D-Link DFL-1660 User Manual page 404

Network security firewall

Chapter 10. Traffic Management
10.1.12. More Pipe Examples

Priority 0 - Web plus remaining from other levels

To implement this scheme, we can use the in-pipe and out-pipe. We first enter the Pipe Limits for
each pipe. These limits correspond to the list above and are:

Priority 6 - 500
Priority 4 - 250
Priority 2 - 1000

Now create the Pipe Rules:

| Rule Name | Forward Pipes | Return Pipes | Source Interface | Source Network | Destination Interface | Destination Network | Service | Prec |
|-----------|---------------|--------------|------------------|----------------|-----------------------|---------------------|----------|------|
| web_surf | out-pipe | in-pipe | lan | lannet | wan | all-nets | http_all | 0 |
| voip | out-pipe | in-pipe | lan | lannet | wan | all-nets | H323 | 6 |
| citrix | out-pipe | in-pipe | lan | lannet | wan | all-nets | citrix | 4 |
| other | out-pipe | in-pipe | lan | lannet | wan | all-nets | All | 2 |

These rules are processed from top to bottom and force different kinds of traffic into precedences
based on the Service. Customized service objects may first need to be created in order to identify
particular types of traffic. The All service at the end catches anything that falls through from
earlier rules. This matters because no traffic must bypass the pipe rule set; otherwise using pipes
will not work.

Pipe Chaining

Suppose the requirement now is to limit the precedence 2 capacity (other traffic) to 1000 kbps so
that it does not spill over into precedence 0. This is done with pipe chaining, where we create new
pipes called in-other and out-other, both with a Pipe Limit of 1000. The other pipe rule is then
modified to use these:

| Rule Name | Forward Pipes | Return Pipes | Source Interface | Source Network | Destination Interface | Destination Network | Service | Prec |
|-----------|---------------------|-------------------|------------------|----------------|-----------------------|---------------------|---------|------|
| other | out-other, out-pipe | in-other, in-pipe | lan | lannet | wan | all-nets | All | 2 |

Note that in-other and out-other are first in the pipe chain in both directions. This is because we
want to limit the traffic immediately, before it enters the in-pipe and out-pipe and competes with
VoIP, Citrix and Web-surfing traffic.

A VPN Scenario

In the cases discussed so far, all traffic shaping is occurring inside a single NetDefend Firewall.
VPN is typically used for communication between a headquarters and branch offices, in which case
pipes can control traffic flow in both directions. With VPN, it is the tunnel which is the source and
destination interface for the pipe rules.

An important consideration, which has been discussed previously, is allowance in the Pipe Total
values for the overhead used by VPN protocols. As a rule of thumb, a pipe total of 1700 bps is
reasonable for a VPN tunnel where the underlying physical connection capacity is 2 Mbps.

It is also important to remember to insert into the pipe all non-VPN traffic using the same physical
link.
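
The top-to-bottom rule matching and the effect of chaining out-other ahead of out-pipe, described in the sections above, can be followed in a small model. This is an added example, not D-Link code or NetDefendOS configuration; it assumes all figures are kbps and that traffic above a precedence limit is demoted to precedence 0, and the ftp and smtp service names and the sample load are constructed.

```python
# Simplified model of the forward direction of the pipe rules on this page.
# Assumptions: figures are kbps; traffic above a precedence limit in out-pipe
# is demoted to precedence 0; a chained pipe passes on at most its Pipe Limit.
PREC_LIMITS = {6: 500, 4: 250, 2: 1000}   # out-pipe Pipe Limits per precedence
CHAIN_LIMITS = {"out-other": 1000}        # Pipe Limit of the chained pipe

# (rule name, service, precedence), evaluated top to bottom
PIPE_RULES = [
    ("web_surf", "http_all", 0),
    ("voip", "H323", 6),
    ("citrix", "citrix", 4),
    ("other", "All", 2),
]
CHAINED = {"other": ["out-other", "out-pipe"]}   # forward chain after the change


def match_rule(service, rules=PIPE_RULES):
    """Return (rule name, precedence) of the first matching rule, else None."""
    for name, rule_service, prec in rules:
        if rule_service in (service, "All"):
            return name, prec
    return None   # no rule matched: this traffic would bypass the pipes


def shape(offered_kbps, chained=False, rules=PIPE_RULES):
    """Map rule name -> (kbps kept at its precedence, kbps demoted to prec 0)."""
    per_rule = {}
    for service, kbps in offered_kbps.items():
        hit = match_rule(service, rules)
        if hit is None:
            raise ValueError(f"{service} bypasses the pipe rule set")
        per_rule[hit] = per_rule.get(hit, 0) + kbps
    result = {}
    for (name, prec), kbps in per_rule.items():
        chain = CHAINED.get(name, ["out-pipe"]) if chained else ["out-pipe"]
        for pipe in chain[:-1]:                     # pipes ahead of out-pipe
            kbps = min(kbps, CHAIN_LIMITS[pipe])    # excess never reaches out-pipe
        kept = min(kbps, PREC_LIMITS.get(prec, kbps))   # prec 0 has no limit here
        result[name] = (kept, kbps - kept)
    return result


# Constructed sample load in kbps; ftp and smtp only match the catch-all rule.
SAMPLE = {"http_all": 300, "H323": 400, "citrix": 250, "ftp": 900, "smtp": 600}

if __name__ == "__main__":
    for chained in (False, True):
        print("chained" if chained else "unchained", shape(SAMPLE, chained))
```

With the sample load, the unchained rule set lets 500 kbps of other traffic fall into precedence 0, where it competes with web surfing; with out-other first in the chain, nothing is demoted.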
