Configuring bandwidth management
Restrictions and guidelines: Bandwidth management configuration
Prerequisites for bandwidth management
Bandwidth management tasks at a glance
Configuring bandwidth limits for the traffic profile
Configuring bandwidth detection for the traffic profile
Setting the reference mode for the traffic profile
Configuring match criteria for the traffic rule
Specifying an action for the traffic rule
Specifying a time range for the traffic rule
Managing and maintaining a traffic rule
Activating rule matching acceleration
Enabling bandwidth management for all IPv6 Layer 4 traffic
Enabling after-NAT source or destination matching
Enabling hardware bandwidth management
Enabling bandwidth management statistics collection
Display and maintenance commands for bandwidth management
Bandwidth management configuration examples
Example: Configuring a single traffic profile
Example: Configuring parent/child traffic profiles
Configuring bandwidth management
About bandwidth management
Bandwidth management provides fine-grained control over traffic that flows through the device by using the following information:
· Source and destination security zones.
· Source and destination IP addresses.
· Services.
· Users/user groups.
· Applications.
· DSCP priorities.
Application scenario
Bandwidth management is used in the following scenarios:
· Enterprise intranet users need far more bandwidth than the amount of bandwidth leased from an ISP. This creates a bandwidth bottleneck at the intranet egress.
· The P2P traffic on the intranet egress consumes a majority of the bandwidth resources. As a result, bandwidth cannot be guaranteed for key services.
Bandwidth management allows you to deploy traffic rules on the network egress for different traffic types. Bandwidth management improves bandwidth efficiency and guarantees bandwidth for key services when congestion occurs.
Bandwidth management process
Bandwidth management is implemented through the traffic policy. You can configure traffic profiles and traffic rules in traffic policy view. A traffic profile specifies the guaranteed bandwidth and maximum bandwidth. A traffic rule specifies match criteria to match packets and the traffic profile to apply to matching packets.
As shown in Figure 1, the bandwidth management process is as follows:
1. The device matches the packet against the match criteria in a traffic rule.
The packet meets a match criterion if it matches any of its match values. A packet does not match a match criterion if it matches none of its match values.
2. If the packet meets all match criteria in the traffic rule (for the user and user group criteria or application and application group criteria, only one criterion needs to be matched), the packet matches the traffic rule. Otherwise, the packet does not match the traffic rule and continues to be matched by the next traffic rule. If the packet does not match any traffic rule, the packet is forwarded without bandwidth management.
3. The packet stops the matching process once it matches a traffic rule. The system executes the action configured in the rule on packets that match the rule:
¡ Block—Drops the packets directly.
¡ Rate-limiting—Directs the packets to the referenced traffic profile for processing, and forwards packets that do not exceed the bandwidth limit through the output interface.
¡ No rate limiting—Forwards packets directly through the output interface without passing through a traffic profile.
4. The traffic profile processes the packet according to its settings.
5. If the interface is configured with a QoS feature in the outbound direction, the interface performs bandwidth management before performing QoS.
6. The packet is controlled by the interface bandwidth of the output interface.
Figure 1 Bandwidth management process
Traffic rule
Multiple traffic rules can be configured in the traffic policy. For a traffic rule, you can define the match criteria to match packets and specify the traffic profile to apply to matching packets.
Traffic rules support rule nesting, which allows a traffic rule to have a parent traffic rule. A maximum of four nesting levels are supported.
Match criteria in a traffic rule
A traffic rule can have multiple match criteria. You can configure the following match criteria in a traffic rule:
· Source and destination security zones.
· Source and destination IP addresses.
· Source and destination IP address object groups.
· Services.
· Users/user groups.
· Applications.
· DSCP priorities.
One match criterion can contain multiple match values. For example, you can configure multiple applications for an application match criterion.
Action in a traffic rule
You can use a traffic profile for an action in a traffic rule. The device limits the matching traffic according to the settings in the traffic profile.
Match order for parent and child traffic rules
The following rules apply when the device matches a traffic rule with a parent traffic rule:
· The parent traffic rule is first matched. After the parent traffic rule is matched, the child traffic rule is matched. If the parent traffic rule is not matched, the child traffic rule is ignored and the matching process fails.
· If both parent and child traffic rules are matched, the traffic profile for the child traffic rule is executed before the traffic profile for the parent traffic rule is executed. If both parent and child traffic rules are about the same parameter, the smaller value for an upper-limit parameter or the larger value for a lower-limit parameter is applied. If only the parent traffic rule is matched, the traffic profile for the parent traffic rule is applied.
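The matching steps and the parent/child match order described above, modelled as an added example (not vendor code or device output). Rule, profile, user and application names and all values are constructed. Two things are assumptions of this model: child rules are evaluated in order under their parent, and the top-level rule's action decides between block, no rate limiting and rate limiting.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Criterion pairs where meeting either member is enough (step 2 of the process).
EITHER_OR = (("user", "user_group"), ("app", "app_group"))

@dataclass
class Profile:
    name: str
    maximum: Optional[int] = None      # kbps, upper-limit parameter
    guaranteed: Optional[int] = None   # kbps, lower-limit parameter

@dataclass
class Rule:
    name: str
    criteria: dict                     # criterion -> set of match values
    action: str = "none"               # "deny", "none" or "qos"
    profile: Optional[Profile] = None
    children: list = field(default_factory=list)

def criterion_met(rule, criterion, packet):
    """A criterion is met if the packet matches any one of its match values."""
    if criterion not in packet:
        return False
    value = packet[criterion]
    if criterion in ("src_ip", "dst_ip"):
        return any(ip_address(value) in ip_network(v) for v in rule.criteria[criterion])
    return value in rule.criteria[criterion]

def rule_matches(rule, packet):
    """All criteria must be met; user/user-group and app/app-group count once each."""
    pending = set(rule.criteria)
    for pair in EITHER_OR:
        configured = [c for c in pair if c in rule.criteria]
        if configured and not any(criterion_met(rule, c, packet) for c in configured):
            return False
        pending -= set(configured)
    return all(criterion_met(rule, c, packet) for c in pending)

def match_chain(rule, packet):
    """Parent first; children are consulted only after the parent has matched."""
    if not rule_matches(rule, packet):
        return []
    for child in rule.children:
        chain = match_chain(child, packet)
        if chain:
            return [rule] + chain
    return [rule]

def classify(policy, packet):
    for rule in policy:                          # the first matching rule wins
        chain = match_chain(rule, packet)
        if not chain:
            continue
        if rule.action == "deny":
            return {"verdict": "block", "rule": rule.name}
        if rule.action == "none":
            return {"verdict": "no-rate-limit", "rule": rule.name}
        profiles = [r.profile for r in reversed(chain) if r.profile]  # child before parent
        maxima = [p.maximum for p in profiles if p.maximum is not None]
        floors = [p.guaranteed for p in profiles if p.guaranteed is not None]
        return {"verdict": "rate-limit", "rule": chain[-1].name,
                "profiles": [p.name for p in profiles],
                "maximum": min(maxima) if maxima else None,       # smaller upper limit
                "guaranteed": max(floors) if floors else None}    # larger lower limit
    return {"verdict": "unmanaged", "rule": None}  # forwarded without bandwidth management

# Constructed policy: names, addresses and bandwidth values are illustrative only.
POLICY = [
    Rule("block-p2p", {"src_zone": {"Trust"}, "app": {"BitTorrent"}}, action="deny"),
    Rule("dept", {"src_ip": {"10.1.0.0/16"}, "user": {"alice"}, "user_group": {"finance"}},
         action="qos", profile=Profile("dept", maximum=50000, guaranteed=10000),
         children=[Rule("dept-video", {"app": {"iQiYiPPS"}, "app_group": {"video"}},
                        action="qos",
                        profile=Profile("dept-video", maximum=20000, guaranteed=5000))]),
    Rule("voice", {"dscp": {46}}, action="none"),
]

if __name__ == "__main__":
    base = {"src_zone": "Trust", "src_ip": "10.1.2.3", "user": "bob", "user_group": "finance"}
    for app in ("BitTorrent", "iQiYiPPS", "FTP"):
        print(app, classify(POLICY, {**base, "app": app}))
    # Parent criterion fails, so the child rule is ignored although its application matches.
    print(classify(POLICY, {**base, "src_ip": "192.168.5.5", "app": "iQiYiPPS"}))
```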
Rule matching acceleration
This feature accelerates traffic rule matching when there is a large number of rules in the traffic policy. Insufficient memory can cause rule matching acceleration failures. Unaccelerated rules do not take effect, and rules that have been accelerated are not affected.
Traffic profile
A traffic profile defines bandwidth resources that can be used by a traffic type. The interface bandwidth can be allocated among multiple traffic profiles for granular bandwidth resource management and control.
You can configure the following bandwidth limit parameters and priority parameters in a traffic profile:
Rate limit mode for a traffic profile
You can limit the traffic rate in one of the following ways:
· Limit the upstream bandwidth and downstream bandwidth separately.
· Limit the upstream bandwidth and downstream bandwidth as a whole.
Total bandwidth limits
· Total guaranteed bandwidth—Guarantees the total minimum bandwidth for key services when congestion occurs.
· Total maximum bandwidth—Controls the total maximum bandwidth for non-key services to prevent them consuming a large amount of bandwidth.
Per-IP or per-user bandwidth limits
· Per-IP or per-user guaranteed bandwidth—Guarantees the minimum bandwidth per IP address or per user to provide for bandwidth management at finer granularity.
· Per-IP or per-user maximum bandwidth—Controls the maximum bandwidth allowed per IP address or per user to provide for bandwidth management at finer granularity.
Per-rule, per-IP, or per-user connection limits
· Per-rule, per-IP, or per-user connection limits—You can set the connection count limit and connection rate limit to prevent the following situations:
¡ The system resources on the device are exhausted because internal users initiate a large number of connections to external networks in a short time period.
¡ An internal server cannot process normal connection requests because it receives a large number of connection requests in a short time period.
Priority parameters
· Traffic priority—Network devices can classify traffic by using DSCP values. When an interface is congested with packets of multiple traffic profiles, packets with higher priority are sent first. Packets with the same priority have the same chance of being forwarded.
· DSCP marking—Re-sets the DSCP value in packets. Network devices can classify traffic by using DSCP values and provide different treatment for packets according to the modified DSCP values.
Restrictions and guidelines: Bandwidth management configuration
When you configure bandwidth management, follow these restrictions and guidelines:
· As a best practice, observe the depth-first principle when creating policies. Always create a policy with a smaller management scope before a policy with a larger management scope.
· An interface with small default expected bandwidth might experience traffic loss if the following conditions exist:
¡ There is a large amount of traffic on the interface.
¡ The interface uses the default expected bandwidth.
To avoid traffic loss, explicitly set the expected bandwidth to a large value for such an interface. For example, you can set the expected bandwidth of a tunnel interface to a value greater than 64 kbps (the default) if there is a large amount of traffic on the interface.
· Bandwidth management is performed on a per-card basis. On a device installed with multiple security service cards, you must consider the number of security service cards when configuring bandwidth parameters in a traffic profile. For example, if the device is installed with three security service cards and you want to limit the uplink maximum bandwidth to 30000 kbps, you must configure the uplink maximum bandwidth to 10000 kbps.
Prerequisites for bandwidth management
Before configuring bandwidth management, complete the following tasks:
· Configure time ranges (see time range configuration in ACL and QoS Configuration Guide).
· Configure IP address object groups and service object groups (see object group configuration in Security Configuration Guide).
· Configure applications (see APR configuration in Security Configuration Guide).
· Configure users and user groups (see user identification configuration in Security Configuration Guide).
· Configure security zones (see security zone configuration in Security Configuration Guide).
Bandwidth management tasks at a glance
To configure bandwidth management, perform the following tasks:
1. Configuring a traffic profile
¡ Configuring bandwidth limits for the traffic profile
¡ (Optional.) Configuring bandwidth detection for the traffic profile
¡ Setting the reference mode for the traffic profile
¡ (Optional.) Renaming the traffic profile
2. Configuring a traffic rule
¡ Configuring match criteria for the traffic rule
¡ Specifying an action for the traffic rule
¡ (Optional.) Specifying a time range for the traffic rule
3. (Optional.) Managing and maintaining a traffic rule
4. (Optional.) Activating rule matching acceleration
5. (Optional.) Enabling bandwidth management for all IPv6 Layer 4 traffic
6. (Optional.) Enabling after-NAT source or destination matching
7. (Optional.) Enabling hardware bandwidth management
8. (Optional.) Enabling bandwidth management statistics collection
Configuring a traffic profile
Creating a traffic profile
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Create a traffic profile and enter traffic profile view.
profile name profile-name
Configuring bandwidth limits for the traffic profile
About this task
A traffic profile defines the bandwidth resources that can be used for bandwidth management and takes effect after it is specified for a traffic rule.
Restrictions and guidelines
· Any two of the following settings are mutually exclusive:
¡ Per-IP maximum bandwidth.
¡ Per-user maximum bandwidth.
¡ Dynamic and even allocation for maximum bandwidth.
The most recent configuration takes effect.
· The per-IP guaranteed bandwidth setting and per-user guaranteed bandwidth setting are mutually exclusive.
· The per-user bandwidth setting takes effect only if you specify a user or user group as a match criterion in the traffic rule.
· The per-IP bandwidth setting takes effect only if you specify an IP address or IP address object group as a match criterion in the traffic rule.
¡ If you specify a source IP address or source IP address object group as a match criterion, the device limits traffic based on source IP addresses.
¡ If you specify a destination IP address or destination IP address object group as a match criterion, the device limits traffic based on destination IP addresses.
¡ If you specify both source and destination IP addresses/destination IP address object groups as match criteria, the device limits traffic based on source IP addresses.
Procedure
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Enter traffic profile view.
profile name profile-name
4. Configure bandwidth settings.
¡ Set the total guaranteed bandwidth or maximum bandwidth for the traffic profile.
bandwidth { downstream | total | upstream } { guaranteed | maximum } bandwidth-value
By default, the total guaranteed bandwidth and maximum bandwidth are not set.
The maximum bandwidth must be greater than or equal to the guaranteed bandwidth.
Before you can enable dynamic and even allocation for maximum bandwidth, you must set the total maximum bandwidth.
¡ Set the per-IP or per-user guaranteed bandwidth or maximum bandwidth for the traffic profile.
bandwidth { downstream | total | upstream } { guaranteed | maximum } { per-ip | per-user } bandwidth-value
By default, the per-IP or per-user guaranteed bandwidth and maximum bandwidth are not set.
¡ Set the TCP MSS for the traffic profile.
tcp mss mss-value
By default, the TCP MSS is not set.
5. Set the per-IP monthly traffic quota.
bandwidth total traffic-quota per-ip monthly quota-value
By default, the amount of traffic used by an IP address per month is not limited.
6. Enable dynamic and even allocation for maximum bandwidth.
bandwidth average enable
By default, dynamic and even allocation for maximum bandwidth is disabled.
7. Configure connection limit settings.
¡ Set the connection count limit for the traffic profile.
connection-limit count { per-rule | per-ip | per-user } connection-number
By default, the connection count limit is not set.
¡ Set the connection rate limit for the traffic profile.
connection-limit rate { per-rule | per-ip | per-user } connection-rate
By default, the connection rate limit is not set.
8. Configure priority settings.
¡ Set the traffic priority for packets of the traffic profile.
traffic-priority priority-value
By default, the traffic priority for packets of a traffic profile is 1.
¡ Mark the DSCP value for packets of the traffic profile.
remark dscp dscp-value
By default, the DSCP value for packets of a traffic profile is not marked.
Configuring bandwidth detection for the traffic profile
About this task
This feature monitors the traffic rates based on IP addresses in real time to identify the maximum rate and minimum rate of each IP address. If the traffic rate of an IP address exceeds or falls below a user-configured bandwidth threshold, the device sends logs to the log host by using the fast log output feature.
You can configure static bandwidth thresholds or configure the dynamic bandwidth threshold learning feature.
· Static bandwidth threshold—Allows you to configure a minimum threshold and a maximum threshold.
· Dynamic threshold learning—Allows the device to obtain minimum and maximum bandwidth thresholds by dynamically learning traffic rates. This feature is useful if you do not know the traffic patterns in a network and cannot determine appropriate bandwidth thresholds. With this feature enabled, the device measures the traffic rates over a user-configured duration and calculates an average rate. Then, the device obtains the minimum and maximum bandwidth thresholds by using the average rate multiplied by the minimum and maximum tolerance values.
If you configure both static bandwidth thresholds and the dynamic bandwidth threshold learning feature for the traffic profile, the following rules apply:
· Before the device learns the average traffic rate, it uses the static bandwidth thresholds.
· After the device learns the average traffic rate, it uses the dynamic bandwidth thresholds.
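How the static and learned thresholds interact, as an added example that models the description above (not vendor code). The per-IP average, tolerance values expressed as percentages, one sample per interval and all sample rates are assumptions or constructed values.

```python
from collections import defaultdict

class PerIpDetector:
    """Per-IP bandwidth threshold detection with optional dynamic threshold learning."""

    def __init__(self, static_min=None, static_max=None,
                 learn_samples=None, tol_min=None, tol_max=None):
        self.static_min, self.static_max = static_min, static_max
        self.learn_samples = learn_samples             # learning duration, in samples
        self.tol_min, self.tol_max = tol_min, tol_max  # assumed to be percentages
        self.learning = defaultdict(list)              # ip -> rates seen while learning
        self.learned = {}                              # ip -> (min, max) once learned

    def thresholds(self, ip):
        """Static thresholds apply until the average rate for this IP is learned."""
        if ip in self.learned:
            return (*self.learned[ip], "dynamic")
        return (self.static_min, self.static_max, "static")

    def observe(self, ip, rate_kbps):
        """Return a log event if the rate crosses the active threshold, else None."""
        lo, hi, source = self.thresholds(ip)
        event = None
        if hi is not None and rate_kbps > hi:
            event = {"ip": ip, "rate": rate_kbps, "event": "above-max",
                     "threshold": hi, "source": source}
        elif lo is not None and rate_kbps < lo:
            event = {"ip": ip, "rate": rate_kbps, "event": "below-min",
                     "threshold": lo, "source": source}
        if self.learn_samples and ip not in self.learned:
            samples = self.learning[ip]
            samples.append(rate_kbps)
            if len(samples) >= self.learn_samples:
                avg = sum(samples) / len(samples)
                lo_new = avg * self.tol_min / 100 if self.tol_min is not None else self.static_min
                hi_new = avg * self.tol_max / 100 if self.tol_max is not None else self.static_max
                self.learned[ip] = (lo_new, hi_new)
        return event

def detect(samples, **settings):
    """Feed (ip, rate_kbps) samples through a detector and collect the log events."""
    detector = PerIpDetector(**settings)
    events = []
    for ip, rate in samples:
        event = detector.observe(ip, rate)
        if event:
            events.append(event)
    return events

# Constructed samples: 10.0.0.5 averages 1000 kbps over its four learning samples.
SAMPLES = [
    ("10.0.0.5", 1000), ("10.0.0.9", 6000), ("10.0.0.5", 1200), ("10.0.0.5", 800),
    ("10.0.0.5", 1000),                      # learning for 10.0.0.5 completes here
    ("10.0.0.5", 1400), ("10.0.0.5", 1600), ("10.0.0.5", 400),
]
SETTINGS = dict(static_min=100, static_max=5000, learn_samples=4, tol_min=50, tol_max=150)

if __name__ == "__main__":
    for e in detect(SAMPLES, **SETTINGS):
        print(e)
```

A burst that falls inside the learning window raises the learned average and therefore both dynamic thresholds, which is one reason to let learning cover at least a full day of representative traffic.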
Restrictions and guidelines
The per-IP bandwidth detection feature takes effect only if you specify an IP address or IP address object group as a match criterion in the traffic rule.
· If you specify a source IP address or source IP address object group as a match criterion, the device monitors the traffic rates based on source IP addresses.
· If you specify a destination IP address or destination IP address object group as a match criterion, the device monitors the traffic rates based on destination IP addresses.
· If you specify both source and destination IP addresses/destination IP address object groups as match criteria, the device monitors the traffic rates based on source IP addresses.
Procedure
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Enter traffic profile view.
profile name profile-name
4. Enable per-IP bandwidth threshold detection.
per-ip bandwidth-threshold-detect enable
By default, per-IP bandwidth threshold detection is disabled.
5. Configure per-IP static bandwidth thresholds.
¡ Set the maximum bandwidth threshold.
per-ip bandwidth-threshold max-value max-value
By default, the maximum bandwidth threshold is not set.
¡ Set the minimum bandwidth threshold.
per-ip bandwidth-threshold min-value min-value
By default, the minimum bandwidth threshold is not set.
6. Configure per-IP dynamic bandwidth threshold learning.
a. Enable per-IP dynamic bandwidth threshold learning.
per-ip bandwidth-threshold-learn enable
By default, per-IP dynamic bandwidth threshold learning is disabled.
b. Set the duration for per-IP dynamic bandwidth threshold learning.
per-ip bandwidth-threshold-learn duration duration-value
By default, the duration for per-IP dynamic bandwidth threshold learning is 1440 minutes (24 hours).
As a best practice, set the learning duration to be longer than 1440 minutes for the device to learn traffic for no less than a whole day.
c. Set the maximum tolerance value.
per-ip bandwidth-threshold-learn tolerance max-value max-value
By default, the maximum tolerance value is not set.
d. Set the minimum tolerance value.
per-ip bandwidth-threshold-learn tolerance min-value min-value
By default, the minimum tolerance value is not set.
Setting the reference mode for the traffic profile
About this task
A traffic profile can be referenced by multiple traffic rules in one of the following ways:
· per-rule—Each rule that uses the profile can reach the bandwidth limits and connection limits specified in the profile.
· rule-shared—All rules that use the profile share the bandwidth limits and connection limits specified in the profile.
Procedure
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Enter traffic profile view.
profile name profile-name
4. Set the reference mode for the traffic profile.
profile reference-mode { per-rule | rule-shared }
The default setting is per-rule.
Renaming the traffic profile
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Rename a traffic profile.
profile rename old-name new-name
Configuring a traffic rule
Creating a traffic rule
About this task
For a new traffic rule to inherit the match criteria of an existing traffic rule, specify the existing traffic rule as the parent of the new traffic rule. You can specify traffic profiles for both parent and child traffic rules.
Restrictions and guidelines
A level-4 rule cannot act as a parent rule.
You can specify a parent traffic rule only when creating a traffic rule. You cannot add or modify a parent traffic rule for an existing traffic rule.
Procedure
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Create a traffic rule and enter traffic rule view.
rule [ rule-id ] name rule-name [ parent parent-rule-name ]
You can specify a traffic rule as the parent traffic rule for multiple child traffic rules.
Configuring match criteria for the traffic rule
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Enter traffic rule view.
Choose one option as needed:
¡ rule rule-id
¡ rule [ rule-id ] name rule-name [ parent parent-rule-name ]
4. Configure a security zone as a match criterion.
¡ Configure a destination security zone as a match criterion.
destination-zone destination-zone-name
¡ Configure a source security zone as a match criterion.
source-zone source-zone-name
By default, no security zone is used as a match criterion.
5. Configure an IP address or IP address range as a match criterion.
¡ Configure a destination IP address or IP address range as a match criterion.
destination-ip { ipv4 { host ip-address | range ip-address1 ip-address2 | subnet ip-address { mask-length | mask } } | ipv6 { host ipv6-address | range ipv6-address1 ipv6-address2 | subnet { ipv6-address prefix-length | ipv6-address/prefix-length } } }
¡ Configure a source IP address or IP address range as a match criterion.
source-ip { ipv4 { host ip-address | range ip-address1 ip-address2 | subnet ip-address { mask-length | mask } } | ipv6 { host ipv6-address | range ipv6-address1 ipv6-address2 | subnet { ipv6-address prefix-length | ipv6-address/prefix-length } } }
By default, no IP address or IP address range is used as a match criterion.
6. Configure an IP address object group as a match criterion.
¡ Configure a destination IP address object group as a match criterion.
destination-address address-set object-group-name
¡ Configure a source IP address object group as a match criterion.
source-address address-set object-group-name
By default, no IP address object group is used as a match criterion.
7. Configure a service object group as a match criterion.
service object-group-name
By default, no service object group is used as a match criterion.
8. Configure an application or application group as a match criterion.
application { app application-name | app-group application-group-name }
By default, no application or application group is used as a match criterion.
9. Configure a user or user group as a match criterion.
¡ Configure a user as a match criterion.
user user-name [ domain domain-name ]
¡ Configure a user group as a match criterion.
user-group user-group-name [ domain domain-name ]
By default, no user or user group is used as a match criterion.
10. Configure a DSCP priority as a match criterion.
dscp dscp-value
By default, no DSCP priority is used as a match criterion.
11. Configure an IPv6 packet attribute as a match criterion.
¡ Configure the flow label attribute as a match criterion.
ipv6 flow-label { nonzero | zero }
By default, the flow label attribute is not used as a match criterion.
¡ Configure the extension header attribute as a match criterion.
ipv6 extension-header { authentication | destination | encapsulating | fragment | hop-by-hop | routing }
By default, the extension header attribute is not used as a match criterion.
12. Configure a terminal or terminal group as a match criterion.
¡ Configure a terminal as a match criterion.
terminal terminal-name
By default, no terminal is used as a match criterion.
¡ Configure a terminal group as a match criterion.
terminal-group group-name
By default, no terminal group is used as a match criterion.
13. Configure a VPN instance as a match criterion.
vrf vrf-name
By default, a traffic policy takes effect on packets in the public network and all VPN instances.
Specifying an action for the traffic rule
About this task
If a packet matches a traffic rule, the device performs the action specified in the traffic rule on the packet.
Restrictions and guidelines
When you specify traffic profiles for parent and child traffic rules, make sure the following conditions are met:
· The maximum bandwidth for a child traffic rule must be smaller than or equal to that for the parent traffic rule.
· The guaranteed bandwidth for a child traffic rule must be smaller than or equal to that for the parent traffic rule.
· The traffic profiles cannot be the same for the child and parent traffic rules.
Procedure
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Enter traffic rule view.
Choose one option as needed:
¡ rule rule-id
¡ rule [ rule-id ] name rule-name [ parent parent-rule-name ]
4. Specify an action for the traffic rule.
action { deny | none | qos profile profile-name }
The default action is none, which allows matching packets to pass through without bandwidth management.
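A pre-deployment check for the restrictions stated in this guide, followed by generation of the corresponding commands, as an added example (not vendor tooling). It covers maximum not below guaranteed, child limits not above the parent's, distinct profiles for parent and child, and per-card division of bandwidth values. Profile, rule, zone and application names are constructed, and rounding the per-card value down is an assumption.

```python
def per_card(total_kbps, cards):
    """Per-card value so that `cards` security service cards together enforce total_kbps."""
    if cards < 1:
        raise ValueError("at least one security service card is required")
    return total_kbps // cards          # rounding down is this example's choice

def profile_errors(profile, parent=None):
    """Check a profile against the guide's restrictions; return a list of problems."""
    errs = []
    name, mx, gt = profile["name"], profile.get("maximum"), profile.get("guaranteed")
    if mx is not None and gt is not None and mx < gt:
        errs.append(f"{name}: maximum {mx} is smaller than guaranteed {gt}")
    if parent is not None:
        if parent["name"] == name:
            errs.append(f"{name}: parent and child rules use the same profile")
        for key in ("maximum", "guaranteed"):
            child_v, parent_v = profile.get(key), parent.get(key)
            if child_v is not None and parent_v is not None and child_v > parent_v:
                errs.append(f"{name}: {key} {child_v} exceeds parent's {parent_v}")
    return errs

def profile_cli(profile, cards, direction="upstream"):
    """Commands that create the profile with per-card bandwidth values (kbps)."""
    lines = [f"profile name {profile['name']}"]
    for key in ("guaranteed", "maximum"):
        if profile.get(key) is not None:
            lines.append(f"bandwidth {direction} {key} {per_card(profile[key], cards)}")
    return lines + ["quit"]             # back to traffic policy view

def rule_cli(name, profile_name, criteria, parent=None):
    """Commands that create a rule, add its match criteria and reference a profile."""
    head = f"rule name {name}" + (f" parent {parent}" if parent else "")
    return [head, *criteria, f"action qos profile {profile_name}", "quit"]

def build_config(parent, child, cards):
    """Validate both profiles, then return the full command list."""
    errs = profile_errors(parent) + profile_errors(child, parent)
    if errs:
        raise ValueError("; ".join(errs))
    return ["system-view", "traffic-policy",
            *profile_cli(parent, cards), *profile_cli(child, cards),
            *rule_cli("egress-all", parent["name"], ["source-zone Trust"]),
            *rule_cli("egress-video", child["name"], ["application app iQiYiPPS"],
                      parent="egress-all")]

# Constructed device-wide targets in kbps; with three cards each card gets a third.
PARENT = {"name": "egress", "maximum": 30000, "guaranteed": 9000}
CHILD = {"name": "video", "maximum": 15000, "guaranteed": 3000}

if __name__ == "__main__":
    print("\n".join(build_config(PARENT, CHILD, cards=3)))
```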
Specifying a time range for the traffic rule
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Enter traffic rule view.
Choose one option as needed:
¡ rule rule-id
¡ rule [ rule-id ] name rule-name [ parent parent-rule-name ]
4. Specify a time range during which the traffic rule is in effect.
time-range time-range-name
By default, a traffic rule is in effect at any time.
Managing and maintaining a traffic rule
Copying a traffic rule
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Copy a traffic rule.
rule copy rule-name new-rule-name
Renaming a traffic rule
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Rename a traffic rule.
rule rename old-rule-name new-rule-name
Moving a traffic rule
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Move a traffic rule to a new position.
rule move rule-name1 { after | before } rule-name2
Disabling a traffic rule
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Enter traffic rule view.
Choose one option as needed:
¡ rule rule-id
¡ rule [ rule-id ] name rule-name [ parent parent-rule-name ]
4. Disable the traffic rule.
disable
By default, a traffic rule is enabled.
Activating rule matching acceleration
About this task
Rule matching acceleration does not take effect on newly added, modified, and moved rules unless the feature is activated for the rules. By default, the system automatically activates rule matching acceleration for such rules at specific intervals. The interval is 2 seconds if 100 or fewer rules exist and 20 seconds if over 100 rules exist.
To activate rule matching acceleration immediately after a rule change, you can perform this task.
Restrictions and guidelines
If no rule change is detected, the system does not perform an activation operation.
Insufficient memory can cause rule matching acceleration failures. Unaccelerated rules do not take effect, and rules that have been accelerated are not affected.
Procedure
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Activate rule matching acceleration.
accelerate activate
Enabling bandwidth management for all IPv6 Layer 4 traffic
About this task
By default, bandwidth management is performed on traffic flows of TCP, UDP, ICMP, and ICMPv6. This feature enables the device to perform bandwidth management on traffic flows of all IPv6 Layer 4 traffic in addition to the supported IPv4 Layer 4 traffic.
Procedure
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Enable bandwidth management for all IPv6 Layer 4 traffic.
all-traffic-control enable
By default, this feature is disabled.
Enabling after-NAT source or destination matching
About this task
If source or destination NAT will be performed on a flow to be managed, perform this task to match the flow with the IP address, port number, and VPN instance after NAT. For more information about NAT, see Layer 3—IP Services Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Enable after-NAT source matching.
source-matching after-nat
By default, the packet information before NAT is used for matching.
4. Enable after-NAT destination matching.
destination-matching after-nat
By default, the packet information before NAT is used for matching.
Enabling hardware bandwidth management
About this task
Perform this task in scenarios where high forwarding performance is required and bandwidth management is used only to limit traffic rates.
By default, hardware bandwidth management is disabled and the device performs bandwidth management through software fast forwarding. Software fast forwarding requires CPU processing. When the load on the CPU is heavy, the packet processing speed will be lowered.
With this feature enabled, the device performs bandwidth management through hardware fast forwarding, which is faster in packet processing than software fast forwarding.
After this feature is enabled, the device can only limit the upstream traffic rate, downstream traffic rate, and total traffic rate. Other bandwidth management functions do not take effect.
Restrictions and guidelines
This feature takes effect only after hardware fast forwarding is enabled on the device. For more information about hardware fast forwarding, see fast forwarding in Layer 3—IP Services Configuration Guide.
This feature cannot be used together with other Layer 4 and higher-layer services.
If you enable this feature before all service cards installed on the device can work correctly, you will be prompted that the device does not support the feature. In this case, enable this feature after all service cards can work correctly.
With this feature enabled, only the first layer of traffic policy and its child traffic policy in multiple-layer parent and child traffic policies take effect.
The display traffic-policy statistics rule-hit command displays only statistics for software forwarded traffic, not for hardware forwarded traffic.
Procedure
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Enable hardware bandwidth management.
hardware rate-limit enable
By default, this feature is disabled.
Enabling bandwidth management statistics collection
About this task
This feature can collect the following statistics:
· Traffic statistics, which can be displayed by using the display traffic-policy statistics bandwidth command.
· Connection limit statistics, which can be displayed by using the display traffic-policy statistics connection-limit command.
· Rule-hit statistics, which can be displayed by using the display traffic-policy statistics rule-hit command.
Restrictions and guidelines
This feature affects device performance. As a best practice, enable this feature only if you need to view statistics.
Procedure
1. Enter system view.
system-view
2. Enter traffic policy view.
traffic-policy
3. Enable bandwidth management statistics collection.
¡ Enable traffic statistics collection.
statistics bandwidth enable
By default, traffic statistics collection is disabled.
¡ Enable connection limit statistics collection.
statistics connection-limit enable
By default, connection limit statistics collection is disabled.
¡ Enable rule-hit statistics collection.
statistics rule-hit enable
By default, rule-hit statistics collection is disabled.
Display and maintenance commands for bandwidth management
Execute display commands in any view and reset commands in user view.
| Task | Command |
|---|---|
| Display traffic statistics for traffic rules. | display traffic-policy statistics bandwidth { downstream \| total \| upstream } { per-ip { ipv4 [ ipv4-address ] \| ipv6 [ ipv6-address ] } rule rule-name \| per-rule [ name rule-name ] \| per-user [ user user-name ] rule rule-name } [ slot slot-number [ cpu cpu-number ] ] |
| Display connection limit statistics. | display traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] \| ipv6 [ ipv6-address ] } rule rule-name \| per-rule [ name rule-name ] \| per-user [ user user-name ] rule rule-name } [ slot slot-number [ cpu cpu-number ] ] |
| Display rule-hit statistics. | display traffic-policy statistics rule-hit [ [ beyond beyond-number ] \| [ rule rule-name ] ] [ slot slot-number [ cpu cpu-number ] ] |
| Display the support of the device for hardware bandwidth management. | display traffic-policy hardware-rate-limit support |
| Clear traffic statistics for traffic rules. | reset traffic-policy statistics bandwidth { downstream \| total \| upstream } { per-ip { ipv4 [ ipv4-address ] \| ipv6 [ ipv6-address ] } rule rule-name \| per-rule [ name rule-name ] \| per-user [ user user-name ] rule rule-name } [ slot slot-number [ cpu cpu-number ] ] |
| Clear connection limit statistics. | reset traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] \| ipv6 [ ipv6-address ] } rule rule-name \| per-rule [ name rule-name ] \| per-user [ user user-name ] rule rule-name } [ slot slot-number [ cpu cpu-number ] ] |
| Clear rule-hit statistics. | reset traffic-policy statistics rule-hit [ rule rule-name ] [ slot slot-number [ cpu cpu-number ] ] |
Bandwidth management configuration examples
Example: Configuring a single traffic profile
Network configuration
As shown in Figure 2, configure bandwidth management on the device to meet the following requirements:
· The maximum bandwidth is limited to 30720 kbps for both upstream and downstream iQiYiPPS application traffic of the host in the intranet.
· The guaranteed bandwidth is 30720 kbps for both upstream and downstream FTP traffic of the host.
· The bandwidth of the interface to the Internet is limited to 102400 kbps.
Table 1 Interface label and interface name mappings
| Interface label | Interface name |
|---|---|
| Interface1 | Ten-GigabitEthernet2/3/1 |
| Interface2 | Ten-GigabitEthernet2/3/2 |
Procedure
1. Assign IP addresses to interfaces:
# Assign an IP address to interface Ten-GigabitEthernet 2/3/1.
<Sysname> system-view
[Sysname] sysname Device
[Device] interface ten-gigabitethernet 2/3/1
[Device-Ten-GigabitEthernet2/3/1] ip address 10.1.1.1 255.255.255.0
[Device-Ten-GigabitEthernet2/3/1] quit
[Device] interface ten-gigabitethernet 2/3/2
[Device-Ten-GigabitEthernet2/3/2] ip address 20.1.1.1 255.255.255.0
[Device-Ten-GigabitEthernet2/3/2] quit
2. Configure settings for routing.
This example configures static routes, and the next hop in the routes is 202.38.1.3.
[Device] ip route-static 3.1.1.2 24 20.1.1.2
3. Configure traffic profiles:
# Create a traffic profile named aiqiyi, and enter traffic profile view.
[Device] traffic-policy
[Device-traffic-policy] profile name aiqiyi
# Set the maximum bandwidth to 30720 kbps for both upstream and downstream traffic.
[Device-traffic-policy-profile-aiqiyi] bandwidth upstream maximum 30720
[Device-traffic-policy-profile-aiqiyi] bandwidth downstream maximum 30720
[Device-traffic-policy-profile-aiqiyi] quit
# Create a traffic profile named profileftp, and enter traffic profile view.
[Device-traffic-policy] profile name profileftp
# Set the guaranteed bandwidth to 30720 kbps for both upstream and downstream traffic.
[Device-traffic-policy-profile-profileftp] bandwidth upstream guaranteed 30720
[Device-traffic-policy-profile-profileftp] bandwidth downstream guaranteed 30720
[Device-traffic-policy-profile-profileftp] quit
[Device-traffic-policy] quit
4. Set the expected bandwidth to 102400 kbps for interface Ten-GigabitEthernet 2/3/2.
[Device] interface ten-gigabitethernet 2/3/2
[Device-Ten-GigabitEthernet2/3/2] bandwidth 102400
[Device-Ten-GigabitEthernet2/3/2] quit
5. Update the APR signature library to the latest version.
6. Configure traffic rules:
# Enter traffic policy view.
[Device] traffic-policy
# Create a traffic rule named aiqiyi, and enter traffic rule view.
[Device-traffic-policy] rule name aiqiyi
# Configure the predefined application iQiYiPPS as a match criterion.
[Device-traffic-policy-rule-1-aiqiyi] application app iQiYiPPS
# Specify traffic profile aiqiyi for traffic rule aiqiyi.
[Device-traffic-policy-rule-1-aiqiyi] action qos profile aiqiyi
[Device-traffic-policy-rule-1-aiqiyi] quit
# Create a traffic rule named ruleftp, and enter traffic rule view.
[Device-traffic-policy] rule name ruleftp
# Configure the predefined application FTP as a match criterion.
[Device-traffic-policy-rule-2-ruleftp] application app ftp
# Specify traffic profile profileftp for traffic rule ruleftp.
[Device-traffic-policy-rule-2-ruleftp] action qos profile profileftp
[Device-traffic-policy-rule-2-ruleftp] quit
[Device-traffic-policy] quit
Verifying the configuration
# Verify that the iQiYiPPS application traffic rate cannot exceed 30720 kbps and the FTP traffic rate can reach a minimum of 30720 kbps when the total traffic rate on Ten-GigabitEthernet 2/3/2 reaches 102400 kbps. (Details not shown.)
Configuration files
#
 sysname Device
#
interface Ten-GigabitEthernet2/3/1
 ip address 10.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet2/3/2
 ip address 20.1.1.1 255.255.255.0
 bandwidth 102400
#
 ip route-static 3.1.1.0 24 20.1.1.2
#
traffic-policy
 rule 1 name aiqiyi
  action qos profile aiqiyi
  application app iQiYiPPS
 rule 2 name ruleftp
  action qos profile profileftp
  application app ftp
 profile name aiqiyi
  bandwidth downstream maximum 30720
  bandwidth upstream maximum 30720
 profile name profileftp
  bandwidth downstream guaranteed 30720
  bandwidth upstream guaranteed 30720
#
Example: Configuring parent/child traffic profiles
Network configuration
As shown in Figure 3, configure bandwidth management on the device to meet the following requirements:
· The maximum bandwidth is limited to 30720 kbps for both upstream and downstream iQiYiPPS application traffic of the host in the intranet.
· The guaranteed bandwidth is 30720 kbps for both upstream and downstream FTP traffic of the host.
· The total traffic rate of the host is limited to 40960 kbps.
Table 2 Interface label and interface name mappings
| Interface label | Interface name |
|---|---|
| Interface1 | Ten-GigabitEthernet2/3/1 |
| Interface2 | Ten-GigabitEthernet2/3/2 |
Procedure
1. Assign IP addresses to interfaces:
# Assign an IP address to interface Ten-GigabitEthernet 2/3/1.
<Sysname> system-view
[Sysname] sysname Device
[Device] interface ten-gigabitethernet 2/3/1
[Device-Ten-GigabitEthernet2/3/1] ip address 10.1.1.1 255.255.255.0
[Device-Ten-GigabitEthernet2/3/1] quit
[Device] interface ten-gigabitethernet 2/3/2
[Device-Ten-GigabitEthernet2/3/2] ip address 20.1.1.1 255.255.255.0
[Device-Ten-GigabitEthernet2/3/2] quit
2. Configure settings for routing.
This example configures static routes, and the next hop in the routes is 202.38.1.3.
[Device] ip route-static 3.1.1.2 24 20.1.1.2
3. Configure traffic profiles:
# Create a traffic profile named profile, and enter traffic profile view.
[Device] traffic-policy
[Device-traffic-policy] profile name profile
# Set the maximum bandwidth to 40960 kbps for both upstream and downstream traffic.
[Device-traffic-policy-profile-profile] bandwidth upstream maximum 40960
[Device-traffic-policy-profile-profile] bandwidth downstream maximum 40960
[Device-traffic-policy-profile-profile] quit
# Create a traffic profile named aiqiyi, and enter traffic profile view.
[Device-traffic-policy] profile name aiqiyi
# Set the maximum bandwidth to 30720 kbps for both upstream and downstream traffic.
[Device-traffic-policy-profile-aiqiyi] bandwidth upstream maximum 30720
[Device-traffic-policy-profile-aiqiyi] bandwidth downstream maximum 30720
[Device-traffic-policy-profile-aiqiyi] quit
# Create a traffic profile named profileftp, and enter traffic profile view.
[Device-traffic-policy] profile name profileftp
# Set the guaranteed bandwidth to 30720 kbps for both upstream and downstream traffic.
[Device-traffic-policy-profile-profileftp] bandwidth upstream guaranteed 30720
[Device-traffic-policy-profile-profileftp] bandwidth downstream guaranteed 30720
[Device-traffic-policy-profile-profileftp] quit
4. Update the APR signature library to the latest version.
5. Configure traffic rules:
# Create a traffic rule named rule, and enter traffic rule view.
[Device-traffic-policy] rule name rule
# Specify traffic profile profile for traffic rule rule.
[Device-traffic-policy-rule-1-rule] action qos profile profile
[Device-traffic-policy-rule-1-rule] quit
# Create a traffic rule named aiqiyi, enter traffic rule view, and specify traffic rule rule as its parent rule.
[Device-traffic-policy] rule name aiqiyi parent rule
# Configure the predefined application iQiYiPPS as a match criterion.
[Device-traffic-policy-rule-2-aiqiyi] application app iQiYiPPS
# Specify traffic profile aiqiyi for traffic rule aiqiyi.
[Device-traffic-policy-rule-2-aiqiyi] action qos profile aiqiyi
[Device-traffic-policy-rule-2-aiqiyi] quit
# Create a traffic rule named ruleftp, enter traffic rule view, and specify traffic rule rule as its parent rule.
[Device-traffic-policy] rule name ruleftp parent rule
# Configure the predefined application FTP as a match criterion.
[Device-traffic-policy-rule-3-ruleftp] application app ftp
# Specify traffic profile profileftp for traffic rule ruleftp.
[Device-traffic-policy-rule-3-ruleftp] action qos profile profileftp
[Device-traffic-policy-rule-3-ruleftp] quit
[Device-traffic-policy] quit
Verifying the configuration
# Verify that the total traffic rate of the host is limited to 40960 kbps, and that the iQiYiPPS application traffic rate is limited to 30720 kbps. When congestion occurs, FTP traffic is not affected. (Details not shown.)
Configuration files
#
 sysname Device
#
interface Ten-GigabitEthernet2/3/1
 ip address 10.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet2/3/2
 ip address 20.1.1.1 255.255.255.0
#
 ip route-static 3.1.1.0 24 20.1.1.2
#
traffic-policy
 rule 1 name rule
  action qos profile profile
 rule 2 name aiqiyi parent rule
  action qos profile aiqiyi
  application app iQiYiPPS
 rule 3 name ruleftp parent rule
  action qos profile profileftp
  application app ftp
 profile name aiqiyi
  bandwidth downstream maximum 30720
  bandwidth upstream maximum 30720
 profile name profile
  bandwidth downstream maximum 40960
  bandwidth upstream maximum 40960
 profile name profileftp
  bandwidth downstream guaranteed 30720
  bandwidth upstream guaranteed 30720
#
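An added example, not part of the original guide or the vendor's tooling: an offline audit of a saved traffic-policy configuration, applied to the parent/child example above. It flags rules nested below the second layer when hardware rate-limit enable is present (this guide states that such rules do not take effect) and, as a sanity check assumed here rather than a rule stated on this page, child profile values above the parent profile's maximum. The rule named deep and the assumption that hardware rate-limit enable is saved in the configuration exactly as typed are constructed for illustration.

```python
import re

# Constructed sample: this page's parent/child rules plus a third-layer rule 4.
SAMPLE = """\
 hardware rate-limit enable
 rule 1 name rule
  action qos profile profile
 rule 2 name aiqiyi parent rule
  action qos profile aiqiyi
 rule 3 name ruleftp parent rule
  action qos profile profileftp
 rule 4 name deep parent aiqiyi
  action qos profile aiqiyi
 profile name aiqiyi
  bandwidth downstream maximum 30720
  bandwidth upstream maximum 30720
 profile name profile
  bandwidth downstream maximum 40960
  bandwidth upstream maximum 40960
 profile name profileftp
  bandwidth downstream guaranteed 30720
  bandwidth upstream guaranteed 30720
"""

def parse(text):
    rules, profiles, cur = {}, {}, {}  # cur: the rule or profile being filled in
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"rule \d+ name (\S+)(?: parent (\S+))?", line):
            cur = rules[m[1]] = {"parent": m[2]}
        elif m := re.fullmatch(r"profile name (\S+)", line):
            cur = profiles[m[1]] = {}
        elif m := re.fullmatch(r"action qos profile (\S+)", line):
            cur["profile"] = m[1]
        elif m := re.fullmatch(r"bandwidth (\w+) (maximum|guaranteed) (\d+)", line):
            cur[m[1], m[2]] = int(m[3])  # keyed by (direction, kind), in kbps
    return rules, profiles

def audit(text):
    rules, profiles = parse(text)
    hw = "hardware rate-limit enable" in text  # assumed to be saved as typed
    for name, r in rules.items():
        parent = rules.get(r["parent"], {})
        if hw and parent.get("parent"):  # the parent is itself a child rule
            yield f"{name}: below the second layer, no effect with hardware rate limiting"
        caps = profiles.get(parent.get("profile"), {})
        for (direction, kind), kbps in profiles.get(r.get("profile"), {}).items():
            if kbps > caps.get((direction, "maximum"), kbps):
                yield f"{name}: {direction} {kind} {kbps} kbps exceeds parent maximum"
```

Calling list(audit(SAMPLE)) returns one finding, for the constructed rule deep; the page's own three rules pass both checks.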



