Configuring interface-based traffic shaping
You can enable traffic shaping on an interface. This allows you to enforce bandwidth limits on individual interfaces.
You configure interface-based traffic shaping in the FortiGate CLI, by performing the following tasks:
- Classify traffic in a traffic shaping policy.
- Assign bandwidth in a traffic shaping profile.
- Apply the traffic shaping profile as the egress traffic shaper on an interface.
FortiOS supports traffic shaping on egress interfaces only. You can typically achieve traffic shaping on ingress interfaces by configuring traffic shaping on corresponding egress interfaces. For example, if you want to control inbound traffic on the WAN interface of the FortiGate, you can apply outbound traffic shaping to the LAN interface.
Classifying traffic in a traffic shaping policy
You classify traffic using a traffic shaping policy. You set a class-id for the policy, which the FortiGate stores on the kernel session, so that it can quickly categorize any traffic that matches the criteria you define in the traffic shaping policy.
Set the traffic class in a traffic shaping policy – CLI
config firewall shaping-policy
edit <shaping_policy_ID>
set class-id <traffic_class_ID>
next
end
where class-id is the traffic class ID in the range of 2 to 31.
Assigning bandwidth in a traffic shaping profile
You assign guaranteed bandwidth and maximum bandwidth using a traffic shaping profile.
If a class has a small traffic volume, other classes can borrow unused bandwidth from it.
Assign bandwidth percentages in a traffic shaping profile – CLI
config firewall shaping-profile
edit <profile-name>
set default-class-id <default_class_ID>
config shaping-entries
edit <shaping_entry_ID>
set class-id <class_ID>
set priority {high | medium | low}
set guaranteed-bandwidth-percentage <percentage>
set maximum-bandwidth-percentage <percentage>
next
end
end
where you set the following variables:

| CLI option | Description |
|---|---|
| default-class-id | The default class ID handles unclassified packets, including all local traffic. You must define the default class ID, since unclassified traffic must be controlled. The range is 2 to 31. Any traffic class that's defined in the traffic shaping policy, but isn't defined in the traffic shaping profile, is classified as part of the default class ID. |
| class-id | The traffic class ID (2 to 31) that this shaping entry applies to. |
| priority | The priority of the traffic class: high, medium, or low. |
| guaranteed-bandwidth-percentage | The bandwidth guaranteed to the class, as a percentage of the interface bandwidth. |
| maximum-bandwidth-percentage | The maximum bandwidth the class can use, as a percentage of the interface bandwidth. You can assign 100% as the value, so that the class can potentially take all of the bandwidth of the designated interface. |
Example: Configuring an interface-based traffic shaper
config firewall shaping-profile
edit <profile-name>
set default-class-id 2
config shaping-entries
edit 1
set class-id 2
set priority low
set guaranteed-bandwidth-percentage 3
set maximum-bandwidth-percentage 50
next
edit 3
set class-id 5
set priority low
set guaranteed-bandwidth-percentage 3
set maximum-bandwidth-percentage 50
next
end
end
Applying the traffic shaping profile to an interface
To apply the traffic shaping profile to an interface, you select the interface, set bandwidth limits for ingress and egress traffic to the total amount of bandwidth that's available on the interface, and set the traffic shaping profile that you want to apply to the interface.
A FortiGate begins to process traffic as it arrives (ingress) and departs (egress) on an interface. In later phases of network processing, such as enforcing maximum bandwidth use on sessions handled by a security policy, if the current rate for the destination interface or traffic regulated by that security policy is too high, the FortiGate may drop the packet. Time spent on prior processing, such as web filtering, decryption, or IPS, is often wasted on packets that aren't forwarded. This applies to VLAN interfaces and physical interfaces.
You can prevent this wasted effort on ingress by configuring the FortiGate to preemptively drop excess packets when they're received at the source interface, before most other traffic processing is performed.
Rate limiting the traffic that an interface accepts restricts incoming traffic to rates that, although below the full capacity of the interface, are more likely to produce acceptable outgoing rates per destination interface or across all security policies once traffic shaping is applied. This conserves FortiGate processing resources for packets that are more likely to remain viable all the way to egress.
NP6 interfaces on FortiGate devices don’t fully support bandwidth limits. When you set the outbandwidth setting on an NP6 interface, the FortiGate implements a lower bandwidth limit than the one that you configure. The inbandwidth setting has no effect on an NP6 interface, unless you disable NP offloading for the traffic on that interface.
Apply the traffic shaping profile to an interface – CLI
config system interface
edit <interface_name>
set inbandwidth <bandwidth_limit>
set outbandwidth <bandwidth_limit>
set egress-shaping-profile <egress_shaper_name>
next
end
where you set the following variables:

| CLI option | Description |
|---|---|
| inbandwidth | Set the bandwidth limit for incoming traffic on the interface. Excess packets are dropped. The range is 0 to 1677600 Kbps. Setting this option to 0 provides unlimited bandwidth. |
| outbandwidth | Set the bandwidth limit for outgoing traffic on the interface. The range is 0 to 1677600 Kbps. Setting this option to 0 provides unlimited bandwidth. |
| egress-shaping-profile | Set this to the traffic shaping profile that you want to apply to the interface. |
Examples of bandwidth allocations among competing priority classes
The following examples show how the bandwidth algorithm uses the class ID and priority settings to determine which class wins when there are competing traffic classes. These examples are based on the assumption that the traffic volume of each class is larger than its allocated bandwidth.
Example 1
An egress interface on a FortiGate has a total bandwidth of 1 GB. A traffic shaping profile with the following settings is applied to the interface:
| Class | Priority | guaranteed-bandwidth-percentage | maximum-bandwidth-percentage |
|---|---|---|---|
| 2 | high | 20% | 100% |
| 3 | low | 20% | 100% |
When both class 2 and class 3 have 1 GB of generated traffic, the results are shown in the following table. Both class 2 and 3 are assigned guaranteed bandwidth first, which is 200 MB each (20% of 1 GB). The remaining 600 MB of bandwidth is then allocated to class 2, because it has a higher priority.
| Class | Priority | Actual bandwidth |
|---|---|---|
| 2 | high | 80% of 1 GB (800 MB) |
| 3 | low | 20% of 1 GB (200 MB) |
Example 2
The algorithm can get a bit more complex when you assign multiple classes with the same priority. When the same priority classes compete for available bandwidth, the allocation to each class is proportional to its guaranteed bandwidth.
An egress interface on a FortiGate has a total bandwidth of 1 GB. A traffic shaping profile with the following settings is applied to the interface:
| Class | Priority | guaranteed-bandwidth-percentage | maximum-bandwidth-percentage |
|---|---|---|---|
| 2 | high | 20% | 100% |
| 3 | low | 20% | 100% |
| 4 | high | 30% | 100% |
When class 2, class 3, and class 4 each have 1 GB of generated traffic, the results are shown in the following table. All classes are assigned the guaranteed bandwidth first, which is 200 MB, 200 MB, and 300 MB respectively. The remaining 300 MB of bandwidth is then allocated to class 2 and class 4, because they have a higher priority. The allocation for the remaining 300 MB is proportional to their guaranteed bandwidth. In this case, it is 120 MB for class 2 (300 MB * 20 / 50) and 180 MB for class 4 (300 MB * 30 / 50).
| Class | Priority | Actual bandwidth |
|---|---|---|
| 2 | high | 200 MB + 120 MB = 320 MB |
| 3 | low | 200 MB + 0 = 200 MB |
| 4 | high | 300 MB + 180 MB = 480 MB |
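The two examples above can be checked, and extended to cases the page only describes in words (a class with less traffic than its guarantee, and a class ID that a shaping policy sets but the profile does not define), with the following simulation. It is an added example, not FortiOS code and not Fortinet's algorithm implementation: it applies the rules this page states (guaranteed share first; leftover bandwidth to the highest priority with unmet demand, split in proportion to guaranteed-bandwidth-percentage and capped by maximum-bandwidth-percentage; unknown and unclassified traffic folded into default-class-id). The `ShapingEntry` class, `allocate` function, and the demand figures are constructed for the example; the page's examples use MB as the unit, so the sample inputs do too.

```python
from dataclasses import dataclass

# Service order the page describes: higher priority classes are served first.
PRIORITY_ORDER = ("high", "medium", "low")


@dataclass(frozen=True)
class ShapingEntry:
    """One 'config shaping-entries' entry of a shaping profile (constructed type)."""
    class_id: int
    priority: str
    guaranteed_pct: int
    maximum_pct: int

    def __post_init__(self):
        # Ranges as documented on the page: class-id 2..31, percentages up to 100.
        if not 2 <= self.class_id <= 31:
            raise ValueError(f"class-id {self.class_id} outside 2..31")
        if self.priority not in PRIORITY_ORDER:
            raise ValueError(f"priority must be one of {PRIORITY_ORDER}")
        for pct in (self.guaranteed_pct, self.maximum_pct):
            if not 0 <= pct <= 100:
                raise ValueError("bandwidth percentages must be 0..100")


def allocate(total, entries, default_class_id, demand):
    """Return {class_id: bandwidth} for one egress interface.

    total    - interface bandwidth (any unit; the page's examples use MB)
    entries  - ShapingEntry objects of the profile applied to the interface
    demand   - {class_id: offered traffic}; key None stands for unclassified
               traffic.  Class IDs with no profile entry map to the default class.
    """
    profile = {e.class_id: e for e in entries}
    if default_class_id not in profile:
        raise ValueError("default-class-id needs its own shaping entry")

    # 1. Unclassified traffic and classes unknown to the profile belong to the default class.
    load = {cid: 0.0 for cid in profile}
    for cid, amount in demand.items():
        load[cid if cid in profile else default_class_id] += amount

    # 2. Guaranteed share first; a class with little traffic leaves the rest for others.
    cap = {cid: min(load[cid], total * e.maximum_pct / 100) for cid, e in profile.items()}
    alloc = {cid: min(load[cid], total * e.guaranteed_pct / 100) for cid, e in profile.items()}
    remaining = total - sum(alloc.values())

    # 3. Leftover goes to the highest priority that still has unmet demand, split in
    #    proportion to guaranteed-bandwidth-percentage and capped at maximum-bandwidth-percentage.
    for prio in PRIORITY_ORDER:
        members = [e for e in profile.values() if e.priority == prio]
        while remaining > 1e-9:
            eligible = [e for e in members if alloc[e.class_id] < cap[e.class_id] - 1e-9]
            if not eligible:
                break
            weight_total = sum(e.guaranteed_pct for e in eligible)
            pool, given = remaining, 0.0
            for e in eligible:
                # Multiply before dividing so the page's figures come out exact.
                share = pool * e.guaranteed_pct / weight_total if weight_total else pool / len(eligible)
                grant = min(share, cap[e.class_id] - alloc[e.class_id])
                alloc[e.class_id] += grant
                given += grant
            remaining -= given  # a capped class hands its unused share back for the next round
    return {cid: round(v, 6) for cid, v in alloc.items()}


# Constructed inputs mirroring the page's examples (1 GB interface, 1 GB offered per class).
PROFILE_1 = [ShapingEntry(2, "high", 20, 100), ShapingEntry(3, "low", 20, 100)]
PROFILE_2 = PROFILE_1 + [ShapingEntry(4, "high", 30, 100)]


def example_1():
    return allocate(1000, PROFILE_1, 2, {2: 1000, 3: 1000})


def example_2():
    return allocate(1000, PROFILE_2, 2, {2: 1000, 3: 1000, 4: 1000})


def default_class_example():
    # Class 7 is set by a shaping policy but has no profile entry, and None is
    # unclassified (for example local) traffic: both are shaped as class 2.
    return allocate(1000, PROFILE_1, 2, {7: 600, None: 400, 3: 1000})


def borrow_example():
    # Class 2 offers only 100 MB, so class 3 borrows the unused guarantee and the leftover.
    return allocate(1000, PROFILE_1, 2, {2: 100, 3: 1000})


if __name__ == "__main__":
    for name, fn in [("example 1", example_1), ("example 2", example_2),
                     ("default class", default_class_example), ("borrowing", borrow_example)]:
        print(name, fn())
```

The simulation reproduces the page's tables (800/200 MB for Example 1; 320/200/480 MB for Example 2) and shows the two behaviours the page states in prose: traffic from an undefined or missing class is shaped under default-class-id, and a class with a small traffic volume lends its unused guarantee to the others. It assumes that within one priority the proportional split is repeated when a class hits its maximum, which the page's examples do not exercise.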