Articles in this section

See more

How to Setup Traffic Shaping

Avatar
Sinefa | Level 1 Support Team
Updated
Follow

What's in this Guide

How to Enable Traffic Shaping
Customise/Review Traffic Shaping Policies
Shaping by AD Username
Shaping by AD Group
Location Definitions
Definition Ordering
Shaping/Blocking Traffic from the Probe itself
Setting DiffServ Tag (DSCP Tagging)

 

Enable Shaping under Probe settings

For each Probe you would like to run Traffic Shaping on, configure the following:

Under Settings > Probes > Edit the probe (pencil icon)

  1. Configure the 'Local Subnets'. These are the subnets which appear on the LAN side of the Sinefa hardware. Usually they would be the same network id as the IP Address of the Probe (as you can see from the image below)
  2. Check the 'Shaping' checkbox
  3. Configure the 'inbound' and 'outbound' bandwidth for the link that you will be shaping.

 

 

Review Traffic Shaping Policies 

You can use the default policy set. Optionally you can change the Traffic Shaping policies to suit your environment under Settings > Shaping > Policies

When setting up these policies, you will need to factor in your high priority applications/definitions that will require a policy put in place to ensure they have dedicated bandwidth. An example of this would be a VPN, firstly you would need to know what type of VPN has been set-up (i.e. PPTP, L2TP, IPSEC, SSL or a VPN client like Citrix) to then be able to define this as well as the subnet it is allocated (i.e. 10.171.20.0/24).

To get a better idea of in what order these rules take effect and the bandwidth allocations applied, scroll down to the Bandwidth Priority/Bandwidth Allocation section in this article.

Each Field Explained

Field Definition
Definitions This is where you add in what you want to shape by i.e. Application, Application tag, Host, Subnet, User, etc. When you add in each definition side by side, an OR operator takes effect and your shaping rule will take effect if it matches at least 1 of the definitions specified
+ AND This is where you can use an AND operator rather than the OR operator between each definition, this is to ensure that the shaping policy matches all definitions specified before taking effect
Action This is where you can define what you would like to be completed once the definition conditions have been met, it can either be set to Shape, Block or Ignore. See below for definition ordering
DSCP Tagging

DSCP tagging is ideal for MPLS network or environments where DSCP tags are maintained and honoured in the Service Provider's (SP) network. With this feature, customers can compliment existing policies arranged by the SP by offering far more granular policies and filtering.  When using DSCP tagging in a network that honours DSCP priorities ensure that the priorities are clearly understood and line up with the Sinefa policies to avoid any performance conflicts. 

By default (-) the DSCP field is not changed/tagged. 
Allocated Bandwidth This is for shaping only, this allocates minimum bandwidth to the definition you are setting up. This bandwidth is NOT reserved for this application meaning other applications may use it if the application is not using it. However as soon as the application is detected it will be allocated (at least) its Allocated Bandwidth.
Maximum Bandwidth This is the maximum amount of bandwidth that the policy can be allocated
Priority This is for the probe to determine what definition takes priority by assigning it a rating ranging from 1 (high priority) to 8 (lowest priority) The policies with the highest priority get access to the available bandwidth first.

Examples
Say we have a Traffic Shaping setup as below:
Policy 1: Shape SSH, Allocated BW 30%, Maximum BW 50%, Priority 1
Policy 2: Shape HTTP, Allocated BW 60%, Maximum BW 100%, Priority 4
Policy 3: Shape SMTP, Allocated BW 10%, Maximum BW 100%, Priority 7

If all applications want to use 100% of the available link bandwidth, then each application will get its Allocated BW.

  • Allocated BW - SSH (30%), HTTP (60%), SMTP (10%) 
  • Burst BW - none available
  • Total BW - SSH (30%), HTTP (60%), SMTP (10%) 

If the only application on the network is SSH and it wants to use 100% of the bandwidth it will be given 50% of the bandwidth because that is its 'Maximum BW'. If SMTP then appears on the network and wants to also use 100% of the bandwidth, then each application will be given its Allocated Bandwidth first, then SSH will be given first priority to any remaining bandwidth, then SMTP will be given any remaining bandwidth.

  • Allocated BW - SSH (30%), SMTP (10%) 
  • Burst BW - SSh (+20%), SMTP (+40% = 100-30-10-20)
  • Total BW - SSH (50%), SMTP (50%)

 

Shaping by AD username

Sinefa traffic shaping can be configured to shape by username within a policy. Use the prefix "user:" to shape by username.
See example below on how one could shape a user called 'john_smith' 

 

 

Shaping by AD Group

Sinefa traffic shaping can be configured to shape by AD Group within a policy. Use the prefix "user-group:" to shape by AD group


See example below on how one could shape a group called 'SinefaInternal'

 


Locations 

You can apply a shaping policy to locations that don't have a Sinefa Probe deployed. Locations are defined by:

  • Name
  • Subnet
  • Bandwidth Inbound
  • Bandwidth Outbound

This is under Settings > Shaping > Locations 

 


Definition ordering 

Ignore rules are evaluated first, then block rules. When traffic shaping policies are applied, the most specific definitions are evaluated first. The order in which definitions are evaluated against the traffic is:

Action Definition
Ignore Traffic Shaping rules do not get applied to this application/definition
Block  Once applied, End users will be unable to use what's defined (i.e. Facebook, Youtube, etc.)
Shape  IP address/host or most specific subnet address (e.g. 192.168.0.124/32)
Shape  Least specific subnet address (e.g. 192.168.0.0/16)
Shape  Application (e.g. Facebook)
Shape  Application Group (e.g. "All Software Updates")
Catch All  (i.e. All Other Traffic)

IPv6 addresses/subnets can be added to the policies in the same way as IPv4, either as a single address or as a subnet (but not as a range). 

 


Shaping / Blocking traffic from the Probe itself

The Probe can block traffic going through it once the block policy has been applied. Traffic from the Probe itself will not be shaped or blocked, unless the Sinefa Probe is using a management port and traffic is coming back through the bridge port. 

 

 

See Also
Sinefa Best Practise Guide
Error Applying Shaping Config 

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk