FortiGate Traffic Shaping – Guaranteed vs Maximum Bandwidth
Maximum Bandwidth is simple:
- Sets a limit to the amount of bandwidth that can be used.
- In a Traffic Shaping Profile, this is a percentage of the outbandwidth.
- In a Traffic Shaper, this is a rate (eg. 40Mbps).
- If you set the max to 50% of a 100Mbps WAN link, bandwidth is capped at 50Mbps even if the entire pipe is idle. Excess gets dropped (policing) or queued (queueing).
Guaranteed Bandwidth is more complex and less straightforward to understand. We can start by visualizing our egress interface as a pipe. We set our WAN link to 100Mbps, telling the FortiGate “this is the total capacity you have to work with.”
config system interface
edit port2
set outbandwidth 100000
next
end
First, guaranteed bandwidth is a Reservation. When congestion is happening and multiple classes are competing, the FortiGate will always honor each class’s guaranteed amount before giving leftovers to anyone.
- If Class A has 30% guaranteed and Class B has 20% guaranteed, and the pipe is saturated, Class A will get at least 30Mbps and Class B will get at least 20Mbps, regardless of priority. The guaranteed bandwidth is reserved and cannot be overridden.
Second, guaranteed bandwidth determines who gets the leftovers. After all guaranteed reservations are fulfilled, there is bandwidth leftover. The remaining bandwidth is distributed based on priority. Higher priority classes get bandwidth first. If two classes share the same priority, the remaining bandwidth is split proportionally to their guaranteed bandwidth ratio.
Let’s do an example with the same 100Mbps pipe and three classes:
- VoIP: guaranteed 20%, max 100%, priority High
- Web: guaranteed 30%, max 80%, priority Medium
- General: guaranteed 10%, max 100%, priority Low
When the pipe is NOT congested, for example only 40Mbps is used, nobody cares about priorities or guarantees. Each class just uses what it needs, up to its maximum.
When the pipe IS congested, for example 150Mbps of demand hitting a 100Mbps pipe, it matters.
- Honor the guarantees: VoIP gets 20Mbps, Web gets 30Mbps, General gets 10Mbps
- 40Mbps remains. VoIP (High priority) gets first dibs on leftovers, up to its maximum of 100Mbps. VoIP could take all remaining 40Mbps if it wanted. Let’s say it only needs 25Mbps more.
- 15Mbps remains. Web (Medium priority) gets next dibs on leftovers, up to its maximum of 80Mbps. Web could take all remaining 15Mbps if it wanted. Let’s say it only needs 5Mbps more.
- 10Mbps remains. General (Low priority) gets next dibs on leftovers, up to its maximum of 100Mbps. Let’s say it needs 20 Mbps more. It takes the remaining 10Mbps and another 10Mbps of its traffic is dropped or queued.
Summary
Guaranteed bandwidth protects you during congestion, regardless of priority. Priority determines who gets dibs on the leftover bandwidth.
Fortinet NSE8/FCX Certification 
Leave a comment