
A summary of traffic shaping – Amer Networks E5Web GUI User Manual


changing conditions.

Attacks on Bandwidth

Traffic shaping cannot protect against incoming resource exhaustion attacks, such as DoS attacks
or other flooding attacks. cOS Core will prevent these extraneous packets from reaching the
hosts behind the Clavister Security Gateway, but it cannot protect the connection from becoming
overloaded if an attack floods it.

Watching for Leaks

When setting out to protect and shape a network bottleneck, make sure that all traffic passing
through that bottleneck passes through the defined cOS Core pipes.

If there is traffic going through the Internet connection that the pipes do not know about, cOS
Core cannot know when the Internet connection becomes full.

The problems resulting from leaks are exactly the same as in the cases described above. Traffic
"leaking" through without being measured by pipes will have the same effect as bandwidth
consumed by parties outside of administrator control but sharing the same connection.
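
The effect of a leak can be seen in a small model. This is an added example, not code from the manual or from cOS Core: the function names, the rates and the proportional-drop behaviour of the congested link are assumptions made for illustration.

```python
# Added illustration: a simplified model, not cOS Core's scheduling algorithm.
# All rates are in kbps. Precedence 0 stands for the Best Effort precedence.

def shape(demand, guarantees, pipe_limit):
    """Admit traffic through one pipe.

    demand and guarantees map precedence -> kbps. Traffic above a precedence's
    limit/guarantee is demoted to best effort; best effort gets what is left
    under the pipe's total limit.
    """
    admitted, demoted = {}, 0
    for prec, rate in demand.items():
        if prec == 0:
            continue
        admitted[prec] = min(rate, guarantees.get(prec, 0))
        demoted += rate - admitted[prec]
    spare = max(pipe_limit - sum(admitted.values()), 0)
    admitted[0] = min(demand.get(0, 0) + demoted, spare)
    return admitted

def deliver(admitted, leak, link_capacity):
    """Pass pipe output plus unmeasured traffic over the real bottleneck.

    Assumption: the congested link knows nothing about precedences, so it
    drops all flows in proportion once offered load exceeds its capacity.
    """
    offered = sum(admitted.values()) + leak
    scale = 1.0 if offered <= link_capacity else link_capacity / offered
    return {prec: rate * scale for prec, rate in admitted.items()}

def guaranteed_rate(leak, link_capacity=2000, pipe_limit=2000):
    """Constructed scenario: precedence 2 has a 500 kbps guarantee."""
    demand = {2: 500, 0: 3000}      # constructed sample demand
    guarantees = {2: 500}
    admitted = shape(demand, guarantees, pipe_limit)
    return deliver(admitted, leak, link_capacity)[2]

if __name__ == "__main__":
    print("no leak:       ", guaranteed_rate(leak=0))
    print("2000 kbps leak:", guaranteed_rate(leak=2000))
```

With no leak the pipe's output fits the link and the guaranteed precedence is delivered in full. With the same amount of traffic bypassing the pipe, the pipe still admits up to its limit and the guarantee is lost at the link.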

Troubleshooting

For a better understanding of what is happening in a live setup, the console command:

Device:/> pipe -u

can be used to display a list of currently active users in each pipe.

10.1.9. A Summary of Traffic Shaping

cOS Core traffic shaping provides a sophisticated set of mechanisms for controlling and
prioritizing network packets. The following points summarize its use:

Select the traffic to manage through Pipe Rules.

Pipe Rules send traffic through Pipes.

A pipe can have a limit which is the maximum amount of traffic allowed.

A pipe can only know when it is full if a total limit for the pipe is specified.

A single pipe should handle traffic in only one direction (although two-way pipes are allowed).

Pipes can be chained so that one pipe's traffic feeds into another pipe.

Specific traffic types can be given a priority in a pipe.

Priorities can be given a maximum limit which is also a guarantee. Traffic that exceeds this
will be sent at the minimum precedence which is also called the Best Effort precedence.

At the best effort precedence all packets are treated on a "first come, first forwarded" basis.

Within a pipe, traffic can also be separated on a Group basis, for example by source IP
address. Each user in a group (for example, each source IP address) can be given a maximum
limit, and precedences within a group can be given a limit/guarantee.

A pipe limit need not be specified if group members have a maximum limit.

Chapter 10: Traffic Management
