A Summary Of Traffic Shaping - D-Link DFL-260E User Manual

10.1.9. A Summary of Traffic Shaping

fixed bandwidth resource. An ISP might use this approach to limit individual user bandwidth by
specifying a "Per Destination IP" grouping. Knowing when the pipe is full is not important since the
only constraint is on each user. If precedences were used the pipe maximum would have to be used.
Limits should not be more than the Available Bandwidth
If pipe limits are set higher than the available bandwidth, the pipe will not know when the physical
connection has reached its capacity. If the connection is 500 kbps but the total pipe limit is set to
600 kbps, the pipe will believe that it is not full and it will not throttle lower precedences.
Limits should be less than Available Bandwidth
Pipe limits should be slightly below the network bandwidth. A recommended value is to make the
pipe limit 95% of the physical limit. The need for this difference becomes less with increasing
bandwidth since 5% represents an increasingly larger piece of the total.
The reason for the lower pipe limit is how NetDefendOS processes traffic. For outbound
connections where packets leave the NetDefend Firewall, there is always the possibility that
NetDefendOS might slightly overload the connection because of the software delays involved in
deciding to send packets and the packets actually being dispatched from buffers.
For inbound connections, there is less control over what is arriving and what has to be processed by
the traffic shaping subsystem and it is therefore more important to set pipe limits slightly below the
real connection limit to account for the time needed for NetDefendOS to adapt to changing
conditions.
Attacks on Bandwidth
Traffic shaping cannot protect against incoming resource exhaustion attacks, such as DoS attacks or
other flooding attacks. NetDefendOS will prevent these extraneous packets from reaching the hosts
behind the NetDefend Firewall, but cannot protect the connection becoming overloaded if an attack
floods it.
Watching for Leaks
When setting out to protect and shape a network bottleneck, make sure that all traffic passing
through that bottleneck passes through the defined NetDefendOS pipes.
If there is traffic going through the Internet connection that the pipes do not know about,
NetDefendOS cannot know when the Internet connection becomes full.
The problems resulting from leaks are exactly the same as in the cases described above. Traffic
"leaking" through without being measured by pipes will have the same effect as bandwidth
consumed by parties outside of administrator control but sharing the same connection.
Troubleshooting
For a better understanding of what is happening in a live setup, the console command:
gw-world:/> pipe -u <pipename>
can be used to display a list of currently active users in each pipe.
10.1.9. A Summary of Traffic Shaping
NetDefendOS traffic shaping provides a sophisticated set of mechanisms for controlling and
prioritising network packets. The following points summarize its use:
466
Chapter 10. Traffic Management