Traffic Shaping; Policy Routing - D-Link DFL-1100 Manual

the system administrators if email alerting is converted. D-Link updates the attack database
periodically. There is two modes that can be configured, either Inspection Only or
Prevention. Inspection Only will only inspect the traffic and if the DFL-1100 sees anything it
will log, email an alert (if configured) and pass on the traffic, if Prevention is used the traffic
will be dropped and logged and if configured a email alert will be sent.

Traffic Shaping

The simplest way to obtain quality of service in a network, seen from a security as well as
a functionality perspective, is to have the components in the network, not the applications, be
responsible for network traffic control in well-defined choke points.
Traffic shaping works by measuring and queuing IP packets, in transit, with respect to a
number of configurable parameters. Differentiated rate limits and traffic guarantees based on
source, destination and protocol parameters can be created; much the same way firewall
policies are implemented.
There are three different priorities when configuring the traffic shaping, Normal, High and
Critical.
Limit works by limiting the inbound and outbound traffic to the specified speed. This is the
maximum bandwidth that can be used by traffic using this policy. Note however that if you
have other policies using limit; which in total is more then your total internet connection and
have configured the traffic limits on the WAN interface this limit is sometimes lowered to allow
traffic with higher priorities to have precedence.
By using Guarantee, you can traffic using a policy a minimum bandwidth, this will only
work if the traffic limits for the WAN interface are configured correctly.

Policy Routing

Normal routing can be said to be a simple form of policy based routing; the "policy" is the
routing table, and the only data that can be filtered on is the destination IP address of the
packet. What is commonly referred to as policy based routing, is, simply put, an extension of
what fields of the packet we look at to determine the routing decision. In the DFL-1100, each
rule in the firewall policy can specify its own routing decision; in essence, we route according
to the source and destination IP addresses and ports.
Policy based routing can for example be used to route certain protocols through
transparent proxies such as web caches and anti-virus scanners, without adding another point
of failure for the network as a whole. It's very important to know that the proxy must support
this also for it to work.
There are two ways to configure Policy Routing; both include specifying the Gateway to
send the traffic over. The first one, Redirect via routing (make gateway next hop), will just
reroute the traffic to the given gateway as if it was just another router. The second mode, Via
address translation (change destination IP), will change the destination IP in the IP header
and then pass the packet on to the gateway, used for example in transparent squid-proxy
setups.
34