10.1.7. Pipe Groups
Set the return chain of the port 23 rule to telnet-in followed by std-in.
Set the priority assignment for both rules to Use defaults from first pipe; the default precedence of
both the ssh-in and telnet-in pipes is 2.
With this approach, precedence 2 is not hard-coded in the rule set, so the precedence of all SSH and
Telnet traffic can be changed simply by changing the default precedence of the ssh-in and
telnet-in pipes.
Notice that we did not set a total limit for the ssh-in and telnet-in pipes. We do not need to since the
total limit will be enforced by the std-in pipe at the end of the respective chains.
The ssh-in and telnet-in pipes act as a "priority filter": they make sure that no more than the
reserved amount, 64 and 32 kbps, respectively, of precedence 2 traffic will reach std-in. SSH and
Telnet traffic exceeding their guarantees will reach std-in as precedence 0, the best-effort
precedence of the std-in and ssh-in pipes.
10.1.7. Pipe Groups
NetDefendOS provides a further level of control within pipes through the ability to split pipe
bandwidth into individual resource users within a group and to apply a limit and guarantee to each
user.
Individual users can be distinguished according to one of the following:
• Source IP
• Destination IP
• Source Network
• Destination Network
• Source Port (includes the IP)
• Destination Port (includes the IP)
• Source Interface
• Destination Interface
This feature is turned on by enabling the Grouping option in a pipe. The individual users of a group
can then have a limit and/or guarantee specified for them in the pipe. For example, if grouping is
done by source IP then each unique source IP address is a separate user.
A Port Grouping Includes the IP Address
If a grouping by port is selected then this implicitly also includes the IP address. For example, port
1024 of host computer A is not the same as port 1024 of host computer B. It is the combination of
port and IP address that identifies a unique user in a group.
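The effect of the grouping choice on who counts as a "user" can be seen in a small model. The following Python sketch is an added example, not NetDefendOS code: the function names, packet fields and the per-interval byte limit are assumptions made for illustration, and the sample packets are constructed.

```python
import ipaddress
from collections import defaultdict

def group_key(pkt, grouping, net_size=None):
    """Return the value that identifies a packet's user within a pipe group."""
    side, _, field = grouping.partition("_")        # e.g. "source_port"
    p = "src" if side == "source" else "dst"
    if field == "interface":
        return pkt[p + "_if"]
    ip = ipaddress.ip_address(pkt[p + "_ip"])
    if field == "ip":
        return str(ip)
    if field == "port":                             # port grouping includes the IP
        return f"{ip}:{pkt[p + '_port']}"
    if field == "network":                          # network grouping needs a size
        if net_size is None:
            raise ValueError("network grouping requires a network size")
        return str(ipaddress.ip_network(f"{ip}/{net_size}", strict=False))
    raise ValueError(f"unknown grouping: {grouping}")

def apply_group_limit(packets, grouping, limit_bytes, net_size=None):
    """Simplified accounting for one interval: bytes within each user's
    limit are forwarded, bytes beyond it are counted as over the limit."""
    forwarded, over = defaultdict(int), defaultdict(int)
    for pkt in packets:
        user = group_key(pkt, grouping, net_size)
        if forwarded[user] + pkt["size"] <= limit_bytes:
            forwarded[user] += pkt["size"]
        else:
            over[user] += pkt["size"]
    return dict(forwarded), dict(over)

# Constructed sample: hosts A and B both send from port 1024.
SAMPLE = [
    {"src_ip": "192.0.2.10", "src_port": 1024, "size": 600},    # host A
    {"src_ip": "192.0.2.20", "src_port": 1024, "size": 600},    # host B
    {"src_ip": "192.0.2.10", "src_port": 1024, "size": 600},    # host A again
    {"src_ip": "192.0.2.10", "src_port": 2048, "size": 600},    # host A, other port
    {"src_ip": "198.51.100.5", "src_port": 1024, "size": 600},  # another network
]

if __name__ == "__main__":
    for grouping, size in [("source_ip", None), ("source_port", None),
                           ("source_network", 24)]:
        print(grouping, apply_group_limit(SAMPLE, grouping, 1000, size))
```

With the same 1000-byte per-user limit, the amount of traffic that exceeds the limit depends only on the grouping: the wider the grouping (port, then IP, then network), the more flows share a single user's allowance.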
Grouping by Networks Requires the Size
If the grouping is by source or destination network then the network size must also be specified In
Note: The return chain ordering is important
Here, the ordering of the pipes in the return chain is important. Should std-in appear
before ssh-in and telnet-in, then traffic will reach std-in at the lowest precedence only
and hence compete for the 250 kbps of available bandwidth with other traffic.
Chapter 10. Traffic Management