The Traffic Management Handbook for Enterprises
A comprehensive review of traffic management for enterprise networks and network managers
a mind for networks

Allot Communications Ltd., 2006
First Edition: September, 2006
Part Number: D501101, Revision A
Copyright 2006 by Allot Communications Ltd.

This book contains works of authorship owned and published by Allot Communications Ltd. that are protected under copyright laws and international treaties. All Rights Reserved. No part of this publication may be reproduced, distributed, translated, stored in a retrieval system or transmitted in any form or by any means without the prior written permission of Allot Communications Ltd.

Although every reasonable effort has been made to provide reliable data and information, Allot Communications does not guarantee the accuracy or completeness of any information published herein, and shall not be responsible for any errors, omissions or damages arising from the use of or reliance upon this information.

Brand and product names mentioned herein are trademarks of their respective owners.

International Headquarters
Allot Communications Ltd.
22 Hanagar Street
Industrial Zone B
Hod-Hasharon, 45240 Israel
Tel: +972 9 761 9200

US Office
Allot Communications, Inc.
7664 Golden Triangle Drive
Eden Prairie, MN 55344
Minneapolis, USA
Tel: (952) 944-3100

ISBN 965-91002-0-5
Table of Contents

Preface ... 1
Chapter 1: About Traffic Management and Why You Probably Need It ... 3
Chapter 2: The Business Case for Strategic Traffic Management ... 9
Chapter 3: Network Monitoring Part I ... 17
Chapter 4: Network Monitoring Part II ... 23
Chapter 5: Creating a Network Policy: Classification ... 29
Chapter 6: Creating a Network Policy: Assigning Actions ... 35
Chapter 7: Managing Shared IP VPN and Internet Connections ... 41
Chapter 8: A Look Inside HTTP ... 45
Chapter 9: Taming Peer-to-Peer Traffic ... 49
Chapter 10: When Voice and Video Join the Network ... 57
Chapter 11: IT and Business Alignment ... 63
Chapter 12: Network Topology Alternatives ... 69
Chapter 13: Quality of Service (QoS) in an MPLS Environment ... 75
Chapter 14: Strategies for Universities ... 79
Chapter 15: Gaining an Edge Through Strategic Networking ... 87
Chapter 16: Network Business Intelligence: Data Mining for Strategic Performance Management ... 97
Chapter 17: Case Study of Louisiana State University ... 101
Preface

This book contains a collection of articles written over a period of 2 years by Allot Communications. Based on the company's extensive experience and leading worldwide position in the area of network traffic management for service providers, carriers and enterprises, these articles cover a range of subjects, starting with a description of what network traffic management is and why you probably need it. Other chapters deal with the relevance of network monitoring, taming peer-to-peer traffic, the importance of integrating Layer 7 deep packet inspection for monitoring of network traffic, the significance of voice and video joining the network, ensuring quality of service, and gaining an edge through strategic networking.

The bottom line is that in today's networks, there are cost-effective alternatives to adding more bandwidth in order to meet the demands of users. More and more, traffic management devices are being employed to ensure the performance of mission-critical applications and contain WAN costs in enterprise networks. Used to manage enterprise network LAN/WAN traffic, they offer robust, policy-powered networking that directly links board-level strategic priorities and the priorities of the IT infrastructure. This is achieved by:
- monitoring network and bandwidth usage to automatically discover applications and determine the protocols that affect performance and require management;
- defining the policies that link business priorities to computing needs and determine the quality of service (QoS) attributes, such as minimum and maximum bandwidth percentages and traffic prioritization; and
- finally, enforcing the rules, allowing the traffic management device to examine all traffic crossing the WAN link and continually monitor resources to maintain network control and application performance.
Chapter 1: About Traffic Management and Why You Probably Need It

A relatively new category of network management is fast becoming a necessity in converged business networks. Mid-sized and large organizations are finding they must control network traffic behavior to assure that their strategic applications always get the resources they need to perform optimally. Controlling network traffic requires limiting bandwidth to certain applications, guaranteeing minimum bandwidth to others, and marking traffic with high or low priorities. This exercise is called traffic management.

You might also hear variations of this activity described as WAN optimization, application performance management, traffic shaping, bandwidth management, bandwidth optimization, and quality of service (QoS). There are some subtle technical differences among these terms. For example, traffic management makes use of QoS mechanisms, such as traffic classification, prioritization, queuing, and rate limiting. However, when used informally, these terms all loosely describe setting rules, or policies, for how particular application traffic should behave and then ensuring that the network automatically enforces those rules.

Today's traffic management systems let network managers control network traffic flows based on application type, protocol type, source and destination addresses, and other variables. To provide this level of granularity, traffic management tools operate up through Layer 7 of the OSI model (the application layer). These tools are software-centric, but are often embodied in standalone devices.

Network monitoring and reporting through Layer 7, both historical and real-time, are fundamental to successfully managing application performance. For example, Layer 7 monitoring identifies Oracle databases by user and application name, auto-detects Citrix published application names, and tracks Hypertext Transfer Protocol (HTTP) traffic by signature and on any port number it may use. These functions will be discussed in detail in Chapters 3 and 4.

How Organizations Are Using Traffic Management

There are many reasons that enterprises use traffic management to set and enforce traffic policies, including:
- To guarantee minimum bandwidth to Citrix and Voice over IP (VoIP) traffic at all times
- To ensure that delay-sensitive VoIP has priority over other traffic types
- To eliminate expensive, real-time international frame relay permanent virtual circuits (PVCs)
- To enforce service-level agreements (SLAs) with their WAN service providers
- To block music or video downloads
- To block music file-sharing and avoid copyright infringement liability
- To eliminate congestion in real-time data replication to mirrored data centers
- To eliminate usage-based ISDN costs for videoconferences
- To delay investments in additional network capacity

Do You Need Traffic Management?

Most organizations migrating multiple application types to an integrated packet-switched wide area network (WAN) service will benefit from traffic management tools. This is because the WAN is usually more bandwidth-constrained than the local area network (LAN), causing potential congestion bottlenecks. Also, as a network shared among many customers, WAN performance is often less predictable. That said, the extent and configuration of the traffic management policies you establish depend on:
- The number of remote sites on your network
- The degree of diversity in your application mix
- The number of user groups you must support with disparate policies

Another indication that your network could benefit from traffic management is if performance degradation did not improve much when you added WAN bandwidth. The behavior of certain protocols in a converged, packet-switched environment renders adding network bandwidth an ineffective fix, particularly for applications sensitive to latency.

The Impact of Convergence

The main driver behind the growing use of traffic management is the industry's migration from time-division multiplexing (TDM) networks to converged, packet-switched WANs, such as IP virtual private networks (VPNs) and public Internet connections. With packet switching, businesses gain large bandwidth efficiencies, thanks to the statistical multiplexing nature of the technology. Packet switching uses any available bandwidth across the aggregate capacity of the transmission facility to transport packets.

Converged packet-switched networks make optimum use of network bandwidth, saving businesses significant amounts of money on monthly service transmission fees. They also enable both enterprises and service providers to transmit all types of traffic over a single infrastructure, dramatically reducing capital and operational expenses (Figure 1).

Figure 1: The Efficiencies of Packet Switching. Packet-switched networks make full use of available network capacity. However, the different traffic types contending for a common bandwidth pool require enterprises to groom traffic flows for consistent, predictable performance.

Convergence also fosters innovative new applications that merge packet-based voice, video, and data. For example, companies can create web sites that combine real-time voice conversations with a live operator, virtual tours, text chat, music, and other functions into an integrated multimedia experience.

However, the TCP/IP protocols in packet-switched IP VPNs and Internet services are best-effort technologies, with no inherent mechanisms for performance management. With IP traffic volumes doubling every year and applications all contending for a shared pool of WAN bandwidth, it is up to network managers to ensure that each application gets the resources it needs to consistently perform well.

WAN Edge Deployment

Usually, traffic management is deployed at the WAN edge of an enterprise site. This is where the high-speed LAN meets the lower-speed WAN access link. The LAN-WAN juncture is also where both Internet and Intranet traffic enters and exits the enterprise. So it is the ideal place to tame traffic to mitigate the impact of non-critical and even suspicious traffic picked up on the Internet. Limiting or blocking the network resources available to frivolous or undesirable traffic boosts the performance of enterprise resource planning (ERP), customer relationship management (CRM), and other strategic, business-critical applications.

In addition to policing traffic at the network edge, there are pure performance issues to consider. The WAN access network is usually slower than the LAN, generally for budgetary reasons. Businesses pay recurring monthly fees for WAN services, while LAN bandwidth is free (after upfront equipment investments have been made). With high-speed LAN traffic throttling back to a lower-speed access circuit, the LAN-WAN edge is where congestion is most likely to occur.

Most applications have been developed to run on LANs. Local networks are generally free from congestion and fall under the total control of an internal IT department. LAN-optimized applications behave differently in the WAN environment. Not only is the WAN access link slower, but WAN services also can fall under the management purview of multiple network providers.

Managing traffic in this network segment aids distributed organizations that depend on the WAN to serve remote users with centralized resources. Doing so is a reasonably simple matter. In most cases, a network administrator uses a GUI to set parameters for some business-critical policies in plain English. The administrator then pushes a button to propagate those policies to the various network segments where they should be enforced.

Chapter Summary

Traffic management describes the use of software tools to set policies that govern how network traffic flows should behave when traversing a WAN or Internet connection. The tools enable granular control over traffic, often on a per-flow basis. Network administrators can set policies that the network automatically enforces based on application type, protocol type, user, source address, destination address, and other variables.

Traffic management involves classifying and marking traffic according to priority. For example, delay-sensitive applications like VoIP usually would have a small amount of bandwidth guaranteed to them, and VoIP packets would be marked for placement in the top priority queue.

Traffic management has become a fundamental element of network management in an era where enterprises and service providers are merging all traffic onto packet-switched networks. Converged networks afford many efficiencies and application innovation. But they also require monitoring and control to ensure that the various applications all contending for a common pool of bandwidth do not negatively affect one another.
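The guarantee, cap and priority behaviour the chapter summary describes can be made concrete with a small model. The Python below is an added example written for this edition; it is not code from the handbook or from any Allot product. It divides a constructed 1536 kbit/s access circuit among four constructed classes: guaranteed minimums are honoured first, then whatever capacity is left is handed out in priority order, with a cap on the lowest class. Class names, rates and offered loads are assumptions.

```python
"""Dividing a congested WAN link among traffic classes (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class BandwidthClass:
    name: str
    priority: int                      # 0 is served first
    demand_kbps: float                 # offered load right now
    min_kbps: float = 0.0              # guaranteed minimum rate
    max_kbps: Optional[float] = None   # cap; None means no limit

    def wants(self) -> float:
        """Rate the class would consume if unconstrained, respecting its cap."""
        if self.max_kbps is None:
            return self.demand_kbps
        return min(self.demand_kbps, self.max_kbps)


def allocate(link_kbps: float, classes: List[BandwidthClass]) -> Dict[str, float]:
    """Return the rate granted to each class on a link of link_kbps."""
    if sum(c.min_kbps for c in classes) > link_kbps:
        raise ValueError("guaranteed minimums exceed link capacity")
    granted: Dict[str, float] = {}
    remaining = link_kbps
    # Pass 1: guarantees. A class never receives more than it asks for.
    for c in classes:
        granted[c.name] = min(c.wants(), c.min_kbps)
        remaining -= granted[c.name]
    # Pass 2: leftover capacity goes to the highest priority first, so a
    # low-priority class is throttled only when better traffic is present.
    for c in sorted(classes, key=lambda c: c.priority):
        extra = min(c.wants() - granted[c.name], remaining)
        if extra > 0:
            granted[c.name] += extra
            remaining -= extra
    return granted


T1_KBPS = 1536  # constructed access circuit


def peak_hour() -> Dict[str, float]:
    """Everything offered at once: VoIP and Citrix are whole, P2P is squeezed out."""
    return allocate(T1_KBPS, [
        BandwidthClass("voip", 0, demand_kbps=256, min_kbps=256),
        BandwidthClass("citrix", 1, demand_kbps=600, min_kbps=384),
        BandwidthClass("email-web", 2, demand_kbps=800),
        BandwidthClass("p2p", 3, demand_kbps=2000, max_kbps=128),
    ])


def quiet_hour() -> Dict[str, float]:
    """Light load: P2P is allowed to run, but only up to its cap."""
    return allocate(T1_KBPS, [
        BandwidthClass("voip", 0, demand_kbps=256, min_kbps=256),
        BandwidthClass("citrix", 1, demand_kbps=600, min_kbps=384),
        BandwidthClass("email-web", 2, demand_kbps=200),
        BandwidthClass("p2p", 3, demand_kbps=2000, max_kbps=128),
    ])


if __name__ == "__main__":
    print("peak :", peak_hour())
    print("quiet:", quiet_hour())
```

Two things are worth noticing when running it. At peak, the caps and guarantees alone do not protect Citrix; it is the priority pass that lets it grow from its 384 kbit/s guarantee to its full 600 kbit/s before email and web get the remainder. In the quiet hour the P2P class gets bandwidth, but never more than its cap, which is the "throttled momentarily" behaviour rather than a blanket block.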
Chapter 2: The Business Case for Strategic Traffic Management

Most network implementers have determined that the operational efficiencies and multimedia capabilities of converged, packet-switched networks justify the conversion to this architecture. Furthermore, all businesses want employees to readily accept and utilize the strategic applications that IT organizations deploy. Today, most of these applications rely on WAN technologies such as IP virtual private networks (VPNs), frame relay and ATM services for user access.

For enterprise deployments of networked applications to succeed, they must consistently deliver response times that users find acceptable. Ensuring suitable response times across converged WAN connections requires some level of monitoring and control over applications, which all contend for a common pool of often-unpredictable WAN resources.

IT managers ignoring the contention-management issue risk allowing low-priority, bandwidth-intensive applications and users to negatively impact the strategic, revenue-generating applications of their organizations. This risk can have costly ramifications (see The High Cost of Poor Performance below). Instead, it generally pays to control the amount of total bandwidth that lower-priority traffic is allowed to consume in the presence of more strategic application traffic. This is a preventive measure that mitigates the impact of any WAN congestion on user productivity and business revenue. Most organizations, for example, would prefer that email and web browsing slow down slightly during peak usage periods rather than negatively impact CRM, e-commerce or Citrix sessions.

The Hefty Price Tag of Peer-to-Peer (P2P)

Another more recent economic driver for this type of strategic traffic management is the much-publicized emergence of P2P traffic in most universities and also in many enterprises. P2P protocols enable one client device to serve content directly to another client device. This content is generally multimedia (music and movies) in nature and thus consumes massive volumes of bandwidth. With very few exceptions, P2P content is not business-related, yet it can cost an organization dearly in terms of bandwidth consumption and poor productivity.

Because P2P content is not hosted by a server managed by the enterprise IT department, it is difficult to even detect, let alone control, without special application-recognition tools. However, left unchecked, P2P can monopolize network resources to the detriment of other applications, leaving users frustrated by poor response times while network managers scratch their heads. There are also thorny legal issues with P2P applications when they are used to share copyright-protected content. A full chapter devoted to managing the impact of P2P traffic appears later in this book.

Left unmanaged, lower-priority traffic will overtake network bandwidth, preventing strategic business applications, such as enterprise resource planning (ERP) and customer relationship management (CRM), from delivering the productivity and revenue returns expected by the organizations that deploy them. As discussed in Chapter 1, most business applications have been designed to run in a high-speed LAN environment, controlled by a single entity (the enterprise IT department). Those same applications will not run as well across a WAN topology. WAN services are shared by multiple enterprises, often managed by multiple network operators, and, as a result, offer less predictable service levels. Failed or diminished use of business-critical applications carries a high cost to enterprises, as reflected by research presented in the section below.

The High Cost of Poor Performance

Application design and server processing resources play a role in application performance. However, poor management of network links is most often to blame for network application bottlenecks. A study conducted by international researcher Infonetics Inc., for example, reveals that network downtime (a combination of both network outages and performance degradation) costs enterprises millions per year and thousands per hour in lost revenues (see Figure 1).

| Industry         | Annual Revenue | Annual Downtime Cost | Downtime Cost per Hour | Portion of Cost Due to Network Outage | Portion of Cost Due to Network Degradation |
|------------------|----------------|----------------------|------------------------|---------------------------------------|--------------------------------------------|
| Energy           | $6.75B         | $4.3M                | $1,624                 | 72%                                   | 28%                                        |
| Hi-tech          | $1.3B          | $10.2M               | $4,167                 | 15%                                   | 85%                                        |
| Healthcare       | $44B           | $74.6M               | $96,632                | 33%                                   | 67%                                        |
| Travel           | $850M          | $2.4M                | $38,710                | 56%                                   | 44%                                        |
| Finance (US)     | $4B            | $10.6M               | $28,342                | 53%                                   | 47%                                        |
| Finance (Europe) | $1.2B          | $379,000             | $1,573                 | 51%                                   | 49%                                        |

Figure 1: Cost of Enterprise Downtime, 2003. Source: Infonetics Inc. study based on six companies in different industries with some of the world's most advanced IT organizations.

From this research, it is apparent that companies could seriously improve their bottom lines simply by doing a better job of tracking and managing network performance. Inadequate network and application performance compromises a company's ability to compete in an economy that depends on real-time network transactions. Application bottlenecks can impede communication between companies and their customers and dramatically degrade internal productivity. The cumulative bottom line impact can be staggering.

Your Baseline ROI

For most organizations, the most tangible and immediate payback from an investment in traffic management results from delaying the acquisition of additional bandwidth, or even reducing current bandwidth needs. Most networks experience peak usage at several predictable periods of the day, and the typical network manager's response is to purchase additional capacity to alleviate congestion issues during these periods. While this approach seems logical and prudent, it is a tactical short-term solution that rarely resolves this long-term strategic issue. A better strategy is to forecast and purchase incremental capacity based on long-term average usage levels, and to utilize traffic management tools to help smooth out the peak periods.

Some applications utilize protocols that readily adapt to incremental capacity, scaling to absorb the available bandwidth. These bandwidth-hungry applications are often non-critical in nature, so new capacity is quickly consumed. Worse yet, many business-critical applications use protocols that cannot effectively scale, so the incremental bandwidth does not alleviate performance problems with many core business applications.

Rather than incurring the ongoing monthly expense of additional network capacity, most network managers discover that implementing traffic management policies can easily resolve their congestion problems. By allocating a portion of bandwidth to strategic applications, protocols or user groups, or by setting relative priorities on various traffic types, high-priority sessions flow unimpeded, while low-priority traffic is queued or throttled momentarily to provide logical traffic control. This is the essence of intelligent traffic management.

Depending on where the network congestion resides, this component of the overall ROI for traffic management solutions is easily calculated. If, for instance, implementing a $10,000 traffic management device on an Internet access link delays the monthly lease of $2,000 in additional Internet bandwidth, the ROI is five months. Similarly, a $40,000 solution that forestalls a $10,000 per month upgrade to an international WAN link would yield a four month ROI. These types of calculations are relevant for service provider, university, government and enterprise networks and virtually every type of network topology.

Using Monitoring to Calculate Payback

Monitoring and reporting exercises will help you quantify the financial justification for traffic management in your organization. Note that there are different types of network monitoring used for different purposes. Monitoring takes place at different layers of the Open Systems Interconnection (OSI) protocol stack, for example, depending on what information you are trying to glean and how you will apply it. Real-time monitoring is used for troubleshooting and resolution, while longer-term monitoring and reporting assists with fine-tuning the network and capacity planning, ensuring that you have adequately sized your network capacity.

Figure 2: Examples of 7 Layer Monitoring

WAN Performance

The most critical first step in assessing whether traffic management is required is to monitor WAN performance for a week or two using a device capable of monitoring all seven OSI layers. Most reputable vendors will provide an evaluation unit for this purpose. This type of product provides detailed information about the applications resident on the network, how they are behaving, and whether any applications, users, or protocols require careful control to improve the performance of strategic business applications.

An additional component of your business case involves the productivity of users of your business-critical applications. Armed with your historical monitoring information, you can identify problem areas and estimate the downtime and response time issues that applications are experiencing, as well as calculate what those periods of lost productivity are costing your organization (see Figure 3).

| Application             | Downtime Cost per Minute |
|-------------------------|--------------------------|
| CRM                     | $2,200                   |
| Data warehouse          | $5,800                   |
| E-commerce              | $2,500                   |
| ERP                     | $6,500                   |
| Supply-chain management | $4,400                   |

Figure 3: Cost of Application Downtime to Enterprises. Source: The Standish Group, as reported by Software Magazine.

Another consideration involves an analysis of your current (or planned future) costs for network monitoring solutions. Most organizations utilize one or more platforms for their ongoing monitoring and reporting needs. There are many such solutions on the market, although most have some notable limitations, such as an inability to monitor traffic above Layer 4. Alternatively, several traffic management vendors offer sophisticated Layer 7 monitoring and reporting capabilities in addition to their core traffic shaping technologies. Some even offer monitoring-only versions of their products, where the traffic shaping features are disabled by software key. These versions typically sell for much less than the full-featured products, and may provide an alternative to your current monitoring and reporting systems, thereby enhancing overall ROI for a traffic management solution. Furthermore, once the need to begin actively managing your traffic is validated, monitoring-only solutions can be easily field upgraded to fully functional traffic management platforms.

Every seasoned executive understands that employees are the organization's most valuable assets, and that the primary responsibility of management is to align employee resources and actions behind the organization's key strategic goals. A consistent and unwavering focus on employee alignment generates synergy, leverage and focus, the key ingredients to success. The organizational costs to achieve this focus are high and the ROI is impossible to calculate, yet the need for it is unquestioned.

In today's networked economy, where real-time results are demanded and reliance on the IT/network infrastructure is extraordinary, organizations are increasingly recognizing that their network resources deserve a similar focus: a focus on prioritizing, allocating and aligning critical resources in support of corporate goals and objectives. Traffic management technologies offer a simple yet effective method of imparting this intelligence to networks, so that a CRM or e-commerce transaction is given preferential treatment over an email or FTP session. Thankfully, network managers are discovering that, unlike employee alignment, the cost of strategic network alignment is low and the ROI calculations are straightforward.

The next two chapters will discuss network monitoring and reporting in more depth.

Chapter Summary

Enterprises would like to gain the benefits of converged WAN services while still maintaining the application response times that will suit users and make application deployments successful. To win on both counts, it is likely that some level of traffic management will be required.

Enterprises can build a business case for traffic management by first estimating the cumulative savings from delayed bandwidth upgrades. The next step involves examining the high cost of network and application downtime to their organizations' bottom lines, then monitoring the status of their networks to see if any core business applications are creating productivity losses during periods of congestion. Monitoring-only traffic management systems offer the dual benefits of providing this baseline business case data, and potentially replacing current or planned network monitoring platforms. The aggregate savings from implementing a traffic management solution are almost always a compelling business case with a rapid ROI for the organization.
Chapter 3: Network Monitoring Part I

Successfully managing network and application performance requires certain information about your network. First, you must know the application and protocol mix present on your network and how the traffic associated with each is currently performing. For example:
- Is there congestion on the network?
- If so, is the congestion occurring at consistent periods during the day, week or month?
- What applications, protocols, servers and users are contributing to the congestion?
- At what utilization level is the network running, both on average and during the periods of peak congestion?

Gaining this knowledge requires monitoring the network to gather usage statistics and then analyzing them via graphical reports from several perspectives. Many network managers are frequently surprised at the application traffic that has sneaked onto their networks. Armed with this information, you can logically determine how to manage it effectively.

Multiple Monitoring Flavors

There are many types of monitoring products, each designed to collect and analyze specific types of network information. Legacy monitors, for example, primarily monitor Layers 1-3. They generate reports on whether WAN service level agreements (SLAs) for network availability have been met, about performance levels for permanent virtual circuits (PVCs) in frame relay and ATM networks, and whether (and when) traffic is bursting above its Committed Information Rate (CIR).
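The four questions above can be answered from the flow records that a Layer 3/4 monitor exports. The Python below is an added example written for this edition, not code from the handbook or from any monitoring product: it reduces a handful of constructed flow records to average and peak utilization, the hours that count as congested, and the top talkers and top applications during those hours. The link rate, congestion threshold, hosts, applications and byte counts are all constructed.

```python
"""Baseline monitoring statistics from flow records (added example)."""
from collections import Counter, defaultdict

LINK_KBPS = 1536        # constructed: a T1 access circuit
CONGESTED_PCT = 80.0    # constructed: utilization at or above this counts as congestion
MB = 1_000_000

# Constructed records: (hour of day, source host, destination host, application, bytes sent)
FLOWS = [
    (9,  "10.0.1.20", "10.9.0.5",     "citrix", 120 * MB),
    (9,  "10.0.1.44", "198.51.100.7", "http",   250 * MB),
    (9,  "10.0.1.51", "203.0.113.9",  "p2p",    300 * MB),
    (10, "10.0.1.20", "10.9.0.5",     "citrix", 110 * MB),
    (10, "10.0.1.51", "203.0.113.9",  "p2p",    450 * MB),
    (10, "10.0.1.44", "198.51.100.7", "http",    60 * MB),
    (14, "10.0.1.20", "10.9.0.5",     "citrix",  90 * MB),
    (14, "10.0.1.62", "10.9.0.8",     "voip",    50 * MB),
]

HOUR, SRC, DST, APP, BYTES = range(5)   # column positions in a record


def hourly_capacity_bytes(link_kbps=LINK_KBPS):
    """Bytes the link can carry in one hour at line rate."""
    return link_kbps * 1000 / 8 * 3600


def utilization_by_hour(flows, link_kbps=LINK_KBPS):
    """Percent of link capacity consumed in each hour that carried traffic."""
    per_hour = defaultdict(int)
    for rec in flows:
        per_hour[rec[HOUR]] += rec[BYTES]
    cap = hourly_capacity_bytes(link_kbps)
    return {h: 100.0 * b / cap for h, b in sorted(per_hour.items())}


def congested_hours(flows, threshold=CONGESTED_PCT):
    """Hours whose utilization reaches the congestion threshold."""
    return [h for h, pct in utilization_by_hour(flows).items() if pct >= threshold]


def top_n(flows, column, n=3, hours=None):
    """Rank the values of one column (SRC for top talkers, APP for top
    applications) by bytes, optionally restricted to the given hours."""
    totals = Counter()
    for rec in flows:
        if hours is None or rec[HOUR] in hours:
            totals[rec[column]] += rec[BYTES]
    return totals.most_common(n)


def summary(flows=FLOWS):
    """The answers a network manager wants before writing any policy."""
    util = utilization_by_hour(flows)
    peak_hour = max(util, key=util.get)
    busy = congested_hours(flows)
    return {
        "average_pct": round(sum(util.values()) / len(util), 1),
        "peak_pct": round(util[peak_hour], 1),
        "peak_hour": peak_hour,
        "congested_hours": busy,
        "top_talkers": top_n(flows, SRC, hours=busy),
        "top_apps": top_n(flows, APP, hours=busy),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:16s} {value}")
```

Restricting the top-talker and top-application rankings to the congested hours is the point of the exercise: a host that is busy at 2 p.m. on an idle link is not a problem, whereas the constructed P2P source here accounts for more bytes during the two congested hours than the Citrix and web traffic combined. Note also that the average over the observed hours (about 69%) hides a peak of nearly 97%, which is exactly why buying capacity for the average and shaping the peaks, as Chapter 2 recommends, needs per-hour data rather than a monthly total.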
Figure 1: Identification of Top Talkers Some of these products also identify top talkers the PCs, servers and users generating the highest volumes of network traffic based on IP or MAC address. These monitors provide useful reports for tracking network behavior patterns. If congestion is present regularly, or if overall bandwidth utilization levels are growing steadily, network managers know that they will need to take action soon to ensure that sufficient capacity remains available for all applications. A newer breed of monitoring products focuses on network Layers 4 7. Such products often identify applications by port number, given that many applications consistently use the same port number. Unlike the earlier category of products, these products are able to calculate response times on a per-application basis. Both types of products perform important functions, and each has its limitations. The lower-layer products can draw general conclusions about overall network traffic, but not about specific applications. The higherlevel devices can measure application response time, but are unable to correlate relationships between application performance degradation and network conditions. Neither types of monitoring can take dynamic action to improve application performance that is degrading. Deep Packet Inspection In today s converged-network environment, savvy organizations will use monitors that combine the functionality of the two product types described to inspect traffic at all seven OSI layers. The most useful 18
products will also have the ability to take real-time action to control application performance using integrated network classification and policy-enforcement capabilities. These seven-layer monitors provide a foundation of information upon which network policies can be built, and the key to the statistics-gathering capabilities of these products is deep packet inspection (DPI). Layer 2 Layer 3 Layer 4 Layer 7 Layer 7 Protocol (Frame Relay, ATM, Ethernet, etc.) Protocol (IP, IPX, SNA, etc.) Protocol (TCP, UDP, etc.) and Port No. Packet Header (identifies application type) Payload DPI provides the ability to accurately identify application types by looking inside the packet header when the port number alone is insufficient. This is particularly useful for applications using dynamic port numbers, such as Voice over IP (VoIP), HTTP-based applications, Citrix-based remote-access applications, and the Microsoft NetMeeting conferencing application. While HTTP consistently uses port 80, for example, a number of web applications and traffic types utilize HTTP. For such applications, a port number alone is insufficient for identifying specifically which HTTP applications are running. Both real-time and long-term monitoring should be used to fine-tune policies about network behavior. In both cases, DPI is necessary for understanding traffic behavior and patterns so that policies can be implemented for each traffic type. Figure 2: Examples of Real-Time and Long-Term Monitoring of Network Behavior 19
As explained in Chapter 2, to determine whether traffic management is required, it is best to start by monitoring the network for one to two weeks, after which it is possible to review the historical reports and analyze many aspects of your network traffic, including the following: The composition of your network traffic at all OSI layers Which applications consume the most resources, and which applications are bandwidth-constrained The impact of low-priority applications on core business applications Which servers and users are the top talkers Average utilization levels, including highest and lowest utilization periods The affect of congestion on critical business applications and user productivity The presence of non-sanctioned applications on the network The existence of recreational traffic which you want to limit or block, as well as the users responsible for this traffic Once you have collected and analyzed these statistics and more, you can apply policies to the traffic. Continuing to monitor and fine-tune network behavior helps ensure you have applied the appropriate policies to indeed optimize the performance of core business applications. This fine-tuning includes classifying traffic based on its relative importance to your business objectives. Traffic Classification Classification is a component of setting and enforcing network policies, which will be examined more closely in Chapters 5 and 6. The more types of application traffic that are running on your network and the more diverse your user base is, the more traffic classes you are likely to need. Classification involves an exercise in which you organize your applications into categories based on traits that you wish to group together. The classification can have multiple dimensions, such as SAP traffic generated by Server A in the Human Resources department. Depending on the diversity of your network traffic and requirements, you could set up anything from two to thousands of classes. 
A general traffic class, for example, might be all HTTP traffic. If you need to be more precise, you might stratify HTTP carrying text, HTTP carrying images/video, HTTP carrying audio, HTTP going to Server A, HTTP going to Server B, all HTTP carrying text going to Server B and so forth.
The number of classes you might wish to establish can quickly multiply, depending on how closely you wish to control your traffic.

Figure 3: Graphic Display of Classes for Control of Traffic

Furthermore, as already mentioned, DPI will be needed to differentiate among all these traffic types running over HTTP. Once you have classified traffic, you can assign actions and attributes to those classes. These parameters will be discussed in more detail in Chapter 6.

Chapter Summary

Before you can successfully manage application performance across a network by setting network policies and classifying traffic, you must have a way to discover the various applications, protocols and users on the network, and evaluate how they are behaving. Consequently, the first step to successful management is monitoring these attributes using products that inspect network-layer behavior and conditions as well as specific application-performance levels and have the ability to correlate the two. This type of monitoring requires DPI to enable identification of applications that do not utilize fixed port assignments, or use fixed ports but carry different traffic types. Once you have discovered what is running on your network, you can classify traffic as to its priority during periods of congestion.
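The chapter's two points about DPI, illustrated as an added example (this is not code from the handbook or from Allot): on port 80 a port table can say only "HTTP", while the Content-Type in the server's response separates text, images, video and audio; and an application on a dynamic port (a SIP INVITE here) is invisible to a port table but recognisable from its first payload bytes. The port table, signatures and sample flows are constructed for illustration.

```python
"""Port-only vs. deep-packet-inspection classification of a flow (added example)."""
import re
from dataclasses import dataclass

# A port table identifies the transport-level service, not the application inside it.
PORT_TABLE = {21: "FTP", 25: "SMTP", 80: "HTTP", 443: "HTTPS", 5060: "SIP"}

# Payload signatures, checked regardless of port (the DPI step). Constructed, minimal.
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3}")
CONTENT_TYPE = re.compile(rb"(?im)^Content-Type:[ \t]*([\w.+-]+)/")
SIP_REQUEST = re.compile(rb"^(INVITE|REGISTER|OPTIONS|BYE|ACK) sip:")
HTTP_SUBCLASS = {"text": "HTTP-text", "image": "HTTP-images",
                 "video": "HTTP-video", "audio": "HTTP-audio"}


@dataclass(frozen=True)
class Flow:
    server_port: int   # port on the server side of the connection
    payload: bytes     # first payload bytes seen on the flow


def classify_by_port(flow):
    """Layer 4 only: what an access list or simple firewall can see."""
    return PORT_TABLE.get(flow.server_port, "unknown")


def classify_by_dpi(flow):
    """Layer 7: inspect the payload header, fall back to the port table."""
    data = flow.payload
    if HTTP_RESPONSE.match(data):
        m = CONTENT_TYPE.search(data)
        major = m.group(1).decode("ascii", "replace").lower() if m else ""
        return HTTP_SUBCLASS.get(major, "HTTP-other")
    if SIP_REQUEST.match(data):
        return "VoIP-SIP"
    return classify_by_port(flow)


# Constructed sample flows: two on port 80 carrying different content,
# one SIP call set-up on a dynamic port.
SAMPLE_FLOWS = [
    Flow(80, b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\nContent-Length: 1048576\r\n\r\n"),
    Flow(80, b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>"),
    Flow(51230, b"INVITE sip:sales@example.invalid SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5\r\n"),
]


def compare(flows=SAMPLE_FLOWS):
    """Side-by-side result of the two methods for each flow."""
    return [(classify_by_port(f), classify_by_dpi(f)) for f in flows]


if __name__ == "__main__":
    for port_view, dpi_view in compare():
        print(f"port table: {port_view:8s}  DPI: {dpi_view}")
```

The fallback at the end of classify_by_dpi is deliberate: a production classifier keeps the port table as its last resort, because the payload of a flow that has not yet exchanged a recognisable header gives it nothing better to go on.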
Chapter 4 Network Monitoring Part II

We have learned that network monitoring is a critical first step in traffic management, but it does not stop there. Ongoing monitoring is necessary to ensure continued network optimization and application performance because your network and its supported applications are constantly changing. As mentioned in Chapter 3, monitoring at Layers 1-7 using deep packet inspection (DPI) enables network managers to always know exactly what traffic is traversing their networks and how it is behaving. By combining monitoring with classification and policy-based traffic shaping, it is also possible to take action to control the performance of certain traffic flows based on your organization's goals, priorities and corporate policies.

A monitoring system without active traffic management features is like having a low fuel indicator on your automobile, but not being able to fill up the tank. Once you detect problems, you want a simple and straightforward way to address them. With active traffic management systems, you define what actions should be taken on specific traffic flows by assigning a policy to a particular classification of traffic or a particular network event. As explained in Chapter 3, traffic management policies can be few or many, simple or multidimensional.
Centralized Management Software

Devices that perform seven-layer monitoring and traffic management usually reside at network points where high capacity links connect to lower capacity circuits. Examples include a 100 Mbps LAN connecting to a 1.5 Mbps T-1 Internet link, or a DS-3 access circuit connecting to a 256 Kbps Frame circuit. Units deployed in these natural congestion points continually communicate with associated management software. If the management application offers a centralized window into all the circuits being monitored for a comprehensive network view, a single individual or small group of individuals can tune and manage application performance from a central location, rather than having to be distributed out to the various network locations.

Server-based management software that collects statistics from each monitoring/shaping device is often available with the purchase of the devices from the vendor. The server polls the various monitoring devices over the network to gather performance information. Generally, this network utilization data is stored in a centralized database (see Figure 1) and displayed on a management console in report form. It is important that this information be available in an intuitive graphical format that is easy and quick for the network manager to interpret, particularly when troubleshooting real-time performance issues on the network.

Figure 1: Common Monitoring System Architecture
Real-Time Monitoring for Troubleshooting

Monitoring the network in real time refers to gathering network statistics and generating reports on network behavior in time intervals of seconds or minutes. This form of monitoring assists in troubleshooting immediate problems. For example, the user interface may display something like a topology tree of all network circuits, with color-coding to quickly identify the health of each network segment. A green circuit turning to yellow may indicate network congestion on the circuit. If the circuit's health degrades beyond a certain point, the condition may trigger an alarm (typically color-coded in red) which is passed to a network manager either on the network management console or forwarded to a pager, cell phone, or other device.

Figure 2: Alarm Drill-Down Capabilities

Once the alarm is seen, it is possible to quickly drill down on the problem circuit by viewing multiple layers of reports and graphs. In some cases, double-clicking or right-clicking on the screen icons will produce increasingly granular information. For instance, your first step might be to display a pie chart of top protocols in use on the problem circuit in order to identify irregularities. If this view reveals a very high proportion of HTTP-streaming activity, right-clicking on that pie slice could display
a bar chart of top clients and servers utilizing that protocol, along with the amount of bandwidth each is consuming. In this example, two simple mouse clicks transform a general alarm into the knowledge that 30 of your employees are using 25% of your bandwidth to watch a streaming video file on the CNN web site.

Figure 3: Pie Chart of Top Protocols on Problem Circuit and Bar Chart of Top Clients and Servers Utilizing the Most Used Protocol

Armed with this real-time information on applications, protocols and users, it is possible to quickly correct the problem if your monitoring system also offers active traffic management features. For example, by returning to the pie chart of top protocols, you could right-click on the HTTP-streaming pie slice and add a traffic management policy instructing your system to limit this traffic to 10% of total bandwidth, or to block it entirely.

You could also start with line-level utilization to determine how much of a physical port is being utilized at the moment. If a port reaches 95% utilization, for example, this could cause congestion and performance degradation. Furthermore, it is possible to use reports to see if there is a permanent virtual circuit (PVC)-level problem on a frame relay or ATM link. If congestion is occurring at a head-end location, such as a data center WAN link, it is simple to drill down in your reporting system to determine if one PVC is heavily utilized or bursting beyond its committed information rate (CIR).

The following are some of the types of reports that enable quick troubleshooting and performance management:

- Pie charts showing total protocol and application distribution of traffic currently on the network, which can then be used to more finely classify and manage that traffic.
- Event reports, which include details about specific network events.
  These are a good starting point from which to drill down to discover the source of the problem and implement a policy to eliminate the problem.
- Trend reports that reveal a detailed, minute-by-minute view of fluctuations in network utilization. These will likely include average and peak usage values for each circuit.
- Response-time reports for tracking real-time and historical round-trip delay on all monitored circuits.

Historical Reports for Planning

Historical reporting generated on a daily, weekly or monthly basis is more useful for capacity planning and spotting longer term trends. In general, it is possible to select a time frame and filter the data used to create a report customized to what you wish to analyze. Using these reports, you should be able to see if you have the appropriate amount of bandwidth to each site or whether tuning the performance of the traffic on existing links would free up enough bandwidth that you can delay the cost of additional capacity.

These reports are particularly useful if you want to verify that the service-level agreements (SLAs) for which you have contracted with your WAN service provider are being met each month. For example, reports should be able to both summarize and provide detailed views of your network service level, circuit by circuit. This information can be shown to your service provider to prove any breaches from a contracted SLA.

Chapter Summary

A high-quality seven-layer monitoring tool should also provide easy access to a wide variety of real-time and long-term reporting features. Real-time reports are invaluable in troubleshooting immediate network problems, while long-term reporting is best for analyzing network trends such as daily congestion conditions on a given circuit. Use of a full-stack (seven-layer) device is especially powerful, because it pinpoints issues down to individual sessions, applications, protocols, and users.
The most useful and versatile systems also provide policy-based traffic management capabilities, since you will want to address the problems identified by your reports. Chapters 5 and 6 explore policy setting and enforcement in greater detail.
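The minute-by-minute trend report and the green/yellow/red circuit health states described in this chapter, as an added example that is not code from the handbook or from Allot. It turns per-interval byte counters polled from one circuit into average and peak utilization and raises the colour-coded alarm states; the sample counters, the T-1 capacity, the 80% warning threshold and the 95% alarm threshold (the figure the chapter cites as a congestion point) are constructed assumptions.

```python
"""Utilization trend report with threshold alarms for one circuit (added example)."""
from dataclasses import dataclass

INTERVAL_SECONDS = 60   # one counter sample per minute
YELLOW = 0.80           # assumed congestion warning threshold
RED = 0.95              # alarm threshold; 95% is the level the chapter cites


@dataclass(frozen=True)
class CircuitSample:
    minute: int
    bytes_in: int
    bytes_out: int


def utilization(sample, capacity_bps):
    """Fraction of capacity used in the busier direction during the interval."""
    busiest_bps = max(sample.bytes_in, sample.bytes_out) * 8 / INTERVAL_SECONDS
    return busiest_bps / capacity_bps


def health(util):
    """Map a utilization fraction onto the console's colour code."""
    if util >= RED:
        return "red"
    if util >= YELLOW:
        return "yellow"
    return "green"


def trend_report(samples, capacity_bps):
    """Average and peak utilization plus the intervals that would raise an alarm."""
    utils = [utilization(s, capacity_bps) for s in samples]
    peak_idx = max(range(len(utils)), key=utils.__getitem__)
    return {
        "average": sum(utils) / len(utils),
        "peak": utils[peak_idx],
        "peak_minute": samples[peak_idx].minute,
        "alarms": [(s.minute, health(u)) for s, u in zip(samples, utils)
                   if health(u) != "green"],
    }


# Constructed one-minute counters for a T-1 (1.544 Mbps) access circuit.
T1_BPS = 1_544_000
SAMPLES = [
    CircuitSample(0, 4_000_000, 1_500_000),
    CircuitSample(1, 9_500_000, 1_800_000),    # ~82%: warning
    CircuitSample(2, 11_200_000, 2_000_000),   # ~97%: alarm
    CircuitSample(3, 6_000_000, 1_200_000),
]


if __name__ == "__main__":
    report = trend_report(SAMPLES, T1_BPS)
    print(f"average {report['average']:.1%}, peak {report['peak']:.1%} "
          f"at minute {report['peak_minute']}")
    for minute, state in report["alarms"]:
        print(f"minute {minute}: {state}")
```

Using the busier direction rather than the sum of both is the choice that matters on a full-duplex circuit: inbound and outbound each have the full capacity, so adding them would report 200% as the ceiling and hide a saturated direction behind an idle one.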
Chapter 5 Creating a Network Policy: Classification

For many organizations, the biggest challenge in implementing a traffic management solution has more to do with the executive committee than the IT department. Before you install and configure such a strategic technology, one capable of aligning critical IT resources with corporate goals, it is imperative that you establish your organization's policy framework before creating the policies you would like your system to enforce. Depending on your organization's culture, size and type of business, determining the relative importance of your organization's various traffic types might require input from the IT department, as well as other departments and business units. Creating a general strategy regarding what is most important to your organization as a whole allows the IT department to then ensure that the network's behavior reflects those priorities.

Increasingly, organizations are recognizing that traffic management technology can be a strategic weapon to their business, and may in fact hold the potential to offer a strategic advantage over their competitors. As corporations have sharpened their focus on core competencies and streamlined operations, the need for precise resource alignment has never been greater. To achieve this, all key resources must be focused on the organization's top strategic priorities. As shown in Figure 1 below, the
mission-critical nature of IT and networking means that strategic direction regarding resource alignments and traffic priorities originates in the boardroom.

Figure 1: The Strategic Role of Traffic Management Systems
Traffic management solutions provide a foolproof method of ensuring alignment between corporate strategy and IT/network resources

For instance, a company whose top three strategic objectives are customer service, revenue growth, and improved e-commerce results, could easily use their traffic management system to their competitive and strategic advantage. For example, they could classify all CRM traffic into a customer service group, all Sales Force Automation (SFA) traffic into a revenue group, and all traffic to and from their e-commerce servers into an e-commerce group. By assigning each service group the highest possible priority on the network, the IT department's alignment with corporate goals is exceptional.

Internal SLA Considerations

To ensure that business goals are supported in the IT infrastructure, networking departments are increasingly required to strike service-level agreements (SLAs) with their internal customers. These internal SLAs might emerge because the IT department is viewed in a role similar to that of a third-party service provider within an organization, particularly if the IT department charges back internal departments or cost centers for networking services. An example would be an SLA to deliver high-quality QoS on VoIP calls to an overseas subsidiary.
Additionally, internal SLAs might serve as a performance criterion for evaluating IT and networking staff. The bottom line: if your organization utilizes internal SLAs in support of business goals or interdepartmental relationships, you should factor these considerations into your policy framework.

Classifying Traffic

Classifying traffic involves dividing traffic into categories or groups, each of which is deemed to have enough in common that all packet/session flows within the group should be treated in the same way. You can have two groups or 10,000 groups, depending on the complexity of your network, the size of your organization and the level of granularity you have incorporated into your policy framework.

As described in previous chapters, most traffic management systems offer a monitoring-only mode, allowing the collection of vital usage information for your network. The data and reports from this monitoring phase will provide vital insight into statistics and trends that should form the technical foundation of your classification strategy. For example, if your most pressing issues exist at a given location, or are user-, application- or time-of-day-oriented, your framework should factor in these variables.

Most systems offer a hierarchical approach to classification. The highest level might represent a physical or logical circuit (a "pipe") to which you wish to apply traffic management or QoS policies. For instance, a DS3 (45 Mbps) Internet link could be allocated such that your e-commerce data center receives 30 Mbps and your HQ employees share the other 15 Mbps. This separation might be achieved via IP address ranges or IP subnets. In such a scenario, each pipe can be managed as if it was a separate physical circuit. Within each pipe, you can further classify your traffic into logical service groups you wish to manage (see Table 1).
Returning to our example, Customer Service, Revenue and E-commerce service groups would exist within either or both pipes, allowing you the flexibility to manage them separately, while still providing strong linkage to your corporate goals.
Table 1: A Hierarchical Approach to Traffic Classification

Data Center Traffic (30 Mbps), Subnet 1
  E-commerce (high priority): HTTPS, HTTP
  Oracle (high priority)
  Email (low priority): MS Exchange, Lotus Notes
  FTP-business hours (low priority)
  FTP-after hours (high priority)
  All Other Traffic (low priority)

HQ Traffic (15 Mbps), Subnet 2
  Customer Service (Subnet 2a) (high priority): CRM, HTTP
  Revenue (high priority): SFA
  VoIP (high priority): H.323, SIP
  Email (medium priority): MS Exchange, Lotus Notes
  FTP-all hours (low priority)
  All Other Traffic (low priority)

You may also wish to take it one step further and classify traffic and assign policies uniquely within a service group, such as assigning one policy to your Lotus Notes email sessions and a different policy for your MS Exchange traffic. Similarly, a service group called VoIP could contain both H.323 and SIP policies, so that each H.323 session by a HQ employee could potentially be handled differently from a SIP session.

The logical structure of these traffic groupings will form the foundation for your traffic management framework, and will dictate how your network and application traffic will behave. Your approach should carefully consider the many options available to your traffic management
implementation, including setting policies based on: MAC or IP addresses; ranges of IP addresses (which may represent a department, location or business unit); application; subnets; VLANs; protocol; location; traffic direction (inbound vs. outbound); time of day; or groupings/combinations of all the above, and many other variables.

User-Defined Traffic

To help you establish policies for user-definable traffic sessions, or even applications developed in-house, most systems allow you the flexibility to easily add new entries to a service catalog. For instance, you may wish to give priority treatment to your executive team's Monday morning IP videoconference. This is easily accomplished by creating a new service called Monday Executive Conference, specifying each member's source IP address, selecting H.323 protocol (for instance), and indicating the timeframe for the call. Once the new service is defined, you are ready to create a traffic management policy to handle it appropriately. This is discussed in Chapter 6.

Chapter Summary

Establishing a policy framework for your traffic management system should be closely tied to your strategic corporate goals, and affords you the opportunity to align your IT and networking resources with those goals. Consequently, setting enterprise-wide network policies should be a joint effort between the executive staff, departments and business units, and the IT organization. Once your policy framework is defined, most systems make it easy to create service groups to help classify traffic based on variables such as application, user, server, time of day, and time of week. When you are comfortable that your traffic is being classified and grouped according to your objectives, policies can be created that direct your traffic management system on the proper handling of each traffic type.
Together, classification and assigning actions to traffic classes form a network policy that will optimize your bandwidth utilization, application performance and business/IT resource alignment. Assigning traffic management actions to traffic classes is discussed in Chapter 6.
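The hierarchy of Table 1 (pipe by subnet, then service group, then service, with the time-of-day split for FTP) together with the user-defined Monday Executive Conference service, written as a table-driven classifier. This is an added example, not code from the handbook or from Allot; the subnets standing in for Subnet 1, Subnet 2 and Subnet 2a, the executive-team address range, the 08:00-18:00 business-hours window and the sample flows are all constructed assumptions, and the application label on each flow is taken as already supplied by DPI.

```python
"""Hierarchical classification: pipe -> service group -> service (added example)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str           # source address on the LAN side
    app: str           # application label as identified by DPI
    when: datetime     # when the flow was observed


# Small predicate builders so each rule reads like the row in the table.
def subnet(cidr):
    net = ip_network(cidr)
    return lambda f: ip_address(f.src) in net


def app_in(*names):
    return lambda f: f.app in names


def business_hours(f):          # assumption: 08:00-18:00 local time
    return 8 <= f.when.hour < 18


def monday_morning(f):          # assumption: Monday 08:00-12:00
    return f.when.weekday() == 0 and 8 <= f.when.hour < 12


def all_of(*preds):
    return lambda f: all(p(f) for p in preds)


# Level 1: pipes keyed on source subnet (constructed stand-ins for Subnet 1 and Subnet 2).
DC, HQ = "Data Center Traffic (30 Mbps)", "HQ Traffic (15 Mbps)"
PIPES = [(DC, subnet("10.1.0.0/16")), (HQ, subnet("10.2.0.0/16"))]

# Levels 2-3: (pipe, service group, priority, match). First match wins, so the more
# specific entries (the user-defined conference, Subnet 2a, FTP in business hours) come first.
RULES = [
    (DC, "E-commerce", "high", app_in("HTTPS", "HTTP")),
    (DC, "Oracle", "high", app_in("Oracle")),
    (DC, "Email", "low", app_in("MS Exchange", "Lotus Notes")),
    (DC, "FTP-business hours", "low", all_of(app_in("FTP"), business_hours)),
    (DC, "FTP-after hours", "high", app_in("FTP")),
    (HQ, "Monday Executive Conference", "high",               # user-defined service
        all_of(subnet("10.2.99.0/28"), app_in("H.323"), monday_morning)),
    (HQ, "Customer Service", "high", all_of(subnet("10.2.10.0/24"), app_in("CRM", "HTTP"))),
    (HQ, "Revenue", "high", app_in("SFA")),
    (HQ, "VoIP", "high", app_in("H.323", "SIP")),
    (HQ, "Email", "medium", app_in("MS Exchange", "Lotus Notes")),
    (HQ, "FTP-all hours", "low", app_in("FTP")),
]


def classify(flow):
    """Return (pipe, service group, service, priority), or None if no pipe matches."""
    pipe = next((name for name, match in PIPES if match(flow)), None)
    if pipe is None:
        return None
    for rule_pipe, group, priority, match in RULES:
        if rule_pipe == pipe and match(flow):
            return (pipe, group, flow.app, priority)
    return (pipe, "All Other Traffic", flow.app, "low")


# Constructed sample flows (25 Sep 2006 is a Monday, 26 Sep a Tuesday).
SAMPLE_FLOWS = [
    Flow("10.1.5.7", "FTP", datetime(2006, 9, 25, 22, 0)),
    Flow("10.1.5.7", "FTP", datetime(2006, 9, 25, 10, 0)),
    Flow("10.2.99.3", "H.323", datetime(2006, 9, 25, 9, 30)),
    Flow("10.2.99.3", "H.323", datetime(2006, 9, 26, 9, 30)),
    Flow("10.2.10.8", "HTTP", datetime(2006, 9, 25, 9, 30)),
    Flow("10.2.50.1", "HTTP", datetime(2006, 9, 25, 9, 30)),
    Flow("192.168.1.1", "HTTP", datetime(2006, 9, 25, 9, 30)),
]


def classify_samples():
    return [classify(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, result in zip(SAMPLE_FLOWS, classify_samples()):
        print(flow.src, flow.app, "->", result)
```

Because rules are ordered and the first match wins, adding a new user-defined service is a matter of inserting one row above the more general rules it refines; the same H.323 flow from the same executive desk lands in the conference class on Monday morning and in the ordinary VoIP class on Tuesday.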
Chapter 6 Creating a Network Policy: Assigning Actions

Once your network traffic has been classified, as described in Chapter 5, actions must be assigned to the various classes. The assigning of actions to service classes represents the application of quality of service (QoS) to your traffic types. Together with classification, assigning actions to your traffic constitutes setting rules or policies about how those packet flows should be handled. Collectively, these policies form your traffic management framework. Let's take a look at the actions that you can assign to the network classes you have created and why you might wish to assign these actions.

Rate Limiting

This action involves setting a limit to the amount of bandwidth that can be consumed by a specified subset of your traffic. You could rate limit either by an entire traffic class such as email, by a given traffic flow within a class such as a VoIP session, or even by a range of IP addresses which might constitute a department, such as the HR Department. Furthermore, bandwidth can be rate limited to a percentage of overall available capacity or to an absolute amount. For example, email might be limited such that it can consume no more than 10% of overall bandwidth; VoIP might be rate limited to 64 Kbps per flow or user session, and the HR Department might be limited to no more than 764 Kbps.
The purpose of bandwidth rate limiting is to ensure that a certain traffic class or traffic flow does not consume more than a reasonable amount of available network resources. This is helpful to keep bandwidth-hungry applications, such as certain peer-to-peer and streaming applications, from monopolizing all network capacity. Similarly, even mission-critical applications should generally not be allowed to completely starve out other applications, which are necessary to conduct day-to-day business.

Bandwidth Guarantees

Rather than restrict (rate limit) bandwidth, the opposite approach is to guarantee a minimum amount of bandwidth to a traffic subset. Using this methodology, a particular class or traffic flow within a class is always sure to have the bandwidth it needs to perform as expected. As with rate limiting, the amount of bandwidth allocated can be guaranteed to an entire class, to a flow within a class, or to a range of IP addresses. In fact, you could even guarantee bandwidth to your CEO's IP address, to avoid complaints from the corner office. As with rate limiting, bandwidth guarantees can be specified in terms of an absolute amount of bandwidth or a percentage of total capacity.

It is important to note that the overriding principle of traffic management algorithms is to maximize the efficient utilization of available network capacity. With that in mind, the term bandwidth guarantee should not be taken too literally. If 40% of capacity is guaranteed for e-commerce transactions yet only 25% is being used at a given point in time, the system would temporarily allow other applications to utilize the 15% that is available. Similarly, these complex algorithms account for the reality that even the lowest priority traffic must be allocated some amount of capacity during periods of 100% utilization.
Bandwidth Reservation

Bandwidth reservation is similar to bandwidth guarantees, but is applied when the network manager wishes to dynamically reserve bandwidth once certain conditions are met. This action could be referred to as "reserve when active". Bandwidth reservation is used most often for delay-sensitive applications requiring constant-bit-rate (CBR) service, such as VoIP and real-time video. With this type of bandwidth reservation, as with guaranteed bandwidth, if there is no active flow (i.e., no VoIP traffic), the bandwidth
is dynamically released for use by other classes for maximum bandwidth efficiency. The moment the system detects a VoIP session, bandwidth is reserved for that call.

Another version of bandwidth reservation would be to always reserve bandwidth for a traffic class even when no active session is present. This action, typically called "reserve always", might be invoked for sessions that must start particularly quickly or in non-session-oriented applications when users want user datagram protocol (UDP) packets to reach their destinations quickly, such as in continuous SNMP-based management data transfers.

With both types of bandwidth reservation, as well as with bandwidth guarantees, bandwidth usage by a given class can exceed the guarantee, provided that capacity is available, in a best-effort manner. In addition, all these actions (rate limiting, bandwidth guarantee and both types of bandwidth reservation) allow control over the number of concurrent flows in a class. This is extremely helpful, because a given flow might require a minimum amount of bandwidth to deliver an adequate user experience.

Figure 1: Assigning Actions to Traffic Classes
Once traffic is classified, specific actions can be assigned to each class or flows within classes to control network performance
Traffic Blocking

Network managers can assign a traffic class or flow to be blocked, or dropped entirely. This action is useful for guarding against unwanted recreational traffic that might pose a liability or security risk to an organization. For example, this might be some type of peer-to-peer application that carries potential copyright or privacy infringement ramifications with its use; or an organization seeking to block certain network ports or traffic types known to be associated with malicious worms or network-borne viruses. With some traffic management systems, you can choose to block in one of two ways: drop or reject. Network managers usually select the drop option when they do not wish the source of the traffic to know about the blocking for security purposes.

Relative Prioritization

Most traffic management products also provide ways to establish relative priorities to traffic classes. This is a fairly simple and logical way to ensure that, in the event of congestion, certain traffic flows are passed through the network ahead of others. For example, you might decide that CRM traffic is high priority, email is medium priority, and FTP is low priority. If a congestion situation arises, FTP session(s) may be queued temporarily to ensure that the Customer Service Department's CRM traffic flows uninterrupted.

Network Rules

In the final analysis, traffic management policies are designed to alter the behavior of traffic flows so that your network and network applications perform consistently with the manner in which you operate your business. The ultimate goal is to create a policy framework that aligns your network resources with your strategic business goals, and produces optimal application performance. Returning to the traffic classification example from Chapter 5, the following are the QoS actions (and their implications) associated with this configuration:
Table 1: A Hierarchical Approach to Traffic Classification

Unwanted Traffic
  Peer-to-Peer (drop): KaZaA, WinMX, Other P2P
  Known Worms/Viruses (drop): Blaster/Port XXXX, Slammer/Port XXXX, Other Worms

Data Center Traffic (guarantee 30 Mbps)
  E-commerce (high priority): HTTPS, HTTP
  Oracle (high priority)
  Email (medium priority): MS Exchange, Lotus Notes
  FTP-business hours (low priority)
  FTP-after hours (high priority)
  All Other Traffic (low priority)

HQ Traffic
  Customer Service (guarantee 5 Mbps): CRM, HTTP
  Revenue (high priority): SFA
  VoIP: H.323 (reserve 32 Kbps/session when active), SIP (reserve 64 Kbps/session when active)
  Email (medium priority): MS Exchange, Lotus Notes
  FTP-all hours (low priority)
  All Other Traffic (low priority)
In most cases, although possible, it is not desirable to create policies that form a hard partition between classes, such as HQ and the Data Center. If the Data Center is only consuming 10 Mbps at a point in time (of the guaranteed 30 Mbps), it would be highly inefficient to allow the remaining 20 Mbps to go unused. For this reason, the typical policy framework is designed to allow maximum bandwidth efficiency/utilization, and only enforce limits and guarantees when certain congestion conditions are met.

Finally, while it might seem that policy creation and maintenance can quickly become very time-consuming, today's automated traffic management tools have come a long way in simplifying the process for building and propagating rules network-wide. Most products offer tools to replicate rules between devices and circuits throughout the enterprise network. Policy building for enterprise-wide environments can often be completed in an hour or two.

Chapter Summary

Assigning actions to traffic classes constitutes applying QoS parameters/traffic shaping actions to your network traffic. Together, all network rules form a traffic management policy framework. Generally, Layer 7 traffic management systems enable IT and network managers to guarantee minimum amounts of bandwidth and set ceilings on bandwidth of entire classes or on a per-flow basis within a class. They can also reserve bandwidth for real-time sessions and block or drop certain types of traffic.

Despite the incredible advances in networking technologies over the last twenty years, all packet-based networks still operate on the original FIFO (first-in-first-out) principle of packet handling. They do this to achieve goals of speed, simplicity and operational efficiency. The purpose of traffic management systems is to overlay that FIFO methodology with a unique, custom-designed series of policies that strategically alters the behavior of network traffic.
Your ultimate goals are strategic IT/business alignment and optimal performance and efficiency from your IT and network infrastructure.
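How the actions in this chapter combine in one scheduling decision, as an added example (not code from the handbook or from Allot): drop, rate limit (a ceiling), bandwidth guarantee, "reserve when active" (a per-session reservation that exists only while sessions are live, with a cap on admitted flows) and relative priority, followed by the borrowing step that hands unused capacity, including unused guarantees, to other classes so that the link is not hard-partitioned. The class table, the DS3 capacity, the 1% floor that keeps the lowest-priority class from being starved at 100% load, and the offered loads are constructed assumptions. The first scenario reproduces the chapter's own arithmetic: 40% guaranteed to e-commerce, 25% used, the remaining 15% lent out.

```python
"""Work-conserving allocation of link capacity across traffic classes (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TrafficClass:
    name: str
    priority: int                     # higher is served first when borrowing
    guarantee: float = 0.0            # kbps always set aside ("reserve always" / guarantee)
    ceiling: Optional[float] = None   # kbps rate limit; None means no ceiling
    reserve_per_flow: float = 0.0     # kbps per admitted flow ("reserve when active")
    max_flows: Optional[int] = None   # cap on concurrent flows admitted to the class
    drop: bool = False                # block the class entirely


def allocate(capacity, classes, demand, active_flows, floor=0.01):
    """Return {class name: kbps granted} for one scheduling interval.

    demand: offered load per class in kbps; active_flows: live sessions per class.
    floor: fraction of capacity every non-dropped class with demand still receives,
    so the lowest-priority class is never starved completely at 100% load.
    """
    grant = {}
    remaining = capacity
    ordered = sorted(classes, key=lambda c: c.priority, reverse=True)

    def wanted(c):
        want = demand.get(c.name, 0)
        return min(want, c.ceiling) if c.ceiling is not None else want

    # Phase 1: drops, then guarantees and active reservations, highest priority first.
    for c in ordered:
        if c.drop or demand.get(c.name, 0) <= 0:
            grant[c.name] = 0.0
            continue
        flows = active_flows.get(c.name, 0)
        if c.max_flows is not None:
            flows = min(flows, c.max_flows)
        reserved = c.guarantee + c.reserve_per_flow * flows
        got = min(wanted(c), max(reserved, capacity * floor), remaining)
        grant[c.name] = got
        remaining -= got

    # Phase 2: borrowing. Whatever is left (unused guarantees included) goes to classes
    # with unmet demand in priority order, never above a class's ceiling.
    for c in ordered:
        if remaining <= 0:
            break
        if c.drop:
            continue
        extra = min(wanted(c) - grant[c.name], remaining)
        if extra > 0:
            grant[c.name] += extra
            remaining -= extra
    return grant


# Constructed policy for a DS3 (45 Mbps) link, loosely following Table 1.
DS3_KBPS = 45_000
CLASSES = [
    TrafficClass("E-commerce", priority=10, guarantee=0.40 * DS3_KBPS),
    TrafficClass("VoIP", priority=10, reserve_per_flow=64, max_flows=50),
    TrafficClass("Email", priority=5, ceiling=0.10 * DS3_KBPS),
    TrafficClass("P2P", priority=0, drop=True),
    TrafficClass("Other", priority=1),
]


def example_allocation(ecommerce_kbps=11_250):
    """Congested interval: total offered load exceeds the link; e-commerce demand is a parameter."""
    demand = {"E-commerce": ecommerce_kbps, "VoIP": 640, "Email": 9_000,
              "P2P": 5_000, "Other": 30_000}
    flows = {"VoIP": 10}
    return allocate(DS3_KBPS, CLASSES, demand, flows)


if __name__ == "__main__":
    for name, kbps in example_allocation().items():
        print(f"{name:11s} {kbps:8.0f} kbps")
```

In the default scenario e-commerce uses 11,250 kbps of its 18,000 kbps guarantee, ten VoIP calls hold exactly their 640 kbps of reservations, email is capped at its 10% ceiling, P2P is dropped, and everything else (28,610 kbps) flows to the best-effort class, so the link is fully used. Raising the e-commerce demand above its guarantee shows the other side: it keeps its 18,000 kbps unconditionally, then competes for the rest at its priority, and the best-effort class shrinks to absorb the difference.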
Chapter 7 Managing Shared IP VPN and Internet Connections

Enterprises often wish to use a single physical WAN access circuit at a given site to carry both unencrypted Internet traffic and encrypted IP virtual private network (VPN) traffic to other corporate sites. This is often the case in enterprises that require remote sites to access the public Internet from a single central site for security reasons. Such organizations might, for example, have a high bandwidth (T1/T3 or faster) IP connection at the headquarters' data center, linking HQ and all remote sites to each other and to the Internet.

VPN services come in two basic forms: a telco-provided service offering special routing of unencrypted VPN sessions, and a do-it-yourself version in which IT staff utilize the organization's basic Internet infrastructure and overlay it with VPN encryption software or hardware devices. This chapter primarily deals with the latter alternative.

According to researcher Vertical Systems Group, the number of IP VPN sites in the U.S. is expected to triple to about 345,000 by the end of 2007. This represents a compound annual growth rate of 29%. One growth driver is that, increasingly, many enterprises are migrating from Layer 2 WAN services such as Frame Relay to Layer 3 Internet-based encrypted
VPN services. Because Internet-based services are less expensive than private network services, this migration allows enterprises to enjoy significant savings on recurring WAN service costs. The ability to partition a single physical link into multiple virtual connections for both public Internet and private IP VPN Intranet connections yields additional savings on monthly recurring access circuit fees. Savings are even greater in international locations, where rates are generally more expensive than in the U.S.

Smoothing out Bottlenecks

Traffic management devices enable network administrators to classify and manage traffic sessions to both public and private destinations across a shared access circuit. Traffic can be classified as Internet or VPN traffic, with policies applied accordingly. Managing shared Internet and VPN traffic in this way gives users an experience similar to a leased private line (at much lower cost) by smoothing out bottlenecks at the LAN-WAN junction.

Without a traffic management capability, for example, a user on a shared access link might conduct a large download such as the latest Microsoft Service Pack from the Internet. VPN users sharing the access link for interactive Citrix or CRM might suddenly find themselves with little or no bandwidth during that time. By the time the network support staff is able to look into the problem, the issue is likely to have cleared up, with no one knowing what happened to cause the bottleneck.

Encrypted Traffic

Depending on where the traffic management device is installed, network administrators have varying levels of flexibility in how they can apply policies to VPN traffic. If the traffic management device is positioned such that it sees the traffic before it is encrypted (namely, on the LAN side of a VPN concentrator, firewall, router or other encryption-capable device), the traffic management device can classify traffic and apply policies to classes of traffic on a per-VPN-tunnel basis (see Figure 1).
Figure 1: Placement for Managing VPN Traffic (Pre-Encryption)
Placing the traffic management device between the LAN and the encryption device allows for deep packet inspection, and thus more granular control of VPN traffic

If the traffic management system does not inspect traffic until it has been encrypted (on the WAN side of the encryption device), Deep Packet Inspection (DPI) is impossible and traffic management capabilities will be limited accordingly. In this scenario, policies can be applied to either all VPN traffic as a service class, each individual VPN session, or to individual sessions based on source or destination address. Internet traffic, which is unencrypted, is unaffected by these VPN considerations and has no limitations on the policies that can be applied.

Figure 2: Sample Policies, Shared T1 with Unencrypted VPN

VPN Traffic to Site 2 (512K max)
  VoIP (64K/session)
  Citrix (priority 10)
  CRM (priority 8)
  Email (priority 5)
VPN Traffic to Site 3 (256K max)
  VoIP (64K/session)
  Citrix (priority 10)
  CRM (priority 8)
  Email (priority 5)
Internet Traffic
  Web (priority 7)
  FTP (priority 3)
  P2P (drop)
  Other (priority 1)
In the sample policy in Figure 2, VPN traffic is unencrypted, allowing for Layer 7 classification and associated policies. In this case, all VPN traffic is limited to 768 Kbps to avoid contention with Internet sessions. Over time, this policy should be monitored to ensure that high-priority VPN (and Internet) applications are receiving the bandwidth they require.

Chapter Summary

Increasingly, enterprises are using the public Internet plus encryption to build VPN tunnels that form corporate network backbones. This form of convergence saves on recurring WAN service costs as compared to the cost of true private network services. Often, it makes fiscal sense to share a physical access circuit for both Internet and VPN traffic and to manage application traffic policies across the shared circuit accordingly. A shared access link can be split into two virtual circuits (VCs): one for Internet applications and the other for VPN traffic.

If the traffic manager examines traffic before it has been encrypted, it can examine the application, protocol, port number, and other variables and apply granular policy parameters to the traffic flow based on this deep packet inspection information. It can also do this for any Internet-bound traffic. If VPN traffic is examined after encryption, the traffic management system cannot identify individual application sessions, making it necessary to creatively establish policies based on variables that the system can readily identify and manage.
Chapter 8
A Look Inside HTTP

As mentioned frequently throughout this handbook, the ability to identify and classify the multitude of applications traversing networks is integral to the function of traffic management systems. In the early days of the Internet, differentiating one application type from another was fairly simple, because each application had a fixed port number associated with it. In such an environment, classifying traffic by logical port number was straightforward. For example, if you needed to restrict the use of a particular type of application, you could block access to the application's TCP or UDP port number, assigned by the Internet Assigned Numbers Authority (IANA), using a router access control list or a simple firewall.

Figure 1: TCP Port Number Assignments
  Well-known ports: 0-1023
  Registered ports: 1024-49151
  Dynamic and/or private ports: 49152-65535
IANA divides TCP port numbers into three ranges. To the extent possible, the same assignments are used for UDP traffic. Port assignments can be found at http://www.iana.org/assignments/port-numbers
Port numbers assigned by IANA are used in TCP application transmissions, and where possible, these same port assignments are used with UDP application transmissions as well. Still, some ports must be left open for a network to function. For example, in today's networks, most web browsing is done using the Hyper Text Transfer Protocol (HTTP). HTTP uses the well-known port 80 or the registered port 8080, so even the most restrictive networks are likely to leave these ports open. However, other applications sometimes use these ports. These might include multimedia, entertainment and instant file-sharing applications which use port 80 or 8080 to circumvent blocked ports in firewalls.

Sometimes, businesses and universities block the well-known or registered ports for some of these applications, if they believe that the applications have no business productivity benefit to the organization, carry too great a security risk or pose a corporate legal liability. File-sharing and peer-to-peer applications fall most often in the last category, and they will be described more closely in an upcoming chapter.

For now, consider a case in which you choose to thwart use of the desktop audio-streaming application RealAudio in your business for productivity reasons. You might do this by simply blocking the entire range of UDP ports 6970-7170 in your firewall. RealAudio, however, could theoretically bypass those network restrictions and hop over to HTTP's port 80 by default upon finding those ports blocked. Furthermore, some non-web traffic can hide in an HTTP tunnel, sometimes using encryption to evade detection. You might also wish to establish different policies for applications that use the HTTP protocol and port 80, given that a wide mix of traffic types use HTTP, and not all web traffic using HTTP deserves the same network treatment in your organization.
Less critical web traffic and non-web traffic masquerading as HTTP traffic can both degrade the performance of highly critical HTTP traffic, such as revenue-generating e-commerce transactions. Because numerous applications with widely varying levels of importance can sneak in under the guise of HTTP, many organizations leverage the deep-packet inspection (DPI) capabilities of sophisticated traffic management devices to differentiate among these traffic types. First, they might classify and separate the actual HTTP (traffic deemed OK to be on the network) from the non-HTTP traffic (traffic deemed unacceptable for network admission) and apply appropriate policies to each. For example, you might wish to provide high priority to actual HTTP and block all non-HTTP.

HTTP Types

Based on the policies you have established, traffic management systems perform a number of classification activities in real time. One such activity includes parsing sessions into categories based on certain variables, including: source and destination addresses, host names, browser type, etc. If, for example, you have a policy restricting the amount of bandwidth available to people accessing the CNN web site, your system must inspect each traffic session for destination address in order to enforce this policy. If you have no policies based on destination, your system will not bother to inspect or classify based on this variable.

The second activity is more complicated and requires more sophisticated DPI techniques. In this process, certain data attributes of traffic flows are used to create an application signature which uniquely identifies that traffic. Think of this as akin to a human fingerprint. In real time, these signatures are compared against a database of known application signatures in order to correctly classify and enforce your policies. Many P2P applications utilize HTTP but cannot be accurately identified without this DPI technique. Given that some traffic management devices are capable of performing these DPI processes on up to half a million simultaneous sessions (with virtually no added latency), it is possible to begin to understand the power and sophistication of today's more advanced systems.

In addition, HTTP could be the transport protocol used to carry different types of traffic belonging to the same application, some of which are desirable while others are not. For example, you might wish to block ZIP or EXE files that could contain hidden viruses while allowing all other HTML traffic types.
Remember, as described in Chapter 6, there is much more to policies than either blocking or allowing application traffic; there are varying levels of bandwidth allocation, rate limiting and marking techniques to guarantee bandwidth and to ensure application performance levels.
Figure 2: Sample Policies for Managing Various HTTP Traffic Types
Many organizations are recognizing the need for DPI-based traffic management systems to manage the multitude of traffic types utilizing HTTP and/or port 80.

Simpler network devices (without DPI capabilities), which rely exclusively on the TCP/UDP port inspection method, remain vulnerable to the classification and security limitations of port 80 and multiple application types running across HTTP. So, of course, checking on a device's ability to support DPI and the number of application signatures supported in the device's library are among the variables you should investigate when evaluating vendors' products, if managing HTTP performance and its impact on the rest of your network traffic is important to you.

Chapter Summary

HTTP, the transport protocol used to transport web browsing traffic which utilizes well-known port 80, is an excellent example of why sophisticated traffic management systems with DPI capabilities are increasingly required for managing application traffic. Many applications of wildly varying importance to your organization utilize (or hide behind) this protocol and/or this port, each with unique issues and requirements. E-commerce transactions, web browsing and illegal P2P downloads are prime examples of this disparity, and help illustrate why blocking port 80 at the firewall is not a practical solution. Utilizing DPI, application signatures and other techniques, traffic management systems are adept at identifying the multitude of HTTP sub-classes of traffic and managing each type based on the policies established. Empowered with this level of granularity, traffic management systems are able to handle e-commerce as a critical priority, while minimizing legal liabilities by blocking P2P downloads altogether.
Chapter 9
Taming Peer-to-Peer Traffic

The term Peer-to-Peer, or P2P, often conjures up visions of Mountain Dew-guzzling teenagers clogging cable networks by downloading hundreds of songs for their new iPod, while mom and dad unwittingly think junior is studiously doing his homework. These days, it should also conjure up images of 20% of your employees hogging your valuable corporate bandwidth for their own recreational use, while their supervisors unwittingly think they are working on their budget reports. It should also evoke fears of multi-million dollar corporate lawsuits, widespread virus attacks and staggering losses in productivity. All this from potent third- and fourth-generation offspring of the now-harmless Napster.

P2P applications transform computers into peers that act as both client and server. In current generation P2P architectures, each peer can directly access the available resources of other peers for free, bypassing security safeguard checks and billing services handled by servers in the middle and creating the potential for the bootlegging of private material. To find the files they want, peers send floods of queries to other peers, often scouring thousands before a result is found. This process naturally consumes large volumes of network bandwidth.

P2P networks revolve around directories or indexes of shared files housed on the computers of all the peer network's members. The client software
that each member must install always includes a search mechanism for locating files. Search results generally list multiple sources for each of the requested files, from which the requestor selects the desired source for each file. This process creates a list of requested files for download, then queues them up for download, often with many files downloading simultaneously. As you may expect, downloading every song ever produced by the Rolling Stones during work hours is not generally regarded as a productive use of network resources.

Typical examples of P2P applications are eMule, BitTorrent, eDonkey, LimeWire, Hotline, Jabber, KaZaA, Napster, Audiogalaxy, Madster-Aimster, Morpheus, Gnutella, Skype, WinMX, iMesh, BearShare and Grokster.

Why P2P Can be a Headache

Because the Internet has become an essential business tool, P2P can become a major source of congestion on corporate networks and a big headache to network managers if not controlled. By some estimates, recreational P2P traffic accounts for up to 40% of broadband enterprise traffic and has nothing to do with work that contributes in a productive way to the enterprise.

According to research from AssetMetrix Research Labs, the larger the company, the smaller the percentage of P2P use. This might be because larger organizations are likely to be more IT-savvy and to have put controls in place to limit P2P use. Whatever the reason, the AssetMetrix study shows that companies with more than 1,000 users displayed a maximum P2P usage of less than 10%, while up to 58% of users in companies with 10-100 users used P2P applications.

In addition to bottlenecks, application slowdowns and productivity drains, P2P traffic is known to be a major source of viruses and other malware if not detected and managed. This is because viruses were once constrained to a push transmission mode, in that they were sent to the next victim via an infected email or diskette.
With direct file-sharing, however, users can unknowingly pull infections from any of thousands of peer PCs, and then quickly share the malady with the other members of the file sharing network.

P2P applications can evade network security safeguards using several methods, if deep packet inspection (DPI)-based traffic management systems are not installed to foil them:
- Port hopping. Rather than using a fixed port number which could be easily blocked, some P2P applications use a random or manually defined port number. Also, some protocols initiate communication over a fixed, well-known port but then hop to one or more additional random ports during a session.
- Using a well-known port. Most web browsing is done using HTTP. Because HTTP uses the well-known port 80 or the registered port 8080, these ports are generally left open by network administrators. As a result, many P2P applications utilize these ports to circumvent firewall restrictions.
- HTTP Tunneling. P2P traffic can hide in an HTTP tunnel or HTTP proxy tunnel, using encryption or HTTP proxy protocols to avoid detection.

Identifying and controlling P2P traffic that can hinder the productivity of mission-critical applications such as enterprise resource planning (ERP), Citrix, e-commerce transactions and many others can be difficult using traditional network management tools that do not have the ability to examine a packet's payload. This is particularly the case with new P2P protocols that disguise the nature of the traffic from the network administrator in the ways described above.

Using DPI to Unmask Abusive Applications

Not all P2P applications are necessarily undesirable. Some, in fact, are highly beneficial business tools that deserve attention and access to network resources. Differentiating between the two requires detailed network monitoring to gain visibility into precisely which P2P applications are on the network, which ones are consuming excessive volumes of bandwidth to the detriment of the organization, and which users are utilizing the applications. Then, network administrators can decide whether to block or rate-limit certain P2P applications based on policies established by application, user, user group, and so forth.
Since most undesirable P2P applications use random port numbers or disguise themselves on the network in the other ways mentioned, packets must be inspected at the application layer to correctly identify them. Layer-7 traffic management systems inspect the payload section of the transport protocol (e.g., TCP) for a specific pattern indicating the application type.
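The contrast between port-only classification (Chapter 8, Figure 1) and the signature-based Layer 7 classification described here and in the HTTP Types section, as an added example that is not part of the handbook or of any Allot product. The sample flows, addresses, the policy actions and the blocked-extension list are constructed for illustration; the HTTP request-line pattern follows HTTP/1.x and the BitTorrent pattern is the documented peer-wire handshake.

```python
import re
from dataclasses import dataclass

# IANA TCP port ranges as listed in Chapter 8, Figure 1.
def port_range(port: int) -> str:
    """Return the IANA range a TCP/UDP port number falls in."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic/private"
    raise ValueError(f"port out of range: {port}")

# All a port-only device (router ACL, simple firewall) can infer.
PORT_TABLE = {80: "HTTP", 8080: "HTTP", 21: "FTP", 443: "HTTPS"}

def classify_by_port(dst_port: int) -> str:
    return PORT_TABLE.get(dst_port, "unknown")

# Application signature database: the "fingerprints" of the text.
# HTTP: a request line such as "GET /path HTTP/1.1".
# BitTorrent: the peer-wire handshake, a length byte 0x13 followed by
# the literal string "BitTorrent protocol", regardless of port.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")
SIGNATURES = [
    ("HTTP", HTTP_REQUEST_LINE),
    ("BitTorrent", re.compile(rb"^\x13BitTorrent protocol")),
]

def classify_by_payload(payload: bytes) -> str:
    """Layer 7 look inside the TCP payload for a known application pattern."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"

@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes   # first bytes of the client-to-server TCP payload

# HTTP sub-classification (Chapter 8): Host header and requested file type.
BLOCKED_EXTENSIONS = (".exe", ".zip")   # constructed policy choice

def http_details(payload: bytes) -> dict:
    m = HTTP_REQUEST_LINE.match(payload)
    uri = m.group(2).decode("ascii", "replace")
    host_m = re.search(rb"\r\n[Hh]ost: *([^\r\n]+)", payload)
    host = host_m.group(1).decode("ascii", "replace") if host_m else ""
    path = uri.split("?", 1)[0].lower()
    return {"host": host, "uri": uri,
            "download": any(path.endswith(ext) for ext in BLOCKED_EXTENSIONS)}

# Constructed policy in the spirit of the handbook's sample policy figures.
def action_for(verdict: str, details: dict) -> str:
    if verdict == "HTTP":
        return "block" if details.get("download") else "allow, priority 7"
    if verdict == "BitTorrent":
        return "block"
    if verdict == "non-HTTP on port 80":
        return "rate-limit, priority 1"   # unknown payload hiding behind port 80
    return "allow, priority 1"

def classify(flow: Flow) -> dict:
    """Combine the port view and the payload view and pick a policy action."""
    by_port = classify_by_port(flow.dst_port)
    by_sig = classify_by_payload(flow.payload)
    details = http_details(flow.payload) if by_sig == "HTTP" else {}
    if by_sig != "unknown":
        verdict = by_sig                      # the signature wins over the port
    elif by_port == "HTTP":
        verdict = "non-HTTP on port 80"       # masquerading or tunnelled traffic
    else:
        verdict = "unknown"
    return {"port_range": port_range(flow.dst_port), "port_class": by_port,
            "signature_class": by_sig, "verdict": verdict,
            "details": details, "action": action_for(verdict, details)}

# Constructed sample flows; addresses and payloads are made up for the example.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "203.0.113.5", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.1.1.11", "203.0.113.6", 80,                      # P2P hiding on port 80
         b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + b"-XX0000-constructed!"),
    Flow("10.1.1.12", "203.0.113.7", 80,                      # opaque bytes, e.g. an encrypted tunnel
         b"\x8f\x02\xa7\x11\x5c\xd9\x40\x2b\x77\x1e"),
    Flow("10.1.1.13", "203.0.113.8", 80,
         b"GET /downloads/setup.exe HTTP/1.1\r\nHost: files.example.net\r\n\r\n"),
    Flow("10.1.1.14", "203.0.113.9", 52000,                   # same P2P client on a random port
         b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + b"-XX0000-constructed!"),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        r = classify(flow)
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port} ({r['port_range']}) "
              f"port says {r['port_class']}, payload says {r['signature_class']} "
              f"=> {r['verdict']}: {r['action']}")
```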
Figure 1: Identifying P2P Applications Using DPI
Layer 7 traffic management systems properly identify applications masquerading as others by looking inside a packet's TCP payload for the application's true pattern.

Mitigating the Impact

With the ability to monitor and identify different types of P2P traffic, it is possible to assign different actions to different classes of P2P. Since not all P2P traffic is necessarily undesirable, this offers the flexibility to treat different types of traffic in different ways.

Enterprise Strategies

Once P2P traffic is correctly identified, classified and monitored, the establishing of traffic management policies to control it should fall nicely into the overall policy framework discussed throughout this handbook. You might, for instance, have a policy to entirely block certain P2P protocols, such as KaZaA, eDonkey and others specific to music and video downloading. More important uses, such as instant messaging or desktop voice-over-IP applications (like Skype) may even deserve high-priority treatment depending on their relative importance to your organization. Alternatively, you might choose to rate-limit or assign lowest priority to this traffic. Some universities, for example, have policies that allow students to download MP3 music files but block them from being uploaded via their network because of the potential for copyright infringement liabilities.
ISP Strategies

Similarly, service providers must manage P2P traffic in some way to prevent untamed traffic volumes from overwhelming their network and hindering service levels to their enterprise and residential customers. ISPs generally have several factors to consider in their strategy, including:
- Downstream capacity (for subscriber downloads) is generally higher than upstream capacity (for uploads) due to the asymmetrical nature of many network architectures.
- Uploads could be requested from their subscribers, or from non-paying users around the world.
- The courts may some day rule (although they have not yet done so) that ISPs have some role and responsibility in controlling the transmission/flow of copyright-protected media files.
- P2P file sharing is a key driver behind many subscribers' decision to purchase, so burdensome restrictions may limit the ISP's subscriber base.
- Significant P2P usage typically degrades the performance of other application traffic.
- Heavy P2P users can monopolize available bandwidth and degrade the user experience of other subscribers (including casual P2P users).

As a general rule, ISPs set low priority for most downstream P2P traffic, and cap its total available bandwidth. Since high-volume P2P users can degrade the experience for lower volume P2P downloaders, many also implement a per-session limit (both upstream and downstream) so all users have equal access to available capacity. A more recent trend among forward-thinking ISPs is to utilize certain advanced traffic management features to offer a different class of service (that carries an associated higher price tag) to users with high volumes of P2P traffic. Some, in fact, utilize their systems to implement usage-based billing plans wherein high-volume customers (such as frequent P2P users) are billed monthly according to their aggregate P2P data throughput (in Gigabits).
Conservative ISPs are inclined to block P2P traffic altogether, even at the risk of losing their Mountain Dew-drinking customers.
Figure 2: One Approach to P2P Management for ISPs
Service providers can implement multi-tiered policies on both upstream and downstream P2P traffic in order to manage its total impact, and to ensure fairness among users.

Chapter Summary

P2P applications came sharply into focus in 2001 when the Recording Industry Association of America succeeded in shutting down Napster as a free P2P music-sharing service. The reasons behind the activity stemmed from a belief that free song downloads were cutting into the recording industry's profits. However, the free file-sharing concept remained, spawning hundreds of similar applications using the decentralized, desktop-to-desktop communications model. Because of the bandwidth-hogging nature of most of these applications and the often non-business-related nature of the applications, P2P traffic carries the potential to threaten the performance of both enterprise and service provider networks.

Fortunately, businesses and universities have the availability of intelligent traffic management systems which not only identify traffic that is P2P in nature, but also identify exactly what type of P2P traffic a packet represents, even when that traffic is disguised as HTTP traffic or hopping across different port numbers. Most high-end traffic management vendors place a strong emphasis on feverishly researching new and evolving P2P protocols and applications. In many respects, this is akin to the work performed by anti-virus vendors who must stay abreast of emerging viruses so that they can quickly develop protection mechanisms. Because of the rapidly evolving nature of the P2P ecosystem, most vendors try to focus on developing signatures for the more popular applications, since this will likely provide the greatest congestion relief to their customers.

Once identified, network administrators can classify the traffic and assign appropriate actions to tame its impact on the performance of other networked applications, either by blocking, rate limiting, or otherwise assigning relative priorities to various classes of P2P applications. Universities and ISPs are increasingly adopting the strategy of throttling P2P downloads, while severely limiting file uploads to non-paying users. In the interest of avoiding potential legal liabilities, many enterprise network managers distinguish between good and bad P2P applications, and set policies for each category accordingly.

Savvy network managers know to keep close tabs on their HTTP traffic volume, looking for wild variations, peaky behavior or specific users with inordinate web traffic. Such trends likely indicate the presence of recreational P2P activity, and the need for a Layer 7 traffic management solution.
Chapter 10
When Voice and Video Join the Network

Voice over IP (VoIP) and, increasingly, IP video are joining the WAN traffic mix. Now that these technologies have had time to mature, enterprises around the globe are turning to them to save money on toll charges and to free themselves from the computer-telephony integration (CTI) restrictions of circuit-switched environments.

Interactive, real-time voice and video are more challenging to manage for optimal performance than streaming voice and video sessions, where availability of adequate bandwidth is the primary requirement. In the case of streaming applications, network managers might wish to limit the overall aggregate bandwidth allowed for such traffic in order to protect other applications from bandwidth contention issues. In the case of interactive traffic, of course, delay and jitter must be minimized to ensure that phone conversations and video sessions are of comprehensible and useful quality. This involves several challenges:
- Many IP data networks are not well-suited for the added complexities associated with voice and video traffic. Upfront network assessments, along with ongoing traffic monitoring and reporting, are essential to proactively addressing these unique demands.
- While sessions do not require a lot of bandwidth, each session must consistently have the minimum bandwidth required to perform well. This requires that some form of call admission control be put in place.
- Voice and video are particularly sensitive to serialization delay (the length of time it takes to stuff a long data packet that might precede the real-time packet onto a slow link) as well as other types of delay.
- Voice traffic hops from one User Datagram Protocol (UDP) port to another, so it cannot be identified and controlled by port number.
- Interactive video uses standard MPEG2 compression, which searches for frame-by-frame differences and requires that voice and video components be identified separately but shaped in sync with one another.

Let's take a look at how these issues are met using traffic management equipment and related WAN techniques.

Assessing and Monitoring

Savvy network managers recognize that large-scale VoIP deployments involve considerable upfront analysis and planning. The average data network has plenty of problems to start with, and layering new real-time applications on top of a poor infrastructure is ill-advised. A number of system integrators offer VoIP assessment services utilizing high-end traffic management systems for data collection and analysis. The level of detail required for these assessments varies widely depending on the scope of the existing network and the scope of the VoIP deployment, but clearly should be comprehensive enough to give the IT and network staff confidence that things should run smoothly.

As discussed in detail in Chapters 3 and 4, creating traffic management policies and monitoring them on a consistent basis is fundamental to maintaining a high performance network. VoIP and video convergence further elevate the need for frequent network monitoring. While many users will tolerate occasional response time issues with data applications, you can rest assured that every bad voice or video session will result in a call to the help desk.
Traffic management systems are designed to help troubleshoot network issues if and when they occur, but more importantly, to avoid problems through regular monitoring and reporting.

Call Admission Control

To ensure that every voice call is of high quality, there is a limit to the number of calls that can be in progress at the same time, irrespective of whether the environment is circuit-switched or packet-switched (IP). It is important to guarantee the minimum amount of bandwidth necessary for a high-performance call on a per-call basis and to preset a limit on the number of simultaneous calls that can be made. In this case, N high-quality concurrent calls can be made, but call N+1 might get a busy signal, for example, rather than call N+1 resulting in poor-quality calls for everyone.

The amount of bandwidth to guarantee per call will depend on the signaling protocol in use, such as the industry-standard Session Initiation Protocol (SIP), H.323, and Media Gateway Control Protocol (MGCP), or the codec used in the phone equipment (such as a PBX or gateway, for example). Generally speaking, 120 Kbps per session is a very safe bet if you are unaware of the signaling protocol or codec in use. However, the best approach is to dig deeper and determine the precise throughput needed in order to avoid over-allocation of bandwidth.

For both VoIP and IP video, you are likely to have options for controlling delay that are specific to the traffic management device being used. In the Allot Communications NetEnforcer, for example, you can choose between two connection-allocation features. The Constant Bit Rate (CBR) option allows you to define a minimum guaranteed amount of bandwidth per session (say, 256 Kbps) and maximum amount of delay (say, 300 microseconds). This approach limits jitter caused by large variations in minimum and maximum bandwidth rates common on data-oriented networks. The Burst Mode alternative enables you to define a minimum guaranteed amount of bandwidth per session and a maximum bandwidth to which you can burst (to achieve better quality) for a period of one second, if and when bandwidth is available. Using bandwidth guarantees for real-time traffic alongside per-flow priority queuing for data creates an optimum flow of traffic based on application and priority requirements (Figure 1).

Figure 1: Guaranteeing Real-Time Traffic Rates
By incorporating guaranteed bandwidth and priority action assignments into the traffic management policy, each voice session receives a guaranteed traffic rate and mission-critical data packets take priority over less important ones.
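The call admission control described above, carried through in code as an added example (not part of the handbook or of the NetEnforcer): a fixed per-call guarantee out of a voice bandwidth pool, so call N+1 is refused rather than degrading calls 1 to N. The 768 Kbps pool is a constructed figure, the 120 Kbps default is the handbook's safe bet, and the per-codec calculation assumes 40 bytes of IP/UDP/RTP headers per packet with no Layer 2 framing overhead.

```python
from dataclasses import dataclass, field

IP_UDP_RTP_OVERHEAD_BYTES = 40   # 20 IP + 8 UDP + 12 RTP, assumed; no Layer 2 overhead

def call_bandwidth_kbps(codec_kbps: float, packet_ms: float,
                        overhead_bytes: int = IP_UDP_RTP_OVERHEAD_BYTES) -> float:
    """Bandwidth of one voice stream in one direction, in kbps.

    The codec produces codec_kbps of speech, cut into one packet every
    packet_ms; each packet also carries the IP/UDP/RTP headers.
    """
    payload_bytes = codec_kbps * packet_ms / 8          # kbit/s * ms = bits; /8 = bytes
    packets_per_second = 1000 / packet_ms
    return (payload_bytes + overhead_bytes) * 8 * packets_per_second / 1000

@dataclass
class CallAdmissionController:
    """Reserve a fixed per-call guarantee out of a voice bandwidth pool."""
    voice_pool_kbps: float            # bandwidth set aside for voice on the link
    per_call_kbps: float = 120.0      # the handbook's safe bet when the codec is unknown
    active: dict = field(default_factory=dict)

    @property
    def max_calls(self) -> int:
        """N: how many guaranteed calls fit in the pool."""
        return int(self.voice_pool_kbps // self.per_call_kbps)

    def admit(self, call_id: str) -> bool:
        """True if the call is admitted, False for a busy signal (call N+1)."""
        if call_id in self.active:
            raise ValueError(f"call {call_id} is already active")
        if len(self.active) >= self.max_calls:
            return False
        self.active[call_id] = self.per_call_kbps
        return True

    def release(self, call_id: str) -> None:
        """Hang up: the guarantee returns to the pool."""
        self.active.pop(call_id, None)

    def reserved_kbps(self) -> float:
        return sum(self.active.values())

    def free_kbps(self) -> float:
        return self.voice_pool_kbps - self.reserved_kbps()

def simulate_call_burst(cac: CallAdmissionController, n_calls: int) -> list:
    """Offer n_calls at once and record which were admitted."""
    return [cac.admit(f"call-{i}") for i in range(1, n_calls + 1)]

if __name__ == "__main__":
    # With the safe-bet guarantee, a 768 kbps pool carries 6 calls; the 7th is refused.
    cac = CallAdmissionController(voice_pool_kbps=768)
    print("safe bet:", cac.max_calls, "calls ->", simulate_call_burst(cac, 7))
    # Digging deeper: G.711 at 64 kbps in 20 ms packets needs 80 kbps, so 9 calls fit.
    g711 = call_bandwidth_kbps(64, 20)
    precise = CallAdmissionController(voice_pool_kbps=768, per_call_kbps=g711)
    print("G.711 @ 20 ms:", g711, "kbps per call ->", precise.max_calls, "calls")
```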
Most traffic management systems can identify and classify the standard signaling suites mentioned, as well as voice over frame relay (also known as the FRF.11.1 implementation agreement). There are also some proprietary voice protocols used by different vendors which are typically not recognized by traffic managers. In such cases, the traffic manager will be limited in its ability to classify the voice traffic correctly. However, some functionality may still be available. For example, if every IP packet from a time-division-multiplexed (TDM)-to-IP gateway is known to be a VoIP packet, VoIP could be classified using the IP address of that gateway.

Combating Delay

Interactive voice and video over IP require minimal latency and jitter. This becomes most challenging in cases where data and voice share the same circuits and has been a major factor contributing to the growing popularity of traffic management systems. Data may over-utilize circuits when transmitting large frames, causing voice and video over IP to get stacked behind those frames and arrive too late to be of consistent, comprehensible quality.

The serialization delay challenge can be handled with different link-optimization technologies that involve fragmenting (or "chopping up") larger data packets into smaller ones before placing them on WAN links. This function typically happens in the router, where setting a maximum transmission unit (MTU) size is fairly standard practice. In cases where frame relay WAN circuits are in use, the industry-standard way of doing this is via the FRF.12 implementation agreement for fragmentation and interleaving. Whatever the mechanism, the function ensures that no long frames are transmitted on the WAN circuit, allowing the interleaving of voice packets among fragments of larger data frames. Other types of delay include encoding, propagation and queuing delays.
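The serialization-delay arithmetic behind fragmentation and interleaving, worked through as an added example (not from the handbook): how long a voice packet can be stuck behind a full-size data frame on a slow link, the fragment size that bounds that wait, and whether the one-way total still fits the ITU-T G.114 budget of 150 ms cited in this chapter. The 10 ms fragment target, the 1500-byte MTU, the 200-byte voice packet and the codec, propagation and queuing components are assumed planning figures.

```python
import math

G114_ONE_WAY_BUDGET_MS = 150.0   # ITU-T G.114 one-way target for toll-quality voice

def serialization_delay_ms(frame_bytes: int, link_kbps: float) -> float:
    """Time to clock one frame onto the link: bits divided by kbit/s gives ms."""
    return frame_bytes * 8 / link_kbps

def fragment_size_bytes(link_kbps: float, target_ms: float = 10.0) -> int:
    """Largest fragment whose serialization delay stays at or below target_ms."""
    return int(link_kbps * target_ms / 8)

def fragments_per_frame(frame_bytes: int, fragment_bytes: int) -> int:
    return math.ceil(frame_bytes / fragment_bytes)

def plan_link(link_kbps: float, mtu_bytes: int = 1500, target_ms: float = 10.0) -> dict:
    """Worst-case wait behind a data frame, before and after fragmentation."""
    frag = fragment_size_bytes(link_kbps, target_ms)
    return {
        "link_kbps": link_kbps,
        "worst_wait_unfragmented_ms": serialization_delay_ms(mtu_bytes, link_kbps),
        "fragment_bytes": frag,
        "fragments_per_mtu_frame": fragments_per_frame(mtu_bytes, frag),
        "worst_wait_fragmented_ms": serialization_delay_ms(frag, link_kbps),
    }

def voice_delay_budget_ms(link_kbps: float, fragment: bool = True,
                          voice_packet_bytes: int = 200, mtu_bytes: int = 1500,
                          codec_ms: float = 20.0, propagation_ms: float = 30.0,
                          queuing_ms: float = 5.0) -> dict:
    """One-way delay components for a voice packet on the access link (assumed values)."""
    plan = plan_link(link_kbps, mtu_bytes)
    blocking = (plan["worst_wait_fragmented_ms"] if fragment
                else plan["worst_wait_unfragmented_ms"])
    return {
        "codec_and_packetization": codec_ms,
        "propagation": propagation_ms,
        "queuing": queuing_ms,
        "own_serialization": serialization_delay_ms(voice_packet_bytes, link_kbps),
        "blocking_by_data_frame": blocking,   # the serialization-delay term of the text
    }

def meets_g114(components: dict) -> bool:
    return sum(components.values()) <= G114_ONE_WAY_BUDGET_MS

if __name__ == "__main__":
    for kbps in (64, 512):
        plan = plan_link(kbps)
        print(f"{kbps} kbps: 1500-byte frame blocks voice for "
              f"{plan['worst_wait_unfragmented_ms']:.1f} ms; "
              f"{plan['fragment_bytes']}-byte fragments cut that to "
              f"{plan['worst_wait_fragmented_ms']:.1f} ms")
        for frag in (False, True):
            budget = voice_delay_budget_ms(kbps, fragment=frag)
            print(f"  fragmentation {'on ' if frag else 'off'}: one-way "
                  f"{sum(budget.values()):.1f} ms, G.114 met: {meets_g114(budget)}")
```

On a 64 kbps link a single unfragmented 1500-byte frame already exceeds the whole G.114 budget, which is the case fragmentation and interleaving exist for.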
The International Telecommunications Union-Telecommunications (ITU-T) Recommendation G.114 defines that the one-way end-to-end latency should be less than 150 ms (with echo-cancellation) for toll quality voice calls. So in addition to proper bandwidth and fragmentation, marking packets classified as VoIP or video so that they are first in line in high-priority queues is also important for lowering delay (see Chapter 6). If your WAN service provider offers premium service classes, the provider can treat your traffic across the entire WAN according to the way you have marked it. For example, if congestion occurs in the WAN backbone and you have bought a premium service class for voice or video traffic, your service provider will recognize packets marked as premium traffic and route them into the top-priority queue.

Port Hopping

Many types of VoIP traffic use dynamic port numbers. New VoIP services and products (among them Vonage and Skype, for example) begin as real-time transport protocol (RTP) sessions dynamically assigned on a UDP port. Therefore, it is not possible to set up a static VoIP application classification based solely on port number to manage VoIP traffic. Consequently, for managing VoIP (and other dynamic applications), it is important to employ a system that can track an application at the session layer and follow its connection as it hops across ports.

VoIP tends to use UDP, often for its efficiency and low-delay characteristics (no time-consuming acknowledgements and retransmissions are required). So it is possible that if the only traffic you are running that uses the UDP protocol is VoIP, you could set up a policy that recognizes all UDP as VoIP traffic and classifies it accordingly, with an associated policy that guarantees bandwidth and marks priority. If there are multiple traffic types using UDP on your network, the traffic manager can identify the VoIP application by signaling protocol, such as SIP (Session Initiation Protocol), which is a Layer 7 protocol and can be identified using the deep packet inspection mentioned earlier in this handbook. Once you have classified your VoIP traffic by signaling protocol, you can create a policy for it (minimum bandwidth, limited number of concurrent sessions), and the traffic management system will enforce it.

Videoconferencing Considerations

MPEG2, the current industry-standard compression algorithm for full-motion video, compresses using a scheme called differencing, noting the differences between consecutive video frames.
For example, if two consecutive frames are nearly identical, the second frame can be stored using very few bits. This sampling technique of sensing the scope of information changes on a frame-by-frame basis requires that interactive, real-time video traffic be shaped such that the voice and video components end up synchronized, even though voice is a steady, consistent stream while video packet sizes change.
A high-end, sophisticated traffic manager should not only be able to identify and classify this type of traffic, but also to shape the components in this manner (Figure 2).

Figure 2: Assigning Highest Priority to VoIP and Video Protocols
Traffic management systems are fast becoming required equipment for voice and video deployments in converged IP networks.

Chapter Summary

Increasingly, VoIP is joining the corporate network, with IP video not far behind. With phone conversations being a core, mission-critical business application, IT managers have long worried about sacrificing TDM voice quality to gain the operational savings and convergence benefits associated with running voice traffic over their IP data networks. However, now that VoIP technology has matured and advances in Layer 7 traffic managers are available to classify and manage these sessions within the mix of WAN traffic, organizations can feel much more comfortable that piggybacking VoIP onto their WANs will enable them to maintain high quality voice, while also delivering the operational and economic benefits that have long been promised.
Chapter 11

IT and Business Alignment

This chapter takes a step back from the mechanics of traffic management to examine how putting controls on network traffic facilitates one of the top priorities of businesses today: the alignment of IT and network resources with strategic business goals.

IT/business alignment is a phrase that has been on the lips of IT managers and CIOs for years. Traditionally, it meant IT personnel teaming with business managers to understand the varied needs of the business and then working to support them using IT resources at the lowest cost. Only recently, however, with the advent of traffic management systems, has it become possible to actually embed business priorities into the network.

So what is the relationship between the business and the IT infrastructure? Critical business applications lie at the heart of every organization. An enterprise's key business applications mirror the big-picture corporate goals that drive an enterprise's everyday tactical plans and actions. With many businesses now distributed across states and even continents, networks have become a highly strategic IT asset, one that powers the applications that fuel the business. Because applications reflect business strategy, it follows that the IT infrastructure must have the intelligence to differentiate among all applications, favoring those that most directly support corporate goals. Conversely, if applications and the infrastructure supporting them are out of sync, then an organization's tactical activities, its business goals and its ultimate success will all topple in domino-like fashion.

Matching Business Goals to Network Behavior

So how do you manage the IT infrastructure to tightly align it with business goals and priorities? This has grown increasingly challenging in recent years, given the broad array of traffic types that can easily sneak onto corporate networks, traffic that is often totally unrelated to corporate goals. This is particularly the case as users become increasingly computer- and network-savvy, often downloading dozens of their favorite programs and utilities. Yet devoting resources to support recreational (and potentially illegal) network traffic, for example, is likely at odds with key business goals, such as increasing revenue, containing costs and improving customer satisfaction in your organization.

This is one of the reasons that the traditional approach of designing networks to accommodate peak traffic loads and treating all traffic on a first-come, first-served basis is out of step with IT/business alignment. Over-provisioning can potentially result in spending millions for additional bandwidth to accommodate traffic that might have no relationship to your business goals in the first place. Furthermore, some of those applications are cleverly designed to expand and fully consume all available capacity, leaving none for strategic business traffic.

Conducting a network assessment for application readiness is always a good first step towards achieving proper alignment. Often, however, a lack of detailed visibility into the network plagues businesses during the assessment phase. Many think they are running N applications, when, in fact, they may be running Nx2 or Nx3, throwing business and network alignment out of whack. Sometimes the unknown applications on the network generate recreational traffic that lowers productivity and causes congestion, impeding the high-priority traffic that aligns with top business priorities. In 2003, for example, researcher Infonetics Inc. estimated that network degradation plus outages could cost an enterprise from $2 million to $75 million per year, depending on size and industry. Using traffic management systems to gain visibility into the network as a first step toward conducting a proper network assessment and combating misalignment is outlined in Chapters 2, 3 and 4.
Translating Business Goals Into Network Policy

One of the harsh realities of organizational life is that board-level goals are often blurred and diluted beyond recognition by the time they descend six management layers and reach frontline employees and IT systems. A new CRM system, for example, may be well intended and highly strategic, but it will not perform well if hundreds of users are watching streaming CNN content or listening to Internet radio. Likewise, new VoIP initiatives could be destined for failure if a hundred Citrix users decide to print a newly released employee manual at the same time. Traffic management systems solve these dilemmas by directly mapping strategic corporate goals into network resource priorities, bypassing potentially conflicting organizational confusion (see Figure 1).

Figure 1: Translating Corporate Strategies into Network Priorities

Armed with your organization's strategic goals and your network assessment reports, you will want to determine whether any recreational or potentially malicious traffic should be blocked or otherwise controlled to support such business goals as improving employee productivity, containing costs, or reducing corporate risk. From there, you can move on to determine which traffic management policies may make sense in order to ensure that top business priorities are also top network priorities.

Let's say, for example, that reducing operational costs is your firm's #2 strategic imperative, and your new VoIP infrastructure is one project supporting that goal. As a result of your network assessment, you have determined that streaming video web sessions and Citrix print traffic are sporadically interfering with VoIP quality. You will want to further investigate these problems, drilling down into the data with your traffic manager to answer some key questions:

Who are the primary users? How many are local and how many are remote?
What is the minimum bandwidth required to support a session with the desired performance?
Are there time-of-day trends to consider?
Should this activity be blocked, controlled or simply prioritized lower than VoIP?
Other than VoIP, what other applications are more important than the problem applications?

Once you have learned everything you can about the application, you can easily build traffic management policies that will be reflected in your network's behavior (see Figure 2).

Figure 2: Business-to-IT Alignment Flow

Corporate goal: Improve customer satisfaction (overall corporate priority 1)
  Sample IT action(s): Implement CRM system (after conducting network readiness assessment).
  Related network traffic management policy: Guarantee bandwidth based on minimum required per module, per session. Rate-limit lower priority, less delay-sensitive applications on the same link. If customer care is not a 24/7 operation, limits might be based on time of day.

Corporate goal: Decrease operational costs (overall corporate priority 2)
  Sample IT action(s): Implement VoIP for toll bypass savings. Prohibit or limit recreational network traffic to decrease network bandwidth costs.
  Related network traffic management policy: Assign bandwidth guarantee of reserve when active to VoIP traffic class. Mark VoIP packets as premium traffic if using a premium service class from carrier. Block MP3 and MPEG4 and/or other P2P protocols using drop or reject action.

Corporate goal: Improve employee productivity (overall corporate priority 3)
  Sample IT action(s): Prohibit or limit recreational network traffic.
  Related network traffic management policy: Block MP3 and MPEG4 and/or other P2P protocols using drop or reject action.

Corporate goal: Mitigate corporate risk (overall corporate priority 4)
  Sample IT action(s): Minimize legal liability from music/video downloads and/or other P2P traffic. Enhance network security by minimizing worm, virus and DoS attacks.
  Related network traffic management policy: Block MP3 and MPEG4 and/or other P2P protocols using drop or reject action. Block malicious packets, ports and unusual connection rate activity.
Chapter Summary

In a world of almost total reliance on mission-critical networked business applications, the measure of business success is limited by how well your network performs. Your employees, customers and partners depend on your network to get their jobs done or conduct business with you. Yet every day, your network is more and more strained by increased user demands, more applications and larger and larger files.

Managers have long known the importance of aligning employees' efforts behind key strategic goals, and most devote countless hours to achieving this. Given the strategic importance of network performance to most businesses, many IT managers are now beginning to understand that business/network alignment is every bit as important as business/employee alignment.

One simple solution is to continually increase spending on bandwidth upgrades to accommodate user demands. Call this The Brawn Approach. Savvy IT managers, however, are learning that this is a short-term tactical solution to a long-term strategic issue. Fortunately, intelligent network technology is now available to allow IT managers to translate the goals and priorities set by upper management into network behavior and performance. This type of automated control, in the form of traffic management systems, ensures that IT resources and business goals are properly aligned. Call this The Brains Approach.

Given the extent to which organizations rely on networks to support their business-critical applications, intelligently managing network priorities makes perfect sense in today's business climate. Call it Brains over Brawn.
Chapter 12

Network Topology Alternatives

When implementing a traffic management solution in your network, there are important choices to be made concerning where to place your devices for optimum benefit. First, you must determine at which site or sites you should install them. From there, you need to decide where the devices will reside in the context of your network configuration. The topology strategy you choose will be based on your existing network and application data-flow design, your organization's particular traffic management requirements, and your budget.

Determining Which Sites Require Traffic Managers

You may or may not deploy traffic management systems at more than one site. One point to consider, however, is that you must position your system in such a way that it is able to see all the traffic that you intend it to manage. Traffic management devices can help you ensure performance and response time of mission-critical applications only if application traffic passes through them.

In most enterprises, application servers are located in one or more data centers. Client software at distributed branch offices connects to the data center, with traffic flowing in a hub-and-spoke fashion. In this common model, almost all network traffic will travel in and out of the data center, allowing for central deployment of traffic management solutions without the cost and complexity of branch deployment. If you operate more than one data center for load sharing and high availability, you will probably need traffic management devices in those additional locations.

Let's take a look at some scenarios of where you might wish to deploy traffic management:

At Your Central or Primary-Site Intranet Connection

In many organizations, this link tends to hold the greatest traffic-bottleneck potential. Generally, most distributed locations tap the central site for resources, and many organizations also require branches to access the Internet via the main site for security reasons. Because this major intersection can easily become clogged, most organizations wish to at least apply application monitoring and management capabilities in this busy network segment, in order to protect the performance of critical network traffic. If you choose to also use this device to manage traffic at branch sites, your network must be configured in a hub-and-spoke topology so that all branch traffic travels through the device for shaping (direct branch-to-branch traffic, or meshed traffic, for example, would not be seen by the data center device and therefore cannot be monitored or shaped). This may require that such site-to-site traffic travel beyond the core router, into the LAN.

At Your Primary-Site Internet Access/IP VPN Connection

This connection might support public Internet traffic alongside Internet-based virtual private network (VPN) links to branch sites across a shared circuit (see Figure 1 for a simple illustration of a centralized deployment).

Figure 1: Centralized Topology. If the traffic management device at the primary site is also to manage branch office traffic, the network design must be a hub-and-spoke topology, with all traffic made available for the centralized device to classify and shape.
At Both Your Primary Site(s) and Branch Sites

This topology allows the greatest degree of management of all your networked traffic, organization-wide. It also enables meshing among sites, since not all traffic from branches must be shuttled through a primary site. Meshed or partially meshed topologies boost the performance of latency-sensitive applications such as Voice over IP (VoIP) and other real-time collaborative applications. This configuration also enables branch locations to support their own Internet access links, rather than forcing all Internet traffic through a central site.

However, this functionality comes at a cost. Deploying traffic management devices at every remote office involves extremely high capital expenses. Furthermore, deployment, service contracts, and the trained personnel needed to manage and support tens, or even hundreds, of devices come at significant recurring operating costs. The addition of even more devices runs counter to industry trends of consolidating equipment, introduces undesirable system complexity, and increases the number of failure points. See Figure 2 for a simple illustration of how a distributed topology works.

Figure 2: Distributed Topology. With traffic management devices at the primary site and at branch offices, remote traffic can be directly managed, latency-sensitive applications get the performance benefits of meshing, and independent Internet connections at branches can be shaped.

Where Within Your Network Configuration?

Once you have figured out which sites will host a traffic management system, you also have to select where to install the device. Some typical considerations here are whether your traffic management device should be a LAN device or a software capability within your WAN access router; on which side of your firewall or gateway (with encryption capabilities) the device should operate; and, if you run a compression device, on which side of it the device should reside. These decisions are important, because they affect at what juncture the device will see each packet and, consequently, the condition of the packet. For example, if the packet is already encrypted or compressed, your system may not be able to identify and classify it for shaping. Similarly, it can be problematic if packets that require shaping fail to fall into the device's path because of the actual location of the device in relation to the router.

LAN Side Deployment

It is quite common for organizations to install traffic management systems on the LAN side of their WAN access routers. Operationally, this is simple, in that LAN side devices integrate transparently with the existing network infrastructure, imposing no changes on the configuration of routers and other network equipment. Additionally, when the management system is deployed in this way, all outbound traffic that you intend to manage can usually be inspected, classified, and shaped before encryption or compression takes place. Encryption and compression are usually performed either in the router or in a device between the LAN and the WAN access router. If encryption or compression occurs in a specialized device, you would want to install your traffic shaper between that specialized device and the LAN, so that your shaper can see packets before they are encrypted or compressed. Similarly, you would usually connect your traffic management device on the LAN side of a network address translation (NAT) firewall.
If you have a lot of so-called DMZ traffic (publicly available content that is not protected by the firewall) to be monitored, you have two options: place your management device between the firewall and the router (seeing translated and potentially encrypted packets); or use a multi-port traffic manager that can consolidate traffic from both the LAN and DMZ (see Figure 3).

Figure 3: LAN-Side Configuration with Firewall. On the LAN side of the firewall, the traffic management device will only see internal IP addresses (instead of one external IP address) and unencrypted traffic, enabling it to accurately identify and classify packets.

When choosing a LAN-based solution, you must verify that the device selected is WAN-aware, i.e., it will monitor WAN circuit utilization and availability, which is crucial for accurate traffic shaping. For example, if an organization wished to build a policy to allow Napster traffic only during periods of time that the WAN is under-utilized, a LAN-based device can only enforce that policy if it can monitor WAN utilization levels.

Within the WAN Access Router

Some WAN access routers perform traffic management functions directly within their operating software. The benefit of using this approach, of course, is that no extra hardware investments are necessary to use traffic management. However, in general, both the performance and the capabilities of router-based systems lag those of purpose-built traffic management devices. Furthermore, in data center locations, many organizations prefer to leverage the full power of their routers for routing packets, and the full performance of a traffic management device for quality of service (QoS).

Packet-processing performance is not the only limiting factor in using router-based QoS. Routers offer less granularity in creating traffic classes, allowing for only a small number of classes. Additionally, routers are restricted to shaping based on class, and cannot shape down to the per-session level, which is a capability offered by most traffic management device vendors. Such session-based shaping permits you to allocate bandwidth per flow, which is an essential capability if you are looking at improving application performance.

Another area where routers usually lack required functionality is in application decoding. Even with enhanced application recognition modules, routers do not have the processing power and frequent protocol-directory updates needed to allow them to decode and identify the majority of network applications. On the other hand, traffic management device vendors offer deep packet inspection (DPI) and frequent updates to allow their devices to identify most network traffic (for a discussion of DPI, see Chapter 3).

In addition, from an organizational perspective, separate individuals may be responsible for routing, network quality of service and security. In such a situation, difficulties may arise if the router configuration modifications performed by one administrator have an effect on the responsibilities of another administrator.

It is not uncommon for organizations, particularly those with thousands of distributed sites, to deploy standalone traffic management systems in primary sites for heavy-duty traffic shaping, and leverage the router capabilities in smaller sites with less robust requirements. Such standalone data center systems need to support a very large number of classes or policies, and are also likely to need devices that support multiple links to allow connection to two or more load-balanced, redundant routers and links.

Chapter Summary

The location of your traffic management device(s) is important and will depend in part on your existing network design (hub and spoke vs. mesh, for example) and on the traffic you want to monitor and shape. You can deploy effective traffic management at just one, many, or all of your sites; the important thing to keep in mind is that the traffic management device must be able to see all the traffic that you want to manage. Traffic visibility, network topology design and configuration will determine at which locations you locate and run a traffic management device.
Chapter 13

Quality of Service (QoS) in an MPLS Environment

Many enterprises are migrating to IP-based virtual private network (VPN) WAN services for the economic and functional benefits of converging voice, data, and video onto a single infrastructure. The most widespread carrier platform for the delivery of VPN services is the Multi-Protocol Label Switching (MPLS) backbone, often touted for combining the intelligence of Layer 3 routing with the high performance of Layer 2 switching.

MPLS-based VPN services are available from a number of network operators. The services are aimed primarily at customers that, for privacy and performance reasons, do not wish their corporate Intranet traffic to traverse the public Internet. However, many MPLS VPN offerings do provide a gateway to the public Internet for web browsing and external IP traffic, so that customers can purchase a single access link to both services.

LAN-to-WAN Communication

An MPLS user-to-network interface (UNI) implementation agreement has been specified by the MPLS and Frame Relay Alliance. However, as of this writing, MPLS is primarily deployed inside carrier networks. With few exceptions, the technology has yet to extend in a meaningful way into enterprise networks. Consequently, while many enterprises are using MPLS-based VPNs that offer differentiated service classes, carrier networks require some way to learn the traffic priorities of each customer network so that they can enforce them across the MPLS WAN.

For this reason, traffic management devices placed where the LAN meets the WAN are a natural complement to MPLS-based VPN services. They enable enterprises to add important non-MPLS quality-of-service (QoS) functions and to manage their VPNs precisely. For example, enterprises can:

Control which users can access the MPLS network service
Guarantee minimum levels of bandwidth for mission-critical, delay-sensitive traffic
Limit bandwidth supplied to specific applications and users
Monitor usage to gather real-time and long-term information about network behavior

Previous chapters have examined how traffic management systems are extremely useful for unclogging the intersection where the high-speed LAN meets the often lower-speed WAN and enabling granular, per-flow policies to be upheld at the WAN edge. This chapter discusses how the QoS capabilities in MPLS technology help complete the traffic management story for end-to-end support of user traffic policies across the entire WAN, in cases where congestion might arise inside the carrier network.

How MPLS Supports Traffic Priorities

MPLS supports two primary methods of delivering QoS from provider edge (PE) router to PE router across the carrier's MPLS WAN backbone:

By interpreting type-of-service (ToS) priority markings in the first three bits of the 8-bit Differentiated Services Code Point (DSCP) in an IP packet and mapping those markings into the 3-bit experimental (EXP) field in MPLS's so-called shim header. Marking directs high-priority traffic classes into separate, high-priority forwarding queues. For this communication about traffic priorities to take place between enterprise LAN and carrier MPLS WAN, the enterprise network must mark its WAN-bound packets accordingly. Generally, a traffic management system residing at the edge of the enterprise network automates this marking according to the enterprise's policy (see Chapter 6, Creating a Network Policy: Assigning Actions).

By using traffic engineering, which involves creating multiple Label Switch Paths (LSPs) between customer sites. Priority traffic can be sent along predetermined paths in which links or routers are not congested, or via high-priority paths, allowing traffic to arrive at its destination with levels of delay, packet loss, and jitter that are within the policy boundaries defined by the enterprise.
Complementary Technologies

MPLS and traffic management systems work together to support an enterprise's class-of-service policies, end-to-end across the WAN. From its position in the network, the traffic management device assigns each packet a ToS marking, which is readable by the service provider's MPLS-capable PE router. The ToS marking assignment uses the enterprise-defined policies based on addresses, protocols, application data, and time of day, and takes advantage of the deep packet inspection (DPI) capabilities of Layer 7 traffic management systems, which allow the identification of applications and per-flow traffic control.

The service provider's PE router reads the ToS marking and maps it into MPLS's EXP field, where it is forwarded, interpreted, and enforced, hop by hop, across the MPLS backbone. Should congestion occur at any hop, the enterprise customer's priorities for traffic treatment are known by that router and can be enforced (see Figure 1). For example, if you have purchased a premium MPLS service class for voice traffic, your service provider will recognize voice packets as premium traffic because of their ToS marking as mapped into the EXP bits, and route them into the top-priority queue.

Figure 1: MPLS QoS extends the capabilities of CPE-based traffic managers, end-to-end, across the WAN backbone.
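The marking and mapping chain described in How MPLS Supports Traffic Priorities and Complementary Technologies, as an added example that is not part of the handbook or any vendor's product: the edge device writes a policy-chosen DSCP into the ToS byte (the DSCP is the upper six bits of that byte) and fixes the IPv4 header checksum; the PE router copies the top three bits into the EXP field of a shim header it pushes; a congested core hop selects its queue from EXP alone. The application-to-DSCP policy, the EXP-to-queue map, the label value and the addresses are constructed.

```python
import socket
import struct

# Constructed enterprise policy: application class -> DSCP (standard code point values)
POLICY_DSCP = {"voip": 46, "video": 34, "crm": 18, "default": 0}  # EF, AF41, AF21, best effort

# Constructed carrier queue map keyed by EXP (the chapter names only a premium, top-priority queue)
EXP_QUEUE = {5: "premium", 4: "video", 2: "business-data"}


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over 16-bit words; returns 0 for a header whose checksum is already valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, tos: int = 0, proto: int = 17, total_len: int = 40) -> bytes:
    """20-byte IPv4 header (IHL=5, no options) with a correct checksum, for constructing sample packets."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def tos_for(app_class: str) -> int:
    """DSCP occupies the upper six bits of the 8-bit DS/ToS byte; the low two (ECN) are left clear."""
    return POLICY_DSCP.get(app_class, 0) << 2


def mark_packet(ip_pkt: bytes, app_class: str) -> bytes:
    """Traffic-manager action at the enterprise edge: rewrite the ToS byte and recompute the checksum."""
    if (ip_pkt[0] >> 4) != 4 or (ip_pkt[0] & 0x0F) != 5:
        raise ValueError("only IPv4 without options is handled here")
    hdr = bytearray(ip_pkt[:20])
    hdr[1] = tos_for(app_class)
    hdr[10:12] = b"\x00\x00"                      # checksum field is zero while summing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + ip_pkt[20:]


def precedence(tos: int) -> int:
    """The first three bits of the ToS byte (IP precedence / class selector), as read by the PE router."""
    return (tos >> 5) & 0x7


def mpls_shim(label: int, exp: int, bottom: bool, ttl: int) -> bytes:
    """Encode the 32-bit MPLS shim header: 20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL."""
    if not (0 <= label < (1 << 20) and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def decode_shim(hdr: bytes) -> dict:
    (w,) = struct.unpack("!I", hdr[:4])
    return {"label": w >> 12, "exp": (w >> 9) & 0x7, "bottom": bool((w >> 8) & 1), "ttl": w & 0xFF}


def pe_push_label(ip_pkt: bytes, label: int) -> bytes:
    """PE-router ingress: copy the packet's precedence into EXP and push one label onto the IP packet."""
    exp = precedence(ip_pkt[1])
    return mpls_shim(label, exp, bottom=True, ttl=ip_pkt[8]) + ip_pkt


def core_queue(labeled: bytes) -> str:
    """At a congested core hop only the shim is consulted: EXP selects the forwarding queue."""
    return EXP_QUEUE.get(decode_shim(labeled)["exp"], "best-effort")


def walk(app_class: str, label: int = 1001) -> tuple:
    """End-to-end trace for one constructed packet: (DSCP written, EXP carried, queue chosen)."""
    pkt = mark_packet(build_ipv4_header("10.1.1.5", "10.2.2.7"), app_class)
    labeled = pe_push_label(pkt, label)
    return pkt[1] >> 2, decode_shim(labeled)["exp"], core_queue(labeled)
```

Because only three of the six DSCP bits survive the mapping, AF41 and AF42 (same precedence, different drop precedence) land in the same EXP queue; that loss of granularity is the limitation the chapter's Chapter Summary refers to.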
For enterprises, combining a traffic management system with an MPLS service allows taking advantage of the MPLS class-of-service offerings, while enabling other key benefits:

Greater WAN Control: Combining the service provider's MPLS service classes with the granular policy options of a traffic management device expands the enterprise's end-to-end policy options from just a few classes of service offered by the carrier to the ability to specify exact bandwidth allocation, priority, admission control, and number of concurrent connections for each traffic class.

Offloading Router Tasks: Performing the ToS marking in a traffic management system offloads this function from the CPE router, which is a major advantage. Particularly in traffic-heavy data center locations, many organizations prefer using the full power of their routers for routing packets and the full performance of a traffic management device for QoS. Also, as mentioned in Chapter 12, both the performance and the capabilities of router-based traffic management software lag those of purpose-built traffic management devices.

Chapter Summary

When combined, MPLS and traffic management systems deliver end-to-end support of enterprise-defined class-of-service policies. Alone, traffic management systems control the bottleneck at the WAN edge, and MPLS can prioritize traffic into a limited number of classes across the backbone. However, unless all traffic from a given site is to be mapped into a particular service class, MPLS relies on a mechanism on the enterprise side to know exactly how the enterprise customer wishes to have its different traffic classes treated. Enterprises can purchase and install the traffic management system on their premises for communication with the service provider's MPLS network. Alternatively, service providers can install and operate the traffic management system on the customer premises as part of a managed router service and set the priority ToS bits on behalf of the enterprise. While MPLS alone may accelerate application performance, it does have some limitations and is best combined with a traffic management device. Together, the two technologies provide an end-to-end QoS solution for WAN traffic management.
Chapter 14

Strategies for Universities

They're b-a-a-a-a-c-k. As university students return to campus with their laptops, network managers must brace themselves for a new crop of peer-to-peer (P2P) application traffic on their networks and an infusion of unknown network infections. Student laptops will have picked up new applications and exposures over the summer, and the university IT personnel must be prepared to control the impact they might have on overall network performance, including a potential surge in bandwidth consumption.

Today's students are so computer savvy about P2P file sharing, Voice over IP (VoIP), and online gaming that they can easily dominate all available network resources, causing mission-critical e-learning, administration and research network activities to grind to a halt. Without traffic management tools for guaranteeing, rate-limiting, and blocking certain traffic, universities would be forever stuck in a cycle of adding bandwidth to their networks without experiencing much, if any, performance improvement. In fact, because of P2P's almost limitless propensity to consume bandwidth resources, many networks at, say, 80% capacity have doubled bandwidth, only to find themselves at 80% capacity the following day. This never-ending cycle is a key driver behind the dramatic increase in demand for traffic management systems among higher education institutions.

Wrestling with P2P and Viruses

P2P applications are particularly popular with university students, especially for music sharing, transforming computers into peers that act as both client and server. Each peer can directly access the available resources of other peers, and for free. These applications consume incredible amounts of network bandwidth for several reasons:

A typical music file is about 5 Mb, much larger than a typical file transmission
Once downloaded, student files are automatically accessible to users around the world, potentially consuming vast amounts of upstream bandwidth
Heavy P2P users tend to queue up many downloads simultaneously and then walk away, leaving their PC and the network to grapple with a Herculean 4-hour file transfer marathon
P2P-enabled PCs left running all night long remain available to other users, meaning your network will likely be pounded all night long by a never-ending barrage of file transfer sessions

Viruses and other infections often generate an exceptionally large volume of connections or server requests, tying up server and network resources in what is essentially a Denial of Service (DoS) attack. For well-known viruses, Intrusion Detection Systems (IDSs) are programmed to identify them, and patches are created and deployed on host systems. For newly emerging viruses, such as those resident on arriving students' laptops, traffic management devices can identify the symptomatic jump in new connections and rate-limit that traffic to control a nasty DoS attack.

It quickly becomes obvious that back-to-school network activity has the potential to wreak havoc with capacity planning and IT budgets. Some universities have agreements with their ISP whereby they pay a premium for bandwidth used over a base amount. Others may simply continue leasing ever-increasing amounts of capacity each month for larger and larger recurring monthly fees. Consequently, the overriding challenge for university IT departments is to maintain network accessibility to all users, ensure a high level of performance for business-critical and delay-sensitive traffic, and control misuse in order to stay within the confines of their budgets.

In addition, P2P traffic involving copyrighted material, such as music and video content, can create liability exposure for the university with organizations such as the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA). So limiting this exposure is an important goal, too. Lastly, some schools take great pride in their networking services, even to the point of touting them as a differentiator for recruiting purposes. Some even view them as a revenue source and offer premium service packages to students.

Serving a Diverse User Population

For these reasons, many universities have chosen to manage their networks in a segmented fashion; in effect, behaving both as a service provider and as an enterprise network operator. The university assumes a service provider role in deploying services to the student body and an enterprise role in supporting the networking requirements of the faculty and administration staff (see Figure 1).

Figure 1: Segmenting Student and Enterprise Traffic. Universities can offer different tiers of service to different populations of users, depending on how mission critical the traffic is and, in the case of students, willingness to pay.

Most institutions manage traffic differently among the three groups, applying unique rules based on subnets or IP address ranges. For instance, dormitories may be permitted to utilize certain P2P applications during certain hours, but aggregate P2P may be limited to, say, 40% of total capacity. For the other two groups, P2P is disallowed.
Additionally, while P2P student downloads are permitted, downloads from other peers within the university network are prohibited, as are uploads to off-net P2P clients. Some institutions have adopted this policy because of the potential liability associated with being deemed an unauthorized provider of copyrighted material. The more robust traffic management products have the flexibility to offer this granular level of control.

Behaving Like an ISP

It makes sense to think of the network operation like an ISP serving two business customers (the faculty and administration) and many residential subscribers (the students). In one way or another, each group is paying for its services, and some may be willing to pay more for premium service levels. And like an ISP's customers, these groups have needs that change substantially between daytime and nighttime hours. A school offering a premium service package may also want to think of these users as an additional customer group, and treat them uniquely. And again, all of these customer groups can be easily identified based on subnet or IP address. The following are a few additional considerations in planning your traffic management strategy:

- Allocate bandwidth to each customer group
- Prioritize traffic based on relative importance
- Offer premium service packages to students
- Implement a threat management strategy
- Create scheduled reports for ongoing planning

Allocate Bandwidth to Each Customer Group

If your three core customer groups are paying for their IP service, whether through student housing fees or departmental charge-backs, you might consider implementing policies that proportionally allocate the available bandwidth among the groups. For instance, students may receive 50% of network resources while faculty gets 20% and administration receives 30% (see Figure 2). While this approach is clean and logical, it will probably not offer the most efficient use of resources, since the students will not be able to overflow into the administration group's resources, even after administration users have gone home for the day.
Figure 2: Allocating Bandwidth to Your Customer Groups

Prioritize Traffic Based on Relative Importance

As discussed in previous chapters, this involves setting relative priorities for applications and user capacity. If, for instance, your institution operates applications for e-learning, VoIP, videoconferencing, Citrix and research databases, you will want to give these the highest priority access to your network. Web browsing, FTP, Internet radio, email and a host of others may be set for medium priority, giving them all the bandwidth they need after the higher priority needs are satisfied. P2P could be set as lowest priority, with access to bandwidth as available. Some universities choose to set priorities for the three main user groups first, and then prioritize applications within each group. If Administration users were considered the highest priority user group and all email traffic was a medium priority, this group's email would be handled ahead of student emails.

Offer Premium Service Packages to Students

In the interest of satisfying the unique needs of a diverse student population, some colleges have moved to a more advanced ISP service model. Given that some users have basic needs for email and web browsing, these schools might include a basic, rate-limited 128 Kbps service as a part of the student housing fees. Other power users may have a need for higher bandwidth and support for things like VoIP and online gaming, and are willing and able to pay a monthly premium for these services.

High-quality traffic management solutions may offer facilities for setting a series of network triggers that alert IT personnel of a potential problem. For example, traffic levels dropping to zero could be one trigger that might be configured to send an SMS message to a technician's cell phone. P2P levels that exceed 70% of bandwidth could be another, while a different alert may be set to send an email in the event of a sudden spike in the connection rate, which could be an indication of a possible DoS attack.
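The segmentation rules described above (subnet-based groups, the 50/20/30 allocation, the 40% aggregate P2P ceiling, the no-upload and no-intra-campus P2P rules, and the three priority tiers) as a small policy engine. This is an added example, not code from the handbook or from any Allot product; the subnet prefixes and the permitted P2P hours are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed subnet-to-group map. The chapter says groups are identified by
# subnet or IP address range; these particular prefixes are assumptions.
GROUP_SUBNETS = {
    "students": [ip_network("10.10.0.0/16")],        # dormitories
    "faculty": [ip_network("10.20.0.0/16")],
    "administration": [ip_network("10.30.0.0/16")],
}
# Proportional allocation from the chapter's example (50% / 20% / 30%).
GROUP_SHARE_PCT = {"students": 50, "faculty": 20, "administration": 30}
# Aggregate ceiling on dormitory P2P from the chapter's example (40% of capacity).
STUDENT_P2P_CAP_PCT = 40
# Hours in which dormitory P2P is permitted; the window itself is an assumption.
STUDENT_P2P_HOURS = set(range(20, 24)) | set(range(0, 6))
# Priority tiers as the chapter lays them out; unlisted applications are medium.
PRIORITY = {
    "high": {"e-learning", "voip", "videoconferencing", "citrix", "research-db"},
    "medium": {"http", "ftp", "internet-radio", "email"},
    "low": {"p2p"},
}


@dataclass(frozen=True)
class Flow:
    host: str        # campus endpoint the policy is keyed on
    remote: str      # the other endpoint (on or off campus)
    app: str         # application label from the classifier
    direction: str   # "download" (into host) or "upload" (out of host)
    hour: int        # local hour of day, 0-23


@dataclass(frozen=True)
class Decision:
    group: str
    action: str              # "allow", "limit" or "block"
    priority: str            # "high", "medium" or "low"
    cap_pct: Optional[int]   # aggregate ceiling as % of link capacity
    reason: str


def group_of(ip: str) -> Optional[str]:
    """Map an address to its customer group by subnet, or None if off-net."""
    addr = ip_address(ip)
    for group, nets in GROUP_SUBNETS.items():
        if any(addr in net for net in nets):
            return group
    return None


def priority_of(app: str) -> str:
    for tier, apps in PRIORITY.items():
        if app in apps:
            return tier
    return "medium"


def validate_allocation() -> bool:
    """The proportional shares must account for exactly the whole link."""
    return sum(GROUP_SHARE_PCT.values()) == 100


def decide(flow: Flow) -> Decision:
    """Classify by campus subnet, then apply the chapter's group and P2P rules."""
    group = group_of(flow.host)
    prio = priority_of(flow.app)
    if group is None:
        return Decision("unclassified", "allow", prio, None, "host outside every known subnet")
    share = GROUP_SHARE_PCT[group]
    if flow.app != "p2p":
        return Decision(group, "allow", prio, share, f"{group} share of link is {share}%")
    # P2P: dormitories only, permitted hours only, no transfers between campus
    # peers, and no uploads to off-net clients (the liability rule).
    if group != "students":
        return Decision(group, "block", prio, share, "P2P disallowed for faculty and administration")
    if group_of(flow.remote) is not None:
        return Decision(group, "block", prio, share, "P2P between peers inside the university is prohibited")
    if flow.direction == "upload":
        return Decision(group, "block", prio, share, "P2P upload to an off-net client is prohibited")
    if flow.hour not in STUDENT_P2P_HOURS:
        return Decision(group, "block", prio, share, "outside the permitted P2P hours")
    return Decision(group, "limit", prio, STUDENT_P2P_CAP_PCT,
                    f"P2P download permitted; aggregate P2P capped at {STUDENT_P2P_CAP_PCT}% of capacity")


if __name__ == "__main__":
    print(decide(Flow("10.10.5.7", "203.0.113.9", "p2p", "download", 23)))
    print(decide(Flow("10.10.5.7", "203.0.113.9", "p2p", "upload", 23)))
```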
Implement a Threat Management Strategy

Because of their vantage point in the network, traffic managers are ideally suited to offer a series of powerful security capabilities. Since they have full visibility into all layers of the OSI stack, port-based traffic behavior is easily monitored and controlled. As one basic measure, many universities implement a series of standard policies that monitor and block unexpected traffic on ports commonly exploited by viruses. Any activity on these ports should also be configured to generate a network alert.

Many of the most devastating security attacks manifest themselves as a rapid increase in incoming or outgoing network connections, perhaps doubling total connections in a matter of minutes. Some traffic management devices can be configured to look for either a significant jump in total connections, or a dramatic change in the number of new connections established per second. This could be an incoming DoS attack or a student's infected PC suddenly generating a slew of outgoing SPAM sessions. Any sudden change in the number of network connections can trigger a traffic management device to take steps to block or minimize this activity, and simultaneously generate an alert to the appropriate IT personnel.

Given the highly detailed and accurate visibility available through a traffic management system, most network threats can be quickly traced to the offending port, application or user PC. This in-depth visibility gives administrators the information they need to isolate and repair infected machines, and to implement new policies to prevent a similar attack in the future.

Create Scheduled Reports for Ongoing Planning

No network is static, and traffic management policies should be reviewed regularly to keep pace. The rapid emergence of Skype for free VoIP calls is an excellent example of a new trend that may point to the need for an adjustment. Scheduling a set of customized traffic reports to run each week is one way to be sure your strategy is still intact.
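The connection-rate trigger this section describes, as an added example that is not from the handbook or any Allot product: it counts new connections per host per minute over constructed log lines and raises an alert when a host at least doubles its own recent baseline, reporting the destination port that dominated the burst so the event can be traced to a port and a PC. The log format, look-back window and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    host: str
    minute: str        # "YYYY-MM-DDTHH:MM"
    new_conns: int     # new connections opened by the host in that minute
    baseline: float    # mean new connections/minute over the look-back window
    top_port: int      # destination port hit most often in that minute


def build_sample_log() -> list:
    """Constructed flow-start records: five quiet minutes, then one dorm PC
    opens 16 SMTP sessions in a single minute, the outgoing-spam pattern the
    chapter describes. Format: '<ISO timestamp> <src> <dst>:<port>'."""
    lines = []
    t0 = datetime(2006, 9, 4, 8, 0, 0)
    for minute in range(5):
        for i in range(3):      # dorm PC: three web connections per minute
            ts = t0 + timedelta(minutes=minute, seconds=10 * i)
            lines.append(f"{ts.isoformat()} 10.10.5.7 203.0.113.{10 + i}:80")
        for i in range(2):      # faculty PC: two connections per minute
            ts = t0 + timedelta(minutes=minute, seconds=20 * i)
            lines.append(f"{ts.isoformat()} 10.20.1.1 198.51.100.{5 + i}:443")
    for i in range(16):         # minute 5: burst of SMTP sessions to 16 hosts
        ts = t0 + timedelta(minutes=5, seconds=3 * i)
        lines.append(f"{ts.isoformat()} 10.10.5.7 192.0.2.{i + 1}:25")
    return lines


def parse(line: str):
    ts, src, dst = line.split()
    return ts[:16], src, int(dst.rsplit(":", 1)[1])   # minute bucket, host, port


def detect_connection_spikes(lines, window=3, factor=2.0, min_conns=10):
    """Return an Alert for every (host, minute) whose new-connection count is
    at least `factor` times the host's mean over the previous `window` minutes.
    `min_conns` is an absolute floor so a host going from 1 to 2 does not trip."""
    per_min = defaultdict(Counter)   # host -> minute -> new connections
    ports = defaultdict(Counter)     # (host, minute) -> port -> count
    for line in lines:
        minute, src, port = parse(line)
        per_min[src][minute] += 1
        ports[(src, minute)][port] += 1
    timeline = sorted({m for counts in per_min.values() for m in counts})
    alerts = []
    for host, counts in per_min.items():
        for idx in range(window, len(timeline)):   # skip warm-up minutes
            minute = timeline[idx]
            count = counts.get(minute, 0)
            baseline = sum(counts.get(timeline[j], 0)
                           for j in range(idx - window, idx)) / window
            # A host with no recent history trips only on the absolute floor;
            # an established host trips when it multiplies its own baseline.
            spiked = count >= min_conns and (baseline == 0 or count >= factor * baseline)
            if spiked:
                top_port = ports[(host, minute)].most_common(1)[0][0]
                alerts.append(Alert(host, minute, count, baseline, top_port))
    return sorted(alerts, key=lambda a: (a.minute, a.host))


if __name__ == "__main__":
    for alert in detect_connection_spikes(build_sample_log()):
        print(alert)
```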
Chapter Summary

Universities have a disproportionately large number of users introducing traffic onto the network, creating daunting management, capacity and budget challenges. Furthermore, many students are savvy power users, constantly pushing the envelope with the latest new technologies. P2P is a perfect example, and one that can negatively impact operations in multiple ways, including creating potential exposure to copyright infringement liabilities.

Given their diverse user needs, many institutions have opted to run their networks, at least in part, like a service provider, offering enterprise-like services to university staff, while maintaining high-quality, residential-like services to students. While there are many strategies for achieving this balance, most start with global policies to place some controls on P2P traffic and to protect against many types of malicious traffic. From there, a logical approach is to set policies that prioritize key users and business-critical and delay-sensitive applications ahead of all others, and to configure other users and applications as lower relative priorities.

Given the competition among institutions for new student enrollees, forward-thinking universities are taking a very strategic view of their network infrastructure, evaluating new services like IPTV, VoIP, tiered rate plans and other premium packages as institutional differentiators. High-end traffic management systems are designed to empower IT departments with a suite of powerful capabilities to accomplish all this, and still maintain appropriate budget controls.
Chapter 15 Gaining an Edge Through Strategic Networking

Calculating a Traffic Management Return on Investment (ROI)

As discussed in Chapter 2, a large component of the business case for using traffic management rests with the high cost of lost productivity when network application performance degrades. In addition, postponement, avoidance, or reduction of investments in additional bandwidth by simply managing bandwidth more efficiently factors largely into the equation. This chapter helps you calculate a basic ROI for using traffic management. From there, it suggests supplementary questions to help determine whether there is additional business justification for using traffic management based on variables in your specific network environment. Capital investments and the cost of ongoing maintenance of the added traffic management equipment, of course, must also be figured into the formulae shown. Those costs are accounted for in the sample university case study presented in this chapter.
The Basic Math

Industry averages show that most organizations (enterprises, universities, and service providers alike) save about 30% annually by investing in a traffic management solution. This estimate accounts for savings in the following IT areas:

- Reduction in the negative effects of peer-to-peer traffic on network service and, in the case of service providers, customer churn
- Prevention of many denial-of-service (DoS) attacks before they can negatively impact network service
- Avoidance or reduction of bandwidth upgrades by making more efficient use of existing bandwidth
- Lowering of troubleshooting costs by preventing network degradation through network monitoring and traffic flow management

If you already have a general idea of what your organization spends annually in these areas, multiply that number by 0.30, and you will see how much you are likely to save per year:

Estimated cost savings using traffic management = (P2P costs + DoS costs + annual upgrade costs + troubleshooting costs) x 0.30

The Intermediate Math

If you would like to determine more specifically what you might be able to save using traffic management in each of these four areas, use the following formulae:

1. Savings in Annual Bandwidth Increases

It is common for organizations to have bandwidth utilization increases of 5-25% per year. Traffic management can often help reduce both the direct and indirect costs associated with these increases. These include investments in additional capacity, as well as staffing and incremental costs per employee. Depending on many factors (actual bandwidth service costs, organizational growth, and utilization increases), you can generally expect average annual savings of 1-8% by managing bandwidth more efficiently using a traffic management device. To approximate your return on bandwidth savings, estimate the annual cost savings of reduced bandwidth upgrades as a percentage (p) of your annual bandwidth costs:

Bandwidth upgrade cost savings = annual bandwidth costs x (p)    $ ________
2. Savings in Bandwidth Troubleshooting

Using the historical monitoring capabilities supported by many traffic management systems enables organizations to efficiently track network behavior and prevent future network degradation issues. Preventive action resulting from network monitoring typically reduces annual IT troubleshooting costs by 5-15%. To approximate what you could save annually in IT troubleshooting costs because of decreased bandwidth-related issues (such as congestion impacting business applications), estimate the annual cost savings of reduced bandwidth-related troubleshooting costs as a percentage (p) of your annual IT troubleshooting costs, accounting for how many employees are involved in troubleshooting, how much time they spend on network bandwidth troubleshooting, and their average hourly pay rate:

Annual troubleshooting savings = total annual bandwidth troubleshooting costs x (p)    $ ________

3. Savings in Reduced or Eliminated Viruses/Denial of Service (DoS) Attacks

Just one virus or DoS attack on your network can be financially devastating. Setting alerts and corrective actions in a traffic management system will automatically halt many DoS attacks before they significantly impact network service. To approximate what you could save annually in network downtime caused by viruses and DoS attacks, estimate the total annual number of hours of network downtime associated with security attacks that you think you experience each year (n). The potential for savings assumes an aggregate average cost of $28,500 per hour to an organization across industries (source: Infonetics Research).

Potential annual savings in network downtime caused by virus and DoS attacks = (n) x $28,500    $ ________
4. Savings by P2P Traffic Limiting or Blocking

Many organizations, particularly service providers and universities, are experiencing large volumes of unnecessary P2P traffic on their networks. Identifying P2P packet flows using deep packet inspection and setting rules to rate limit or block both inbound and outbound P2P traffic helps avoid unnecessary bandwidth investments and ensure fulfillment of service level agreements (SLAs) for network uptime, performance, and quality of service (QoS). Consistent fulfillment of SLAs is fundamental to retaining customers in the service provider market, as well as in educational environments that function as part service provider, part enterprise. To approximate your return on controlling P2P, estimate the percentage of total subscribers you would be likely to retain because of improved QoS due to controlling P2P. Then plug the percentage (p) into this formula:

Annual value of retained customers = (Total no. of subscribers) x (Average annual cost per subscriber) x (p)    $ ________

Total for Basic Annual Savings (items 1-4)    $ ________

As the sample case scenario below shows, the ability of a service provider or university to retain customers by using traffic management to ensure user service levels, in large part by controlling P2P traffic, can significantly boost the business case by delivering an immediate ROI.

An ROI Sample Case Scenario

Consider the fictional case of Universal University, a private higher-education facility in Anytown, USA, serving both faculty and students, in effect behaving as part enterprise and part service provider. There are 20,000 students, and three quarters (15,000) live in dormitories. Most of these students and the university's faculty members access the Internet via the school's two Internet access connections, one operating at 155 Mbit/s (OC3), which costs the university $12,000 per month, and one at 45 Mbit/s (DS3), which costs the university $4,000 per month. Let's say 10,000 students pay $15 a month (or $180 per year) for Internet data services.
Potential Annual Savings and Revenues at Universal University Using Traffic Management

Savings on Bandwidth Upgrade Costs:
$192,000 in annual bandwidth costs x 5% expected savings of annual bandwidth costs = $9,600

Retained Subscribers by Managing P2P Traffic:
10,000 subscribers x $180/subscriber/year x 5% of subscribers expected to be retained = $90,000

Savings in Troubleshooting Costs:
Presuming two employees at $50 per hour, each spending 8 hours per week on bandwidth troubleshooting, and presuming a 15% reduction in troubleshooting costs using traffic management:
($50 x 8 hours/week x 2 people x 50 weeks/year) = $40,000 in annual bandwidth troubleshooting costs x 15% expected savings = $6,000

Savings Due To No More Downtime Due To DoS, Viruses:
3 hours of expected downtime x $28,500 per hour (cost of downtime source: Infonetics Research) = $85,500

Total Gross Savings                                                                 $191,100
Minus approximate cost of 155 Mbit/s-capable traffic management device (one time)   $35,000
Interim Balance                                                                     $156,100
Minus approximate cost of 45 Mbit/s-capable traffic management device (one time)    $15,000
Interim Balance                                                                     $141,100
Minus yearly maintenance fee on equipment (15% of $50,000)                          $7,500
ROI/Savings (Year 1*)                                                               $133,600
Case-Specific ROI Questions

Additionally, in many cases there are other questions to ask, specific to your circumstances, which might further justify the business case for traffic management.

1. Do you have specific major business application traffic that you need to prioritize on your network?

Downtime of enterprise business applications is a significant financial and resource drain on organizations. According to The Standish Group, the cost of downtime for major enterprise applications such as customer resource management (CRM), data warehousing, e-commerce, enterprise resource planning, and supply chain management ranges from $2200 to $6400 per minute (see Chapter 2). Typically, enterprises can expect significant savings using the prioritization and guaranteed bandwidth capabilities in traffic management systems, which boost the uptime of mission-critical network traffic. To approximate what you could save annually in application downtime costs, conservatively estimate the cost of each major application's downtime at $2200 per minute. Estimate the number of annual minutes usually lost due to downtime of each major application (n) and plug it into the following formula:

Total annual savings per application = (n) x $2200

This figure does not account for difficult-to-calculate losses in damaged reputation or lost customers when CRM and other applications that touch customers do not perform as expected.

2. Do you need to mitigate legal risks and liabilities on your network?

Recent court cases have confirmed that corporations are liable for each instance of copyright infringement by their employees as a result of improper music and video downloads. These can include materials downloaded over corporate networks or those downloaded at home yet resident on employee PCs. Each instance of copyright infringement can carry a penalty as high as $150,000, as well as attorney fees (see http://www.copyright.gov/title17/92chap5.html#504). To approximate what you could save annually in copyright infringement liability costs, estimate the annual number of illegally downloaded copyrighted songs or videos resident on your employees' computers (n) and plug it into the following formula:

Potential annual savings in copyright infringement liability costs = (n) x $150,000    $ ________
3. What is your current oversubscription ratio?

The greater the oversubscription ratio that is successfully supported with appropriate quality of service, the greater the savings in bandwidth costs and the more money service providers can make. Traffic management systems enable the higher ratios by allowing application traffic prioritization and management of existing bandwidth. The oversubscription ratio represents the number of times the same network bandwidth is sold, on the assumption that all users will not be contending for all capacity at exactly the same times. If a provider sells services in 1 Mbps increments on a 10 Mbps link to 200 subscribers, the link is oversubscribed 20 times, or, put another way, has a 20:1 oversubscription ratio. In the service provider environment, traffic management systems help effectively manage oversubscription ratios of 100:1 and higher.

Oversubscription ratio = (no. of subscribers x Mbps per subscriber) / Mbps capacity of link    Ratio ________

Enter here the additional revenues you could expect to generate by adding subscribers without having to add bandwidth (increasing your oversubscription ratio)    $ ________

4. Are you interested in adding new revenue-building services to your network?

Having the ability to differentiate and prioritize traffic based on user, application, protocol type, IP source address, and so forth enables network operators to offer innovative new services to various groups of customers. Among them are differentiated service classes at varying prices and real-time services such as gaming, VoIP, and streaming video. Traffic management systems, as has been discussed, also deliver detailed subscriber use information, helping to target new services and service packages to very specific customer needs. To approximate your return using traffic management to add revenue-generating services to your network, estimate the annual percentage increase in subscriber revenue you would expect by adding new revenue-building services and plug that percentage (p) into this formula:

Annual increase in subscriber revenue = Existing annual total subscriber revenue x (p)    $ ________

Total for Additional Savings/Revenue (items 1-4)    $ ________
Additional Services for Universal University

In the case of Universal University, let's say that in addition to the school's 10,000 paid Internet data users, another 3,000 dorm students mooch free services by hanging unauthorized 802.11 (Wi-Fi) wireless access points in their dorm rooms. Using the traffic manager to identify and block the unauthorized Wi-Fi users, it is likely that the university could convert at least 50% (if not 100%) of those students into paying customers at $15 a month, given that students require network access. Let's also consider that the university might be able to sign up half of its existing subscriber base to use VoIP services for $5 per month. Given this, and applying the formulae above with conservative variables added in, let's see what additional revenues the university could generate and how they affect its ROI.

Additional revenues by converting unauthorized Wi-Fi users into legitimate data users:
1,500 new users @ $15/month x 12 months = $270,000

Adding VoIP service revenue @ $5/month for 50% of the 10,000 subscriber base:
$5/month x 12 months x 5,000 = $300,000

Summary of ROI
Potential new service revenues    $570,000
Savings (Year 1)                  $133,600
Total ROI Year 1*                 $703,600

* ROI/savings increase as capital investment depreciates.
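The four savings formulae from The Intermediate Math, the capital and maintenance deductions, the oversubscription ratio from question 3, and the Universal University figures (base case plus the additional Wi-Fi and VoIP revenue) carried through in one place. This is an added example, not from the handbook; the function names are my own, and the rule-of-thumb helper uses the 30% figure from The Basic Math.

```python
DOWNTIME_COST_PER_HOUR = 28_500   # cross-industry average the chapter cites (Infonetics Research)
RULE_OF_THUMB_SAVINGS = 0.30      # "The Basic Math" estimate


def basic_math(p2p_costs, dos_costs, upgrade_costs, troubleshooting_costs):
    """Rule-of-thumb estimate: 30% of today's spend across the four areas."""
    return round((p2p_costs + dos_costs + upgrade_costs + troubleshooting_costs)
                 * RULE_OF_THUMB_SAVINGS, 2)


def bandwidth_upgrade_savings(annual_bandwidth_costs, p):            # item 1
    return round(annual_bandwidth_costs * p, 2)


def troubleshooting_savings(people, hourly_rate, hours_per_week, weeks, p):   # item 2
    annual_cost = hourly_rate * hours_per_week * people * weeks
    return round(annual_cost * p, 2)


def downtime_savings(hours_of_downtime):                             # item 3
    return round(hours_of_downtime * DOWNTIME_COST_PER_HOUR, 2)


def retained_customer_value(subscribers, annual_fee, p):             # item 4
    return round(subscribers * annual_fee * p, 2)


def oversubscription_ratio(subscribers, mbps_per_subscriber, link_mbps):   # question 3
    return subscribers * mbps_per_subscriber / link_mbps


def first_year_net(gross, device_costs, maintenance_pct):
    """Deduct one-time device costs and the yearly maintenance fee (a
    percentage of the combined capital cost) from gross savings."""
    capital = sum(device_costs)
    maintenance = round(capital * maintenance_pct, 2)
    return {"gross": gross, "capital": capital, "maintenance": maintenance,
            "net": round(gross - capital - maintenance, 2)}


def universal_university():
    """The chapter's fictional case, carried through the formulae above."""
    annual_bandwidth = 12 * (12_000 + 4_000)        # OC3 plus DS3 monthly charges
    savings = {
        "bandwidth upgrades": bandwidth_upgrade_savings(annual_bandwidth, 0.05),
        "retained subscribers": retained_customer_value(10_000, 15 * 12, 0.05),
        "troubleshooting": troubleshooting_savings(2, 50, 8, 50, 0.15),
        "downtime": downtime_savings(3),
    }
    year1 = first_year_net(sum(savings.values()), (35_000, 15_000), 0.15)
    # Additional revenue: converting half of the 3,000 unauthorized Wi-Fi users
    # and selling VoIP to half of the 10,000 existing subscribers.
    new_revenue = {
        "converted wifi users": 1_500 * 15 * 12,
        "voip": 5_000 * 5 * 12,
    }
    total = year1["net"] + sum(new_revenue.values())
    return {"savings": savings, "year1": year1, "new_revenue": new_revenue,
            "total_year1_roi": round(total, 2)}


if __name__ == "__main__":
    for key, value in universal_university().items():
        print(f"{key}: {value}")
```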
Chapter Summary

As shown, having insight into traffic behavior and the ability to then control it can quickly impact yearly savings and revenue. Such visibility and control afford network operators the ability to avoid adding bandwidth, keep undesirable traffic off the network, and retain customers. The exact gains will vary from network operator to network operator with existing bandwidth volume discounts, number of users and subscribers, vertical industry and other factors that relate to how each organization manages its network. To run an automated version of similar calculations for your own environment, use the Allot Communications ROI Calculator at http://www.allot.com.
Chapter 16 Network Business Intelligence: Data Mining for Strategic Performance Management

In reading this handbook, you have learned that the discipline of network management now extends beyond the ability to monitor the health status of networked devices and generate basic trending information about performance. Today, traffic management systems that use deep packet inspection (DPI), the ability to identify packets by application type, user, user group, and machine, provide you with both real-time and long-term data mining capabilities for your network. As a result, you can strategically control the performance of the traffic flows that your network carries. Combining DPI with classification, policy enforcement, and reporting capabilities delivers network business intelligence.

Network business intelligence leverages the traffic management system to mine information about exactly what is running on the network, generating reports that combine application, user, and server information and views. Network operators can then determine the network's application and protocol mix, how applications are performing, what impact they are having on other traffic flows, and what the network requirements are for all traffic. For example, DPI identifies application types when the port number alone is not enough by looking further inside the packet header. This is particularly useful for applications using dynamic port numbers, such as voice over IP (VoIP), Hyper Text Transfer Protocol (HTTP), Citrix-based remote-access applications, and the Microsoft NetMeeting conferencing application. HTTP consistently uses port 80; however, many web applications and traffic types use HTTP. So a port number alone is insufficient for identifying specific HTTP applications.

Armed with information about user, application, protocol, and machine behavior on the network, you can configure your traffic management system to automatically classify and shape all traffic in a way that optimizes your network usage to maximize your return on investment (ROI). For private enterprises, this means giving the network the ability to prioritize, rate limit, or guarantee bandwidth to certain traffic to enforce service-level requirements for internal users. Enterprise network operators can maintain high-quality performance of mission-critical applications and those with low tolerance for packet loss, delay, and jitter. Service providers, for their part, are able to shape bandwidth and application traffic not only to deliver high service levels to customers, but also to control traffic in ways that make it possible to deploy new types of subscription services, such as tiered bandwidth offerings or IP voice. Universities often operate in a dual-mode function: as an enterprise required to meet certain network service levels for internal staff and faculty, and as a service provider deploying and managing fee-based services to student subscribers.

Why Build Smarter Networks?

Having network business intelligence is especially important given today's converged networks, which merge applications with different behaviors and requirements onto a statistically multiplexed packet network. In yesterday's circuit-switched network model, separate networks were used for separate applications, or separate DS0 channels of a time-division multiplexed (TDM) circuit were nailed up to specific applications.
This worked well for giving each application sufficient bandwidth, but was inefficient in the use of network capacity and expensive. From there, merging traffic onto a packet-switched, converged network bought network operators bandwidth efficiency by allowing all traffic to intermingle to maximize bandwidth use. Packet switching precluded circuits from occasionally sitting idle when their dedicated applications had no data to send. Still, some applications have different bandwidth, latency, packet loss, and jitter requirements than others; in a best-effort scenario (without traffic management), when one critical application is not performing, the solution is to simply buy more bandwidth. However, often this does not fix the problem for very long, because certain P2P and other file-transfer applications consume all available bandwidth.

Now, by making the network more intelligent and having greater insight into how traffic is behaving, network operators can improve the quality of experience for users without necessarily having to continually invest in additional network capacity. As a result, organizations can build higher-value networks, networks that use resources in a much smarter fashion while improving performance. Traffic management systems that operate at all seven layers of the network protocol stack mine information from the network and display it in graphical, drill-down reports to allow network operators to determine the following:

- Is there congestion on the network?
- Does the network get congested at certain times of the day?
- What applications, protocols, servers, and users are causing congestion?
- At what utilization level is the network running, both on average and at different times of the day?

Knowing this, operators can set policies so that the network automatically tunes traffic behavior to reflect a given organization's business priorities and the respective needs of its various applications. This is particularly efficient in organizations with centralized networks, enabling IT personnel to view the information listed above from a network-wide perspective. Certain systems generate reports that consolidate information about all WAN traffic, which is more actionable than having to view and correlate multiple reports for each WAN link on your own.
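Why the port alone misclassifies, as discussed at the start of this chapter, shown as an added example that is not the handbook's or any product's code: a port-table classifier beside a small DPI classifier run over constructed packets, where the DPI pass reads the request line and Host header of HTTP on port 80, recognizes a BitTorrent handshake carried on port 80, and recognizes SIP signalling on a dynamic port. The host-to-application table and the packets are constructed for the example.

```python
import re

# What a port-only classifier knows: the well-known port table.
PORT_TABLE = {80: "http", 443: "https", 25: "smtp", 5060: "sip"}

# Constructed mapping of web hosts to the application they carry, so that
# several HTTP applications on port 80 can be told apart (host names assumed).
HTTP_HOST_APPS = {
    "webmail.example.edu": "http/email",
    "elearning.example.edu": "http/e-learning",
    "radio.example.net": "http/internet-radio",
}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"\r\nHost: *([^\r\n]+)\r\n", re.IGNORECASE)
SIP_REQUEST = re.compile(rb"^(INVITE|REGISTER|OPTIONS) sip:")
SMTP_GREETING = re.compile(rb"^(EHLO|HELO) ")
BITTORRENT_HANDSHAKE = b"\x13BitTorrent protocol"   # pstrlen 19 + protocol name


def by_port(port: int) -> str:
    return PORT_TABLE.get(port, "unknown")


def by_dpi(payload: bytes) -> str:
    """Label the application from the first bytes of the payload."""
    if payload.startswith(BITTORRENT_HANDSHAKE):
        return "p2p/bittorrent"
    if SIP_REQUEST.match(payload):
        return "voip/sip"
    if SMTP_GREETING.match(payload):
        return "smtp"
    if HTTP_REQUEST.match(payload):
        m = HOST_HEADER.search(payload)
        host = m.group(1).decode("ascii", "replace").strip().lower() if m else ""
        host = host.split(":")[0]                       # drop an explicit port
        return HTTP_HOST_APPS.get(host, "http/web-browsing")
    return "unknown"


# Constructed packets: (destination port, first payload bytes).
SAMPLE_PACKETS = [
    (80, b"GET /inbox HTTP/1.1\r\nHost: webmail.example.edu\r\nUser-Agent: x\r\n\r\n"),
    (80, b"GET /course/101 HTTP/1.1\r\nHost: elearning.example.edu\r\n\r\n"),
    (80, BITTORRENT_HANDSHAKE + bytes(8) + bytes(20) + bytes(20)),   # P2P on port 80
    (40012, b"INVITE sip:bob@example.edu SIP/2.0\r\nVia: SIP/2.0/UDP 10.10.5.7\r\n\r\n"),
    (25, b"EHLO mail.example.edu\r\n"),
]


def classify_all(packets):
    """Return (port, port-only label, DPI label) for each packet."""
    return [(port, by_port(port), by_dpi(payload)) for port, payload in packets]


def disagreements(packets):
    """Indices of packets where the port-only label is wrong or missing: the
    DPI label neither equals nor refines (prefixes with) the port label."""
    return [i for i, (_, port_label, dpi_label) in enumerate(classify_all(packets))
            if not dpi_label.startswith(port_label)]


if __name__ == "__main__":
    for port, port_label, dpi_label in classify_all(SAMPLE_PACKETS):
        print(f"port {port:>5}: port-only={port_label:<8} dpi={dpi_label}")
```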
The Distributed Organization

Many businesses have become distributed geographically as the real estate savings and hiring flexibility associated with branch offices have grown appealing. As a result, the WAN that links the various sites with enterprise data resources has become a strategic IT vehicle that powers the applications, which, in turn, fuel the business. Intelligence in the WAN allows network operators to understand and execute upon the business's priorities about each application and its performance requirements.

From a network design standpoint, traffic management systems can be configured so that every pair of communicating sites requires matching systems in order to work. Alternatively, and most economical, are systems that take the data center approach. This means that only one system is required at the head end and not in every branch office, thus reducing capital and operational expenditures by eliminating the need to distribute equipment across the entire branch office network.

Chapter Summary

Network business intelligence in traffic management systems mines information about the WAN, which has become a strategic IT asset as organizations have grown more distributed. Traffic management systems gather information about application and protocol mix, how applications are performing, and what impact they are having on other traffic flows. This information enables network operators to control traffic to maximize network efficiency and maximize return on investment (ROI). Both real-time and long-term monitoring are recommended for fine-tuning policies about network behavior. In both cases, DPI is necessary for understanding what traffic is on the network so that policies can be associated with each traffic type. The report-generation capability of seven-layer monitoring that also enables policy setting and traffic shaping is important for real-time troubleshooting and resolution of network performance degradation. It also enables you to see longer-term trends, allowing you to determine whether your traffic requires further management, whether you need additional bandwidth (or less bandwidth), or a combination. Traffic management devices that need only be installed in head-end locations and generate reports about WAN links network-wide are particularly useful and efficient.

Chapter 17, the final chapter in this handbook, profiles a university that deployed traffic management to curb frequent investments in additional bandwidth and to reallocate network resources during the Katrina hurricane disaster of 2005 on the Gulf Coast of the U.S.
Chapter 17 Case Study of Louisiana State University School Curbs Bandwidth Use, Supports Emergency Hurricane Communications Chapter 14 described the unique set of problems encountered by network administrators in educational environments. This chapter moves the traffic management discussion from the theoretical to the practical by taking a look at a university production environment. Louisiana State University in Baton Rouge, La., deployed a traffic management system to control P2P application use by students that was bogging down the network with unprecedented bandwidth consumption. More recently, the university was called upon to provide guaranteed communications to emergency responders during Hurricane Katrina. The university used an Allot Communications NetEnforcer traffic management device to address both situations. More Bandwidth, Please! When its computer-savvy students returned to school in the fall of 2001, LSU found itself subject to a huge demand for more bandwidth. The network administrator strongly suspected that the unprecedented drain on existing bandwidth came from the students using the latest in P2P applications. But that suspicion was difficult to prove. 101
So LSU increased its Internet access bandwidth from 24 to 45 Mbps. But the additional capacity was instantly consumed, said Terry Doub, director of the LSU network operation center. The obvious solution was to add still more bandwidth. That next spring LSU moved to 62 Mbps, and in July upgraded yet again to a blazing 155 Mbps. The upgrades represented an increase of 130 Mbps in less than 16 months. Mystifyingly, however, after these repeated upgrades and expenditures, the network was just as clogged if not more so than it was a year earlier. Doub noted that the nominal bandwidth management available by manually tweaking routers was a time-intensive and mistake-prone activity. Unmasking the Culprit Faced with the budgetary impossibility of adding still more bandwidth that users would quickly consume, LSU started to evaluate bandwidth management tools. After reviewing numerous options from a variety of vendors, Doub decided on a test evaluation of Allot Communications 155 Mbps NetEnforcer AC-701 traffic management device. Deep packet inspection-based monitoring with the NetEnforcer definitively revealed the culprit to be P2P applications in use by the student population. From there, Doub set up rules to limit P2P traffic and block P2P uploads to outside recipients, to stem the runaway bandwidth consumption. The results were dramatic. After installing the NetEnforcer evaluation unit, the impact was immediate and when the trial period was over, we didn t let them take the unit out, said Doub. The university upgraded to the NetEnforcer AC-1000, Allot Communications gigabit-speed traffic management device, as soon as it was available for future-proofing. Doub is able to shape the network traffic by allocating IP addresses to three basic groups of users: students, faculty, and staff. Different rules apply to these groups for the purpose of controlling network traffic. The students are free to use P2P, but have limits on the amount of bandwidth available to them. 
For liability reasons, the system blocks students from sending P2P files to users outside the university system. The other two groups, faculty and staff, cannot use P2P applications at all.
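The three-group policy described above, modelled as an added example that is not Allot's or LSU's configuration; the address blocks, the student P2P cap of 20,000 kbps and the flow fields are constructed assumptions, and the application label is taken as already supplied by deep packet inspection.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address blocks standing in for the three user groups; not LSU's real ranges.
GROUPS = {
    "students": [ipaddress.ip_network("10.10.0.0/16")],
    "faculty":  [ipaddress.ip_network("10.20.0.0/16")],
    "staff":    [ipaddress.ip_network("10.30.0.0/16")],
}
STUDENT_P2P_KBPS = 20000  # assumed aggregate cap for student P2P; the page gives no figure


@dataclass
class Flow:
    src: str        # campus host the rule is evaluated for
    dst: str        # other endpoint of the flow
    app: str        # application as classified by deep packet inspection, e.g. "p2p"
    direction: str  # "upload" (src sends data) or "download"


def group_of(ip: str) -> str:
    """Map an address to its user group, or 'external' if it is off campus."""
    addr = ipaddress.ip_address(ip)
    for name, nets in GROUPS.items():
        if any(addr in net for net in nets):
            return name
    return "external"


def policy_action(flow: Flow) -> tuple:
    """Apply the chapter's rules, most specific first.

    Returns (action, limit_kbps) where action is 'block', 'limit' or 'allow'.
    """
    grp = group_of(flow.src)
    if flow.app != "p2p":
        return ("allow", None)              # only P2P is restricted by this policy
    if grp in ("faculty", "staff"):
        return ("block", None)              # faculty and staff may not use P2P at all
    if grp == "students":
        if flow.direction == "upload" and group_of(flow.dst) == "external":
            return ("block", None)          # no P2P uploads to recipients outside the university
        return ("limit", STUDENT_P2P_KBPS)  # otherwise P2P shares a capped allocation
    return ("allow", None)                  # source not in any group: outside the described policy


def apply_policy(flows):
    """Evaluate a batch of flows; returns {(src, dst, app): action}."""
    return {(f.src, f.dst, f.app): policy_action(f)[0] for f in flows}
```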
No More Upgrades

LSU has not added bandwidth since installing the NetEnforcer; in other words, the traffic management system has virtually eliminated the need for bandwidth increases at the university. The device has allowed Doub to shape and control the network quickly and easily, adapting it to transient contingencies while continuing to fully support core application performance requirements. Visibility into network behavior is the key to both bandwidth management and troubleshooting network problems. For example, recently Doub was able to track and detect misuse on the network by isolating a particular network pipe and allowing only the suspected offender's traffic to travel over that link. The NetEnforcer allowed him to detect and document the network abuse and terminate the offending traffic quickly.

Reallocating Resources during Katrina

Besides benefiting from the control and network insight provided by the NetEnforcer, Doub has found the solution to be particularly adaptable to contingency needs. A case in point: NetEnforcer enabled LSU not only to manage its own resources, but also to extend its network resources during Hurricane Katrina, a time of U.S. national crisis. "For hurricane season, we guaranteed bandwidth for data for the Southern Regional Climate Center, which was tied into the National Hurricane Center in Miami," explained Doub. Following Hurricane Katrina's devastating effects on New Orleans and other parts of the Gulf Coast, LSU was called upon to house support personnel from the U.S. Federal Emergency Management Agency (FEMA) and the U.S. Army. It also provided Internet access to these personnel at a time when basic communications infrastructure had become all but nonexistent. Doub had to act fast to meet the emergency needs. The adaptability and flexibility made possible by the NetEnforcer allowed Doub and his team to set up temporary services for FEMA and the army with incredible speed.
"Within literally minutes, we had a guaranteed pipe established for them off campus," said Doub. Using NetEnforcer policy enforcement capabilities, Doub was also able to ensure that the university, FEMA, and army services did not interfere with one another.
NetEnforcer At-A-Glance

Allot's NetEnforcer offers educational institutions distinct business and technical advantages:
- Increased control of network performance
- Detailed monitoring and accounting
- Denial of service (DoS) protection
- Recovery of lost bandwidth
- Diagnostic problem solving

Chapter Summary

For better or worse, today's technically sophisticated student population poses new challenges for network administrators, especially the need to control P2P and other bandwidth-hungry applications. Rather than adding bandwidth, which is costly and does not guarantee successful resolution of the problem, network monitoring and control using a traffic manager such as Allot's NetEnforcer provides a cost-effective and adaptable solution. Traffic management allows educational institutions to control and shape traffic by assigning bandwidth based on IP addresses, thereby controlling network usage and guaranteeing resources to mission-critical applications and users, such as faculty and staff. The solution has enabled LSU to avoid bandwidth increases for nearly four years. Additionally, traffic management allows network administrators to track usage and thwart network misuse by discovering problems through deep packet inspection. Network administrators can also use the system to set up new networks quickly and easily when unexpected contingencies arise, such as those faced by LSU in the aftermath of Hurricane Katrina.
About Allot Communications

Allot Communications (www.allot.com) is a leading provider of intelligent IP service optimization solutions. Designed for carriers, service providers and enterprises, Allot solutions apply deep packet inspection (DPI) technology to transform broadband pipes into smart networks. This creates the visibility and control vital to manage applications and services, guarantee quality of service (QoS), contain operating costs and maximize revenue.
- Facilitate inspection, visibility and active control in networks
- Achieve Network Business Intelligence: provide crucial visibility of network usage and business behavior
- Control traffic and maximize average revenue per user (ARPU) for carriers and service providers
- Ensure mission-critical applications and contain network costs for enterprises
- Expertise in a line of products: NetEnforcer family of traffic management devices and NetXplorer centralized management platform

Allot's success is based on the company's commitment to leading the market in ease-of-use, price/performance, scalability and customer support. Listening to customers, employees, partners and industry analysts, Allot offers the products, services and worldwide support programs that the market demands. Today, Allot's award-winning products are sold by a dedicated global team of partners, trained service integrators and distributors, and are deployed in a diverse range of industries including telecommunications (carrier and broadband, wireless, cable and satellite service providers), education, banking, manufacturing, retail and transportation.
The Traffic Management Handbook for Enterprises
A comprehensive review of network traffic management for enterprise networks and network managers

Looking to manage and control your network traffic? Want to contain WAN costs? Seeking a way to ensure that your mission-critical applications are always up and running? Now's the time to invest in network traffic management. The Traffic Management Handbook for Enterprises is a comprehensive guide for network managers to understand the robust, policy-powered networking opportunities offered by traffic management solutions.

Efficient management of traffic crossing the LAN/WAN boundary of an enterprise is achieved in three simple steps:
- Monitor network and bandwidth usage to automatically discover applications and to determine the protocols that affect network performance and require management.
- Define the policies that link business priorities to computing needs and determine the QoS attributes, such as minimum and maximum bandwidth percentages and traffic prioritization.
- Enforce the rules, allowing the traffic management device to examine all traffic crossing the WAN link and continually monitor resources to maintain network control and application performance.

www.allot.com $19.99 ISBN 965910020-5