
CLI: Example for Configuring a Shared Traffic Profile for Multi-Dimensional Bandwidth Management on One Department

This section provides an example for referencing a shared traffic profile in multiple policies to manage the bandwidth of one department in multiple dimensions.

Networking Requirements

As shown in Figure 1, an enterprise has departments A and B. The enterprise needs to enable the bandwidth management function on the FW to allocate the available bandwidth resources to departments A and B. To prevent P2P services from occupying too many bandwidth resources, the enterprise also requires that the total bandwidth for P2P services of departments A and B be restricted. Therefore, departments A and B are each subject to their own bandwidth control and to the bandwidth control of overall P2P services. Specific requirements are as follows:

  • The maximum downstream bandwidth of department A cannot exceed 60 Mbit/s.
  • The maximum downstream bandwidth of department B cannot exceed 40 Mbit/s.
  • The maximum downstream bandwidth for P2P services of departments A and B cannot exceed 80 Mbit/s.
  • The P2P traffic is counted in the total traffic of each department.
Figure 1 Networking diagram for configuring a shared traffic profile for multi-dimensional bandwidth management on one department

Configuration Roadmap

  1. Set interface IP addresses and assign the interfaces to security zones.
  2. Configure a traffic policy for department A and reference the traffic profile in which the overall maximum downstream bandwidth is 60 Mbit/s.
  3. Configure a traffic policy for department B and reference the traffic profile in which the overall maximum downstream bandwidth is 40 Mbit/s.
  4. Configure a traffic policy for the P2P service of each department, use the traffic policy of the respective department as its parent policy, and reference in both the same traffic profile, in which the overall maximum downstream bandwidth is 80 Mbit/s.
  • Upstream and downstream depend on the direction of the FW bandwidth policy. For simplicity, in this section upstream refers to the direction from Trust to Untrust, and downstream refers to the direction from Untrust to DMZ.
  • Assuming that the security zones, routers, and security policies have been configured, this section introduces only how to configure bandwidth management.

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.
    1. Set an IP address for interface GigabitEthernet 0/0/1 and assign the interface to the untrust zone.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW-GigabitEthernet0/0/1] quit
      [FW] firewall zone untrust
      [FW-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW-zone-untrust] quit
      

    2. Set an IP address for interface GigabitEthernet 0/0/3 and add the interface to the trust zone.

      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
      [FW-GigabitEthernet0/0/3] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/3
      [FW-zone-trust] quit
      

  2. Configure a traffic profile for department A.

    [FW] traffic-policy
    [FW-policy-traffic] profile profile_dep_a
    [FW-policy-traffic-profile-profile_dep_a] bandwidth maximum-bandwidth whole downstream 60000
    [FW-policy-traffic-profile-profile_dep_a] quit
    

  3. Configure bandwidth management for department A.

    In the example, user authentication configuration for department A (dep_a) and department B (dep_b) has been completed.

    [FW-policy-traffic] rule name policy_dep_a
    [FW-policy-traffic-rule-policy_dep_a] source-zone trust
    [FW-policy-traffic-rule-policy_dep_a] destination-zone untrust
    [FW-policy-traffic-rule-policy_dep_a] user user-group /default/dep_a
    [FW-policy-traffic-rule-policy_dep_a] action qos profile profile_dep_a
    [FW-policy-traffic-rule-policy_dep_a] quit
    

  4. Configure a traffic profile for department B.

    [FW-policy-traffic] profile profile_dep_b
    [FW-policy-traffic-profile-profile_dep_b] bandwidth maximum-bandwidth whole downstream 40000
    [FW-policy-traffic-profile-profile_dep_b] quit
    

  5. Configure bandwidth management for department B.

    [FW-policy-traffic] rule name policy_dep_b
    [FW-policy-traffic-rule-policy_dep_b] source-zone trust
    [FW-policy-traffic-rule-policy_dep_b] destination-zone untrust
    [FW-policy-traffic-rule-policy_dep_b] user user-group /default/dep_b
    [FW-policy-traffic-rule-policy_dep_b] action qos profile profile_dep_b
    [FW-policy-traffic-rule-policy_dep_b] quit
    

  6. Configure a shared traffic profile for the P2P service of departments A and B.

    [FW-policy-traffic] profile profile_p2p_all
    [FW-policy-traffic-profile-profile_p2p_all] bandwidth reference-mode rule-shared
    [FW-policy-traffic-profile-profile_p2p_all] bandwidth maximum-bandwidth whole downstream 80000
    [FW-policy-traffic-profile-profile_p2p_all] quit
    

  7. Configure bandwidth management for the P2P service of department A.

    The following example describes the bandwidth management configuration for the BitTorrent (BT) service. You can specify other P2P services as required.

    [FW-policy-traffic] rule name policy_dep_a_p2p parent policy_dep_a
    [FW-policy-traffic-rule-policy_dep_a_p2p] source-zone trust
    [FW-policy-traffic-rule-policy_dep_a_p2p] destination-zone untrust
    [FW-policy-traffic-rule-policy_dep_a_p2p] application app BT
    [FW-policy-traffic-rule-policy_dep_a_p2p] action qos profile profile_p2p_all
    [FW-policy-traffic-rule-policy_dep_a_p2p] quit
    

  8. Configure bandwidth management for the P2P service of department B.

    [FW-policy-traffic] rule name policy_dep_b_p2p parent policy_dep_b
    [FW-policy-traffic-rule-policy_dep_b_p2p] source-zone trust
    [FW-policy-traffic-rule-policy_dep_b_p2p] destination-zone untrust
    [FW-policy-traffic-rule-policy_dep_b_p2p] application app BT
    [FW-policy-traffic-rule-policy_dep_b_p2p] action qos profile profile_p2p_all
    [FW-policy-traffic-rule-policy_dep_b_p2p] quit
    

Configuration Scripts

#                                                                               
sysname FW           
#                                                                               
interface GigabitEthernet0/0/1   
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#                                                                               
interface GigabitEthernet0/0/3   
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet0/0/3   
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet0/0/1   
#                                                                               
traffic-policy                                                                  
 profile profile_dep_a                                                          
  bandwidth maximum-bandwidth whole downstream 60000                            
 profile profile_dep_b                                                          
  bandwidth maximum-bandwidth whole downstream 40000                            
 profile profile_p2p_all                                                        
  bandwidth reference-mode rule-shared                                          
  bandwidth maximum-bandwidth whole downstream 80000                            
 rule name policy_dep_a                                                         
  source-zone trust                                                             
  destination-zone untrust                                                      
  user user-group /default/dep_a                                                
  action qos profile profile_dep_a                                              
 rule name policy_dep_a_p2p parent policy_dep_a                                 
  source-zone trust                                                             
  destination-zone untrust                                                      
  application app BT                                                            
  action qos profile profile_p2p_all                                            
 rule name policy_dep_b                                                         
  source-zone trust                                                             
  destination-zone untrust                                                      
  user user-group /default/dep_b                                                
  action qos profile profile_dep_b                                              
 rule name policy_dep_b_p2p parent policy_dep_b                                 
  source-zone trust                                                             
  destination-zone untrust                                                      
  application app BT                                                            
  action qos profile profile_p2p_all                                            

# The following user/group creation configuration is stored in the database, but not in the configuration profile.
user-manage group /default/dep_a
user-manage group /default/dep_b
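
An added example, not part of the original Huawei documentation: a short Python audit of the traffic-policy stanza above that checks each rule's profile and parent references, flags a profile referenced by several rules without `bandwidth reference-mode rule-shared`, and derives each rule's effective downstream ceiling. Taking a child rule's ceiling as the minimum of its own cap and its ancestors' caps, and requiring the rule-shared line to be explicit, are assumptions of this example; `parse` and `audit` are hypothetical names.

```python
import re
# Constructed input: this page's traffic-policy stanza, zone/user/application lines omitted.
CONFIG = """traffic-policy
 profile profile_dep_a
  bandwidth maximum-bandwidth whole downstream 60000
 profile profile_dep_b
  bandwidth maximum-bandwidth whole downstream 40000
 profile profile_p2p_all
  bandwidth reference-mode rule-shared
  bandwidth maximum-bandwidth whole downstream 80000
 rule name policy_dep_a
  action qos profile profile_dep_a
 rule name policy_dep_a_p2p parent policy_dep_a
  action qos profile profile_p2p_all
 rule name policy_dep_b
  action qos profile profile_dep_b
 rule name policy_dep_b_p2p parent policy_dep_b
  action qos profile profile_p2p_all"""

def parse(text):  # -> ({profile: {down, shared}}, {rule: {parent, profile}})
    profiles, rules, cur = {}, {}, {}
    for s in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"profile (\S+)", s):
            cur = profiles[m[1]] = {"down": None, "shared": False}
        elif m := re.fullmatch(r"rule name (\S+)(?: parent (\S+))?", s):
            cur = rules[m[1]] = {"parent": m[2], "profile": None}
        elif m := re.fullmatch(r"bandwidth maximum-bandwidth whole downstream (\d+)", s):
            cur["down"] = int(m[1])
        elif s == "bandwidth reference-mode rule-shared":
            cur["shared"] = True
        elif m := re.fullmatch(r"action qos profile (\S+)", s):
            cur["profile"] = m[1]
    return profiles, rules

def audit(text):  # -> (findings, {rule: effective downstream ceiling in kbit/s})
    profiles, rules = parse(text)
    findings, ceilings, refs = [], {}, {}
    for name, r in rules.items():
        refs.setdefault(r["profile"], []).append(name)
        if r["profile"] not in profiles or r["parent"] not in {None, *rules}:
            findings.append(f"{name}: dangling profile or parent reference")
        caps, node = [], r  # assumption: a child is bound by its own cap and every ancestor's
        while node and len(caps) < len(rules):
            caps.append(profiles.get(node["profile"], {}).get("down"))
            node = rules.get(node["parent"])
        ceilings[name] = min((c for c in caps if c is not None), default=None)
    for prof, names in refs.items():  # one profile on several rules: is the cap pooled?
        if len(names) > 1 and prof in profiles and not profiles[prof]["shared"]:
            findings.append(f"{prof}: referenced by {len(names)} rules without rule-shared")
    return findings, ceilings
```

For the configuration on this page, `audit(CONFIG)` returns no findings and shows that the P2P rule of each department is bounded by the department's own cap (60000 and 40000 kbit/s) before the 80000 kbit/s shared cap.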
Copyright © Huawei Technologies Co., Ltd.