R3303-HP HSR6800 Routers Security Configuration Guide

An IP address-based connection limit rule can be of any of the following types:
• Source-to-destination—Limits connections from a specific internal host or segment to a specific external host or segment.
• Source-to-any—Limits connections from a specific internal host or segment to external networks.
• Any-to-destination—Limits connections from external networks to a specific internal server.
• Any-to-any—Limits the total number of connections passing through the device.
To configure an IP address-based connection limit rule:

Step 1: Enter system view.
Command: system-view

Step 2: Enter connection limit policy view.
Command: connection-limit policy policy-number

Step 3: Configure an IP address-based connection limit rule.
Command: limit limit-id { source ip { ip-address mask-length | any } [ source-vpn src-vpn-name ] | destination ip { ip-address mask-length | any } [ destination-vpn dst-vpn-name ] } * protocol { dns | http | ip | tcp | udp } max-connections max-num [ per-destination | per-source | per-source-destination ]
Applying the connection limit policy

Step 1: Enter system view.
Command: system-view
Remarks: N/A

Step 2: Apply a connection limit policy to the NAT module.
Command: nat connection-limit-policy policy-number
Remarks: Only one connection limit policy can be applied to a NAT module.
Displaying and maintaining connection limiting

Task: Display information about one or all connection limit policies.
Command: display connection-limit policy { policy-number | all } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
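The three procedures above (defining rules in a policy, applying the policy to the NAT module, and displaying the result) carried through as one complete CLI session, using the 192.168.0.0/16 internal network from the network requirements that follow. This is an added example, not configuration from the original guide: the policy number, rule numbers, connection counts, the server address 192.168.0.100, the device prompts, and the quit commands used to leave each view are all assumptions. In the limit syntax, the "} *" after the source/destination selectors means that at least one of the two must be given and both may be; a rule that gives only one side matches "any" on the other. The per-source keyword is taken here to apply the cap to each matching source address separately, while a rule without a per-* keyword caps the aggregate count for everything the rule matches.

```text
# Step 1: enter system view.
<Router> system-view
# Step 2: create connection limit policy 0 and enter its view (policy number assumed).
[Router] connection-limit policy 0
# Source-to-any rule: every host in 192.168.0.0/16 may hold at most 100 IP
# connections to external networks; per-source applies the cap per internal host.
[Router-connection-limit-policy-0] limit 0 source ip 192.168.0.0 16 destination ip any protocol ip max-connections 100 per-source
# Any-to-destination rule: external networks may hold at most 1000 HTTP
# connections in total to the internal server 192.168.0.100 (address assumed).
[Router-connection-limit-policy-0] limit 1 source ip any destination ip 192.168.0.100 32 protocol http max-connections 1000
# Any-to-any rule: cap the total number of IP connections through the device.
[Router-connection-limit-policy-0] limit 2 source ip any destination ip any protocol ip max-connections 10000
# Leave policy view (quit is standard Comware navigation, not shown in the tables above).
[Router-connection-limit-policy-0] quit
# Apply the policy to the NAT module; only one policy can be applied at a time,
# so applying a different policy number later replaces this one.
[Router] nat connection-limit-policy 0
# Verify the rules; the display command is available in any view.
[Router] display connection-limit policy 0
```

When choosing the counts, size the per-source limit for a single internal host well below the server-side and any-to-any limits; the any-to-any rule is the backstop that keeps one misbehaving segment from exhausting the NAT session table, so it should reflect the device's actual session capacity rather than an arbitrary number.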
Connection limit configuration example
Network requirements
As shown in Figure 121, a company has five public IP addresses: 202.38.1.1/24 to 202.38.1.5/24. The
internal network address is 192.168.0.0/16 and two servers are on the internal network. Perform NAT
configuration so that the internal users can access the Internet and external users can access the internal
servers, and configure connection limiting so that: