Overview
- This article describes how to create a MAC Host, create a Traffic Shaping policy, and apply that policy to the MAC host.
The traffic is forwarded at layer 2 by the layer 2 MS, or the MX, depending upon where 192.168.22.22 is located in the network. If traffic is destined to 192.168.32.14, the traffic is received by the MX with a tagged VLAN ID of 2 and processed by the MX.
Traffic Shaping. It is possible to limit a certain type of traffic using ACL rules. For CRS3xx series switches, it is possible to limit ingress traffic that matches certain parameters, and it is possible to limit ingress/egress traffic on a per-port basis. For ingress traffic QoS policer is used, for egress traffic.
Configuration
- You must be logged in to the Admin Console as an administrator with read-write permissions for the relevant feature(s).
Create a MAC Host
- Go to Hosts and Services > MAC Host and then click Add.
- Fill in the necessary details. For the Type field, select MAC Address.
- Click Save.
Create a Traffic Shaping Policy
- Go to System Services > Traffic Shaping and then click Add.
- Fill in the necessary details. In this example, the Traffic Shaping policy will use the following parameters.
- Click Save to save the Traffic Shaping (QoS) policy.
Apply the Traffic Shaping Policy to a MAC Host
Apply the traffic shaping policy to the MAC Host by using a Rule.
- Go to Firewall, click Add Firewall Rule, and choose User/Network Rule.
- Fill in the necessary details. Under Source Networks and Devices, click Add New Item and choose the MAC Host that was created earlier. In this example, it is John Smith. Under Traffic Shaping Policy, click the drop-down menu and choose the traffic shaping policy that was created earlier. In this example, it is Traffic_Shaping_for_Micheal.
- Click Save to save the rule.
Key Terms
To understand the anti-IP spoofing mechanisms implemented on the MX, it is important to understand several key concepts.
IP Source Address Spoofing
IP source address spoofing is the process of intentionally configuring an IP address to impersonate another host or device on the network. This type of action is typically performed by a malicious actor attempting to circumvent access control restrictions that it would normally be subject to.
Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding (Unicast RPF) is used to help limit the malicious traffic on an enterprise network. This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded.
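The reverse-path check described above can be modelled as a longest-prefix lookup on the packet's source address. This is an added example, not code from the original page or from any vendor, and it does not describe how the MX implements the check. The routing table, interface names and sample packets are constructed, and the strict/loose mode names are standard uRPF terminology that this page does not itself define.

```python
import ipaddress

# Constructed routing table (assumption, not from the page): (prefix, interface).
ROUTES = [
    (ipaddress.ip_network("192.168.22.0/24"), "vlan2"),
    (ipaddress.ip_network("192.168.32.0/24"), "vlan3"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan1"),
]


def best_route(addr, routes=ROUTES):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in routes if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def urpf_check(src, in_iface, mode="strict", routes=ROUTES):
    """Return True to forward, False to discard.

    strict: the best route back to src must point out the arrival interface.
    loose:  some route to src other than the default route must exist.
    """
    if mode == "strict":
        route = best_route(src, routes)
        return route is not None and route[1] == in_iface
    if mode == "loose":
        specific = [r for r in routes if r[0].prefixlen > 0]
        return best_route(src, specific) is not None
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed packets: (source IP, arrival interface).
SAMPLE_PACKETS = [
    ("192.168.22.22", "vlan2"),  # LAN host arriving on its own VLAN
    ("192.168.22.22", "wan1"),   # LAN source arriving from the WAN side
    ("192.168.32.14", "vlan2"),  # VLAN 3 source arriving on VLAN 2
    ("203.0.113.7", "wan1"),     # Internet source covered by the default route
]


def classify(packets=SAMPLE_PACKETS, mode="strict"):
    """Label each (source, interface) pair as forward or discard."""
    return [(src, ifc, "forward" if urpf_check(src, ifc, mode) else "discard")
            for src, ifc in packets]


if __name__ == "__main__":
    for src, ifc, verdict in classify():
        print(f"{src:15} in={ifc:6} {verdict}")
```

In strict mode the second and third packets are discarded because the route back to their source leaves through a different interface than the one they arrived on. Loose mode accepts them and only rejects sources with no specific route.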
Operating mode
All MXs can be configured in either NAT or passthrough mode.
NAT Mode
In NAT mode the MX is configured with one or more local subnets or VLANs. In this configuration, the MX appliance generally serves as the default gateway for devices on the LAN. Client traffic destined to the Internet will have its source IP rewritten to match the WAN IP of the appliance.
Passthrough Mode
In this mode, the MX device does not provide any address translation and operates as a passthrough device between the Internet and the LAN ports (sometimes referred to as a Layer 2 bridge).