An Intro to the Allot NetEnforcer Bandwidth Management Device

Allot communications makes a very robust bandwidth traffic manager device which is also sometimes called a packet or traffic shaper. I had seen the Allot NetEnforcer in action before and was able to sway my current employer to purchase an ac-1440 in order to help shape and prioritize our WAN traffic. We typically have plenty of available bandwidth as we are working with a 1Gbps pipe. However, even a 1Gbps pipe can be saturated, especially when you start rolling out gigabit to the edge. The Allot NetEnforcer is a unique device, given that you can just place it directly in between your WAN edge device. With the device inline, no additional latency was detected. The Allot even comes with a bypass unit. If the NetEnforcer ac-1440 appliance decides it wants to choke, then the bypass unit takes over. This works great for when you decide to upgrade the firmware on the appliance as well. In my testing the bypass unit only dropped one or tow icmp packets when switched into bypass mode.

The first thing I did after installation was create rules to limit overall bandwidth being used on our dorm network subnets. I then created additional granular rules to limit how much bandwidth each IP in that subnet can be allotted. The Allot also does a great job in classifying different traffic types. P2P is almost always matched correctly. Even the pesky encrypted type too. You have to keep your protocol packs up to date, as signatures are constantly changing. Allot does a great job in getting classifications updated through their protocol pack updates. Blizzard WOW is even classified properly, which means as you throttle P2P, WOW will not be added in the P2P category. But hey we’re not here to make your P2P experience horrible; we just want to make sure everyone gets their fair share of bandwidth and the NetEnforcer allows you to do just that.

Here’s a picture of the top 15 protocols identified. The orange spike in the beginning are Apple Software updates. That was the spike we saw when around 500+ apple devices tried to download the new iOS version 7 all at the same time.


Feel free to share.


  • Fernando Garcia

    Hello, my company wants to acquire a traffic shaper and the finalist are Allot ac-1440 and Bluecoat 12000. Can you please provide some guidelines and/or opinions about both? Thank you.

    • I have never been able to use the bluecoat, but after looking at a few site reviews it looks promising. My first recommendation would be that you demo, demo, demo the units. Your sales vendor shouldn’t have any issues with getting you a demo unit and some taps. I recommend using taps that way you’re never affecting live traffic. Your probably asking, well what’s the point of demoing the unit if you’re not going to shape the traffic? Don’t worry about shaping for now. What you want to test is that the unit can detect the type of traffic you want to throttle or shape. There’s no point in getting a device that can’t properly detect the traffic that’s hogging your pipe. See how much traffic shows up in the infamous “other” category. You don’t really want to place a throttle on that traffic because there may be legitimate traffic in there. The Allot receives protocol pack updates around once every 2 months or so. These updates typically have P2P identification updates because that’s always changing. I’m not sure on how often or how well the bluecoat keeps up with classification updates.

      If you already have gone through your identification test, figure out if you can create a rule base the way you want it. I’m not going to lie, the Allot takes some time to learn, but once you’ve mastered how the rule base works, you’ll be extremely satisfied. The Allot makes it easy to track down applications that start to run rampant. You can easily create a rule that limits each IP across all traffic using what the Allot calls a VC template. You can also set a maximum whole limit on the subnet block, which is what we do for our dorm subnets, then you can drill down and give each IP a smaller bandwidth limit. You can also create sub groups based on application types. This is why I personally like the Allot and why it beat the Procera in our tests. The granularity is pretty powerful.

Leave a Reply

Your email address will not be published. Required fields are marked *