I. Networking requirements:
The MSR acts as the egress NAT router and limits the maximum number of NAT sessions that the internal hosts 192.168.0.2 and 192.168.0.3 may establish (the default limit for one host and a per-source limit for the other).
Device List: One MSR series router
II. Networking diagram:
III. Configuration steps:
MSR Configuration
#
// Enable connection limiting; nothing below takes effect without it
connection-limit enable
// Default limit: upper limit 1 session, lower limit 0. Once a source reaches the upper limit, its new sessions are dropped until its session count falls back to the lower limit.
connection-limit default amount upper-limit 1 lower-limit 0
#
// Define connection-limit policy 0
connection-limit policy 0
// Traffic matching ACL 2000 uses the default amount, i.e. upper limit 1, lower limit 0
limit 0 acl 2000
// Traffic matching ACL 2001 is limited per source address: upper limit 2 sessions, lower limit 1
limit 1 acl 2001 per-source amount 2 1
#
// Define the ACLs. ACL 2002 selects traffic for NAT; ACL 2000 and 2001 select traffic for connection limiting.
acl number 2000
rule 0 permit source 192.168.0.2 0
acl number 2001
rule 0 permit source 192.168.0.3 0
acl number 2002
// Wildcard 0.0.0.255 covers the whole 192.168.0.0/24 intranet (the page's "0.0.255" is missing an octet)
rule 0 permit source 192.168.0.0 0.0.0.255
#
// Interface facing the public network
interface GigabitEthernet0/0
port link-mode route
ip address 1.2.0.1 255.255.255.0
nat outbound 2002
#
// Interface facing the intranet
interface GigabitEthernet0/1
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
// Default route towards the public network
ip route-static 0.0.0.0 0.0.0.0 1.2.0.254
#
// Bind connection-limit policy 0 to NAT; without this binding no limit is applied
nat connection-limit-policy 0
#
IV. Key configuration points:
1) connection-limit enable must be configured;
2) If connection-limit default amount is not configured, ACL 2000 of policy 0 is not limited in this example;
3) A connection-limit policy must be defined, because NAT connection limiting works only by referencing a policy;
4) If a limit rule in the policy specifies only an ACL, without per-source, per-destination or per-service, the connection-limit default amount applies to that traffic; if no default amount is configured, no restriction is imposed;
5) If a limit rule further specifies per-source, per-destination or per-service, that rule's amount prevails and the connection-limit default is not applied;
6) Traffic that matches no limit rule in the policy is not restricted;
7) The policy must be bound to NAT with nat connection-limit-policy; otherwise no restriction takes effect.
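To make the key points concrete, here is an added Python model (not part of the original page or of the MSR software) of how policy 0 above admits or drops new NAT sessions per source, including the upper-limit/lower-limit hysteresis. The ACL matching, counters and the host 192.168.0.9 are simplifying assumptions; the limits mirror the configuration on this page.

```python
import ipaddress

# Constructed from the configuration on this page:
#   connection-limit default amount upper-limit 1 lower-limit 0
#   limit 0 acl 2000                       -> 192.168.0.2, uses the default
#   limit 1 acl 2001 per-source amount 2 1 -> 192.168.0.3, upper 2 / lower 1
DEFAULT_AMOUNT = (1, 0)
POLICY_0 = [
    ("192.168.0.2/32", None),   # None: fall back to the default amount
    ("192.168.0.3/32", (2, 1)),
]

class ConnectionLimiter:
    """Per-source admission control with upper/lower hysteresis (assumed model)."""

    def __init__(self, default_amount, rules):
        self.default_amount = default_amount
        self.rules = [(ipaddress.ip_network(n), a) for n, a in rules]
        self.sessions = {}    # source -> active NAT sessions
        self.blocked = set()  # sources that have hit their upper limit

    def limit_for(self, src):
        addr = ipaddress.ip_address(src)
        for net, amount in self.rules:
            if addr in net:
                return amount or self.default_amount
        return None  # key point 6: no matching rule, no restriction

    def open_session(self, src):
        """Return True if a new session from src is admitted."""
        count = self.sessions.get(src, 0)
        limit = self.limit_for(src)
        if limit is not None:
            upper, lower = limit
            # Once blocked, stay blocked until the count falls to the lower limit.
            if src in self.blocked and count > lower:
                return False
            self.blocked.discard(src)
            if count >= upper:
                self.blocked.add(src)
                return False
        self.sessions[src] = count + 1
        return True

    def close_session(self, src):
        self.sessions[src] = max(0, self.sessions.get(src, 0) - 1)

def demo():
    """Walk three hosts through policy 0; returns the admission decisions."""
    lim = ConnectionLimiter(DEFAULT_AMOUNT, POLICY_0)
    h2, h3, h9 = "192.168.0.2", "192.168.0.3", "192.168.0.9"  # h9: no rule
    out = [lim.open_session(h2), lim.open_session(h2)]       # True, False
    lim.close_session(h2)
    out.append(lim.open_session(h2))                         # True again
    out += [lim.open_session(h3) for _ in range(3)]          # True, True, False
    out += [lim.open_session(h9) for _ in range(5)]          # all True
    return out
```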