BWM (Bandwidth Management)
Overview
Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.
Use the BWM screens to control bandwidth for services passing through the Zyxel Device, and to identify the conditions that define the bandwidth control.
What You Need to Know
When you allow a service, you can restrict the bandwidth it uses. Bandwidth management controls TCP and UDP traffic. Use policy routes to manage other types of traffic (like ICMP).
Note: Bandwidth management in policy routes has priority over TCP and UDP traffic policies.
If you want to use a service, make sure the security policy allows the service’s packets to go through the Zyxel Device.
Note: The Zyxel Device checks security policies before it checks bandwidth management rules for traffic going through the Zyxel Device.
Bandwidth management examines every TCP and UDP connection passing through the Zyxel Device. Then, you can specify, by port, whether or not the Zyxel Device continues to route the connection.
BWM Type
The Zyxel Device supports three types of bandwidth management: Shared, Per user and Per-Source-IP.
The Shared BWM type is selected by default in a bandwidth management rule. All matched traffic shares the bandwidth configured in the rule.
If the BWM type is set to Per user in a rule, each user that matches the rule can use up to the configured bandwidth on his/her own.
Select the Per-Source-IP type when you want to set the maximum bandwidth for traffic from an individual source IP address.
DiffServ and DSCP Marking
QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types.
DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going.
Connection and Packet Directions
Bandwidth management looks at the connection direction, that is, from which interface the connection was initiated and to which interface the connection is going.
A connection has outbound and inbound packet flows. The Zyxel Device controls the bandwidth of traffic of each flow as it is going out through an interface or VPN tunnel.
The outbound traffic flows from the connection initiator to the connection responder.
The inbound traffic flows from the connection responder to the connection initiator.
For example, a LAN to WAN connection is initiated from LAN and goes to the WAN.
Outbound traffic goes from a LAN device to a WAN device. Bandwidth management is applied before sending the packets out a WAN interface on the Zyxel Device.
Inbound traffic comes back from the WAN device to the LAN device. Bandwidth management is applied before sending the traffic out a LAN interface.
Outbound and Inbound Bandwidth Limits
You can limit an application’s outbound or inbound bandwidth. This limit keeps the traffic from using up too much of the out-going interface’s bandwidth. This way you can make sure there is bandwidth for other applications. When you apply a bandwidth limit to outbound or inbound traffic, each member of the out-going zone can send up to the limit. Take a LAN to WAN policy for example.
Outbound traffic is limited to 200 kbps. The connection initiator is on the LAN so outbound means the traffic traveling from the LAN to the WAN. Each of the WAN zone’s two interfaces can send the limit of 200 kbps of traffic.
Inbound traffic is limited to 500 kbps. The connection initiator is on the LAN so inbound means the traffic traveling from the WAN to the LAN.
Bandwidth Management Priority
The Zyxel Device gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate.
Then lower-priority traffic gets bandwidth.
The Zyxel Device uses a fairness-based (round-robin) scheduler to divide bandwidth among traffic flows with the same priority.
The Zyxel Device automatically treats traffic with bandwidth management disabled as priority 7 (the lowest priority).
Maximize Bandwidth Usage
Maximize bandwidth usage allows applications with maximize bandwidth usage enabled to “borrow” any unused bandwidth on the out-going interface.
After each application gets its configured bandwidth rate, the Zyxel Device uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth and have maximize bandwidth usage enabled.
Unused bandwidth is divided equally. Higher priority traffic does not get a larger portion of the unused bandwidth.
Bandwidth Management Behavior
The following sections show how bandwidth management behaves with various settings. For example, you configure DMZ to WAN policies for FTP servers A and B. Each server tries to send 1000 kbps, but the WAN is set to a maximum outgoing speed of 1000 kbps. You configure policy A for server A’s traffic and policy B for server B’s traffic.
Configured Rate Effect
In the following table, the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate.
Configured Rate Effect
| Policy | Configured Rate | Maximize Bandwidth Usage | Priority | Actual Rate |
| --- | --- | --- | --- | --- |
| A | 300 kbps | No | 1 | 300 kbps |
| B | 200 kbps | No | 1 | 200 kbps |
Priority Effect
Here the configured rates total more than the available bandwidth. Because server A has higher priority, it gets up to its configured rate (800 kbps), leaving only 200 kbps for server B.
Priority Effect
| Policy | Configured Rate | Maximize Bandwidth Usage | Priority | Actual Rate |
| --- | --- | --- | --- | --- |
| A | 800 kbps | Yes | 1 | 800 kbps |
| B | 1000 kbps | Yes | 2 | 200 kbps |
Maximize Bandwidth Usage Effect
With maximize bandwidth usage enabled, after each server gets its configured rate, the rest of the available bandwidth is divided equally between the two. So server A gets its configured rate of 300 kbps and server B gets its configured rate of 200 kbps. Then the Zyxel Device divides the remaining bandwidth (1000 - 500 = 500) equally between the two (500 / 2 = 250 kbps for each). The priority has no effect on how much of the unused bandwidth each server gets.
So server A gets its configured rate of 300 kbps plus 250 kbps for a total of 550 kbps. Server B gets its configured rate of 200 kbps plus 250 kbps for a total of 450 kbps.
Maximize Bandwidth Usage Effect
| Policy | Configured Rate | Maximize Bandwidth Usage | Priority | Actual Rate |
| --- | --- | --- | --- | --- |
| A | 300 kbps | Yes | 1 | 550 kbps |
| B | 200 kbps | Yes | 2 | 450 kbps |
Priority and Over Allotment of Bandwidth Effect
Server A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over allotment of traffic with different priorities (as shown here) as a configuration error. Even though the Zyxel Device still attempts to let all traffic get through and not be lost, regardless of its priority, server B gets almost no bandwidth with this configuration.
Priority and Over Allotment of Bandwidth Effect
| Policy | Configured Rate | Maximize Bandwidth Usage | Priority | Actual Rate |
| --- | --- | --- | --- | --- |
| A | 1000 kbps | Yes | 1 | 999 kbps |
| B | 1000 kbps | Yes | 2 | 1 kbps |
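The four cases above can be reproduced with a small allocation model, which also flags the over-allotment case as a configuration error before it is deployed. This is an added example, not Zyxel code and not the device's actual scheduler; the names Policy, allocate, over_allotted and scenario are hypothetical, and the 1000 kbps link and per-server demand come from the scenario above. For the over-allotment case the model returns 1000/0 kbps where the table shows 999/1 kbps, because it does not model the device's attempt to let all traffic through.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    rate: float      # configured rate, kbps
    priority: int    # 1 = highest, 7 = lowest
    maximize: bool   # "maximize bandwidth usage" enabled
    demand: float    # traffic the server tries to send, kbps


def _fair_share(want, budget, alloc):
    """Divide budget equally among the entries of want, capped at each want.

    Bandwidth that a capped entry cannot use is re-divided among the rest.
    Adds the result to alloc and returns the kbps handed out.
    """
    given = 0.0
    active = {n: w for n, w in want.items() if w > 0}
    while active and budget - given > 1e-9:
        share = (budget - given) / len(active)
        for name, w in list(active.items()):
            take = min(share, w)
            alloc[name] += take
            given += take
            if take >= w:
                del active[name]
            else:
                active[name] = w - take
    return given


def allocate(policies, link_kbps):
    """Model of the behavior in the tables above (assumed, simplified)."""
    alloc = {p.name: 0.0 for p in policies}
    remaining = float(link_kbps)
    # Pass 1: higher priority first, each policy up to its configured rate;
    # policies with the same priority share fairly.
    for prio in sorted({p.priority for p in policies}):
        want = {p.name: min(p.rate, p.demand)
                for p in policies if p.priority == prio}
        remaining -= _fair_share(want, remaining, alloc)
    # Pass 2: unused bandwidth is divided equally, regardless of priority,
    # among policies that have maximize enabled and still want more.
    want = {p.name: p.demand - alloc[p.name] for p in policies if p.maximize}
    _fair_share(want, remaining, alloc)
    return alloc


def over_allotted(policies, link_kbps):
    """Names of policies that higher-priority configured rates alone can starve."""
    flagged = []
    for p in policies:
        higher = sum(q.rate for q in policies if q.priority < p.priority)
        if higher >= link_kbps:
            flagged.append(p.name)
    return flagged


def scenario(a, b, link_kbps=1000):
    """DMZ-to-WAN case from the page: servers A and B each try to send 1000 kbps.

    a and b are (configured rate, priority, maximize) tuples.
    """
    policies = [Policy("A", *a, demand=1000), Policy("B", *b, demand=1000)]
    return allocate(policies, link_kbps), over_allotted(policies, link_kbps)


if __name__ == "__main__":
    print(scenario((300, 1, False), (200, 1, False)))   # configured rate effect
    print(scenario((800, 1, True), (1000, 2, True)))    # priority effect
    print(scenario((300, 1, True), (200, 2, True)))     # maximize effect
    print(scenario((1000, 1, True), (1000, 2, True)))   # over allotment
```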
Bandwidth Management Configuration
The Bandwidth management screens control the bandwidth allocation for TCP and UDP traffic. You can use source interface, destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to create a sequence of specific conditions, similar to the sequence of rules used by firewalls, to specify how the Zyxel Device handles the DSCP value and allocates bandwidth for the matching packets.
This screen allows you to enable/disable bandwidth management and add, edit, and remove user-defined bandwidth management policies.
The default bandwidth management policy is the one with the priority of “default”. It is the last policy the Zyxel Device checks if traffic does not match any other bandwidth management policies you have configured. You cannot remove, activate, deactivate or move the default bandwidth management policy.
Configuration > Bandwidth Management
Label
Description
Enable BWM
Select this check box to activate bandwidth management.
Enable Highest Bandwidth Priority for SIP Traffic
Select this to maximize the throughput of SIP traffic to improve SIP-based VoIP call sound quality. This has the Zyxel Device immediately send SIP traffic upon identifying it. When this option is enabled the Zyxel Device ignores any other application patrol rules for SIP traffic (so there is no bandwidth control for SIP traffic) and does not record SIP traffic bandwidth usage statistics.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Move
To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. The status icon is not available for the default bandwidth management policy.
Priority
This field displays a sequential value for each bandwidth management policy and it is not associated with a specific setting.
This field displays default for the default bandwidth management policy.
Description
This field displays additional information about this policy.
BWM Type
This field displays the below types of BWM:
Shared, when the policy is set for all matched traffic
Per User, when the policy is set for an individual user or a user group
Per-Source-IP, when the policy is set for a source IP
User
This is the type of user account to which the policy applies. If any displays, the policy applies to all user accounts.
Schedule
This is the schedule that defines when the policy applies. none means the policy always applies.
Incoming Interface
This is the source interface of the traffic to which this policy applies.
Outgoing Interface
This is the destination interface of the traffic to which this policy applies.
Source
This is the source address or address group, including geographic address and FQDN (group) objects, for whom this policy applies. If any displays, the policy is effective for every source.
Destination
This is the destination address or address group, including geographic address and FQDN (group) objects, for whom this policy applies. If any displays, the policy is effective for every destination.
DSCP Code
These are the DSCP code point values of incoming and outgoing packets to which this policy applies. The lower the number the higher the priority with the exception of 0 which is usually given only best-effort treatment.
any means all DSCP values or no DSCP marker.
default means traffic with a DSCP value of 0. This is usually best effort traffic.
The “af” options stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences.
Service
App and the service name displays if you selected Application Object for the service type. An Application Object is a pre-defined service.
Obj and the service name displays if you selected Service Object for the service type. A Service Object is a customized pre-defined service or another service. Mouse over the service object name to view the corresponding IP protocol number.
BWM In/Pri/Out/Pri
This field shows the amount of bandwidth the traffic can use.
In - This is how much inbound bandwidth, in kilobits per second, this policy allows the matching traffic to use. Inbound refers to the traffic the Zyxel Device sends to a connection’s initiator. If no displays here, this policy does not apply bandwidth management for the inbound traffic.
Out - This is how much outgoing bandwidth, in kilobits per second, this policy allows the matching traffic to use. Outbound refers to the traffic the Zyxel Device sends out from a connection’s initiator. If no displays here, this policy does not apply bandwidth management for the outbound traffic.
Pri - This is the priority for the incoming (the first Pri value) or outgoing (the second Pri value) traffic that matches this policy. The smaller the number, the higher the priority. Traffic with a higher priority is given bandwidth before traffic with a lower priority. The Zyxel Device ignores this number if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration.
DSCP Marking
This is how the Zyxel Device handles the DSCP value of the incoming and outgoing packets that match this policy.
In - Inbound, the traffic the Zyxel Device sends to a connection’s initiator.
Out - Outbound, the traffic the Zyxel Device sends out from a connection’s initiator.
If this field displays a DSCP value, the Zyxel Device applies that DSCP value to the route’s outgoing packets.
preserve means the Zyxel Device does not modify the DSCP value of the route’s outgoing packets.
default means the Zyxel Device sets the DSCP value of the route’s outgoing packets to 0.
The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
The Bandwidth Management Add/Edit Screen
The Configuration > Bandwidth Management Add/Edit screen allows you to create a new condition or edit an existing one.
802.1P Marking
Use 802.1P to prioritize outgoing traffic from a VLAN interface. The Priority Code is a 3-bit field within an 802.1Q VLAN tag that is used to prioritize associated outgoing VLAN traffic. "0" is the lowest priority level and "7" is the highest.
Single Tagged 802.1Q Frame Format
| DA | SA | TPID | Priority | VID | Len/Etype | Data | FCS |
IEEE 802.1Q customer tagged frame
802.1Q Frame
| Field | Description |
| --- | --- |
| DA | Destination Address |
| SA | Source Address |
| TPID | Tag Protocol IDentifier |
| Priority | 802.1p Priority |
| VID | VLAN ID |
| Len/Etype | Length and type of Ethernet frame |
| Data | Frame data |
| FCS | Frame Check Sequence |
The following table is a guide to types of traffic for the priority code.
Priority Code and Types of Traffic
| Priority | Traffic Types |
| --- | --- |
| 0 (lowest) | Background |
| 1 | Best Effort |
| 2 | Excellent Effort |
| 3 | Critical Applications |
| 4 | Video, less than 100 ms latency and jitter |
| 5 | Voice, less than 10 ms latency and jitter |
| 6 | Internetwork Control |
| 7 (highest) | Network Control |
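To check in a packet capture what priority a frame actually carries, the tag can be parsed directly from the frame layout above. This is an added example, not Zyxel code: parse_tagged and remark_priority are hypothetical names, the sample frame is constructed, and the FCS is left out because captures normally do not include it.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol IDentifier of a customer (single) tag

# Traffic-type guide copied from the priority table on this page.
TRAFFIC_TYPES = {
    0: "Background", 1: "Best Effort", 2: "Excellent Effort",
    3: "Critical Applications", 4: "Video", 5: "Voice",
    6: "Internetwork Control", 7: "Network Control",
}


def parse_tagged(frame: bytes) -> dict:
    """Split a single-tagged frame into DA, SA, TPID, Priority, VID, Len/Etype, Data."""
    if len(frame) < 18:
        raise ValueError("too short for a single-tagged 802.1Q header")
    tpid, tci, etype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError(f"not 802.1Q tagged (TPID 0x{tpid:04x})")
    # The 16 bits after the TPID hold the 3-bit priority, a 1-bit drop
    # eligible indicator (not shown in the figure above) and the 12-bit VID.
    priority = tci >> 13
    return {
        "da": frame[0:6].hex(":"),
        "sa": frame[6:12].hex(":"),
        "priority": priority,
        "traffic_type": TRAFFIC_TYPES[priority],
        "dei": (tci >> 12) & 1,
        "vid": tci & 0x0FFF,
        "etype": etype,
        "data": frame[18:],
    }


def remark_priority(frame: bytes, priority: int) -> bytes:
    """Overwrite the existing priority code, keeping the other tag bits and the VID."""
    if not 0 <= priority <= 7:
        raise ValueError("priority code is a 3-bit value (0-7)")
    parse_tagged(frame)  # rejects untagged or truncated frames
    (tci,) = struct.unpack("!H", frame[14:16])
    new_tci = (priority << 13) | (tci & 0x1FFF)
    # On the wire the FCS would have to be recomputed after this change.
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


# Constructed sample: locally administered MACs, priority 1, VLAN 100, IPv4 Etype.
SAMPLE = bytes.fromhex(
    "020000000001" "020000000002" "8100" "2064" "0800"
) + b"constructed payload"

if __name__ == "__main__":
    before = parse_tagged(SAMPLE)
    after = parse_tagged(remark_priority(SAMPLE, 5))
    print(before["priority"], before["traffic_type"], before["vid"])
    print(after["priority"], after["traffic_type"], after["vid"])
```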
 
Configuration > Bandwidth Management > Add/Edit
Label
Description
Create new Object
Use to configure any new settings objects that you need to use in this screen.
Configuration
 
Enable
Select this check box to turn on this policy.
Description
Enter a description of this policy. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
Criteria
Use this section to configure the conditions of traffic to which this policy applies.
BWM Type
This field displays the below types of BWM rule:
Shared, when the policy is set for all users
Per User, when the policy is set for an individual user or a user group
Per Source IP, when the policy is set for a source IP
User
Select a user name or user group to which to apply the policy. Use Create new Object if you need to configure a new user account. Select any to apply the policy for every user.
Schedule
Select a schedule that defines when the policy applies or select Create Object to configure a new one. Otherwise, select none to make the policy always effective.
Incoming Interface
Select the source interface of the traffic to which this policy applies.
Outgoing Interface
Select the destination interface of the traffic to which this policy applies.
Source
Select a source address or address group, including geographic address and FQDN (group) objects, for whom this policy applies. Use Create new Object if you need to configure a new one. Select any if the policy is effective for every source.
Destination
Select a destination address or address group, including geographic address and FQDN (group) objects, for whom this policy applies. Use Create new Object if you need to configure a new one. Select any if the policy is effective for every destination.
DSCP Code
Select a DSCP code point value of incoming packets to which this policy route applies or select User Defined to specify another DSCP code point. The lower the number the higher the priority with the exception of 0 which is usually given only best-effort treatment.
any means all DSCP values or no DSCP marker.
default means traffic with a DSCP value of 0. This is usually best effort traffic.
The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences.
User-Defined DSCP Code
Use this field to specify a custom DSCP code point.
Service Type
Select Service Object or Application Object if you want a specific service (defined in a service object) or application patrol service to which the policy applies.
Service Object
This field is available if you selected Service Object as the service type.
Select a service or service group to identify the type of traffic to which this policy applies. any means all services.
Application Object
This field is available if you selected Application Object as the service type.
Select an application patrol service to identify the specific traffic to which this policy applies.
DSCP Marking
Set how the Zyxel Device handles the DSCP value of the incoming and outgoing packets that match this policy. Inbound refers to the traffic the Zyxel Device sends to a connection’s initiator. Outbound refers to the traffic the Zyxel Device sends out from a connection’s initiator.
Select one of the pre-defined DSCP values to apply or select User Defined to specify another DSCP value. The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences.
Select preserve to have the Zyxel Device keep the packets’ original DSCP value.
Select default to have the Zyxel Device set the DSCP value of the packets to 0.
Bandwidth Shaping
Configure these fields to set the amount of bandwidth the matching traffic can use.
Inbound kbps
Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the Zyxel Device sends to a connection’s initiator.
If you enter 0 here, this policy does not apply bandwidth management for the matching traffic that the Zyxel Device sends to the initiator. Traffic with bandwidth management disabled (inbound and outbound are both set to 0) is automatically treated as the lowest priority (7).
If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
Outbound kbps
Type how much outbound bandwidth, in kilobits per second, this policy allows the traffic to use. Outbound refers to the traffic the Zyxel Device sends out from a connection’s initiator.
If you enter 0 here, this policy does not apply bandwidth management for the matching traffic that the Zyxel Device sends out from the initiator. Traffic with bandwidth management disabled (inbound and outbound are both set to 0) is automatically treated as the lowest priority (7).
If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
Priority
This field displays when the inbound or outbound bandwidth management is not set to 0. Enter a number between 1 and 7 to set the priority for traffic that matches this policy. The smaller the number, the higher the priority.
Traffic with a higher priority is given bandwidth before traffic with a lower priority.
The Zyxel Device uses a fairness-based (round-robin) scheduler to divide bandwidth between traffic flows with the same priority.
The number in this field is ignored if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration.
Maximize Bandwidth Usage
This field displays when the inbound or outbound bandwidth management is not set to 0 and the BWM Type is set to Shared. Enable maximize bandwidth usage to let the traffic matching this policy “borrow” all unused bandwidth on the out-going interface.
After each application or type of traffic gets its configured bandwidth rate, the Zyxel Device uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface among applications and traffic types that need more bandwidth and have maximize bandwidth usage enabled.
Maximum
If you did not enable Maximize Bandwidth Usage, then type the maximum unused bandwidth that traffic matching this policy is allowed to “borrow” on the out-going interface (in Kbps), here.
802.1P Marking
Use 802.1P to prioritize outgoing traffic from a VLAN interface.
Priority Code
This is a 3-bit field within an 802.1Q VLAN tag that is used to prioritize associated outgoing VLAN traffic. "0" is the lowest priority level and "7" is the highest. The setting configured here overwrites existing priority settings.
Interface
Choose a VLAN interface to which to apply the priority level for matching frames.
Related Setting
 
Log
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) when any traffic matches this policy.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Adding Objects for the BWM Policy
Objects are parameters upon which the policy rules are built. There are three kinds of objects you can add/edit for the BWM policy: User, Schedule and Address objects.
Configuration > BWM > Create New Object > Add User
label
description
User Name
Type a user or user group object name of the rule.
User Type
Select a user type from the drop down menu. The user types are Admin, Limited admin, User, Guest, Ext-user, Ext-group-user.
Password
Type a password for the user object. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ‘ \ () ), and it can be up to eight characters long.
Retype
Retype the password to confirm.
Description
Enter a description for this user object. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
Authentication Timeout Settings
Choose either the Use Default setting option, which shows the default Lease Time of 1,440 minutes and Reauthentication Time of 1,440 minutes, or the Use Manual Settings option to enter them manually.
Lease Time
This shows the Lease Time setting for the user, by default it is 1,440 minutes.
Reauthentication Time
This shows the Reauthentication Time for the user, by default it is 1,440 minutes.
OK
Click OK to save the setting.
Cancel
Click Cancel to abandon this screen.
 
Configuration > BWM > Create New Object > Add Schedule
label
description
Name
Enter a name for the schedule object of the rule.
Type
Select an option from the drop down menu for the schedule object. It will show One Time or Recurring.
Start Date
Click the icon menu on the right to choose a Start Date for the schedule object.
Start Time
Click the icon menu on the right to choose a Start Time for the schedule object.
Stop Date
Click the icon menu on the right to choose a Stop Date for the schedule object.
Stop Time
Click the icon menu on the right to choose a Stop Time for the schedule object.
Configuration > BWM > Create New Object > Add Address
label
description
Name
Enter a name for the Address object of the rule.
Address Type
Select an Address Type from the drop down menu on the right. The Address Types are Host, Range, Subnet, Interface IP, Interface Subnet, and Interface Gateway.
IP Address
Enter an IP address for the Address object.
OK
Click OK to save the setting.
Cancel
Click Cancel to abandon the setting.