What's in this Guide
How to Enable Traffic Shaping
Advanced Shaping
Customise/Review Traffic Shaping Policies
Shaping by AD Username
Shaping by AD Group
Time based (scheduled) shaping
Location Definitions
Definition Ordering
Shaping/Blocking Traffic from the Probe itself
Setting DiffServ Tag (DSCP Tagging)
Enable Traffic Shaping
For each Probe you would like to run Traffic Shaping on, configure the following:
Under Settings > Probes > Edit the probe (pencil icon)
- Configure the 'Local Subnets'. These are the subnets which appear on the LAN side of the Sinefa hardware. Usually they would be the same network id as the IP Address of the Probe (as you can see from the image below)
- Check the 'Shaping' tab up top
- Configure the 'inbound' and 'outbound' bandwidth for the link that you will be shaping
This is known as basic shaping. Much of the complexity of enterprise shaping is automated and some assumptions are made. When basic shaping is enabled, this is what happens:
- Only the 'Default' policy is used (any other policies are ignored)
- The policy is applied to ALL bridges (on probes with multiple bridges)
- The 'in' and 'out' bandwidth settings are applied independently to all bridges (e.g. each bridge is configured with the same bandwidth and policy settings and is independent of any other bridge on the probe)
- The policy is applied proportionally to every other local subnet for each probe (or location) where shaping is enabled
- The policy is applied to all other traffic that does not match traffic to or from any other probe or location
Basic shaping works well in many cases, however, for greater control and flexibility you can switch to advanced shaping.
Advanced Shaping
Advanced shaping allows you to configure fine-grained shaping behavior for each bridge on the probe.
To do this, follow these steps:
- Under Settings > Probes > Edit the probe (pencil icon)
- Select the 'Shaping' tab up top
- Select 'Switch to Advanced Mode'
From there, you can select 'Add Bridge' to configure shaping on a probe's bridge or edit one of the existing bridges.
Field | Definition |
Bridge | This probe will apply policies separately to traffic to and from subnets of EVERY OTHER probe under your account set to Full OR Branch mode. |
VLAN | Specify one or more VLAN tags to match. You can create more than one shaping definition for each bridge by applying different shaping definitions to different VLANs. If you leave this blank, all traffic on the bridge will be matched. |
Subnets | Optionally specify subnets. Shaping will be applied to these subnets only. Leave blank to apply shaping to all traffic on this bridge. |
Label | Labels are used when you have multiple WANs. For example, you may have some sites connected via VPN and other sites connected via MPLS. Labels allow you to tag locations and bridges so that they are treated like their own isolated networks and shaping rules are not set up for traffic flowing between them. Think of each label as an isolated WAN network. |
Schedule | Apply a time-based schedule to this bridge. This bridge's shaping will only be enabled while this schedule is active. |
Shaping | Enable shaping on this bridge. Shaping policies won't be applied to this bridge until this is enabled. |
Internet / Policy | Enable shaping on Internet traffic. This will apply the selected policy to all Internet traffic, that is, all traffic that does not match any of the WAN policies. |
WAN Mesh Mode / Policy | Set 'Mesh Mode' to the desired setting (see the following for definitions on each Mesh Mode). Set the policy to be applied to all WAN traffic. |
Bandwidth In/Out | Set your Bandwidth In and Out values in kbps to the desired amount (e.g. if you have an 8Mbps inbound and 8Mbps outbound connected to br1, you would set the values to 8,000 in and 8,000 out). |
WAN Mesh Mode Definitions
Setting | Definition |
Full | This probe will apply policies separately to traffic to and from subnets of EVERY OTHER probe under your account set to Full OR Branch mode. |
Branch | This probe will apply policies separately to traffic to and from subnets of ONLY probes under your account set to Full mode. |
None | This probe will NOT apply policies separately to traffic to and from subnets of other probes under your account. |
Review Traffic Shaping Policies
You can use the default policy set. Optionally, you can change the Traffic Shaping policies to suit your environment under Settings > Shaping > Policies.
When setting up these policies, factor in the high-priority applications/definitions that need a policy to ensure they have dedicated bandwidth. A VPN is one example: you first need to know what type of VPN has been set up (i.e. PPTP, L2TP, IPSEC, SSL or a VPN client like Citrix) so that you can define it, as well as the subnet it is allocated (i.e. 10.171.10.0/24).
To get a better idea of the order in which these rules take effect and the bandwidth allocations applied, scroll down to the Bandwidth Priority/Bandwidth Allocation section in this article.
Each Field Explained
Examples
Say we have a Traffic Shaping setup as below:
Policy 1: Shape SSH, Allocated BW 30%, Maximum BW 50%, Priority 1
Policy 2: Shape HTTP, Allocated BW 60%, Maximum BW 100%, Priority 4
Policy 3: Shape SMTP, Allocated BW 10%, Maximum BW 100%, Priority 7
If all applications want to use 100% of the available link bandwidth, then each application will get its Allocated BW.
- Allocated BW - SSH (30%), HTTP (60%), SMTP (10%)
- Burst BW - none available
- Total BW - SSH (30%), HTTP (60%), SMTP (10%)
If the only application on the network is SSH and it wants to use 100% of the bandwidth it will be given 50% of the bandwidth because that is its 'Maximum BW'. If SMTP then appears on the network and wants to also use 100% of the bandwidth, then each application will be given its Allocated Bandwidth first, then SSH will be given first priority to any remaining bandwidth, then SMTP will be given any remaining bandwidth.
- Allocated BW - SSH (30%), SMTP (10%)
- Burst BW - SSH (+20%), SMTP (+40% = 100-30-10-20)
- Total BW - SSH (50%), SMTP (50%)
Shaping by AD username
Sinefa traffic shaping can be configured to shape by username within a policy. Use the prefix "user:" to shape by username.
See example below on how one could shape a user called 'john_smith'
Shaping by AD Group
Sinefa traffic shaping can be configured to shape by AD Group within a policy. Use the prefix "user-group:" to shape by AD group.
See example below on how one could shape a group called 'SinefaInternal'
Time-based (scheduled) traffic shaping
You can enable/disable a shaping policy rule based on the time of day or day of the week. You can also enable/disable an entire advanced shaping bridge based on the time of day or day of the week.
These schedules can be configured under Settings > Shaping > Schedules. The example below shows both a Business Hours schedule (8am - 6pm Monday to Friday) and an After Hours schedule (Midnight - 8am Monday to Friday, 6pm to Midnight Monday to Friday and all day Saturday and Sunday).
If a schedule is applied to a rule (under policies) or a bridge (under advanced shaping) that rule or bridge is only active when the schedule is active. At all other times, the rule or bridge is disabled and the traffic would fall through to another rule or bridge.
Time is always based on the local timezone of the probe. The How to setup the timezone on a probe article explains how to configure this.
Locations
You can apply a shaping policy to locations that don't have a Sinefa Probe deployed. Locations are defined by:
- Name
- Subnet
- Bandwidth Inbound
- Bandwidth Outbound
This is under Settings > Shaping > Locations.
In this example we have 3 branch offices with different subnets. We want to define these locations so that any policy configured under Policies is applied against the bandwidth value set for each location's subnet.
Definition ordering
Ignore rules are evaluated first, then block rules. When traffic shaping policies are applied, the most specific definitions are evaluated first. The order in which definitions are evaluated against the traffic is:
Action | Definition |
Ignore | Traffic Shaping rules do not get applied to this application/definition |
Block | Once applied, end users will be unable to use what's defined (i.e. Facebook, Youtube, etc.) |
Shape | IP address/host or most specific subnet address (e.g. 192.168.0.124/32) |
Shape | Least specific subnet address (e.g. 192.168.0.0/16) |
Shape | Application (e.g. Facebook) |
Shape | Application Group (e.g. "All Software Updates") |
Catch All | (i.e. All Other Traffic) |
IPv6 addresses/subnets can be added to the policies in the same way as IPv4, either as a single address or as a subnet (but not as a range).
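The evaluation order in the table above, as an added example (not Sinefa's code), useful for checking which rule a flow will hit before deploying a block or ignore rule. The rule tuples, the flow dictionary and matching on the host's IP are assumptions made for illustration, as is ranking ignore and block rules among themselves by the same specificity order as shape rules.

```python
import ipaddress

# Constructed sample rules: (action, kind, value); kind is "subnet", "app" or "group".
RULES = [
    ("shape", "group", "All Software Updates"),
    ("shape", "subnet", "192.168.0.0/16"),
    ("shape", "app", "Facebook"),
    ("shape", "subnet", "192.168.0.124/32"),
    ("block", "app", "Youtube"),
    ("ignore", "subnet", "2001:db8::/32"),
]

ACTION_RANK = {"ignore": 0, "block": 1, "shape": 2}   # ignore, then block, then shape
KIND_RANK = {"subnet": 0, "app": 1, "group": 2}       # subnet, application, application group
CATCH_ALL = ("catch-all", "any", "All Other Traffic")

def sort_key(rule):
    action, kind, value = rule
    # A longer prefix is more specific, so negate it to sort it first.
    prefix = -ipaddress.ip_network(value).prefixlen if kind == "subnet" else 0
    return (ACTION_RANK[action], KIND_RANK[kind], prefix)

def matches(rule, flow):
    _, kind, value = rule
    if kind == "subnet":
        net = ipaddress.ip_network(value)
        addr = ipaddress.ip_address(flow["ip"])
        # An IPv4 host never matches an IPv6 subnet and vice versa.
        return addr.version == net.version and addr in net
    return flow.get(kind) == value

def first_match(rules, flow):
    """Return the first rule hit in evaluation order, or the catch-all."""
    for rule in sorted(rules, key=sort_key):
        if matches(rule, flow):
            return rule
    return CATCH_ALL

if __name__ == "__main__":
    for flow in ({"ip": "192.168.0.124", "app": "Facebook"},
                 {"ip": "192.168.5.9", "app": "Youtube"},
                 {"ip": "2001:db8::1", "app": "Facebook"}):
        print(flow, "->", first_match(RULES, flow))
```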
Shaping / Blocking traffic from the Probe itself
The Probe can block traffic going through it once the block policy has been applied. Traffic from the Probe itself will not be shaped or blocked, unless the Sinefa Probe is using a management port and traffic is coming back through the bridge port.
See Also
Sinefa Best Practise Guide
Error Applying Shaping Config