Chapter 17 Traffic Shaping for FortiOS 5.0

Calculation and regulation of packet rates
Packet rates specified for Maximum Bandwidth or Guaranteed Bandwidth are:
rate = amount / time
where rate is expressed in kilobits per second (Kb/s).
Burst size at any given instant cannot exceed the amount configured in Maximum Bandwidth. Packets in excess are dropped. Packets deduct from the amount of bandwidth available to subsequent packets and available bandwidth regenerates at a fixed rate. As a result, bandwidth available to a given packet may be less than the configured rate, down to a minimum of 0 Kb/s.
Rate calculation and behavior can alternatively be described using the token bucket metaphor, where:
a traffic flow has an associated bucket, which represents burst size bounds, and is the size of your configured bandwidth limit
the bucket receives tokens, which represent available bandwidth, at the fixed configured rate
as time passes, tokens are added to the bucket, up to the capacity of the bucket; excess tokens are discarded
when a packet arrives, the packet must deduct bandwidth tokens from the bucket equal to its packet size in order to egress
packets cannot egress if there are insufficient tokens to pay for their egress; these nonconforming packets are dropped
Bursts are not redistributed over a longer interval, so bursts are propagated rather than smoothed, although their peak size is limited.
Maximum burst size is the capacity of the bucket (the configured bandwidth limit); actual size varies by the current number of tokens in the bucket, which may be less than bucket capacity, due to deductions from previous packets and the fixed rate at which tokens accumulate. A depleted bucket refills at the rate of your configured bandwidth limit. Bursts cannot borrow tokens from other time intervals. This behavior is illustrated in Figure 315.
Figure 315: Bursts and bandwidth limits over time
By limiting traffic peaks and token regeneration in this way, the available bandwidth at a given moment may be less than bucket capacity, but your limit on the total amount per time interval is ensured. That is, total bandwidth use during each interval of 1 second is at most the integral of your configured rate.
You may observe that external clients, such as FTP or BitTorrent clients, initially report rates between Maximum Bandwidth and twice that of Maximum Bandwidth, depending on the size of their initial burst. This is notably so when a connection is initiated following a period of no network activity. The apparent discrepancy in rates is caused by a difference of perspective when delimiting time intervals. A burst from the client may initially consume all tokens in the bucket, and before the end of 1 second, as the bucket regenerates, be allowed to consume almost another bucket’s worth of bandwidth. From the perspective of the client, this constitutes one time interval. From the perspective of the FortiGate unit, however, the bucket cannot accumulate tokens while full; therefore, the time interval for token regeneration begins after the initial burst, and does not contain the burst. These different points of reference result in an initial discrepancy equal to the size of the burst — the client’s rate contains it, but the FortiGate unit’s rate does not. If the connection is sustained to its limit and time progresses over an increasing number of intervals, however, this discrepancy decreases in importance relative to the bandwidth total, and the client’s reported rate will eventually approach the FortiGate unit’s configured rate limit.
For example, your Maximum Bandwidth might be 50 Kb/s and there has been no network activity for one or more seconds. The bucket is full. A burst from an FTP client immediately consumes 50 Kb. Because the bucket completely regenerates over 1 second, by the time almost another 1 second has elapsed from the initial burst, traffic can consume another 49.999 Kb, for a total of 99.999 Kb between the two points in time. From the vantage point of an external FTP client regulated by this bandwidth limit, it therefore initially appears that the bandwidth limit is 99.999 Kb/s, almost twice the configured limit of 50 Kb/s. However, bucket capacity only regenerates at your configured rate of 50 Kb/s, and so the connection can only consume a maximum of 50 Kb during each second thereafter. The result is that as bandwidth consumption is averaged over an increasing number of time intervals, each of which is limited to 50 Kb/s, the effect of the first interval’s doubled bandwidth diminishes proportionately, and the client’s reported rate eventually approaches your configured rate limit. This effect is illustrated in Table 102.
Table 102: Effects of a 50 Kb/s limit on client reported rates

Total size transferred (Kb)   Time (s)   Rate reported by client (Kb/s)
99.999 (50 + 49.999)          1          99.999
149.999                       2          74.999
199.999                       3          66.666
249.999                       4          62.499
299.999                       5          59.998
349.999                       6          58.333
...                           ...        ...
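The following is an added model of the Maximum Bandwidth token bucket described above and of the Table 102 scenario; it is example code written for this page, not FortiOS code. It assumes a whole-number limit in Kb/s, a client that offers a backlog at t=0 and then one packet per millisecond, and 1 Kb packets, so the first interval admits 99 Kb rather than the table's 99.999 Kb (whole packets cannot use the last fraction of a token).

```python
"""Token-bucket model of a Maximum Bandwidth limit (added example, not FortiOS code).
Bucket capacity and refill rate are both the configured limit; a packet that
cannot pay its size in tokens is dropped rather than queued."""


class TokenBucket:
    """Tokens are kept in bits so the arithmetic stays exact. Assumption:
    limit_kbps is a whole number, so it also equals the bits regenerated per ms."""

    def __init__(self, limit_kbps):
        self.capacity = limit_kbps * 1000   # bits: bucket size == burst-size bound
        self.per_ms = limit_kbps            # bits added per millisecond (fixed rate)
        self.tokens = self.capacity         # idle link: the bucket starts full
        self.last_ms = 0

    def refill(self, now_ms):
        # Tokens accrue at the fixed rate; a full bucket discards the excess,
        # so an idle period cannot be "saved up" beyond one bucket.
        added = self.per_ms * (now_ms - self.last_ms)
        self.tokens = min(self.capacity, self.tokens + added)
        self.last_ms = now_ms

    def try_send(self, size_bits):
        # A packet egresses only if it can pay its whole size in tokens.
        if self.tokens >= size_bits:
            self.tokens -= size_bits
            return True
        return False                        # nonconforming packet: dropped


def simulate(limit_kbps, seconds, burst_kb, pkt_kb=1):
    """Client offers burst_kb at t=0, then one packet every ms (far above the limit).
    Returns (per_second, burst_admitted_kb), where per_second holds one
    (total_kb, elapsed_s, client_reported_rate_kbps) tuple per 1-second interval."""
    bucket = TokenBucket(limit_kbps)
    pkt = pkt_kb * 1000
    sent_bits = burst_admitted = 0
    per_second = []
    for ms in range(seconds * 1000):
        bucket.refill(ms)
        offered = burst_kb * 1000 // pkt if ms == 0 else 1
        for _ in range(offered):
            if bucket.try_send(pkt):
                sent_bits += pkt
                burst_admitted += pkt if ms == 0 else 0
        if (ms + 1) % 1000 == 0:            # end of a 1-second interval
            elapsed = (ms + 1) // 1000
            per_second.append((sent_bits / 1000, elapsed, sent_bits / 1000 / elapsed))
    return per_second, burst_admitted / 1000


if __name__ == "__main__":
    rows, admitted = simulate(limit_kbps=50, seconds=6, burst_kb=50)
    for total, t, rate in rows:
        print(f"{total:8.3f} Kb  {t} s  {rate:7.3f} Kb/s reported by client")
```

Running it with a limit of 50 Kb/s reproduces the shape of Table 102 (99 Kb/s in the first second, then 74.5, 66.3, ... converging on 50), and offering an 80 Kb burst shows that only one bucket's worth, 50 Kb, is admitted.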
Guaranteed Bandwidth can also be described using a token bucket metaphor. However, because this feature attempts to achieve or exceed a rate rather than limit it, the FortiGate unit does not discard non-conforming packets, as it does for Maximum Bandwidth; instead, when the flow does not achieve the rate, the FortiGate unit increases the packets’ priority queue, in an effort to increase the rate.
Guaranteed and maximum bandwidth rates apply to the bidirectional total for all sessions controlled by the security policy. For example, an FTP connection may entail two separate connections for the data and control portion of the session; some packets may be reply traffic rather than initiating traffic. All packets for both connections are counted when calculating the packet rate for comparison with the guaranteed and maximum bandwidth rate.