Comware


Configuration Issue on HPE 5710 Switch

  • 1.  Configuration Issue on HPE 5710 Switch

    Posted 13 days ago

    We are currently facing a network issue where the WSUS server is sending an excessive number of sessions to the firewall, resulting in a general blockage of the firewall equipment. Upon investigating potential solutions, one option is to create an ACL (Access Control List) on the switch with a session limit to deny traffic once this limit is reached.

    During the ACL creation process, I encountered the need to configure the "ip session sac" option. However, this option is not available on the HPE 5710 switch, version 7.1.070, Release 2702. I would like to know if there is any other way to configure this session limitation on this switch to prevent the firewall from being affected by the excessive traffic from WSUS.

    I appreciate any guidance or suggestions on this matter.

    Thank you.



  • 2.  RE: Configuration Issue on HPE 5710 Switch

    Posted 12 days ago

    Try connection-limit

    # Create ACL 3000 to permit HTTP(s) requests to the WSUS server ports 8530 and 8531.
    <AC> system-view
    [AC] acl advanced 3000
    [AC-acl-ipv4-adv-3000] rule permit tcp source 192.168.1.0 0.0.0.255 destination-port eq 8530
    [AC-acl-ipv4-adv-3000] rule permit tcp source 192.168.1.0 0.0.0.255 destination-port eq 8531
    [AC-acl-ipv4-adv-3000] quit
    # Create connection limit policy 1.
    [AC] connection-limit policy 1
    # Configure connection limit rule 1 to permit a maximum of 100 connections from each host matching ACL 3000. When the number of connections exceeds 100, new connections cannot be established until the number drops below 50.
    [AC-connection-limit-policy-1] limit 1 acl 3000 per-source amount 100 50
    [AC-connection-limit-policy-1] quit
    # Apply connection limit policy 1 globally.
    [AC] connection-limit apply global policy 1

    And also try to upgrade to the latest version of Comware 7. The switch is running a very old version.

    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------
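Added example, not part of either post and not Comware code: a small Python model of what the reply's `limit 1 acl 3000 per-source amount 100 50` line is described as doing, so the two thresholds can be seen working. Each source host that matches ACL 3000 may hold up to 100 connections; once that count is reached, new connections from that host are refused until its open count drops below 50 (hysteresis, so a host does not flap on and off the limit). The ACL match is reduced to the two fields the posted rules test (source prefix 192.168.1.0/24 and destination port 8530 or 8531); the addresses, the burst of 130 attempts and the counts are constructed for illustration.

```python
"""Constructed model (added example, not Comware code) of the semantics the reply
describes for `limit 1 acl 3000 per-source amount 100 50`: each source matching
ACL 3000 may hold up to 100 connections; once the limit is hit, new connections
from that source are refused until its count drops below 50 (hysteresis).
The ACL match is reduced to the two fields the posted rules test: a source
prefix and a destination port. Addresses and thresholds are assumptions."""
import ipaddress
from dataclasses import dataclass, field

ACL_SOURCE = ipaddress.ip_network("192.168.1.0/24")   # source 192.168.1.0 0.0.0.255
ACL_DST_PORTS = {8530, 8531}                           # destination-port eq 8530 / 8531


def acl_3000_matches(src_ip: str, dst_port: int) -> bool:
    """True when a TCP connection attempt would hit a permit rule in ACL 3000."""
    return ipaddress.ip_address(src_ip) in ACL_SOURCE and dst_port in ACL_DST_PORTS


@dataclass
class PerSourceLimiter:
    upper: int = 100      # amount <upper>: refuse new connections at this count
    lower: int = 50       # amount <lower>: resume once the count falls below this
    active: dict = field(default_factory=dict)  # src_ip -> open connections
    limited: set = field(default_factory=set)   # sources currently being refused

    def open(self, src_ip: str, dst_port: int) -> bool:
        """Return True if the new connection is admitted, False if refused."""
        if not acl_3000_matches(src_ip, dst_port):
            return True                      # policy does not apply; pass untouched
        count = self.active.get(src_ip, 0)
        if src_ip in self.limited:
            return False                     # still at or above the lower threshold
        if count >= self.upper:
            self.limited.add(src_ip)         # hit the upper threshold: start refusing
            return False
        self.active[src_ip] = count + 1
        return True

    def close(self, src_ip: str) -> None:
        """Record a connection teardown; lift the limit once below `lower`."""
        count = self.active.get(src_ip, 0)
        if count == 0:
            return
        count -= 1
        self.active[src_ip] = count
        if src_ip in self.limited and count < self.lower:
            self.limited.discard(src_ip)


def simulate_wsus_burst(limiter: PerSourceLimiter, src_ip: str,
                        attempts: int, dst_port: int = 8530) -> tuple:
    """Open `attempts` connections from one host; return (admitted, refused)."""
    admitted = sum(1 for _ in range(attempts) if limiter.open(src_ip, dst_port))
    return admitted, attempts - admitted


if __name__ == "__main__":
    lim = PerSourceLimiter()
    print(simulate_wsus_burst(lim, "192.168.1.10", 130))   # (100, 30)
    for _ in range(50):
        lim.close("192.168.1.10")                           # 50 still open: still limited
    print(lim.open("192.168.1.10", 8530))                   # False
    lim.close("192.168.1.10")                               # 49 open: limit lifted
    print(lim.open("192.168.1.10", 8530))                   # True
    print(lim.open("10.0.0.5", 8530))                       # True: not matched by ACL 3000
```

The point a practitioner should take from the model is that the lower number is not a second limit but the release point: after a host is cut off at 100, it stays cut off at 50, 60 or 99 open connections and only gets new connections again once it has torn down enough to fall to 49. Hosts that the ACL does not match, and matching hosts' traffic to other ports, are never counted at all.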



  • 3.  RE: Configuration Issue on HPE 5710 Switch

    Posted 10 days ago

    Good morning,

    I'm trying to configure as per the previous indication:

    # Create ACL 3000 to permit HTTP(s) requests to the WSUS server ports 8530 and 8531.
    <AC> system-view
    [AC] acl advanced 3000
    [AC-acl-ipv4-adv-3000] rule permit tcp source 192.168.1.0 0.0.0.255 destination-port eq 8530
    [AC-acl-ipv4-adv-3000] rule permit tcp source 192.168.1.0 0.0.0.255 destination-port eq 8531
    [AC-acl-ipv4-adv-3000] quit

    # Create connection limit policy 1.
    [AC] connection-limit policy 1

    # Configure connection limit rule 1 to permit a maximum of 100 connections from each host matching ACL 3000. When the number of connections exceeds 100, new connections cannot be established until the number drops below 50.
    [AC-connection-limit-policy-1] limit 1 acl 3000 per-source amount 100 50
    [AC-connection-limit-policy-1] quit

    # Apply connection limit policy 1 globally.
    [AC] connection-limit apply global policy 1

    But when I enter the switch's configuration mode and start with the configuration, I find that several of the syntaxes indicated previously do not appear. For example, when trying to enter the "rule permit", I do not see the TCP option; instead I see the following options:

    counting      Specify rule counting
    fragment      Check fragment packet
    logging       Log the number of packets matching the rule
    source        Specify a source address
    time-range    Specify a special time
    vpn-instance  Specify VPN-Instance

    Then, I tried omitting "tcp" by using rule permit source 192.168.1.0 0.0.0.255, but I do not see the "destination" option; instead I see the following options:

    counting      Specify rule counting
    fragment      Check fragment packet
    logging       Log the number of packets matching the rule
    time-range    Specify a special time
    vpn-instance  Specify VPN-Instance

    Therefore, I cannot continue with the configuration. I would like to know if there is another way to perform this configuration, considering that it is an HPE 5710 24SFP+ 6QS+/2QS28 switch with boot image version 7.1.070, release version 2702. Or perhaps the problem lies in the software version, and it is necessary to update to obtain more options? If this is the case, what would be the recommended version for the update?

    Thank you and regards.




  • 4.  RE: Configuration Issue on HPE 5710 Switch

    Posted 9 days ago

    Hi.

    You are way below on the patch version. Latest version is 5710_7.10.R6715.

    The instructions are from a much later version.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------