Diffstat (limited to 'docs')
-rw-r--r--  docs/ch10-qos.rst  1179
1 files changed, 1169 insertions, 10 deletions
diff --git a/docs/ch10-qos.rst b/docs/ch10-qos.rst
index 3dba8e71..114d64ba 100644
--- a/docs/ch10-qos.rst
+++ b/docs/ch10-qos.rst
@@ -1,7 +1,1169 @@
QoS and Traffic Policy
======================
-The traffic policy subsystem provides an interface to Linux traffic control.
+VyOS uses tc_ as backend for QoS. VyOS provides its users with configuration
+nodes for the following shaping/queueing/policing disciplines:
+
+* HTB
+* HFSC
+* SFQ
+* pfifo
+* network-emulator
+* PRIO
+* GRED
+* TBF
+* DRR
+
+VyOS QoS configuration is done in two steps. The first one consists in setting
+up your classes/queues and traffic filters to distribute traffic amongst them.
+The second step is to apply such traffic policy to an interface ingress or
+egress.
+
+Creating a traffic policy
+-------------------------
+
+Such configuration takes place under the `traffic-policy` tree.
+
+Available subtrees :
+
+.. code-block:: sh
+
+ set traffic-policy drop-tail NAME
+ set traffic-policy fair-queue NAME
+ set traffic-policy limiter NAME
+ set traffic-policy network-emulator NAME
+ set traffic-policy priority-queue NAME
+ set traffic-policy random-detect NAME
+ set traffic-policy rate-control NAME
+ set traffic-policy round-robin NAME
+ set traffic-policy shaper NAME
+ set traffic-policy shaper-hfsc NAME
+
+Apply traffic policy to an interface
+------------------------------------
+
+Once a traffic-policy is created, you can apply it to an interface :
+
+.. code-block:: sh
+
+ set interfaces ethernet eth0 traffic-policy in WAN-IN
+ set interfaces etherhet eth0 traffic-policy out WAN-OUT
+
+Traffic policies in VyOS
+------------------------
+An overview of QoS traffic policies supported by VyOS.
+
+Drop-tail (FIFO)
+^^^^^^^^^^^^^^^^
+
+A packet queuing mechanism on a FIFO (First In, First Out) basis; packets are
+sent out in the same order as they arrive. The queue has a defined length,
+packets arriving after the queue is filled up will be dropped (hence the name
+`drop tail`, the "tail" of the queue will be dropped). With this policy in
+place, all traffic is treated equally and put into a single queue. Applicable
+to outbound traffic only.
+
+Available commands:
+
+* Define a drop-tail policy (unique name, exclusive to this policy):
+ :code:`set traffic-policy drop-tail <policy name>`
+
+* Add a description:
+ :code:`set traffic-policy drop-tail <policy name> description <description>`
+
+* Set the queue length limit (max. number of packets in queue), range
+ 0...4294967295 packets: :code:`set traffic-policy drop-tail <policy name>
+ queue-limit <limit>`
+
+Fair queue (SFQ)
+^^^^^^^^^^^^^^^^
+
+Fair queue is a packet queuing mechanism that separates traffic flows based on
+their source/destination IP addresses and/or source port and places them into
+buckets. Bandwidth is allocated fairly between buckets based on the Stochastic
+airness Queuing algorithm. Applicable to outbound traffic only.
+
+Available commands:
+
+* Define a fair queue policy:
+ :code:`set traffic-policy fair-queue <policy name>`
+
+* Add a description:
+ :code:`set traffic-policy fair-queue <policy name> description <description>`
+
+* Set hash update interval; the algorithm used is stochastic and thus not
+ 'truly' fair, hash collisions can occur, in which case traffic flows may be
+ put into the same bucket. To mitigate this, the hashes can be updated at a
+ set interval, Range 0...4294967295 seconds: :code:`set traffic-policy
+ fair-queue <policy name> hash-interval <seconds>`
+
+* Set the queue-limit (max. number of packets in queue), range 0...4294967295
+ packets, default 127: :code:`set traffic-policy fair-queue <policy name>
+ queue-limit <limit>`
+
+Limiter
+^^^^^^^
+
+The limiter performs ingress policing of traffic flows. Multiple classes of
+traffic can be defined and traffic limits can be applied to each class. Traffic
+exceeding the defined bandwidth limits is dropped. Applicable to inbound
+traffic only.
+
+Available commands:
+
+* Define a traffic limiter policy:
+ :code:`set traffic-policy limiter <policy-name>`
+* Add a description:
+ :code:`set traffic-policy limiter <policy-name> description <description>`
+
+Traffic classes
+^^^^^^^^^^^^^^^
+
+* Define a traffic class for a limiter policy, range for class ID is 1...4095:
+ :code:`set traffic-policy limiter <policy-name> class <class ID>`
+* Add a class description:
+ :code:`set traffic-policy limiter <policy-name> class <class ID> description
+ <description>`
+* Specify a bandwidth limit for a class, in kbit/s:
+ :code:`set traffic-policy limiter <policy-name> class <class ID> bandwidth
+ <rate>`. Available suffixes:
+
+ * kbit (kilobits per second, default)
+ * mbit (megabits per second)
+ * gbit (gigabits per second)
+ * kbps (kilobytes per second)
+ * mbps (megabytes per second)
+ * gbps (gigabytes per second)
+
+* Set a burst size for a class, the maximum amount of traffic that can be sent,
+ in bytes: :code:`set traffic-policy limiter <policy-name> class <class ID>
+ burst <burst-size>`. Available suffixes:
+
+ * kb (kilobytes)
+ * mb (megabytes)
+ * gb (gigabytes)
+
+Default class
+^^^^^^^^^^^^^
+
+* Define a default class for a limiter policy that applies to traffic not
+ matching any other classes for this policy: :code:`set traffic-policy limiter
+ <policy name> default`
+
+* Specify a bandwidth limit for the default class, in kbit/s: :code:`set
+ traffic-policy limiter <policy name> default bandwidth <rate>`. Available
+ suffixes:
+
+ * kbit (kilobits per second, default)
+ * mbit (megabits per second)
+ * gbit (gigabits per second)
+ * kbps (kilobytes per second)
+ * mbps (megabytes per second)
+ * gbps (gigabytes per second)
+
+* Set a burst size for the default class, the maximum amount of traffic that
+ can be sent, in bytes: :code:`set traffic-policy limiter <policy-name>
+ default burst <burst-size>`. Available suffixes:
+
+ * kb (kilobytes)
+ * mb (megabytes)
+ * gb (gigabytes)
+
+* Specify the priority of the default class to set the order in which the rules
+ are evaluated, the higher the number the lower the priority, range 0...20
+ (default 20): :code:`set traffic-policy limiter <policy name> default
+ priority <priority>`
+
+Matching rules
+^^^^^^^^^^^^^^
+
+* Define a traffic class matching rule:
+ :code:`set traffic-policy limiter <policy name> class <class ID> match
+ <match name>`
+
+* Add a description:
+ :code:`set traffic-policy limiter <policy name> class <class ID> match
+ <match name> description <description>`
+
+* Specify the priority of a matching rule to set the order in which the rules
+ are evaluated, the higher the number the lower the priority, range 0...20
+ (default 20): :code:`set traffic-policy limiter <policy name> class
+ <class ID> priority <priority>`
+
+* Specify a match criterion based on a **destination MAC address**
+ (format: xx:xx:xx:xx:xx:xx): :code:`set traffic-policy limiter <policy name>
+ class <class ID> match <match name> ether destination <MAC address>`
+
+* Specify a match criterion based on a **source MAC address** (format:
+ xx:xx:xx:xx:xx:xx): :code:`set traffic-policy limiter <policy name> class
+ <class ID> match <match name> ether source <MAC address>`
+
+* Specify a match criterion based on **packet type/protocol**, range 0...65535:
+ :code:`set traffic-policy limiter <policy name> class <class ID> match
+ <match name> ether protocol <number>`
+
+* Specify a match criterion based on the **fwmark field**, range 0....4294967295:
+ :code:`set traffic-policy limiter <policy name> class <class ID> match
+ <match name> mark <fwmark>`
+
+* Specify a match criterion based on **VLAN ID**, range 1...4096:
+ :code:`set traffic-policy limiter <policy name> class <class ID> match
+ <match name> vif <VLAN ID>`
+
+**IPv4**
+
+* Specify a match criterion based on **destination IPv4 address** and/or port,
+ port may be specified as number or service name (i.e. ssh): :code:`set
+ traffic-policy limiter <policy name> class <class ID> match <match name> ip
+ destination <IPv4 address|port>`
+
+* Specify a match criterion based on **source IPv4 address** and/or port, port
+ may be specified as number or service name (i.e. ssh): :code:`set
+ traffic-policy limiter <policy name> class <class ID> match <match name> ip
+ source <IPv4 address|port>`
+
+* Specify a match criterion based on **DSCP (Differentiated Services Code Point)
+ value**, DSCP value may be specified as decimal or hexadecimal number:
+ :code:`set traffic-policy limiter <policy name> class <class ID> match
+ <match name> ip dscp <DSCP value>`
+
+* Specify a match criterion based on **IPv4 protocol**, protocol may be
+ specified by name (i.e. icmp) or IANA-assigned number: :code:`set
+ traffic-policy limiter <policy name> class <class ID> match <match name> ip
+ protocol <proto>`
+
+**IPv6**
+
+* Specify a match criterion based on **destination IPv6 address and/or port**,
+ port may be specified as number or service name (i.e. ssh): :code:`set
+ traffic-policy limiter <policy name> class <class ID> match <match name>
+ ipv6 destination <IPv6 address|port>`
+
+* Specify a match criterion based on **source IPv6 address and/or port**, port
+ may be specified as number or service name (i.e. ssh): :code:`set
+ traffic-policy limiter <policy name> class <class ID> match <match name>
+ ipv6 source <IPv6 address|port>`
+
+* Specify a match criterion based on **DSCP (Differentiated Services Code
+ Point) value**, DSCP value may be specified as decimal or hexadecimal number:
+ :code:`set traffic-policy limiter <policy name> class <class ID> match
+ <match name> ipv6 dscp <DSCP value>`
+
+* Specify a match criterion based on **IPv6 protocol**, protocol may be
+ specified by name (i.e. icmp) or IANA-assigned number: :code:`set
+ traffic-policy limiter <policy name> class <class ID> match <match name>
+ ipv6 protocol <proto>`
+
+Network emulator
+^^^^^^^^^^^^^^^^
+
+The network emulator policy emulates WAN traffic, which is useful for testing
+purposes. Applicable to outbound traffic only.
+
+Available commands:
+
+* Define a network emulator policy:
+ :code:`set traffic-policy network-emulator <policy name>`
+
+* Add a description:
+ :code:`set traffic-policy network-emulator <policy name> description <description>`
+
+* Specify a bandwidth limit in kbit/s:
+ :code:`set traffic-policy network-emulator <policy name> bandwidth <rate>`
+ Available suffixes:
+ * kbit (kilobits per second, default)
+ * mbit (megabits per second)
+ * gbit (gigabits per second)
+ * kbps (kilobytes per second)
+ * mbps (megabytes per second)
+ * gbps (gigabytes per second)
+
+* Set a burst size, the maximum amount of traffic that can be sent, in bytes:
+ :code:`set traffic-policy network-emulator <policy name> burst <burst size>`
+ Available suffixes:
+ * kb (kilobytes)
+ * mb (megabytes)
+ * gb (gigabytes)
+
+* Define a delay between packets:
+ :code:`set traffic-policy network-emulator <policy name> network-delay <delay>`
+ Available suffixes:
+ * secs (seconds)
+ * ms (milliseconds, default)
+ * us (microseconds)
+
+* Set a percentage of corrupted of packets (one bit flip, unchanged checksum):
+ :code:`set traffic-policy network-emulator <policy name> packet-corruption
+ <percent>`
+
+* Set a percentage of random packet loss:
+ :code:`set traffic-policy network-emulator <policy name> packet-loss <percent>`
+
+* Set a percentage of packets for random reordering:
+ :code:`set traffic-policy network-emulator <policy name> packet-reordering
+ <percent>`
+
+* Set a queue length limit in packets, range 0...4294967295, default 127:
+ :code:`set traffic-policy network-emulator <policy name> queue-limit <limit>`
+
+Priority queue
+^^^^^^^^^^^^^^
+
+Up to seven queues with differing priorities can be defined, packets are placed
+into queues based on associated match criteria. Packets are transmitted from
+the queues in priority order. If queues with a higher order are being filled
+with packets continuously, packets from lower priority queues will only be
+transmitted after traffic volume from higher priority queues decreases.
+
+Available commands:
+
+* Define a priority queue:
+ :code:`set traffic-policy priority-queue <policy name>`
+
+* Add a description:
+ :code:`set traffic-policy priority-queue <policy name> description <description>`
+
+Traffic classes
+***************
+
+* Define a traffic class, each class is a separate queue, range for class ID
+ is 1...7, while 1 being the lowest priority: :code:`set traffic-policy
+ priority-queue <policy name> class <class ID>`
+
+* Add a class description: :code:`set traffic-policy priority-queue
+ <policy name> class <class ID> description <description>`
+
+* Set a queue length limit in packets, default 1000:
+ :code:`set traffic-policy priority-queue <policy name> class <class ID>
+ queue-limit <limit>`
+
+* Specify a queue type for a traffic class, available queue types:
+ * drop-tail
+ * fair-queue
+ * random-detect
+ :code:`set traffic-policy priority-queue <policy name> class <class ID>
+ queue-type <type>`
+
+**Default class**
+
+* Define a default priority queue:
+ :code:`set traffic-policy priority-queue <policy name> default`
+
+* Define a maximum queue length for the default traffic class in packets:
+ :code:`set traffic-policy priority-queue <policy name> default queue-limit
+ <limit>`
+
+* Specify the queuing type for the default traffic class, available queue types:
+ * drop-tail
+ * fair-queue
+ * random-detect
+ :code:`set traffic-policy priority-queue <policy name> default queue-type <type>`
+
+Matching rules
+^^^^^^^^^^^^^^
+
+* Define a class matching rule:
+ :code:`set traffic-policy priority-queue <policy name> class <class ID> match
+ <match name>`
+
+* Add a match rule description:
+ :code:`set traffic-policy priority-queue <policy name> class <class ID> match
+ <match name> description <description>`
+
+* Specify a match criterion based on a **destination MAC address**
+ (format: xx:xx:xx:xx:xx:xx): :code:`set traffic-policy priority-queue
+ <policy name> class <class ID> match <match name> ether destination
+ <MAC address>`
+
+* Specify a match criterion based on a **source MAC address**
+ (format: xx:xx:xx:xx:xx:xx): :code:`set traffic-policy priority-queue
+ <policy name> class <class ID> match <match name> ether source <MAC address>`
+
+* Specify a match criterion based on **packet type/protocol**, range 0...65535:
+ :code:`set traffic-policy priority-queue <policy name> class <class ID> match
+ <match name> ether protocol <number>`
+
+* Specify a match criterion based on **ingress interface**:
+ :code:`set traffic-policy priority-queue <policy name> class <class ID> match
+ <match name> interface <interface>`
+
+* Specify a match criterion based on the **fwmark field**, range 0....4294967295:
+ :code:`set traffic-policy priority-queue <policy name> class <class ID> match
+ <match name> mark <fwmark>`
+
+* Specify a match criterion based on **VLAN ID**, range 1...4096:
+ :code:`set traffic-policy priority-queue <policy name> class <class ID> match
+ <match name> vif <VLAN ID>`
+
+**IPv4**
+
+* Specify a match criterion based on **destination IPv4 address and/or port**,
+ port may be specified as number or service name (i.e. ssh): :code:`set
+ traffic-policy priority-queue <policy name> class <class ID> match
+ <match name> ip destination <IPv4 address|port>`
+
+* Specify a match criterion based on **source IPv4 address and/or port**, port
+ may be specified as number or service name (i.e. ssh): :code:`set
+ traffic-policy priority-queue <policy name> class <class ID> match
+ <match name> ip source <IPv4 address|port>`
+
+* Specify a match criterion based on **DSCP (Differentiated Services Code Point)
+ value**, DSCP value may be specified as decimal or hexadecimal number:
+ :code:`set traffic-policy priority-queue <policy name> class <class ID> match
+ <match name> ip dscp <DSCP value>`
+
+* Specify a match criterion based on **IPv4 protocol**, protocol may be
+ specified by name (i.e. icmp) or IANA-assigned number: :code:`set
+ traffic-policy priority-queue <policy name> class <class ID> match
+ <match name> ip protocol <proto>`
+
+**IPv6**
+
+* Specify a match criterion based on **destination IPv6 address and/or port**,
+ port may be specified as number or service name (i.e. ssh): :code:`set
+ traffic-policy priority-queue <policy name> class <class ID> match
+ <match name> ipv6 destination <IPv6 address|port>`
+
+* Specify a match criterion based on **source IPv6 address and/or port**, port
+ may be specified as number or service name (i.e. ssh): :code:`set
+ traffic-policy priority-queue <policy name> class <class ID> match
+ <match name> ipv6 source <IPv6 address|port>`
+
+* Specify a match criterion based on **DSCP (Differentiated Services Code Point)
+ value**, DSCP value may be specified as decimal or hexadecimal number:
+ :code:`set traffic-policy priority-queue <policy name> class <class ID> match
+ <match name> ipv6 dscp <DSCP value>`
+
+* Specify a match criterion based on **IPv6 protocol**, protocol may be
+ specified by name (i.e. icmp) or IANA-assigned number: :code:`set
+ traffic-policy priority-queue <policy name> class <class ID> match
+ <match name> ipv6 protocol <proto>`
+
+Random Early Detection (RED/WRED)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+RED
+***
+
+A Random Early Detection (RED) policy starts randomly dropping packets from a
+queue before it reaches its queue limit thus avoiding congestion. It is also
+beneficial for TCP connections as the gradual dropping of packets acts as a
+signal for the sender to decrease its transmission rate, avoiding global TCP
+synchronisation. Applicable to outbound traffic only.
+
+Available commands:
+
+* Define a RED policy:
+ :code:`set traffic-policy random-detect <policy name>`
+
+* Add a description:
+ :code:`set traffic-policy random-detect <policy name> description <description>`
+
+* Set a bandwidth limit, default auto:
+ :code:`set traffic-policy random-detect <policy name> bandwidth <rate>`
+ Available suffixes:</u>
+ * auto (bandwidth limit based on interface speed, default)
+ * kbit (kilobits per second)
+ * mbit (megabits per second)
+ * gbit (gigabits per second)
+ * kbps (kilobytes per second)
+ * mbps (megabytes per second)
+ * gbps (gigabytes per second)
+
+WRED
+****
+
+In contrast to RED, Weighted Random Early Detection (WRED) differentiates
+between classes of traffic in a single queue and assigns different precedence
+to traffic flows accordingly; low priority packets are dropped from a queue
+earlier than high priority packets. This is achieved by using the first three
+bits of the ToS (Type of Service) field to categorise data streams and in
+accordance with the defined precedence parameters a decision is made. A WRED
+policy is defined with the following parameters:
+
+* precedence
+* min-threshold
+* max-threshold
+* average-packet
+* mark-probability
+* queue-limit
+
+If the average queue size is lower than the :code:`min-threshold`, an arriving
+packet is placed in the queue. If the average queue size is between
+:code:`min-threshold` and :code:`max-threshold` an arriving packet is either
+dropped or placed in the queue depending on the defined :code:`mark-probability`.
+In case the average queue size is larger than :code:`max-threshold`, packets
+are dropped. If the current queue size is larger than :code:`queue-limit`,
+packets are dropped. The average queue size depends on its former average size
+and its current size. If :code:`max-threshold` is set but :code:`min-threshold`
+is not, then :code:`min-threshold` is scaled to 50% of :code:`max-threshold`.
+In principle, values must be :code:`min-threshold` < :code:`max-threshold` <
+:code:`queue-limit`. Applicable to outbound traffic only.
+
+Possible values for WRED parameters:
+
+* precedence - IP precedence, first three bits of the ToS field as defined in
+ RFC791_.
+
+ +------------+----------------------+
+ | Precedence | Priority |
+ +============+======================+
+ | 7 | Network Control |
+ +------------+----------------------+
+ | 6 | Internetwork Control |
+ +------------+----------------------+
+ | 5 | CRITIC/ECP |
+ +------------+----------------------+
+ | 4 | Flash Override |
+ +------------+----------------------+
+ | 3 | Flash |
+ +------------+----------------------+
+ | 2 | Immediate |
+ +------------+----------------------+
+ | 1 | Priority |
+ +------------+----------------------+
+ | 0 | Routine |
+ +------------+----------------------+
+
+* min-threshold - Min value for the average queue length, packets are dropped
+ if the average queue length reaches this threshold. Range 0...4096, default
+ is dependent on precedence:
+
+ +------------+-----------------------+
+ | Precedence | default min-threshold |
+ +============+=======================+
+ | 7 | 16 |
+ +------------+-----------------------+
+ | 6 | 15 |
+ +------------+-----------------------+
+ | 5 | 14 |
+ +------------+-----------------------+
+ | 4 | 13 |
+ +------------+-----------------------+
+ | 3 | 12 |
+ +------------+-----------------------+
+ | 2 | 11 |
+ +------------+-----------------------+
+ | 1 | 10 |
+ +------------+-----------------------+
+ | 0 | 9 |
+ +------------+-----------------------+
+
+* max-threshold - Max value for the average queue length, packets are dropped
+ if this value is exceeded. Range 0...4096 packets, default 18.
+
+* average-packet - Average packet size in bytes, default 1024.
+
+* mark-probability - The fraction of packets (n/probability) dropped from the
+ queue when the average queue length reaches <code>max-threshold</code>,
+ default 10.
+
+* queue-limit - Packets are dropped when the current queue length reaches this
+ value, default 4*<code>max-threshold</code>.
+
+Usage:
+:code:`set traffic-policy random-detect <policy-name> precedence
+<precedence> [average-packet <bytes> | mark-probability <probability> |
+max-threshold <max> | min-threshold <min> | queue-limit <packets>]`
+
+Rate control (TBF)
+^^^^^^^^^^^^^^^^^^
+
+The rate control policy uses the Token Bucket Filter (TBF_) algorithm to limit
+the packet flow to a set rate. Short bursts can be allowed to exceed the limit.
+Applicable to outbound traffic only.
+
+Available commands:
+
+* Define a rate control policy:
+ :code:`set traffic-policy rate-control <policy-name>`
+
+* Add a description:
+ :code:`set traffic-policy rate-control <policy-name> description <description>`
+
+* Specify a bandwidth limit in kbits/s:
+ :code:`set traffic-policy rate-control <policy-name> bandwidth <rate>`
+ Available suffixes:</u>
+ * kbit (kilobits per second, default)
+ * mbit (megabits per second)
+ * gbit (gigabits per second)
+ * kbps (kilobytes per second)
+ * mbps (megabytes per second)
+ * gbps (gigabytes per second)
+
+* Specify a burst size in bytes, default 15 kilobytes:
+ :code:`set traffic-policy rate-control <policy-name> burst <burst-size>`
+ Available suffixes:
+ * kb (kilobytes)
+ * mb (megabytes)
+ * gb (gigabytes)
+
+* Specify a latency in milliseconds; the maximum amount of time packets are
+ allowed to wait in the queue, default 50 milliseconds:
+ :code:`set traffic-policy rate-control <policy-name> latency`
+ Available suffixes:
+ * secs (seconds)
+ * ms (milliseconds, default)
+ * us (microseconds)
+
+Round robin (DRR)
+^^^^^^^^^^^^^^^^^
+
+The round robin policy divides available bandwidth between all defined traffic
+classes.
+
+Available commands:
+
+* Define a round robin policy:
+ :code:`set traffic-policy round-robin <policy-name>`
+
+* Add a description:
+ :code:`set traffic-policy round-robin <policy-name> description <description>`
+
+* Define a traffic class ID, range 2...4095:
+ :code:`set traffic-policy round-robin <policy-name> class <class>`
+
+**Default policy:**
+
+* Define a default priority queue:
+ :code:`set traffic-policy round-robin <policy name> default`
+
+* Set the number of packets that can be sent per scheduling quantum:
+ :code:`set traffic-policy round-robin <policy name> default quantum <packets>`
+
+* Define a maximum queue lenght for the default policy in packets:
+ :code:`set traffic-policy round-robin <policy name> default queue-limit <limit>`
+
+* Specify the queuing type for the default policy, available queue types:
+ * drop-tail
+ * fair-queue
+ * priority (based on the DSCP values in the ToS byte)
+ :code:`set traffic-policy round-robin <policy name> default queue-type <type>`
+
+Matching rules
+**************
+
+* Define a class matching rule:
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name>`
+
+* Add a match rule description:
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> description <description>`
+
+* Specify a match criterion based on a **destination MAC address** (format:
+ xx:xx:xx:xx:xx:xx):
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> ether destination <MAC address>`
+
+* Specify a match criterion based on a **source MAC address** (format:
+ xx:xx:xx:xx:xx:xx):
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> ether source <MAC address>`
+
+* Specify a match criterion based on **packet type/protocol**, range 0...65535:
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> ether protocol <number>`
+
+* Specify a match criterion based on **ingress interface**:
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> interface <interface>`
+
+* Specify a match criterion based on the **fwmark field**, range 0....4294967295:
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> mark <fwmark>`
+
+* Specify a match criterion based on **VLAN ID**, range 1...4096:
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> vif <VLAN ID>*`
+
+**IPv4**
+
+* Specify a match criterion based on **destination IPv4 address and/or port**,
+ port may be specified as number or service name (i.e. ssh):
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> ip destination <IPv4 address|port>`
+
+* Specify a match criterion based on **source IPv4 address and/or port**, port
+ may be specified as number or service name (i.e. ssh):
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> ip source <IPv4 address|port>`
+
+* Specify a match criterion based on **DSCP (Differentiated Services Code Point)
+ value**, DSCP value may be specified as decimal or hexadecimal number:
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> ip dscp <DSCP value>`
+
+* Specify a match criterion based on **IPv4 protocol**, protocol may be
+ specified by name (i.e. icmp) or IANA-assigned number:
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> ip protocol <proto>`
+
+**IPv6**
+
+* Specify a match criterion based on **destination IPv6 address and/or port**,
+ port may be specified as number or service name (i.e. ssh):
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> ipv6 destination <IPv6 address|port>`
+
+* Specify a match criterion based on **source IPv6 address and/or port**, port
+ may be specified as number or service name (i.e. ssh):
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> ipv6 source <IPv6 address|port>`
+
+* Specify a match criterion based on **DSCP (Differentiated Services Code Point)
+ value**, DSCP value may be specified as decimal or hexadecimal number:
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> ipv6 dscp <DSCP value>`
+
+* Specify a match criterion based on **IPv6 protocol**, protocol may be
+ specified by name (i.e. icmp) or IANA-assigned number:
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> ipv6 protocol <proto>`
+
+Traffic shaper
+--------------
+
+The shaper policy uses the Hierarchical Token Bucket algorithm to allocate
+different amounts of bandwidth to different traffic classes. In contrast to
+round robin, shaper limits bandwidth allocation by traffic class whereas round
+robin divides the total available bandwidth between classes.
+
+Avialable commands:
+
+* Define a shaper policy:
+ :code:`set traffic-policy shaper <policy-name>`
+
+* Add a description:
+ :code:`set traffic-policy shaper <policy-name> description <description>`
+
+* Set the available bandwidth for all combined traffic of this policy in kbit/s,
+ default 100%:
+ :code:`set traffic-policy shaper <policy-name> bandwidth <rate>`
+ Available suffixes:
+ * % (percentage of total bandwidth)
+ * kbit (kilobits per second)
+ * mbit (megabits per second)
+ * gbit (gigabits per second)
+ * kbps (kilobytes per second)
+ * mbps (megabytes per second)
+ * gbps (gigabytes per second)
+
+Traffic classes
+***************
+
+* Define a traffic class for a shaper policy, range for class ID is 2...4095:
+ :code:`set traffic-policy shaper <policy-name> class <class ID>`
+
+* Add a class description:
+ :code:`set traffic-policy shaper <policy name> class <class ID> description
+ <description>`
+
+* Specify a bandwidth limit for a class, in kbit/s:
+ :code:`set traffic-policy shaper <policy-name> class <class ID> bandwidth <rate>`
+ Available suffixes:
+ * kbit (kilobits per second, default)
+ * mbit (megabits per second)
+ * gbit (gigabits per second)
+ * kbps (kilobytes per second)
+ * mbps (megabytes per second)
+ * gbps (gigabytes per second)
+
+* Set a burst size for a class, the maximum amount of traffic that can be sent,
+ in bytes: :code:`set traffic-policy shaper <policy-name> class <class ID>
+ burst <burst-size>` Available suffixes:
+ * kb (kilobytes)
+ * mb (megabytes)
+ * gb (gigabytes)
+
+* Set a bandwidth ceiling for a class in kbit/s:
+ :code:`set traffic-policy shaper <policy-name> class <class ID> ceiling <rate>`
+ Available suffixes:
+ * % (percentage of total bandwidth)
+ * kbit (kilobits per second)
+ * mbit (megabits per second)
+ * gbit (gigabits per second)
+
+* Set the priority of a class for allocation of additional bandwidth, if unused
+ bandwidth is available. Range 0...7, lowest number has lowest priority,
+ default 0: :code:`set traffic-policy shaper <policy-name> class <class ID>
+ priority <priority>`
+
+* Set a queue length limit in packets:
+ :code:`set traffic-policy shaper <policy name> class <class ID> queue-limit
+ <limit>`
+
+* Specify a queue type for a traffic class, default fair-queue. Available
+ queue types:
+ * drop-tail
+ * fair-queue
+ * random-detect
+ * priority
+ :code:`set traffic-policy shaper <policy name> class <class ID> queue-type <type>`
+
+* Modify DSCP field; the DSCP field value of packets in a class can be
+ rewritten to change the forwarding behaviour and allow for traffic
+ conditioning: :code:`set traffic-policy shaper <policy name> class <class ID>
+ set-dscp <value>`
+
+ DSCP values as per RFC2474_ and RFC4595_:
+
+ +---------+------------+--------+------------------------------+
+ | Binary | Configured | Drop | Description |
+ | value | value | rate | |
+ +=========+============+========+==============================+
+ | 101110 | 46 | - | Expedited forwarding (EF) |
+ +---------+------------+--------+------------------------------+
+ | 000000 | 0 | - | Best effort traffic, default |
+ +---------+------------+--------+------------------------------+
+ | 001010 | 10 | Low | Assured Forwarding(AF) 11 |
+ +---------+------------+--------+------------------------------+
+ | 001100 | 12 | Medium | Assured Forwarding(AF) 12 |
+ +---------+------------+--------+------------------------------+
+ | 001110 | 14 | High | Assured Forwarding(AF) 13 |
+ +---------+------------+--------+------------------------------+
+ | 010010 | 18 | Low | Assured Forwarding(AF) 21 |
+ +---------+------------+--------+------------------------------+
+ | 010100 | 20 | Medium | Assured Forwarding(AF) 22 |
+ +---------+------------+--------+------------------------------+
+ | 010110 | 22 | High | Assured Forwarding(AF) 23 |
+ +---------+------------+--------+------------------------------+
+ | 011010 | 26 | Low | Assured Forwarding(AF) 31 |
+ +---------+------------+--------+------------------------------+
+ | 011100 | 28 | Medium | Assured Forwarding(AF) 32 |
+ +---------+------------+--------+------------------------------+
+ | 011110 | 30 | High | Assured Forwarding(AF) 33 |
+ +---------+------------+--------+------------------------------+
+ | 100010 | 34 | Low | Assured Forwarding(AF) 41 |
+ +---------+------------+--------+------------------------------+
+ | 100100 | 36 | Medium | Assured Forwarding(AF) 42 |
+ +---------+------------+--------+------------------------------+
+ | 100110 | 38 | High | Assured Forwarding(AF) 43 |
+ +---------+------------+--------+------------------------------+
+
+Matching rules
+**************
+
+* Define a class matching rule:
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name>`
+
+* Add a match rule description:
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name> description <description>`
+
+* Specify a match criterion based on a **destination MAC address**
+ (format: xx:xx:xx:xx:xx:xx):
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name> ether destination <MAC address>`
+
+* Specify a match criterion based on a **source MAC address**
+ (format: xx:xx:xx:xx:xx:xx):
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name> ether source <MAC address>`
+
+* Specify a match criterion based on **packet type/protocol**, range 0...65535:
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name> ether protocol <number>`
+
+* Specify a match criterion based on **ingress interface**:
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name> interface <interface>`
+
+* Specify a match criterion based on the **fwmark field**, range 0....4294967295:
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name> mark <fwmark>`
+
+* Specify a match criterion based on **VLAN ID**, range 1...4096:
+ :code:`set traffic-policy round-robin <policy name> class <class ID> match
+ <match name> vif <VLAN ID>`
+
+**IPv4**
+
+* Specify a match criterion based on **destination IPv4 address and/or port**,
+ port may be specified as number or service name (i.e. ssh):
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name> ip destination <IPv4 address|port>`
+
+* Specify a match criterion based on **source IPv4 address and/or port**, port
+ may be specified as number or service name (i.e. ssh):
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name> ip source <IPv4 address|port>`
+
+* Specify a match criterion based on **DSCP (Differentiated Services Code Point)
+ value**, DSCP value may be specified as decimal or hexadecimal number:
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name> ip dscp <DSCP value>`
+
+* Specify a match criterion based on **IPv4 protocol**, protocol may be
+ specified by name (i.e. icmp) or IANA-assigned number:
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name> ip protocol <proto>`
+
+**IPv6**
+
+* Specify a match criterion based on **destination IPv6 address and/or port**,
+ port may be specified as number or service name (i.e. ssh):
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name> ipv6 destination <IPv6 address|port>`
+
+* Specify a match criterion based on **source IPv6 address and/or port**,
+ port may be specified as number or service name (i.e. ssh):
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name> ipv6 source <IPv6 address|port>`
+
+* Specify a match criterion based on **DSCP (Differentiated Services Code Point)
+ value**, DSCP value may be specified as decimal or hexadecimal number:
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name> ipv6 dscp <DSCP value>`
+
+* Specify a match criterion based on **IPv6 protocol**, protocol may be
+ specified by name (i.e. icmp) or IANA-assigned number:
+ :code:`set traffic-policy shaper <policy name> class <class ID> match
+ <match name> ipv6 protocol <proto>`
+
+shaper-hfsc (HFSC_ + sfq)
+-------------------------
+
+The case of ingress shaping. Only a **limiter** policy can be applied directly
+for ingress traffic on an interface. It is possible though to use what is
+called an Intermediate Functional Block (IFB_) to allow the usage of any policy
+on the ingress traffic.
+
+Let's assume eth0 is your WAN link. You created two traffic-policies: `WAN-IN`
+and `WAN-OUT`.
+
+First, create the IFB:
+
+.. code-block:: sh
+
+ set interfaces input ifb0 description "WAN Input"
+
+Apply the `WAN-OUT` traffic-policy to ifb0 input.
+
+.. code-block:: sh
+
+ set interfaces input ifb0 traffic-policy in WAN-IN
+
+Redirect traffic from eth0 to ifb0
+
+.. code-block:: sh
+
+ set interfaces ethernet eth0 redirect ifb0
+
+Classful policies and traffic matching
+--------------------------------------
+
+`limiter`, `round-robin`, `priority-queue`, `shaper` and `shaper-hfsc`
+distribute traffic into different classes with different options. In VyOS,
+classes are numbered and work like firewall rules. e.g:
+
+.. code-block:: sh
+
+ set traffic-policy shaper SHAPER class 30
+
+Matching traffic
+^^^^^^^^^^^^^^^^
+
+A class can have multiple match filters:
+
+.. code-block:: sh
+
+ set traffic-policy <POLICY> <POLICY-NAME> class N match MATCH-FILTER-NAME
+
+Example:
+
+.. code-block:: sh
+
+ set traffic-policy shaper SHAPER class 30 match HTTP
+ set traffic-policy shaper SHAPER class 30 match HTTPs
+
+A match filter contains multiple criteria and will match traffic if all those criteria are true.
+
+For example:
+
+.. code-block:: sh
+
+ set traffic-policy shaper SHAPER class 30 match HTTP ip protocol tcp
+ set traffic-policy shaper SHAPER class 30 match HTTP ip source port 80
+
+This will match tcp traffic with source port 80.
+
+description
+***********
+
+.. code-block:: sh
+
+ set traffic-policy shaper SHAPER class 30 match MATCH description "match filter description"
+
+ether
+*****
+
+.. code-block:: sh
+
+ edit traffic-policy shaper SHAPER class 30 match MATCH ether
+
+destination
+***********
+
+protocol
+********
+
+source
+******
+
+interface
+*********
+
+.. code-block:: sh
+
+ edit traffic-policy shaper SHAPER class 30 match MATCH interface <interface-name>
+
+ip
+**
+.. code-block:: sh
+
+ edit traffic-policy shaper SHAPER class 30 match MATCH ip
+
+destination
+***********
+
+.. code-block:: sh
+
+ set destination address IPv4-SUBNET
+ set destination port U32-PORT
+
+dscp
+****
+
+.. code-block:: sh
+
+ set dscp DSCPVALUE
+
+max-length
+**********
+
+.. code-block:: sh
+
+ set max-length U32-MAXLEN
+
+Will match ipv4 packets with a total length lesser than set value.
+
+protocol
+********
+.. code-block:: sh
+
+ set protocol <IP PROTOCOL>
+
+source
+******
+
+.. code-block:: sh
+
+ set source address IPv4-SUBNET
+ set source port U32-PORT
+
+tcp
+***
+
+**NOTE:** you must set ip protocol to TCP to use the TCP filters.
+**NOTE#2**: This filter will only match packets with an IPv4 header length of
+20 bytes (which is the majority of IPv4 packets anyway).
+
+.. code-block:: sh
+
+ set tcp ack
+
+Will match tcp packets with ACK flag set.
+.. code-block:: sh
+
+ set tcp syn
+
+Will match tcp packets with SYN flag set.
+
+ipv6
+****
+
+.. code-block:: sh
+
+ edit traffic-policy shaper SHAPER class 30 match MATCH ipv6
+
+destination
+***********
+
+ .. code-block:: sh
+
+ set destination address IPv6-SUBNET
+ set destination port U32-PORT
+
+dscp
+****
+
+.. code-block:: sh
+
+ set dscp DSCPVALUE
+
+max-length
+**********
+
+.. code-block:: sh
+
+ set max-length U32-MAXLEN
+
+Will match ipv6 packets with a payload length lesser than set value.
+
+protocol
+********
+
+.. code-block:: sh
+
+ set protocol IPPROTOCOL
+
+source
+******
+
+.. code-block:: sh
+
+ set source address IPv6-SUBNET
+ set source port U32-PORT
+
+tcp
+***
+
+**NOTE**: you must set ipv6 protocol to TCP to use the TCP filters.
+**NOTE#2**: This filter will only match IPv6 packets with no header extension
+(http://en.wikipedia.org/wiki/IPv6_packet#Extension_headers no header extension).
+
+.. code-block:: sh
+
+ set tcp ack
+
+Will match tcp packets with ACK flag set.
+
+.. code-block:: sh
+
+ set tcp syn
+
+Will match tcp packets with SYN flag set.
+
+mark
+****
+
+.. code-block:: sh
+
+ set traffic-policy shaper SHAPER class 30 match MATCH mark **firewall-mark**
+
+vif
+***
+
+.. code-block:: sh
+
+ set traffic-policy shaper SHAPER class 30 match MATCH vif **vlan-tag**
+
+
+
+Examples:
+---------
One common use of traffic policy is to limit bandwidth for an interface. In
the example below we limit bandwidth for our LAN connection to 200 Mbit
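Review bot: the IFB walkthrough's prose contradicts its own command: under "Apply the `WAN-OUT` traffic-policy to ifb0 input." the command given is `set interfaces input ifb0 traffic-policy in WAN-IN`, and since ifb0 only receives what `set interfaces ethernet eth0 redirect ifb0` hands it from the WAN ingress side, WAN-IN is the intended policy and the sentence should say WAN-IN (WAN-OUT belongs on eth0 `traffic-policy out`). That same walkthrough sits under the heading "shaper-hfsc (HFSC_ + sfq)" but says nothing about shaper-hfsc; give the ingress/IFB text its own heading (for example "Ingress shaping with IFB") and either fill the shaper-hfsc section or drop the empty heading. In the shaper "Matching rules" list the VLAN criterion reads `set traffic-policy round-robin <policy name> class <class ID> match <match name> vif <VLAN ID>`; it should be `shaper` like its neighbours, and the stated range 1...4096 exceeds the 12-bit 802.1Q VID space (maximum 4095), so check it against what the CLI validator actually accepts. The DSCP table introduction references `RFC4595_`, but the target added at the end of the file points to rfc4594; rename the label to RFC4594 in both places. Two RST breakages in the per-criterion subsections: after "Will match tcp packets with ACK flag set." the `.. code-block:: sh` for `set tcp syn` follows with no blank line, so docutils will fold the directive into the paragraph instead of rendering a code block; and under the ipv6 "destination" heading the directive is indented one space, which turns it into a block quote. Finally, the "description/ether/interface/ip/ipv6/mark/vif" subsections repeat what the "Matching rules" list above already documents, and the ether "destination", "protocol" and "source" headings have no body at all; either fill them or fold the walk-through into the list so each criterion is described once.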
@@ -53,13 +1215,10 @@ interface-level `traffic-policy` directive:
Note that a traffic policy can also be defined to match specific traffic flows
using class statements.
-VyOS 1.2 (Crux) also supports HFSC_:
-
-.. code-block:: sh
-
- set traffic-policy shaper-hfsc
-
-See further information on the QoS_ page.
-
+.. _tc: http://en.wikipedia.org/wiki/Tc_(Linux)
+.. _RFC791: https://tools.ietf.org/html/rfc791
+.. _TBF: https://en.wikipedia.org/wiki/Token_bucket
+.. _RFC2474: https://tools.ietf.org/html/rfc2474#page-7
+.. _RFC4595: https://tools.ietf.org/html/rfc4594#page-19
.. _HFSC: https://en.wikipedia.org/wiki/Hierarchical_fair-service_curve
-.. _QoS: https://wiki.vyos.net/wiki/QoS
+.. _IFB: http://www.linuxfoundation.org/collaborate/workgroups/networking/ifb
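Review bot: the hyperlink target label `.. _RFC4595:` points at https://tools.ietf.org/html/rfc4594#page-19, so the label does not match the document it links; rename it `.. _RFC4594:` (together with the `RFC4595_` reference in the DSCP table introduction) so a reader looking up the RFC number finds the right one. The `.. _tc:` and `.. _IFB:` targets use plain http while the neighbouring targets use https; switch them to https where the sites support it, for consistency with the rest of the list. Dropping `.. _QoS:` is consistent with removing the "See further information on the QoS_ page." sentence, and removing the shaper-hfsc stub here is fine only if the new shaper-hfsc heading earlier in the file actually receives content, which in this patch it does not.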