
  • Status: Solved

Control inbound bandwidth

I have a WatchGuard XTM 510 connected to a NetGear GS108t switch that has VLANs defined on it.  The GS108t switch is going to the Outside port of a PacketShaper 1700 and then spits out to another GS108t switch that splits into two VLAN subnets.

I want to put some type of QoS policy on the WatchGuard that will allow me to control the amount of bandwidth that any one device can consume on an inbound request.  What's the best way to go about this?

I can provide more details if needed.

2 Solutions
Aaron Street (Infrastructure Manager) commented:
It is very hard to control inbound traffic unless the provider upstream supports a form of QoS.

The reason for this is that you have no control over the sending station, and the traffic has to pass over the link before your devices see it.

You can restrict the inbound traffic to a set amount, but this will not stop malicious traffic or devices that choose to ignore it.

Bandwidth policies work best when you have control of both ends of the link. If you do not, the best you can achieve is to manage the outgoing requests in such a way that they help control what is coming back in. For example, you could set a very low TCP window size so that the sending station will send only a small amount of data before waiting for an ACK. You can then hold back on sending the ACK to ensure the bandwidth used never goes above a set level. But this is messy and introduces a lot of bandwidth overhead.

Another way is to use inbound queues that drop packets above a defined rate. This causes the end station to back off and resend, as it will detect the lost packets and slow down its transmit rate. However, it still only deals with well-behaved remote devices, and will not help in the case of a DoS attack.

Agreed. Unless you have control of the sending side of the link, you have no way to control what's sent over that link. As already stated, inbound QoS on your side will only drop what's already been sent.

In fact, drops on your side may actually increase bandwidth utilization, since the other side will then have to retransmit. And the only way to control TCP window size is to configure each workstation on your side to request a small window size of the sending party, and that will apply to internal traffic also, not just internet.
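The two answers above make the same two claims: an inbound policer can only drop packets that have already crossed the WAN link, and dropping only reduces the offered load when the remote sender reacts to loss. The following constructed simulation is an added example (not code from the thread, and not WatchGuard configuration); it assumes a token-bucket ingress policer in front of the LAN, 1500-byte packets, a TCP-like sender that halves its rate on loss, and a flooder that ignores loss. The rate figures and the simple halve-on-loss model are assumptions chosen to keep the arithmetic exact.

```python
"""Constructed simulation of an inbound (ingress) token-bucket policer.

Added example, not from the original thread. It models two points from the
answers: the policer only drops traffic that has already crossed the WAN link,
and dropping only helps against senders that react to loss.
"""
from dataclasses import dataclass

PKT = 1500  # bytes per packet (assumed Ethernet-sized frames)
# One simulation slot is assumed to be 10 ms, so a rate of N packets per slot
# corresponds to N * PKT * 100 bytes per second (10 packets/slot = 1.5 MB/s).


class TokenBucket:
    """Ingress policer: admit a packet only if enough tokens (bytes) remain.

    Uses integer byte counts so the simulation is fully deterministic.
    """

    def __init__(self, bytes_per_slot: int, burst_bytes: int):
        self.rate = bytes_per_slot      # tokens added per slot
        self.depth = burst_bytes        # bucket capacity (allowed burst)
        self.tokens = burst_bytes       # start full

    def refill(self) -> None:
        self.tokens = min(self.depth, self.tokens + self.rate)

    def admit(self, size: int) -> bool:
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


@dataclass
class Sender:
    name: str
    pps: int            # packets offered per slot (current rate)
    responsive: bool    # True: halves rate on loss (TCP-like); False: ignores loss
    carried: int = 0    # bytes that crossed the WAN link, i.e. upstream of the policer
    admitted: int = 0   # bytes the policer forwarded into the LAN
    dropped: int = 0    # bytes the policer discarded after the link had carried them


def simulate(policer_pps: int, burst_pkts: int, senders: list, slots: int) -> dict:
    """Run the policer for `slots` steps and report per-sender byte counters."""
    bucket = TokenBucket(policer_pps * PKT, burst_pkts * PKT)
    for _ in range(slots):
        bucket.refill()
        lost = {s.name: False for s in senders}
        # Round-robin interleave so ordering alone does not starve one sender.
        for i in range(max(s.pps for s in senders)):
            for s in senders:
                if i >= s.pps:
                    continue
                s.carried += PKT            # the WAN link delivered it regardless
                if bucket.admit(PKT):
                    s.admitted += PKT
                else:
                    s.dropped += PKT
                    lost[s.name] = True
        # Only a loss-responsive sender adjusts; the flooder keeps its rate.
        for s in senders:
            if s.responsive:
                s.pps = max(1, s.pps // 2) if lost[s.name] else s.pps + 1
    return {
        s.name: {"carried": s.carried, "admitted": s.admitted,
                 "dropped": s.dropped, "final_pps": s.pps}
        for s in senders
    }


def run_demo() -> dict:
    """Policer at 10 packets/slot with a 20-packet burst, run for 200 slots (2 s)."""
    senders = [Sender("tcp_like", pps=20, responsive=True),
               Sender("flooder", pps=10, responsive=False)]
    return simulate(policer_pps=10, burst_pkts=20, senders=senders, slots=200)


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:9s} carried={r['carried']:>9} admitted={r['admitted']:>9} "
              f"dropped={r['dropped']:>9} final_pps={r['final_pps']}")
```

Reading the counters: the LAN never receives more than the policer's rate plus its burst, and the TCP-like sender settles well below its starting rate because it sees loss. The flooder's `carried` figure, however, equals its full offered rate for the whole run; the policer discarded a large share of it, but every one of those bytes still occupied the WAN link before reaching the firewall, which is exactly why this does not help against a DoS.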
Collins26050 (Author) commented:
Thanks for both of your comments and inputs.  This helps me out a great deal, and I may consider modifying the TCP window size in the future, but I agree that tampering too much could introduce a lot of overhead.

I will watch this and see if I really need to pursue any action as the spikes that caused my concern have only happened a couple of times.
