Limiting traffic rates
The Token Bucket Filter (TBF) queuing mechanism can be activated by a firewall rule to limit the rate of incoming packets. Packets are limited to an administratively set rate, but they may have short bursts in excess of this rate. Two rules are required to achieve this limitation: one to accept traffic within the limit, and one to drop traffic in excess of the limit.
For example, to accept ICMP echo request packets (pings) at a limited rate of two per second while allowing short bursts without dropping packets, and to drop the packets that the first rule does not match, perform the following steps in configuration mode.
Step | Command |
---|---|
Set the protocol to match to ICMP. | |
Set ICMP type of 8 (echo-request). | |
Set ICMP code of 0 for type 8. | |
Set the desired rate of 2 packets per second. | |
Set the burst size of 5 packets. | |
Set the action to accept. | |
Set the description. | |
Set the protocol to match to ICMP. | |
Set ICMP type of 8 (echo-request). | |
Set ICMP code of 0 for type 8. | |
Set the action to drop. | |
Set the description. | |
Commit the configuration. | |
Show the configuration. | |
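The two-rule behaviour described above, modelled as an added Python example (it is not the router's own implementation or configuration): a token bucket with the rate of 2 packets per second and burst of 5 packets decides which echo requests the first rule accepts, and whatever it does not match falls through to the drop rule. The function names, the assumption that the bucket starts full and costs one token per packet, and the arrival times are all constructed for illustration.

```python
# Model of a rate-limited accept rule followed by a drop rule.
# Tokens are tracked in integer "millitokens" so the arithmetic is exact:
# (elapsed milliseconds) * (packets per second) = thousandths of a packet.

TOKEN = 1000  # millitokens needed to pass one packet


def simulate(arrivals_ms, rate_pps=2, burst=5):
    """Return [(time_ms, verdict)] for echo requests arriving at arrivals_ms.

    Assumptions (not taken from the page): the bucket starts full, holds at
    most `burst` packets' worth of tokens, and refills continuously.
    """
    capacity = burst * TOKEN
    tokens = capacity
    last = arrivals_ms[0] if arrivals_ms else 0
    verdicts = []
    for now in arrivals_ms:
        # Refill for the time elapsed since the previous packet, capped at burst.
        tokens = min(capacity, tokens + (now - last) * rate_pps)
        last = now
        if tokens >= TOKEN:
            tokens -= TOKEN
            verdicts.append((now, "accept"))   # matched by the rate-limited rule
        else:
            verdicts.append((now, "drop"))     # falls through to the drop rule
    return verdicts


def accepted_times(verdicts):
    """Arrival times (ms) of the packets the first rule accepted."""
    return [t for t, v in verdicts if v == "accept"]


# Constructed traffic: a flood of 10 pings/s for 2 s, and a sender at 2 pings/s.
FLOOD_MS = list(range(0, 2000, 100))
STEADY_MS = list(range(0, 5000, 500))

if __name__ == "__main__":
    for t, verdict in simulate(FLOOD_MS):
        print(f"{t:5d} ms  {verdict}")
    print("steady sender accepted:", len(accepted_times(simulate(STEADY_MS))))
```

In the flood, the burst allowance is spent within the first half second, after which only one packet every 500 ms passes; the sender that stays at the configured rate is never dropped.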