
(Optional) Configuring Restrictions on the Number of Session Connections or Ports

You can restrict the number of session connections initiated by each CPE device and the number of ports used in the NAT 3-tuples, so that no single CPE device can exhaust the session and port resources of the tunnels established between the CGN and the CPE devices.

Context

The restrictions on the number of session connections or ports in the NAT 3-tuples are configured in the security zone view. The security zone here is the one to which the DS-Lite tunnel interface configured on the CGN belongs.

Procedure

  1. Access the system view.

    system-view

  2. Access the security zone view.

    firewall zone [ name ] zone-name

  3. Configure the restriction on the number of session or port connections.

    • Configure restriction on the number of sessions.

      ds-lite acl6 acl-number session-limit { total | tcp | udp } session-limit-number [ alarm threshold threshold-number ] outbound

      alarm threshold: An alarm is generated when the number of session connections exceeds this threshold. By default, an alarm is generated when the number of session connections reaches 80% of the total capacity.

      If the alarm threshold parameter is left unspecified, the CGN only limits the traffic and does not generate an alarm.

    • Configure restriction on the number of port connections.

      ds-lite acl6 acl-number port-limit { total | tcp | udp } port-limit-number [ alarm threshold threshold-number ] outbound

      alarm threshold: An alarm is generated when the number of ports in the NAT 3-tuples exceeds this threshold. By default, an alarm is generated when the number of ports reaches 80% of the total capacity of the address pool.

      If the alarm threshold parameter is left unspecified, the CGN only limits the traffic and does not generate an alarm.

  4. Return to the system view.

    quit

Example

Restrict the number of TCP session connections that can be initiated by each CPE to 180,000, and the number of available UDP ports to 10,000.

# Configure ACL6 rules.

<FW> system-view
[FW] acl ipv6 number 2500
[FW-acl6-basic-2500] rule permit source 3000::1 64
[FW-acl6-basic-2500] quit

# Configure the DS-Lite tunnel interface of the FW and add the interface to the Trust zone.

[FW] interface tunnel 1
[FW-Tunnel1] tunnel-protocol ipv4-ipv6 ds-lite
[FW-Tunnel1] source 3000::2
[FW-Tunnel1] ip address 10.10.10.2/24
[FW-Tunnel1] quit
[FW] firewall zone trust
[FW-zone-trust] add interface Tunnel 1

# Configure restriction on the number of session or port connections in the Trust zone.

[FW-zone-trust] ds-lite acl6 2500 session-limit tcp 180000 outbound
[FW-zone-trust] ds-lite acl6 2500 port-limit udp 10000 outbound
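The example above configures the limits without the optional alarm threshold, so the CGN will silently drop connections once a CPE hits its limit. When many zones and ACL6 rules are involved it is easy to leave a tunnel zone without a session limit, without a port limit, or without an alarm. The following script is an added example, not part of the Huawei documentation, that audits a saved configuration for exactly those gaps using only the command syntax shown on this page. The configuration text it parses is constructed for illustration; the interface-name normalization (treating "Tunnel 1" and "Tunnel1" as the same interface) and the finding messages are this example's own conventions, not device output.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of a saved FW configuration. It uses only the command
# syntax from this page; it is not a dump from a real device.
SAMPLE_CONFIG = """\
#
acl ipv6 number 2500
 rule permit source 3000::1 64
#
interface Tunnel1
 tunnel-protocol ipv4-ipv6 ds-lite
 source 3000::2
 ip address 10.10.10.2 255.255.255.0
#
interface Tunnel2
 tunnel-protocol ipv4-ipv6 ds-lite
 source 3000::3
 ip address 10.10.11.2 255.255.255.0
#
firewall zone trust
 add interface Tunnel1
 ds-lite acl6 2500 session-limit tcp 180000 outbound
 ds-lite acl6 2500 port-limit udp 10000 outbound
#
firewall zone untrust
 add interface Tunnel2
 ds-lite acl6 2501 session-limit total 200000 alarm threshold 70 outbound
#
"""

# Matches the session-limit / port-limit commands exactly as given on this page.
LIMIT_RE = re.compile(
    r"^ds-lite acl6 (\d+) (session-limit|port-limit) (total|tcp|udp) (\d+)"
    r"(?: alarm threshold (\d+))? outbound$"
)


@dataclass
class Limit:
    acl: int
    kind: str            # "session-limit" or "port-limit"
    proto: str           # total | tcp | udp
    value: int
    alarm: Optional[int]  # None when the alarm threshold was not configured


@dataclass
class Zone:
    name: str
    interfaces: List[str] = field(default_factory=list)
    limits: List[Limit] = field(default_factory=list)


def norm_ifname(name: str) -> str:
    """Assumption of this example: 'Tunnel 1', 'tunnel1' and 'Tunnel1' name one interface."""
    return "".join(name.split()).lower()


def parse_config(text: str) -> Tuple[Set[str], Dict[str, Zone]]:
    """Collect DS-Lite tunnel interfaces and the per-zone ds-lite limits."""
    ds_lite_tunnels: Set[str] = set()
    zones: Dict[str, Zone] = {}
    section: Optional[Tuple[str, str]] = None  # ("interface", name) or ("zone", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":          # '#' separates config sections
            section = None
            continue
        if line.startswith("interface "):
            section = ("interface", norm_ifname(line[len("interface "):]))
            continue
        if line.startswith("firewall zone "):
            name = line.split()[-1]           # handles both "zone trust" and "zone name dmz"
            section = ("zone", name)
            zones.setdefault(name, Zone(name))
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "interface" and line == "tunnel-protocol ipv4-ipv6 ds-lite":
            ds_lite_tunnels.add(name)
        elif kind == "zone":
            zone = zones[name]
            if line.startswith("add interface "):
                zone.interfaces.append(norm_ifname(line[len("add interface "):]))
            else:
                m = LIMIT_RE.match(line)
                if m:
                    acl, lk, proto, val, alarm = m.groups()
                    zone.limits.append(Limit(int(acl), lk, proto, int(val),
                                             int(alarm) if alarm else None))
    return ds_lite_tunnels, zones


def audit(text: str) -> List[str]:
    """Report zones carrying a DS-Lite tunnel that lack a session limit,
    a port limit, or an alarm threshold on a configured limit."""
    tunnels, zones = parse_config(text)
    findings: List[str] = []
    for zone in zones.values():
        if not any(i in tunnels for i in zone.interfaces):
            continue                          # no DS-Lite tunnel here; limits do not apply
        kinds = {l.kind for l in zone.limits}
        if "session-limit" not in kinds:
            findings.append(f"{zone.name}: no ds-lite session-limit")
        if "port-limit" not in kinds:
            findings.append(f"{zone.name}: no ds-lite port-limit")
        for l in zone.limits:
            if l.alarm is None:
                findings.append(f"{zone.name}: {l.kind} {l.proto} {l.value} "
                                f"(acl6 {l.acl}) has no alarm threshold")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed configuration, the audit flags both limits in the Trust zone for having no alarm threshold and the Untrust zone for having no port limit; a zone with no DS-Lite tunnel interface is skipped, because the limits only apply to the zone the tunnel interface belongs to.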
Copyright © Huawei Technologies Co., Ltd.