Traffic Shaping on a zone with Multiple Interfaces

[KB7762]


Summary:
Traffic shaping with multiple interfaces in the untrust zone. Examples include dual-untrust and redundant interfaces.
Symptoms:
Traffic shaping cannot be configured if the egress zone has more than one interface. No traffic shaping options are available for policies in the WebUI.
Solution:

Traffic shaping on an egress zone with multiple interfaces is supported on ScreenOS 5.1.0 and higher.  In order to enable this functionality, the following command must be applied:

set traffic-shaping multi-egress-if

This command is enabled by default in ScreenOS 5.2.0 and higher.

Here is how this feature works. With 'multi-egress-if' enabled, if the outgoing zone has 'n' interfaces, the traffic associated with a session matching the policy will have a guaranteed bandwidth of n*gbw and a maximum bandwidth of n*mbw.

Example:

Assume ethernet3 and ethernet4 are bound to the untrust zone, so there are 2 interfaces in the egress zone. Assume we have the following policy:

set policy from trust to untrust any any any permit gbw 128 mbw 256

With this setup, the effective gbw is 256 kbps (2 x 128) and the effective mbw is 512 kbps (2 x 256).

 
