of how many there are. This is done up to the limit of the pipe.
If a total group limit of 100 bps is also specified with dynamic balancing, then this still means that
no single user may take more than that amount of bandwidth.
Precedences and Dynamic Balancing
As discussed, in addition to specifying a total limit for a grouping, limits can be specified for each
precedence within a grouping. If we specify a precedence 2 grouping limit of 30 bps then this means
that users assigned a precedence of 2 by a pipe rule will be guaranteed 30 bps no matter how many
users are using the pipe. Just as with normal pipe precedences, traffic in excess of 30 bps for users at
precedence 2 is moved down to the best effort precedence.
Continuing with the previous example, we could limit how much guaranteed bandwidth each inside
user gets for inbound SSH traffic. This prevents a single user from using up all available
high-priority bandwidth.
First we group the users of the ssh-in pipe so limits will apply to each user on the internal network.
Since the packets are inbound, we select the grouping for the ssh-in pipe to be Destination IP.
Now specify per-user limits by setting the precedence 2 limit to 16 kbps per user. This means that
each user will get no more than a 16 kbps guarantee for their SSH traffic. If desired, we could also
limit the group total bandwidth for each user to some value, such as 40 kbps.
There will be a problem if there are more than 5 users utilizing SSH simultaneously: 16 kbps times
5 is more than 64 kbps. The total limit for the pipe will still be in effect, and each user will have to
compete for the available precedence 2 bandwidth the same way they have to compete for the lowest
precedence bandwidth. Some users will still get their 16 kbps, some will not.
Dynamic balancing can be enabled to improve this situation by making sure all of the 5 users get the
same amount of limited bandwidth. When the 5th user begins to generate SSH traffic, balancing
lowers the limit per user to about 13 kbps (64 kbps divided by 5 users).
Dynamic Balancing takes place within each precedence of a pipe individually. This means that if
users are allotted a certain small amount of high priority traffic, and a larger chunk of best-effort
traffic, all users will get their share of the high-precedence traffic as well as their fair share of the
best-effort traffic.
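The SSH example above can be worked through in code. This is an added illustration, not NetDefendOS code: it assumes a simplified model in which balancing divides the precedence limit evenly among active users, and the function names and host addresses are constructed for the example.

```python
# Simplified model (an assumption, not NetDefendOS code) of per-user limits
# at one precedence of a pipe grouped by Destination IP. Values are in bps
# so that the arithmetic stays in exact integers.

def effective_user_limit(pipe_bps, user_bps, users, balancing):
    """Per-user limit at one precedence; balancing divides the pipe evenly."""
    if users < 1:
        raise ValueError("need at least one active user")
    if balancing:
        return min(user_bps, pipe_bps // users)
    return user_bps

def shape(demands_bps, pipe_bps, user_bps, balancing):
    """Return ({user: (kept, demoted)}, contended) for one precedence.

    kept:      traffic that stays at this precedence
    demoted:   excess moved down to the best effort precedence
    contended: True when the per-user amounts add up to more than the pipe
               limit, so users compete and some miss their guarantee
    """
    limit = effective_user_limit(pipe_bps, user_bps, len(demands_bps), balancing)
    shares = {}
    for user, demand in demands_bps.items():
        kept = min(demand, limit)
        shares[user] = (kept, demand - kept)
    total_kept = sum(kept for kept, _ in shares.values())
    return shares, total_kept > pipe_bps

# Constructed sample: five internal hosts, each offered 20 kbps of inbound SSH.
DEMANDS = {f"192.168.1.{n}": 20_000 for n in range(10, 15)}
PIPE_PREC2_BPS = 64_000   # precedence 2 limit of the ssh-in pipe
USER_PREC2_BPS = 16_000   # per-user precedence 2 limit

if __name__ == "__main__":
    for balancing in (False, True):
        shares, contended = shape(DEMANDS, PIPE_PREC2_BPS, USER_PREC2_BPS, balancing)
        print(f"dynamic balancing={balancing} contended={contended}")
        for ip, (kept, demoted) in shares.items():
            print(f"  {ip}: precedence 2 {kept / 1000:.1f} kbps, "
                  f"best effort {demoted / 1000:.1f} kbps")
```

Without balancing the five 16 kbps guarantees add up to 80 kbps against a 64 kbps limit, so the model reports contention; with balancing each user is held to 12.8 kbps and the guarantees fit the pipe exactly.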
10.1.8. Traffic Shaping Recommendations
The Importance of a Pipe Limit
Traffic shaping only comes into effect when a NetDefendOS pipe is full, that is to say, when it is
passing as much traffic as the total limit allows. If a 500 kbps pipe is carrying 400 kbps of low
priority traffic and 90 kbps of high priority traffic then there is 10 kbps of bandwidth left and
there is no reason to throttle back anything. It is therefore important to specify a total limit for a
pipe so that it knows what its capacity is. The precedence mechanism is totally dependent on this.
VPN Pipe Limits
Traffic shaping measures the traffic inside VPN tunnels. This is the raw unencrypted data without
any protocol overhead so it will be less than the actual VPN traffic. VPN protocols such as IPsec
can add significant overhead to the data and for this reason it is recommended that the limits
specified in the traffic shaping pipes for VPN traffic are set at around 20% below the actual
available bandwidth.
Relying on the Group Limit
Chapter 10. Traffic Management
Summary of Contents for NetDefend DFL-1660