From 3590944f01fc3e2d21b70a14c0b6cec1e02caef7 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Wed, 3 Oct 2018 12:58:56 +0200 Subject: Extend QoS chapter --- docs/ch10-qos.rst | 1179 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 1169 insertions(+), 10 deletions(-) (limited to 'docs') diff --git a/docs/ch10-qos.rst b/docs/ch10-qos.rst index 3dba8e71..114d64ba 100644 --- a/docs/ch10-qos.rst +++ b/docs/ch10-qos.rst @@ -1,7 +1,1169 @@ QoS and Traffic Policy ====================== -The traffic policy subsystem provides an interface to Linux traffic control. +VyOS uses tc_ as backend for QoS. VyOS provides its users with configuration +nodes for the following shaping/queueing/policing disciplines: + +* HTB +* HFSC +* SFQ +* pfifo +* network-emulator +* PRIO +* GRED +* TBF +* DRR + +VyOS QoS configuration is done in two steps. The first one consists in setting +up your classes/queues and traffic filters to distribute traffic amongst them. +The second step is to apply such traffic policy to an interface ingress or +egress. + +Creating a traffic policy +------------------------- + +Such configuration takes place under the `traffic-policy` tree. + +Available subtrees : + +.. code-block:: sh + + set traffic-policy drop-tail NAME + set traffic-policy fair-queue NAME + set traffic-policy limiter NAME + set traffic-policy network-emulator NAME + set traffic-policy priority-queue NAME + set traffic-policy random-detect NAME + set traffic-policy rate-control NAME + set traffic-policy round-robin NAME + set traffic-policy shaper NAME + set traffic-policy shaper-hfsc NAME + +Apply traffic policy to an interface +------------------------------------ + +Once a traffic-policy is created, you can apply it to an interface : + +.. code-block:: sh + + set interfaces ethernet eth0 traffic-policy in WAN-IN + set interfaces etherhet eth0 traffic-policy out WAN-OUT + +Traffic policies in VyOS +------------------------ +An overview of QoS traffic policies supported by VyOS. + +Drop-tail (FIFO) +^^^^^^^^^^^^^^^^ + +A packet queuing mechanism on a FIFO (First In, First Out) basis; packets are +sent out in the same order as they arrive. The queue has a defined length, +packets arriving after the queue is filled up will be dropped (hence the name +`drop tail`, the "tail" of the queue will be dropped). With this policy in +place, all traffic is treated equally and put into a single queue. Applicable +to outbound traffic only. + +Available commands: + +* Define a drop-tail policy (unique name, exclusive to this policy): + :code:`set traffic-policy drop-tail ` + +* Add a description: + :code:`set traffic-policy drop-tail description ` + +* Set the queue length limit (max. number of packets in queue), range + 0...4294967295 packets: :code:`set traffic-policy drop-tail + queue-limit ` + +Fair queue (SFQ) +^^^^^^^^^^^^^^^^ + +Fair queue is a packet queuing mechanism that separates traffic flows based on +their source/destination IP addresses and/or source port and places them into +buckets. Bandwidth is allocated fairly between buckets based on the Stochastic +airness Queuing algorithm. Applicable to outbound traffic only. + +Available commands: + +* Define a fair queue policy: + :code:`set traffic-policy fair-queue ` + +* Add a description: + :code:`set traffic-policy fair-queue description ` + +* Set hash update interval; the algorithm used is stochastic and thus not + 'truly' fair, hash collisions can occur, in which case traffic flows may be + put into the same bucket. To mitigate this, the hashes can be updated at a + set interval, Range 0...4294967295 seconds: :code:`set traffic-policy + fair-queue hash-interval ` + +* Set the queue-limit (max. number of packets in queue), range 0...4294967295 + packets, default 127: :code:`set traffic-policy fair-queue + queue-limit ` + +Limiter +^^^^^^^ + +The limiter performs ingress policing of traffic flows. Multiple classes of +traffic can be defined and traffic limits can be applied to each class. Traffic +exceeding the defined bandwidth limits is dropped. Applicable to inbound +traffic only. + +Available commands: + +* Define a traffic limiter policy: + :code:`set traffic-policy limiter ` +* Add a description: + :code:`set traffic-policy limiter description ` + +Traffic classes +^^^^^^^^^^^^^^^ + +* Define a traffic class for a limiter policy, range for class ID is 1...4095: + :code:`set traffic-policy limiter class ` +* Add a class description: + :code:`set traffic-policy limiter class description + ` +* Specify a bandwidth limit for a class, in kbit/s: + :code:`set traffic-policy limiter class bandwidth + `. Available suffixes: + + * kbit (kilobits per second, default) + * mbit (megabits per second) + * gbit (gigabits per second) + * kbps (kilobytes per second) + * mbps (megabytes per second) + * gbps (gigabytes per second) + +* Set a burst size for a class, the maximum amount of traffic that can be sent, + in bytes: :code:`set traffic-policy limiter class + burst `. Available suffixes: + + * kb (kilobytes) + * mb (megabytes) + * gb (gigabytes) + +Default class +^^^^^^^^^^^^^ + +* Define a default class for a limiter policy that applies to traffic not + matching any other classes for this policy: :code:`set traffic-policy limiter + default` + +* Specify a bandwidth limit for the default class, in kbit/s: :code:`set + traffic-policy limiter default bandwidth `. Available + suffixes: + + * kbit (kilobits per second, default) + * mbit (megabits per second) + * gbit (gigabits per second) + * kbps (kilobytes per second) + * mbps (megabytes per second) + * gbps (gigabytes per second) + +* Set a burst size for the default class, the maximum amount of traffic that + can be sent, in bytes: :code:`set traffic-policy limiter + default burst `. Available suffixes: + + * kb (kilobytes) + * mb (megabytes) + * gb (gigabytes) + +* Specify the priority of the default class to set the order in which the rules + are evaluated, the higher the number the lower the priority, range 0...20 + (default 20): :code:`set traffic-policy limiter default + priority ` + +Matching rules +^^^^^^^^^^^^^^ + +* Define a traffic class matching rule: + :code:`set traffic-policy limiter class match + ` + +* Add a description: + :code:`set traffic-policy limiter class match + description ` + +* Specify the priority of a matching rule to set the order in which the rules + are evaluated, the higher the number the lower the priority, range 0...20 + (default 20): :code:`set traffic-policy limiter class + priority ` + +* Specify a match criterion based on a **destination MAC address** + (format: xx:xx:xx:xx:xx:xx): :code:`set traffic-policy limiter + class match ether destination ` + +* Specify a match criterion based on a **source MAC address** (format: + xx:xx:xx:xx:xx:xx): :code:`set traffic-policy limiter class + match ether source ` + +* Specify a match criterion based on **packet type/protocol**, range 0...65535: + :code:`set traffic-policy limiter class match + ether protocol ` + +* Specify a match criterion based on the **fwmark field**, range 0....4294967295: + :code:`set traffic-policy limiter class match + mark ` + +* Specify a match criterion based on **VLAN ID**, range 1...4096: + :code:`set traffic-policy limiter class match + vif ` + +**IPv4** + +* Specify a match criterion based on **destination IPv4 address** and/or port, + port may be specified as number or service name (i.e. ssh): :code:`set + traffic-policy limiter class match ip + destination ` + +* Specify a match criterion based on **source IPv4 address** and/or port, port + may be specified as number or service name (i.e. ssh): :code:`set + traffic-policy limiter class match ip + source ` + +* Specify a match criterion based on **DSCP (Differentiated Services Code Point) + value**, DSCP value may be specified as decimal or hexadecimal number: + :code:`set traffic-policy limiter class match + ip dscp ` + +* Specify a match criterion based on **IPv4 protocol**, protocol may be + specified by name (i.e. icmp) or IANA-assigned number: :code:`set + traffic-policy limiter class match ip + protocol ` + +**IPv6** + +* Specify a match criterion based on **destination IPv6 address and/or port**, + port may be specified as number or service name (i.e. ssh): :code:`set + traffic-policy limiter class match + ipv6 destination ` + +* Specify a match criterion based on **source IPv6 address and/or port**, port + may be specified as number or service name (i.e. ssh): :code:`set + traffic-policy limiter class match + ipv6 source ` + +* Specify a match criterion based on **DSCP (Differentiated Services Code + Point) value**, DSCP value may be specified as decimal or hexadecimal number: + :code:`set traffic-policy limiter class match + ipv6 dscp ` + +* Specify a match criterion based on **IPv6 protocol**, protocol may be + specified by name (i.e. icmp) or IANA-assigned number: :code:`set + traffic-policy limiter class match + ipv6 protocol ` + +Network emulator +^^^^^^^^^^^^^^^^ + +The network emulator policy emulates WAN traffic, which is useful for testing +purposes. Applicable to outbound traffic only. + +Available commands: + +* Define a network emulator policy: + :code:`set traffic-policy network-emulator ` + +* Add a description: + :code:`set traffic-policy network-emulator description ` + +* Specify a bandwidth limit in kbit/s: + :code:`set traffic-policy network-emulator bandwidth ` + Available suffixes: + * kbit (kilobits per second, default) + * mbit (megabits per second) + * gbit (gigabits per second) + * kbps (kilobytes per second) + * mbps (megabytes per second) + * gbps (gigabytes per second) + +* Set a burst size, the maximum amount of traffic that can be sent, in bytes: + :code:`set traffic-policy network-emulator burst ` + Available suffixes: + * kb (kilobytes) + * mb (megabytes) + * gb (gigabytes) + +* Define a delay between packets: + :code:`set traffic-policy network-emulator network-delay ` + Available suffixes: + * secs (seconds) + * ms (milliseconds, default) + * us (microseconds) + +* Set a percentage of corrupted of packets (one bit flip, unchanged checksum): + :code:`set traffic-policy network-emulator packet-corruption + ` + +* Set a percentage of random packet loss: + :code:`set traffic-policy network-emulator packet-loss ` + +* Set a percentage of packets for random reordering: + :code:`set traffic-policy network-emulator packet-reordering + ` + +* Set a queue length limit in packets, range 0...4294967295, default 127: + :code:`set traffic-policy network-emulator queue-limit ` + +Priority queue +^^^^^^^^^^^^^^ + +Up to seven queues with differing priorities can be defined, packets are placed +into queues based on associated match criteria. Packets are transmitted from +the queues in priority order. If queues with a higher order are being filled +with packets continuously, packets from lower priority queues will only be +transmitted after traffic volume from higher priority queues decreases. + +Available commands: + +* Define a priority queue: + :code:`set traffic-policy priority-queue ` + +* Add a description: + :code:`set traffic-policy priority-queue description ` + +Traffic classes +*************** + +* Define a traffic class, each class is a separate queue, range for class ID + is 1...7, while 1 being the lowest priority: :code:`set traffic-policy + priority-queue class ` + +* Add a class description: :code:`set traffic-policy priority-queue + class description ` + +* Set a queue length limit in packets, default 1000: + :code:`set traffic-policy priority-queue class + queue-limit ` + +* Specify a queue type for a traffic class, available queue types: + * drop-tail + * fair-queue + * random-detect + :code:`set traffic-policy priority-queue class + queue-type ` + +**Default class** + +* Define a default priority queue: + :code:`set traffic-policy priority-queue default` + +* Define a maximum queue length for the default traffic class in packets: + :code:`set traffic-policy priority-queue default queue-limit + ` + +* Specify the queuing type for the default traffic class, available queue types: + * drop-tail + * fair-queue + * random-detect + :code:`set traffic-policy priority-queue default queue-type ` + +Matching rules +^^^^^^^^^^^^^^ + +* Define a class matching rule: + :code:`set traffic-policy priority-queue class match + ` + +* Add a match rule description: + :code:`set traffic-policy priority-queue class match + description ` + +* Specify a match criterion based on a **destination MAC address** + (format: xx:xx:xx:xx:xx:xx): :code:`set traffic-policy priority-queue + class match ether destination + ` + +* Specify a match criterion based on a **source MAC address** + (format: xx:xx:xx:xx:xx:xx): :code:`set traffic-policy priority-queue + class match ether source ` + +* Specify a match criterion based on **packet type/protocol**, range 0...65535: + :code:`set traffic-policy priority-queue class match + ether protocol ` + +* Specify a match criterion based on **ingress interface**: + :code:`set traffic-policy priority-queue class match + interface ` + +* Specify a match criterion based on the **fwmark field**, range 0....4294967295: + :code:`set traffic-policy priority-queue class match + mark ` + +* Specify a match criterion based on **VLAN ID**, range 1...4096: + :code:`set traffic-policy priority-queue class match + vif ` + +**IPv4** + +* Specify a match criterion based on **destination IPv4 address and/or port**, + port may be specified as number or service name (i.e. ssh): :code:`set + traffic-policy priority-queue class match + ip destination ` + +* Specify a match criterion based on **source IPv4 address and/or port**, port + may be specified as number or service name (i.e. ssh): :code:`set + traffic-policy priority-queue class match + ip source ` + +* Specify a match criterion based on **DSCP (Differentiated Services Code Point) + value**, DSCP value may be specified as decimal or hexadecimal number: + :code:`set traffic-policy priority-queue class match + ip dscp ` + +* Specify a match criterion based on **IPv4 protocol**, protocol may be + specified by name (i.e. icmp) or IANA-assigned number: :code:`set + traffic-policy priority-queue class match + ip protocol ` + +**IPv6** + +* Specify a match criterion based on **destination IPv6 address and/or port**, + port may be specified as number or service name (i.e. ssh): :code:`set + traffic-policy priority-queue class match + ipv6 destination ` + +* Specify a match criterion based on **source IPv6 address and/or port**, port + may be specified as number or service name (i.e. ssh): :code:`set + traffic-policy priority-queue class match + ipv6 source ` + +* Specify a match criterion based on **DSCP (Differentiated Services Code Point) + value**, DSCP value may be specified as decimal or hexadecimal number: + :code:`set traffic-policy priority-queue class match + ipv6 dscp ` + +* Specify a match criterion based on **IPv6 protocol**, protocol may be + specified by name (i.e. icmp) or IANA-assigned number: :code:`set + traffic-policy priority-queue class match + ipv6 protocol ` + +Random Early Detection (RED/WRED) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +RED +*** + +A Random Early Detection (RED) policy starts randomly dropping packets from a +queue before it reaches its queue limit thus avoiding congestion. It is also +beneficial for TCP connections as the gradual dropping of packets acts as a +signal for the sender to decrease its transmission rate, avoiding global TCP +synchronisation. Applicable to outbound traffic only. + +Available commands: + +* Define a RED policy: + :code:`set traffic-policy random-detect ` + +* Add a description: + :code:`set traffic-policy random-detect description ` + +* Set a bandwidth limit, default auto: + :code:`set traffic-policy random-detect bandwidth ` + Available suffixes: + * auto (bandwidth limit based on interface speed, default) + * kbit (kilobits per second) + * mbit (megabits per second) + * gbit (gigabits per second) + * kbps (kilobytes per second) + * mbps (megabytes per second) + * gbps (gigabytes per second) + +WRED +**** + +In contrast to RED, Weighted Random Early Detection (WRED) differentiates +between classes of traffic in a single queue and assigns different precedence +to traffic flows accordingly; low priority packets are dropped from a queue +earlier than high priority packets. This is achieved by using the first three +bits of the ToS (Type of Service) field to categorise data streams and in +accordance with the defined precedence parameters a decision is made. A WRED +policy is defined with the following parameters: + +* precedence +* min-threshold +* max-threshold +* average-packet +* mark-probability +* queue-limit + +If the average queue size is lower than the :code:`min-threshold`, an arriving +packet is placed in the queue. If the average queue size is between +:code:`min-threshold` and :code:`max-threshold` an arriving packet is either +dropped or placed in the queue depending on the defined :code:`mark-probability`. +In case the average queue size is larger than :code:`max-threshold`, packets +are dropped. If the current queue size is larger than :code:`queue-limit`, +packets are dropped. The average queue size depends on its former average size +and its current size. If :code:`max-threshold` is set but :code:`min-threshold` +is not, then :code:`min-threshold` is scaled to 50% of :code:`max-threshold`. +In principle, values must be :code:`min-threshold` < :code:`max-threshold` < +:code:`queue-limit`. Applicable to outbound traffic only. + +Possible values for WRED parameters: + +* precedence - IP precedence, first three bits of the ToS field as defined in + RFC791_. + + +------------+----------------------+ + | Precedence | Priority | + +============+======================+ + | 7 | Network Control | + +------------+----------------------+ + | 6 | Internetwork Control | + +------------+----------------------+ + | 5 | CRITIC/ECP | + +------------+----------------------+ + | 4 | Flash Override | + +------------+----------------------+ + | 3 | Flash | + +------------+----------------------+ + | 2 | Immediate | + +------------+----------------------+ + | 1 | Priority | + +------------+----------------------+ + | 0 | Routine | + +------------+----------------------+ + +* min-threshold - Min value for the average queue length, packets are dropped + if the average queue length reaches this threshold. Range 0...4096, default + is dependent on precedence: + + +------------+-----------------------+ + | Precedence | default min-threshold | + +============+=======================+ + | 7 | 16 | + +------------+-----------------------+ + | 6 | 15 | + +------------+-----------------------+ + | 5 | 14 | + +------------+-----------------------+ + | 4 | 13 | + +------------+-----------------------+ + | 3 | 12 | + +------------+-----------------------+ + | 2 | 11 | + +------------+-----------------------+ + | 1 | 10 | + +------------+-----------------------+ + | 0 | 9 | + +------------+-----------------------+ + +* max-threshold - Max value for the average queue length, packets are dropped + if this value is exceeded. Range 0...4096 packets, default 18. + +* average-packet - Average packet size in bytes, default 1024. + +* mark-probability - The fraction of packets (n/probability) dropped from the + queue when the average queue length reaches max-threshold, + default 10. + +* queue-limit - Packets are dropped when the current queue length reaches this + value, default 4*max-threshold. + +Usage: +:code:`set traffic-policy random-detect precedence + [average-packet | mark-probability | +max-threshold | min-threshold | queue-limit ]` + +Rate control (TBF) +^^^^^^^^^^^^^^^^^^ + +The rate control policy uses the Token Bucket Filter (TBF_) algorithm to limit +the packet flow to a set rate. Short bursts can be allowed to exceed the limit. +Applicable to outbound traffic only. + +Available commands: + +* Define a rate control policy: + :code:`set traffic-policy rate-control ` + +* Add a description: + :code:`set traffic-policy rate-control description ` + +* Specify a bandwidth limit in kbits/s: + :code:`set traffic-policy rate-control bandwidth ` + Available suffixes: + * kbit (kilobits per second, default) + * mbit (megabits per second) + * gbit (gigabits per second) + * kbps (kilobytes per second) + * mbps (megabytes per second) + * gbps (gigabytes per second) + +* Specify a burst size in bytes, default 15 kilobytes: + :code:`set traffic-policy rate-control burst ` + Available suffixes: + * kb (kilobytes) + * mb (megabytes) + * gb (gigabytes) + +* Specify a latency in milliseconds; the maximum amount of time packets are + allowed to wait in the queue, default 50 milliseconds: + :code:`set traffic-policy rate-control latency` + Available suffixes: + * secs (seconds) + * ms (milliseconds, default) + * us (microseconds) + +Round robin (DRR) +^^^^^^^^^^^^^^^^^ + +The round robin policy divides available bandwidth between all defined traffic +classes. + +Available commands: + +* Define a round robin policy: + :code:`set traffic-policy round-robin ` + +* Add a description: + :code:`set traffic-policy round-robin description ` + +* Define a traffic class ID, range 2...4095: + :code:`set traffic-policy round-robin class ` + +**Default policy:** + +* Define a default priority queue: + :code:`set traffic-policy round-robin default` + +* Set the number of packets that can be sent per scheduling quantum: + :code:`set traffic-policy round-robin default quantum ` + +* Define a maximum queue lenght for the default policy in packets: + :code:`set traffic-policy round-robin default queue-limit ` + +* Specify the queuing type for the default policy, available queue types: + * drop-tail + * fair-queue + * priority (based on the DSCP values in the ToS byte) + :code:`set traffic-policy round-robin default queue-type ` + +Matching rules +************** + +* Define a class matching rule: + :code:`set traffic-policy round-robin class match + ` + +* Add a match rule description: + :code:`set traffic-policy round-robin class match + description ` + +* Specify a match criterion based on a **destination MAC address** (format: + xx:xx:xx:xx:xx:xx): + :code:`set traffic-policy round-robin class match + ether destination ` + +* Specify a match criterion based on a **source MAC address** (format: + xx:xx:xx:xx:xx:xx): + :code:`set traffic-policy round-robin class match + ether source ` + +* Specify a match criterion based on **packet type/protocol**, range 0...65535: + :code:`set traffic-policy round-robin class match + ether protocol ` + +* Specify a match criterion based on **ingress interface**: + :code:`set traffic-policy round-robin class match + interface ` + +* Specify a match criterion based on the **fwmark field**, range 0....4294967295: + :code:`set traffic-policy round-robin class match + mark ` + +* Specify a match criterion based on **VLAN ID**, range 1...4096: + :code:`set traffic-policy round-robin class match + vif *` + +**IPv4** + +* Specify a match criterion based on **destination IPv4 address and/or port**, + port may be specified as number or service name (i.e. ssh): + :code:`set traffic-policy round-robin class match + ip destination ` + +* Specify a match criterion based on **source IPv4 address and/or port**, port + may be specified as number or service name (i.e. ssh): + :code:`set traffic-policy round-robin class match + ip source ` + +* Specify a match criterion based on **DSCP (Differentiated Services Code Point) + value**, DSCP value may be specified as decimal or hexadecimal number: + :code:`set traffic-policy round-robin class match + ip dscp ` + +* Specify a match criterion based on **IPv4 protocol**, protocol may be + specified by name (i.e. icmp) or IANA-assigned number: + :code:`set traffic-policy round-robin class match + ip protocol ` + +**IPv6** + +* Specify a match criterion based on **destination IPv6 address and/or port**, + port may be specified as number or service name (i.e. ssh): + :code:`set traffic-policy round-robin class match + ipv6 destination ` + +* Specify a match criterion based on **source IPv6 address and/or port**, port + may be specified as number or service name (i.e. ssh): + :code:`set traffic-policy round-robin class match + ipv6 source ` + +* Specify a match criterion based on **DSCP (Differentiated Services Code Point) + value**, DSCP value may be specified as decimal or hexadecimal number: + :code:`set traffic-policy round-robin class match + ipv6 dscp ` + +* Specify a match criterion based on **IPv6 protocol**, protocol may be + specified by name (i.e. icmp) or IANA-assigned number: + :code:`set traffic-policy round-robin class match + ipv6 protocol ` + +Traffic shaper +-------------- + +The shaper policy uses the Hierarchical Token Bucket algorithm to allocate +different amounts of bandwidth to different traffic classes. In contrast to +round robin, shaper limits bandwidth allocation by traffic class whereas round +robin divides the total available bandwidth between classes. + +Avialable commands: + +* Define a shaper policy: + :code:`set traffic-policy shaper ` + +* Add a description: + :code:`set traffic-policy shaper description ` + +* Set the available bandwidth for all combined traffic of this policy in kbit/s, + default 100%: + :code:`set traffic-policy shaper bandwidth ` + Available suffixes: + * % (percentage of total bandwidth) + * kbit (kilobits per second) + * mbit (megabits per second) + * gbit (gigabits per second) + * kbps (kilobytes per second) + * mbps (megabytes per second) + * gbps (gigabytes per second) + +Traffic classes +*************** + +* Define a traffic class for a shaper policy, range for class ID is 2...4095: + :code:`set traffic-policy shaper class ` + +* Add a class description: + :code:`set traffic-policy shaper class description + ` + +* Specify a bandwidth limit for a class, in kbit/s: + :code:`set traffic-policy shaper class bandwidth ` + Available suffixes: + * kbit (kilobits per second, default) + * mbit (megabits per second) + * gbit (gigabits per second) + * kbps (kilobytes per second) + * mbps (megabytes per second) + * gbps (gigabytes per second) + +* Set a burst size for a class, the maximum amount of traffic that can be sent, + in bytes: :code:`set traffic-policy shaper class + burst ` Available suffixes: + * kb (kilobytes) + * mb (megabytes) + * gb (gigabytes) + +* Set a bandwidth ceiling for a class in kbit/s: + :code:`set traffic-policy shaper class ceiling ` + Available suffixes: + * % (percentage of total bandwidth) + * kbit (kilobits per second) + * mbit (megabits per second) + * gbit (gigabits per second) + +* Set the priority of a class for allocation of additional bandwidth, if unused + bandwidth is available. Range 0...7, lowest number has lowest priority, + default 0: :code:`set traffic-policy shaper class + priority ` + +* Set a queue length limit in packets: + :code:`set traffic-policy shaper class queue-limit + ` + +* Specify a queue type for a traffic class, default fair-queue. Available + queue types: + * drop-tail + * fair-queue + * random-detect + * priority + :code:`set traffic-policy shaper class queue-type ` + +* Modify DSCP field; the DSCP field value of packets in a class can be + rewritten to change the forwarding behaviour and allow for traffic + conditioning: :code:`set traffic-policy shaper class + set-dscp ` + + DSCP values as per RFC2474_ and RFC4595_: + + +---------+------------+--------+------------------------------+ + | Binary | Configured | Drop | Description | + | value | value | rate | | + +=========+============+========+==============================+ + | 101110 | 46 | - | Expedited forwarding (EF) | + +---------+------------+--------+------------------------------+ + | 000000 | 0 | - | Best effort traffic, default | + +---------+------------+--------+------------------------------+ + | 001010 | 10 | Low | Assured Forwarding(AF) 11 | + +---------+------------+--------+------------------------------+ + | 001100 | 12 | Medium | Assured Forwarding(AF) 12 | + +---------+------------+--------+------------------------------+ + | 001110 | 14 | High | Assured Forwarding(AF) 13 | + +---------+------------+--------+------------------------------+ + | 010010 | 18 | Low | Assured Forwarding(AF) 21 | + +---------+------------+--------+------------------------------+ + | 010100 | 20 | Medium | Assured Forwarding(AF) 22 | + +---------+------------+--------+------------------------------+ + | 010110 | 22 | High | Assured Forwarding(AF) 23 | + +---------+------------+--------+------------------------------+ + | 011010 | 26 | Low | Assured Forwarding(AF) 31 | + +---------+------------+--------+------------------------------+ + | 011100 | 28 | Medium | Assured Forwarding(AF) 32 | + +---------+------------+--------+------------------------------+ + | 011110 | 30 | High | Assured Forwarding(AF) 33 | + +---------+------------+--------+------------------------------+ + | 100010 | 34 | Low | Assured Forwarding(AF) 41 | + +---------+------------+--------+------------------------------+ + | 100100 | 36 | Medium | Assured Forwarding(AF) 42 | + +---------+------------+--------+------------------------------+ + | 100110 | 38 | High | Assured Forwarding(AF) 43 | + +---------+------------+--------+------------------------------+ + +Matching rules +************** + +* Define a class matching rule: + :code:`set traffic-policy shaper class match + ` + +* Add a match rule description: + :code:`set traffic-policy shaper class match + description ` + +* Specify a match criterion based on a **destination MAC address** + (format: xx:xx:xx:xx:xx:xx): + :code:`set traffic-policy shaper class match + ether destination ` + +* Specify a match criterion based on a **source MAC address** + (format: xx:xx:xx:xx:xx:xx): + :code:`set traffic-policy shaper class match + ether source ` + +* Specify a match criterion based on **packet type/protocol**, range 0...65535: + :code:`set traffic-policy shaper class match + ether protocol ` + +* Specify a match criterion based on **ingress interface**: + :code:`set traffic-policy shaper class match + interface ` + +* Specify a match criterion based on the **fwmark field**, range 0....4294967295: + :code:`set traffic-policy shaper class match + mark ` + +* Specify a match criterion based on **VLAN ID**, range 1...4096: + :code:`set traffic-policy round-robin class match + vif ` + +**IPv4** + +* Specify a match criterion based on **destination IPv4 address and/or port**, + port may be specified as number or service name (i.e. ssh): + :code:`set traffic-policy shaper class match + ip destination ` + +* Specify a match criterion based on **source IPv4 address and/or port**, port + may be specified as number or service name (i.e. ssh): + :code:`set traffic-policy shaper class match + ip source ` + +* Specify a match criterion based on **DSCP (Differentiated Services Code Point) + value**, DSCP value may be specified as decimal or hexadecimal number: + :code:`set traffic-policy shaper class match + ip dscp ` + +* Specify a match criterion based on **IPv4 protocol**, protocol may be + specified by name (i.e. icmp) or IANA-assigned number: + :code:`set traffic-policy shaper class match + ip protocol ` + +**IPv6** + +* Specify a match criterion based on **destination IPv6 address and/or port**, + port may be specified as number or service name (i.e. ssh): + :code:`set traffic-policy shaper class match + ipv6 destination ` + +* Specify a match criterion based on **source IPv6 address and/or port**, + port may be specified as number or service name (i.e. ssh): + :code:`set traffic-policy shaper class match + ipv6 source ` + +* Specify a match criterion based on **DSCP (Differentiated Services Code Point) + value**, DSCP value may be specified as decimal or hexadecimal number: + :code:`set traffic-policy shaper class match + ipv6 dscp ` + +* Specify a match criterion based on **IPv6 protocol**, protocol may be + specified by name (i.e. icmp) or IANA-assigned number: + :code:`set traffic-policy shaper class match + ipv6 protocol ` + +shaper-hfsc (HFSC_ + sfq) +------------------------- + +The case of ingress shaping. Only a **limiter** policy can be applied directly +for ingress traffic on an interface. It is possible though to use what is +called an Intermediate Functional Block (IFB_) to allow the usage of any policy +on the ingress traffic. + +Let's assume eth0 is your WAN link. You created two traffic-policies: `WAN-IN` +and `WAN-OUT`. + +First, create the IFB: + +.. code-block:: sh + + set interfaces input ifb0 description "WAN Input" + +Apply the `WAN-OUT` traffic-policy to ifb0 input. + +.. code-block:: sh + + set interfaces input ifb0 traffic-policy in WAN-IN + +Redirect traffic from eth0 to ifb0 + +.. code-block:: sh + + set interfaces ethernet eth0 redirect ifb0 + +Classful policies and traffic matching +-------------------------------------- + +`limiter`, `round-robin`, `priority-queue`, `shaper` and `shaper-hfsc` +distribute traffic into different classes with different options. In VyOS, +classes are numbered and work like firewall rules. e.g: + +.. code-block:: sh + + set traffic-policy shaper SHAPER class 30 + +Matching traffic +^^^^^^^^^^^^^^^^ + +A class can have multiple match filters: + +.. code-block:: sh + + set traffic-policy class N match MATCH-FILTER-NAME + +Example: + +.. code-block:: sh + + set traffic-policy shaper SHAPER class 30 match HTTP + set traffic-policy shaper SHAPER class 30 match HTTPs + +A match filter contains multiple criteria and will match traffic if all those criteria are true. + +For example: + +.. code-block:: sh + + set traffic-policy shaper SHAPER class 30 match HTTP ip protocol tcp + set traffic-policy shaper SHAPER class 30 match HTTP ip source port 80 + +This will match tcp traffic with source port 80. + +description +*********** + +.. code-block:: sh + + set traffic-policy shaper SHAPER class 30 match MATCH description "match filter description" + +ether +***** + +.. code-block:: sh + + edit traffic-policy shaper SHAPER class 30 match MATCH ether + +destination +*********** + +protocol +******** + +source +****** + +interface +********* + +.. code-block:: sh + + edit traffic-policy shaper SHAPER class 30 match MATCH interface + +ip +** +.. code-block:: sh + + edit traffic-policy shaper SHAPER class 30 match MATCH ip + +destination +*********** + +.. code-block:: sh + + set destination address IPv4-SUBNET + set destination port U32-PORT + +dscp +**** + +.. code-block:: sh + + set dscp DSCPVALUE + +max-length +********** + +.. code-block:: sh + + set max-length U32-MAXLEN + +Will match ipv4 packets with a total length lesser than set value. + +protocol +******** +.. code-block:: sh + + set protocol + +source +****** + +.. code-block:: sh + + set source address IPv4-SUBNET + set source port U32-PORT + +tcp +*** + +**NOTE:** you must set ip protocol to TCP to use the TCP filters. +**NOTE#2**: This filter will only match packets with an IPv4 header length of +20 bytes (which is the majority of IPv4 packets anyway). + +.. code-block:: sh + + set tcp ack + +Will match tcp packets with ACK flag set. +.. code-block:: sh + + set tcp syn + +Will match tcp packets with SYN flag set. + +ipv6 +**** + +.. code-block:: sh + + edit traffic-policy shaper SHAPER class 30 match MATCH ipv6 + +destination +*********** + + .. code-block:: sh + + set destination address IPv6-SUBNET + set destination port U32-PORT + +dscp +**** + +.. code-block:: sh + + set dscp DSCPVALUE + +max-length +********** + +.. code-block:: sh + + set max-length U32-MAXLEN + +Will match ipv6 packets with a payload length lesser than set value. + +protocol +******** + +.. code-block:: sh + + set protocol IPPROTOCOL + +source +****** + +.. code-block:: sh + + set source address IPv6-SUBNET + set source port U32-PORT + +tcp +*** + +**NOTE**: you must set ipv6 protocol to TCP to use the TCP filters. +**NOTE#2**: This filter will only match IPv6 packets with no header extension +(http://en.wikipedia.org/wiki/IPv6_packet#Extension_headers no header extension). + +.. code-block:: sh + + set tcp ack + +Will match tcp packets with ACK flag set. + +.. code-block:: sh + + set tcp syn + +Will match tcp packets with SYN flag set. + +mark +**** + +.. code-block:: sh + + set traffic-policy shaper SHAPER class 30 match MATCH mark **firewall-mark** + +vif +*** + +.. code-block:: sh + + set traffic-policy shaper SHAPER class 30 match MATCH vif **vlan-tag** + + + +Examples: +--------- One common use of traffic policy is to limit bandwidth for an interface. In the example below we limit bandwidth for our LAN connection to 200 Mbit @@ -53,13 +1215,10 @@ interface-level `traffic-policy` directive: Note that a traffic policy can also be defined to match specific traffic flows using class statements. -VyOS 1.2 (Crux) also supports HFSC_: - -.. code-block:: sh - - set traffic-policy shaper-hfsc - -See further information on the QoS_ page. - +.. _tc: http://en.wikipedia.org/wiki/Tc_(Linux) +.. _RFC791: https://tools.ietf.org/html/rfc791 +.. _TBF: https://en.wikipedia.org/wiki/Token_bucket +.. _RFC2474: https://tools.ietf.org/html/rfc2474#page-7 +.. _RFC4595: https://tools.ietf.org/html/rfc4594#page-19 .. _HFSC: https://en.wikipedia.org/wiki/Hierarchical_fair-service_curve -.. _QoS: https://wiki.vyos.net/wiki/QoS +.. _IFB: http://www.linuxfoundation.org/collaborate/workgroups/networking/ifb -- cgit v1.2.3