Inbound admission policy

The inbound admission policy is used to control connection requests coming into your network.

The inbound policy is used to restrict traffic attempting to connect to your server. You can restrict access by client, Uniform Resource Identifier (URI), application, or local interface on your iSeries™ server. In addition, you can enhance server performance by applying a class of service to inbound traffic. You define this policy through the Inbound admission wizard in iSeries Navigator.

Three components of an inbound policy need further explanation: URIs to restrict traffic, connection rates defined in a class of service, and priority queues to order successful connections. For more information, see URI, Connection rate, and Weighted priority queues.

URI

You might consider using an inbound policy to restrict HTTP traffic connecting to your Web server. In this circumstance, you might create an inbound admission policy that restricts traffic by a specific URI. URI request rate is part of a solution to help protect servers against overload. Designating specific URIs will apply admission controls, based on application level information, to limit the URI requests accepted by the server. In industry, this is also referred to as header-based connection request control, which uses URIs to set priorities.

Specifying a URI allows the inbound policy to examine content, not just packet headers. The content examined is a URI name. For iSeries, you can use the relative URI name (for example, /products/clothing). The following examples describe the relative URI.

Relative URI

The relative URI is actually a subset of an absolute URI (similar to the old absolute URL). Consider this example: http://www.ibm.com/software. The http://www.ibm.com/software segment is considered the absolute URI. The /software segment is the relative URI. All relative URI values must begin with one forward slash (/). The following segments are valid relative URI examples:

Notes:
  1. When using a URI, you must specify the protocol as TCP. In addition, the port and IP address must match the port and IP address configured for your HTTP server. This is typically port 80.
  2. There is an implicit wildcard when you specify a URI. For example, /software will include anything within the software directory.
  3. Do not use an * in the URI. It is not a valid character.
  4. URI information can be used in either inbound policies or differentiated service (outbound) policy.

Before you set up an inbound policy that uses URIs, you must ensure that the application port assigned for the URI matches the Listen directive enabled for Fast Response Cache Accelerator (FRCA) in the Apache Web Server configuration. To change or view the port for your HTTP server, see Manage addresses and ports for your HTTP server (powered by Apache).
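The following is an added example, not IBM code or an iSeries configuration format: a pre-flight check that applies the URI notes above to constructed rule entries and shows which request paths the implicit wildcard covers. The field names, the server address, and the choice to match on path-segment boundaries are assumptions made for illustration.

```python
# Constructed server settings and rules; field names are hypothetical.
HTTP_SERVER = {"address": "192.0.2.10", "port": 80}

RULES = [
    {"uri": "/products/clothing", "protocol": "TCP",
     "address": "192.0.2.10", "port": 80},
    {"uri": "/software/*", "protocol": "TCP",
     "address": "192.0.2.10", "port": 80},
    {"uri": "software", "protocol": "UDP",
     "address": "192.0.2.10", "port": 8080},
]


def validate_uri_rule(rule, server=HTTP_SERVER):
    """Return a list of problems; an empty list means the rule passes."""
    problems = []
    uri = rule.get("uri", "")
    # Relative URIs must begin with exactly one forward slash.
    if not uri.startswith("/") or uri.startswith("//"):
        problems.append("URI must begin with one forward slash")
    # Note 3: '*' is not valid; the wildcard is implicit.
    if "*" in uri:
        problems.append("URI must not contain '*'")
    # Note 1: protocol must be TCP when a URI is used.
    if rule.get("protocol", "").upper() != "TCP":
        problems.append("protocol must be TCP when a URI is specified")
    # Note 1: port and IP address must match the HTTP server's.
    if rule.get("port") != server["port"]:
        problems.append("port must match the HTTP server port")
    if rule.get("address") != server["address"]:
        problems.append("address must match the HTTP server address")
    return problems


def uri_covers(rule_uri, request_path):
    """Note 2: a URI covers itself and everything beneath it.
    Assumption: the match stops at path-segment boundaries."""
    base = rule_uri.rstrip("/")
    path = request_path.split("?", 1)[0]  # ignore any query string
    return path == base or path.startswith(base + "/")


if __name__ == "__main__":
    for rule in RULES:
        print(rule["uri"], "->", validate_uri_rule(rule) or "ok")
    print(uri_covers("/software", "/software/downloads/index.html"))
```

Running the coverage check over the paths your Web server actually serves shows whether a broad URI such as /software takes in subdirectories you did not intend to place under the same policy.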

Connection rate

As part of the inbound admission policy, you also must select a class of service. This class of service defines connection rates that act as admission control to limit the connections accepted by the server.

Connection rate limits accept or deny a new packet, based on the average number of connections per second and the maximum number of instantaneous connections defined in the policy you create. These connection limits consist of average rate and burst limit, which the wizards in iSeries Navigator will prompt you to enter. When incoming connection requests reach the server, the server analyzes the packet header information to determine if this traffic is defined in a policy. The system verifies this information against the connection limits profile. If the packet is within the policy limits, it is placed into the queue.

Use the above information as you complete the Inbound admission wizard. In iSeries Navigator, you can also use the associated Help to refer to similar information as you complete the policy.

Weighted priority queues

As part of inbound control, you can specify the priority in which connection requests are handled after they have been evaluated by the policies. By assigning a weight to a priority queue, you are essentially controlling the queue's response time after a connection has arrived. If queued, the connection will be handled in order of queue priority (high, medium, low, or best effort). If you are unsure of what weights to assign, use the default values. The sum of all the weights must equal 100. For example, if 25 is specified for all priorities, then all queues are treated equally. Suppose that you specify the following weights: High (50), Medium (30), Low (15), and Best effort (5). The accepted connections include:
