Rules of the WAN
A Layer 3 switch, a dedicated hardware device and a software program each has its own way of handling policy-based network management, and each gets the job done well.
Traffic classes on a network aren't all that different from those on an airplane. High-priority traffic gets the same benefit as a first-class ticket holder - the first to get on and the last to get bumped. It makes sense to prioritize traffic based on its contribution to business, both in the air and on your network. Not every network packet deserves extra leg room, and traffic managers can distinguish those that do.
Essentially, policy-based network management devices make decisions about what to do with each packet of data passing through them based on a set of rules or policies. For this review, we looked at three different kinds of products that tackle such traffic management. We chose one product from each category to test: a software router package from Ukiah Software, a Layer 3 switch from 3Com and a dedicated bridge/router from Allot Communications.

The results? All three products deliver. All traffic passing through them flowed without intervention if bandwidth was available, and as soon as the T-1 connection became congested, traffic management rules kicked in and the products throttled back all lower priority traffic. We found that each product has different strengths. Selecting which one to use depends on how much traffic you want to manage and the effort you're willing to invest.

In our scores, Ukiah's NetRoad TrafficWare Gateway edged out the other two products and earned our Blue Ribbon Award because of its flexibility, comprehensive rules and link to directory services. The primary advantage of TrafficWare, which is deployed next to the WAN access router, is that it allows you to do more than just manage a WAN connection, and you don't need to install a whole new switching infrastructure. The traffic classes you create with TrafficWare can incorporate existing users and groups defined in Novell's Novell Directory Services (NDS), Microsoft's NT domains and other Lightweight Directory Access Protocol-compliant directory services. If your users routinely log on to the network from different locations, traffic management is a lot easier when you don't have to continually change IP addresses.

3Com's CoreBuilder 3500, a Layer 3 switch, also targets policy-based management at the enterprise level, although it requires modifying your switching infrastructure to do so. That said, the CoreBuilder 3500 packs a lot of punch in a small space. The chassis can be configured for up to 24 10/100M Ethernet ports or 18 10/100M Ethernet ports and one Gigabit Ethernet port; and all modules, including the power supply, are hot-swappable. 3Com claims Layer 3 forwarding capacity of 4 million packets/sec even when applying traffic management, thanks to bridging and routing software embedded in programmable Application Specific Integrated Circuits.

More of a point solution, the Allot AC 200 is an excellent product for busy Web site managers and smaller ISPs concerned primarily with managing expensive WAN bandwidth. Designed to manage traffic between a single WAN port and a 10/100M Ethernet LAN, the AC 200 can also perform traffic load balancing to mirrored servers. The AC 200 supports up to a 10M bit/sec WAN connection. For sites requiring higher throughput, Allot's AC 300 supports up to a 45M bit/sec WAN connection.

Tickets, please
After installing each device, we created and applied traffic shaping policies. We configured Ukiah TrafficWare directly from the Windows NT interface. We used a PC on the LAN running a browser to apply the traffic shaping rules for the 3Com and Allot products.

Creating rules is easiest with TrafficWare. While it doesn't have as many options as the 3Com CoreBuilder or Allot AC 200, TrafficWare does what it's supposed to do with a minimum of effort. To monitor traffic shaping, TrafficWare relies on the standard Windows NT Performance Monitor to provide a graphic display and log of the results. While adequate, the NT monitor isn't as good as the AC 200's proprietary performance monitor. With TrafficWare, you can create rules for seven traffic control categories. Allowable settings in each category include user and group definitions that may already exist if you use Novell's NDS or Microsoft's NT domain structure. The quality-of-service (QoS) traffic control category, for example, supports four flexible priorities: priority by IP address, and low, medium and high priority based on traffic type.

The 3Com CoreBuilder 3500's rules are the most comprehensive and far reaching of the three products we tested; they're also the most complex to configure. The sequence of steps you must follow to create a rule is not intuitive. But the clean user interface helps, and it didn't take us long to get comfortable enough to properly configure the switch. The CoreBuilder 3500 supports four traffic control categories as well as several settings within each category. For example, the forward tag category contains six different settings: high priority, low priority, absolute filter, congestion activated filter, bandwidth filter and a combination congestion-activated bandwidth filter. Once you have established a rule for the CoreBuilder 3500, you have to apply it to specific switch ports or IP addresses. You can apply a rule to all major types of traffic, including IP, IPX, AppleTalk, TCP, User Datagram Protocol, File Transfer Protocol and HTTP. You can also apply a rule to specific switch ports and particular subnets or sources. The CoreBuilder 3500 includes a configuration wizard designed to allow the creation and application of simple rules in a single step. However, the wizard didn't give us the amount of control we needed.

The user interface for Allot's AC 200 is very intuitive. There are more initial choices than with either the 3Com or Ukiah offerings, and at first, it's a little confusing. But once we got going, creating the rules was easy. The AC 200 also provides very good monitoring capabilities. With Allot's product, you can create rules from six traffic control categories and multiple settings. For example, the QoS traffic control category supports up to 10 priorities plus maximum bandwidth, minimum bandwidth, maximum number of connections and guaranteed bandwidth. As an example of guaranteeing bandwidth, if you were to use the WAN connection for video conferencing over IP, then you would specify minimum bandwidth sufficient to guarantee the QoS required by a video signal.

Getting started
We installed all three products without much difficulty. Because the Allot AC 200 is a dedicated two-port bridge/router, installing it was pretty much plug and play. You can set up the device as either a router or a bridge and configure it either from a terminal session connected to a serial port or by connecting a monitor and a keyboard directly to the unit. We experienced some difficulty setting up console sessions, but we were able to bypass these problems once we connected the monitor and keyboard. The manager's console interface is logical and easy to use.

Getting Ukiah's TrafficWare software online took a little longer than the AC 200 because we first had to set up a Windows NT 4.0 Server and then load TrafficWare, which runs as a nondedicated NT service, on it. But this went very smoothly.

The 3Com CoreBuilder 3500 took the longest to install, but we expected that. Traffic shaping of different IP protocols is only available on routed segments, so the CoreBuilder 3500 must first be set up as a Layer 3 switch. The manager's console is typical of the current generation of multiport Layer 3 switches and includes a display that lets you select and manage each port. In addition to the embedded console and Web-based device management, 3Com's Transcend Enterprise Manager is also available for remotely monitoring and managing multiple CoreBuilder switches and other 3Com switches.

Traffic standards
One problem with new policy-based management devices is a lack of standards for prioritizing traffic and allocating bandwidth. The closest to a standard we have today is the IETF 802.1p draft recommendation, which suggests placing tags on each packet to establish its priority. Several companies are developing products based on this standard, including 3Com. However, these tags are not consistent from vendor to vendor, so two companies could market 802.1p-compliant tools that are not interoperable.

There's also a trend among vendors to establish and monitor traffic policies through network directory services. This tactic allows you to administer traffic from a single location and designate traffic-shaping zones or groups that are consistent with existing network subnets and domains.

If you haven't already done so, maybe it's time you start actively managing network traffic. The payback is increased business productivity despite heavily congested networks. You can't please everyone, but any one of these three traffic management devices can help you satisfy those who matter most.

RELATED LINKS
The politics of policy
How to devise network policies that won't ignite civil war. Network World, 10/12/98.
James is vice president of lab services and Anderson is a network test engineer at LANQuest Labs, an independent test lab specializing in network quality assurance, certification and performance testing services. James and Anderson can be reached at gjames@lanquest.com and panderson@lanquest.com, respectively.
