System Administration Guide: Network Interfaces and Network Virtualization

Interface-Based Flow Control for Traditional Networks

This section shows how to set up flow control for a heavily used system on a traditional network. A proxy server in a small network is used as an example. However, the same generic procedures apply for configuring flow control on the interface of any system on your network.

The steps use the scenario shown in Interface-based Resource Control for a Traditional Network. This topology is typical of the networks in use at colleges or small businesses that host their own services and do not outsource their applications. The scenario is illustrated in Figure 10–3.

During the next task, you create a flow control policy to control traffic over both of the proxy server's interfaces. The task shows how to improve the proxy server's efficiency on its public side by doing the following for traffic over DMZ0:

The task then shows how to improve proxy server performance on the internal network by doing the following for traffic over internal0:

You use the flowadm and dladm commands throughout the procedure. For detailed technical information about these commands, refer to the dladm(1M) and the flowadm(1M) man pages.

Procedure: How to Set Up and Configure Flow Control for a System on a Traditional Network

Before You Begin

This procedure assumes that you are using a system with at least two interfaces. However, you can use the flowadm command as shown in the next steps to configure flow control for a single-interface host.

The procedure assumes that the names of the interfaces nge0 and nge1 have already been changed to DMZ0 and internal0, respectively.


Note –

You do not have to change the interface device names to use the steps in this procedure. However, many sites might prefer to create their own link names to provide more clarity for their configurations. To change the device name of an interface, refer to How to Rename a Data Link.


  1. On the system where you set up flow control, become superuser or assume the equivalent root role.

    To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.

  2. Check the status of the links.


    # dladm show-link
    LINK        CLASS    MTU    STATE    OVER
    internal0   phys     1500   up       --
    e1000g0     phys     1500   unknown  --
    e1000g1     phys     1500   unknown  --
    DMZ0        phys     1500   up       --

    Note that the nge interfaces are now listed by their new link names.

  3. Verify that the interfaces are plumbed and up on the IP layer.


    # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
             inet 127.0.0.1 netmask ff000000
    DMZ0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
            inet 10.10.6.5 netmask ff000000 broadcast 10.255.255.255
            ether 0:14:4f:94:d0:60
    internal0: flags=201000849<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
            inet 10.10.12.42 netmask ffffff00 broadcast 10.10.10.255
            ether 0:10:20:30:40:aa

    The output verifies that the interfaces are plumbed and listed by their link names.

  4. Create a flow to isolate traffic by the port number of the application.

    Specify the port number and the associated transport layer protocol of the application to the flowadm command. Use the following syntax:


    # flowadm add-flow -l link-name -a transport=name,port-number flow-name
    

    The -l option is followed by the link name. The -a option is followed by the attributes of the flow that you want to configure. Use the following syntax to specify the attributes of a flow that is defined by the port number of the application:

    transport=name

    Name of the appropriate transport layer protocol that is used in conjunction with the application's port number. Possible values include TCP, UDP, SCTP, ICMP, and ICMPv6.

    local_port | remote_port=port-number

    Port number of the application whose packets you want to isolate into a flow. You must also indicate whether the packets are flowing through the system's local port or arriving from a remote system's port. To find out the port number of an application, consult the /etc/services file, as explained in the services(4) man page.

    flow-name

    Name that you create for the flow.

    For example, use the following commands to create flows for the DMZ0 link that is shown in Figure 10–3:


    # flowadm add-flow -l DMZ0 -a transport=tcp,local_port=80 httpflow
    # flowadm add-flow -l DMZ0 -a transport=tcp,local_port=443 httpsflow

    The flow httpflow isolates traffic for the HTTP application, which runs over the standard port 80 on the proxy server. The flow httpsflow isolates traffic for the HTTPS application, which runs over the standard port 443.

  5. Verify the status of the flows on a link.

    Use the following syntax for the show-flow subcommand of flowadm:


    flowadm show-flow -l link-name 
    

    The next example shows how to display the status of the DMZ0 link.


    # flowadm show-flow -l DMZ0
    NAME            LINK            ATTR            VALUE
    httpsflow       DMZ0
                                    ip_version      4
                                    transport       tcp
                                    local_port      443
    httpflow        DMZ0
                                    ip_version      4
                                    transport       tcp
                                    local_port      80

  6. Add bandwidth controls to a flow.

    Use the following syntax of the set-flowprop subcommand of flowadm:


    flowadm set-flowprop -p flow-properties flow-name
    

    You can specify any of the following for flow-properties:

    maxbw

    Maximum amount of bandwidth that packets in this flow can use on the link.

    priority

    Amount of priority to give to packets in this flow, in relation to other flows on the link. The possible values are high, normal, or low.

    cpus

    Allocate packets of the flow to a processor set, for systems that have multiple processor sets.

    For example, for the flows on the DMZ0 link, you might set the following bandwidths:


    # flowadm set-flowprop -p maxbw=100 httpflow
    # flowadm set-flowprop -p maxbw=100 httpsflow
    

    These commands set a bandwidth limit on both the open and secure HTTP services on link DMZ0 of the proxy server shown in Figure 10–3.

  7. Create flows to isolate traffic from a host by IP address.

    Use the following syntax:


    flowadm add-flow -l link-name -a local_ip | remote_ip=IP-address flow-name
    

    For example, in Figure 10–3, the proxy server acts as a proxy for three servers on internal network 10.10.12.0/24. This system also forwards packets for users on network 10.10.12.0/24. To create flows to separate the traffic from the three servers, you would do the following:


    # flowadm add-flow -l internal0 -a local_ip=10.10.12.45 app-flow
    # flowadm add-flow -l internal0 -a local_ip=10.10.12.46 db-flow
    # flowadm add-flow -l internal0 -a local_ip=10.10.12.47 backup-flow
    

    You do not need to create a separate flow for user packet traffic.

  8. Set priorities for a flow.

    When you set priorities, flows are assigned importance in comparison to each other. The three priority settings are high, normal, and low. You use the set-flowprop subcommand of flowadm, as shown in Step 6, to set flow priority.

    For example, you might set priorities for the flows from the three servers on network 10.10.12.0/24 in Figure 10–3 as follows:

    • Give the application server a medium amount of bandwidth and high priority.

    • Give the database server slightly less bandwidth and high priority.

    • Give the backup server a narrow bandwidth and low priority.

    On a system with processor sets, you can also assign cpus to flows, as shown in the syntax in Step 6. You can isolate a flow further by assigning a specified number of cpus to it. For example, the proxy server in Figure 10–3 has 16 processor sets, which you can assign to particular flows.

    Here are the set-flowprop policies for the internal servers shown in Figure 10–3:


    # flowadm set-flowprop -p maxbw=100,priority=high,cpus=2 app-flow
    # flowadm set-flowprop -p maxbw=100,priority=high,cpus=3 db-flow
    # flowadm set-flowprop -p maxbw=10,priority=low,cpus=4 backup-flow
    

  9. Verify that the flows now exist on the system's interfaces.


    # flowadm show-flow
    NAME            LINK            ATTR            VALUE
    app-flow        internal0
                                    ip_version      4
                                    local_ip        10.10.12.45/
    db-flow         internal0
                                    ip_version      4
                                    local_ip        10.10.12.46/
    backup-flow    internal0
                                    ip_version      4
                                    local_ip        10.10.12.47/
    
    httpsflow       DMZ0
                                    ip_version      4
                                    transport       tcp
                                    local_port      443
    httpflow        DMZ0
                                    ip_version      4
                                    transport       tcp
                                    local_port      80
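
    Step 9 is a one-time visual check; flows that are later deleted or altered would go unnoticed. The following drift check is an added example, not code from the Oracle guide: it parses the show-flow output layout shown above (header line, one name/link line per flow, indented attribute lines, and the blank separator line) and compares it with the policy built in Steps 4 through 8. SAMPLE is a constructed copy of the Step 9 output and POLICY is a constructed expected-state table, so the script runs offline.

```shell
# Added drift check for Steps 4 through 8 (not from the guide). SAMPLE is a constructed
# copy of the Step 9 output so this runs offline; live: verify_policy "$(flowadm show-flow)" "$POLICY"
SAMPLE='NAME        LINK       ATTR        VALUE
app-flow    internal0
                       ip_version  4
                       local_ip    10.10.12.45/
backup-flow internal0
                       ip_version  4
                       local_ip    10.10.12.47/

httpflow    DMZ0
                       ip_version  4
                       transport   tcp
                       local_port  80'

# Expected policy (constructed), one flow per line: name link=LINK attr=value ...
POLICY='httpflow link=DMZ0 transport=tcp local_port=80
app-flow link=internal0 local_ip=10.10.12.45
backup-flow link=internal0 local_ip=10.10.12.47'

# flatten_flows OUTPUT: one line per flow, "name link=LINK attr=value ...".
# Header and blank lines are skipped; indented lines are attributes; the "/"
# show-flow appends to a bare address (10.10.12.45/) is stripped for matching.
flatten_flows() {
    printf '%s\n' "$1" | awk '
        NR == 1 || NF == 0 { next }
        /^[^ \t]/ { if (cur != "") print cur; cur = $1 " link=" $2; next }
        { v = $2; sub(/\/$/, "", v); cur = cur " " $1 "=" v }
        END { if (cur != "") print cur }'
}

# verify_policy OUTPUT POLICY: report each missing or misconfigured flow on
# stderr and return their count, so 0 means the live flows match the policy.
verify_policy() {
    vp_flat=$(flatten_flows "$1") vp_failed=0
    while read -r vp_name vp_tokens; do
        [ -n "$vp_name" ] || continue
        vp_line=$(printf '%s\n' "$vp_flat" | awk -v n="$vp_name" '$1 == n')
        [ -n "$vp_line" ] || { echo "FAIL $vp_name: flow not configured" >&2; vp_failed=$((vp_failed + 1)); continue; }
        for vp_want in $vp_tokens; do   # word splitting on purpose
            case " $vp_line " in *" $vp_want "*) ;; *)
                echo "FAIL $vp_name: want $vp_want, have: $vp_line" >&2
                vp_failed=$((vp_failed + 1)); break ;;
            esac
        done
    done <<EOF
$2
EOF
    return $vp_failed
}
```

Run it from cron or a monitoring job and alert on a nonzero return; the stderr lines name the flow and the first attribute that no longer matches.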

Example 13–1 Setting Up Traditional Flow Control on an Interface

This example contains the steps for setting flow control on the interfaces of the proxy server that is shown in Interface-based Resource Control for a Traditional Network. Five flows are created with the following characteristics:

httpflow

Created on link DMZ0 over interface nge0. This flow contains HTTP packets, which flow through the local port 80.

httpsflow

Created on link DMZ0 over interface nge0. This flow contains secure HTTP packets, which flow through the local port 443.

app-flow

Created on link internal0 over interface nge1. This flow contains all traffic from IP address 10.10.12.45, which is the address of an application server on the network.

db-flow

Created on link internal0 over interface nge1. This flow contains all traffic from IP address 10.10.12.46, which is the address of a database server on the network.

backup-flow

Created on link internal0 over interface nge1. This flow contains all traffic from IP address 10.10.12.47, which is the address of a backup server on the network.


# dladm show-phys
LINK         MEDIA                STATE      SPEED DUPLEX   DEVICE
nge1         Ethernet             up         1000 full      nge1
e1000g0      n                    unknown    0    half      e1000g0
e1000g1      n                    unknown    0    half      e1000g1
nge0         Ethernet             up         1000 full      nge0
# dladm show-link
LINK        CLASS    MTU    STATE    OVER
internal0   phys     1500   up       --
e1000g0     phys     1500   unknown  --
e1000g1     phys     1500   unknown  --
DMZ0        phys     1500   up       --
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
         inet 127.0.0.1 netmask ff000000
DMZ0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.10.6.5 netmask ff000000 broadcast 10.255.255.255
        ether 0:14:4f:94:d0:60
internal0: flags=201000849<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.10.12.42 netmask ffffff00 broadcast 10.10.10.255
        ether 0:10:20:30:40:aa
# flowadm add-flow -l DMZ0 -a transport=tcp,local_port=80 httpflow
# flowadm add-flow -l DMZ0 -a transport=tcp,local_port=443 httpsflow
# flowadm set-flowprop -p maxbw=100 httpflow
# flowadm set-flowprop -p maxbw=100 httpsflow
# flowadm add-flow -l internal0 -a local_ip=10.10.12.45 app-flow 
# flowadm add-flow -l internal0 -a local_ip=10.10.12.46 db-flow
# flowadm add-flow -l internal0 -a local_ip=10.10.12.47 backup-flow
# flowadm set-flowprop -p maxbw=100,priority=high,cpus=2 app-flow
# flowadm set-flowprop -p maxbw=100,priority=high,cpus=3 db-flow
# flowadm set-flowprop -p maxbw=10,priority=low,cpus=4 backup-flow
# flowadm show-flow
NAME            LINK            ATTR            VALUE
app-flow        internal0
                                ip_version      4
                                local_ip        10.10.12.45/
db-flow         internal0
                                ip_version      4
                                local_ip        10.10.12.46/
backup-flow    internal0
                                ip_version      4
                                local_ip        10.10.12.47/

httpsflow       DMZ0
                                ip_version      4
                                transport       tcp
                                local_port      443
httpflow        DMZ0
                                ip_version      4
                                transport       tcp
                                local_port      80

See Also