H3C MSR Series Command Reference Manual page 960

Comware 7 security

description text: Specifies a description for the connection limit rule, a case-sensitive string of 1 to
127 characters. By default, a connection limit rule does not have a description.
Usage guidelines
Each connection limit policy can define multiple rules. Each rule must specify the ACL to use, the rule type, and at least one of an upper/lower connection limit (amount) and a connection establishment rate limit (rate); a rule can carry both. In one rule, you can specify one or more of the per-destination, per-source, and per-service keywords, but you cannot specify the per-dslite-b4 keyword together with any other keyword. For example, if per-destination and per-source are both specified, connections are limited by the combination of source IP address and destination IP address: connections with the same source IP address and destination IP address are counted as the same type and share one limit.
When you configure a connection limit rule, follow these guidelines:
Different rules in the same connection limit policy must use different ACLs.
If you specify none of the per-destination, per-source, and per-service keywords, all connections that match the specified ACL are counted together and limited by the specified value.
When the connections established on the device are matched against a connection limit policy, the limit rules in the policy are matched in ascending order of rule ID.
When the specified ACL changes, connections that have already been established are limited according to the modified connection limit policy.
A rule that has the per-dslite-b4 keyword limits the IPv4 connections of each DS-Lite tunnel B4 device that matches the IPv6 ACL specified in the rule. On a DS-Lite tunnel network, if the AFTR device uses an Endpoint-Independent Mapping (EIM) NAT configuration, you must limit the connections initiated from external IPv4 networks to the internal IPv4 network. To implement B4 device-based connection limits, perform the following tasks:
Add a rule that has the per-dslite-b4 keyword to a connection limit policy.
Apply the policy globally or on the DS-Lite tunnel interface.
Examples
# Configure connection limit rule 1 for IPv4 connection limit policy 1:
1. Configure ACL 3000.
<Sysname> system-view
[Sysname] acl advanced 3000
[Sysname-acl-ipv4-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255
[Sysname-acl-ipv4-adv-3000] quit
2. Limit connections that match ACL 3000 by the source and destination IP addresses, with the upper limit 2000, lower limit 1800, and establishment rate 10 per second.
[Sysname] connection-limit policy 1
[Sysname-connlmt-policy-1] limit 1 acl 3000 per-destination per-source amount 2000 1800 rate 10
3. Verify that when the connection number exceeds 2000, new connections cannot be established until the connection number goes below 1800. (Details not shown.)
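The semantics described in the usage guidelines and exercised by step 3 above (rules matched in ascending rule-ID order, the per-source/per-destination/per-service keying that decides which connections are "the same type" and share a counter, and the upper/lower limit behaviour where new connections are refused once the upper limit is hit and stay refused until the count drops below the lower limit), as an added Python simulation. This is illustration code written for this page, not H3C code: the exact boundary conditions, the fixed one-second rate window, the simplified ACL (a list of permitted source prefixes), and the scaled-down limits in demo() are assumptions.

```python
"""Simulation of Comware connection limit rule semantics (added illustration, not H3C
code). Assumed, not from the manual: boundary conditions, one-second rate window, ACLs
reduced to permitted source prefixes."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    proto: str
    dport: int
    t: float  # seconds at which the connection attempt is seen

@dataclass
class LimitRule:
    rule_id: int
    acl: list                          # permitted source prefixes (simplified ACL)
    per_source: bool = False
    per_destination: bool = False
    per_service: bool = False
    max_amount: Optional[int] = None   # upper limit (amount max-amount ...)
    min_amount: Optional[int] = None   # lower limit (amount ... min-amount)
    rate: Optional[int] = None         # new connections per second (rate)

    def matches(self, c: Conn) -> bool:
        return any(ip_address(c.src) in ip_network(p) for p in self.acl)

    def key(self, c: Conn) -> tuple:
        """Connections agreeing on every selected field are 'the same type' and share a counter."""
        parts = []                     # no keyword selected -> key () shared by all matches
        if self.per_source:
            parts.append(("src", c.src))
        if self.per_destination:
            parts.append(("dst", c.dst))
        if self.per_service:
            parts.append(("svc", c.proto, c.dport))
        return tuple(parts)

@dataclass
class Counter:
    active: int = 0
    blocked: bool = False   # set at the upper limit, cleared once below the lower limit
    window_start: float = 0.0
    window_count: int = 0

class ConnectionLimitPolicy:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.rule_id)  # matched in ascending rule ID
        self.counters = {}

    def open(self, c: Conn):
        """Return (allowed, reason) for a new connection attempt."""
        for rule in self.rules:
            if not rule.matches(c):
                continue
            ctr = self.counters.setdefault((rule.rule_id, rule.key(c)), Counter())
            if rule.rate is not None:
                if c.t - ctr.window_start >= 1.0:   # start a new one-second window
                    ctr.window_start, ctr.window_count = c.t, 0
                if ctr.window_count >= rule.rate:
                    return False, f"rule {rule.rule_id}: rate {rule.rate}/s exceeded"
            if rule.max_amount is not None:
                if ctr.blocked:
                    return False, f"rule {rule.rule_id}: not yet below lower limit {rule.min_amount}"
                if ctr.active >= rule.max_amount:
                    ctr.blocked = True               # hysteresis: refuse until below min_amount
                    return False, f"rule {rule.rule_id}: upper limit {rule.max_amount} reached"
            ctr.active += 1
            if rule.rate is not None:
                ctr.window_count += 1
            return True, f"rule {rule.rule_id}"
        return True, "no rule matched"

    def close(self, c: Conn) -> None:
        """Release a connection that open() admitted."""
        for rule in self.rules:
            if not rule.matches(c):
                continue
            ctr = self.counters.setdefault((rule.rule_id, rule.key(c)), Counter())
            ctr.active = max(0, ctr.active - 1)
            if ctr.blocked and ctr.active < rule.min_amount:
                ctr.blocked = False                  # count went below the lower limit
            return

def demo():
    """Rule 1 of the manual scaled down to upper 5 / lower 3 / rate 10 per second."""
    rule = LimitRule(1, ["192.168.0.0/24"], per_source=True, per_destination=True,
                     max_amount=5, min_amount=3, rate=10)
    policy = ConnectionLimitPolicy([rule])
    def flow(i, src="192.168.0.10"):
        return Conn(src, "10.0.0.1", "tcp", 443, 0.1 * i)
    conns = [flow(i) for i in range(6)]
    out = [policy.open(c)[0] for c in conns]              # five admitted, sixth refused
    out.append(policy.open(flow(6, "192.168.0.11"))[0])   # other source: its own counter
    out.append(policy.open(flow(7, "172.16.0.5"))[0])     # outside the ACL: not limited
    for c in conns[:2]:
        policy.close(c)                                   # active 5 -> 3: still blocked
    out.append(policy.open(flow(9))[0])
    policy.close(conns[2])                                # active 2 < 3: block cleared
    out.append(policy.open(flow(10))[0])
    return out
```

demo() returns one admit decision per attempt; the refusal at the sixth attempt and the refusal after only two closes show the hysteresis band between the upper and lower limits, which is what keeps a host that sits at the threshold from flapping between admitted and refused on every single connection.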
# Configure connection limit rule 2 for IPv6 connection limit policy 12:
4. Configure ACL 2001.
<Sysname> system-view
[Sysname] acl ipv6 basic 2001
[Sysname-acl-ipv6-basic-2001] rule permit source 2:1::/96
[Sysname-acl-ipv6-basic-2001] quit
5. Limit connections that match ACL 2001 by the source and destination IP addresses, with the upper limit 200, lower limit 100, and establishment rate 10 per second.
[Sysname] connection-limit ipv6-policy 12
937
