The ds-lite port-limit command restricts the number of ports in NAT 3-tuples.
The undo ds-lite port-limit command cancels the restriction on the number of ports in NAT 3-tuples.
ds-lite acl6 acl-number port-limit { tcp tcp-port-limit-number | total total-port-limit-number | udp udp-port-limit-number } [ alarm threshold threshold-number ] outbound
undo ds-lite acl6 acl-number port-limit { tcp tcp-port-limit-number | total total-port-limit-number | udp udp-port-limit-number } [ alarm threshold threshold-number ] outbound
| Parameter | Description | Value |
|---|---|---|
| acl-number | Specifies the ACL6 number. | The value is an integer ranging from 2000 to 2999. |
| tcp tcp-port-limit-number | Specifies the number of TCP port connections. | The value is an integer ranging from 1 to 20,000. |
| total total-port-limit-number | Specifies the total number of port connections. | The value is an integer ranging from 1 to 30,000. |
| udp udp-port-limit-number | Specifies the number of UDP port connections. | The value is an integer ranging from 1 to 20,000. |
| alarm threshold threshold-number | Specifies the alarm threshold for the number of ports in NAT 3-tuples. | The value ranges from 60% to 100% and defaults to 80%. |
| outbound | Indicates that the port restriction is implemented on the CPE device. | - |
The restriction applies to the number of port connections that can be initiated by a CPE, not by the users under the CPE.
The restriction on the number of port connections is configured in the security zone view. The security zone here is the one that the DS-Lite tunnel interface configured on the FW has joined.
# Restrict a CPE to a maximum of 10,000 UDP ports in its connections to the FW.

```
[sysname] interface tunnel 1
[sysname-Tunnel1] tunnel-protocol ipv4-ipv6 ds-lite
[sysname-Tunnel1] source 3000::2
[sysname-Tunnel1] ip address 10.10.10.2 24
[sysname-Tunnel1] quit
[sysname] firewall zone trust
[sysname-zone-trust] add interface Tunnel 1
[sysname-zone-trust] ds-lite acl6 2500 port-limit udp 10000 outbound
```
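An offline check for command listings, added here as an example and not part of the vendor documentation: it flags security zones that contain a DS-Lite tunnel interface but have no port-limit, and values outside the ranges in the parameter table. The function name `audit` and the input format (commands in the order typed, without prompts) are assumptions.

```python
import re
# Value ranges taken from the parameter table on this page.
RANGES = {"tcp": (1, 20000), "udp": (1, 20000), "total": (1, 30000)}
LIMIT_RE = re.compile(r"ds-lite acl6 (\d+) port-limit (tcp|total|udp) (\d+)"
                      r"(?: alarm threshold (\d+))? outbound$")

def audit(listing):
    """Return sorted findings for a listing of commands in the order typed."""
    findings, view, name = [], None, None
    dslite_ifs, zone_ifs, limited = set(), {}, set()
    for raw in listing.splitlines():
        low = raw.strip().lower()
        if low.startswith("interface "):
            view, name = "if", low[10:].replace(" ", "")
        elif low.startswith("firewall zone "):
            view, name = "zone", low[14:]
            zone_ifs.setdefault(name, set())
        elif low == "quit":
            view = None
        elif view == "if" and low == "tunnel-protocol ipv4-ipv6 ds-lite":
            dslite_ifs.add(name)
        elif view == "zone" and low.startswith("add interface "):
            zone_ifs[name].add(low[14:].replace(" ", ""))
        elif view == "zone" and (m := LIMIT_RE.match(low)):
            acl, proto, limit = int(m[1]), m[2], int(m[3])
            thr = int(m[4]) if m[4] else 80  # documented default is 80%
            lo, hi = RANGES[proto]
            if not 2000 <= acl <= 2999:
                findings.append(f"{name}: acl6 {acl} outside 2000-2999")
            if not lo <= limit <= hi:
                findings.append(f"{name}: {proto} limit {limit} outside {lo}-{hi}")
            if not 60 <= thr <= 100:
                findings.append(f"{name}: alarm threshold {thr}% outside 60-100")
            limited.add(name)
    for zone, ifs in zone_ifs.items():
        if ifs & dslite_ifs and zone not in limited:
            findings.append(f"{zone}: DS-Lite tunnel in zone, no port-limit")
    return sorted(findings)

# Constructed listing: the page's example plus a second zone with no limit.
SAMPLE = "\n".join([
    "interface tunnel 1", "tunnel-protocol ipv4-ipv6 ds-lite", "quit",
    "interface tunnel 2", "tunnel-protocol ipv4-ipv6 ds-lite", "quit",
    "firewall zone trust", "add interface Tunnel 1",
    "ds-lite acl6 2500 port-limit udp 10000 outbound", "quit",
    "firewall zone dmz", "add interface Tunnel 2", "quit"])

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```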