Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Allocating Network Bandwidth Using Traffic Shaping Options


Use the traffic shaping option to allocate an appropriate amount of network bandwidth to every user and application on a specific device interface. The appropriate amount of bandwidth is defined as cost-effective carrying capacity at a guaranteed quality of service (QoS). To classify traffic, you create security policies and specify the amount of guaranteed bandwidth and maximum bandwidth, and the priority for each class of traffic. You can also shape traffic at the policy level to allocate bandwidth for particular types of traffic.

Guaranteed bandwidth and maximum bandwidth are not strictly policy based but, with multiple physical interfaces in the egress zone, are based on both policy and total egress physical interface bandwidth available. The physical bandwidth of every interface is allocated to the guaranteed bandwidth parameter for all policies. If there is any bandwidth left over, it is sharable by any other traffic. In other words, each policy gets its guaranteed bandwidth and shares whatever is left over, on a priority basis (up to the limit of its maximum bandwidth specification), with all other policies. Refer to Setting Physical Link Attributes for Interfaces for more information describing how to configure physical settings on the device interface.

Using the traffic shaping option, you can configure the following traffic shaping parameters:

  • Priority Levels—You can use the Traffic Shaping screen to perform priority queuing on bandwidth that is not allocated to guaranteed bandwidth, or unused guaranteed bandwidth. Queuing allows the security device to buffer traffic in up to eight different priority queues. The security device maps the eight priority levels to the first three bits in the DiffServ field, or to the IP precedence field in the ToS byte in the IP packet header. By default, the highest priority (priority 0) on the security device maps to 111 in the IP precedence field. The lowest priority (priority 7) maps to 000 in the IP precedence field.

  • Traffic Shaping Mode—Traffic shaping is automatically determined by the device, but you can set it to on or off.

  • Clear DSCP Class Selector—The class selector controls the number of bits affected in the DiffServ field. By default, the priority levels affect only the first three bits in the eight bit DiffServ field. The remaining bits are untouched, but can be altered by an upstream router, which might change the IP priority preference. When the DSCP class selector is enabled, the class selector zeroes the remaining five bits in the DiffServ field, which prevents upstream routers from altering priority levels.

  • DiffServ code point Group Marking and DSCP Group—Sometimes the DSCP value is already marked for incoming traffic in a policy. The device does not need to mark the DSCP value again during a policy match. By enabling the DiffServ code point Group Marking option, you can avoid repeated marking of DSCP values in a policy. When the DiffServ code point Group Marking option is enabled, you can create DSCP Groups. NSM goes through all the DSCP groups in the DSCP Group list to remove repeated marking of the DSCP values.

    You can add a new DSCP Group, modify or delete an existing group using the Add, Edit or Delete icons. You can create or delete multiple DSCP Group ranges for a single DSCP Group.

For a more detailed explanation about configuring traffic shaping on security devices, see the “Fundamentals” volume in the Concepts & Examples ScreenOS Reference Guide.