This section shows how to set up flow control for a heavily used system on a traditional network. A proxy server in a small network is used as an example. However, the same generic procedures apply for configuring flow control on the interface of any system on your network.
The steps use the scenario shown in Interface-based Resource Control for a Traditional Network. This topology is typical of the networks in use at colleges or small businesses that host their own services and do not outsource their applications. The scenario is illustrated in Figure 10–3.
During the next task, you create a flow control policy to control traffic over both of the proxy server's interfaces. The task shows how to improve the proxy server's efficiency on its public side by doing the following for traffic over DMZ0:
Creating two flows to isolate web traffic, one flow for HTTP packets and a second flow for secure HTTPS packets.
Assigning a specific amount of the interface's bandwidth to each flow.
Prioritizing the two flows in comparison to other types of packet traffic.
The task then shows how to improve proxy server performance on the internal network by doing the following for traffic over internal1:
Creating separate flows for the application server, database server, and backup server.
Using the IP address of each server as the identifier for packet traffic from the proxy to the application server.
Not creating flows for traffic from the individual systems on subnet 10.10.12.0/24.
You use the flowadm and dladm commands throughout the procedure. For detailed technical information about these commands, refer to the dladm(1M) and the flowadm(1M) man pages.
This procedure assumes that you are using a system with at least two interfaces. However, you can use the flowadm command as shown in the next steps to configure flow control for a single-interface host.
The procedure assumes that the names of the interfaces nge0 and nge1 have already been changed to DMZ0 and internal0, respectively.
You do not have to change the interface device names to use the steps in this procedure. However, many sites might prefer to create their own link names to provide more clarity for their configurations. To change the device name of an interface, refer to How to Rename a Data Link.
On the system where you set up flow control, become superuser or assume the equivalent root role.
To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.
Check the status of the links.
# dladm show-link
LINK        CLASS    MTU   STATE    OVER
internal0   phys     1500  up       --
e1000g0     phys     1500  unknown  --
e1000g1     phys     1500  unknown  --
DMZ0        phys     1500  up       --
Note that the nge interfaces are now listed by their new link names.
Verify that the interfaces are plumbed and up on the IP layer.
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
DMZ0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.10.6.5 netmask ff000000 broadcast 10.255.255.255
        ether 0:14:4f:94:d0:60
internal0: flags=201000849<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.10.12.42 netmask ffffff00 broadcast 10.10.10.255
        ether 0:10:20:30:40:aa
The output verifies that the interfaces are plumbed and listed by their link names.
Create a flow to isolate traffic by the port number of the application.
Specify the port number and the associated transport layer protocol of the application to the flowadm command. Use the following syntax:
# flowadm add-flow -l link-name -a transport=name,port-number flow-name
The -l option is followed by the link name. The -a option is followed by the attributes of the flow that you want to configure. Use the following syntax to specify the attributes of a flow that is defined by the port number of the application:
transport=name
    Name of the appropriate transport layer protocol that is used in conjunction with the application's port number. Possible values include TCP, UDP, SCTP, ICMP, and ICMPv6.
port-number
    Port number of the application whose packets you want to isolate into a flow. You also must indicate whether the packets are flowing through the system's local port or arriving from a remote system's port. To find out the port number of an application, consult the /etc/services file, as explained in the services(4) man page.
flow-name
    Name that you create for the flow.
For example, use the following commands to create flows for the DMZ0 link that is shown in Figure 10–3:
# flowadm add-flow -l DMZ0 -a transport=tcp,local_port=80 httpflow
# flowadm add-flow -l DMZ0 -a transport=tcp,local_port=443 httpsflow
The flow httpflow isolates traffic for the HTTP application, which runs over the standard port 80 on the proxy server. The flow httpsflow isolates traffic for the HTTPS application, which runs over the standard port 443.
Verify the status of the flows on a link.
Use the following syntax for the show-flow subcommand of flowadm:
# flowadm show-flow -l link-name
The next example shows how to display the status of the DMZ0 link.
# flowadm show-flow -l DMZ0
NAME        LINK   ATTR        VALUE
httpsflow   DMZ0   ip_version  4
                   transport   tcp
                   local_port  443
httpflow    DMZ0   ip_version  4
                   transport   tcp
                   local_port  80
Add bandwidth controls to a flow.
Use the following syntax of the set-flowprop subcommand of flowadm:
# flowadm set-flowprop -p flow-properties flow-name
You can specify any of the following for flow-properties:
maxbw
    Maximum amount of bandwidth that packets in this flow can use on the link.
priority
    Amount of priority to give to packets in this flow, in relation to other flows on the link. The possible values are high, normal, or low.
cpus
    Processor set to which packets of this flow are allocated, on systems that have multiple processor sets.
For example, for the flows on the DMZ0 link, you might set the following bandwidths:
# flowadm set-flowprop -p maxbw=100 httpflow
# flowadm set-flowprop -p maxbw=100 httpsflow
These flows set a bandwidth limit on both the open and secure HTTP services on link DMZ0 of the proxy server shown in Figure 10–3.
Create flows to isolate traffic from a host by IP address.
Use the following syntax:
# flowadm add-flow -l link-name -a local_ip=IP-address | remote_ip=IP-address flow-name
For example, in Figure 10–3, the proxy server acts as a proxy for three servers on internal network 10.10.12.0/24. This system also forwards packets for users on network 10.10.12.0/24. To create flows to separate the traffic from the three servers, you would do the following:
# flowadm add-flow -l internal0 -a local_ip=10.10.12.45 app-flow
# flowadm add-flow -l internal0 -a local_ip=10.10.12.46 db-flow
# flowadm add-flow -l internal0 -a local_ip=10.10.12.47 backup-flow
You do not need to create a separate flow for user packet traffic.
Set priorities for a flow.
When you set priorities, flows are assigned importance in comparison to each other. The three priority settings are high, normal, and low. You use the set-flowprop subcommand of flowadm, as shown in Step 7, to set flow priority.
For example, you might set priorities for the flows from the three servers on network 10.10.12.0/24 in Figure 10–3 as follows:
Give the application server a medium amount of bandwidth and high priority.
Give the database server slightly less bandwidth and high priority.
Give the backup server a narrow bandwidth and low priority.
On a system with processor sets, you can also assign cpus to flows, as shown in the syntax in Step 7. You can isolate a flow further by assigning to it a specified amount of cpus. For example, the proxy server in Figure 10–3 has 16 processor sets, which you can assign to particular flows.
Here are the set-flowprop policies for the internal servers shown in Figure 10–3:
# flowadm set-flowprop -p maxbw=100,priority=high,cpus=2 app-flow
# flowadm set-flowprop -p maxbw=100,priority=high,cpus=3 db-flow
# flowadm set-flowprop -p maxbw=10,priority=low,cpus=4 backup-flow
Verify that the flows now exist on the system's interfaces.
# flowadm show-flow
NAME         LINK       ATTR        VALUE
app-flow     internal0  ip_version  4
                        local_ip    10.10.12.45/
db-flow      internal0  ip_version  4
                        local_ip    10.10.12.46/
backup-flow  internal0  ip_version  4
                        local_ip    10.10.12.47/
httpsflow    DMZ0       ip_version  4
                        transport   tcp
                        local_port  443
httpflow     DMZ0       ip_version  4
                        transport   tcp
                        local_port  80
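The following script is an added example and is not part of the original guide. It parses the two-level layout of flowadm show-flow output (a four-column line starts a flow, two-column lines beneath it carry its remaining attributes) and checks the result against an expected policy table, so the verification step can be scripted after every reconfiguration instead of read by eye. The listing it parses is constructed from the show-flow output on this page; the function names normalize_flows and verify_flows are my own. A flow attribute that has quietly disappeared means the traffic it was meant to isolate is no longer bandwidth-capped, which is the condition this check catches.

```shell
#!/bin/sh
# Added example, not from the original guide: confirm that the flows listed by
# "flowadm show-flow" match an expected policy. Function names are my own.

# Constructed sample, copied from the show-flow listing shown on this page.
SAMPLE_SHOW_FLOW='NAME         LINK       ATTR        VALUE
app-flow     internal0  ip_version  4
                        local_ip    10.10.12.45/
db-flow      internal0  ip_version  4
                        local_ip    10.10.12.46/
backup-flow  internal0  ip_version  4
                        local_ip    10.10.12.47/
httpsflow    DMZ0       ip_version  4
                        transport   tcp
                        local_port  443
httpflow     DMZ0       ip_version  4
                        transport   tcp
                        local_port  80'

# The policy the procedure above is meant to establish, one "name link attr
# value" per line. Attributes flowadm fills in on its own (ip_version) are
# left out so the check covers what was configured.
EXPECTED_POLICY='httpflow DMZ0 transport tcp
httpflow DMZ0 local_port 80
httpsflow DMZ0 transport tcp
httpsflow DMZ0 local_port 443
app-flow internal0 local_ip 10.10.12.45/
db-flow internal0 local_ip 10.10.12.46/
backup-flow internal0 local_ip 10.10.12.47/'

# Flatten a show-flow listing (stdin) into one "name link attr value" line per
# attribute. A four-column line starts a new flow; a two-column line is a
# continuation that inherits the NAME and LINK of the flow above it.
normalize_flows() {
    awk 'NR == 1 && $1 == "NAME" { next }
         NF == 4 { name = $1; link = $2; attr = $3; val = $4 }
         NF == 2 { attr = $1; val = $2 }
         NF != 4 && NF != 2 { next }
         { print name, link, attr, val }'
}

# verify_flows EXPECTED: read a show-flow listing on stdin and report every
# expected attribute that is absent. Returns 0 when the policy is fully in
# place, 1 otherwise.
verify_flows() {
    expected=$1
    actual_file=$(mktemp)
    normalize_flows > "$actual_file"
    # grep -F -x -v -f: print the expected lines that match no actual line exactly
    missing=$(printf '%s\n' "$expected" | grep -Fxv -f "$actual_file" || true)
    rm -f "$actual_file"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/missing: /'
        return 1
    fi
    return 0
}

# On a live system, replace the sample with:
#   flowadm show-flow | verify_flows "$EXPECTED_POLICY"
printf '%s\n' "$SAMPLE_SHOW_FLOW" | verify_flows "$EXPECTED_POLICY" && echo "flow policy in place"
```

The expected table is deliberately kept as data rather than as a second copy of the add-flow commands, so the same script can be pointed at any host by editing only the policy lines; any attribute that is missing is printed by name, which is what you want in a cron job or a post-change check.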
This example contains the steps for setting flow control on the interfaces of the proxy server that is shown in Interface-based Resource Control for a Traditional Network. Five flows are created with the following characteristics:
httpflow
    Created on link DMZ0 over interface nge0. This flow contains HTTP packets, which flow through the local port 80.
httpsflow
    Created on link DMZ0 over interface nge0. This flow contains secure HTTP packets, which flow through the local port 443.
app-flow
    Created on link internal0 over interface nge1. This flow contains all traffic from IP address 10.10.12.45, which is the address of an application server on the network.
db-flow
    Created on link internal0 over interface nge1. This flow contains all traffic from IP address 10.10.12.46, which is the address of a database server on the network.
backup-flow
    Created on link internal0 over interface nge1. This flow contains all traffic from IP address 10.10.12.47, which is the address of a backup server on the network.
# dladm show-phys
LINK      MEDIA      STATE    SPEED  DUPLEX  DEVICE
nge1      Ethernet   up       1000   full    nge1
e1000g0   n          unknown  0      half    e1000g0
e1000g1   n          unknown  0      half    e1000g1
nge0      Ethernet   up       1000   full    nge0
# dladm show-link
LINK        CLASS    MTU   STATE    OVER
internal0   phys     1500  up       --
e1000g0     phys     1500  unknown  --
e1000g1     phys     1500  unknown  --
DMZ0        phys     1500  up       --
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
DMZ0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.10.6.5 netmask ff000000 broadcast 10.255.255.255
        ether 0:14:4f:94:d0:60
internal0: flags=201000849<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.10.12.42 netmask ffffff00 broadcast 10.10.10.255
        ether 0:10:20:30:40:aa
# flowadm add-flow -l DMZ0 -a transport=tcp,local_port=80 httpflow
# flowadm add-flow -l DMZ0 -a transport=tcp,local_port=443 httpsflow
# flowadm set-flowprop -p maxbw=100 httpflow
# flowadm set-flowprop -p maxbw=100 httpsflow
# flowadm add-flow -l internal0 -a local_ip=10.10.12.45 app-flow
# flowadm add-flow -l internal0 -a local_ip=10.10.12.46 db-flow
# flowadm add-flow -l internal0 -a local_ip=10.10.12.47 backup-flow
# flowadm set-flowprop -p maxbw=100,priority=high,cpus=2 app-flow
# flowadm set-flowprop -p maxbw=100,priority=high,cpus=3 db-flow
# flowadm set-flowprop -p maxbw=10,priority=low,cpus=4 backup-flow
# flowadm show-flow
NAME         LINK       ATTR        VALUE
app-flow     internal0  ip_version  4
                        local_ip    10.10.12.45/
db-flow      internal0  ip_version  4
                        local_ip    10.10.12.46/
backup-flow  internal0  ip_version  4
                        local_ip    10.10.12.47/
httpsflow    DMZ0       ip_version  4
                        transport   tcp
                        local_port  443
httpflow     DMZ0       ip_version  4
                        transport   tcp
                        local_port  80
To observe flow traffic on a network, refer to How to Verify Virtual Network Connectivity by Using the snoop Command (flow control specific information to come)
To gather statistics for flows for accounting purposes, refer to Gathering Usage Statistics for VNICs and Flows.