policy-id: Specifies the ID of a connection limit policy. IPv4 and IPv6 connection limit policies have independent numbering systems. The value range for this argument is 1 to 32.

Examples

# Create IPv4 connection limit policy 1 and enter its view.

<Sysname> system-view

[Sysname] connection-limit policy 1

[Sysname-connlmt-policy-1]

# Create IPv6 connection limit policy 12 and enter its view.

<Sysname> system-view

[Sysname] connection-limit ipv6-policy 12

[Sysname-connlmt-ipv6-policy-12]

Related commands

connection-limit apply

connection-limit apply global

display connection-limit

limit

connection-limit apply

Use connection-limit apply to apply a connection limit policy to an interface.

Use undo connection-limit apply to remove a connection limit policy from an interface.

Syntax

connection-limit apply { ipv6-policy | policy } policy-id

undo connection-limit apply { ipv6-policy | policy }

Default

No connection limit policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-policy: Specifies an IPv6 connection limit policy.

policy: Specifies an IPv4 connection limit policy.

policy-id: Specifies the ID of a connection limit policy. The value range for this argument is 1 to 32.

Usage guidelines

Only one IPv4 connection limit policy and one IPv6 connection limit policy can be applied to an interface. A new IPv4 or IPv6 connection limit policy overwrites the old one.

Examples

# Apply IPv4 connection limit policy 1 to VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] connection-limit apply policy 1

# Apply IPv6 connection limit policy 12 to VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] connection-limit apply ipv6-policy 12

Related commands

connection-limit

limit

connection-limit apply global

Use connection-limit apply global to apply a connection limit policy globally.

Use undo connection-limit apply global to remove the application.

Syntax

connection-limit apply global { ipv6-policy | policy } policy-id

undo connection-limit apply global { ipv6-policy | policy }

Default

No connection limit policy is applied globally.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-policy: Specifies an IPv6 connection limit policy.

policy: Specifies an IPv4 connection limit policy.

policy-id: Specifies the ID of a connection limit policy. The value range for this argument is 1 to 32.

Usage guidelines

Only one IPv4 connection limit policy and one IPv6 connection limit policy can be applied globally. A new IPv4 or IPv6 connection limit policy overwrites the old one.

Examples

# Apply IPv4 connection limit policy 1 globally.

<Sysname> system-view

[Sysname] connection-limit apply global policy 1

# Apply IPv6 connection limit policy 12 globally.

<Sysname> system-view

[Sysname] connection-limit apply global ipv6-policy 12

Related commands

connection-limit

limit

connection-limit log-suppress interval

Use connection-limit log-suppress interval to set the logging suppression interval.

Use undo connection-limit log-suppress interval to restore the default.

Syntax

connection-limit log-suppress interval time-value

undo connection-limit log-suppress interval

Default

Connection limit log messages are not suppressed.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the logging suppression interval in the range of 1 to 60 seconds.

Usage guidelines

If a connection limit rule is matched frequently in a short period after the upper limit is reached, the device records a large number of repeated log messages for the rule. This command suppresses the generation of repeated log messages for the same rule in the specified period.

The suppression start time of a log message is the time when it is generated.

If you want to know whether the upper limit is reached during a short interval, set a short interval value to avoid generating a very small number of log messages.

Examples

# Set the logging suppression interval to 30 seconds.

<Sysname> system-view

[Sysname] connection-limit log-suppress interval 30

description

Use description to configure a description for a connection limit policy.

Use undo description to restore the default.

Syntax

description text

undo description

Default

A connection limit policy does not have a description.

Views

IPv4 connection limit policy view

IPv6 connection limit policy view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the description as CenterToA for IPv4 connection limit policy 1.

<Sysname> system-view

[Sysname] connection-limit policy 1

[Sysname-connlmt-policy-1] description CenterToA

Related commands

display connection-limit

Use display connection-limit to display information about connection limit policies.

Syntax

display connection-limit { ipv6-policy | policy } { policy-id | all }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6-policy: Specifies an IPv6 connection limit policy.

policy: Specifies an IPv4 connection limit policy.

policy-id: Specifies a connection limit policy by its ID. The value range for this argument is 1 to 32.

all: Specifies all connection limit policies.

Examples

# Display information about all IPv4 connection limit policies.

<Sysname> display connection-limit policy all

3 policies in total:

Policy Rule Stat Type HiThres LoThres ACL

--------------------------------------------------------------------------------

0 1 Src-Dst-Port 2000 1800 3000

12 Src-Dst 500 45 3001

255 -- 1000000 980000 2001

1 2 Dst-Port 800 70 3010

3 Src-Dst 100 90 3000

10 Src-Dst-Port 50 45 3003

11 Src 200 200 3004

200 -- 500000 498000 2002

28 4 Port 1500 1400 3100

5 Dst 3000 280 3101

21 Src-Dst 200 180 3102

25 Src-Port 50 35 3200

Description list:

Policy Description

--------------------------------------------------------------------------------

1 IPv4Description1

28 Description for IPv4 28

# Display information about IPv4 connection limit policy 1.

<Sysname> display connection-limit policy 1

IPv4 connection limit policy 1 has been applied 5 times, and has 5 limit rules.

Description: IPv4Description1

Limit rule list:

Policy Rule Stat Type HiThres LoThres ACL

--------------------------------------------------------------------------------

1 2 Dst-Port 800 700 3010

3 Src-Dst 100 90 3000

10 Src-Dst-Port 50 45 3003

11 Src 200 200 3004

200 -- 500000 498000 2002

Application list:

GigabitEthernet1/0/1

GigabitEthernet1/0/2

Vlan-interface1

Tunnel0

Global

# Display information about all IPv6 connection limit policies.

<Sysname> display connection-limit ipv6-policy all

2 policies in total:

Policy Rule Stat Type HiThres LoThres ACL

--------------------------------------------------------------------------------

3 1 Src-Dst 1000 800 3010

2 Dst 500 450 3001

4 2 Src-Dst-Port 800 700 3010

3 Src 100 90 3020

200 -- 100000 89000 2005

Description list:

Policy Description

--------------------------------------------------------------------------------

3 IPv6Description3

4 Description for IPv6 4

# Display information about IPv6 connection limit policy 3.

<Sysname> display connection-limit ipv6-policy 3

IPv6 connection limit policy 3 has been applied 3 times, and has 2 limit rules.

Description: IPv6Description3

Limit rule list:

Policy Rule Stat Type HiThres LoThres ACL

--------------------------------------------------------------------------------

3 1 Src-Dst 1000 800 3010

2 Dst 500 450 3001

Application list:

GigabitEthernet1/0/1

Vlan-interface1

Tunnel0

Table 1 Command output

Field	Description
Limit rule list	Connection limit policy information.
Policy	Number of the connection limit policy.
Rule	Number of the connection limit rule.
Stat Type	Statistics types: · Src-Dst-Port—Limits connections by source IP, destination IP, and service combination. · Src-Dst—Limits connections by source IP address and destination IP address combination. · Src-Port—Limits connections by source IP and service combination. · Dst-Port—Limits connections by destination IP and service combination. · Src—Limits connections by source IP address. · Dst—Limits connections by destination IP address. · Port—Limits connections by service. · Dslite—Limits connections by B4 device of a DS-Lite tunnel. · --—Limits connections not by a specific IP address or service. All connections that match the ACL used by the rule are limited.
HiThres	Upper limit of the connections.
LoThres	Lower limit of the connections.
ACL	Number or name of the ACL used by the rule.
Application list	Application list of the connection limit policy, including interface name and Global. Global indicates that the connection limit policy is applied globally.
Description	Connection limit policy description.
Description list	List of connection limit policy descriptions.

Related commands

connection-limit

connection-limit apply

connection-limit apply global

limit

display connection-limit ipv6-stat-nodes

Use display connection-limit ipv6-stat-nodes to display statistics about IPv6 connections that match connection limit rules globally or on an interface.

Syntax

display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ destination destination-ip | service-port port-number | source source-ip ] * [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

global: Displays statistics about IPv6 connections that match connection limit rules globally.

interface interface-type interface-number: Specifies an interface by its type and number.

destination destination-ip: Specifies a destination by its IP address.

service-port port-number: Specifies a service port by its port number.

source source-ip: Specifies a source by its IP address.

count: Displays only the number of limit rule-based statistics sets. Detailed information about the specified IPv6 connections is not displayed. If you do not specify this keyword, the command displays detailed information about the specified IPv6 connections that match connection limit rules.

Usage guidelines

The statistics for this command include the following information:

· Connection information, including the source/destination IP address, service port, and transport layer protocol of connections.

· Matching connection limit rules.

· Number of current connections.

· Whether or not new connections can be created.

To further filter the output statistics, specify the following options in the command:

· source source-ip.

· destination destination-ip.

· service-port port-number.

For example, if you specify the source source-ip and destination destination-ip combination, this command displays statistics about IPv6 connections that match connection limit rules by source IP address and destination IP address.

If you specify none of the source source-ip, destination destination-ip, and service-port port-number options, this command displays statistics about all IPv6 connections that match connection limit rules.

Deleting or modifying an IPv6 connection limit policy will not delete the effective IPv6 connection limit rule-based statistics sets. An IPv6 connection limit rule-based statistics set will be automatically deleted after all the IPv6 connections for the set are disconnected.

Examples

# Display the number of global limit rule-based statistics sets that match the source IP address 2::1.

<Sysname> display connection-limit ipv6-stat-nodes global source 2::1 count

Current limit statistic nodes count is 16.

# Display the number of global IPv6 limit rule-based statistics sets.

<Sysname> display connection-limit ipv6-stat-nodes global

Src IP address : Any

VPN instance : --

Dst IP address : Any

VPN instance : --

DS-Lite tunnel peer : --

Service : icmp/0

Limit rule ID : 22(ACL: 3666)

Sessions threshold Hi/Lo: 3500/3000

Sessions count : 3100

New session flag : Permit

# Display statistics about IPv6 connections that match the connection limit rule on VLAN-interface 2.

<Sysname> display connection-limit ipv6-stat-nodes interface vlan-interface 2

Src IP address : Any

VPN instance : vpn5

Dst IP address : fe80::5ed9:98ff:feb1:69b6

VPN instance : abcdefghijklmnopqrstuvwxyzabcde

DS-Lite tunnel peer : 9876543210

Service : tcp/12345

Limit rule ID : 12345(ACL: 3184)

Sessions threshold Hi/Lo: 1000000/90000

Sessions count : 150000

New session flag : Permit

Table 2 Command output

Field	Description
Src IP address	Source IP address.
Dst IP address	Destination IP address.
VPN instance	This field is not supported in the current software version. MPLS L3VPN instance to which the IP address belongs. Two hyphens (--) indicates that the IP address is on the public network.
DS-Lite tunnel peer	This field is not supported in the current software version. ID of the DS-Lite tunnel. Two hyphens (--) indicates that the connection does not belong to a DS-Lite tunnel.
Service	Protocol name and service port number. For an unwell-known protocol, this field displays unknown(xx).The cross signs (xx) indicates the protocol number. For the ICMP protocol, the protocol number is the decimal digits that are converted from the hexadecimal contents of the type and code fields.
Limit rule ID	ID of the matched rule. The ACL number of the rule is enclosed in parentheses.
Sessions threshold Hi/Lo	Upper and lower connection limits.
Sessions count	Number of current connections.
New session flag	Whether or not new connections can be created: · Permit—New connections can be created. · Deny—New connections cannot be created. NOTE: When the number of connections reaches the upper limit, this field displays Permit although new connections are not allowed. This field displays Deny only when the number of connections exceeds the upper limit.

Related commands

connection-limit apply global ipv6-policy

connection-limit apply ipv6-policy

connection-limit ipv6-policy

limit

display connection-limit statistics

Use display connection-limit statistics to display the connection limit statistics globally or on an interface.

Syntax

display connection-limit statistics { global | interface interface-type interface-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

global: Displays the global connection limit statistics.

interface interface-type interface-number: Specifies an interface by its type and number.

Examples

# Display the global connection limit statistics.

<Sysname> display connection-limit statistics global

Connection limit statistics (Global, slot 1):

Dropped IPv4 packets: 54781

Dropped IPv6 packets: 11457

Table 3 Command output

Field	Description
Dropped IPv4 packet	Number of IPv4 packets that are dropped because the upper connection limit is exceeded for the IPv4 connection limit policy that is configured globally or on an interface.
Dropped IPv6 packet	Number of IPv6 packets that are dropped because the upper connection limit is exceeded for the IPv6 connection limit policy that is configured globally or on an interface.

Related commands

connection-limit

connection-limit apply

connection-limit apply global

limit

display connection-limit stat-nodes

Use display connection-limit stat-nodes to display statistics about IPv4 connections that match connection limit rules globally or on an interface.

Syntax

display connection-limit stat-nodes { global | interface interface-type interface-number } [ destination destination-ip | service-port port-number | source source-ip ] * [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

global: Displays statistics about IPv4 connections that match connection limit rules globally.

interface interface-type interface-number: Specifies an interface by its type and number.

destination destination-ip: Specifies a destination by its IP address.

service-port port-number: Specifies a service port by its port number.

source source-ip: Specifies a source by its IP address.

count: Displays only the number of limit rule-based statistics sets. Detailed information about the specified IPv4 connections is not displayed. If you do not specify this keyword, the command displays detailed information about the specified IPv4 connections that match connection limit rules.

Usage guidelines

The statistics for this command include the following information:

· Connection information, including the source/destination IP address, service port, and transport layer protocol of connections.

· Matching connection limit rules.

· Number of current connections.

· Whether or not new connections can be created.

To further filter the output statistics, specify the following options in the command:

· source source-ip.

· destination destination-ip.

· service-port port-number.

For example, if you specify the source source-ip and destination destination-ip combination, this command displays statistics about IPv4 connections that match connection limit rules by source IP address and destination IP address.

If you do not specify any of the source source-ip, destination destination-ip, and service-port port-number options, this command displays statistics about all IPv4 connections that match connection limit rules.

Deleting or modifying an IPv4 connection limit policy will not delete the effective IPv6 connection limit rule-based statistics sets. An IPv4 connection limit rule-based statistics set will be automatically deleted after all the IPv6 connections for the set are disconnected.

Examples

# Display the number of global limit rule-based statistics sets.

<Sysname> display connection-limit stat-nodes global count

Current limit statistic nodes count is 5.

# Display statistics about all IPv4 connections that match the connection limit rule on VLAN-interface 2.

<Sysname> display connection-limit stat-nodes interface vlan-interface 2

Src IP address : 100.100.100.100

VPN instance : 0123456789012345678901234567890

Dst IP address : 200.200.200.200

VPN instance : abcdefghijklmnopqrstuvwxyzabcde

DS-Lite tunnel peer : 1234567890

Service : tcp/12345

Limit rule ID : 12345(ACL: 3001)

Sessions threshold Hi/Lo: 1100000/980000

Sessions count : 1050000

New session flag : Permit

Table 4 Command output

Field	Description
Src IP address	Source IP address.
Dst IP address	Destination IP address.
VPN instance	This field is not supported in the current software version. MPLS L3VPN instance to which the IP address belongs. Two hyphens (--) indicates that the IP address is on the public network.
DS-Lite tunnel peer	This field is not supported in the current software version. ID of the DS-Lite tunnel. Two hyphens (--) indicates that the connection does not belong to a DS-Lite tunnel.
Service	Protocol name and service port number. For an unwell-known protocol, this field displays unknown(xx). The cross signs (xx) represents the protocol number. For the ICMP protocol, the protocol number is the decimal digits that are converted from the hexadecimal contents of the type and code fields.
Sessions threshold Hi/Lo	Upper and lower connection limits.
Sessions count	Number of current connections.
New session flag	Whether or not new connections can be created: · Permit—New connections can be created. · Deny—New connections cannot be created. NOTE: When the number of connections reaches the upper limit, this field displays Permit although new connections are not allowed. This field displays Deny only when the number of connections exceeds the upper limit.

Related commands

connection-limit apply global policy

connection-limit apply policy

connection-limit policy

limit

Use limit to configure a connection limit rule.

Use undo limit to delete a connection limit rule.

Syntax

In IPv4 connection limit policy view:

limit limit-id acl { acl-number | name acl-name } [ per-destination | per-service | per-source ] * amount max-amount min-amount [ description text ]

undo limit limit-id

In IPv6 connection limit policy view:

limit limit-id acl ipv6 { acl-number | name acl-name } [ per-destination | per-service | per-source ] * amount max-amount min-amount [ description text ]

undo limit limit-id

Default

No connection limit rules exist.

Views

IPv4 connection limit policy view

IPv6 connection limit policy view

Predefined user roles

network-admin

Parameters

limit-id: Specifies a connection limit rule by its ID. The value range for this argument is 1 to 256.

acl: Specifies the ACL that matches the user range. Only the user connections that match the ACL are limited.

ipv6: Specifies an IPv6 ACL. If you do not specify this keyword, an IPv4 ACL is used.

acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. To avoid confusion, it cannot be all.

per-destination: Limits connections by destination IP address.

per-service: Limits connections by service depending on transport layer protocol and service port.

per-source: Limits connections by source IP address.

amount: Specifies the upper and lower connection limits.

max-amount: Specifies the upper connection limit in the range of 1 to 4294967295. When user connections in a range or of a type exceed the upper connection limit, new connections cannot be created.

min-amount: Specifies the lower connection limit in the range of 1 to 4294967295. The lower connection limit cannot be greater than the upper connection limit. New connections cannot be created until the connection number goes below the lower connection limit.

description text: Specifies a description for the connection limit rule, a case-sensitive string of 1 to 127 characters. By default, a connection limit rule does not have a description.

Usage guidelines

Each connection limit policy can define multiple rules, and each rule must specify the used ACL, rule type, and upper/lower connection limit. In one rule, you can specify one or multiple of the keywords per-destination, per-source, and per-service. For example, if the per-destination and per-source combination is specified, connections are limited by the source IP address and destination IP address. Connections with the same source IP address and destination IP address are the same type.

When you configure a connection limit rule, follow these guidelines:

· Different rules in the same connection limit policy must use different ACLs.

· If you specify none of the per-destination, per-source, and per-service keywords, all connections that match the specified ACL are limited by the specified value.

· When the connections established on a device are matched against a connection limit policy, the limit rules in the policy are matched in ascending order of rule ID.

· When the specified ACL changes, the connections that have been established are limited by the new connection limit policy.

Examples

# Configure connection limit rule 1 for IPv4 connection limit policy 1:

1. Configure ACL 3000.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255

[Sysname-acl-ipv4-adv-3000] quit

2. Limit connections that match ACL 3000 by the source and destination IP addresses, with the upper limit 2000 and lower limit 1800.

[Sysname] connection-limit policy 1

[Sysname-connlmt-policy-1] limit 1 acl 3000 per-destination per-source amount 2000 1800

3. Verify that when the connection number exceeds 2000, new connections cannot be established until the connection number goes below 1800. (Details not shown.)

# Configure connection limit rule 2 for IPv6 connection limit policy 12:

1. Configure ACL 2001.

<Sysname> system-view

[Sysname] acl ipv6 basic 2001

[Sysname-acl-ipv6-basic-2001] rule permit source 2:1::/96

[Sysname-acl-ipv6-basic-2001] quit

2. Limit connections that match ACL 2001 by the source and destination IP addresses, with the upper limit 200 and lower limit 100.

[Sysname] connection-limit ipv6-policy 12

[Sysname-connlmt-ipv6-policy-12] limit 2 acl ipv6 2001 per-destination amount 200 100

3. Verify that when the connection number exceeds 200, new connections cannot be established until the connection number goes below 100. (Details not shown.)

Related commands

connection-limit

display connection-limit

reset connection-limit statistics

Use reset connection-limit statistics to clear the connection limit statistics globally or on an interface.

Syntax

reset connection-limit statistics { global | interface interface-type interface-number }

Views

User view

Predefined user roles

network-admin

network-operator

Parameters

global: Clears the global connection limit statistics.

interface interface-type interface-number: Specifies an interface by its type and number.

Examples

# Clear the connection limit statistics on VLAN-interface 2.

<Sysname> reset connection-limit statistics interface vlan-interface 2

Related commands

display connection-limit statistics

16-Security Command Reference

Connection limit commands