Need help understanding rate limit 'average' and 'burst' values

My goal is to have a rate limit of max 2 requests per second per IP address for an API service we are hosting.

So I kept average as 2 and burst as 100 with default period of 1, but I could make more than 2 req/s from one IP (tested using Apache JMeter and Siege). I tried lowering the burst value to 2 and made 6 concurrent requests from same IP. Now it only allowed 2 requests and gave 429 for the rest 4. I increased burst to 6 and made 10 concurrent request from same IP and now it allowed 6 requests and gave 429 for remaining 4.

According to the docs for average value:

average is the maximum rate, by default in requests per second, allowed from a given source.

So why did an average value of 2 allow more than 2 req/s from the same IP address?