Verification, Troubleshooting connection limiting, Connection limit rules with overlapping segments – H3C Technologies H3C SecPath F1000-E User Manual

4

# Configure connection limit rule 0 to limit connections from hosts on segment 192.168.0.0/24 to the

external network per source address, with the upper connection limit of 100.

[Device-connection-limit-policy-0] limit 0 source ip 192.168.0.0 24 destination ip any

protocol ip max-connections 100 per-source

# Configure connection limit rule 1 to limit connections from the external network to the DNS server
192.168.0.3/24, with the upper connection limit of 10000.

[Device-connection-limit-policy-0] limit 1 source ip any destination ip 192.168.0.3 32

protocol dns max-connections 10000

# Configure connection limit rule 2 to limit connections from the external network to the Web server
192.168.0.2/24, with the upper connection limit of 10000.

[Device-connection-limit-policy-0] limit 2 source ip any destination ip 192.168.0.2 32

protocol http max-connections 10000

[Device-connection-limit-policy-0] quit

# Apply the connection limit policy.

[Device] connection-limit apply policy 0

Verification

After the above configuration, use the display connection-limit policy to display the information
about the connection limit policy. The output in the example is as follows:

[Device] display connection-limit policy 0

Connection-limit policy 0, refcount 1, 3 limits

limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 100

per-source

limit 1 source ip any destination ip 192.168.0.3 32 protocol dns max-connections 10000

limit 2 source ip any destination ip 192.168.0.2 32 protocol http max-connections 10000

Troubleshooting Connection Limiting

Connection Limit Rules with Overlapping Segments

Symptom

On the device, create a connection limit policy and configure two rules for the policy. One limits

connections from each host on segment 192.168.0.0/24 with the upper connection limit 10, and another

limits connections from 192.168.0.100 with the upper connection limit 100.

[Device-connection-limit-policy-0] limit 0 source ip 192.168.0.0 24 destination ip any

protocol ip max-connections 10 per-source

[Device-connection-limit-policy-0] limit 1 source ip 192.168.0.100 32 destination ip any

protocol ip max-connections 100 per-source

With the configuration above, the host 192.168.0.100 can only initiate up to 10 connections to the

external network.

Analysis

Both rules limit 0 and limit 1 contain the IP address 192.168.0.100, and the rule with a smaller ID is

matched first. Therefore, rule 0 is used for connections from 192.168.0.100.