Setting the Maximum Number of Entries in the NAT Mapping Table
Context
Since terminals are vulnerable to network attacks on a complex network, a terminal under attack will occupy a large number of NAT mapping entries on the device it is connected to. Once the NAT mapping entries on the device are exhausted, other terminals cannot access the Internet because no NAT mapping entry can be allocated to them. In this case, you can set the maximum number of NAT mapping entries that a single user can use. When the number of NAT mapping entries created for a user reaches the configured limit, the device does not generate new NAT mapping entries for that user. As a result, only that user's Internet access is restricted, and the remaining entries stay available to other users.
V300R019C13 and later versions support this function.
Procedure
- Run system-view
The system view is displayed.
- Run nat session limit limit-number { per-src-ip | per-des-ip | per-src-port | per-des-port } [ acl acl-number ]
The maximum number of NAT mapping entries that can be created for a user is set.
By default, the maximum number of NAT mapping entries that can be used by a user is not configured.
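To illustrate why a per-user limit matters, the following is an added simulation (not the device's implementation, and not code from this documentation) of a NAT mapping table with a finite capacity and an optional per-key limit that mirrors the four counting keys of the command above. The addresses, port ranges, table capacity and limit values are constructed sample inputs. One host opens far more flows than the table can hold, then a second host requests a handful of mappings; the return value shows how many mappings each host obtained under a given configuration.

```python
"""Simulation of a NAT mapping table with a per-user entry limit.

Added illustration only: it is not the device's implementation. The
addresses, port ranges, capacity and limits below are constructed values.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# The four counting keys offered by "nat session limit" on the page.
# Each maps a flow to the value whose entry count is capped.
KEY_FUNCS = {
    "per-src-ip": lambda f: ("src-ip", f.src_ip),
    "per-des-ip": lambda f: ("des-ip", f.dst_ip),
    "per-src-port": lambda f: ("src-port", f.src_port),
    "per-des-port": lambda f: ("des-port", f.dst_port),
}


class NatTable:
    """A bounded mapping table; the acl option of the command is not modelled."""

    def __init__(self, capacity: int, limit: Optional[int] = None,
                 key: str = "per-src-ip") -> None:
        self.capacity = capacity          # total entries the device can hold
        self.limit = limit                # None means no per-key limit configured
        self.key_func = KEY_FUNCS[key]
        self.entries: Dict[Flow, Tuple[str, int]] = {}
        self.per_key = defaultdict(int)   # entries currently held per key value
        self.denied = defaultdict(int)    # allocations refused per key value
        self.next_port = 20000            # next public port to hand out

    def allocate(self, flow: Flow) -> Optional[Tuple[str, int]]:
        """Return the public (ip, port) for a flow, or None if refused."""
        if flow in self.entries:
            return self.entries[flow]
        key = self.key_func(flow)
        # The per-key limit is checked first, so one heavy user is refused
        # before it can consume the shared capacity.
        if self.limit is not None and self.per_key[key] >= self.limit:
            self.denied[key] += 1
            return None
        if len(self.entries) >= self.capacity:
            self.denied[key] += 1
            return None
        mapped = ("203.0.113.1", self.next_port)   # constructed public address
        self.next_port += 1
        self.entries[flow] = mapped
        self.per_key[key] += 1
        return mapped


def simulate(capacity: int = 1000, limit: Optional[int] = None,
             key: str = "per-src-ip") -> Tuple[int, int]:
    """Return (mappings obtained by the flooding host, by the normal host)."""
    table = NatTable(capacity, limit, key)
    # Constructed scenario: 10.0.0.5 opens 2000 flows to one server, then
    # 10.0.0.9 tries to open five ordinary connections to another server.
    flood_ok = sum(
        1 for p in range(1024, 1024 + 2000)
        if table.allocate(Flow("10.0.0.5", p, "198.51.100.10", 80)) is not None
    )
    normal_ok = sum(
        1 for p in range(40000, 40005)
        if table.allocate(Flow("10.0.0.9", p, "198.51.100.20", 443)) is not None
    )
    return flood_ok, normal_ok


if __name__ == "__main__":
    print("no limit          :", simulate())                       # (1000, 0)
    print("200 per-src-ip    :", simulate(limit=200))              # (200, 5)
    print("200 per-src-port  :", simulate(limit=200, key="per-src-port"))  # (1000, 0)
```

Without a limit the flooding host fills the whole table and the second host gets nothing; with a per-src-ip (or per-des-ip) limit the flooding host is capped and the second host is served normally. The per-src-port run shows that the counting key must match the traffic pattern: a flood that uses a distinct source port per flow is not contained by a per-src-port limit.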