Configuring the connection limit policy

To use a connection limit policy, you need to add limit rules to the policy. Each rule defines a range of connections and the criteria for limiting those connections. Connections in the range are limited based on the criteria, which include an upper/lower connection limit and a connection establishment rate limit. When the number of matching connections reaches the upper limit, the device does not accept new matching connections until the number of connections drops below the lower limit. The device sends a log when the number of connections exceeds the upper limit and another when the number of connections drops below the lower limit. If the matching connections are limited based on the establishment rate, the number of connections established per second cannot exceed the rate limit. Connections that do not match any connection limit rule are not limited.

In each connection limit rule, an ACL is used to define the connection range. In addition, the rule can use one or more of the following filtering methods, which are keywords of the limit command in step 3, to further limit the connections: per-source, per-destination, and per-service.

You can select more than one filtering method, and the selected methods take effect at the same time. For example, if you specify both per-destination and per-service, the user connections that use the same service and are destined to the same IP address are counted and limited together. If you do not specify any filtering method in a limit rule, all user connections in the range are limited as a whole.

When a connection limit policy is applied, connections on the device are matched against the limit rules in the policy in ascending order of rule IDs. As a best practice, specify a smaller range and more filtering methods in a rule with a smaller ID, so that the more specific rule is matched first.

To configure the connection limit policy:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter connection limit policy view.
  Command: connection-limit { ipv6-policy | policy } policy-id
  Remarks: N/A

Step 3: Configure a connection limit rule.
  Command:
    • In IPv4 connection limit policy view:
      • limit limit-id acl { acl-number | name acl-name } [ per-destination | per-service | per-source ] * { amount max-amount min-amount | rate rate } * [ description text ]
      • limit limit-id acl ipv6 { acl-number | name acl-name } per-ds-lite-b4 { amount max-amount min-amount | rate rate } * [ description text ]
    • In IPv6 connection limit policy view:
      • limit limit-id acl ipv6 { acl-number | name acl-name } [ per-destination | per-service | per-source ] * { amount max-amount min-amount | rate rate } * [ description text ]
  Remarks: By default, no connection limit rules exist.

Step 4: (Optional.) Configure a description for the connection limit policy.
  Command: description text
  Remarks: By default, the connection limit policy does not have a description.