
1. Enable the feature
connection-limit enable /*enable the connection-limit feature
connection-limit default deny /*default action of the connection limit is deny
connection-limit default amount upper-limit 50 lower-limit 20 /*default connection count: upper limit 50, lower limit 20
2. ACL configuration
acl number 2007
description bruce chan
rule 0 deny source 172.17.16.42 0 /*address excluded from the limit
rule 1 deny source 172.16.17.0 0.0.0.255
rule 2 deny source 172.17.17.187 0
rule 3 deny source 172.17.16.210 0
rule 4 deny source 172.17.17.91 0 logging
rule 5 deny source 172.16.2.47 0
rule 10 permit source 172.17.16.0 0.0.0.255 /*matches the 172.17.16.0/24 subnet
rule 20 permit source 172.17.117.0 0.0.0.255
rule 30 permit source 172.17.218.0 0.0.0.255
rule 40 permit source 172.17.131.0 0.0.0.255
rule 50 permit source 172.17.151.0 0.0.0.255
rule 60 permit source 172.17.181.0 0.0.0.255
rule 70 permit source 172.17.123.0 0.0.0.255
rule 71 permit source 172.17.220.0 0.0.0.255
rule 72 permit source 172.17.122.0 0.0.0.255
rule 73 permit source 172.16.0.0 0.0.255.255
3. Create the policy based on the matched ACL
connection-limit policy 0
limit 0 acl 2007 per-source amount 110 80 /*per-source upper limit 110, lower limit 80 for traffic matched by ACL 2007
4. Apply the policy
nat connect-limit-policy 0
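Before applying the policy it is worth checking which sources ACL 2007 actually hands to the per-source limit, since an exempt host that ends up matching a later permit rule would be limited by mistake. The following Python script is an added example, not part of the original post: it parses the ACL rules as written above and evaluates a source address with first-match semantics. It assumes configuration (rule-number) match order, which the page does not state, and that a permit match means the source is limited while a deny match or no match exempts it, as the page's comments indicate.

```python
import ipaddress
import re

# ACL 2007 from the configuration above, embedded so the check runs offline.
ACL_2007 = """
rule 0 deny source 172.17.16.42 0
rule 1 deny source 172.16.17.0 0.0.0.255
rule 2 deny source 172.17.17.187 0
rule 3 deny source 172.17.16.210 0
rule 4 deny source 172.17.17.91 0 logging
rule 5 deny source 172.16.2.47 0
rule 10 permit source 172.17.16.0 0.0.0.255
rule 20 permit source 172.17.117.0 0.0.0.255
rule 30 permit source 172.17.218.0 0.0.0.255
rule 40 permit source 172.17.131.0 0.0.0.255
rule 50 permit source 172.17.151.0 0.0.0.255
rule 60 permit source 172.17.181.0 0.0.0.255
rule 70 permit source 172.17.123.0 0.0.0.255
rule 71 permit source 172.17.220.0 0.0.0.255
rule 72 permit source 172.17.122.0 0.0.0.255
rule 73 permit source 172.16.0.0 0.0.255.255
"""

# Trailing keywords such as "logging" are ignored by the parser.
RULE_RE = re.compile(r"rule (\d+) (permit|deny) source (\S+) (\S+)")

def parse_acl(text):
    """Return [(rule_id, action, network, netmask)] in configuration order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rid, action, addr, wildcard = m.groups()
        wc = "0.0.0.0" if wildcard == "0" else wildcard  # bare "0" = exact host
        mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wc))  # wildcard -> netmask
        net = int(ipaddress.IPv4Address(addr)) & mask
        rules.append((int(rid), action, net, mask))
    return rules

def is_limited(rules, src):
    """First matching rule wins (config match order assumed). A 'permit' hit
    means the source is subject to the per-source limit; a 'deny' hit or no
    match means it is exempt. Returns (matching rule id or None, limited)."""
    s = int(ipaddress.IPv4Address(src))
    for rid, action, net, mask in rules:
        if s & mask == net:
            return rid, action == "permit"
    return None, False
```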
Reposted from: https://blog.51cto.com/beyondcto/101523