D-Link DFL-260E User Manual for DFL-260E - Page 503
10.1.10. More Pipe Examples
Chapter 10. Traffic Management

• Priority 4 - Citrix (250 kbps)
• Priority 2 - Other traffic (1000 kbps)
• Priority 0 - Web plus remaining from other levels

To implement this scheme, we can use the in-pipe and out-pipe. We first enter the Pipe Limits for each pipe. These limits correspond to the list above and are:

• Priority 6 - 500
• Priority 4 - 250
• Priority 2 - 1000

Now create the Pipe Rules:

| Rule Name | Forward Pipes | Return Pipes | Source Interface | Source Network | Dest Interface | Dest Network | Selected Service | Precedence |
|-----------|---------------|--------------|------------------|----------------|----------------|--------------|------------------|------------|
| web_surf  | out-pipe      | in-pipe      | lan              | lannet         | wan            | all-nets     | http_all         | 0          |
| voip      | out-pipe      | in-pipe      | lan              | lannet         | wan            | all-nets     | H323             | 6          |
| citrix    | out-pipe      | in-pipe      | lan              | lannet         | wan            | all-nets     | citrix           | 4          |
| other     | out-pipe      | in-pipe      | lan              | lannet         | wan            | all-nets     | All              | 2          |

These rules are processed from top to bottom and force different kinds of traffic into precedences based on the Service. Customized service objects may first need to be created in order to identify particular types of traffic. The All service in the last rule catches anything that falls through from the earlier rules. This is important because no traffic may bypass the pipe rule set, otherwise using pipes will not work.

Pipe Chaining

Suppose the requirement now is to limit the precedence 2 capacity (other traffic) to 1000 kbps so that it does not spill over into precedence 0. This is done with pipe chaining, where we create new pipes called in-other and out-other, both with a Pipe Limit of 1000. The other pipe rule is then modified to use these:

| Rule Name | Forward Pipes       | Return Pipes      | Source Interface | Source Network | Dest Interface | Dest Network | Selected Service | Precedence |
|-----------|---------------------|-------------------|------------------|----------------|----------------|--------------|------------------|------------|
| other     | out-other, out-pipe | in-other, in-pipe | lan              | lannet         | wan            | all-nets     | All              | 2          |

Note that in-other and out-other are first in the pipe chain in both directions. This is because we want to limit the traffic immediately, before it enters the in-pipe and out-pipe and competes with VoIP, Citrix and Web-surfing traffic.
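
The effect of chaining on precedence 0 can be checked with a small model of the forward direction. This is an added example, not NetDefendOS code or configuration. It assumes that traffic above a precedence limit is demoted to precedence 0 (the "spill over" described above) and that out-other is a flat 1000 kbps cap; the ftp and smtp service names and all load figures are constructed.

```python
# Added illustration, not NetDefendOS code. All figures are in kbps.
PRECEDENCE_LIMITS = {6: 500, 4: 250, 2: 1000}  # Pipe Limits from the page
CHAIN_LIMITS = {"out-other": 1000}             # assumed: flat cap on the chained pipe

# (rule name, service, precedence, forward pipe chain), in processing order
RULES = [
    ("web_surf", "http_all", 0, ("out-pipe",)),
    ("voip", "H323", 6, ("out-pipe",)),
    ("citrix", "citrix", 4, ("out-pipe",)),
    ("other", "All", 2, ("out-pipe",)),
]
CHAINED_RULES = RULES[:3] + [("other", "All", 2, ("out-other", "out-pipe"))]

# Constructed offered load per service
SAMPLE = {"http_all": 300, "H323": 400, "citrix": 200, "ftp": 900, "smtp": 600}


def match_rule(service, rules):
    """Top-to-bottom, first match wins; 'All' catches whatever is left."""
    for rule in rules:
        if rule[1] in (service, "All"):
            return rule
    raise LookupError(f"{service} bypasses the pipe rule set")


def shape(offered, rules):
    """Return (kbps per precedence inside out-pipe, kbps held back upstream)."""
    load = {}                                   # aggregate load per matched rule
    for service, kbps in offered.items():
        rule = match_rule(service, rules)
        load[rule] = load.get(rule, 0) + kbps
    per_prec = {6: 0, 4: 0, 2: 0, 0: 0}
    held_back = 0
    for (_, _, prec, chain), kbps in load.items():
        for pipe in chain[:-1]:                 # pipes placed ahead of out-pipe
            held_back += max(0, kbps - CHAIN_LIMITS[pipe])
            kbps = min(kbps, CHAIN_LIMITS[pipe])
        per_prec[prec] += kbps
    for prec, limit in PRECEDENCE_LIMITS.items():
        spill = max(0, per_prec[prec] - limit)  # excess is demoted to precedence 0
        per_prec[prec] -= spill
        per_prec[0] += spill
    return per_prec, held_back


if __name__ == "__main__":
    print("single pipe:", shape(SAMPLE, RULES))
    print("chained:    ", shape(SAMPLE, CHAINED_RULES))
```

With the single pipe, the 500 kbps of other traffic above its limit lands in precedence 0 beside web traffic; with the chain it is held back in out-other and precedence 0 carries only web traffic.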
A VPN Scenario

In the cases discussed so far, all traffic shaping is occurring inside a single NetDefend Firewall. VPN is typically used for communication between a headquarters and branch offices, in which case pipes can control traffic flow in both directions. With VPN, it is the tunnel which is the source and destination interface for the pipe rules.

An important consideration, which has been discussed previously, is allowance in the Pipe Total values for the overhead used by VPN protocols. As a rule of thumb, a pipe total of 1700 bps is