Introducing In-Line Platforms

Training
What is NetEnforcer?

• A bandwidth management platform which:
• Collects network statistics
• Shapes network traffic
• In conjunction with NetXplorer enables:
• Viewing & troubleshooting network issues in real-time
• Collection of long-term usage information for reporting & billing
• Policy enforcement

[Diagram: GUI Client, NetXplorer Server, NetEnforcer]

Common Concepts: Physical Links

• NE/SG may have 1 or more physical links
• Each physical link is comprised of:
• External interface
• Internal interface
• Classification of traffic is independent of physical link, unless specified
• Same management for all physical links

[Diagram: Physical Links, External, Internal]

Common Concepts: Bypass Functionality

• Ensures connectivity in the event NE/SG fails
• External unit for all products except AC-500 (internal module)
• Must be connected or boot will fail

[Diagram: Core, BRAS/CMTS, Bypass, Switch, AC-3000, Subscribers; callout "Turned off when NE has switched to bypass mode"]

Passive Bypass – Traffic is not blocked on power outage

AC-500 Family

Model   Ports   Physical Links
502     2       1
504     4       2

• Targeted at Enterprise Networks, Satellite and Small SP
• QoS Enforcement Levels: 5, 10, 50, 100 and 200Mbps (Full Duplex)
• 1U 19” rack mount
• AC Power Supply
• Copper Network Interfaces - 10/100/1000BaseT
• Extra Copper Ports for Active Redundancy
• AC-502: 2 ports X 10/100/1000BaseT (Copper Only)
• AC-504: 4 ports X 10/100/1000BaseT (Copper Only)
• Internal Bypass

AC-502

[Figure: Front View. Callouts: Management Port, Console Port, Bypass Connector, External, Internal, Redundancy, LEDs, "(not in use)"]

• System Ports
• PS

Where in the Network Can Allot Help?

Device Placement Depends on Customer Requirements

Service Providers
• Is SG/NE deployed for:
– Network Services
– Subscriber Services
– Application Control

Enterprises
• Is NE deployed for:
– Internet and WAN Link Optimization
– Ensure application performance
– Manage branches

In-line platform should be located where it can manage the required needs

Placement Examples: Service Provider Networks (Fixed)

[Diagram: Subscribers, BRAS/CMTS, NE/SG, Internet]

Access Point: For visibility and management of subscribers
Peering Point: For visibility and control of applications

Placement Examples: Service Provider Networks (Mobile)

• Allot SG/NE can work together with SMP as PCEF/TDF in a 3G mobile environment
• Covered in SMP Course

Placement Examples: Enterprise Networks

[Diagram: enterprise network spanning Private Cloud and Public Internet. Labels: Campus, Data Center, HQ Employees, Paris, Tokyo, LAN/WAN Core, GW, Cloud Apps, VDI, Web, Email, Citrix, Servers, SAP/Oracle, Video, PBX, VoIP, ERP, CRM. Callouts: "For visibility & management of" Employees Internet Access / Internet Access / Branches.]

Placement Examples: Enterprise Firewalls

[Diagram: LAN, NetEnforcer, Firewall, DMZ, NetEnforcer, WAN/Internet]

Before Firewall: NetEnforcer cannot manage traffic to and from DMZ
After Firewall: NAT on firewall prevents NetEnforcer from filtering internal traffic by host

Order Of Connectivity

1. Validate traffic flow – for example by using ping
2. Connect the bypass only
– Verify traffic flow
3. Connect in-line platform to the bypass with Ethernet cables and the bypass cable
4. Power up the in-line platform
– Verify traffic flow

[Diagram: Access Switch, router, NetEnforcer]

Port Usage Configuration via GUI

• Open Device configuration > Interface Tab > NIC Sub Tab
• Click on the relevant blade and double click the port to set the port usage

Setting the IP Address

User       Default Password   Accesses
sysadmin   sysadmin           CLI

go config ips -ip ip_address:netmask

Login: sysadmin
Password: sysadmin
sysadmin@host-prc:~#: go config ips -ip 10.50.1.7:255.0.0.0

Note: for SG-Tera each blade holds 2 IPs

Viewing General Config Information (1)

go config view

sysadmin@host-prc:~# go config view

==== IP & Host Name ====


Host Name host-prc
Domain Name allot
Primary Domain Name Server none
Secondary Domain Name Server none
Primary NTP Time Server 10.4.70.10
Secondary NTP Time Server none
Tertiary NTP Time Server none
IP Address 10.4.30.1
Network Mask 255.255.0.0
Vlan ID -1
Out-of-band Gateway 10.4.0.1
In-band IP Address none
In-band Mask none
In-band Gateway none

Viewing General Config Information (2)

==== NIC settings ====


Interface EXTERNAL0 (nic_ext_0 Mode full
Speed 10000 Mbps
Status enable
Action on Failure none
Interface INTERNAL0 (nic_int_0 Mode full
Speed 10000 Mbps
Status enable
Action on Failure none
Interface MGMNT (eth0): Mode auto
Speed auto
Status enable
Action on Failure none
Supported Modes full, half, auto
Supported Speeds 10, 100, 1000, auto

(Callout on Device Mode: shows if the system is “active” or in “bypass”)

==== Networking ====
Device Mode active
Redundancy Mode standalone
Bypass Unit disable
Bypass Setting disconnected
Bypass Status non-bypass
Remote Bypass Status N/A
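
An added example, not part of the original training deck or Allot's tooling: a Python parser for the "go config view" output shown above that reports when the platform is not in-line or has no primary NTP server. Treating any Device Mode other than "active" and any Bypass Status other than "non-bypass" as a finding is an assumption, and the "bypass" sample is constructed.

```python
import re

# Field names as they appear in the "go config view" output above.
KEYS = ["Host Name", "Primary NTP Time Server", "IP Address", "Network Mask",
        "Device Mode", "Redundancy Mode", "Bypass Status"]

def parse_config_view(text):
    """Return {section: {field: value}} for the fields listed in KEYS."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"=+\s*(.+?)\s*=+", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None:
            for key in KEYS:
                if line.startswith(key + " "):
                    current[key] = line[len(key):].strip()
                    break
    return sections

def enforcement_findings(sections):
    """Reasons the platform may not be shaping traffic or keeping good time."""
    net = sections.get("Networking", {})
    host = sections.get("IP & Host Name", {})
    findings = []
    if net.get("Device Mode") != "active":
        findings.append("Device Mode is not 'active': %s" % net.get("Device Mode"))
    if net.get("Bypass Status") != "non-bypass":
        findings.append("Bypass Status is not 'non-bypass': %s" % net.get("Bypass Status"))
    if host.get("Primary NTP Time Server", "none") == "none":
        findings.append("no primary NTP server configured")
    return findings

# Values taken from the output shown above.
FROM_PAGE = """==== IP & Host Name ====
Host Name host-prc
Primary NTP Time Server 10.4.70.10
IP Address 10.4.30.1
==== Networking ====
Device Mode active
Bypass Status non-bypass
Remote Bypass Status N/A
"""

# Constructed sample: the "bypass" and "none" values here are assumed.
CONSTRUCTED_BYPASS = FROM_PAGE.replace("Mode active", "Mode bypass") \
    .replace("Status non-bypass", "Status bypass") \
    .replace("Server 10.4.70.10", "Server none")

if __name__ == "__main__":
    for name, text in [("page", FROM_PAGE), ("constructed", CONSTRUCTED_BYPASS)]:
        print(name, enforcement_findings(parse_config_view(text)))
```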

What is NetXplorer?

Management Umbrella for Allot In-Line Platforms and Services

• In-line platform configuration
• Policy provisioning capabilities
• Real-time monitoring for network troubleshooting and problem analysis
• Long-term reporting for capacity planning, usage tracking and trend analysis
• Management of traffic and system alerts
• Accounting information collection and export for billing purposes
• Analytics of mobile Internet sessions

NetXplorer Options

Part Number | Description | H/W | S/W
Virtual NX | Virtualized NetXplorer template, based on VMware ESXi (V5.5 and above) | X | ✓
SNX-LIN-3/15/U, SNX-WIN-3/15/U | NetXplorer Server Software License (Linux or Windows) for up to 3, 15 or unlimited NEs/SGs | X | ✓
SNX-SRV | NetXplorer standalone server package | ✓ | ✓
SNX-SRV-HAP | NetXplorer High-Availability package | ✓ | ✓

What is External Data Collector?

Short Term Collector
• Data Resolution: 30 Seconds (Default), 5 Minutes, 1 Hour
• NX Built-in Database OR External Data Collector (STC-NX-GENX)

Long Term Collector
• Data Resolution: 1 Hour, 1 Day, 1 Month
• NX Built-in Database

[Diagram label: NX Data Collector]

Why Deploy External Data Collector?

Collect short term statistics

• Increases the number of NEs supported by a single NX Server
• Required for Every SG deployment
• Overcomes connectivity issues
• Enables collection redundancy

[Diagram: GUI, NetXplorer Server, Collectors, Service Gateway, NetEnforcers]

NX Client Requirements

Minimum Requirements:
• 1G RAM
• Windows 7
• Microsoft Internet Explorer

NOTE: History logs will be kept on the client and can consume up to 150M
NX Client Installation

• Installation process:
http://<NetXplorer_IP>

[Screenshot: links "Install JRE 8.0" and "Launch NetXplorer"]

Download JRE 8.0

Launch NetXplorer

• GUI is launched
• Icon is placed on desktop

Main Screen Areas

Menu bar

Toolbar

Navigation Pane

Details area

Alerts Log
Registering the NetXplorer
Adding a NetEnforcer or Service Gateway

Under Network:
• NetEnforcers
• Service Gateway

Under Servers:
• Data Collectors
• SMP
• Data Mediator
• VideoClass
Expansion Chassis
• ClearSee Servers
Verifying NE/SG Configuration

restart

shutdown
NE/SG Configuration: ID & Key
NE/SG Configuration: Date/Time

NetXplorer Server: Default
NTP Server: Configure via CLI

Rich Set of Graphs

Essential Graphs:
• Statistics
• Policy Entity Graphs
• Protocols / Monitored Service Groups
• Hosts
Additional Graphs:
• Utilization
• Percentile
• Popularity
• Typical Time
• Integrated Services / WebSafe / HTTP
• Asymmetric Traffic
• Autonomous System
• Subscriber / Service Plans
• Mobile Analytics
Different Chart Styles

Top Graphs (Most Active Entities):
• Bar Chart
• Pie Chart

Distribution Graphs (Selected Objects):
• Line Chart
• Stack Area Chart

Different Chart Styles: Table View

Criteria for Displaying Data

• In / Out Bandwidth
• Live / New / Dropped Connections
• Subscribers
• Inspected Requests
• Illegal URLs
• Sessions
• Mobile Devices

Real-Time Monitoring vs. Long-Term Reporting

Real-time Monitoring
• Statistics time resolution: 30-second over 2 hrs, 5-minute over 36 hrs, 1-hour over 36 hrs
• Refresh: Optional Auto Refresh
• Benefits: See it as it happens; Quickly diagnose network problems; Top-down approach with intuitive drill-down capabilities; Highly granular information

Long-term Reporting
• Statistics time resolution: Hour over 2 months, Day over 6 months, Month over 12 months
• Refresh: Static
• Benefits: Understand bandwidth usage; Analyze network trends; Perform capacity planning; Post-mortem analysis

NOTE: Real Time Monitoring Requires A Key

4-Step Configuration Process

• Time
• Objects
• Limits
• Display

[Screenshot callout: Shows type of graph to be expected]

Essential Graphs

• Statistics
• Policy Elements: NetEnforcers / Lines / Pipes / VCs
• Protocols / Monitored Service Groups
• Hosts

NetEnforcers / Lines / Pipes / VCs

Demo

• Can run “Most Active Object” or “Object Distribution” graphs
• On which entities can you run each graph type?

[Diagram: Network, NE, Line, Pipe, VC]

Protocols / Monitored Service Groups

• Can run “Most Active Protocols” or “Protocol Distribution” graphs
• Graph can be run on any network entity: Network, NE, Line, Pipe or VC
• Protocol Distribution graph can be run on:
• individual applications
• service groups
• Monitored Service Group graph is run on
• Monitored service groups

Hosts

Hosts are defined as internal or external on the basis of which interface they are connected to on the bypass

[Diagram: External hosts, Bypass Unit, Internal hosts]

Hosts / Internal / External / Conversations

Demo

NOTE: External Host Collection is disabled by default

• Vertical axis: total b/w, in b/w, out b/w, live connections, new connections
• Graphs can be run on any entity – Network, NE, Line, Pipe or VC

Drill Down

• Easy way to move from report to report
• Context sensitive drill-down
• Zoom into specific usage patterns on the fly
• Quickly Identify Network problems

Stacking

• Adds a third dimension to your graphs
• More visibility in a single graph
• Stack by (depending on the graph selected):
• NE
• Line
• Pipe
• VC
• Protocol
• Host
• Monitored Service Group
• Available only for “top” graphs
• Stack results by up to 50 instances

Limiting

• Limits the scope of your chosen graph
• Enables you to focus on the specific objects you are interested in
• Graphs can be limited by:
• NE, Line, Pipe, VC
• Internal / External Host
• Autonomous System
• Protocol / Service Group
• Monitored Service Group
• Data can be displayed separately per limiting object

Building the Enforcement Policy

NetXplorer Classification Tree

Primary Policy: Classification from top to bottom

[Diagram: tree of Network > NetEnforcer / Service Gateway > Line > Pipe > Virtual Channel, including Fallback Pipe and Fallback Virtual Channel entries]

Secondary Policy Available, Offering Additional Dimension

The Enforcement Policy Table

[Screenshot: policy table with Line, Pipe and Virtual Channels rows]

Editing Conditions and Actions

Who established the connection:
o Internal host is the client, sending the TCP SYN
o External host is the server

Edit Conditions from Drop Down Lists

Example: Pipe Rule

IF Int Hosts = Gold Users AND Service = P2P Apps AND Time = Weekend THEN QoS = Max 2.5Mbps

Templates

• Instead of creating a Pipe / VC for every possible host
• Create a single “master” Pipe / VC and define a set of hosts to expand it
• Template creates multiple Pipes / VCs whenever traffic is generated to/from one of the specified hosts

[Diagram: Pipe Template (10.10.10.1 – 10.10.10.5, P2P, Max 1.5M) shown beside per-host entries 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4 and 10.10.10.5, each "P2P Max 1.5M"]

Pipes vs Pipe Templates

Using Pipes
• Traffic is classified into Pipes
• Example: A different Pipe for each branch (London, Paris, Tokyo)

Using Pipe Templates
• Pipes are created based on traffic
• Example: Pipe template for each branch type (Large Branches, Small branches)

Inserting a Pipe Template

There is only one rule in a template – you cannot add an additional one

Using Policy Distribution

Choose which NEs / SGs or Groups to Distribute Policy to

Can choose to abort on first error

Progress Report

Example of QoS Definitions
