Vyatta documentation

security firewall name <name> rule <rule-number> police <limiting-method>

Specifies the type of packet rate limiting method.

set security firewall name name rule rule-number police { bandwidth limit | burst size | ratelimit limit | then { action drop | mark { dscp dscp-value | pcp pcp-number } } }
delete security firewall name name rule rule-number police [ { bandwidth limit | burst size | ratelimit | then { action drop | mark { dscp | pcp } } } ]
show security firewall name name rule rule-number police [ { bandwidth | burst | ratelimit | then { action | mark } } ]

The action is to drop packets when the rule is matched.

name
The name of a firewall rule set.
rule-number
The numeric identifier of a rule. The identifier ranges from 1 through 9999.
bandwidth limit
The bandwidth rate as a number followed by no space and a scaling suffix representing the rate (for example, 10mbit).

The following suffixes are supported:

No suffix: Kilobits per second.

mbit: Megabits per second.

mbps: Megabytes per second.

gbit: Gigabits per second.

kbps: Kilobytes per second.

gbps: Gigabytes per second.

burst size
The burst size limit in number of bytes. The number can range from 1 through 312500000.
ratelimit limit
The number of packets that can be sent in a second.

n: Number of packets per second.

nkpps: Thousands of packets per second.

nmpps: Millions of packets per second.

dscp dscp-value
Specifies the DSCP number. The supported values are af11 through af13, af21 through af23, af31 through af33, af41 through af43, cs1 through cs7, default, ef, and va.

Packets are marked with the given value if policing is exceeded.

pcp pcp-number
The 802.1 priority-code point number. The number can range from 0 through 7.

Packets are marked with the given value if policing is exceeded.

Configuration mode


security {
    firewall {
        name name {
            rule rule-number {
                police {
                    bandwidth limit
                    burst size
                    then {
                        action drop
                        mark {
                            dscp dscp-value
                            pcp pcp-number
                        }
                    }
                }
            }
        }
    }
}

If no then action is specified, the default action is to drop the packet if the police limits are exceeded.

Use the set form of this command to enable or disable policing of firewall rule actions.

Use the delete form of this command to delete the policing value for a rule.

Use the show form of this command to display the policing value for a rule.
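
The unit suffixes and ranges in the parameter list above are easy to misread (mbps is megabytes per second, not megabits), so the following added example, which is not Vyatta code, checks values against the documented ranges before building the set commands. The function names are hypothetical and the decimal (SI) multipliers are an assumption, since the page names the units but not the base.

```python
import re

# Suffix tables from the parameter list above. Decimal (SI) multipliers are an
# assumption: the page names the units but does not state the base.
BANDWIDTH_BITS = {"": 10**3, "mbit": 10**6, "gbit": 10**9,
                  "kbps": 8 * 10**3, "mbps": 8 * 10**6, "gbps": 8 * 10**9}
RATELIMIT_PPS = {"": 1, "kpps": 10**3, "mpps": 10**6}
DSCP_VALUES = ({f"af{c}{d}" for c in "1234" for d in "123"}
               | {f"cs{n}" for n in range(1, 8)} | {"default", "ef", "va"})


def _scaled(value, table, what):
    """Parse '<digits><suffix>' (no space allowed) and scale it with the table."""
    m = re.fullmatch(r"([0-9]+)([a-z]*)", value)
    if not m or m.group(2) not in table:
        raise ValueError(f"invalid {what} value: {value!r}")
    return int(m.group(1)) * table[m.group(2)]


def bandwidth_bps(value):
    """Bandwidth limit in bits per second; 'mbps' means megabytes per second."""
    return _scaled(value, BANDWIDTH_BITS, "bandwidth")


def ratelimit_pps(value):
    """Packet rate limit in packets per second."""
    return _scaled(value, RATELIMIT_PPS, "ratelimit")


def police_commands(name, rule, bandwidth=None, burst=None, ratelimit=None,
                    dscp=None, pcp=None):
    """Validate police settings against the documented ranges, return set commands."""
    if not 1 <= rule <= 9999:
        raise ValueError("rule-number must be 1 through 9999")
    if burst is not None and not 1 <= burst <= 312_500_000:
        raise ValueError("burst must be 1 through 312500000 bytes")
    if dscp is not None and dscp not in DSCP_VALUES:
        raise ValueError(f"unsupported dscp value: {dscp!r}")
    if pcp is not None and not 0 <= pcp <= 7:
        raise ValueError("pcp must be 0 through 7")
    if bandwidth is not None:
        bandwidth_bps(bandwidth)      # raises ValueError on a bad suffix
    if ratelimit is not None:
        ratelimit_pps(ratelimit)      # raises ValueError on a bad suffix
    base = f"set security firewall name {name} rule {rule} police"
    settings = [("bandwidth", bandwidth), ("burst", burst), ("ratelimit", ratelimit),
                ("then mark dscp", dscp), ("then mark pcp", pcp)]
    return [f"{base} {key} {val}" for key, val in settings if val is not None]
```

No then action drop line is emitted when neither mark is given, because drop is the documented default.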