R2511-HP MSR Router Series Security Configuration Guide(V5)
• If the default connection limit action is permit, the user connections are limited according to the
configured default connection limit parameters. When the number of connections reaches the
upper limit, users cannot establish new connections. When the connection number goes below the
lower limit, users can establish new connections.
The default connection limit parameters of a connection limit policy take effect only after the policy is applied. For more information about how to apply a connection limit policy, see "Applying the connection limit policy."
To configure the default connection limit action and parameters:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter connection limit policy view.
    Command: connection-limit policy policy-number
    Remarks: N/A
Step 3. Set the default connection limit action.
    Command: connection-limit default action { deny | permit }
    Remarks: Optional. By default, deny is adopted: the device does not limit connections that do not match the connection limit rules in the policy.
Step 4. Set the default connection limit parameters.
    Command: connection-limit default amount upper-limit max-amount lower-limit min-amount
    Remarks: Optional.
Configuring an ACL-based connection limit rule
An ACL-based connection limit rule references an ACL to specify the connections to be limited. The rule limits the number of connections in each group of matching connections.
When the upper connection limit of a connection group is reached, the device does not accept new
connections of the group until the number of connections equals or goes below the lower connection limit
for the group.
The limit rules are matched in ascending order of rule ID. When you configure connection limit rules for
a policy, carefully check the rules and their order. HP recommends that you arrange the rules in
ascending order of scale and range.
The following three types of connection limit rules are supported:
• per-destination—Limits connections by destination IP address.
• per-service—Limits connections by service type or application.
• per-source—Limits connections by source IP address.
If you specify multiple limit types in one limit rule, they work together to limit and collect statistics on user
connections. For example, with both per-destination and per-service limit types specified, the connection
limit rule limits and collects statistics on user connections of the same service with the same destination
IP address.
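The following is an added example, not code from the HP guide or the MSR firmware: a small Python model of the limit semantics described above, namely the grouping of connections by the selected limit types (per-source, per-destination, per-service) and the upper-limit/lower-limit behaviour, where a group that reaches max-amount refuses new connections until its count is at or below min-amount. The class and function names, and the sample addresses in demo(), are constructed for illustration.

```python
from dataclasses import dataclass, field
ATTR = {"per-source": 0, "per-destination": 1, "per-service": 2}  # limit type -> attribute index

@dataclass
class LimitRule:
    types: frozenset   # subset of ATTR keys, e.g. per-destination + per-service
    upper: int         # max-amount: group stops accepting when this is reached
    lower: int         # min-amount: group accepts again at or below this

@dataclass
class ConnectionLimiter:
    rule: LimitRule
    counts: dict = field(default_factory=dict)  # group key -> active connections
    blocked: set = field(default_factory=set)   # groups currently refusing connections

    def group_key(self, conn):
        # conn = (source IP, destination IP, service); connections that share
        # every selected attribute fall into one limited group
        return tuple(conn[ATTR[t]] for t in sorted(self.rule.types))

    def open(self, conn):
        """Admit a new connection; False while its group sits at the limit."""
        key = self.group_key(conn)
        if key in self.blocked:
            return False
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] >= self.rule.upper:
            self.blocked.add(key)   # upper limit reached: stop accepting
        return True

    def close(self, conn):
        """Release a connection; the group reopens once at or below lower."""
        key = self.group_key(conn)
        self.counts[key] -= 1
        if self.counts[key] <= self.rule.lower:
            self.blocked.discard(key)

def demo():
    lim = ConnectionLimiter(LimitRule(frozenset({"per-destination", "per-service"}), 3, 1))  # upper 3, lower 1
    web = lambda host: (host, "192.0.2.10", "http")     # constructed sample addresses
    results = [lim.open(web("10.0.0.1")), lim.open(web("10.0.0.2")),
               lim.open(web("10.0.0.3")),                  # third one reaches the limit
               lim.open(web("10.0.0.4")),                  # refused
               lim.open(("10.0.0.4", "192.0.2.10", "ssh"))]  # other service: own group
    lim.close(web("10.0.0.1"))                             # 2 left: still above lower
    results.append(lim.open(web("10.0.0.4")))              # still refused
    lim.close(web("10.0.0.2"))                             # 1 left: at lower limit
    results.append(lim.open(web("10.0.0.4")))              # accepted again
    return results
```

demo() returns [True, True, True, False, True, False, True], showing that a different service with the same destination forms its own group, and that the blocked group only reopens once it drops to the lower limit, not as soon as one connection closes.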
By default, a connection limit policy uses the default connection limit settings. For more information about
the default connection limit settings, see the connection-limit default amount command.
To configure an ACL-based connection limit rule: