security firewall name <name> rule <rule-number> police <limiting-method>
Specifies the type of packet rate limiting method.
The action is to drop packets when the rule is matched.
- name
- The name of a firewall rule set.
- rule-number
- The numeric identifier of a rule. The identifier ranges from 1 through 9999.
- bandwidth limit
- The bandwidth rate, written as a number followed immediately (no space) by a scaling suffix representing the rate (for example, 10mbit). The following suffixes are supported:
  - No suffix: Kilobits per second.
  - mbit: Megabits per second.
  - mbps: Megabytes per second.
  - gbit: Gigabits per second.
  - kbps: Kilobytes per second.
  - gbps: Gigabytes per second.
- burst limit
- The burst size limit in number of bytes. The number can range from 1 through 312500000.
- ratelimit limit
- The number of packets that can be sent in a second.
  - n: Number of packets per second.
  - nkpps: Thousands of packets per second.
  - nmpps: Millions of packets per second.
- dscp dscp-value
- Specifies the DSCP number. The supported values are af11 through af13, af21 through af23, af31 through af33, af41 through af43, cs1 through cs7, default, ef, and va.
Packets are marked with the given value if policing is exceeded.
- pcp pcp-number
- The 802.1 priority-code point number. The number can range from 0 through 7.
Packets are marked with the given value if policing is exceeded.
Configuration mode
    security {
        firewall {
            name name {
                rule rule-number {
                    police {
                        bandwidth limit
                        burst size
                        then {
                            action drop
                            mark {
                                dscp dscp-value
                                pcp pcp-number
                            }
                        }
                    }
                }
            }
        }
    }
If no then action is specified, the default action is to drop the packet when the police limits are exceeded.
Use the set form of this command to enable or disable policing of firewall rule actions.
Use the delete form of this command to delete the policing value for a rule.
Use the show form of this command to display the policing value for a rule.
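The suffix table above mixes bit-based and byte-based units (mbit is megabits, mbps is megabytes), so a limit entered with the wrong suffix is eight times looser or tighter than intended. The following is an added example, not part of the product or its documentation: a pre-commit check that normalizes a bandwidth value to bits per second and validates the ranges listed above. The function names are hypothetical, and decimal (1000-based) scaling and integer-only values are assumptions, since the page does not state them.

```python
import re

# Multipliers to bits per second for the suffixes listed on this page.
# Assumption: decimal (SI) scaling, 1 kilobit = 1000 bits; the page does not say.
BANDWIDTH_SUFFIXES = {
    "": 1_000,                  # no suffix: kilobits per second
    "mbit": 1_000_000,          # megabits per second
    "gbit": 1_000_000_000,      # gigabits per second
    "kbps": 8 * 1_000,          # kiloBYTES per second
    "mbps": 8 * 1_000_000,      # megaBYTES per second
    "gbps": 8 * 1_000_000_000,  # gigaBYTES per second
}
# DSCP names accepted by the command, as listed on this page.
DSCP_VALUES = ({f"af{c}{d}" for c in "1234" for d in "123"}
               | {f"cs{n}" for n in range(1, 8)} | {"default", "ef", "va"})
# Assumption: the number is a plain integer with no space before the suffix.
_RATE = re.compile(r"([0-9]+)([a-z]*)")

def bandwidth_bits_per_second(value):
    """Convert a police bandwidth string such as '10mbit' to bits per second."""
    m = _RATE.fullmatch(value)
    if not m or m.group(2) not in BANDWIDTH_SUFFIXES:
        raise ValueError(f"unsupported bandwidth value: {value!r}")
    return int(m.group(1)) * BANDWIDTH_SUFFIXES[m.group(2)]

def check_police(rule_number, bandwidth, burst=None, dscp=None, pcp=None):
    """Return a list of problems found in one rule's police settings."""
    problems = []
    if not 1 <= rule_number <= 9999:
        problems.append("rule-number outside 1-9999")
    try:
        bandwidth_bits_per_second(bandwidth)
    except ValueError as exc:
        problems.append(str(exc))
    if burst is not None and not 1 <= burst <= 312_500_000:
        problems.append("burst outside 1-312500000 bytes")
    if dscp is not None and dscp not in DSCP_VALUES:
        problems.append(f"unsupported dscp value: {dscp!r}")
    if pcp is not None and not 0 <= pcp <= 7:
        problems.append("pcp outside 0-7")
    return problems
```

Comparing `bandwidth_bits_per_second("10mbit")` with `bandwidth_bits_per_second("10mbps")` during review makes the factor-of-eight difference between the two suffixes visible before the rule is committed.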