General description of policing

SSG applies policing to the following logical objects:

  1. Common Channel - all traffic passing through the DPI device that is not allocated to a Virtual Channel (vChannel). See "Policing of the Common Channel".
  2. Virtual Channel (vChannel) - traffic described by a physical port pair, a VLAN or a CIDR. This traffic is excluded from the Common Channel and has its own configuration; see "Policing of Virtual Channel (vChannel)".
  3. Subscriber - the traffic of a particular Subscriber, defined by a list of IP addresses or CIDRs. Subscriber traffic is subject to Subscriber channel policing for IPv4 and IPv6, and also to the policing of the Common (Shared) or Virtual Channel the Subscriber belongs to.
  4. Session - traffic defined by the tuple IPsrc:port, IPdst:port and the transport protocol (TCP, UDP, ICMP, etc.). See "Policing by session and overriding traffic classes".

Policing is applied to the 8 traffic classes exposed by the option "Traffic prioritization depending on protocols and directions".

Which class a protocol is placed in is also governed by the class <-> priority option. This approach allows external and internal policers to be combined in a compatible manner.

Two policing mechanisms are available to choose from:

  1. TBF without hierarchy (Token Bucket Function): used to restrict or block a specific policing class. Bandwidth restriction with burst support.
  2. HTB with hierarchy for 8 classes (Hierarchical Token Bucket): used to prioritize by traffic class. Bandwidth limitation with borrowing between classes.
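To make the first mechanism concrete, the following is an added illustration (not SSG code) of a non-hierarchical token-bucket policer with burst support: a class is allowed a sustained rate plus a burst of credit, and packets arriving once the credit is exhausted are marked non-conforming (dropped). The rate, burst and packet trace are constructed values.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Single-class TBF policer: `rate` bytes/s sustained, `burst` bytes of credit."""
    rate: float                                   # refill rate, bytes per second
    burst: float                                  # bucket depth, i.e. the largest burst allowed
    tokens: float = field(init=False)             # current credit in bytes
    last: float = field(init=False, default=0.0)  # timestamp of the previous packet

    def __post_init__(self) -> None:
        self.tokens = self.burst                  # start with a full bucket

    def conform(self, size: int, now: float) -> bool:
        """Return True if a packet of `size` bytes at time `now` fits the policed rate."""
        # Credit accrues with elapsed time but never exceeds the bucket depth,
        # so idle periods cannot be "saved up" beyond one burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                              # non-conforming: policer drops it


def police(packets, rate: float, burst: float):
    """Run a trace of (timestamp_s, size_bytes) through a TBF; return (passed, dropped) byte totals."""
    tb = TokenBucket(rate, burst)
    passed = dropped = 0
    for ts, size in packets:
        if tb.conform(size, ts):
            passed += size
        else:
            dropped += size
    return passed, dropped


# Constructed trace: a 2000-byte spike at t=0, 1500 bytes at t=1, then a 2000-byte spike at t=3.
SAMPLE_TRACE = [(0.0, 500), (0.0, 500), (0.0, 500), (0.0, 500),
                (1.0, 500), (1.0, 500), (1.0, 500),
                (3.0, 500), (3.0, 1500)]

if __name__ == "__main__":
    # 1000 B/s with a 1500-byte burst: the first three packets of each spike pass,
    # the rest are policed; a deeper bucket (3000 bytes) lets the whole trace through.
    print(police(SAMPLE_TRACE, rate=1000, burst=1500))   # (3000, 2500)
    print(police(SAMPLE_TRACE, rate=1000, burst=3000))   # (5500, 0)
```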

Application scenarios for Common (Shared) and Virtual Channel policing:

  1. Control the approach to the upper limit of the channel bandwidth (the "shelf") and prioritize traffic by protocol and direction, so that low-priority traffic is displaced from the band in favor of high-priority traffic. This keeps the shelf under control and saves money, because there is no need to buy excess bandwidth; the upper limit can even be lowered by 10-15% without any noticeable effect for subscribers.
  2. Limit the bandwidth occupied by a group of protocols. A popular use case for this mechanism is limiting torrents. One possible use case is described in the document "Optimizing uplink channel".