Bandwidth sharing among security zones on the USG6000 series

How is bandwidth shared among security zones?
The USG6000 series supports two methods of bandwidth sharing. Assume that the demilitarized zone (DMZ) and trust zone need to share 20 Mbit/s of uplink bandwidth.
Method 1:
Configure a traffic profile and set the reference mode to exclusive.
[sysname] traffic-policy
[sysname-policy-traffic] profile up_20m
[sysname-policy-traffic-profile-up_20m] bandwidth reference-mode per-rule
[sysname-policy-traffic-profile-up_20m] bandwidth maximum-bandwidth whole upstream 20000
[sysname-policy-traffic-profile-up_20m] quit
Reference the configured traffic profile in a traffic policy.
[sysname-policy-traffic] rule name 1
[sysname-policy-traffic-rule-1] source-zone dmz trust
[sysname-policy-traffic-rule-1] destination-zone untrust
[sysname-policy-traffic-rule-1] action qos profile up_20m

Method 2:
Configure a traffic profile and set the reference mode to shared.
[sysname] traffic-policy
[sysname-policy-traffic] profile up_20m
[sysname-policy-traffic-profile-up_20m] bandwidth reference-mode rule-shared
[sysname-policy-traffic-profile-up_20m] bandwidth maximum-bandwidth whole upstream 20000
[sysname-policy-traffic-profile-up_20m] quit
Configure two traffic policy rules and have both rules reference the configured traffic profile.
[sysname-policy-traffic] rule name 1
[sysname-policy-traffic-rule-1] source-zone dmz
[sysname-policy-traffic-rule-1] destination-zone untrust
[sysname-policy-traffic-rule-1] action qos profile up_20m
[sysname-policy-traffic-rule-1] quit
[sysname-policy-traffic] rule name 2
[sysname-policy-traffic-rule-2] source-zone trust
[sysname-policy-traffic-rule-2] destination-zone untrust
[sysname-policy-traffic-rule-2] action qos profile up_20m
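
The following audit helper is an added example, not Huawei's code or part of the original page. It parses the traffic-policy commands shown above and reports which source zones end up competing for the same upstream limit, and it flags rules that reference a profile name that was never defined. The function name bandwidth_pools is hypothetical, and the mode semantics are an assumption taken from the page's wording (per-rule is "exclusive", so each rule gets its own limit; rule-shared is "shared", so all referencing rules share one limit).

```python
import re
from collections import defaultdict

PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # leading "[sysname-...]" view prompt

# Constructed sample: the Method 2 commands from this page (quit lines omitted).
METHOD_2 = """\
[sysname-policy-traffic] profile up_20m
[sysname-policy-traffic-profile-up_20m] bandwidth reference-mode rule-shared
[sysname-policy-traffic-profile-up_20m] bandwidth maximum-bandwidth whole upstream 20000
[sysname-policy-traffic] rule name 1
[sysname-policy-traffic-rule-1] source-zone dmz
[sysname-policy-traffic-rule-1] action qos profile up_20m
[sysname-policy-traffic] rule name 2
[sysname-policy-traffic-rule-2] source-zone trust
[sysname-policy-traffic-rule-2] action qos profile up_20m
"""

def bandwidth_pools(cli_text):
    """Return (pools, errors); a pool is (profile, limit, source zones sharing it)."""
    profiles, rules, errors = {}, {}, []
    profile = rule = None
    for raw in cli_text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if words[:1] == ["profile"]:
            profile, rule = words[1], None
            profiles[profile] = {"mode": None, "limit": None}
        elif words[:2] == ["rule", "name"]:
            rule, profile = words[2], None
            rules[rule] = {"zones": [], "profile": None}
        elif words[:2] == ["bandwidth", "reference-mode"] and profile:
            profiles[profile]["mode"] = words[2]
        elif words[:2] == ["bandwidth", "maximum-bandwidth"] and profile:
            profiles[profile]["limit"] = int(words[-1])  # value as typed on the CLI
        elif words[:1] == ["source-zone"] and rule:
            rules[rule]["zones"] += words[1:]
        elif words[:3] == ["action", "qos", "profile"] and rule:
            rules[rule]["profile"] = words[3]
    pools, shared = [], defaultdict(set)
    for name, r in rules.items():
        p = profiles.get(r["profile"])
        if p is None:  # rule points at a profile that was never configured
            errors.append(f"rule {name}: profile {r['profile']!r} is not defined")
        elif p["mode"] == "rule-shared":  # assumed: one limit across all rules
            shared[r["profile"]].update(r["zones"])
        else:  # assumed: per-rule gives each rule its own copy of the limit
            pools.append((r["profile"], p["limit"], sorted(r["zones"])))
    pools += [(n, profiles[n]["limit"], sorted(z)) for n, z in shared.items()]
    return pools, errors
```

Under these assumptions, switching the Method 2 profile to per-rule without merging the two rules yields two separate pools rather than one shared limit, which is the misconfiguration this check is meant to surface.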

Other related questions:
Types of security zones for the USG6000 series
The default security zones include Untrust, DMZ, Trust, and Local.

Whether security zones of the USG6000 series can be of the same level
The levels of different security zones cannot be the same.

Security zone level restrictions on the USG series
The security level ranges from 1 to 100. The larger the value, the higher the security level. The VPN instance supports a maximum of 32 security zones, including four default zones, and each virtual firewall supports a maximum of eight security zones, including four default zones.

Assigning interfaces to security zones on the USG6000
To assign interfaces to a security zone, proceed as follows:
1. Run the firewall zone command to access the corresponding zone.
2. Run the add interface command to add the corresponding interface.

Definition of the security level of a security zone on the firewall
In a VPN instance, each security zone has a globally unique security priority. That is, no two security zones in a VPN instance have the same security priority. The security level ranges from 1 to 100. A larger value indicates a higher security level. By default, the device has four security zones, and their security levels are as follows:
1. The Untrust zone is a security zone with a low security level, namely, 5. It is usually used to define insecure networks, such as the Internet.
2. The DMZ is a security zone with a medium security level, namely, 50. It is usually used to define the zone where the intranet servers reside. Devices of this type are deployed on the intranet but are frequently accessed from the extranet, which poses large security risks. In addition, they are not allowed to proactively access the extranet. Therefore, they are deployed in a zone whose security level is lower than Trust but higher than Untrust.
3. The Trust zone is a security zone with a relatively high security level, namely, 85. It is usually used to define the zone where the intranet device users reside.
4. The Local zone is the security zone with the highest security level, namely, 100. The Local zone is the device itself, including the interfaces on the device. All packets constructed on and proactively sent from the device are regarded as coming from the Local zone; those to be responded to and processed by the device (including the packets to be detected or directly forwarded) are regarded as destined for the Local zone. Users cannot change Local zone configurations, for example, by adding interfaces to the Local zone.
You cannot delete a default security zone or reset its security level. You can also create security zones and define their security levels as required.
