16-Security Configuration Guide

15-Bandwidth management configuration

Configuring bandwidth management

About bandwidth management

Bandwidth management provides fine-grained control over traffic that flows through the device by using the following information:

·     SSIDs.

·     User profiles.

·     Applications.

·     DSCP priorities.

Application scenario

Bandwidth management is used in the following scenarios:

·     Enterprise intranet users need far more bandwidth than the amount of bandwidth leased from an ISP. This creates a bandwidth bottleneck at the intranet egress.

·     The P2P traffic on the intranet egress consumes a majority of the bandwidth resources. As a result, bandwidth cannot be guaranteed for key services.

Bandwidth management allows you to deploy traffic rules on the network egress for different traffic types. Bandwidth management improves bandwidth efficiency and guarantees bandwidth for key services when congestion occurs.

Bandwidth management process

Bandwidth management is implemented through the traffic policy. You can configure traffic profiles and traffic rules in traffic policy view. A traffic profile specifies the guaranteed bandwidth and maximum bandwidth. A traffic rule specifies match criteria to match packets and the traffic profile to apply to matching packets.

As shown in Figure 1, the bandwidth management process is as follows:

1.     The device matches the packet against the match criteria in a traffic rule.

The packet meets a match criterion if it matches any of its match values. A packet does not match a match criterion if it matches none of its match values.

2.     If the packet meets all match criteria in the traffic rule (for the user and user group criteria, only one criterion needs to be matched), the packet matches the traffic rule. Otherwise, the packet does not match the traffic rule and continues to be matched by the next traffic rule. If the packet does not match any traffic rule, the packet is forwarded without bandwidth management.

3.     After the packet matches a traffic rule, the interface processes the packet according to the traffic profile (if any) specified for the traffic rule.

If no traffic profile is specified for the traffic rule, the packet is forwarded without bandwidth management.

4.     The traffic profile processes the packet according to its settings.

5.     If the interface is configured with a QoS feature in the outbound direction, the interface performs bandwidth management before performing QoS.

6.     The packet is controlled by the interface bandwidth of the output interface.

Figure 1 Bandwidth management process

 

Traffic rule

Multiple traffic rules can be configured in the traffic policy. For a traffic rule, you can define the match criteria to match packets and specify the traffic profile to apply to matching packets.

Traffic rules support rule nesting, which allows a traffic rule to have a parent traffic rule. A maximum of four nesting levels are supported.

Match criteria in a traffic rule

A traffic rule can have multiple match criteria. You can configure the following match criteria in a traffic rule:

·     SSIDs.

·     User profiles.

·     Services.

·     Applications.

·     DSCP priorities.

One match criterion can contain multiple match values. For example, you can configure multiple applications for an application match criterion.

Action in a traffic rule

You can use a traffic profile for an action in a traffic rule. The device limits the matching traffic according to the settings in the traffic profile.

Match order for parent and child traffic rules

The following rules apply when the device matches a traffic rule with a parent traffic rule:

·     The parent traffic rule is first matched. After the parent traffic rule is matched, the child traffic rule is matched. If the parent traffic rule is not matched, the child traffic rule is ignored and the matching process fails.

·     If both parent and child traffic rules are matched, the traffic profile for the child traffic rule is applied. If only the parent traffic rule is matched, the traffic profile for the parent traffic rule is applied.
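The matching process and the parent/child match order described above can be modeled in a few lines. This is an added illustration, not H3C code: the `Rule` class, the `meets` and `classify` helpers, and every SSID, user and application name in the sample policy are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

IDENTITY = ("user", "user-group")  # only one of these two needs to match

@dataclass
class Rule:
    name: str
    criteria: dict                      # criterion name -> set of match values
    profile: Optional[str] = None       # traffic profile name, if any
    children: list = field(default_factory=list)

def meets(criteria: dict, pkt: dict) -> bool:
    """A criterion is met if the packet matches any of its values; all criteria
    must be met, except that user and user-group count as alternatives."""
    identity = None                     # None = no identity criterion configured
    for crit, values in criteria.items():
        hit = pkt.get(crit) in values
        if crit in IDENTITY:
            identity = hit or bool(identity)
        elif not hit:
            return False
    return identity is not False

def classify(policy: list, pkt: dict):
    """Return (rule name, profile) for the first rule that matches, top to bottom.
    (None, None) means no rule matched; profile None means forwarded unmanaged."""
    for rule in policy:
        if not meets(rule.criteria, pkt):
            continue                    # parent missed: its children are ignored
        child, child_profile = classify(rule.children, pkt)
        if child is not None:
            return child, child_profile  # parent and child matched: child applies
        return rule.name, rule.profile   # only the parent matched
    return None, None

# Constructed sample policy; SSIDs, users and application names are made up.
POLICY = [
    Rule("guest", {"ssid": {"Guest"}}, "guest-total", [
        Rule("guest-p2p", {"application": {"bittorrent", "edonkey"}}, "guest-p2p-cap"),
    ]),
    Rule("voice", {"dscp": {46}, "user": {"alice"}, "user-group": {"staff"}}, "voice-min"),
    Rule("lab", {"ssid": {"Lab"}}),     # no traffic profile specified
]
```

A P2P packet on an SSID other than `Guest` never reaches `guest-p2p`, because the child is evaluated only after its parent matches.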

Traffic profile

A traffic profile defines bandwidth resources that can be used by a traffic type. The interface bandwidth can be allocated among multiple traffic profiles. You can configure the following bandwidth limit parameters and priority parameters in a traffic profile:

Rate limit mode for a traffic profile

You can limit the traffic rate in one of the following ways:

·     Limit the upstream bandwidth and downstream bandwidth separately.

·     Limit the upstream bandwidth and downstream bandwidth as a whole.

Total bandwidth limits

·     Total guaranteed bandwidth—Guarantees the total minimum bandwidth for key services when congestion occurs.

·     Total maximum bandwidth—Controls the total maximum bandwidth for non-key services to prevent them from consuming a large amount of bandwidth.

Per-IP or per-user bandwidth limits

·     Per-IP or per-user guaranteed bandwidth—Guarantees the minimum bandwidth per IP address or per user to provide for bandwidth management at finer granularity.

·     Per-IP or per-user maximum bandwidth—Controls the maximum bandwidth allowed per IP address or per user to provide for bandwidth management at finer granularity.

Per-rule, per-IP, or per-user connection limits

·     Per-rule, per-IP, or per-user connection limits—You can set the connection count limit and connection rate limit to prevent the following situations:

¡     The system resources on the device are exhausted because internal users initiate a large number of connections to external networks in a short time period.

¡     An internal server cannot process normal connection requests because it receives a large number of connection requests in a short time period.

Priority parameters

·     Traffic priority—When an interface is congested with packets of multiple traffic profiles, packets with higher priority are sent first. Packets with the same priority have the same chance of being forwarded.

·     DSCP marking—Modifies the DSCP value in packets. Network devices can classify traffic by using DSCP values and provide different treatment for packets according to the modified DSCP values.

Restrictions: Hardware compatibility with bandwidth management

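| Hardware series | Model | Product code | Bandwidth management compatibility |
|---|---|---|---|
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | Yes |
| WX2500H series | WX2508H-PWR-LTE | EWP-WX2508H-PWR-LTE | Yes |
| WX2500H series | WX2510H | EWP-WX2510H-PWR | Yes |
| WX2500H series | WX2510H-F | EWP-WX2510H-F-PWR | Yes |
| WX2500H series | WX2540H | EWP-WX2540H | Yes |
| WX2500H series | WX2540H-F | EWP-WX2540H-F | Yes |
| WX2500H series | WX2560H | EWP-WX2560H | Yes |
| WX3000H series | WX3010H | EWP-WX3010H | Yes |
| WX3000H series | WX3010H-X | EWP-WX3010H-X-PWR | Yes |
| WX3000H series | WX3010H-L | EWP-WX3010H-L-PWR | No |
| WX3000H series | WX3024H | EWP-WX3024H | Yes |
| WX3000H series | WX3024H-L | EWP-WX3024H-L-PWR | No |
| WX3000H series | WX3024H-F | EWP-WX3024H-F | Yes |
| WX3500H series | WX3508H | EWP-WX3508H | Yes |
| WX3500H series | WX3510H | EWP-WX3510H | Yes |
| WX3500H series | WX3520H | EWP-WX3520H | Yes |
| WX3500H series | WX3520H-F | EWP-WX3520H-F | Yes |
| WX3500H series | WX3540H | EWP-WX3540H | Yes |
| WX5500E series | WX5510E | EWP-WX5510E | Yes |
| WX5500E series | WX5540E | EWP-WX5540E | Yes |
| WX5500H series | WX5540H | EWP-WX5540H | Yes |
| WX5500H series | WX5560H | EWP-WX5560H | Yes |
| WX5500H series | WX5580H | EWP-WX5580H | Yes |
| Access controller modules | LSUM1WCME0 | LSUM1WCME0 | Yes |
| Access controller modules | EWPXM1WCME0 | EWPXM1WCME0 | Yes |
| Access controller modules | LSQM1WCMX20 | LSQM1WCMX20 | Yes |
| Access controller modules | LSUM1WCMX20RT | LSUM1WCMX20RT | Yes |
| Access controller modules | LSQM1WCMX40 | LSQM1WCMX40 | Yes |
| Access controller modules | LSUM1WCMX40RT | LSUM1WCMX40RT | Yes |
| Access controller modules | EWPXM2WCMD0F | EWPXM2WCMD0F | Yes |
| Access controller modules | EWPXM1MAC0F | EWPXM1MAC0F | Yes |

| Hardware series | Model | Product code | Bandwidth management compatibility |
|---|---|---|---|
| WX1800H series | WX1804H | EWP-WX1804H-PWR | Yes |
| WX1800H series | WX1810H | EWP-WX1810H-PWR | Yes |
| WX1800H series | WX1820H | EWP-WX1820H | Yes |
| WX1800H series | WX1840H | EWP-WX1840H-GL | Yes |
| WX3800H series | WX3820H | EWP-WX3820H-GL | No |
| WX3800H series | WX3840H | EWP-WX3840H-GL | No |
| WX5800H series | WX5860H | EWP-WX5860H-GL | No |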

Restrictions and guidelines: Bandwidth management configuration

As a best practice, observe the depth-first principle when creating policies. Always create a policy with a smaller management scope before a policy with a larger management scope.

Prerequisites for bandwidth management

Before configuring bandwidth management, complete the following tasks:

·     Configure time ranges (see time range configuration in Security Configuration Guide).

·     Configure applications (see APR configuration in Security Configuration Guide).

·     Configure users and user groups (see user identification configuration in User Access and Authentication Configuration Guide).

Bandwidth management tasks at a glance

To configure bandwidth management, perform the following tasks:

1.     Configuring a traffic profile

¡     Creating a traffic profile

¡     Configuring parameters for the traffic profile

¡     Setting the reference mode for the traffic profile

¡     (Optional.) Renaming the traffic profile

2.     Configuring a traffic rule

¡     Creating a traffic rule

¡     Configuring match criteria for the traffic rule

¡     Specifying a traffic profile for the traffic rule

¡     (Optional.) Specifying a time range for the traffic rule

3.     (Optional.) Managing and maintaining a traffic rule

¡     Copying a traffic rule

¡     Renaming a traffic rule

¡     Moving a traffic rule

¡     Disabling a traffic rule

Configuring a traffic profile

Creating a traffic profile

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Create a traffic profile and enter traffic profile view.

profile name profile-name

Configuring parameters for the traffic profile

About this task

A traffic profile defines the bandwidth resources that can be used and takes effect after it is specified for a traffic rule.

Restrictions and guidelines

·     Any two of the following settings are mutually exclusive:

¡     Per-IP maximum bandwidth.

¡     Per-user maximum bandwidth.

¡     Dynamic and even allocation for maximum bandwidth.

The most recent configuration takes effect.

·     The per-IP guaranteed bandwidth setting and per-user guaranteed bandwidth setting are mutually exclusive.

Procedure

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Enter traffic profile view.

profile name profile-name

4.     Configure bandwidth settings.

¡     Set the total guaranteed bandwidth or maximum bandwidth for the traffic profile.

bandwidth { downstream | total | upstream } { guaranteed | maximum } bandwidth-value

By default, the total guaranteed bandwidth and maximum bandwidth are not set.

The maximum bandwidth must be greater than or equal to the guaranteed bandwidth.

Before you can enable dynamic and even allocation for maximum bandwidth, you must set the total maximum bandwidth.

¡     Set the per-IP or per-user guaranteed bandwidth or maximum bandwidth for the traffic profile.

bandwidth { downstream | total | upstream } { guaranteed | maximum } { per-ip | per-user } bandwidth-value

By default, the per-IP or per-user guaranteed bandwidth and maximum bandwidth are not set.

5.     Enable dynamic and even allocation for maximum bandwidth.

bandwidth average enable

By default, dynamic and even allocation for maximum bandwidth is disabled.

6.     Configure connection limit settings.

¡     Set the connection count limit for the traffic profile.

connection-limit count { per-rule | per-ip | per-user } connection-number

By default, the connection count limit is not set.

¡     Set the connection rate limit for the traffic profile.

connection-limit rate { per-rule | per-ip | per-user } connection-rate

By default, the connection rate limit is not set.

7.     Configure priority settings.

¡     Set the traffic priority for packets of the traffic profile.

traffic-priority priority-value

By default, the traffic priority for packets of a traffic profile is 1.

¡     Mark the DSCP value for packets of the traffic profile.

remark dscp dscp-value

By default, the DSCP value for packets of a traffic profile is not marked.

Setting the reference mode for the traffic profile

About this task

A traffic profile can be referenced by multiple traffic rules in one of the following ways:

·     per-rule—Each rule that uses the profile can reach the bandwidth limits and connection limits specified in the profile.

·     rule-shared—All rules that use the profile share the bandwidth limits and connection limits specified in the profile.

Procedure

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Enter traffic profile view.

profile name profile-name

4.     Set the reference mode for the traffic profile.

profile reference-mode { per-rule | rule-shared }

The default setting is per-rule.

Renaming the traffic profile

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Rename a traffic profile.

profile rename old-name new-name

Configuring a traffic rule

Creating a traffic rule

About this task

For a new traffic rule to inherit the match criteria of an existing traffic rule, specify the existing traffic rule as the parent of the new traffic rule. You can specify traffic profiles for both parent and child traffic rules.

Restrictions and guidelines

A level-4 rule cannot act as a parent rule.

You can specify a parent traffic rule only when creating a traffic rule. You cannot add or modify a parent traffic rule for an existing traffic rule.

Procedure

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Create a traffic rule and enter traffic rule view.

rule name rule-name [ parent parent-rule-name ]

You can specify a traffic rule as the parent traffic rule for multiple child traffic rules.

Configuring match criteria for the traffic rule

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Enter traffic rule view.

rule name rule-name [ parent parent-rule-name ]

4.     Configure an application or application group as a match criterion.

application { app application-name | app-group application-group-name }

By default, no application or application group is used as a match criterion.

5.     Configure a user or user group as a match criterion.

¡     Configure a user as a match criterion.

user user-name [ domain domain-name ]

¡     Configure a user group as a match criterion.

user-group user-group-name [ domain domain-name ]

By default, no user or user group is used as a match criterion.

6.     Configure a DSCP priority as a match criterion.

dscp dscp-value

By default, no DSCP priority is used as a match criterion.

7.     Configure an SSID as a match criterion.

wlan ssid ssid-name

By default, no SSID is used as a match criterion.

 

8.     Configure a user profile as a match criterion.

wlan user-profile profile-name

By default, no user profile is used as a match criterion.

Specifying a traffic profile for the traffic rule

About this task

If a packet matches a traffic rule, the device applies the traffic profile specified for the traffic rule to the packet. You can set the guaranteed bandwidth and maximum bandwidth in a traffic profile.

Restrictions and guidelines

When you specify traffic profiles for parent and child traffic rules, make sure the following conditions are met:

·     The maximum bandwidth for a child traffic rule must be smaller than or equal to that for the parent traffic rule.

·     The guaranteed bandwidth for a child traffic rule must be smaller than or equal to that for the parent traffic rule.

·     The traffic profiles cannot be the same for the child and parent traffic rules.

Procedure

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Enter traffic rule view.

rule name rule-name [ parent parent-rule-name ]

4.     Specify a traffic profile for the traffic rule.

action qos profile profile-name

By default, no traffic profile is specified for a traffic rule (packets matching a traffic rule are allowed to pass).
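The restrictions on parent and child profiles, together with the nesting limit and the profile rules stated earlier, can be checked against a planned rule set before it is typed into the device. The checker below is an added example, not an H3C tool: the `Profile` and `Rule` classes, the `lint` function and all sample names and values are constructed, bandwidth values are plain integers in one common unit, and a limit is compared only when both sides set it (an assumption, since the page does not cover unset values).

```python
from dataclasses import dataclass
from typing import Optional

MAX_NESTING_LEVELS = 4  # from the page: at most four nesting levels

@dataclass
class Profile:
    name: str
    guaranteed: Optional[int] = None  # total guaranteed bandwidth (unset by default)
    maximum: Optional[int] = None     # total maximum bandwidth (unset by default)
    average: bool = False             # dynamic and even allocation for maximum bandwidth

@dataclass
class Rule:
    name: str
    profile: Optional[Profile] = None
    parent: Optional["Rule"] = None

def level(rule: Rule) -> int:
    """Nesting level of a rule: 1 for a rule without a parent."""
    depth = 1
    while rule.parent is not None:
        rule, depth = rule.parent, depth + 1
    return depth

def over(child: Optional[int], parent: Optional[int]) -> bool:
    # Assumption: a limit is compared only when both sides set it.
    return child is not None and parent is not None and child > parent

def lint(rules: list) -> list:
    """Return findings for a planned rule set; an empty list means no violation found."""
    findings = []
    for rule in rules:
        prof = rule.profile
        if level(rule) > MAX_NESTING_LEVELS:
            findings.append(f"{rule.name}: nesting level {level(rule)} > {MAX_NESTING_LEVELS}")
        if prof is None:
            continue
        if over(prof.guaranteed, prof.maximum):
            findings.append(f"{rule.name}: profile {prof.name} maximum < guaranteed")
        if prof.average and prof.maximum is None:
            findings.append(f"{rule.name}: profile {prof.name} enables even allocation without a total maximum")
        pprof = rule.parent.profile if rule.parent else None
        if pprof is None:
            continue
        if prof.name == pprof.name:
            findings.append(f"{rule.name}: same profile as parent {rule.parent.name}")
        if over(prof.maximum, pprof.maximum):
            findings.append(f"{rule.name}: maximum exceeds parent {rule.parent.name}")
        if over(prof.guaranteed, pprof.guaranteed):
            findings.append(f"{rule.name}: guaranteed exceeds parent {rule.parent.name}")
    return findings

def sample_plan() -> list:
    """Constructed plan: one valid child, two children that break the restrictions."""
    guest = Rule("guest", Profile("guest-total", guaranteed=2000, maximum=20000))
    video = Rule("guest-video", Profile("guest-video", guaranteed=1000, maximum=10000), guest)
    p2p = Rule("guest-p2p", Profile("guest-p2p", guaranteed=3000, maximum=30000), guest)
    same = Rule("guest-web", guest.profile, guest)
    return [guest, video, p2p, same]
```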

Specifying a time range for the traffic rule

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Enter traffic rule view.

rule name rule-name [ parent parent-rule-name ]

4.     Specify a time range during which the traffic rule is in effect.

time-range time-range-name

By default, a traffic rule is in effect at any time.

Managing and maintaining a traffic rule

Copying a traffic rule

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Copy a traffic rule.

rule copy rule-name new-rule-name

Renaming a traffic rule

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Rename a traffic rule.

rule rename old-rule-name new-rule-name

Moving a traffic rule

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Move a traffic rule to a new position.

rule move rule-name1 { after | before } rule-name2

Disabling a traffic rule

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Enter traffic rule view.

rule name rule-name [ parent parent-rule-name ]

4.     Disable the traffic rule.

disable

By default, a traffic rule is enabled.

Display and maintenance commands for bandwidth management

IMPORTANT:

The WX1800H series, WX2500H series, and WX3000H series access controllers do not support parameters or commands that are available only in IRF mode.

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display traffic statistics for traffic rules.

In standalone mode:

display traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name }

In IRF mode:

display traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name } [ slot slot-number ]

Display connection limit statistics.

In standalone mode:

display traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name }

In IRF mode:

display traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name } [ slot slot-number ]

Display rule-hit statistics.

In standalone mode:

display traffic-policy statistics rule-hit [ rule rule-name ]

In IRF mode:

display traffic-policy statistics rule-hit [ rule rule-name ] [ slot slot-number ]

Clear traffic statistics for traffic rules.

In standalone mode:

reset traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name }

In IRF mode:

reset traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name } [ slot slot-number ]

Clear connection limit statistics.

In standalone mode:

reset traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name }

In IRF mode:

reset traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name } [ slot slot-number ]

Clear rule-hit statistics.

In standalone mode:

reset traffic-policy statistics rule-hit [ rule rule-name ]

In IRF mode:

reset traffic-policy statistics rule-hit [ rule rule-name ] [ slot slot-number ]

 

 
