Warding off WAN Gridlock
We tested dedicated traffic shapers and found that Packeteer's keeps traffic flowing smoothly.
November 25, 2002
Once we decided to test traffic shapers, we needed to develop criteria. In this case, we opted to focus on devices that specialize in QoS. Why a dedicated box when many routers have QoS capabilities? Because the added overhead can affect performance; more on this point later.
We tested dedicated traffic shapers on a T3 Internet link at 45 Mbps. Vendors usually offer multiple iterations of a product that use the same engine and interface but operate at different speeds. You can buy an inexpensive shaper for a 128-Kbps link, or an expensive unit that can handle 200 Mbps. We graded traffic shapers on their bandwidth-management, reporting, management-interface and protocol-recognition capabilities and price.
We invited Allot Communications, Lightspeed Systems, NetReality, Packeteer, Radware and Sitara Networks to participate in our tests. Only NetReality declined, and we later learned that it had been acquired by Allot.
Snoop Time
Reporting is the first component you'll employ--even before you start shaping traffic. Job 1 is identifying bandwidth hogs that are trumping more mission-critical and latency-sensitive protocols. With good reporting, you see the most active protocols over time and the most active servers and clients. This is important: You can't effectively shape traffic if you can't identify the source of the troubles. Is Web traffic slowing down your network, or do you have just a few greedy users?Layer 7 inspection is crucial. Once upon a time, we mapped ports to protocols, but that simple solution no longer works. For instance, nowadays almost everything runs over Port 80, the standard HTTP port. There is a good chance traffic over Port 80 will be allowed to pass through the firewall. The best example of this problem is P2P (peer-to-peer) software, which is notorious for generating a huge amount of traffic. Ask any college IT administrator: P2P is clogging schools' WAN links like cafeteria burgers clog arteries. Say you're in a situation where P2P is dominating and you want to allocate more bandwidth for Web browsing. If the P2P client runs, by default, on Port 80, and your traffic shaper inspects only at Layer 4, you have a problem. P2P traffic will fall under the same policy as Web traffic (for more on the legal aspects of P2P traffic, see "Politics, Law and the Traffic-Shaping Admin"). We replicated this problem by running non-HTTP traffic on Port 80 and finding it classified as HTTP. We also found that traffic shapers do a better job at Layer 7 inspection than others.Bandwidth-management capabilities refer to the various methods of implementing QoS. There are several ways to control bandwidth, including TCP rate shaping and queuing. Packeteer and Sitara use TCP rate shaping, which entails intercepting and manipulating TCP window sizes. The other entries we tested use queuing. For a primer on queuing types and other shaping schemes see "Traffic Management Techniques."
Take the number of signatures a product claims to support with a grain of salt. Some of what is called a signature really means, "We know the default port it uses." And some protocols may support more than one signature--Packeteer counts Kazaa as one application signature but can identify and set granular policies on Kazaa uploads, downloads and searches independently. So while Kazaa is just one protocol, it has three data payload signatures. We tested this capability by running the Hotline Internet bulletin board system on Port 80 rather than on Port 5500, where it normally runs. All the products except Packeteer initially identified Hotline traffic as HTTP. When we added a rule called "http-authenticated," Allot's NetEnforcer performed deeper inspection of Port 80 and identified Hotline as non-HTTP traffic, while Sitara's QoSWorks QWX-10000 pegged the traffic as "other-content-type." Lightspeed and Radware couldn't perform deeper identity checks.
Why a Dedicated Device?
Lately it seems like everything but the kitchen sink is getting QoS capabilities. Firewalls, VPNs, routers, switches, and even some consumer and small-office products, such as the FortiNet FortiGate (see "FortiGate Fortifies Your Traffic Security") claim to have some form of QoS. However, sometimes the "jack-of-all-trades, master-of-none" syndrome applies--if you plan to use an add-on QoS capability, here are a few things to check:
• Does the device offer Layer 7 inspection?• Can you set policies per connection and per protocol?
• Is reporting available for the most active protocols and users?
Also, remember that performing traffic shaping costs CPU time, and your firewall may be overloaded before performing QoS.
Dedicated traffic shapers, on the other hand, move the overhead of QoS to a separate box and can offer granular control of bandwidth use. The QoS devices we tested support a wide range of speeds, and dedicated systems also have a higher limit on the number of policies you can set. This lets your traffic shaper grow with your WAN. Of course, there are benefits to integrated solutions, aside from price; for example, you're using a single management interface and want to have one less piece of infrastructure to take care of.
In the final tally, Packeteer and Allot ended up in first and second place, respectively, with the PacketShaper 4500 earning our Editor's Choice award. Sitara's solution also performed well but had a confusing interface. Lightspeed's Total Traffic Control has decent reporting capabilities, but its bandwidth control and management interface didn't measure up to those of its rivals. Radware's product is an add-on to its application switch and isn't as feature-rich as the other products we reviewed. However, if you own Radware switches, you can't beat the price. The PacketShaper 4500 is a 2U rackmount box with two 10/100 Ethernet ports (you can add two expansion modules as well, for up to six ports). Packeteer's product offers the most granularity in setting policies, has an impressive classification engine, and has what we consider the best user interface. Although it has a command-line interface, most configuration is performed via a Web browser. And unlike all the other vendors, the browser interface is standard HTML, not a Java applet or Win32 application.The box has a pass-through failover relay, which means it turns into a wire when the power is off. While downloading a file, we unplugged the PacketShaper and the transfer continued, though obviously with no QoS control. The products from Allot and Sitara also offer this capability.
Initially, you'll probably install the PacketShaper in monitor-only mode. This is so you can gather a list of protocols being used and determine what is causing problems. Protocols are assigned "classes," and policies can be set on any class. Protocols that use a lot of bandwidth or appear often will show up in the "traffic" class listing. Less frequently seen protocols end up in the "default" class. You can create subclasses as well, based on host name, address, subnet or ports; Citrix and HTTP traffic can be subdivided even further. Each class can be assigned a chunk of dedicated bandwidth, and you can set maximum and minimum rates per connection.
We set a policy to give HTTP a minimum of 20 Kbps and a burst of 50 Kbps per connection on a series of small HTTP transfers, and got an average of 21 Kbps. If there isn't enough bandwidth to fit the guarantees, you can choose to refuse the traffic, squeeze it into whatever is available no matter how small, or in the case of Web traffic, redirect to an alternate URL.
Priority Controls
In addition to assigning minimum and maximum bandwidth for a class, you can control traffic by giving it a priority from 0 to 7; traffic with a higher priority gets more bandwidth. You can assign bursty traffic a higher or lower priority as well. When priorities are equal, the bandwidth is weighted based on number transactions. We gave Web and FTP traffic the same priority and ran five Web and 10 FTP users. This resulted in Web traffic getting 15 Mbps instead of its standard 22 Mbps.One of the PacketShaper's coolest features is dynamic subpartitions. You can create a separate partition for every IP address or subnet encountered, from the inside or outside, automatically. We created a subpartition on the inbound class and said all inbound traffic could get only 1 Mbps. When we ran an FTP transfer and Web traffic on the same machine, combined we got only 1 Mbps. Allot's device has a similar feature but requires that you first create a list of IP addresses; Packeteer's capability is completely automated. You also can create dynamic partitions per protocol.
Report creation is straightforward but has room for improvement. Reports on classes and protocols are created from one part of the GUI, and network reports (such as throughput or retransmits) are created from another location. We would like to see these combined. In addition, we could not create graphs of live data, something Allot's product offers, but instead we looked at 1-minute historical charts. This requires you to refresh each graph manually. It's not a big functionality loss, but it is inconvenient.
PacketShaper 4500, $16,000. Packeteer, (408) 873-4400. www.packeteer.com Allot Communications NetEnforcer AC-302 4.2.2 | Sitara Networks QoSWorks QWX-10000 | Lightspeed Systems Total Traffic Control 3.0 | Radware FireProof SynApps 2.51
Allot Communications NetEnforcer AC-302 4.2.2
The 1U rackmount Allot box didn't wow us as much as the Packeteer device did, but it did finish a respectable second place. Configurable from the command line or through a Web browser via a Java applet, the management interface is the best of the rest but not nearly as simple as Packeteer's. This box comes with two 10/100 Ethernet ports and an extra Ethernet port that can be used for management only. This lets you manage from a separate management network instead of the LAN side. There are no expansion modules available for this unit.
Setting policies in NetEnforcer is easy, but seeing the relationships between policies can be difficult. This is because the QoS controls, such as maximum and minimum bandwidth, are not shown in the same window as the policy editor. On the other hand, it is easy to create policies that apply to multiple rules. For example, we created a policy called "2Mb max," which set a limit of 2 Mbps per connection. We were then able to apply that policy to HTTP, FTP and any other protocol. If we later changed the limit to 3 Mbps, it would be updated for all these protocols automatically and at once.
NetEnforcer also features an automated host-list generator, in case you want a host created for every IP address in your network. Hosts can be grouped, and policies can be applied to the groups. This capability can work for networks that have dynamic IP addresses so long as you include the entire DHCP pool in a group.We had the wizard create a host for every node in our /24 network and created a group called nwc.syr.edu. We then applied a policy to that group to limit traffic per IP address to 2 Mbps max. No matter what IP address we were assigned by the DHCP server, our test machines got only 2 Mbps.
A downside is that policy changes take effect for new connections only. While running a series of FTP transfers, we enabled a rule to limit FTP to 100 Kbps. But current FTP transfers continued to suck up all the bandwidth for a few minutes until they finished and a new set began.
We also ran into trouble with the streaming video test. We created a channel with 3 Mbps allotted to video at normal priority. However, when the pipe was saturated with Web traffic, our 1.6-Mbps QuickTime movie did not get the guaranteed bandwidth. Only when we increased the priority of the channel did we get the guaranteed bandwidth.
Keeping Track of Users
Features Chartclick to enlarge |
You can export Data to RADIUS for accounting purposes, a feature Packeteer also supports. ISPs will like this capability because it will help them keep tabs on bandwidth usage. NetEnforcer also provides some protection against DoS (denial of service) attacks in that you can specify a maximum number of connections, and maximum connections per second. Connections beyond these limits can either be admitted without QoS or dropped.The charts created by NetEnforcer are superior to Packeteer's, a consideration if you plan on presenting statistics to a group. Each chart can be displayed as line or area graph, a pie or bar chart, or as a table. Oddly enough, however, you can have only five charts open at once. When we tried opening a sixth graph, we were told we had to close one first. Allot says the next release of the software will allow as many as 10 charts to be open at once, but that limit still seems low and unnecessary. We also found a bug in the GUI that reversed FTP direction in the most active clients/servers list. The clients were listed under most active servers.
NetEnforcer AC-302 4.2.2, $12,000. Allot Communications, (800) 204-1364, (952) 944-3100. www.allot.com
Sitara Networks QoSWorks QWX-10000
Sitara's 2U rackmount QosWorks box can be managed through a Web interface or via telnet. It is also the most expensive unit, at nearly $20,000.
Bandwidth-management capabilities are limited compared with that of its competitors; there are only five priority levels, and you can't set a maximum bandwidth per connection. Adding protocols to a policy is also a pain. We were presented with a large hierarchical list of protocols and had to manually search just to get to the TCP protocols. And to add insult to injury, once we found our protocols, we could add only one at a time. To add more, we had to drill through the list again.Guaranteeing Bandwidth
The QosWorks policy screen let us see guaranteed bandwidth by bytes and percentage, burst amount, and priority amongst all the classes. Within a class, bandwidth is allocated evenly to each connection. Our streaming movie played fine without setting any QoS rules, even with 100 Web users. The devices from Allot and Packeteer let video get trampled when there were no policies set. Sitara's QoSWorks also supports HTTP caching from an external cache server.
We weren't thrilled by the reporting features QoSworks offers. In the policy report, we could see the bandwidth currently in use by each policy, its burst size and a thermometer showing how much of the allocated bandwidth was in use, but these are shown only as averages over the last 5, 15 and 30 minutes. Graphs for events past a half-hour are in the "historic reports" panel. Here you can see throughput or packet count for application, IP address, IP ToS (Type of Service) bits or by policy. That's the extent of the graphing.
Sitara has a decent product, but the management interface really drags it down, and it's overpriced by at least $5,000.
QoSWorks QWX-10000, $19,995. Sitara Networks, (888) 748-2720, (781) 487-5900. www.sitaranetworks.comLightspeed Systems Total Traffic Control 3.0
Lightspeed is the only vendor whose product we tested does not come on a standalone box; instead, it is installed on a Microsoft Windows 2000 server (in our case, a Dell PowerEdge 1650). Even including the price of the server, this product is one of the least expensive devices tested. However, it's also the most limited and has a confusing management interface.
To start, we had to draw our network. We dragged and dropped icons and connection points on a grid, similar to creating a Visio map. We needed to add icons for internal and external NICs, a filter to sort and analyze the traffic, and a queue to throttle the bandwidth. Fortunately, wizards and sample configurations are provided, but this interface is not intuitive and will have you scratching your head for a few hours.
Management is performed via a Windows program, and you can administer on console or remotely. Bandwidth shaping is done by defining a series of three priorities, with each priority getting a percentage of bandwidth, or by CBQ. We could create as many as eight classes and assign a total percentage of bandwidth and maximum delay. We could even control whether we wanted classes to borrow available bandwidth from other classes. All controls are based on source and destination IP addresses or port range. There is also integration with spam filtering.
In small environments where you know which programs will be running, this product could be sufficient. However, there are no guaranteed-bandwidth-per-session controls. We could only apply filters based on a whole class level, which meant no guaranteed rate per connection.Total Traffic Control 3.0, $6,495 (as tested). Lightspeed Systems, (877) 447-6244. www.lightspeedsystems.com
Radware FireProof SynApps 2.51
Radware's product is unique among the products we tested in that SynApps is an add-on to Radware's switch product line. Although it finished at the rear of the pack and can't match rivals in features, it does come at a bargain if you already have a Radware switch in your network. This product is well-suited as a supplement, but it's not a full-blown QoS device.
Overall, SynApps' management features are better than Lightspeed's, but its bandwidth control and reporting lag behind the standalone boxes. Bandwidth is controlled by weighted-fair queuing or CBQ. You can set policies based on source and destination IP addresses, port numbers, diffserv value, or IP ToS bits. The switch we tested had eight network ports, more than any other entry. Each port can have available bandwidth specified. There are seven priority levels, and a real-time level as well. Minimum bandwidth and maximum borrow bandwidths can be set, but only per class, not by connection.
SynApps offers virtually no reporting elements, except for showing current bandwidth usage per policy. Of course, if you have a predictable type of traffic flowing across the switch, that may be good enough, especially for the price.FireProof SynApps 2.51, module costs $4,000 on top of switch price. Radware, (888) 234-5763. www.radware.com
Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs®. Write to him at [email protected].
WAN bandwidth is expensive, but when congestion occurs, some administrators simply throw cash at the situation. This approach, however, doesn't address the underlying problem. Until you gain granular control over the way packets are prioritized, you'll be playing a zero-sum game, with users gobbling up your pricey bandwidth as fast as you bring it online. Moreover, as latency-sensitive applications, such as VoIP and videoconferencing, become more common and have to contend with FTP and P2P traffic for throughput, even fat pipes won't guarantee QoS.
What can give you the edge? Bandwidth management products, which rein in bandwidth-hogging applications, smooth out bursty traffic and guarantee minimum throughput for those users, groups or protocols you designate. We tested traffic shapers from Allot Communications, Lightspeed Systems, Packeteer, Radware and Sitara and gave Packeteer's product our Editor's Choice award for its granularity in setting policies, impressive classification engine and intuitive user interface.Install a traffic shaper and you're bound to feel some political heat--and we're not talking about how many people are streaming Limbaugh on your LAN. We're referring to the massive debate and flame mail you will get for limiting protocols.
You probably know which protocols are overwhelming your network. Are people clogging up your bandwidth with e-mail or P2P traffic? In the enterprise, expect each administrator--the person in charge of VoIP, the Web dudes, the e-mail admin--to want highest priority. Before you jump into this quagmire, get a fair, well-thought-out policy down on paper, and get CxO-level buy-in for that policy.
If you're in an educational setting, the problem protocol is almost guaranteed to be P2P. But do you block P2P protocols outright? This is where politics--more specifically, avoiding a student uprising--comes into play. Blocking P2P completely will likely get you hung in effigy. A larger concern, however, is the legal aspects of P2P. Most P2P material traversing your network--including Kazaa, Gnutella and the infamous Napster--is copyrighted. Such transfers fall outside fair-use rules and are in violation of federal copyright law.Does this mean allowing P2P traffic on your network or trying to rate-limit it opens you up to legal liabilities? So far, that's not likely, but check with your institution's lawyers. The Digital Millennium Copyright Act states that a service provider is not liable as long as the provider doesn't have actual knowledge that a material or activity is infringing on copyrights. And, while much P2P traffic is infringing, not all of it is.
At some point, however, content creators may discover an infringing user on your network and issue a notification. If this happens you need to disable or remove the content; failure to act can result in liability. However, this same thing will happen if a user hosts infringing material on an internal Web server as opposed to P2P. Based on precedents at print time, there is no indication that allowing or rate-controlling any particular protocol will open you up to liabilities. Because most content creators are interested in suing the people distributing infringing content--as opposed to users downloading files--several institutions have decided to severely limit or completely block outgoing P2P traffic. Others limit all P2P to just a few kilobits per seconds, thus allowing the traffic but at a rate so slow that nobody wants to use it. For client machines we used 10 Intel Celeron 500-MHz white box PCs running Microsoft Windows 2000 and an Apple Computer PowerBook G3 connected to the packet shapers at 100 Mbps through an Extreme Summit48 switch, and then to a dual NIC Dell Computer PowerEdge 2450 running Windows 2000 with routing enabled. A T3 (45 Mbps) link was simulated with a Shunra Software's Storm STX-100.
Our server was an Apple Macintosh dual 800-MHz G4 with 1 GB of RAM. We ran FTP, Apache Web server and the Apple Darwin streaming server and used Mercury Interactive's LoadRunner 7.5.1 to generate as many as 100 real TCP sessions. We broadcast "live" a large QuickTime movie set to nonterminating continuous loop. This movie output was, on average, 1.6 Mbps per stream.
LoadRunner let us generate real Windows TCP sessions, and we always ran enough users to oversaturate the T3. Our Web tests included simulating users downloading several multimegabyte pages as well as multiple small pages in succession.
We also tested transferring Web and FTP data simultaneously. We set a policy for a minimum of 20 Kbps per connection with a burst of 50 Kbps, a minimum of 500 Kbps per connection for Web traffic, and 20 Mbps maximum for FTP. We also tested streaming video while concurrently running 100 large Web transfers.Everybody wants more bandwidth. If you ask your staff if you should install an extra three OC-3s, they'll say yes. When applications become bogged down, one of the first responses is always, "Buy a bigger pipe."But do you actually need more bandwidth? If you have a 128-Kbps ISDN circuit and want to run 100 simultaneous VoIP sessions at 8 Kbps, you definitely do. No QoS (Quality of Service) device in the world can compensate for that much traffic.
However, if you have enough WAN bandwidth to run your mission-critical applications, and other applications can be pushed aside, you are faced with two options: Get more WAN bandwidth or use a traffic shaper. The decision can come down to ROI (return on investment).
On the surface, calculating ROI is a simple matter: Determine how much additional bandwidth mission-critical applications need. Take the price of that bandwidth per month and divide by the cost of a traffic shaper. That tells you how long until you'll see a return. But there are other considerations:
• If you buy more bandwidth, noncritical traffic will also increase--if the throughput is there, users will suck it up. This can mean a constant cat-and-mouse game.
• Factor management time into the equation. To do traffic shaping, an administrator must keep watch on the traffic and spend time developing and seeking approval for a policy defining which traffic gets priority. When your bandwidth is plentiful and rarely saturated, you won't need to worry. But as bandwidth gets tight, the amount of time spent watching traffic and making decisions increases.• Be prepared for decreased productivity. A multi-megabyte e-mail attachment could very well cause your e-mail server to swamp a slow WAN for minutes. Users might not be able to access resources they need, and that downtime equates to a monetary loss.
Also consider whether you can do QoS with existing equipment. Many firewall and router vendors, for example, offer bandwidth-control capabilities for their devices for free or a modest upgrade cost. Radware and Cisco routers have this feature, Nortel provides shaping on its Contivity VPN concentrator, and Check Point firewalls have the company's Floodgate bandwidth manager. These devices may be good enough for your environment, making a separate standalone QoS device unnecessary. But again, dig a bit deeper: Bandwidth shaping costs CPU time, so the device's performance may degrade. Also, the granularity of control, such as regulating individual connections, may not be up to the level of a standalone device.
Maybe a compromise is in order: Some QoS-device vendors sell monitor-only solutions that let you graph the dominant protocols; you can then use your existing infrastructure devices for shaping. This is a reasonable solution: If your existing devices have the shaping features and performance to work with your traffic, you're ahead of the game. Worst case, you upgrade the monitor-only product to a full-fledged traffic shaper.
R E V I E WWAN Traffic Shapers
Sorry,
your browser
is not Java
enabled
Welcome to
NETWORK COMPUTING's Interactive Report Card, v2. To launch it, click on the Interactive Report Card ® iconabove. The program components take a few moments to load.
Once launched, enter your own product feature weights and click the Recalc button. The Interactive Report Card ® will re-sort (and re-grade!) the products based on the new category weights you entered.
Click here for more information about our Interactive Report Card ®.
You May Also Like