Traffic Shaping Recommendations - D-Link NetDefend DFL-210 User Manual

Network security firewall ver 2.26.01

10.1.10. Traffic Shaping
Recommendations
computer A is not the same as port 1024 of computer B and individual connections are identifiable.
If grouping by network is chosen, the network size should also be specified (this has the same
meaning as the netmask).
A Simple Groups Scenario
If the total bandwidth limit for a pipe is 400 bps and we want to allocate this bandwidth amongst
many destination IP addresses so no single IP address can take more than 100 bps of bandwidth, we
select "Per DestIP" grouping and enter the total limit for the grouping as 100 bps. Bandwidth is then
allocated on a "first come, first forwarded" basis but no single destination IP address can ever take
more than 100 bps. No matter how many connections are involved, the combined total bandwidth
still cannot exceed the pipe limit of 400 bps.
Instead of specifying a total group limit, the alternative is to enable the Dynamic Balancing option.
This ensures that the available bandwidth is divided equally between all addresses regardless of how
many there are and this is done up to the limit of the pipe. If a total group limit of 100 bps is also
specified, as before, then no single user may take more than that amount of bandwidth.
Group Limits and Guarantees
In addition to specifying a total limit for group users, limits can be specified for each precedence. If
we specify a group user limit of 30 bps for precedence 2 then this means that users assigned a
precedence of 2 by a Pipe Rule will be guaranteed 30 bps no matter how many users are using the
pipe. Just as with normal pipe precedences, traffic in excess of 30 bps for users at precedence 2 is
moved down to the Best Effort precedence.
Continuing with the previous example, we could limit how much guaranteed bandwidth each inside
user gets for inbound SSH traffic. This prevents a single user from using up all available
high-priority bandwidth.
First we group the users of the ssh-in pipe so limits will apply to each user on the internal network.
Since the packets are inbound, we select the grouping for the ssh-in pipe to be "Per DestIP".
Now we specify per-user limits by setting the precedence 2 limit to 16 kbps per user. This means
that each user will get no more than a 16 kbps guarantee for their SSH traffic. If desired, we could
also limit the group total bandwidth for each user to some value, such as 40 kbps.
There will be a problem if there are more than 5 users utilizing SSH simultaneously: 16 kbps times
5 is more than 64 kbps. The total limit for the pipe will still be in effect, and each user will have to
compete for the available precedence 2 bandwidth the same way they have to compete for the lowest
precedence bandwidth. Some users will still get their 16 kbps, some will not.
Dynamic balancing can be enabled to improve this situation by making sure all of the 5 users get the
same amount of limited bandwidth. When the 5th user begins to generate SSH traffic, balancing
lowers the limit per user to about 13 kbps (64 kbps divided by 5 users).
Dynamic Balancing takes place within each precedence of a pipe individually. This means that if
users are allotted a certain small amount of high priority traffic, and a larger chunk of best-effort
traffic, all users will get their share of the high-precedence traffic as well as their fair share of the
best-effort traffic.
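
The arithmetic of the two scenarios above, as an added example that is not part of the D-Link manual and is not NetDefendOS code: a small Python model of a pipe with "Per DestIP" grouping, comparing "first come, first forwarded" allocation with Dynamic Balancing. Modeling balancing as a max-min fair share and letting arrival order decide the first-come case are assumptions; the function names, user addresses and the 40 kbps demand are constructed.

```python
# Added illustration; not NetDefendOS code. Units are whatever the caller uses (bps or kbps).

def first_come(demands, pipe_limit, group_limit):
    """'First come, first forwarded': groups are served in arrival order,
    each capped at group_limit, until the pipe's total limit is used up."""
    remaining, grants = pipe_limit, {}
    for ip, demand in demands.items():          # dict preserves arrival order
        grants[ip] = min(demand, group_limit, remaining)
        remaining -= grants[ip]
    return grants

def balanced(demands, pipe_limit, group_limit=None):
    """Dynamic Balancing, modeled (assumption) as max-min fair share:
    every group gets an equal share of the pipe; a group that wants less
    than its share leaves the surplus to the others."""
    caps = {ip: d if group_limit is None else min(d, group_limit)
            for ip, d in demands.items()}
    remaining, grants = pipe_limit, {}
    pending = sorted(caps, key=caps.get)         # smallest demand first
    while pending:
        share = remaining / len(pending)
        ip = pending.pop(0)
        grants[ip] = min(caps[ip], share)
        remaining -= grants[ip]
    return {ip: grants[ip] for ip in demands}    # report in arrival order

def ssh_scenario(users=5):
    """The SSH case from the text: 64 kbps of precedence 2 bandwidth,
    16 kbps guaranteed per user, constructed user addresses."""
    demands = {f"192.168.1.{10 + i}": 40 for i in range(users)}  # each wants 40 kbps
    return first_come(demands, 64, 16), balanced(demands, 64, 16)

if __name__ == "__main__":
    fcfs, fair = ssh_scenario()
    for ip in fcfs:
        print(f"{ip}: first-come {fcfs[ip]:5.1f} kbps, balanced {fair[ip]:5.1f} kbps")
```

With five users the first-come model leaves the last arrival with no precedence 2 bandwidth, while the balanced model gives each user 12.8 kbps, the "about 13 kbps" figure in the text.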

10.1.10. Traffic Shaping Recommendations

The importance of setting a pipe limit
Traffic shaping only comes into effect when a NetDefendOS pipe is full. That is to say, it is passing
as much traffic as the total limit allows. If a 500 kbps pipe is carrying 400 kbps of low priority
traffic and 90 kbps of high priority traffic then there is 10 kbps of bandwidth left and there is no
reason to throttle back anything. It is therefore important to specify a total limit for a pipe so that it
Chapter 10. Traffic Management
