Vyatta NOS documentation

Limiting traffic rates

The Token Bucket Filter (TBF) queuing mechanism can be activated by a firewall rule to limit the rate of incoming packets. Packets are limited to an administratively set average rate, but short bursts in excess of this rate are tolerated up to a configured burst size. Two rules are required to achieve this limitation: one to accept traffic within the limit, and one to drop traffic in excess of the limit. Because firewall rules are evaluated in ascending rule-number order, the accept rule with the limit must have the lower number, so that only the packets it does not accept reach the drop rule.

For example, to create a rule that accepts a limited rate of two ICMP echo request packets (pings) per second, but provides for short bursts without dropping packets, and that drops packets that do not get matched by the first rule, perform the following steps in configuration mode.

Table 1. Limiting the rate of specific incoming packets
Step Command

Set the protocol to match to ICMP.

vyatta@R1# set security firewall name RATE-LIMIT rule 20 protocol icmp

Set ICMP type of 8 (echo-request).

vyatta@R1# set security firewall name RATE-LIMIT rule 20 icmp type 8

Set ICMP code of 0 for type 8.

vyatta@R1# set security firewall name RATE-LIMIT rule 20 icmp code 0

Set the desired rate of 2 packets per second.

vyatta@R1# set security firewall name RATE-LIMIT rule 20 limit rate 2/second

Set the burst size of 5 packets.

vyatta@R1# set security firewall name RATE-LIMIT rule 20 limit burst 5

Set the action to accept.

vyatta@R1# set security firewall name RATE-LIMIT rule 20 action accept

Set the description.

vyatta@R1# set security firewall name RATE-LIMIT rule 20 description "Rate-limit incoming icmp echo-request packets to 2/second allowing short bursts of 5 packets"

Set the protocol to match to ICMP.

vyatta@R1# set security firewall name RATE-LIMIT rule 30 protocol icmp

Set ICMP type of 8 (echo-request).

vyatta@R1# set security firewall name RATE-LIMIT rule 30 icmp type 8

Set ICMP code of 0 for type 8.

vyatta@R1# set security firewall name RATE-LIMIT rule 30 icmp code 0

Set the action to drop.

vyatta@R1# set security firewall name RATE-LIMIT rule 30 action drop

Set the description.

vyatta@R1# set security firewall name RATE-LIMIT rule 30 description "Drop remaining echo requests in excess of the rate in rule 20"

Commit the configuration.

vyatta@R1# commit

Show the configuration.

vyatta@R1# show security firewall name RATE-LIMIT

rule 20 {
    action accept
    description "Rate-limit incoming icmp echo-request packets to 2/second allowing short bursts of 5 packets"
    icmp {
        code 0
        type 8
    }
    limit {
        burst 5
        rate 2/second
    }
    protocol icmp
}
rule 30 {
    action drop
    description "Drop remaining echo requests in excess of the rate in rule 20"
    icmp {
        code 0
        type 8
    }
    protocol icmp
}
vyatta@R1#
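The following is an added example, not Vyatta code: a simplified token-bucket model of the RATE-LIMIT rule set above (rate 2/second, burst 5), run over a constructed sequence of ICMP packets to show which echo requests rule 20 accepts and which fall through to rule 30. It assumes the bucket starts full and is refilled continuously; the real netfilter limit match uses fixed-point tick arithmetic, so boundary packets may differ slightly.

```python
from dataclasses import dataclass

@dataclass
class TokenBucket:
    """Token bucket behind a 'limit rate R/second' + 'limit burst B' rule."""
    rate: float   # tokens refilled per second (rule 20: 2/second)
    burst: int    # bucket capacity; assumed to start full (rule 20: 5)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)
        self.last = 0.0

    def take(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def is_echo_request(pkt: dict) -> bool:
    # Both rules match 'protocol icmp', 'icmp type 8', 'icmp code 0'.
    return pkt["proto"] == "icmp" and pkt["type"] == 8 and pkt["code"] == 0

def evaluate(packets, rate=2.0, burst=5):
    # Returns (time, matching rule number, action) per packet, in rule order.
    # Packets matching neither rule get 'no-match'; their fate is the firewall's
    # default action, which the page above does not configure (assumption).
    bucket = TokenBucket(rate, burst)
    verdicts = []
    for pkt in packets:
        if is_echo_request(pkt) and bucket.take(pkt["t"]):   # rule 20
            verdicts.append((pkt["t"], 20, "accept"))
        elif is_echo_request(pkt):                            # rule 30
            verdicts.append((pkt["t"], 30, "drop"))
        else:
            verdicts.append((pkt["t"], None, "no-match"))
    return verdicts

# Constructed sample: 8 pings 10 ms apart, 3 more pings one second later,
# and one echo reply (type 0) that neither rule matches.
SAMPLE = [{"t": i * 0.01, "proto": "icmp", "type": 8, "code": 0} for i in range(8)]
SAMPLE += [{"t": 1.0 + i * 0.01, "proto": "icmp", "type": 8, "code": 0} for i in range(3)]
SAMPLE.append({"t": 1.5, "proto": "icmp", "type": 0, "code": 0})

if __name__ == "__main__":
    for t, rule, action in evaluate(SAMPLE):
        print(f"t={t:.2f}s rule={rule} {action}")
```

The first burst spends the 5 stored tokens, the next 3 pings are dropped by rule 30, and after one second only the 2 tokens refilled at 2/second are available again.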