QoS

From VyOS Wiki
Revision as of 10:15, 21 August 2017 by Max1e6 (talk | contribs) (The case of ingress shaping)

Introduction

VyOS uses tc as a backend for QoS. VyOS provides its users with configuration nodes for the following shaping, queueing and policing disciplines:

  • HTB
  • HFSC
  • SFQ
  • pfifo
  • network-emulator
  • PRIO
  • GRED
  • TBF
  • DRR

Configuration nodes in VyOS

VyOS QoS configuration is done in two steps. The first step is to set up your classes/queues and the traffic filters that distribute traffic amongst them. The second step is to apply that traffic policy to an interface, for ingress or egress.

Creating a traffic policy

This configuration takes place under the traffic-policy tree.

Available subtrees:

# set traffic-policy drop-tail NAME
# set traffic-policy fair-queue NAME
# set traffic-policy limiter NAME
# set traffic-policy network-emulator NAME
# set traffic-policy priority-queue NAME
# set traffic-policy random-detect NAME
# set traffic-policy rate-control NAME
# set traffic-policy round-robin NAME
# set traffic-policy shaper NAME
# set traffic-policy shaper-hfsc NAME

Applying a traffic policy to an interface

Once a traffic-policy is created, you can apply it to an interface:

# set interfaces ethernet eth0 traffic-policy in WAN-IN
# set interfaces ethernet eth0 traffic-policy out WAN-OUT


The case of ingress shaping

Only a limiter policy can be applied directly for ingress traffic on an interface.

However, an Intermediate Functional Block (IFB) can be used to allow any policy on ingress traffic.

Let's assume eth0 is your WAN link. You created two traffic-policies: WAN-IN and WAN-OUT.

First, create the IFB:

# set interfaces input ifb0 description "WAN Input"

Apply the WAN-IN traffic-policy to ifb0 input:

# set interfaces input ifb0 traffic-policy in WAN-IN

Redirect traffic from eth0 to ifb0:

# set interfaces ethernet eth0 redirect ifb0

Traffic policies in VyOS

drop-tail

pfifo

fair-queue

sfq

limiter

network-emulator

netem

priority-queue

prio

random-detect

gred

rate-control

tbf

round-robin

drr

shaper

HTB + sfq (fair-queue), HTB + pfifo (drop-tail), HTB + prio (priority), HTB + red (random-detect)

shaper-hfsc

HFSC + sfq

Classful policies and traffic matching

limiter, round-robin, priority-queue, shaper and shaper-hfsc distribute traffic into different classes with different options. In VyOS, classes are numbered and work like firewall rules. For example:

# set traffic-policy shaper SHAPER class 30

Matching traffic

A class can have multiple match filters:

# set traffic-policy POLICY POLICY-NAME class N match MATCH-FILTER-NAME

Example:

# set traffic-policy shaper SHAPER class 30 match HTTP
# set traffic-policy shaper SHAPER class 30 match HTTPs

A match filter contains multiple criteria and matches traffic only if all of those criteria are true.

For example:

# set traffic-policy shaper SHAPER class 30 match HTTP ip protocol tcp
# set traffic-policy shaper SHAPER class 30 match HTTP ip source port 80

This will match TCP traffic with source port 80.

description

# set traffic-policy shaper SHAPER class 30 match MATCH description "match filter description"

ether

# edit traffic-policy shaper SHAPER class 30 match MATCH ether

destination

protocol

source

interface

# edit traffic-policy shaper SHAPER class 30 match MATCH interface interface-name

ip

# edit traffic-policy shaper SHAPER class 30 match MATCH ip

destination

# set destination address IPv4-SUBNET
# set destination port U32-PORT

dscp

# set dscp DSCPVALUE

max-length

# set max-length U32-MAXLEN

Will match IPv4 packets with a total length less than the set value.

protocol

# set protocol IPPROTOCOL

source

# set source address IPv4-SUBNET
# set source port U32-PORT

tcp

Note: you must set ip protocol to TCP to use the TCP filters.

Note 2: This filter will only match packets with an IPv4 header length of 20 bytes (which is the majority of IPv4 packets anyway).

# set tcp ack

Will match tcp packets with ACK flag set.

# set tcp syn

Will match tcp packets with SYN flag set.
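
Added example (not from the VyOS wiki or the VyOS code base): a small Python model of the matching rules described above, where every criterion of a match filter must be true and the tcp flag criteria only match packets with a 20-byte IPv4 header. The function names, the sample policy, the constructed packets, the HTTPs port, and the assumptions that classes are tried in ascending number and that any one filter selects its class are illustrative; this is not how tc implements its filters.

```python
import struct

TCP_FLAGS = {"ack": 0x10, "syn": 0x02}

def build_ipv4_tcp(sport, flags, options=b""):
    """Constructed sample packet: IPv4 header, optional IP options, TCP header."""
    ihl = 5 + len(options) // 4                      # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, 40000, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + options + tcp

def criterion_ok(pkt, key, value):
    ihl = pkt[0] & 0x0F
    if key == "protocol":
        return pkt[9] == value
    if key == "source port":
        return struct.unpack_from("!H", pkt, ihl * 4)[0] == value
    if key == "max-length":                          # IPv4 total length field
        return struct.unpack_from("!H", pkt, 2)[0] < value
    if key == "tcp":                                 # page's Note 2: 20-byte header only
        return ihl == 5 and bool(pkt[33] & TCP_FLAGS[value])
    raise ValueError(f"unsupported criterion: {key}")

def filter_matches(pkt, criteria):
    """A match filter matches only if all of its criteria are true."""
    return all(criterion_ok(pkt, k, v) for k, v in criteria.items())

def classify(pkt, classes, default="default"):
    """Assumption: classes are tried in ascending number; any one filter selects the class."""
    for number in sorted(classes):
        if any(filter_matches(pkt, f) for f in classes[number].values()):
            return number
    return default

# Hypothetical policy: class 10 for small ACKs, class 30 for HTTP plus an assumed HTTPs on 443.
POLICY = {
    10: {"ACK": {"protocol": 6, "tcp": "ack", "max-length": 64}},
    30: {"HTTP": {"protocol": 6, "source port": 80},
         "HTTPs": {"protocol": 6, "source port": 443}},
}
IP_OPTIONS = b"\x01\x01\x01\x00"                     # constructed: NOP, NOP, NOP, EOL

if __name__ == "__main__":
    for sport, flags, opts in [(80, 0x10, b""), (443, 0x02, b""),
                               (5000, 0x10, IP_OPTIONS), (5000, 0x18, b"")]:
        print(sport, hex(flags), len(opts), classify(build_ipv4_tcp(sport, flags, opts), POLICY))
```

In this model the ACK packet that carries IP options falls through to the default class, so a policy that depends on tcp ack or tcp syn should decide deliberately what its default class does with such packets.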

ipv6

# edit traffic-policy shaper SHAPER class 30 match MATCH ipv6

destination

# set destination address IPv6-SUBNET
# set destination port U32-PORT

dscp

# set dscp DSCPVALUE

max-length

# set max-length U32-MAXLEN

Will match IPv6 packets with a payload length less than the set value.

protocol

# set protocol IPPROTOCOL

source

# set source address IPv6-SUBNET
# set source port U32-PORT

tcp

Note: you must set ipv6 protocol to TCP to use the TCP filters.

Note 2: This filter will only match IPv6 packets with no header extension.

# set tcp ack

Will match tcp packets with ACK flag set.

# set tcp syn

Will match tcp packets with SYN flag set.

mark

# set traffic-policy shaper SHAPER class 30 match MATCH mark firewall-mark

vif

# set traffic-policy shaper SHAPER class 30 match MATCH vif vlan-tag