Contents
Quality of Service (QoS)
A Quality of Service (QoS) policy ensures data transfer in accordance with the requirements set for traffic classes. In Kaspersky SD-WAN, the following components contribute to the quality of service:
- Traffic classes are used to queue and prioritize traffic. For example, one of the classes can be used for real-time traffic that requires minimizing packet loss.
- Traffic classifiers determine whether or not to trust DSCP values (Differentiated Services Code Point) set in the traffic packet header fields; they also map DSCP values to traffic classifiers.
- QoS rules determine whether the bandwidth of traffic processed by traffic classifiers is limited.
- Constraints are used in transport services for SLA compliance. You can create two types of constraints:
- Manual TE constraints are used to add Manual-TE paths to transport services. When configuring this type of constraints, you can enable the use of an Auto-SPF path if Manual-TE paths are not available.
- Threshold constraints are used to build Auto-TE routes in transport services based on threshold values of monitoring indicators.
If a link used in a transport service reaches the threshold values of the selected monitoring indicators, this link is completely or partially excluded from the Auto-TE path calculation. Partially excluded links can be taken into account when calculating the Auto-TE path if there are no alternative links satisfying the constraint.
For example, you can create a constraint that completely excludes from the Auto-TE path calculation those links that have reached the packet loss threshold. Thus, in a transport service that uses this constraint, traffic only travels through links that have low packet loss.
- Traffic classification rules are used to identify traffic with particular values of the L2 – L4 header fields, as well as traffic of specified applications, in the overall stream of traffic. For each traffic classification rule, you must specify a sequence number and select a default action, which allows or prohibits further routing of the traffic. Classification rules are added to traffic filters.
- Traffic filters are used to ensure security by blocking excessive or dangerous traffic, to classify traffic, and to comply with SLA requirements for applications. Each filter consists of one or more traffic classification rules.
A maximum of 8 traffic queues can be used on the WAN and LAN interfaces. For each queue, you must specify the minimum and maximum bandwidth as a percentage of the total bandwidth set for the interface as a whole. The sum total of all minimum bandwidth values specified for queues may not exceed 100%.
The queues are strict priority and unreserved bandwidth is first offered to traffic from the higher-priority queue. Each queue is guaranteed certain minimum bandwidth in accordance with its specified minimum bandwidth value. An upper limit on the maximum bandwidth for higher-priority queues is necessary to allow traffic from lower-priority queues to still be transmitted.
You can configure queues when creating or editing WAN interfaces. Due to the fact that Kaspersky SD-WAN does not support creating LAN interfaces, queues can only be configured for LAN interfaces that already exist.
Service providers can use different QoS policies to mark queues in their networks and meet the requirements of service level agreements (SLA) for the passage of client traffic. Therefore, when CPE devices are connected to communication channels of different service providers, the CPE devices can flexibly relabel traffic of different queues for each WAN interface. To configure relabelling, you must change the value of the type of service (hereinafter also referred to as ToS) when configuring queues on the SD-WAN interface.
You can edit only the ToS values of the external (link) headers of traffic packets going out of the WAN interfaces. ToS values of internal traffic packet headers cannot be edited.
Default traffic classes
Kaspersky SD-WAN has default traffic classes for processing and filtering different types of traffic (see the table below). You can create new traffic classes or modify existing ones. Default traffic classes are suitable for most deployment scenarios, and we do not recommend changing them.
Default traffic classes
Name |
Internal tag |
Queue |
KOver |
Exclude when computing path |
---|---|---|---|---|
Best effort |
0 |
0 |
0 |
Yes |
Business normal |
1 |
1 |
1 |
No |
Business critical |
2 |
2 |
1 |
No |
Video |
3 |
3 |
1 |
No |
Conference |
4 |
4 |
1 |
No |
Signaling |
5 |
5 |
1 |
No |
Real time |
6 |
6 |
1 |
No |
Network control |
7 |
7 |
1 |
No |
The default settings presented in the table are described in the instructions for creating and editing traffic classes.
Page topCreating or editing traffic classes
Default traffic classes are suitable for most Kaspersky SD-WAN deployment scenarios, and we do not recommend changing them.
You can create or modify 4 to 8 traffic classes in an SD-WAN instance template, or edit traffic classes in an already deployed SD-WAN instance. If you create traffic classes in an SD-WAN instance template and use that template to deploy an individual instance, the same traffic classes are automatically created in the deployed instance.
To create and edit traffic classes, use the following instructions:
- Creating traffic classes in an SD-WAN instance template.
- Editing traffic classes in an SD-WAN instance template.
- Editing traffic classes in an already deployed SD-WAN instance.
Creating a traffic classifier
You can create a traffic classifier in an already deployed SD-WAN instance or in an SD-WAN instance template. If you create a traffic classifier in an SD-WAN instance template and use that template to deploy an individual instance, the same traffic classifier is automatically created in the deployed instance.
To create a traffic classifier, use the following instructions:
- Creating a traffic classifier in an already deployed SD-WAN instance.
- Creating a traffic classifier in an SD-WAN instance template.
Editing a traffic classifier
You can edit a traffic classifier in an already deployed SD-WAN instance or in an SD-WAN instance template. For a description of the settings, see the instructions for creating a traffic classifier.
To edit a traffic classifier in an already deployed SD-WAN instance:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the QoS section.
The Traffic classes tab, which is selected by default, displays the table of traffic classes.
- Select the Traffic classifiers tab.
A table of traffic classes is displayed.
- Click Management next to the traffic classifier and in the drop-down list, select Edit.
- This opens a window; in that window, edit the settings that you want to change.
- Click Save.
To edit a traffic classifier in an SD-WAN instance template:
- In the menu, go to the SD-WAN → SD-WAN instance templates subsection.
A table of SD-WAN instance templates is displayed.
- Click the SD-WAN Instance template.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button
.
- Select the Traffic classifiers tab.
A table of traffic classes is displayed.
- Click Management next to the traffic classifier and in the drop-down list, select Edit.
- This opens a window; in that window, edit the settings that you want to change.
- Click Save.
- In the upper part of the settings area, click Save to save the configuration of the SD-WAN instance template.
Deleting a traffic classifier
You can delete a traffic classifier in an already deployed SD-WAN instance or in an SD-WAN instance template. Deleted traffic classifiers cannot be restored.
To delete a traffic classifier in an already deployed SD-WAN instance:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the QoS section.
The Traffic classes tab, which is selected by default, displays the table of traffic classes.
- Select the Traffic classifiers tab.
A table of traffic classes is displayed.
- Click Management next to the traffic classifier and in the drop-down list, select Delete.
- In the confirmation window, click Delete.
The traffic classifier is deleted and is no longer displayed in the table.
To delete a traffic classifier in an SD-WAN instance template:
- In the menu, go to the SD-WAN → SD-WAN instance templates subsection.
A table of SD-WAN instance templates is displayed.
- Click the SD-WAN Instance template.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button
.
- Select the Traffic classifiers tab.
A table of traffic classes is displayed.
- Click Management next to the traffic classifier and in the drop-down list, select Delete.
The traffic classifier is deleted and is no longer displayed in the table.
- In the upper part of the settings area, click Save to save the configuration of the SD-WAN instance template.
Creating a QoS rule
You can create a QoS rule in an already deployed SD-WAN instance or in an SD-WAN instance template. If you create a QoS rule in an SD-WAN instance template and use that template to deploy an individual instance, the same QoS rule is automatically created in the deployed instance.
Before creating a QoS rule, you must create a traffic classifier.
To create a QoS rule, use the following instructions:
- Creating a QoS rule in an already deployed SD-WAN instance.
- Creating a QoS rule in an SD-WAN instance template.
Editing a QoS rule
You can edit a QoS rule in an already deployed SD-WAN instance or in an SD-WAN instance template. For a description of the settings, see the instructions for creating a QoS rule.
To edit a QoS rule in an already deployed SD-WAN instance:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the QoS section.
The Traffic classes tab, which is selected by default, displays the table of traffic classes.
- Select the QoS rules tab.
A table of QoS rules is displayed.
- Click Management next to the QoS rule and in the drop-down list, select Edit.
- This opens a window; in that window, edit the settings that you want to change.
- Click Save.
To edit a QoS rule in an SD-WAN instance template:
- In the menu, go to the SD-WAN → SD-WAN instance templates subsection.
A table of SD-WAN instance templates is displayed.
- Click the SD-WAN Instance template.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button
.
- Select the QoS rules tab.
A table of QoS rules is displayed.
- Click Management next to the QoS rule and in the drop-down list, select Edit.
- This opens a window; in that window, edit the settings that you want to change.
- Click Save.
- In the upper part of the settings area, click Save to save the configuration of the SD-WAN instance template.
Deleting a QoS rule
You can delete a QoS rule in an already deployed SD-WAN instance or in an SD-WAN instance template. Deleted QoS rules cannot be restored.
To delete a QoS rule in an already deployed SD-WAN instance:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the QoS section.
The Traffic classes tab, which is selected by default, displays the table of traffic classes.
- Select the QoS rules tab.
A table of QoS rules is displayed.
- Click Management next to the QoS rule and in the drop-down list, select Delete.
- In the confirmation window, click Delete.
The QoS rule is deleted and is no longer displayed in the table.
To delete a QoS rule in an SD-WAN instance template:
- In the menu, go to the SD-WAN → SD-WAN instance templates subsection.
A table of SD-WAN instance templates is displayed.
- Click the SD-WAN Instance template.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button
.
- Select the QoS rules tab.
A table of QoS rules is displayed.
- Click Management next to the QoS rule and in the drop-down list, select Delete.
The QoS rule is deleted and is no longer displayed in the table.
- In the upper part of the settings area, click Save to save the configuration of the SD-WAN instance template.
Creating a Manual-TE constraint
Before creating a Manual-TE constraint, you must create Manual-TE paths.
To create a Manual-TE constraint:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the Constraints section.
A table of Manual-TE constraints is displayed.
- In the upper part of the page, click + Manual-TE constraint.
- This opens a window; in that window, in the Name field, enter the name of the Manual-TE constraint.
- Select the Use Manual-TE path check box next to the Manual-TE paths that you want to add to the constraint. By default, the check boxes are cleared and no paths are added to the constraint.
- To allow an Auto-SPF path to be used when no Manual-TE paths are available, select the Ignore if no constrained path is found check box next to the relevant Manual-TE paths. The check box can be selected only for paths that have the Use Manual-TE path check box selected. By default, the check boxes are cleared and Auto-SPF cannot be used as an alternative for all paths.
- Click Create.
The Manual-TE constraint is created and displayed in the table.
Now you can specify the Manual-TE constraint in transport service settings to add Manual-TE paths contained in the constraint to the transport service.
Page topEditing a Manual-TE constraint
To edit a Manual-TE constraint:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the Constraints section.
A table of Manual-TE constraints is displayed.
- Click Management next to the Manual-TE constraint and in the drop-down list, select Edit.
- This opens a window; in that window, edit the settings that you want to change. For a description of the settings, see the instructions for creating a Manual-TE constraint.
- Click Save.
Deleting a Manual-TE constraint
Deleted Manual-TE constraints cannot be restored.
To delete a Manual-TE constraint:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the Constraints section.
A table of Manual-TE constraints is displayed.
- Click Management next to the Manual-TE constraint and in the drop-down list, select Delete.
- In the confirmation window, click Delete.
The Manual-TE constraint is deleted and is no longer displayed in the table.
Page topCreating a threshold constraint
Before creating a threshold constraint, you must enable monitoring on links.
To create a threshold constraint:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the Constraints section.
A table of Manual-TE constraints is displayed.
- Select the Thresholds tab.
A table of threshold constraints is displayed.
- In the upper part of the page, click + Threshold constraint.
- This opens a window; in that window, in the Name field, enter the name of the threshold constraint.
- Select the Do not use tunnels with threshold reached check box next to monitoring indicators to have the threshold constraint exclude links that have reached the threshold value of these indicators from the Auto-TE path calculation. By default, the Do not use tunnels with threshold reached check box is cleared and no monitoring indicators are used to exclude links.
- If necessary, select the Ignore if no constrained path is found check box next to the monitoring indicators to let the constraint include links that have reached threshold values of these indicators in the Auto-TE path calculation when alternative links do not exist. The check box can be selected only for links that have the Do not use tunnels with threshold reached check box selected.
By default, the Ignore if no constrained path is found check box is cleared and the constraint excludes all links that have reached the threshold values of the selected monitoring indicators from the Auto-TE path calculation.
- Click Create.
The constraint is created and displayed in the table.
You can specify the constraint in transport service settings to use it for automatic calculation of the path.
Page topEditing a threshold constraint
To edit a threshold constraint:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the Constraints section.
A table of Manual-TE constraints is displayed.
- Select the Thresholds tab.
A table of threshold constraints is displayed.
- Click Management next to the threshold constraint and in the drop-down list, select Edit.
- This opens a window; in that window, edit the settings that you want to change. For a description of the settings, see the instructions for creating a threshold constraint.
- Click Save.
Deleting a threshold constraint
Deleted threshold constraints cannot be restored.
To delete a threshold constraint:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the Constraints section.
A table of Manual-TE constraints is displayed.
- Select the Thresholds tab.
A table of threshold constraints is displayed.
- Click Management next to the threshold constraint and in the drop-down list, select Delete.
- In the confirmation window, click Delete.
The threshold constraint is deleted and is no longer displayed in the table.
Page topTraffic classification rules
This section describes how to configure traffic classification rules.
Creating a traffic classification rule
To create a traffic classification rule:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the Traffic filters section.
A table of traffic filters is displayed.
- Select the Rules tab.
A table of traffic classification rules is displayed.
- In the upper part of the page, click + Qualification rule.
- This opens a window; in that window, in the Name field, enter the name of the traffic classification rule.
- On the L2 fields tab, select the check boxes next to the L2 fields whose values the rule must use to identify traffic in the overall data stream. If the check box is selected, enter or select the required value. You can use the values of the following fields to identify traffic:
- Outer VLAN ID – range of values: 1 to 2,094.
- Outer VLAN PCP — range of values: 0 to 7.
- Source MAC.
- Source MAC mask.
- Destination MAC.
- Destination MAC mask.
- Ethertype — possible values:
- 0x0800 (selected by default)
- 0x86dd
- 0x0806
- On the L3 fields tab, select the check boxes next to the L3 fields whose values the rule must use to identify traffic in the overall data stream. If the check box is selected, enter or select the required value. You can use the values of the following fields to identify traffic:
- Protocol — Possible values:
- IPv4
- IPv6
- Source IP — IPv4 address or IPv6 address depending on the selected protocol
- Source IP prefix length — Range of values for the IPv4 address: from 0 to 32; for IPv6 address: from 0 to 128
- Destination IP — IPv4 address or IPv6 address depending on the selected protocol
- Destination IP prefix length — Range of values for the IPv4 address: from 0 to 32; for IPv6 address: from 0 to 128
- DSCP
- TOS
- Protocol — Possible values:
- On the L4 fields tab, select the check boxes next to the L4 fields whose values the rule must use to identify traffic in the overall data stream. If the check box is selected, enter or select the required value. You can use the values of the following fields to identify traffic:
- IP protocol
- Source port list
- Destination port list
- ICMP type number
- On the DPI tab, select the application whose traffic the rule must identify in the overall data stream:
- Select the Application check box.
- In the drop-down list, select the application.
DPI (Deep Packet Inspection) classification is not supported for traffic generated by CPE devices.
- Click Create.
The traffic classification rule is created and displayed in the table.
You can use a traffic classification rule when creating a traffic filter.
Example of a created traffic classification rule: You can create a traffic classification rule with the following parameters:
|
Editing a traffic classification rule
To edit a traffic classification rule:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the Traffic filters section.
A table of traffic filters is displayed.
- Select the Rules tab.
A table of traffic classification rules is displayed.
- Click Management next to the traffic classification rule and in the drop-down list, select Edit.
- This opens a window; in that window, edit the settings that you want to change. For a description of the settings, see the instructions for creating a traffic classification rule.
- Click Save.
Deleting a traffic classification rule
Deleted traffic classification rules cannot be restored.
To delete a traffic classification rule:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the Traffic filters section.
A table of traffic filters is displayed.
- Select the Rules tab.
A table of traffic classification rules is displayed.
- Click Management next to the traffic classification rule and in the drop-down list, select Delete.
- In the confirmation window, click Delete.
The traffic classification rule is deleted and is no longer displayed in the table.
Page topCreating a traffic filter
Before creating a traffic filter, you must create at least one traffic classification rule.
To create a traffic filter:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the Traffic filters section.
A table of traffic filters is displayed.
- In the upper part of the page, click + Traffic fliter.
- This opens a window; in that window, in the Name field, enter the name of the traffic filter.
- In the Sequence field, enter the sequential number of the traffic classification rule. The rule with the lowest number is processed first. Range of values: 1 to 998. You cannot specify the same sequence number for multiple rules. The default setting is
10
. - In the Qualification rule drop-down list, select a previously created traffic classification rule that you want to add to the filter.
- In the Action drop-down list, select the action that the traffic classification rule must apply to the traffic identified in the overall data stream:
- Permit — Allow further routing of the traffic. This is the default setting.
- Deny — Block further routing of the traffic.
- Click Add to add a previously created traffic classification rule to the filter. You can add multiple rules.
- In the Default action (if sequence=999) drop-down list, select the action that you want to apply to all other traffic:
- Permit — Allow further routing of the traffic. This is the default setting.
- Deny — Block further routing of the traffic.
- Click Create.
The traffic filter is created and displayed in the table.
You can use a traffic filter when creating transport services.
Editing a traffic filter
To edit a traffic filter:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the Traffic filters section.
A table of traffic filters is displayed.
- Click Management next to the traffic filter and in the drop-down list, select Edit.
- This opens a window; in that window, edit the settings that you want to change. For a description of the settings, see the instructions for creating a traffic filter.
- Click Save.
Deleting a traffic filter
Deleted traffic filters cannot be restored.
To delete a traffic filter:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.
This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.
- Go to the Traffic filters section.
A table of traffic filters is displayed.
- Click Management next to the traffic filter and in the drop-down list, select Delete.
- In the confirmation window, click Delete.
The traffic filter is deleted and is no longer displayed in the table.
Page top