NS5GT ScreenOS 5.0 Traffic Shaping



  • How does traffic shaping and priority work on these things? Is the traffic shaping policy setup per direction?

    For example:

    All Untrust -> Trust policies only affect each other; All Trust -> Untrust policies only affect each other?

    Essentially, I want to try and limit some of the bandwidth I use for incoming services when I have outgoing services that require it, such as TCP Acknowledgements.

    Is there a way?


  • Global Moderator

    Just configure a small amount with GB on the incoming, low prio. Give the outbound no GB and a large max. This will reduce inbound when outbound is there to serve.



  • Incoming and Outgoing bandwidth is on an asymmetrical connection.


  • Global Moderator

    Ok, I would do it like this:

    Configure your line speed + 5% as bandwidth on the untrust interface (the 5% helps you to buffer also upstream; if you don’t want this just configure linespeed).

    Configure your outbound traffic in a policy, give it Max bandwidth 90 or 95 % of available bandwidth (linespeed). Give this high prio.

    Configure inbound FTP with 5 or 10 % and low prio.

    I think this does what you want.

    BTW what about inbound mail? If any also 5% low prio.

    Configu



  • @sfouant:

    @michel1966:

    Everything you configure is bi-directional. I think this makes it hard to configure what you want.

    Traffic shaping is not bi-directional.  Many of the traffic-shaping parameters are set within policy, which by its very definition implies a uni-directional nature.  Even some of the options which are not set at the policy level such as ‘Guaranteed Bandwidth’ and ‘Maximum Bandwidth’ are based on both policy and total egress physical interface bandwidth available.

    There is a lot of useful information in the ‘Traffic Shaping’ chapter in the ScreenOS Concepts & Examples Guide, Volume 2:Fundamentals.

    Hey sfouant:

    I’m reading those docs now on traffic shaping and it has me slightly confused.

    What I’m trying to do is give any and all priority for things like any and all web communications to have higher priority than an incoming service.

    This way I can maintain say, an FTP server while giving web users inside higher priority to traffic than the FTP server.

    Since the FTP is in passive mode, all data connections are inbound.

    All web traffic is outbound.

    I’d like to give all outbound web traffic higher priority than the inbound FTP connections. (This includes things like acknowledgement packets to the web servers).


  • Global Moderator

    H’mm, when you configure bandwidth settings on a policy it’s really the same for both flows of the session. In that sense it is bi-directional. What you define for downstream you get on upstream.  Of course you can put BW on an inbound policy but then outbound return packets get the same settings. That’s what I meant with bi-directional.

    Greetz!



  • @michel1966:

    Everything you configure is bi-directional. I think this makes it hard to configure what you want.

    Traffic shaping is not bi-directional.  Many of the traffic-shaping parameters are set within policy, which by its very definition implies a uni-directional nature.  Even some of the options which are not set at the policy level such as ‘Guaranteed Bandwidth’ and ‘Maximum Bandwidth’ are based on both policy and total egress physical interface bandwidth available.

    There is a lot of useful information in the ‘Traffic Shaping’ chapter in the ScreenOS Concepts & Examples Guide, Volume 2:Fundamentals.


  • Global Moderator

    Everything you configure is bi-directional. I think this makes it hard to configure what you want.


 
