Citrix ADC

Configure rate limit at packet level

You can configure a stream selector and a responder policy to collect packet-level statistics for all the connections identified by the selector. If the number of packets per second exceeds the configured threshold, the policy applies the configured action (RESET or DROP). You can configure these policies for all types of virtual servers. Packets of all sizes are counted.

To configure rate limiting at packet level, perform the following tasks:

  1. Enable load balancing
  2. Add stream selector
  3. Add stream identifier
  4. Add responder policy
  5. Add load balancing virtual server
  6. Bind responder policy

To enable the load balancing feature

At the command prompt, type:

enable ns feature lb

To add a stream selector

At the command prompt, type:

add stream selector packetlimitselector client.ip.src client.tcp.srcport client.ip.dst client.tcp.dstport

To add a stream identifier

At the command prompt, type:

add stream identifier packetlimitidentifier packetlimitselector -interval 1

To enable tracking of ACK-only packets

At the command prompt, type:

set stream identifier packetlimitidentifier -trackAckOnlyPackets ENABLED

To add a responder policy

At the command prompt, type:

add responder policy packet_rate_sessionpolicy "ANALYTICS.STREAM(\"packetlimitidentifier\").COLLECT_STATS(\"PACKET_LIMIT\", <max_threshold_PPS>, ACTION, 0/1)" NOOP


  • <max_threshold_PPS> is the maximum number of packets allowed through the connection per second.
  • ACTION can be DROP or RESET.
  • 0 or 1 represents the limit type; 0 represents the BURSTY limit type and 1 represents the SMOOTH limit type.


Example:

add responder policy packet_rate_sessionpolicy "ANALYTICS.STREAM(\"packetlimitidentifier\").COLLECT_STATS(\"PACKET_LIMIT\", 40, RESET, 0)" NOOP

To add a load balancing virtual server

At the command prompt, type:

add lb vserver <name> <serviceType> <ip> <port>

Example:

add lb vserver Vserver-lb-1 HTTP <ip> 80

To bind a responder policy

After the selector and the responder policy are configured, the policy can be bound globally or to the specific virtual server.

At the command prompt, type either of the following commands:

bind responder global <policyName> <priority> [<gotoPriorityExpression>] [-type <type>] [-invoke (<labelType> <labelName>)]

bind lb vserver <name>@ (-policyName <string>@ [-priority <positive_integer>])


Examples:

bind responder global packet_rate_sessionpolicy 101 END -type REQ_DEFAULT

bind responder global packet_rate_sessionpolicy 102 END -type

bind lb vserver v1 -policyname packet_rate_sessionpolicy -priority 10
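
The following Python model is an added illustration, not Citrix code and not part of the original procedure. It shows how the threshold of 40 from the responder policy example treats two constructed flows, keyed on the same four fields as packetlimitselector, under limit type 0 (BURSTY) and 1 (SMOOTH). The limit-type semantics in the docstring, the sample addresses and the function name simulate are assumptions made for the example.

```python
from collections import defaultdict

SECOND_US = 1_000_000  # the threshold is expressed in packets per second

# Constructed traffic: (timestamp_us, src_ip, src_port, dst_ip, dst_port).
FLOW_A = ("198.51.100.7", 40001, "203.0.113.10", 80)  # 60 packets in 0.3 s
FLOW_B = ("198.51.100.8", 40002, "203.0.113.10", 80)  # 30 packets, evenly spaced
PACKETS = sorted(
    [(i * 5_000, *FLOW_A) for i in range(60)]
    + [(i * 33_333, *FLOW_B) for i in range(30)]
)


def simulate(packets, max_pps, limit_type):
    """Return {flow: (passed, actioned)} for a simplified model of the policy.

    Assumed semantics (not spelled out on the page):
      0 = BURSTY: the full quota can be used at any point within the second.
      1 = SMOOTH: the quota is spread evenly, one packet per 1/max_pps second.
    """
    if limit_type == 0:
        slice_us, quota = SECOND_US, max_pps
    else:
        slice_us, quota = SECOND_US // max_pps, 1
    counts = defaultdict(int)    # (flow, slice index) -> packets seen so far
    passed = defaultdict(int)
    actioned = defaultdict(int)  # packets that would hit DROP or RESET
    for ts, *fields in packets:
        flow = tuple(fields)     # same four keys as packetlimitselector
        counts[(flow, ts // slice_us)] += 1
        if counts[(flow, ts // slice_us)] > quota:
            actioned[flow] += 1
        else:
            passed[flow] += 1
    return {f: (passed[f], actioned[f]) for f in {tuple(p[1:]) for p in packets}}


if __name__ == "__main__":
    for limit_type, name in ((0, "BURSTY"), (1, "SMOOTH")):
        for flow, (ok, hit) in sorted(simulate(PACKETS, 40, limit_type).items()):
            print(f"{name:6} {flow[0]}:{flow[1]} passed={ok} actioned={hit}")
```

In this model the evenly paced flow stays under the limit in both modes, while the flow that sends 60 packets in a short burst loses 20 packets under BURSTY and 48 under SMOOTH, which is the trade-off to weigh when choosing the last argument of COLLECT_STATS.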