Configuration procedure
The following example only describes how to configure connection limits. For information about NAT configuration and internal server configuration, see Layer 3—IP Services Configuration Guide.
# Create ACL 3000 to permit packets from all hosts on the internal network.
<Router> system-view
[Router] acl advanced 3000
[Router-acl-ipv4-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255
[Router-acl-ipv4-adv-3000] quit
# Create ACL 3001 to permit packets to the Web server and the DNS server.
[Router] acl advanced 3001
[Router-acl-ipv4-adv-3001] rule permit ip destination 192.168.0.2 0
[Router-acl-ipv4-adv-3001] rule permit ip destination 192.168.0.3 0
[Router-acl-ipv4-adv-3001] quit
# Create connection limit policy 1.
[Router] connection-limit policy 1
# Configure connection limit rule 1 to permit a maximum of 100000 connections from all the hosts that match ACL 3000. When the number of connections exceeds 100000, new connections cannot be established until the number drops below 95000.
[Router-connection-limit-policy-1] limit 1 acl 3000 amount 100000 95000
# Configure connection limit rule 2 to permit a maximum of 10000 connections to the servers that match ACL 3001. When the number of connections exceeds 10000, new connections cannot be established until the number drops below 9800.
[Router-connection-limit-policy-1] limit 2 acl 3001 per-destination amount 10000 9800
[Router-connection-limit-policy-1] quit
# Create connection limit policy 2.
[Router] connection-limit policy 2
# Configure connection limit rule 1 to permit a maximum of 100 connections from each host matching ACL 3000. When the number of connections exceeds 100, new connections cannot be established until the number drops below 90.
[Router-connection-limit-policy-2] limit 1 acl 3000 per-source amount 100 90
[Router-connection-limit-policy-2] quit
# Apply connection limit policy 1 globally.
[Router] connection-limit apply global policy 1
# Apply connection limit policy 2 to inbound interface GigabitEthernet 1/0/1.
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] connection-limit apply policy 2
[Router-GigabitEthernet1/0/1] quit
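The upper and lower values in each limit rule form a hysteresis band: once the upper limit is hit, new connections stay refused until the count falls below the lower value, not merely below the upper one. The Python model below is an added illustration of that behaviour using the per-source rule of policy 2 (amount 100 90); it is not the device's implementation. Assumptions: the class name ConnectionLimitRule and the sample host addresses are hypothetical, the attempt that would exceed the upper limit is the one that triggers blocking, and blocking clears when the count is strictly below the lower value.

```python
from collections import defaultdict

class ConnectionLimitRule:
    """Model of 'limit <id> acl <n> [per-source] amount <upper> <lower>'.
    Assumed boundary handling: refuse at count == upper, resume at count < lower."""

    def __init__(self, upper, lower, per_source=False):
        if not 0 < lower <= upper:
            raise ValueError("lower threshold must be in 1..upper")
        self.upper, self.lower, self.per_source = upper, lower, per_source
        self.count = defaultdict(int)    # live connections per key
        self.blocked = set()             # keys currently refusing new connections

    def _key(self, src):
        # per-source keeps one counter per host; otherwise all hosts share one
        return src if self.per_source else "*"

    def open(self, src):
        """Return True if a new connection from src is admitted."""
        k = self._key(src)
        if k in self.blocked:
            return False
        if self.count[k] >= self.upper:
            self.blocked.add(k)          # limit hit: refuse until count < lower
            return False
        self.count[k] += 1
        return True

    def close(self, src):
        """Record that one connection from src has ended."""
        k = self._key(src)
        if self.count[k] > 0:
            self.count[k] -= 1
        if self.count[k] < self.lower:
            self.blocked.discard(k)

def demo():
    rule = ConnectionLimitRule(100, 90, per_source=True)   # policy 2, rule 1
    host, other = "192.168.0.10", "192.168.0.11"           # constructed sample hosts
    admitted = sum(rule.open(host) for _ in range(150))    # only 100 get through
    for _ in range(10):
        rule.close(host)                 # 90 left: not yet below the lower value
    at_90 = rule.open(host)              # still refused
    rule.close(host)                     # 89 left: below the lower value
    at_89 = rule.open(host)              # admitted again
    return admitted, at_90, at_89, rule.open(other)

if __name__ == "__main__":
    print(demo())
```

The last element of the result shows that a second host is unaffected while the first is blocked, which is the effect of per-source counting.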