If your not familiar with Allot Communications then check out my introduction of the Allot netEnforcer
Here are a few commands that are good to know while working on the Allot NetEnforcer ac-1440 appliance.
According to the Allot documentation, the ac-1440 doesn’t collect external IP information by default. This means that when you run an “external hosts” report, you will have a graph with no data. In order to have your ac-1440 track external IP’s in its database, run the following command on the ac-1440:
This command turns external host collection on:
go config data_collect -no_ext_host disable
This command turns external host collection off:
go config data_collect -no_ext_host enable
Just a side note, allot only recommends that you enable this for debugging. I have a pretty beefy box, so I have left this setting enabled for months with no issues.
To force the NetEnforcer into bypass mode, run the following command in the ac-1440 console:
go config network -dev_mode system:bypass
To go back to active mode type:
go config network -dev_mode system:active
If you ever have an issue with disk space during an upgrade and don’t have root acccess, clean up your home directory. Without root access, you also have access to delete files from the following directory:
To verify that your policy is in place after an upgrade, run the following command:
go list pipes
Baud rate for Serial access to the ac-1440 is 19200. A cisco console cable will be required as well.
Allot communications makes a very robust bandwidth traffic manager device which is also sometimes called a packet or traffic shaper. I had seen the Allot NetEnforcer in action before and was able to sway my current employer to purchase an ac-1440 in order to help shape and prioritize our WAN traffic. We typically have plenty of available bandwidth as we are working with a 1Gbps pipe. However, even a 1Gbps pipe can be saturated, especially when you start rolling out gigabit to the edge. The Allot NetEnforcer is a unique device, given that you can just place it directly in between your WAN edge device. With the device inline, no additional latency was detected. The Allot even comes with a bypass unit. If the NetEnforcer ac-1440 appliance decides it wants to choke, then the bypass unit takes over. This works great for when you decide to upgrade the firmware on the appliance as well. In my testing the bypass unit only dropped one or tow icmp packets when switched into bypass mode.
The first thing I did after installation was create rules to limit overall bandwidth being used on our dorm network subnets. I then created additional granular rules to limit how much bandwidth each IP in that subnet can be allotted. The Allot also does a great job in classifying different traffic types. P2P is almost always matched correctly. Even the pesky encrypted type too. You have to keep your protocol packs up to date, as signatures are constantly changing. Allot does a great job in getting classifications updated through their protocol pack updates. Blizzard WOW is even classified properly, which means as you throttle P2P, WOW will not be added in the P2P category. But hey we’re not here to make your P2P experience horrible; we just want to make sure everyone gets their fair share of bandwidth and the NetEnforcer allows you to do just that.
Here’s a picture of the top 15 protocols identified. The orange spike in the beginning are Apple Software updates. That was the spike we saw when around 500+ apple devices tried to download the new iOS version 7 all at the same time.