Configuring The Connection Limit Policy; Applying The Connection Limit Policy - HP VSR1000 Security Configuration Manual

Virtual services router
Configuring the connection limit policy

To use a connection limit policy, you must add limit rules to it. Each rule defines a range of
connections and the criteria for limiting them. Connections in the range are limited according to the
criteria: when the number of matching connections reaches the upper limit, the device stops accepting
new matching connections until the number of connections drops below the lower limit. Connections
that match no connection limit rule are not limited.
Each connection limit rule references an ACL to define the connection range. The rule can also use the
following filtering methods to narrow the scope of the limit:
per-destination—Limits user connections by destination IP address.
per-service—Limits user connections by service (transport layer protocol and service port).
per-source—Limits user connections by source IP address.
You can select more than one filtering method; the selected methods take effect together, so the limit
applies separately to each combination of the selected attributes. For example, if you specify both
per-destination and per-service, each set of user connections that use the same service and are destined
to the same IP address is limited on its own. If you specify no filtering method in a limit rule, all user
connections in the range are counted together against the one limit.
When a connection limit policy is applied, the device matches connections against the limit rules in the
policy in ascending order of rule ID. HP recommends that a rule with a smaller range and more filtering
methods have a smaller ID than a broader rule, so that the specific rule is matched before the broad one.
To configure the connection limit policy:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter connection limit policy view.
  Command: connection-limit { ipv6-policy | policy } policy-id
  Remarks: N/A
Step 3: Configure a connection limit rule.
  Command: limit limit-id acl [ ipv6 ] { acl-number | name acl-name } [ per-destination | per-service | per-source ] * amount max-amount min-amount
  Remarks: By default, no connection limit rule exists. The keyword ipv6 is available only in IPv6 connection limit policy view.

Applying the connection limit policy

To make a connection limit policy take effect, apply it globally or to an interface. A connection limit
policy applied to an interface limits only the specified connections on that interface. A connection limit
policy applied globally limits the specified connections on the whole device.
Different connection limit policies can be applied to individual interfaces and globally at the same time.
The device then matches a connection against these policies in this order: the policy on the inbound
interface, the global policy, and the policy on the outbound interface. If any of these policies has
reached its upper limit for the connection, the device does not accept the new connection.
To apply a connection limit policy to an interface:
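The rule and policy semantics described in the two sections above, modelled as an added Python example (this is not code from the HP manual or the VSR1000 itself): counters keyed by the selected per-* filters, the amount max-amount min-amount hysteresis, ascending rule ID order, and the inbound interface, global, outbound interface check order. ACLs are stood in by Python predicates over a constructed (src, dst, proto, dst_port) tuple, all addresses are constructed sample data, and two points are this model's own assumptions: that the first rule whose ACL matches decides (read from the recommended rule ordering), and that a counter is blocked as soon as it reaches max-amount and released once it falls below min-amount.

```python
from collections import defaultdict


class LimitRule:
    """One 'limit' rule: rule ID, an ACL (stood in by a predicate over a
    constructed (src, dst, proto, dst_port) tuple), the chosen per-* filters
    and the amount max-amount min-amount pair."""

    def __init__(self, rule_id, acl, filters, max_amount, min_amount):
        if not 0 < min_amount <= max_amount:
            raise ValueError("need 0 < min-amount <= max-amount")
        self.rule_id, self.acl = rule_id, acl
        self.filters = frozenset(filters)
        self.max_amount, self.min_amount = max_amount, min_amount
        self.counts = defaultdict(int)  # live connections per counter key
        self.blocked = set()            # keys at the upper limit, waiting for the lower limit

    def key(self, conn):
        """Counter key: one field per selected filter. An empty key means
        every connection in the ACL range is counted against one limit."""
        src, dst, proto, port = conn
        parts = []
        if "per-source" in self.filters:
            parts.append(("src", src))
        if "per-destination" in self.filters:
            parts.append(("dst", dst))
        if "per-service" in self.filters:
            parts.append(("svc", proto, port))
        return tuple(parts)


class Policy:
    """Rules are tried in ascending rule ID; the first whose ACL matches
    decides (model assumption, read from the recommended rule ordering)."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.rule_id)

    def match(self, conn):
        return next((r for r in self.rules if r.acl(conn)), None)

    def can_open(self, conn):
        r = self.match(conn)
        if r is None:
            return True               # matches no rule: not limited
        k = r.key(conn)
        return k not in r.blocked and r.counts[k] < r.max_amount

    def open(self, conn):
        r = self.match(conn)
        if r is not None:
            k = r.key(conn)
            r.counts[k] += 1
            if r.counts[k] >= r.max_amount:   # upper limit reached: stop accepting
                r.blocked.add(k)

    def close(self, conn):
        r = self.match(conn)
        if r is not None:
            k = r.key(conn)
            r.counts[k] = max(0, r.counts[k] - 1)
            if r.counts[k] < r.min_amount:    # below the lower limit: accept again
                r.blocked.discard(k)


def admit(conn, inbound=None, global_policy=None, outbound=None):
    """Check policies in the manual's order (inbound interface, global,
    outbound interface); refuse if any one of them is at its upper limit."""
    policies = [p for p in (inbound, global_policy, outbound) if p is not None]
    if not all(p.can_open(conn) for p in policies):
        return False
    for p in policies:
        p.open(conn)
    return True


def release(conn, *policies):
    """A connection closed: decrement it in every policy that counted it."""
    for p in policies:
        p.close(conn)


def run_scenario():
    """Drive constructed traffic through an interface policy and a global
    policy and return the accept/refuse decisions observed."""
    tcp80 = lambda c: c[2] == "tcp" and c[3] == 80   # stands in for an advanced ACL
    any_ip = lambda c: True                           # stands in for a permit-any ACL
    iface = Policy([                                  # specific rule gets the smaller ID
        LimitRule(0, tcp80, {"per-source"}, max_amount=3, min_amount=2),
        LimitRule(1, any_ip, set(), max_amount=5, min_amount=5),
    ])
    glob = Policy([LimitRule(0, any_ip, {"per-destination", "per-service"},
                             max_amount=4, min_amount=4)])
    a = [("10.0.0.1", "192.0.2.10", "tcp", 80)] * 5
    b, c, d = [(f"10.0.0.{i}", "192.0.2.10", "tcp", 80) for i in (2, 3, 4)]
    out = {}
    out["a_first_four"] = [admit(x, iface, glob) for x in a[:4]]  # source A reaches max 3
    out["b_separate_counter"] = admit(b, iface, glob)             # source B has its own counter
    release(a[0], iface, glob)
    out["a_after_one_close"] = admit(a[4], iface, glob)           # count 2 is not below min 2
    release(a[1], iface, glob)
    out["a_after_two_closes"] = admit(a[4], iface, glob)          # count 1 < min 2: accepted again
    out["c_fills_global"] = admit(c, iface, glob)                 # global key (dst, tcp/80) hits max 4
    out["d_refused_by_global"] = admit(d, iface, glob)            # interface allows, global refuses
    out["d_other_service"] = admit(d[:3] + (443,), iface, glob)   # rule 1 on interface, new global key
    udp = [(f"10.0.1.{i}", "192.0.2.20", "udp", 53) for i in range(6)]
    out["udp_shared_counter"] = [admit(x, iface) for x in udp]    # rule 1: one counter, already holds tcp/443
    return out
```

Running run_scenario() shows the two things the prose leaves implicit: a per-source rule gives every source its own counter, so source B is still admitted while source A is blocked, and a blocked counter stays blocked after one close because the count must drop below min-amount, not merely below max-amount. The last line also shows that a rule with no per-* filter counts everything in its ACL range against a single limit, so the UDP connections share rule 1's counter with the earlier tcp/443 connection.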
