Weighted random early detection support 6.2.1
You can use Weighted Random Early Detection (WRED) queuing mechanism within traffic shaping.
This topic includes the following parts:
- Traffic shaping with queuing
- Burst control in queuing mode
- Multi-stage DSCP marking and class-id in traffic shaper
You cannot configure or see WRED in the GUI. You must use the CLI to configure WRED.
WRED is not supported when traffic is offloaded to NPU.
Traffic shaping with queuing
Traffic shaping has a queuing option. Use this option to fine tune the queue by setting the profile queue size or performing RED (Random Early Drop) according to queue usage.
The next example sets the profile queue size limit to 5, so that the queue holds at most five packets and any further packets are dropped.
To set the profile queue size limit:
config firewall shaping-profile
edit "profile"
set type queuing
set default-class-id 31
config shaping-entries
edit 31
set class-id 31
set guaranteed-bandwidth-percentage 5
set maximum-bandwidth-percentage 10
set limit 5 <range from 5 to 10000; default: 1000>
next
end
next
end
The next example performs RED (Random Early Drop) according to queue usage by setting red-probability, min, and max. Setting red-probability to 10 means that packets start to be dropped when queue usage reaches the min setting, and that 10% of packets are dropped when queue usage reaches the max setting.
- Level 1: when the queue is less than min packets, drop 0% of packets.
- Level 2: when the queue reaches min packets, start to drop packets.
- Level 3: when queue usage is between min and max packets, drop 0-10% of packets in proportion to the usage.
- Level 4: when the queue (average queue size) is more than max packets, drop 100% of packets.
To set RED according to queue usage:
config firewall shaping-profile
edit "profile"
set type queuing
set default-class-id 31
config shaping-entries
edit 31
set class-id 31
set guaranteed-bandwidth-percentage 5
set maximum-bandwidth-percentage 10
set red-probability 10 <range from 0 to 20; default: 0 no drop>
set min 100 <range from 3 to 3000>
set max 300 <range from 3 to 3000>
next
end
next
end
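The four levels above describe a piecewise drop curve, and the configuration just shown gives its parameters (red-probability 10, min 100, max 300). The following Python is an added worked example, not FortiOS code, that evaluates that curve and the expected number of early drops over a series of queue samples. It also includes the textbook RED moving-average update; that the FortiOS RED qdisc averages the queue exactly this way (with the `ewma 9` parameter visible in the diagnose output later in this section) is an assumption based on the standard Linux RED implementation.

```python
def red_drop_probability(avg_queue: float, min_th: int, max_th: int, red_probability: int) -> float:
    """Probability that one arriving packet is dropped early, given the average queue size (packets).

    Follows the four levels described for a shaping entry:
      level 1: avg < min           -> 0.0
      level 2: avg == min          -> 0.0, the ramp starts here
      level 3: min <= avg <= max   -> linear ramp up to red_probability %
      level 4: avg > max           -> 1.0, every packet is dropped
    red_probability is the percentage from 'set red-probability' (0..20); 0 means RED is off.
    """
    if not 0 <= red_probability <= 20:
        raise ValueError("red-probability must be in 0..20")
    if not 3 <= min_th < max_th <= 3000:
        raise ValueError("min and max must be in 3..3000 with min < max")
    if red_probability == 0 or avg_queue < min_th:
        return 0.0  # RED disabled (default 0, no drop) or below the min threshold
    if avg_queue > max_th:
        return 1.0
    return (avg_queue - min_th) / (max_th - min_th) * (red_probability / 100.0)


def red_average_update(avg: float, queue_len: int, ewma_log: int = 9) -> float:
    """Textbook RED exponentially weighted moving average: avg += (q - avg) / 2**ewma_log.

    ewma_log=9 is the 'ewma 9' value shown by 'diagnose netlink intf-qdisc list' in this
    section. Assumption: the FortiOS RED qdisc updates its average the same way the
    standard Linux RED implementation does.
    """
    return avg + (queue_len - avg) / (1 << ewma_log)


def expected_drops(avg_samples, min_th: int, max_th: int, red_probability: int) -> float:
    """Expected number of early drops over a series of average-queue-size samples (one arrival each)."""
    return sum(red_drop_probability(a, min_th, max_th, red_probability) for a in avg_samples)


if __name__ == "__main__":
    # Constructed sample queue sizes, evaluated against the configured red-probability 10, min 100, max 300.
    for q in (50, 100, 200, 300, 301):
        print(f"avg queue {q:>3} packets -> drop probability {red_drop_probability(q, 100, 300, 10):.2%}")
```

The curve is what makes RED gentler than a hard queue limit: a TCP sender sees an occasional loss early and backs off before the queue overflows, instead of many flows losing packets at once when the limit is hit.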
To troubleshoot this function, use the following diagnose commands:
diagnose netlink intf-class list <intf>
diagnose netlink intf-qdisc list <intf>
Burst control in queuing mode
In the HTB (Hierarchical Token Bucket) algorithm, each traffic class has token buckets that allow a burst of traffic. The maximum burst is determined by the bucket sizes burst (for guaranteed bandwidth) and cburst (for maximum bandwidth). The shaping profile has burst-in-msec and cburst-in-msec parameters for each shaping entry (class id) to control the bucket sizes.
This example uses an interface outbandwidth of 1Mbps and a class maximum bandwidth of 50%.
burst = burst-in-msec * guaranteed bandwidth = 100ms x 1Mbps x 50% = 50000b = 6250B
cburst = cburst-in-msec * maximum bandwidth = 200ms x 1Mbps x 50% = 100000b = 12500B
The following example sets burst-in-msec to 100 and cburst-in-msec to 200.
To set burst control in queuing mode:
config firewall shaping-profile
edit "profile"
set type queuing
set default-class-id 31
config shaping-entries
edit 31
set class-id 31
set guaranteed-bandwidth-percentage 5
set maximum-bandwidth-percentage 50
set burst-in-msec 100 <range from 0 to 2000>
set cburst-in-msec 200 <range from 0 to 2000>
next
end
next
end
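The burst arithmetic above (100ms x 1Mbps x 50% = 6250B) generalizes to any shaping entry once the interface outbandwidth (kbps, as set with `set outbandwidth`) and the class percentages are known. The Python below is an added example, not FortiOS code, that computes the HTB rate, ceil, burst and cburst for an entry. The same rate formula reproduces the `rate 625000Bps` / `ceil 1250000Bps` figures that the diagnose output in the Examples section shows for a 10000 kbps interface. Note that the page's worked numbers apply 50% to both buckets, whereas the configuration above sets guaranteed-bandwidth-percentage 5; the function takes whatever percentages are configured.

```python
def class_rate_bytes_per_sec(outbandwidth_kbps: int, percentage: int) -> int:
    """Class rate in bytes/s: interface 'set outbandwidth' (kbps) x class percentage.

    10000 kbps x 50% = 5,000,000 b/s = 625,000 B/s, the 'rate 625000Bps' of class 1:10
    in the diagnose output of the Examples section.
    """
    return outbandwidth_kbps * 1000 * percentage // 100 // 8


def bucket_size_bytes(msec: int, outbandwidth_kbps: int, percentage: int) -> int:
    """Token-bucket size in bytes: bucket time (ms) x class bandwidth.

    100 ms x 1 Mbps x 50% = 50,000 b = 6,250 B, as worked out above.
    """
    bits = outbandwidth_kbps * 1000 * percentage / 100 * msec / 1000
    return int(bits // 8)


def shaping_entry_htb_params(outbandwidth_kbps: int, guaranteed_pct: int, maximum_pct: int,
                             burst_msec: int, cburst_msec: int) -> dict:
    """HTB rate/ceil/burst/cburst for one shaping entry on an interface running at outbandwidth_kbps.

    burst is sized from the guaranteed bandwidth, cburst from the maximum bandwidth,
    matching the two formulas given in the text.
    """
    return {
        "rate_Bps": class_rate_bytes_per_sec(outbandwidth_kbps, guaranteed_pct),
        "ceil_Bps": class_rate_bytes_per_sec(outbandwidth_kbps, maximum_pct),
        "burst_B": bucket_size_bytes(burst_msec, outbandwidth_kbps, guaranteed_pct),
        "cburst_B": bucket_size_bytes(cburst_msec, outbandwidth_kbps, maximum_pct),
    }


if __name__ == "__main__":
    # The page's worked example: 1 Mbps interface, 50% for both buckets, 100 ms / 200 ms.
    print(shaping_entry_htb_params(1000, 50, 50, 100, 200))
    # The configuration shown above: guaranteed 5%, maximum 50%.
    print(shaping_entry_htb_params(1000, 5, 50, 100, 200))
```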
Multi-stage DSCP marking and class-id in traffic shaper
The traffic shaper has a multi-stage method so that packets are marked with a different DSCP and class id at different traffic speeds. Marking packets with different DSCP codes lets the next hop classify the packets. FortiGate itself benefits from marking packets with a different class id: combined with the egress interface shaping profile, FortiGate can handle the traffic differently according to its class id.
| Rule | DSCP code | Class ID |
|---|---|---|
| speed < guarantee bandwidth | diffservcode | class-id |
| guarantee bandwidth < speed < exceed bandwidth | exceed-dscp | exceed-class-id |
| exceed bandwidth < speed | maximum-dscp | exceed-class-id |
This example sets the following parameters:
- When current bandwidth is less than 50kbps, mark packets with diffservcode 100000 and set class id to 10.
- When current bandwidth is between 50kbps and 100kbps, mark packets with exceed-dscp 111000 and set exceed-class-id to 20.
- When current bandwidth is more than 100kbps, mark packets with maximum-dscp 111111 and set exceed-class-id to 20.
To set multi-stage DSCP marking and class-id in traffic shaper:
config firewall shaper traffic-shaper
edit "50k-100k-150k"
set guaranteed-bandwidth 50
set maximum-bandwidth 150
set diffserv enable
set dscp-marking-method multi-stage <--- New
set exceed-bandwidth 100 <--- New
set exceed-dscp 111000 <--- New
set exceed-class-id 20 <--- New
set maximum-dscp 111111 <--- New
set diffservcode 100000
next
end
config firewall shaping-policy
edit 1
set service "ALL"
set dstintf PORT2
set srcaddr "all"
set dstaddr "all"
set class-id 10
next
end
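The marking table and the configuration above amount to a three-way threshold classifier on the measured speed. The Python below is an added example, not FortiOS code, that models a multi-stage shaper with the values from the configuration (50/100/150 kbps, diffservcode 100000, exceed-dscp 111000, maximum-dscp 111111, class ids 10 and 20) and returns the DSCP and class id a packet would receive at a given speed. How a speed exactly equal to a threshold is treated is an assumption (it is placed in the higher stage); the table only shows strict inequalities. The TOS-byte helper is included because, when verifying the marking in a packet capture, the 6 DSCP bits appear shifted into the upper bits of the IPv4 TOS / IPv6 Traffic Class byte.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class MultiStageShaper:
    """Multi-stage settings of a 'config firewall shaper traffic-shaper' entry.

    Bandwidths are in kbps; DSCP values are 6-bit binary strings as typed in the CLI.
    class_id is the 'set class-id' of the shaping policy that references the shaper;
    exceed_class_id is the shaper's own 'set exceed-class-id'.
    """
    guaranteed_bandwidth: int
    exceed_bandwidth: int
    maximum_bandwidth: int
    diffservcode: str
    exceed_dscp: str
    maximum_dscp: str
    class_id: int
    exceed_class_id: int

    def __post_init__(self):
        if not self.guaranteed_bandwidth < self.exceed_bandwidth < self.maximum_bandwidth:
            raise ValueError("need guaranteed < exceed < maximum bandwidth")
        for code in (self.diffservcode, self.exceed_dscp, self.maximum_dscp):
            if len(code) != 6 or set(code) - {"0", "1"}:
                raise ValueError(f"DSCP must be 6 binary digits, got {code!r}")

    def mark(self, speed_kbps: float) -> Tuple[str, int]:
        """Return (dscp, class_id) for the current measured speed.

        Assumption: a speed exactly equal to a threshold falls into the higher stage.
        """
        if speed_kbps < self.guaranteed_bandwidth:
            return self.diffservcode, self.class_id
        if speed_kbps < self.exceed_bandwidth:
            return self.exceed_dscp, self.exceed_class_id
        return self.maximum_dscp, self.exceed_class_id


def dscp_to_tos_byte(dscp_bits: str) -> int:
    """The 6 DSCP bits occupy the upper six bits of the TOS / Traffic Class byte; ECN is the low two bits."""
    return int(dscp_bits, 2) << 2


# The shaper "50k-100k-150k" from the configuration above, with class-id 10 from shaping policy 1.
EXAMPLE_SHAPER = MultiStageShaper(
    guaranteed_bandwidth=50, exceed_bandwidth=100, maximum_bandwidth=150,
    diffservcode="100000", exceed_dscp="111000", maximum_dscp="111111",
    class_id=10, exceed_class_id=20,
)

if __name__ == "__main__":
    # Constructed sample speeds, one per stage.
    for speed in (40, 75, 120):
        dscp, cid = EXAMPLE_SHAPER.mark(speed)
        print(f"{speed} kbps -> dscp {dscp} (TOS 0x{dscp_to_tos_byte(dscp):02x}), class id {cid}")
```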
The traffic shaper also has an overhead option that defines the per-packet size overhead used in the rate computation.
To set traffic shaper overhead option:
config firewall shaper traffic-shaper
edit "testing"
set guaranteed-bandwidth 50
set maximum-bandwidth 150
set overhead 14 <range from 0 to 100>
next
end
Examples
The first example shows how to enable RED for FTP traffic from QA. This example sets a maximum of 10% of the packets to be dropped when queue usage reaches the maximum value.
To configure the firewall address:
config firewall address
edit QA_team
set subnet 10.1.100.0/24
next
end
To set shaping policy to classify traffic into different class IDs:
config firewall shaping-policy
edit 1
set service HTTPS HTTP
set dstintf port1
set srcaddr QA_team
set dstaddr all
set class-id 10
next
edit 2
set service FTP
set dstintf port1
set srcaddr QA_team
set dstaddr all
set class-id 20
next
end
To set the shaping profile that defines the speed of each class ID:
config firewall shaping-profile
edit QA_team_profile
set type queuing
set default-class-id 30
config shaping-entries
edit 1
set class-id 10
set guaranteed-bandwidth-percentage 50
set maximum-bandwidth-percentage 100
next
edit 2
set class-id 20
set guaranteed-bandwidth-percentage 30
set maximum-bandwidth-percentage 60
set red-probability 10
next
edit 3
set class-id 30
set guaranteed-bandwidth-percentage 20
set maximum-bandwidth-percentage 50
next
end
next
end
To apply the shaping profile to the interface:
config sys interface
edit port1
set outbandwidth 10000
set egress-shaping-profile QA_team_profile
next
end
To use diagnose commands to troubleshoot:
# dia netlink intf-class list port1
class htb 1:1 root rate 1250000Bps ceil 1250000Bps burst 1600B/8 mpu 0B overhead 0B cburst 1600B/8 mpu 0B overhead 0B level 7
 buffer [00004e20] cbuffer [00004e20]
 Sent 11709 bytes 69 pkt (dropped 0, overlimits 0 requeues 0)
 rate 226Bps 2pps backlog 0B 0p
 lended: 3 borrowed: 0 giants: 0
 tokens: 18500 ctokens: 18500
class htb 1:10 parent 1:1 leaf 10: prio 1 quantum 62500 rate 625000Bps ceil 1250000Bps burst 1600B/8 mpu 0B overhead 0B cburst 1600B/8 mpu 0B overhead 0B level 0
 buffer [00009c40] cbuffer [00004e20]
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0Bps 0pps backlog 0B 0p
 lended: 0 borrowed: 0 giants: 0
 tokens: 40000 ctokens: 20000
class htb 1:20 parent 1:1 leaf 20: prio 1 quantum 37500 rate 375000Bps ceil 750000Bps burst 1599B/8 mpu 0B overhead 0B cburst 1599B/8 mpu 0B overhead 0B level 0
 buffer [0001046a] cbuffer [00008235]
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0Bps 0pps backlog 0B 0p
 lended: 0 borrowed: 0 giants: 0
 tokens: 66666 ctokens: 33333
class htb 1:30 parent 1:1 leaf 30: prio 1 quantum 25000 rate 250000Bps ceil 625000Bps burst 1600B/8 mpu 0B overhead 0B cburst 1600B/8 mpu 0B overhead 0B level 0
 buffer [000186a0] cbuffer [00009c40]
 Sent 11709 bytes 69 pkt (dropped 0, overlimits 0 requeues 0)
 rate 226Bps 2pps backlog 0B 0p
 lended: 66 borrowed: 3 giants: 0
 tokens: 92500 ctokens: 37000
class red 20:1 parent 20:0
# dia netlink intf-qdisc list port1
qdisc htb 1: root refcnt 5 r2q 10 default 30 direct_packets_stat 0 ver 3.17
 Sent 18874 bytes 109 pkt (dropped 0, overlimits 5 requeues 0)
 backlog 0B 0p
qdisc pfifo 10: parent 1:10 refcnt 1 limit 1000p
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0B 0p
qdisc red 20: parent 1:20 refcnt 1 limit 4000000B min 300000B max 1000000B ewma 9 Plog 23 Scell_log 20 flags 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0B 0p
  marked 0 early 0 pdrop 0 other 0
qdisc pfifo 30: parent 1:30 refcnt 1 limit 1000p
 Sent 18874 bytes 109 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0B 0p
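The `intf-qdisc list` output is the place to confirm that RED is actually attached to the intended class (the `qdisc red 20:` line under `parent 1:20`) and to watch its counters: `early` counts packets dropped by the RED curve, `pdrop` counts packets dropped because the queue was full, and the per-qdisc `dropped`/`overlimits` fields show where shaping is biting. The Python below is an added example, not a FortiOS tool, that parses that output into per-qdisc statistics so the counters can be polled and compared over time. The sample text is the output shown above with its line breaks restored; the parser splits on each `qdisc` keyword, so it also accepts the output when it arrives on a single line.

```python
import re
from typing import Dict

# The 'dia netlink intf-qdisc list port1' output shown in this section (line breaks restored).
SAMPLE_QDISC_OUTPUT = """\
qdisc htb 1: root refcnt 5 r2q 10 default 30 direct_packets_stat 0 ver 3.17
 Sent 18874 bytes 109 pkt (dropped 0, overlimits 5 requeues 0)
 backlog 0B 0p
qdisc pfifo 10: parent 1:10 refcnt 1 limit 1000p
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0B 0p
qdisc red 20: parent 1:20 refcnt 1 limit 4000000B min 300000B max 1000000B ewma 9 Plog 23 Scell_log 20 flags 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0B 0p
  marked 0 early 0 pdrop 0 other 0
qdisc pfifo 30: parent 1:30 refcnt 1 limit 1000p
 Sent 18874 bytes 109 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0B 0p
"""

_HEAD = re.compile(r"^qdisc (\w+) (\S+)")
_SENT = re.compile(r"Sent (\d+) bytes (\d+) pkt \(dropped (\d+), overlimits (\d+) requeues (\d+)\)")
_RED = re.compile(r"marked (\d+) early (\d+) pdrop (\d+) other (\d+)")
_THRESH = re.compile(r"min (\d+)B max (\d+)B")


def parse_qdisc_list(text: str) -> Dict[str, dict]:
    """Map each qdisc handle (e.g. '20:') to its kind, traffic counters and, for RED, its thresholds."""
    stats: Dict[str, dict] = {}
    # Each qdisc record begins with the word 'qdisc'; split there regardless of line layout.
    for chunk in re.split(r"(?=\bqdisc )", text):
        head = _HEAD.match(chunk)
        if not head:
            continue
        kind, handle = head.groups()
        entry = {"kind": kind}
        sent = _SENT.search(chunk)
        if sent:
            entry.update(zip(("sent_bytes", "sent_pkt", "dropped", "overlimits", "requeues"),
                             map(int, sent.groups())))
        red = _RED.search(chunk)
        if red:
            entry.update(zip(("marked", "early", "pdrop", "other"), map(int, red.groups())))
        thresh = _THRESH.search(chunk)
        if thresh:
            entry["min_bytes"], entry["max_bytes"] = map(int, thresh.groups())
        stats[handle] = entry
    return stats


def red_drop_summary(stats: Dict[str, dict]) -> Dict[str, tuple]:
    """For every RED qdisc: (early drops from the RED curve, pdrop drops from a full queue)."""
    return {h: (e.get("early", 0), e.get("pdrop", 0)) for h, e in stats.items() if e["kind"] == "red"}


def qdiscs_with_drops(stats: Dict[str, dict]) -> list:
    """Handles of qdiscs whose 'dropped' counter is non-zero, sorted for stable reporting."""
    return sorted(h for h, e in stats.items() if e.get("dropped", 0) > 0)


if __name__ == "__main__":
    parsed = parse_qdisc_list(SAMPLE_QDISC_OUTPUT)
    for handle, entry in parsed.items():
        print(handle, entry)
    print("RED early/pdrop:", red_drop_summary(parsed))
    print("qdiscs with drops:", qdiscs_with_drops(parsed))
```

Polling this twice and diffing `early` and `pdrop` tells you whether RED is doing its job (early drops rising while pdrop stays flat) or whether the queue is simply overflowing (pdrop rising), which is the signal to revisit min, max and red-probability.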
The second example shows how to mark QA traffic with different DSCP according to real-time traffic speed.
To configure the firewall address:
config firewall address
edit QA_team
set subnet 10.1.100.0/24
next
end
To configure the firewall shaper traffic shaper:
config firewall shaper traffic-shaper
edit "500k-1000k-1500k"
set guaranteed-bandwidth 500
set maximum-bandwidth 1500
set diffserv enable
set dscp-marking-method multi-stage
set exceed-bandwidth 1000
set exceed-dscp 111000
set maximum-dscp 111111
set diffservcode 100000
next
end
config firewall shaping-policy
edit QA_team
set service "ALL"
set dstintf port1
set traffic-shaper "500k-1000k-1500k"
set traffic-shaper-reverse "500k-1000k-1500k"
set srcaddr "QA_team"
set dstaddr "all"
next
end