HP MSR2000/3000/4000 Router Series Security Configuration Guide
Task: Clear the connection limit statistics globally or on an interface (MSR4000).
Command: reset connection-limit statistics { global | interface interface-type interface-number } [ slot slot-number ]
Connection limit configuration example
Network requirements
As shown in Figure 76, a company has five public IP addresses: 202.38.1.1/24 to 202.38.1.5/24. The
internal network address is 192.168.0.0/16. Configure NAT so that the internal users can access the
Internet and external users can access the internal servers, and configure connection limits so that:
• All hosts on segment 192.168.0.0/24 can establish up to 100000 connections to the external
network.
• Each host on segment 192.168.0.0/24 can establish up to 100 connections to the external network.
• Permit up to 10000 query requests from the DNS client to the DNS server.
• Permit up to 10000 connection requests from the Web client to the Web server.
Figure 76 Network diagram
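The limits in the requirements above can be modelled as counters to see which new connection requests each cap refuses. This is an added example, not HP's code and not the router's own algorithm; the LimitModel class, the order in which the two ACLs are checked, and the external addresses (documentation ranges) are assumptions.

```python
import ipaddress
from collections import Counter

def wildcard_match(addr, base, wildcard):
    """ACL-style match: bits set in the wildcard mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Values from this page: ACL 3000 source, ACL 3001 destinations, required caps.
SEGMENT = ("192.168.0.0", "0.0.0.255")
SERVERS = ("192.168.0.2", "192.168.0.3")
SEGMENT_TOTAL, PER_HOST, PER_SERVER = 100000, 100, 10000

class LimitModel:
    """Simplified model (assumption): ACL 3000 is checked before ACL 3001, and
    a request is refused once a counter it would increment is at its cap."""

    def __init__(self):
        self.per_src, self.per_dst, self.segment_total = Counter(), Counter(), 0

    def admit(self, src, dst):
        """Return (allowed, reason) for one new connection request."""
        if wildcard_match(src, *SEGMENT):
            if self.segment_total >= SEGMENT_TOTAL:
                return False, "segment cap"
            if self.per_src[src] >= PER_HOST:
                return False, "per-host cap"
            self.segment_total += 1
            self.per_src[src] += 1
            return True, "segment"
        if any(wildcard_match(dst, s, "0.0.0.0") for s in SERVERS):
            if self.per_dst[dst] >= PER_SERVER:
                return False, "per-server cap"
            self.per_dst[dst] += 1
            return True, "server"
        return True, "no rule"

def demo():
    """Constructed traffic; external addresses are documentation ranges."""
    m = LimitModel()
    host = [m.admit("192.168.0.10", "198.51.100.7") for _ in range(101)]
    other = m.admit("192.168.1.10", "198.51.100.7")   # outside the /24
    web = [m.admit("203.0.113.9", "192.168.0.2") for _ in range(10001)]
    return host[-1], other, web[-1]

if __name__ == "__main__":
    print(demo())
```

The "no rule" result for 192.168.1.10 shows that hosts elsewhere in 192.168.0.0/16 fall outside the wildcard 0.0.0.255 and are not counted by this model.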
Configuration procedure
The following example describes only how to configure connection limits. For more information about
NAT configuration and internal server configuration, see Layer 3—IP Services Configuration Guide.
# Create ACL 3000 to permit packets from all hosts on segment 192.168.0.0/24 of the internal network.
<Router> system-view
[Router] acl number 3000
[Router-acl-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255
[Router-acl-adv-3000] quit
# Create ACL 3001 to permit packets to the Web server and the DNS server.
[Router] acl number 3001
[Router-acl-adv-3001] rule permit ip destination 192.168.0.2 0
[Router-acl-adv-3001] rule permit ip destination 192.168.0.3 0
[Router-acl-adv-3001] quit
# Create connection limit policy 1.
[Router] connection-limit policy 1