
Limitations and Precautions for Bandwidth Management

Hardware Requirements

The Bandwidth Management function is supported by all models.

All models except USG6635E/6655E, USG6680E and USG6712E/6716E support dynamic even distribution of bandwidth resources for each IP address or user, and the traffic forwarding priority function in a traffic profile.

Only the USG6610E/6620E, USG6630E/6650E, USG6680E and USG6712E/6716E support limiting the overall maximum and guaranteed upstream and downstream bandwidths, as well as those for each IP address or user.

License Requirements

The Bandwidth Management function is not license-controlled.

Limitations

  • The parent and child policies must use the same traffic limiting mode: both set to "setting the upstream and downstream bandwidth" or both set to "setting the total bandwidth". Otherwise, bandwidth control is not accurate.
  • The guaranteed bandwidth and forwarding priority take effect only on traffic traveling through the firewall. For the packets that have been discarded before reaching the firewall (for example, the downstream traffic from the Internet to the intranet for which bandwidth needs to be guaranteed may be discarded due to ISP bandwidth limiting before reaching the firewall), the firewall cannot guarantee bandwidth for them or forward them based on priorities.
  • In the SSL VPN network extension scenario, the overall maximum bandwidth cannot be limited. Only the maximum bandwidth per IP address or user can be limited.
  • For traffic of the users with anonymous authentication, per-user traffic limiting is not supported.
  • In hot standby networking, the device supports backing up bandwidth management related configurations (including traffic policies and traffic profiles) but not status information such as bandwidth usage. In hot standby deployment in load balancing mode, if the forward and reverse paths of the traffic are inconsistent, the standby device uses the reverse session of the backup session to match the traffic policy. In this way, the bandwidth of the reverse traffic is limited when the forward and reverse paths are inconsistent, but the number of connections of the reverse traffic is not limited.
  • If the bandwidth management and VPN services are used together, it is recommended that the source and destination IP addresses of the traffic policy be set to the source and destination IP addresses of the packets before VPN tunnel encapsulation. Otherwise, the configured bandwidth management function does not take effect when the VPN service other than L2TP VPN, SSL VPN, or GRE over MPLS VPN is used.
  • The FW does not limit the bandwidth of the packets that reach itself or the packets sent from itself.
  • The FW supports bandwidth management through the CPU or hardware chip:
    • After the hardware fast forwarding function is enabled using the hardware fast-forwarding enable command, the device preferentially uses the hardware chip to implement bandwidth management. By default, the hardware fast forwarding function is enabled.
    • When hardware chip resources are insufficient or the hardware fast forwarding function is disabled, the device implements bandwidth management through the CPU.
    You can run the display traffic-policy statistic bandwidth whole both all command to view the traffic policy and the traffic profile referenced by the traffic policy.
    • The traffic policy displayed in the Bandwidth Statistic field and the referenced traffic profile are processed by the CPU.
    • The traffic policy displayed in the Hardware forwarding field and the referenced traffic profile are processed by the hardware chip.

    Traffic matching the same traffic policy may be managed by both the CPU and the hardware chip. In this case, the matching traffic policy and the referenced traffic profile are displayed under both fields.

  • The FW supports bandwidth management through the CPU or hardware chip. The two modes have different processes for guaranteed bandwidth and outbound interface bandwidth.
    • When the device implements bandwidth management through the CPU, the guaranteed bandwidth priority is higher than the outbound interface bandwidth priority. If guaranteed bandwidth is configured for a traffic flow and bandwidth is configured on the outbound interface of the traffic, the device preferentially processes the traffic based on the guaranteed bandwidth instead of the outbound interface bandwidth. In extreme cases, if the configured guaranteed bandwidth is greater than the outbound interface bandwidth, the outbound traffic on the outbound interface may be greater than the maximum outbound bandwidth configured on the outbound interface. However, in actual scenarios, because the bandwidth leased from a carrier is fixed, the traffic whose bandwidth exceeds the actual bandwidth is still discarded on the uplink.
    • When the device implements bandwidth management using a hardware chip, traffic is processed based on the guaranteed bandwidth and then the outbound interface bandwidth. Therefore, the outgoing traffic on the outbound interface of the device cannot exceed the maximum outbound bandwidth configured on the outbound interface.
  • Bandwidth management implemented through hardware chips has the following limitations:
    • IPv6 traffic does not support bandwidth management through hardware chips, and IPv6 traffic is sent to the CPU for processing. When IPv6 traffic is sent to the CPU for processing, traffic can be limited only based on the total upstream and downstream bandwidth, but not based on the upstream or downstream bandwidth.
    • When CAR resources are used up, bandwidth management cannot be implemented through hardware chips, and traffic is sent to the CPU for processing.
    • The multi-level parent and child bandwidth policy, interface bandwidth configured on the logical interface, and total bandwidth configured in the traffic profile cannot be processed by hardware chips. After the hardware fast forwarding function is enabled, if the preceding traffic is sent to the hardware chip, related configurations do not take effect. To use these functions, run the undo hardware fast-forwarding enable command to disable the hardware fast forwarding function.
  • When the bandwidth management function is used with the ASPF/ALG function and if the ASPF/ALG function is configured for multi-channel protocols, other channels cannot match the traffic policy because the bandwidth management function does not support the association of multi-channel sessions for multi-channel protocols. In this scenario, you are advised to configure applications in the traffic policy to identify new multi-channel protocol traffic.
  • The bandwidth management function supports both IPv4 and IPv6.

Precautions

  • The guaranteed bandwidth and connection limit specified in a child policy cannot be higher than those specified in the parent policy.
  • The parent and child policies must reference different traffic profiles.
  • Static mapping (NAT server) function: The destination address specified in a traffic policy must be a private IP address.
  • Source NAT function: The source IP address or region specified in a traffic policy must be a private IP address.
  • If bandwidth management and NAT64 are used together, specify the corresponding IPv6 address when configuring the source or destination IP address for a traffic policy.
  • Enabling bandwidth management may increase the CPU usage of the device. Exercise caution when using this function.
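
The parent/child rules under Limitations and Precautions, together with the hardware fast forwarding restriction, can be checked against a planned policy set before it is applied. The following is an added example, not Huawei code: the Policy model, field names and finding codes are hypothetical, and it assumes any policy with a parent counts as a parent/child policy.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:                      # hypothetical model, not device syntax
    name: str
    profile: str                   # traffic profile the policy references
    mode: str                      # "updown" or "total" limiting mode
    guaranteed_kbps: Optional[int] = None
    conn_limit: Optional[int] = None
    parent: Optional[str] = None

def exceeds(child, parent):
    # Compare only when both sides are configured.
    return child is not None and parent is not None and child > parent

def lint(policies, hw_fast_forwarding=True):
    """Return (policy name, finding code) pairs for the rules on this page."""
    by_name = {p.name: p for p in policies}
    out = []
    for p in policies:
        if hw_fast_forwarding and p.mode == "total":
            out.append((p.name, "HW_TOTAL_BW"))       # not handled by the chip
        if p.parent is None:
            continue
        parent = by_name.get(p.parent)
        if parent is None:
            out.append((p.name, "UNKNOWN_PARENT"))
            continue
        if hw_fast_forwarding:
            out.append((p.name, "HW_HIERARCHY"))      # assumption: any child counts
        if p.mode != parent.mode:
            out.append((p.name, "MODE_MISMATCH"))
        if p.profile == parent.profile:
            out.append((p.name, "SAME_PROFILE"))
        if exceeds(p.guaranteed_kbps, parent.guaranteed_kbps):
            out.append((p.name, "GUARANTEE_EXCEEDS_PARENT"))
        if exceeds(p.conn_limit, parent.conn_limit):
            out.append((p.name, "CONN_LIMIT_EXCEEDS_PARENT"))
    return out

# Constructed sample policies (names and values are illustrative).
SAMPLE = [
    Policy("dept", "prof_dept", "updown", 20000, 5000),
    Policy("eng", "prof_eng", "updown", 30000, 1000, parent="dept"),
    Policy("guest", "prof_dept", "total", 5000, 8000, parent="dept"),
]

if __name__ == "__main__":
    for name, code in lint(SAMPLE):
        print(f"{name}: {code}")
```

Findings prefixed HW_ apply only while hardware fast forwarding is enabled, which the page states is the default.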
Copyright © Huawei Technologies Co., Ltd.