13-Security Configuration Guide

HomeSupportResource CenterH3C Access Points Cloud Mode Configuration Guides(E2442 R2442)-6W10013-Security Configuration Guide
14-Connection limit configuration
Title Size Download
14-Connection limit configuration 89.37 KB

Configuring connection limits

About connection limits

The connection limit feature enables the device to monitor and limit the number of established connections.

As shown in Figure 1, configure the connection limit feature to resolve the following issues:

·     If Host B initiates a large number of connections in a short period of time, it might exhaust system resources and cause Host A to be unable to access the Internet.

·     If the internal server receives a large number of connection requests in a short period of time, the server cannot process other requests.

Figure 1 Network diagram

 

Connection limit tasks at a glance

To configure connection limits, perform the following tasks:

1.     Creating a connection limit policy

2.     Configuring the connection limit policy

¡     Configuring an IPv4 connection limit policy

¡     Configuring an IPv6 connection limit policy

3.     Applying the connection limit policy

¡     Applying a connection limit policy to an interface

¡     Applying a connection limit policy globally

Creating a connection limit policy

1.     Enter system view.

system-view

2.     Create a connection limit policy and enter its view.

connection-limit { ipv6-policy | policy } policy-id

Configuring the connection limit policy

About connection limit policies

To use a connection limit policy, you need to add limit rules to the policy. Each rule defines a range of connections and the criteria for limiting the connections. Connections in the range will be limited based on the criteria. The criteria include upper/lower connection limit and connection establishment rate limit. When the number of matching connections reaches the upper limit, the device does not accept new connections until the number of connections drops below the lower limit. The device will send logs when the number of connections exceeds the upper limit and when the number of connections drops below the lower limit. If the matching connections are limited based on the establishment rate, the number of connections established per second cannot exceed the rate limit The connections that do not match any connection limit rules are not limited.

In each connection limit rule, an ACL is used to define the connection range. In addition, the rule also uses the following filtering methods to further limit the connections:

·     per-destination—Limits user connections by destination IP address.

·     per-service—Limits user connections by service (transport layer protocol and service port).

·     per-source—Limits user connections by source IP address.

·     per-dslite-b4—Limits user connections by the B4 device on a DS-Lite tunnel.

You can select more than one filtering method, and the selected methods take effect at the same time. For example, if you specify both per-destination and per-service, the user connections using the same service and destined to the same IP address are limited. If you do not specify any filtering methods in a limit rule, all user connections in the range are limited.

Restrictions and guidelines for connection limit policy configuration

When a connection limit policy is applied, connections on the device match all limit rules in the policy in ascending order of rule IDs. As a best practice, specify a smaller range and more filtering methods in a rule with a smaller ID.

For distributed security devices, the connections are limited on a per-interface module basis.

Configuring an IPv4 connection limit policy

1.     Enter system view.

system-view

2.     Create an IPv4 connection limit policy and enter its view.

connection-limit policy policy-id

3.     Configure a connection limit rule.

¡     Configure a connection limit rule based on destination IP address, service, or source IP address.

limit limit-id acl { acl-number | name acl-name } [ per-destination | per-service | per-source ] * { amount max-amount min-amount | rate rate } * [ description text ]

¡     Configure a connection limit rule based on DS-Lite tunnel.

limit limit-id acl ipv6 { acl-number | name acl-name } per-dslite-b4 { amount max-amount min-amount | rate rate } * [ description text ]

4.     (Optional.) Configure a description for the connection limit policy.

description text

By default, an IPv4 connection limit policy does not have a description.

Configuring an IPv6 connection limit policy

1.     Enter system view.

system-view

2.     Create an IPv6 connection limit policy and enter its view.

connection-limit ipv6-policy policy-id

3.     Configure a connection limit rule.

limit limit-id acl ipv6 { acl-number | name acl-name } [ per-destination | per-service | per-source ] * { amount max-amount min-amount | rate rate } * [ description text ]

4.     (Optional.) Configure a description for the connection limit policy.

description text

By default, an IPv6 connection limit policy does not have a description.

Applying the connection limit policy

About connection limit application

To make a connection limit policy take effect, apply it globally or to an interface. The connection limit policy applied to an interface takes effect only on the specified connections on the interface. The connection limit policy applied globally takes effect on all the specified connections on the device.

Different connection limit policies can be applied to individual interfaces as well as globally on the device. In this case, the device matches connections against these policies in the order of the policy on the inbound interface, the global policy, and the policy on the outbound interface. It cannot accept new connections as long as the number of connections reaches the smallest upper connection limit defined by these policies.

Restrictions and guidelines for connection limit application

A connection limit policy or any modification to it takes effect only on new connections. It does not take effect on existing connections.

On a DS-Lite tunnel network, if the AFTR device uses the Endpoint-Independent Mapping-based NAT configuration, you must limit connections from external IPv4 networks to access the internal IPv4 network. To implement B4 device-based connection limits, perform the following tasks:

·     Add a rule that has the per-dslite-b4 keyword to a connection limit policy.

·     Apply the policy globally or on the DS-Lite tunnel interface.

Applying a connection limit policy to an interface

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Apply a connection limit policy to the interface.

connection-limit apply { ipv6-policy | policy } policy-id

By default, no connection limit policy is applied to an interface.

Only one IPv4 connection limit policy and one IPv6 connection limit policy can be applied to an interface. A new IPv4 or IPv6 connection limit policy overwrites the old policy.

Applying a connection limit policy globally

1.     Enter system view.

system-view

2.     Apply a connection limit policy globally.

connection-limit apply global { ipv6-policy | policy } policy-id

By default, no connection limit policy is applied globally.

Only one IPv4 connection limit policy and one IPv6 connection limit policy can be applied globally. A new IPv4 or IPv6 connection limit policy overwrites the old policy.

Display and maintenance commands for connection limits

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display the connection limit policy information.

display connection-limit { ipv6-policy | policy } { all | policy-id }

Display the connection limit statistics globally or on an interface.

display connection-limit statistics { global | interface interface-type interface-number }

Display statistics about IPv4 connections matching connection limit rules globally or on an interface.

display connection-limit stat-nodes { global | interface interface-type interface-number } [ { deny-new | permit-new } | destination destination-ip | service-port port-number | source source-ip ] * [ count ]

display connection-limit stat-nodes { global | interface interface-type interface-number } dslite-peer b4-address [ count ]

Display statistics about IPv6 connections matching connection limit rules globally or on an interface.

display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ { deny-new | permit-new } | destination destination-ip | service-port port-number | source source-ip ] * [ count ]

Clear the connection limit statistics globally or on an interface.

reset connection-limit statistics { global | interface interface-type interface-number }

 

Troubleshooting connection limits

ACLs in the connection limit rules with overlapping segments

Symptom

A connection limit policy has two rules. Rule 1 sets the upper limit to 10 for the connections from each host on segment 192.168.0.0/24. Rule 2 sets the upper limit to 100 for the connections from 192.168.0.100/24.

<Device> system-view

[Device] acl basic 2001

[Device-acl-ipv4-basic-2001] rule permit source 192.168.0.0 0.0.0.255

[Device-acl-ipv4-basic-2001] quit

[Device] acl basic 2002

[Device-acl-ipv4-basic-2002] rule permit source 192.168.0.100 0

[Device-acl-ipv4-basic-2002] quit

[Device] connection-limit policy 1

[Device-connection-limit-policy-1] limit 1 acl 2001 per-destination amount 10 5

[Device-connection-limit-policy-1] limit 2 acl 2002 per-destination amount 100 10

As a result, the host at 192.168.0.100 can only initiate a maximum of 10 connections to the external network.

Solution

To resolve the issue:

1.     Rearrange the two connection limit rules by exchanging their rule IDs.

2.     If the issue persists, contact H3C Support.