D-Link NetDefend DFL-210 User Manual page 416

Network security firewall ver 2.26.01
10.1.12. More Pipe Examples
Priority 0 - Web plus remaining from other levels
To implement this scheme, we can use the in-pipe and out-pipe. We first enter the Pipe Limits for
each pipe. These limits correspond to the list above and are (in kbps):
Priority 6 - 500
Priority 4 - 250
Priority 2 - 1000
Now create the Pipe Rules:

Rule Name   Forward Pipes   Return Pipes   Source Interface   Source Network   Dest Interface   Dest Network   Selected Service   Precedence
web_surf    out-pipe        in-pipe        lan                lannet           wan              all-nets       http_all           0
voip        out-pipe        in-pipe        lan                lannet           wan              all-nets       H323               6
citrix      out-pipe        in-pipe        lan                lannet           wan              all-nets       citrix             4
other       out-pipe        in-pipe        lan                lannet           wan              all-nets       All                2

These rules are processed from top to bottom and force different kinds of traffic into precedences
based on the Service. Customized service objects may need to be created first in order to identify
particular types of traffic. The all service at the end catches anything that falls through from the
earlier rules; it is important that no traffic bypasses the pipe rule set, otherwise shaping with
pipes will not work.

Pipe Chaining
Suppose the requirement now is to limit the precedence 2 capacity (other traffic) to 1000 kbps so
that it does not spill over into precedence 0. This is done with pipe chaining, where we create new
pipes called in-other and out-other, both with a Pipe Limit of 1000. The other pipe rule is then
modified to use these:

Rule Name   Forward Pipes         Return Pipes        Source Interface   Source Network   Dest Interface   Dest Network   Selected Service   Precedence
other       out-other, out-pipe   in-other, in-pipe   lan                lannet           wan              all-nets       All                2

Note that in-other and out-other are first in the pipe chain in both directions. This is because we
want to limit the traffic immediately, before it enters the in-pipe and out-pipe and competes with
VoIP, Citrix and Web-surfing traffic.

A VPN Scenario
In the cases discussed so far, all traffic shaping is occurring inside a single NetDefend Firewall.
VPN is typically used for communication between a headquarters and branch offices, in which case
pipes can control traffic flow in both directions. With VPN it is the tunnel which is the source and
destination interface for the pipe rules.
An important consideration, which has been discussed previously, is the allowance in the Pipe Total
values for the overhead used by VPN protocols. As a rule of thumb, a pipe total of 1700 bps is
reasonable for a VPN tunnel where the underlying physical connection capacity is 2 Mbps.
It is also important to remember to insert into the pipe all non-VPN traffic using the same physical
link.

Chapter 10. Traffic Management
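The following Python model is an added illustration, not NetDefendOS code and not part of the manual. It walks the pipe rule set above top to bottom and then shows why the in-other/out-other chain matters: without it, "other" traffic above its 1000 kbps limit is demoted into precedence 0 and squeezes web traffic; with it, the excess is dropped before the shared pipe. The pipe total of 2000 kbps, the offered traffic figures and the proportional sharing inside precedence 0 are assumptions made for the example.

```python
# Added illustration (not NetDefendOS code): a simplified model of the pipe
# rule set and precedence handling described in this section. All bandwidth is in kbps.

PIPE_TOTAL = 2000                        # assumed in-pipe/out-pipe total (not stated on this page)
PIPE_LIMITS = {6: 500, 4: 250, 2: 1000}  # precedence limits from the text; precedence 0 gets the rest

# Pipe rules in configured order; the first rule whose service matches wins,
# and the final "All" rule guarantees that no traffic bypasses the pipes.
PIPE_RULES = [
    ("web_surf", "http_all", 0),
    ("voip",     "H323",     6),
    ("citrix",   "citrix",   4),
    ("other",    "All",      2),
]


def classify(service):
    """Return (rule name, precedence) for a flow, processing rules top to bottom."""
    for name, svc, prec in PIPE_RULES:
        if svc == "All" or svc == service:
            return name, prec
    raise ValueError("no pipe rule matched; the catch-all rule is missing")


def allocate(demand, total=PIPE_TOTAL, limits=PIPE_LIMITS, chain_limit=None):
    """demand maps precedence -> offered kbps. Returns (passed kbps per
    precedence, the part of precedence 0 that went to web traffic).

    Higher precedences are served first, each capped at its limit; anything
    above a precedence limit is demoted to precedence 0, where it competes with
    web traffic for what is left. chain_limit models the in-other/out-other
    pipe placed before the shared pipe, which discards the excess instead."""
    demand = dict(demand)
    if chain_limit is not None:
        demand[2] = min(demand.get(2, 0), chain_limit)
    remaining, passed, spill = total, {}, 0
    for prec in sorted(limits, reverse=True):
        got = min(demand.get(prec, 0), limits[prec], remaining)
        passed[prec] = got
        remaining -= got
        spill += demand.get(prec, 0) - got
    web = demand.get(0, 0)
    offered = web + spill                 # best-effort load: web plus demoted overflow
    passed[0] = min(offered, remaining)
    web_share = 0 if offered == 0 else passed[0] * web // offered  # assumed proportional split
    return passed, web_share


# Constructed demand: 1500 kbps of "other" traffic exceeds its 1000 kbps limit.
DEMAND = {6: 300, 4: 200, 2: 1500, 0: 800}
```

Running allocate(DEMAND) against allocate(DEMAND, chain_limit=1000) shows web traffic receiving the full 500 kbps remainder only when the chain pipe is in place.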
