Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Enhanced Intelligent QoS


Keywords: Hillstone T-Series Intelligent Next-Generation Firewall (iNGFW), Enhanced Intelligent QoS (iQoS), Two-Layer and Eight-Level, Application-based Differentiated Service, Monitoring, Allocation of Remaining Bandwidth, Traffic Shaping, Bandwidth Management.

Abstract: This paper describes the unique Enhanced Intelligent QoS (iQoS) capabilities of the Hillstone T-Series Intelligent Next-Generation Firewall (iNGFW). Compared to traditional QoS, iQoS is equipped with rich features including two-layer and eight-level tunnel embedding, tunnel monitoring, priority-based differentiated services and allocation of remaining bandwidth. These QoS features can be deployed flexibly to realize traffic shaping based on organizational structure, to implement traffic shaping decisions based on application and user, to guarantee the successful operation of key services, and to utilize bandwidth resources to their full extent. The iQoS features help the network administrator maximize network performance and maintain business service levels.

1 Overview

Network traffic is increasingly complex and diverse. Modern enterprises are distributed across multiple locations, both large and small, and include remote employees who access the network from various locations at any given time. Extremely large files may be sent between different departments or regions and can waste precious network bandwidth, slow down critical services and inadvertently increase operational costs. Traditional traffic shaping devices often cannot meet increasing demands at the user level. Their shortcomings include:

- Inability to perform flexible, multi-layer embedded traffic shaping based on organizational structure, or based on application or user.
- Inability to perform traffic shaping with fine granularity. Most existing QoS solutions support only traditional 5-tuple (source IP address, source port number, destination IP address, destination port number, protocol) traffic shaping.
- Lack of QoS management visibility and easy-to-use dashboards.
- Difficulty in prioritizing key services.
- Inefficient bandwidth utilization.

The Hillstone iNGFW system includes patented Enhanced iQoS features which enable two-layer, eight-level embedded tunnel traffic shaping with fine granularity in identifying and treating applications and users. These features meet the demands of hierarchical network deployment and modern addressing characteristics which are often left unaddressed by traditional QoS technologies.

2 Hillstone Intelligent QoS (iQoS) Capabilities

The iNGFW system includes unique, patented Enhanced iQoS capabilities that provide the network administrator with superior quality of service traffic handling and management features, including:

- Traffic shaping based not only on traditional 5-tuple traffic attributes, but also on applications and users.
- A unified iQoS configuration that offers the ability to make (or change) traffic configurations and includes a dashboard to monitor the impact of these configurations in real time.
- Priority-based categorization of application traffic based on service criticality.
- Flexible bandwidth management for all applications to guarantee bandwidth to key services, and to better utilize existing bandwidth.

2.1 Application Traffic Control

The Hillstone iQoS technology offers two layers of traffic shaping, and each layer supports four levels of embedded tunnel control. Together, this offers granular two-layer, eight-level network application control.

2.1.1 Two-Layer Traffic Shaping

The two layers of traffic shaping enable traffic shaping in different dimensions such as users and applications. For example, general requirements for an enterprise network may include the following:

- Cap the financial director's bandwidth use at 50Mbps
- Cap regular financial office employees' aggregate bandwidth use at 30Mbps
- Cap overall peer-to-peer (P2P) download traffic at 30Mbps

With only one layer of traffic shaping available, a possible configuration for the network may be:

1. Restrict the financial director's bandwidth to 50Mbps, and restrict his P2P download bandwidth to 20Mbps
2. Restrict regular employees' bandwidth to 30Mbps, and their P2P download bandwidth to 10Mbps

This configuration meets the requirement of capping aggregate P2P download bandwidth at 30Mbps, but it offers no flexibility in terms of the end user. If the financial director is using only a small portion of his allocation of 20Mbps P2P traffic, the remaining unused P2P bandwidth cannot be used by the other financial employees (who are capped at 10Mbps P2P traffic).

In a two-layer traffic shaping model, the first layer can be used for control in the user dimension, while the second layer is used for control in the application dimension. Considering the earlier enterprise network example again, the user dimension requires capping the financial director's bandwidth at 50Mbps and regular employees' bandwidth at 30Mbps. The first layer of traffic control is used to enforce these user-based limits. The second traffic shaping layer is then used to cap aggregate P2P application bandwidth at 30Mbps, regardless of which user uses it. This configuration is much more flexible and does not require restricting application (P2P) traffic per user. Figure 1 shows the operation of two-layer traffic shaping.

Figure 1: Two-Layer Traffic Shaping

2.1.2 Four-Level Embedding in a Single Layer

The Hillstone iQoS feature set supports four levels, or tunnels, embedded in each layer of traffic shaping. The configuration specifies the bandwidth allocated to each tunnel. Unallocated bandwidth is given to a pre-defined default tunnel. Each level, or tunnel, has rules governing its traffic shaping behavior. Traffic that matches the rules is controlled according to the traffic shaping plan. These rules may include the following:

- Source security domain
- Source port
- Source address entry
- Destination security domain
- Destination port
- Destination address entry
- User, or user group
- Service, or service group
- Application, or application group
- Type of Service (TOS) value set for the traffic
- Virtual Local Area Network (VLAN) identifier

Traffic can be managed according to a rule with a single entry, such as the source address. Traffic can also be managed according to a combination of entries (with AND logic), for example by matching all of: source port, destination address entry, and application HTTP. Traffic matching this combined rule will include HTTP traffic from a certain source port to a certain destination address. This allows very granular traffic shaping for traffic streams. Moreover, each tunnel can have multiple rules. Traffic matching any of the rules is managed according to the configured traffic shaping behavior. Figure 2 shows an example of traffic rule configuration.

Figure 2: Rule Configuration

Figure 3 illustrates how multiple tunnels can be embedded to provide a hierarchy of traffic control. At level 1, a top-level tunnel can be constructed based on geography, separating out the traffic from different locations or branch offices. Level 2 can be used to separate traffic control organizationally, that is, by department, so that there is granular control of the traffic from the R&D department within each specific branch location. Additional tunnel levels can be used to control traffic at the user (IP address) level, and lastly by application (per user).

Figure 3: Rule Logic

2.1.3 Traffic Shaping Behavior

The iNGFW iQoS feature set supports bandwidth control, bandwidth guarantees and various traffic shaping behaviors to optimize network traffic. These capabilities include:

- Minimum bandwidth guarantees for specific applications or users
- Maximum bandwidth restrictions for specific applications or users
- Bandwidth restrictions for non-critical applications
- Bandwidth guarantees and quality of service for critical applications
- Inbound, outbound or bidirectional bandwidth control and management
- Different traffic shaping strategies for traffic flowing to different destination addresses
- Different bandwidth services during different time periods for specific applications such as P2P traffic

2.2 Monitoring

In addition to traditional traffic monitoring based on applications and users, the Hillstone iNGFW system supports tunnel-specific monitoring and unifies the configuration and monitoring of tunnels. Tunnel monitoring provides traffic ranking, as well as the percentage of traffic observed in each tunnel inside both layers 1 and 2. Ranking can be done based on conditions such as tunnel status, traffic direction, segmentation by time, and ranking order, and is shown as a graphic display. The display also shows a comparison between traffic in different tunnels, abandoned traffic, and traffic in different directions. In addition, the tunnel detail pages display traffic ranking related to users, historical trends based on applications, and trends in abandoned traffic.

Figure 4 shows the tunnel configuration of an example company conducting traffic shaping for different branch offices.

Figure 4: iQoS Configuration

Figure 5 shows the level 1 (root tunnel) display of Layer 1 traffic for each branch office of the company.

Figure 5: Traffic Monitoring of the First Layer, Level 1 Tunnels

Figure 6 shows the level 2 tunnel display of Layer 1 traffic for the Hong Kong branch office of the company.

Figure 6: Traffic Monitoring of the First Layer, Level 2 Tunnels

Figure 7 shows the level 3 tunnel display of Layer 1 traffic control for each group in the Hong Kong R&D department of the company.

Figure 7: Traffic Monitoring of First Layer, Level 3 Tunnels

Figure 8 shows the level 4 tunnel display of each application in group1 of the Hong Kong R&D department of the company.

Figure 8: Traffic Monitoring of First Layer, Level 4 Tunnels

2.3 Differentiated Service Based on Application Profile

Traditional traffic shaping devices often do not differentiate between application complexity or type, or, if they have the ability to do this, they often cannot determine the bandwidth consumed by non-critical applications such as P2P or multi-threaded downloads. To address this gap, enterprises have to keep increasing bandwidth to meet application demand. The Hillstone iQoS feature set supports differentiated services based on seven levels of priority categorization. Application types can be identified and monitored to achieve the following results:

- Identify applications that must be guaranteed bandwidth at high priority
- Identify applications that must be controlled at low priority
- Identify applications that must be blocked

When the bandwidth use of each application type is determined, a prioritized application strategy can be created to allocate bandwidth at higher priority to key applications.

2.4 Full Bandwidth Utilization

The iNGFW iQoS feature set offers flexible bandwidth management for all applications, including the option to restrict high-bandwidth applications (P2P applications), to guarantee bandwidth for key services in the network, and to better utilize existing bandwidth. The iNGFW effects traffic control based on tunnel configuration. Any remaining bandwidth can be allocated to sub-tunnels to fully utilize all available bandwidth. If there are multiple sub-tunnels with the same priority, the remaining bandwidth is allocated on a first-come, first-served basis. If different priorities exist between the sub-tunnels, they share the parent bandwidth according to their priorities, thus providing more bandwidth for higher priority applications. This operation guarantees that bandwidth is utilized predictably and efficiently.
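The finance-office scenario of section 2.1.1, worked through as an added example (not Hillstone code or configuration): a simplified model that applies the one-layer and the two-layer cap arrangements to the same constructed traffic demand. The function names and the proportional scale-down inside an over-subscribed tunnel are assumptions of this sketch; the caps are the whitepaper's.

```python
# Added illustration; not Hillstone code. All rates are in Mbps.
from collections import defaultdict

GROUP_CAPS = {"director": 50, "employees": 30}        # user dimension
P2P_SPLIT = {("director", "p2p"): 20, ("employees", "p2p"): 10}  # one-layer workaround
APP_CAPS = {"p2p": 30}                                # application dimension

def cap_aggregate(rates, key_of, caps):
    """Scale down flows that share a tunnel key so their sum fits caps[key].

    Assumption of this sketch: an over-subscribed tunnel is shared
    proportionally between the flows inside it.
    """
    totals = defaultdict(float)
    for flow, rate in rates.items():
        totals[key_of(flow)] += rate
    shaped = {}
    for flow, rate in rates.items():
        key = key_of(flow)
        limit = caps.get(key)
        if limit is not None and totals[key] > limit:
            rate = rate * limit / totals[key]
        shaped[flow] = rate
    return shaped

def one_layer(demand):
    """Per-user caps, with the P2P budget pre-split between user groups."""
    shaped = cap_aggregate(demand, lambda f: f, P2P_SPLIT)
    return cap_aggregate(shaped, lambda f: f[0], GROUP_CAPS)

def two_layer(demand):
    """Layer 1 caps each user group; layer 2 caps P2P across all users."""
    layer1 = cap_aggregate(demand, lambda f: f[0], GROUP_CAPS)
    return cap_aggregate(layer1, lambda f: f[1], APP_CAPS)

def p2p_total(shaped):
    """Aggregate P2P rate admitted across all user groups."""
    return sum(rate for (_, app), rate in shaped.items() if app == "p2p")

# Constructed demand: the director barely uses P2P, employees want 25 Mbps.
LIGHT_DIRECTOR = {
    ("director", "p2p"): 5, ("director", "http"): 10,
    ("employees", "p2p"): 25, ("employees", "http"): 5,
}
# Constructed demand: both groups try to saturate P2P.
BOTH_HEAVY = {("director", "p2p"): 40, ("employees", "p2p"): 20}

if __name__ == "__main__":
    for name, demand in (("light director", LIGHT_DIRECTOR),
                         ("both heavy", BOTH_HEAVY)):
        for model in (one_layer, two_layer):
            shaped = model(demand)
            print(f"{name:15} {model.__name__:10} "
                  f"P2P total {p2p_total(shaped):5.1f}  {shaped}")
```

With the light-director demand, the one-layer split strands half of the 30Mbps P2P budget while the two-layer model lets employees use it; when both groups saturate P2P, the two arrangements give the same result.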

3 Conclusion

The Hillstone T-Series iNGFW Enhanced iQoS feature set provides superior quality of service capabilities in handling and monitoring network traffic. The iQoS features include the following specific advantages:

- Two-layer, eight-level embedded tunnel traffic shaping with flexible bandwidth management
- Fine granularity in network traffic segmentation and separation
- Priority-based differentiated service guarantees to applications, and therefore guarantees to high priority key business services
- Full utilization of all bandwidth resources by offering flexible allocation of remaining bandwidth

The iNGFW iQoS capabilities significantly enhance the management and monitoring of network traffic and the quality of service offered to specific users and applications, and maximize bandwidth management efficiency.

292 Gibraltar Drive, Suite 105, Sunnyvale, CA 94089 Tel: 1-800-889-9860 Email: inquiry@hillstonenet.com