Bandwidth Management Examples

Typical Co-Location and/or WAN Customer Setup

The scenario here assumes that each colocated customer has their own IP address (one -addr rule per customer).

bwmgr fxp0 -ifac -burstthresh 2000000
bwmgr fxp0 -x 100 -addr -bwboth 256000 -bwburst 512000 -bursttrig fxp0
bwmgr fxp0 -x 200 -addr -bwboth 256000 -bwburst 512000 -bursttrig fxp0
bwmgr fxp0 -x 300 -addr -bwboth 256000 -bursttrig fxp0

The above regulates each address to 256000bps whenever traffic on the wire exceeds 2Mb/s (the -burstthresh set on the interface rule). Below that threshold, rules 100 and 200 may burst to 512000bps, while rule 300 may burst to full wire speed: a rule that names a -bursttrig but sets no -bwburst is not limited while bursting.

Limit All Incoming Sessions with 1 Rule

It's often desirable to control the amount of bandwidth that each user of a web or FTP site can get without limiting the overall bandwidth the site has access to. For example, a busy site with heavy graphics content may not want users at high-bandwidth locations to dominate its bandwidth. The following rule limits each address accessing the host to 64000bps.

bwmgr fxp0 -prot tcpconnect -daddr -r -bwboth 64000

Note the use of the -r switch, which "reverses" the limit: instead of limiting the destination host to 64000bps in total, it limits each address that accesses it to 64000bps. Another setting:

bwmgr fxp0 -prot tcpconnect -daddr -rc -bwboth 128000

would allow a TOTAL of 128000bps to be shared, first come first served, by all of the connecting IPs. Alternately:

bwmgr fxp0 -prot tcpconnect -daddr -rb -bwmin 32000 -bwboth 128000

using -rb causes the 128000bps to be balanced fairly among the ACTIVE IPs accessing the specified server, with a minimum of 32000bps for each (ie if more than 4 hosts were active, each would still be guaranteed 32000bps rather than being cut to an equal share of the 128000bps).

ALTERNATIVELY, for any of the above settings, you could add the -port use setting as in the following:

bwmgr fxp0 -prot tcpconnect -port use -daddr -r -bwboth 64000

The above limits each SESSION to 64000bps, allowing other IP traffic from the same host to pass unrestricted. Note that a single HTTP page load usually opens several sessions, so limiting by IP address is more useful if it doesn't cause problems.

Limit All IP Addresses with 1 Rule

You can limit all IP addresses in your network with a single rule as follows:

bwmgr fxp0 -x 5000 -ipprot allip -r -usesaddr -addr -addrmsk -ruletmo 300 -bwin 128000 -bwout 128000

The above rule traps each distinct source address in the specified address range, creates a dynamic rule for it, and limits that address to 128000bps in and out (-ruletmo 300 sets the timeout after which an idle dynamic rule is removed). Make sure you leave enough rule index space before the rule to accommodate the number of addresses. If all of your traffic is from known source addresses, you can leave out the address specs and it will trap everything. Make sure you trap in the right direction (-usesaddr traps on the source address), or you may get many more rules than you expect.
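The index-space requirement above is easy to get wrong for anything larger than a class C. The following shell script is an added example, not part of the ET/BWMGR documentation or tooling: it converts a dotted netmask into the number of addresses it covers and checks that the trap rule's -x index leaves that many free indexes above the preceding static rule. It assumes one dynamic rule index per possible source address, which is the conservative reading of the paragraph above.

```sh
#!/bin/sh
# Added example (not from the ET/BWMGR documentation): size the rule-index
# gap needed below a -usesaddr trap rule such as "-x 5000 -addr ... -addrmsk ...".

# mask_hosts 255.255.252.0 -> 1024. Prints the number of addresses covered by
# a contiguous dotted netmask; returns 1 for anything that is not a valid mask.
mask_hosts() {
  set -- $(printf '%s' "$1" | tr . ' ')
  [ $# -eq 4 ] || return 1
  hosts=1
  host_bits_started=0
  for o in "$@"; do
    case $o in ''|*[!0-9]*|0[0-9]*) return 1;; esac   # decimal, no leading zeros
    [ "$o" -le 255 ] || return 1
    span=$((256 - o))
    # a contiguous octet looks like 11..100..0, so 256-o must be a power of two
    [ $((span & (span - 1))) -eq 0 ] || return 1
    # once an octet has host bits, every later octet must be all zeros
    if [ "$host_bits_started" -eq 1 ] && [ "$o" -ne 0 ]; then return 1; fi
    [ "$o" -eq 255 ] || host_bits_started=1
    hosts=$((hosts * span))
  done
  printf '%s\n' "$hosts"
}

# trap_index_ok PREV_INDEX TRAP_INDEX MASK
# Dynamic rules are created in the index space before the trap rule, so the
# gap (TRAP_INDEX - PREV_INDEX - 1) must hold one rule per possible address.
# Returns 0 if it fits, 1 if it is short, 2 if MASK is invalid.
trap_index_ok() {
  prev_idx=$1
  trap_idx=$2
  hosts=$(mask_hosts "$3") || return 2
  gap=$((trap_idx - prev_idx - 1))
  if [ "$gap" -ge "$hosts" ]; then
    printf 'ok: %s indexes free below rule %s, %s addresses in %s\n' \
      "$gap" "$trap_idx" "$hosts" "$3"
    return 0
  fi
  printf 'short: need %s indexes below rule %s, only %s free\n' \
    "$hosts" "$trap_idx" "$gap"
  return 1
}

# Demo: a class C behind rule 5000 with the previous static rule at 4000 fits;
# the same range with the previous rule at 4900 does not.
if [ "${1:-}" = "demo" ]; then
  trap_index_ok 4000 5000 255.255.255.0
  trap_index_ok 4900 5000 255.255.255.0
fi
```

Run it as `sh checkidx.sh demo`, or source it and call trap_index_ok with your own indexes before loading the rule set.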

Allow only Specific MAC / IP Combinations onto your Network

It is often useful, to prevent customers from using IP addresses that are not allocated to them, to allow only specific MACs to use specific IP addresses. This is particularly useful in a wireless environment where security is a problem. You can do this by firewalling out all addresses except those that are explicitly allowed. For example:

bwmgr fxp0 -fw -x 100 -addr -maddr c0:b0:a0:00:00:01
bwmgr fxp0 -fw -x 200 -addr -maddr 00:c0:07:01:01:04
bwmgr fxp0 -fw -x 10000 -prot allip -priority fw-deny

The above allows the specific IP/MAC pairs defined in rules 100 and 200, while rule 10000 drops everything else. Note that -prot allip is required so that the deny applies to IP traffic only and does not block ARPs and other non-IP traffic. Without it, some earlier rule (such as one allowing ARPs) would be required, or your network would not work.
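Allow-lists like this grow to dozens of pairs, and a typo in one MAC silently locks a customer out. The following shell script is an added example, not part of the ET/BWMGR documentation or tooling: it reads "ip mac" pairs from stdin, validates each one, numbers the allow rules with a gap between indexes as in rules 100 and 200 above, and appends the catch-all fw-deny rule at an index that sorts after all of them. The sample pairs and the interface name fxp0 are constructed for the example; the rules are printed for review, not applied.

```sh
#!/bin/sh
# Added example (not from the ET/BWMGR documentation): generate the IP/MAC
# allow-list shown above from "ip mac" pairs read on stdin.

FIRST_INDEX=100   # index of the first allow rule
INDEX_STEP=100    # gap between allow rules, matching the 100/200 numbering above
DENY_INDEX=10000  # the catch-all must sort after every allow rule

# valid_ip A.B.C.D: four decimal octets, each 0-255, no leading zeros
valid_ip() {
  set -- $(printf '%s' "$1" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*|0[0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# valid_mac aa:bb:cc:dd:ee:ff: six colon-separated lowercase hex pairs
valid_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# gen_allowlist IFACE < pairs: print one -fw rule per valid pair, then the
# deny rule. Returns 1 if any pair was rejected or the index space ran out.
gen_allowlist() {
  iface=$1
  idx=$FIRST_INDEX
  status=0
  while read -r ip mac _; do
    case $ip in ''|'#'*) continue;; esac         # skip blank and comment lines
    mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')   # normalise MAC case
    if ! valid_ip "$ip" || ! valid_mac "$mac"; then
      printf '# rejected pair: %s %s\n' "$ip" "$mac" >&2
      status=1
      continue
    fi
    if [ "$idx" -ge "$DENY_INDEX" ]; then
      printf '# index %s would not sort before the deny rule %s\n' "$idx" "$DENY_INDEX" >&2
      return 1
    fi
    printf 'bwmgr %s -fw -x %s -addr %s -maddr %s\n' "$iface" "$idx" "$ip" "$mac"
    idx=$((idx + INDEX_STEP))
  done
  # -prot allip keeps the deny to IP traffic, so ARP still passes (see above)
  printf 'bwmgr %s -fw -x %s -prot allip -priority fw-deny\n' "$iface" "$DENY_INDEX"
  return $status
}

# Demo with constructed pairs: RFC 5737 documentation addresses and the two
# MACs from the example above (one deliberately in upper case).
if [ "${1:-}" = "demo" ]; then
  printf '192.0.2.10 c0:b0:a0:00:00:01\n192.0.2.11 00:C0:07:01:01:04\n' | gen_allowlist fxp0
fi
```

Review the generated rules before loading them: the script refuses to emit an allow rule whose index would not sort before the deny rule, so a list that outgrows the 100-step numbering fails loudly instead of producing customers who are allowed on paper but denied on the wire. Keep in mind that this pairing only stops customers who do not also change their MAC address.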

Limiting a Name Virtual Host

"Name" virtual hosts are unique in that there may be many hosts on 1 IP address. To limit http traffic to name virtual hosts, use the -nameaddr switch:

bwmgr fxp0 -nameaddr -rc -bwin 128000 -bwout 128000

This would limit all hosts accessing the named virtual host to an aggregate total of 128000bps in and 128000bps out.

Controlling Gnutella (file-sharing) Traffic

This is covered in detail in the bwmgr user manual.

Physical Limits with a Ceiling for the Medium

bwmgr fxp0 -ifac -bwboth 3000000
bwmgr fxp0 -addr -addrmsk -bwboth 1544000
bwmgr fxp0 -addr -addrmsk -bwboth 1544000
bwmgr fxp0 -addr -addrmsk -bwboth 1544000

The above gives each customer up to T1 speed (1544000bps) until physical medium utilization reaches 3Mb/s. Once overall traffic reaches the ceiling, bandwidth is limited on a first-come basis, with all rules receiving equal (implied "normal") priority.

Minimum Guarantee by Traffic Type

bwmgr fxp0 -ifac -bwin 10000000 -bwout 10000000
bwmgr fxp0 -prot tcp -port domain -bwmin 10000
bwmgr fxp0 -prot udp -port 40120 -bwmin 64000

The above settings allocate bandwidth out of the 10Mb/s available on the interface to specific types of traffic: DNS over TCP is guaranteed at least 10000bps and UDP port 40120, which might carry VoIP traffic, at least 64000bps.

Minimum Guarantee with Limited Burstability

You may want to limit some customers to 56kbps during busy times but allow them up to 256kbps when bandwidth is available among the class members (as opposed to the wire threshold used by -bwburst). You can do this by defining a class containing several customers or classes of data. The number of rules in the class and their priorities determine the minimum (or average) bandwidth each rule receives. For example:

bwmgr em0 -addr -name Group1 -b -bwboth 256000
bwmgr em0 -addr -bwlink Group1
bwmgr em0 -addr -bwlink Group1
bwmgr em0 -addr -bwlink Group1
bwmgr em0 -addr -bwlink Group1

The above example groups 5 hosts (or virtual hosts) into a class with an allocation of 256000bps. In the worst case, when all are active, each gets 1/5 of the available bandwidth (the -b switch balances the class, and all members have the same priority). Each member also has equal access to any bandwidth the others leave unused, in addition to its 1/5 allotment. When only 1 host is active, that host has the full 256000bps available.

Limiting All Users except Key Personnel

Now suppose only a few key individuals require high-speed access, while most of your organization only browses the web or uses e-mail. The following is a classic example:

bwmgr em0 -addr
bwmgr em0 -addr
bwmgr em0 -addr
bwmgr em0 -addr -priority discard
bwmgr em0 -addr -addrmsk -bwin 128000 -bwout 128000

In the above example, the first 3 "NULL" entries (no limit specified) give those 3 workstations full access to the net. The 4th entry has no access to the net whatsoever. The rest of the 207.11.14 class C shares an aggregate of 128000bps in and 128000bps out. The host entries are placed before the network entry so that they match first.

Allowing Critical Traffic Unlimited Bandwidth

The following limits all traffic through an interface to 20Mb/s but allows a critical voice data stream to pass without delay:

bwmgr em0 -ifac -bwin 20000000 -bwout 20000000
bwmgr em0 -addr -priority passthru

The above limits traffic other than the specified host to 20Mb/s and passes the server's traffic regardless, without counting it toward the interface total. "passthru" is intended for internal traffic that should not be counted against the traffic being managed.

Host or Virtual Host Limiting and Traffic Monitoring

This example assumes that you have a WEB server serving multiple virtual hosts all with their own IP addresses.

bwmgr em0 -name acme -addr -bwboth 128000 -stats
bwmgr em0 -name GenBeerDrinkers -addr -bwin 85000 -bwout 84000 -stats
bwmgr em0 -name Universal -addr -bwin 56000 -bwout 56000 -stats -statsdevice univ0
bwmgr em0 -name Telbc -addr -bwin 28000 -bwout 28000 -stats

The above limits each IP address to the specified bandwidth. Each customer's statistics are stored internally and can be graphed by the ET/BWMGR HTML interface. The rule named "Universal" is also exported to a device named univ0 (specified by -statsdevice) that an external SNMP client such as MRTG can poll. Note that you should always place rules for your higher-bandwidth customers before those for your lower-bandwidth customers, for performance.

Limiting a Customer with Multiple Class 'C' Addresses

Now suppose you want to limit the aggregate usage of a customer with 2 or more distinct network addresses. You can use the bandwidth "link" option to create a common bandwidth limit for any number of criteria.

bwmgr em2 -name FredCo -group -bwout 56000 -bwin 56000
bwmgr em2 -addr -addrmsk -bwlink FredCo
bwmgr em2 -addr -addrmsk -bwlink FredCo

Note that the group entry must be given a name (-name), which subsequent entries reference with -bwlink.

Limiting Users Access of Specific Services

Suppose you want to restrict an individual employee to a limited amount of bandwidth, to guard against one person dominating your backbone with a large file transfer.

bwmgr em2 -addr -AIM -priority discard
bwmgr em2 -addr -port www -bwin 40000 -bwout 40000

The first entry disallows use of AOL Instant Messenger from the specified IP address. The second entry limits the workstation at .12 to 40000bps in and 40000bps out for HTTP, which typically covers HTTP downloads.

Denying Access to Specific Sites using the Firewall

You can deny access to hosts on a global basis with the firewall's "fw-deny" priority. Like "discard", it is a filter mechanism that selectively discards traffic from or to the specified hosts.

bwmgr em2 -fw -addr -priority fw-deny
bwmgr em2 -fw -addr -priority fw-deny

or my favorite

bwmgr em2 -fw -addr -priority fw-deny

Allowing Access Only to Specific Sites using the Firewall

If you don't normally allow your employees outside access but want them to check something out or research something, you can allow access to specific sites or networks as well:

bwmgr em2 -fw -addr -addrmsk
bwmgr em2 -addr -addrmsk -priority fw-deny

The above would only allow hosts on the network to access Cisco's class C (they probably have several, so you may need to know all of them for this to work for big companies!). The allow rule is placed before the deny rule so that it matches first.

Denying Specific Users Access to Specific Sites using the Firewall

You can deny specific users access to specific sites if, for example, some of your employees or customers may access a site and others shouldn't.

bwmgr em2 -fw -saddr -daddr -priority fw-deny

This would prohibit the workstation given by -saddr from reaching the site given by -daddr. If you wanted to grant access to a single user instead, you could use the following:

bwmgr em2 -fw -prot tcpconnect -saddr -daddr -priority fw-allow
bwmgr em2 -fw -prot tcpconnect -daddr -priority fw-deny

This would allow the .100 workstation to connect to the site and deny it for everyone else; the allow rule must come before the deny rule.

Denying Access to Specific Services or Devices on Your Network using the Firewall

A classic firewall example is to limit access of outside users to resources on your network. With the ET/BWMGR, you can set up simple, high-performance firewalls that limit or eliminate access to or from your networks or workstations.

bwmgr em2 -fw -addr -addrmsk -priority fw-deny

The above entry would effectively firewall the 204.17.11 network, assuming that interface em2 is a single point of entry/exit to the outside world, such as your "outside" bridge interface. To deny access to services within your network while still allowing workstations to get out, you could use the following:

bwmgr em2 -daddr -daddrmsk -prot tcpconnect -priority fw-deny

This would discard all packets with the SYN bit set (but not the ACK bit) that are addressed to the network, which effectively disallows all inbound TCP connections to servers on your network. Outbound connections still work, because the SYN travels the other way and the returning SYN/ACK does not match tcpconnect.

Allocating Bandwidth for a Group of IP addresses (or networks)

You may have a situation where you want to control the bandwidth of a finite set of customers based on a location or on resources. Suppose, for example, you have 4 customers on a wireless radio, and you want to limit the bandwidth those 4 customers use to 1Mb/s as a group. You could use the following:

bwmgr em2 -x 5000 -name GroupA -group -bwboth 1000000
bwmgr em2 -x 5001 -addr -bwlink GroupA
bwmgr em2 -x 5002 -addr -bwlink GroupA
bwmgr em2 -x 5003 -addr -bwlink GroupA
bwmgr em2 -x 5004 -addr -bwboth 256000 -bwlink GroupA

The above would limit the 4 specified addresses to a total of 1Mb/s, while rule 5004 would additionally be capped at 256000bps regardless of whether any other group member is using bandwidth.
