
Verification, Troubleshooting connection limiting, Connection limit rules with overlapping segments – H3C Technologies H3C SecPath F1000-E User Manual

Page 121: Symptom, Analysis


# Configure connection limit rule 0 to limit connections from hosts on segment 192.168.0.0/24 to the external network per source address, with the upper connection limit of 100.

[Device-connection-limit-policy-0] limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 100 per-source

# Configure connection limit rule 1 to limit connections from the external network to the DNS server 192.168.0.3/24, with the upper connection limit of 10000.

[Device-connection-limit-policy-0] limit 1 source ip any destination ip 192.168.0.3 32 protocol dns max-connections 10000

# Configure connection limit rule 2 to limit connections from the external network to the Web server 192.168.0.2/24, with the upper connection limit of 10000.

[Device-connection-limit-policy-0] limit 2 source ip any destination ip 192.168.0.2 32 protocol http max-connections 10000

[Device-connection-limit-policy-0] quit

# Apply the connection limit policy.

[Device] connection-limit apply policy 0

Verification

After the above configuration, use the display connection-limit policy command to display information about the connection limit policy. The output in the example is as follows:

[Device] display connection-limit policy 0
Connection-limit policy 0, refcount 1, 3 limits
 limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 100 per-source
 limit 1 source ip any destination ip 192.168.0.3 32 protocol dns max-connections 10000
 limit 2 source ip any destination ip 192.168.0.2 32 protocol http max-connections 10000

Troubleshooting Connection Limiting

Connection Limit Rules with Overlapping Segments

Symptom

On the device, create a connection limit policy and configure two rules for the policy. One limits connections from each host on segment 192.168.0.0/24 with the upper connection limit 10, and another limits connections from 192.168.0.100 with the upper connection limit 100.

[Device-connection-limit-policy-0] limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 10 per-source

[Device-connection-limit-policy-0] limit 1 source ip 192.168.0.100 32 destination ip any protocol ip max-connections 100 per-source

With the configuration above, the host 192.168.0.100 can only initiate up to 10 connections to the external network.

Analysis

Both rules, limit 0 and limit 1, contain the IP address 192.168.0.100, and the rule with the smaller ID is matched first. Therefore, rule 0 is used for connections from 192.168.0.100.
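The first-match behaviour described in the analysis, as an added Python example that is not part of the H3C manual: it parses rules in the format printed by display connection-limit policy, evaluates which rule a given source, destination and protocol hits in ascending ID order, and flags rules that a smaller-ID rule fully shadows. Treating protocol ip as covering every protocol keyword is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample: the two overlapping rules from the Symptom section, as displayed by the device.
POLICY_LINES = [
    "limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 10 per-source",
    "limit 1 source ip 192.168.0.100 32 destination ip any protocol ip max-connections 100 per-source",
]
RULE_RE = re.compile(
    r"limit (\d+) source ip (\S+)(?: (\d+))? destination ip (\S+)(?: (\d+))?"
    r" protocol (\S+) max-connections (\d+)( per-source)?$"
)

def _to_network(addr, prefix):
    # "any" carries no mask in the CLI; treat it as 0.0.0.0/0.
    return ipaddress.ip_network("0.0.0.0/0" if addr == "any" else f"{addr}/{prefix}", strict=False)

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised limit line: {line!r}")
    rid, src, smask, dst, dmask, proto, maxconn, per_src = m.groups()
    return {"id": int(rid), "src": _to_network(src, smask), "dst": _to_network(dst, dmask),
            "proto": proto, "max": int(maxconn), "per_source": per_src is not None}

def _proto_covers(rule_proto, proto):
    # Assumption: "protocol ip" covers every protocol; any other keyword must match exactly.
    return rule_proto == "ip" or rule_proto == proto

def effective_limit(rules, src_ip, dst_ip, proto):
    # First match wins in ascending rule ID, as the Analysis states; returns (id, max) or None.
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(rules, key=lambda r: r["id"]):
        if s in r["src"] and d in r["dst"] and _proto_covers(r["proto"], proto):
            return r["id"], r["max"]
    return None

def shadowed_rules(rules):
    # (shadowed id, shadowing id) pairs: a rule that can never match because a rule
    # with a smaller ID already covers its whole source, destination and protocol range.
    ordered = sorted(rules, key=lambda r: r["id"])
    found = []
    for j, later in enumerate(ordered):
        for earlier in ordered[:j]:
            if (later["src"].subnet_of(earlier["src"]) and later["dst"].subnet_of(earlier["dst"])
                    and _proto_covers(earlier["proto"], later["proto"])):
                found.append((later["id"], earlier["id"]))
                break
    return found

RULES = [parse_rule(line) for line in POLICY_LINES]
```

Running shadowed_rules over the output of display connection-limit policy is a quick way to catch this misconfiguration before it limits a host to the wrong count.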