High-Performance XDP BNG · CGNAT · QoS · Low-Latency · App-Aware
Broadband Gateway · QoS & App-Aware Traffic Management

Deliver the Plan Rate Precisely, Make It Feel Fast, and Keep Latency Low Under Load — All in One XDP Data Plane

Per-subscriber hierarchical shaping, burst-aware speed, VLAN/reseller aggregate caps, and application-category policy — enforced in the XDP fast path on the same box that does CGNAT and firewalling. No separate QoS appliance, no hairpin, no per-subscriber QoS licence. Because the shaper is built on the box's AQM and Interactive Flow Protection, shaping a heavy downloader does not add lag to the gamer or the VoIP call on the same line.
Most "QoS" boxes give you the plan rate at the cost of latency under load — and need their own appliance, their own licence, and a hairpin through extra hardware. This one shapes in the data plane you already run, and stays low-latency because of how it queues.
  • Up & Down: independent per-subscriber rate caps from the RADIUS plan
  • Burst: short bursts hit full speed, sustained traffic held to plan rate
  • VLAN groups: aggregate / reseller caps with per-subscriber shaping underneath
  • 0 QoS appliances, hairpins, or per-subscriber QoS licences

Every per-subscriber QoS rule — the upload cap, the download cap, the burst budget, the VLAN-group ceiling, the per-application policy — lives in the XDP pinned maps and runs at line rate inside the bngxdpd data plane, driven by the bngxdpctl control tool. Nothing leaves the box to be shaped. The same program that forwards the packet is the program that polices it, so the QoS cost is a few extra instructions on a packet you were already touching — not a round trip to a separate appliance.

1 · What "QoS in XDP" actually buys you

THE APPLIANCE MODEL
A separate shaper box in the path.
  • Subscriber traffic hairpins out to a dedicated QoS/DPI appliance and back — extra latency, extra failure domain.
  • Capacity is licensed by subscriber count or by Gbps; growth means buying more of it.
  • Shaping and forwarding are two different boxes, so they drift, and "who dropped this packet" spans two vendors.
  • The cost is hardware, licences, latency and operational seams.
THE XDP MODEL
Shaping is part of the forward.
  • The token-bucket shaper runs in the same XDP program that already forwards and NATs the packet — no hairpin, no second box.
  • All per-subscriber QoS state lives in pinned BPF maps at line rate; it scales with the box, not a per-subscriber licence.
  • Shaping, firewall, CGNAT and AQM are one data plane — one place to look, one vendor, one config.
  • The cost is a handful of instructions on a packet you were touching anyway.
One data plane, every QoS function. Per-subscriber up/down caps, burst, VLAN-group aggregates and application-category policy are all enforced in XDP on the box that already forwards the traffic. There is no QoS appliance to license, no hairpin to add latency, and no separate per-subscriber QoS fee — the shaper is a feature of the forwarder.

2 · Per-subscriber hierarchical shaping — the plan rate, exactly

Each subscriber gets independent upload and download rate caps, taken straight from their plan and provisioned over RADIUS at session bring-up. A token-bucket shaper in the XDP fast path enforces both directions per subscriber — this is line-rate policing without a separate QoS appliance. Change the plan in RADIUS, reconnect (or re-authorize), and the new rate is in the data plane.

UPLOAD SHAPER

Per-subscriber egress-to-network cap

token bucket
independent of the download cap
  • Rate set from the subscriber's plan via RADIUS
  • Enforced in XDP as the packet is forwarded
  • Protects the uplink/backhaul from a single heavy uploader
DOWNLOAD SHAPER

Per-subscriber to-subscriber cap

token bucket
independent of the upload cap
  • Same plan-driven model, opposite direction
  • Delivers the contracted down-rate precisely
  • Hierarchical: sits under any VLAN-group ceiling (Section 4)

Per-subscriber QoS view — IP to plan rate, queue and experience [ILLUSTRATIVE FORMAT]

The control tool resolves a subscriber IP to their live shaping state — the configured up/down plan rate, the burst budget, current queue behaviour and the Subscriber Experience Score (Section 6). Output is shown in this form:

root@NodeA:~# bngxdpctl sub show 10.16.5.130
=== subscriber 10.16.5.130 ===  iface ppp0 · plan "Home-200"
  shaping         down        up
    plan rate      200 Mbps   30 Mbps
    burst budget   48 MB      8 MB
    current       142 Mbps    6 Mbps  within plan
  group          vlan100 (reseller-A)  500M/500M  62% used
  latency        interactive flows protected (IFP on)
  experience score: 94 / 100  (good — shaped, low latency under load)
Illustrative format. The exact field labels, the plan-name attribute and the rate-attribute names are deployment- and config-specific (they depend on how your RADIUS dictionary and box are provisioned). The capability — per-subscriber up/down caps, burst budget, group membership and experience, read from the pinned maps — is real and runs in the XDP data plane.
Why "hierarchical" matters: the subscriber shaper is not the only ceiling. A subscriber shapes to their own plan rate and sits underneath a VLAN/reseller-group cap (Section 4). The data plane enforces both at once — the subscriber never exceeds their plan, and the aggregate never exceeds the wholesale ceiling, with no double-counting and no appliance in the middle.

3 · Burst — make customers feel fast without giving away capacity

A flat rate cap feels slow even when it is technically correct: every page load, every app launch, every speedtest is throttled from the first byte. The XDP shaper carries a configurable burst allowance — a burst-bytes budget — that lets short bursts hit full link speed while sustained traffic is held to the plan rate. The speedtest passes, the page snaps in, the OS update kicks off fast — and the heavy, sustained flows still settle back to exactly what the customer pays for.

THE BURST BUDGET
A bytes allowance, not a rate.
  • Refills over time; spends on demand
  • Short flows drain a little, settle back
  • Sustained flows exhaust it → plan rate
WHAT THE CUSTOMER FEELS
"My internet is fast."
  • Page loads & app launches hit full speed
  • Speedtests pass at or above plan
  • The line feels snappy, not throttled
WHAT YOU KEEP
Sustained capacity protected.
  • Bulk downloads settle to the plan rate
  • You don't give away sustained backhaul
  • Tunable per plan tier
The business effect: burst is the difference between a customer who renews because "it feels fast" and one who churns over a speedtest that reads low. It costs you almost nothing — short bursts are a rounding error against sustained capacity — but it directly moves the perception that drives retention and support-ticket volume.

4 · VLAN groups — aggregate & reseller caps with per-subscriber shaping underneath

Sometimes the thing you need to protect is not a subscriber — it is an aggregate: a VLAN, an OLT, a reseller's slice, a backhaul segment. A VLAN group caps that aggregate to a single group rate while every subscriber underneath it still shapes individually. Wholesale a 500 Mbps slice to a reseller and let their customers shape to their own plans inside it; protect a backhaul segment from collective overrun without touching individual plans.

root@NodeA:~# bngxdpctl groups add vlan100 500M/500M
  group 'vlan100' added — aggregate cap 500 Mbps down / 500 Mbps up
  subscribers on vlan100 continue to shape to their own plan rates
  underneath this aggregate ceiling.
The bngxdpctl groups add vlan100 500M/500M command form is real. The two confirmation lines beneath it are illustrative of the effect, not a verbatim capture.
Use case                   | What the VLAN group does                                                                                                       | Why it matters
Wholesale / reseller slice | Cap the reseller's VLAN to the contracted aggregate (e.g. 500M/500M); their subscribers shape to individual plans inside it.   | Sell a bandwidth slice precisely, enforce the wholesale SLA in the data plane, no separate box per reseller.
OLT / backhaul protection  | Cap an OLT or backhaul segment's aggregate so no single segment can starve the rest at peak.                                   | One noisy segment can't collectively overrun shared backhaul; protection is per-aggregate, not per-plan.
Tiered aggregate offers    | Group a set of subscribers under a shared ceiling for a building, campus or bulk account.                                      | Sell aggregate products (a building's pipe) while still delivering each tenant their own shaped plan.
Aggregate and individual, at once. The group ceiling and the per-subscriber plan rate are both enforced in the same XDP pass. The reseller never exceeds their slice; each of their customers still gets exactly the plan they bought — no appliance, no per-reseller hardware, one command to provision.
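To make the shaping model of Sections 2, 3 and 4 concrete, here is an added example (not BNGSOFT code and not the bngxdpd data plane) that simulates the token-bucket shaper in user-space C: a subscriber bucket with a burst-bytes budget sitting under a VLAN-group bucket, both checked in one pass so the group ceiling never double-charges the subscriber. The packet size, millisecond tick clock, the 125 kB group burst and all function names are assumptions; in a real XDP program the same arithmetic would run on bpf_ktime_get_ns() timestamps against pinned-map state.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#define PKT 500u /* constructed packet size in bytes (assumption) */
/* A token bucket: rate = plan rate (bytes/s), burst = burst budget (bytes), tokens = balance, last_ms = last refill. */
struct bucket { uint64_t rate, burst, tokens, last_ms; };
#define BUCKET(r, b) { .rate = (r), .burst = (b), .tokens = (b), .last_ms = 0 } /* a new session starts with a full budget */

/* Refill on demand: tokens accrue at the plan rate and are capped at the burst budget. */
static void bucket_refill(struct bucket *b, uint64_t now_ms) {
    uint64_t add = (now_ms - b->last_ms) * b->rate / 1000;
    b->tokens = (b->tokens + add > b->burst) ? b->burst : b->tokens + add;
    b->last_ms = now_ms;
}
/* Hierarchical admit: the packet passes only if both the subscriber bucket and its VLAN-group bucket (NULL when
 * ungrouped) can pay. Both are checked before either is charged, so a group refusal burns no subscriber tokens. */
static bool hier_admit(struct bucket *sub, struct bucket *grp, uint32_t len, uint64_t now_ms) {
    bucket_refill(sub, now_ms);
    if (grp) bucket_refill(grp, now_ms);
    if (sub->tokens < len || (grp && grp->tokens < len)) return false;
    sub->tokens -= len;
    if (grp) grp->tokens -= len;
    return true;
}

/* Offer pkts_per_ms packets to every subscriber each millisecond for ms ticks starting at clock t0,
 * round-robin across subscribers. Fills delivered[i] per subscriber and returns the group total. */
static uint64_t simulate(struct bucket *subs, size_t n, struct bucket *grp,
                         uint32_t pkts_per_ms, uint64_t t0, uint64_t ms, uint64_t *delivered) {
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) delivered[i] = 0;
    for (uint64_t t = t0; t < t0 + ms; t++)
        for (uint32_t k = 0; k < pkts_per_ms; k++)
            for (size_t i = 0; i < n; i++)
                if (hier_admit(&subs[i], grp, PKT, t)) { delivered[i] += PKT; total += PKT; }
    return total;
}
/* Section 3 scenario: one "Home-200" line (200 Mbps = 25 MB/s plan, 48 MB burst budget) offered
 * 1 Gbps (250 x 500 B per ms) for two seconds. Returns the bytes delivered in second 0 or second 1. */
static uint64_t demo_burst(int second) {
    struct bucket sub = BUCKET(25000000, 48000000);
    uint64_t got[2];
    simulate(&sub, 1, NULL, 250, 0, 1000, &got[0]);    /* second 0: burst budget + plan rate */
    simulate(&sub, 1, NULL, 250, 1000, 1000, &got[1]); /* second 1: settled to the plan rate only */
    return got[second];
}
/* Section 4 scenario: two such lines under a vlan100 group cap of 500 Mbps (62.5 MB/s; the 125 kB
 * group burst is an assumption). Returns bytes for subscriber 0 or 1, or the group total for i == 2. */
static uint64_t demo_group(int i) {
    struct bucket subs[2] = { BUCKET(25000000, 48000000), BUCKET(25000000, 48000000) };
    struct bucket grp = BUCKET(62500000, 125000);
    uint64_t got[2], total = simulate(subs, 2, &grp, 250, 0, 1000, got);
    return i < 2 ? got[i] : total;
}
```

With the Home-200 line offered 1 Gbps, demo_burst(0) returns 72,975,000 bytes for the first second (the 48 MB budget plus the plan rate) and demo_burst(1) returns exactly 25,000,000 for the second; demo_group(2) returns 62,562,500, the vlan100 ceiling, split 31,531,000 / 31,031,500 between the two lines.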

5 · App-aware QoS — policy by application category

Beyond rate, the box can classify subscriber traffic into application categories and apply per-category bandwidth and usage policy — per-subscriber or fleet-wide. Cap bulk video so it can't crowd out everything else on a line; protect or prioritize real-time traffic; see which categories and which talkers dominate. The classification is category-level — it recognizes kinds of traffic (known video / CDN / real-time signatures) — and applies policy accordingly.

app categories
List the category set.
  • bngxdpctl app categories
  • The categories the box recognizes
  • Category set is config/deployment-specific
app show <ip>
Per-subscriber breakdown.
  • bngxdpctl app show 10.16.5.130
  • Per-category usage and caps for one subscriber
  • See what's actually consuming a line
app top
Top categories & talkers.
  • bngxdpctl app top
  • Which categories / subscribers dominate
  • Fleet-wide visibility for policy decisions

Per-subscriber application breakdown [ILLUSTRATIVE FORMAT]

root@NodeA:~# bngxdpctl app show 10.16.5.130
=== app categories: 10.16.5.130 ===  last 60s
  category          down      cap      status
  --------------------------------------------------
  video (bulk)     118 Mbps  120 Mbps  shaped
  web / cdn        19 Mbps    —      ok
  real-time (voip)   0.3 Mbps  protect  prioritized
  gaming          2 Mbps   protect  prioritized
  other            4 Mbps    —      ok

  policy: bulk video capped at 120M; real-time + gaming protected
Illustrative format. The app categories / app show <ip> / app top command family is real; the exact category names, caps and column layout are deployment-specific. Classification is category-level by protocol/port/CDN-endpoint signature — it identifies kinds of traffic, it does not decrypt payloads (see note).
Policy where it belongs — on the kind of traffic, not just the IP. Cap bulk video so one streaming binge can't crowd a household; keep real-time traffic protected so the call stays clean. Apply it per-subscriber for a specific line, or fleet-wide as a default. All of it runs in the same XDP pass as the rate shaper above.

6 · Low latency under load — QoS that doesn't add lag

The hard part of shaping is not hitting the rate — it is hitting the rate without adding latency to everything else on the line. A naive shaper builds a deep queue in front of the cap, and every interactive flow on that subscriber sits behind a bulk download. BNGSOFT QoS is integrated by design with the box's AQM — a dual-queue / CoDel-style active queue management with L4S support — and with Interactive Flow Protection (IFP). Thin interactive flows (TCP ACKs, DNS, gaming, VoIP signaling) are kept out of the bulk queue, so shaping a heavy downloader does not add lag to latency-sensitive traffic on the same line.

AQM (dual-queue / L4S)
The queue manages itself.
  • Active queue management keeps the shaping queue shallow instead of letting it bloat.
  • L4S support enables low-latency, scalable congestion signalling for traffic that opts in.
  • The shaper hits the plan rate without a deep buffer in front of it.
Interactive Flow Protection
Thin flows skip the bulk line.
  • ACKs, DNS, gaming and VoIP signaling are kept out of the bulk queue.
  • A heavy download on the same subscriber doesn't queue the gamer behind it.
  • Low latency under load, not just at idle.
This is why the shaper is safe to turn on. The reason BNGSOFT QoS stays low-latency is structural: it queues through AQM and protects interactive flows with IFP. Shaping and latency are not a trade-off here — you deliver the exact plan rate and keep the line responsive while it's full. (AQM/L4S and IFP each have their own detailed brief; here they are the reason shaping stays low-latency.)

Tied to the Subscriber Experience Score

Configured rates tell you what you set; they don't tell you what the customer got. Every subscriber carries a per-subscriber Subscriber Experience Score, so operators can see the QoS effect on actual experience — not just the numbers in the plan. A subscriber can be shaped exactly to plan and still score well because latency stayed low under load; the score is how you prove the QoS is doing its job.

Close the loop. Plan rate, burst, group cap, app policy — and then a score that reflects whether the subscriber actually had a good time on the line. QoS you can see the result of, per subscriber, from the same box that enforces it.

7 · What it means for the business

QoS & App-Aware · operator value
  • Deliver the plan rate precisely: independent per-subscriber up/down caps from the RADIUS plan, enforced at line rate in XDP. The customer gets exactly what they pay for — no more, no less.
  • Make customers feel fast: burst lets short flows hit full speed so speedtests pass and pages snap in — while sustained traffic settles to plan. Perception drives retention.
  • Protect aggregates & backhaul: VLAN groups cap a reseller, OLT or backhaul slice while each subscriber still shapes individually. Sell wholesale slices and enforce the SLA in the data plane.
  • Shape by application category: cap bulk video, protect real-time. Per-subscriber or fleet-wide policy on the kind of traffic, with visibility into top categories and talkers.
  • Low latency under load: AQM + Interactive Flow Protection keep interactive traffic responsive while a heavy downloader runs. Shaping that doesn't add lag — proven by the experience score.
  • No QoS appliance, no QoS licence: all of it runs in the XDP data plane you already operate. No separate shaper box, no hairpin, no per-subscriber QoS fee.
Provision plans over RADIUS — per-subscriber up/down caps and burst budgets flow into the XDP maps at session bring-up.
Add aggregate ceilings with bngxdpctl groups add for resellers, OLTs or backhaul segments — subscribers keep shaping individually underneath.
Apply application-category policy with the app command family — cap bulk video, protect real-time, per-subscriber or fleet-wide.
Watch the Subscriber Experience Score to confirm the QoS effect on actual experience — low latency under load, not just configured rates.

The bottom line

Deliver plan rates precisely, make customers feel fast with burst, protect aggregates and backhaul with VLAN groups, shape by application category, and keep latency low under load — all in one XDP data plane, on the same box that already does forwarding, CGNAT and firewalling.

No QoS appliance. No hairpin. No per-subscriber QoS licence. The shaper is a feature of the forwarder, and it stays low-latency because it queues through AQM and protects interactive flows with IFP.

Methodology and honest framing: This brochure describes the QoS and application-aware traffic-management capabilities of the BNGSOFT XDP BNG product. The following are grounded product facts: per-subscriber hierarchical rate shaping provides independent upload and download rate caps per subscriber, set from the subscriber's plan via RADIUS and enforced in the XDP fast path with a token-bucket shaper (line-rate policing with no separate QoS appliance); a configurable burst allowance (a burst-bytes budget) lets short bursts hit full link speed while sustained traffic is held to the plan rate; VLAN groups cap an aggregate (a VLAN / OLT / reseller) to a group rate while each subscriber underneath still shapes individually, provisioned with the command form bngxdpctl groups add vlan100 500M/500M; application-aware QoS classifies subscriber traffic into application categories and applies per-category bandwidth / usage policy per-subscriber or fleet-wide, via the command family bngxdpctl app categories (list categories), bngxdpctl app show <ip> (per-subscriber per-category usage and caps) and bngxdpctl app top (top categories / talkers); QoS is integrated with the box's AQM (a dual-queue / CoDel-style active queue management with L4S support) and with Interactive Flow Protection (IFP) so that thin interactive flows — TCP ACKs, DNS, gaming, VoIP signaling — are kept out of the bulk queue and shaping a heavy downloader does not add lag to latency-sensitive traffic on the same line (low latency under load); QoS is tied to a per-subscriber Subscriber Experience Score so operators can see the QoS effect on actual experience; and all per-subscriber QoS state lives in the XDP pinned maps and runs at line rate, with nothing hairpinning through a separate shaper box. 
Illustrative terminal output: the three CLI blocks (bngxdpctl sub show in Section 2 and bngxdpctl app show in Section 5, both marked ILLUSTRATIVE FORMAT, plus the two confirmation lines beneath the real bngxdpctl groups add vlan100 500M/500M command in Section 4) depict the form of the tools' output and are not verbatim captures; exact field labels, column layouts, the plan-name and rate-attribute names, category names and cap values are deployment- and config-specific and depend on how your RADIUS dictionary and box are provisioned. The command forms (sub show, groups add, and the app family) are real; the surrounding values and formatting in the examples are illustrative. Honest caveat on application classification: classification is category-level, using protocol / port / CDN-endpoint signatures (for example, recognizing known video, CDN or real-time traffic) — it identifies categories of traffic; it is not deep packet inspection of encrypted payloads and it does not decrypt. The exact category set and rate-attribute names are deployment- and config-specific. On latency: AQM/L4S and Interactive Flow Protection are detailed in their own separate product briefs; in this document they are referenced as the reason shaping stays low-latency, not described in full. Node and plan names used in examples (NodeA, vlan100, reseller-A, "Home-200") are generic placeholders. Prepared as a management and operations overview for large-scale operators.