16-Security Configuration Guide
12-Connection limit configuration
Restrictions: Hardware compatibility with connection limit
Connection limit tasks at a glance
Creating a connection limit policy
Configuring the connection limit policy
About connection limit policies
Restrictions and guidelines for connection limit policy configuration
Configuring an IPv4 connection limit policy
Configuring an IPv6 connection limit policy
Applying the connection limit policy
About connection limit application
Restrictions and guidelines for connection limit application
Applying a connection limit policy to an interface
Applying a connection limit policy globally
Display and maintenance commands for connection limits
Troubleshooting connection limits
ACLs in the connection limit rules with overlapping segments
Configuring connection limits
About connection limits
The connection limit feature enables the device to monitor and limit the number of established connections.
As shown in Figure 1, configure the connection limit feature to resolve the following issues:
· If Host B initiates a large number of connections in a short period of time, it might exhaust system resources and cause Host A to be unable to access the Internet.
· If the internal server receives a large number of connection requests in a short period of time, the server cannot process other requests.
Restrictions: Hardware compatibility with connection limit
Hardware series | Model | Product code | Connection limit compatibility
---|---|---|---
WX1800H series | WX1804H-PWR | EWP-WX1804H-PWR-CN | Yes
WX2500H series | WX2508H-PWR-LTE, WX2510H-PWR, WX2510H-F-PWR, WX2540H, WX2540H-F, WX2560H | EWP-WX2508H-PWR-LTE, EWP-WX2510H-PWR, EWP-WX2510H-F-PWR, EWP-WX2540H, EWP-WX2540H-F, EWP-WX2560H | Yes
MAK series | MAK204, MAK206 | EWP-MAK204, EWP-MAK206 | Yes
WX3000H series | WX3010H, WX3010H-X-PWR, WX3010H-L-PWR, WX3024H, WX3024H-L-PWR, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | Yes: WX3010H, WX3010H-X-PWR, WX3024H, WX3024H-F. No: WX3010H-L-PWR, WX3024H-L-PWR
WX3500H series | WX3508H, WX3508H-F, WX3510H, WX3510H-F, WX3520H, WX3520H-F, WX3540H, WX3540H-F | EWP-WX3508H, EWP-WX3508H-F, EWP-WX3510H, EWP-WX3510H-F, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H, EWP-WX3540H-F | Yes
WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | Yes
WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | Yes
Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | Yes

Hardware series | Model | Product code | Connection limit compatibility
---|---|---|---
WX1800H series | WX1804H-PWR, WX1810H-PWR, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H, EWP-WX1840H-GL | Yes
WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | Yes
WX5800H series | WX5860H | EWP-WX5860H-GL | Yes
Connection limit tasks at a glance
To configure connection limits, perform the following tasks:
1. Creating a connection limit policy
2. Configuring the connection limit policy
   · Configuring an IPv4 connection limit policy
   · Configuring an IPv6 connection limit policy
3. Applying the connection limit policy
   · Applying a connection limit policy to an interface
   · Applying a connection limit policy globally
Creating a connection limit policy
1. Enter system view.
system-view
2. Create a connection limit policy and enter its view.
connection-limit { ipv6-policy | policy } policy-id
Configuring the connection limit policy
About connection limit policies
To use a connection limit policy, you need to add limit rules to the policy. Each rule defines a range of connections and the criteria for limiting the connections. Connections in the range will be limited based on the criteria. The criteria include an upper/lower connection limit and a connection establishment rate limit. When the number of matching connections reaches the upper limit, the device does not accept new connections until the number of connections drops below the lower limit. The device sends logs when the number of connections exceeds the upper limit and when the number of connections drops below the lower limit. If the matching connections are limited based on the establishment rate, the number of connections established per second cannot exceed the rate limit. Connections that do not match any connection limit rule are not limited.
In each connection limit rule, an ACL is used to define the connection range. In addition, the rule also uses the following filtering methods to further limit the connections:
· per-destination—Limits user connections by destination IP address.
· per-service—Limits user connections by service (transport layer protocol and service port).
· per-source—Limits user connections by source IP address.
You can select more than one filtering method, and the selected methods take effect at the same time. For example, if you specify both per-destination and per-service, the user connections using the same service and destined to the same IP address are limited. If you do not specify any filtering methods in a limit rule, all user connections in the range are limited.
Restrictions and guidelines for connection limit policy configuration
When a connection limit policy is applied, connections on the device match all limit rules in the policy in ascending order of rule IDs. As a best practice, specify a smaller range and more filtering methods in a rule with a smaller ID.
Configuring an IPv4 connection limit policy
1. Enter system view.
system-view
2. Create an IPv4 connection limit policy and enter its view.
connection-limit policy policy-id
3. Configure a connection limit rule.
limit limit-id acl { acl-number | name acl-name } [ per-destination | per-service | per-source ] * { amount max-amount min-amount | rate rate } * [ description text ]
4. (Optional.) Configure a description for the connection limit policy.
description text
By default, an IPv4 connection limit policy does not have a description.
Configuring an IPv6 connection limit policy
1. Enter system view.
system-view
2. Create an IPv6 connection limit policy and enter its view.
connection-limit ipv6-policy policy-id
3. Configure a connection limit rule.
limit limit-id acl ipv6 { acl-number | name acl-name } [ per-destination | per-service | per-source ] * { amount max-amount min-amount | rate rate } * [ description text ]
4. (Optional.) Configure a description for the connection limit policy.
description text
By default, an IPv6 connection limit policy does not have a description.
Applying the connection limit policy
About connection limit application
To make a connection limit policy take effect, apply it globally or to an interface. The connection limit policy applied to an interface takes effect only on the specified connections on the interface. The connection limit policy applied globally takes effect on all the specified connections on the device.
Different connection limit policies can be applied to individual interfaces as well as globally on the device. In this case, the device matches connections against these policies in the following order: the policy on the inbound interface, the global policy, and then the policy on the outbound interface. The device cannot accept new connections as long as the number of connections has reached the smallest upper connection limit defined by these policies.
Restrictions and guidelines for connection limit application
A connection limit policy or any modification to it takes effect only on new connections. It does not take effect on existing connections.
Applying a connection limit policy to an interface
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Apply a connection limit policy to the interface.
connection-limit apply { ipv6-policy | policy } policy-id
By default, no connection limit policy is applied to an interface.
Only one IPv4 connection limit policy and one IPv6 connection limit policy can be applied to an interface. A new IPv4 or IPv6 connection limit policy overwrites the old policy.
Applying a connection limit policy globally
1. Enter system view.
system-view
2. Apply a connection limit policy globally.
connection-limit apply global { ipv6-policy | policy } policy-id
By default, no connection limit policy is applied globally.
Only one IPv4 connection limit policy and one IPv6 connection limit policy can be applied globally. A new IPv4 or IPv6 connection limit policy overwrites the old policy.
Display and maintenance commands for connection limits
IMPORTANT: The WX1800H series, WX2500H series, MAK series, and WX3000H series access controllers do not support parameters or commands that are available only in IRF mode.
Execute display commands in any view and reset commands in user view.
Task | Command
---|---
Display the connection limit policy information. | display connection-limit { ipv6-policy | policy } { all | policy-id }
Display the connection limit statistics globally or on an interface. | In standalone mode: display connection-limit statistics { global | interface interface-type interface-number }. In IRF mode: display connection-limit statistics { global | interface interface-type interface-number } [ slot slot-number ]
Display statistics about IPv4 connections matching connection limit rules globally or on an interface. | In standalone mode: display connection-limit stat-nodes { global | interface interface-type interface-number } [ { deny-new | permit-new } | destination destination-ip | service-port port-number | source source-ip ] * [ count ]. In IRF mode: display connection-limit stat-nodes { global | interface interface-type interface-number } [ slot slot-number ] [ { deny-new | permit-new } | destination destination-ip | service-port port-number | source source-ip ] * [ count ]
Display statistics about IPv6 connections matching connection limit rules globally or on an interface. | In standalone mode: display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ { deny-new | permit-new } | destination destination-ip | service-port port-number | source source-ip ] * [ count ]. In IRF mode: display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ slot slot-number ] [ { deny-new | permit-new } | destination destination-ip | service-port port-number | source source-ip ] * [ count ]
Clear the connection limit statistics globally or on an interface. | In standalone mode: reset connection-limit statistics { global | interface interface-type interface-number }. In IRF mode: reset connection-limit statistics { global | interface interface-type interface-number } [ slot slot-number ]
Troubleshooting connection limits
ACLs in the connection limit rules with overlapping segments
Symptom
A connection limit policy has two rules. Rule 1 sets the upper limit to 10 for the connections from each host on segment 192.168.0.0/24. Rule 2 sets the upper limit to 100 for the connections from 192.168.0.100/24.
<Device> system-view
[Device] acl basic 2001
[Device-acl-ipv4-basic-2001] rule permit source 192.168.0.0 0.0.0.255
[Device-acl-ipv4-basic-2001] quit
[Device] acl basic 2002
[Device-acl-ipv4-basic-2002] rule permit source 192.168.0.100 0
[Device-acl-ipv4-basic-2002] quit
[Device] connection-limit policy 1
[Device-connection-limit-policy-1] limit 1 acl 2001 per-destination amount 10 5
[Device-connection-limit-policy-1] limit 2 acl 2002 per-destination amount 100 10
As a result, the host at 192.168.0.100 can only initiate a maximum of 10 connections to the external network.
Solution
To resolve the issue:
1. Rearrange the two connection limit rules by exchanging their rule IDs.
2. If the issue persists, contact H3C Support.
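The behaviour behind this symptom, and the upper/lower-limit and rate semantics described under "About connection limit policies", can be traced with the following Python model. It is an added example written for this page, not H3C code: it reproduces ascending-ID rule matching on a basic ACL, the per-source/per-destination/per-service counter keys, the "deny new connections at the upper limit until the count drops below the lower limit" hysteresis, and a per-second establishment rate. The class and function names, the constructed destination address 203.0.113.10, and the decision to let the first matching rule apply are assumptions of this example; the ACLs and rule parameters are the ones from the troubleshooting case above.

```python
"""Model of connection-limit policy semantics (added example, not H3C code)."""
from __future__ import annotations

import ipaddress
import time
from dataclasses import dataclass, field


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Basic-ACL style match: a wildcard bit of 1 means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


@dataclass
class Connection:
    src: str
    dst: str
    proto: str   # transport protocol, e.g. "tcp"
    port: int    # destination service port


@dataclass
class LimitRule:
    limit_id: int
    acl: list[tuple[str, str]]           # permit (source, wildcard) entries
    filters: tuple[str, ...] = ()        # per-source / per-destination / per-service
    max_amount: int | None = None
    min_amount: int | None = None
    rate: int | None = None              # new connections per second

    def matches(self, c: Connection) -> bool:
        return any(wildcard_match(c.src, net, wc) for net, wc in self.acl)

    def key(self, c: Connection) -> tuple:
        """Counter key from the selected filters; () means the whole range shares one counter."""
        parts = []
        if "per-source" in self.filters:
            parts.append(("src", c.src))
        if "per-destination" in self.filters:
            parts.append(("dst", c.dst))
        if "per-service" in self.filters:
            parts.append(("svc", c.proto, c.port))
        return tuple(parts)


@dataclass
class Counter:
    established: int = 0
    deny_new: bool = False      # set at max_amount, cleared once below min_amount
    window_start: float = 0.0
    window_new: int = 0


class ConnectionLimitPolicy:
    def __init__(self, rules: list[LimitRule]):
        # Rules are consulted in ascending order of rule ID (assumption: first ACL match applies).
        self.rules = sorted(rules, key=lambda r: r.limit_id)
        self.state: dict[tuple[int, tuple], Counter] = {}
        self.log: list[str] = []

    def _select(self, c: Connection) -> LimitRule | None:
        for r in self.rules:
            if r.matches(c):
                return r
        return None  # connections matching no rule are not limited

    def open(self, c: Connection, now: float | None = None) -> bool:
        """Return True if a new connection is accepted, False if the policy denies it."""
        r = self._select(c)
        if r is None:
            return True
        now = time.monotonic() if now is None else now
        st = self.state.setdefault((r.limit_id, r.key(c)), Counter())
        if r.rate is not None:
            if now - st.window_start >= 1.0:        # start a new one-second window
                st.window_start, st.window_new = now, 0
            if st.window_new >= r.rate:
                return False
        if r.max_amount is not None and st.deny_new:
            return False
        st.established += 1
        st.window_new += 1
        if r.max_amount is not None and st.established >= r.max_amount and not st.deny_new:
            st.deny_new = True
            self.log.append(f"rule {r.limit_id}: upper limit {r.max_amount} reached, denying new connections")
        return True

    def close(self, c: Connection) -> None:
        r = self._select(c)
        if r is None:
            return
        st = self.state[(r.limit_id, r.key(c))]
        st.established -= 1
        if st.deny_new and r.min_amount is not None and st.established < r.min_amount:
            st.deny_new = False
            self.log.append(f"rule {r.limit_id}: below lower limit {r.min_amount}, accepting new connections")


ACL_2001 = [("192.168.0.0", "0.0.0.255")]   # the whole segment
ACL_2002 = [("192.168.0.100", "0.0.0.0")]   # the single host

# Symptom: rule 1 (the /24) is checked first and shadows rule 2 (the host).
SYMPTOM = [LimitRule(1, ACL_2001, ("per-destination",), 10, 5),
           LimitRule(2, ACL_2002, ("per-destination",), 100, 10)]
# Solution: exchange the rule IDs so the more specific ACL is checked first.
SOLUTION = [LimitRule(2, ACL_2001, ("per-destination",), 10, 5),
            LimitRule(1, ACL_2002, ("per-destination",), 100, 10)]


def max_connections_from_host(rules, src="192.168.0.100", dst="203.0.113.10", attempts=200):
    """Open connections from src to dst until the policy denies one; return how many were accepted."""
    policy = ConnectionLimitPolicy(rules)
    accepted = 0
    for _ in range(attempts):
        if not policy.open(Connection(src, dst, "tcp", 443), now=0.0):
            break
        accepted += 1
    return accepted


def reopen_after_closes():
    """Fill rule 1 to its upper limit, then count closes needed before a new connection is accepted."""
    policy = ConnectionLimitPolicy(SYMPTOM)
    conns = [Connection(f"192.168.0.{i}", "203.0.113.10", "tcp", 443) for i in range(1, 11)]
    for c in conns:
        policy.open(c, now=0.0)
    probe = Connection("192.168.0.50", "203.0.113.10", "tcp", 443)
    closes = 0
    while not policy.open(probe, now=0.0):
        policy.close(conns[closes])
        closes += 1
    return closes


def rate_limited_accepts():
    """With rate 3, only three new connections per second from one source are accepted."""
    policy = ConnectionLimitPolicy([LimitRule(1, ACL_2001, ("per-source",), rate=3)])
    c = Connection("192.168.0.20", "203.0.113.10", "tcp", 80)
    return [policy.open(c, now=t) for t in (0.0, 0.1, 0.2, 0.3, 1.0)]


if __name__ == "__main__":
    print("symptom ordering, host .100 accepted:", max_connections_from_host(SYMPTOM))
    print("solution ordering, host .100 accepted:", max_connections_from_host(SOLUTION))
    print("closes before reopen:", reopen_after_closes())
    print("rate trace:", rate_limited_accepts())
```

With the original rule order the host at 192.168.0.100 is held to 10 connections; after exchanging the rule IDs it gets 100 while every other host on the segment still gets 10. The `reopen_after_closes` trace also shows why the lower limit matters: after 10 connections are established, six must close (leaving 4, which is below the lower limit of 5) before the device accepts a new one again.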