Applying the connection limit policy

To make a connection limit policy take effect, apply it globally or to an interface. A policy applied to an interface limits only the connections that match the policy and pass through that interface. A policy applied globally limits all matching connections on the device.

Different connection limit policies can be applied to individual interfaces and globally on the device at the same time. In this case, the device matches a connection against the policies in the following order: the policy on the inbound interface, the global policy, and then the policy on the outbound interface. Every matching policy counts the connection, so the device stops accepting new connections as soon as the connection count reaches the lowest upper limit defined by any of these policies.

A connection limit policy takes effect only on new connections. It does not take effect on existing connections.

On an IRF fabric where session synchronization is enabled, connection limit policies applied to a subordinate device do not take effect on sessions switched from the master device.

On a DS-Lite tunnel network, if the AFTR device uses Endpoint-Independent Mapping-based NAT, you must limit connections initiated from external IPv4 networks to the internal IPv4 network. To implement B4 device-based connection limits, perform the following tasks:

To apply a connection limit policy:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Apply a connection limit policy.
  Command (apply globally):
    connection-limit apply global { ipv6-policy | policy } policy-id
  Command (apply to an interface):
    a. interface interface-type interface-number
    b. connection-limit apply { ipv6-policy | policy } policy-id
  Remarks: By default, no connection limit policy is applied.
    In each scope (globally, or on a given interface), at most one IPv4 connection limit policy and one IPv6 connection limit policy can be applied. Applying another IPv4 or IPv6 policy in the same scope replaces the one already applied there; it does not add a second policy.
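The following CLI session is an added example and is not taken from this manual. It applies an IPv4 and an IPv6 policy globally and an IPv4 policy to one interface, then shows the overwrite behavior described in the remarks. The policy IDs (1, 2, 3, 4), the interface name GigabitEthernet 1/0/1, and the Comware-style prompts are assumptions; the policies are assumed to have been created beforehand, which this section does not cover.

```text
# Added example, not from the manual. Assumes IPv4 policies 1, 3 and 4 and
# IPv6 policy 2 already exist; names and IDs are illustrative.
<Device> system-view

# Global scope: one IPv4 policy and one IPv6 policy may coexist.
[Device] connection-limit apply global policy 1
[Device] connection-limit apply global ipv6-policy 2

# Interface scope: this policy is checked for connections that enter or
# leave GigabitEthernet 1/0/1, in addition to the global policy.
[Device] interface GigabitEthernet 1/0/1
[Device-GigabitEthernet1/0/1] connection-limit apply policy 3

# Applying another IPv4 policy on the same interface replaces policy 3;
# policy 4 is now the only IPv4 policy on this interface.
[Device-GigabitEthernet1/0/1] connection-limit apply policy 4
[Device-GigabitEthernet1/0/1] quit
```

After these commands, a new IPv4 connection entering GigabitEthernet 1/0/1 is matched against policy 4 (inbound interface) and then policy 1 (global); whichever of the two has the lower applicable limit is the one that blocks new connections first. Connections that were already established before the policies were applied continue to exist, because a connection limit policy acts only on new connections.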