H3C SecPath Security Products FAQ(V7)-6W100


12-Bandwidth management FAQ

Bandwidth management FAQ

Q.     Why are traffic logs not updated when traffic is present for a long time?

A.     Identify whether a memory threshold alarm is generated. If a memory threshold alarm is generated, traffic log data will not be updated until the device reboots.

Q.     What are the differences and similarities between bandwidth management and other DPI services?

A.     Differences: A DPI application profile does not need to be created and referenced for bandwidth management.

A traffic policy in bandwidth management is configured in system view and takes effect on all interfaces on the device. The number of traffic policies and the number of traffic profiles are limited only by the device memory.

Similarities: Both of them are related to the Deep Inspect Engine (DIM). The DIM must be enabled for an interzone policy. Bandwidth management performs rate limiting based on the DIM session information. In addition, application-based or application group-based rate limiting requires the DIM to identify packets.

Q.     Why does the configured interface bandwidth not take effect?

A.     The bandwidth interface takes effect only after it is referenced by a traffic policy that is enabled. The bandwidth interface takes effect even if the traffic policy is empty. In addition, the bandwidth interface takes effect only in the outbound direction of an interface.

Q.     How do a traffic policy, interface bandwidth, and QoS policy process traffic?

A.     The traffic is first limited by the default interface bandwidth (1 Gbps for a 1 Gbps interface and 10 Gbps for a 10 Gbps interface) of the input interface. Then, the traffic is limited by the QoS policy applied to the inbound direction of the input interface. The traffic is then matched against the match criteria in the traffic policy, and matching traffic is rate limited by the traffic profile. On the output interface, the traffic is limited by the interface bandwidth and the QoS policy applied to the outbound direction. As a best practice, do not use both DPI services and QoS. They have overlapping functions, and QoS affects some settings of bandwidth management.

Q.     What are the differences between the DSCP priority in a traffic rule and the forwarding priority and DSCP priority in a traffic profile?

A.     The DSCP priority in a traffic rule is used to match packets. Its use is the same as other match criteria, such as source/destination security zone and source/destination IP address.

The packets of a traffic profile with a higher forwarding priority are preferentially forwarded.

The DSCP priority in a traffic profile is used to modify the original DSCP priority in packets. You can use a packet capture tool to identify whether the modified DSCP priority takes effect.

Q.     What do OR and AND between match criteria mean in a traffic policy?

A.     The relationship between user and user group and the relationship between application and application group are OR. The relationship between any other match criteria is AND. One match criterion can contain multiple match values. A packet matches a match criterion if it matches one value.

Q.     What is the match order of different traffic policies and parent/child traffic policies?

A.     Different traffic policies are matched in configuration order. The parent traffic policy is first matched. The child traffic policy is matched only after the parent traffic policy is matched. The traffic profile in the child traffic policy is applied if the child traffic policy is matched. The traffic profile in the child traffic policy is limited by the traffic profile in the parent traffic policy.
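The matching rules from the two answers above (OR/AND between match criteria, then configuration order and parent/child policies), as an added Python model that is not H3C code or device configuration. The `Policy` class, the criterion names, and the sample policies are constructed for illustration; stopping at the first matching policy and falling back to the parent's profile when no child matches are assumptions of this model.

```python
from dataclasses import dataclass, field

# Criteria the FAQ describes as ORed with each other; all others are ANDed.
OR_PAIRS = [("user", "user_group"), ("application", "application_group")]

@dataclass
class Policy:                      # hypothetical model, not a device object
    name: str
    criteria: dict                 # criterion name -> set of configured values
    limit_kbps: int                # rate limit of the referenced traffic profile
    children: list = field(default_factory=list)

def criterion_hit(policy, packet, key):
    # A criterion may hold several values; matching any one value is enough.
    return bool(policy.criteria[key] & packet.get(key, set()))

def matches(policy, packet):
    remaining = set(policy.criteria)
    for pair in OR_PAIRS:
        present = [k for k in pair if k in remaining]
        remaining -= set(pair)
        # OR inside the pair: at least one configured member must hit.
        if present and not any(criterion_hit(policy, packet, k) for k in present):
            return False
    # AND across every other configured criterion.
    return all(criterion_hit(policy, packet, k) for k in remaining)

def select(policies, packet, cap=None):
    """Return (policy name, effective limit in kbps), or None if nothing matches."""
    for p in policies:             # configuration order; first match wins (assumption)
        if not matches(p, packet):
            continue
        limit = p.limit_kbps if cap is None else min(p.limit_kbps, cap)
        # Children are evaluated only after the parent has matched, and the
        # child's profile is limited by the parent's profile.
        return select(p.children, packet, cap=limit) or (p.name, limit)
    return None

# Constructed sample policies (names, zones and limits are illustrative only).
POLICIES = [
    Policy("office",
           {"src_zone": {"Trust"}, "user": {"alice"}, "user_group": {"staff"}},
           10000,
           children=[Policy("office-video", {"application_group": {"video"}}, 20000)]),
    Policy("default", {"src_zone": {"Trust", "DMZ"}}, 5000),
]
```

In this model a child profile configured above its parent's limit (20000 kbps under a 10000 kbps parent) is capped at the parent's value, which is the case worth checking when a child policy appears to limit less than expected.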

Q.     Why do traffic reports and traffic logs not display traffic statistics when traffic is present for a long time?

A.     There are two reasons:

·     The traffic does not reach the device.

·     The session statistics enable command is not executed.

Q.     Why is rate limiting inaccurate after per-user or per-IP rate limit is configured?

A.     Understand the concept of overall bandwidth. For example, if the per-user rate limit is 100 kbps, 10 users are limited to a total of 1 Mbps. If the per-IP rate limit is 100 kbps, 10 IP addresses are limited to a total of 1 Mbps. If the overall bandwidth is limited, the per-user rate limit multiplied by the number of users is smaller than the overall bandwidth. Similarly, the per-IP rate limit multiplied by the number of IP addresses is smaller than the overall bandwidth. If the per-user or per-IP rate limit multiplied by the number of users is greater than the overall bandwidth, the displayed bandwidth is the overall bandwidth instead of the calculated value.

Q.     Which command can I use to display the current connection count?

A.     You can use the display traffic-policy statistics connection-limit maximum per-rule all command to display the current connections, rejected connections, and the total connection limit. Before you can view the current connections and rejected connections, you must configure the total connection limit on the Web interface or at the CLI.

Q.     What is the difference among per-rule, per-user, and per-IP bandwidth limits?

A.     The per-rule bandwidth limit is the total bandwidth limit for the entire rule. The per-user and per-IP bandwidth limits are controlled by the per-rule bandwidth limit. Additionally, you can configure a per-user or per-IP bandwidth limit, but not both. Similarly, the connection count limit and connection rate limit are also configured per rule, per user, and per IP.

Q.     How should I understand the concepts of forwarding priority and guaranteed bandwidth?

A.     The forwarding priority takes effect after it is configured, and the guaranteed bandwidth takes effect when congestion occurs on a link. The guaranteed bandwidth settings for two key services can both take effect, and packets with a higher forwarding priority are forwarded preferentially. The guaranteed bandwidth is the minimum bandwidth guaranteed to a flow. The forwarding priority determines whether packets of a flow are forwarded preferentially.

 
