In firmware version 7.2.52, a new QoS feature was introduced. The terms Quality of Service (QoS) and limiting are used interchangeably. This is a system-level QoS controller that tracks ingress activity. The purpose of the QoS feature is to protect the machine as a whole. QoS can guard against certain types of attacks, for example, Distributed Denial of Service (DDoS) or brute-force password-guessing attacks. You can also use QoS to protect servers from being overwhelmed by too many requests at once.

For example, a machine may become resource-saturated, reaching 100% CPU utilization at 1,000 Connections Per Second (CPS) and 10,000 Requests Per Second (RPS). You may never want a machine to saturate. With the QoS feature in the LoadMaster, you can apply a system-level controller to cap or curtail levels of ingress traffic to the LoadMaster (for example, 800 CPS and 8,000 RPS).

You can configure:

  • Max connections (the maximum number of established connections)
  • Connections Per Second (CPS) rate
  • Requests Per Second (RPS) rate
  • Bandwidth limits

Note: In firmware version 7.2.53, the rate limiting and Quality of Service (QoS) capabilities have been enhanced to support bandwidth limiting at three levels.

  • Global: Across all clients accessing any Virtual Service.
  • Client: For a single IP address or subnet accessing any Virtual Service.
  • Virtual Service: For any client accessing a specific Virtual Service or SubVS.

The global and client limits are available in the User Interface (UI) on the System Configuration > QoS/Limiting page, at the bottom of Global Limits and at the bottom of the Client Limiting section. A bandwidth limit set at the global level overrides one set at either the client or Virtual Service/SubVS levels.

You can also set bandwidth limits at the Virtual Service and SubVS levels using a new control at the bottom of the Virtual Service and SubVS QoS/Limiting section. A bandwidth limit set at the Virtual Service level overrides one set at the SubVS level. Similarly, a bandwidth limit set at the global level overrides one set at the client, Virtual Service, or SubVS level.

A log is generated every five seconds (this is configurable and is off by default) and includes the following information:

  • Current active connections
  • Current CPS
  • Current RPS
  • Current CPS being rate-controlled (that is, the number being rejected)
  • Current RPS being rate-controlled (that is, the number being rejected)
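
One way to use these five logged values for triage, as an added example (not LoadMaster code): it separates sustained limiting from one-interval bursts and reports whether connections or requests are being rejected. The log line format is not shown on this page, so entries are assumed to be already parsed into a hypothetical `Sample` record; the thresholds and sample values are constructed.

```python
from dataclasses import dataclass

INTERVAL_S = 5  # seconds between log entries, as stated on the page

@dataclass
class Sample:  # hypothetical record: one parsed log entry
    active: int        # current active connections
    cps: int           # current CPS
    rps: int           # current RPS
    cps_rejected: int  # CPS being rate-controlled (rejected)
    rps_rejected: int  # RPS being rate-controlled (rejected)

def sustained_limiting(samples, field, min_rejected=1, min_intervals=3):
    """Episodes where `field` stayed >= min_rejected for at least
    min_intervals consecutive samples; shorter bursts are ignored."""
    episodes, start, peak = [], None, 0
    for i, s in enumerate(list(samples) + [None]):  # None flushes a trailing run
        value = getattr(s, field) if s is not None else 0
        if value >= min_rejected:
            if start is None:
                start, peak = i, 0
            peak = max(peak, value)
        elif start is not None:
            if i - start >= min_intervals:
                episodes.append({"start_s": start * INTERVAL_S,
                                 "duration_s": (i - start) * INTERVAL_S,
                                 "peak_rejected": peak})
            start = None
    return episodes

def triage(samples):
    """Separate connection-rate pressure from request-rate pressure."""
    return {"connections": sustained_limiting(samples, "cps_rejected"),
            "requests": sustained_limiting(samples, "rps_rejected")}

# Constructed samples, using the 800 CPS / 8,000 RPS caps from the text above.
SAMPLES = [
    Sample(400, 300, 2500, 0, 0),
    Sample(420, 800, 3000, 40, 0),      # one-interval burst: ignored
    Sample(410, 310, 2600, 0, 0),
    Sample(900, 800, 8000, 150, 900),   # sustained limiting starts at t=15s
    Sample(950, 800, 8000, 200, 1500),
    Sample(940, 800, 8000, 180, 1200),
    Sample(930, 800, 7000, 90, 0),
    Sample(500, 350, 2700, 0, 0),
]

if __name__ == "__main__":
    for kind, eps in triage(SAMPLES).items():
        print(kind, eps)
```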