What's in this Guide
How to Enable Traffic Shaping
Customise/Review Traffic Shaping Policies
Shaping by AD Username
Shaping by AD Group
Shaping/Blocking Traffic from the Probe itself
Setting DiffServ Tag (DSCP Tagging)
Enable Shaping under Probe settings
For each Probe you would like to run Traffic Shaping on, configure the following:
Under Settings > Probes > Edit the probe (pencil icon)
- Configure the 'Local Subnets'. These are the subnets which appear on the LAN side of the Sinefa hardware. Usually they would be the same network id as the IP Address of the Probe (as you can see from the image below)
- Check the 'Shaping' checkbox
- Configure the 'inbound' and 'outbound' bandwidth for the link that you will be shaping.
Review Traffic Shaping Policies
You can use the default policy set. Optionally you can change the Traffic Shaping policies to suit your environment under Settings > Shaping > Policies
When setting up these policies, factor in the high-priority applications/definitions that need a policy to ensure they have dedicated bandwidth. A VPN is one example: you first need to know what type of VPN has been set up (e.g. PPTP, L2TP, IPSEC, SSL or a VPN client like Citrix) so that you can define it, along with the subnet it is allocated (e.g. 10.171.20.0/24).
To see the order in which these rules take effect and the bandwidth allocations applied, scroll down to the Bandwidth Priority/Bandwidth Allocation section in this article.
Each Field Explained
Say we have a Traffic Shaping setup as below:
Policy 1: Shape SSH, Allocated BW 30%, Maximum BW 50%, Priority 1
Policy 2: Shape HTTP, Allocated BW 60%, Maximum BW 100%, Priority 4
Policy 3: Shape SMTP, Allocated BW 10%, Maximum BW 100%, Priority 7
If all applications want to use 100% of the available link bandwidth, then each application will get its Allocated BW.
- Allocated BW - SSH (30%), HTTP (60%), SMTP (10%)
- Burst BW - none available
- Total BW - SSH (30%), HTTP (60%), SMTP (10%)
If the only application on the network is SSH and it wants to use 100% of the bandwidth it will be given 50% of the bandwidth because that is its 'Maximum BW'. If SMTP then appears on the network and wants to also use 100% of the bandwidth, then each application will be given its Allocated Bandwidth first, then SSH will be given first priority to any remaining bandwidth, then SMTP will be given any remaining bandwidth.
- Allocated BW - SSH (30%), SMTP (10%)
- Burst BW - SSH (+20%), SMTP (+40% = 100-30-10-20)
- Total BW - SSH (50%), SMTP (50%)
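The allocation behaviour described above can be modelled in a few lines. This is an added example, not Sinefa's code: `Policy`, `POLICIES` and `share_link` are hypothetical names, and it assumes that Allocated BW values sum to at most 100% and that an application asking for less than its Allocated BW leaves the unused part available to others.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    allocated: float  # Allocated BW, % of link
    maximum: float    # Maximum BW, % of link
    priority: int     # 1 = highest priority

# The three policies from the example above.
POLICIES = [
    Policy("SSH", 30, 50, 1),
    Policy("HTTP", 60, 100, 4),
    Policy("SMTP", 10, 100, 7),
]

def share_link(policies, demand):
    """Return {name: (allocated, burst, total)} in % of link bandwidth.

    demand maps application name -> % of the link it is trying to use;
    applications missing from demand are idle.
    """
    # Pass 1: every active application gets its Allocated BW (or less if it
    # asks for less; assumption: the unused part returns to the pool).
    base = {}
    for p in policies:
        want = min(demand.get(p.name, 0), p.maximum)
        if want > 0:
            base[p.name] = min(want, p.allocated)
    remaining = 100 - sum(base.values())
    # Pass 2: hand out what is left as burst, highest priority first,
    # never exceeding an application's Maximum BW or its demand.
    result = {}
    for p in sorted(policies, key=lambda p: p.priority):
        if p.name not in base:
            continue
        want = min(demand[p.name], p.maximum)
        burst = max(0, min(remaining, want - base[p.name]))
        remaining -= burst
        result[p.name] = (base[p.name], burst, base[p.name] + burst)
    return result

if __name__ == "__main__":
    for active in (["SSH", "HTTP", "SMTP"], ["SSH"], ["SSH", "SMTP"]):
        print(active, share_link(POLICIES, {a: 100 for a in active}))
```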
Shaping by AD username
Sinefa traffic shaping can be configured to shape by username within a policy. Use the prefix "user:" to shape by username.
See example below on how one could shape a user called 'john_smith'
Shaping by AD Group
Sinefa traffic shaping can be configured to shape by AD Group within a policy. Use the prefix "user-group:" to shape by AD group.
See example below on how one could shape a group called 'SinefaInternal'
You can apply a shaping policy to locations that don't have a Sinefa Probe deployed. Locations are defined by:
- Bandwidth Inbound
- Bandwidth Outbound
This is under Settings > Shaping > Locations
Ignore rules are evaluated first, then block rules. When traffic shaping policies are applied, the most specific definitions are evaluated first. The order in which definitions are evaluated against the traffic is:
|Ignore||Traffic Shaping rules do not get applied to this application/definition|
|Block||Once applied, end users will be unable to use what's defined (e.g. Facebook, YouTube, etc.)|
|Shape||IP address/host or most specific subnet address (e.g. 192.168.0.124/32)|
|Shape||Least specific subnet address (e.g. 192.168.0.0/16)|
|Shape||Application (e.g. Facebook)|
|Shape||Application Group (e.g. "All Software Updates")|
|Catch All||(i.e. All Other Traffic)|
IPv6 addresses/subnets can be added to the policies in the same way as IPv4, either as a single address or as a subnet (but not as a range).
Shaping / Blocking traffic from the Probe itself
The Probe can block traffic going through it once the block policy has been applied. Traffic from the Probe itself will not be shaped or blocked, unless the Sinefa Probe is using a management port and traffic is coming back through the bridge port.