Typical Co-Location and/or WAN Customer Setup
The scenario here assumes that each colocated customer has their own class IP address.
bwmgr fxp0 -ifac -burstthresh 2000000
bwmgr fxp0 -x 100 -addr 199.17.11.1 -bwboth 256000 -bwburst 512000 -bursttrig fxp0
bwmgr fxp0 -x 200 -addr 199.17.11.2 -bwboth 256000 -bwburst 512000 -bursttrig fxp0
bwmgr fxp0 -x 300 -addr 199.17.11.3 -bwboth 256000 -bursttrig fxp0
The above regulates traffic at 256000bps when traffic on the wire is over 2Mb/s. For rules 100 and 200, the specified networks can use 512000bps when traffic levels are below 2Mb/s, while rule 300 allows bursting to full wire speed (no burst setting with a trigger defined is no limit on bursting).
Limit All Incoming Sessions with 1 Rule
Its often desireable to control the amount of bandwidth that each user to a web or ftp site can get without limiting the overall bandwidth that a device has access to. For example, a busy site with heavy graphics content may not want users from high bandwidth locations to dominate the use of bandwidth. The following rule will limit each access to hot 219.15.1.7 to 64000bps.
bwmgr fxp0 -prot tcpconnect -daddr 219.15.1.7 -r -bwboth 64000
Note the use of the -r switch, which "reverses" the limit, that is, instead of limiting 219.15.1.7 to 64000bps, it will limit each address that accesses it to 64000bps. To above will give each accessing IP 64000bps. Another setting:
bwmgr fxp0 -prot tcpconnect -daddr 219.15.1.7 -rc -bwboth 128000
would allow a TOTAL of 128000bps to be shared on a first come, first serve basis by all of the connecting IPs. Alternately:
bwmgr fxp0 -prot tcpconnect -daddr 219.15.1.7 -rb -bwmin 32000 -bwboth 128000
using -rb will cause the 128000bps to be balanced fairly among ACTIVE IPs that access the specified server, with a minimum setting of 32000 for each (ie if there were more than 4 active hosts accessing the server, then they would not be limited to less than 32000bps, but still share the 128000bps).
ALTERNATIVELY, for any of the above settings, you could add the -port use setting as in the following:
bwmgr fxp0 -prot tcpconnect -port use -daddr 219.15.1.7 -r -bwboth 64000
The above will limit each SESSION to 64000bps, allowing other IP traffic from the host to pass. Note that each HTTP access, for example, usually has several sessions, so using the IP is more useful if it doesnt cause problems.
Limit All IP Addresses with 1 Rule
You can limit all IP addresses in your network with a single rule as follows:
bwmgr fxp0 -x 5000 -ipprot allip -r -usesaddr -addr 192.168.0.1 -addrmsk 255.255.255.0 -ruletmo 300 -bwin 128000 -bwout 128000
The above rule will trap each different source address in the specified address range and create a dynamic rule and limit the address to 128000bps in and out. Make sure you leave enough rule index space before the rule to accommodate the number of addresses. If all of your traffic is from known source addresses then you can leave out the address specs and it will trap everything. You don't want to trap in the wrong direction, or you may get a lot more rules that you expect.
Allow only Specific MAC / IP Combinations onto your Network
It is often useful, in an effort to prohibit customers from using IP addresses that are not allocated to them, to only allow specific MACs to have Specific IP addresses. This is particularly useful in a wireless environment where security is a problem. You can do this easily by firewalling out all addresses except those that are explicitly allowed. For example:
bwmgr fxp0 -fw -x 100 -addr 207.11.11.1 -maddr c0:b0:a0:00:00:01
bwmgr fxp0 -fw -x 200 -addr 207.11.11.2 -maddr 00:c0:07:01:01:04
bwmgr fxp0 -fw -x 10000 -prot allip -priority fw-deny
The above allows the specific IP / MAC pairs defined in rules 100 and 200, while rule 10000 results in all others being dropped. Note that the -allip is required to prevent ALL traffic (including arps and other non-ip traffic). Without the -allip, some other previous rule (like a rule allowing ARPs) would be required or your network would not work.
Limiting a Name Virtual Host
"Name" virtual hosts are unique in that there may be many hosts on 1 IP address. To limit http traffic to name virtual hosts, use the -nameaddr switch:
bwmgr fxp0 -nameaddr www.somedomain.com -rc -bwin 128000 -bwout 128000
This would limit all hosts accessing www.somedomain.com to an aggregate total of 128000bps.
Controlling Gnutella (file-sharing) Traffic
This is covered in detail in the bwmgr user manual.
Physical Limits with a Ceiling for the Medium
bwmgr fxp0 -ifac -bwboth 3000000
bwmgr fxp0 -addr 199.17.11.0 -addrmsk 255.255.255.0 -bwboth 1544000
bwmgr fxp0 -addr 199.17.12.0 -addrmsk 255.255.255.0 -bwboth 1544000
bwmgr fxp0 -addr 199.17.11.0 -addrmsk 255.255.255.0 -bwboth 1544000
The above gives each customer up to T1 speed traffic until a physical medium utilization of 3Mb/s is reached. Once overall traffic reaches the ceiling, bandwidth is limited on a first-come basis with all rules receiving equal priority (based on their implied "normal" priority).
Minimum Guarantee by Traffic Type
bwmgr fxp0 -ifac -bwin 10000000 -bwout 10000000
bwmgr fxp0 -prot tcp -port domain -bwmin 10000
bwmgr fxp0 -prot udp -port 40120 -bwmin 64000
The above setting allocates bandwidth out of the 10Mb/s available on the interace to specific types of traffic. The above might have VoIP traffic running on port 40120.
Minimum Guarantee with Limited Burstability
You may want to limit some customers to 56kbs during busy times but allow them up to 256k when bandwidth is available among the class members (as opposed to the wire threshold used by -bwburst). You can do this by defining a class with several customers or classes of data. The number of rules in the class and the priorities will determine the minimum (or average) bandwidth the rule will receive. For example:
bwmgr em0 -addr 207.11.14.1 -name Group1 -b -bwboth 256000
bwmgr em0 -addr 207.11.14.4 -bwlink Group1
bwmgr em0 -addr 207.11.14.6 -bwlink Group1
bwmgr em0 -addr 207.11.14.19 -bwlink Group1
bwmgr em0 -addr 207.11.14.22 -bwlink Group1
The above example groups 5 hosts (or virtual hosts) into a group with an allocation of 256000bps of bandwidth. The worst case, when all are active, will grant 1/5th of the available bandwidth to each (as they are balanced and all the same priority). All will have access to the unused bandwidth of any of the 5 hosts on an equal basis in addition to their 1/5 allotment. When only 1 host is active, for example, that host will have all 256000bps available for their use.
Limiting All Users except Key Personnel
Now suppose you have only key individuals that require high speed access, but most of your organization are browsers or e-mail only. The following is a classic example:
bwmgr em0 -addr 207.11.14.1
bwmgr em0 -addr 207.11.14.4
bwmgr em0 -addr 207.11.14.6
bwmgr em0 -addr 207.11.14.19 -priority discard
bwmgr em0 -addr 207.11.14.0 -addrmsk 255.255.255.0 -bwin 128000 -bwout 128000
In the above example, the first 3 "NULL" entries will give these 3 workstations full access to the net. The 4th entry will have no access to the net whatsoever. And the aggregate of the rest of the 207.11.14 class c will get 128000 bps.
Allowing Critical Traffic Unlimited Bandwidth
The following limits all traffic through an interface to 2Mb/s but allows a critical voice data stream to pass without delay
bwmgr em0 -ifac -bwin 20000000 -bwout 20000000
bwmgr em0 -address internalserver.domain.com -priority passthru
The above will limit traffic other than the specified host to 2Mb/s and allow the server through regardless without counting it as traffic on the interface. "passthru" is designed for use for internal traffic that does not apply to the traffic being managed.
Host or Virtual Host Limiting and Traffic Monitoring
This example assumes that you have a WEB server serving multiple virtual hosts all with their own IP addresses.
bwmgr em0 -name acme -addr 207.11.14.17 -bwboth 128000 -stats
bwmgr em0 -name GenBeerDrinkers -addr 207.11.14.18 -bwin 85000 -bwout 84000 - stats
bwmgr em0 -name Universal -addr 207.11.14.19 -bwin 56000 -bwout 56000 -stats -statsdevice univ0
bwmgr em0 -name Telbc -addr 207.11.14.20 -bwin 28000 -bwout 28000 -stats
This above would limit each IP address to the specified bandwidth. Each customers statistical information would be stored internally and could be graphed by the ET/BWMGR HTML interface. The rule named "Universal" is exported to a device name univ0 (specified by -statsdevice) that can be gathered by an external SNMP client like MRTG. Note that you should always place rules for your higher bandwidth customers before your lower bandwidth customers for performance purposes.
Limiting a Customer with Multiple Class 'C' Addresses
Now suppose you wanted to limit the aggregate usage of a customer with 2 or more distinct network addresses. You could use the bandwith "link" option to create a common bandwidth limit for any number of criteria.
bwmgr em2 -name FredCo -group -bwout 56000 -bwin 56000
bwmgr em2 -addr 209.11.14.0 -addrmsk 255.255.255.0 -bwlink FredCo
bwmgr em2 -addr 128.17.14.0 -addrmsk 255.255.255.0 -bwlink FredCo
Note that the group entry needs to be assigned a name which can be used to link subsequent entries.
Limiting Users Access of Specific Services
Suppose you wanted to restrict an individual employee to a limited amount of bandwidth, to guard against one person dominating your backbone bandwidth doing a large file tranfer.
bwmgr em2 -addr 207.17.1.11 -AIM -priority discard
bwmgr em2 -addr 207.17.1.12 -port www -bwin 40000 -bwout 40000
The first entry disallows use of AOL instant messager to IP address 207.17.1.11. The second entry limits the workstation at .12 to an aggregate bandwidth of 40k for http. Typically this would include http downloads.
Denying Access to Specific Sites using the Firewall
You can deny access to hosts on a global basis with the "discard" priority. The discard priority is a filter mechanism that can selectivly discard traffic from or to specified hosts.
bwmgr em2 -fw -addr www.porncity.com -priority fw-deny
bwmgr em2 -fw -addr www.competitor.com -priority fw-deny
or my favorite
bwmgr em2 -fw -addr www.packeteer.com -priority fw-deny
Allowing Access Only to Specific Sites using the Firewall
If you don't normally allow access to your employees but want them to check something out or research something, you call allow access to specific sites or networks as well:
bwmgr em2 -fw -addr www.cisco.com -addrmsk 255.255.255.0
bwmgr em2 -addr 207.11.17.0 -addrmsk 255.255.255.0 -priority fw-deny
The above would only allow hosts on the 207.11.17.0 network to access cisco's class C (they probably have several, so you may need to know all of them for this to work for big companies!).
Denying Specific Users Access to Specific Sites using the Firewall
You can deny access to specific sites only to specific users, if for example, some of your employees or customers may access a site and others shouldn't.
bwmgr em2 -fw -saddr 207.11.17.1 -daddr www.playboy.com -priority fw-deny
This would prohibit access of www.playboy.com to the workstation 207.11.17.1. If you wanted to grant access to a single user, you could use the following:
bwmgr em2 -fw -prot tcpconnect -saddr 207.11.17.100 -daddr www.playboy.com -priority fw-allow
bwmgr em2 -fw -prot tcpconnect -daddr www.playboy.com -priority fw-discard
This would allow the .100 workstation to connect to the site, and deny it for everyone else.
Denying Access to Specific Services or Devices on Your Network using the Firewall
A classic firewall example is to limit access of outside users to resources on your network. With the ET/BWMGR, you can set up simple, high-performance firewalls that limit or eliminate access to or from your networks or workstations.
bwmgr em2 -fw -addr 204.17.11.0 -addrmsk 255.255.255.0 -priority fw-deny
The above entry would effectively firewall the 204.17.11 network, assuming that interface em2 was a single point of entry/exit to the outside world, such as your "outside" bridge interface. To limit access to services within you net but to allow workstations to get out, you could use the following:
bwmgr em2 -daddr 204.17.11.0 -daddrmsk 255.255.255.0 -prot tcpconnect -priority fw-deny
This would cause all packets with the SYN bit set (but not the ACK bit) to be discarded, which would effectivly disallow all TCP connections to any servers on your network.
Allocating Bandwidth for a Group of IP addresses (or networks)
You may have a situation where you may want to control the bandwidth of a finite set of customers based on a location or based on resources. Suppose, for example. you have 4 customers on a wireless radio, and you wanted to limit the bandwidth that those 4 customers used to 1Mb/s as a group. You could use the following:
bwmgr em2 -x 5000 -name GroupA -group -bwboth 1000000
bwmgr em2 -x 5001 -addr 200.1.1.1 -bwlink GroupA
bwmgr em2 -x 5002 -addr 200.1.7.1 -bwlink GroupA
bwmgr em2 -x 5003 -addr 200.2.1.7 -bwlink GroupA
bwmgr em2 -x 5004 -addr 200.1.1.14 -bwboth 256000 -bwlink GroupA
The above would limit the 4 specified addresses to a total of 1Mb/s, while rule 5004 would also be limited to 256000bps regardless of whether any other group member was using bandwidth.