Traffic Shaping in NetDefendOS - D-Link NetDefend DFL-210 User Manual

Network security firewall

• Applying bandwidth limits and queuing packets that exceed configured limits, then sending
  them later when bandwidth demands are lower.
• Dropping packets if packet buffers are full. The packets to be dropped should be chosen from
  those that are responsible for the "jam".
• Prioritizing traffic according to administrator decisions. If traffic with a high priority increases
  while a communication line is full, traffic with a low priority can be temporarily limited to make
  room for the higher priority traffic.
• Providing bandwidth guarantees. This is typically accomplished by treating a certain amount of
  traffic (the guaranteed amount) as high priority. Traffic exceeding the guarantee then has the
  same priority as "any other traffic", and competes with the rest of the non-prioritized traffic.

Traffic shaping does not typically work by queuing up immense amounts of data and then sorting
out the prioritized traffic to send before sending non-prioritized traffic. Instead, the amount of
prioritized traffic is measured and the non-prioritized traffic is limited dynamically so that it will not
interfere with the throughput of prioritized traffic.

10.1.2. Traffic Shaping in NetDefendOS

NetDefendOS offers extensive traffic shaping capabilities for the packets passing through the
D-Link Firewall. Different rate limits and traffic guarantees can be created as policies based on the
traffic's source, destination and protocol, similar to the way in which IP rule set policies are created.
The two key components for traffic shaping in NetDefendOS are:
• Pipes
• Pipe Rules

Pipes
A Pipe is the fundamental object for traffic shaping and is a conceptual channel through which
packets of data can flow. It has various characteristics that define how traffic passing through it is
handled. As many pipes as are required can be defined by the administrator. None are defined by
default.
Pipes are simplistic in that they do not care about the types of traffic that pass through them nor the
direction of that traffic. They simply measure the data that passes through them and apply the
administrator-configured limits for the pipe as a whole or for Precedences and/or Groups (these are
explained later in Section 10.1.6, "Precedences").
NetDefendOS is capable of handling hundreds of pipes simultaneously, but in reality most scenarios
require only a handful of pipes. It is possible that dozens of pipes might be needed in scenarios
where individual pipes are used for individual protocols. Large numbers of pipes might also be
needed in an ISP scenario where individual pipes are allocated to each client.

Pipe Rules
Pipe Rules make up the Pipe Rule set. Each Rule is defined much like other NetDefendOS policies:
by specifying the source/destination interface/network as well as the Service to which the rule is to
apply. Once a new connection is permitted by the IP rule set, the Pipe rule set is then checked for
any matching rules. Pipe rules are checked in the same way as IP rules, by going from top to bottom
in the rule set. The first matching Pipe Rule, if any, is used for traffic shaping.
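
Because the lookup is top to bottom and stops at the first match, a broad pipe rule placed early hides any narrower rule below it. The following Python sketch is an added example, not NetDefendOS code or CLI syntax: it models the lookup and flags rules that can never be used. The rule fields, the "any" and "all" wildcards, and all names and addresses are assumptions made for illustration.

```python
# Added illustration: simplified model, not NetDefendOS code or CLI syntax.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class PipeRule:
    name: str
    src_if: str    # source interface; "any" is this model's wildcard
    src_net: str
    dst_if: str
    dst_net: str
    service: str   # service name; "all" is this model's wildcard
    pipe: str      # pipe that matching connections are sent through

def covers(a, b):
    """True if every connection that matches rule b also matches rule a."""
    return (a.src_if in ("any", b.src_if)
            and a.dst_if in ("any", b.dst_if)
            and a.service in ("all", b.service)
            and ip_network(b.src_net).subnet_of(ip_network(a.src_net))
            and ip_network(b.dst_net).subnet_of(ip_network(a.dst_net)))

def first_match(rules, src_if, src_ip, dst_if, dst_ip, service):
    """Top-to-bottom lookup: return the first matching rule, or None."""
    for r in rules:
        if (r.src_if in ("any", src_if) and r.dst_if in ("any", dst_if)
                and r.service in ("all", service)
                and ip_address(src_ip) in ip_network(r.src_net)
                and ip_address(dst_ip) in ip_network(r.dst_net)):
            return r
    return None

def shadowed(rules):
    """Return (rule, earlier_rule) name pairs for rules that can never match."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                out.append((later.name, earlier.name))
                break
    return out

# Constructed sample rule set (names, interfaces and networks are invented).
RULES = [
    PipeRule("all-out", "lan", "192.168.1.0/24", "wan", "0.0.0.0/0", "all", "std-out"),
    PipeRule("voip-out", "lan", "192.168.1.0/24", "wan", "0.0.0.0/0", "sip", "voip-out"),
    PipeRule("dmz-web", "dmz", "10.0.0.0/24", "wan", "0.0.0.0/0", "http", "web-out"),
]
```

In the sample, "voip-out" is reported as shadowed by "all-out"; moving it above the broad rule lets SIP connections reach their own pipe.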
Note: No pipe rules are defined by default
The rule set for pipe rules is initially empty with no rules being defined by default. At
Chapter 10. Traffic Management
