Traffic shaping recommendations – Amer Networks E5Web GUI User Manual

balancing lowers the limit per user to about 13 Kbps (64 Kbps divided by 5 users).

Dynamic Balancing takes place within each precedence of a pipe individually. This means that if
users are allotted a certain small amount of high priority traffic, and a larger chunk of best-effort
traffic, all users will get their share of the high-precedence traffic as well as their fair share of the
best-effort traffic.

10.1.8. Traffic Shaping Recommendations

The Importance of a Pipe Limit

Traffic shaping only comes into effect when a cOS Core pipe is full. That is to say, it is passing as
much traffic as the total limit allows. If a 500 Kbps pipe is carrying 400 Kbps of low priority traffic
and 90 Kbps of high priority traffic then there is 10 Kbps of bandwidth left and there is no reason
to throttle back anything. It is therefore important to specify a total limit for a pipe so that it
knows what its capacity is and the precedence mechanism is totally dependent on this.

VPN Pipe Limits

Traffic shaping measures the traffic inside VPN tunnels. This is the raw unencrypted data without
any protocol overhead so it will be less than the actual VPN traffic. VPN protocols such as IPsec
can add significant overhead to the data and for this reason it is recommended that the limits
specified in the traffic shaping pipes for VPN traffic are set at around 20% below the actual
available bandwidth.

Relying on the Group Limit

A special case when a total pipe limit is not specified is when a group limit is used instead. The
bandwidth limit is then placed on, for example, each user of a network where the users must
share a fixed bandwidth resource. An ISP might use this approach to limit individual user
bandwidth by specifying a "Per Destination IP" grouping. Knowing when the pipe is full is not
important since the only constraint is on each user. If precedences were used the pipe maximum
would have to be used.

Limits should not be more than the Available Bandwidth

If pipe limits are set higher than the available bandwidth, the pipe will not know when the
physical connection has reached its capacity. If the connection is 500 Kbps but the total pipe
limit is set to 600 Kbps, the pipe will believe that it is not full and it will not throttle lower
precedences.

Limits should be less than Available Bandwidth

Pipe limits should be slightly below the network bandwidth. A recommended value is to make
the pipe limit 95% of the physical limit. The need for this difference becomes less with increasing
bandwidth since 5% represents an increasingly larger piece of the total.

The reason for the lower pipe limit is how cOS Core processes traffic. For outbound connections
where packets leave the Clavister Security Gateway, there is always the possibility that cOS Core
might slightly overload the connection because of the software delays involved in deciding to
send packets and the packets actually being dispatched from buffers.

For inbound connections, there is less control over what is arriving and what has to be processed
by the traffic shaping subsystem and it is therefore more important to set pipe limits slightly
below the real connection limit to account for the time needed for cOS Core to adapt to

Chapter 10: Traffic Management

673