This section provides an example for referencing a shared
traffic profile in multiple policies to manage the bandwidth of one
department in multiple dimensions.
Networking Requirements
As shown in Figure 1, an enterprise has departments
A and B. The enterprise needs to enable the bandwidth management
function on the FW to
allocate the available bandwidth resources to departments A and B. To prevent
P2P services from occupying too many bandwidth resources, the enterprise
also requires that the total bandwidth for P2P services of departments
A and B be restricted. Therefore, departments A and B are subject
to their separate bandwidth control and the bandwidth control of overall
P2P services. Specific requirements are as follows:
- The maximum downstream bandwidth of department A cannot exceed
60 Mbit/s.
- The maximum downstream bandwidth of department B cannot exceed
40 Mbit/s.
- The maximum downstream bandwidth for P2P services of departments
A and B cannot exceed 80 Mbit/s.
- The P2P traffic is counted in the total traffic of each department.
Figure 1 Networking diagram for configuring a shared traffic profile
for multi-dimensional bandwidth management on one department
Configuration Roadmap
- Set interface IP addresses and assign the interfaces to security
zones.
- Configure a traffic policy for department A and reference the
traffic profile in which the overall maximum downstream bandwidth
is 60 Mbit/s.
- Configure a traffic policy for department B and reference the
traffic profile in which the overall maximum downstream bandwidth
is 40 Mbit/s.
- Configure traffic policies respectively for the P2P service of
departments A and B, use the traffic policies for their respective
departments as their parent policies, and reference the same traffic
profile in which the overall maximum downstream bandwidth is 80 Mbit/s.
- Upstream and downstream depend on the direction of FW bandwidth policy. For simplicity, upstream refers to the direction from Trust to Untrust, and downstream refers to Untrust to DMZ in this section.
- Assuming that the security zones, routers, and security policies have been configured, this section introduces only how to configure bandwidth management.
Procedure
- Set interface IP addresses and assign the interfaces to security zones.
  - Choose .
  - Click for GE0/0/3 and set the parameters as follows:
    | Zone | trust |
    | IPv4 | |
    | IP Address | 10.3.0.1/24 |
  - Click OK.
  - Repeat the preceding steps to configure interface GE0/0/1.
    | Zone | untrust |
    | IPv4 | |
    | IP Address | 1.1.1.1/24 |
- Configure a traffic profile for department A.
  - Choose .
  - Click Add and set the parameters as follows:
    | Name | profile_dep_a |
    | Traffic Limiting Mode | Upstream and downstream bandwidth |
    | Reference Mode | Exclusive mode |
    | Global Traffic Limiting | |
    | Downstream Bandwidth Maximum | 60 Mbit/s |
  - Click OK.
- Configure bandwidth management for department A.
  - Choose .
  - Click Add and set the parameters as follows:
    In the example, user authentication configuration for department A (dep_a) and department B (dep_b) has been completed.
    | Name | policy_dep_a |
    | Source Zone | trust |
    | Destination Zone | untrust |
    | User | /default/dep_a |
    | Action | Limit |
    | Traffic Profile | profile_dep_a |
  - Click OK.
- Configure a traffic profile for department B.
  - Choose .
  - Click Add and set the parameters as follows:
    | Name | profile_dep_b |
    | Traffic Limiting Mode | Upstream and downstream bandwidth |
    | Reference Mode | Exclusive mode |
    | Global Traffic Limiting | |
    | Downstream Bandwidth Maximum | 40 Mbit/s |
  - Click OK.
- Configure bandwidth management for department B.
  - Choose .
  - Click Add and set the parameters as follows:
    | Name | policy_dep_b |
    | Source Zone | trust |
    | Destination Zone | untrust |
    | User | /default/dep_b |
    | Action | Limit |
    | Traffic Profile | profile_dep_b |
  - Click OK.
- Configure traffic profiles respectively for the P2P service of departments A and B.
  - Choose .
  - Click Add and set the parameters as follows:
    | Name | profile_p2p_all |
    | Traffic Limiting Mode | Upstream and downstream bandwidth |
    | Reference Mode | Shared mode |
    | Global Traffic Limiting | |
    | Downstream Bandwidth Maximum | 80 Mbit/s |
- Configure bandwidth management for the P2P service of department A.
  - Choose .
  - Click Add and set the parameters as follows:
    The following example describes the bandwidth management configuration for the BitTorrent (BT) service. You can specify other P2P services as required.
    | Name | policy_dep_a_p2p |
    | Parent Policy | policy_dep_a |
    | Source Zone | trust |
    | Destination Zone | untrust |
    | Application | BT |
    | Action | Limit |
    | Traffic Profile | profile_p2p_all |
  - Click OK.
- Configure bandwidth management for the P2P service of department B.
  - Choose .
  - Click Add and set the parameters as follows:
    | Name | policy_dep_b_p2p |
    | Parent Policy | policy_dep_b |
    | Source Zone | trust |
    | Destination Zone | untrust |
    | Application | BT |
    | Action | Limit |
    | Traffic Profile | profile_p2p_all |
  - Click OK.
Configuration Scripts
This section provides only the script related to the example.
#
sysname FW
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
traffic-policy
 profile profile_dep_a
  bandwidth maximum-bandwidth whole downstream 60000
 profile profile_dep_b
  bandwidth maximum-bandwidth whole downstream 40000
 profile profile_p2p_all
  bandwidth reference-mode rule-shared
  bandwidth maximum-bandwidth whole downstream 80000
 rule name policy_dep_a
  source-zone trust
  destination-zone untrust
  user user-group /default/dep_a
  action qos profile profile_dep_a
 rule name policy_dep_a_p2p parent policy_dep_a
  source-zone trust
  destination-zone untrust
  application app BT
  action qos profile profile_p2p_all
 rule name policy_dep_b
  source-zone trust
  destination-zone untrust
  user user-group /default/dep_b
  action qos profile profile_dep_b
 rule name policy_dep_b_p2p parent policy_dep_b
  source-zone trust
  destination-zone untrust
  application app BT
  action qos profile profile_p2p_all
# The following user/group creation configuration is stored in the database, but not in the configuration profile.
user-manage group /default/dep_a
user-manage group /default/dep_b
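
The following Python audit of the traffic-policy section is an added example, not part of the original page or any vendor tooling. It checks that a profile referenced by more than one rule is in rule-shared mode and that every parent rule and referenced profile exists. It assumes, as the mode names indicate, that a profile left in exclusive mode gives each referencing rule its own quota; `parse` and `audit` are hypothetical helper names.

```python
from collections import defaultdict
# traffic-policy section of the script above; match conditions omitted for brevity.
CONFIG = """\
traffic-policy
 profile profile_dep_a
  bandwidth maximum-bandwidth whole downstream 60000
 profile profile_dep_b
  bandwidth maximum-bandwidth whole downstream 40000
 profile profile_p2p_all
  bandwidth reference-mode rule-shared
  bandwidth maximum-bandwidth whole downstream 80000
 rule name policy_dep_a
  action qos profile profile_dep_a
 rule name policy_dep_a_p2p parent policy_dep_a
  action qos profile profile_p2p_all
 rule name policy_dep_b
  action qos profile profile_dep_b
 rule name policy_dep_b_p2p parent policy_dep_b
  action qos profile profile_p2p_all
"""

def parse(text):
    """Collect profiles (shared flag) and rules (parent, profile) by name."""
    profiles, rules, cur = {}, {}, {}
    for line in text.splitlines():
        w = line.split()
        if w[:1] == ["profile"]:
            cur = profiles[w[1]] = {"shared": False}
        elif w[:2] == ["rule", "name"]:
            cur = rules[w[2]] = {"parent": w[4] if w[3:4] == ["parent"] else None}
        elif w[:2] == ["bandwidth", "reference-mode"]:
            cur["shared"] = w[2] == "rule-shared"
        elif w[:3] == ["action", "qos", "profile"]:
            cur["profile"] = w[3]
    return profiles, rules

def audit(text):
    """Return findings for per-rule caps on multi-use profiles and dangling names."""
    (profiles, rules), refs, findings = parse(text), defaultdict(list), []
    for name, rule in rules.items():
        if rule.get("profile"):
            refs[rule["profile"]].append(name)
        if rule["parent"] and rule["parent"] not in rules:
            findings.append(f"{name}: parent {rule['parent']} is not defined")
    for prof, users in refs.items():
        if prof not in profiles:
            findings.append(f"{prof}: referenced by {users} but not defined")
        elif len(users) > 1 and not profiles[prof]["shared"]:
            findings.append(f"{prof}: referenced by {users} without rule-shared")
    return findings
```

Run `audit()` on an exported configuration before deployment; an empty list means the checks passed, and any finding names the profile or rule to review.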