18-Internet Access Behavior Management Configuration Guide


Configuring bandwidth management

About bandwidth management

Bandwidth management provides fine-grained control over traffic that flows through the device by using the following information:

·     SSIDs.

·     User profiles.

·     Source and destination IP addresses.

·     Services.

·     Users/user groups.

·     Applications.

·     DSCP priorities.

Application scenario

Bandwidth management is used in the following scenarios:

·     Enterprise intranet users need far more bandwidth than the amount of bandwidth leased from an ISP. This creates a bandwidth bottleneck at the intranet egress.

·     The P2P traffic on the intranet egress consumes a majority of the bandwidth resources. As a result, bandwidth cannot be guaranteed for key services.

Bandwidth management allows you to deploy traffic rules on the network egress for different traffic types. Bandwidth management improves bandwidth efficiency and guarantees bandwidth for key services when congestion occurs.

Bandwidth management process

Bandwidth management is implemented through the traffic policy. You can configure traffic profiles and traffic rules in traffic policy view. A traffic profile specifies the guaranteed bandwidth and maximum bandwidth. A traffic rule specifies match criteria to match packets and the traffic profile to apply to matching packets.

As shown in Figure 1, the bandwidth management process is as follows:

1.     The device matches the packet against the match criteria in a traffic rule.

The packet meets a match criterion if it matches any of its match values. A packet does not match a match criterion if it matches none of its match values.

2.     If the packet meets all match criteria in the traffic rule (for the user and user group criteria or application and application group criteria, only one criterion needs to be matched), the packet matches the traffic rule. Otherwise, the packet does not match the traffic rule and continues to be matched by the next traffic rule. If the packet does not match any traffic rule, the packet is forwarded without bandwidth management.

3.     After the packet matches a traffic rule, the interface processes the packet according to the traffic profile (if any) specified for the traffic rule.

If no traffic profile is specified for the traffic rule, the packet is forwarded without bandwidth management.

4.     The traffic profile processes the packet according to its settings.

5.     If the interface is configured with a QoS feature in the outbound direction, the interface performs bandwidth management before performing QoS.

6.     The packet is controlled by the interface bandwidth of the output interface.

Figure 1 Bandwidth management process

 

Traffic rule

Multiple traffic rules can be configured in the traffic policy. For a traffic rule, you can define the match criteria to match packets and specify the traffic profile to apply to matching packets.

Traffic rules support rule nesting, which allows a traffic rule to have a parent traffic rule. A maximum of four nesting levels are supported.

Match criteria in a traffic rule

A traffic rule can have multiple match criteria. You can configure the following match criteria in a traffic rule:

·     SSIDs.

·     User profiles.

·     Source and destination IP addresses.

·     Services.

·     Users/user groups.

·     Applications.

·     DSCP priorities.

One match criterion can contain multiple match values. For example, you can configure multiple applications for an application match criterion.

Action in a traffic rule

You can use a traffic profile for an action in a traffic rule. The device limits the matching traffic according to the settings in the traffic profile.

Match order for parent and child traffic rules

The following rules apply when the device matches a traffic rule with a parent traffic rule:

·     The parent traffic rule is first matched. After the parent traffic rule is matched, the child traffic rule is matched. If the parent traffic rule is not matched, the child traffic rule is ignored and the matching process fails.

·     If both parent and child traffic rules are matched, the traffic profile for the child traffic rule is executed before the traffic profile for the parent traffic rule is executed. If both parent and child traffic rules are about the same parameter, the smaller value for an upper-limit parameter or the larger value for a lower-limit parameter is applied. If only the parent traffic rule is matched, the traffic profile for the parent traffic rule is applied.
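The match logic described above, as an added Python model (not H3C code and not the device's implementation). It assumes packet attributes are already resolved to the labels used in the rules and that child rules are tried in configured order; all rule names and values are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Pairs for which the page says matching either criterion is enough.
EITHER_PAIRS = (("user", "user_group"), ("application", "application_group"))

@dataclass
class Rule:
    name: str
    criteria: dict = field(default_factory=dict)   # criterion -> set of match values
    guaranteed: Optional[int] = None               # from the rule's traffic profile
    maximum: Optional[int] = None                  # from the rule's traffic profile
    children: list = field(default_factory=list)   # child rules (assumed order)

def criterion_met(rule, packet, key):
    # A criterion is met when the packet matches any one of its match values.
    return packet.get(key) in rule.criteria[key]

def own_criteria_met(rule, packet):
    pending = set(rule.criteria)
    for pair in EITHER_PAIRS:
        configured = pending.intersection(pair)
        if configured and not any(criterion_met(rule, packet, k) for k in configured):
            return False
        pending -= configured
    # Every remaining criterion must be met.
    return all(criterion_met(rule, packet, k) for k in pending)

def match_chain(rule, packet):
    """Matched rules from parent down to the deepest matching child, or []."""
    if not own_criteria_met(rule, packet):
        return []                      # parent not matched: children are ignored
    for child in rule.children:
        chain = match_chain(child, packet)
        if chain:
            return [rule] + chain
    return [rule]                      # only the parent matched

def effective_limits(chain):
    maxima = [r.maximum for r in chain if r.maximum is not None]
    floors = [r.guaranteed for r in chain if r.guaranteed is not None]
    return {"maximum": min(maxima) if maxima else None,      # smaller upper limit
            "guaranteed": max(floors) if floors else None}   # larger lower limit

def evaluate(policy, packet):
    """Return (matched rule names, limits), or None when no rule matches."""
    for rule in policy:
        chain = match_chain(rule, packet)
        if chain:
            return [r.name for r in chain], effective_limits(chain)
    return None    # forwarded without bandwidth management

# Constructed sample policy and packets (values are illustrative only).
video = Rule("corp-video", {"application": {"video", "p2p"}, "user": {"bob"},
                            "user_group": {"staff"}}, guaranteed=5000, maximum=20000)
POLICY = [Rule("corp", {"ssid": {"corp"}}, guaranteed=10000, maximum=100000,
               children=[video]),
          Rule("printers", {"dscp": {"af11"}})]   # no traffic profile specified

if __name__ == "__main__":
    for pkt in ({"ssid": "corp", "application": "video", "user": "alice",
                 "user_group": "staff"},
                {"ssid": "corp", "application": "web", "user": "bob"},
                {"ssid": "guest", "application": "video"}):
        print(pkt, "->", evaluate(POLICY, pkt))
```

A result whose limits are both `None` corresponds to a matched rule without a traffic profile, which the page says is forwarded without bandwidth management.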

Rule matching acceleration

This feature accelerates traffic rule matching when there is a large number of rules in the traffic policy. Insufficient memory can cause rule matching acceleration failures. Unaccelerated rules do not take effect, and rules that have been accelerated are not affected.

Traffic profile

A traffic profile defines bandwidth resources that can be used by a traffic type. The interface bandwidth can be allocated among multiple traffic profiles. You can configure the following bandwidth limit parameters and priority parameters in a traffic profile:

Rate limit mode for a traffic profile

You can limit the traffic rate in one of the following ways:

·     Limit the upstream bandwidth and downstream bandwidth separately.

·     Limit the upstream bandwidth and downstream bandwidth as a whole.

Total bandwidth limits

·     Total guaranteed bandwidth—Guarantees the total minimum bandwidth for key services when congestion occurs.

·     Total maximum bandwidth—Controls the total maximum bandwidth for non-key services to prevent them consuming a large amount of bandwidth.

Per-IP or per-user bandwidth limits

·     Per-IP or per-user guaranteed bandwidth—Guarantees the minimum bandwidth per IP address or per user to provide for bandwidth management at finer granularity.

·     Per-IP or per-user maximum bandwidth—Controls the maximum bandwidth allowed per IP address or per user to provide for bandwidth management at finer granularity.

Per-rule, per-IP, or per-user connection limits

·     Per-rule, per-IP, or per-user connection limits—You can set the connection count limit and connection rate limit to prevent the following situations:

¡     The system resources on the device are exhausted because internal users initiate a large number of connections to external networks in a short time period.

¡     An internal server cannot process normal connection requests because it receives a large number of connection requests in a short time period.

Priority parameters

·     Traffic priority—When an interface is congested with packets of multiple traffic profiles, packets with higher priority are sent first. Packets with the same priority have the same chance of being forwarded.

·     DSCP marking—Modifies the DSCP value in packets. Network devices can classify traffic by using DSCP values and provide different treatment for packets according to the modified DSCP values.

Restrictions and guidelines: Bandwidth management configuration

When you configure bandwidth management, follow these restrictions and guidelines:

·     As a best practice, observe the depth-first principle when creating policies. Always create a policy with a smaller management scope before a policy with a larger management scope.

·     An interface with small default expected bandwidth might experience traffic loss if the following conditions exist:

¡     There is a large amount of traffic on the interface.

¡     The interface uses the default expected bandwidth.

To avoid traffic loss, explicitly set the expected bandwidth to a large value for such an interface. For example, you can set the expected bandwidth of a tunnel interface to a value greater than 64 kbps (the default) if there is a large amount of traffic on the interface.

Prerequisites for bandwidth management

Before configuring bandwidth management, complete the following tasks:

·     Configure time ranges (see time range configuration in Security Configuration Guide).

·     Configure IP address object groups and service object groups (see object group configuration in Security Configuration Guide).

·     Configure applications (see APR configuration in DPI Configuration Guide).

·     Configure users and user groups (see user identification configuration in User Access and Authentication Configuration Guide).

Bandwidth management tasks at a glance

To configure bandwidth management, perform the following tasks:

1.     Configuring a traffic profile

¡     Creating a traffic profile

¡     Configuring bandwidth limits for the traffic profile

¡     Setting the reference mode for the traffic profile

¡     (Optional.) Renaming the traffic profile

2.     Configuring a traffic rule

¡     Creating a traffic rule

¡     Configuring match criteria for the traffic rule

¡     Specifying an action for the traffic rule

¡     (Optional.) Specifying a time range for the traffic rule

3.     (Optional.) Managing and maintaining a traffic rule

¡     Copying a traffic rule

¡     Renaming a traffic rule

¡     Moving a traffic rule

¡     Disabling a traffic rule

4.     (Optional.) Enabling bandwidth management statistics collection

Configuring a traffic profile

Creating a traffic profile

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Create a traffic profile and enter traffic profile view.

profile name profile-name

Configuring bandwidth limits for the traffic profile

About this task

A traffic profile defines the bandwidth resources that can be used and takes effect after it is specified for a traffic rule.

Restrictions and guidelines

·     Any two of the following settings are mutually exclusive:

¡     Per-IP maximum bandwidth.

¡     Per-user maximum bandwidth.

¡     Dynamic and even allocation for maximum bandwidth.

The most recent configuration takes effect.

·     The per-IP guaranteed bandwidth setting and per-user guaranteed bandwidth setting are mutually exclusive.

Procedure

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Enter traffic profile view.

profile name profile-name

4.     Configure bandwidth settings.

¡     Set the total guaranteed bandwidth or maximum bandwidth for the traffic profile.

bandwidth { downstream | total | upstream } { guaranteed | maximum } bandwidth-value

By default, the total guaranteed bandwidth and maximum bandwidth are not set.

The maximum bandwidth must be greater than or equal to the guaranteed bandwidth.

Before you can enable dynamic and even allocation for maximum bandwidth, you must set the total maximum bandwidth.

¡     Set the per-IP or per-user guaranteed bandwidth or maximum bandwidth for the traffic profile.

bandwidth { downstream | total | upstream } { guaranteed | maximum } { per-ip | per-user } bandwidth-value

By default, the per-IP or per-user guaranteed bandwidth and maximum bandwidth are not set.

¡     Set the TCP MSS for the traffic profile.

tcp mss mss-value

By default, the TCP MSS is not set.

5.     Set the per-IP monthly traffic quota.

bandwidth total traffic-quota per-ip monthly quota-value

By default, the amount of traffic used by an IP address per month is not limited.

6.     Enable dynamic and even allocation for maximum bandwidth.

bandwidth average enable

By default, dynamic and even allocation for maximum bandwidth is disabled.

7.     Configure connection limit settings.

¡     Set the connection count limit for the traffic profile.

connection-limit count { per-rule | per-ip | per-user } connection-number

By default, the connection count limit is not set.

¡     Set the connection rate limit for the traffic profile.

connection-limit rate { per-rule | per-ip | per-user } connection-rate

By default, the connection rate limit is not set.

8.     Configure priority settings.

¡     Set the traffic priority for packets of the traffic profile.

traffic-priority priority-value

By default, the traffic priority for packets of a traffic profile is 1.

¡     Mark the DSCP value for packets of the traffic profile.

remark dscp dscp-value

By default, the DSCP value for packets of a traffic profile is not marked.

Setting the reference mode for the traffic profile

About this task

A traffic profile can be referenced by multiple traffic rules in one of the following ways:

·     per-rule: Each rule that uses the profile can reach the bandwidth limits and connection limits specified in the profile.

·     rule-shared: All rules that use the profile share the bandwidth limits and connection limits specified in the profile.

Procedure

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Enter traffic profile view.

profile name profile-name

4.     Set the reference mode for the traffic profile.

profile reference-mode { per-rule | rule-shared }

The default setting is per-rule.

Renaming the traffic profile

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Rename a traffic profile.

profile rename old-name new-name

Configuring a traffic rule

Creating a traffic rule

About this task

For a new traffic rule to inherit the match criteria of an existing traffic rule, specify the existing traffic rule as the parent of the new traffic rule. You can specify traffic profiles for both parent and child traffic rules.

Restrictions and guidelines

A level-4 rule cannot act as a parent rule.

You can specify a parent traffic rule only when creating a traffic rule. You cannot add or modify a parent traffic rule for an existing traffic rule.

Procedure

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     (Optional.) Enable bandwidth management for traffic flows of the IP layer and upper layers.

all-traffic-control enable

By default, bandwidth management is performed only for traffic flows of Layer 4 and upper layers.

Use this feature when there is a large number of IP traffic flows in the network.

4.     Create a traffic rule and enter traffic rule view.

rule [ rule-id ] name rule-name [ parent parent-rule-name ]

You can specify a traffic rule as the parent traffic rule for multiple child traffic rules.

Configuring match criteria for the traffic rule

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Enter traffic rule view.

Choose one option as needed:

¡     rule rule-id

¡     rule [ rule-id ] name rule-name [ parent parent-rule-name ]

4.     Configure an IP address object group as a match criterion.

¡     Configure a destination IP address object group as a match criterion.

destination-address address-set object-group-name

¡     Configure a source IP address object group as a match criterion.

source-address address-set object-group-name

By default, no IP address object group is used as a match criterion.

5.     Configure a service object group as a match criterion.

service object-group-name

By default, no service object group is used as a match criterion.

6.     Configure an application or application group as a match criterion.

application { app application-name | app-group application-group-name }

By default, no application or application group is used as a match criterion.

7.     Configure a user or user group as a match criterion.

¡     Configure a user as a match criterion.

user user-name [ domain domain-name ]

¡     Configure a user group as a match criterion.

user-group user-group-name [ domain domain-name ]

By default, no user or user group is used as a match criterion.

8.     Configure a DSCP priority as a match criterion.

dscp dscp-value

By default, no DSCP priority is used as a match criterion.

9.     Configure an IPv6 packet attribute as a match criterion.

¡     Configure the flow label attribute as a match criterion.

ipv6 flow-label { nonzero | zero }

By default, the flow label attribute is not used as a match criterion.

¡     Configure the extension header attribute as a match criterion.

ipv6 extension-header { authentication | destination | encapsulating | fragment | hop-by-hop | routing }

By default, the extension header attribute is not used as a match criterion.

10.     Configure a WLAN attribute as a match criterion.

¡     Configure an SSID as a match criterion.

wlan ssid ssid-name

By default, no SSID is used as a match criterion.

¡     Configure a user profile as a match criterion.

wlan user-profile profile-name

By default, no user profile is used as a match criterion.

11.     Configure a terminal or terminal group as a match criterion.

¡     Configure a terminal as a match criterion.

terminal terminal-name

By default, no terminal is used as a match criterion.

¡     Configure a terminal group as a match criterion.

terminal-group group-name

By default, no terminal group is used as a match criterion.

Specifying an action for the traffic rule

About this task

If a packet matches a traffic rule, the device performs the action specified in the traffic rule on the packet.

Restrictions and guidelines

When you specify traffic profiles for parent and child traffic rules, make sure the following conditions are met:

·     The maximum bandwidth for a child traffic rule must be smaller than or equal to that for the parent traffic rule.

·     The guaranteed bandwidth for a child traffic rule must be smaller than or equal to that for the parent traffic rule.

·     The traffic profiles cannot be the same for the child and parent traffic rules.

Procedure

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Enter traffic rule view.

Choose one option as needed:

¡     rule rule-id

¡     rule [ rule-id ] name rule-name [ parent parent-rule-name ]

4.     Specify an action for the traffic rule.

action { deny | none | qos profile profile-name }

The default action is none, which allows matching packets to pass through without bandwidth management.
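A pre-deployment check for a planned policy, as an added Python example (not H3C tooling). It covers the parent and child profile restrictions above and the profile restrictions stated earlier (maximum not below guaranteed, total maximum required for even allocation, four nesting levels); the dictionary layout, names and values are constructed assumptions.

```python
MAX_LEVELS = 4   # the page allows at most four nesting levels

def rule_level(name, rules):
    """Nesting level of a rule: 1 for a rule that has no parent."""
    level, seen = 1, {name}
    while rules[name].get("parent"):
        name = rules[name]["parent"]
        if name in seen:
            raise ValueError(f"parent loop at rule {name}")
        seen.add(name)
        level += 1
    return level

def lint_policy(profiles, rules):
    """Return findings for a planned policy; an empty list means none found."""
    findings = []
    for pname, prof in profiles.items():
        low, high = prof.get("guaranteed"), prof.get("maximum")
        # The maximum bandwidth must be greater than or equal to the guaranteed.
        if low is not None and high is not None and high < low:
            findings.append(f"profile {pname}: maximum {high} < guaranteed {low}")
        # Dynamic and even allocation requires the total maximum to be set.
        if prof.get("average") and high is None:
            findings.append(f"profile {pname}: even allocation needs a total maximum")
    for rname, rule in rules.items():
        if rule_level(rname, rules) > MAX_LEVELS:
            findings.append(f"rule {rname}: nested deeper than {MAX_LEVELS} levels")
        parent = rule.get("parent")
        if parent is None:
            continue
        child_prof, parent_prof = rule.get("profile"), rules[parent].get("profile")
        if child_prof is None or parent_prof is None:
            continue
        # Parent and child rules cannot use the same traffic profile.
        if child_prof == parent_prof:
            findings.append(f"rule {rname}: uses the same profile as parent {parent}")
            continue
        # Child limits must be smaller than or equal to the parent's.
        for key in ("maximum", "guaranteed"):
            c, p = profiles[child_prof].get(key), profiles[parent_prof].get(key)
            if c is not None and p is not None and c > p:
                findings.append(f"rule {rname}: {key} {c} > parent {parent} {key} {p}")
    return findings

# Constructed plan: profile and rule names and bandwidth values are illustrative.
PROFILES = {
    "site":   {"guaranteed": 20000, "maximum": 100000},
    "video":  {"guaranteed": 5000,  "maximum": 20000},
    "backup": {"guaranteed": 30000, "maximum": 10000},
    "guest":  {"average": True},
}
RULES = {
    "site":        {"profile": "site"},
    "site-video":  {"parent": "site", "profile": "video"},
    "site-backup": {"parent": "site", "profile": "backup"},
    "site-misc":   {"parent": "site", "profile": "site"},
}

if __name__ == "__main__":
    for finding in lint_policy(PROFILES, RULES):
        print(finding)
```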

Specifying a time range for the traffic rule

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Enter traffic rule view.

Choose one option as needed:

¡     rule rule-id

¡     rule [ rule-id ] name rule-name [ parent parent-rule-name ]

4.     Specify a time range during which the traffic rule is in effect.

time-range time-range-name

By default, a traffic rule is in effect at any time.

Managing and maintaining a traffic rule

Copying a traffic rule

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Copy a traffic rule.

rule copy rule-name new-rule-name

Renaming a traffic rule

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Rename a traffic rule.

rule rename old-rule-name new-rule-name

Moving a traffic rule

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Move a traffic rule to a new position.

rule move rule-name1 { after | before } rule-name2

Disabling a traffic rule

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Enter traffic rule view.

Choose one option as needed:

¡     rule rule-id

¡     rule [ rule-id ] name rule-name [ parent parent-rule-name ]

4.     Disable the traffic rule.

disable

By default, a traffic rule is enabled.

Enabling bandwidth management statistics collection

About this task

This feature can collect the following statistics:

·     Traffic statistics, which can be displayed by using the display traffic-policy statistics bandwidth command.

·     Connection limit statistics, which can be displayed by using the display traffic-policy statistics connection-limit command.

·     Rule-hit statistics, which can be displayed by using the display traffic-policy statistics rule-hit command.

Restrictions and guidelines

This feature affects device performance. As a best practice, enable this feature only if you need to view statistics.

Procedure

1.     Enter system view.

system-view

2.     Enter traffic policy view.

traffic-policy

3.     Enable bandwidth management statistics collection.

¡     Enable traffic statistics collection.

statistics bandwidth enable

By default, traffic statistics collection is disabled.

¡     Enable connection limit statistics collection.

statistics connection-limit enable

By default, connection limit statistics collection is disabled.

¡     Enable rule-hit statistics collection.

statistics rule-hit enable

By default, rule-hit statistics collection is disabled.

Display and maintenance commands for bandwidth management

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display traffic statistics for traffic rules.

display traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name }

Display connection limit statistics.

display traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name }

Display rule-hit statistics.

display traffic-policy statistics rule-hit [ [ beyond beyond-number ] | [ rule rule-name ] ]

Clear traffic statistics for traffic rules.

reset traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name }

Clear connection limit statistics.

reset traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name }

Clear rule-hit statistics.

reset traffic-policy statistics rule-hit [ rule rule-name ]

 

 
