
Applying the connection limit policy, Displaying and maintaining connection limiting, Troubleshooting connection limiting – H3C Technologies H3C SecBlade LB Cards User Manual


Applying the connection limit policy

To make a connection limit policy take effect, apply it globally or to a service module.
To apply a connection limit policy:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Apply a connection limit policy. | connection-limit apply policy policy-number | Only one connection limit policy can be applied globally. |

Displaying and maintaining connection limiting

| Task | Command | Remarks |
|---|---|---|
| Display information about one or all connection limit policies. | display connection-limit policy { policy-number \| all } [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |

Troubleshooting connection limiting

Symptom

On LB, create a connection limit policy and configure two rules for the policy. One rule limits connections from each host on segment 192.168.0.0/24 with an upper connection limit of 10, and the other limits connections from 192.168.0.100 with an upper connection limit of 100.

system-view

[LB] connection-limit policy 0

[LB-connection-limit-policy-0] limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 10 per-source

[LB-connection-limit-policy-0] limit 1 source ip 192.168.0.100 32 destination ip any protocol ip max-connections 100 per-source

With the configuration, the host at 192.168.0.100 can only initiate up to 10 connections to the external
network.

Analysis

Both rules, limit 0 and limit 1, cover the IP address 192.168.0.100, and the rule with the smaller ID is matched first. Rule limit 0 is therefore the one used to limit connections from 192.168.0.100.

Solution

Rearrange the two connection limit rules by exchanging their rule IDs so that the rule for the host is matched first.
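The following Python sketch is an added example, not part of the H3C manual or the device software. It parses rule lines of the form shown in the Symptom, applies the smallest-ID-first matching described in the Analysis, and reports any rule whose source range is fully covered by a lower-ID rule. The function names are hypothetical, and only the source-IP, per-source rule form used on this page is handled.

```python
import ipaddress
import re

# Rule lines in the syntax of the manual's example (source-IP, per-source form only).
RULE_RE = re.compile(
    r"limit\s+(\d+)\s+source\s+ip\s+(\S+)\s+(\d+)\s+destination\s+ip\s+any\s+"
    r"protocol\s+ip\s+max-connections\s+(\d+)\s+per-source")

def parse_rules(config):
    """Return (rule_id, source_network, max_connections) tuples sorted by rule ID."""
    rules = []
    for m in RULE_RE.finditer(config):
        net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        rules.append((int(m.group(1)), net, int(m.group(4))))
    return sorted(rules, key=lambda r: r[0])

def effective_limit(rules, host):
    """First match wins: the matching rule with the smallest ID sets the limit."""
    addr = ipaddress.ip_address(host)
    for rule_id, net, max_conn in rules:
        if addr in net:
            return rule_id, max_conn
    return None  # no rule covers this source

def shadowed_rules(rules):
    """Return (shadowed_id, shadowing_id) pairs: a rule whose whole source range
    sits inside a lower-ID rule's range can never be the first match."""
    found = []
    for i, (rule_id, net, _) in enumerate(rules):
        for lower_id, lower_net, _ in rules[:i]:
            if net.subnet_of(lower_net):
                found.append((rule_id, lower_id))
                break
    return found

# Constructed input: the two rules from the Symptom, then with their IDs exchanged.
AS_CONFIGURED = """
limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 10 per-source
limit 1 source ip 192.168.0.100 32 destination ip any protocol ip max-connections 100 per-source
"""
AFTER_FIX = """
limit 0 source ip 192.168.0.100 32 destination ip any protocol ip max-connections 100 per-source
limit 1 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 10 per-source
"""

if __name__ == "__main__":
    for name, cfg in (("as configured", AS_CONFIGURED), ("after fix", AFTER_FIX)):
        rules = parse_rules(cfg)
        print(name, effective_limit(rules, "192.168.0.100"), shadowed_rules(rules))
```

Running a check like this over a policy before applying it flags host-specific rules that a broader, lower-ID rule would silently override.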

Enabling traffic statistics for a security zone

To collect traffic statistics on a security zone, you need to enable the traffic statistics function on the
security zone. The device supports traffic statistics in the following modes:

By direction, inbound, or outbound of a security zone—Collect statistics on packets that enter or
leave a security zone on the device.
