Traffic Shaping Citrix and VOIP bridged

In this scenario we configure Gibraltar as a transparent traffic shaper on a computer equipped with two network interface cards. The two cards are combined into a bridge, which is what makes the transparent mode possible. The goal of this scenario is to guarantee the critical corporate protocol ICA of the Citrix terminal server environment at least 35 % of the available bandwidth. Voice over IP also has to be guaranteed at least 35 % of the bandwidth. Because of latency, the remaining traffic gets at most 75 % of the total bandwidth. This is a must if your provider does not support QoS based on TOS bits (most providers don't). Furthermore, only 95 % of the total bandwidth may be used at all, to ensure optimal functionality. The initial situation is as follows:

 

Headquarters with 2048/2048 kbit (down/up) internet bandwidth (192.168.0.0/24), IP telephone system: 192.168.0.100
Site 1 with 4096/1024 kbit (down/up) internet bandwidth (192.168.1.0/24), IP telephone system: 192.168.1.100
Site 2 with 1024/1024 kbit (down/up) internet bandwidth (192.168.2.0/24), IP telephone system: 192.168.2.100

 

The sites are already connected to the headquarters through a secure IPSec tunnel built with a third-party product.

 

[Figure: shaping_szenario_bridge]

 

System Requirements

A computer with two compatible network interface cards or a Gibraltar Security Gateway.

 

 

Configuration Headquarter

 

Installation of Gibraltar

 

Please install Gibraltar as described in chapter Installation.

 

System configuration

 

System configuration as described in Scenario 1.

 

Network settings - Network interface cards

 

1.Choose Network in the main menu.
2.Choose the tab of the interface eth1.
3.Interface: Enter the desired name for this network interface (e.g. "int0", so that you can clearly identify the interface for the internal network).
4.Start automatically: Mark this checkbox to start the network interface automatically when Gibraltar boots.
5.Save: Confirm your changes by clicking the button Save.
6.Choose the tab of the interface eth0.
7.Interface: Enter the desired name for this network interface (e.g. "ext0", so that you can clearly identify the interface for the external network).
8.Start automatically: Mark this checkbox to start the network interface automatically when Gibraltar boots.
9.Save: Confirm your changes by clicking the button Save.
10.Choose the tab Bridging.
11.Interface: Assign a name to the bridge (e.g. "myBridge").
12.Static IPs: Change the IP address in the text field IP address/netmask to the address you intend for Gibraltar (CIDR notation, e.g. 192.168.1.1/24). You can continue the configuration over this bridge address later.
13.Bridged Interfaces: Choose the interfaces "int0" and "ext0".
14.Save: Confirm your changes by clicking the button Save to create the bridge.

 

ATTENTION: Changing the IP address of the network card you use to access Gibraltar interrupts the connection. Adapt the IP address on your workstation accordingly.

 

Firewall rules

 

1.Choose Firewall in the main menu.
2.Interface: Choose the value "int0 bridged" from the select box incoming for the internal network interface and the value "ext0 bridged" from the select box outgoing for the external network interface. Click the button Go!. GibADMIN now displays all filter rules for packets that come from the network interface "int0" and go to the network interface "ext0".
3.Add Rule: Click this button to add a new rule in this range ("int0 -> ext0"). The browser redirects to a detail form.
4.Source address: Choose ANY from the select box to allow all source addresses.
5.Destination address: Choose ANY from the select box to allow all destination addresses.
6.Comment: Enter a comment about the rule. The other fields can be left blank in this case.
7.Save: Confirm your changes by clicking the button Save.

 

Add another rule from incoming "ext0 bridged" to outgoing "int0 bridged" with the same settings.

 

IMPORTANT: Now position Gibraltar so that the internal interface is attached to the switch of the internal LAN and the external interface leads directly to the router (possibly with a crossover cable). Gibraltar is now in transparent mode and able to regulate the traffic from the internal network to the external network.

 

A service now has to be defined for the shaping rules. It has to be defined on the ICA source ports, because the rules are defined for the headquarters.

 

Network - Definitions

 

1.Choose Network in the main menu.
2.Choose Definitions in the sub menu.
3.Choose the tab Host/Net Aliases.
4.Define one host/net alias for site 1 and one for site 2 (e.g. net1 - 192.168.1.0/24 and net2 - 192.168.2.0/24).
5.Define a host/net alias "voip" for the telephone system 192.168.0.100.
6.Save: Confirm your changes by clicking the button Save.

 

The following steps are necessary to be able to manage the total bandwidth:

Definition of the bandwidth of each interface
Classifying the traffic to assign it to the shaping rules
Creating the shaping rules for the regulation

 

Traffic shaping

 

1.Choose Traffic shaping in the main menu.
2.Choose the tab General Settings.
3.Bandwidths: Define the value "2048" for the interface "ext0" for both upload and download.
4.Save: Confirm your changes by clicking the button Save.
5.Choose the tab Classification.
6.Add classification: Click this button to add a new classification for the ICA source ports.
7.Name: Enter a name for the new classification (e.g. "icaSource").
8.Source address, Destination address: Select the value ANY from the select boxes.
9.Service: Select the value "ica_source" from the select box.
10.TOS: Select the value "Minimize Delay".
11.Save: Confirm your changes by clicking the button Save.
12.Cancel: Click this button to get back to the overview.
13.Add classification: Click this button to add a new classification for the ICA destination ports.
14.Name: Enter a name for the new classification (e.g. "icaDest").
15.Source address, Destination address: Select the value ANY from the select boxes.
16.Service: Select the value "ica_destination" from the select box.
17.TOS: Select the value "Minimize Delay".
18.Save: Confirm your changes by clicking the button Save.
19.Cancel: Click this button to get back to the overview.
20.Add classification: Click this button to add a new classification for the packets sent by the telephone system.
21.Name: Enter a name for the new classification (e.g. "voipSource").
22.Source address: Select the value "voip" from the select box.
23.Destination address: Select the value "voip" from the select box.
24.TOS: Select the value "Minimize Delay".
25.Save: Confirm your changes by clicking the button Save.
26.Cancel: Click this button to get back to the overview.
27.Add classification: Click this button to add a new classification for the packets sent to the telephone system.
28.Name: Enter a name for the new classification (e.g. "voipDest").
29.Source address: Select the value ANY from the select box.
30.Destination address: Select the value "voip" from the select box.
31.TOS: Select the value "Minimize Delay".
32.Save: Confirm your changes by clicking the button Save.
33.Cancel: Click this button to get back to the overview.
34.Add classification: Click this button to add a new classification for ICMP. ICMP should be regulated by default so that error diagnosis keeps working.
35.Name: Enter a name for the new classification (e.g. "icmp").
36.Source address, Destination address: Select the value ANY from the select boxes.
37.Service: Select the value "CUSTOM" from the select box.
38.Protocol: Select the value "ICMP".
39.TOS: Select the value "Minimize Delay".
40.Save: Confirm your changes by clicking the button Save.
41.Cancel: Click this button to get back to the overview.
42.Add classification: Click this button to add a new classification for the remaining traffic.
43.Name: Enter a name for the new classification (e.g. "rest").
44.Source address, Destination address: Select the value ANY from the select boxes.
45.Save: Confirm your changes by clicking the button Save.

 

ICMP and ICA traffic are combined into a group "ica". Both VoIP classifications are also combined into a group, because each group has to be regulated as a whole.

 

1.Choose the tab Classification Group.
2.Add group: Click this button to add a new classification group containing "icaSource", "icaDest" and "icmp".
3.Name: Enter a name for the group (e.g. "ica").
4.Add member: Choose the members "icaSource", "icaDest" and "icmp".
5.Save: Confirm your changes by clicking the button Save.
6.Cancel: Click this button to get back to the overview.
7.Add group: Click this button to add a new classification group containing "voipSource" and "voipDest".
8.Name: Enter a name for the group (e.g. "voip").
9.Add member: Choose "voipSource" and "voipDest".
10.Save: Confirm your changes by clicking the button Save.

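As an added example that is not part of this documentation and not Gibraltar's own code, the following Python model re-implements the classification order above and assigns constructed sample packets to the groups "ica" and "voip" or to the classification "rest". Two things are assumptions of the example rather than statements of the page: the services "ica_source" and "ica_destination" are taken to match Citrix ICA on TCP port 1494 as source or destination port, and "voipSource" is modelled with destination ANY (the mirror image of "voipDest") so that calls from the telephone system to the sites are caught.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption of this example: the Gibraltar services "ica_source" and
# "ica_destination" correspond to Citrix ICA on TCP port 1494.
ICA_PORT = 1494

# Host/net aliases from the section "Network - Definitions".
ALIASES = {
    "net1": ip_network("192.168.1.0/24"),
    "net2": ip_network("192.168.2.0/24"),
    "voip": ip_network("192.168.0.100/32"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


def _in_alias(addr: str, alias: Optional[str]) -> bool:
    """ANY is modelled as None and matches every address."""
    return alias is None or ip_address(addr) in ALIASES[alias]


# Classifications in the order they are created on the page:
# (name, source alias or None for ANY, destination alias or None for ANY, service match).
# "voipSource" is modelled with destination ANY (assumption of this example).
CLASSIFICATIONS = [
    ("icaSource", None, None, lambda p: p.proto == "tcp" and p.sport == ICA_PORT),
    ("icaDest", None, None, lambda p: p.proto == "tcp" and p.dport == ICA_PORT),
    ("voipSource", "voip", None, lambda p: True),
    ("voipDest", None, "voip", lambda p: True),
    ("icmp", None, None, lambda p: p.proto == "icmp"),
    ("rest", None, None, lambda p: True),   # catch-all, must stay last
]

# Classification groups from the section above.
GROUPS = {
    "ica": {"icaSource", "icaDest", "icmp"},
    "voip": {"voipSource", "voipDest"},
}


def classify(p: Packet) -> str:
    """Return the first classification whose source, destination and service match."""
    for name, src, dst, match in CLASSIFICATIONS:
        if _in_alias(p.src, src) and _in_alias(p.dst, dst) and match(p):
            return name
    raise AssertionError("unreachable: 'rest' matches everything")


def rule_member(p: Packet) -> str:
    """Map a packet to the member used in the shaping rules: a group name, or "rest"."""
    name = classify(p)
    for group, members in GROUPS.items():
        if name in members:
            return group
    return name


# Constructed sample traffic as seen on the headquarters' bridge.
SAMPLE = {
    "ica_session_to_site1": Packet("192.168.0.10", "192.168.1.50", "tcp", sport=ICA_PORT, dport=40123),
    "ica_reply_from_site1": Packet("192.168.1.50", "192.168.0.10", "tcp", sport=40123, dport=ICA_PORT),
    "call_to_site1_phones": Packet("192.168.0.100", "192.168.1.100", "udp", sport=5060, dport=5060),
    "call_from_site2_phones": Packet("192.168.2.100", "192.168.0.100", "udp", sport=5060, dport=5060),
    "ping_to_site2": Packet("192.168.0.10", "192.168.2.1", "icmp"),
    "raw_print_job_to_site1": Packet("192.168.0.10", "192.168.1.20", "tcp", sport=50000, dport=9100),
}


def sample_members() -> dict:
    """Classify every constructed sample packet and return label -> rule member."""
    return {label: rule_member(p) for label, p in SAMPLE.items()}


if __name__ == "__main__":
    for label, member in sample_members().items():
        print(f"{label:24} -> {member}")
```

The order of the list matters: "rest" matches everything, so it has to be created last, exactly as the steps above do it, and a raw print job to port 9100 only lands in "rest" because no earlier classification claims it.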
 

To finish the configuration you must set the rules for the two sites. These rules are responsible for regulating the bandwidth. First we regulate the upload of the headquarters, which is the track "outgoing ext0".

 

1.Choose the tab Traffic shaping rules.
2.Track: Choose "outgoing ext0". Gibraltar now takes the predefined upload bandwidth of the track "ext0". This traffic represents the upload of the headquarters.
3.Add rule: Click this button to add a new rule.
4.Name: Enter a name for the new rule (e.g. "ruleNet1").
5.Add member: Click this button to add classifications or classification groups.
6.Choose the classification group "ica" and set the values "360" for Min and "1024" for Max.
7.Choose the classification group "voip" and set the values "360" for Min and "1024" for Max.
8.Choose the classification "rest" and set the values "250" for Min and "768" for Max.
9.Save: Confirm your changes by clicking the button Save.
10.Choose the tab Advanced.
11.Destination address: Choose the definition "net1", because this rule should only apply to this destination net.
12.Bandwidth (kbit) for nets: Choose the value "1024", as we only want to provide a maximum of 1024 kbit for this net. All traffic on the path headquarters -> site 1 must not exceed 1024 kbit.
13.Save: Confirm your changes by clicking the button Save.
14.Cancel: Click this button to return to the overview.
15.Add rule: Click this button to add a new rule.
16.Name: Enter a name for the new rule (e.g. "ruleNet2").
17.Add member: Click this button to add classifications or classification groups.
18.Choose the classification group "ica" and set the values "360" for Min and "1024" for Max.
19.Choose the classification group "voip" and set the values "360" for Min and "1024" for Max.
20.Choose the classification "rest" and set the values "250" for Min and "768" for Max.
21.Save: Confirm your changes by clicking the button Save.
22.Choose the tab Advanced.
23.Destination address: Choose the definition "net2", because this rule should only apply to this destination net.
24.Bandwidth (kbit) for nets: Choose the value "1024", as we only want to provide a maximum of 1024 kbit for this net. All traffic on the path headquarters -> site 2 must not exceed 1024 kbit.
25.Save: Confirm your changes by clicking the button Save.

 

Note:

To regulate all traffic of the headquarters it is also essential to limit the download traffic. Otherwise a download into the headquarters could block the upload packets of the sites.

 

1.Choose the tab Traffic shaping rules.
2.Track: Choose "incoming int0". Gibraltar now takes the predefined download bandwidth of the track "ext0". This traffic represents the download of the headquarters.
3.Add rule: Click this button to add a new rule.
4.Name: Enter a name for the new rule (e.g. "ruleDownload").
5.Add member: Click this button to add classifications or classification groups.
6.Choose the classification group "ica" and set the values "716" for Min and "2048" for Max.
7.Choose the classification group "voip" and set the values "716" for Min and "2048" for Max.
8.Choose the classification "rest" and set the values "500" for Min and "1536" for Max.
9.Save: Confirm your changes by clicking the button Save.

 

Since the download shaping does not need to be restricted to a particular net, no target net has to be defined on the tab Advanced.

 

Save config

 

1.Save the configuration to a USB stick or hard disk.

 

The traffic at both sites is now regulated on the basis of their different bandwidths. A print job, which usually travels inside an ICA flow, no longer causes a problem. To control the outgoing traffic of the sites, the following configuration is necessary:

 

Traffic shaping (site 1)

 

1.Choose Traffic shaping in the main menu.
2.Choose the tab General Settings.
3.Bandwidths: Define the values "1024" and "4096" for the upload and the download bandwidth of this site.
4.Save: Confirm your changes by clicking the button Save.
5.Now define the same classifications as in the headquarters!
6.Choose the tab Traffic shaping rules.
7.Track: Choose "outgoing ext0". Gibraltar now takes the predefined upload bandwidth of the track "ext0". This traffic represents the upload of site 1.
8.Add rule: Click this button to add a new rule.
9.Name: Enter a name for the new rule (e.g. "ruleHeadquarter").
10.Add member: Click this button to add classifications or classification groups.
11.Choose the classification group "ica" and set the values "360" for Min and "1024" for Max.
12.Choose the classification group "voip" and set the values "360" for Min and "1024" for Max.
13.Choose the classification "rest" and set the values "250" for Min and "768" for Max.
14.Save: Confirm your changes by clicking the button Save.
15.Cancel: Click this button to return to the overview.

 

It is also necessary to limit the download traffic at the sites. Do the following to achieve this:

 

1.Choose the tab Traffic shaping rules.
2.Track: Choose "incoming ext0". Gibraltar now takes the predefined download bandwidth of the track "ext0". This traffic represents the download of site 1.
3.Add rule: Click this button to add a new rule.
4.Name: Enter a name for the new rule (e.g. "ruleDownload").
5.Add member: Click this button to add classifications or classification groups.
6.Choose the classification group "ica" and set the values "360" for Min and "1024" for Max.
7.Choose the classification group "voip" and set the values "360" for Min and "1024" for Max.
8.Choose the classification "rest" and set the values "2000" for Min and "3072" for Max.
9.Save: Confirm your changes by clicking the button Save.
10.Cancel: Click this button to return to the overview.

 

Note:

In this scenario we do not have to give the VoIP or ICA traffic a maximum of 4096, as the maximum that comes from the headquarters is 1024 kbit. The most important thing is the limitation of the remaining traffic to 75 %, which provides a buffer for Voice over IP and ICA.

 

Complete the configuration for site 2 with a bandwidth value of 1024 for upload and download. This controls the traffic at both sites and prevents large print jobs or video streams from affecting your ICA sessions. A graphical report of the bandwidth regulation is available in the module Monitoring.
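As an added example that is not from this documentation and not Gibraltar's own code, the following Python helper checks the Min/Max values of the headquarters rules ("ruleNet1", "ruleDownload"), the site 1 rules and the site 2 values derived above against the percentages stated in the scenario (ICA and VoIP at least 35 %, remaining traffic at most 75 %, at most 95 % of the link in use), and maps one rule onto the Linux HTB class tree that an equivalent Linux bridge shaper would use (Min as rate, Max as ceil, the per-net bandwidth as an intermediate class). The HTB mapping and the peer_kbit parameter (the far end's cap on a path, used to express the note that at most 1024 kbit arrive from the headquarters) are assumptions of this example, not statements of the page.

```python
# Policy percentages from the scenario description.
POLICY = {"ica_min_pct": 35, "voip_min_pct": 35, "rest_max_pct": 75, "usable_pct": 95}

# Rule members as (Min, Max) in kbit, copied from the steps on this page.
HQ_RULE_NET1 = {"ica": (360, 1024), "voip": (360, 1024), "rest": (250, 768)}
HQ_RULE_DOWNLOAD = {"ica": (716, 2048), "voip": (716, 2048), "rest": (500, 1536)}
SITE1_UPLOAD = {"ica": (360, 1024), "voip": (360, 1024), "rest": (250, 768)}
SITE1_DOWNLOAD = {"ica": (360, 1024), "voip": (360, 1024), "rest": (2000, 3072)}
# Site 2 has 1024 kbit in both directions, so both of its tracks reuse the 1024 kbit values.
SITE2_RULE = {"ica": (360, 1024), "voip": (360, 1024), "rest": (250, 768)}


def check_rule(link_kbit, members, peer_kbit=None, policy=POLICY):
    """Return the list of policy violations for one rule (empty when it is consistent).

    peer_kbit (a parameter introduced by this example) is the far end's cap on this
    path when it is lower than the local link: the 35 % guarantees are checked
    against that effective bandwidth, which is the reasoning of the note about the
    site download rule (at most 1024 kbit ever arrive from the headquarters).
    """
    problems = []
    effective = link_kbit if peer_kbit is None else min(link_kbit, peer_kbit)
    for name, (lo, hi) in members.items():
        if not 0 <= lo <= hi <= link_kbit:
            problems.append(f"{name}: Min {lo}/Max {hi} must satisfy 0 <= Min <= Max <= {link_kbit}")
    total_min = sum(lo for lo, _ in members.values())
    usable = link_kbit * policy["usable_pct"] // 100
    if total_min > usable:
        problems.append(f"sum of Min values {total_min} exceeds {usable} ({policy['usable_pct']} % of the link)")
    for name, key in (("ica", "ica_min_pct"), ("voip", "voip_min_pct")):
        need = effective * policy[key] // 100
        if members[name][0] < need:
            problems.append(f"{name}: Min {members[name][0]} below {need} ({policy[key]} % of {effective} kbit)")
    rest_cap = link_kbit * policy["rest_max_pct"] // 100
    if members["rest"][1] > rest_cap:
        problems.append(f"rest: Max {members['rest'][1]} above {rest_cap} ({policy['rest_max_pct']} % of the link)")
    return problems


def htb_commands(dev, link_kbit, members, net_kbit=None):
    """Equivalent Linux tc/HTB tree for one rule: Min becomes rate, Max becomes ceil.

    Assumption of this example: this is how an equivalent Linux setup would express
    the rule, not Gibraltar's own commands. The 'Bandwidth (kbit) for nets' value
    becomes an intermediate class that caps everything beneath it; traffic that no
    classification claims falls into the last ("rest") class via 'default'.
    """
    cmds = [
        f"tc qdisc add dev {dev} root handle 1: htb default {len(members)}0",
        f"tc class add dev {dev} parent 1: classid 1:1 htb rate {link_kbit}kbit ceil {link_kbit}kbit",
    ]
    parent = "1:1"
    if net_kbit is not None:
        cmds.append(f"tc class add dev {dev} parent 1:1 classid 1:2 htb rate {net_kbit}kbit ceil {net_kbit}kbit")
        parent = "1:2"
    for i, (name, (lo, hi)) in enumerate(members.items(), start=1):
        cmds.append(f"tc class add dev {dev} parent {parent} classid 1:{i}0 htb "
                    f"rate {lo}kbit ceil {hi}kbit prio {i}  # {name}")
    return cmds


if __name__ == "__main__":
    for label, link, rule, peer in (("ruleNet1", 1024, HQ_RULE_NET1, None),
                                    ("ruleDownload (headquarters)", 2048, HQ_RULE_DOWNLOAD, None),
                                    ("ruleDownload (site 1)", 4096, SITE1_DOWNLOAD, 1024)):
        print(label, "->", check_rule(link, rule, peer) or "ok")
    print("\n".join(htb_commands("ext0", 2048, HQ_RULE_NET1, net_kbit=1024)))
```

Run without peer_kbit, the site 1 download rule is reported as giving ICA and VoIP less than 35 % of 4096 kbit; with peer_kbit=1024 it passes, which is exactly the point of the note above: the guarantees only have to cover what the headquarters can actually send.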

 

Save config

 

1.Save your configuration to a USB stick or hard disk.