NetEnforcer AC-1000
Series
Carrier-Grade Service Control and QoS/SLA
Enforcement
Installation Guide
Version 6.1.1
(Doc. No. D354003)
Important Notice
Allot Communications Ltd. ("Allot") is not a party to the purchase agreement under which
NetEnforcer was purchased, and will not be liable for any damages of any kind whatsoever caused to
the end users using this manual, regardless of the form of action, whether in contract, tort (including
negligence), strict liability or otherwise.
SPECIFICATIONS AND INFORMATION CONTAINED IN THIS MANUAL ARE FURNISHED
FOR INFORMATIONAL USE ONLY, AND ARE SUBJECT TO CHANGE AT ANY TIME
WITHOUT NOTICE, AND SHOULD NOT BE CONSTRUED AS A COMMITMENT BY ALLOT
OR ANY OF ITS SUBSIDIARIES. ALLOT ASSUMES NO RESPONSIBILITY OR LIABILITY
FOR ANY ERRORS OR INACCURACIES THAT MAY APPEAR IN THIS MANUAL,
INCLUDING THE PRODUCTS AND SOFTWARE DESCRIBED IN IT.
Please read the End User License Agreement and Warranty Certificate provided with this product
before using the product. Please note that using the products indicates that you accept the terms of
the End User License Agreement and Warranty Certificate.
WITHOUT DEROGATING IN ANY WAY FROM THE AFORESAID, ALLOT WILL NOT BE
LIABLE FOR ANY SPECIAL, EXEMPLARY, INDIRECT, INCIDENTAL OR
CONSEQUENTIAL DAMAGES OF ANY KIND, REGARDLESS OF THE FORM OF ACTION
WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR
OTHERWISE, INCLUDING, BUT NOT LIMITED TO, LOSS OF REVENUE OR ANTICIPATED
PROFITS, OR LOST BUSINESS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
Copyright
Copyright © 1997-2005 Allot Communications. All rights reserved. No part of this document may
be reproduced, photocopied, stored on a retrieval system, transmitted, or translated into any other
language without a written permission and specific authorization from Allot Communications Ltd.
Trademarks
Products and corporate names appearing in this manual may or may not be registered trademarks or
copyrights of their respective companies, and are used only for identification or explanation and to
the owners' benefit, without intent to infringe.
NetEnforcer®, NetBalancer®, CacheEnforcer® and the Allot Communications pyramid logo are
registered trademarks of Allot Communications Ltd.
NetPolicy™ is a trademark of Allot Communications Ltd.
Allot Communications
Europe
NCI – Les Centres d'Affaires
Village d'Entreprises 'Green Side'
Batiment 1B
400 Avenue Roumanille, BP309
06906 Sophia Antipolis Cedex
France
Tel: 33-(0)4-93-00-11-67
Fax: 33-(0)4-93-00-11-65
Japan
Yajima Building, 8F
7-11-13 Ginza, Chuo-ku
Tokyo 104-0061
Japan
Tel: 81-3-5537-7114
Fax: 81-3-5537-5281
Asia Pacific
9 Raffles Place, #27-01
Republic Plaza
Singapore 048619
Tel: 65-6832-5663
Fax: 65-6832-5662
Printing History
Second Edition: May 2005, Version 6.1.1
Doc. No. D534003
Conventions
The following conventions are used in this manual:
Note: Additional information that may be useful in understanding or using functionality.
Tip: A helpful hint for using functionality, for example, a shortcut.
Security Note: A note that has security implications.
Caution: Information that is important to consider when performing a particular action and that may have hazardous implications.
Table of Contents
CHAPTER 1: INTRODUCING NETENFORCER AC-1000 SERIES FOR GIGA BIT NETWORKS 1-1
Introducing the NetEnforcer AC-1000 Series 1-2
NetEnforcer AC-1000 Environments 1-3
NetEnforcer Usage Examples 1-5
Scenario 1: Internet Service Provider 1-5
Scenario 2: Internet Data Center 1-8
Scenario 3: Enabling CATV Providers to Offer Advanced IP Services 1-9
Scenario 4: Enterprise Intranet 1-11
Scenario 5: Enterprise Internet Connection with VPN 1-13
Scenario 6: Protecting Networks from DDoS Attacks 1-15
List of Figures
FIGURE 1-1 – ISP POP NETWORK WITH GIGA BIT CONNECTIVITY AND QOS 1-7
FIGURE 1-2 – SAMPLE INTERNET DATA CENTER NETWORK 1-9
FIGURE 1-3 – NETENFORCER IN CATV ENVIRONMENT 1-10
FIGURE 1-4 – CORPORATE NETWORK STRUCTURE WITH TWO OUTGOING WAN LINKS 1-12
FIGURE 1-5 – SAMPLE CORPORATE NETWORK WITH TWO LOCATIONS CONNECTED VIA MPLS VPN 1-14
FIGURE 1-6 – END TO END QOS MARKING ON PACKETS TRAVELING AN MPLS NETWORK 1-14
FIGURE 1-7 – PREVENTING A DOS ATTACK WITH NETENFORCER 1-16
FIGURE 2-1 – NETENFORCER AC-1010: FIBER INTERFACE (TOP); NETENFORCER AC-1010: COPPER INTERFACE (BOTTOM) 2-1
FIGURE 2-2 – NETENFORCER AC-1010 FRONT PANEL: FIBER INTERFACE 2-7
FIGURE 2-3 – NETENFORCER AC-1010 FRONT PANEL: COPPER INTERFACE 2-8
FIGURE 2-4 – NETENFORCER AC-1020 FRONT PANEL: FIBER INTERFACE 2-9
FIGURE 2-5 – NETENFORCER AC-1040 FRONT PANEL 2-9
FIGURE 2-6 – NETENFORCER LCD PANEL 2-12
FIGURE 2-7 – AC-1040 STATUS INDICATORS 2-13
FIGURE 2-8 – MANAGEMENT PORT 2-15
FIGURE 2-9 – FIBER BYPASS MODULE 2-19
FIGURE 2-10 – CONNECTING NETENFORCER AC-1010 TO FIBER BYPASS MODULE 2-20
FIGURE 2-11 – COPPER BYPASS MODULE 2-21
FIGURE 2-12 – CONNECTING NETENFORCER AC-1010 TO COPPER BYPASS MODULE 2-22
FIGURE 2-13 – DOUBLE FIBER BYPASS MODULE 2-24
FIGURE 2-14 – CONNECTING NETENFORCER AC-1020 TO DOUBLE FIBER BYPASS MODULE 2-25
FIGURE 2-15 – MULTI-PORT COPPER BYPASS MODULE 2-28
FIGURE 2-16 – LAN AND WAN PLACEMENT OF NETENFORCER AC-1010 2-32
FIGURE 2-17 – PLACEMENT OF NETENFORCER AC-1020 (POLICY PER USER) 2-32
FIGURE 2-18 – PLACEMENT OF NETENFORCER AC-1020 (POLICY BASED ON LINK) 2-33
FIGURE 2-19 – NETENFORCER SETUP MENU 2-37
FIGURE 2-20 – NETWORK CONFIGURATION 2-38
FIGURE 2-21 – CURRENT CONFIGURATION (1) 2-40
This chapter introduces NetEnforcer and explains how it delivers Quality of Service.
Class of Service
NetEnforcer enables class of service in the following ways:
• Provides superior classification capabilities.
• Offers advanced classification capabilities up to Layer 7 while routers usually
support only up to Layer 4.
• Controls P2P traffic loads.
• Provides classed-based accounting for each subscriber.
• With NetPolicy Provisioner:
  - Enables end-users (the business customer of the SP) to define their own classes,
    and change them
  - Provides per-pipe and per-class monitoring for each end-user
  - Does not require changes in existing infrastructure
For example, the creation of a separate Pipe for each subscriber, dividing traffic
according to the customer needs.
Figure 1-1 – ISP POP Network with Giga Bit Connectivity and QoS
The ISP would like to control the maximum usage of each subscriber while limiting the
total bandwidth used. Moreover, the ISP needs to over-subscribe customers (there are
more customers than the available bandwidth can support for each Virtual
Channel/Pipe). The ISP would like to offer tiered services.
The NetEnforcer AC-1000 does the following for ISPs:
• Assigns tiered services (for example, Gold, Silver and Bronze service levels).
• Limits users and protocols to a maximum (for example, limit download/upload of
music using P2P).
• Sets a minimum to Smart Building tenants.
• Assigns a maximum to every home user.
• Using templates, the ISP is able to over-subscribe tenants (since, most probably, not
all of them will be active at the same time).
• Provides detailed call records for IP sessions.
• DoS Protection.
  - Limit and monitor the number of connections handled by each server
• Real-time monitoring.
• Alerts.
• Reporting.
  - Recording of all session data
  - Exporting session data to an external server (CSV format files)
• Enable customers to monitor and control their bandwidth pipes with the optional
NetPolicy Provisioner.
Internet Data Center management requires detailed management of traffic flows to
hosted servers. IDC customers are protected with guaranteed traffic to and from hosted
servers. Network resources are preserved against malicious traffic, including worms
(such as Slammer) that flood the server farm with heavy, superfluous, artificial
traffic.
In addition to specific traffic enforcement requirements, IDC operators need to monitor
and manage traffic usage as well as the total access to each server. Monitoring
information in real time provides IDC operators the troubleshooting data they need,
should a network load issue arise. Recording and monitoring network and application
traffic and health statistics of the network resources provide management with
pro-active tools for daily operations.
The Internet Data Center hosts commercial servers for customers and guarantees a level
of service (SLA). Corporate customers enjoy wide bandwidth to the server farm (wide
and fast connection to the www backbone), redundancies and outsourced professional
management of the corporate data centers.
Residential users on "always-on" service abuse P2P and web downloads. Cable
technology is shared between users on a massive scale, which raises operational
issues: speeds decrease as the number of users grows, sharing the same medium raises
security concerns, and it is difficult to differentiate key services (for example,
VoIP) from non-time-sensitive applications (for example, file downloads).
NetEnforcer provides the following:
• Easy, on demand provisioning.
• User fairness and/or tiered services.
• P2P limitations.
In this example, the Pipe feature enables the network manager to manage traffic to
different WAN links, creating a Pipe for each one of them.
Figure 1-4 – Corporate Network Structure with Two Outgoing WAN Links
The network manager would like to assign a maximum for each WAN link. Traffic of
several protocols goes to different locations, selected by IP address.
Pipes are created as follows:
• Link 1 bandwidth is 45 Mbps. Traffic includes Oracle (business application) and
Multimedia, classified based on TOS marking.
• Link 2 bandwidth is 155 Mbps. Normal traffic includes Internet browsing, FTP and
backup to Oracle traffic.
• Link 3 bandwidth is 310 Mbps. A connection to an alternate disaster recovery
center.
All traffic to links is classified based on the destination address.
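The three-link Pipe layout above can be expressed as a small classifier plus a per-Pipe rate limiter. The following is an added example written for this page, not NetEnforcer's policy language or code: the destination prefixes (10.1.0.0/16 and so on), the TOS-byte values mapped to the Oracle and Multimedia classes, the 100 ms burst depth and the token-bucket shaper are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumed TOS-byte values for the Link 1 classes (DSCP AF31 and EF taken as
# the full TOS byte); NetEnforcer's own class definitions live in its policy.
TOS_CLASSES = {0x68: "Oracle", 0xB8: "Multimedia"}


class Pipe:
    """One Pipe per WAN link: a destination-prefix match plus a token bucket
    that caps throughput at the link's maximum bandwidth."""

    def __init__(self, name, prefixes, max_bps, burst_ms=100):
        self.name = name
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.rate_bytes = max_bps / 8                        # bytes per second
        self.burst = int(self.rate_bytes * burst_ms / 1000)  # bucket depth (assumed)
        self.tokens = float(self.burst)
        self.last = None

    def matches(self, dst):
        addr = ipaddress.ip_address(dst)
        return any(addr in net for net in self.prefixes)

    def admit(self, size, now):
        """Refill the bucket for the elapsed time, then try to pay for the packet."""
        if self.last is not None:
            self.tokens = min(self.burst,
                              self.tokens + (now - self.last) * self.rate_bytes)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def build_pipes():
    """The three WAN links from the scenario, with assumed destination prefixes."""
    return [
        Pipe("Link 1", ["10.1.0.0/16"], 45_000_000),
        Pipe("Link 2", ["10.2.0.0/16"], 155_000_000),
        Pipe("Link 3", ["10.3.0.0/16"], 310_000_000),
    ]


def classify(pipes, dst, tos):
    """The Pipe is chosen by destination address; the class within it by TOS marking."""
    for pipe in pipes:
        if pipe.matches(dst):
            return pipe, TOS_CLASSES.get(tos, "Default")
    return None, None


def shape(pipes, packets):
    """Run packets (timestamp_s, dst, tos, size_bytes) through the Pipes and
    return per-Pipe admitted/dropped counts plus per-class packet counts.
    A destination that matches no Pipe is reported under 'unclassified'."""
    stats = defaultdict(lambda: {"admitted": 0, "dropped": 0, "classes": Counter()})
    for now, dst, tos, size in packets:
        pipe, cls = classify(pipes, dst, tos)
        if pipe is None:
            stats["unclassified"]["dropped"] += 1
            continue
        entry = stats[pipe.name]
        entry["classes"][cls] += 1
        if pipe.admit(size, now):
            entry["admitted"] += 1
        else:
            entry["dropped"] += 1
    return dict(stats)


# Constructed sample traffic: a 750,000-byte burst of 1500-byte packets to a
# Link 1 destination at the same instant, alternating Multimedia and Oracle
# markings, plus one packet whose destination belongs to no Pipe.
SAMPLE_PACKETS = [(1.0, "10.1.5.20", 0xB8 if i % 2 == 0 else 0x68, 1500)
                  for i in range(500)]
SAMPLE_PACKETS.append((1.0, "192.0.2.9", 0x00, 64))

if __name__ == "__main__":
    for name, entry in shape(build_pipes(), SAMPLE_PACKETS).items():
        print(name, entry)
```

With a 45 Mbps link and a 100 ms bucket, Link 1 can absorb 562,500 bytes of an instantaneous burst, so 375 of the 500 packets are admitted and 125 are held back; after one second of idle time the bucket is full again. The per-class counters are what a per-Pipe, per-class monitor would report.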
Figure 1-6 – End to End QoS Marking on Packets Traveling an MPLS Network
The Problem
Malicious worms have recently spread across the Internet, replicating on systems
whose owners did not intend it. Those unwilling accomplices then took part in
scheduled, planned DoS (Denial of Service) attacks on unsuspecting sites. The infected
systems increased the demand on bandwidth and server resources, slowing down
business-critical applications.
DDoS (Distributed Denial of Service) attacks are more intense and damaging than DoS
attacks. In DDoS attacks, multiple machines unknowingly participate in an attack
against a single host target. In February 2000, a variant of the Smurf and DoS attacks
brought down Yahoo!, Buy.com, CNN.com, Amazon.com and other sites. In these
attacks, hacker "agents" were loaded on hundreds of "Zombie" client machines. A
master console then directed, past firewalls, all of the Zombie systems to become active
and attack the victim.
Malicious traffic, disguised as legitimate traffic, passes firewalls that normally filter out
illegal traffic. There is a need for a multilayer security system—one that enhances
firewalls and protects network resources from attacks.
The Solution
Use bandwidth management to protect your network from DoS attacks and malicious
traffic. Improving network performance by resource management creates a first line of
protection from illegitimate users and applications that seize an undeserved share of
resources.
NetEnforcer detects known DoS and DDoS attacks and intelligently blocks new flows
suspected as destructive traffic. Placing the NetEnforcer at the edge of the enterprise
network creates a first line of defense, enhancing performance of firewalls and internal
network devices. NetEnforcer discards malicious traffic packets that slip past routers
and firewalls to improve application performance and to enhance network security.
By deploying NetEnforcer, service providers and enterprises can monitor, record and
alert users of imminent attacks on network resources. Moreover, NetEnforcer's
accounting database registers traffic statistics of all sessions, and assists network
administrators to pinpoint attackers. NetEnforcer's Log gives abnormal-event
notifications, such as when packets are denied access.
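The per-server connection limit that the DoS Protection bullet in Scenario 1 and this section describe can be approximated with a sliding-window counter over new flows. This is an added example, not Allot code: the session-record format, the limit of 100 new connections per server per second and the sample flows are constructed for illustration, and the DENY records stand in for the abnormal-event notifications mentioned above.

```python
from collections import defaultdict, deque


class ConnectionLimiter:
    """Per-server cap on new connections inside a sliding window.

    Flows above the cap are denied and an abnormal-event record is kept,
    which is the 'limit and monitor the number of connections handled by
    each server' behaviour described in the text, reduced to its core."""

    def __init__(self, limit, window_ms):
        self.limit = limit
        self.window_ms = window_ms
        self.recent = defaultdict(deque)   # (dst, dport) -> admit times in ms
        self.events = []

    def new_flow(self, ts_ms, src, dst, dport):
        """Return True if the new flow is admitted, False if it is denied."""
        window = self.recent[(dst, dport)]
        while window and ts_ms - window[0] >= self.window_ms:
            window.popleft()               # expire admissions outside the window
        if len(window) >= self.limit:
            self.events.append(
                f"{ts_ms} DENY src={src} dst={dst}:{dport} new_conns={len(window)}")
            return False
        window.append(ts_ms)
        return True

    def load(self, dst, dport):
        """Number of new connections to a server admitted inside the window."""
        return len(self.recent[(dst, dport)])


def parse_record(line):
    """Parse one constructed session record of the form 'ts_ms src dst dport'."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def run(records, limit=100, window_ms=1000):
    limiter = ConnectionLimiter(limit, window_ms)
    admitted = denied = 0
    for line in records:
        if limiter.new_flow(*parse_record(line)):
            admitted += 1
        else:
            denied += 1
    return {"admitted": admitted, "denied": denied,
            "events": limiter.events, "limiter": limiter}


# Constructed records: a few legitimate clients, then 300 new connections
# from many source addresses to one web server within 300 ms.
SAMPLE_RECORDS = [
    "0 198.51.100.1 10.0.0.5 80",
    "200 198.51.100.2 10.0.0.5 80",
    "400 198.51.100.3 10.0.0.5 80",
    "500 198.51.100.9 10.0.0.6 443",
    "600 198.51.100.4 10.0.0.5 80",
    "800 198.51.100.5 10.0.0.5 80",
]
SAMPLE_RECORDS += [f"{1000 + i} 203.0.113.{i % 250 + 1} 10.0.0.5 80"
                   for i in range(300)]

if __name__ == "__main__":
    result = run(SAMPLE_RECORDS)
    print(result["admitted"], "admitted,", result["denied"], "denied")
    print(result["events"][0])
```

The legitimate clients, and the flow to the second server, are all admitted because the limit is tracked per server; once the web server has seen 100 new connections within one second, further flows are denied until earlier admissions age out of the window, so the burst is capped at the configured rate rather than reaching the server farm.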
This chapter describes the NetEnforcer AC-1000 series hardware and the initial
installation and setup of NetEnforcer. NetEnforcer is a transparent learning bridge that
is IEEE 802.1-compliant. NetEnforcer works with a Bypass module. The Bypass
module ensures that data continues flowing should any hardware or software problem
occur. While NetEnforcer is bypassed, all traffic goes through passive elements only
and still allows the network to function.
Hardware Description
NetEnforcer AC-1000 series offers carrier-grade design with redundant critical
components for fail-safe operation. Redundant hardware components include system’s
fans and dual hot-swappable power supplies. NetEnforcer AC-1000 series is designed to
meet ETSI standards.
The AC-1000 series comes with an additional Bypass module.
CAUTION:
The appropriate Bypass module must be connected to the AC-1000. This is to ensure continuous service in
the event of failure.
NOTE:
AC-1000 NetEnforcer NICs are shipped with Auto-Negotiation enabled, with one exception: the default NIC
setting of the AC-1010 Copper is 1000 Mbps full duplex with Auto-Negotiation disabled.
It is recommended to keep the NetEnforcer default setting. The NIC setting can be changed via the LCD panel only.
Several NetEnforcer models are available to support large and small sites and different
data network speeds.
NetEnforcer AC-1020 is intended to be used in a mesh network configuration where
redundancy is kept by connecting each path to a different network device. The AC-1020
has two-line connectivity versus the AC-1010 that has one-line connectivity.
The NetEnforcer AC-1020 is managed by a single QoS policy that manages the traffic
through all of the NetEnforcer’s interfaces. Should one link fail, the traffic would still
flow through the other link.
The NetEnforcer AC-1000 models currently available are described in the table on the
following pages.
NOTE:
When ordering, please specify: PS – power supply (AC or DC); I – interface (C – Copper or F - Fiber);
IT – fiber interface (LX or SX).
Ordering Information
For ordering purposes, the following reference is used:
Code  Definition      Values  Description
SP    SP model        -       SP models have more policies
PS    Power Supply    AC      AC/DC 100-240V Power Supply
                      DC      DC/DC -48V Power Supply
I     Interface       F       Fiber
                      C       Copper 1000Base-T
IT    Interface Type  LX      Fiber 1000Base-LX
                      SX      Fiber 1000Base-SX
NetEnforcer AC-1000 - Carrier Grade - was designed to conform to ETSI and NEBS
standards. Furthermore it conforms to FCC, UL and CE standards. The front panel
display and 4-key keypad enables setup and activity monitoring and management and
console ports are included. The Link Connections interface includes two gigabit ports
with removable modules for fiber or copper (GBIC).
Unpacking NetEnforcer
Verify that the following items are included with NetEnforcer:
• NetEnforcer (hardware with pre-installed software)
• NetEnforcer User Guide
• 2 Power Cables
• 1 Serial Console Cable
• 2 19" Side Mounting Brackets
• 8 Mounting Bracket Screws
• Backup Cable: D-type High Density Cable
NOTE:
The maximum length for the Ethernet cable for Copper models is generally up to 50 meters.
LCD Panel
The NetEnforcer LCD panel provides an indication of traffic usage and enables you to
configure NetEnforcer directly without the need to connect a terminal. You can also
start, reboot and shutdown NetEnforcer from the front panel.
[Figure: LCD panel; callouts: Display Area, Standby Indicator]
For a description of how to configure NetEnforcer using the LCD panel, refer to
Configuring Via the LCD Panel, page 2-44.
For a description of the Standby, Active and Power LEDs, refer to Interface Status
Indicators, page 2-11.
[Figure: Management port; LINK and ACT indicators]
NOTE:
The Management port has its own MAC and IP address.
Power Supply
NetEnforcer includes two hot-swappable power supply modules and a dual line feed for
redundancy. Each line feed drives one power supply.
NOTE:
The AC power supply automatically adapts to voltages between 100 V and 240 V, 50/60 Hz.
The DC power supply automatically adapts to voltages of 48 V or 60 V DC.
Should you need to, you can replace one of the power supplies while NetEnforcer is
connected and operating. Replacing a power supply while the unit is operating is
possible since the remaining power supply will take the full load and maintain full
operation.
NOTE:
To remove a power supply module, undo the two screws in the lower left and right corners, lift the handle
and slide the module out.
Each power supply has two LEDs located beneath the power supply handles. The LEDs
indicate the following:
LED Power Supply Status
Green The green LED indicates that the power supply is connected to
power and no failure condition exists.
Amber The amber LED indicates that a failure condition exists.
CAUTION:
The power entry modules (AC supply option) include two fuses (T2A 250 V, 5 x 20 mm) at each power
entry. One is a spare fuse for replacement purposes. You can open the fuse box and change when
necessary.
For continued protection against risk of fire, replace only with same type and rating of fuse.
Fault Tolerance
For fault tolerance, NetEnforcer includes the following:
• Redundant critical components
  - Two hot-swappable, load-sharing, redundant power supply modules (AC/DC)
  - Dual power line feed
  - Dual redundant chassis fans and electrical feeds
• Hardware bypass
  - Hardware or software failure will result in a straight-through "wire" connection
• Redundancy (dual systems configuration)
  - An alternate secondary NetEnforcer automatically takes over (with existing policies)
    if the primary unit fails
Bypass Modules
The AC-1000 series operates with an external Bypass module. The Bypass module is a
mission-critical subsystem designed to ensure network connectivity at all times. The
Bypass mechanism provides "connectivity insurance" in the event of a NetEnforcer
subsystems failure.
NetEnforcer is supplied with a Bypass module appropriate to the model. The AC-1010
Fiber operates with a Fiber Bypass and the AC-1010 Copper operates with a Copper
Bypass. The AC-1020 Fiber operates with a Double Fiber Bypass and the AC-1020
Copper operates with a Double Copper Bypass. The Bypass module is connected to
NetEnforcer by a series of leads and cables.
CAUTION:
NetEnforcer AC-1000 must be connected to the appropriate Bypass module. This is to ensure continuous
service in the event of failure.
NOTE:
Use 62.5/125µ or 50/125µ fiber optic cables to connect 1 Gbps ports (duplex SC connectors marked with
Internal and External labels).
The Fiber Bypass module includes two duplex SC connectors, two built in fiber cables
and two D-type 9-pin connectors for primary and redundant unit to backup connection.
1. Connect the fiber cable labeled External from the Bypass module (7), to the External
   port on NetEnforcer (1).
2. Connect the fiber cable labeled Internal from the Bypass module (7), to the Internal
   port on NetEnforcer (2).
3. Connect the D-type High Density connector from the Primary port on the Bypass
   module (8), to the Backup port on NetEnforcer (3).
4. Connect a 62.5/125µ or 50/125µ External fiber optic cable from the External port on
   the Bypass module (5), to a 1 Gbps router.
5. Connect a 62.5/125µ or 50/125µ Internal fiber optic cable from the Internal port on
   the Bypass module (6), to a 1 Gbps switch.
6. To connect a secondary NetEnforcer for Full Redundancy, you need two
   NetEnforcers and one Bypass module. Connect the backup D-type High Density
   connector from the Secondary port on the Bypass module (4), to another
   NetEnforcer.
   - Internal and external connectors of the redundant NetEnforcer should be
     connected directly to the network. There is no need to connect via the Bypass
     module.
[Figure: Bypass module connectors; callouts: To External Router Connector, To Internal Switch Connector, Mode LED Indicator, To Primary NetEnforcer Connector]
NOTE:
It is recommended to use the Ethernet UTP CAT 5 cables that are supplied with the Copper Bypass
accessory kit to connect 1000Base-T ports (RJ-45 marked with Internal and External labels).
The Copper Bypass module includes RJ-45 connectors for Ethernet cables and two
D-type 9-pin connectors for primary and redundant unit to backup connection.
1. Connect the External cable from the External port on the Bypass module (7), to the
   External port on NetEnforcer (1).
2. Connect the Internal cable from the Internal port on the Bypass module (8), to the
   Internal port on NetEnforcer (2).
3. Connect the D-type High Density connector from the Primary port on the Bypass
   module (9), to the Backup port on NetEnforcer (3).
4. Connect the External cable from the External port on the Bypass module (5), to a
   router (1000Base-T) connector.
5. Connect the Internal cable from the Internal port on the Bypass module (4), to a
   switch (1000Base-T) connector.
6. To connect a secondary NetEnforcer for Full Redundancy, you need two
   NetEnforcers and one Bypass module. Connect the backup D-type High Density
   connector from the Secondary port on the Bypass module (6), to another
   NetEnforcer.
   - Internal and external connectors of the redundant NetEnforcer should be
     connected directly to the network. There is no need to connect via the Bypass
     module.
[Figure: Double Bypass module connectors, Link 1; callouts: To External Router Connector for Link 1, To NetEnforcer (External and Internal Connectors) for Link 1, To Internal Switch Connector for Link 1, To Secondary NetEnforcer Backup Connector, To Primary NetEnforcer Connector]
NOTE:
Use 62.5/125µ or 50/125µ fiber optic cables to connect 1 Gbps ports (duplex SC connectors marked with
Internal and External labels).
The Double Fiber Bypass module includes connectors for connecting to Link 1 and
Link 2 on the AC-1020. The Link Connectors area for Link 1 includes two duplex SC
connectors, and two built in fiber cables with duplex LC connectors. The Link
Connectors area for Link 2 includes two duplex SC connectors, and two built in fiber
cables with duplex LC connectors. In addition, the Double Fiber Bypass module
includes two D-type 9-pin connectors for primary and redundant unit to backup
connection.
1. Connect the fiber cable labeled External from the Bypass module (7, on the left), to
   the External port on NetEnforcer (1, Link 1).
2. Connect the fiber cable labeled Internal from the Bypass module (7, on the left), to
   the Internal port on NetEnforcer (2, Link 1).
3. Connect a 62.5/125µ or 50/125µ External fiber optic cable from the External port on
   the Bypass module (5, on the left), to a 1 Gbps router.
4. Connect a 62.5/125µ or 50/125µ Internal fiber optic cable from the Internal port on
   the Bypass module (6, on the right), to a 1 Gbps switch.
5. Repeat Steps 1 to 4 for Link 2.
6. Connect the D-type High Density connector from the Primary port on the Bypass
   module (8), to the Backup port on NetEnforcer (3).
7. To connect a secondary NetEnforcer for Full Redundancy, you need two
   NetEnforcers and one Bypass module. Connect the backup D-type High Density
   connector from the Secondary port on the Bypass module (4), to another
   NetEnforcer.
   - Internal and external connectors of the redundant NetEnforcer should be
     connected directly to the network. There is no need to connect via the Bypass
     module.
1. Connect the External cable from the External port on the Bypass module (7, on the
   left), to the External port on NetEnforcer (1, Link 1).
2. Connect the Internal cable from the Internal port on the Bypass module (9, on the
   left), to the Internal port on NetEnforcer (2, Link 1).
3. Connect the External cable from the External port on the Bypass module (5), to a
   router (1000Base-T) connector.
4. Connect the Internal cable from the Internal port on the Bypass module (6), to a
   switch (1000Base-T) connector.
5. Repeat Steps 1 to 4 for Link 2.
6. Connect the D-type High Density connector from the Primary port on the Bypass
   module (8), to the Backup port on NetEnforcer (3).
7. To connect a secondary NetEnforcer for Full Redundancy, you need two
   NetEnforcers and one Bypass module. Connect the backup D-type High Density
   connector from the Secondary port on the Bypass module (4), to another
   NetEnforcer.
   - Internal and external connectors of the redundant NetEnforcer should be
     connected directly to the network. There is no need to connect via the Bypass
     module.
NOTE:
It is recommended to use the Ethernet UTP CAT 5 cables that are supplied with the Copper Bypass
accessory kit to connect 1000Base-T ports (RJ-45 marked with Internal and External labels).
6. Connect the D-type High Density connector from the Primary port on the Bypass
   module to the Backup port on NetEnforcer.
7. To connect a secondary NetEnforcer for Full Redundancy, you need two
   NetEnforcers and one Bypass module. Connect the backup D-type High Density
   connector from the Secondary port on the Bypass module, to another NetEnforcer.
   - Internal and external connectors of the redundant NetEnforcer should be
     connected directly to the network. There is no need to connect via the Bypass
     module.
For the NetEnforcer AC-1020 models, there are two basic network configurations that
depend on the way that the traffic is routed and the policy that you wish to implement.
In the first configuration, if you wish to set policy per user (for example, limiting the
bandwidth per user) and each user's traffic goes by default through one of the switches
(the same switch for all of that user's traffic), NetEnforcer is connected as follows:
In the second configuration, if you wish to set policy based on link (for example, one
link to an ISP and the second link to another ISP) and you wish to set a global policy
(for example, limiting P2P traffic), you put a NetEnforcer per router, as follows:
Powering Up NetEnforcer
Powering up is done from the LCD panel.
NOTE:
NetEnforcer and the Bypass module have to be fully plugged and connected before power is turned on. This
is to ensure proper and systematic power up.
To power up NetEnforcer:
It is recommended to connect the two power line feeds to separate power sources to
have full power redundancy. The Power LED on the LCD panel is lit and the Mode
LED on the Bypass module is off, indicating that the power is on and NetEnforcer is
bypassed. NetEnforcer performs several power-on self-tests and the display area of the
LCD panel indicates power-on self-test messages.
After a few seconds, the display area of the LCD panel indicates the following:
System Loading *
Once the system has completed loading, the Active LED on the LCD panel is lit and the
Mode LED on the Bypass module is lit, meaning that NetEnforcer is now connected to
the network. The display area of the LCD panel indicates the default view - the current
bandwidth consumption.
For example:
Inbound: XXX.X
Outbound: YYY.Y
You can now proceed to configure NetEnforcer, as required.
Setting Up NetEnforcer
In order to manage and configure NetEnforcer policies remotely from your Web
browser, several basic parameters must be configured on NetEnforcer. You can
configure these basic parameters using a terminal connected to NetEnforcer or by using
the LCD panel.
3. At the terminal, open a Microsoft DOS window and, at the C:\ prompt, enter telnet
   followed by the IP address of NetEnforcer. Press <Enter>. NetEnforcer prompts you
   for a login and a password.
4. Enter root for the login and bagabu for the password, and then enter the command
   menu to display the Device Setup Menu. (To change the password, see page 2-43.)
Device Host name: The host name for your NetEnforcer, for example, NetEnforcer.
Primary name server IP address: If you have a Domain Name Server (DNS), enter its IP address. If you do not have a DNS, enter none.
Secondary name server IP address: If you entered a primary name server IP address and you have a second DNS, enter the IP address of the secondary DNS.
1. In the Device Setup Menu, enter 1 (List current configuration) and press <Enter>.
The current network configuration parameters are displayed. A sample screen is
shown below:
CAUTION:
You must change the default passwords to ensure a minimum level of security. The default login and
password are printed in this guide, and Telnet sends them over the network in clear text, so change them
before NetEnforcer is reachable from any untrusted network.
NOTE:
The new user name and password will be used in the NetEnforcer Log In window when accessing
NetEnforcer through a browser.
3. At the terminal, open a Microsoft DOS window and, at the C:\ prompt, enter telnet
   followed by the IP address of NetEnforcer. Press <Enter>. NetEnforcer prompts you
   for a login and a password.
4. Enter root for the login and bagabu for the password, and then press <Enter>.
6. Enter a new password and press <Enter>. The password must be between 5 and 8
characters. You can use a combination of upper and lower case letters and numbers.
7. Re-enter the new password and press <Enter>.
CAUTION:
If you forget this password, contact Allot Customer Support.
When all necessary parameters are set, NetEnforcer prompts you to reboot. After
rebooting is completed, NetEnforcer is ready to be connected and to add Quality of
Service in your network.
TIP:
You can further protect the access to NetEnforcer by limiting the hosts that are allowed to manage the unit.
To configure the allowed host list, refer to Access Control in Chapter 4, Configuring NetEnforcer.
Main Menu
The LCD panel provides one main menu from where you can perform the following
operations:
• Configure NIC settings for the Management port, page 2-46.
• Set the NetEnforcer IP address, page 2-47.
• Activate Bypass, page 2-48.
• Reboot, shutdown or exit NetEnforcer, page 2-49.
The illustration below is a list of the main menu options from the LCD panel.
Main Menu                  Setup IP Menu
1. NIC_Setting
2. Setup_IP  ---------->   2-1 Set_IP
3. Bypass                  2-2 Set_Mask
4. Reboot                  2-3 Gateway
5. Shutdown
6. Exit
In order to start working with NetEnforcer, press the Power button on the LCD panel.
Once the system has completed loading, the display area of the LCD indicates its
default view, the current bandwidth consumption of NetEnforcer. For example:
Inbound: XX.XM
Outbound: YYY.YM
You can now proceed to configure NetEnforcer, as required.
NOTE:
If QoS functionality is not included in your NetEnforcer (not enabled by your activation key), the default
view indicates the following: Inbound:-, Outbound:-.
3. Use the arrow buttons to select the duplex type for the Management port and press
the Enter button. The display area indicates the following:
Speed: [A]uto or
[100]/[10] Mbps
4. Use the arrow buttons to select the link speed of the Management port and press the
Enter button. The display area indicates the following:
[S]ave/[C]ancel
5. Use the arrow buttons to select whether to save the settings or cancel and press the
Enter button. The new NIC settings are applied and after a few moments, the
display area displays its default view, the current bandwidth consumption.
9. Press the Enter button. The display area indicates the following:
[S]ave/[C]ancel
10. Use the arrow buttons to select whether to save the settings or cancel and press the
Enter button. The new IP and gateway settings are applied and after a few moments,
the display area displays its default view, the current bandwidth consumption.
Activating Bypass
This section describes how to activate Bypass mode.
To configure a Bypass:
1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow three times to display the following:
Main menu:
3. Bypass
3. Press the Select button. If the system is not in Bypass mode, the display area
indicates the following:
Go into Bypass?
[Y]es/[N]o
4. Use the arrow buttons to select whether to enter Bypass mode and press the Enter
button. NetEnforcer switches to Bypass mode and after a few moments, the display
area displays its default view, the current bandwidth consumption.
NOTE:
When the system is already in Bypass mode, you are prompted to select whether to exit Bypass mode.
Use the arrow buttons to select whether to exit Bypass mode and press the Enter button.
To reboot NetEnforcer:
1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow four times to display the following:
Main menu:
4. Reboot
3. Press the Select button. The display area indicates the following:
Reboot?
[Y]es/[N]o
4. Use the arrow buttons to select whether to reboot NetEnforcer and press the Enter
button. NetEnforcer reboots and the display area indicates the following:
System
Rebooting * (blinking asterisk)
NOTE:
This message is also displayed in the display area when NetEnforcer is rebooted using a terminal.
To shut down NetEnforcer:
1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow five times to display the following:
Main menu:
5. Shutdown
3. Press the Select button. The display area indicates the following:
Shutdown?
[Y]es/[N]o
NOTE:
Pressing the Power button on the LCD panel at any time while NetEnforcer is powered on displays this
option.
4. Use the arrow buttons to select whether to shut down NetEnforcer and press the
Enter button. NetEnforcer shuts down and the display area indicates the following:
System
Shutting down * (blinking asterisk)
After a few seconds, the display area indicates that NetEnforcer may be powered off.
NOTE:
This message is also displayed in the display area when NetEnforcer is shut down using a terminal.
To power up NetEnforcer after a shutdown, press the Power button on the LCD panel.
To exit NetEnforcer:
1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow six times to display the following:
Main menu:
6. Exit
3. Press the Enter or the Select button. The display area displays its default view, the
current bandwidth consumption.
Failure Indications
The following cases of failure may be indicated in the display area of the LCD panel:
Message                       Option        Description
NIC definitions save failed   NIC setting   1. Validity check failed (auto mode with a
                                            non-auto speed, or vice versa)
This chapter explains how to connect to your client management station and provides an
overview of the NetEnforcer interface. It also describes how to install the Java Plug-in.
Accessing NetEnforcer
Once you have completed the initial setup, as described in the previous chapter, you can
access NetEnforcer via your Web browser. The first time that you connect to
NetEnforcer, you may be prompted to install Java plug-in 1.3.1. Refer to Installing the
Java Plug-in 1.3.1, page 3-3, for further information.
To connect to NetEnforcer:
1. Open your browser, and enter http://(IP address of NetEnforcer). The NetEnforcer
Log On dialog box is displayed:
2. In the User Name field, enter admin and in the Password field, enter allot or the
password that was established at setup. This is the default user name and password.
They may be different if you changed them during the initial configuration. Refer to
the Setting Up NetEnforcer section in Chapter 2, Installing NetEnforcer.
3. Click Log On. The NetEnforcer Control Panel is displayed.
NOTE:
It may take a few moments to display the Control Panel.
2. Click the Install Java 1.4.2 JRE first link. The following window is displayed.
3. Click on the appropriate link and follow the on-screen instructions to install the Java
1.4.2 JRE on your computer.
Initializing WebStart
1. With the Java 1.4.2 JRE installed, access http://<IP address of NetEnforcer> once
again. The Java Web Start window is displayed.
When the loading process is complete, the Security Warning is displayed, prompting
you to confirm that you want to allow the NetEnforcer User Interface software access
to your computer.
Automatic Updates
One of the benefits of WebStart is that future NetEnforcer software updates are
transparent to you when accessing the NetEnforcer User Interface. Simply continue to
double-click the icon to access the NetEnforcer.
Double-clicking the Java Web Start icon displays the Java Web Start Application Manager.
Troubleshooting
In the event that the NetEnforcer User Interface fails to load, consider the following
actions:
• Verify that popup blocking is disabled in the browser, or, alternatively, that it is
disabled for the NetEnforcer address.
• For Internet Explorer users, disable the Empty Temporary Internet Files folder
when browser closed option as follows:
(a) From the Tools menu, select Internet Options. The Internet Options window
is displayed.
(b) Select the Advanced tab.
(c) In the Security area, verify that the Empty Temporary Internet Files folder
when browser closed checkbox is not selected.
(d) Click OK to close the dialog, and attempt to access the NetEnforcer through
the browser.
• In Internet Explorer, make sure the browser cache file is not saturated:
(a) From the Tools menu, select Internet Options. The Internet Options
window is displayed.
(b) In the Temporary Internet files area, click Delete Files.
(c) Select the Delete all offline content checkbox and click OK.
(d) Click OK to close the Internet Options window.
• Consider using another browser, e.g. Mozilla Firefox.
• If the problem still persists, the NetEnforcer can still be accessed from the WebStart
Desktop Manager, as follows:
(a) Double-click the Java Web Start icon on the desktop.
(b) In the Location field, type:
http://<ip-addr>/pmx.jnlp
where <ip-addr> is the IP address of the NetEnforcer.
(c) Press Enter.
(d) Click Start.
This appendix lists the hardware specifications for all NetEnforcer models.
Dimensions
Standard 2U by 19-inch, rack mountable
Height 3.46 in (87 mm)
Width 17.22 in (438 mm)
Depth 11.81 in (300 mm)
Weight 18.2 lbs (8.3 kg)
Power Requirements
AC Supply option
Input Voltage        100 - 240 V AC
Frequency            50 / 60 Hz
Current              2 A - 1 A
Power consumption    80 W
DC Supply option
Input Voltage        48 V / 60 V DC
Current              6 A / 4 A
Power consumption    80 W
Operating Environment
Temperature 32° F to 104° F (0° to 40° C)
Humidity 5% to 95% (non condensing)
Heat Dissipation 273 BTU/Hour
EMI Residential, commercial and
light industry.
Safety
• IEC 60950:1999 with Japanese deviations
• EN 60950:2000
• NEBS: GR-1089-Core*
• UL 1950 (NetEnforcer UL File number: E206586)
• UL 60950, third edition
• CAN/CSA C22.2 No. 60950-00
Environmental
• ETS 300 019-2-2 T 2.1
• ETS 300 019-2-3 T 3.1
• NEBS: GR-63-Core*
* NetEnforcer is designed to meet these standards.
Bypass Mode
The AC-1000 series comes with an additional Bypass module - a Fiber Bypass, a
Copper Bypass or a Double Fiber Bypass.
CAUTION:
The appropriate Bypass module must be connected to the AC-1000. This is to ensure continuous service in
the event of failure.
Bypass Initiation
When a single NetEnforcer is installed, it will go into Bypass mode under the following
conditions:
• Upon a subsystem failure.
• During the booting of NetEnforcer.
• Upon any NetEnforcer power feed failure and power OFF conditions.
• When the Bypass module is not connected properly to the NetEnforcer Backup
connector, even with all other connectors fully plugged.
Please note that NetEnforcers in a serial Redundancy configuration that have gone into
Bypass mode upon a subsystem failure will not restart automatically. It is
recommended to perform a reboot.
NOTE:
NetEnforcer, in standalone configuration, reinitializes the Ethernet link upon detection of the Ethernet
cable's disconnection.
IMPORTANT NOTE:
To work properly, NetEnforcer and the Bypass module have to be fully plugged and connected before
power is turned on.
The Fiber Bypass module works in conjunction with the NetEnforcer AC-1010 models
with a Fiber interface and the Double Fiber Bypass module works in conjunction with
the NetEnforcer AC-1020 models with a Fiber interface.
The Fiber Bypass module for the AC-1010 Fiber models is shown below.
A separate NetEnforcer Fiber Bypass package is included with your AC-1000 shipment.
An optional Fiber TAP package is shipped with your AC-1000 shipment. The Fiber
TAP package includes two Multimode Couplers.
Each Coupler has three built-in Multimode fiber cables with SC connectors. One side of
the coupler has a single Multimode fiber that is marked as Tx, and on the other side,
there are two built-in Multimode fiber cables marked as Rx [1] and Rx [2].
IMPORTANT NOTE:
The Multimode Coupler is not a standard part of the NetEnforcer AC-1000 series.
1. Connect the fiber cable labeled External from the Bypass module (7) to the External
port on NetEnforcer (1).
2. Connect the fiber cable labeled Internal from the Bypass module (7) to the Internal
port on NetEnforcer (2).
3. Connect the D-type High Density connector from the Primary port on the Bypass
module (8) to the Backup port on NetEnforcer (3).
4. Connect the first Multimode coupler as follows:
• Connect the coupler Tx fiber optic cable to the Tx output of a 1 Gbps router
(1000Base-SX port).
• Connect the coupler Rx [1] fiber optic cable to the Rx input of a 1 Gbps switch
(1000Base-SX port).
• Connect the coupler Rx [2] fiber optic cable to the External Rx input of the Fiber
bypass module (5).
5. Connect the second Multimode coupler as follows:
• Connect the coupler Tx fiber optic cable to the Tx output of a 1 Gbps switch
(1000Base-SX port).
• Connect the coupler Rx [1] fiber optic cable to the Rx input of a 1 Gbps router
(1000Base-SX port).
• Connect the coupler Rx [2] fiber optic cable to the Internal Rx input of the Fiber
bypass module (6).
NOTE:
If you have an AC-1020 model, adapt the above procedure to connect both Link 1 and Link 2.
The modes of operation of the indicators are described in the following table:
Unit        Standby LED   Active LED   Power LED   Mode LED (Bypass)   Analysis
Primary     OFF           ON           ON          ON                  Primary NetEnforcer is
                                                                       in Active mode.
Secondary   ON            OFF          ON          OFF                 Secondary NetEnforcer
                                                                       is in Standby mode,
                                                                       ready to take over.
Table B-1 – LED Conditions: NetEnforcer and Bypass, Serial Redundancy Mode
NOTE:
A Backup cable is included with the accessory cables, and it can be ordered from Allot Communications.
If the Primary system fails, the Secondary system automatically takes control of the
traffic, and enables its External interface. The following shows how the LEDs indicate
the Secondary system status change:
• The Standby LED of the Secondary system will turn off.
• The Active LED of the Secondary system stops blinking and turns ON.
After ensuring identical configuration, test each NetEnforcer (while connected to the
network as a single device) and verify that they are operating identically to one another.
1. Designate one of your NetEnforcers to be the default Primary, and connect the end
of the Backup cable marked Primary to the Primary connector of the Primary Bypass
module.
2. Connect the other end of the backup cable to the Secondary connector of the
Secondary Bypass module.
NOTE:
For more information, see Bypass Modules in Chapter 2, Installing NetEnforcer.
3. Ensure that the status indicators of both systems are indicating that the systems are
configured correctly, as follows:
• The Active LED of the Primary NetEnforcer is ON.
• The Standby LED of the Primary NetEnforcer is OFF.
• The Active LED of the Secondary NetEnforcer is OFF.
• The Standby LED of the Secondary NetEnforcer is ON.
Power Redundancy
NetEnforcer includes two hot-swappable power supply modules and a dual line feed for
Redundancy purposes. Each line feed is driving one power supply. It is recommended to
connect the two power line feeds to separate power sources to have full power
redundancy.
Should you need to, you can replace one of the power supplies while NetEnforcer is
connected and operating. Replacing a power supply, while the unit is operating, is
possible since the remaining power supply will take the full load and maintain full
operation.
• If one power module fails or turns OFF, the other module will take over the load.
• When the power supply output is short to GND, it will shut down. Auto recovery is
possible when the short circuit condition is removed.
• Each module has over voltage and short circuit protection.
Firewall Ports
If your NetEnforcer is working behind a firewall, the following ports must be opened on
the firewall to enable access to the NetEnforcer management functions:
If you want to use secure transmission methods, the following ports must be opened:
The NetEnforcer and the Bypass module may be mounted in an open or closed
standard 19-inch (482.6 mm) rack using the rack-mount bracket kit. This
appendix describes how to prepare the device and rack for installation and
how to mount the device in the rack.
Ambient Temperature
The device has a maximum operation ambient of 104° F (40° C). The ambient
temperatures around the rack should not exceed this temperature.
Airflow
To ensure proper cooling, airflow should be unrestricted within or around the
rack. Keep the area four to six inches behind the enclosure unobstructed.
Make sure that there is proper airflow around all of the NetEnforcer's vent
openings.
CAUTION:
The NetEnforcer unit has multiple power sources; disconnect all power before servicing.
Connection to AC Supply
Power supply cords are intended to serve as the disconnect device. The user
can power down the device only by removing the two-power cords from the
power source or the device itself.
CAUTION:
Make sure the wall socket outlet is installed near the equipment and that the socket is easy to
access.
It is recommended that the wall socket outlet be connected to the building installation
protection.
When connecting NetEnforcer to 120 / 240 VAC supply, plug into 10 A service receptacles,
type N5/10 or NEMA 5-10R.
Ensure that each site has a suitable ground. Ground all metal racks,
enclosures, boxes and raceways. The NetEnforcer equipment should be
reliably grounded through the power supply cord.
Connection to DC Supply
Unit is intended for RESTRICTED ACCESS LOCATIONS in accordance
with NEC (National Electric Code) or the authority having jurisdiction.
Power supply cable comprises two sets of 2x14 AWG copper wire; use UL-
listed cable only.
Reliable Grounding
CAUTION:
NetEnforcer equipment has a connection between the earthed conductor of the DC supply
circuit and the grounding conductor.
Glossary of Terms
Access Control
An action that specifies the access for a connection. You can select the Access
Control to accept, drop, or reject a connection.
Access Link
Internal and External logical interfaces. Access links may be smaller or equal to the
Ethernet Adapter values.
Action
The operation performed on a connection once it matches a rule. A combination of
Access Control, QoS and Connection Control.
Address – IP
A list of logical entities representing IP Version 4 (IPv4) addresses, which are
comprised of 32 bits.
Address – MAC
A list of logical entities representing Media Access Control (MAC) addresses, which
are comprised of a 48-bit source or destination address. The source address is the
sender's globally unique device address.
Admin
The default user name for administrating NetEnforcer, with the default password
allot. It is strongly recommended to change this password.
Admission Control
A step in every flow activation, when the required bandwidth is allocated (or not)
according to user demand (minimum bandwidth and maximum number of
connections) and system state.
ADSL
Asymmetric Digital Subscriber Line - Modems attached to twisted pair copper
wiring that transmit from 1.5 Mbps to 9 Mbps downstream (to the subscriber) and
from 16 kbps to 800 kbps upstream, depending on line distance.
Application Binding
The process of finding the correct application type for a flow (in case the flow is
TCP or UDP).
Application Recognition
The classification of protocols/applications by their unique "signature".
Application Type
The application type is defined by the destination port number.
ATM
Asynchronous Transfer Mode. This high speed network protocol is composed of 53
byte "cells" having 5 byte headers and 48 byte payloads. Because of its short packet
length, it is especially good for real time voice and video.
Backplane Watchdog Timer
The backplane internal hardware timer that initiates the bypass in case there was no
software visit (the software visit restarts the timer).
Bandwidth
A parameter that defines the rate at which data flows.
Blocked Queue
A queue that holds packets that are over the maximum bandwidth defined for the
connection/Virtual Channel/Pipe.
Borrowing Bandwidth
A Pipe/Virtual Channel defined with a minimum bandwidth will receive only the
minimum necessary bandwidth, even if that value falls below the guaranteed
minimum. For example, if a Virtual Channel is currently defined for 100 Kb
minimum but needs only 50 Kb, 50 Kb is all that will be reserved, and the remainder
of the bandwidth will be allocated to another Virtual Channel. This means that
unused bandwidth is never wasted.
Burst Mode
When burst size is defined, the system will allow traffic to burst for a certain amount
of time, but the average traffic for the whole period will still be bounded by the
maximum.
Cache Redirection
A network device that intercepts client HTTP requests and forwards them to one or
more cache servers.
Catalog
A list of user-defined entries used when defining Pipes, Virtual Channels and rules
in the Policy Editor.
CBR
See Constant Bit Rate.
CCITT
Consultative Committee for International Telegraph and Telephone
Central Office
A circuit switch that terminates all the local access lines in a particular geographic
serving area; a physical building where the local switching equipment is found.
xDSL lines running from a subscriber's home connect at their serving central office.
Centralized Monitoring and Accounting
Provision of centralized policy-based accounting and remote monitoring services.
The Allot Communications NetPolicy provides a comprehensive, policy-based
system that allows the network manager to define, in a concise and organized
fashion, policies that automatically effect change on specific equipment in the
network environment.
Classification
The procedure by which a flow or connection is associated to a Pipe and a Virtual
Channel. This procedure occurs every time a new flow passes through NetEnforcer.
Classification Element
Definition of partial criteria for a match to an attribute of network traffic. One rule is
a set of five classification elements or conditions. See Condition.
CLEC
Competitive Local Exchange Carrier
CO
See Central Office
CODEC
An abbreviation for coder/decoder. Specifically it converts a voice grade analog
signal to u-law or A-law encoded samples at an 8KHz sampling rate. DSL bypasses
the CODECs at the central office by separating the frequencies in a POTS splitter
and passing the DSL signal to a DSLAM, the DSL equivalent of a CODEC.
COC
See Connection Control.
Condition
A criterion with which to classify traffic. Conditions include Connection Source,
Connection Destination, Service, ToS, and Time.
Connection
A flow from a source to a destination and from the destination back to the source.
Connection Control
Defines whether a flow is directed to Load balancing, cache redirection, or
pass as is.
Connection Control Catalog
A Catalog that enables the user to define different load-balancing and
cache-redirection definitions.
Constant Bit Rate
Offers constant throughput. When CBR is defined, the system will not allow traffic
to exceed the maximum boundary defined.
Constant Connection
Offers constant throughput. When CBR is defined, the system will not allow traffic
to exceed the maximum boundary defined.
Content Inspection
The ability to analyze packet content on a per-flow basis. This feature is the
capability to filter packets per user’s content requests. Content based packet
classification is based on any combination of source address, destination address,
protocol, type, or content URL, including URL patterns.
CPE
See Customer Premise (or Provided) Equipment
CSU
Channel Service Unit
Customer Premise (or Provided) Equipment
A wide range of customer-premises terminating equipment which is connected to the
local telecommunications network. This includes telephones, modems, terminals,
routers, settop boxes, etc.
Delay
Specifies the maximum delay that a packet stays in NetEnforcer. If the packet
exceeds this delay, the packet is discarded.
DDoS Attack
Distributed Denial of Service Attack. These attacks are more intense and damaging
than DoS attacks. In DDoS attacks, multiple machines unknowingly participate in an
attack against a single host target.
DHCP
Dynamic Host Configuration Protocol. Used for automated allocation, configuration
and management of IP addresses and TCP/IP protocol stack parameters.
DCE
Data Communication (or Circuit-Terminating) Equipment
Digital Gateway to IP
Digital Gateway to IP provides a seamless, dedicated connection to the Internet,
utilizing available channels on the customer's channeled T1 local access. It allows
increased usage of their local access by providing multiple services over a single
facility and the ability of designating multiple DS0 channels on the T1 access for
voice, data, and Internet.
DSL
Digital Subscriber Line - Modems on either end of a single twisted pair wire that
delivers ISDN Basic Rate Access.
DSLAM
Digital Subscriber Line Access Multiplexer
DSU
Data Service Unit - A digital interface device that connects end user data
communications equipment to the digital access lines, and which provides framing
of sub-64Kbps customer access channels onto higher rate data circuits. A DSU may
be combined with a CSU into a single device called a CSU/DSU. See Channel
Service Unit/Data Service Unit.
DTE
Data Terminal (or Termination) Equipment Typically the device that transmits data
such as a personal computer or data terminal.
DoS Attack
Denial of Service Attack. Most DoS attacks overload a server with excess traffic.
Every server can handle traffic volume up to a maximum, beyond which it stops
responding to legitimate requests.
Drop
All packets are dropped. The user is disconnected and may see the message
Connection timed-out.
Flow
A series of packets with common attributes. Since these attributes do not change in
time, it is possible to identify a flow by its first packet only. TCP and UDP flows are
identified by the IP and port of the source and destination. Any other IP flow is
identified by the source IP, destination IP and protocol number. Non-IP flows are
identified by protocol number only. See Connection.
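The three identification rules in this entry (five-tuple for TCP and UDP, three-tuple for other IP traffic, protocol only for non-IP traffic) and the Connection entry's notion of a flow together with its reverse are straightforward to code. The following Python is an added example, not from this guide or from NetEnforcer's software: it derives a flow key and a direction-independent connection key from a packet and keeps a table of open connections. The Packet record, the sample traffic and the choice of the Ethertype as the "protocol number" of a non-IP frame are assumptions made for the example.

```python
"""Flow and connection identification following the glossary definitions.

Added example, not Allot code. The Packet record and the sample packets are
constructed here; using the Ethertype as the protocol number of a non-IP
flow is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IP_PROTO_ICMP = 1
IP_PROTO_TCP = 6
IP_PROTO_UDP = 17


@dataclass(frozen=True)
class Packet:
    ethertype: int
    ip_proto: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def flow_key(pkt):
    """Unidirectional flow identity, derived from a single packet.

    TCP/UDP: protocol plus both (ip, port) endpoints.
    Other IP: protocol plus both IP addresses.
    Non-IP:   the Ethertype only (assumption: it plays the role of the protocol number).
    """
    if pkt.ethertype != ETHERTYPE_IPV4:
        return ("non-ip", pkt.ethertype)
    if pkt.ip_proto in (IP_PROTO_TCP, IP_PROTO_UDP):
        return ("l4", pkt.ip_proto, (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port))
    return ("ip", pkt.ip_proto, (pkt.src_ip,), (pkt.dst_ip,))


def connection_key(pkt):
    """Bidirectional identity: a packet and its reply map to the same key.

    The two endpoints are sorted so that direction no longer matters.
    """
    k = flow_key(pkt)
    if k[0] == "non-ip":
        return k
    kind, proto, a, b = k
    return (kind, proto) + tuple(sorted([a, b]))


class ConnectionTable:
    """Tracks open connections and the unidirectional flows seen for each."""

    def __init__(self):
        self.connections = {}  # connection_key -> set of flow_keys

    def observe(self, pkt):
        ck = connection_key(pkt)
        self.connections.setdefault(ck, set()).add(flow_key(pkt))
        return ck

    def number_of_connections(self):
        """The glossary's Number of Connections: open connections in the table."""
        return len(self.connections)


def sample_packets():
    """Constructed traffic: a TCP request and its reply, a UDP DNS query,
    an ICMP echo in both directions, and two ARP frames."""
    return [
        Packet(ETHERTYPE_IPV4, IP_PROTO_TCP, "10.0.0.5", "192.0.2.10", 51000, 80),
        Packet(ETHERTYPE_IPV4, IP_PROTO_TCP, "192.0.2.10", "10.0.0.5", 80, 51000),
        Packet(ETHERTYPE_IPV4, IP_PROTO_UDP, "10.0.0.5", "192.0.2.53", 40000, 53),
        Packet(ETHERTYPE_IPV4, IP_PROTO_ICMP, "10.0.0.5", "192.0.2.10"),
        Packet(ETHERTYPE_IPV4, IP_PROTO_ICMP, "192.0.2.10", "10.0.0.5"),
        Packet(ETHERTYPE_ARP),
        Packet(ETHERTYPE_ARP),
    ]


if __name__ == "__main__":
    table = ConnectionTable()
    for p in sample_packets():
        table.observe(p)
    # Four connections: TCP (two flows), UDP, ICMP (two flows), ARP.
    print("open connections:", table.number_of_connections())
```

The seven sample packets collapse to four connections because the TCP reply and the ICMP reply share a connection key with their requests; the table still records both directions as distinct flows under each key.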
Flow Attribute
Data belonging to a flow that differentiates that flow from others.
Fraggle Attack
An attack in which the perpetrator sends a large volume of UDP echo (port 7) traffic
to IP broadcast addresses, all of it with a spoofed source address belonging to the
victim, so that every host on the broadcast network replies to the victim. It is a
simple rewrite of the Smurf attack, which does the same with ICMP echo (ping).
Guaranteed Bandwidth
A per-connection parameter, which means that every connection will be granted
“N bytes/bits per second”.
HDSL
High bit-rate Digital Subscriber Line - Modems on either end of one or more twisted
wire pair that deliver T1 speeds. At present, this requires two lines.
Host Catalog
A Catalog that enables the user to define the Connection Source and Connection
Destination, two of the classification elements or conditions of a rule. Hosts can be
network IP addresses, IP address ranges, host names, IP Subnet addresses or MAC
addresses.
Inbound Traffic
Traffic that flows into the External link and out from the Internal link.
LOCAL LOOP
A pair of wires, moderately twisted for the entire length between the telephone
company's end office and the user premises (the common telephone set) form a loop,
so it is referred to as the local loop. This loop provides a user with access to the
global telecommunications infrastructure that is installed all over the world. DSL
extends the capability by using modern technology to increase the data rates and
distances spanned.
Lightweight Directory Access Protocol (LDAP)
A standard communication protocol that allows clients, servers and applications to
access directory services. NetEnforcer includes an LDAP client for communication
with the LDAP directory.
Load Balancing
A mechanism that enables balancing traffic between different servers. All traffic is
directed to a single IP, but the load-balancer smartly divides the traffic between the
different servers.
Maximum Bandwidth
A parameter that defines the upper limit of the bandwidth provision of NetEnforcer,
a Pipe, a Virtual Channel or a connection. NetEnforcer ensures that the bandwidth
will not exceed this value.
Minimum Bandwidth
A parameter that defines the lower limit of bandwidth provision, and states that
NetEnforcer will provide a particular Pipe, Virtual Channel or connection with “at
least N bytes/bits per second”. NetEnforcer guarantees that the bandwidth will not
fall below this value.
Mbps
Megabits Per Second
NAT
Network Address Translation is the translation of an Internet Protocol address (IP
address) used within one network to a different IP address known within another
network. One network is designated the inside network and the other is the outside.
Typically, a company maps its local inside network addresses to one or more global
outside IP addresses and maps the global IP addresses on incoming packets back
into local IP addresses. NAT hides the inside addressing from the outside network
and forces every outgoing or incoming request through a translation step at which it
can be matched to a previous request, but it is not an access control in itself and
does not replace a firewall or authentication. NAT also conserves the number of
global IP addresses that a company needs and lets the company present a single IP
address in its communication with the world.
NEBS
Network Equipment Building Standards
Monitor
The default basic user name for monitoring NetEnforcer, with the default password
allot. It is strongly recommended to change this password.
MPLS
Multi-protocol Label Switching. A forwarding technique that provides a scalable
infrastructure for the Internet. MPLS uses label switching to create a 'virtual
circuit' between two endpoints. Its main use is to build high quality VPNs (Virtual
Private Networks); it may also be used to deliver integrated-access services such as
voice, video and data over IP.
MRTG
Multirouter Traffic Grapher. The MRTG tool generates HTML pages that present
traffic statistic graphs. Using a standard Web browser, you can view pages, each
containing graphs showing daily, weekly, monthly and yearly information.
NetAccountant
An add-on software module that enhances the application performance management
and SLA/QoS enforcement capabilities of NetEnforcer with accurate data collection
and server-based reporting.
NetAccountant Reporter
Part of the NetAccountant software module. NetAccountant Reporter enables you to
create sophisticated graphical reports based on the traffic data collected by
NetEnforcer. In addition to basic reports such as "most active clients" or "top
protocols", NetAccountant Reporter offers drill down reports such as "most active
clients per a specific Pipe" or "top protocols per server."
NetHistory
A software module that enables the user to view network behavior at any time in the
past.
NIC
Network Interface Card. Located in one device and physically connected to the
Ethernet cable going into another device.
Number of Connections
The number of open connections (sessions from the software point of view) in
NetEnforcer.
OC3 & OC12
Optical Carrier level circuits (SONET). OC3 carries approximately 155 Mbps and
OC12 approximately 622 Mbps; they are used for high-volume traffic such as
combined voice and data applications.
ODBC
Microsoft Open Database Connectivity interface. An application programming
interface (API) for database access. It uses Structured Query Language (SQL) as its
database access language.
Outbound Traffic
Traffic that flows into the Internal link and out from the External link.
P2P Applications
These "Peer-to-Peer" applications turn network clients into servers, using expensive
WAN bandwidth and potentially distributing worms throughout the network. KazaA
is a well-known P2P application.
Packets Per Second (PPS)
The number of packets that were sent by NetEnforcer in a second.
PCM
Pulse Code Modulation
POP
Point of Presence - A node of an ISP containing a DSU-CSU, terminal server and
router and sometimes one or more hosts, but no network information center or
network operations center.
PPP
Point to Point Protocol
PVC
Permanent Virtual Circuit - A frame relay logical link, whose endpoints and class of
service are defined by network management. Analogous to an X.25 permanent
virtual circuit, a PVC (often referred to as a PVC) consists of the originating frame
relay network element address, originating data link control identifier, terminating
frame relay network element address, and termination data link control identifier.
Originating refers to the access interface from which the PVC is initiated.
Terminating refers to the access interface at which the PVC stops. Many data
network customers require a PVC between two points. Data terminating equipment
with a need for continuous communication use PVCs.
Priority
A parameter that identifies the relative importance of traffic on a particular Pipe or
Virtual Channel compared to other Pipes or Virtual Channels. Priority does not
explicitly define the speed of communication, but assigns a weight value, for
example, for every 2 bytes of priority 3, send 4 bytes of priority 7. It does not define
how long it takes to send priority 7 or priority 3 bytes.
Process Watchdog
A software process responsible for keeping the system in a normal operating state.
It monitors whether processes are alive and restarts a process, or the whole system,
when required.
QoS
See Quality of Service.
QoS Action
Defines a level of bandwidth agreement using parameters such as
minimum/maximum bandwidth, priority, and so on. You can select the QoS action
for Pipes, Virtual Channels and connections.
QoS Catalog
A Catalog that enables the user to define possible values for the QoS action.
QoS Gateway
Provision of end-to-end policy enforcement and management via standards-based
signal provisioning protocols, including Differentiated Services, ToS, RSVP, MPLS,
and 802.1P.
QoS of UDP Traffic
Allot Communications supports QoS for UDP traffic by using the token bucket
mechanism (for CBR sessions), combined with the leaky bucket mechanism (to
supply rate limits).
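To make the two mechanisms named in this entry concrete, here is an added illustration (not NetEnforcer code, and it claims nothing about the product's internals): a token bucket that enforces a committed rate with a burst allowance, chained with a leaky bucket that caps the output rate and queue depth. Times are integer milliseconds and rates are bytes per millisecond so the arithmetic is exact; the packet sizes and arrival times are constructed samples.

```python
"""Token bucket for the committed (CBR) rate plus a leaky bucket as a hard limit.

Added illustration of the two mechanisms named in the glossary entry; it is not
NetEnforcer code and claims nothing about the product's internals. Times are
integer milliseconds and rates bytes per millisecond so the arithmetic is exact.
Packet sizes and arrival times below are constructed samples.
"""


class TokenBucket:
    """Tokens (bytes) accrue at the committed rate up to a burst depth.

    A packet conforms when enough tokens are present; the burst depth is how far
    the source may briefly exceed the committed rate.
    """

    def __init__(self, rate_per_ms: int, burst: int):
        self.rate = rate_per_ms
        self.burst = burst
        self.tokens = burst      # start full
        self.last_ms = 0

    def refill(self, now_ms: int) -> None:
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms

    def conforms(self, size: int) -> bool:
        return size <= self.tokens

    def consume(self, size: int) -> None:
        self.tokens -= size


class LeakyBucket:
    """Bytes queue up and drain at a fixed rate; the queue has a hard capacity.

    Output never exceeds the drain rate, which is what makes it a rate limit.
    """

    def __init__(self, drain_per_ms: int, capacity: int):
        self.drain = drain_per_ms
        self.capacity = capacity
        self.level = 0
        self.last_ms = 0

    def leak(self, now_ms: int) -> None:
        self.level = max(0, self.level - (now_ms - self.last_ms) * self.drain)
        self.last_ms = now_ms

    def fits(self, size: int) -> bool:
        return self.level + size <= self.capacity

    def enqueue(self, size: int) -> None:
        self.level += size


def shape_udp(packets, rate_per_ms, burst, drain_per_ms, capacity):
    """One verdict per packet: 'forward', 'drop:token' or 'drop:leaky'.

    Both buckets are advanced to the packet's arrival time first, and state is
    only committed when both accept, so a packet the leaky bucket rejects does
    not silently spend token-bucket credit.
    """
    tb = TokenBucket(rate_per_ms, burst)
    lb = LeakyBucket(drain_per_ms, capacity)
    verdicts = []
    for now_ms, size in packets:
        tb.refill(now_ms)
        lb.leak(now_ms)
        if not tb.conforms(size):
            verdicts.append("drop:token")
        elif not lb.fits(size):
            verdicts.append("drop:leaky")
        else:
            tb.consume(size)
            lb.enqueue(size)
            verdicts.append("forward")
    return verdicts


# Constructed arrivals: four 1000-byte datagrams 1 ms apart, then one every 10 ms.
SAMPLE = [(t, 1000) for t in (0, 1, 2, 3, 10, 20, 30, 40, 50, 60)]

if __name__ == "__main__":
    # 50 B/ms committed with 2500 B burst; 100 B/ms ceiling with a 1500 B queue.
    for (t, size), v in zip(SAMPLE, shape_udp(SAMPLE, 50, 2500, 100, 1500)):
        print(f"t={t:3d}ms {size}B -> {v}")
```

With these constructed parameters the opening burst is cut by the leaky bucket (the queue is too shallow for four back-to-back datagrams), while in steady state the token bucket is what drops every second packet, because 1000 bytes every 10 ms is twice the committed 50 B/ms.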
Quality of Service
Enforcing a network policy that will impact bandwidth, delay (jitter), or traffic
reliability.
Queuing
Method used by routers to control the flow of traffic. Packets are placed in holding
queues and retransmitted based on CBQ and WFQ algorithms. When traffic
overflows the queue, packets are discarded to reduce network congestion.
RADIUS
Remote Authentication Dial In User Service protocol. Specifies accounting, logging
and analysis parameters for IP users accessing the network via dial-in services.
RADSL
Rate Adaptive Digital Subscriber Line - A version of ADSL where modems test the
line at start up and adapt their operating speed to the fastest the line can handle.
Redundancy Configuration
A configuration in which two NetEnforcers are connected in parallel using a flat
cable. If one NetEnforcer goes down, the other one takes over immediately. One
NetEnforcer is automatically the primary system (defined by the flat cable
hardware), and the Primary and Active LEDs on the front panel are lit. The other
NetEnforcer is the secondary system, and the Secondary LED on the front panel is
lit. The flat cable is connected between the Backup connectors.
Reject
All packets are dropped. In TCP traffic, an RST packet is sent to the client and the
user may see the message Connection Closed by Server.
Reserve on Demand
A minimum bandwidth demand mode that reserves allocated bandwidth and, even if
it is not all used or required, does not provide it for other traffic.
Rule
A combination of classification elements, or conditions, comprising Connection
Source, Connection Destination, Service, ToS and Time. Together these conditions
form the complete criteria for classifying network traffic. The conditions are
combined with the AND operator, so all of them must hold for the rule to match.
Rule Matching
The process of finding the first matching rule for a flow or connection.
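The following added example (not NetEnforcer code; the policy, flows and the catch-all convention are constructed for this illustration) shows the two entries above working together: each rule is the AND of whichever of the five conditions are set, a condition left as None means "Any", and matching walks the ordered list and stops at the first hit.

```python
"""First-match classification with AND-combined conditions.

Added illustration of the Rule / Rule Matching entries; it is not NetEnforcer
code and the rule set and flows below are constructed samples. A rule condition
left as None stands for "Any". The catch-all rule at the end is a convention
assumed for the example so that every flow gets a verdict.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    source: Optional[ipaddress.IPv4Network] = None        # Connection Source
    destination: Optional[ipaddress.IPv4Network] = None   # Connection Destination
    service: Optional[Tuple[str, int]] = None             # (protocol, destination port)
    tos: Optional[int] = None                             # exact ToS byte
    time_window: Optional[Tuple[time, time]] = None       # (start, end), may cross midnight


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    tos: int
    at: time


def in_window(t: time, window: Tuple[time, time]) -> bool:
    """Inclusive time-of-day test that also handles windows crossing midnight."""
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def matches(rule: Rule, flow: Flow) -> bool:
    """All conditions that are set must hold: the rule is the AND of its conditions."""
    checks = (
        rule.source is None or ipaddress.ip_address(flow.src) in rule.source,
        rule.destination is None or ipaddress.ip_address(flow.dst) in rule.destination,
        rule.service is None or (flow.proto, flow.dport) == rule.service,
        rule.tos is None or flow.tos == rule.tos,
        rule.time_window is None or in_window(flow.at, rule.time_window),
    )
    return all(checks)


def first_match(rules, flow: Flow) -> Optional[str]:
    """Rule matching: walk the ordered list and return the first rule that matches."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name
    return None


# Constructed policy: order matters, the catch-all must come last.
RULES = [
    Rule("voip-business-hours", source=ipaddress.ip_network("10.1.0.0/16"),
         service=("udp", 5060), time_window=(time(8, 0), time(18, 0))),
    Rule("web-expedited", service=("tcp", 80), tos=0xB8),
    Rule("night-bulk", source=ipaddress.ip_network("10.2.0.0/16"),
         time_window=(time(22, 0), time(6, 0))),
    Rule("catch-all"),
]

# Constructed flows exercising each condition.
FLOWS = {
    "voip-morning": Flow("10.1.5.7", "192.0.2.10", "udp", 5060, 0x00, time(9, 30)),
    "voip-evening": Flow("10.1.5.7", "192.0.2.10", "udp", 5060, 0x00, time(20, 0)),
    "web-night":    Flow("10.2.3.4", "203.0.113.5", "tcp", 80, 0xB8, time(23, 0)),
    "https-night":  Flow("10.2.3.4", "203.0.113.5", "tcp", 443, 0x00, time(2, 0)),
    "https-day":    Flow("10.2.3.4", "203.0.113.5", "tcp", 443, 0x00, time(7, 0)),
}


def classify_all(rules=RULES, flows=FLOWS) -> dict:
    return {label: first_match(rules, f) for label, f in flows.items()}


if __name__ == "__main__":
    for label, verdict in classify_all().items():
        print(f"{label:13s} -> {verdict}")
```

Note that "web-night" also satisfies the night-bulk rule, but it is classified as web-expedited because that rule comes first; rule order is part of the policy.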
Schedule Queue
A queue in which the packets wait to be transmitted. The schedule is defined by the
minimum bandwidth and priority parameters.
Service
Protocol- or application-based criteria for traffic classification.
Service Catalog
A Catalog that enables the user to define possible values for the Service condition. It
includes a list of different network/transport/applications protocols defined by the
protocol number (L2, L3, L4 or L5 layer) and destination port number (L4).
Smurf Attack
An attack in which a perpetrator sends a large volume of ICMP echo (ping) traffic to
IP broadcast addresses using a forged source address. The host at the forged source
address is then flooded with the simultaneous replies.
SNMP
Simple Network Management Protocol. Sets up the rules for exchanging network
information through messages (which contain variables with values). The following
types of messages are defined: read, write and trap.
SOHO
Small Office Home Office - A type of DSL connection possessing qualities better
than ADSL. Designed especially for smaller businesses.
Spanning Tree
A link management protocol that provides path redundancy while preventing
undesirable loops in the network.
Spoofing
When an attacker uses a forged Internet address, so that the source address of an IP
packet is not the actual source. An attacker from outside the network (that is, from
the Internet) may send packets with a source address belonging to the LAN. This
deceives the internal servers into treating the attacker as a legitimate internal
network user, and the host at the internal address becomes the victim. Spoofing is
used in most of the well-known DoS attacks.
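A direction-aware source address check is the usual defence against the pattern this entry describes. The block below is an added illustration, not NetEnforcer code: the internal prefixes, the log line layout and the log lines themselves are constructed. The page only describes the inbound case (a LAN source address arriving from the Internet); the mirror check on the Internal link, which catches a LAN host emitting a foreign source address, is a generalization added here.

```python
"""Direction-aware source address check against the spoofing pattern described above.

Added defensive illustration; it is not NetEnforcer code. The internal prefixes,
log format and log lines are constructed for the example. The page describes
packets arriving from the Internet that carry a LAN source address; the mirror
check on the Internal link (a LAN host emitting a foreign source) is a
generalization added here, not something the glossary states.
"""
import ipaddress
import re

# Constructed: the networks that legitimately sit behind the Internal link.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed log line layout: link=<external|internal> src=<ip> dst=<ip> proto=<name>
LINE_RE = re.compile(r"link=(?P<link>external|internal)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def verdict(link: str, src: str) -> str:
    """link is the interface the packet arrived on.

    external + internal source: the page's case, a LAN address coming in from the Internet.
    internal + foreign source:  a LAN host sending with an address that is not ours.
    """
    if link == "external" and is_internal(src):
        return "drop:lan-source-from-internet"
    if link == "internal" and not is_internal(src):
        return "drop:foreign-source-from-lan"
    return "forward"


def check_log(lines):
    """Return (src, verdict) per parsable line; unparsable lines are reported as such."""
    results = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            results.append((None, "unparsed"))
            continue
        results.append((m["src"], verdict(m["link"], m["src"])))
    return results


# Constructed sample log.
SAMPLE_LOG = [
    "link=external src=198.51.100.7 dst=10.1.5.7 proto=tcp",     # normal inbound
    "link=external src=10.1.5.7 dst=10.1.0.20 proto=tcp",        # LAN address from outside
    "link=internal src=10.1.5.7 dst=203.0.113.5 proto=udp",      # normal outbound
    "link=internal src=203.0.113.9 dst=198.51.100.7 proto=tcp",  # foreign source leaving
    "garbage line",
]

if __name__ == "__main__":
    for src, v in check_log(SAMPLE_LOG):
        print(src, v)
```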
Standalone Configuration
A configuration in which only one NetEnforcer is connected to the network (in
contrast to the redundancy configuration). In the event of a system crash,
NetEnforcer becomes a wire, meaning that it continues to forward traffic without
performing policy enforcement functions.
SYN Attack
When an attacker sends a series of SYN requests to a target (victim). The target
sends a SYN ACK in response and waits for an ACK to come back to complete the
session setup. Because the source address was forged, the response never comes,
filling the victim's memory buffers so that it can no longer accept legitimate
session requests.
TELCO
Telephone Company - Generic name for telephone companies throughout the world
which encompasses RBOCs, LECs and PTTs.
Template – Virtual Channel or Pipe
A master Virtual Channel or Pipe that represents a class of Virtual Channels or
Pipes that differ only in one of their Host Catalog conditions.
Time Catalog
A Catalog that enables the user to define possible values for the Time condition.
NetEnforcer is capable of classifying traffic based on packet and time parameters.
ToS
See Type of Service.
ToS Catalog
A Catalog that enables the user to define possible values for the ToS condition.
Traffic Classification
NetEnforcer classifies traffic per IP source/destination including networks, subnets,
hostnames, list and ranges of addresses; TCP/UDP ports including lists of ports, port
ranges and HTTP header parameters; URL (including wildcards - *), methods, host
names (in the header) and FTP control to data connection correlation.
Type of Service
A byte in the IP header that defines the type of service to be given to that packet.
Two interpretations are implemented: IP Precedence bits (mostly in Cisco
equipment) and DiffServ (the IETF standard). When used for IP Precedence, bits 0-2
of the byte signify eight priority values, 0-7. When used as a DiffServ Code Point
(DSCP), only 6 of the 8 bits are used. IP Precedence and DiffServ are both methods
of prioritizing IP traffic as it passes through the network.
By setting the Type of Service (ToS) bits in accordance with network policy,
end-to-end QoS can be achieved in a heterogeneous environment.
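The two readings of the same byte are easy to confuse, so here is an added example (not NetEnforcer code) that decodes a ToS byte both as IP Precedence and as DSCP, shows that the top three DSCP bits coincide with the precedence value, and pulls the byte out of a raw IPv4 header. The per-hop-behaviour names (EF, CSn, AFxy) and the RFC 791 precedence names are standard; the 20-byte header is constructed for the example and its checksum is not valid.

```python
"""Decode and build the IP Type of Service byte both ways the glossary describes.

Added illustration; not NetEnforcer code. IP Precedence values 0-7 are the
three high-order bits of the byte (RFC 791 numbers them bits 0-2), the DSCP is
the six high-order bits, and the remaining two bits are ECN. The sample IPv4
header below is constructed for the example (its checksum is not valid).
"""

PRECEDENCE_NAMES = {
    0: "Routine", 1: "Priority", 2: "Immediate", 3: "Flash",
    4: "Flash Override", 5: "CRITIC/ECP", 6: "Internetwork Control",
    7: "Network Control",
}


def ip_precedence(tos: int) -> int:
    """Bits 0-2 of the ToS byte, read as a 0-7 priority (legacy / Cisco style)."""
    return (tos >> 5) & 0x7


def dscp(tos: int) -> int:
    """Six high-order bits of the byte as a DiffServ Code Point (0-63)."""
    return (tos >> 2) & 0x3F


def ecn(tos: int) -> int:
    """The two low-order bits, which DiffServ leaves to Explicit Congestion Notification."""
    return tos & 0x3


def tos_from_dscp(dscp_value: int, ecn_bits: int = 0) -> int:
    """Build the byte to set in the header for a given DSCP."""
    if not 0 <= dscp_value <= 63 or not 0 <= ecn_bits <= 3:
        raise ValueError("DSCP must be 0-63 and ECN 0-3")
    return (dscp_value << 2) | ecn_bits


def dscp_name(dscp_value: int) -> str:
    """Standard per-hop-behaviour names: EF, CSn, AFxy; otherwise the raw number."""
    if dscp_value == 46:
        return "EF"
    cls, rem = divmod(dscp_value, 8)
    if rem == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return f"AF{cls}{rem // 2}"
    return f"DSCP{dscp_value}"


def describe(tos: int) -> dict:
    """Both readings of one byte; the top three DSCP bits equal the precedence."""
    prec = ip_precedence(tos)
    code = dscp(tos)
    assert code >> 3 == prec  # class selector compatibility between the two schemes
    return {
        "tos": tos,
        "precedence": prec,
        "precedence_name": PRECEDENCE_NAMES[prec],
        "dscp": code,
        "dscp_name": dscp_name(code),
        "ecn": ecn(tos),
    }


def tos_from_ipv4_header(packet: bytes) -> int:
    """Pull the ToS byte (offset 1) out of a raw IPv4 header, with basic sanity checks."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1]


# Constructed 20-byte IPv4 header: ToS 0xB8, UDP, 10.1.5.7 -> 192.0.2.10, checksum zeroed.
SAMPLE_HEADER = bytes.fromhex("45b8005400004000401100000a010507c000020a")

if __name__ == "__main__":
    for t in (tos_from_ipv4_header(SAMPLE_HEADER), 0x28, 0xE0, 0x00):
        print(describe(t))
```

A ToS byte of 0xB8 reads as precedence 5 (CRITIC/ECP) under the old scheme and as DSCP 46 (EF) under DiffServ, which is why the two schemes can coexist on one network: a DiffServ-unaware router still sees a sensible precedence.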
UBR
Unspecified Bit Rate.
UTP
Unshielded Twisted Pair - A cable with one or more twisted copper wires bound in a
plastic sheath. The preferred medium for transporting data and voice to business
workstations and telephones. Unshielded wire is preferred for transporting
high-speed data because radiation is created at higher speeds; if shielded cabling is
used, the radiation is not released and creates interference.
Virtual Channel
A grouping of traffic defined by conditions (rules) and actions that can be owned by
Pipes.
Virtual Connection
Class of network traffic that defines traffic classification criteria and policies.
VLAN
Virtual Local Area Network refers to LANs that are interconnected by a virtual
Layer 2. The NetEnforcer enables you to apply VLAN tags to its management
traffic. VLANs are commonly used with campus environment networks. This
enables network changes to be made without physically moving cables or
equipment.
Well-Known Ports
Some services are conventionally assigned a permanent port number. For a
well-known port list see, for example:
http://www.isi.edu/in-notes/iana/assignments/port-numbers
Worms
This self-propagating code floods networks with email and adds Registry entries to
users' clients. Worms may be transmitted via email, by sharing infected files, or via
Internet chat. Worms take advantage of "back doors" or "holes" in popular email
software and operating systems. "Malicious" worms may also erase or hide certain
types of files.
I
Internet Data Centers, 1-3, 1-8
Internet Service Providers, 1-3, 1-5
IP Parameters
    Configuring, 2-47
L
LCD Panel, 2-44
    Failure Indications, 2-51
    Main Menu, 2-44
LCD Panel, 2-11
M
Management Port, 2-14
Multi-Port Copper Bypass Module, 2-27
    Connecting, 2-28
N
NetEnforcer
    Accessing, 3-2
    Changing Password, 2-41
    Connecting to Network, 2-30
    Copper Interface, 2-8, 2-9
    Current Configuration, 2-39
    Dimensions, A-1
    Environments, 1-3
    Failure Indications, 2-51
    Fiber Interface, 2-7
    Front Panel, 2-7
    Hardware, 2-2
    Hardware Specifications, A-1
    LCD Panel, 2-11
    LEDs, 2-11
    Models, 2-2
    Modifying Date Settings, 2-42
    Modifying Time Settings, 2-42
    MPLS Environment, 1-6
    Network Placement, 2-30
    Operating Environment, A-2
    Overview, 1-2
    Ports, C-1
    Power Requirements, A-1
    Powering Up, 2-33
    Protocols, C-1
    Redundancy, B-8
    Scenarios, 1-5
    Setting Up, 2-35
    Shutting Down, 2-49
    Standards Compliance, A-2
    Technology, 1-2
    Unpacking, 2-6
Network Parameters
    Configuring, 2-37
NIC Settings
    Configuring, 2-46
P
Password
    Changing Login, 2-41
    Changing Root, 2-43
Power Redundancy, B-14
Power Supply, 2-15
    LEDs, 2-16
Powering Up NetEnforcer, 2-33
S
Serial Redundancy, 2-16
Setting Up NetEnforcer, 2-35
Shutting Down NetEnforcer, 2-49
Status Indicator, 2-11
T
TAP Mode, B-3
Time and Date Settings, 2-42
U
Unpacking
    NetEnforcer, 2-6
V
Voice and Video Applications, 1-4
VPN, 1-13