Databus Issue: 2003 3 07/15/2003
Packeteer’s PacketShaper Helps Schools Manage and Secure Networks
Phil Scrivano
This is the third in a series of articles about network appliances that help school districts manage and secure networks. The first product reviewed was Lightspeed Systems’ Total Traffic Control -- P. Scrivano and J. Perry, “Total Traffic Control: Implementation and Maintenance Review” in the July 2002 issue of DataBus. The second product reviewed was Vericept’s VIEW appliance in the April 2003 issue. This article is about Packeteer’s PacketShaper.
For each article, we worked with a school district that did not have the product. The product was evaluated for at least a month. We looked at such things as ease of self-setup, functionality, information management and value for the K-12 school environment.
Packeteer’s PacketShaper Setup
Packeteer’s PacketShaper has some unique features that make this appliance a “must look at” product. We installed this product in a K-12 school district with 4,300 ADA and seven sites. It took less than an hour to install and within 30 minutes of data retrieval, the system administrator was able to solve a network issue that had troubled the district for three months.
The PacketShaper operates as an in-line bridge. We installed the appliance between the district firewall and the head-in switch for all internal networks. The initial installation uses a simple UNIX command line interface to set basic parameters, such as the time zone and an internal IP address for connecting to the Web interface. From this point on, the appliance can be configured and used from a Web interface.
A unique feature of this product is a fail-over system. Each network card has a physical switch on it that, when initiated, bridges the cards together. This feature was tested in two ways. First, once the appliance was in operation, the power plug was pulled from the UPS device. Before initiating this test, a ping -t command was started to an outside location. When the power was abruptly stopped, a click of the switches was heard and no ping replies were lost. The second test was to do a software upgrade to the system. When the appliance went off-line again, no interruption of service was recorded by the ping -t reply.
Functionality
The PacketShaper works in real-time mode, discovering all network traffic in both directions and classifying what this traffic is. One unique feature here is that traffic, such as music downloads, is discovered based on what is actually being passed through the appliance, rather than identified by an IP, port or domain feature. Specifically, if a popular music download protocol has the ability to switch ports or travel over the HTTP port 80, the PacketShaper still identifies what it is. For anything that the PacketShaper can identify, it can then control the amount of bandwidth that traffic can use or where it can go on your network.
Packet Shaping gives the network administrator the ability to both identify and stop unauthorized use of the network and the ability to dedicate and shape exactly how the network is used. For example, a music download protocol through which three users are utilizing 80 percent of a network can be curtailed by limiting this protocol to one percent of the network. Users will be able to connect, but the average song will take months to download.
A practical application of shaping packets in this manner is to limit the use of streaming protocols that will take as much bandwidth as they can get. If you shut off the superintendent’s ability to listen to classical music over the Internet, you may get a phone call. If you limit this source to 30K, the user will not know the difference and the streaming protocols will no longer spike all your bandwidth when the programs start up.
The company states that the PacketShaper can measure a wide variety of network performance statistics, including dropped packets, network efficiency, aborted or dropped connections, active flows, top talkers and listeners, effective user speed distributions, average bandwidth utilization, peak bandwidth utilization, instantaneous bandwidth utilization, total bytes transmitted, active conversation pairs, etc. All of this is measured for the link, virtual portion of link (partition or pvc), and on a per-class or per-application basis.
The appliance enables the network administrator to evaluate network efficiency on an ongoing basis. The PacketShaper is like having a network-sniffing device on steroids that puts complicated data in plain English. The appliance shows the amount of wasted TCP traffic. It displays the percentage of throughput that was good – that is, packets that are not retransmits. It identifies network congestion and overflowing router queues that can cause packet loss and timeouts.
The initial problem that was discovered on the district network concerned the district Voice-Over-IP system. The digital phones at one of the district sites continually displayed the wrong time. The time was manually reset each week by a technician. The data from the PacketShaper identified three VOIP switches requesting time verification from a site on the Internet. There are four of these VOIP switches in the district. Once it was identified that this site’s switch was not polling for time, the issue was reported to the company and remotely fixed.
Information Management
All of this data can be viewed directly from the PacketShaper using a standard Web browser – no special polling or extra analysis software is required. There are many standard reports available such as Top Talkers and Listeners and Worst Servers. Reports are easily available that include information on excessive connection errors to a server which might indicate a failed or failing server, SLA threshold crossings which might indicate a violation or impending violation, excessive connection attempts which might indicate a hacker attack, etc. The user can also create custom reports based on any aspect of the data discovery and packet shaping features. Alerts can be activated based on reports or rules.
Value for the K-12 School Environment
As K-12 technologists, we are painfully aware of the rapid growth of our networks and the importance of keeping the network secure, reliable and fast. We have all fielded phone calls that state the network is down or slow and had to explain that the particular Web site out on the Internet is down or that during lunch the library users at the high school are taking all the bandwidth. With this device, the system administrator can quickly evaluate the status of the district network and shape how much that library group of 30 computers can use.
We are also being asked to account for the funding departments receive and to justify why upgrades are needed. At a time when districts are cutting whatever expenses can be cut, the ability to upgrade from a T1 to a DS3 regardless of the discounts is a hard sell. With this type of appliance, existing bandwidth can be made more efficient and utilization data can be used in the decision making process.
Visit http://www.packeteer.com

