Introduction
Summary
QoS Cyberoam Certified Network & Security Professional
Introduction
Cyberoam not only identifies applications, but also controls them and ensures that they are given
the right kind of treatment, so that they perform as required by the organization's network
administrator. This module provides knowledge about QoS terminology, models, options and how
QoS is configured on CyberoamOS.
Why QoS
QoS is required for an organization because bandwidth is finite. Because it is finite, some traffic can be
susceptible to packet loss or latency. Also, some traffic can be bandwidth demanding or vital to the
organization's internal network. QoS is a handy tool for optimizing the applications in an
organization's network. QoS has the capability to regulate selected packet flows in the network. QoS is
one of the basic features provided by any network device. However, CyberoamOS extends QoS to a
network, subnet, user, and application, making it Application Quality of Service and User Quality of
Service.
Classification
CyberoamOS recognizes packets in different classes. There are predefined classes in CyberoamOS
which map to a priority queue. Classification is necessary for QoS to function. In Cyberoam
devices, packets are assigned a QoS after the session is initiated and the application and identity
are determined.
Competitive firewall appliances classify packets based on IP or DSCP markings. This type of
classification is good for general network scenarios, but not from the application and identity point of
view. A QoS profile on Cyberoam has eight classes. Each class maps to a priority queue which is
listed in the table below.
The screen below shows the priority classes from a Cyberoam QoS policy. To see the classes, navigate
to QoS -> Policy -> Add -> Priority
Bandwidth Limiting
At the outgoing interface (egress), a class from the QoS Class Profile is used to bond the packet with
the priority queue. Cyberoam does not only link the packet with the priority queue, but also provides
strict and committed bandwidth.
Strict
In a Strict Bandwidth policy, Cyberoam does not guarantee the bandwidth to the user; however, if the
bandwidth is available, the user will get the value specified at the time of policy creation. For
example, if user john has been allocated a strict bandwidth policy of 2 Mbps, john will get speeds up to
2 Mbps, depending on the traffic in the network. If the network is free, john will get 2 Mbps, but if the
network is loaded with heavy traffic, john will get bandwidth which is not more than 2 Mbps (depending
on the traffic).
Committed
In a Committed Bandwidth policy, Cyberoam guarantees the value specified at the time of creation to
the user. Also, on a committed bandwidth, a burst limit can be specified. The burst limit is the
maximum bandwidth that can be given to the user. Total bandwidth allotted to the user is the sum of
the committed bandwidth value and the burst limit. For example, if the user john is allocated a
committed bandwidth of 2 Mbps and a burst limit of 2 Mbps, john will get a guaranteed 2 Mbps at any
point of time. However, if john requires more bandwidth and there is unutilized bandwidth, john will get
the burst limit specified. It should be noted that the burst bandwidth, though limited to 2 Mbps, can vary
depending on the traffic in the network. Therefore the total bandwidth for john is 4 Mbps, out of which
2 Mbps is guaranteed and 2 Mbps varies with the load on the network.
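A simplified model of the strict and committed policies described above, as an added example (not Cyberoam code). It assumes a single shared link, that a lower priority number is served first, and that unused bandwidth is handed out in priority order; `Policy`, `allocate` and the users other than john are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    user: str
    kind: str                 # "strict" or "committed"
    limit_mbps: float         # strict: upper cap; committed: guaranteed value
    burst_mbps: float = 0.0   # committed only: extra bandwidth when the link is free
    priority: int = 7         # assumption: 0 is served first, 7 last
    demand_mbps: float = 0.0  # what the user is currently trying to send

    @property
    def guaranteed(self) -> float:
        return self.limit_mbps if self.kind == "committed" else 0.0

    @property
    def ceiling(self) -> float:
        return self.limit_mbps + (self.burst_mbps if self.kind == "committed" else 0.0)

def allocate(link_mbps: float, policies: list[Policy]) -> dict[str, float]:
    """Return Mbps per user: guarantees first, then spare capacity by priority."""
    if sum(p.guaranteed for p in policies) > link_mbps:
        # Misconfiguration: the guarantees cannot all be honoured on this link.
        raise ValueError("committed bandwidth exceeds link capacity")
    alloc = {}
    remaining = link_mbps
    # Pass 1: every committed policy receives its guaranteed share (if demanded).
    for p in policies:
        alloc[p.user] = min(p.guaranteed, p.demand_mbps)
        remaining -= alloc[p.user]
    # Pass 2: spare capacity goes to strict users and burst, never above the ceiling.
    for p in sorted(policies, key=lambda p: p.priority):
        extra = min(min(p.ceiling, p.demand_mbps) - alloc[p.user], remaining)
        alloc[p.user] += extra
        remaining -= extra
    return alloc

# Constructed sample: john as in the text, mary and bob on 2 Mbps strict policies.
SAMPLE = [
    Policy("john", "committed", 2, burst_mbps=2, priority=2, demand_mbps=4),
    Policy("mary", "strict", 2, priority=1, demand_mbps=2),
    Policy("bob", "strict", 2, priority=5, demand_mbps=2),
]

if __name__ == "__main__":
    print("loaded 5 Mbps link:", allocate(5, SAMPLE))
    print("free 10 Mbps link: ", allocate(10, SAMPLE))
```

On the loaded link john keeps his guaranteed 2 Mbps plus whatever burst is left, while the lowest-priority strict user gets nothing; on the free link every user reaches their ceiling.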
Scheduler
On CyberoamOS, the scheduler algorithm determines how often a queue is serviced. The scheduler selects
the next packet to de-queue based on priority. CyberoamOS uses the Linux algorithms HFSC
(Hierarchical Fair Service Curve) and HTB (Hierarchical Token Bucket).
Congestion management
When a queue is filling faster than it can be cleared, Cyberoam drops the packets when the queue
becomes full.
Packet Marking
If any upstream or downstream device marks DSCP bits, CyberoamOS can maintain and alter those
bits. If a packet is not marked with DSCP bits, CyberoamOS can mark the packet and send it to the
next hop/destination. QoS should not be confused with packet marking, as they are separate
functionalities of CyberoamOS. Whether or not QoS is configured, CyberoamOS continues to mark the
flows according to policy.
QoS Implementation
QoS in CyberoamOS can be applied to an identity (user/group), firewall rule, application, web category,
and schedule.
Policy
Parameters
Identity
User
A QoS policy can be applied to a user. To do this, go to Identity -> Users -> User -> Add
Group
To apply a QoS policy to a group, go to Identity -> Groups -> Select the group
Firewall
To apply a QoS policy to a firewall, first create a policy based on firewall from QoS -> Policy -> Add
Application
To apply QoS to an application, go to Firewall -> Rule -> Security Policies, and select the application filter.
In the QoS & Routing Policy, select the QoS policy.
Web Category
To apply QoS to a Web Category, select the Web Filter Policy from Firewall and apply the QoS policy from
the QoS & Routing Policy.
QoS Configuration
QoS settings can be configured from the web admin console. Go to QoS > Settings.
(KB Link: http://kb.cyberoam.com/default.asp?id=2743&SID=&Lang=1)
Summary
QoS allows traffic shaping and bandwidth management. In this module we have learnt:
Need for QoS
Classification
Bandwidth Limiting
Scheduler
Congestion management
Packet Marking
Implementation of QoS in CyberoamOS