Configuring bandwidth limitation for the USG2000 or USG5000


Configure bandwidth limitation for the USG.

Bandwidth can be limited through traffic policing, traffic shaping, and interface rate limiting. Configure these three functions to implement traffic control.
1. Configuration procedure:
Configure traffic shaping (QoS GTS).
Configure traffic policing (QoS CAR).
Configure the interface bandwidth (QoS LR).
2. Configuration example:
USG_A and USG_B are interconnected through their GE interface 0/0/1 and GE interface 0/0/2. The server and PC1 can access the Internet through either USG_A or USG_B. The server and PC1 are on the same network segment as GE interface 0/0/3 of USG_A.
Apply the following traffic control policies for packets received by GE interface 0/0/2 of USG_B from the server and PC1:
Limit the rate of packets sent from the server to 54,000 kbit/s.
Limit the rate of packets sent from PC1 to 8000 kbit/s, and the rate of burst traffic to 15,000 kbit/s.
Apply the following traffic control policies for packets received and sent by GE interface 0/0/2 and GE interface 0/0/1 of USG_B:
Limit the rate of packets received by GE interface 0/0/2 of USG_B to 500,000 kbit/s.
Limit the rate to 1000 kbit/s for packets forwarded by GE interface 0/0/1 of USG_B to the Internet.
Network topology:
(Internal server and PC1)---(4)USG_A(1)---(2)USG_B(3)--Internet
Server: 1.1.1.1/8
PC1: 1.1.1.2/8
(1) 172.16.1.2
(2) 172.16.1.1
(3) 172.17.1.1/24
(4) 1.1.1.10/8
3. Configuration procedure:
Configure traffic policing, traffic shaping, and interface rate limiting as follows:
1. Configure traffic shaping on the outbound interface GE interface 0/0/1 of USG_A to ensure compliance with the traffic rate on GE interface 0/0/2 of USG_B.
2. Configure traffic policing on GE interface 0/0/2 of USG_B to limit the packets sent from the server and PC1.
3. Configure interface rate limiting for GE interface 0/0/1 of USG_B to limit the packets destined for the Internet.
4. Procedure:
a. For the USG series, add interfaces to security zones and configure inter-zone packet filtering to ensure normal network communication. The configuration procedure is not described here. For the USG BSR and HSR series, you do not need to add interfaces to security zones or configure packet filtering.
b. Configure IP addresses for interfaces. Configure routes to ensure normal network communication. The configuration procedure is not described here.
c. Configure traffic shaping on GE interface 0/0/1 of USG_A. Traffic shaping is applied to outgoing packets that exceed 500,000 kbit/s, to reduce the packet loss rate on GE interface 0/0/2 of USG_B.
<USG_A> system-view
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] qos gts any cir 500000 //Traffic shaping
[USG_A-GigabitEthernet0/0/1] quit
d. Configure traffic policing on GE interface 0/0/2 of USG_B.
<USG_B> system-view
[USG_B] acl number 2001
[USG_B-acl-basic-2001] rule permit source 1.1.1.1 0.0.0.0
[USG_B-acl-basic-2001] quit
[USG_B] acl number 2002
[USG_B-acl-basic-2002] rule permit source 1.1.1.2 0.0.0.0
[USG_B-acl-basic-2002] quit
[USG_B] interface GigabitEthernet 0/0/2 //Traffic policing
[USG_B-GigabitEthernet0/0/2] qos car inbound acl 2001 cir 54000 cbs 54000 green pass red discard
[USG_B-GigabitEthernet0/0/2] qos car inbound acl 2002 cir 8000 cbs 15000 green pass red discard
[USG_B-GigabitEthernet0/0/2] quit
e. Configure interface rate limiting on GE interface 0/0/1 of USG_B to ensure that the rate for GE interface 0/0/1 to send packets does not exceed 1000 kbit/s.
[USG_B] interface GigabitEthernet 0/0/1 //Interface rate limiting
[USG_B-GigabitEthernet0/0/1] qos lr cir 1000 cbs 500
[USG_B-GigabitEthernet0/0/1] quit
5. Verification:
On the USG, run display qos gts interface [ interface-type interface-number ] to view the traffic shaping configuration.
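The check below is an added example, not part of the original page or of Huawei's tooling: it parses the command lines from steps c to e, resolves each ACL to the host it matches, and compares the configured CIR values against the limits stated in the requirements. The names SESSION, EXPECTED, parse_limits and audit are hypothetical; the prompt and command syntax are taken from the transcript above.

```python
import re

# Command lines copied from steps c-e of the page (prompt plus command).
SESSION = """\
[USG_A-GigabitEthernet0/0/1] qos gts any cir 500000 //Traffic shaping
[USG_B-acl-basic-2001] rule permit source 1.1.1.1 0.0.0.0
[USG_B-acl-basic-2002] rule permit source 1.1.1.2 0.0.0.0
[USG_B-GigabitEthernet0/0/2] qos car inbound acl 2001 cir 54000 cbs 54000 green pass red discard
[USG_B-GigabitEthernet0/0/2] qos car inbound acl 2002 cir 8000 cbs 15000 green pass red discard
[USG_B-GigabitEthernet0/0/1] qos lr cir 1000 cbs 500
"""

# Limits the page asks for, in kbit/s: (device, interface, mechanism, source) -> CIR.
EXPECTED = {
    ("USG_A", "GigabitEthernet0/0/1", "gts", "any"): 500000,
    ("USG_B", "GigabitEthernet0/0/2", "car", "1.1.1.1"): 54000,
    ("USG_B", "GigabitEthernet0/0/2", "car", "1.1.1.2"): 8000,
    ("USG_B", "GigabitEthernet0/0/1", "lr", "any"): 1000,
}

PROMPT = re.compile(r"^\[(?P<dev>[^\]-]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.*?)\s*(?://.*)?$")

def parse_limits(session):
    """Return {(device, interface, mechanism, source): cir} for every qos line."""
    acls, limits = {}, {}
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not m["view"]:
            continue  # not a command typed inside an ACL or interface view
        dev, view, cmd = m["dev"], m["view"], m["cmd"]
        if view.startswith("acl-"):
            r = re.match(r"rule permit source (\S+) 0\.0\.0\.0$", cmd)
            if r:  # wildcard 0.0.0.0 matches exactly one host
                acls[(dev, view.rsplit("-", 1)[1])] = r[1]
            continue
        q = re.match(r"qos (gts|car|lr)\b(.*?)\bcir (\d+)", cmd)
        if not q:
            continue
        a = re.search(r"\bacl (\d+)", q[2])
        # An ACL that was never defined is reported as unresolved, not guessed.
        src = acls.get((dev, a[1]), "unresolved-acl-" + a[1]) if a else "any"
        limits[(dev, view, q[1], src)] = int(q[3])
    return limits

def audit(session, expected):
    """List (key, expected_cir, configured_cir) for each missing or wrong limit."""
    limits = parse_limits(session)
    return [(k, want, limits.get(k)) for k, want in expected.items() if limits.get(k) != want]
```

An empty list from audit(SESSION, EXPECTED) means every stated limit is configured as written; a changed CIR or a qos car line that references an undefined ACL shows up as a finding.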

Other related questions:
Configuring interface rate limiting for the USG2000 or USG5000
Configure interface rate limiting for the SRG, USG2000, and USG5000.
Configuration method: Run qos lr to configure rate limiting for interfaces.
Configuration example: Limit the rate to 1000 kbit/s for packets forwarded by GE interface 0/0/1 of the USG to the Internet.
Procedure:
1. For the USG series, add interfaces to security zones and configure inter-zone packet filtering to ensure normal network communication. The configuration procedure is not described here. For the USG BSR and HSR series, you do not need to add interfaces to security zones or configure packet filtering.
2. Configure IP addresses for interfaces of the USG. Configure routes to ensure normal network communication. The configuration procedure is not described here.
3. Configure LR on GE interface 0/0/1 of the USG to limit the traffic forwarded by this interface to the Internet.
<USG> system-view
[USG] interface GigabitEthernet 0/0/1 //Access the interface.
[USG-GigabitEthernet0/0/1] qos lr cir 1000 cbs 3000 //Limit the interface rate to 1 Mbit/s.
Verification: In any view of the USG, run display qos lr interface [ interface-type interface-number ] to view the interface rate limiting configuration.
[USG] display qos lr interface GigabitEthernet 0/0/1

How to configure bandwidth limiting on an AR?
Traffic shaping, traffic policing, and interface-based rate limiting can be configured to limit bandwidth.
1. Configuration commands:
The qos gts command configures traffic shaping.
The qos car command configures traffic policing.
The qos lr command configures interface bandwidth.
2. Log in to the web system, choose QoS > Traffic Management > Policy Parameter Configuration, and set parameters.

Configuring IPS for the USG2000 and USG5000
Configure IPS on the USG2000 or USG5000. The procedure is as follows:
1. Configure global IPS parameters.
system-view //Access the system view.
ips enable //Enable the IPS function.
system-view //Access the system view.
ips mode { protective | warning } //Configure the IPS operating mode.
2. Configure the IPS signature, upgrade the predefined signature, or configure a custom signature. The procedure for configuring a custom signature is as follows:
ips signature signature-id //Create a custom IPS signature and access the IPS signature view.
a. name name //Configure the name of the custom IPS signature.
b. protocol protocol-name [ [ severity { informational | notification | warning | error | critical } ] | [ direction { to-server | to-client | any } ] | [ source-ip { any | ip-address mask } ] | [ source-port { any | port-number | high | low } ] | [ destination-ip { any | ip-address mask } ] | [ destination-port { any | port-num | high | low } ] | [ offset { { packet | stream } offset-value | any } ] | [ max-stream-len { stream-len | any } ] ] * //Configure the protocol, severity, and direction of the custom IPS signature.
c. regex regex //Configure the description of behavioral characteristics of attacks.
3. Configure the IPS policy.
ips policy policy-name //Access the IPS policy view.
signature-set signature-set-name //Create a signature set and access the signature set view.
direction enable //Enable the function of filtering signatures in the signature set based on signature directions.
direction { { to-server | to-client | any } * | all } //Add signatures of the specified direction to the signature set.
severity enable //Enable the function of filtering signatures in the signature set based on signature severities.
severity { above | below } { informational | notification | warning | error | critical } //Add signatures of the specified severity to the signature set.
reliability enable //Enable the function of filtering signatures in the signature set based on signature reliability.
reliability { above | below } { low | medium | high } //Add signatures of the specified reliability to the signature set.
protocol enable //Enable the function of filtering signatures in the signature set based on protocols.
protocol { protocol-name &<1-10> | all } //Add signatures of the specified protocol to the signature set.
protocol enable //Enable the function of filtering signatures in the signature set based on categories.
category mode { or | and } //Configure the matching mode for categories in the signature set.
category { category-name &<1-10> | all } //Add signatures of the specified category to the signature set.
signature-set [ enable ] action { alert | block } //Configure the enabling status and response mode of the signature set.
signature-set move signature-set-name1 { before | after } signature-set-name2 //Modify the priority of the signature set.
ips policy policy-name //Create an IPS policy named policy-name.
override-signature signature-id enable action { block | alert } //Enable signature overriding and configure the response mode.
4. Apply the IPS policy.
policy zone zone-name //Access the intra-zone firewall policy view.
policy interzone zone-name1 vpn-instance vpn-instance-name zone-name2 { inbound | outbound } //Access the inter-zone firewall policy view.
policy policy-id //Create a firewall policy and access the policy ID view.
action permit //Configure the action of the firewall policy to permit.
policy ips ips-policy //Apply the IPS policy.
