D-Link NetDefend DFL-210 User Manual page 233

Network security firewall ver. 1.05

10.1.6. Grouping Users of a Pipe
each inside user gets for inbound SSH traffic. This keeps one single user from using up all available
high-priority bandwidth.
First, we will have to figure out how to group the users of the ssh-in pipe. What we want to do is
apply our limits to each user on the internal network. Considering that we are working with inbound
packets, we will want to group per destination IP, so we change the grouping for the "ssh-in" pipe to
"Per DestIP".
When the grouping is set, we can set per-user limits. In this case, we will set the precedence 1 limit
to 16 kbps per user. This means that each user will get no more than a 16 kbps guarantee for their
SSH traffic. If we wanted to, we could also limit the total bandwidth for each user to some value,
maybe 40 kbps.
As you can see, we will run into problems if there are more than four users talking a lot of SSH
simultaneously; 16 kbps times five is more than 64 kbps. The total limit for the pipe will still be in
effect, and each user will have to compete for the available precedence 1 bandwidth the same way
they have to compete for the lowest precedence bandwidth. Dynamic balancing can be used to
improve this situation; more about that later.
For a better understanding of what is happening in a live setup, we recommend trying the "pipe -u
<pipename>" console command. It will display a list of currently active users in each pipe.
10.1.6.3. Dynamic Bandwidth Balancing
As previously stated, per-user bandwidth may be limited by enabling grouping within a pipe. This
may be used to ensure that one user cannot consume all of the available bandwidth.
But what if the bandwidth for the pipe as a whole has a limit, and that limit is exceeded?
In the previous example, the precedence 2 bandwidth limit per user is 16 kbps, and the precedence 2
limit for the pipe is 64 kbps. This means that up to four simultaneous users will get their fair share
of high-precedence bandwidth.
If an additional user tries to talk SSH, the limit of 64 kbps will be exceeded. The results of this
cannot be reliably predicted. Some users will still get their 16 kbps, some will not.
To prevent such situations, there is a feature called Dynamic Bandwidth Balancing. This algorithm
ensures that the per-user bandwidth limits are dynamically lowered (and raised) in order to evenly
balance the available bandwidth between the users of the pipe.
In the above sample, when the additional user begins to generate SSH traffic, the limit per user will
be lowered to about 13 kbps (64 kbps divided by 5 users). Temporary restrictions such as these will
be gradually removed, until the configured limit is reached, or until the pipe limits are exceeded, at
which point the user limits will be lowered again. These dynamic adjustments take place 20 times
per second, and will quickly adapt to changed bandwidth distributions.
Dynamic Bandwidth Balancing takes place within each precedence of a pipe individually. This
means that if users are allotted a certain small amount of high priority traffic, and a larger chunk of
best-effort traffic, all users will get their share of the high-precedence traffic as well as their fair
share of the best-effort traffic.
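The balancing behaviour described above can be modelled for one precedence of a pipe. This is an added sketch, not D-Link's implementation: the manual gives only the 20 adjustments per second and the 16/64 kbps figures, while the recovery step size, the equal-cap calculation in fair_limit, and the demand values are assumptions made for illustration.

```python
TICKS_PER_SECOND = 20  # the manual states adjustments happen 20 times per second


def fair_limit(demands, pipe_limit):
    """Largest equal per-user cap that keeps the total within pipe_limit."""
    remaining, users = pipe_limit, len(demands)
    for demand in sorted(demands):
        if demand * users <= remaining:  # wants less than an equal share
            remaining -= demand
            users -= 1
        else:
            return remaining / users
    return float("inf")  # every demand fits; no restriction needed


def simulate(phases, user_limit=16.0, pipe_limit=64.0, step=0.1):
    """Run phases of (seconds, per-user demand in kbps) through one precedence.

    Returns one (dynamic_limit, granted_rates) tuple per phase, sampled at
    the end of that phase. `step` (kbps per tick) is an assumed recovery rate.
    """
    limit, results = user_limit, []
    for seconds, demands in phases:
        for _ in range(int(seconds * TICKS_PER_SECOND)):
            # Gradually remove the temporary restriction...
            limit = min(user_limit, limit + step)
            # ...until the pipe limit is exceeded, then lower it again.
            if sum(min(d, limit) for d in demands) > pipe_limit:
                limit = fair_limit(demands, pipe_limit)
        results.append((limit, [min(d, limit) for d in demands]))
    return results


if __name__ == "__main__":
    busy = 100.0  # constructed demand: a user who would take far more than 16 kbps
    timeline = [
        (1, [busy] * 4),          # four users: 4 x 16 = 64, no balancing needed
        (1, [busy] * 5),          # fifth user joins: limit drops to 64 / 5
        (2, [busy] * 4 + [4.0]),  # fifth user goes nearly idle
        (2, [busy] * 4),          # fifth user leaves: limit recovers to 16
    ]
    for limit, granted in simulate(timeline):
        print(f"limit={limit:5.2f} kbps  granted={[round(g, 2) for g in granted]}")
```

In the third phase the nearly idle user keeps its 4 kbps and the other four settle at 15 kbps each, which shows that a lowered limit only binds users who actually exceed it.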
Chapter 10. Traffic Management