- Table of Contents
-
- 03-Security Configuration Guide
- 00-Preface
- 01-Security zone configuration
- 02-Security policy configuration
- 03-ASPF configuration
- 04-Session management
- 05-Object group configuration
- 06-Object policy configuration
- 07-IP source guard configuration
- 08-AAA configuration
- 09-User identification configuration
- 10-Password control configuration
- 11-Portal configuration
- 12-MAC authentication configuration
- 13-IPoE configuration
- 14-Public key management
- 15-PKI configuration
- 16-SSH configuration
- 17-SSL configuration
- 18-Connection limit configuration
- 19-Attack detection and prevention configuration
- 20-Server connection detection configuration
- 21-ARP attack protection configuration
- 22-ND attack defense configuration
- 23-uRPF configuration
- 24-IP-MAC binding configuration
- 25-IP reputation configuration
- 26-APR configuration
- 27-Keychain configuration
- 28-Crypto engine configuration
- Related Documents
-
Title | Size | Download |
---|---|---|
18-Connection limit configuration | 108.37 KB |
Connection limit tasks at a glance
Creating a connection limit policy
Configuring the connection limit policy
About connection limit policies
Restrictions and guidelines for connection limit policy configuration
Configuring an IPv4 connection limit policy
Configuring an IPv6 connection limit policy
Applying the connection limit policy
About connection limit application
Restrictions and guidelines for connection limit application
Applying a connection limit policy to an interface
Applying a connection limit policy globally
Display and maintenance commands for connection limits
Connection limit configuration examples
Example: Configuring connection limits
Troubleshooting connection limits
ACLs in the connection limit rules with overlapping segments
Configuring connection limits
About connection limits
The connection limit feature enables the device to monitor and limit the number of established connections.
As shown in Figure 1, configure the connection limit feature to resolve the following issues:
· If Host B initiates a large number of connections in a short period of time, it might exhaust system resources and cause Host A to be unable to access the Internet.
· If the internal server receives a large number of connection requests in a short period of time, the server cannot process other requests.
Connection limit tasks at a glance
To configure connection limits, perform the following tasks:
1. Creating a connection limit policy
2. Configuring the connection limit policy
¡ Configuring an IPv4 connection limit policy
¡ Configuring an IPv6 connection limit policy
3. Applying the connection limit policy
¡ Applying a connection limit policy to an interface
¡ Applying a connection limit policy globally
Creating a connection limit policy
1. Enter system view.
system-view
2. Create a connection limit policy and enter its view.
connection-limit { ipv6-policy | policy } policy-id
Configuring the connection limit policy
About connection limit policies
To use a connection limit policy, you need to add limit rules to the policy. Each rule defines a range of connections and the criteria for limiting the connections. Connections in the range will be limited based on the criteria. The criteria include upper/lower connection limit and connection establishment rate limit. When the number of matching connections reaches the upper limit or connection rate limit, the device accepts or rejects new connections depending on the action you configured. If the action is to reject new connections, the device does not accept new connections until the number of connections drops below the lower limit or connection rate limit due to connection aging. The device will send logs when the number of connections exceeds the upper limit or connection rate limit. The device will send logs when the number of connections drops below the lower limit or connection rate limit only if the action is to reject new connections. The connections that do not match any connection limit rules are not limited.
In each connection limit rule, an ACL is used to define the connection range. In addition, the rule also uses the following filtering methods to further limit the connections:
· per-destination—Limits user connections by destination IP address.
· per-service—Limits user connections by service (transport layer protocol and service port).
· per-source—Limits user connections by source IP address.
· per-dslite-b4—Limits user connections by the B4 device on a DS-Lite tunnel. For information about DS-Lite tunnels, see VPN Configuration Guide.
You can select more than one filtering method, and the selected methods take effect at the same time. For example, if you specify both per-destination and per-service, the user connections using the same service and destined to the same IP address are limited. If you do not specify any filtering methods in a limit rule, all user connections in the range are limited.
Restrictions and guidelines for connection limit policy configuration
When a connection limit policy is applied, connections on the device match all limit rules in the policy in ascending order of rule IDs. As a best practice, specify a smaller range and more filtering methods in a rule with a smaller ID.
For distributed security devices, the connections are limited on a per-interface module basis.
Configuring an IPv4 connection limit policy
1. Enter system view.
system-view
2. Create an IPv4 connection limit policy and enter its view.
connection-limit policy policy-id
3. Configure a connection limit rule.
¡ Configure a connection limit rule based on destination IP address, service, or source IP address.
limit limit-id acl { acl-number | name acl-name } [ per-destination | per-service | per-source ] * { amount max-amount min-amount | rate rate } * [ description text | permit-new ] *
¡ Configure a connection limit rule based on DS-Lite tunnel.
limit limit-id acl ipv6 { acl-number | name acl-name } per-dslite-b4 { amount max-amount min-amount | rate rate } * [ description text | permit-new ] *
4. (Optional.) Configure a description for the connection limit policy.
description text
By default, an IPv4 connection limit policy does not have a description.
Configuring an IPv6 connection limit policy
1. Enter system view.
system-view
2. Create an IPv6 connection limit policy and enter its view.
connection-limit ipv6-policy policy-id
3. Configure a connection limit rule.
limit limit-id acl ipv6 { acl-number | name acl-name } [ per-destination | per-service | per-source ] * { amount max-amount min-amount | rate rate } * [ description text | permit-new ] *
4. (Optional.) Configure a description for the connection limit policy.
description text
By default, an IPv6 connection limit policy does not have a description.
Applying the connection limit policy
About connection limit application
To make a connection limit policy take effect, apply it globally or to an interface. The connection limit policy applied to an interface takes effect only on the specified connections on the interface. The connection limit policy applied globally takes effect on all the specified connections on the device.
Different connection limit policies can be applied to individual interfaces as well as globally on the device. In this case, the device matches connections against these policies in the order of the policy on the inbound interface, the global policy, and the policy on the outbound interface. It cannot accept new connections as long as the number of connections reaches the smallest upper connection limit defined by these policies.
Restrictions and guidelines for connection limit application
A connection limit policy or any modification to it takes effect only on new connections. It does not take effect on existing connections.
In a hot backup network where session synchronization is enabled, connection limit policies applied to a subordinate device do not take effect on sessions switched from the master device.
On a DS-Lite tunnel network, if the AFTR device uses the Endpoint-Independent Mapping-based NAT configuration, you must limit connections from external IPv4 networks to access the internal IPv4 network. To implement B4 device-based connection limits, perform the following tasks:
· Add a rule that has the per-dslite-b4 keyword to a connection limit policy.
· Apply the policy globally or on the DS-Lite tunnel interface.
Applying a connection limit policy to an interface
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Apply a connection limit policy to the interface.
connection-limit apply { ipv6-policy | policy } policy-id
By default, no connection limit policy is applied to an interface.
Only one IPv4 connection limit policy and one IPv6 connection limit policy can be applied to an interface. A new IPv4 or IPv6 connection limit policy overwrites the old policy.
Applying a connection limit policy globally
1. Enter system view.
system-view
2. Apply a connection limit policy globally.
connection-limit apply global { ipv6-policy | policy } policy-id
By default, no connection limit policy is applied globally.
Only one IPv4 connection limit policy and one IPv6 connection limit policy can be applied globally. A new IPv4 or IPv6 connection limit policy overwrites the old policy.
Display and maintenance commands for connection limits
Execute display commands in any view and reset commands in user view.
Task |
Command |
Display the connection limit policy information. |
display connection-limit { ipv6-policy | policy } { all | policy-id } |
Display the connection limit statistics globally or on an interface. |
display connection-limit statistics { global | interface interface-type interface-number } [ chassis chassis-number slot slot-number ] |
Display statistics about IPv4 connections matching connection limit rules globally or on an interface. |
display connection-limit stat-nodes { global | interface interface-type interface-number } [ chassis chassis-number slot slot-number ] [ { deny-new | permit-new } | destination destination-ip | service-port port-number | source source-ip ] * [ count ] display connection-limit stat-nodes { global | interface interface-type interface-number } [ chassis chassis-number slot slot-number ] dslite-peer b4-address [ count ] |
Display statistics about IPv6 connections matching connection limit rules globally or on an interface. |
display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ chassis chassis-number slot slot-number ] [ { deny-new | permit-new } | destination destination-ip | service-port port-number | source source-ip ] * [ count ] |
Clear the connection limit statistics globally or on an interface. |
reset connection-limit statistics { global | interface interface-type interface-number } [ chassis chassis-number slot slot-number ] |
Connection limit configuration examples
Example: Configuring connection limits
Network configuration
As shown in Figure 2, a company has five public IP addresses: 202.38.1.1/24 to 202.38.1.5/24. The internal network address is 192.168.0.0/16. Configure NAT so that the internal users can access the Internet and external users can access the internal servers. Configure connection limits to meet the following requirements:
· All hosts on segment 192.168.0.0/24 can establish a maximum of 100000 connections to the external network.
· Each host on segment 192.168.0.0/24 can establish a maximum of 100 connections to the external network.
· A maximum of 10000 query requests from DNS clients to the DNS server are allowed at the same time.
· A maximum of 10000 connection requests from Web clients to the Web server are allowed at the same time.
Procedure
The following example only describes how to configure connection limits. For information about NAT configuration and internal server configuration, see Layer 3—IP Services Configuration Guide.
# Assign IP addresses to interfaces and configure routes, security zones, and interzone policies. Make sure the network connections are available. (Details not shown.)
# Create ACL 3000 to permit packets from all hosts on the internal network.
<Device> system-view
[Device] acl advanced 3000
[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255
[Device-acl-ipv4-adv-3000] quit
# Create ACL 3001 to permit packets to the Web server and the DNS server.
[Device] acl advanced 3001
[Device-acl-ipv4-adv-3001] rule permit ip destination 192.168.0.2 0
[Device-acl-ipv4-adv-3001] rule permit ip destination 192.168.0.3 0
[Device-acl-ipv4-adv-3001] quit
# Create connection limit policy 1.
[Device] connection-limit policy 1
# Configure connection limit rule 1 to permit a maximum of 100000 connections from all the hosts that match ACL 3000. When the number of connections exceeds 100000, new connections cannot be established until the number drops below 95000.
[Device-connlmt-policy-1] limit 1 acl 3000 amount 100000 95000
# Configure connection limit rule 2 to permit a maximum of 10000 connections to the servers that match ACL 3001. When the number of connections exceeds 10000, new connections cannot be established until the number drops below 9800.
[Device-connlmt-policy-1] limit 2 acl 3001 per-destination amount 10000 9800
[Device-connlmt-policy-1] quit
# Create connection limit policy 2.
[Device] connection-limit policy 2
# Configure connection limit rule 1 to permit a maximum of 100 connections from each host matching ACL 3000. When the number of connections exceeds 100, new connections cannot be established until the number drops below 90.
[Device-connlmt-policy-2] limit 1 acl 3000 per-source amount 100 90
[Device-connlmt-policy-2] quit
# Apply connection limit policy 1 globally.
[Device] connection-limit apply global policy 1
# Apply connection limit policy 2 to inbound interface GigabitEthernet 1/2/5/1.
[Device] interface gigabitethernet 1/2/5/1
[Device-GigabitEthernet1/2/5/1] connection-limit apply policy 2
[Device-GigabitEthernet1/2/5/1] quit
Verifying the configuration
# Display information about the connection limit policy.
[Device] display connection-limit policy 1
IPv4 connection limit policy 1 has been applied 1 times, and has 2 limit rules.
Limit rule list:
Policy Rule StatType HiThres LoThres rate PermitNew ACL
-------------------------------------------------------------------------------
1 1 -- 100000 95000 0 No 3000
2 Dst 10000 9800 0 No 3001
Applied list:
Global
[Device] display connection-limit policy 2
IPv4 connection limit policy 2 has been applied 1 times, and has 1 limit rules.
Limit rule list:
Policy Rule StatType HiThres LoThres rate PermitNew ACL
--------------------------------------------------------------------------------
2 1 Src 100 90 0 No 3000
Applied list:
GigabitEthernet1/2/5/1
Troubleshooting connection limits
ACLs in the connection limit rules with overlapping segments
Symptom
A connection limit policy has two rules. Rule 1 sets the upper limit to 10 for the connections from each host on segment 192.168.0.0/24. Rule 2 sets the upper limit to 100 for the connections from 192.168.0.100/24.
<Device> system-view
[Device] acl basic 2001
[Device-acl-ipv4-basic-2001] rule permit source 192.168.0.0 0.0.0.255
[Device-acl-ipv4-basic-2001] quit
[Device] acl basic 2002
[Device-acl-ipv4-basic-2002] rule permit source 192.168.0.100 0
[Device-acl-ipv4-basic-2002] quit
[Device] connection-limit policy 1
[Device-connlmt-policy-1] limit 1 acl 2001 per-destination amount 10 5
[Device-connlmt-policy-1] limit 2 acl 2002 per-destination amount 100 10
As a result, the host at 192.168.0.100 can only initiate a maximum of 10 connections to the external network.
Solution
To resolve the issue:
1. Rearrange the two connection limit rules by exchanging their rule IDs.
2. If the issue persists, contact H3C Support.