Connection limit
This help contains the following topics:
Introduction
The connection limit feature enables the device to collect statistics and limit the number of established connections. It helps protect internal network resources and better allocate system resources.
Connection limit policies
The device supports both IPv4 and IPv6 connection limit policies. You can apply a configured connection limit policy globally or to an interface to limit the number of user connections.
The connection limit policy applied to an interface takes effect only on the specified connections on the interface. The connection limit policy applied globally takes effect on all the specified connections on the device.
Different connection limit policies can be applied to individual interfaces as well as globally on the device. In this case, the device matches connections against these policies in the order of the policy on the inbound interface, the global policy, and the policy on the outbound interface. New connections are limited as long as the number of connections reaches the smallest upper connection limit defined by these policies.
Connection limit rules
To use a connection limit policy, you need to add limit rules to the policy. Each rule defines a range of connections and the criteria for limiting the connections. Connections in the range will be limited based on the criteria. The following criteria are available:
Connection limits —Limit the number of matching connections. When the number of matching connections reaches the upper limit, the device accepts or rejects new connections or blacklists source IP addresses depending on the action you configured. If the action is to reject new connections, the device does not accept new connections until the number of connections drops below the lower limit due to connection aging. If the action is to blacklist source IP addresses, the device does not accept new connections from the blacklisted IP addresses until the blacklist entries for the IP addresses age. The device will send logs when the number of connections exceeds the upper limit. The device will send logs when the number of connections drops below the lower limit only if the action is to reject new connections.Connection establishment rate limit —Limits the number of connections established per second. When the connection establishment rate reaches the upper limit, the device accepts or rejects new connections or blacklists source IP addresses depending on the action you configured and records logs.
Connections that do not match any limit rules are not limited.
In each connection limit rule, an ACL is used to define the connection range. Only the user connections that match the ACL are limited. In addition, the rule also uses the following filtering methods to further limit the connections:
Source IP —Limits user connections by source IP address.Destination IP —Limits user connections by destination IP address.Service port —Limits user connections by service (transport layer protocol and service port).
You can select more than one filtering method, and the selected methods take effect at the same time. For example, if you specify both
When a connection limit policy is applied, the device compares connections with all limit rules in the policy in ascending order of rule IDs. As a best practice, specify a smaller range and more filtering methods in a rule with a smaller ID.
vSystem support information
Support of non-default vSystems for this feature depends on the device model. This feature is available on the Web interface only if it is supported.
Restrictions and guidelines
For devices supporting service modules, the connections are limited on a per-service module basis.
A connection limit policy takes effect only on new connections. It does not take effect on existing connections.
On an IRF fabric where session synchronization is enabled, connection limit policies applied to a subordinate device do not take effect on sessions switched from the master device.
An ACL can only be used once in a connection limit policy and can be used in multiple connection limit policies.
A connection limit policy cannot be applied to a loopback interface.
To configure the
Add to blacklist (blacklist source IP addresses) action, the limit method must beLimit by Source IP and the blacklist function must be enabled.The upper limit must be greater than the number of CPU cores on the device. As a best practice, set the upper limit to a value greater than 32.
Configure connection limit
Analysis
Configure connection limit as shown in Figure-1.
Figure-1 Connection limit configuration procedure
Prerequisites
Complete the following tasks before you configure this feature:
Assign IP addresses to interfaces on the
Network >Interface Configuration >Interfaces page.Configure routes on the
Network >Routing page. Make sure the routes are available.Create security zones on the
Network >Security Zones page.Add interfaces to security zones. You can add interfaces to a security zone on the
Security Zones page or select a security zone for an interface on theInterfaces page.Configure security policies to permit the target traffic on the
Policies >Security Policies page.
Configure interface-based connection limits
Click the
Policies tab.In the navigation pane, select
Active Defense >Concurrent Connection Limit .Configure a connection limit policy. Select an interface from the
Apply to list, enableCreate rule , and clickOK to open the page for configuring a connection limit rule.Figure-2 Configuring a connection limit policy
Figure-3 Configuring a connection limit rule
Table-1 Connection limit policy configuration items
Item
Description
Policy number
Enter a policy number in the range of 1 to 32. The policy number spaces for IPv4 and IPv6 are independent.
IP version
Select an IP version.
Apply to
Select the interfaces to apply the connection limit policy. A connection limit policy applied to an interface takes effect on connections on the interface. A connection limit policy applied globally takes effect on all connections on the device.
Description
Enter a description for the connection limit policy.
Create rule
Enable this option to create a connection limit rule.
Rule ID
Enter a rule ID.
ACL
Select an existing ACL or create an ACL.
Connection establishment rate limit
Enter the maximum connection establishment rate.
Concurrent connection limits
U pper limit —Enter an upper limit. When the number of connections exceeds the upper limit, new connections cannot be established.L ower limit —Enter a lower limit. When the number of connections falls below the lower limit, new connections can be established.
Limit by
Select a limit method:
Source IP —Limits connections from the same IP address.Destination IP —Limits connections to the same IP address.Service port —Limits connections with the same service port.
Action on upper limit exceeding
Permit new connections .Deny new connections .Add to blacklist —This action is supported only for the Source IP limit method. This action does not take effect if the blacklist feature is not enabled. To enable the blacklist feature, access thePolicies >Active Defense >Blacklist page.
Create more rule
Enable this option to create another connection limit rule.
Click
Apply .Figure-4 Connection limit policy list
Configure global connection limits
Click the
Policies tab.In the navigation pane, select
Active Defense >Concurrent Connection Limit .Configure a connection limit policy. Select
Global from theApply to list, enableCreate rule , and clickOK to open the page for configuring a connection limit rule. For more information about parameters, see Table-1.Figure-5 Configuring a connection limit policy
Figure-6 Configuring a connection limit rule
Click
Apply .Figure-7 Connection limit policy list
