Articles in this section

How to Setup Traffic Shaping

Avatar
Sinefa Support Team
Updated
Follow

What's in this Guide

How to Enable Traffic Shaping
Advanced Shaping
Customise/Review Traffic Shaping Policies
Shaping by AD Username
Shaping by AD Group
Time based (scheduled) shaping
Location Definitions
Definition Ordering
Shaping/Blocking Traffic from the Probe itself
Setting DiffServ Tag (DSCP Tagging)

 

Enable Traffic Shaping

For each Probe you would like to run Traffic Shaping on, configure the following:

Under Settings > Probes > Edit the probe (pencil icon)

  1. Configure the 'Local Subnets'. These are the subnets which appear on the LAN side of the Sinefa hardware. Usually they would be the same network id as the IP Address of the Probe (as you can see from the image below)
  2. Check the 'Shaping' tab up top
  3. Configure the 'inbound' and 'outbound' bandwidth for the link that you will be shaping

This is known as basic shaping. Much of the complexity of enterprise shaping is automated and some assumptions are made. When basic shaping is enabled, this is what happens:

  • Only the 'Default' policy is used (any other policies are ignored)
  • The policy is applied to ALL bridges (on probes with multiple bridges)
  • The 'in' and 'out' bandwidth settings are applied independently to all bridges (e.g. each bridge is configured with the same bandwidth and policy settings and is independent of any other bridge on the probe)
  • The policy is applied proportionally to every other local subnet for each probe (or location) where shaping is enabled
  • The policy is applied to all other traffic that does not match traffic to or from another other probe or location

Basic shaping works well in many cases, however, for greater control and flexibility you can switch to advanced shaping.

 

 

Advanced Shaping

Advanced shaping allows you to configure fine-grained shaping behaviour for each bridge on the probe.

To do this, follow these steps:

  1. Under Settings > Probes > Edit the probe (pencil icon)
  2. Select the 'Shaping' tab up top
  3. Select 'Switch to Advanced Mode'

From there, you can select 'Add Bridge' to configure shaping on a probe's bridge or edit one of the existing bridges.

 

 

Field Definition
Bridge

This probe will apply policies separately to traffic to and from subnets of EVERY OTHER probe under your account set to Full OR Branch mode.
VLAN

Specify one or more VLAN tags to match. You can create more than one shaping definition for each bridge by applying different shaping definitions to different VLANs.

If you leave this blank, all traffic on the bridge will be matched.
Subnets

Optionally specify subnets. Shaping will be applied to these subnets only. Leave blank to apply shaping to all traffic on this bridge. 
Label

Labels are used when you have multiple WANs, for example you may have some sites connected via VPN and other sites connected via MPLS – labels allow you to tag locations and bridges so that they are treated like their own isolated networks and shaping rules are not setup for traffic flowing between them.

Think of each label as an isolated WAN network.
Schedule

Apple a time-based schedule to this bridge. This bridge's shaping will only be enabled while this scedule is active.
Shaping

Enable shaping on this bridge. Shaping policies wont be applied to this bridge until this is enabled.
Internet / Policy

Enable shaping on Internet traffic. This will apply the selected policy to all Internet traffic, that is, all traffic that does not match any of the WAN policies.
WAN Mesh Mode / Policy

Set 'Mesh Mode' to the desired setting (see the following for definitions on each Mesh Mode).

Set the policy to be applied to all WAN traffic.
Bandwidth In/Out

Set your Bandwidth In and Out values in kbps to the desired amount (e.g. if you have an 8Mbps inbound and 8Mbps outbound connected to br1, you would set the values to 8,000 in and 8,000 out).

 

 

 

WAN Mesh Mode Definitions

Setting Definition
Full

This probe will apply policies separately to traffic to and from subnets of EVERY OTHER probe under your account set to Full OR Branch mode.
Branch

This probe will apply policies separately to traffic to and from subnets of ONLY probes under your account set to Full mode.
None

This probe will NOT apply policies separately to traffic to and from subnets of other probes under your account mode.

 

Review Traffic Shaping Policies

You can use the default policy set. Optionally you can change the Traffic Shaping policies to suit your environment under Settings > Shaping > Policies

When setting up these policies, you will need to factor in your high priority applications/definitions that will require a policy put in place to ensure they have dedicated bandwidth. An example of this would be a VPN, firstly you would need to know what type of VPN has been set-up (i.e. PPTP, L2TP, IPSEC, SSL or a VPN client like Citrix) to then be able to define this as well as the subnet it is allocated (i.e. 10.171.10.0/24).

 

To get a better idea of in what order these rules take effect and the bandwidth allocations applied, scroll down to the Bandwidth Priority/Bandwidth Allocation section in this article.

Each Field Explained

Field Definition
Definitions

This is where you add in what you want to shape by i.e. Application, Application tag, Host, Subnet, User, etc. When you add in each definition side by side, an OR operator takes effect and your shaping rule will take effect if it matches at least 1 of the definitions specified.
+ AND

This is where you can use an AND operator rather than the OR operator between each definition, this is to ensure that the shaping policy matches all definitions specified before taking effect.
Action

This is where you can define what you would like to be completed once the definition conditions have been met, it can either be set to Shape, Block or Ignore. See below for definition ordering.
DSCP Tagging

DSCP tagging is ideal for MPLS network or environments where DSCP tags are maintained and honoured in the Service Provider's (SP) network. With this feature, customers can compliment existing policies arranged by the SP by offering far more granular policies and filtering.

When using DSCP tagging in a network that honours DSCP priorities ensure that the priorities are clearly understood and line up with the Sinefa policies to avoid any performance conflicts.

By default (-) the DSCP field is not changed/tagged.
Allocated Bandwidth

This is for shaping only, this allocates minimum bandwidth to the definition you are setting up. This bandwidth is NOT reserved for this application meaning other applications may use it if the application is not using it. However as soon as the application is detected it will be allocated (at least) its Allocated Bandwidth.
Maximum Bandwidth

This is the maximum amount of bandwidth that the policy can be allocated.
Priority

This is for the probe to determine what definition takes priority by assigning it a rating ranging from 1 (high priority) to 8 (lowest priority) The policies with the highest priority get access to the available bandwidth first.

Examples
Say we have a Traffic Shaping setup as below:
Policy 1: Shape SSH, Allocated BW 30%, Maximum BW 50%, Priority 1
Policy 2: Shape HTTP, Allocated BW 60%, Maximum BW 100%, Priority 4
Policy 3: Shape SMTP, Allocated BW 10%, Maximum BW 100%, Priority 7

If all applications want to use 100% of the available link bandwidth, then each application will get its Allocated BW.

  • Allocated BW - SSH (30%), HTTP (60%), SMTP (10%)
  • Burst BW - none available
  • Total BW - SSH (30%), HTTP (60%), SMTP (10%)

If the only application on the network is SSH and it wants to use 100% of the bandwidth it will be given 50% of the bandwidth because that is its 'Maximum BW'. If SMTP then appears on the network and wants to also use 100% of the bandwidth, then each application will be given its Allocated Bandwidth first, then SSH will be given first priority to any remaining bandwidth, then SMTP will be given any remaining bandwidth.

  • Allocated BW - SSH (30%), SMTP (10%)
  • Burst BW - SSh (+20%), SMTP (+40% = 100-30-10-20)
  • Total BW - SSH (50%), SMTP (50%)

 

Shaping by AD username

Sinefa traffic shaping can be configured to shape by username within a policy. Use the prefix "user:" to shape by username.
See example below on how one could shape a user called 'john_smith'

 

 

Shaping by AD Group

Sinefa traffic shaping can be configured to shape by AD Group within a policy. Use the prefix "user-group:" to shape by AD group


See example below on how one could shape a group called 'SinefaInternal'

 

 

Time-based (scheduled) traffic shaping

You can enable/disable a shaping policy rule based on the time of day or day of the week. You can also enable/disable an entire advanced shaping bridge based on the time of day or day of the week.

These schedules can be configured under Settings > Shaping > Schedules. The below example show both a Business Hours (8am - 6pm Monday to Friday) schedule and an After Hours (Midnight - 8am Monday to Friday, 6pm to Midnight Monday to Friday and all day Saturday and Sunday).

 

schedules.png

 

If a schedule is applied to a rule (under policies) or a bridge (under advanced shaping) that rule or bridge is only active when the schedule is active. At all other times, the rule or bridge is disabled and the traffic would fall through to another rule or bridge.

Time is always based on the local timezone of the probe. The How to setup the timezone on a probe article explains how to configure this.

 


Locations

You can apply a shaping policy to locations that don't have a Sinefa Probe deployed. Locations are defined by:

  • Name
  • Subnet
  • Bandwidth Inbound
  • Bandwidth Outbound

This is under Settings > Shaping > LocationsIn this example we have 3 branch offices with different subnets, we want to define these locations and then any policy configured under Policies will be applied against the bandwidth value set per each location's subnet.

 


Definition ordering

Ignore rules are evaluated first, then block rules. When traffic shaping policies are applied, the most specific definitions are evaluated first. The order in which definitions are evaluated against the traffic is:

Action Definition
Ignore Traffic Shaping rules do not get applied to this application/definition
Block Once applied, End users will be unable to use what's defined (i.e. Facebook, Youtube, etc.)
Shape IP address/host or most specific subnet address (e.g. 192.168.0.124/32)
Shape Least specific subnet address (e.g. 192.168.0.0/16)
Shape Application (e.g. Facebook)
Shape Application Group (e.g. "All Software Updates")
Catch All (i.e. All Other Traffic)

IPv6 addresses/subnets can be added to the policies in the same way as IPv4, either as a single address or as a subnet (but not as a range).

 


Shaping / Blocking traffic from the Probe itself

The Probe can block traffic going through it once the block policy has been applied. Traffic from the Probe itself will not be shaped or blocked, unless the Sinefa Probe is using a management port and traffic is coming back through the bridge port.

 

 

See Also
Sinefa Best Practise Guide
Error Applying Shaping Config

Related articles

Comments

0 comments

Article is closed for comments.