HP MSR2000/3000/4000 Router Series Security Command Reference
390
ipv6: References an IPv6 ACL. If this keyword is not specified, an IPv4 ACL is referenced. This keyword
exists only in IPv6 connection limit policy view.
acl-number: Specifies the ACL number in the range of 2000 to 3999.
name acl-name: Specifies the ACL name.
per-destination: Limits connections by destination IP address.
per-service: Limits connections by service port.
per-source: Limits connections by source IP address.
max-amount: Specifies the upper connection limit in the range of 1 to 1000000. When user connections
in a range or of a type exceed the upper connection limit, new connections cannot be created.
min-amount: Specifies the lower connection limit in the range of 1 to 1000000. The lower connection
limit cannot be greater than the upper connection limit. New connections cannot be created until the
connection number goes below the lower connection limit.
Usage guidelines
Each connection limit policy can define multiple rules, and each rule must specify the referenced ACL,
rule type, and upper/lower connection limit. The rule types can be one or multiple of the keywords
per-destination, per-source, and per-service. For example, if the per-destination and per-source
combination is specified, connections are limited by the source IP address and destination IP address.
Connections with the same source IP address and destination IP address are the same type.
• Different rules in the same connection limit policy must reference different ACLs.
• If you specify none of the per-destination, per-source, and per-service keywords, all connections
matching the referenced ACL are limited by the specified value.
• When the connections established on a device are matched against a connection limit policy, the
limit rules in the policy are matched in ascending order of rule ID.
• When the referenced ACL changes, the connections that have been established are limited by the
new connection limit policy.
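The rule semantics above (first matching rule by ascending rule ID, one counter per combination of the selected per-source / per-destination / per-service dimensions, and the upper/lower threshold pair acting as hysteresis) can be checked against a small model. The following is an added example written for this page, not HP/Comware code; it stands in for the referenced ACL with a list of source networks and for connections with a (source, destination, port) record, both constructed here, and it does not claim to reproduce the router's internal data structures.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Connection:
    """Constructed stand-in for a tracked connection."""
    src: str
    dst: str
    port: int


@dataclass
class LimitRule:
    """One 'limit' rule: referenced ACL, key dimensions, upper and lower limits."""
    rule_id: int
    acl: list                     # source networks standing in for the referenced ACL (assumption)
    max_amount: int
    min_amount: int
    per_source: bool = False
    per_destination: bool = False
    per_service: bool = False
    counts: dict = field(default_factory=dict)   # connections per key
    blocked: set = field(default_factory=set)    # keys that have hit the upper limit

    def __post_init__(self):
        # the lower limit cannot be greater than the upper limit; both are 1 to 1000000
        if not 1 <= self.min_amount <= self.max_amount <= 1000000:
            raise ValueError("lower limit must not exceed upper limit; range is 1 to 1000000")
        self.acl = [ip_network(n) for n in self.acl]

    def matches(self, conn):
        # version mismatch (IPv6 address vs IPv4 network) simply fails to match
        return any(ip_address(conn.src) in net for net in self.acl)

    def key(self, conn):
        # connections sharing every selected dimension are counted together;
        # with no keyword selected, every connection matching the ACL shares one counter
        return (conn.src if self.per_source else None,
                conn.dst if self.per_destination else None,
                conn.port if self.per_service else None)


class ConnectionLimitPolicy:
    def __init__(self):
        self.rules = []

    def add_rule(self, rule):
        # different rules in the same policy must reference different ACLs
        if any(r.acl == rule.acl for r in self.rules):
            raise ValueError("rules in one policy must reference different ACLs")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)   # matched in ascending rule ID order

    def _first_match(self, conn):
        for rule in self.rules:
            if rule.matches(conn):
                return rule
        return None

    def open(self, conn):
        """Return True if the new connection is admitted, False if the limit refuses it."""
        rule = self._first_match(conn)
        if rule is None:
            return True                      # no rule applies: not limited
        k = rule.key(conn)
        n = rule.counts.get(k, 0)
        if k in rule.blocked:
            if n < rule.min_amount:          # count fell below the lower limit: admit again
                rule.blocked.discard(k)
            else:
                return False
        if n >= rule.max_amount:             # upper limit reached: refuse and latch
            rule.blocked.add(k)
            return False
        rule.counts[k] = n + 1
        return True

    def close(self, conn):
        rule = self._first_match(conn)
        if rule is not None:
            k = rule.key(conn)
            if rule.counts.get(k, 0) > 0:
                rule.counts[k] -= 1


def demo():
    """Constructed scenario: upper limit 3, lower limit 2, keyed per-source and per-destination."""
    policy = ConnectionLimitPolicy()
    policy.add_rule(LimitRule(rule_id=1, acl=["192.168.0.0/24"], max_amount=3, min_amount=2,
                              per_source=True, per_destination=True))
    c = Connection("192.168.0.10", "203.0.113.5", 443)
    other = Connection("192.168.0.11", "203.0.113.5", 443)   # different source: separate counter
    results = [policy.open(c) for _ in range(4)]   # fourth attempt exceeds the upper limit
    results.append(policy.open(other))             # other host has its own counter
    policy.close(c)                                # count 2: not yet below the lower limit
    results.append(policy.open(c))
    policy.close(c)                                # count 1: below the lower limit
    results.append(policy.open(c))
    return results
```

Running `demo()` shows the hysteresis the "amount" pair creates: after the upper limit is hit, closing one connection is not enough, because the count must fall strictly below the lower limit before new connections from that source/destination pair are admitted. The same model can be reused with `per_service=True` to see the counter split per destination port.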
Examples
# Configure connection limit rule 1 that references ACL 3000 for IPv4 connection limit policy 1 to limit
connections matching ACL 3000 by the source and destination IP addresses, with the upper limit 2000
and lower limit 1800. This limit rule permits up to 2000 connections from each host on network
192.168.0.0/24 to a destination IP address on external networks. When the connection number exceeds
2000, new connections cannot be established until the connection number goes below 1800.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255
[Sysname-acl-adv-3000] quit
[Sysname] connection-limit policy 1
[Sysname-connlmt-policy-1] limit 1 acl 3000 per-destination per-source amount 2000 1800
# Configure connection limit rule 2 that references ACL 2001 for IPv6 connection limit policy 12 to limit
connections matching ACL 2001 by the source and destination IP addresses, with the upper limit 200
and lower limit 100. This limit rule permits up to 200 connections from each host on network 2:1::/96 to
a destination IP address on external networks. When the connection number exceeds 200, new
connections cannot be established until the connection number goes below 100.
<Sysname> system-view
[Sysname] acl ipv6 number 2001