Bandwidth Control

From Edge Threat Management Wiki - Arista

Other Links:
Bandwidth Control Description Page
Bandwidth Control Demo
Bandwidth Control Forums
Bandwidth Control Reports
Bandwidth Control FAQs




About Bandwidth Control

Bandwidth Control gives you the power to monitor and control bandwidth usage on your network. It can be used to ensure that your network continues to operate smoothly and that bandwidth is shared optimally based on what is important to you. Many organizations struggle with bandwidth problems such as students watching online videos or clients using BitTorrent while more important tasks compete for the remaining bandwidth. You can use Bandwidth Control to do things like give high priority to Video Chat or slow down all traffic coming from machines using BitTorrent.

Note: Enabling Bandwidth Control automatically enables QoS, but disabling Bandwidth Control does NOT automatically disable QoS.


Settings

This section reviews the different settings and configuration options available for Bandwidth Control.


Status

This displays the current status and some statistics.


Setup Wizard

The setup wizard performs the initial configuration of Bandwidth Control. Pay attention to the prompts: they explain how the application works, and your answers determine the configuration.

  • Configure WAN download and upload bandwidth: After the welcome screen, you will be asked to set the bandwidth rates of your WAN interface.
This is the most important setting in the configuration of Bandwidth Control. If you are unsure it is recommended to run some bandwidth tests when there is no other activity to determine the true download and upload rates of your WAN connection. Entering a value around 95%-100% of the measured value is typically ideal. If the value is too low, Bandwidth Control will unnecessarily limit bandwidth to the value you have entered. If the value is too high, Bandwidth Control will be less effective as it will over-allocate bandwidth and lose some ability to differentiate by priority. You will be asked to repeat this process for each WAN interface.
  • Choose a starting configuration: After setting the WAN settings, choose the starting configuration that best suits your organization.
Each configuration's goals are described as well as what is prioritized and deprioritized. These rules can be customized later - this is just a starting configuration.
  • Quotas: In addition to the starting configuration, quotas can also be configured.
Most sites will not need quotas, but quotas can be very useful in some scenarios to prevent users from monopolizing resources. To enable quotas, click Enable and provide the values that best suit your organization.
  • Quota Clients: The clients that will be given quotas. Be careful not to include a range that covers servers or other machines that you do not want to have quotas.
  • Quota Expiration: The expiration time of each quota (the length of time the quota remains in effect). After a quota expires a new quota is granted.
  • Quota Size: The size of the quota each host is granted (in bytes).
  • Quota Exceeded Priority: The priority given to hosts after they exceed their quota (if they do so).

More information on Quotas and how they work can be found in the Quotas section.

After this your configuration of Bandwidth Control is complete and Bandwidth Control is enabled!


Rules

The rules tab contains most of the configuration and settings controlling the behavior of Bandwidth Control. Rules determine the action taken when traffic passes through Bandwidth Control. For each session the rules are evaluated in order until the first match is found; the action associated with the matching rule is then performed and the data chunk is sent on its way. If no rule matches, no action is taken. If a session has been given no priority, it gets the default QoS priority, which is normally Medium.

Note: Unlike most rules in other apps, the rules in Bandwidth Control are consulted not only when the session is formed but also again on each of the first ten packets, because some matchers such as "HTTP: Hostname" or "Application Control: Application" are not known until several packets into the session. Also, all of a host's sessions are reevaluated when the host is added to or removed from the penalty box or when a quota is exceeded, so active sessions are reprioritized accordingly.

Extensive rule sets can be created (and imported and exported) that carefully assign the correct priorities to the desired traffic and perform the desired actions at the desired times.

The Rules documentation describes how rules work and how they are configured.

Rule Actions

  • Set Priority: Sets the matching session to the chosen priority.
    • Priority: The priority to be assigned.
  • Tag Host: Adds a tag to the host to mark it for further actions.
  • Give Host a Quota: Gives the host IP a quota.
    • Quota Expiration: Defines how long the quota will last.
      • "End of Hour" means the quota will expire at the 59th minute of the hour.
      • "End of Day" means the quota will expire at 11:59pm of the day.
      • "End of Week" means the quota will expire 1 minute before the end of the week (Saturday 11:59pm if US-localized).
      • An integer can also be specified for the number of seconds the quota will last from the creation time.
    • Quota Bytes: Defines the number of bytes in the quota.
  • Give User a Quota: Gives the user a quota.
    • Quota Expiration: Defines how long the quota will last.
      • "End of Hour" means the quota will expire at the 59th minute of the hour.
      • "End of Day" means the quota will expire at 11:59pm of the day.
      • "End of Week" means the quota will expire 1 minute before the end of the week (Saturday 11:59pm if US-localized).
      • An integer can also be specified for the number of seconds the quota will last from the creation time.
    • Quota Bytes: Defines the number of bytes in the quota.

Priorities

The overall effect of Bandwidth Control is to map traffic to priorities which are enforced by the QoS engine. There are 7 Priorities: Very High, High, Medium, Low, Limited, Limited More, and Limited Severely.

The first four priorities, Very High, High, Medium, and Low, can be thought of as "normal". Each takes precedence over the ones below it: Very High traffic may consume bandwidth before High, Medium, and Low. The Very High bucket is assigned the largest amount of bandwidth, less to High, even less to Medium, and much less to Low.

The other three - Limited, Limited More, and Limited Severely - are different in that they will never use all available bandwidth. The classes are punitive because they will limit bandwidth to a percentage of the whole even if there is more available.

To read much more in depth about the effects of prioritization and how bandwidth allotment works, see QoS.

Note: Effective Bandwidth Shaping is all about assigning the correct priorities such that important traffic is never starved by less important traffic.

A fundamental principle is that limiting traffic to a fixed low rate is almost never the right thing to do, because wasted bandwidth is irrecoverable. Where the goal is to starve less important traffic, assign it a lesser priority (Medium or Low) so that it can still consume all available bandwidth when no more important traffic is present. The less important task then finishes sooner, freeing those resources for later, and by definition this never comes at the expense of higher priority traffic.

The priorities that limit to less than 100% even when the bandwidth is unused (Limited, Limited More, and Limited Severely by default) are useful for punitive situations.
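The difference between the four "normal" priorities and the three Limited ones is easiest to see in a small allocation model. The following Python is an added illustration written for this page, not the QoS engine's code: the weights and caps are assumed values chosen to show the behaviour (the product's actual percentages are on the QoS page), and the allocation is a weighted max-min (water-filling) share in which a normal class may grow into any bandwidth nobody else wants, while a Limited class is capped at its percentage of the link even when the link is otherwise idle. The `wasted` helper returns how much capacity stays idle although some class still wanted it, which is the "irrecoverable bandwidth" the paragraph above warns about.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PriorityClass:
    name: str
    weight: int   # relative share under contention (assumed, illustrative)
    cap: float    # ceiling as a fraction of the link, enforced even when idle


# Assumed parameters for illustration only; the product's real QoS
# percentages are documented on its QoS page, not here.
CLASSES = {c.name: c for c in (
    PriorityClass("Very High", 8, 1.0),
    PriorityClass("High", 4, 1.0),
    PriorityClass("Medium", 2, 1.0),
    PriorityClass("Low", 1, 1.0),
    PriorityClass("Limited", 1, 0.50),
    PriorityClass("Limited More", 1, 0.25),
    PriorityClass("Limited Severely", 1, 0.10),
)}


def allocate(link_mbps: float, demand: dict) -> dict:
    """Weighted max-min (water-filling) share of the link across the classes
    that have demand.  Each class receives at most min(demand, cap * link);
    bandwidth a class cannot use is redistributed to the others by weight,
    so the normal classes are work-conserving while the Limited ones are not."""
    alloc = {name: 0.0 for name in demand}
    ceiling = {name: min(d, CLASSES[name].cap * link_mbps) for name, d in demand.items()}
    active = {name for name, c in ceiling.items() if c > 0}
    remaining = float(link_mbps)
    while active and remaining > 1e-9:
        total_w = sum(CLASSES[n].weight for n in active)
        per_weight = remaining / total_w
        # classes whose ceiling is below their fair share are settled first,
        # and the bandwidth they leave behind is shared out again
        satisfied = {n for n in active if ceiling[n] <= CLASSES[n].weight * per_weight}
        if not satisfied:
            for n in active:
                alloc[n] = CLASSES[n].weight * per_weight
            break
        for n in satisfied:
            alloc[n] = ceiling[n]
            remaining -= ceiling[n]
        active -= satisfied
    return alloc


def wasted(link_mbps: float, demand: dict) -> float:
    """Capacity left idle even though some class still wanted more."""
    a = allocate(link_mbps, demand)
    unmet = any(demand[n] - a[n] > 1e-9 for n in demand)
    return link_mbps - sum(a.values()) if unmet else 0.0


if __name__ == "__main__":
    link = 100.0  # Mbps, constructed scenario
    print("Low alone:", allocate(link, {"Low": 80}), "wasted:", wasted(link, {"Low": 80}))
    print("Limited Severely alone:", allocate(link, {"Limited Severely": 80}),
          "wasted:", wasted(link, {"Limited Severely": 80}))
    print("Very High vs Low:", allocate(link, {"Very High": 70, "Low": 80}))
    print("all four contending:", allocate(link, {"Very High": 40, "High": 40, "Medium": 40, "Low": 40}))
```

Run on its own it prints the four scenarios: a lone Low flow takes its whole 80 Mbps because nothing outranks it, a lone Limited Severely flow is held at 10 Mbps and 90 Mbps sit idle, a Very High flow pushes Low down to whatever is left, and four contending normal classes are split by weight with Very High on top.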



Quotas

Quotas are set amounts of data that can be used over a certain amount of time. This is useful for sites where you want to punish excessive usage. For example, in a hotel we want each IP to get 1 GB a day, but if this amount is exceeded it will be considered excessive and that host can be treated differently (be blocked, receive less bandwidth, etc). By using quotas and rules, bandwidth abusers are handled automatically requiring no administrator intervention.

Quotas can be assigned to Users or Hosts and the current quota status can be viewed by clicking on Users or Hosts accordingly. All sessions' data passing through NG Firewall gets counted against the corresponding Host or User.

Reports

The Reports tab provides a view of all reports and events for all traffic handled by Bandwidth Control.

Reports

This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports are listed along with any custom reports that have been created.

Reports can be searched and further refined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained from the Current Data window on the right.

Pre-defined report queries:

The tables queried to render these reports:




Related Topics


Bandwidth Control FAQs

Why are the rules evaluated on the first ten packets of a session?

Rules often involve session "meta-data" conditions such as HTTP: Hostname or Application Control: Application. This meta-data is usually learned within the first few packets, but it is not available when the session is first formed. The rules are therefore evaluated when the session is created and again on each of the next nine packets, so that every rule involving meta-data has a chance to fire. After the first ten packets the meta-data typically does not change and the rules are no longer consulted.


Dropping a Quota does not seem to work. Why?

If you have a rule that automatically gives a quota to any host that does not have one, the host is probably being given a new quota again almost immediately, which gives the appearance that the quota cannot be deleted.


I added a rule to add quotas and the quotas are constantly being refilled and/or full. Why?

Rules are evaluated in order. The action for the first matching rule is taken.

If the first rule in the list says if "Source Address" = "192.168.1.100" then "Give Client a Quota" of "100Mb", then this rule will match EVERY time the rules are evaluated while Source Address = "192.168.1.100". In other words, every time 192.168.1.100 creates a session it is given a new quota, because that is exactly what the rule says to do. It also means that 192.168.1.100 is entirely exempt from any rules following this one, because this rule will ALWAYS match on all sessions from 192.168.1.100.

Usually, when creating such a rule you want to specify conditions like "Source Address" = "192.168.1.100" AND "Client has no Quota" is True. With the second condition this rule matches on the first session from 192.168.1.100, which is immediately given a quota. The next time the rules are evaluated this rule will not match, because the "Client has no Quota" condition fails, and the rest of the rules are evaluated normally.


I added a rule to add a client to the penalty box, and now the client is exempt from all prioritization rules. Why?

The same reason as the above FAQ. Rules are evaluated in order. The action for the first matching rule is taken.

If you create a rule at the top that says if "Source Address" = "192.168.1.100" then "Send Client to Penalty Box", then every time the rules are evaluated on traffic from 192.168.1.100 the client is sent to the penalty box and no further rules are evaluated. This effectively exempts 192.168.1.100 from all rules that follow.

Usually, when creating a penalty box rule you want to specify conditions like "Source Address" = "192.168.1.100" AND "Client is in Penalty Box" is NOT True. With the second condition this rule matches on the first session from 192.168.1.100, which is immediately put in the penalty box. The next time the rules are evaluated this rule will not match, because "Client is in Penalty Box" is now true and the condition requires it to be NOT true. At that point the rest of the rules are evaluated normally, with 192.168.1.100 in the penalty box as expected.
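The first-match behaviour described in the Rules section and in the three FAQ entries above, modelled as an added toy rule engine in Python. This is illustration code written for this page, not NG Firewall's implementation: the condition and action names mirror the page's matchers and rule actions, the 10-packet re-evaluation window and the Medium default come from the page, and the application being identified at packet 3 is an assumed value. It runs the FAQ's unconditional quota rule and then the corrected rule set, where the quota rule carries "host has no quota" and the penalty-box rule carries "not in penalty box", over one BitTorrent and one HTTP session from 192.168.1.100, and reports the priority each session ends with, how many quotas were handed out, and whether the host landed in the penalty box.

```python
from dataclasses import dataclass
from typing import Callable, Optional

DEFAULT_PRIORITY = "Medium"   # default QoS priority when no rule sets one
REEVAL_PACKETS = 10           # rules are consulted on the first ten packets


@dataclass
class Host:
    quota_bytes: Optional[int] = None   # None: host has no quota
    quota_used: int = 0
    grants: int = 0                     # how many quotas were handed out
    penalty_box: bool = False


@dataclass
class Session:
    src: str
    app: Optional[str] = None   # filled in by Application Control a few packets in
    priority: Optional[str] = None


Cond = Callable[[Session, Host], bool]
Action = Callable[[Session, Host], None]


@dataclass
class Rule:
    name: str
    conditions: list
    action: Action


# Conditions and actions named after the page's matchers and rule actions.
def source_is(addr: str) -> Cond:
    return lambda s, h: s.src == addr

def app_is(name: str) -> Cond:
    return lambda s, h: s.app == name

def host_has_no_quota(s: Session, h: Host) -> bool:
    return h.quota_bytes is None

def host_not_in_penalty_box(s: Session, h: Host) -> bool:
    return not h.penalty_box

def give_host_quota(nbytes: int) -> Action:
    def act(s: Session, h: Host) -> None:
        h.quota_bytes, h.quota_used, h.grants = nbytes, 0, h.grants + 1
    return act

def send_to_penalty_box(s: Session, h: Host) -> None:
    h.penalty_box = True

def set_priority(prio: str) -> Action:
    def act(s: Session, h: Host) -> None:
        s.priority = prio
    return act


class Engine:
    def __init__(self, rules: list) -> None:
        self.rules = rules
        self.hosts: dict = {}

    def evaluate(self, s: Session) -> Optional[str]:
        """One pass: the first rule whose conditions all hold acts and ends
        evaluation; returns its name, or None when nothing matched."""
        h = self.hosts.setdefault(s.src, Host())
        for r in self.rules:
            if all(c(s, h) for c in r.conditions):
                r.action(s, h)
                return r.name
        return None

    def run_session(self, src: str, app: str, app_known_at: int = 3) -> str:
        """Re-run the rules on each of the first ten packets; the application
        becomes known at packet `app_known_at` (an assumed value)."""
        s = Session(src=src)
        for pkt in range(1, REEVAL_PACKETS + 1):
            if pkt >= app_known_at:
                s.app = app
            self.evaluate(s)
        return s.priority or DEFAULT_PRIORITY


MB = 1_000_000
HOST = "192.168.1.100"

# FAQ pitfall: the unconditional quota rule matches on every evaluation,
# refilling the quota each time and shadowing the BitTorrent rule below it.
BUGGY_RULES = [
    Rule("refill quota", [source_is(HOST)], give_host_quota(100 * MB)),
    Rule("slow BitTorrent", [source_is(HOST), app_is("BitTorrent")], set_priority("Low")),
]

# Corrected: state-changing rules carry a "not yet done" condition, so they
# fire once and the rules beneath them get their turn.
FIXED_RULES = [
    Rule("grant quota once", [source_is(HOST), host_has_no_quota], give_host_quota(100 * MB)),
    Rule("box BitTorrent host", [source_is(HOST), app_is("BitTorrent"), host_not_in_penalty_box], send_to_penalty_box),
    Rule("slow BitTorrent", [source_is(HOST), app_is("BitTorrent")], set_priority("Low")),
]


def compare() -> dict:
    """Run one BitTorrent and one HTTP session from HOST through both rule sets."""
    out = {}
    for label, rules in (("buggy", BUGGY_RULES), ("fixed", FIXED_RULES)):
        eng = Engine(rules)
        prios = [eng.run_session(HOST, "BitTorrent"), eng.run_session(HOST, "HTTP")]
        h = eng.hosts[HOST]
        out[label] = {"priorities": prios, "quota_grants": h.grants, "penalty_box": h.penalty_box}
    return out


if __name__ == "__main__":
    print(compare())
```

With the buggy rule set the quota is granted on all twenty evaluations (ten packets per session, two sessions) and the BitTorrent session never reaches the "slow BitTorrent" rule, so it keeps the Medium default. With the fixed set the quota is granted exactly once, the host is boxed on the packet where the application becomes known, and from the next packet on the BitTorrent session is set to Low while the HTTP session stays at Medium.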