Tools for slicing the pie
Cal Frye, Network Administrator
Bandwidth Management
1Wednesday, February 11, 2009
Bandwidth is a Problem
Unless you don’t have a problem...
Oberlin enjoys a 90Mb/s connection, using two T3 lines from Qwest.
More and more applications are hosted off-site.
• Course catalog
• Blackboard
• Web site CMS
• Library catalogs, databases
• Media services
• The hidden cost of outsourcing...
The Internet is for...
One Man’s YouTube is Another Man’s Blackboard...
Which are your critical apps? Can you ever know?
We do know there’s bad stuff going on...
There Are Choices...
• Packetshaper
• NetEnforcer
• NetEqualizer
• Packetlogic
• ET/BWMGR
• Ascensit, et al.
Oberlin’s experiences
Classify Every Traffic Type?
The “Traditional” approach
• “Traffic Discovery” results
• Treat each application separately
• Single out hosts for “special treatment”
• Very granular and detailed picture
How to Spend All Your Time on Bandwidth Management
• Granularity can be bad.
• Squish each new P2P application as it comes up...
• New app, new policy...
• And your job is very secure!
How’s That Working Out for You?
Oberlin’s Network
Shaping “teh interTubes”
Sort of the standard illustration
How is this done?
• Adjusting TCP/IP parameters (window, flow control)
• Queueing buffers
Deep Packet Inspection
To a degree, shaping by application is still necessary
• Latency, jitter matter
• Some apps are more aggressive than others
Oberlin’s Traffic
The Gulag Applications
Peer-to-Peer apps
• Restrict inbound
• Squash outbound
• Encryption is an issue
Spam, infections, bots
MunchkinLAN
Our Partition Scheme
• Gulag Restrictions
• Promised_LAN
• LANada
• Munchkin_LAN
• Work_LAN
• Play_LAN
Dynamic Partitioning is part of the Answer
Dynamic Partitions
What is “Procera?”
Not the mushroom, Lepiota procera.
Nor the beetle, Phyllotreta procera.
Not the ceramic denture material.
Nor the tree Ulmus procera.
Google isn’t always your friend...
Procera = “tall”
PacketLogic 7720 (7600)
Procera Networks is a Los Gatos, CA company, inc. in 2002 and trading on AMEX.
Packetlogic is the product of a Swedish company, Netintact AB, now merged with Procera.
• www.proceranetworks.com
• University of Cambridge
• Enterprises, ISPs, ILECs in Europe, Korea, SA, as well as US
Speed from Simplicity
• Until the pipe is full, you don’t have a problem.
• Once the limit is reached, priority queueing speeds crucial or sensitive traffic.
• The most restrictive rule applies to each traffic type.
• Latency can be a shaping goal.
TCP or UDP
• There are many options for shaping TCP traffic.
• Connectionless flows don’t have the range of alternatives available.
• For UDP traffic, Packetshaper and Packetlogic approaches are essentially identical.
A Week in the Life...
Host Object Groups
• LANada is just like here, but across the border...
• On-campus labs are treated like ResNet.
• There are a few other special cases.
Many, many queues
• “Dynamic partitions” use one queue per host.
• Volume-based shaping creates queues for each host.
• My chat class creates a queue for each connection.
• A packet will be placed in several queues at once.
• Normally, the queue with the least bandwidth determines when the packet is released.
When You Pirate mp3s
• Reduce DMCA notifications...
• Severely restrict P2P uploads. Block altogether and you see other problems.
• Deep identification may improve the odds.
Our shaping rules
• The largest groups “borrow” bandwidth from each other.
• Dynamic partitioning remains in place for ResNet.
• Aid the needy, limit the greedy -- Network Socialism at work.
• Figures shown are for queues, not caps.
Borrowing from queues
The shaping rule includes three queues in order:
• Packet in queue 1, priority 2
• Packet in queue 2, priority 3
• Packet in queue 3, priority 4
The first queue that releases its copy of the packet releases the packet onto the wire.
Works best when queue 1 is full, but others are not.
Bandwidth Borrowing
• The first shaping queue applies, but
• You can borrow from others if assigned.
• Borrowing occurs at a reduced priority, on down the list.
• The first queue to release a packet transmits it.
Servers shaping rule:
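The "Many, many queues" and "Borrowing from queues" slides describe two ways a packet that sits in several shaping queues at once can be released: normally every queue must agree, so the narrowest one decides; with borrowing, the first queue that can release its copy transmits it, and copies in later queues are served at lower priority. The following is an added toy simulation of that behaviour, written for this page; it is not PacketLogic code, and the queue names, rates, burst sizes and packet list are constructed for illustration.

```python
"""Added example: a toy model of multi-queue shaping with and without borrowing.

Every packet is dropped into several shaping queues at once. Without borrowing
("strict"), the packet leaves only when every one of its queues can release it,
so the queue with the least bandwidth decides. With borrowing, the first queue
in the packet's list that can release its copy puts the packet on the wire, and
copies in later queues are served at a lower priority (own queue = priority 2,
first borrowed queue = priority 3, and so on, as on the slide).
Queue names, rates and packet sizes are constructed, not taken from any product.
"""
from dataclasses import dataclass


@dataclass
class Queue:
    name: str
    rate: int          # bytes of credit added per tick, i.e. the queue's bandwidth
    burst: int         # most credit the queue may bank between ticks
    credit: int = 0

    def tick(self):
        self.credit = min(self.burst, self.credit + self.rate)

    def can_send(self, size: int) -> bool:
        return self.credit >= size

    def send(self, size: int):
        self.credit -= size


@dataclass
class Packet:
    host: str
    size: int
    queues: list       # ordered: queues[0] is the packet's own queue, later ones may be borrowed


def priority(pkt: Packet, queue_name: str) -> int:
    # Own queue = priority 2, first borrowed queue = 3, ... (lower number served first).
    return pkt.queues.index(queue_name) + 2


def shape(packets, queues, borrow=False, max_ticks=50):
    """Return {packet index: tick at which the packet was released}."""
    released = {}
    pending = list(range(len(packets)))
    for t in range(1, max_ticks + 1):
        for q in queues.values():
            q.tick()
        if not borrow:
            # Strict: every queue the packet sits in must have credit; the narrowest one wins.
            for i in list(pending):
                p = packets[i]
                qs = [queues[n] for n in p.queues]
                if all(q.can_send(p.size) for q in qs):
                    for q in qs:
                        q.send(p.size)
                    released[i] = t
                    pending.remove(i)
        else:
            # Borrowing: each queue serves the copies it holds, highest priority first;
            # the first queue to release a copy transmits the packet.
            for name, q in queues.items():
                copies = sorted((i for i in pending if name in packets[i].queues),
                                key=lambda i: (priority(packets[i], name), i))
                for i in copies:
                    p = packets[i]
                    if q.can_send(p.size):
                        q.send(p.size)
                        released[i] = t
                        pending.remove(i)
        if not pending:
            break
    return released


def build_queues():
    # Constructed rates: the ResNet queue gets 1000 bytes/tick, the server queue 2000.
    return {"resnet": Queue("resnet", 1000, 1000),
            "servers": Queue("servers", 2000, 2000)}


def demo():
    packets = [
        Packet("resnet-host", 1000, ["resnet", "servers"]),   # may borrow from servers
        Packet("resnet-host", 1000, ["resnet", "servers"]),
        Packet("resnet-host", 1000, ["resnet", "servers"]),
        Packet("web-server", 1000, ["servers"]),              # the server queue's own traffic
        Packet("web-server", 1000, ["servers"]),
    ]
    return {"strict": shape(packets, build_queues(), borrow=False),
            "borrow": shape(packets, build_queues(), borrow=True)}


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

In strict mode the three ResNet packets drain one per tick because the 1000-byte ResNet queue is the narrowest constraint. With borrowing, the server queue first serves its own two packets (priority 2) and then lends its spare credit to the ResNet copies (priority 3), so the ResNet backlog clears a tick earlier without the servers' own traffic waiting.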
BitTorrent
Peer-to-Peer apps are numerous; new definitions come out frequently.
The Internet is for...
• What if you need/want more controls?
• How deeply into the packet do these devices see?
• There are differences between the products.
Content Filtering?
• Overall, bandwidth managers are better with types than content.
• But a crude degree of content identification might be available, based on filenames or keywords.
• Violates “Net Neutrality”? Depends on your use.
• If you intend to eliminate porn on your network, you’ll need several tools and approaches. Good luck with that!
• Music/video downloads may be simpler to catch, but still I wouldn’t expect 100% success.
Copyright violators’ quarantine
• Combine a set of subnets with the P2P class list to create a firewall rule for copyright violators.
• We used to block ALL network traffic in infringement cases.
• Now we just block P2P traffic.
• DHCP assigns addresses in these ranges.
Firewall Rules
StormWorm in the Gulag
PL defines StormWorm as a traffic class by itself, and we firewall on that basis.
Surveillance Abilities
• If we can’t prevent certain traffic types, can we at least spot ‘em when they go by?
• Was a host cited in a DMCA complaint really using BT at the time?
• Who’s connected to IRC -- any bots, there?
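The quarantine slide combines a set of subnets with the P2P class list into one firewall rule, and this slide asks whether a host named in a DMCA complaint was actually using BitTorrent at the cited time. Both can be expressed as lookups over classified flow records. The following is an added example written for this page, not PacketLogic's rule syntax or export format: the record layout, the address ranges, the class names and the flow lines are all constructed.

```python
"""Added example: a quarantine firewall rule and an after-the-fact flow lookup.

The rule drops traffic only when BOTH conditions hold: the source address lies
in a quarantine range AND the traffic class is on the P2P list. Everything else
from a quarantined host still passes ("now we just block P2P traffic").
The lookup answers "was this host seen with class X around time T?".
All records, ranges and class names below are constructed for illustration.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample flow records: (timestamp, source IP, traffic class, bytes).
FLOWS = [
    ("2009-02-11T22:05:00", "10.20.1.15", "BitTorrent", 40_000_000),
    ("2009-02-11T22:07:30", "10.20.1.15", "HTTP", 120_000),
    ("2009-02-11T22:10:00", "10.20.3.7", "IRC", 2_000),
    ("2009-02-11T23:40:00", "10.20.1.15", "BitTorrent", 5_000_000),
    ("2009-02-11T22:06:00", "10.30.0.9", "BitTorrent", 900_000),   # not a quarantined range
]

# Constructed quarantine ranges (the slide says DHCP hands cited hosts addresses
# in such ranges) and an assumed P2P class list.
QUARANTINE_NETS = [ip_network(n) for n in ("10.20.1.0/24", "10.20.2.0/24")]
P2P_CLASSES = {"BitTorrent", "Gnutella", "eDonkey"}


def in_quarantine(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in QUARANTINE_NETS)


def firewall_action(flow) -> str:
    """'drop' only for quarantined source AND P2P class; otherwise 'pass'."""
    _, src, traffic_class, _ = flow
    if in_quarantine(src) and traffic_class in P2P_CLASSES:
        return "drop"
    return "pass"


def hosts_using(flows, traffic_class, start, end):
    """Sorted source IPs seen with traffic_class between start and end (ISO 8601 strings)."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    hits = {src for ts, src, cls, _ in flows
            if cls == traffic_class and t0 <= datetime.fromisoformat(ts) <= t1}
    return sorted(hits)


def host_active_at(flows, ip, traffic_class, at, slack_minutes=30):
    """Was `ip` seen with traffic_class within +/- slack_minutes of a complaint's timestamp?
    The slack absorbs clock skew between the complainant's timestamp and our records."""
    centre = datetime.fromisoformat(at)
    slack = timedelta(minutes=slack_minutes)
    window = hosts_using(flows, traffic_class,
                         (centre - slack).isoformat(), (centre + slack).isoformat())
    return ip in window


if __name__ == "__main__":
    for f in FLOWS:
        print(f[1], f[2], "->", firewall_action(f))
    print("BitTorrent hosts 22:00-22:30:",
          hosts_using(FLOWS, "BitTorrent", "2009-02-11T22:00:00", "2009-02-11T22:30:00"))
    print("10.20.1.15 using BitTorrent around 22:20?",
          host_active_at(FLOWS, "10.20.1.15", "BitTorrent", "2009-02-11T22:20:00"))
```

The HTTP flow from the quarantined host passes while its BitTorrent flows are dropped, which is the difference between the old "block everything" policy and the current P2P-only rule; the lookup functions are what you would run when a complaint arrives, before deciding whether the cited host belongs in a quarantine range at all.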
BitTorrent
IRC identification
IRC investigation
CALEA
• We believe we are exempt from CALEA compliance.
• But Procera offers the PL line to ISPs as a means of providing LE with CALEA information.
• Being Oberlin...
Procera Networks Contacts
• Mike Hinkler, Director, Sales & Business Development, Procera Networks
• Robert Auger, Solutions Engineer, Procera Networks
• David Ahee, VP Sales, Americas, Procera Networks
Thanks! Questions? Let’s look at the live system.
Demonstration time