This chapter explains how to set up resource management on a per-interface basis. This capability improves system and network performance for many types of network configurations, from corporate intranetworks, to local area networks, to virtual networks on a single system.
The chapter covers the following topics:
Task | Description | For Instructions
---|---|---
Manage traffic flows on a system to improve performance, efficiency, and observability | Isolate network traffic into individual flows. Then assign the flows a set amount of interface bandwidth and a priority among other flows. | How to Set Up and Configure Flow Control for a System on a Traditional Network
Manage traffic flows on a virtual network for system efficiency and for providing different types of services to each container of the virtual network. | Isolate the traffic on each container into individual flows. Assign traffic flows on each container a differing amount of bandwidth and priority, possibly to establish service level agreements. | To come
With interface-based resource management, you can isolate, prioritize, track, and control data traffic on an individual system. These features also enable you to improve the efficiency and performance of a network. Isolating types of data traffic is especially helpful for network provisioning, establishing service level agreements, billing clients, and diagnosing security problems. The concepts in this section pertain to traffic on an internal virtual network as well as to traffic on systems configured in traditional external networks.
Resource control helps to isolate processes to improve a system's efficiency and to make the processes easier to observe and track for accounting purposes. Configuring resource control involves organizing packet traffic on the interface into flows that have the same characteristics. These characteristics are derived from the information contained in the fields of an individual packet's header. Therefore, you can organize packet traffic into flows by one of the following characteristics:
IP address
Transport protocol name (UDP, TCP, or SCTP)
Application port number, for example, port 21 for FTP
DS field attribute, which is used for quality-of-service in IPv6 packets only. (For more information about the DS field, refer to DS Codepoint in System Administration Guide: IP Services.)
Note that a flow can be based only on one of the previously listed characteristics.
For example, you can create a flow for only FTP packets, or a flow for only the packets received from a particular source IP address. You cannot create a flow for packets on port number 21 (FTP) that come only from a specified IP address. Nor can you create a flow for all traffic from IP address 192.168.1.10 and then create further flows for transport layer traffic on 192.168.1.10.
Bandwidth management involves assigning a portion of the interface's bandwidth to each flow. Modern network interfaces with GLDv3 drivers, such as e1000g, bge, nge, and others, have large amounts of bandwidth available for assignment to flows. When you create a flow, you can allocate bandwidth to it and then give the flow a relative priority among all flows on the interface. Furthermore, if the system has processor sets, you can assign a CPU processor set to a flow.
The resulting set of rules that define the characteristics of all flows on a system make up the system's flow control policy. You implement these rules by using the flowadm command and its set-flowprop subcommand. For complete technical information, refer to the flowadm(1M) man page.
This chapter uses the term flow control to generically refer to both resource control and bandwidth management, unless the text specifically states otherwise.
This section shows how to set up flow control for a heavily used system on a traditional network. A proxy server in a small network is used as an example. However, the same generic procedures apply for configuring flow control on the interface of any system on your network.
The steps use the scenario shown in Interface-based Resource Control for a Traditional Network. This topology is typical of the networks in use at colleges or small businesses that host their own services and do not outsource their applications. The scenario is illustrated in Figure 10–3.
During the next task, you create a flow control policy to control traffic over both of the proxy server's interfaces. The task shows how to improve the proxy server's efficiency on its public side by doing the following for traffic over DMZ0:
Creating two flows to isolate web traffic, one flow for HTTP packets and a second flow for secure HTTPS packets.
Assigning a specific amount of the interface's bandwidth to each flow.
Prioritizing the two flows in comparison to other types of packet traffic.
The task then shows how to improve proxy server performance on the internal network by doing the following for traffic over internal1:
Creating separate flows for the application server, database server, and backup server.
Using the IP address of each server as the identifier for packet traffic from the proxy to the application server.
Not creating flows for traffic from the individual systems on subnet 10.10.12.0/24.
You use the flowadm and dladm commands throughout the procedure. For detailed technical information about these commands, refer to the dladm(1M) and the flowadm(1M) man pages.
This procedure assumes that you are using a system with at least two interfaces. However, you can use the flowadm command as shown in the next steps to configure flow control for a single-interface host.
The procedure assumes that the interfaces nge0 and nge1 have already been renamed to DMZ0 and internal0, respectively.
You do not have to change the interface device names to use the steps in this procedure. However, many sites might prefer to create their own link names to provide more clarity for their configurations. To change the device name of an interface, refer to How to Rename a Data Link.
On the system where you set up flow control, become superuser or assume the equivalent root role.
To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.
Check the status of the links.
```
# dladm show-link
LINK        CLASS    MTU    STATE     OVER
internal0   phys     1500   up        --
e1000g0     phys     1500   unknown   --
e1000g1     phys     1500   unknown   --
DMZ0        phys     1500   up        --
```
Note that the nge interfaces are now listed by their new link names.
Verify that the interfaces are plumbed and up on the IP layer.
```
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
DMZ0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.10.6.5 netmask ff000000 broadcast 10.255.255.255
        ether 0:14:4f:94:d0:60
internal0: flags=201000849<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.10.12.42 netmask ffffff00 broadcast 10.10.10.255
        ether 0:10:20:30:40:aa
```
The output verifies that the interfaces are plumbed and listed by their link names.
Create a flow to isolate traffic by the port number of the application.
Specify the port number and the associated transport layer protocol of the application to the flowadm command. Use the following syntax:
```
# flowadm add-flow -l link-name -a transport=name,port-number flow-name
```
The -l option is followed by the link name. The -a option is followed by the attributes of the flow that you want to configure. Use the following attributes for a flow that is defined by the port number of the application:
name: Name of the transport layer protocol that is used in conjunction with the application's port number. Possible values include TCP, UDP, SCTP, ICMP, and ICMPv6.
port-number: Port number of the application whose packets you want to isolate into a flow. You must also indicate whether the packets are flowing through the system's local port or arriving from a remote system's port. To find out the port number of an application, consult the /etc/services file, as explained in the services(4) man page.
flow-name: Name that you create for the flow.
For example, use the following commands to create flows for the DMZ0 link that is shown in Figure 10–3:
```
# flowadm add-flow -l DMZ0 -a transport=tcp,local_port=80 httpflow
# flowadm add-flow -l DMZ0 -a transport=tcp,local_port=443 httpsflow
```
The flow httpflow isolates traffic for the HTTP application, which runs over the standard port 80 on the proxy server. The flow httpsflow isolates traffic for the HTTPS application, which runs over the standard port 443.
Verify the status of the flows on a link.
Use the following syntax for the show-flow subcommand of flowadm:
```
flowadm show-flow -l link-name
```
The next example shows how to display the status of the DMZ0 link.
```
# flowadm show-flow -l DMZ0
NAME        LINK   ATTR         VALUE
httpsflow   DMZ0   ip_version   4
                   transport    tcp
                   local_port   443
httpflow    DMZ0   ip_version   4
                   transport    tcp
                   local_port   80
```
Add bandwidth controls to a flow.
Use the following syntax of the set-flowprop subcommand of flowadm:
```
flowadm set-flowprop -p flow-properties flow-name
```
You can specify any of the following for flow-properties:
maxbw: Maximum amount of bandwidth that packets in this flow can use on the link.
priority: Priority to give to packets in this flow, in relation to other flows on the link. The possible values are high, normal, or low.
cpus: Processor set to which packets of the flow are allocated, for systems that have multiple processor sets.
For example, for the flows on the DMZ0 link, you might set the following bandwidths:
```
# flowadm set-flowprop -p maxbw=100 httpflow
# flowadm set-flowprop -p maxbw=100 httpsflow
```
These flows set a bandwidth limit on both the open and secure HTTP services on link DMZ0 of the proxy server shown in Figure 10–3.
Create flows to isolate traffic from a host by IP address.
Use the following syntax:
```
flowadm add-flow -l link-name -a local_ip=IP-address | remote_ip=IP-address flow-name
```
For example, in Figure 10–3, the proxy server acts as a proxy for three servers on internal network 10.10.12.0/24. This system also forwards packets for users on network 10.10.12.0/24. To create flows to separate the traffic from the three servers, you would do the following:
```
flowadm add-flow -l internal0 -a local_ip=10.10.12.45 app-flow
flowadm add-flow -l internal0 -a local_ip=10.10.12.46 db-flow
flowadm add-flow -l internal0 -a local_ip=10.10.12.47 backup-flow
```
You do not need to create a separate flow for user packet traffic.
Set priorities for a flow.
When you set priorities, flows are assigned importance in comparison to each other. The three priority settings are high, normal, and low. You use the set-flowprop subcommand of flowadm, as shown in Step 7, to set flow priority.
For example, you might set priorities for the flows from the three servers on network 10.10.12.0/24 in Figure 10–3 as follows:
Give the application server a medium amount of bandwidth and high priority.
Give the database server slightly less bandwidth and high priority.
Give the backup server a narrow bandwidth and low priority.
On a system with processor sets, you can also assign CPUs to flows, as shown in the syntax in Step 7. You can isolate a flow further by assigning a specified number of CPUs to it. For example, the proxy server in Figure 10–3 has 16 processor sets, which you can assign to particular flows.
Here are the set-flowprop policies for the internal servers shown in Figure 10–3:
```
# flowadm set-flowprop -p maxbw=100,priority=high,cpus=2 app-flow
# flowadm set-flowprop -p maxbw=100,priority=high,cpus=3 db-flow
# flowadm set-flowprop -p maxbw=10,priority=low,cpus=4 backup-flow
```
Verify that the flows now exist on the system's interfaces.
```
# flowadm show-flow
NAME          LINK        ATTR         VALUE
app-flow      internal0   ip_version   4
                          local_ip     10.10.12.45/
db-flow       internal0   ip_version   4
                          local_ip     10.10.12.46/
backup-flow   internal0   ip_version   4
                          local_ip     10.10.12.47/
httpsflow     DMZ0        ip_version   4
                          transport    tcp
                          local_port   443
httpflow      DMZ0        ip_version   4
                          transport    tcp
                          local_port   80
```
This example contains the steps for setting flow control on the interfaces of the proxy server that is shown in Interface-based Resource Control for a Traditional Network. Five flows are created with the following characteristics:
httpflow: Created on link DMZ0 over interface nge0. This flow contains HTTP packets, which flow through the local port 80.
httpsflow: Created on link DMZ0 over interface nge0. This flow contains secure HTTP packets, which flow through the local port 443.
app-flow: Created on link internal0 over interface nge1. This flow contains all traffic from IP address 10.10.12.45, which is the address of an application server on the network.
db-flow: Created on link internal0 over interface nge1. This flow contains all traffic from IP address 10.10.12.46, which is the address of a database server on the network.
backup-flow: Created on link internal0 over interface nge1. This flow contains all traffic from IP address 10.10.12.47, which is the address of a backup server on the network.
```
# dladm show-phys
LINK      MEDIA      STATE     SPEED   DUPLEX   DEVICE
nge1      Ethernet   up        1000    full     nge1
e1000g0   n          unknown   0       half     e1000g0
e1000g1   n          unknown   0       half     e1000g1
nge0      Ethernet   up        1000    full     nge0
# dladm show-link
LINK        CLASS    MTU    STATE     OVER
internal0   phys     1500   up        --
e1000g0     phys     1500   unknown   --
e1000g1     phys     1500   unknown   --
DMZ0        phys     1500   up        --
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
DMZ0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.10.6.5 netmask ff000000 broadcast 10.255.255.255
        ether 0:14:4f:94:d0:60
internal0: flags=201000849<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.10.12.42 netmask ffffff00 broadcast 10.10.10.255
        ether 0:10:20:30:40:aa
# flowadm add-flow -l DMZ0 -a transport=tcp,local_port=80 httpflow
# flowadm add-flow -l DMZ0 -a transport=tcp,local_port=443 httpsflow
# flowadm set-flowprop -p maxbw=100 httpflow
# flowadm set-flowprop -p maxbw=100 httpsflow
# flowadm add-flow -l internal0 -a local_ip=10.10.12.45 app-flow
# flowadm add-flow -l internal0 -a local_ip=10.10.12.46 db-flow
# flowadm add-flow -l internal0 -a local_ip=10.10.12.47 backup-flow
# flowadm set-flowprop -p maxbw=100,priority=high,cpus=2 app-flow
# flowadm set-flowprop -p maxbw=100,priority=high,cpus=3 db-flow
# flowadm set-flowprop -p maxbw=10,priority=low,cpus=4 backup-flow
# flowadm show-flow
NAME          LINK        ATTR         VALUE
app-flow      internal0   ip_version   4
                          local_ip     10.10.12.45/
db-flow       internal0   ip_version   4
                          local_ip     10.10.12.46/
backup-flow   internal0   ip_version   4
                          local_ip     10.10.12.47/
httpsflow     DMZ0        ip_version   4
                          transport    tcp
                          local_port   443
httpflow      DMZ0        ip_version   4
                          transport    tcp
                          local_port   80
```
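The following dry-run planner is an added example, not part of this guide or of the flowadm tool. It encodes the chapter's rule that a flow is based on exactly one characteristic (IP address, transport, transport plus port, or DS field), rejects attribute strings that mix characteristics (such as an IP address combined with a port, which the text above says cannot be a flow), and prints the flowadm commands for the proxy-server policy so they can be reviewed before being run as root. The policy table and flow names are the ones from this chapter; the helper names are constructed here.

```shell
# Added example: validate a flowadm policy offline and print the commands to apply it.
# Classify a -a attribute string as ip, port, transport, dsfield, or invalid (mixed).
flow_kind() {
    attrs=$1; has_ip=0; has_port=0; has_transport=0; has_ds=0
    old_ifs=$IFS; IFS=,
    for kv in $attrs; do
        case $kv in
            local_ip=*|remote_ip=*) has_ip=1 ;;
            *_port=*)               has_port=1 ;;
            transport=*)            has_transport=1 ;;
            dsfield=*)              has_ds=1 ;;
            *) IFS=$old_ifs; echo invalid; return 1 ;;
        esac
    done
    IFS=$old_ifs; kind=""; n=0
    if [ $has_ip -eq 1 ]; then kind=ip; n=$((n+1)); fi
    if [ $has_ds -eq 1 ]; then kind=dsfield; n=$((n+1)); fi
    if [ $has_port -eq 1 ]; then
        # A port number must be paired with its transport (transport=tcp,local_port=80).
        if [ $has_transport -eq 0 ]; then echo invalid; return 1; fi
        kind=port; n=$((n+1))
    elif [ $has_transport -eq 1 ]; then kind=transport; n=$((n+1)); fi
    # More than one characteristic (e.g. local_ip=...,transport=tcp) is not a valid flow.
    if [ $n -ne 1 ]; then echo invalid; return 1; fi
    echo "$kind"
}
# Print the add-flow and set-flowprop commands for one flow, or nothing if it is invalid.
plan_flow() {
    link=$1; attrs=$2; name=$3; props=$4
    flow_kind "$attrs" >/dev/null || return 1
    printf 'flowadm add-flow -l %s -a %s %s\n' "$link" "$attrs" "$name"
    if [ -n "$props" ]; then printf 'flowadm set-flowprop -p %s %s\n' "$props" "$name"; fi
}
# Emit the commands for a whole policy (one flow per line); stop at the first bad flow.
plan_policy() {
    echo "$1" | while read -r link attrs name props; do
        plan_flow "$link" "$attrs" "$name" "$props" || { echo "rejected: $name ($attrs)" >&2; exit 1; }
    done
}
# The proxy-server policy from this chapter: link, attributes, flow name, properties.
PROXY_POLICY='DMZ0 transport=tcp,local_port=80 httpflow maxbw=100
DMZ0 transport=tcp,local_port=443 httpsflow maxbw=100
internal0 local_ip=10.10.12.45 app-flow maxbw=100,priority=high,cpus=2
internal0 local_ip=10.10.12.46 db-flow maxbw=100,priority=high,cpus=3
internal0 local_ip=10.10.12.47 backup-flow maxbw=10,priority=low,cpus=4'
plan_policy "$PROXY_POLICY"
```

Because the planner prints the commands instead of running them, the same script can be reviewed and kept with the system's configuration, and the printed lines can be compared against flowadm show-flow output after they are applied.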
To observe flow traffic on a network, refer to How to Verify Virtual Network Connectivity by Using the snoop Command (flow control specific information to come)
To gather statistics for flows for accounting purposes, refer to Gathering Usage Statistics for VNICs and Flows.