policy, you specify one or more algorithms, or any combination of algorithms, to determine how traffic flows are dropped when the eviction policy threshold limits are reached. Selected algorithms are processed at the same time as a combined strategy, not in a specific order, so the combination of algorithms determines the final strategy used to remove flows. This strategy biases or weights the final algorithm toward the outcomes you have selected, though these choices are not absolute.
|Bias Idle||Biases flow removal toward the existing flows that have been idle, with no payload bytes, for the longest.|
Biases flow removal toward the oldest existing flows.
|Bias Bytes||Biases flow removal toward the flows with the fewest bytes. When this algorithm is selected, enter a value in the Minimum Time Delay field in the Strategy Configuration area. This value sets the minimum period of time for which a flow is allowed to exist before it is subject to removal through the Bias Bytes algorithm.|
|Low Priority Route Domains||Biases flow removal toward flows on low priority route domains. When this algorithm is selected, use the Low Priority Route Domains setting in the Strategy Configuration area to move low priority route domains from the Available list to the Selected list.|
|Low Priority Virtual Servers||Biases flow removal toward flows on low priority virtual servers. When this algorithm is selected, use the Low Priority Virtual Servers setting in the Strategy Configuration area to move low priority virtual servers from the Available list to the Selected list.|
|Low Priority Countries||Biases flow removal toward flows from lower priority countries. When this algorithm is selected, in the Low Priority Countries setting in the Strategy Configuration area, select low priority countries from the list and click Add to add them to the low priority list.|
|Low Priority Ports and Protocols||Biases flow removal toward flows on low priority ports and protocols. When this algorithm is selected, use the Low Priority Ports and Protocols setting in the Strategy Configuration area to add ports, protocols, and combinations to the low priority ports and protocols list (you must also specify a name).|
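
The sketch below is an added example, not F5 code or BIG-IP configuration: it models the Disabled, Absolute and Percent slow flow modes and a combined bias strategy over a constructed flow table. The flow names, field names, equal bias weights, and the reading of Percent as a share of the qualifying slow flows are assumptions made for illustration.

```python
from dataclasses import dataclass

GRACE_SECONDS = 30  # from the page: threshold must be met for 30 seconds

@dataclass(frozen=True)
class Flow:
    name: str
    slow_for: int     # seconds spent below the slow flow threshold
    idle: int         # seconds with no payload bytes
    age: int          # seconds since the flow was created
    total_bytes: int  # payload bytes carried so far

# Constructed sample flow table (not real traffic).
FLOWS = [
    Flow("slow-a", slow_for=45, idle=40, age=300, total_bytes=200),
    Flow("slow-b", slow_for=60, idle=5, age=600, total_bytes=900),
    Flow("bulk-xfer", slow_for=0, idle=0, age=500, total_bytes=5_000_000),
    Flow("new-login", slow_for=10, idle=1, age=10, total_bytes=150),
    Flow("slow-c", slow_for=31, idle=20, age=100, total_bytes=400),
]

def slow_eviction_count(flows, mode, limit=100):
    """Number of slow flows removed under Disabled, Absolute or Percent."""
    slow = [f for f in flows if f.slow_for >= GRACE_SECONDS]
    if mode == "disabled":   # monitored, never removed
        return 0
    if mode == "absolute":   # remove every slow flow beyond `limit` flows
        return max(0, len(slow) - limit)
    if mode == "percent":    # assumed: `limit` percent of qualifying slow flows
        return len(slow) * limit // 100
    raise ValueError(f"unknown mode: {mode}")

def rank_for_eviction(flows, biases, min_delay=0):
    """Order flows most-evictable first; equal weights are an assumption."""
    def top(attr):
        return max(getattr(f, attr) for f in flows) or 1
    def score(f):
        s = 0.0
        if "idle" in biases:
            s += f.idle / top("idle")
        if "oldest" in biases:
            s += f.age / top("age")
        # Minimum Time Delay: young flows are exempt from the bytes bias.
        if "bytes" in biases and f.age >= min_delay:
            s += 1 - f.total_bytes / top("total_bytes")
        return s
    return [f.name for f in sorted(flows, key=score, reverse=True)]
```

On this constructed data, `rank_for_eviction(FLOWS, {"bytes"})` puts the 10-second-old `new-login` flow first, while passing `min_delay=30` exempts it, which is the case the Minimum Time Delay setting exists for.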