About subnet side rules
The appliance processes the subnet side LAN rules before the QoS outbound rules.
Certain virtual in-path network topologies where the LAN-bound traffic traverses the WAN interface might require that the local appliance bypass LAN-bound traffic so that it’s not included in the rate limit determined by the recommended maximum root bandwidth.
Figure: In-path configuration where default LAN gateway is accessible over the appliance’s WAN interface illustrates topologies where the default LAN gateway or router is accessible over the WAN interface of the SteelHead. If there are two clients in the local subnet, traffic between the two clients is routable after reaching the LAN gateway. As a result, this traffic traverses the WAN interface of the appliance.
In-path configuration where default LAN gateway is accessible over the appliance’s WAN interface
In a QoS configuration for these topologies, suppose you’ve created several classes and the root class is configured with the WAN interface rate. The remainder of the classes use a percentage of the root class. In this scenario, the LAN traffic is rate limited because the appliance classifies it into one of the classes under the root class. You can use the LAN bypass feature to exempt certain subnets from QoS enforcement, bypassing the rate limit. The LAN bypass feature is enabled by default and comes into effect when subnet side rules are configured.
Filtering LAN traffic from WAN traffic with subnet side rules
1. Enable QoS shaping for inbound or outbound traffic, or both.
2. Add a subnet side rule, specifying the client-side appliance subnet and specifying that the subnet address is on the LAN side of the appliance.
View the report for inbound and outbound QoS verify that the traffic classification is correct.