Wednesday 20 February 2019

Bandwidth Limit Connections

Creating Classes of Network Traffic

…with RHEL 7

References:

Prioritisation of Outbound Network Traffic

Scenario

  1. Any class of traffic may consume all available bandwidth.

  2. If there are simultaneous competing traffic classes then:

  3. High priority traffic gets to use all the available bandwidth except what is guaranteed to the lower classes.

  4. Medium priority traffic gets its guaranteed rate. If there is no high priority traffic then the medium traffic will expand and consume the entire bandwidth available.

  5. Low priority traffic gets its guaranteed rate. Only when there is no high or medium priority traffic, the low priority traffic will expand and consume the entire bandwidth available.

  6. Low priority traffic classes will lose their additional allocation of bandwidth over their guaranteed bandwidth whenever there is higher priority traffic.

Solution Design

Use RHEL 7 Traffic Control to create three classes of traffic:

  1. High priority

    • Application traffic
    • Services that directly support the application; dns, ldap, ntp.
  2. Medium priority (default class)

    • Infrastructure services; software updates via Red Hat Satellite.
    • Maintenance services; ssh.
  3. Low priority

    • Forwarding Logs

The maximum rate of high priority traffic and the ceiling for all three classes of traffic are set to an unrealistically high number to ensure the server will use all available bandwidth, just as it would if there were no traffic prioritisation rules. It is thought “900mbit” is an unrealistic rate for the target links we intend to use.

The “burst” attribute adjusts how responsively the rates are enforced. The default will be used; the system sets a value which is a little sluggish/lazy, but it should effect changes within seconds.

Limitations

  1. Only outbound traffic is being limited in this solution. Our focus is on controlling the uploading of “Log” traffic.

Implementation

The “Traffic Control” command “/usr/sbin/tc” comes with the “iproute” package.

Show the Traffic Classes

tc class show dev ens5
tc -s class show dev ens5
tc filter show dev ens5 parent 1:

Delete existing traffic control rules

tc qdisc delete dev ens5 root

Create the Traffic Classes and set the default class.

tc qdisc add dev ens5 root handle 1: htb default 20
tc class add dev ens5 parent 1: classid 1:1 htb rate 900mbit
tc class add dev ens5 parent 1:1 classid 1:10 htb rate 900mbit ceil 900mbit prio 1
tc class add dev ens5 parent 1:1 classid 1:20 htb rate 10mbit ceil 900mbit prio 2
tc class add dev ens5 parent 1:1 classid 1:30 htb rate 1kbit ceil 900mbit prio 3

Make the queue scheduling fair to minimise starvation when under heavy load.

tc qdisc add dev ens5 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev ens5 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev ens5 parent 1:30 handle 30: sfq perturb 10

Select traffic for the High priority class.

tc filter add dev ens5 parent 1: protocol ip u32 match ip dport 53 0xffff flowid 1:10
tc filter add dev ens5 parent 1: protocol ip u32 match ip dport 123 0xffff flowid 1:10
tc filter add dev ens5 parent 1: protocol ip u32 match ip dport 389 0xffff flowid 1:10
tc filter add dev ens5 parent 1: protocol ip u32 match ip dport <application_ports> 0xffff flowid 1:10

Select traffic for the Medium priority class.

tc filter add dev ens5 parent 1: protocol ip u32 match ip dport 22 0xffff flowid 1:20
tc filter add dev ens5 parent 1: protocol ip u32 match ip dst <satellite>/32 flowid 1:20

Select traffic for the Low priority class.

tc filter add dev ens5 parent 1: protocol ip u32 match ip dport 514 0xffff flowid 1:30
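
Because the log class (1:30) is guaranteed only 1kbit, it is worth checking its counters under load to see whether log traffic is being dropped or queued. The following is an added example, not part of the original post: it parses the output of "tc -s class show dev ens5"; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example: summarise HTB class counters for the classes created above.
# Function names are hypothetical; sample_tc_output is constructed data in
# the layout printed by `tc -s class show dev ens5`.

# stdin:  `tc -s class show` output
# stdout: "<classid> <sent_bytes> <dropped> <backlog_pkts>" per class
tc_class_summary() {
    awk '
        $1 == "class" && $2 == "htb" { id = $3; next }
        id != "" && $1 == "Sent"     { sent = $2; drop = $7 + 0; next }
        id != "" {
            for (i = 1; i <= NF - 2; i++)
                if ($i == "backlog") {
                    print id, sent, drop, $(i + 2) + 0   # "12p" -> 12
                    id = ""
                }
        }'
}

# Exit 1 if the class (default 1:30, the log class) shows drops or a standing
# backlog, exit 2 if the class is missing, exit 0 otherwise.
log_class_check() {
    tc_class_summary | awk -v c="${1:-1:30}" '
        $1 == c { seen = 1
                  if ($3 > 0 || $4 > 0) { print c ": dropped=" $3 " backlog=" $4; bad = 1 } }
        END     { if (!seen) { print c ": class not found"; exit 2 }
                  exit bad }'
}

# Constructed sample: high priority class idle, log class dropping and queueing.
sample_tc_output() {
    cat <<'EOF'
class htb 1:10 parent 1:1 leaf 10: prio 1 rate 900Mbit ceil 900Mbit burst 1125b cburst 1125b
 Sent 48211200 bytes 35120 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 35120 borrowed: 0 giants: 0
 tokens: 13 ctokens: 13
class htb 1:30 parent 1:1 leaf 30: prio 3 rate 1Kbit ceil 900Mbit burst 1600b cburst 1125b
 Sent 9120400 bytes 7210 pkt (dropped 184, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 18168b 12p requeues 0
 lended: 3 borrowed: 7207 giants: 0
 tokens: -1 ctokens: 13
EOF
}

# Live use: tc -s class show dev ens5 | log_class_check 1:30
```

Run from cron or a monitoring agent, a non-zero exit for 1:30 indicates that forwarded logs are being delayed or lost while higher priority traffic holds the link.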

Written with StackEdit.

Tips for libvirt

Connecting to a Remote and NAT-ed Hypervisor

I don’t know how, but not only did virt-manager control the remote libvirtd hypervisor, the VNC graphical console was also forwarded over the SSH tunnel.

Prerequisites:

  • RHEL 7
  • root user is not permitted SSH login.

Remote Internet Router:

  • enable SSH port forwarding from the remote Internet router to the remote hypervisor.

Remote Hypervisor:

Uncomment the following 2 lines in /etc/libvirt/libvirtd.conf

unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"

Then restart libvirtd:

systemctl restart libvirtd

Local Graphical Desktop:

Load your SSH key for the remote account and test connectivity:

ssh-add <ssh_private_key>
ssh -p <port> <user>@<ip>

Once you are happy it works correctly, you can close the SSH session.

Start virt-manager with a connection to the remote hypervisor:

  • virt-manager -c qemu+ssh://<user>@<ip>:<port>/system
