
NetEnforcer® AC-1000 Series

Carrier-Grade Service Control and QoS/SLA Enforcement

Installation Guide Version 6.1.1

(Doc. No. D354003)


Important Notice

Allot Communications Ltd. ("Allot") is not a party to the purchase agreement under which NetEnforcer was purchased, and will not be liable for any damages of any kind whatsoever caused to the end users using this manual, regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise. SPECIFICATIONS AND INFORMATION CONTAINED IN THIS MANUAL ARE FURNISHED FOR INFORMATIONAL USE ONLY, AND ARE SUBJECT TO CHANGE AT ANY TIME WITHOUT NOTICE, AND SHOULD NOT BE CONSTRUED AS A COMMITMENT BY ALLOT OR ANY OF ITS SUBSIDIARIES. ALLOT ASSUMES NO RESPONSIBILITY OR LIABILITY FOR ANY ERRORS OR INACCURACIES THAT MAY APPEAR IN THIS MANUAL, INCLUDING THE PRODUCTS AND SOFTWARE DESCRIBED IN IT. Please read the End User License Agreement and Warranty Certificate provided with this product before using the product. Please note that using the products indicates that you accept the terms of the End User License Agreement and Warranty Certificate. WITHOUT DEROGATING IN ANY WAY FROM THE AFORESAID, ALLOT WILL NOT BE LIABLE FOR ANY SPECIAL, EXEMPLARY, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, LOSS OF REVENUE OR ANTICIPATED PROFITS, OR LOST BUSINESS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Copyright

Copyright © 1997-2005 Allot Communications. All rights reserved. No part of this document may be reproduced, photocopied, stored on a retrieval system, transmitted, or translated into any other language without a written permission and specific authorization from Allot Communications Ltd.

Trademarks

Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation and to the owners' benefit, without intent to infringe. NetEnforcer®, NetBalancer®, CacheEnforcer® and the Allot Communications pyramid logo are registered trademarks of Allot Communications Ltd. NetPolicy™ is a trademark of Allot Communications Ltd.

ii NetEnforcer AC-1000 Series Installation Guide


Allot Communications

Americas 7664 Golden Triangle Drive Eden Prairie, MN 55344 Tel: (952) 944-3100 Toll free: (877) 255-6826 Fax: (952) 944-3555

Middle East and Africa 5 Hanagar Street Industrial Zone B, Hod-Hasharon, 45800, Israel Tel: 972-9-761-9200 Fax: 972-9-744-3626

Europe NCI – Les Centres d’Affaires Village d’Entreprises ‘Green Side’ Batiment 1B 400 Avenue Roumanille, BP309 06906 Sophia Antipolis Cedex France Tel: 33-(0)4-93-00-11-67 Fax: 33-(0)4-93-00-11-65

Japan Yajima Building, 8F 7-11-13 Ginza, Chuo-ku Tokyo 104-0061 Japan Tel: 81-3-5537-7114 Fax: 81-3-5537-5281

Asia Pacific 9 Raffles Place, #27-01 Republic Plaza Singapore 048619 Tel: 65-6832-5663 Fax: 65-6832-5662

Printing History

Second Edition: May 2005, Version 6.1.1

Doc. No. D534003


About This Manual

The NetEnforcer AC-1000 series User Guide describes how to install and configure NetEnforcer AC-1000 series in your network, and use NetEnforcer AC-1000 series to prioritize your network traffic.

This manual contains the following chapters:

Chapter 1, Introducing NetEnforcer AC-1000 for Giga Bit Networks, introduces NetEnforcer AC-1000 series and provides an overall description of the architecture and functioning of the system.

Chapter 2, Installing NetEnforcer, describes NetEnforcer AC-1000 series hardware and the initial installation and setup requirements.

Chapter 3, Getting Started, describes how to connect to NetEnforcer AC-1000 series through your Web browser, and install the Java 1.4.2 JRE, which is a prerequisite for running the NetEnforcer application.

Appendix A, Hardware Specifications, lists the hardware specifications for NetEnforcer AC-1000 series.

Appendix B, Fail-Safe Operation, describes the fail-safe methods implemented in NetEnforcer AC-1000 series, such as how NetEnforcer can operate parallel to another NetEnforcer to provide full redundancy.

Appendix C, NetEnforcer Port Reference, describes the required ports for NetEnforcer AC-1000 series.

Appendix D, Rack Mounting Installation, describes how to prepare the device and rack for installation and how to mount the device in the rack.

Appendix E, Glossary, describes the terms used in this guide.


Conventions

The following conventions are used in this manual:

Note: Additional information that may be useful in understanding or using functionality.

Tip: A helpful hint for using functionality, for example, a shortcut.

Security Note: A note that has security implications.

Caution: Information that is important to consider when performing a particular action and that may have hazardous implications.


Table of Contents

CHAPTER 1: INTRODUCING NETENFORCER AC-1000 SERIES FOR GIGA BIT NETWORKS .... 1-1
Introducing the NetEnforcer AC-1000 Series .... 1-2
NetEnforcer AC-1000 Environments .... 1-3
NetEnforcer Usage Examples .... 1-5
Scenario 1: Internet Service Provider .... 1-5
Scenario 2: Internet Data Center .... 1-8
Scenario 3: Enabling CATV Providers to Offer Advanced IP Services .... 1-9
Scenario 4: Enterprise Intranet .... 1-11
Scenario 5: Enterprise Internet Connection with VPN .... 1-13
Scenario 6: Protecting Networks from DDoS Attacks .... 1-15

CHAPTER 2: INSTALLING NETENFORCER .... 2-1
Hardware Description .... 2-2
Unpacking NetEnforcer .... 2-6
NetEnforcer Front Panel .... 2-7
Bypass Modules .... 2-17
Placement in the Network .... 2-30
Connecting NetEnforcer to the Network .... 2-30
Powering Up NetEnforcer .... 2-33
Setting Up NetEnforcer .... 2-35
Configuring Via a Terminal .... 2-35
Configuring Via the LCD Panel .... 2-44


CHAPTER 3: GETTING STARTED .... 3-1
Accessing NetEnforcer .... 3-2
Java, WebStart and the NetEnforcer User Interface .... 3-3
Installing Java 1.4.2 JRE .... 3-3
Initializing WebStart .... 3-6
Automatic Updates .... 3-8
Managing Multiple Devices .... 3-8
WebStart Application Manager .... 3-8
Troubleshooting .... 3-9

APPENDIX A: HARDWARE SPECIFICATIONS .... A-1

APPENDIX B: FAIL-SAFE OPERATION .... B-1
Bypass Mode .... B-2
Bypass Initiation .... B-3
Fiber Bypass and TAP for the AC-1000 Series .... B-3
Connecting Two NetEnforcers in Serial Redundancy .... B-8
Status Indicators in Serial Redundancy Mode .... B-8
Secondary NetEnforcer Activation .... B-10
Primary and Secondary Definitions .... B-11
Power Redundancy .... B-14

APPENDIX C: NETENFORCER PORT REFERENCE .... C-1
Firewall Ports .... C-1

APPENDIX D: RACK MOUNTING INSTALLATION .... D-1

APPENDIX E: GLOSSARY .... E-1


List of Figures


FIGURE 1-1 – ISP POP NETWORK WITH GIGA BIT CONNECTIVITY AND QOS .... 1-7
FIGURE 1-2 – SAMPLE INTERNET DATA CENTER NETWORK .... 1-9
FIGURE 1-3 – NETENFORCER IN CATV ENVIRONMENT .... 1-10
FIGURE 1-4 – CORPORATE NETWORK STRUCTURE WITH TWO OUTGOING WAN LINKS .... 1-12
FIGURE 1-5 – SAMPLE CORPORATE NETWORK WITH TWO LOCATIONS CONNECTED VIA MPLS VPN .... 1-14
FIGURE 1-6 – END TO END QOS MARKING ON PACKETS TRAVELING AN MPLS NETWORK .... 1-14
FIGURE 1-7 – PREVENTING A DOS ATTACK WITH NETENFORCER .... 1-16
FIGURE 2-1 – NETENFORCER AC-1010: FIBER INTERFACE (TOP) NETENFORCER AC-1010: COPPER INTERFACE (BOTTOM) .... 2-1
FIGURE 2-2 – NETENFORCER AC-1010 FRONT PANEL: FIBER INTERFACE .... 2-7
FIGURE 2-3 – NETENFORCER AC-1010 FRONT PANEL: COPPER INTERFACE .... 2-8
FIGURE 2-4 – NETENFORCER AC-1020 FRONT PANEL: FIBER INTERFACE .... 2-9
FIGURE 2-5 – NETENFORCER AC-1040 FRONT PANEL .... 2-9
FIGURE 2-6 – NETENFORCER LCD PANEL .... 2-12
FIGURE 2-7 – AC-1040 STATUS INDICATORS .... 2-13
FIGURE 2-8 – MANAGEMENT PORT .... 2-15
FIGURE 2-9 – FIBER BYPASS MODULE .... 2-19
FIGURE 2-10 – CONNECTING NETENFORCER AC-1010 TO FIBER BYPASS MODULE .... 2-20
FIGURE 2-11 – COPPER BYPASS MODULE .... 2-21
FIGURE 2-12 – CONNECTING NETENFORCER AC-1010 TO COPPER BYPASS MODULE .... 2-22
FIGURE 2-13 – DOUBLE FIBER BYPASS MODULE .... 2-24
FIGURE 2-14 – CONNECTING NETENFORCER AC-1020 TO DOUBLE FIBER BYPASS MODULE .... 2-25
FIGURE 2-15 – MULTI-PORT COPPER BYPASS MODULE .... 2-28
FIGURE 2-16 – LAN AND WAN PLACEMENT OF NETENFORCER AC-1010 .... 2-32
FIGURE 2-17 – PLACEMENT OF NETENFORCER AC-1020 (POLICY PER USER) .... 2-32
FIGURE 2-18 – PLACEMENT OF NETENFORCER AC-1020 (POLICY BASED ON LINK) .... 2-33
FIGURE 2-19 – NETENFORCER SETUP MENU .... 2-37
FIGURE 2-20 – NETWORK CONFIGURATION .... 2-38
FIGURE 2-21 – CURRENT CONFIGURATION (1) .... 2-40


FIGURE 2-22 – CURRENT CONFIGURATION (2) .... 2-41
FIGURE 2-23 – PASSWORD .... 2-42
FIGURE 2-24 – TIME SETUP .... 2-44
FIGURE 3-1 – NETENFORCER LOG ON DIALOG BOX .... 3-2
FIGURE 3-3 – NETENFORCER CONTROL PANEL .... 3-4
FIGURE 3-4 – JAVA JRE DOWNLOADS .... 3-5
FIGURE 3-5 – NETENFORCER JAVA WEB START WINDOW .... 3-6
FIGURE 3-6 – SECURITY WARNING .... 3-6
FIGURE 3-7 – NETENFORCER DESKTOP INTEGRATION .... 3-7
FIGURE 3-8 – NETENFORCER LOG ON WINDOW .... 3-7
FIGURE 3-9 – JAVA WEB START APPLICATION MANAGER .... 3-9
FIGURE B-1 – FIBER BYPASS MODULE .... B-4
FIGURE B-2 – MULTIMODE COUPLER UNIT .... B-5
FIGURE B-3 – CONNECTING NETENFORCER AC-1010 TO FIBER BYPASS AND TAP .... B-6
FIGURE B-4 – SERIAL REDUNDANCY SETUP FOR NETENFORCER AC-1010 .... B-12


Chapter 1: Introducing NetEnforcer AC-1000 Series for Giga Bit Networks

This chapter introduces NetEnforcer and explains how it delivers Quality of Service.

This chapter includes the following sections:

Introducing the NetEnforcer AC-1000 Series, page 1-2, introduces NetEnforcer, providing an overview of its functionality and describing typical environments for its use.

NetEnforcer Usage Examples, page 1-5, presents scenarios that provide examples of how NetEnforcer can optimize network traffic in a variety of working environments.


Introducing the NetEnforcer AC-1000 Series

Allot Communications NetEnforcer® AC-1000 Series policy enforcement devices offer carriers, service providers and enterprises a complete suite of bandwidth management tools for monitoring, classifying, and controlling your network traffic. Uniquely positioned to answer customer demand for more processing power, NetEnforcer AC-1000 accurately identifies your network traffic using Allot's Deep Packet Inspection (DPI) technology that combines Layer-7 application signatures and patterns and content inspection. NetEnforcer monitors, categorizes, and optimizes your network traffic by assigning QoS to specified classes of traffic, and gives you the power to intelligently shape network bandwidth and deliver system-wide service level guarantees with network connectivity speeds and throughput up to multi-gigabit per second.

The NetEnforcer offers flexible deployment that supports your business goals. Deploying NetEnforcer at your access point enables you to enforce SLAs, deploy tiered services, and implement advanced billing schemes. Deploying NetEnforcer at your peering point lets you safely oversubscribe, control P2P, monitor VoIP and protect your network from DDoS attacks.

Use the NetEnforcer AC-1010 for managing traffic over a single link and use the AC-1020 and AC-1040 for fully meshed Internet/Intranet access with redundant switches and Internet access routers. The NetEnforcer AC-1020 offers support for two Gigabit links while the NetEnforcer AC-1040 offers support for four Fast Ethernet links. Both devices use a single traffic enforcement mechanism that lets you simply manage traffic across multiple links with a single policy.


NetEnforcer AC-1000 Environments

Typical application environments for the NetEnforcer product family include:

Internet Service Providers: NetEnforcer manages and enforces SLAs (Service Level Agreements) at the POP level. ISPs are able to deliver advanced bandwidth capabilities to customers, provide differentiated services and partition bandwidth. Class of Service is enabled. NetEnforcer is geared for ISP operations providing full SLA support and integration with ODBC-based billing packages, in addition to interfacing to LDAP-based user directories.

Internet Data Centers: NetEnforcer controls traffic flows to hosted servers. It guarantees maximum traffic to and from hosted servers and provides protection from worms (such as Slammer) that cause heavy, superfluous, artificial traffic to server farms. NetEnforcer monitors usage on total access to the server and enables troubleshooting of network load issues resulting from hackers' attacks or abnormal traffic patterns. Additionally, NetEnforcer enables the monitoring of network application health by using alert notifications and collects traffic flow statistics (by hosted server or by protocol) for network planning.

Corporate Networks: NetEnforcer controls traffic flows from Web-based customers, internal users and remote offices to centralized corporate networks and services. Network managers can give high priority to mission-critical applications and ensure necessary bandwidth to timing-critical applications such as voice and video. NetEnforcer’s extensive monitoring capabilities, including long-term monitoring, enable network managers to manage the usage of resources like servers and links. Furthermore, protecting from overuse of non-critical applications and non-business usage increases network security (by eliminating worms and infected Web pages). Finally, NetEnforcer’s ability to limit traffic connections enhances network security and reduces the risk of DDoS (Distributed Denial of Service) attacks.

Educational Networks: NetEnforcer limits the use of low priority traffic such as music and file-sharing applications, and assigns QoS for specific user groups. NetEnforcer can limit students' access to particular sites and applications during business hours, while allowing high priority access to faculty members or administrators.


Cable Networks: NetEnforcer controls traffic flows to and from cable-based customers and ensures fairness to all subscribers. Providing an SLA to subscribers is essential for subscribers who signed up for a speedy connection and wish to enjoy a fast Internet connection. Failing to protect the innocent subscribers from other subscribers’ overuse of bandwidth may result in unhappy customers; for example, a subscriber may register a PC as a P2P member in a busy network and thereby generate heavy music download traffic during most of the day and night. The generation of traffic usage reports using NetEnforcer enables management of resources and elimination of network resource abuse by subscribers.

Voice and Video Applications: NetEnforcer enables the prioritization of data applications and the guaranteeing of bandwidth to timing-critical, real-time applications like voice over IP and video. NetEnforcer enables control of your data and voice traffic. Through NetEnforcer, specific voice, video and multimedia traffic flows can be identified and the following actions can be assigned: minimum and maximum bandwidth, priorities, guaranteed rate, fairness and admission control.


NetEnforcer Usage Examples

The following scenarios provide examples of how NetEnforcer can optimize network traffic in a variety of working environments.

Scenario 1: Internet Service Provider

Internet Service Providers (ISP or SP) require high-speed connections and the ability to manage and enforce SLAs (Service Level Agreements) at the POP level. ISPs that provide advanced services such as tiered services (for example ensuring the best service level - Gold Service - to high-paying customers and a lesser level of services to customers who pay less) and the ability to partition bandwidth stay ahead of the competition. In addition to SLA support, ISPs require integration with CRM (Customer Relationship Management) and billing packages as well as an interface to LDAP based user directories.

IP Service Control at the POP

• Improve ROI by installing a layer 7 device at the carrier's POP. One device serves thousands of customers.

• Enable carriers to provide supplementary IP services:
  - Tiered/differentiated services (Gold/Silver/Bronze)
  - Critical traffic prioritization
  - Reducing P2P traffic
  - With NetPolicy Provisioner – a new innovative service for customers to monitor and control their own traffic

• Control DoS attacks.


Class of Service

NetEnforcer enables class of service in the following ways:

• Provides superior classification capabilities. Offers advanced classification capabilities up to Layer 7 while routers usually support only up to Layer 4.

• Controls P2P traffic loads.

• Provides class-based accounting for each subscriber.

• With NetPolicy Provisioner: enables end-users (the business customers of the SP) to define their own classes and change them.

• Provides per-pipe and per-class monitoring for each end-user.

• Does not require changes in existing infrastructure.

Services Based on MPLS

With more Metro Optical networks employed in the field, SPs are able to offer cost effective Giga Ethernet connectivity. Carriers use this infrastructure with MPLS to transport WAN with QoS.

Giga Ethernet is offered as layer 2 or layer 3 connectivity with additional L3+ offering as well. ISPs offer VPN services based on MPLS.

QoS is offered, rather than Best Effort, based on packet marking using DSCP (also known as TOS) marking. DiffServ (DSCP) marked packets can be mapped to MPLS LSP. Another way of mapping QoS to MPLS is mapping 802.1p User Priority Bits to EXP bits in the MPLS.
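The two mappings named above (DSCP marking carried into the MPLS EXP bits, and 802.1p User Priority bits carried into EXP) worked through at the bit level, as an added example; this is illustrative Python written for this edit, not code from the guide or from Allot. The TOS byte, DSCP and label values are constructed samples, and the rule of copying the three most significant DSCP bits (the class-selector / IP-precedence bits) into the 3-bit EXP field is the common default mapping, assumed here rather than taken from the guide.

```python
import struct

# Constructed sample markings (assumptions for this example, not values from the guide).
SAMPLE_TOS_EF = 0xB8      # DSCP 46 (EF) with ECN bits 00
SAMPLE_TOS_AF31 = 0x68    # DSCP 26 (AF31) with ECN bits 00
SAMPLE_LABEL = 100        # hypothetical LSP label


def tos_to_dscp(tos: int) -> int:
    """DSCP is the upper 6 bits of the IPv4 TOS (IPv6 Traffic Class) byte."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS byte out of range")
    return (tos >> 2) & 0x3F


def tos_to_ecn(tos: int) -> int:
    """The low 2 bits of the byte carry ECN; they must not leak into the QoS class."""
    return tos & 0x3


def dscp_to_exp(dscp: int) -> int:
    """Map a 6-bit DSCP to the 3-bit MPLS EXP (Traffic Class) field.

    Assumed mapping: keep the three most significant DSCP bits, i.e. the
    class-selector / IP-precedence bits, so EF (46) -> 5, AF31 (26) -> 3, BE (0) -> 0.
    """
    if not 0 <= dscp <= 0x3F:
        raise ValueError("DSCP out of range")
    return (dscp >> 3) & 0x7


def pcp_to_exp(pcp: int) -> int:
    """802.1p User Priority (PCP) is already a 3-bit value and is copied as-is."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP out of range")
    return pcp


def build_mpls_shim(label: int, exp: int, bos: int, ttl: int) -> bytes:
    """Encode one MPLS label stack entry (RFC 3032 layout):
    20-bit label | 3-bit EXP | 1-bit bottom-of-stack | 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= exp <= 7 or bos not in (0, 1) or not 0 <= ttl <= 255:
        raise ValueError("EXP, S or TTL out of range")
    word = (label << 12) | (exp << 9) | (bos << 8) | ttl
    return struct.pack("!I", word)


def parse_mpls_shim(data: bytes) -> dict:
    """Decode the first label stack entry: a receiver-side check that the marks survived."""
    (word,) = struct.unpack("!I", data[:4])
    return {
        "label": word >> 12,
        "exp": (word >> 9) & 0x7,
        "bos": (word >> 8) & 0x1,
        "ttl": word & 0xFF,
    }


def mark_for_lsp(tos: int, label: int, ttl: int = 64, bos: int = 1) -> bytes:
    """DiffServ-to-LSP mapping: derive the shim's EXP bits from the IP packet's TOS byte."""
    return build_mpls_shim(label, dscp_to_exp(tos_to_dscp(tos)), bos, ttl)


def mark_for_lsp_from_vlan(pcp: int, label: int, ttl: int = 64, bos: int = 1) -> bytes:
    """802.1p-to-LSP mapping: derive the shim's EXP bits from the VLAN tag's PCP."""
    return build_mpls_shim(label, pcp_to_exp(pcp), bos, ttl)


if __name__ == "__main__":
    for tos in (SAMPLE_TOS_EF, SAMPLE_TOS_AF31, 0x00):
        shim = mark_for_lsp(tos, SAMPLE_LABEL)
        print(f"TOS 0x{tos:02x} -> DSCP {tos_to_dscp(tos):2d} -> shim {shim.hex()} -> {parse_mpls_shim(shim)}")
```

The point worth checking in a deployment is the one the parser makes visible: a DSCP value has 64 possible codepoints but EXP only 8, so distinct classes that share their top three bits (for example AF31 and AF33) collapse to the same treatment inside the MPLS core, and ECN bits set on the IP header never reach the shim at all.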

An Internet Service Provider sells slices of bandwidth to subscribers (defined in Pipes), with an advanced offering of tiered services (for example, Gold, Silver and Bronze customers). Managing customer traffic with high granularity is needed.


For example, a separate Pipe can be created for each subscriber, dividing traffic according to the customer's needs.

Figure 1-1 – ISP POP Network with Giga Bit Connectivity and QoS

The ISP would like to control the maximum usage of each subscriber while limiting the total bandwidth used. Moreover, the ISP needs to over-subscribe customers (there are more customers than the available bandwidth can support for each Virtual Channel/Pipe). The ISP would like to offer tiered services.

The NetEnforcer AC-1000 does the following for ISPs:

• Assigns tiered services (for example, Gold, Silver and Bronze service levels).

• Limits users and protocols to a maximum (for example, limit download/upload of music using P2P).

• Sets a minimum for Smart Building tenants.

• Assigns a maximum to every home user.

• Using templates, the ISP is able to over-subscribe tenants (since, most probably, not all of them will be active at the same time).

• Provides detailed call records for IP sessions.


Scenario 2: Internet Data Center

The benefits of NetEnforcer AC-1000 in data centers include:

• SLA monitoring and enforcement. Operators can limit servers that exceed traffic SLA parameters.

• DoS protection. Limit and monitor the number of connections handled by each server.

• Real-time monitoring.

• Alerts.

• Reporting. All session data is recorded, and session data can be exported to an external server (CSV format files).

• Enable customers to monitor and control their bandwidth pipes with the optional NetPolicy Provisioner.

Internet Data Center management requires detailed management of traffic flows to hosted servers. IDC customers are protected with guaranteed traffic to and from hosted servers. Network resources are preserved against malicious traffic, including worms (such as Slammer) that cause heavy, superfluous, artificial traffic to the server farm.

In addition to specific traffic enforcement requirements, IDC operators need to monitor and manage traffic usage as well as the total access to each server. Monitoring information in real time provides IDC operators the troubleshooting data they need, should a network load issue arise. Recording and monitoring network and application traffic and health statistics of the network resources provide management with pro-active tools for daily operations.


Other features provided by NetEnforcer include:

• Alert notifications that produce quick turnaround on customers’ issues. (You can deal with the problem before the customer is even aware of it.)

• IP-CDRs (IP Call Detail Records), which are used for billing and customer support systems.

Figure 1-2 – Sample Internet Data Center Network

The Internet Data Center hosts commercial servers for customers and guarantees a level of service (SLA). Corporate customers enjoy wide bandwidth to the server farm (wide and fast connection to the www backbone), redundancies and outsourced professional management of the corporate data centers.

Scenario 3: Enabling CATV Providers to Offer Advanced IP Services

NetEnforcer enables CATV providers to offer the following advanced services and benefits:

• SLAs, tiered services and fairness per subscriber.

• Reduced bandwidth costs through P2P throttling and usage limitations.


• Implementation of usage-based billing.

• Prevention of unauthorized use.

Cable carriers are now commonly offering broadband Internet to residential users. The cable infrastructure is distributing both TV programs and new high-speed IP services to generate more revenue from the same cabling system.

Figure 1-3 – NetEnforcer in CATV Environment

Residential users, when using “always-on” service, are abusing P2P and web downloads. The cable technology is shared between users on a massive scale and raises operational issues, such as decreasing speeds as the number of users grows, security concerns from sharing the same media, and difficulty differentiating key services (for example, VoIP) from other non-time-sensitive applications (for example, file downloads).

NetEnforcer provides the following:

• Easy, on demand provisioning.

• User fairness and/or tiered services.

• P2P limitations.


• Time-based bandwidth management.

• Seamless interface with billing systems.

The latest DOCSIS 2.0 standard is only capable of managing bandwidth per modem; it does not manage bandwidth at the user level and does not provide layer 7 application recognition (for example, P2P service control).

Scenario 4: Enterprise Intranet

Corporate Intranets have become key repositories of business information needed by employees across the enterprise. Companies also rely on the existence of network-based services for their businesses, running mission-critical applications for ERP, CRM, eCommerce, and more. Poor application response times, caused by the mix of business-critical and non-critical traffic on the same network, quickly translate into decreased productivity, lost revenues and increased business costs.

Corporate network managers demand full accountability of users, services, servers, WAN traffic and network resources. Whether the traffic is to a remote branch, between branches or to the Internet, the task is the same: managing applications, separating and protecting resources, monitoring traffic and usage, and handling management and control issues.

Network managers can give high priority to mission-critical applications and assure the necessary bandwidth to timing-critical applications such as voice and video, while limiting non-business applications such as P2P. Extensive monitoring capabilities, including long-term monitoring, enable network managers to manage the usage of resources such as servers and links. Protecting against overuse by non-critical applications and non-business usage increases network security (by eliminating worms and infected Web pages); limiting traffic connections enhances network security and reduces the risk of DDoS (Distributed Denial of Service) attacks.


In this example, the Pipe feature enables the network manager to manage traffic to different WAN links, creating a Pipe for each one of them.

Figure 1-4 – Corporate Network Structure with Two Outgoing WAN Links

The network manager wants to assign a maximum bandwidth to each WAN link. Traffic of multiple protocols goes to different locations, distinguished by IP address.

Pipes are created as follows:

• Link 1 bandwidth is 45 Mbps. Traffic includes Oracle (business application) and Multimedia, classified based on TOS marking.

• Link 2 bandwidth is 155 Mbps. Normal traffic includes Internet browsing, FTP and backup to Oracle traffic.

• Link 3 bandwidth is 310 Mbps. This is a connection to an alternate disaster recovery center.

All traffic to links is classified based on the destination address.
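As an added Python example (not code from the guide or from Allot), the following models the Pipe scheme described above: each packet is assigned to a Pipe by destination address, Link 1 traffic is further split into Oracle and Multimedia channels by DSCP marking, and each Pipe is capped at its link bandwidth per one-second interval. The destination networks, DSCP code points and packet stream are constructed assumptions; the three link sizes are the scenario's.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Pipe:
    name: str
    dest_net: IPv4Network   # traffic is assigned to a Pipe by destination address
    max_mbps: float         # maximum bandwidth for the WAN link


# Link bandwidths are the scenario's; the destination networks are constructed.
PIPES: List[Pipe] = [
    Pipe("Link 1", ip_network("10.1.0.0/16"), 45.0),
    Pipe("Link 2", ip_network("10.2.0.0/16"), 155.0),
    Pipe("Link 3", ip_network("10.3.0.0/16"), 310.0),
]

# Assumed DSCP code points (upper six bits of the TOS byte) for the Link 1 classes.
DSCP_EF = 46     # Multimedia
DSCP_AF31 = 26   # Oracle


def classify(dst_ip: str, tos: int) -> Tuple[str, str]:
    """Return (pipe, virtual channel); unmatched destinations are 'Unclassified'."""
    addr = ip_address(dst_ip)
    for pipe in PIPES:
        if addr in pipe.dest_net:
            if pipe.name != "Link 1":
                return pipe.name, "Default"
            dscp = tos >> 2
            if dscp == DSCP_EF:
                return pipe.name, "Multimedia"
            if dscp == DSCP_AF31:
                return pipe.name, "Oracle"
            return pipe.name, "Other"
    return "Unclassified", "Default"


@dataclass
class PipeStats:
    forwarded_bits: int = 0
    exceeded_bits: int = 0   # traffic above the Pipe maximum (a shaper would queue or drop it)


Packet = Tuple[float, str, int, int]   # (timestamp_s, dst_ip, tos, length_bytes)


def enforce(packets: Iterable[Packet], interval_s: float = 1.0) -> Dict[str, PipeStats]:
    """Apply each Pipe's maximum bandwidth over fixed intervals of interval_s seconds."""
    limits = {p.name: p.max_mbps * 1_000_000 * interval_s for p in PIPES}
    used: Dict[Tuple[str, int], int] = {}   # (pipe, interval index) -> bits admitted
    stats = {p.name: PipeStats() for p in PIPES}
    for ts, dst, tos, length in packets:
        pipe, _vc = classify(dst, tos)
        if pipe not in stats:
            continue                         # unclassified traffic is not shaped here
        key = (pipe, int(ts // interval_s))
        bits = length * 8
        if used.get(key, 0) + bits <= limits[pipe]:
            used[key] = used.get(key, 0) + bits
            stats[pipe].forwarded_bits += bits
        else:
            stats[pipe].exceeded_bits += bits
    return stats


def build_sample_packets() -> List[Packet]:
    """Constructed one-second burst: ~80 Mbit of Oracle traffic to Link 1, ~100 Mbit to Link 2."""
    pkt_bits = 1500 * 8
    pkts: List[Packet] = []
    for i in range(80_000_000 // pkt_bits):          # 6666 packets, 79,992,000 bits
        pkts.append((i * 1e-4, "10.1.20.5", DSCP_AF31 << 2, 1500))
    for i in range(100_000_000 // pkt_bits):         # 8333 packets, 99,996,000 bits
        pkts.append((i * 1e-4, "10.2.0.9", 0, 1500))
    return pkts


if __name__ == "__main__":
    for name, s in enforce(build_sample_packets()).items():
        print(f"{name}: forwarded {s.forwarded_bits / 1e6:.1f} Mbit, "
              f"exceeded {s.exceeded_bits / 1e6:.1f} Mbit")
```

Running it shows Link 1 admitting exactly 45 Mbit of the 80 Mbit offered while Link 2 passes all 100 Mbit untouched, which is the per-link maximum the scenario asks for.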


Scenario 5: Enterprise Internet Connection with VPN

In addition to the ever-growing need for time-sensitive video conferencing and voice over IP (VoIP), modern corporate networks require fast, secured VPN connections between the company's office locations. As a low-cost alternative to expensive legacy telephone calls, and for fast access to company data resources, companies are building their networks with Gigabit Ethernet connections to an ISP POP.

NetEnforcer AC-1010 serves as a "gateway" that enables the movement of information from public networks to private ones. Utilizing newly offered services based on MPLS, corporate network managers can take advantage of MPLS-based VPN services.

In addition to offering better response time to mission-critical applications by prioritizing their traffic or guaranteeing them a portion of the bandwidth, NetEnforcer AC-1010 ensures a smooth transition from a DSCP (DiffServ)-based network to an MPLS-based backbone while classifying and preserving application QoS. Traffic is classified according to network policy; less critical and less time-sensitive applications receive a limited amount of bandwidth or a lower priority, and NetEnforcer guarantees the performance of business-critical applications. Packets are colored with DSCP marking so that MPLS routers can "understand" and treat the packets accordingly.

By mapping the DSCP bits to the MPLS labels, the ISP preserves the enterprise customer QoS marking. The ISP provides whatever class of service is specified all the way to the far end.

In general, NetEnforcer AC-1010 controls important network resources such as bandwidth, servers, applications and users. It also monitors and records traffic usage information based on clients, servers, application, time and DiffServ tagging. When combined with the Differentiated Services standard (DiffServ) the network operator (ISP) may combine service level (implemented by DiffServ) and traffic engineering (implemented by MPLS) into one system in which the DiffServ behavior is managed by the MPLS routing.


Figure 1-5 – Sample Corporate Network with Two Locations Connected via MPLS VPN

Figure 1-6 – End to End QoS Marking on Packets Traveling an MPLS Network


Scenario 6: Protecting Networks from DDoS Attacks

One of the best security practices for the enterprise is to design a multi-layered security system. You can use NetEnforcer to monitor, alert and block DoS attacks, and enhance the overall security of your enterprise network.

The Problem

Malicious worms were recently distributed and unwittingly duplicated throughout the Internet. The systems of unwilling accomplices actively participated in scheduled and planned DoS (Denial of Service) attacks on unsuspecting sites. Infected systems increased the demand for bandwidth and server resources, thereby slowing down business-critical applications.

DDoS (Distributed Denial of Service) attacks are more intense and damaging than DoS attacks. In DDoS attacks, multiple machines unknowingly participate in an attack against a single host target. In February 2000, a variant of the Smurf and DoS attacks brought down Yahoo!, Buy.com, CNN.com, Amazon.com and other sites. In these attacks, hacker "agents" were loaded on hundreds of "Zombie" client machines. A master console then directed, past firewalls, all of the Zombie systems to become active and attack the victim.

Malicious traffic, disguised as legitimate traffic, passes firewalls that normally filter out illegal traffic. There is a need for a multilayer security system—one that enhances firewalls and protects network resources from attacks.

The Solution

Use bandwidth management to protect your network from DoS attacks and malicious traffic. Improving network performance by resource management creates a first line of protection from illegitimate users and applications that seize an undeserved share of resources.


NetEnforcer detects known DoS and DDoS attacks and intelligently blocks new flows suspected as destructive traffic. Placing the NetEnforcer at the edge of the enterprise network creates a first line of defense, enhancing performance of firewalls and internal network devices. NetEnforcer discards malicious traffic packets that slip past routers and firewalls to improve application performance and to enhance network security.

By deploying NetEnforcer, service providers and enterprises can monitor, record and alert users of imminent attacks on network resources. Moreover, NetEnforcer's accounting database registers traffic statistics of all sessions, and assists network administrators to pinpoint attackers. NetEnforcer's Log gives abnormal-event notifications, such as when packets are denied access.

Preventing a DoS Attack with NetEnforcer

NetEnforcer can prevent a DoS attack in the following way:

1. The attacker sends broadcast ICMP with the victim's spoofed address.

2. Unwitting accomplices send ICMP echo replies (to the victim's address).

3. NetEnforcer detects the high number of ICMP connections and blocks them.
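The three-step sequence above, as an added Python example that is not part of the guide or of NetEnforcer's own implementation: a detector that counts distinct ICMP echo-reply sources per destination in a sliding window and, once the count crosses a threshold, raises an alert and drops further echo-reply flows to that destination. The window size, threshold, addresses and flow records are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

ICMP_ECHO_REPLY = 0  # ICMP type 0


@dataclass(frozen=True)
class Flow:
    """One observed flow start (constructed record format, not NetEnforcer's)."""
    ts: float               # seconds since start of capture
    proto: str              # "icmp", "tcp" or "udp"
    icmp_type: Optional[int]
    src: str
    dst: str


class IcmpReflectionDetector:
    """Flags a destination that receives echo replies from many distinct sources.

    In a Smurf-style reflection, one spoofed broadcast request produces replies
    from every host on the amplifier network, all addressed to the victim. The
    tell-tale is therefore many distinct reply sources per destination within a
    short window, not merely a high packet rate from one host.
    """

    def __init__(self, window_s: float = 10.0, threshold: int = 50) -> None:
        self.window_s = window_s
        self.threshold = threshold
        self._replies: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.blocked: Set[str] = set()   # destinations whose new echo-reply flows are dropped

    def _expire(self, dst: str, now: float) -> None:
        """Drop entries older than the window so counts reflect recent traffic only."""
        q = self._replies[dst]
        while q and now - q[0][0] > self.window_s:
            q.popleft()

    def observe(self, flow: Flow) -> str:
        """Return the verdict for a new flow: 'forward', 'alert' or 'drop'."""
        if flow.proto != "icmp" or flow.icmp_type != ICMP_ECHO_REPLY:
            return "forward"          # only unsolicited reply floods are modelled here
        if flow.dst in self.blocked:
            return "drop"
        q = self._replies[flow.dst]
        q.append((flow.ts, flow.src))
        self._expire(flow.dst, flow.ts)
        distinct_sources = len({src for _, src in q})
        if distinct_sources >= self.threshold:
            self.blocked.add(flow.dst)
            return "alert"            # first crossing: log an abnormal event, then block
        return "forward"


def build_sample_flows() -> List[Flow]:
    """Constructed traffic: one normal echo reply, a 60-source reflection burst, one TCP flow."""
    victim = "203.0.113.7"
    flows = [Flow(0.0, "icmp", ICMP_ECHO_REPLY, "192.0.2.10", "198.51.100.5")]
    for i in range(60):   # amplifier hosts 192.0.2.100 .. 192.0.2.159 replying to the victim
        flows.append(Flow(1.0 + i * 0.01, "icmp", ICMP_ECHO_REPLY, f"192.0.2.{100 + i}", victim))
    flows.append(Flow(5.0, "tcp", None, "192.0.2.50", victim))   # non-ICMP traffic is untouched
    return flows


def run(flows: List[Flow], window_s: float = 10.0,
        threshold: int = 50) -> Tuple[List[str], Set[str]]:
    """Feed flows through a detector; return the per-flow verdicts and the blocked set."""
    det = IcmpReflectionDetector(window_s, threshold)
    verdicts = [det.observe(f) for f in flows]
    return verdicts, det.blocked


if __name__ == "__main__":
    v, b = run(build_sample_flows())
    print({k: v.count(k) for k in ("forward", "alert", "drop")}, "blocked:", sorted(b))
```

Blocking by destination also discards the victim's legitimate echo replies for as long as it stays in the blocked set, so the alert, not the drop alone, is what an operator acts on.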

Figure 1-7 – Preventing a DoS Attack with NetEnforcer


Chapter 2: Installing NetEnforcer

This chapter describes the NetEnforcer AC-1000 series hardware and the initial installation and setup of NetEnforcer. NetEnforcer is a transparent learning bridge that is IEEE 802.1-compliant. NetEnforcer works with a Bypass module. The Bypass module ensures that data continues flowing should any hardware or software problem occur. While NetEnforcer is bypassed, all traffic goes through passive elements only and still allows the network to function.

This chapter includes the following sections:

Hardware Description, page 2-2, describes the NetEnforcer platform and models, and provides a physical description of the NetEnforcer front panel, as well as a description of the external Bypass module.

Placement in the Network, page 2-28, describes where to place NetEnforcer in a network and how to connect NetEnforcer to the network.

Setting Up NetEnforcer, page 2-35, describes how to configure the initial basic parameters required to work with NetEnforcer, using a terminal or via the LCD panel.

Figure 2-1 – NetEnforcer AC-1010: Fiber Interface (Top); NetEnforcer AC-1010: Copper Interface (Bottom)


Hardware Description

The NetEnforcer AC-1000 series offers a carrier-grade design with redundant critical components for fail-safe operation. Redundant hardware components include the system's fans and dual hot-swappable power supplies. The NetEnforcer AC-1000 series is designed to meet ETSI standards.

The AC-1000 series comes with an additional Bypass module.

CAUTION:

The appropriate Bypass module must be connected to the AC-1000. This is to ensure continuous service in the event of failure.

NOTE:

The AC-1000 NetEnforcer NIC default factory setting is always Auto-Negotiation enabled, with one exception: the AC-1010 Copper, whose default NIC setting is 1000 full, Auto-Negotiation disabled.

It is recommended to keep the NetEnforcer default setting; changing the NIC setting is done via the LCD panel only.

Several NetEnforcer models are available to support large and small sites and different data network speeds.

NetEnforcer AC-1020 is intended for a mesh network configuration in which redundancy is maintained by connecting each path to a different network device. The AC-1020 has two-line connectivity, versus the AC-1010, which has one-line connectivity.

The NetEnforcer AC-1020 is managed by a single QoS policy that manages the traffic through all of the NetEnforcer’s interfaces. Should one link fail, the traffic would still flow through the other link.

The NetEnforcer AC-1000 models currently available are described in the table on the following pages.


NetEnforcer® AC-1000 Carrier-Grade Platform

Part Number | Model | Version | No. of Interfaces | Bandwidth | Pipes | Policies | Connections
--- | --- | --- | --- | --- | --- | --- | ---
KAC-1010/155M-PS-I-IT | NetEnforcer AC-1010/155M | 6.x | 2 x 1000 Mbps | 155 Mbps | 2,048 | 8,192 | 128,000
KAC-1010/310M-PS-I-IT | NetEnforcer AC-1010/310M | 5.x | 2 x 1000 Mbps | 310 Mbps | 2,048 | 8,192 | 128,000
KAC-1010/622M-PS-I-IT | NetEnforcer AC-1010/622M | 6.x | 2 x 1000 Mbps | 622 Mbps | 2,048 | 8,192 | 256,000
KAC-1010/1G-PS-I-IT | NetEnforcer AC-1010/1G | 6.x | 2 x 1000 Mbps | 1000 Mbps | 2,048 | 8,192 | 256,000
KAC-1020/155M-PS-I-IT | NetEnforcer AC-1020/155M | 6.x | 4 x 1000 Mbps | 155 Mbps | 2,048 | 8,192 | 128,000
KAC-1020/310M-PS-I-IT | NetEnforcer AC-1020/310M | 6.x | 4 x 1000 Mbps | 310 Mbps | 2,048 | 8,192 | 128,000
KAC-1020/622M-PS-I-IT | NetEnforcer AC-1020/622M | 6.x | 4 x 1000 Mbps | 622 Mbps | 2,048 | 8,192 | 256,000
KAC-1020/1G-PS-I-IT | NetEnforcer AC-1020/1G | 6.x | 4 x 1000 Mbps | 1000 Mbps | 2,048 | 8,192 | 256,000
KAC-1040/400M-PS-I-IT | NetEnforcer AC-1040 | 6.x | 8 x 100 Mbps | 400 Mbps | 4,096 | 28,672 | 1,000,000

NetEnforcer® AC-1000 Carrier-Grade Platform for Service Providers

Part Number | Model | Version | No. of Interfaces | Bandwidth | Pipes | Policies | Connections
--- | --- | --- | --- | --- | --- | --- | ---
KAC-1010/SP-155M-PS-I-IT | NetEnforcer AC-1010/SP-155M | 6.x | 2 x 1000 Mbps | 155 Mbps | 10,000 | 80,000 | 1,000,000
KAC-1010/SP-310M-PS-I-IT | NetEnforcer AC-1010/SP-310M | 6.x | 2 x 1000 Mbps | 310 Mbps | 10,000 | 80,000 | 1,000,000
KAC-1010/SP-622M-PS-I-IT | NetEnforcer AC-1010/SP-622M | 6.x | 2 x 1000 Mbps | 622 Mbps | 10,000 | 80,000 | 1,000,000
KAC-1010/SP-1G-PS-I-IT | NetEnforcer AC-1010/SP-1G | 6.x | 2 x 1000 Mbps | 1000 Mbps | 10,000 | 80,000 | 1,000,000
KAC-1020/SP-155M-PS-I-IT | NetEnforcer AC-1020/SP-155M | 6.x | 4 x 1000 Mbps | 155 Mbps | 10,000 | 80,000 | 1,000,000
KAC-1020/SP-310M-PS-I-IT | NetEnforcer AC-1020/SP-310M | 6.x | 4 x 1000 Mbps | 310 Mbps | 10,000 | 80,000 | 1,000,000
KAC-1020/SP-622M-PS-I-IT | NetEnforcer AC-1020/SP-622M | 6.x | 4 x 1000 Mbps | 622 Mbps | 10,000 | 80,000 | 1,000,000
KAC-1020/SP-1G-PS-I-IT | NetEnforcer AC-1020/SP-1G | 6.x | 2 x 1000 Mbps | 1000 Mbps | 10,000 | 80,000 | 500,000

NOTE:

When ordering, please specify: PS – power supply (AC or DC); I – interface (C – Copper or F – Fiber); IT – fiber interface (LX or SX).

Ordering Information

For ordering purposes, the following reference is used:

Code | Definition | Values | Description
--- | --- | --- | ---
SP | Service Provider model | SP | SP models have more policies
PS | Power Supply | AC | AC/DC 100-240V Power Supply
PS | Power Supply | DC | DC/DC -48V Power Supply
I | Interface | F | Fiber
I | Interface | C | Copper 1000Base-T
IT | Interface Type | LX | Fiber 1000Base-LX
IT | Interface Type | SX | Fiber 1000Base-SX

NetEnforcer AC-1000 (Carrier Grade) was designed to conform to ETSI and NEBS standards. It also conforms to FCC, UL and CE standards. The front panel display and 4-key keypad enable setup and activity monitoring; management and console ports are included. The Link Connections interface includes two gigabit ports with removable modules for fiber or copper (GBIC).


Unpacking NetEnforcer

Verify that the following items are included with NetEnforcer:

• NetEnforcer (hardware with pre-installed software)

• NetEnforcer User Guide

• 2 Power Cables

• 1 Serial Console Cable

• 2 19" Side Mounting Brackets

• 8 Mounting Bracket Screws

• Backup Cable: D-type High Density Cable

NOTE:

The maximum length for the Ethernet cable for Copper models is generally up to 50 meters.


NetEnforcer Front Panel

The AC-1000 series connects to your network via the Link Connection connectors. The LCD panel, connectors and LED indicators on the front panel are shown in the following diagrams.

The network connectors vary according to the interface on the model. The AC-1010 with Fiber interface is shown below:

[Figure 2-2 callouts: LCD Panel; Power Supply Modules; Accessory Area; Link Connections Area]

Figure 2-2 – NetEnforcer AC-1010 Front Panel: Fiber Interface

CAUTION: The NetEnforcer AC-1010 Fiber models are CLASS 1 LASER PRODUCTS. DANGER! Invisible laser radiation when opened. AVOID DIRECT EXPOSURE TO BEAM.


The AC-1010 with Copper interface is shown below.

[Figure 2-3 callouts: LCD Panel; Power Supply Modules; Accessory Area; Link Connections Area]

Figure 2-3 – NetEnforcer AC-1010 Front Panel: Copper Interface

The AC-1020 with Fiber interface is shown below.

[Figure 2-4 callouts: Link Connections Area; Power Supply Modules; Accessory Area; LCD Panel]

Figure 2-4 – NetEnforcer AC-1020 Front Panel: Fiber Interface


Figure 2-5 – NetEnforcer AC-1040 Front Panel

The front panel of NetEnforcer is laid out as follows:

• LCD panel, described on page 2-10.

• Power supply modules, described on page 2-15.

• Accessory area, including the following:
  • Management port, described on page 2-13
  • Management LEDs, described on page 2-13
  • Console connector
  • Backup High Density D-type connector
  • Two power cable connectors

The Link Connections area varies slightly according to the NetEnforcer model.

For AC-1010 models, the Link Connection area includes the following:
  • External port, hot-swappable GBIC module (RJ-45 connector for AC-1010 Copper or duplex SC fiber optic connector for AC-1010 Fiber)
  • External LEDs, described on page 2-13
  • Internal port, hot-swappable GBIC module (RJ-45 connector for AC-1010 Copper or duplex SC fiber optic connector for AC-1010 Fiber)
  • Internal LEDs, described on page 2-11

For AC-1020 models, the Link Connection area includes the following:

Link 1 (left)
  • External port, hot-swappable SFP module (RJ-45 connector for AC-1020 Copper or duplex LC fiber optic connector for AC-1020 Fiber)
  • External LEDs, described on page 2-13
  • Internal port, hot-swappable SFP module (RJ-45 connector for AC-1020 Copper or duplex LC fiber optic connector for AC-1020 Fiber)
  • Internal LEDs, described on page 2-11

Link 2 (right)
  • External port, hot-swappable SFP module (RJ-45 connector for AC-1020 Copper or duplex LC fiber optic connector for AC-1020 Fiber)
  • External LEDs, described on page 2-13
  • Internal port, hot-swappable SFP module (RJ-45 connector for AC-1020 Copper or duplex LC fiber optic connector for AC-1020 Fiber)
  • Internal LEDs, described on page 2-11

For AC-1040 models, the Link Connection area includes the following:

Link 1 (upper left)
  • External port, RJ-45 connector
  • Internal port, RJ-45 connector

Link 2 (upper right)
  • External port, RJ-45 connector
  • Internal port, RJ-45 connector

Link 3 (lower left)
  • External port, RJ-45 connector
  • Internal port, RJ-45 connector

Link 4 (lower right)
  • External port, RJ-45 connector
  • Internal port, RJ-45 connector


LCD Panel

The NetEnforcer LCD panel provides an indication of traffic usage and enables you to configure NetEnforcer directly without the need to connect a terminal. You can also start, reboot and shut down NetEnforcer from the front panel.

[Figure 2-6 callouts: On/Off; Enter; Up Arrow; Display Area; Select; Power Indicator; Active Indicator; Standby Indicator; Left Arrow; Right Arrow; Down Arrow]

Figure 2-6 – NetEnforcer LCD Panel

For a description of how to configure NetEnforcer using the LCD panel, refer to Configuring Via the LCD Panel, page 2-44.

For a description of the Standby, Active and Power LEDs, refer to Interface Status Indicators, page 2-11.

Interface Status Indicators

Status Indicators – AC-1000 Series

The front panel of the AC-1000 series contains link LEDs, Management port LEDs and LCD panel LEDs.

The modes of operation of the Link (External and Internal) and Management port LEDs are described in the table below.


Ext/Int/Mgmnt LED | NetEnforcer Status
--- | ---
Green | A lit green LED indicates that a link is detected.
Amber | A blinking amber LED indicates that traffic is detected on the interface.
Off | An unlit LED indicates that neither links nor activities were detected.

Table 2-1 – External/Internal/Management LED Conditions

Status Indicators – AC-1040

[Figure 2-7 callouts: LINK; ACT]

Figure 2-7 – AC-1040 Status Indicators

Ext/Int LED | NetEnforcer Status
--- | ---
Green | A lit green LED indicates that a link is detected.
Red | A blinking red LED indicates that traffic is detected on the interface.
Off | An unlit LED indicates that neither links nor activities were detected.


Unit Status Indicators

The modes of operation of the Standby, Active and Power LEDs on the LCD panel are described in the table below.

Indicator | Status | NetEnforcer Status
--- | --- | ---
Standby | On | Two NetEnforcers are connected in Redundancy mode and this NetEnforcer is the secondary system.
Standby | Off | This NetEnforcer is the primary system. If you have one NetEnforcer, this should be the normal state of the LED. If you have two NetEnforcers configured in Redundancy mode, this NetEnforcer is the primary system.
Active | On | NetEnforcer is in Active mode.
Active | Off | NetEnforcer is in Bypass mode, or this is the secondary NetEnforcer in a Full Redundancy configuration and it is not active. Traffic passes through NetEnforcer with no Quality of Service or traffic shaping.
Power | On | NetEnforcer is powered up.
Power | Off | NetEnforcer is shut down.

Table 2-2 – Standby/Active/Power LED Conditions

Out-of-Band Management (Port)

Out-of-band management provides the following:

• Offers physical separation between shaped traffic and management traffic.

• Enables access to NetEnforcer even if there is a problem in the network (for example, a DoS attack).

• Prevents management traffic from interfering with shaped traffic.

• Permits NetEnforcer management from a DMZ.


NetEnforcer includes a dedicated Management port for out-of-band management of the NetEnforcer. The dedicated Management port provides a secure solution for device management for enterprises and service providers. It enables you to permit access solely to a closed group of network administrators, so that ISP customers cannot "see" the Management port and therefore cannot access NetEnforcer management. Operating through the Management port denies management access to the device from the Internal or External ports. Moreover, when there is a problem in the regular network, for example a DoS (Denial of Service) attack, you can still manage and monitor the NetEnforcer.

Figure 2-8 – Management Port

Using a Management port has the following benefits:

• Provides a security feature that prevents ISP customers from "seeing" the Management port and thus prevents access to NetEnforcer. The Internal and External ports function solely to forward traffic; consequently only the administrator (the only one who has access to the Management port) has access to NetEnforcer.

• Enables configuring, installing and upgrading while the unit is in Bypass mode. This is particularly important when NetEnforcer is in carrier environments.

• Improves NetEnforcer's forwarding performance by separating the management traffic from the regular traffic. In addition, if a problem exists in the regular network you can still communicate with NetEnforcer in order to repair the problem.

• Provides an infrastructure for improvement of the redundancy capabilities.

NOTE:

The Management port has its own MAC and IP address.

Power Supply

NetEnforcer includes two hot-swappable power supply modules and a dual line feed for redundancy purposes. Each line feed drives one power supply.

NOTE:

The AC power supply automatically adapts to voltages between 100 V and 240 V, 50/60 Hz.

The DC power supply automatically adapts to voltages of 48 V or 60 V DC.

Should you need to, you can replace one of the power supplies while NetEnforcer is connected and operating. Replacing a power supply while the unit is operating is possible since the remaining power supply will take the full load and maintain full operation.

NOTE:

To remove a power supply module, undo the two screws in the lower left and right corners, lift the handle and slide the module out.


Each power supply has two LEDs located beneath the power supply handles. The LEDs indicate the following:

LED | Power Supply Status
--- | ---
Green | The green LED indicates that the power supply is connected to power and no failure condition exists.
Amber | The amber LED indicates that a failure condition exists.

CAUTION:

The power entry modules (AC supply option) include two fuses (T2A 250 V, 5 x 20 mm) at each power entry. One is a spare fuse for replacement purposes. You can open the fuse box and change when necessary.

For continued protection against risk of fire, replace only with same type and rating of fuse.

Fault Tolerance

For fault tolerance, NetEnforcer includes the following:

• Redundant critical components:
  • Two hot-swappable, load-sharing, redundant power supply modules (AC/DC)
  • Dual power line feed
  • Dual redundant chassis fans and electrical feeds

• Hardware bypass: a hardware or software failure results in a straight-through "wire" connection

• Redundancy (dual systems configuration): an alternate secondary NetEnforcer automatically takes over (with the existing policies) if the primary unit fails


Bypass Modules

The AC-1000 series operates with an external Bypass module. The Bypass module is a mission-critical subsystem designed to ensure network connectivity at all times. The Bypass mechanism provides "connectivity insurance" in the event of a NetEnforcer subsystem failure.

NetEnforcer is supplied with a Bypass module appropriate to the model. The AC-1010 Fiber operates with a Fiber Bypass and the AC-1010 Copper operates with a Copper Bypass. The AC-1020 Fiber operates with a Double Fiber Bypass and the AC-1020 Copper operates with a Double Copper Bypass. The Bypass module is connected to NetEnforcer by a series of leads and cables.

CAUTION:

NetEnforcer AC-1000 must be connected to the appropriate Bypass module. This is to ensure continuous service in the event of failure.

A separate NetEnforcer Bypass package is included with your AC-1000 series shipment. The box includes the following:

• The appropriate NetEnforcer Bypass module

• 2 19" side mounting brackets

• 4 Ethernet UTP CAT 5 cables (supplied with a Copper Bypass module)

• 8 Ethernet UTP CAT 5 cables (supplied with a Double Copper Bypass module)


Fiber Bypass Module

The Fiber Bypass module works in conjunction with NetEnforcer AC-1010 Fiber.

[Figure 2-9 callouts: To External Network Connector; To Primary NetEnforcer Connector; To Secondary NetEnforcer Backup Connector; Fiber Cable; To Internal Network Connector]

Figure 2-9 – Fiber Bypass Module

NOTE:

Use 62.5/125 µm or 50/125 µm fiber optic cables to connect the 1 Gbps ports (duplex SC connectors marked with Internal and External labels).

The Fiber Bypass module includes two duplex SC connectors, two built-in fiber cables and two D-type 9-pin connectors for the primary and redundant unit backup connections.


Connecting the Fiber Bypass Module

The following procedure describes how to connect a Fiber Bypass module to NetEnforcer AC-1010. The procedure contains circled numbers, for example (1), relating to reference numbers used in the diagram.

Figure 2-10 – Connecting NetEnforcer AC-1010 to Fiber Bypass Module

To connect the Fiber Bypass to NetEnforcer:

1. Connect the fiber cable labeled External from the Bypass module (7) to the External port on NetEnforcer (1).

2. Connect the fiber cable labeled Internal from the Bypass module (7) to the Internal port on NetEnforcer (2).

3. Connect the D-type High Density connector from the Primary port on the Bypass module (8) to the Backup port on NetEnforcer (3).

4. Connect a 62.5/125 µm or 50/125 µm External fiber optic cable from the External port on the Bypass module (5) to a 1 Gbps router.


5. Connect a 62.5/125 µm or 50/125 µm Internal fiber optic cable from the Internal port on the Bypass module (6) to a 1 Gbps switch.

6. To connect a secondary NetEnforcer for Full Redundancy, you need two NetEnforcers and one Bypass module. Connect the backup D-type High Density connector from the Secondary port on the Bypass module (4) to the other NetEnforcer. The Internal and External connectors of the redundant NetEnforcer should be connected directly to the network; there is no need to connect them via the Bypass module.

Copper Bypass Module

The Copper Bypass module works in conjunction with NetEnforcer AC-1010 Copper.

[Figure 2-11 callouts: To External Router Connector; To Internal Switch Connector; External Connector; Internal Connector; Mode LED Indicator; To Secondary NetEnforcer Backup Connector; To Primary NetEnforcer Connector]

Figure 2-11 – Copper Bypass Module

NOTE:

It is recommended to use the Ethernet UTP CAT 5 cables that are supplied with the Copper Bypass accessory kit to connect 1000Base-T ports (RJ-45 marked with Internal and External labels).


The Copper Bypass module includes RJ-45 connectors for Ethernet cables and two D-type 9-pin connectors for the primary and redundant unit backup connections.

Connecting the Copper Bypass Module

The following procedure describes how to connect a Copper Bypass module to NetEnforcer AC-1010. The procedure contains circled numbers, for example (1), relating to reference numbers used in the diagram.

Figure 2-12 – Connecting NetEnforcer AC-1010 to Copper Bypass Module

To connect the Copper Bypass to NetEnforcer:

1. Connect the External cable from the External port on the Bypass module (7) to the External port on NetEnforcer (1).

2. Connect the Internal cable from the Internal port on the Bypass module (8) to the Internal port on NetEnforcer (2).

3. Connect the D-type High Density connector from the Primary port on the Bypass module (9) to the Backup port on NetEnforcer (3).


4. Connect the External cable from the External port on the Bypass module (5) to a router (1000Base-T) connector.

5. Connect the Internal cable from the Internal port on the Bypass module (4) to a switch (1000Base-T) connector.

6. To connect a secondary NetEnforcer for Full Redundancy, you need two NetEnforcers and one Bypass module. Connect the backup D-type High Density connector from the Secondary port on the Bypass module (6) to the other NetEnforcer. The Internal and External connectors of the redundant NetEnforcer should be connected directly to the network; there is no need to connect them via the Bypass module.


Double Fiber Bypass Module

The Double Fiber Bypass module works in conjunction with NetEnforcer AC-1020 Fiber.

[Figure 2-13 callouts: To External Router Connector for Link 1; To Internal Switch Connector for Link 1; Mode LED Indicators; To Primary NetEnforcer Connector; To Secondary NetEnforcer Backup Connector; To NetEnforcer (External and Internal Connectors) for Link 1; To External Router Connector for Link 2; To Internal Switch Connector for Link 2; To NetEnforcer (External and Internal Connectors) for Link 2]

Figure 2-13 – Double Fiber Bypass Module

NOTE:

Use 62.5/125µ or 50/125µ fiber optic cables to connect 1 Gbps ports (duplex SC connectors marked with Internal and External labels).

The Double Fiber Bypass module includes connectors for connecting to Link 1 and Link 2 on the AC-1020. The Link Connectors area for Link 1 includes two duplex SC connectors, and two built in fiber cables with duplex LC connectors. The Link Connectors area for Link 2 includes two duplex SC connectors, and two built in fiber cables with duplex LC connectors. In addition, the Double Fiber Bypass module includes two D-type 9-pin connectors for primary and redundant unit to backup connection.


Connecting the Double Fiber Bypass Module

The following procedure describes how to connect a Double Fiber Bypass module to NetEnforcer AC-1020. The procedure contains circled numbers, for example (1), relating to reference numbers used in the diagram.

Figure 2-14 – Connecting NetEnforcer AC-1020 to Double Fiber Bypass Module

To connect the Double Fiber Bypass to NetEnforcer:

1. Connect the fiber cable labeled External from the Bypass module (7) (on the left), to the External port on NetEnforcer (1) (Link 1).

2. Connect the fiber cable labeled Internal from the Bypass module (7) (on the left), to the Internal port on NetEnforcer (2) (Link 1).

3. Connect a 62.5/125µ or 50/125µ External fiber optic cable from the External port on the Bypass module (5) (on the left), to a 1 Gbps router.

4. Connect a 62.5/125µ or 50/125µ Internal fiber optic cable from the Internal port on the Bypass module (6) (on the right), to a 1 Gbps switch.

5. Repeat Steps 1 to 4 for Link 2.


6. Connect the D-type High Density connector from the Primary port on the Bypass module (8), to the Backup port on NetEnforcer (3).

7. To connect a secondary NetEnforcer for Full Redundancy, you need two NetEnforcers and one Bypass module. Connect the backup D-type High Density connector from the Secondary port on the Bypass module (4), to another NetEnforcer. Internal and external connectors of the redundant NetEnforcer should be connected directly to the network. There is no need to connect via the Bypass module.

Double Copper Bypass Module

The Double Copper Bypass module works in conjunction with NetEnforcer AC-1020 Copper.

NOTE:

It is recommended to use the Ethernet UTP CAT 5 cables that are supplied with the Copper Bypass accessory kit to connect 1000Base-T ports (RJ-45 marked with Internal and External labels).


Connecting the Double Copper Bypass Module to NetEnforcer AC-1020

The following procedure describes how to connect a Double Copper Bypass module to NetEnforcer AC-1020. The procedure contains circled numbers, for example (1), relating to reference numbers used in the diagram.

Figure 2-13 – Connecting NetEnforcer AC-1020 to Double Copper Bypass Module

To connect the Double Copper Bypass to NetEnforcer:

1. Connect the External cable from the External port on the Bypass module (7) (on the left), to the External port on NetEnforcer (1) (Link 1).

2. Connect the Internal cable from the Internal port on the Bypass module (9) (on the left), to the Internal port on NetEnforcer (2) (Link 1).

3. Connect the External cable from the External port on the Bypass module (5), to a router (1000Base-T) connector.

4. Connect the External cable from the External port on the Bypass module (6), to a router (1000Base-T) connector.


5. Repeat Steps 1 to 4 for Link 2.

6. Connect the D-type High Density connector from the Primary port on the Bypass module (8), to the Backup port on NetEnforcer (3).

7. To connect a secondary NetEnforcer for Full Redundancy, you need two NetEnforcers and one Bypass module. Connect the backup D-type High Density connector from the Secondary port on the Bypass module (4), to another NetEnforcer. Internal and external connectors of the redundant NetEnforcer should be connected directly to the network. There is no need to connect via the Bypass module.

Multi-Port Copper Bypass Module

The Multi-port Copper Bypass module works in conjunction with NetEnforcer AC-1040.

Figure 2-15 – Multi-Port Copper Bypass Module

NOTE:

It is recommended to use the Ethernet UTP CAT 5 cables that are supplied with the Copper Bypass accessory kit to connect 1000Base-T ports (RJ-45 marked with Internal and External labels).


Connecting the Multi-Port Copper Bypass Module to NetEnforcer AC-1040

The following procedure describes how to connect the Bypass module to NetEnforcer AC-1040.

Figure 2-13 – Connecting NetEnforcer AC-1040 to the Bypass Module (diagram labels: External Routers (Internet), Internal Routers (Local Net))


To connect the Bypass module to NetEnforcer AC-1040:

1. Connect the External cable from the External port on the Bypass module (on the left) to the External port on NetEnforcer (Link 1).

2. Connect the Internal cable from the Internal port on the Bypass module (on the left) to the Internal port on NetEnforcer (Link 1).

3. Connect the External cable from the External port on the Bypass module to a router (100Base-T) connector.

4. Connect the External cable from the External port on the Bypass module to a router (100Base-T) connector.

5. Repeat Steps 1 to 4 for Links 2 to 4.

6. Connect the D-type High Density connector from the Primary port on the Bypass module to the Backup port on NetEnforcer.

7. To connect a secondary NetEnforcer for Full Redundancy, you need two NetEnforcers and one Bypass module. Connect the backup D-type High Density connector from the Secondary port on the Bypass module, to another NetEnforcer.

Internal and external connectors of the redundant NetEnforcer should be connected directly to the network. There is no need to connect via the Bypass module.


Placement in the Network

NetEnforcer is supplied with two Gigabit Ethernet interfaces. NetEnforcer is normally placed on the internal side of your access router. The Internal port of NetEnforcer interfaces with your Local Area Network (LAN) and the External port of NetEnforcer interfaces with your access router. Refer to the following diagrams to see NetEnforcer’s placement in a network.

Connecting NetEnforcer to the Network

When connecting NetEnforcer to the network, use the proper fiber or Ethernet cable.

The following diagram shows a typical method of connecting a NetEnforcer AC-1010 model in a network.

Figure 2-16 – LAN and WAN Placement of NetEnforcer AC-1010

For the NetEnforcer AC-1020 models, there are two basic network configurations that depend on the way that the traffic is routed and the policy that you wish to implement.


In the first configuration, if you wish to set policy per user (for example, limiting the bandwidth per user) and each user's traffic by default goes through one of the switches (the same switch for all of that user's traffic), NetEnforcer is connected as follows:

Figure 2-17 – Placement of NetEnforcer AC-1020 (Policy Per User)


In the second configuration, if you wish to set policy based on link (for example, one link to an ISP and the second link to an ISP) and you wish to set a global policy (for example, limiting P2P traffic), you put a NetEnforcer per router, as follows:

Figure 2-18 – Placement of NetEnforcer AC-1020 (Policy Based on Link)

NetEnforcer is capable of operating parallel to another NetEnforcer to provide Full Redundancy. If you are using NetEnforcers in Redundancy mode, refer to Appendix B, Fail-Safe Operation.


To connect NetEnforcer to your network:

1. Connect the Bypass module to NetEnforcer, as described in Bypass Modules, page 2-16.

2. Connect the LAN side of your network to the Internal connector on the front panel of the Bypass module. (With AC-1020 models, do this for Link 1 and Link 2.)

3. Connect the cable connected to the WAN side of your network to the External connector on the front panel of the Bypass module. (With AC-1020 models, do this for Link 1 and Link 2.)

To connect AC-1010 or AC-1020 Fiber, use fiber optic cables 62.5/125µ or 50/125µ, duplex SC connectors.

To connect AC-1000 Series SM Fiber (LX5, LX20, ZX), use SM fiber optic cables 9/125µ, duplex SC connectors.

To connect AC-1000 Series Copper, use Ethernet UTP CAT 5 cables.

4. Power up NetEnforcer. Refer to Powering Up NetEnforcer, page 2-34.


Powering Up NetEnforcer

Powering up is done from the LCD panel.

NOTE:

NetEnforcer and the Bypass module have to be fully plugged in and connected before power is turned on. This is to ensure proper and systematic power up.

To power up NetEnforcer:

It is recommended to connect the two power line feeds to separate power sources to have full power redundancy. The Power LED on the LCD panel is lit and the Mode LED on the Bypass module is off, indicating that the power is on and NetEnforcer is bypassed. NetEnforcer performs several power-on self-tests and the display area of the LCD panel indicates power-on self-test messages.

After a few seconds, the display area of the LCD panel indicates the following: System Loading *

Once the system has completed loading, the Active LED on the LCD panel is lit and the Mode LED on the Bypass module is lit, meaning that NetEnforcer is now connected to the network. The display area of the LCD panel indicates the default view - the current bandwidth consumption.

For example: Inbound: XXX.X

Outbound: YYY.Y

You can now proceed to configure NetEnforcer, as required.


Setting Up NetEnforcer

In order to manage and configure NetEnforcer policies remotely from your Web browser, several basic parameters must be configured on NetEnforcer. You can configure these basic parameters using a terminal connected to NetEnforcer or by using the LCD panel.

Configuring Via a Terminal

You can use a standard terminal, or a PC running terminal emulation software. Most standard Windows-based PC systems have a terminal emulation program called HyperTerminal that can be used for this purpose. Configure the terminal to run VT100 terminal emulation with the following parameters:

• 19200 baud rate (9600 baud in older version, rev A/B)

• 8 bits

• Stop bits 1

• No flow control

• No parity

To connect a terminal to NetEnforcer:

1. Use the supplied serial cable to connect the terminal to the Console connector on the front panel of NetEnforcer.

2. Ensure NetEnforcer is powered up. Refer to Powering Up NetEnforcer, page 2-34.

3. At the terminal, access a Microsoft DOS window, and at the C:\ prompt, enter Telnet (IP address of NetEnforcer). Press <Enter>. The system boots up and you are prompted for a login and a password.

4. Enter root for the login and bagabu for the password, and then enter the command menu. (To change the password, see page 2-43.)


5. Press <Enter>. The Device Setup Menu is displayed:

Figure 2-19 – NetEnforcer Setup Menu

From this menu, you can perform the following tasks:

• Configure network parameters, page 2-37.

• Display the current configuration, page 2-39.

• Change the login password, page 2-41.

• Modify the date and time settings, page 2-42.

When all necessary parameters are set, NetEnforcer prompts you to reboot. After rebooting is completed, NetEnforcer is ready to be connected and to add Quality of Service in your network.


Configuring Network Parameters

You can configure network parameters, for example, the IP address, netmask and default gateway for NetEnforcer.

To define network parameters:

1. In the Device Setup Menu, enter 2 (Network configuration) and press <Enter>. The Network Configuration menu is displayed:

Figure 2-20 – Network Configuration

2. Enter 2 (Manual configuration) and press <Enter>.

3. Enter values for the following IP parameters:

Device IP Address – The IP address for your NetEnforcer, for example, 10.10.10.1.

Network mask – The netmask for your NetEnforcer, for example, 255.255.255.0.


Device Host name – The host name for your NetEnforcer, for example, NetEnforcer.

Domain name – A domain name for your NetEnforcer, for example, MyDomain.com. Do not provide a leading ‘.’.

Default gateway IP address – The IP address of your default gateway. If you do not have a default gateway, enter none.

Primary name server IP address – If you have a Domain Name Server (DNS), enter its IP address. If you do not have a DNS, enter none.

Secondary name server IP address – If you entered a primary name server IP address and you have a second DNS, enter the IP address of the secondary DNS.

Enable VLAN environment – If you have a Virtual LAN, enter enable. If you do not have a VLAN, enter disable.

VLAN ID – If you enabled a VLAN environment, enter the ID for your VLAN.

4. Press <Enter> to finish and return to the Network Configuration menu.

5. To save your configuration, enter 3 (Save latest settings as current configuration) from the Network Configuration menu. A message is displayed, asking whether you wish to make your changes effective immediately. Enter y or n.
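Because the values entered in the Network Configuration menu take effect on a device that sits in-line with production traffic, it pays to check them before typing them at the console. The following Python script is an added example (not Allot's code, and not part of this guide) that validates the parameters listed in step 3 above; it assumes the usual 802.1Q VLAN ID range of 1 to 4094 and standard host-name labels, neither of which the guide states.

```python
"""Pre-flight check for the values entered under Manual configuration in the
NetEnforcer Network Configuration menu. Added example, not Allot's code.

Assumptions not stated in the guide: VLAN IDs are limited to the IEEE 802.1Q
range 1-4094, and host/domain labels use letters, digits and hyphens.
"""
import ipaddress
import re

NONE = "none"  # the guide's keyword for "no gateway" / "no name server"
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _check_ip(label, value, errors, allow_none=False):
    """Parse an IPv4 address; return it, or None if 'none' or invalid."""
    if allow_none and value.strip().lower() == NONE:
        return None
    try:
        return ipaddress.IPv4Address(value.strip())
    except ValueError:
        errors.append(f"{label}: '{value}' is not a valid IPv4 address")
        return None


def validate_network_config(cfg):
    """Validate a dict of Network Configuration values.

    Keys: device_ip, netmask, hostname, domain, gateway, primary_dns,
    secondary_dns, vlan ('enable' or 'disable'), vlan_id.
    Returns a list of error strings; an empty list means the values are
    consistent and can be entered and saved.
    """
    errors = []
    ip = _check_ip("Device IP Address", cfg.get("device_ip", ""), errors)

    mask = cfg.get("netmask", "").strip()
    network = None
    if ip is not None:
        try:
            # strict=False accepts a host address together with its mask
            network = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        except ValueError:
            errors.append(f"Network mask: '{mask}' is not a valid netmask")

    host = cfg.get("hostname", "").strip()
    if not _LABEL_RE.match(host):
        errors.append(f"Device Host name: '{host}' is not a valid host name")

    domain = cfg.get("domain", "").strip()
    if domain.startswith("."):
        errors.append("Domain name: do not provide a leading '.'")
    elif domain and not all(_LABEL_RE.match(p) for p in domain.split(".")):
        errors.append(f"Domain name: '{domain}' contains an invalid label")

    gw = _check_ip("Default gateway IP address", cfg.get("gateway", ""),
                   errors, allow_none=True)
    if gw is not None and network is not None:
        if gw not in network:
            errors.append(f"Default gateway {gw} is not inside {network}")
        elif gw == ip:
            errors.append("Default gateway must differ from the device IP")

    primary = _check_ip("Primary name server IP address",
                        cfg.get("primary_dns", ""), errors, allow_none=True)
    secondary = cfg.get("secondary_dns", "").strip()
    if secondary and secondary.lower() != NONE:
        if primary is None:
            errors.append("Secondary name server given without a primary")
        else:
            _check_ip("Secondary name server IP address", secondary, errors)

    vlan = cfg.get("vlan", "disable").strip().lower()
    vlan_id = cfg.get("vlan_id", "").strip()
    if vlan not in ("enable", "disable"):
        errors.append("Enable VLAN environment: enter 'enable' or 'disable'")
    elif vlan == "enable":
        if not vlan_id.isdigit() or not 1 <= int(vlan_id) <= 4094:
            errors.append(f"VLAN ID: '{vlan_id}' is not in the range 1-4094")
    elif vlan_id:
        errors.append("VLAN ID given but VLAN environment is disabled")
    return errors


# Constructed sample values, following the guide's own examples.
SAMPLE_CONFIG = {
    "device_ip": "10.10.10.1", "netmask": "255.255.255.0",
    "hostname": "NetEnforcer", "domain": "MyDomain.com",
    "gateway": "10.10.10.254", "primary_dns": "none", "secondary_dns": "",
    "vlan": "disable", "vlan_id": "",
}

if __name__ == "__main__":
    for err in validate_network_config(SAMPLE_CONFIG) or ["configuration OK"]:
        print(err)
```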


Displaying the Current Configuration

You can display and view the currently set network configuration parameters at any time.

To display the current configuration:

1. In the Device Setup Menu, enter 1 (List current configuration) and press <Enter>. The current network configuration parameters are displayed. A sample screen is shown below:

Figure 2-21 – Current Configuration (1)


2. Press <Enter> to show the second screen of parameters:

Figure 2-22 – Current Configuration (2)

3. Press <Enter> to return to the Device Setup Menu.


Changing the Passwords

You can change the login password for either the Admin user or the Monitor user. The Admin user has access to all NetEnforcer functions, while the Monitor user has read-only access. It is strongly recommended to change the default password (allot). NetEnforcer might enable access from anywhere on the Internet, and should therefore be protected with a unique password.

To change the users’ password:

1. In the Device Setup Menu, enter 3 (Change password) and press <Enter>. The Password screen is displayed:

Figure 2-23 – Password

2. Enter 1 or 2 to specify the type of user whose password you want to change and press <Enter>.

3. Enter a new password and press <Enter>. The password must be between 5 and 8 characters. You can use a combination of upper and lower case letters and numbers.

4. Re-enter the password and press <Enter>. If NetEnforcer detects a simple password, a warning is displayed on the screen.


CAUTION:

You must change the default passwords to ensure a minimum level of security.

NOTE:

The new user name and password will be used in the NetEnforcer Log In window when accessing NetEnforcer through a browser.

Modifying Date and Time Settings

You can modify date and time settings as required. You can set the system time manually, or you can set up NetEnforcer to receive time checks from an NTP (Network Time Protocol) server, if you have one on your network.

To modify the date and time settings:

1. In the Device Setup Menu, enter 4 (Set time) and press <Enter>. The Time Setup screen is displayed:

Figure 2-24 – Time Setup

The current day, date, system time and time zone are displayed at the top of the screen.


2. To change the time zone, perform the following steps: Enter 1 and press <Enter>. Enter y and press <Enter>. NetEnforcer displays a list of time zones. Enter the required time zone and press <Enter>.

3. To change the system time, perform the following steps: Enter 2 and press <Enter>. Enter the new date and time in the format DD-MM-YYYY-HH-mm. For example, 12-02-2003-11-20 for 12th February 2003, 11:20 am. Press <Enter> to set the time.

Changing the Root User Password

You can change the root password that provides access to super-user rights.

To change the root password:

1. Use the supplied serial cable to connect the terminal to the Console connector on the front panel of NetEnforcer.

2. Ensure NetEnforcer is powered up. Refer to Powering Up NetEnforcer, page 2-34.

3. At the terminal, access a Microsoft DOS window, and at the C:\ prompt, enter Telnet (IP address of NetEnforcer). Press <Enter>. The system boots up and you are prompted for a login and a password.

4. Enter root for the login and bagabu for the password, and then press <Enter>.

5. Enter passwd and then press <Enter>.

6. Enter a new password and press <Enter>. The password must be between 5 and 8 characters. You can use a combination of upper and lower case letters and numbers.

7. Re-enter the new password and press <Enter>.

CAUTION:

If you forget this password, contact Allot Customer Support.


When all necessary parameters are set, NetEnforcer prompts you to reboot. After rebooting is completed, NetEnforcer is ready to be connected and to add Quality of Service in your network.

TIP:

You can further protect the access to NetEnforcer by limiting the hosts that are allowed to manage the unit. To configure the allowed host list, refer to Access Control in Chapter 4, Configuring NetEnforcer.

Configuring Via the LCD Panel

The LCD panel enables you to configure basic NetEnforcer parameters without connecting a terminal. This enables quick and easy setting of basic parameters such as the IP address of NetEnforcer as well as NIC settings for the Management port.

When you are not configuring NetEnforcer, the display area in the LCD panel indicates its default view, which is the current inbound and outbound bandwidth usage. The units are in Mbps with one digit after the point and the display is refreshed every five seconds.

NOTE:

When you are configuring NetEnforcer and there is no activity for more than 30 seconds, the display area returns to the default view and any modifications to parameters that were not saved, are lost.

Main Menu

The LCD panel provides one main menu from where you can perform the following operations:

• Configure NIC settings for the Management port, page 2-46.

• Set the NetEnforcer IP address, page 2-47.

• Activate Bypass, page 2-48.

• Reboot, shutdown or exit NetEnforcer, page 2-49.


The illustration below is a list of the main menu options from the LCD panel.

Main menu:

1. NIC_Setting

2. Setup_IP (opens the Setup IP Menu: 2-1 Set_IP, 2-2 Set_Mask, 2-3 Gateway)

3. Bypass

4. Reboot

5. Shutdown

6. Exit

In order to start working with NetEnforcer, press the Power button on the LCD panel. Once the system has completed loading, the display area of the LCD indicates its default view, the current bandwidth consumption of NetEnforcer. For example:

Inbound: XX.XM

Outbound: YYY.YM

You can now proceed to configure NetEnforcer, as required.

NOTE:

If QoS functionality is not included in your NetEnforcer (not enabled by your activation key), the default view indicates the following: Inbound:-, Outbound:-.


Configuring NIC Settings for the Management Port

Configuring NIC settings enables you to configure the Management port to either automatically sense the direction and speed of traffic, or use a predetermined duplex type and speed.

To configure NIC settings for the Management port:

1. With the display area displaying the default view, press the Select button. The main menu is displayed as follows: Main menu:

1. NIC Setting

2. Press the Select button. The display area indicates the following: Mode: [A]uto or

[F]ull/[H]alf du

NOTE:

The cursor blinks at the current setting.

3. Use the arrow buttons to select the duplex type for the Management port and press the Enter button. The display area indicates the following: Speed: [A]uto or

[100]/[10] Mbps

4. Use the arrow buttons to select the link speed of the Management port and press the Enter button. The display area indicates the following: [S]ave/[C]ancel

5. Use the arrow buttons to select whether to save the settings or cancel and press the Enter button. The new NIC settings are applied and after a few moments, the display area displays its default view, the current bandwidth consumption.


Setting the NetEnforcer IP Address

Setting the NetEnforcer IP address enables you to specify the IP address, netmask and default gateway for NetEnforcer.

To configure the IP address:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow once to display the following: Main menu:

2. Setup IP

3. Press the Select button. The display area indicates the following: 2-1.Set IP:

xxx.xxx.xxx.xxx (the current IP address definitions are displayed)

4. Specify the IP address of NetEnforcer. Use the up and down arrow buttons to select the required number and the left and right arrow buttons to move between the digits.

5. Press the Enter button. The display area indicates the following: 2-2.Set mask:

xxx.xxx.xxx.xxx (the current netmask definitions are displayed)

6. Specify the netmask of NetEnforcer. Use the up and down arrow buttons to select the required number and the left and right arrow buttons to move between the digits.

7. Press the Enter button. The display area indicates the following: 2-3.Gateway:

xxx.xxx.xxx.xxx (the current gateway definitions are displayed)

8. Specify the IP address of the default gateway. Use the up and down arrow buttons to select the required number and the left and right arrow buttons to move between the digits.


9. Press the Enter button. The display area indicates the following: [S]ave/[C]ancel

10. Use the arrow buttons to select whether to save the settings or cancel and press the Enter button. The new IP and gateway settings are applied and after a few moments, the display area displays its default view, the current bandwidth consumption.

Activating Bypass

This section describes how to activate Bypass mode.

To configure a Bypass:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow three times to display the following: Main menu:

3. Bypass

3. Press the Select button. If the system is not in Bypass mode, the display area indicates the following: Go into Bypass?

[Y]es/[N]o

4. Use the arrow buttons to select whether to enter Bypass mode and press the Enter button. NetEnforcer switches to Bypass mode and after a few moments, the display area displays its default view, the current bandwidth consumption.

NOTE:

When the system is already in Bypass mode, you are prompted to select whether to exit Bypass mode. Use the arrow buttons to select whether to exit Bypass mode and press the Enter button.


Rebooting, Shutting Down and Exiting NetEnforcer

You can reboot or shut down NetEnforcer and exit from LCD configuration as required.

To reboot NetEnforcer:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow four times to display the following: Main menu:

4. Reboot

3. Press the Select button. The display area indicates the following: Reboot?

[Y]es/[N]o

4. Use the arrow buttons to select whether to reboot NetEnforcer and press the Enter button. NetEnforcer reboots and the display area indicates the following: System Rebooting * (blinking asterisk)

NOTE:

This message is also displayed in the display area when NetEnforcer is rebooted using a terminal.

To shutdown NetEnforcer:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow five times to display the following: Main menu:

5. Shutdown


3. Press the Select button. The display area indicates the following: Shutdown?

[Y]es/[N]o

NOTE:

Pressing the Power button on the LCD panel at any time while NetEnforcer is powered on displays this option.

4. Use the arrow buttons to select whether to shut down NetEnforcer and press the Enter button. NetEnforcer shuts down and the display area indicates the following: System Shutting down * (blinking asterisk). After a few seconds, the display area indicates that NetEnforcer may be powered off.

NOTE:

This message is also displayed in the display area when NetEnforcer is shutdown using a terminal.

To power up NetEnforcer after a shutdown, press the Power button on the LCD panel.

To exit NetEnforcer:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow six times to display the following: Main menu:

6. Exit

3. Press the Enter or the Select button. The display area displays its default view, the current bandwidth consumption.


Failure Indications

The following cases of failure may be indicated in the display area of the LCD panel:

Message: NIC definitions save failed
Option: NIC setting
Description: 1. Validity check failed (auto mode and non-auto speed, or vice versa). 2. System error (missing files).

Message: Fail: IP get / Chk NE IP config
Option: IP setup
Description: Failed retrieving IP (system error)

Message: Fail: IP save / Chk NE IP config
Option: IP setup
Description: Failed saving IP

Message: Fail: Mgnt save / Chk NE IP config
Option: IP setup
Description: Failed saving IP

Message: Fail: MASK save / Chk NE IP config
Option: IP setup
Description: Failed saving netmask

Message: Fail: GW save / Chk NE IP config
Option: IP setup
Description: Failed saving gateway


Chapter 3: Getting Started

This chapter explains how to connect to your client management station and provides an overview of the NetEnforcer interface. It also describes how to install the Java Plug-in.

This chapter includes the following sections:

Accessing NetEnforcer, page 3-1, describes how to access NetEnforcer from your Web browser.

Java, WebStart and the NetEnforcer User Interface, page 3-3, describes how to install the Java 1.4.2 JRE, which is a prerequisite for running the NetEnforcer application.


Accessing NetEnforcer

Once you have completed the initial setup, as described in the previous chapter, you can access NetEnforcer via your Web browser. The first time that you connect to NetEnforcer, you may be prompted to install Java plug-in 1.3.1. Refer to Installing the Java Plug-in 1.3.1, page 3-3, for further information.

To connect to NetEnforcer:

1. Open your browser, and enter http://(IP address of NetEnforcer). The NetEnforcer Log On dialog box is displayed:

Figure 3-1 – NetEnforcer Log On Dialog Box

2. In the User Name field, enter admin and in the Password field, enter allot or the password that was established at setup. This is the default user name and password. They may be different if you changed them during the initial configuration. Refer to the Setting Up NetEnforcer section in Chapter 2, Installing NetEnforcer.

3. Click Log On. The NetEnforcer Control Panel is displayed.

NOTE:

It may take a few moments to display the Control Panel.


Java, WebStart and the NetEnforcer User Interface

NetEnforcer 6.1.1 works with a technology known as WebStart from Sun Microsystems. WebStart enables you to run the NetEnforcer User Interface software by simply double-clicking an icon on your computer’s desktop. This mode of operation is more convenient than having to access the NetEnforcer User Interface through an Internet browser.

Installing Java 1.4.2 JRE

The Java 1.4.2 JRE must be installed on your computer as a prerequisite to working with the NetEnforcer User Interface.


To install Java 1.4.2 JRE:

1. Open your Internet browser, and access http://<your-netenforcer-address-here>. The following window is displayed.

Figure 3-2 – NetEnforcer Control Panel


2. Click the Install Java 1.4.2 JRE first link. The following window is displayed.

Figure 3-3 – Java JRE Downloads

3. Click on the appropriate link and follow the on-screen instructions to install the Java 1.4.2 JRE on your computer.


Initializing WebStart

1. With the Java 1.4.2 JRE installed, access http://<IP address of NetEnforcer> once again. The Java Web Start window is displayed.

Figure 3-4 – NetEnforcer Java Web Start Window

When the loading process is complete, the Security Warning is displayed, prompting you to confirm that you want to allow the NetEnforcer User Interface software access to your computer.

Figure 3-5 – Security Warning


2. Click Start to continue. The NetEnforcer Desktop Integration window is displayed.

Figure 3-6 – NetEnforcer Desktop Integration

3. Select Yes to place a shortcut icon on your desktop.

4. To access the NetEnforcer, double-click the shortcut icon on your desktop. The NetEnforcer Log On window is displayed.

Figure 3-7 – NetEnforcer Log On Window


Automatic Updates

One of the benefits of WebStart is that future NetEnforcer software updates are transparent to you when accessing the NetEnforcer User Interface. Simply continue to double-click the icon to access the NetEnforcer.

Managing Multiple Devices

If you intend to manage multiple NetEnforcers, follow the above procedure for each NetEnforcer. A separate NetEnforcer WebStart desktop icon will be added for each NetEnforcer.

WebStart Coexistence with Java 1.3.x Plugins From Earlier Versions

You can use the same computer to manage earlier versions of a NetEnforcer based on Java Plugin 1.3.x together with a NetEnforcer based on Java 1.4.2 JRE. However, you need to be aware of the fact that installing Java 1.4.2 JRE on a computer that already has a Java 1.3.x Plugin prevents the Java Plugin 1.3.x-based NetEnforcer User Interface from working correctly. To ensure that both systems can work correctly, the Java 1.4.2 JRE must be installed before the Java 1.3.x Plugin. If your computer already has a Java 1.3.x Plugin installed, you should uninstall it before installing the Java 1.4.2 JRE (as discussed in this section) and then re-install the Java 1.3.x Plugin.

WebStart Application Manager

After installing the Java 1.4.2 JRE, a Java Web Start shortcut icon is displayed on your desktop.

Double-clicking the icon displays the Java Web Start Application Manager.


Figure 3-8 – Java Web Start Application Manager

A list of NetEnforcer applications downloaded is displayed in the window. To launch the NetEnforcer User Interface from this window, select the application and click Start.

Troubleshooting

In the event that the NetEnforcer User Interface fails to load, consider the following actions:

• Verify that popup blocking is disabled in the browser, or, alternatively, that it is disabled for the NetEnforcer address.

• For Internet Explorer users, disable the Empty Temporary Internet Files folder when browser closed option as follows:

(a) From the Tools menu, select Internet Options. The Internet Options window is displayed.

(b) Select the Advanced tab.


(c) In the Security area, verify that the Empty Temporary Internet Files folder when browser closed checkbox is not selected.

(d) Click OK to close the dialog, and attempt to access the NetEnforcer through the browser.

• In Internet Explorer, make sure the browser cache file is not saturated:

(a) From the Tools menu, select Internet Options. The Internet Options window is displayed.

(b) In the Temporary Internet files area, click Delete Files.

(c) Select the Delete all offline content checkbox and click OK.

(d) Click OK to close the Internet Options window.

• Consider using another browser, e.g. Mozilla Firefox.

• If the problem still persists, the NetEnforcer can still be accessed from the WebStart Desktop Manager, as follows:

(a) Double-click the Java Web Start icon on the desktop.

(b) In the Location field, type: http://<ip-addr>/pmx.jnlp where <ip-addr> is the IP address of the NetEnforcer.

(c) Press Enter.

(d) Click Start.


Appendix A: Hardware Specifications

This appendix lists the hardware specifications for all NetEnforcer models.

Dimensions: Standard 2U by 19-inch, rack mountable
Height: 3.46 in (87 mm)
Width: 17.22 in (438 mm)
Depth: 11.81 in (300 mm)
Weight: 18.2 lbs (8.3 kg)

Power Requirements

AC Supply option
Input Voltage: 100 - 240 V AC
Frequency: 50/60 Hz
Current: 2 - 1 A
Power consumption: 80 W

DC Supply option
Input Voltage: 48 / 60 V DC
Current: 6 / 4 A
Power consumption: 80 W


Operating Environment

Temperature: 32° F to 104° F (0° to 40° C)
Humidity: 5% to 95% (non-condensing)
Heat Dissipation: 273 BTU/Hour
EMI: Residential, commercial and light industry.

Standards, Compliance and Certifications

All NetEnforcer models hold certificates and comply with the standards listed below.

EMC

• EMC Directive 89/336/EEC, article 7(1)

• EN 55022:1998+A1(00) class A

• EN 61000-3-2:1995_A1(98)+A2(98)

• EN 61000-3-3:1995

• EN 55024:1998+A1(01)

• FCC 47 CFR part 15, subpart B, class A

• ICES-003:1997, class A

• VCCI:2002, class B

• NEBS: GR-1089-Core*


Safety

• IEC 60950:1999 with Japanese deviations

• EN 60950:2000

• NEBS: GR-1089-Core*

• UL 1950 (NetEnforcer UL File number: E206586)

• CAN/CSA C22.2 No.60950-00*

• UL 60950, third edition

Environmental

• ETS 300 019-2-2 T 2.1

• ETS 300 019-2-3 T 3.1

• NEBS: GR-63-Core*

* NetEnforcer is designed to meet these standards.


Appendix B: Fail-Safe Operation

This appendix describes the fail-safe operation implemented in NetEnforcer. NetEnforcer has two fail-safe features that ensure proper and continuous network function: Bypass and Serial Redundancy.

NetEnforcer AC-1000 series utilizes an external Bypass module that connects the Internal connector to the External connector in the case of a subsystem failure in NetEnforcer or a power loss. This mechanism ensures that traffic continues to pass through the passive elements of NetEnforcer should any hardware or software problem occur.

Serial Redundancy is a backup mechanism that handles the failure of a network device, and ensures that the network continues to function. Serial Redundancy is provided by connecting two NetEnforcers in parallel. The Primary NetEnforcer handles the traffic and the Secondary NetEnforcer is designed to be in Standby mode as long as the Primary NetEnforcer is active. Only if, for any reason, the Primary NetEnforcer is not able to function properly, does the Secondary NetEnforcer become active.

When NetEnforcer is in Serial Redundancy mode, Bypass mode is activated in the event that both the Primary and Secondary NetEnforcer systems fail.

As part of the fail-safe considerations, power redundancy is also provided.


Bypass Mode

The AC-1000 series comes with an additional Bypass module - a Fiber Bypass, a Copper Bypass or a Double Fiber Bypass.

CAUTION:

The appropriate Bypass module must be connected to the AC-1000. This is to ensure continuous service in the event of failure.

The Bypass module is a mission-critical subsystem designed to handle the failure of a network device and still ensure that the network functions properly. The Bypass module provides "connectivity insurance" in the event of a NetEnforcer subsystem failure. NetEnforcer is factory configured to ensure normal network operation during power loss and other critical hardware and software failures.

The Bypass module works by shorting the Internal interface to the External interface. While the NetEnforcer is bypassed, all traffic goes through passive elements only.

When the system goes into Bypass mode, the status indicators immediately indicate it, in the following way:

• The Active LED on the front panel of NetEnforcer turns OFF.

• The Standby LED on the front panel of NetEnforcer is OFF.

• The Mode LED on the Bypass module turns OFF.

For more information regarding the status indicators, refer to Chapter 2, Installing NetEnforcer.


Bypass Initiation

When a single NetEnforcer is installed, it will go into Bypass mode under the following conditions:

• Upon a subsystem failure.

• During the booting of NetEnforcer.

• Upon any NetEnforcer power feed failure and power OFF conditions.

• When the Bypass module is not connected properly to the NetEnforcer Backup connector, even with all other connectors fully plugged.

Please note that NetEnforcers in a Serial Redundancy configuration that have gone into Bypass mode upon a subsystem failure will not restart automatically. It is recommended to perform a reboot.

NOTE:

NetEnforcer, in standalone configuration, reinitializes the Ethernet link upon detection of the Ethernet cable's disconnection.

Fiber Bypass and TAP for the AC-1000 Series

‘Monitoring only’ or TAP mode enables the operator to install and use NetEnforcer in a listen-only mode. Using this mode has the following benefits:

• It enables listening to network traffic without active interference in the network activity.

• It enables gradual installation of NetEnforcer – first without active interference and later with policy enforcement.

TAP mode can only be operated from a NetEnforcer AC-1000 with a Fiber interface that works with a Fiber Bypass module or a Double Fiber Bypass module.

CAUTION:

The appropriate Bypass module must be connected to the AC-1000. This is to ensure continuous service in the event of failure.


IMPORTANT NOTE:

To work properly, NetEnforcer and the Bypass module have to be fully plugged and connected before power is turned on.

The Fiber Bypass module works in conjunction with the NetEnforcer AC-1010 models with a Fiber interface and the Double Fiber Bypass module works in conjunction with the NetEnforcer AC-1020 models with a Fiber interface.

The Fiber Bypass module for the AC-1010 Fiber models is shown below.

Figure B-1 – Fiber Bypass Module (connector labels: To External Network Connector, To Primary NetEnforcer Connector, To Secondary NetEnforcer Backup Connector, Fiber Cable, To Internal Network Connector)

A separate NetEnforcer Fiber Bypass package is included with your AC-1000 shipment. An optional Fiber TAP package is shipped with your AC-1000 shipment. The Fiber TAP package includes two Multimode Couplers.


Each Coupler has three built-in Multimode fiber cables with SC connectors. One side of the coupler has a single Multimode fiber that is marked as Tx, and on the other side, there are two built-in Multimode fiber cables marked as Rx [1] and Rx [2].

Figure B-2 – Multimode Coupler Unit

IMPORTANT NOTE:

The Multimode Coupler is not a standard part of the NetEnforcer AC-1000 series.


Connecting the Fiber Bypass and the TAP

The following procedure describes how to connect the Fiber Bypass module and the TAP to NetEnforcer AC-1010. The procedure contains circled numbers, for example (1), relating to reference numbers used in the following diagram.

Figure B-3 – Connecting NetEnforcer AC-1010 to Fiber Bypass and TAP

To connect the Fiber Bypass to the AC-1010:

1. Connect the fiber cable labeled External from the Bypass module (7) to the External port on NetEnforcer (1).

2. Connect the fiber cable labeled Internal from the Bypass module (7) to the Internal port on NetEnforcer (2).


3. Connect the D-type High Density connector from the Primary port on the Bypass module (8) to the Backup port on NetEnforcer (3).

4. Connect the first Multimode coupler as follows:

(a) Connect the coupler Tx fiber optic cable to the Tx output of a 1 Gbps router (1000Base-SX port).

(b) Connect the coupler Rx [1] fiber optic cable to the Rx input of a 1 Gbps switch (1000Base-SX port).

(c) Connect the coupler Rx [2] fiber optic cable to the External Rx input of the Fiber bypass module (5).

5. Connect the second Multimode coupler as follows:

(a) Connect the coupler Tx fiber optic cable to the Tx output of a 1 Gbps switch (1000Base-SX port).

(b) Connect the coupler Rx [1] fiber optic cable to the Rx input of a 1 Gbps router (1000Base-SX port).

(c) Connect the coupler Rx [2] fiber optic cable to the Internal Rx input of the Fiber bypass module (6).

NOTE:

If you have an AC-1020 model, adapt the above procedure to connect both Link 1 and Link 2.


Connecting Two NetEnforcers in Serial Redundancy

Failure of a network device can be catastrophic, causing network downtime and lost business. The key to designing any mission-critical network is to recognize that these failures can occur, and to design a network that can handle failures and still allow the network to function. In order to do this, it is important to use the most reliable equipment, with redundancy built in to all mission-critical equipment.

NetEnforcer can operate to provide serial Redundancy. Serial Redundancy requires two NetEnforcer systems and a double Bypass module.

The Primary NetEnforcer handles the traffic and the Secondary NetEnforcer is configured to be in Standby mode as long as the Primary NetEnforcer is active. The Secondary NetEnforcer becomes active only if, for any reason, the Primary NetEnforcer is unable to function properly.

Status Indicators in Serial Redundancy Mode

When operating in Serial Redundancy mode, two NetEnforcer units are connected in serial to the Copper or Fiber Bypass module. The Primary NetEnforcer unit is connected to the Primary port of its Bypass module. The Secondary NetEnforcer unit is connected to the Secondary port of its Bypass module. During operation, the LED indicators on NetEnforcer and on the Bypass module give various readings. The LEDs relevant to operations in Serial Redundancy mode are the Standby, Active and Power LEDs on the NetEnforcer's LCD panel, and the Mode LED on the Bypass modules.


The modes of operation of the indicators are described in the following table:

Unit            Standby LED   Active LED   Power LED   Mode LED (Bypass)   Analysis
Primary Unit    OFF           ON           ON          ON                  Primary NetEnforcer is in Active mode.
Secondary Unit  ON            OFF          ON          OFF                 Secondary NetEnforcer is in Standby mode, ready to take over.

Primary Unit    ON            OFF          ON          OFF                 Primary NetEnforcer fails or is now booting.
Secondary Unit  OFF           ON           ON          ON                  Secondary NetEnforcer took over and is now in Active mode.

Primary Unit    OFF           OFF          OFF         OFF                 Primary NetEnforcer is powered OFF.
Secondary Unit  OFF           ON           ON          ON                  Secondary NetEnforcer took over and is now in Active mode.

Primary Unit    OFF           ON           ON          ON                  Primary NetEnforcer is in Active mode.
Secondary Unit  OFF           OFF          OFF         OFF                 Secondary NetEnforcer is not powered ON. The only fail-safe mode available now is Bypass.

Primary Unit    OFF           OFF          ON          OFF                 Primary NetEnforcer failed or did not complete booting.
Secondary Unit  OFF           OFF          ON          OFF                 Secondary NetEnforcer failed or did not complete booting. Bypass is now active and all traffic is going through Bypass.

Table B-1 – LED Conditions: NetEnforcer and Bypass, Serial Redundancy Mode

Secondary NetEnforcer Activation

When two NetEnforcers are connected in a serial redundancy configuration, the Secondary NetEnforcer will take control and become the active unit under the following conditions:

• Upon a Primary subsystem failure.

• During booting of the Primary NetEnforcer platform. When booting is completed, the Primary unit automatically takes control again.

• Upon any Primary NetEnforcer power feed failure and power OFF condition.

• Upon the Primary NetEnforcer Ethernet cable disconnecting from either the Internal or External ports. After reconnecting the cable and rebooting, the Primary NetEnforcer takes control again.

• When the Bypass module is not connected properly to the NetEnforcer Backup connector, even with all other connectors fully plugged.


Primary and Secondary Definitions

The NetEnforcer can be connected to the Primary or Secondary port of a Bypass unit via a backup cable. The connector indicates whether the NetEnforcer and Bypass function as Primary or Secondary. No other settings are required in order to distinguish Primary from Secondary.

Serial redundancy configuration requires an additional proprietary backup cable to connect the Primary NetEnforcer to the Secondary NetEnforcer. This cable, which can be ordered from Allot, is different from the standard backup cable used to connect the NetEnforcer to the Bypass.

The Secondary connector on the Primary unit's Bypass should be connected to the Primary connector on the Secondary unit's Bypass.

In addition, in order to enable serial redundancy, the following command should be entered via the NetEnforcer CLI: acmode +redund, followed by Enter (carriage return). Executing the command is required on both NetEnforcers, Primary and Secondary.

NOTE:

A Backup cable is included with the accessory cables, and it can be ordered from Allot Communications.

A Primary configuration is indicated by LEDs, as follows:

• The Active LED on the front panel of NetEnforcer is ON.

• The Standby LED on the front panel of NetEnforcer is OFF.

A NetEnforcer that is connected to the Secondary connector of its Bypass module is automatically configured to act as the Secondary system.

A Secondary configuration is indicated by LEDs, as follows:

• The Standby LED on the front panel of NetEnforcer is ON.

• The Active LED on the front panel of NetEnforcer is OFF.


The following diagram shows the layout of Serial Redundancy setup.

Figure B-4 – Serial Redundancy Setup for NetEnforcer AC-1010

If the Primary system fails, the Secondary system automatically takes control of the traffic, and enables its External interface. The following shows how the LEDs indicate the Secondary system status change:

• The Standby LED of the Secondary system will turn off.

• The Active LED of the Secondary system stops blinking and turns ON.


To connect two NetEnforcers in Serial Redundancy:

Before using NetEnforcers in Serial Redundancy mode, make sure that the configuration of both NetEnforcers is identical, except for their IP addresses, which must be unique for each unit. You can use the Save & Distribute option to distribute the same QoS policy to both NetEnforcers. For more information, refer to the NetEnforcer AC-1000 Series User Guide.

NOTE:

You can distribute policy to other NetEnforcers, only if they are of the same model as the one from which you are distributing.

After ensuring identical configuration, test each NetEnforcer (while connected to the network as a single device) and verify that they are operating identically to one another.

1. Designate one of your NetEnforcers to be the default Primary, and connect the end of the Backup cable marked Primary to the Primary connector of the Primary Bypass module.

2. Connect the other end of the backup cable to the Secondary connector of the Secondary Bypass module.

NOTE:

For more information, see Bypass Modules in Chapter 2, Installing NetEnforcer.

3. Ensure that the status indicators of both systems are indicating that the systems are configured correctly, as follows:

• The Active LED of the Primary NetEnforcer is ON.

• The Standby LED of the Primary NetEnforcer is OFF.

• The Active LED of the Secondary NetEnforcer is OFF.

• The Standby LED of the Secondary NetEnforcer is ON.


Power Redundancy

NetEnforcer includes two hot-swappable power supply modules and a dual line feed for redundancy purposes. Each line feed drives one power supply. It is recommended to connect the two power line feeds to separate power sources to have full power redundancy.

Should you need to, you can replace one of the power supplies while NetEnforcer is connected and operating. Replacing a power supply while the unit is operating is possible since the remaining power supply takes the full load and maintains full operation.

• If one power module fails or turns OFF, the other module will take over the load.

• When the power supply output is shorted to GND, it will shut down. Auto recovery is possible when the short circuit condition is removed.

• Each module has over-voltage and short-circuit protection.


Appendix C: NetEnforcer Port Reference

This appendix describes the required ports for NetEnforcer.

Firewall Ports

If your NetEnforcer is working behind a firewall, the following ports must be opened on the firewall to enable access to the NetEnforcer management functions:

Firewall Port     Gives Access To
TCP Port: 23      Telnet
TCP Port: 80      Web Server/GUI
TCP Port: 56000   Internal Accountant GUI Access
TCP Port: 51000   Policy Editor GUI Access
TCP Port: 52000   Monitoring GUI Access
TCP Port: 53000   Alerts GUI Access
TCP Port: 53306   MySQL Access
TCP Port: 56000   External Accounting Data Transfer Access


If you want to use secure transmission methods, the following ports must be opened:

Firewall Port     Gives Access To
TCP Port: 443     Encrypted HTTP (HTTPS)
TCP Port: 22      SSH (Encrypted Telnet)
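An added example, not from the Allot guide, that audits a constructed firewall rule list against the management ports in the two tables above: it flags management ports accepting connections from outside an assumed management subnet, and plaintext services (Telnet 23, HTTP 80) left open while their encrypted equivalents (SSH 22, HTTPS 443) are also open. The rule format, the management subnet and the NetEnforcer address are assumptions.

```python
"""Added example (not from the Allot guide): audits a constructed firewall
rule list against the NetEnforcer management ports from Appendix C.
Port numbers and service names come from the guide's tables; the rule
format, management subnet and addresses are assumed sample data."""
import ipaddress

# TCP management ports from the two Appendix C tables.
MANAGEMENT_PORTS = {
    23: "Telnet",
    80: "Web Server/GUI",
    51000: "Policy Editor GUI Access",
    52000: "Monitoring GUI Access",
    53000: "Alerts GUI Access",
    53306: "MySQL Access",
    56000: "Accountant GUI / External Accounting Data Transfer Access",
    22: "SSH (Encrypted Telnet)",
    443: "Encrypted HTTP (HTTPS)",
}

# Plaintext service -> encrypted equivalent, from the 'secure transmission' table.
PLAINTEXT_TO_SECURE = {23: 22, 80: 443}


def audit(rules, netenforcer_ip, mgmt_subnet):
    """rules: list of dicts with keys src (CIDR or host), dst (host), dport (int)
    and action ('accept' or 'drop'). Returns a list of finding strings:
    management ports accepting traffic from outside mgmt_subnet, and
    plaintext ports left open although their encrypted equivalent is open."""
    mgmt = ipaddress.ip_network(mgmt_subnet, strict=False)
    ne = ipaddress.ip_address(netenforcer_ip)
    findings = []
    open_ports = set()
    for rule in rules:
        if rule["action"] != "accept" or ipaddress.ip_address(rule["dst"]) != ne:
            continue
        port = rule["dport"]
        if port not in MANAGEMENT_PORTS:
            continue
        open_ports.add(port)
        src = ipaddress.ip_network(rule["src"], strict=False)
        # An accept rule whose source range is not contained in the
        # management subnet exposes the port more widely than needed.
        if not src.subnet_of(mgmt):
            findings.append(
                f"port {port} ({MANAGEMENT_PORTS[port]}) accepted from {src}, "
                f"outside management subnet {mgmt}")
    for plain, secure in PLAINTEXT_TO_SECURE.items():
        if plain in open_ports and secure in open_ports:
            findings.append(
                f"plaintext port {plain} ({MANAGEMENT_PORTS[plain]}) is open "
                f"although encrypted port {secure} ({MANAGEMENT_PORTS[secure]}) "
                f"is available; close port {plain}")
    return findings


# Constructed sample rule set for a NetEnforcer at 10.10.1.5 (assumed address).
SAMPLE_RULES = [
    {"src": "10.10.0.0/24", "dst": "10.10.1.5", "dport": 443, "action": "accept"},
    {"src": "10.10.0.0/24", "dst": "10.10.1.5", "dport": 22, "action": "accept"},
    {"src": "0.0.0.0/0", "dst": "10.10.1.5", "dport": 80, "action": "accept"},
    {"src": "10.10.0.0/24", "dst": "10.10.1.5", "dport": 23, "action": "accept"},
    {"src": "10.10.0.0/24", "dst": "10.10.1.5", "dport": 51000, "action": "accept"},
    {"src": "0.0.0.0/0", "dst": "10.10.1.5", "dport": 0, "action": "drop"},
]

# The same policy with the plaintext services removed; every remaining
# management port is already restricted to the management subnet.
HARDENED_RULES = [r for r in SAMPLE_RULES
                  if r["dport"] not in PLAINTEXT_TO_SECURE]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, "10.10.1.5", "10.10.0.0/24"):
        print("FINDING:", finding)
    print("hardened findings:", audit(HARDENED_RULES, "10.10.1.5", "10.10.0.0/24"))
```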


Appendix D: Rack Mounting Installation

The NetEnforcer and the Bypass module may be mounted in an open or closed standard 19-inch (48.26 mm) rack using the rack-mount bracket kit. This appendix describes how to prepare the device and rack for installation and how to mount the device in the rack.

Preparing the NetEnforcer for Rack Installation

Attach the mounting brackets for the device, included in the NetEnforcer accessory kit, to both sides of the device using all eight Phillips pan-head screws included in the same kit. Insert the screws into the holes on both sides of the device.

Preparing the Bypass Module for Rack Installation

Use a Phillips screwdriver to remove the six Phillips flat-head screws from each side of the Bypass module device.

Attach the mounting brackets of the Bypass module included in the Bypass accessory kit to both sides of the device. Re-insert the flat-head screws into the holes from which the screws were removed.

Rack Mechanical Loading

When mounting the device in the rack, ensure that a hazardous condition does not result due to uneven mechanical loading.

Ambient Temperature

The device has a maximum operating ambient temperature of 104° F (40° C). The ambient temperature around the rack should not exceed this value.


Airflow

To ensure proper cooling, airflow should be unrestricted within or around the rack. Keep the area four to six inches behind the enclosure unobstructed. Make sure that there is proper airflow around all of the NetEnforcer's vent openings.

CAUTION:

The NetEnforcer unit has multiple power sources; disconnect all power before servicing.

Connection to AC Supply

Power supply cords are intended to serve as the disconnect device. The user can power down the device only by removing the two power cords from the power source or from the device itself.

CAUTION:

Make sure the wall socket outlet is installed near the equipment and that the socket is easy to access. It is recommended that the wall socket outlet be connected to the building installation protection.

When connecting NetEnforcer to 120 / 240 VAC supply, plug into 10 A service receptacles, type N5/10 or NEMA 5-10R.

Ensure that each site has a suitable ground. Ground all metal racks, enclosures, boxes and raceways. The NetEnforcer equipment should be reliably grounded through the power supply cord.

Connection to DC Supply

The unit is intended for RESTRICTED ACCESS LOCATIONS in accordance with the NEC (National Electric Code) or the authority having jurisdiction.

The power supply cable comprises two sets of 2x14 AWG copper wire; use UL-listed cable only.


When connecting NetEnforcer to 48/60 VDC supply, use a UL-listed 10A circuit breaker between the centralized DC power system and NetEnforcer power entry module as the disconnect device incorporated in the fixed wiring. The circuit breaker must be close to the NetEnforcer and easily accessible.

The DC supply source is to be located within the same premises as this equipment. There shall be no switching or disconnecting devices in the earthed circuit conductor between the DC source and the point of connection of the grounding electrode conductor.

Reliable Grounding

CAUTION:

NetEnforcer equipment has a connection between the earthed conductor of the DC supply circuit and the grounding conductor.

Connect to a reliably grounded SELV source. Grounding is achieved through connection of the power entry module grounding terminal to one power port of the terminal block by min. No. 14 AWG green/yellow conductor.

This equipment shall be connected directly to the DC supply system grounding electrode conductor or to a bonding jumper from a grounding terminal bar or bus to which the DC supply system grounding electrode is connected.

When connecting the supply wires to the DC main supply, the earth conductor is connected first and disconnected last.

This equipment shall be located in the same immediate area (such as adjacent cabinets) as any other equipment that has a connection between the earthed conductor of the same DC supply circuit and the grounding conductor, and also as the point of grounding of the DC system. The DC system shall not be earthed elsewhere.


Appendix E: Glossary

This appendix defines the terms used throughout the guide.

Glossary of Terms

Access Control

An action that specifies the access for a connection. You can select the Access Control to accept, drop, or reject a connection.

Access Link

Internal and External logical interfaces. Access links may be smaller or equal to the Ethernet Adapter values.

Action

The operation performed on a connection once it matches a rule. A combination of Access Control, QoS and Connection Control.

Address – IP

A list of logical entities representing IP Version 4 (IPv4) addresses, which are comprised of 32 bits.

Address – MAC

A list of logical entities representing Media Access Control (MAC) addresses, which are comprised of a 48-bit source or destination address. The source address is the sender's globally unique device address.

Admin

The default user name for administrating NetEnforcer, with the default password allot. It is strongly recommended to change this password.


Admission Control

A step in every flow activation, when the required bandwidth is allocated (or not) according to user demand (minimum bandwidth and maximum number of connections) and system state.

ADSL

Asymmetric Digital Subscriber Line - Modems attached to twisted pair copper wiring that transmit from 1.5 Mbps to 9 Mbps downstream (to the subscriber) and from 16 kbps to 800 kbps upstream, depending on line distance.

Application Binding

The process of finding the correct application type for a flow (in case the flow is TCP or UDP).

Application Recognition

The classification of protocols/applications by their unique "signature".

Application Type

The application type is defined by the destination port number.

ATM

Asynchronous Transfer Mode. This high speed network protocol is composed of 53 byte "cells" having 5 byte headers and 48 byte payloads. Because of its short packet length, it is especially good for real time voice and video.

Backplane Watchdog Timer

The backplane internal hardware timer that initiates the bypass in case there was no software visit (the software visit restarts the timer).

Bandwidth

A parameter that defines the rate at which data flows.


Blocked Queue

A queue that holds packets that are over the maximum bandwidth defined for the connection/Virtual Channel/Pipe.

Borrowing Bandwidth

A Pipe/Virtual Channel defined with a minimum bandwidth will receive only the minimum necessary bandwidth, even if that value falls below the guaranteed minimum. For example, if a Virtual Channel is currently defined for 100 Kb minimum but needs only 50 Kb, 50 Kb is all that will be reserved, and the remainder of the bandwidth will be allocated to another Virtual Channel. This means that unused bandwidth is never wasted.

Burst Mode

When burst size is defined, the system will allow traffic to burst for a certain amount of time, but the average traffic for the whole period will still be bounded by the maximum.
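An added example, not Allot's implementation, modelling the two glossary entries above (Borrowing Bandwidth and Burst Mode): a pipe allocator that reserves only the needed part of each Virtual Channel's minimum and lends the remainder to channels that still have demand, and a token-bucket shaper whose long-run average stays within the maximum even though it admits a burst. The class and function names are assumed for illustration.

```python
"""Added example, not Allot's code: a toy model of the glossary's
'Borrowing Bandwidth' and 'Burst Mode' behaviour. The names VirtualChannel,
allocate and BurstShaper are assumed for illustration."""
from dataclasses import dataclass


@dataclass
class VirtualChannel:
    name: str
    minimum: int  # guaranteed minimum, Kb/s
    maximum: int  # hard cap, Kb/s
    demand: int   # currently offered load, Kb/s


def allocate(channels, pipe_capacity):
    """Reserve for each channel only as much of its guaranteed minimum as it
    actually needs, then lend the unused remainder of the pipe to channels
    that still have demand (water-filling, capped by each channel's maximum).
    Returns (allocation per channel name, unused capacity in Kb/s)."""
    alloc = {}
    remaining = pipe_capacity
    # Pass 1: guaranteed minimums, but no more than the channel needs.
    for vc in channels:
        reserved = min(vc.demand, vc.minimum, remaining)
        alloc[vc.name] = reserved
        remaining -= reserved
    # Pass 2: borrowed bandwidth, shared among channels with unmet demand.
    while remaining > 0:
        hungry = [vc for vc in channels
                  if alloc[vc.name] < min(vc.demand, vc.maximum)]
        if not hungry:
            break
        share = max(1, remaining // len(hungry))
        for vc in hungry:
            want = min(vc.demand, vc.maximum) - alloc[vc.name]
            give = min(share, want, remaining)
            alloc[vc.name] += give
            remaining -= give
            if remaining == 0:
                break
    return alloc, remaining


class BurstShaper:
    """Token bucket: 'maximum' is the sustained rate in Kb/s and 'burst' the
    bucket depth in Kb. A full bucket lets a flow briefly exceed 'maximum';
    over any longer window the average cannot exceed 'maximum', because
    tokens refill only at that rate."""

    def __init__(self, maximum_kbps, burst_kb):
        self.rate = maximum_kbps
        self.burst = burst_kb
        self.tokens = burst_kb  # starts full: a burst is allowed right away
        self.last = 0.0

    def admit(self, now, size_kb):
        """Return True if a packet of size_kb may be forwarded at time 'now';
        False means it exceeds the cap and would go to the Blocked Queue."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size_kb <= self.tokens:
            self.tokens -= size_kb
            return True
        return False


def burst_demo():
    """Constructed timeline: offer 200 Kb at t=0, 100 Kb at t=1 s and 200 Kb
    at t=5 s, each followed by a 1 Kb probe. Returns the admitted sizes and
    the average admitted rate over the 5 s window (Kb/s)."""
    shaper = BurstShaper(maximum_kbps=100, burst_kb=200)
    offered = [(0.0, 200), (0.0, 1), (1.0, 100), (1.0, 1), (5.0, 200)]
    admitted = [size for t, size in offered if shaper.admit(t, size)]
    return admitted, sum(admitted) / 5.0


if __name__ == "__main__":
    # The glossary's case: A is defined for 100 Kb minimum but needs only 50 Kb,
    # so its unused 50 Kb (and the rest of the 300 Kb pipe) goes to B.
    vcs = [VirtualChannel("A", 100, 1000, 50), VirtualChannel("B", 50, 500, 400)]
    print(allocate(vcs, 300))
    print(burst_demo())
```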

Cache Redirection

A network device that intercepts client HTTP requests and forwards them to one or more cache servers.

Catalog

A list of user-defined entries used when defining Pipes, Virtual Channels and rules in the Policy Editor.

CBR

See Constant Bit Rate.

CCITT

Consultative Committee for International Telegraph and Telephone


Central Office

A circuit switch that terminates all the local access lines in a particular geographic serving area; a physical building where the local switching equipment is found. xDSL lines running from a subscriber's home connect at their serving central office.

Centralized Monitoring and Accounting

Provision of centralized policy-based accounting and remote monitoring services. The Allot Communications NetPolicy provides a comprehensive, policy-based system that allows the network manager to define, in a concise and organized fashion, policies that automatically effect change on specific equipment in the network environment.

Classification

The procedure by which a flow or connection is associated to a Pipe and a Virtual Channel. This procedure occurs every time a new flow passes through NetEnforcer.

Classification Element

Definition of partial criteria for a match to an attribute of network traffic. One rule is a set of five classification elements or conditions. See Condition.

CLEC

Competitive Local Exchange Carrier

CO

See Central Office

CODEC

An abbreviation for coder/decoder. Specifically, it converts a voice-grade analog signal to u-law or A-law encoded samples at an 8 kHz sampling rate. DSL bypasses the CODECs at the central office by separating the frequencies in a POTS splitter and passing the DSL signal to a DSLAM, the DSL equivalent of a CODEC.

COC

See Connection Control.

Condition

A criterion with which to classify traffic. Conditions include Connection Source, Connection Destination, Service, ToS and Time.

Connection

A flow from a source to a destination and from the destination back to the source.

Connection Control

Defines whether a flow is directed to load balancing, directed to cache redirection, or passed as is.

Connection Control Catalog

A Catalog that enables the user to define different load-balancing and cache-redirection definitions.

Constant Bit Rate

Offers constant throughput. When CBR is defined, the system will not allow traffic to exceed the maximum boundary defined.

Constant Connection

Offers constant throughput. When CBR is defined, the system will not allow traffic to exceed the maximum boundary defined.

Content Inspection

The ability to analyze packet content on a per-flow basis. This feature makes it possible to filter packets according to the user's content requests. Content-based packet classification is based on any combination of source address, destination address, protocol, type or content URL, including URL patterns.

CPE

See Customer Premise (or Provided) Equipment

CSU

Channel Service Unit

Customer Premise (or Provided) Equipment

A wide range of customer-premises terminating equipment which is connected to the local telecommunications network. This includes telephones, modems, terminals, routers, set-top boxes, etc.

Delay

Specifies the maximum delay that a packet stays in NetEnforcer. If the packet exceeds this delay, the packet is discarded.

DDoS Attack

Distributed Denial of Service Attack. These attacks are more intense and damaging than DoS attacks. In DDoS attacks, multiple machines unknowingly participate in an attack against a single host target.

DHCP

Dynamic Host Configuration Protocol. Used for automated allocation, configuration and management of IP addresses and TCP/IP protocol stack parameters.

DCE

Data Communication (or Circuit-Terminating) Equipment

Digital Gateway to IP

Digital Gateway to IP provides a seamless, dedicated connection to the Internet, utilizing available channels on the customer's channeled T1 local access. It allows increased usage of their local access by providing multiple services over a single facility and the ability of designating multiple DS0 channels on the T1 access for voice, data, and Internet.

DSL

Digital Subscriber Line - Modems on either end of a single twisted pair wire that delivers ISDN Basic Rate Access.

DSLAM

Digital Subscriber Line Access Multiplexer

DSU

Data Service Unit - A digital interface device that connects end user data communications equipment to the digital access lines, and which provides framing of sub-64 Kbps customer access channels onto higher rate data circuits. A DSU may be combined with a CSU into a single device called a CSU/DSU. See Channel Service Unit/Data Service Unit.

DTE

Data Terminal (or Termination) Equipment - Typically the device that transmits data, such as a personal computer or data terminal.

DoS Attack

Denial of Service Attack. Most DoS attacks overload servers with redundant traffic. All servers can handle traffic volume up to a maximum, beyond which they become disabled.

Drop

All packets are dropped. The user is disconnected and may see the message Connection timed-out.

Flow

A series of packets with common attributes. Since these attributes do not change in time, it is possible to identify a flow by its first packet only. TCP and UDP flows are identified by the IP and port of the source and destination. Any other IP flow is identified by the source IP, destination IP and protocol number. Non-IP flows are identified by protocol number only. See Connection.

Flow Attribute

Data belonging to a flow that differentiates that flow from others.

Fraggle Attack

When a perpetrator sends a large volume of UDP echo (ping) traffic to IP broadcast addresses, all of it with a forged source address. This is a simple rewrite of the Smurf code.

Guaranteed Bandwidth

A per-connection parameter, which means that every connection will be granted “N bytes/bits per second”.

HDSL

High bit-rate Digital Subscriber Line - Modems on either end of one or more twisted wire pair that deliver T1 speeds. At present, this requires two lines.

Host Catalog

A Catalog that enables the user to define the Connection Source and Connection Destination, two of the classification elements or conditions of a rule. Hosts can be network IP addresses, IP address ranges, host names, IP Subnet addresses or MAC addresses.

Inbound Traffic

Traffic that flows into the External link and out from the Internal link.

Internet Service Provider

An entity that provides commercial access to the Internet. These can range in size from someone operating dial-up access with a 56 kilobit line and several dozen customers to providers with multiple POPs in multiple cities, substantial backbones and thousands or even tens of thousands of customers.

IP Service Control

NetEnforcer, as an IP Service Control system, enables carriers to monitor IP application traffic and subscriber traffic usage. NetEnforcer controls traffic patterns to increase subscriber satisfaction, provides quick ROI by saving network operation costs (for example, by managing over-subscription) and enables new revenue sources without upgrading the network infrastructure.

ISP

See Internet Service Provider

ITU

International Telecommunications Union

IXC

Inter-exchange Carrier - Post-1984 name for long distance phone companies in the United States. AT&T is the largest, followed by MCI and Sprint, but several more small IXCs exist.

Java Applet

A program written in the Java™ (Sun Microsystems Inc trademark) language. The applet's code is transferred to your system and executed by the browser's Java Virtual Machine (JVM) (see more at: http://java.sun.com/applets/).

LEC

Local Exchange Carrier - One of the U.S. telephone access and service providers that have grown up with the recent deregulation of telecommunications.

Local Loop

A pair of wires, moderately twisted for the entire length between the telephone company's end office and the user premises (the common telephone set) form a loop, so it is referred to as the local loop. This loop provides a user with access to the global telecommunications infrastructure that is installed all over the world. DSL extends the capability by using modern technology to increase the data rates and distances spanned.

Lightweight Directory Access Protocol (LDAP)

A standard communication protocol that allows clients, servers and applications to access directory services. NetEnforcer includes an LDAP client for communication with the LDAP directory.

Load Balancing

A mechanism that enables balancing traffic between different servers. All traffic is directed to a single IP, but the load-balancer smartly divides the traffic between the different servers.

Maximum Bandwidth

A parameter that defines the upper limit of the bandwidth provision of NetEnforcer, a Pipe, a Virtual Channel or a connection. NetEnforcer ensures that the bandwidth will not exceed this value.

Minimum Bandwidth

A parameter that defines the lower limit of bandwidth provision, and states that NetEnforcer will provide a particular Pipe, Virtual Channel or connection with “at least N bytes/bits per second”. NetEnforcer guarantees that the bandwidth will not fall below this value.

Mbps

Megabits Per Second

NAT

Network Address Translation is the translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. This helps ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves on the number of global IP addresses that a company needs and it lets the company use a single IP address in its communication with the world.

NEBS

Network Equipment Building Standards

Monitor

The default basic user name for monitoring NetEnforcer, with the default password allot. It is strongly recommended to change this password.

MPLS

Multi-protocol Label Switching. This networking protocol provides a scalable infrastructure for the Internet. MPLS uses the concept of label switching to create a 'virtual circuit' between two end points. The main use of MPLS is to create high quality VPNs (Virtual Private Networks). In addition, MPLS may be used to allow integrated-access services such as voice/video and data over IP.

MRTG

Multi Router Traffic Grapher. The MRTG tool generates HTML pages that present traffic statistic graphs. Using a standard Web browser, you can view pages, each containing graphs showing daily, weekly, monthly and yearly information.

NetAccountant

An add-on software module that enhances the application performance management and SLA/QoS enforcement capabilities of NetEnforcer with accurate data collection and server-based reporting.

NetAccountant Reporter

Part of the NetAccountant software module. NetAccountant Reporter enables you to create sophisticated graphical reports based on the traffic data collected by NetEnforcer. In addition to basic reports such as "most active clients" or "top protocols", NetAccountant Reporter offers drill down reports such as "most active clients per a specific Pipe" or "top protocols per server."

NetHistory

A software module that enables the user to view network behavior at any time in the past.

NIC

Network Interface Card. Located in one device and physically connected to the Ethernet cable going into another device.

Number of Connections

The number of open connections (sessions from the software point of view) in NetEnforcer.

OC3 & OC12

Optical Carrier Level circuits. These are ultra-fast multimeg circuits able to carry large amounts of information such as voice/data applications. (OC3= level 3 & OC12= level 12). For more information on these circuits, visit our OC3/OC12 page.

ODBC

Microsoft Open Database Connectivity interface. An application programming interface (API) for database access. It uses Structured Query Language (SQL) as its database access language.

Outbound Traffic

Traffic that flows into the Internal link and out from the External link.

P2P Applications

These "Peer-to-Peer" applications turn network clients into servers, using expensive WAN bandwidth and potentially distributing worms throughout the network. KazaA is a well-known P2P application.

Packets Per Second (PPS)

The number of packets that were sent by NetEnforcer in a second.

PCM

Pulse Code Modulation

POP

Point of Presence - A node of an ISP containing a DSU-CSU, terminal server and router and sometimes one or more hosts, but no network information center or network operations center.

PPP

Point to Point Protocol

PVC

Permanent Virtual Circuit - A frame relay logical link whose endpoints and class of service are defined by network management. Analogous to an X.25 permanent virtual circuit, a PVC consists of the originating frame relay network element address, originating data link control identifier, terminating frame relay network element address, and terminating data link control identifier. Originating refers to the access interface from which the PVC is initiated. Terminating refers to the access interface at which the PVC stops. Many data network customers require a PVC between two points. Data terminating equipment with a need for continuous communication uses PVCs.

Per Flow Queuing (PFQ)

Allot Communications QoS algorithm, in which the scheduler empties the queue according to each flow's policy and to fairness between flows. Allot Communications implements a smart queue scheduling algorithm with accurate timing for receiving and sending packets. The timing is such that the applications on both sides stay within their timing tolerances, while NetEnforcer precisely controls the bandwidth.

Allot Communications PFQ maximizes WAN link utilization and minimizes bandwidth waste. Allot Communications utilizes standard mechanisms built into TCP to maximize WAN utilization. It also uses a unique combination of PFQ and Smart Queue Scheduling to precisely control bandwidth for both incoming and outgoing traffic. Policies are based on a variety of criteria, including, when needed, data located within the traffic.

Ping of Death

When an attacker sends illegitimate, oversized ICMP (ping) packets. These attacks are targeted at specific TCP stacks that cannot handle this type of packet and overload the victim's servers.

Pipe

A grouping of traffic defined by conditions (rules) and actions that owns sub-groupings called Virtual Channels.

Policy

The regulation of access to network resources and services based on (business) administrative criteria.

Policy Server

A server which administers QoS requests and sends out information necessary (policy) to enforce QoS.

Port Number

A 16-bit integer appended to a message and passed between client and server transport layers.

Priority

A parameter that identifies the relative importance of traffic on a particular Pipe or Virtual Channel compared to other Pipes or Virtual Channels. Priority does not explicitly define the speed of communication, but assigns a weight value, for example, for every 2 bytes of priority 3, send 4 bytes of priority 7. It does not define how long it takes to send priority 7 or priority 3 bytes.

Process Watchdog

A software process that is responsible for keeping the system in a normal operating state. It watches the liveness of processes and restarts a process or the whole system when required.

QoS

See Quality of Service.

QoS Action

Defines a level of bandwidth agreement using parameters such as minimum/maximum bandwidth, priority, and so on. You can select the QoS action for Pipes, Virtual Channels and connections.

QoS Catalog

A Catalog that enables the user to define possible values for the QoS action.

QoS Gateway

Provision of end-to-end policy enforcement and management via standards-based signal provisioning protocols, including Differentiated Services, ToS, RSVP, MPLS, and 802.1P.

QoS of UDP Traffic

Allot Communications supports QoS for UDP traffic by using the token bucket mechanism (for CBR sessions), combined with the leaky bucket mechanism (to supply rate limits).

Quality of Service

Enforcing a network policy that will impact bandwidth, delay (jitter), or traffic reliability.

Queuing

Method used by routers to control the flow of traffic. Packets are placed in holding queues and retransmitted based on CBQ and WFQ algorithms. When traffic overflows the queue, packets are discarded to reduce network congestion.

RADIUS

Remote Authentication Dial In User Service protocol. Specifies accounting, log and analysis parameters for IP users accessing via dial-in services.

RADSL

Rate Adaptive Digital Subscriber Line - A version of ADSL where modems test the line at start up and adapt their operating speed to the fastest the line can handle.

Redundancy Configuration

A configuration in which two NetEnforcers are connected in parallel using a flat cable. If one NetEnforcer goes down, the other one takes over immediately. One NetEnforcer is automatically the primary system (defined by the flat cable hardware), and the Primary and Active LEDs on the front panel are lit. The other NetEnforcer is the secondary system, and the Secondary LED on the front panel is lit. The flat cable is connected between the Backup connectors.

Reject

All packets are dropped. In TCP traffic, an RST packet is sent to the client and the user may see the message Connection Closed by Server.

Reserve on Demand

A minimum bandwidth demand mode that reserves allocated bandwidth and, even if it is not all used or required, does not provide it for other traffic.

Rule

A combination of classification elements or conditions comprised of Connection Source, Connection Destination, Service, ToS and Time. Together these conditions form the complete criteria for classifying network traffic. The conditions are conjoined with the AND operator.

Rule Matching

The process of finding the first matching rule for a flow or connection.

Schedule Queue

A queue in which the packets wait to be transmitted. The schedule is defined by the minimum bandwidth and priority parameters.

Service

Protocol- or application-based criteria for traffic classification.

Service Catalog

A Catalog that enables the user to define possible values for the Service condition. It includes a list of different network/transport/application protocols defined by the protocol number (L2, L3, L4 or L5 layer) and destination port number (L4).

Smurf Attack

When a perpetrator sends a large volume of ICMP echo (ping) traffic to IP broadcast addresses, using a forged source address. The forged source address will be flooded with simultaneous replies.

SNMP

Simple Network Management Protocol. Sets up the rules for exchanging network information through messages (which contain variables with values). The following types of messages are defined: read, write and trap.

SOHO

Small Office Home Office - A type of DSL connection possessing qualities better than ADSL. Designed especially for smaller businesses.

Spanning Tree

A link management protocol that provides path redundancy while preventing undesirable loops in the network.

Spoofing

When an attacker uses a fake Internet address so that the source address of an IP packet is not the actual source. An attacker from outside the network (meaning, from the Internet) may send packets with a source address on the LAN. This deceives the internal servers into identifying the attacker as a legitimate internal network user, and the internal address becomes the victim. Spoofing is used in most of the well-known DoS attacks.

Standalone Configuration

A configuration in which only one NetEnforcer is connected to the network (in contrast to the redundancy configuration). In case of system crash, NetEnforcer becomes a wire, meaning that NetEnforcer continues to forward traffic without performing policy enforcement functions.

SYN Attack

When an attacker sends a series of SYN requests to a target (victim). The target sends a SYN ACK in response and waits for an ACK to come back to complete the session set up. Since the source address was fake, the response never comes, filling the victim's memory buffers so that it can no longer accept legitimate session requests.

TELCO

Telephone Company - Generic name for telephone companies throughout the world which encompasses RBOCs, LECs and PTTs.

Template – Virtual Channel or Pipe

A master Virtual Channel or Pipe that represents a class of Virtual Channels or Pipes which differ only in one of their Host Catalog conditions.

Time Catalog

A Catalog that enables the user to define possible values for the Time condition. NetEnforcer is capable of classifying traffic based on packet and time parameters.

ToS

See Type of Service.

ToS Catalog

A Catalog that enables the user to define possible values for the ToS condition.

Traffic Classification

NetEnforcer classifies traffic per IP source/destination including networks, subnets, hostnames, list and ranges of addresses; TCP/UDP ports including lists of ports, port ranges and HTTP header parameters; URL (including wildcards - *), methods, host names (in the header) and FTP control to data connection correlation.

Type of Service

A byte in the IP header that defines the Type of Service that should be given to that packet. Two types are implemented: IP Precedence bits (mostly in Cisco equipment) or DiffServ (IETF standard). When used for IP Precedence, it uses bits 0-2 to signify 8 priority values, 0-7. When used as a DiffServ Code Point (DSCP), it uses only 6 of the 8 bits. IP Precedence and DiffServ are prioritizing methods for IP traffic going through the network.

By setting the Type of Service (ToS) bits in accordance with network policy, end-to-end QoS can be achieved in a heterogeneous environment.
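The Flow, Connection, Rule, Rule Matching and Type of Service entries above describe one classification path: derive a flow key from the first packet, decode the ToS byte, then find the first rule whose AND-ed conditions hold. The following Python is an added example written for this glossary, not Allot's code; the packet fields, rule names, addresses and the endpoint-ordering used for the connection key are constructed assumptions, and the Time condition is left out.

```python
"""Flow identification, ToS decoding and first-match rule lookup as the
glossary describes them. Added example, not Allot's code; packets, rules and
addresses below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import List, Optional

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

@dataclass(frozen=True)
class Packet:
    """Minimal view of the first packet of a flow (constructed, not a capture)."""
    ethertype: int
    protocol: int = 0              # IP protocol number (IPv4 only)
    src_ip: str = ""
    dst_ip: str = ""
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tos: int = 0                   # raw ToS byte from the IP header

def flow_key(pkt: Packet) -> tuple:
    """Identify a flow from its first packet: TCP/UDP by IPs and ports, other IP
    by IPs and protocol number, non-IP by protocol (here the Ethernet type) only."""
    if pkt.ethertype != ETHERTYPE_IPV4:
        return ("non-ip", pkt.ethertype)
    if pkt.protocol in (PROTO_TCP, PROTO_UDP):
        return ("l4", pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
    return ("ip", pkt.src_ip, pkt.dst_ip, pkt.protocol)

def connection_key(pkt: Packet) -> tuple:
    """A Connection is the flow plus its reverse; ordering the endpoints gives
    both directions the same key (the ordering rule is our assumption)."""
    key = flow_key(pkt)
    if key[0] == "l4":
        lo, hi = sorted([(key[2], key[3]), (key[4], key[5])])
        return ("l4", key[1], lo, hi)
    if key[0] == "ip":
        lo, hi = sorted([key[1], key[2]])
        return ("ip", lo, hi, key[3])
    return key

def ip_precedence(tos: int) -> int:
    """IP Precedence: bits 0-2 (the three most significant) give values 0-7."""
    return (tos >> 5) & 0x7

def dscp(tos: int) -> int:
    """DiffServ code point: only 6 of the 8 ToS bits (the most significant six)."""
    return (tos >> 2) & 0x3F

@dataclass(frozen=True)
class Rule:
    """One rule is the AND of its conditions; None means 'any'."""
    name: str
    src: Optional[IPv4Network] = None   # Connection Source
    dst: Optional[IPv4Network] = None   # Connection Destination
    protocol: Optional[int] = None      # Service: protocol number ...
    dst_port: Optional[int] = None      # ... and destination port
    dscp_value: Optional[int] = None    # ToS condition, compared as DSCP

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if pkt.ethertype != ETHERTYPE_IPV4:   # IP conditions cannot match non-IP flows
        return all(c is None for c in
                   (rule.src, rule.dst, rule.protocol, rule.dst_port, rule.dscp_value))
    return all((
        rule.src is None or ip_address(pkt.src_ip) in rule.src,
        rule.dst is None or ip_address(pkt.dst_ip) in rule.dst,
        rule.protocol is None or pkt.protocol == rule.protocol,
        rule.dst_port is None or pkt.dst_port == rule.dst_port,
        rule.dscp_value is None or dscp(pkt.tos) == rule.dscp_value,
    ))

def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Rule Matching: the first rule whose conditions all hold wins; None if none."""
    return next((r.name for r in rules if rule_matches(r, pkt)), None)

# Constructed sample policy and packets (addresses are documentation ranges).
RULES = [
    Rule("voip-ef", dscp_value=46),
    Rule("web-to-servers", dst=IPv4Network("10.1.0.0/16"), protocol=PROTO_TCP, dst_port=80),
    Rule("internal-any", src=IPv4Network("10.0.0.0/8")),
]
HTTP_REQ = Packet(ETHERTYPE_IPV4, PROTO_TCP, "10.2.3.4", "10.1.0.9", 51000, 80)
HTTP_REPLY = Packet(ETHERTYPE_IPV4, PROTO_TCP, "10.1.0.9", "10.2.3.4", 80, 51000)
VOIP = Packet(ETHERTYPE_IPV4, PROTO_UDP, "10.2.3.4", "192.0.2.10", 5004, 5004, tos=0xB8)
ICMP = Packet(ETHERTYPE_IPV4, 1, "192.0.2.1", "10.2.3.4")
ARP = Packet(0x0806)
```

Note that the request and reply of the HTTP exchange get different flow keys but the same connection key, and that the reply falls through to the third rule because its destination is outside 10.1.0.0/16.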

UBR

Unspecified Bit Rate.

UTP

Unshielded Twisted Pair - A cable with one or more twisted copper wires bound in a plastic sheath. Preferred method to transport data and voice to business workstations and telephones. Unshielded wire is preferred for transporting high speed data because at higher speeds, radiation is created. If shielded cabling is used, the radiation is not released and creates interference.

Virtual Channel

A grouping of traffic defined by conditions (rules) and actions that can be owned by Pipes.

Virtual Connection

Class of network traffic that defines traffic classification criteria and policies.

VLAN

Virtual Local Area Network refers to LANs that are interconnected by a virtual Layer 2. The NetEnforcer enables you to apply VLAN tags to its management traffic. VLANs are commonly used with campus environment networks. This enables network changes to be made without physically moving cables or equipment.

Well-Known Ports

Some services are conventionally assigned a permanent port number. For a well-known port list see, for example: http://www.isi.edu/in-notes/iana/assignments/port-numbers.

Worms

This self-propagating code floods networks with email and adds Registry entries to users' clients. Worms may be transmitted via email, sharing infected files, or via Internet chat. Worms take advantage of "back doors" or "holes" in popularly used email software and operating systems. "Malicious" worms may also erase or hide certain types of files.

Index

A

Accessing
  NetEnforcer, 3-2

B

Bypass, 2-2, B-1, B-2
  Activating, 2-48
  Initiation, B-3
Bypass Module, 2-17
  Copper, 2-20
  Double Copper, 2-25
  Double Fiber, 2-22
  Fiber, 2-18, B-3
  Multi-Port Copper, 2-27

C

Cable Networks, 1-4
CATV Providers, 1-9
Configuring
  IP Parameters, 2-47
  Network Parameters, 2-37
  NIC Settings, 2-46
Configuring NetEnforcer
  Via LCD Panel, 2-44
  Via Terminal, 2-35
Connecting
  Copper Bypass Module, 2-21
  Double Copper Bypass Module, 2-26
  Double Fiber Bypass Module, 2-24
  Fiber Bypass Module, 2-19
  Multi-Port Copper Bypass Module, 2-28
  NetEnforcer to Network, 2-30
  Terminal, 2-35
Copper Bypass Module, 2-20
  Connecting, 2-21
Corporate Networks, 1-3, 1-11, 1-13

D

Date and Time Settings, 2-42
DoS Attacks, 1-15
Double Copper Bypass Module, 2-25
  Connecting, 2-26

E

Educational Networks, 1-3

F

Fail-Safe
  Operation, B-1
Fault Tolerance, 2-16
Fiber Bypass Module, 2-18, 2-22, B-3
  Connecting, 2-19, 2-24
Firewall Ports, C-1
Front Panel
  NetEnforcer, 2-7
Full Redundancy, B-1, B-8
  Status Indicators, B-8

H

Hardware Specifications
  NetEnforcer, A-1

I

Internet Data Centers, 1-3, 1-8
Internet Service Providers, 1-3, 1-5
IP Parameters
  Configuring, 2-47

L

LCD Panel, 2-44
  Failure Indications, 2-51
  Main Menu, 2-44
LCD Panel, 2-11

M

Management Port, 2-14
Multi-Port Copper Bypass Module, 2-27
  Connecting, 2-28

N

NetEnforcer
  Accessing, 3-2
  Changing Password, 2-41
  Connecting to Network, 2-30
  Copper Interface, 2-8, 2-9
  Current Configuration, 2-39
  Dimensions, A-1
  Environments, 1-3
  Failure Indications, 2-51
  Fiber Interface, 2-7
  Front Panel, 2-7
  Hardware, 2-2
  Hardware Specifications, A-1
  LCD Panel, 2-11
  LEDs, 2-11
  Models, 2-2
  Modifying Date Settings, 2-42
  Modifying Time Settings, 2-42
  MPLS Environment, 1-6
  Network Placement, 2-30
  Operating Environment, A-2
  Overview, 1-2
  Ports, C-1
  Power Requirements, A-1
  Powering Up, 2-33
  Protocols, C-1
  Redundancy, B-8
  Scenarios, 1-5
  Setting Up, 2-35
  Shutting Down, 2-49
  Standards Compliance, A-2
  Technology, 1-2
  Unpacking, 2-6
Network Parameters
  Configuring, 2-37
NIC Settings
  Configuring, 2-46

P

Password
  Changing Login, 2-41
  Changing Root, 2-43
Power Redundancy, B-14
Power Supply, 2-15
  LEDs, 2-16
Powering Up NetEnforcer, 2-33

S

Serial Redundancy, 2-16
Setting Up NetEnforcer, 2-35
Shutting Down NetEnforcer, 2-49
Status Indicator, 2-11

T

TAP Mode, B-3
Time and Date Settings, 2-42

U

Unpacking
  NetEnforcer, 2-6

V

Voice and Video Applications, 1-4
VPN, 1-13
