本举例是在T5030的R9900版本版本上进行配置和验证的。
如下图所示,某公司拥有202.38.1.1/24至202.38.1.5/24五个公网IP地址,内部网络地址为192.168.0.0/16。通过配置NAT使得内部网络主机可以访问Internet,并提供两台内部服务器供外网访问。为保护内部网络及网络资源,需要进行以下限制:
192.168.0.0/24网段的全部主机总共最多只能与外网建立100000条连接。
192.168.0.0/24网段的每台主机最多只能与外网建立100条连接。
最多允许10000个DNS客户端同时向DNS服务器发送查询请求。
最多允许10000个Web客户端同时向Web服务器发送连接请求。
图-1 基于接口的连接数限制配置组网图
| 内网主机访问外部网络的NAT配置和内部服务器的配置请参见“NAT配置指导”中的“NAT”,此处不进行介绍,下面仅对连接限制的配置步骤进行详细描述。 |
配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.0.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设到Internet的下一跳IP地址为202.38.1.254,实际使用中请以具体组网情况为准,具体配置步骤如下。
[Device] ip route-static 0.0.0.0 0 202.38.1.254
配置接口加入安全域
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
配置安全策略
# 配置名称为trust-untrust的安全策略规则,使Host A可以正常访问Internet,具体配置步骤如下。
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-1-trust-untrust] source-zone trust
[Device-security-policy-ip-1-trust-untrust] destination-zone untrust
[Device-security-policy-ip-1-trust-untrust] source-ip-subnet 192.168.0.0 24
[Device-security-policy-ip-1-trust-untrust] action pass
[Device-security-policy-ip-1-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host可以正常访问内网服务器,具体配置步骤如下。
[Device-security-policy-ip] rule name untrust-trust
[Device-security-policy-ip-2-untrust-trust] source-zone untrust
[Device-security-policy-ip-2-untrust-trust] destination-zone trust
[Device-security-policy-ip-2-untrust-trust] destination-ip-subnet 192.168.0.0 24
[Device-security-policy-ip-2-untrust-trust] action pass
[Device-security-policy-ip-2-untrust-trust] quit
[Device-security-policy-ip] quit
配置ACL
# 创建ACL 3000,定义允许内网所有主机发送的报文通过,具体配置步骤如下。
[Device] acl advanced 3000
[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255
[Device-acl-ipv4-adv-3000] quit
# 创建ACL 3001,定义允许访问Web Server和DNS Server的报文通过,具体配置步骤如下。
[Device] acl advanced 3001
[Device-acl-ipv4-adv-3001] rule permit ip destination 192.168.0.2 0
[Device-acl-ipv4-adv-3001] rule permit ip destination 192.168.0.3 0
[Device-acl-ipv4-adv-3001] quit
配置连接数限制策略
# 创建连接数限制策略1,允许匹配ACL 3000的全部主机总共最多只能与外网建立100000条连接,超过100000时,需要等连接数恢复到95000以下才允许建立新的连接。允许匹配ACL 3001的服务器最多接受10000条连接请求,超过10000时,需要等连接数降到9800以下才允许建立新的连接,具体配置步骤如下。
[Device] connection-limit policy 1
[Device-connlmt-policy-1] limit 1 acl 3000 amount 100000 95000
[Device-connlmt-policy-1] limit 2 acl 3001 per-destination amount 10000 9800
[Device-connlmt-policy-1] quit
# 创建连接数限制策略2,允许匹配ACL 3000的每台主机最多只能与外网建立100条连接,超过100时,需要等连接数恢复到90以下才允许建立新的连接,具体配置步骤如下。
[Device] connection-limit policy 2
[Device-connlmt-policy-2] limit 1 acl 3000 per-source amount 100 90
[Device-connlmt-policy-2] quit
应用连接数限制策略
# 在全局应用连接数限制策略1。
[Device] connection-limit apply global policy 1
# 在入接口GigabitEthernet1/0/1上应用连接数限制策略2。
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] connection-limit apply policy 2
[Device-GigabitEthernet1/0/1] quit
# 上述配置完成后,执行display connection-limit policy命令显示连接数限制的配置情况,具体内容如下。
[Device] display connection-limit policy 1
IPv4 connection limit policy 1 has been applied 1 times, and has 2 limit rules.
Limit rule list:
Policy Rule StatType HiThres LoThres rate PermitNew ACL
-------------------------------------------------------------------------------
1 1 -- 100000 95000 0 No 3000
2 Dst 10000 9800 0 No 3001
Applied list:
Global
[Device] display connection-limit policy 2
IPv4 connection limit policy 2 has been applied 1 times, and has 1 limit rules.
Limit rule list:
Policy Rule StatType HiThres LoThres rate PermitNew ACL
--------------------------------------------------------------------------------
2 1 Src 100 90 0 No 3000
Applied list:
GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/1
ip address 192.168.0.1 255.255.255.0
connection-limit apply policy 2
#
interface GigabitEthernet1/0/2
ip address 202.38.1.1 255.255.0.0
connection-limit apply policy 2
#
ip route-static 0.0.0.0 0 202.38.1.254
#
security-zone name Trust
import interface GigabitEthernet1/0/1
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
#
security-policy ip
rule 1 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 192.168.0.0 255.255.255.0
rule 2 name untrust-trust
action pass
source-zone untrust
destination-zone trust
destination-ip-subnet 192.168.0.0 255.255.255.0
#
acl advanced 3000
rule 0 permit ip source 192.168.0.0 0.0.0.255
#
acl advanced 3001
rule 5 permit ip destination 192.168.0.2 0
rule 10 permit ip destination 192.168.0.3 0
#
connection-limit apply global policy 1
#
connection-limit policy 1
limit 1 acl 3000 amount 100000 95000
limit 2 acl 3001 per-destination amount 10000 9800
#
connection-limit policy 2
limit 1 acl 3000 per-source amount 100 90
#