F3215-HP Load Balancing Module Security Configuration Guide-6PW101

Step: 2. Apply a connection limit policy.
Command: connection-limit apply policy policy-number
Remarks: Only one connection limit policy can be applied globally.
Displaying and maintaining connection limiting
Task: Display information about one or all connection limit policies.
Command: display connection-limit policy { policy-number | all } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Troubleshooting connection limiting
Symptom
On the LB module, create a connection limit policy and configure two rules for the policy. One limits connections from each host on segment 192.168.0.0/24 with the upper connection limit 10, and the other limits connections from 192.168.0.100 with the upper connection limit 100.
<LB> system-view
[LB] connection-limit policy 0
[LB-connection-limit-policy-0] limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 10 per-source
[LB-connection-limit-policy-0] limit 1 source ip 192.168.0.100 32 destination ip any protocol ip max-connections 100 per-source
With this configuration, the host at 192.168.0.100 can only initiate up to 10 connections to the external network.
Analysis
Both rules, limit 0 and limit 1, match the IP address 192.168.0.100, and the rule with the smaller ID is matched first. Therefore, rule limit 0 is used to limit connections from 192.168.0.100, and rule limit 1 is never applied to that host.
Solution
Rearrange the two connection limit rules by exchanging their rule IDs so that the rule for the single host is matched first.
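The following is an added example, not part of the HP guide: it simulates the first-match-by-ascending-rule-ID behaviour described above and adds a check that reports rules which can never match because a lower-ID rule covers their whole source prefix. It assumes only the source prefix decides the match (the destination ip any and protocol ip fields are ignored), and the LimitRule, effective_limit and shadowed_rules names are the example's own.

```python
# Added example (not from the HP guide): simulates the first-match-by-rule-ID
# semantics from the troubleshooting section and flags rules that can never
# match because a lower-ID rule with a wider source prefix shadows them.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class LimitRule:
    rule_id: int          # "limit <id>" on the device; smaller IDs are tried first
    source: str           # source prefix, e.g. "192.168.0.0/24"
    max_connections: int  # upper connection limit for each source host

def effective_limit(policy, host):
    """Return (rule_id, max_connections) of the first rule, by ascending ID,
    whose source prefix contains host, or None if no rule matches."""
    addr = ipaddress.ip_address(host)
    for rule in sorted(policy, key=lambda r: r.rule_id):
        if addr in ipaddress.ip_network(rule.source, strict=False):
            return rule.rule_id, rule.max_connections
    return None

def shadowed_rules(policy):
    """IDs of rules whose whole source prefix is covered by a rule with a
    smaller ID; such a rule can never be matched."""
    ordered = sorted(policy, key=lambda r: r.rule_id)
    shadowed = []
    for i, rule in enumerate(ordered):
        net = ipaddress.ip_network(rule.source, strict=False)
        if any(net.subnet_of(ipaddress.ip_network(prev.source, strict=False))
               for prev in ordered[:i]):
            shadowed.append(rule.rule_id)
    return shadowed

# The policy from the Symptom section as configured (constructed input).
MISORDERED = [
    LimitRule(0, "192.168.0.0/24", 10),
    LimitRule(1, "192.168.0.100/32", 100),
]
# The same policy after the Solution: rule IDs exchanged, host rule first.
FIXED = [
    LimitRule(0, "192.168.0.100/32", 100),
    LimitRule(1, "192.168.0.0/24", 10),
]

if __name__ == "__main__":
    print(effective_limit(MISORDERED, "192.168.0.100"))  # (0, 10): the /24 rule wins
    print(shadowed_rules(MISORDERED))                    # [1]: the host rule is dead
    print(effective_limit(FIXED, "192.168.0.100"))       # (0, 100)
    print(effective_limit(FIXED, "192.168.0.7"))         # (1, 10)
```

Running shadowed_rules over a policy before applying it catches this class of ordering mistake without waiting for a host to hit the wrong limit.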
Enabling traffic statistics for a security zone
To collect traffic statistics on a security zone, you need to enable the traffic statistics function on the security zone. The device supports traffic statistics in the following modes:
By direction (inbound or outbound) of a security zone—Collect statistics on packets that enter or leave a security zone on the device.
By source or destination IP address—Collect statistics, by source IP address, on packets sent to a security zone on the device, or, by destination IP address, on packets sent from a security zone on the device.
To enable traffic statistics on a security zone: