Traffic shaping profiles
As mentioned in Traffic shaping, the three main methods of configuring traffic shaping are:
- Traffic shaping profiles
- Traffic shapers
- Global traffic prioritization
A traffic shaping profile allows traffic shaping to be configured with policing or queuing. Up to 30 classes can be defined, with prioritization and bandwidth limits configured for each class. When queuing is enabled, metrics can be configured for traffic queuing in each class.
Traffic shaping with policing
At the most basic level, policing involves traffic prioritization and bandwidth limits. Traffic prioritization helps categorize traffic into different priority levels: low, medium, high, critical, and top. When bandwidth is limited, traffic with higher priority levels will take precedence over lower priority traffic. Traffic with lower priority levels that exceeds available bandwidth will be dropped. These levels are only applicable in the context of traffic shaping profiles and should not be confused with global traffic prioritization levels.
Bandwidth limits define the guaranteed and maximum bandwidth allotted to each traffic class. These limits are configured as a percentage of the outbandwidth, which is the outbound bandwidth configured on an interface.
Guaranteed bandwidth limits guarantee the minimum bandwidth that is allotted to a given class of traffic. The sum of all guaranteed bandwidth of all classes within a traffic shaping profile cannot exceed 100%. However, the sum of all guaranteed bandwidth does not need to add up to 100%. The guaranteed bandwidth is always respected, even if one class has lower priority than another.
Maximum bandwidth limits define the maximum percentage of the outbandwidth that a traffic class can use up. This value often will be 100%, given that when there is no other traffic going through other classes, you would want to fully utilize the bandwidth of the outbound link. Traffic throughput exceeding the maximum bandwidth will be dropped.
The following diagram illustrates ingress traffic and how the FortiGate assigns classes and bandwidth to each class.
When comparing traffic shaping profiles and traffic shapers, it is important to remember that guaranteed and maximum bandwidth in a traffic shaping profile is a percentage of the outbandwidth, while guaranteed and maximum bandwidth in a traffic shaper is a rate (Kbps, Mbps, and so on). As long as the outbandwidth is true to its measurement, the bandwidth usage should not exceed the available bandwidth of a link when using a traffic shaping profile.
Congestion occurs when actual traffic surpasses the outbandwidth limit. At this point, traffic prioritization helps determine which traffic will be prioritized over others. First, the guaranteed bandwidth limit is allocated for each class. The left over bandwidth is allocated to traffic classes based on priority. The traffic classes with the highest priority can use as much of the remaining bandwidth as needed. Then, the remaining bandwidth can be allocated to classes at the next priority level, and so forth.
To see examples of applied traffic prioritization and bandwidth limits, see the debugs in Verifying that the traffic is being shaped.
Traffic shaping with queuing
When traffic congestion occurs and if there is no queuing, then the excess packets are dropped. With queuing, when traffic exceeds the configured bandwidth limits, the traffic is delayed for transport until bandwidth frees up. Traffic may still be dropped if the queues are full.
In queuing, before a packet egresses an interface, it is first enqueued using an algorithm, such as random early detection (RED) or first in, first out (FIFO). The kernel then dequeues the packet based on the HTB algorithm before sending it out. Queuing can be configured per shaping profile, and it can be customized per class.
The following diagram shows how traffic policing differs from traffic queuing by comparing the bandwidth limit, projected bandwidth utilization, and actual bandwidth utilization.
For more information about traffic shaping with queuing, see Traffic shaping with queuing using a traffic shaping profile.
Configuring traffic shaping profiles
The main steps to configure traffic shaping are:
- Configure the traffic shaping policy, and assign matched traffic to a class (see Traffic shaping policies).
- Configure the traffic shaping profile and apply traffic bandwidth, prioritization and/or queuing per class.
- Configure the interface outbandwidth and apply an egress shaping profile to the interface.
Configuring the traffic shaping profile
A traffic shaping profile consists of the class ID and the settings per class ID. It also defines the type of traffic shaping to apply (policing or queuing) and the default class ID for traffic that does not match any traffic shaping policies.
A class can be configured in the GUI as part of a traffic shaping profile or policy. In the CLI, a traffic class must be defined before it can be assigned within a traffic shaping profile. Class IDs range from 2 - 31, and they can be reused between different traffic shaping profiles.
When configuring a traffic shaping profile, the settings can be defined per class.
The following options can be configured for traffic shaping classes:
GUI option |
CLI option |
Description |
---|---|---|
Default |
set default-class-id <class-id> |
Set the default class ID. Each profile must have one default class ID. The default class ID can be changed at any time. |
Traffic shaping class ID |
set class-id <integer> |
Set the class ID (2 - 31). |
Guaranteed bandwidth |
set guaranteed-bandwidth-percentage <integer> |
Set the percentage of the outbandwidth that will be guaranteed for the class ID. |
Maximum bandwidth |
set maximum-bandwidth-percentage <integer> |
Set the percentage of the outbandwidth that will be the maximum bandwidth for the class ID. |
Priority |
set priority {top | critical | high | medium | low} |
Select the priority level for the class ID. |
To configure a traffic shaping profile in the GUI:
- Go to Policy & Objects > Traffic Shaping, select the Traffic Shaping Profiles tab, and click Create New.
- Enter the profile name, and optionally enter a comment.
- In the Traffic Shaping Classes section, click Create New.
- Configure the traffic shaping class ID settings (Traffic shaping class ID, Guaranteed bandwidth, Maximum bandwidth, and Priority).
- Click OK.
- Create more shaping classes as needed (the total guaranteed bandwidth of all classes cannot exceed 100%).
- Click OK.
To configure a traffic shaping profile in the CLI:
- Configure the shaping class:
config firewall traffic-class edit <integer> set class-name <string> next end
- Configure the shaping profile:
config firewall shaping-profile edit <name> set type {policing | queuing} set default-class-id <class-id> config shaping-entries edit <id> set class-id <integer> set priority {top | critical | high | medium | low} set guaranteed-bandwidth-percentage <integer> set maximum-bandwidth-percentage <integer> next end next end
Configuring the interface outbandwidth
There are two settings that must be configured on an interface that has traffic shaping applied to egressing traffic: a traffic shaping profile must be assigned, and the outbound bandwidth must be configured.
Since traffic shaping is often configured on the WAN interface for egressing traffic, the outbound bandwidth is effectively the upstream bandwidth allowed by your ISP. On the FortiGate, it is possible to perform a speed test on interfaces are assigned a WAN role assigned (see Manual interface speedtest). The speed test performs measurements against public cloud servers, and provides an accurate measurement of the upstream bandwidth. After the test is complete, the results can be used to populate the Outbound bandwidth field.
To configure traffic shaping on an interface:
- Go to Network > Interfaces and double-click an interface to edit it.
- For interfaces assigned a WAN role, in the right-side of the screen, click Execute speed test.
- When the test completes, click OK in the Confirm pane to apply the results to the estimated bandwidth. The speed test results are populated in the Estimated bandwidth fields for kbps Upstream and kbps Downstream.
- In the Traffic Shaping section, enable Outbound shaping profile and select a profile.
- Enable Outbound bandwidth and copy the kbps Upstream value from the speed test, or enter a custom value.
- Click OK.
Verifying that the traffic is being shaped
In this example, three traffic classes are defined in the traffic shaping profile assigned to port1. The outbandwidth configured on port1 is 1000 Kbps. Each class has an allocated-bandwidth
, guaranteed-bandwidth
, max-bandwidth
, and current-bandwidth
value.
- The
guaranteed-bandwidth
andmax-bandwidth
are rates that are converted from the percentage of outbandwidth configured for each class. For example,class-id
2 has 10%guaranteed-bandwidth
, equivalent to 100 Kbps, and 100%max-bandwidth
equivalent to 1000 Kbps. - The
allocated-bandwidth
displays the real-time bandwidth allocation for the traffic class based on all available factors. This value changes as traffic demand changes. - The
current-bandwidth
displays the real-time bandwidth usage detected for the traffic class.
To verify that traffic is being shaped by the traffic shaping profile:
- Enable debug flow to view the live traffic as it matches a traffic shaping policy:
# diagnose debug flow show function-name enable # diagnose debug flow show iprope enable # diagnose debug flow filter <filters> # diagnose debug flow trace start <repeat_number> # diagnose debug enable
Theiprope_shaping_check
function outputs the shaping policy matched for any given traffic:... id=20085 trace_id=21 func=iprope_shaping_check line=934 msg="in-[port3], out-[port1], skb_flags-02000000, vid-0" id=20085 trace_id=21 func=__iprope_check line=2277 msg="gnum-100015, check-ffffffffa002a8fe" id=20085 trace_id=21 func=__iprope_check_one_policy line=2029 msg="checked gnum-100015 policy-3, ret-matched, act-accept" id=20085 trace_id=21 func=__iprope_check_one_policy line=2247 msg="policy-3 is matched, act-accept" id=20085 trace_id=21 func=__iprope_check line=2294 msg="gnum-100015 check result: ret-matched, act-accept, flag-00000000, flag2-00000000"
- Display the session list:
# diagnose sys session filter <filters> # diagnose sys session list
Sessions that match a shaping policy will display
class_id
andshaping_policy_id
fields:... session info: proto=6 proto_state=05 duration=32 expire=0 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4 origin-shaper= reply-shaper= per_ip_shaper= class_id=4 shaping_policy_id=3 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
- Display the interface statistics:
# diagnose netlink interface list port1 if=port1 family=00 type=1 index=3 mtu=1500 link=0 master=0 ref=95 state=start present fw_flags=2001b800 flags=up broadcast run allmulti multicast Qdisc=pfifo_fast hw_addr=52:54:00:7e:af:a6 broadcast_addr=ff:ff:ff:ff:ff:ff inbandwidth=10000(kbps) total_bytes=2098887K drop_bytes=7854K egress traffic control: bandwidth=1000(kbps) lock_hit=241 default_class=3 n_active_class=3 class-id=2 allocated-bandwidth=140(kbps) guaranteed-bandwidth=100(kbps) max-bandwidth=1000(kbps) current-bandwidth=147(kbps) priority=low forwarded_bytes=8161K dropped_packets=2032 dropped_bytes=3074K class-id=3 allocated-bandwidth=30(kbps) guaranteed-bandwidth=300(kbps) max-bandwidth=1000(kbps) current-bandwidth=10(kbps) priority=medium forwarded_bytes=501K dropped_packets=1 dropped_bytes=1195 class-id=4 allocated-bandwidth=830(kbps) guaranteed-bandwidth=500(kbps) max-bandwidth=1000(kbps) current-bandwidth=810(kbps) priority=high forwarded_bytes=1393K dropped_packets=379 dropped_bytes=572K stat: rxp=8349728 txp=11101735 rxb=2216101183 txb=1394077978 rxe=0 txe=0 rxd=0 txd=0 mc=0 collision=0 @ time=1654202868 re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0 te: txa=0 txc=0 txfi=0 txh=0 txw=0 misc rxc=0 txc=0 input_type=0 state=3 arp_entry=0 refcnt=95
If the debug output does not display egress traffic control by class and displays them by priority, it is likely that global traffic prioritization is configured. The global traffic prioritization settings must be disabled to view the preceding debug output (see Global traffic prioritization). |