CLI方式:基于接口的连接数限制典型配置

使用版本

本举例是在T5030的R9900版本版本上进行配置和验证的。

组网需求

如下图所示,某公司拥有202.38.1.1/24至202.38.1.5/24五个公网IP地址,内部网络地址为192.168.0.0/16。通过配置NAT使得内部网络主机可以访问Internet,并提供两台内部服务器供外网访问。为保护内部网络及网络资源,需要进行以下限制:

图-1 基于接口的连接数限制配置组网图

配置步骤

内网主机访问外部网络的NAT配置和内部服务器的配置请参见“NAT配置指导”中的“NAT”,此处不进行介绍,下面仅对连接限制的配置步骤进行详细描述。

  1. 配置接口IP地址

    # 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。

    <Device> system-view

    [Device] interface gigabitethernet 1/0/1

    [Device-GigabitEthernet1/0/1] ip address 192.168.0.1 255.255.255.0

    [Device-GigabitEthernet1/0/1] quit

    请参考以上步骤配置其他接口的IP地址,具体配置步骤略。

  2. 配置静态路由

    本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。

    # 请根据组网图中规划的信息,配置静态路由,本举例假设到Internet的下一跳IP地址为202.38.1.254,实际使用中请以具体组网情况为准,具体配置步骤如下。

    [Device] ip route-static 0.0.0.0 0 202.38.1.254

  3. 配置接口加入安全域

    # 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。

    [Device] security-zone name trust

    [Device-security-zone-Trust] import interface gigabitethernet 1/0/1

    [Device-security-zone-Trust] quit

    [Device] security-zone name untrust

    [Device-security-zone-Untrust] import interface gigabitethernet 1/0/2

    [Device-security-zone-Untrust] quit

  4. 配置安全策略

    # 配置名称为trust-untrust的安全策略规则,使Host A可以正常访问Internet,具体配置步骤如下。

    [Device] security-policy ip

    [Device-security-policy-ip] rule name trust-untrust

    [Device-security-policy-ip-1-trust-untrust] source-zone trust

    [Device-security-policy-ip-1-trust-untrust] destination-zone untrust

    [Device-security-policy-ip-1-trust-untrust] source-ip-subnet 192.168.0.0 24

    [Device-security-policy-ip-1-trust-untrust] action pass

    [Device-security-policy-ip-1-trust-untrust] quit

    # 配置名称为untrust-trust的安全策略规则,使Host可以正常访问内网服务器,具体配置步骤如下。

    [Device-security-policy-ip] rule name untrust-trust

    [Device-security-policy-ip-2-untrust-trust] source-zone untrust

    [Device-security-policy-ip-2-untrust-trust] destination-zone trust

    [Device-security-policy-ip-2-untrust-trust] destination-ip-subnet 192.168.0.0 24

    [Device-security-policy-ip-2-untrust-trust] action pass

    [Device-security-policy-ip-2-untrust-trust] quit

    [Device-security-policy-ip] quit

  5. 配置ACL

    # 创建ACL 3000,定义允许内网所有主机发送的报文通过,具体配置步骤如下。

    [Device] acl advanced 3000

    [Device-acl-ipv4-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255

    [Device-acl-ipv4-adv-3000] quit

    # 创建ACL 3001,定义允许访问Web Server和DNS Server的报文通过,具体配置步骤如下。

    [Device] acl advanced 3001

    [Device-acl-ipv4-adv-3001] rule permit ip destination 192.168.0.2 0

    [Device-acl-ipv4-adv-3001] rule permit ip destination 192.168.0.3 0

    [Device-acl-ipv4-adv-3001] quit

  6. 配置连接数限制策略

    # 创建连接数限制策略1,允许匹配ACL 3000的全部主机总共最多只能与外网建立100000条连接,超过100000时,需要等连接数恢复到95000以下才允许建立新的连接。允许匹配ACL 3001的服务器最多接受10000条连接请求,超过10000时,需要等连接数降到9800以下才允许建立新的连接,具体配置步骤如下。

    [Device] connection-limit policy 1

    [Device-connlmt-policy-1] limit 1 acl 3000 amount 100000 95000

    [Device-connlmt-policy-1] limit 2 acl 3001 per-destination amount 10000 9800

    [Device-connlmt-policy-1] quit

    # 创建连接数限制策略2,允许匹配ACL 3000的每台主机最多只能与外网建立100条连接,超过100时,需要等连接数恢复到90以下才允许建立新的连接,具体配置步骤如下。

    [Device] connection-limit policy 2

    [Device-connlmt-policy-2] limit 1 acl 3000 per-source amount 100 90

    [Device-connlmt-policy-2] quit

  7. 应用连接数限制策略

    # 在全局应用连接数限制策略1。

    [Device] connection-limit apply global policy 1

    # 在入接口GigabitEthernet1/0/1上应用连接数限制策略2。

    [Device] interface gigabitethernet 1/0/1

    [Device-GigabitEthernet1/0/1] connection-limit apply policy 2

    [Device-GigabitEthernet1/0/1] quit

验证配置

# 上述配置完成后,执行display connection-limit policy命令显示连接数限制的配置情况,具体内容如下。

[Device] display connection-limit policy 1

IPv4 connection limit policy 1 has been applied 1 times, and has 2 limit rules.

Limit rule list:

Policy Rule StatType HiThres LoThres rate PermitNew ACL

-------------------------------------------------------------------------------

1 1 -- 100000 95000 0 No 3000

2 Dst 10000 9800 0 No 3001

Applied list:

Global

[Device] display connection-limit policy 2

IPv4 connection limit policy 2 has been applied 1 times, and has 1 limit rules.

Limit rule list:

Policy Rule StatType HiThres LoThres rate PermitNew ACL

--------------------------------------------------------------------------------

2 1 Src 100 90 0 No 3000

Applied list:

GigabitEthernet1/0/1

配置文件

#

interface GigabitEthernet1/0/1

ip address 192.168.0.1 255.255.255.0

connection-limit apply policy 2

#

interface GigabitEthernet1/0/2

ip address 202.38.1.1 255.255.0.0

connection-limit apply policy 2

#

ip route-static 0.0.0.0 0 202.38.1.254

#

security-zone name Trust

import interface GigabitEthernet1/0/1

#

security-zone name Untrust

import interface GigabitEthernet1/0/2

#

security-policy ip

rule 1 name trust-untrust

action pass

source-zone trust

destination-zone untrust

source-ip-subnet 192.168.0.0 255.255.255.0

rule 2 name untrust-trust

action pass

source-zone untrust

destination-zone trust

destination-ip-subnet 192.168.0.0 255.255.255.0

#

acl advanced 3000

rule 0 permit ip source 192.168.0.0 0.0.0.255

#

acl advanced 3001

rule 5 permit ip destination 192.168.0.2 0

rule 10 permit ip destination 192.168.0.3 0

#

connection-limit apply global policy 1

#

connection-limit policy 1

limit 1 acl 3000 amount 100000 95000

limit 2 acl 3001 per-destination amount 10000 9800

#

connection-limit policy 2

limit 1 acl 3000 per-source amount 100 90

#