ACLs in the connection limit rules with overlapping segments

Symptom

A connection limit policy has two rules. Rule 1 sets the upper limit to 10 for the connections from each host on segment 192.168.0.0/24. Rule 2 sets the upper limit to 100 for the connections from 192.168.0.100/24.

<Router> system-view
[Router] acl basic 2001
[Router-acl-ipv4-basic-2001] rule permit source 192.168.0.0 0.0.0.255
[Router-acl-ipv4-basic-2001] quit
[Router] acl basic 2002
[Router-acl-ipv4-basic-2002] rule permit source 192.168.0.100 0
[Router-acl-ipv4-basic-2002] quit
[Router] connection-limit policy 1
[Router-connection-limit-policy-1] limit 1 acl 2001 per-destination amount 10 5
[Router-connection-limit-policy-1] limit 2 acl 2002 per-destination amount 100 10

As a result, the host at 192.168.0.100 can only initiate a maximum of 10 connections to the external network.

Solution

To resolve the problem:

  1. Rearrange the two connection limit rules by exchanging their rule IDs.

  2. If the problem persists, contact Hewlett Packard Enterprise Support.