HP MSR2000/3000/4000 Router Series Security Configuration Guide

Troubleshooting connection limits
ACLs in the connection limit rules with overlapping segments
Symptom
On the router, create a connection limit policy and configure two rules for the policy. One limits connections from each host on segment 192.168.0.0/24 with the upper connection limit 10, and the other limits connections from the single host 192.168.0.100 (ACL 2002 uses wildcard mask 0) with the upper connection limit 100.
<Router> system-view
[Router] acl number 2001
[Router-acl-basic-2001] rule permit source 192.168.0.0 0.0.0.255
[Router-acl-basic-2001] quit
[Router] acl number 2002
[Router-acl-basic-2002] rule permit source 192.168.0.100 0
[Router-acl-basic-2002] quit
[Router] connection-limit policy 1
[Router-connection-limit-policy-1] limit 1 acl 2001 per-destination amount 10 5
[Router-connection-limit-policy-1] limit 2 acl 2002 per-destination amount 100 10
With the configuration, the host at 192.168.0.100 can only initiate up to 10 connections to a destination
on the external network.
Analysis
Both rule limit 1 and rule limit 2 match the IP address 192.168.0.100. Connections established on the device are matched against the limit rules in ascending order of rule ID, so the rule with the smaller rule ID is tried first; rule limit 1 therefore matches and is used for limiting connections from 192.168.0.100, and rule limit 2 is never reached for that host.
Solution
Rearrange the two connection limit rules by exchanging their rule IDs so that the rule for the host is
matched first.
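The following Python model, added here and not part of the HP guide, reproduces the first-match behaviour described above: it evaluates Comware basic ACL rules (wildcard-mask semantics) in ascending limit-rule ID, and adds a check that flags a more specific rule shadowed by a lower-ID rule whose ACL already covers it. The ACL numbers, addresses and limits are those from the configuration above; the function names are this example's own.

```python
import ipaddress

# Basic ACL rules as (source address, wildcard mask); wildcard bits set to 1
# are "don't care". The CLI's "rule permit source 192.168.0.100 0" is an
# exact-host rule, written here with the full wildcard 0.0.0.0.
ACLS = {
    2001: ("192.168.0.0", "0.0.0.255"),
    2002: ("192.168.0.100", "0.0.0.0"),
}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def acl_matches(acl_number, ip):
    """True if ip matches the single permit rule of the given basic ACL."""
    addr, wildcard = ACLS[acl_number]
    care = ~_ip(wildcard) & 0xFFFFFFFF  # bits that must match exactly
    return (_ip(ip) & care) == (_ip(addr) & care)

def first_match(limits, ip):
    """limits: {rule_id: (acl_number, upper, lower)}. Returns the
    (rule_id, upper_limit) of the first rule matching ip, in ascending
    rule-ID order, as the router does; None if no rule matches."""
    for rule_id in sorted(limits):
        acl, upper, _lower = limits[rule_id]
        if acl_matches(acl, ip):
            return rule_id, upper
    return None

def shadowed_rules(limits):
    """Return (shadowed_id, shadowing_id) pairs: a rule is shadowed when a
    lower-ID rule's ACL covers every address its own ACL covers, so it can
    never be the first match."""
    found = []
    ids = sorted(limits)
    for i, hi in enumerate(ids):
        ab, wb = (_ip(x) for x in ACLS[limits[hi][0]])
        for lo in ids[:i]:
            aa, wa = (_ip(x) for x in ACLS[limits[lo][0]])
            # Subset test: hi's wildcard bits lie within lo's, and the
            # addresses agree on every bit lo cares about.
            if (wb & ~wa) == 0 and ((ab ^ aa) & ~wa) == 0:
                found.append((hi, lo))
                break
    return found

# Rule sets from the Symptom (as configured) and the Solution (IDs swapped).
SYMPTOM = {1: (2001, 10, 5), 2: (2002, 100, 10)}
FIXED = {1: (2002, 100, 10), 2: (2001, 10, 5)}
```

Running `first_match(SYMPTOM, "192.168.0.100")` yields rule 1 with limit 10 and `shadowed_rules(SYMPTOM)` reports rule 2 as shadowed by rule 1; with `FIXED` the host gets limit 100, other hosts on the /24 still get 10, and nothing is shadowed.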