Connection Limit Configuration Example - HP VSR1000 Security Configuration Manual

Connection limit configuration example

Network requirements
As shown in Figure 89, a company has five public IP addresses: 202.38.1.1/24 to 202.38.1.5/24. The internal network address is 192.168.0.0/16. Configure NAT so that the internal users can access the Internet and external users can access the internal servers, and configure connection limits to meet the following requirements:
All hosts on segment 192.168.0.0/24 can establish up to 100000 connections to the external network.
Each host on segment 192.168.0.0/24 can establish up to 100 connections to the external network.
Up to 10000 query requests from DNS clients to the DNS server are allowed at the same time.
Up to 10000 connection requests from Web clients to the Web server are allowed at the same time.

Figure 89 Network diagram

Configuration procedure
The following example only describes how to configure connection limits. For information about NAT configuration and internal server configuration, see Layer 3—IP Services Configuration Guide.
# Create ACL 3000 to permit packets from all hosts on the internal network.
<Router> system-view
[Router] acl number 3000
[Router-acl-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255
[Router-acl-adv-3000] quit
# Create ACL 3001 to permit packets to the Web server and the DNS server.
[Router] acl number 3001
[Router-acl-adv-3001] rule permit ip destination 192.168.0.2 0
[Router-acl-adv-3001] rule permit ip destination 192.168.0.3 0
[Router-acl-adv-3001] quit
# Create connection limit policy 1.
[Router] connection-limit policy 1
# Configure connection limit rule 1 to permit up to 100000 connections from all the hosts that match ACL 3000. When the number of connections exceeds 100000, new connections cannot be established until the number drops below 95000.
[Router-connlmt-policy-1] limit 1 acl 3000 amount 100000 95000
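
The upper and lower limits in rule 1 form a hysteresis band: once the upper limit is hit, admission resumes only after the count falls below the lower limit. The Python model below is an added example, not code from the manual or from the router. It reproduces the ACL 3000 wildcard match and the 100000/95000 thresholds, and it assumes that the attempt that would push the count past the upper limit is the first one refused. The class name, function names and sample host addresses are hypothetical.

```python
import ipaddress

def acl_match(addr, base, wildcard):
    """Wildcard-mask match as in 'rule permit ip source <base> <wildcard>':
    bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

class LimitRule:
    """Simplified model of 'limit 1 acl 3000 amount <upper> <lower>'."""
    def __init__(self, base, wildcard, upper, lower):
        self.base, self.wildcard = base, wildcard
        self.upper, self.lower = upper, lower
        self.count = 0        # connections currently counted by the rule
        self.blocked = False  # True from hitting upper until count < lower

    def open(self, src):
        """Return True if a new connection from src is admitted."""
        if not acl_match(src, self.base, self.wildcard):
            return True       # source not matched by the ACL: rule does not apply
        # Assumption: the attempt that would push count past upper is refused.
        if self.blocked or self.count >= self.upper:
            self.blocked = True
            return False
        self.count += 1
        return True

    def close(self, src):
        """Account for a matched connection ending."""
        if acl_match(src, self.base, self.wildcard) and self.count > 0:
            self.count -= 1
            if self.count < self.lower:
                self.blocked = False

def demo():
    rule = LimitRule("192.168.0.0", "0.0.0.255", 100000, 95000)
    host = "192.168.0.10"     # constructed sample host on the limited segment
    results = {"filled": all(rule.open(host) for _ in range(100000))}
    results["over_upper"] = rule.open(host)        # refused
    for _ in range(5000):
        rule.close(host)
    results["at_lower"] = rule.open(host)          # count == 95000: still refused
    rule.close(host)
    results["below_lower"] = rule.open(host)       # count == 94999: admitted
    results["other_subnet"] = rule.open("192.168.1.10")  # outside the /24
    results["count"] = rule.count
    return results
```

The `other_subnet` case shows that a source outside 192.168.0.0 0.0.0.255 is not counted by this rule, so hosts elsewhere in 192.168.0.0/16 are not constrained by it.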