Traffic shaping rules can be used to limit the bandwidth that particular applications and traffic types consume. A global bandwidth limit can also be used to cap bandwidth on a per-device basis. Note that a global bandwidth limit applies not only to traffic bound for the internet but to all traffic routed by an MX security appliance or MR access point, including traffic between VLANs. This knowledge base article describes the considerations that apply when configuring a global bandwidth limit and how to use traffic shaping rules to override it where necessary.
In the example below, every client in the network is assigned a global bandwidth limit of 1024 kbps download and 512 kbps upload. This limit applies to all traffic leaving the MX for the internet and also to traffic routed between VLANs on the MX. For example, with file servers in VLAN 2 and clients in VLAN 3, the global limit applies both to the clients' internet traffic and to traffic between devices in VLAN 2 and VLAN 3.
In many deployments the global bandwidth limit is intended to cap a client's traffic to the internet, while clients still need unrestricted access to internal LAN resources. Traffic shaping rules can be configured so that selected routed traffic ignores the global bandwidth limit.
In this example we again assume a global bandwidth limit of 1024 kbps down and 512 kbps up. Two VLANs are configured on the MX, and we do not want to limit bandwidth between clients on VLAN 2 (192.168.2.0/24) and VLAN 3 (192.168.3.0/24). We will create a new traffic shaping rule using Custom expressions that matches traffic with a destination IP address in VLAN 2 or VLAN 3. Browse to Security appliance > Configure > Traffic shaping > Traffic shaping rules (or, for MR access points, Wireless > Configure > Firewall and Traffic Shaping > Traffic shaping rules):
Note: Traffic shaping rules are processed from top to bottom and the first rule that matches a flow is applied, so more specific rules must be placed above broader ones. Rules can be reordered by clicking the move pointer and dragging a rule above or below another rule.
Two custom expression entries have been added to the following rule:
This rule allows unlimited bandwidth between the two VLANs because Ignore network limit (unlimited) is selected. The custom expressions match on the destination address of the traffic (in this example a destination IP in 192.168.2.0/24 or 192.168.3.0/24).
Note: When creating a custom expression, note the difference between ‘localnet’ and ‘net’. ‘localnet’ matches traffic by its source IP address; ‘net’ matches traffic by its destination IP address. The rule in this example must use ‘net’, not ‘localnet’: a ‘localnet’ expression would exempt all traffic with a source IP address in VLAN 2 or VLAN 3 from the global bandwidth limit, including those clients' traffic to the internet.
As new VLANs are defined on the MX, their subnets must be added to the traffic shaping rule; otherwise inter-VLAN traffic to them falls back to the global limit. Traffic shaping rules can also be more granular than a destination subnet. For example, to allow unlimited RDP bandwidth between the VLANs while enforcing the global bandwidth limit on all other inter-VLAN traffic, append the port number to the custom expression (e.g. net 192.168.2.0/24:3389 for RDP traffic destined to VLAN 2).
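The rule semantics described above (first match wins, ‘net’ keying on the destination address, ‘localnet’ on the source address, and a trailing :port narrowing a match to one destination port) can be checked against sample flows with the following model. This is an added illustration and not Meraki code or the appliance's own implementation: the Flow and Rule classes, the rule names and the sample flows are constructed here to mirror the article's VLAN 2 / VLAN 3 example, and the matching logic only models the behaviour the article describes.

```python
"""
Model of how the traffic shaping rules described above pick the per-client
limit for a flow. Added illustration only: it is not Meraki code and does not
talk to the Meraki Dashboard. Semantics modelled, as stated in the article:
  - rules are evaluated top to bottom, first match wins, else the global limit
  - 'net <cidr>' matches on destination IP, 'localnet <cidr>' on source IP
  - a trailing ':<port>' narrows the match to that destination port
IPv4 only (the ':port' split would mangle IPv6 literals).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Global per-client limit from the article's example (kbps).
GLOBAL_LIMIT = {"down": 1024, "up": 512}
# Result of "Ignore network limit (unlimited)".
UNLIMITED = {"down": None, "up": None}


@dataclass
class Flow:
    src: str      # source IP of the client
    dst: str      # destination IP
    dport: int    # destination port


@dataclass
class Rule:
    name: str
    expressions: list        # custom expressions, e.g. "net 192.168.2.0/24:3389"
    limit: Optional[dict]    # None => ignore global limit; dict => custom limit


def parse_expression(expr):
    """Split 'net 192.168.2.0/24:3389' into ('net', IPv4Network, 3389)."""
    kind, target = expr.split(None, 1)
    if kind not in ("net", "localnet"):
        raise ValueError(f"unsupported expression type: {kind!r}")
    port = None
    if ":" in target:
        target, port_str = target.rsplit(":", 1)
        port = int(port_str)
    # strict=False lets a bare host such as "net 192.168.2.20" become a /32.
    return kind, ip_network(target, strict=False), port


def expression_matches(expr, flow):
    kind, network, port = parse_expression(expr)
    # 'net' keys on the destination, 'localnet' on the source.
    addr = ip_address(flow.dst if kind == "net" else flow.src)
    if addr not in network:
        return False
    # A trailing :port applies to the destination port only.
    return port is None or flow.dport == port


def rule_matches(rule, flow):
    # Several expressions in one rule are alternatives, like the article's rule
    # that lists both VLAN subnets.
    return any(expression_matches(e, flow) for e in rule.expressions)


def effective_limit(rules, flow, global_limit=GLOBAL_LIMIT):
    """Return (rule name, limit) for the first matching rule, else the global limit."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, (UNLIMITED if rule.limit is None else rule.limit)
    return "global", global_limit


# The article's rule: traffic destined to VLAN 2 or VLAN 3 ignores the limit.
ARTICLE_RULES = [Rule("inter-vlan", ["net 192.168.2.0/24", "net 192.168.3.0/24"], None)]

# The mistake the article warns about: 'localnet' keys on the SOURCE, so every
# VLAN 2/3 client escapes the global limit for all of its traffic.
LOCALNET_RULES = [Rule("src-vlan", ["localnet 192.168.2.0/24", "localnet 192.168.3.0/24"], None)]

# Granular variant: unlimited RDP into VLAN 2, everything else keeps the global limit.
RDP_RULES = [Rule("rdp-to-vlan2", ["net 192.168.2.0/24:3389"], None)]

# Ordering mistake: a broad rule above a specific one shadows it (constructed limit).
SHADOWED_RULES = [
    Rule("all-internal", ["net 192.168.0.0/16"], {"down": 256, "up": 128}),
    Rule("rdp-to-vlan2", ["net 192.168.2.0/24:3389"], None),  # never reached
]

if __name__ == "__main__":
    # Constructed sample flows: a VLAN 3 client talking to VLAN 2 and to the internet.
    flows = [
        ("RDP VLAN3->VLAN2", Flow("192.168.3.10", "192.168.2.20", 3389)),
        ("SMB VLAN3->VLAN2", Flow("192.168.3.10", "192.168.2.20", 445)),
        ("VLAN3->internet ", Flow("192.168.3.10", "203.0.113.5", 443)),
    ]
    for label, rules in [("article", ARTICLE_RULES), ("localnet", LOCALNET_RULES),
                         ("rdp-only", RDP_RULES), ("shadowed", SHADOWED_RULES)]:
        for desc, flow in flows:
            print(f"{label:9} {desc} -> {effective_limit(rules, flow)}")
```

Running the model shows the two failure modes in the notes above side by side: with the ‘localnet’ rule set the VLAN 3 client's internet flow comes back unlimited, and with the shadowed rule set the RDP flow never reaches the ‘rdp-to-vlan2’ rule because the broader ‘all-internal’ rule sits above it.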
On an MR network, the options under Wireless > Configure > Firewall and Traffic shaping also allow a bandwidth limit to be configured per SSID. Unlike a per-client bandwidth limit, a per-SSID limit cannot be bypassed with a traffic shaping rule or group policy.
Consider the following example configuration:
In the configuration above, the MR access points in this network will refuse to pass more than a total of 1 Mb/s for all clients associated to this SSID. Clients can be further restricted with a per-client bandwidth limit, but even a whitelisted client on this SSID is capped at an absolute maximum of 1 Mb/s.