What's in this Guide
How to Enable Traffic Shaping
How to Enable Traffic Shaping per Bridge
Customise/Review Traffic Shaping Policies
Shaping by AD Username
Shaping by AD Group
Shaping/Blocking Traffic from the Probe itself
Setting DiffServ Tag (DSCP Tagging)
Enable Traffic Shaping
For each Probe you would like to run Traffic Shaping on, configure the following:
Under Settings > Probes > Edit the probe (pencil icon)
- Configure the 'Local Subnets'. These are the subnets which appear on the LAN side of the Sinefa hardware. Usually they have the same network ID as the IP address of the Probe.
- Check the 'Shaping' tab up top
- Configure the 'inbound' and 'outbound' bandwidth for the link that you will be shaping.
Enable Traffic Shaping per Bridge
If you have a probe with multiple bridges set up inline, you can set different bandwidth values per bridge. To do this, configure the following:
- Under Settings > Probes > Edit the probe (pencil icon)
- Select the 'Shaping' tab up top
- Select 'Advanced'
- Under the desired bridge, select the 'Enabled' option next to 'Shaping'
- Set 'Mesh Mode' to the desired setting (see Mesh Mode Definitions below for what each mode does)
- Set your Bandwidth In and Out values in kbps to the desired amount (e.g. if you have an 8 Mbps inbound and 8 Mbps outbound link connected to br1, you would set the values to 8,000 in and 8,000 out)
- Repeat the above for any additional bridge if required then select 'Apply'
Mesh Mode Definitions
| Mesh Mode | Definition |
|---|---|
| Full | This probe will apply policies separately to traffic to and from subnets of EVERY OTHER probe under your account set to Full OR Branch mode. |
| Branch | This probe will apply policies separately to traffic to and from subnets of ONLY probes under your account set to Full mode. |
| None | This probe will NOT apply policies separately to traffic to and from subnets of other probes under your account. |
Review Traffic Shaping Policies
You can use the default policy set. Optionally you can change the Traffic Shaping policies to suit your environment under Settings > Shaping > Policies
When setting up these policies, factor in the high-priority applications/definitions that need a policy to ensure they have dedicated bandwidth. A VPN is one example: you first need to know what type of VPN has been set up (e.g. PPTP, L2TP, IPSEC, SSL or a VPN client like Citrix) so that you can define it, along with the subnet it is allocated (e.g. 10.171.10.0/24).
To get a better idea of in what order these rules take effect and the bandwidth allocations applied, scroll down to the Bandwidth Priority/Bandwidth Allocation section in this article.
Each Field Explained
Say we have a Traffic Shaping setup as below:
Policy 1: Shape SSH, Allocated BW 30%, Maximum BW 50%, Priority 1
Policy 2: Shape HTTP, Allocated BW 60%, Maximum BW 100%, Priority 4
Policy 3: Shape SMTP, Allocated BW 10%, Maximum BW 100%, Priority 7
If all applications want to use 100% of the available link bandwidth, then each application will get its Allocated BW.
- Allocated BW - SSH (30%), HTTP (60%), SMTP (10%)
- Burst BW - none available
- Total BW - SSH (30%), HTTP (60%), SMTP (10%)
If the only application on the network is SSH and it wants to use 100% of the bandwidth it will be given 50% of the bandwidth because that is its 'Maximum BW'. If SMTP then appears on the network and wants to also use 100% of the bandwidth, then each application will be given its Allocated Bandwidth first, then SSH will be given first priority to any remaining bandwidth, then SMTP will be given any remaining bandwidth.
- Allocated BW - SSH (30%), SMTP (10%)
- Burst BW - SSH (+20%), SMTP (+40% = 100-30-10-20)
- Total BW - SSH (50%), SMTP (50%)
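The scenarios above can be reproduced with a small model of the rule they describe: Allocated BW is granted first, then spare bandwidth is offered in priority order up to each policy's Maximum BW. This is an added Python example, not Sinefa's code; the `Policy` class, the `share_link` function and the per-application demand input are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    allocated: int  # Allocated BW, % of link
    maximum: int    # Maximum BW, % of link
    priority: int   # lower number is served first when bursting

# The three policies from the example above.
POLICIES = [
    Policy("SSH", 30, 50, 1),
    Policy("HTTP", 60, 100, 4),
    Policy("SMTP", 10, 100, 7),
]

def share_link(policies, demand):
    """Split a 100% link between the applications present in `demand`.

    `demand` maps application name to the % of the link it wants
    (a hypothetical input; the page only uses 'wants 100%').
    """
    if sum(p.allocated for p in policies) > 100:
        raise ValueError("Allocated BW adds up to more than the link")
    active = [p for p in policies if demand.get(p.name, 0) > 0]
    # Step 1: every active application receives its Allocated BW.
    base = {p.name: min(p.allocated, demand[p.name]) for p in active}
    spare = 100 - sum(base.values())
    # Step 2: spare bandwidth is offered in priority order, capped by Maximum BW.
    burst = {}
    for p in sorted(active, key=lambda p: p.priority):
        ceiling = min(p.maximum, demand[p.name])
        burst[p.name] = max(0, min(spare, ceiling - base[p.name]))
        spare -= burst[p.name]
    return {n: {"allocated": base[n], "burst": burst[n],
                "total": base[n] + burst[n]} for n in base}

if __name__ == "__main__":
    for wanted in ({"SSH": 100, "HTTP": 100, "SMTP": 100},
                   {"SSH": 100},
                   {"SSH": 100, "SMTP": 100}):
        print(sorted(wanted), share_link(POLICIES, wanted))
```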
Shaping by AD Username
Sinefa traffic shaping can be configured to shape by username within a policy. Use the prefix "user:" to shape by username.
See example below on how one could shape a user called 'john_smith'
Shaping by AD Group
Sinefa traffic shaping can be configured to shape by AD Group within a policy. Use the prefix "user-group:" to shape by AD group.
See example below on how one could shape a group called 'SinefaInternal'
You can apply a shaping policy to locations that don't have a Sinefa Probe deployed. Locations are defined by:
- Bandwidth Inbound
- Bandwidth Outbound
This is under Settings > Shaping > Locations
In this example we have 3 branch offices with different subnets. We want to define these locations so that any policy configured under Policies is applied against the bandwidth value set for each location's subnet.
Ignore rules are evaluated first, then block rules. When traffic shaping policies are applied, the most specific definitions are evaluated first. The order in which definitions are evaluated against the traffic is:
| Rule | Definition |
|---|---|
| Ignore | Traffic Shaping rules do not get applied to this application/definition |
| Block | Once applied, End users will be unable to use what's defined (i.e. Facebook, Youtube, etc.) |
| Shape | IP address/host or most specific subnet address (e.g. 192.168.0.124/32) |
| Shape | Least specific subnet address (e.g. 192.168.0.0/16) |
| Shape | Application (e.g. Facebook) |
| Shape | Application Group (e.g. "All Software Updates") |
| Catch All | (i.e. All Other Traffic) |
IPv6 addresses/subnets can be added to the policies in the same way as IPv4, either as a single address or as a subnet (but not as a range).
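The evaluation order in the table above has a practical consequence when auditing a policy set: an Ignore rule that matches a flow wins over a Block rule, and a Block rule wins over any Shape rule, however specific its subnet. The following added Python example (not Sinefa's code) models that order; the `Rule`, `Flow` and `first_match` names and the rule set are constructed for illustration, and applying the same specificity order inside Ignore and Block is an assumption.

```python
import ipaddress
from dataclasses import dataclass

ACTION_ORDER = {"ignore": 0, "block": 1, "shape": 2}
KIND_ORDER = {"subnet": 0, "application": 1, "application-group": 2, "catch-all": 3}

@dataclass(frozen=True)
class Rule:
    action: str      # ignore | block | shape
    kind: str        # subnet | application | application-group | catch-all
    value: str = ""

@dataclass(frozen=True)
class Flow:
    host: str        # IPv4 or IPv6 address of the local host
    application: str
    groups: tuple = ()

def _matches(rule, flow):
    if rule.kind == "subnet":
        net = ipaddress.ip_network(rule.value)
        addr = ipaddress.ip_address(flow.host)
        return addr.version == net.version and addr in net
    if rule.kind == "application":
        return rule.value == flow.application
    if rule.kind == "application-group":
        return rule.value in flow.groups
    return rule.kind == "catch-all"

def _order(rule):
    # Longer prefix = more specific subnet, so it sorts earlier.
    prefix = ipaddress.ip_network(rule.value).prefixlen if rule.kind == "subnet" else 0
    return (ACTION_ORDER[rule.action], KIND_ORDER[rule.kind], -prefix)

def first_match(rules, flow):
    """Return the rule that decides this flow, or None if nothing matches."""
    return next((r for r in sorted(rules, key=_order) if _matches(r, flow)), None)

# Constructed rule set using the definitions named in the table above.
RULES = [
    Rule("shape", "catch-all"),
    Rule("shape", "subnet", "192.168.0.0/16"),
    Rule("shape", "application", "Facebook"),
    Rule("shape", "subnet", "192.168.0.124/32"),
    Rule("shape", "subnet", "2001:db8::/32"),
    Rule("block", "application", "Youtube"),
    Rule("ignore", "application-group", "All Software Updates"),
]
```

Running `first_match(RULES, Flow("192.168.5.9", "Youtube"))` returns the Block rule even though the host also falls inside the shaped 192.168.0.0/16 subnet.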
Shaping / Blocking traffic from the Probe itself
The Probe can block traffic going through it once the block policy has been applied. Traffic from the Probe itself will not be shaped or blocked, unless the Sinefa Probe is using a management port and traffic is coming back through the bridge port.