Pipe Groups - D-Link NetDefendOS User Manual

Network security firewall

and 23, respectively:
Keep the forward chain of both rules as std-out only. Again, to simplify this example, we
concentrate only on inbound traffic, which is the direction that is the most likely to be the first
one to fill up in client-oriented setups.
Set the return chain of the port 22 rule to ssh-in followed by std-in.
Set the return chain of the port 23 rule to telnet-in followed by std-in.
Set the priority assignment for both rules to Use defaults from first pipe; the default
precedence of both the ssh-in and telnet-in pipes is 2.
With this approach, rather than hard-coding precedence 2 in the rule set, it is easy to change the
precedence of all SSH and Telnet traffic by changing the default precedence of the ssh-in and
telnet-in pipes.
Notice that we did not set a total limit for the ssh-in and telnet-in pipes. We do not need to since
the total limit will be enforced by the std-in pipe at the end of the respective chains.
The ssh-in and telnet-in pipes act as a "priority filter": they make sure that no more than the
reserved amount, 64 and 32 Kbps, respectively, of precedence 2 traffic will reach std-in. SSH and
Telnet traffic exceeding their guarantees will reach std-in as precedence 0, the best-effort
precedence of the std-in and ssh-in pipes.

10.1.7. Pipe Groups

NetDefendOS provides a further level of control within pipes through the ability to split pipe
bandwidth into individual resource users within a group and to apply a limit and guarantee to
each user.
Individual users can be distinguished according to one of the following:
Source IP
Destination IP
Source Network
Destination Network
Source Port (includes the IP)
Destination Port (includes the IP)
Source Interface
Destination Interface
This feature is turned on by enabling the Grouping option in a pipe. The individual users of a group
can then have a limit and/or guarantee specified for them in the pipe. For example, if grouping is
done by source IP then each unique source IP address is treated as a separate user.
Note: The return chain ordering is important
Here, the ordering of the pipes in the return chain is important. Should std-in appear
before ssh-in and telnet-in, then traffic will reach std-in at the lowest precedence only
and hence compete for the 250 Kbps of available bandwidth with other traffic.
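The following sketch models the "priority filter" behaviour of ssh-in and the effect of return chain ordering described in the note above. It is an added example, not code from the manual or from NetDefendOS: the Pipe class, the function names, the offered loads, the default precedence of 0 for std-in and the proportional sharing within one precedence are all assumptions made for illustration.

```python
# Simplified model (an assumption for illustration, not NetDefendOS code).
# All rates are in Kbps; precedence 0 is best effort.
BEST_EFFORT = 0

class Pipe:
    def __init__(self, name, default_prec, prec_limits=None, total=None):
        self.name = name
        self.default_prec = default_prec
        self.prec_limits = prec_limits or {}  # precedence -> Kbps limit
        self.total = total                    # total Kbps limit, None = unlimited

def arrive_at(shared, chain, offered):
    """Precedence breakdown {prec: Kbps} of one flow when it reaches `shared`."""
    # "Use defaults from first pipe": the first pipe in the chain sets precedence.
    by_prec = {chain[0].default_prec: float(offered)}
    for pipe in chain:
        if pipe is shared:
            break
        # Priority filter: traffic above a precedence limit is demoted.
        for prec, limit in pipe.prec_limits.items():
            excess = by_prec.get(prec, 0.0) - limit
            if prec != BEST_EFFORT and excess > 0:
                by_prec[prec] = float(limit)
                by_prec[BEST_EFFORT] = by_prec.get(BEST_EFFORT, 0.0) + excess
    return by_prec

def share(shared, flows):
    """Split shared.total across flows, highest precedence first.
    Assumption: flows at the same precedence are cut proportionally."""
    granted = {name: 0.0 for name in flows}
    remaining = float(shared.total)
    for prec in sorted({p for f in flows.values() for p in f}, reverse=True):
        demand = sum(f.get(prec, 0.0) for f in flows.values())
        scale = min(1.0, remaining / demand) if demand else 0.0
        for name, f in flows.items():
            granted[name] += f.get(prec, 0.0) * scale
        remaining -= demand * scale
    return granted

# Values from the page: 64 Kbps at precedence 2 for ssh-in, 250 Kbps on std-in.
ssh_in = Pipe("ssh-in", default_prec=2, prec_limits={2: 64})
std_in = Pipe("std-in", default_prec=0, total=250)  # default precedence assumed

def ssh_share(chain, ssh_offered=100, other_offered=400):  # constructed loads
    flows = {"ssh": arrive_at(std_in, chain, ssh_offered),
             "other": {BEST_EFFORT: float(other_offered)}}
    return share(std_in, flows)

good = ssh_share([ssh_in, std_in])  # ssh-in first: 64 Kbps stays at precedence 2
bad = ssh_share([std_in, ssh_in])   # std-in first: all SSH competes at precedence 0
```

With ssh-in first, SSH keeps its 64 Kbps even when std-in is oversubscribed; with std-in first, SSH falls below that figure because it is cut back along with all other best-effort traffic.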
Chapter 10: Traffic Management
