Solution, Symptom, Analysis – H3C Technologies H3C SecPath F1000-E User Manual

Solution

Rearrange the two connection limit rules by exchanging their rule IDs so that the rule for the host is matched first.

Connection Limit Rules with Overlapping Protocol Types

Symptom

Internal server 192.168.0.100 provides both Web and FTP services for external users. On the device, a connection limit policy is created with two rules: the first limits TCP connections to the server to an upper limit of 100, and the second limits HTTP connections to the server to an upper limit of 10000.

[Device-connection-limit-policy-0] limit 0 source ip any destination ip 192.168.0.100 protocol tcp max-connections 100

[Device-connection-limit-policy-0] limit 1 source ip any destination ip 192.168.0.100 protocol http max-connections 10000

With the configuration above, at most 100 HTTP connections to the server can be established.

Analysis

Both rules limit 0 and limit 1 involve HTTP connections, and the rule with a smaller ID is matched first. Therefore, rule 0 is used for HTTP connections.

Solution

Rearrange the two connection limit rules by exchanging their rule IDs so that the rule for HTTP connections is matched first.
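
The following Python check is an added example, not part of the H3C manual or device software. It models the smallest-ID-first matching described in the Analysis and flags any rule that an earlier, broader rule makes unreachable. The function names, the CARRIED_OVER protocol map, and the client address are assumptions, and addresses are compared only as `any` or an exact host.

```python
import re

# Assumption: application protocols that a transport-level rule also matches.
CARRIED_OVER = {"tcp": {"tcp", "http", "ftp"}, "udp": {"udp", "dns"}}

RULE_RE = re.compile(
    r"limit (?P<id>\d+) source ip (?P<src>\S+) destination ip (?P<dst>\S+) "
    r"protocol (?P<proto>\S+) max-connections (?P<max>\d+)")

def parse_rules(config):
    """Parse 'limit' command lines and return the rules in match order (by ID)."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.search(line)
        if m:
            rule = m.groupdict()
            rule["id"], rule["max"] = int(rule["id"]), int(rule["max"])
            rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])

def covers(broad, narrow):
    """True if every connection matched by `narrow` is also matched by `broad`."""
    addr_ok = all(broad[k] in ("any", narrow[k]) for k in ("src", "dst"))
    protos = CARRIED_OVER.get(broad["proto"], {broad["proto"]})
    return addr_ok and narrow["proto"] in protos

def shadowed_rules(rules):
    """Return (earlier_id, later_id) pairs where the later rule can never match."""
    return [(a["id"], b["id"])
            for i, a in enumerate(rules) for b in rules[i + 1:] if covers(a, b)]

def effective_limit(rules, src, dst, proto):
    """Limit applied to one connection: the first rule in ID order that matches."""
    conn = {"src": src, "dst": dst, "proto": proto}
    return next((r["max"] for r in rules if covers(r, conn)), None)

# The configuration from the Symptom, and the same rules with IDs exchanged.
AS_CONFIGURED = """
limit 0 source ip any destination ip 192.168.0.100 protocol tcp max-connections 100
limit 1 source ip any destination ip 192.168.0.100 protocol http max-connections 10000
"""
IDS_EXCHANGED = """
limit 0 source ip any destination ip 192.168.0.100 protocol http max-connections 10000
limit 1 source ip any destination ip 192.168.0.100 protocol tcp max-connections 100
"""

if __name__ == "__main__":
    for name, cfg in (("as configured", AS_CONFIGURED), ("IDs exchanged", IDS_EXCHANGED)):
        rules = parse_rules(cfg)
        http = effective_limit(rules, "203.0.113.5", "192.168.0.100", "http")
        print(name, "shadowed:", shadowed_rules(rules), "HTTP limit:", http)
```
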