Managing Bandwidth
We have traditionally been a Packetshaper shop for a very long time. I’ve grown a bit dis-satisfied with a number of things over the years, and it looks like we will need to make some fairly expensive upgrades in the not too distant future to one of my shapers.
Plus, my confidence in the deep packet inspection abilities of the shaper is not as high as it once was.
I’m also looking at a next generation firewall and my confidence is much higher in the dpi capabilities of that device for denying stuff like p2p.
So, that all said, I’ve been looking at a product to equalize my bandwidth more than shape it. I have seen people on this list mention the NetEqualizer quite often, and would be interested in your experiences with the product.
Please let me know how long you’ve had the appliance.
How much bandwidth you are equalizing over.
How many students you are equalizing bandwidth for.
Your experience with the support. How easy to reach, replacement hardware, etc.
Do you miss the automatic bypass of the shaper (if you had one)?
And just your overall satisfaction with the unit and APConnection.
Many thanks.
Chris Davis
CIS Security Manager
The Principia

















Comments
We moved from packetshaper to exinda and are very happy, great company, lots of former PS engineers who left after blue coat took over. I highly recommend getting a demo.
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
We also had been a PS shop until last fall. PS/Bluecoat has lost the plot, their product standing still while the world continues to move on.
Even staying current with code updates, the percentage of unclassified/misclassified traffic was growing every month.
We switched to a PacketLogic from Procera in December and have never looked back.
Have heard good things about Exinda as well.
Ron Kozsan
Director, Infrastructure Services, University Systems
University of Victoria
Victoria, BC CANADA
rkozsan@uvic.ca
250.472.4825
Please let me know how long you’ve had the appliance. - Since 2008
How much bandwidth you are equalizing over. - 150M
How many students you are equalizing bandwidth for. - 12,000 FTE and 750 Staff. 14 sites across Michigan
Your experience with the support. How easy to reach, replacement hardware, etc. - Small company, University-focus. Very easy to work with. We have also been a beta test site for them. This is great, as we get to give direct input into the direction of the product.
Do you miss the automatic bypass of the shaper (if you had one)? - You can set up priority networks and devices, so you still do have some ability to do "automatic bypass", in a sense. We do set some specific systems (internet based applications) to priority.
And just your overall satisfaction with the unit and APConnection.
The NetworkEqualizer made our problems providing a limited bandwidth network to our resnet go away. It's providing the same benefit at our internet edge. Great stuff.
We still have our old PacketShapers in line as well, but we really just use them for traffic analysis.
I hope this helps!
-Pete Hoffswell - Network Manager
pete.hoffswell@davenport.edu
http://www.davenport.edu
616-732-1101
Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn@adelphi.edu
5168773327
Here's a quick summary of how the three appliances mentioned in this thread -- Exinda, Procera and Palo Alto -- equalize bandwidth or handle host fairness shaping strategies.
The Exinda traffic shaping device has a similar function to PacketShaper's dynamic sub-partitions, called dynamic virtual circuits. You can either do simple host fairness, share all available bandwidth in the virtual circuit (partition) equally among hosts or you can set either a throughput guarantee and/or cap or maximum per host. You can also specify the maximum number of hosts that can populate the virtual circuit. In addition, Exinda has a feature called Adaptive Response that allows bandwidth quotas per day, week or month. What happens when a user exceeds that quota depends on how you write the policy. Typically a lower throughput rate would be in effect for the remainder of the quota interval.
Procera's PacketLogic traffic shaping device also has a "host fairness" feature that will evenly divide bandwidth among hosts. It can enforce per host, even per client, per server or per connection throughput limits as well as total connection limits per host. Procera also has a quota or volume based shaping mechanism that can designate several throughput levels, depending on the level of total bandwidth used over any time interval desired.
The Palo Alto Networks firewall doesn't have any host fairness or equalizing shaping strategies, but it does allow you to define 8 distinct quality of service levels and write as many QoS policies as you'd like to match traffic to those 8 traffic classes. Like Exinda and Procera, the Palo Alto Firewall is a DPI device that gives excellent application visibility with relatively little unidentified traffic. So, NetEqualizer could be a good complement to Palo Alto when a host equal share shaping strategy is the main goal, with Palo Alto providing application visibility and also aggregate traffic class shaping options, neither of which are available with NetEqualizer.
Hope this information is useful.
Jim
Jim Dixon | Sr. Systems Engineer |
VistaOne Corporation
540.525.3782 (cell)
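Added illustration (not part of the post above, and not any vendor's algorithm): a generic max-min "host fairness" allocator with an optional per-host cap, next to a single pooled limit with no per-host logic. Host names, demands and the proportional model of the pooled limit are constructed assumptions.

```python
"""Host fairness (max-min fair share) versus one pooled limit.

Generic textbook water-filling; the sample hosts and rates are constructed.
"""


def host_fair_share(link_kbps, demands_kbps, per_host_cap_kbps=None):
    """Return {host: allocated_kbps} under max-min fairness.

    Every host gets an equal share of the link. Bandwidth that a host does
    not need (or may not use because of the per-host cap) is handed back and
    split among the hosts that still want more.
    """
    # A per-host cap simply limits how much a host is allowed to ask for.
    want = {
        h: min(d, per_host_cap_kbps) if per_host_cap_kbps is not None else d
        for h, d in demands_kbps.items()
    }
    alloc = {h: 0.0 for h in want}
    unsatisfied = {h for h, w in want.items() if w > 0}
    remaining = float(link_kbps)

    while unsatisfied and remaining > 1e-9:
        share = remaining / len(unsatisfied)
        # Hosts whose outstanding demand fits inside the current equal share.
        done = {h for h in unsatisfied if want[h] - alloc[h] <= share}
        if not done:
            # Everyone left wants more than the share: split evenly and stop.
            for h in unsatisfied:
                alloc[h] += share
            remaining = 0.0
            break
        for h in done:
            remaining -= want[h] - alloc[h]
            alloc[h] = float(want[h])
        unsatisfied -= done
    return alloc


def pooled_limit(pool_kbps, demands_kbps):
    """Simplified model of one aggregate limit shared by a pool of hosts.

    Assumption: with no per-host logic, each host ends up with bandwidth in
    proportion to what it pushes. Real results depend on TCP behaviour and
    flow counts, but heavy senders dominate in the same way.
    """
    total = sum(demands_kbps.values())
    if total <= pool_kbps:
        return {h: float(d) for h, d in demands_kbps.items()}
    scale = pool_kbps / total
    return {h: d * scale for h, d in demands_kbps.items()}


# Constructed sample: offered load per host in kbps on a 100 Mbps link.
DEMANDS = {"host-a": 5_000, "host-b": 20_000, "host-c": 90_000, "host-d": 90_000}
LINK_KBPS = 100_000

if __name__ == "__main__":
    for label, result in (
        ("host fairness", host_fair_share(LINK_KBPS, DEMANDS)),
        ("host fairness + 10 Mbps cap", host_fair_share(LINK_KBPS, DEMANDS, 10_000)),
        ("pooled limit", pooled_limit(LINK_KBPS, DEMANDS)),
    ):
        print(label)
        for host, kbps in sorted(result.items()):
            print(f"  {host}: {kbps:8.0f} kbps")
```

Under host fairness the two light hosts get everything they ask for and the two heavy hosts split the rest; under the pooled limit the light hosts are squeezed along with everyone else.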
It’s probably no secret that I’m a big Palo Alto fan, but its rate-shaping capabilities are basic. If you want to rate-shape large blocks, or specific individuals, it’s good. But if you want to globally control the bandwidth at the user-level, it isn’t a good solution. We purchased the NetEqualizer appliance last year, and will be implementing it over the next month or so.. just in time for the Summer bandwidth crunch ;)
-Brian
Jim,
Thank you for the summary. I would add a couple of points. One is that Cisco’s 6500’s can do per IP address rate limiting in hardware if you have the right supervisor.
I would also add that doing rate limiting by QOS level may serve your needs, but it has limitations. For example, you can rate limit peer to peer, but we have found that these types of devices often leave a significant amount of traffic as uncategorized. Then you are left with the dilemma of rate limiting the uncategorized and possibly limiting (or stopping if you are trying to stop P2P) something that you don’t want to limit or leaving it alone and possibly allowing what you really don’t want to allow. At least that has been our experience with Packeteer, Allot and Palo Alto.
Pete Morrissey
We currently have a Palo Alto and we have/had a Procera that is currently a paperweight. Like several other people have stated the Palo Alto isn’t exactly designed to be a traffic shaper even though it can do some of that. It is designed to be a firewall and that is where it excels. For us the decision came down to money, we had to replace our firewall anyway and the Palo Alto could do that plus a lot more so we saved the cost of not replacing the traffic shaper and we got an IPS which we didn’t have before.
Ben Parker
Network Support Technician
University of Mount Union
Oh, I think it’s a great box (I have an HA pair as well) and I am doing basic rate-control with it to ensure we don’t continually burst over our contracted rate. It’s just not designed to replace a NetEqualizer – where you may want to rate-shape large numbers of users on an individual basis (e.g. setting everyone, individually, to no more than 10Mbs). You can do that, but it has to be done by individual rules for each IP address .. or else the pooled IP’s SHARE the bandwidth cap.
-Brian
Just out of curiosity, why not use Cisco QoS at the port level on the switch to set the bandwidth cap of 10Mbs (in example below) instead of using the NetEqualizer? Question is open to everyone else as well.
We are looking at NetEqualizer mainly to cap each individual IP to 5 megs and comparing it to just doing QoS on the Cisco switch to cap each port.
One downside to doing it at the local port level that I can think of is that it would also limit bandwidth to internal network resources.
Pete M.
Forgive me as it’s been a while since I’ve done policing and other associated QoS in IOS; once it’s set up I rarely touch it again.
But one advantage I believe is that the NetEQ does not kick in until a configured percentage of the bandwidth is used. Thereby allowing someone to use more bandwidth if the bandwidth is there to be used. Can’t remember if this can be done in IOS and too busy to look it up at the moment.
Brian
The biggest drawback in our case is that we allow students to bring in their own access points. In that case, we would be giving the AP 10 Mbps instead of each individual user 10Mbps.