AC1000 InstallGuide 6.11

®
NetEnforcer AC-1000
Series
Carrier-Grade Service Control and QoS/SLA
Enforcement
Installation Guide
Version 6.1.1
(Doc. No. D354003)
Important Notice
Important Notice
Allot Communications Ltd. ("Allot") is not a party to the purchase agreement under which
NetEnforcer was purchased, and will not be liable for any damages of any kind whatsoever caused to
the end users using this manual, regardless of the form of action, whether in contract, tort (including
negligence), strict liability or otherwise.
SPECIFICATIONS AND INFORMATION CONTAINED IN THIS MANUAL ARE FURNISHED
FOR INFORMATIONAL USE ONLY, AND ARE SUBJECT TO CHANGE AT ANY TIME
WITHOUT NOTICE, AND SHOULD NOT BE CONSTRUED AS A COMMITMENT BY ALLOT
OR ANY OF ITS SUBSIDIARIES. ALLOT ASSUMES NO RESPONSIBILITY OR LIABILITY
FOR ANY ERRORS OR INACCURACIES THAT MAY APPEAR IN THIS MANUAL,
INCLUDING THE PRODUCTS AND SOFTWARE DESCRIBED IN IT.
Please read the End User License Agreement and Warranty Certificate provided with this product
before using the product. Please note that using the products indicates that you accept the terms of
the End User License Agreement and Warranty Certificate.
WITHOUT DEROGATING IN ANY WAY FROM THE AFORESAID, ALLOT WILL NOT BE
LIABLE FOR ANY SPECIAL, EXEMPLARY, INDIRECT, INCIDENTAL OR
CONSEQUENTIAL DAMAGES OF ANY KIND, REGARDLESS OF THE FORM OF ACTION
WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR
OTHERWISE, INCLUDING, BUT NOT LIMITED TO, LOSS OF REVENUE OR ANTICIPATED
PROFITS, OR LOST BUSINESS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
Copyright
Copyright © 1997-2005 Allot Communications. All rights reserved. No part of this document may
be reproduced, photocopied, stored on a retrieval system, transmitted, or translated into any other
language without a written permission and specific authorization from Allot Communications Ltd.
Trademarks
Products and corporate names appearing in this manual may or may not be registered trademarks or
copyrights of their respective companies, and are used only for identification or explanation and to
the owners' benefit, without intent to infringe.
NetEnforcer®, NetBalancer®, CacheEnforcer® and the Allot Communications pyramid logo are
registered trademarks of Allot Communications Ltd.
NetPolicy™ is a trademark of Allot Communications Ltd.
ii NetEnforcer AC-1000 Series Installation Guide

Important Notice
Allot Communications
Americas Middle East and Africa

7664 Golden Triangle Drive 5 Hanagar Street
Eden Prairie, MN 55344 Industrial Zone B,
Tel: (952) 944-3100 Hod-Hasharon, 45800, Israel
Toll free: (877) 255-6826 Tel: 972-9-761-9200
Fax: (952) 944-3555 Fax: 972-9-744-3626
Europe Japan
NCI – Les Centres d’Affaires Yajima Building, 8F
Village d’Entreprises ‘Green Side’ 7-11-13 Ginza, Chuo-ku
Batiment 1B Tokyo 104-0061
400 Avenue Roumanille, BP309 Japan
06906 Sophia Antipolis Cedex Tel: 81-3-5537-7114
France Fax: 81-3-5537-5281
Tel: 33-(0)4-93-00-11-67
Fax: 33-(0)4-93-00-11-65
Asia Pacific
9 Raffles Place, #27-01
Republic Plaza
Singapore 048619
Tel: 65-6832-5663
Fax: 65-6832-5662
Printing History
Second Edition: May 2005, Version 6.1.1
Doc. No. D534003
NetEnforcer AC-1000 Series Installation Guide iii

About This Manual
About This Manual

The NetEnforcer AC-1000 series User Guide describes how to install and configure
NetEnforcer AC-1000 series in your network, and use NetEnforcer AC-1000 series to
prioritize your network traffic.
This manual contains the following chapters:

Chapter 1, Introducing NetEnforcer AC-1000 for Giga Bit Networks, introduces
NetEnforcer AC-1000 series and provides an overall description of the architecture and
functioning of the system.
Chapter 2, Installing NetEnforcer, describes NetEnforcer AC-1000 series hardware
and the initial installation and setup requirements.
Chapter 3, Getting Started, describes how to connect to NetEnforcer AC-1000 series
through your Web browser, and install the Java 1.4.2 JRE, which is a prerequisite for
running the NetEnforcer application.
Appendix A, Hardware Specifications, lists the hardware specifications for
NetEnforcer AC-1000 series.
Appendix B, Fail-Safe Operation, describes the fail-safe methods implemented in
NetEnforcer AC-1000 series, such as how NetEnforcer can operate parallel to another
NetEnforcer to provide full redundancy.
Appendix C, NetEnforcer Port Reference, describes the required ports for
NetEnforcer AC-1000 series.
Appendix D, Rack Mounting Installation, describes how to prepare the device and
rack for installation and how to mount the device in the rack.
Appendix E, Glossary, describes the terms used in this guide.
iv NetEnforcer AC-1000 Series Installation Guide

About This Manual
Conventions
The following conventions are used in this manual:
Note Additional information that may be useful in understanding
or using functionality.
Tip A helpful hint for using functionality, for example, a
shortcut.
Security A note that has security implications.
Note
Caution Information that is important to consider when performing a
particular action and that may have hazardous implications.
NetEnforcer AC-1000 Series Installation Guide v

Table of Contents
Table of Contents
CHAPTER 1: INTRODUCING NETENFORCER AC-1000 SERIES FOR GIGA
BIT NETWORKS .............................................................................................. 1-1
Introducing the NetEnforcer AC-1000 Series......................................................................................... 1-2
NetEnforcer AC-1000 Environments ..................................................................................................... 1-3
NetEnforcer Usage Examples................................................................................................................... 1-5
Scenario 1: Internet Service Provider..................................................................................................... 1-5
Scenario 2: Internet Data Center ............................................................................................................ 1-8
Scenario 3: Enabling CATV Providers to Offer Advanced IP Services................................................. 1-9
Scenario 4: Enterprise Intranet ............................................................................................................. 1-11
Scenario 5: Enterprise Internet Connection with VPN......................................................................... 1-13
Scenario 6: Protecting Networks from DDoS Attacks ......................................................................... 1-15
CHAPTER 2: INSTALLING NETENFORCER .................................................. 2-1

Hardware Description .............................................................................................................................. 2-2
Unpacking NetEnforcer.......................................................................................................................... 2-6
NetEnforcer Front Panel......................................................................................................................... 2-7
Bypass Modules ................................................................................................................................... 2-17
Placement in the Network....................................................................................................................... 2-30
Connecting NetEnforcer to the Network .............................................................................................. 2-30
Powering Up NetEnforcer .................................................................................................................... 2-33
Setting Up NetEnforcer .......................................................................................................................... 2-35
Configuring Via a Terminal ................................................................................................................. 2-35
Configuring Via the LCD Panel ........................................................................................................... 2-44
vi NetEnforcer AC-1000 Series Installation Guide

Table of Contents
CHAPTER 3: GETTING STARTED ..................................................................3-1

Accessing NetEnforcer ..............................................................................................................................3-2
Java, WebStart and the NetEnforcer User Interface..............................................................................3-3
Installing Java 1.4.2 JRE.........................................................................................................................3-3
Initializing WebStart...............................................................................................................................3-6
Automatic Updates..................................................................................................................................3-8
Managing Multiple Devices....................................................................................................................3-8
WebStart Application Manager...............................................................................................................3-8
Troubleshooting ......................................................................................................................................3-9
APPENDIX A: HARDWARE SPECIFICATIONS ............................................. A-1
APPENDIX B: FAIL-SAFE OPERATION......................................................... B-1

Bypass Mode ............................................................................................................................................. B-2
Bypass Initiation .................................................................................................................................... B-3
Fiber Bypass and TAP for the AC-1000 Series ..................................................................................... B-3
Connecting Two NetEnforcers in Serial Redundancy........................................................................... B-8
Status Indicators in Serial Redundancy Mode ....................................................................................... B-8
Secondary NetEnforcer Activation ...................................................................................................... B-10
Primary and Secondary Definitions ..................................................................................................... B-11
Power Redundancy................................................................................................................................. B-14
APPENDIX C: NETENFORCER PORT REFERENCE .................................... C-1

Firewall Ports ............................................................................................................................................ C-1
APPENDIX D: RACK MOUNTING INSTALLATION........................................ D-1
APPENDIX E: GLOSSARY.............................................................................. E-1
NetEnforcer AC-1000 Series Installation Guide vii

List of Figures
List of Figures
FIGURE 1-1 – ISP POP NETWORK WITH GIGA BIT CONNECTIVITY AND QOS .......................... 1-7
FIGURE 1-2 – SAMPLE INTERNET DATA CENTER NETWORK....................................................... 1-9
FIGURE 1-3 – NETENFORCER IN CATV ENVIRONMENT .............................................................. 1-10
FIGURE 1-4 – CORPORATE NETWORK STRUCTURE WITH TWO OUTGOING WAN LINKS... 1-12
FIGURE 1-5 – SAMPLE CORPORATE NETWORK WITH TWO LOCATIONS CONNECTED
VIA MPLS VPN.............................................................................................................................. 1-14
FIGURE 1-6 – END TO END QOS MARKING ON PACKETS TRAVELING AN MPLS
NETWORK ..................................................................................................................................... 1-14
FIGURE 1-7 – PREVENTING A DOS ATTACK WITH NETENFORCER .......................................... 1-16
FIGURE 2-1 – NETENFORCER AC-1010: FIBER INTERFACE (TOP) NETENFORCER AC-1010:
COPPER INTERFACE (BOTTOM)................................................................................................. 2-1
FIGURE 2-2 – NETENFORCER AC-1010 FRONT PANEL: FIBER INTERFACE................................ 2-7
FIGURE 2-3 – NETENFORCER AC-1010 FRONT PANEL: COPPER INTERFACE ............................ 2-8
FIGURE 2-4 – NETENFORCER AC-1020 FRONT PANEL: FIBER INTERFACE................................ 2-9
FIGURE 2-5 – NETENFORCER AC-1040 FRONT PANEL .................................................................... 2-9
FIGURE 2-6 – NETENFORCER LCD PANEL....................................................................................... 2-12
FIGURE 2-7 – AC-1040 STATUS INDICATORS .................................................................................. 2-13
FIGURE 2-8 – MANAGEMENT PORT .................................................................................................. 2-15
FIGURE 2-9 – FIBER BYPASS MODULE............................................................................................. 2-19
FIGURE 2-10 – CONNECTING NETENFORCERAC-1010 TO FIBER BYPASS MODULE.............. 2-20
FIGURE 2-11 – COPPER BYPASS MODULE ....................................................................................... 2-21
FIGURE 2-12 – CONNECTING NETENFORCER AC-1010 TO COPPER BYPASS MODULE......... 2-22
FIGURE 2-13 – DOUBLE FIBER BYPASS MODULE.......................................................................... 2-24
FIGURE 2-14 – CONNECTING NETENFORCERAC-1020 TO DOUBLE FIBER BYPASS
MODULE ........................................................................................................................................ 2-25
FIGURE 2-15 – MULTI-PORT COPPER BYPASS MODULE .............................................................. 2-28
FIGURE 2-16 – LAN AND WAN PLACEMENT OF NETENFORCER AC-1010................................ 2-32
FIGURE 2-17 – PLACEMENT OF NETENFORCER AC-1020 (POLICY PER USER)........................ 2-32
FIGURE 2-18 – PLACEMENT OF NETENFORCER AC-1020 (POLICY BASED ON LINK)............ 2-33
FIGURE 2-19 – NETENFORCER SETUP MENU.................................................................................. 2-37
FIGURE 2-20 – NETWORK CONFIGURATION .................................................................................. 2-38
FIGURE 2-21 – CURRENT CONFIGURATION (1) .............................................................................. 2-40
viii NetEnforcer AC-1000 Series Installation Guide

List of Figures
FIGURE 2-22 – CURRENT CONFIGURATION (2)............................................................................... 2-41

FIGURE 2-23 – PASSWORD................................................................................................................... 2-42
FIGURE 2-24 – TIME SETUP.................................................................................................................. 2-44
FIGURE 3-1 – NETENFORCER LOG ON DIALOG BOX.......................................................................3-2
FIGURE 3-3 – NETENFORCER CONTROL PANEL...............................................................................3-4
FIGURE 3-4 – JAVA JRE DOWNLOADS ................................................................................................3-5
FIGURE 3-5 – NETENFORCER JAVA WEB START WINDOW ..........................................................3-6
FIGURE 3-6 – SECURITY WARNING .....................................................................................................3-6
FIGURE 3-7 – NETENFORCER DESKTOP INTEGRATION .................................................................3-7
FIGURE 3-8 – NETENFORCER LOG ON WINDOW..............................................................................3-7
FIGURE 3-9 – JAVA WEB START APPLICATION MANAGER...........................................................3-9
FIGURE B-1 – FIBER BYPASS MODULE.............................................................................................. B-4
FIGURE B-2 – MULTIMODE COUPLER UNIT ..................................................................................... B-5
FIGURE B-3 – CONNECTING NETENFORCER AC-1010 TO FIBER BYPASS AND TAP ............... B-6
FIGURE B-4 – SERIAL REDUNDANCY SETUP FOR NETENFORCER AC-1010 ........................... B-12
NetEnforcer AC-1000 Series Installation Guide ix

List of Figures
x NetEnforcer AC-1000 Series Installation Guide

Chapter 1: Introducing NetEnforcer AC-1000
Series for Giga Bit Networks
This chapter introduces NetEnforcer and explains how it delivers Quality of Service.
This chapter includes the following sections:

Introducing the NetEnforcer AC-1000 Series, page 1-2, introduces NetEnforcer,
providing an overview of its functionality and describing typical environments for its
use.
NetEnforcer Usage Examples, page 1-5, presents scenarios that provide examples of
how NetEnforcer can optimize network traffic in a variety of working environments.
NetEnforcer AC-1000 Series Installation Guide 1-1

Chapter 1: Introducing NetEnforcer AC-1000 Series for Giga Bit Networks
Introducing the NetEnforcer AC-1000

Series
Allot Communications NetEnforcer® AC-1000 Series policy enforcement devices offer
carriers, service providers and enterprises a complete suite of bandwidth management
tools for monitoring, classifying, and controlling your network traffic. Uniquely
positioned to answer customer demand for more processing power, NetEnforcer
AC-1000 accurately identifies your network traffic using Allot's Deep Packet Inspection
(DPI) technology that combines Layer-7 application signatures and patterns and content
inspection. NetEnforcer monitors, categorizes, and optimizes your network traffic by
assigning QoS to specified classes of traffic, and gives you the power to intelligently
shape network bandwidth and deliver system-wide service level guarantees with
network connectivity speeds and throughput up to multi-gigabit per second.
The NetEnforcer offers flexible deployment that supports your business goals.
Deploying NetEnforcer at your access point enables you to enforce SLAs, deploy tried
services, and implement advanced billing schemes. Deploying NetEnforcer at your
peering point lets you safely oversubscribe, control P2P, monitor VoIP and protect your
network from DDoS attacks.
Use the NetEnforcer AC-1010 for managing traffic over a single link and use the AC-
1020 and AC-1040 for fully meshed Internet/Intranet access with redundant switches
and Internet access routers. The NetEnforcer AC-1020 offers support for two Gigabit
links while the NetEnforcer AC-1040 offers support for four Fast Ethernet links. Both
devices use a single traffic enforcement mechanism that lets you simply manage traffic
across multiple links with a single policy.
1-2 NetEnforcer AC-1000 Series Installation Guide

NetEnforcer AC-1000 Environments

Typical application environments for the NetEnforcer product family include:
• Internet Service Providers: NetEnforcer manages and enforces SLAs (Service
Level Agreements) at the POP level. ISPs are able to deliver advanced bandwidth
capabilities to customers, provide differentiated services and partition bandwidth.
Class of Service is enabled. NetEnforcer is geared for ISP operations providing full
SLA support and integration with ODBC-based billing packages, in addition to
interfacing to LDAP-based user directories.
• Internet Data Centers: NetEnforcer controls traffic flows to hosted servers. It
guarantees maximum traffic to and from hosted servers and provides protection
from worms (such as Slammer) that cause heavy, superfluous, artificial traffic to
server farms. NetEnforcer monitors usage on total access to the server and enables
troubleshooting of network load issues resulting from hackers' attacks or abnormal
traffic patterns. Additionally, NetEnforcer enables the monitoring of network
application health by using alert notifications and collects traffic flow statistics (by
hosted server or by protocol) for network planning.
• Corporate Networks: NetEnforcer controls traffic flows from Web-based
customers, internal users and remote offices to centralized corporate networks and
services. Network managers can give high priority to mission-critical applications
and ensure necessary bandwidth to timing-critical applications such as voice and
video. NetEnforcer’s extensive monitoring capabilities, including long-term
monitoring, enable network managers to manage the usage of resources like servers
and links. Furthermore, protecting from overuse of non-critical applications and
non-business usage increases network security (by eliminating worms and infected
Web pages). Finally, NetEnforcer’s ability to limit traffic connections enhances
network security and reduces the risk of DDoS (Distributed Denial of Service)
attacks.
• Educational Networks: NetEnforcer limits the use of low priority traffic such as
music and file-sharing applications, and assigns QoS for specific user groups.
NetEnforcer can limit students' access to particular sites and applications during
business hours, while allowing high priority access to faculty members or
administrators.

• Cable Networks: NetEnforcer controls traffic flows to and from cable-based

customers and ensures fairness to all subscribers. Providing an SLA to subscribers
is essential for subscribers who signed up for a speedy connection and wish to enjoy
a fast Internet connection. Failing to protect the innocent subscribers from other
subscribers’ overuse of bandwidth may result in unhappy customers. For example,
when a subscriber registers a PC as a P2P member in a busy network and thereby
generates heavy download traffic of music during most of the day and night. The
generation of traffic usage reports using NetEnforcer enables management of
resources and elimination of network resource abuse by subscribers.
• Voice and Video Applications: NetEnforcer enables the prioritization of data
applications and the guaranteeing of bandwidth to timing-critical, real-time
applications like voice over IP and video. NetEnforcer enables control of your data
and voice traffic. Through NetEnforcer, specific voice, video and multimedia traffic
flows can be identified and the following actions can be assigned: minimum and
maximum bandwidth, priorities, guaranteed rate, fairness and admission control.

NetEnforcer Usage Examples

The following scenarios provide examples of how NetEnforcer can optimize network
traffic in a variety of working environments.
Scenario 1: Internet Service Provider

Internet Service Providers (ISP or SP) require high-speed connections and the ability to
manage and enforce SLAs (Service Level Agreements) at the POP level. ISPs that
provide advanced services such as tiered services (for example ensuring the best service
level - Gold Service - to high-paying customers and a lesser level of services to
customers who pay less) and the ability to partition bandwidth stay ahead of the
competition. In addition to SLA support, ISPs require integration with CRM (Customer
Relationship Management) and billing packages as well as an interface to LDAP based
user directories.
IP Service Control at the POP

• Improve ROI by installing a layer 7 device at the carrier's POP.
¾ One device serves thousands of customers
• Enable carriers to provide supplementary IP services.

¾ Tiered/differentiated services (Gold/Silver/Bronze)
¾ Critical traffic prioritization
¾ Reducing P2P traffic
¾ With NetPolicy Provisioner – a New innovative service for customers to
monitor and control their own traffic
• Control DOS attacks.

Class of Service
NetEnforcer enables class of service in the following ways:
• Provides superior classification capabilities.
• Offers advanced classification capabilities up to Layer 7 while routers usually
support only up to Layer 4.
• Controls P2P traffic loads.
• Provides classed-based accounting for each subscriber.
• With NetPolicy Provisioner:
¾ Enables end-users (the business customer of the SP) to define their own classes,
and change them
¾ Provides per-pipe and per-class monitoring for each end-user
¾ Does not require changes in existing infrastructure
Services Based on MPLS

With more Metro Optical networks employed in the field, SPs are able to offer cost
effective Giga Ethernet connectivity. Carriers use this infrastructure with MPLS to
transport WAN with QoS.
Giga Ethernet is offered as layer 2 or layer 3 connectivity with additional L3+ offering
as well. ISPs offer VPN services based on MPLS.
QoS is offered, rather than Best Effort, based on packet marking using DSCP (also
known as TOS) marking. DiffServ (DSCP) marked packets can be mapped to MPLS
LSP. Another way of mapping QoS to MPLS is mapping 802.1p User Priority Bits to
EXP bits in the MPLS.
An Internet Service Provider sells slices of bandwidth to subscribers (defined in Pipes),
with an advanced offering of tiered services (for example, Gold, Silver and Bronze
customers). Managing customer traffic with high granularity is needed.

For example, the creation of a separate Pipe for each subscriber, dividing traffic
according to the customer needs.
Figure 1-1 – ISP POP Network with Giga Bit Connectivity and QoS
The ISP would like to control the maximum usage of each subscriber while limiting the
total bandwidth used. Moreover, the ISP needs to over-subscribe customers (there are
more customers than the available bandwidth can support for each Virtual
Channel/Pipe). The ISP would like to offer tiered services.
The NetEnforcer AC-1000 does the following for ISPs:
• Assigns tiered services (for example, Gold, Silver and Bronze service levels).
• Limits users and protocols to a maximum (for example, limit download/upload of
music using P2P).
• Sets a minimum to Smart Building tenants.
• Assigns a maximum to every home user.
• Using templates, the ISP is able to over-subscribe tenants (since, most probably, not
all of them will be active at the same time).
• Provides detailed call records for IP sessions.

Scenario 2: Internet Data Center

The benefits of NetEnforcer AC-1000 in data centers include:
• SLA monitoring enforcement.
¾ Operators can limit servers that exceed traffic SLA parameters
• DoS Protection.
¾ Limit and monitor the number of connections handled by each server
• Real-time monitoring.
• Alerts.
• Reporting.
¾ All session data recording
¾ Exporting session data external server (CSV format files)
• Enable customers to monitor and control their bandwidth pipes with the optional
NetPolicy Provisioner.
Internet Data Center management requires detailed management of traffic flows to
hosted servers. IDC customers are protected with guaranteed traffic to and from hosted
servers. Preservation of network resources prevail upon malicious traffic attacks
including worms (such as Slammer) that cause heavy, superfluous, artificial traffic to
the server farm.
In addition to specific traffic enforcement requirements, IDC operators need to monitor
and manage traffic usage as well as the total access to each server. Monitoring
information in real time provides IDC operators the troubleshooting data they need,
should a network load issue arise. Recording and monitoring network and application
traffic and health statistics of the network resources provide management with
pro-active tools for daily operations.

Other features provided by NetEnforcer include:

• Alert notifications that produce quick turnaround on customers’ issues. (You can
deal with the problem before the customer is even aware of it.)
• IP-CDRs (IP Call Detail Record), which are used for billing and customer support
systems.
Figure 1-2 – Sample Internet Data Center Network
The Internet Data Center hosts commercial servers for customers and guarantees a level
of service (SLA). Corporate customers enjoy wide bandwidth to the server farm (wide
and fast connection to the www backbone), redundancies and outsourced professional
management of the corporate data centers.
Scenario 3: Enabling CATV Providers to

Offer Advanced IP Services
NetEnforcer enables CATV providers to offer the following advanced services and
benefits:
• SLAs, tiered services and fairness per subscriber.
• Reduced bandwidth costs through P2P throttling, usage limitations.

• Implementation of usage-based billing.

• Prevention of unauthorized use.
Cable carriers are now commonly offering broadband Internet to residential users. The
cable infrastructure is distributing both TV programs and new high-speed IP services to
generate more revenue from the same cabling system.
Figure 1-3 – NetEnforcer in CATV Environment
Residential users, when using “always-on” service, are abusing P2P and web
downloads. The cable technology is shared between users on a massive scale and raises
operational issues, such as decreasing speeds when the number of users grow, security
concerns from sharing the same media and difficulties differentiating key services (for
example, VOIP) from other non-time-sensitive applications (for example, file
downloads).
NetEnforcer provides the following:
• Easy, on demand provisioning.
• User fairness and/or tiered services.
• P2P limitations.

• Time-based bandwidth management.

• Seamless interface with billing systems.
The latest DOCSIS 2.0 standard version is only capable of managing the bandwidth per
modem, and not at the user level and layer 7 application recognition (for example, P2P
service control).
Scenario 4: Enterprise Intranet

Corporate Intranets have become key repositories of business information needed by
employees across the enterprise. Companies also rely on the existence of network-based
services for their businesses, running mission-critical applications for ERP, CRM,
eCommerce, and more. Poor application response times, caused by the mix of
business-critical and non-critical traffic on the same network, quickly translate into
decreased productivity, lost revenues and increased business costs.
Corporate network managers demand full accountability of users, services servers,
WAN traffic and network resources. Whether it's accessing a remote branch, inter-
branch traffic or traffic to the Internet, it's about managing applications, separating
resources, and protecting them, monitoring traffic and usage and management and
control issues.
Network managers can give high priority to mission-critical applications and assure
necessary bandwidth to timing-critical applications such as voice and video as well as
limiting non-business applications, such as P2P. Extensive monitoring capabilities,
including long term monitoring, enables network manages to manage the usage of
resources like servers and links. Protecting from overuse of non-critical applications and
non-business usage increase network security (by eliminating worms and infected Web
pages); limiting traffic connections enhances network security and reduces the risk of
DDoS (Distributed Denial of Service) attacks.

In this example, the Pipe feature enables the network manager to manage traffic to
different WAN links, creating a Pipe for each one of them.
Figure 1-4 – Corporate Network Structure with Two Outgoing WAN Links
The network manager would like to assign a maximum for each WAN link. The
multiple protocol traffic is going to different locations, based on the IP address.
Pipes are created as follows:
• Link 1 bandwidth is 45 Mbps. Traffic includes Oracle (business application) and
Multimedia, classified based on TOS marking.
• Link 2 bandwidth is 155 Mbps. Normal traffic includes Internet browsing, FTP and
backup to Oracle traffic.
• Link 3 bandwidth is 310 Mbps. A connection to an alternate disaster recovery
center.
All traffic to links is classified based on the destination address.

Scenario 5: Enterprise Internet Connection

with VPN
In addition to the ever growing need for time-sensitive video conferencing and voice
over IP (VoIP), modern corporate networks require fast, secured VPN connections
between different locations of the company offices. As a low-cost alternative to
expensive legacy telephone calls, and fast access to company data resources, companies
are building their networks with Giga bit Ethernet connections to ISP POP.
NetEnforcer AC-1010 serves as a "gateway" to enable the moving of information from
public networks to private ones. Utilizing newly offered services based on MPLS,
corporate network managers can take advantage of MPLS-based VPN services.
In addition to offering better response time to mission-critical applications by
prioritizing their traffic or guaranteeing them a portion of bandwidth, NetEnforcer
AC-1010 ensures the smooth transition from DSCP (DiffServ)-based network to an
MPLS-based backbone while classifying and preserving application QoS. Traffic is
classified according to network policy and less critical and less time-sensitive
applications receive a limited amount of bandwidth or a lower priority. NetEnforcer
guarantees the performance of business-critical applications. Packets are colored with
DSCP marking so that MPLS routers can "understand" and treat the packets
accordingly.
By mapping the DSCP bits to the MPLS labels, the ISP preserves the enterprise
customer QoS marking. The ISP provides whatever class of service is specified all the
way to the far end.
In general, NetEnforcer AC-1010 controls important network resources such as
bandwidth, servers, applications and users. It also monitors and records traffic usage
information based on clients, servers, application, time and DiffServ tagging. When
combined with the Differentiated Services standard (DiffServ) the network operator
(ISP) may combine service level (implemented by DiffServ) and traffic engineering
(implemented by MPLS) into one system in which the DiffServ behavior is managed by
the MPLS routing.

Figure 1-5 – Sample Corporate Network with Two Locations Connected

via MPLS VPN
Figure 1-6 – End to End QoS Marking on Packets Traveling an MPLS Network

Scenario 6: Protecting Networks from DDoS

Attacks
One of the best security practices for the enterprise is to design a multi-layered security
system. You can use NetEnforcer to monitor, alert and block DoS attacks, and enhance
the overall security of your enterprise network.
The Problem
Malicious worms were recently distributed and unwillingly duplicated throughout the
Internet. Unwilling accomplices' systems actively participated in scheduled and planned
DoS (Denial of Service) attacks on unsuspecting sites. Infected systems increased the
demand of bandwidth and server resources, thereby slowing down business-critical
applications.
DDoS (Distributed Denial of Service) attacks are more intense and damaging than DoS
attacks. In DDoS attacks, multiple machines unknowingly participate in an attack
against a single host target. In February 2000, a variant of the Smurf and DoS attacks
brought down Yahoo!, Buy.com, CNN.com, Amazon.com and other sites. In these
attacks, hacker "agents" were loaded on hundreds of "Zombie" client machines. A
master console then directed, past firewalls, all of the Zombie systems to become active
and attack the victim.
Malicious traffic, disguised as legitimate traffic, passes firewalls that normally filter out
illegal traffic. There is a need for a multilayer security system—one that enhances
firewalls and protects network resources from attacks.
The Solution
Use bandwidth management to protect your network from DoS attacks and malicious
traffic. Improving network performance by resource management creates a first line of
protection from illegitimate users and applications that seize an undeserved share of
resources.

NetEnforcer detects known DoS and DDoS attacks and intelligently blocks new flows
suspected as destructive traffic. Placing the NetEnforcer at the edge of the enterprise
network creates a first line of defense, enhancing performance of firewalls and internal
network devices. NetEnforcer discards malicious traffic packets that slip past routers
and firewalls to improve application performance and to enhance network security.
By deploying NetEnforcer, service providers and enterprises can monitor, record and
alert users of imminent attacks on network resources. Moreover, NetEnforcer's
accounting database registers traffic statistics of all sessions, and assists network
administrators to pinpoint attackers. NetEnforcer's Log gives abnormal-event
notifications, such as when packets are denied access.
Preventing a DoS Attack with NetEnforcer

NetEnforcer can prevent a DoS attack in the following way:
1. Attacker sends broadcast ICMP with victim’s spoofed address.
2. Unwitting accomplices send ICMP eco reply (with victim’s address).
3. NetEnforcer detects high number of ICMP connections and blocks them.
Figure 1-7 – Preventing a DoS Attack with NetEnforcer

Chapter 2: Installing NetEnforcer
This chapter describes the NetEnforcer AC-1000 series hardware and the initial
installation and setup of NetEnforcer. NetEnforcer is a transparent learning bridge that
is IEEE 802.1-compliant. NetEnforcer works with a Bypass module. The Bypass
module ensures that data continues flowing should any hardware or software problem
occur. While NetEnforcer is bypassed, all traffic goes through passive elements only
and still allows the network to function.

Hardware Description, page 2-2, describes the NetEnforcer platform and models, and
provides a physical description of the NetEnforcer front panel, as well as a description
of the external Bypass module.
Placement in the Network, page 2-28, describes where to place NetEnforcer in a
network and how to connect NetEnforcer to the network.
Setting Up NetEnforcer, page 2-35, describes how to configure the initial basic
parameters required to work with NetEnforcer, using a terminal or via the LCD panel.
Figure 2-1 – NetEnforcer AC-1010: Fiber Interface (Top) NetEnforcer AC-1010:

Copper Interface (Bottom)

Hardware Description
NetEnforcer AC-1000 series offers carrier-grade design with redundant critical
components for fail-safe operation. Redundant hardware components include system’s
fans and dual hot-swappable power supplies. NetEnforcer AC-1000 series is designed to
meet ETSI standards.
The AC-1000 series comes with an additional Bypass module.
CAUTION:
The appropriate Bypass module must be connected to the AC-1000. This is to ensure continuous service in
the event of failure.
NOTE:
AC-1000 NetEnforcer NIC default factory setting is always Auto-Negotiation enabled, with one exception
of AC-1010 Copper that it’s default NIC setting is 1000 full, Auto-Negotiation disabled.
It is recommended to keep NetEnforcer default setting, changing NIC setting is done via LCD panel only.
Several NetEnforcer models are available to support large and small sites and different
data network speeds.
NetEnforcer AC-1020 is intended to be used in a mesh network configuration where
redundancy is kept by connecting each path to a different network device. The AC-1020
has two-line connectivity versus the AC-1010 that has one-line connectivity.
The NetEnforcer AC-1020 is managed by a single QoS policy that manages the traffic
through all of the NetEnforcer’s interfaces. Should one link fail, the traffic would still
flow through the other link.
The NetEnforcer AC-1000 models currently available are described in the table on the
following pages.

No. of Bandwidth Pipes Policies Connections

Interfaces
NetEnforcer® AC-1000 Carrier-Grade Platform
KAC-1010/155M-PS-I-IT 2 x 1000 155 Mbps 2,048 8,192 128,000

NetEnforcer AC-1010/155M Mbps
Version 6.x
KAC-1010/310M-PS-I-IT 2 x 1000 310 Mbps 2,048 8,192 128,000

Version 5.x
KAC-1010/622M-PS-I-IT 2 x 1000 622 Mbps 2,048 8,192 256,000

Version 6.x
KAC-1010/1G-PS-I-IT 2 x 1000 1000 Mbps 2,048 8,192 256,000

NetEnforcer AC-1010/1G Mbps
Version 6.x
KAC-1020/155M-PS-I-IT 4 x 1000 155 Mbps 2,048 8,192 128,000

Version 6.x
KAC-1020/310M-PS-I-IT 4 x 1000 310 Mbps 2,048 8,192 128,000

Version 6.x
KAC-1020/622M-PS-I-IT 4 x 1000 622 Mbps 2,048 8,192 256,000

Version 6.x


Interfaces
KAC-1020/1G-PS-I-IT 4 x 1000 1000 Mbps 2,048 8,192 256,000

NetEnforcer AC-1020/1G Mbps
Version 6.x
KAC-1040/400M-PS-I-IT 8 x 100 400 Mbps 4,096 28,672 1,000,000

NetEnforcer AC-1040 Mbps
Version 6.x
NetEnforcer® AC-1000 Carrier-Grade Platform for Service Providers
KAC-1010/SP-155M-PS-I-IT 2 x 1000 155 Mbps 10,000 80,000 1,000,000

NetEnforcer AC-1010/SP- Mbps
155M Version 6.x

310M Version 6.x

622M Version 6.x
KAC-1010/SP-1G-PS-I-IT 2 x 1000 1000 Mbps 10,000 80,000 1,000,000

NetEnforcer AC-1010/SP-1G Mbps
Version 6.x

155M Version 6.x

310M Version 6.x


Interfaces

622M Version 6.x
KAC-1020/SP-1G-PS-I-IT 2 x 1000 1000 Mbps 10,000 80,000 500,000

NetEnforcer AC-1020/SP-1G Mbps
Version 6.x
NOTE:
When ordering, please specify: PS – power supply (AC or DC); I – interface (C – Copper or F - Fiber);
IT – fiber interface (LX or SX).
Ordering Information
For ordering purposes, the following reference is used:
Code Definition Values Description
SP SP models have more policies
PS Power AC AC/DC 100-240V Power Supply
Supply DC DC/DC -48V Power Supply
I Interface F Fiber
C Copper 1000Base-T
IT Interface LX Fiber 1000Base-LX
Type SX Fiber 1000Base-SX
NetEnforcer AC-1000 - Carrier Grade - was designed to conform to ETSI and NEBS
standards. Furthermore it conforms to FCC, UL and CE standards. The front panel
display and 4-key keypad enables setup and activity monitoring and management and
console ports are included. The Link Connections interface includes two gigabit ports
with removable modules for fiber or copper (GBIC).

Unpacking NetEnforcer
Verify that the following items are included with NetEnforcer:
• NetEnforcer (hardware with pre-installed software)
• NetEnforcer User Guide
• 2 Power Cables
• 1 Serial Console Cable
• 2 19" Side Mounting Brackets
• 8 Mounting Bracket Screws
• Backup Cable: D-type High Density Cable
NOTE:
The maximum length for the Ethernet cable for Copper models is generally up to 50 meters.

NetEnforcer Front Panel

The AC-1000 series connects to your network via Link Connection connectors. The
LCD panel, connectors and LED indicators on the front panel, are shown in the
following diagrams.
The network connectors vary according to the interface on the model. The AC-1010
with Fiber interface is shown below:
Link Connections Area
LCD Panel
Power Supply Modules Accessory Area
Figure 2-2 – NetEnforcer AC-1010 Front Panel: Fiber Interface

CAUTION:
The NetEnforcer AC-1010 Fiber models are CLASS 1 LASER PRODUCTS. DANGER! Invisible laser
radiation when opened. AVOID DIRECT EXPOSURE TO BEAM.

The AC-1010 with Copper interface is shown below
LCD Panel
Figure 2-3 – NetEnforcer AC-1010 Front Panel: Copper Interface

The AC-1020 with Fiber interface is shown below.
LCD Panel

Figure 2-4 – NetEnforcer AC-1020 Front Panel: Fiber Interface

Figure 2-5 – NetEnforcer AC-1040 Front Panel

The front panel of NetEnforcer is laid out as follows:
• LCD panel, described on page 2-10.
• Power supply modules, described on page 2-15.
• Accessory area, including the following:
¾ Management port, described on page 2-13
¾ Management LEDs, described on page 2-13
¾ Console connector
¾ Backup High Density D-type Connector
¾ Two power cable connectors
The Link Connections area varies slightly according to the NetEnforcer model.
• For AC-1010 models, the Link Connection area includes the following:
¾ External port, hot-swappable GBIC module (RJ-45 connector for AC1010
Copper or duplex SC fiber optic connector for AC-1010 Fiber)
¾ External LEDs, described on page 2-13
¾ Internal port, hot-swappable GBIC module (RJ-45 connector for AC1010 Copper
or duplex SC fiber optic connector for AC-1010 Fiber)

¾ Internal LEDs, described on page 2-11

¾ Link 1 (left)
¾ External port, hot-swappable SFP module (RJ-45 connector for AC1020
Copper or duplex LC fiber optic connector for AC-1020 Fiber)
¾ Internal port, hot-swappable SFP module (RJ-45 connector for AC1020
¾ Link 2 (right)
¾ External port, hot-swappable SFP module (RJ-45 connector for AC1020
¾ Internal port, hot-swappable SFP module (RJ-45 connector for AC1020
¾ Link 1 (upper left)
¾ External port, RJ-45 connector
¾ Internal port, RJ-45 connector
¾ Link 2 (upper right)
¾ Link 3 (lower left)
¾ Link 4 (lower right)

LCD Panel
The NetEnforcer LCD panel provides an indication of traffic usage and enables you to
configure NetEnforcer directly without the need to connect a terminal. You can also
start, reboot and shutdown NetEnforcer from the front panel.
Display Area
Standby Indicator
Up Arrow Active Indicator

Left Arrow
Power Indicator
Down Arrow
Right Arrow On/Off Select Enter
Figure 2-6 – NetEnforcer LCD Panel
For a description of how to configure NetEnforcer using the LCD panel, refer to
Configuring Via the LCD Panel, page 2-44.
For a description of the Standby, Active and Power LEDs, refer to Interface Status
Indicators, page 2-11.
Interface Status Indicators

Status Indicators – AC-1000 Series
The front panel of the AC-1000 series contains link LEDS, Management port LEDs and
LCD panel LEDs.
The modes of operation of the Link (External and Internal) and Management port LEDs
are described in the table below.

Ext/Int/Mgmnt LED NetEnforcer Status

Green A lit green LED indicates that a link is detected.
Amber A blinking amber LED indicates that traffic is detected on
the interface.
Off An unlit LED indicates that neither links nor activities were
detected.
Table 2-1 – External/Internal/Management LED Conditions
Status Indicators – AC-1040
LINK
ACT
Figure 2-7 – AC-1040 Status Indicators
Ext/Int/ LED NetEnforcer Status

Green A lit green LED indicates that a link is detected.
Red A blinking red LED indicates that traffic is detected on the
interface.
Off An unlit LED indicates that neither links nor activities were
detected.

Unit Status Indicators

The modes of operation of the Standby, Active and Power LEDs on the LCD panel are
described in the table below.
Indicator Status NetEnforcer Status
Standby On Two NetEnforcers are connected in Redundancy mode and
this NetEnforcer is the secondary system.
Off This NetEnforcer is the primary system. If you have one
NetEnforcer, this should be the normal state of the LED. If
you have two NetEnforcers configured in Redundancy
mode, this NetEnforcer is the primary system.
Active On NetEnforcer is in Active mode.
Off NetEnforcer is in Bypass mode, or this is the secondary
NetEnforcer in a Full Redundancy configuration and it is
not active. Traffic passes through NetEnforcer with no
Quality of Service or traffic shaping.
Power On NetEnforcer is powered up.
Off NetEnforcer is shut down.
Table 2-2 – Standby/Active/Power LED Conditions
Out-of-Band Management (Port)

Out-of-band management provides the following:
• Offers physical separation between shaped traffic and management traffic.
• Enables access to NetEnforcer even if there is a problem in the network (for
example, DoS attack).
• Prevents management traffic from interfering with shaped traffic.
• Permits NetEnforcer management from DMZ.

NetEnforcer includes a dedicated Management port for out-of-band management of the

NetEnforcer. The dedicated Management port provides a secure solution for device
management for enterprise and service providers. It enables you to permit access solely
to a closed group of network administrators, so that ISP customers cannot "see" the
Management port and therefore cannot access the NetEnforcer management. Operating
through the Management port denies management access to the device from Internal or
External ports. Moreover, when there is a problem in the regular network, for example,
a DoS (Denial of Service) attack, you can still manage and monitor the NetEnforcer.
Figure 2-8 – Management Port
Using a Management port has the following benefits:

• Provides a security feature that prevents ISP customers from "seeing" the
Management port and thus prevents access to NetEnforcer. The Internal and
External ports are functioning solely to forward traffic, consequently only the
administrator (the only one who has access to the Management port) has access to
NetEnforcer.
• Enables configuring, installing and upgrading while the unit is in Bypass mode.
This is particularly important when NetEnforcer is in carrier environments.

• Improves NetEnforcer's forwarding performance by separating the management

traffic from the regular traffic. In addition, if a problem exists in the regular network
you can still communicate with NetEnforcer in order to repair the problem.
• Provides an infrastructure for improvement of the redundancy capabilities.
NOTE:
The Management port has its own MAC and IP address.
Power Supply
NetEnforcer includes two hot-swappable power supply modules and a dual line feed for
Redundancy purposes. Each line feed is driving one power supply.
NOTE:
The AC power supply automatically adapts to voltages between 100 V and 240 V, 50/60 Hz.
The DC power supply automatically adapts to voltages of 48 V or 60 V DC.
Should you need to, you can replace one of the power supplies while NetEnforcer is
connected and operating. Replacing a power supply while the unit is operating is
possible since the remaining power supply will take the full load and maintain full
operation.
NOTE:
To remove a power supply module, undo the two screws in the lower left and right corners, lift the handle
and slide the module out.

Each power supply has two LEDs located beneath the power supply handles. The LEDs
indicate the following:
LED Power Supply Status
Green The green LED indicates that the power supply is connected to
power and no failure condition exists.
Amber The amber LED indicates that a failure condition exists.
CAUTION:
The power entry modules (AC supply option) include two fuses (T2A 250 V, 5 x 20 mm) at each power
entry. One is a spare fuse for replacement purposes. You can open the fuse box and change when
necessary.
For continued protection against risk of fire, replace only with same type and rating of fuse.
Fault Tolerance
For fault tolerance, NetEnforcer includes the following:
• Redundant critical components
¾ Two hot-swappable, load sharing, redundant power supplies modules (AC/DC)
¾ Dual power line feed
¾ Dual redundant chassis fans and electrical feeds
• Hardware bypass
¾ Hardware or software failure will result in straight-through “wire” connection
• Redundancy (dual systems configuration)
¾ Alternate secondary NetEnforcer automatically takes over (with existing policies)
if primary unit fails

Bypass Modules
The AC-1000 series operates with an external Bypass module. The Bypass module is a
mission-critical subsystem designed to ensure network connectivity at all times. The
Bypass mechanism provides "connectivity insurance" in the event of a NetEnforcer
subsystems failure.
NetEnforcer is supplied with a Bypass module appropriate to the module. The AC-1010
Fiber operates with a Fiber Bypass and the AC-1010 Copper operates with a Copper
Bypass. The AC-1020 Fiber operates with a Double Fiber Bypass and the AC-1020
Copper operates with a Double Copper Bypass. The Bypass module is connected to
NetEnforcer by a series of leads and cables.
CAUTION:
NetEnforcer AC-1000 must be connected to the appropriate Bypass module. This is to ensure continuous
service in the event of failure.
A separate NetEnforcer Bypass package is included with your AC-1000 series

shipment. The box includes the following:
• The appropriate NetEnforcer Bypass module
• 2 19” side mounting brackets
• 4 Ethernet UTP CAT 5 cables are supplied with a Copper Bypass module
• 8 Ethernet UTP CAT 5 cables are supplied with a Double Copper Bypass module

Fiber Bypass Module

The Fiber Bypass module works in conjunction with NetEnforcer AC-1010 Fiber.
To Internal Network To Secondary NetEnforcer
Connector Backup Connector
To External Network Fiber Cable To Primary NetEnforcer

Connector Connector
Figure 2-9 – Fiber Bypass Module
NOTE:
Use 62.5/125µ or 50/125µ fiber optic cables to connect 1 Gbps ports (duplex SC connectors marked with
Internal and External labels).
The Fiber Bypass module includes two duplex SC connectors, two built in fiber cables
and two D-type 9-pin connectors for primary and redundant unit to backup connection.

Connecting the Fiber Bypass Module

The following procedure describes how to connect a Fiber Bypass module to
NetEnforcer A-1010. The procedure contains circled numbers, for example 1 , relating
to reference numbers used in the diagram.
Figure 2-10 – Connecting NetEnforcerAC-1010 to Fiber Bypass Module
To connect the Fiber Bypass to NetEnforcer:
1. Connect the fiber cable labeled External from the Bypass module 7 , to the External
port on NetEnforcer 1 .
2. Connect the fiber cable labeled Internal from the Bypass module 7 , to the Internal
port on NetEnforcer 2 .
3. Connect the D-type High Density connector from the Primary port on the Bypass
module 8 , to the Backup port on NetEnforcer 3 .
4. Connect a 62.5/125µ or 50/125µ External fiber optic cable from the External port on
the Bypass module 5 , to a 1 Gbps router.

5. Connect a 62.5/125µ or 50/125µ Internal fiber optic cable from the Internal port on
the Bypass module 6 , to a 1 Gbps switch.
6. To connect a secondary NetEnforcer for Full Redundancy, you need two
NetEnforcers and one Bypass module. Connect the backup D-type High Density
connector from the Secondary port on the Bypass module 4 , to another
NetEnforcer.
¾ Internal and external connectors of the redundant NetEnforcer should be
connected directly to the network. There is no need to connect via the Bypass
module.
Copper Bypass Module

The Copper Bypass module works in conjunction with NetEnforcer AC-1010 Copper.
To Secondary
NetEnforcer
External Internal Backup
Connector Connector Connector
To External
Router
To Internal Mode To Primary
Connector
Switch LED NetEnforcer
Connector Indicator Connector
Figure 2-11 – Copper Bypass Module
NOTE:
It is recommended to use the Ethernet UTP CAT 5 cables that are supplied with the Copper Bypass
accessory kit to connect 1000Base-T ports (RJ-45 marked with Internal and External labels).

The Copper Bypass module includes RJ-45 connectors for Ethernet cables and two
D-type 9-pin connectors for primary and redundant unit to backup connection.
Connecting the Copper Bypass Module

The following procedure describes how to connect a Copper Bypass module to
NetEnforcer AC-1010. The procedure contains circled numbers, for example 1 ,
relating to reference numbers used in the diagram.
Figure 2-12 – Connecting NetEnforcer AC-1010 to Copper Bypass Module
To connect the Copper Bypass to NetEnforcer:
1. Connect the External cable from the External port on the Bypass module 7 , to the
External port on NetEnforcer 1 .
2. Connect the Internal cable from the Internal port on the Bypass module 8 , to the
Internal port on NetEnforcer 2 .

4. Connect the External cable from the External port on the Bypass module 5 , to a
router (1000Base-T) connector.
5. Connect the Internal cable from the Internal port on the Bypass module 4 , to a
switch (1000Base-T) connector.
NetEnforcer.
module.

Double Fiber Bypass Module

The Double Fiber Bypass module works in conjunction with NetEnforcer AC-1020
Fiber.
To External Router
Connector for Link 2 To Internal Switch
Connector for Link 2
Mode LED Indicators To NetEnforcer (External and
Internal Connectors) for Link 2
To External Router
Connector for Link 1
To NetEnforcer (External and
Internal Connectors) for Link 1
To Internal Switch
Connector for Link 1 To Secondary NetEnforcer To Primary
Backup Connector NetEnforcer Connector
Figure 2-13 – Double Fiber Bypass Module
NOTE:
Use 62.5/125µ or 50/125µ fiber optic cables to connect 1 Gbps ports (duplex SC connectors marked with
Internal and External labels).
The Double Fiber Bypass module includes connectors for connecting to Link 1 and
Link 2 on the AC-1020. The Link Connectors area for Link 1 includes two duplex SC
connectors, and two built in fiber cables with duplex LC connectors. The Link
Connectors area for Link 2 includes two duplex SC connectors, and two built in fiber
cables with duplex LC connectors. In addition, the Double Fiber Bypass module
includes two D-type 9-pin connectors for primary and redundant unit to backup
connection.

Connecting the Double Fiber Bypass Module

The following procedure describes how to connect a Double Fiber Bypass module to
Figure 2-14 – Connecting NetEnforcerAC-1020 to Double Fiber Bypass Module
To connect the Double Fiber Bypass to NetEnforcer:
1. Connect the fiber cable labeled External from the Bypass module 7 (on the left), to
the External port on NetEnforcer 1 (Link 1).
2. Connect the fiber cable labeled Internal from the Bypass module 7 (on the left), to
the Internal port on NetEnforcer 2 (Link 1).
3. Connect a 62.5/125µ or 50/125µ External fiber optic cable from the External port on
the Bypass module 5 (on the left), to a 1 Gbps router.
4. Connect a 62.5/125µ or 50/125µ Internal fiber optic cable from the Internal port on
the Bypass module 6 (on the right), to a 1 Gbps switch.
5. Repeats Steps 1 to 4 for Link 2.

NetEnforcer.
module.
Double Copper Bypass Module

The Double Copper Bypass module works in conjunction with NetEnforcer AC-1020
Copper.
NOTE:

Connecting the Double Copper Bypass Module to NetEnforcer AC-

1020
The following procedure describes how to connect a Double Copper Bypass module to
Figure 2-13 – Connecting NetEnforcerAC-1020 to Double Copper Bypass Module
To connect the Double Copper Bypass to NetEnforcer:
1. Connect the External cable from the External port on the Bypass module 7 (on the
left), to the External port on NetEnforcer 1 (Link 1).
2. Connect the Internal cable from the Internal port on the Bypass module 9 (on the
left), to the Internal port on NetEnforcer 2 (Link 1).

5. Repeats Steps 1 to 4 for Link 2.
NetEnforcer.
module.
Multi-Port Copper Bypass Module

The Multi-port Copper Bypass module works in conjunction with NetEnforcer AC-
1040.
Figure 2-15 – Multi-Port Copper Bypass Module
NOTE:

Connecting the Multi-Port Copper Bypass Module to NetEnforcer

AC-1040
The following procedure describes how to connect the Bypass module to NetEnforcer
AC-1040.
External Routers Internal Routers
(Internet) (Local Net)
Figure 2-13 – Connecting NetEnforcerAC-1040 to the Bypass Module

To connect the Bypass module to NetEnforcer 1040:

1. Connect the External cable from the External port on the Bypass module (on the left)
to the External port on NetEnforcer (Link 1).
2. Connect the Internal cable from the Internal port on the Bypass module (on the left)
to the Internal port on NetEnforcer (Link 1).
3. Connect the External cable from the External port on the Bypass module to a router
(100Base-T) connector.
4. Connect the External cable from the External port on the Bypass module to a router
(100Base-T) connector.
5. Repeats Steps 1 to 4 for Link 2 to 4.
module to the Backup port on NetEnforcer.
connector from the Secondary port on the Bypass module, to another NetEnforcer.
module.

Placement in the Network

NetEnforcer is supplied with two Gigabit Ethernet interfaces. NetEnforcer is normally
placed on the internal side of your access router. The Internal port of NetEnforcer
interfaces with your Local Area Network (LAN) and the External port of NetEnforcer
interfaces with your access router. Refer to the following diagrams to see NetEnforcer’s
placement in a network.
Connecting NetEnforcer to the Network

When connecting NetEnforcer to the network, use the proper fiber or Ethernet cable.
The following diagram shows a typical method of connecting a NetEnforcer AC-1010
model in a network.
Figure 2-16 – LAN and WAN Placement of NetEnforcer AC-1010
For the NetEnforcer AC-1020 models, there are two basic network configurations that
depend on the way that the traffic is routed and the policy that you wish to implement.

In the first configuration, if you wish to set policy per user (for example, limiting the
bandwidth per user) and the user access by default to one of the switches (same switch
for all their traffic), NetEnforcer is connected as follows:
Figure 2-17 – Placement of NetEnforcer AC-1020 (Policy Per User)

In the second configuration, if you wish to set policy based on link (for example, one
link to an ISP and the second link to an ISP) and you wish to set a global policy (for
example, limiting P2P traffic), you put a NetEnforcer per router, as follows:
Figure 2-18 – Placement of NetEnforcer AC-1020 (Policy Based on Link)
NetEnforcer is capable of operating parallel to another NetEnforcer to provide Full

Redundancy. If you are using NetEnforcers in Redundancy mode, refer to Appendix B,
Fail-Safe Operation.

To connect NetEnforcer to your network:

1. Connect the Bypass module to NetEnforcer, as described in Bypass Modules,
page 2-16.
2. Connect the LAN side of your network to the Internal connector on the front panel
of the Bypass module. (With AC-1020 models, do this for Link 1 and Link 2).)
3. Connect the cable connected to the WAN side of your network to the External
connector on the front panel of the Bypass module. (With AC-1020 models, do this
for Link 1 and Link 2).)
¾ To connect AC-1010 or AC-1020 Fiber, use fiber optic cables 62.5/125µ or

50/125µ, duplex SC connectors.
¾ To connect AC-1000 Series SM Fiber (LX5, LX20, ZX), use SM fiber optic
cables 9/125m, duplex SC connectors.
¾ To connect AC-1000 Series Copper, use Ethernet UTP CAT 5 cables.
4. Power up NetEnforcer. Refer to Powering Up NetEnforcer, page 2-34.

Powering Up NetEnforcer
Powering up is done from the LCD panel.
NOTE:
NetEnforcer and the Bypass module have to be fully plugged and connected before power is turned on. This
is to ensure proper and systematic power up.
To power up NetEnforcer:
It is recommended to connect the two power line feeds to separate power sources to
have full power redundancy. The Power LED on the LCD panel is lit and the Mode
LED on the Bypass module is off, indicating that the power is on and NetEnforcer is
bypassed. NetEnforcer performs several power-on self-tests and the display area of the
LCD panel indicates power-on self-test messages.
After a few seconds, the display area of the LCD panel indicates the following:
System Loading *
Once the system has completed loading, the Active LED on the LCD panel is lit and the
Mode LED on the Bypass module is lit, meaning that NetEnforcer is now connected to
the network. The display area of the LCD panel indicates the default view - the current
bandwidth consumption.
For example:
Inbound: XXX.X
Outbound: YYY.Y
You can now proceed to configure NetEnforcer, as required.

Setting Up NetEnforcer
In order to manage and configure NetEnforcer policies remotely from your Web
browser, several basic parameters must be configured on NetEnforcer. You can
configure these basic parameters using a terminal connected to NetEnforcer or by using
the LCD panel.
Configuring Via a Terminal

You can use a standard terminal, or a PC running terminal emulation software. Most
standard windows-based PC systems have a terminal emulation program called
HyperTerminal that can be used for this purpose. Configure the terminal to run VT100
terminal emulation with the following parameters:
• 19200 baud rate (9600 baud in older version, rev A/B)
• 8 bits
• Stop bits 1
• No flow control
• No parity
To connect a terminal to NetEnforcer:

1. Use the supplied serial cable to connect the terminal to the Console connector on the
front panel of NetEnforcer.
2. Ensure NetEnforcer is powered up. Refer to Powering Up NetEnforcer, page 2-34.
3. At the terminal, access a Microsoft DOS window, and at the C:\ prompt, enter
Telnet (IP address of NetEnforcer). Press <Enter>. The system boots up and you
are prompted for a login and a password.
4. Enter root for the login, bagabu for the password and the command menu. (To
change the password, see page 2-43.)

5. Press <Enter>. The Device Setup Menu is displayed:
Figure 2-19 – NetEnforcer Setup Menu
From this menu, you can perform the following tasks:
¾ Configure network parameters, page 2-37.

¾ Display the current configuration, page 2-39.
¾ Change the login password, page 2-41.
¾ Modify the date and time settings, page 2-42.
When all necessary parameters are set, NetEnforcer prompts you to reboot. After
rebooting is completed, NetEnforcer is ready to be connected and to add Quality of
Service in your network.

Configuring Network Parameters

You can configure network parameters, for example, the IP address, netmask and
default gateway for NetEnforcer.
To define network parameters:

1. In the Device Setup Menu, enter 2 (Network configuration) and press <Enter>. The
Network Configuration menu is displayed:
Figure 2-20 – Network Configuration
2. Enter 2 (Manual configuration) and press <Enter>.
3. Enter values for the following IP parameters:
Device IP Address The IP address for your NetEnforcer, for example,

10.10.10.1.
Network mask The netmask for your NetEnforcer, for example,

255.255.255.0.

Device Host name The host name for your NetEnforcer, for example,
NetEnforcer.
Domain name A domain name for your NetEnforcer, for example,

MyDomain.com. Do not provide a leading ‘.’.
Default gateway IP address The IP address of your default gateway. If you do

not have a default gateway, enter none.
Primary name server IP If you have a Domain Name Server (DNS), enter its
address IP address. If you do not have a DNS, enter none.
Secondary name server IP If you entered a primary name server IP address and
address you have a second DNS, enter the IP address of the
secondary DNS.
Enable VLAN If you have a Virtual LAN, enter enable. If you do

environment not have a VLAN, enter disable.
VLAN ID If you enabled a VLAN environment, enter the ID

for your VLAN.
4. Press <Enter> to finish and return to the Network Configuration menu.
5. To save your configuration, enter 3 (Save latest settings as current configuration)

from the Network Configuration menu. A message is displayed, asking whether you
wish to make your changes effective immediately. Enter y or n.

Displaying the Current Configuration

You can display and view the currently set network configuration parameters at any
time.
To display the current configuration:
1. In the Device Setup Menu, enter 1 (List current configuration) and press <Enter>.
The current network configuration parameters are displayed. A sample screen is
shown below:
Figure 2-21 – Current Configuration (1)

2. Press <Enter> to show the second screen of parameters:
Figure 2-22 – Current Configuration (2)
3. Press <Enter> to return to the Device Setup Menu.

Changing the Passwords

You can change the login password for either the Admin user or the Monitor user. The
Admin user has access to all NetEnforcer functions, while the Monitor user has
read-only access. It is strongly recommended to change the default password (allot).
NetEnforcer might enable access from anywhere on the Internet, and should therefore
be protected with a unique password.
To change the users’ password:
1. In the Device Setup Menu, enter 3 (Change password) and press <Enter>. The
Password screen is displayed:
Figure 2-23 – Password

2. Enter 1 or 2 to specify the type of user whose password you want to change and
press <Enter>.
3. Enter a new password and press <Enter>. The password must be between 5 and 8
characters. You can use a combination of upper and lower case letters and numbers.
4. Re-enter the password and press <Enter>. If NetEnforcer detects a simple password,
a warning is displayed on the screen.

CAUTION:
You must change the default passwords to ensure a minimum level of security.
NOTE:
The new user name and password will be used in the NetEnforcer Log In window when accessing
NetEnforcer through a browser.
Modifying Date and Time Settings

You can modify date and time settings as required. You can set the system time
manually, or you can set up NetEnforcer to receive time checks from an NTP (Network
Time Protocol) server, if you have one on your network.
To modify the date and time settings:
1. In the Device Setup Menu, enter 4 (Set time) and press <Enter>. The Time Setup
screen is displayed:
Figure 2-24 – Time Setup

The current day, date, system time and time zone are displayed at the top of the
screen.

2. To change the time zone, perform the following steps:

¾ Enter 1 and press <Enter>.
¾ Enter y and press <Enter>. NetEnforcer displays a list of time zones.
¾ Enter the required time zone and press <Enter>.
3. To change the system time, perform the following steps:
¾ Enter 2 and press <Enter>.
¾ Enter the new date and time in the format DD-MM-YYYY -HH-mm. For
example, 12-02-2003-11-20 for 12th February 2003, 11:20 am.
¾ Press <Enter> to set the time.
Changing the Root User Password

You can change the root password that provides access to super-user rights.
To change the root password:

1. Use the supplied serial cable to connect the terminal to the Console connector on the
front panel of NetEnforcer.
2. Ensure NetEnforcer is powered up. Refer to Powering Up NetEnforcer, page 2-34.
3. At the terminal, access a Microsoft DOS window, and at the C:\ prompt, enter
Telnet (IP address of NetEnforcer). Press <Enter>. The system boots up and you
are prompted for a login and a password.
4. Enter root for the login and bagabu for the password, and then press <Enter>.
5. Enter passwd and then press <Enter>.
6. Enter a new password and press <Enter>. The password must be between 5 and 8
characters. You can use a combination of upper and lower case letters and numbers.
7. Re-enter the new password and press <Enter>.
CAUTION:
If you forget this password, contact Allot Customer Support.

When all necessary parameters are set, NetEnforcer prompts you to reboot. After
rebooting is completed, NetEnforcer is ready to be connected and to add Quality of
Service in your network.
TIP:
You can further protect the access to NetEnforcer by limiting the hosts that are allowed to manage the unit.
To configure the allowed host list, refer to Access Control in Chapter 4, Configuring NetEnforcer.
Configuring Via the LCD Panel

The LCD panel enables you to configure basic NetEnforcer parameters without
connecting a terminal. This enables quick and easy setting of basic parameters such as
the IP address of NetEnforcer as well as NIC settings for the Management port.
When you are not configuring NetEnforcer, the display area in the LCD panel indicates
its default view, which is the current inbound and outbound bandwidth usage. The units
are in Mbps with one digit after the point and the display is refreshed every five
seconds.
NOTE:
When you are configuring NetEnforcer and there is no activity for more than 30 seconds, the display area
returns to the default view and any modifications to parameters that were not saved, are lost.
Main Menu
The LCD panel provides one main menu from where you can perform the following
operations:
• Configure NIC settings for the Management port, page 2-46.
• Set the NetEnforcer IP address, page 2-47.
• Activate Bypass, page 2-48.
• Reboot, shutdown or exit NetEnforcer, page 2-49.

The illustration below is a list of the main menu options from the LCD panel.
1. NIC_Setting
2. Setup_IP Setup IP Menu
2-1 Set_IP
3. Bypass 2-2 Set_Mask
2-3 Gateway
4. Reboot
5. Shutdown
6. Exit
In order to start working with NetEnforcer, press the Power button on the LCD panel.
Once the system has completed loading, the display area of the LCD indicates its
default view, the current bandwidth consumption of NetEnforcer. For example:
Inbound: XX.XM
Outbound: YYY.YM
You can now proceed to configure NetEnforcer, as required.
NOTE:
If QoS functionality is not included in your NetEnforcer (not enabled by your activation key), the default
view indicates the following: Inbound:-, Outbound:-.

Configuring NIC Settings for the Management Port

Configuring NIC settings enables you to configure the Management port to either
automatically sense the direction and speed of traffic, or use a predetermined duplex
type and speed.
To configure NIC settings for the Management port:

1. With the display area displaying the default view, press the Select button. The main
menu is displayed as follows:
Main menu:
1. NIC Setting
2. Press the Select button. The display area indicates the following:
Mode: [A]uto or
[F]ull/[H]alf du
NOTE:
The cursor blinks at the current setting.
3. Use the arrow buttons to select the duplex type for the Management port and press
the Enter button. The display area indicates the following:
Speed: [A]uto or
[100]/[10] Mbps
4. Use the arrow buttons to select the link speed of the Management port and press the
Enter button. The display area indicates the following:
[S]ave/[C]ancel
5. Use the arrow buttons to select whether to save the settings or cancel and press the
Enter button. The new NIC settings are applied and after a few moments, the
display area displays its default view, the current bandwidth consumption.

Setting the NetEnforcer IP Address

Setting the NetEnforcer IP address enables you to specify the IP address, netmask and
default gateway for NetEnforcer.
To configure the IP address:

1. With the display area displaying the default view, press the Select button. The Main
menu is displayed.
2. Press the down arrow once to display the following:
Main menu:
2. Setup IP
2-1.Set IP:
xxx.xxx.xxx.xxx (the current IP address definitions are displayed)
4. Specify the IP address of NetEnforcer. Use the up and down arrow buttons to select
the required number and the left and right arrow buttons to move between the digits.
5. Press the Enter button. The display area indicates the following:
2-2.Set mask:
xxx.xxx.xxx.xxx (the current netmask definitions are displayed)
6. Specify the netmask of NetEnforcer. Use the up and down arrow buttons to select
the required number and the left and right arrow buttons to move between the digits.
2-3.Gateway:
xxx.xxx.xxx.xxx (the current gateway definitions are displayed)
8. Specify the IP address of the default gateway. Use the up and down arrow buttons to
select the required number and the left and right arrow buttons to move between the
digits.

[S]ave/[C]ancel
10. Use the arrow buttons to select whether to save the settings or cancel and press the
Enter button. The new IP and gateway settings are applied and after a few moments,
the display area displays its default view, the current bandwidth consumption.
Activating Bypass
This section describes how to activate Bypass mode.
To configure a Bypass:
menu is displayed.
2. Press the down arrow three times to display the following:
Main menu:
3. Bypass
3. Press the Select button. If the system is not in Bypass mode, the display area
indicates the following:
Go into Bypass?
[Y]es/[N]o
4. Use the arrow buttons to select whether to enter Bypass mode and press the Enter
button. NetEnforcer switches to Bypass mode and after a few moments, the display
area displays its default view, the current bandwidth consumption.
NOTE:
When the system is already in Bypass mode, you are prompted to select whether to exit Bypass mode.
Use the arrow buttons to select whether to exit Bypass mode and press the Enter button.

Rebooting, Shutting Down and Exiting NetEnforcer

You can reboot or shut down NetEnforcer and exit from LCD configuration as required.
To reboot NetEnforcer:
menu is displayed.
2. Press the down arrow four times to display the following:
Main menu:
4. Reboot
Reboot?
[Y]es/[N]o
4. Use the arrow buttons to select whether to reboot NetEnforcer and press the Enter
button. NetEnforcer reboots and the display area indicates the following:
System
Rebooting * (blinking asterisk)
NOTE:
This message is also displayed in the display area when NetEnforcer is rebooted using a terminal.
To shutdown NetEnforcer:
menu is displayed.
2. Press the down arrow five times to display the following:
Main menu:
5. Shutdown

Shutdown?
[Y]es/[N]o
NOTE:
Pressing the Power button on the LCD panel at any time while NetEnforcer is powered on displays this
option.
4. Use the arrow buttons to select whether to reboot NetEnforcer and press the Enter
button. NetEnforcer reboots and the display area indicates the following:
System
Shutting down * (blinking asterisk)
After a few seconds, the display area indicates that NetEnforcer may be powered off.
NOTE:
This message is also displayed in the display area when NetEnforcer is shutdown using a terminal.
To power up NetEnforcer after a shutdown, press the Power button on the LCD panel.
To exit NetEnforcer:
menu is displayed.
2. Press the down arrow six times to display the following:
Main menu:
6. Exit
3. Press the Enter or the Select button. The display area displays its default view, the
current bandwidth consumption.

Failure Indications
The following cases of failure may be indicated in the display area of the LCD panel:
Message Option Description
NIC definitions NIC setting 1. Validity check failed (auto mode and
save failed non auto speed or vise versa)
2. System error (missing files)

Fail: IP get IP setup Failed retrieving IP (system error)
Chk NE IP config
Fail: IP save IP setup Failed saving IP
Chk NE IP config
Fail: Mgnt save IP setup Failed saving IP
Chk NE IP config
Fail: MASK save IP setup Failed saving netmask
Chk NE IP config
Fail: GW save IP setup Failed saving gateway
Chk NE IP config


Chapter 3: Getting Started
This chapter explains how to connect to your client management station and provides an
overview of the NetEnforcer interface. It also describes how to install the Java Plug-in.

Accessing NetEnforcer, page 3-1, describes how to access NetEnforcer from your Web
browser.
Java, WebStart and the NetEnforcer User Interface, page 3-3, describes how to
install the Java 1.4.2 JRE, which is a prerequisite for running the NetEnforcer
application.

Accessing NetEnforcer
Once you have completed the initial setup, as described in the previous chapter, you can
access NetEnforcer via your Web browser. The first time that you connect to
NetEnforcer, you may be prompted to install Java plug-in 1.3.1. Refer to Installing the
Java Plug-in 1.3.1, page 3-3, for further information.
To connect to NetEnforcer:
1. Open your browser, and enter http://(IP address of NetEnforcer). The NetEnforcer
Log On dialog box is displayed:
Figure 3-1 – NetEnforcer Log On Dialog Box
2. In the User Name field, enter admin and in the Password field, enter allot or the
password that was established at setup. This is the default user name and password.
They may be different if you changed them during the initial configuration. Refer to
the Setting Up NetEnforcer section in Chapter 2, Installing NetEnforcer.
3. Click Log On. The NetEnforcer Control Panel is displayed.
NOTE:
It may take a few moments to display the Control Panel.

Java, WebStart and the NetEnforcer User

Interface
NetEnforcer 6.1.1. works with a technology known as WebStart from Sun
Microsystems. WebStart enables you to run the NetEnforcer User Interface software by
simply double-clicking an icon on your computer’s desktop. This mode of operation is
more convenient than having to access the NetEnforcer User Interface through an
Internet browser.
Installing Java 1.4.2 JRE

The Java 1.4.2 JRE must be installed on your computer as a prerequisite to working
with the NetEnforcer User Interface.

To install Java 1.4.2. JRE:

1. Open your Internet browser, and access http://<your-netenforcer-address-here>. The
following window is displayed.
Figure 3-2 – NetEnforcer Control Panel

2. Click the Install Java 1.4.2 JRE first link. The following window is displayed.
Figure 3-3 – Java JRE Downloads
3. Click on the appropriate link and follow the on-screen instructions to install the Java
1.4.2 JRE on your computer.

Initializing WebStart
1. With the Java 1.4.2 JRE installed, access http://<IP address of NetEnforcer> once
again. The Java Web Start window is displayed.
Figure 3-4 – NetEnforcer Java Web Start Window
When the loading process is complete, the Security Warning is displayed, prompting
your to confirm that you want to allow NetEnforcer User Interface software access
to your computer.
Figure 3-5 – Security Warning

2. Click Start to continue. The NetEnforcer Desktop Integration window is displayed.
Figure 3-6 – NetEnforcer Desktop Integration
3. Select Yes to place a shortcut icon on your desktop
4. To access the NetEnforcer, double-click the shortcut icon on your desktop.

The NetEnforcer Log On window is displayed.
Figure 3-7 – NetEnforcer Log On Window

Automatic Updates
One of the benefits of WebStart is that future NetEnforcer software updates are
transparent to you when accessing the NetEnforcer User Interface. Simply continue to
double-click the icon to access the NetEnforcer.
Managing Multiple Devices

If you intend to manage multiple NetEnforcers, follow the above procedure for each
NetEnforcer. A separate NetEnforcer WebStart desktop icon will be added for each
NetEnforcer.
WebStart Coexistence with Java 1.3.x Plugins From

Earlier Versions
You can use the same computer to manage earlier versions of a NetEnforcer based on
Java Plugin 1.3.x together with a NetEnforcer based on Java 1.4.2 JRE, however you
need to be aware of fact that installing Java 1.4.2 JRE on a computer that already has a
Java 1.3.x Plugin prevents the Java Plugin 1.3.x –based NetEnforcer User Interface
from working correctly. To ensure that both systems can work correctly, the Java 1.4.2
JRE must be installed before the Java 1.3.x Plugin. If your computer already has a Java
1.3.x Plugin installed, you should uninstall it before installing the Java 1.4.2 JRE (as
discussed in this section) and then re-install the Java 1.3.x Plugin.
WebStart Application Manager

After installing the Java 1.4.2 JRE, a Java Web Start shortcut icon is displayed on your
desktop.
Double-clicking the icon, , displays the Java Web Start Application Manager.

Figure 3-8 – Java Web Start Application Manager
A list of NetEnforcer applications downloaded is displayed in the window. To launch

the NetEnforcer User Interface from this window, select the application and click Start.
Troubleshooting
In the event that the NetEnforcer User Interface fails to load, consider the following
actions:
• Verify that popup blocking is disabled in the browser, or, alternatively, that it is
disabled for the NetEnforcer address.
• For Internet Explorer users, disable the Empty Temporary Internet Files folder
when browser closed option as follows:
(a) From the Tools menu, select Internet Options. The Internet Options window
is displayed.
(b) Select the Advanced tab.

(c) In the Security area, verify that the Empty Temporary Internet Files folder
when browser closed checkbox is not selected.
(d) Click OK to close the dialog, and attempt to access the NetEnforcer through
the browser.
• In Internet Explorer, make sure the browser cache file is not saturated:
(a) From the Tools menu, select Internet Options. The Internet Options
window is displayed.
(b) In the Temporary Internet files area, click Delete Files.
(c) Select the Delete all offline content checkbox and click OK.
(d) Click OK to close the Internet Options window.
• Consider using another browser, e.g. Mozilla Firefox.
• If the problem still persists, the NetEnforcer can still be accessed from the WebStart
Desktop Manager, as follows:
(a) Double-click the Java Web Start icon on the desktop.
(b) In the Location field, type:
http://<ip-addr>/pmx.jnlp
where <ip-addr> is the IP address of the NetEnforcer.
(c) Press Enter.
(d) Click Start.

Appendix A: Hardware Specifications
This appendix lists the hardware specifications for all NetEnforcer models.
Dimensions
Standard 2U by 19-inch, rack mountable
Height 3.46 in (87 mm)
Width 17.22 in (438 mm)
Depth 11.81 in (300 mm)
Weight 18.2 lbs (8.3 kg)
Power Requirements
AC Supply option
Input Voltage 100 - 240 V AC
Frequency 50/60 Hz
Current 2-1A
Power consumption 80 W
DC Supply option
Input Voltage 48 / 60 V DC
Current 6/4A
Power consumption 80 W
NetEnforcer AC-1000 Series Installation Guide A-1

Operating Environment
Temperature 32° F to 104° F (0° to 40° C)
Humidity 5% to 95% (non condensing)
Heat Dissipation 273 BTU/Hour
EMI Residential, commercial and
light industry.
Standards, Compliance and Certifications

All NetEnforcer models hold certificates and comply with the standards listed
below.
EMC
• EMC Directive 89/336/EEC, article 7(1)
• EN 55022:1998+A1(00) class A
• EN 61000-3-2:1995_A1(98)+A2(98)
• EN 61000-3-3:1995
• EN 55024:1998+A1(01)
• FCC 47 CFR part 15, subpart B, class A
• ICES-003:1997, class A
• VCCI:2002, class B
• NEBS: GR-1089-Core*
A-2 NetEnforcer AC-1000 Series Installation Guide

Safety
• IEC 60950:1999 with Japanese deviations
• EN 60950:2000
UL
• 1950 NetEnforcer UL File number: E206586
• CAN/CSA C22.2 No.60950-00 * UL 60950, third edition
Environmental
• ETS 300 019-2-2 T 2.1
• ETS 300 019-2-3 T 3.1
• * NetEnforcer is designed to meet these standards.
NetEnforcer AC-1010 Installation Guide A-3

A-4 NetEnforcer AC-1000 Series Installation Guide

Appendix B: Fail-Safe Operation
This appendix describes the fail-safe operation implemented in NetEnforcer.

NetEnforcer has two fail-safe features that ensure proper and continuous network
function: Bypass and Serial Redundancy.
NetEnforcer AC-1000 series utilizes an external Bypass module that connects the
Internal connector to the External connector in the case of a subsystem failure in
NetEnforcer or a power loss. This mechanism ensures that traffic continues to pass
through the passive elements of NetEnforcer should any hardware or software problem
occur.
Serial Redundancy is a backup mechanism that handles the failure of a network device,
and ensures that the network continues to function. Serial Redundancy is provided by
connecting two NetEnforcers in parallel. The Primary NetEnforcer handles the traffic
and the Secondary NetEnforcer is designed to be in Standby mode as long as the
Primary NetEnforcer is active. Only if, for any reason, the Primary NetEnforcer is not
able to function properly, does the Secondary NetEnforcer become active.
When NetEnforcer is in Serial Redundancy mode, Bypass mode will be activated, in the
event that both the Primary and Secondary NetEnforcer systems fail.
As part of the fail-safe considerations, power redundancy is also provided.
NetEnforcer AC-1000 Series Installation Guide B-1

Bypass Mode
The AC-1000 series comes with an additional Bypass module - a Fiber Bypass, a
Copper Bypass or a Double Fiber Bypass.
CAUTION:
The Bypass module is a mission-critical subsystem designed to handle the failure of a

network device and still ensure that the network functions properly. The Bypass module
provides "connectivity insurance" in the event of a NetEnforcer subsystems failure.
NetEnforcer is factory configured to ensure normal network operation during power
loss and other critical hardware and software failure.
The Bypass module works by shorting the Internal interface to the External interface.
While the NetEnforcer is bypassed, all traffic goes through passive elements only.
When the system goes into Bypass mode, the status indicators immediately indicate it,
in the following way:
• The Active LED on the front panel of NetEnforcer turns OFF.
• The Standby LED on the front panel of NetEnforcer is OFF.
• The Mode LED on the Bypass module turns OFF.
For more information regarding the status indicators, refer to Chapter 2, Installing
NetEnforcer.
B-2 NetEnforcer AC-1000 Series Installation Guide

Bypass Initiation
When a single NetEnforcer is installed, it will go into Bypass mode under the following
conditions:
• Upon a subsystem failure.
• During the booting of NetEnforcer.
• Upon any NetEnforcer power feed failure and power OFF conditions.
• When the Bypass module is not connected properly to the NetEnforcer Backup
connector, even with all other connectors fully plugged.
Please note that NetEnforcers in serial Redundancy configuration that have gone into
Bypass mode indication upon a subsystem failure will not restart automatically. It is
recommended to perform a reboot.
NOTE:
NetEnforcer, in standalone configuration, reinitializes the Ethernet link upon detection of the Ethernet
cable's disconnection.
Fiber Bypass and TAP for the AC-1000 Series

‘Monitoring only’ or TAP mode enables the operator to install and use NetEnforcer in a
listen-only mode. Using this mode has the following benefits:
• It enables listening to network traffic without active interference in the network
activity.
• It enables gradual installation of NetEnforcer – first without active interference and
later with policy enforcement.
TAP mode can only be operated from a NetEnforcer AC-1000 with a Fiber interface
that works with a Fiber Bypass module or a Double Fiber Bypass module.
CAUTION:

IMPORTANT NOTE:
To work properly, NetEnforcer and the Bypass module have to be fully plugged and connected before
power is turned on.
The Fiber Bypass module works in conjunction with the NetEnforcer AC-1010 models
with a Fiber interface and the Double Fiber Bypass module works in conjunction with
the NetEnforcer AC-1020 models with a Fiber interface.
The Fiber Bypass module for the AC-1010 Fiber models is shown below.
To Internal Network To Secondary NetEnforcer

Connector Backup Connector
To External Network Fiber Cable To Primary NetEnforcer

Connector Connector
Figure B-1 – Fiber Bypass Module
A separate NetEnforcer Fiber Bypass package is included with your AC-1000 shipment.
An optional Fiber TAP package is shipped with your AC-1000 shipment. The Fiber
TAP package includes two Multimode Couplers.

Each Coupler has three built-in Multimode fiber cables with SC connectors. One side of
the coupler has a single Multimode fiber that is marked as Tx, and on the other side,
there are two built-in Multimode fiber cables marked as Rx [1] and Rx [2].
Figure B-2 – Multimode Coupler Unit
IMPORTANT NOTE:
The Multimode Coupler is not a standard part of the NetEnforcer AC-1000 series.

Connecting the Fiber Bypass and the TAP

The following procedure describes how to connect the Fiber Bypass module and the
TAP to NetEnforcer AC-1010. The procedure contains circled numbers, for
1
example, , relating to reference numbers used in the following diagram.
Figure B-3 – Connecting NetEnforcer AC-1010 to Fiber Bypass and TAP
To connect the Fiber Bypass to the AC-1010:
1. Connect the fiber cable labeled External from the Bypass module 7 , to the External
1
port on NetEnforcer .
2. Connect the fiber cable labeled Internal from the Bypass module 7 , to the Internal
2
port on NetEnforcer .

8 3
module , to the Backup port on NetEnforcer .
4. Connect the first Multimode coupler as follows:
• Connect the coupler Tx fiber optic cable to the Tx output of a 1 Gbps router
(1000Base-SX port).
• Connect the coupler Rx [1] fiber optic cable to the Rx input of a 1 Gbps switch
(1000Base-SX port).
• Connect the coupler Rx [2] fiber optic cable to the External Rx input of the Fiber
bypass module (5).
5. Connect the second Multimode coupler as follows:
• Connect the coupler Tx fiber optic cable to the Tx output of a 1 Gbps switch
(1000Base-SX port).
• Connect the coupler Rx [1] fiber optic cable to the Rx input of a 1 Gbps router
(1000Base-SX port).
• Connect the coupler Rx [2] fiber optic cable to the Internal Rx input of the Fiber
bypass module (6).
NOTE:
In you have an AC-1020 model, adapt the above procedure to connect both Link 1 and Link 2.

Connecting Two NetEnforcers in Serial

Redundancy
Failure of a network device can be catastrophic, causing network downtime and lost
business. The key to designing any mission-critical network is to recognize that these
failures can occur, and to design a network that can handle failures and still allow the
network to function. In order to do this, it is important to use the most reliable
equipment, with redundancy built in to all mission-critical equipment.
NetEnforcer can operate to provide serial Redundancy. Serial Redundancy requires two
NetEnforcer systems and a double Bypass module.
The Primary NetEnforcer handles the traffic and the Secondary NetEnforcer is
configured to be in Standby mode as long as the Primary NetEnforcer is active. The
Secondary NetEnforcer becomes active only if, for any reason, the Primary NetEnforcer
is unable to function properly.
Status Indicators in Serial Redundancy Mode

When operating in serial Redundancy mode, two NetEnforcer units are connected in
serial to the Copper or Fiber Bypass module. The Primary NetEnforcer unit is
connected to the Primary port of its Bypass module. The Secondary NetEnforcer unit
connected to the Secondary port of its Bypass module. During operation, the LED
indicators on NetEnforcer and on the Bypass module give various readings. The LEDs
relevant to operations in Serial Redundancy mode are the Standby, Active and Power
LEDs on the NetEnforcers LCD panel, and the Mode LED on the Bypass modules.

The modes of operation of the indicators are described in the following table:
Standby Active Power Mode Analysis
LED LED LED LED
(Bypass)
Primary OFF ON ON ON Primary NetEnforcer is
Unit in Active mode.
Secondary ON OFF ON OFF Secondary NetEnforcer
Unit is in Standby mode,
ready to take over.
Primary ON OFF ON OFF Primary NetEnforcer

Unit fails or is now booting.
Secondary OFF ON ON ON Secondary NetEnforcer

Unit took over and is now in
Active mode.
Primary OFF OFF OFF OFF Primary NetEnforcer is

Unit powered OFF.
Secondary OFF ON ON ON Secondary NetEnforcer

Unit took over and is now in
Active mode
Primary OFF ON ON ON Primary NetEnforcer is

Unit in Active mode.
Secondary OFF OFF OFF OFF Secondary NetEnforcer

Unit is not powered ON. The
only fail-safe mode
available now is Bypass.
Primary OFF OFF ON OFF Primary NetEnforcer

Unit failed or did not
complete booting.

Standby Active Power Mode Analysis

LED LED LED LED
(Bypass)
Secondary OFF OFF ON OFF Secondary NetEnforcer
Unit failed or did not
complete booting.
Bypass is now active
and all traffic is going
through Bypass.
Table B-1 – LED Conditions: NetEnforcer and Bypass, Serial Redundancy Mode
Secondary NetEnforcer Activation

When two NetEnforcers are connected in serial redundancy configuration, the
Secondary NetEnforcer will take control and become the active unit under the following
conditions:
• Upon a Primary subsystem failure.
• During booting of the Primary NetEnforcer platform. When booting is completed,
the Primary unit automatically takes control again.
• Upon any Primary NetEnforcer power feed failure and power OFF condition.
• Upon the Primary NetEnforcer Ethernet cable disconnecting from either the Internal
or External ports. After reconnecting the cable and rebooting, the Primary
NetEnforcer takes control again.
• When the Bypass module is not connected properly to the NetEnforcer Backup
connector, even with all other connectors fully plugged.

Primary and Secondary Definitions

The NetEnforcer can be connected to a bypass unit Primary or Secondary ports via a
backup cable. The connector indicates whether the NetEnforcer and Bypass function as
Primary or Secondary. No other settings are required in order to distinguish Primary
from Secondary.
Serial redundancy configuration requires an additional proprietary backup cable to
connect the Primary NetEnforcer to the Secondary NetEnforcer. The cable which can be
ordered from Allot is different then the standard backup cable used to connect the
NetEnforcer to the Bypass.
The Secondary connector on the Primary Unit bypass should be connected to the
Primary connector on the Secondary unit bypass.
In addition, in order to enable serial redundancy, the following command should be
entered via the NetEnforcer CLI “acmode +redund (cr)”. Executing the command is
required on both NetEnforcers, Primary and Secondary.
NOTE:
A Backup cable is included with the accessory cables, and it can be ordered from Allot Communications.
A Primary configuration is indicated by LEDs, as follows:

• The Active LED on the front panel of NetEnforcer is ON.
• The Standby LED on the front panel of NetEnforcer is OFF.
A NetEnforcer that is connected to the Secondary connector of its Bypass module is
automatically configured to act as the Secondary system.
A Secondary configuration is indicated by LEDs, as follows:
• The Standby LED on the front panel of NetEnforcer is ON.
• The Active LED on the front panel of NetEnforcer is OFF.

The following diagram shows the layout of Serial Redundancy setup.
Figure B-4 – Serial Redundancy Setup for NetEnforcer AC-1010
If the Primary system fails, the Secondary system automatically takes control of the
traffic, and enables its External interface. The following shows how the LEDs indicate
the Secondary system status change:
• The Standby LED of the Secondary system will turn off.
• The Active LED of the Secondary system stops blinking and turns ON.

To connect two NetEnforcers in Serial Redundancy:

Before using NetEnforcers in Serial Redundancy mode, make sure that the
configuration of both NetEnforcers is identical; except for their IP addresses, which
must be unique for each unit. You can use the Save & Distribute option to distribute
the same QoS policy to both NetEnforcers. For more information, refer to NetEnforcer
AC-1000 Series User Guide.
NOTE:
You can distribute policy to other NetEnforcers, only if they are of the same model as the one from which
you are distributing.
After ensuring identical configuration, test each NetEnforcer (while connected to the
network as a single device) and verify that they are operating identically to one another.
1. Designate one of your NetEnforcers to be the default Primary, and connect the end
of the Backup cable marked Primary to the Primary connector of the Primary Bypass
module.
2. Connect the other end of the backup cable to the Secondary connector of the
Secondary Bypass module.
NOTE:
For more information, see Bypass Modules in Chapter 2, Installing NetEnforcer.
3. Ensure that the status indicators of both systems are indicating that the systems are
configured correctly, as follows:
• The Active LED of the Primary NetEnforcer is ON.
• The Standby LED of the Primary NetEnforcer is OFF.
• The Active LED of the Secondary NetEnforcer is OFF.
• The Standby LED of the Secondary NetEnforcer is ON.

Power Redundancy
NetEnforcer includes two hot-swappable power supply modules and a dual line feed for
Redundancy purposes. Each line feed is driving one power supply. It is recommended to
connect the two power line feeds to separate power sources to have full power
redundancy.
Should you need to, you can replace one of the power supplies while NetEnforcer is
connected and operating. Replacing a power supply, while the unit is operating, is
possible since the remaining power supply will take the full load and maintain full
operation.
• If one power module fails or turns OFF, the other module will take over the load.
• When the power supply output is short to GND, it will shut down. Auto recovery is
possible when the short circuit condition is removed.
• Each module has over voltage and short circuit protection.

Appendix C: NetEnforcer Port Reference
This appendix describes the required ports for NetEnforcer.
Firewall Ports
If your NetEnforcer is working behind a firewall, the following ports must be opened on
the firewall to enable access to the NetEnforcer management functions:
Firewall Port Gives Access To

TCP Port: 23 Telnet
TCP Port: 80 Web Server/GUI
TCP Port: 56000 Internal Accountant GUI

Access
TCP Port: 51000 Policy Editor GUI Access
TCP Port: 52000 Monitoring GUI Access
TCP Port: 53000 Alerts GUI Access

TCP Port: 53306 MySQL Access
TCP Port: 56000 External Accounting Data
Transfer Access
NetEnforcer AC-1000 Series Installation Guide C-1

Appendix C: NetEnforcer Port Reference
If you want to use secure transmission methods, the following ports must be opened:
Firewall Port Gives Access To

TCP Port: 443 Encrypted HTTP (HTTPS)
TCP Port: 22 SSH (Encrypted Telnet)
C-2 NetEnforcer AC-1000 Series Installation Guide

Appendix D: Rack Mounting Installation
The NetEnforcer and the Bypass module may be mounted in an open or closed
standard 19-inch (48.26 mm) rack using the rack-mount bracket kit. This
appendix describes how to prepare the device and rack for installation and
how to mount the device in the rack.
Preparing the NetEnforcer for Rack Installation

Attach the mounting brackets of the device included in the NetEnforcer
accessory kit to both sides of the device using all eight Phillips pan-head
screws included in the NetEnforcer accessory kit. Insert the screws into the
holes on both sides of the device.
Prepare the Bypass Module for Rack Installation

Use a Philips screwdriver to remove the six Phillips flat-head screws from
each side of the Bypass module device.
Attach the mounting brackets of the Bypass module included in the Bypass
accessory kit to both sides of the device. Re-insert the flat-head screws into
the holes from which the screws were removed.
Rack Mechanical Loading

When mounting the device in the rack, ensure that a hazardous condition does
not result due to uneven mechanical loading.
Ambient Temperature
The device has a maximum operation ambient of 104° F (40° C). The ambient
temperatures around the rack should not exceed this temperature.
NetEnforcer AC-1000 User Guide D-1

Airflow
To ensure proper cooling, airflow should be unrestricted within or around the
rack. Keep the area four to six inches behind the enclosure unobstructed.
Make sure that there is proper airflow around all of the NetEnforcer's vent
openings.
CAUTION:
The NetEnforcer unit has multiple power sources; disconnect all power before servicing.
Connection to AC Supply
Power supply cords are intended to serve as the disconnect device. The user
can power down the device only by removing the two-power cords from the
power source or the device itself.
CAUTION:
Make sure the wall socket outlet is installed near the equipment and that the socket is easy to
access.
It is recommended that the wall socket outlet be connected to the building installation
protection.
When connecting NetEnforcer to 120 / 240 VAC supply, plug into 10 A service receptacles,
type N5/10 or NEMA 5-10R.
Ensure that each site has a suitable ground. Ground all metal racks,
enclosures, boxes and raceways. The NetEnforcer equipment should be
reliably grounded through the power supply cord.
Connection to DC Supply
Unit is intended for RESTRICTED ACCESS LOCATIONS in accordance
with NEC (National Electric Code) or the authority having jurisdiction.
Power supply cable comprises two sets of 2x14 AWG copper wire; use UL-
listed cable only.
D-2 NetEnforcer AC-1000 User Guide

When connecting NetEnforcer to 48/60 VDC supply, use a UL-listed 10A

circuit breaker between the centralized DC power system and NetEnforcer
power entry module as the disconnect device incorporated in the fixed wiring.
The circuit breaker must be close to the NetEnforcer and easily accessible.
The DC supply source is to be located within the same premises as this
equipment. There shall be no switching or disconnecting devices in the
earthed circuit conductor between the DC source and the point of connection
of the grounding electrode conductor.
Reliable Grounding
CAUTION:
NetEnforcer equipment has a connection between the earthed conductor of the DC supply
circuit and the grounding conductor.
Connect to a reliably grounded SELV source. Grounding is achieved through

connection of the power entry module grounding terminal to one power port
of the terminal block by min. No. 14 AWG green/yellow conductor.
This equipment shall be connected directly to the DC supply system
grounding electrode conductor or to a bonding jumper from an grounding
terminal bar or bus to which the DC supply system grounding electrode is
connected.
When connecting the supply wires to the DC main supply, the earth conductor
is connected first and disconnected last.
This equipment shall be located in the same immediate area (such as, adjacent
cabinets or any other equipment that has a connection between the earthed
conductor of the same DC supply circuit and the grounding conductor, and
also the point of grounding of the DC system. The DC system shall not be
earthed elsewhere.
NetEnforcer AC-1000 User Guide D-3

D-4 NetEnforcer AC-1000 User Guide

Appendix E: Glossary
This appendix defines the terms used throughout the guide.
Glossary of Terms
Access Control
An action that specifies the access for a connection. You can select the Access
Control to accept, drop, or reject a connection.
Access Link
Internal and External logical interfaces. Access links may be smaller or equal to the
Ethernet Adapter values.
Action
The operation performed on a connection once it matches a rule. A combination of
Access Control, QoS and Connection Control.
Address – IP
A list of logical entities representing IP Version 4 (IPv4) addresses, which are
comprised of 32 bits.
Address – MAC
A list of logical entities representing Media Access Control (MAC) addresses, which
are comprised of a 48-bit source or destination address. The source address is the
sender's globally unique device address.
Admin
The default user name for administrating NetEnforcer, with the default password
allot. It is strongly recommended to change this password.
NetEnforcer AC-1000 Series Installation Guide E-1

Admission Control
A step in every flow activation, when the required bandwidth is allocated (or not)
according to user demand (minimum bandwidth and maximum number of
connections) and system state.
ADSL
Asymmetric Digital Subscriber Line - Modems attached to twisted pair copper
wiring that transmit from 1.5 Mbps to 9 Mbps downstream (to the subscriber) and
from 16 kbps to 800 kbps upstream, depending on line distance.
Application Binding
The process of finding the correct application type for a flow (in case the flow is
TCP or UDP).
Application Recognition
The classification of protocols/applications by their unique "signature".
Application Type
The application type is defined by the destination port number.
ATM
Asynchronous Transfer Mode. This high speed network protocol is composed of 53
byte "cells" having 5 byte headers and 48 byte payloads. Because of its short packet
length, it is especially good for real time voice and video.
Backplane Watchdog Timer
The backplane internal hardware timer that initiates the bypass in case there was no
software visit (the software visit restarts the timer).
Bandwidth
A parameter that defines the rate at which data flows.
E-2 NetEnforcer AC-1000 Series Installation Guide

Blocked Queue
A queue that holds packets that are over the maximum bandwidth defined for the
connection/Virtual Channel/Pipe.
Borrowing Bandwidth
A Pipe/Virtual Channel defined with a minimum bandwidth will receive only the
minimum necessary bandwidth, even if that value falls below the guaranteed
minimum. For example, if a Virtual Channel is currently defined for 100 Kb
minimum but needs only 50 Kb, 50 Kb is all that will be reserved, and the remainder
of the bandwidth will be allocated to another Virtual Channel. This means that
unused bandwidth is never wasted.
Burst Mode
When burst size is defined, the system will allow traffic to burst for a certain amount
of time, but the average traffic for the whole period will still be bounded by the
maximum.
Cache Redirection
A network device that intercepts client HTTP requests and forwards them to one or
more cache servers.
Catalog
A list of user-defined entries used when defining Pipes, Virtual Channels and rules
in the Policy Editor.
CBR
See Constant Bit Rate.
CCITT
Consultative Committee for International Telegraph and Telephone

Central Office
A circuit switch that terminates all the local access lines in a particular geographic
serving area; a physical building where the local switching equipment is found.
xDSL lines running from a subscriber's home connect at their serving central office.
Centralized Monitoring and Accounting
Provision of centralized policy-based accounting and remote monitoring services.
The Allot Communications NetPolicy provides a comprehensive, policy-based
system that allows the network manager to define, in a concise and organized
fashion, policies that automatically effect change on specific equipment in the
network environment.
Classification
The procedure by which a flow or connection is associated to a Pipe and a Virtual
Channel. This procedure occurs every time a new flow passes through NetEnforcer.
Classification Element
Definition of partial criteria for a match to an attribute of network traffic. One rule is
a set of five classification elements or conditions. See Condition.
CLEC
Competitive Local Exchange Carrier
CO
See Central Office
CODEC
An abbreviation for coder/decoder. Specifically it converts a voice grade analog
signal to u-law or A-law encoded samples at an 8KHz sampling rate. DSL bypasses
the CODECs at the central office by separating the frequencies in a POTS splitter
and passing the DSL signal to a DSLAM, the DSL equivalent of a CODEC.

COC
See Connection Control.
Condition
A criteria with which to classify traffic. Conditions include Connection Source,
Connection Destination, Service, ToS, and Time.
Connection
A flow from a source to a destination and from the destination back to the source.
Connection Control
Defines whether a flow is directed to Load balancing, cache redirection, or
pass as is.
Connection Control Catalog
A Catalog that enables the user to define different load-balancing and
cache-redirection definitions.
Constant Bit Rate
Offers constant throughput. When CBR is defined, the system will not allow traffic
to exceed the maximum boundary defined.
Constant Connection
Offers constant throughput. When CBR is defined, the system will not allow traffic
to exceed the maximum boundary defined.
Content Inspection
The ability to analyze packet content on a per-flow basis. This feature is the
capability to filter packets per user’s content requests. Content based packet
classification is based on any combination of source address, destination address,
protocol, type, or content URL, including URL patterns.

CPE
See Customer Premise (or Provided) Equipment
CSU
Channel Service Unit
Customer Premise (or Provided) Equipment
A wide range of customer-premises terminating equipment which is connected to the
local telecommunications network. This includes telephones, modems, terminals,
routers, settop boxes, etc.
Delay
Specifies the maximum delay that a packet stays in NetEnforcer. If the packet
exceeds this delay, the packet is discarded.
DDoS Attack
Distributed Denial of Service Attack. These attacks are more intense and damaging
than DoS attacks. In DDoS attacks, multiple machines unknowingly participate in an
attack against a single host target.
DHCP
Dynamic Host Configuration Protocol. Used for automated allocation, configuration
and management of IP addresses and TCP/IP protocol stack parameters.
DCE
Data Communication (or Circuit-Terminating) Equipment
Digital Gateway to IP
Digital Gateway to IP provides a seamless, dedicated connection to the Internet,
utilizing available channels on the customer's channeled T1 local access. It allows
increased usage of their local access by providing multiple services over a single
facility and the ability of designating multiple DS0 channels on the T1 access for
voice, data, and Internet.

DSL
Digital Subscriber Line - Modems on either end of a single twisted pair wire that
delivers ISDN Basic Rate Access.
DSLAM
Digital Subscriber Line Access Multiplexer
DSU
Data Service Unit - A digital interface device that connects end user data
communications equipment to the digital access lines, and which provides framing
of sub-64Kbps customer access channels onto higher rate data circuits. A DSU may
be combined with a CSU into a single device called a CSU/DSU. See Channel
Service Unit/Data Service Unit.
DTE
Data Terminal (or Termination) Equipment Typically the device that transmits data
such as a personal computer or data terminal.
DoS Attack
Denial of Service Attack. Most DoS attacks are overloading servers with redundant
traffic. All servers can handle traffic volume up to a maximum, beyond which they
become disabled.
Drop
All packets are dropped. The user is disconnected and may see the message
Connection timed-out.

Flow
A series of packets with common attributes. Since these attributes do not change in
time, it is possible to identify a flow by its first packet only. TCP and UDP flows are
identified by the IP and port of the source and destination. Any other IP flow is
identified by the source IP, destination IP and protocol number. Non-IP flows are
identified by protocol number only. See Connection.
Flow Attribute
Data belonging to a flow that differentiates that flow from others.
Fraggle Attack
When a perpetrator sends a large number of UDP echo (ping) traffic at IP broadcast
addresses, all of it having a fake source address. This is a simple rewrite of the
Smurf code.
Guaranteed Bandwidth
A per-connection parameter, which means that every connection will be granted
“N bytes/bits per second”.
HDSL
High bit-rate Digital Subscriber Line - Modems on either end of one or more twisted
wire pair that deliver T1 speeds. At present, this requires two lines.
Host Catalog
A Catalog that enables the user to define the Connection Source and Connection
Destination, two of the classification elements or conditions of a rule. Hosts can be
network IP addresses, IP address ranges, host names, IP Subnet addresses or MAC
addresses.
Inbound Traffic
Traffic that flows into the External link and out from the Internal link.

Internet Service Provider

An entity that provides commercial access to the Internet. These can range in size
from someone operating dial-up access with a 56 kilobit line and several dozens of
customers to providers with multiple pops in multiple cities and substantial
backbones and thousands or even tens of thousands of customers.
IP Service Control
NetEnforcer, as an IP Service Control system, enables carriers to monitor IP
application traffic and subscriber traffic usage. NetEnforcer controls traffic patterns
to increase subscriber satisfaction, provides quick ROI by saving network operation
costs (for example, by managing over-subscription) and enables new revenue
sources without upgrading the network infrastructure.
ISP
See Internet Service Provider
ITU
International Telecommunications Union
IXC
Inter-exchange Carrier - Post-1984 name for long distance phone companies in the
United States. AT&T is the largest, followed by MCI and Sprint, but several more
small IXCs exist.
Java Applet
A program written in the Java™ (Sun Microsystems Inc trademark) language. The
applet's code is transferred to your system and executed by the browser's Java
Virtual Machine (JVM) (see more at: http://java.sun.com/applets/).
LEC
Local Exchange Carrier - One of the U.S. telephone access and service providers
that have grown up with the recent deregulation of telecommunications.

LOCAL LOOP
A pair of wires, moderately twisted for the entire length between the telephone
company's end office and the user premises (the common telephone set) form a loop,
so it is referred to as the local loop. This loop provides a user with access to the
global telecommunications infrastructure that is installed all over the world. DSL
extends the capability by using modern technology to increase the data rates and
distances spanned.
Light Directory Access Protocol (LDAP)
A standard communication protocol that allows clients, servers and applications to
access directory services. NetEnforcer includes an LDAP client for communication
with the LDAP directory.
Load Balancing
A mechanism that enables balancing traffic between different servers. All traffic is
directed to a single IP, but the load-balancer smartly divides the traffic between the
different servers.
Maximum Bandwidth
A parameter that defines the upper limit of the bandwidth provision of NetEnforcer,
a Pipe, a Virtual Channel or a connection. NetEnforcer ensures that the bandwidth
will not exceed this value.
Minimum Bandwidth
A parameter that defines the lower limit of bandwidth provision, and states that
NetEnforcer will provide a particular Pipe, Virtual Channel or connection with “at
least N bytes/bits per second”. NetEnforcer guarantees that the bandwidth will not
fall below this value.
Mbps
Megabits Per Second

NAT
Network Address Translation is the translation of an Internet Protocol address (IP
address) used within one network to a different IP address known within another
network. One network is designated the inside network and the other is the outside.
Typically, a company maps its local inside network addresses to one or more global
outside IP addresses and unmaps the global IP addresses on incoming packets back
into local IP addresses. This helps ensure security since each outgoing or incoming
request must go through a translation process that also offers the opportunity to
qualify or authenticate the request or match it to a previous request. NAT also
conserves on the number of global IP addresses that a company needs and it lets the
company use a single IP address in its communication with the world.
NEBS
Network Equipment Building Standards
Monitor
The default basic user name for monitoring NetEnforcer, with the default password
allot. It is strongly recommended to change this password.
MPLS
Multi-protocol Label Switching. This protocol, relevant in networking technology,
provides scalable infrastructure for the Internet. MPLS uses the concept of label
switching to create a 'virtual circuit' between two-end points. The main use of MPLS
is to create high quality VPNs (Virtual Private Networks). In addition, MPLS may
be used to allow integrated-access services such as voice/video and data over IP.
MRTG
Multirouter Traffic Grapher. The MRTG tool generates HTML pages that present
traffic statistic graphs. Using a standard Web browser, you can view pages, each
containing graphs showing daily, weekly, monthly and yearly information.
NetAccountant
An add-on software module that enhances the application performance management
and SLA/QoS enforcement capabilities of NetEnforcer with accurate data collection
and server-based reporting.

NetAccountant Reporter
Part of the NetAccountant software module. NetAccountant Reporter enables you to
create sophisticated graphical reports based on the traffic data collected by
NetEnforcer. In addition to basic reports such as "most active clients" or "top
protocols", NetAccountant Reporter offers drill down reports such as "most active
clients per a specific Pipe" or "top protocols per server."
NetHistory
A software module that enables the user to view network behavior at any time in the
past.
NIC
Network Interface Card. Located in one device and physically connected to the
Ethernet cable going into another device.
Number of Connections
The number of open connections (sessions from the software point of view) in
NetEnforcer.
OC3 & OC12
Optical Carrier Level circuits. These are ultra-fast multimeg circuits able to carry
large amounts of information such as voice/data applications. (OC3= level 3 &
OC12= level 12). For more information on these circuits, visit our OC3/OC12 page.
ODBC
Microsoft Open Database Connectivity interface. An application programming
interface (API) for database access. It uses Structured Query Language (SQL) as its
database access language.
Outbound Traffic
Traffic that flows into the Internal link and out from the External link.

P2P Applications
These "Peer-to-Peer" applications turn network clients into servers, using expensive
WAN bandwidth and potentially distributing worms throughout the network. KazaA
is a well-known P2P application.
Packets Per Second (PPS)
The number of packets that were sent by NetEnforcer in a second.
PCM
Pulse Code Modulation
POP
Point of Presence - A node of an ISP containing a DSU-CSU, terminal server and
router and sometimes one or more hosts, but no network information center or
network operations center.
PPP
Point to Point Protocol
PVC
Permanent Virtual Circuit - A frame relay logical link, whose endpoints and class of
service are defined by network management. Analogous to an X.25 permanent
virtual circuit, a PVC (often referred to as a PVC) consists of the originating frame
relay network element address, originating data link control identifier, terminating
frame relay network element address, and termination data link control identifier.
Originating refers to the access interface from which the PVC is initiated.
Terminating refers to the access interface at which the PVC stops. Many data
network customers require a PVC between two points. Data terminating equipment
with a need for continuous communication use PVCs.

Per Flow Queuing (PFQ)

Allot Communications QoS algorithm that defines a process where the scheduler
empties the queue according to each flow policy and fairness. Allot Communications
implements a smart queue scheduling algorithm, with accurate timing for receiving
and sending packets. The timing is such that the applications on both sides are within
the timing tolerances, while NetEnforcer precisely controls the bandwidth.
Allot Communications PFQ maximizes WAN link utilization and minimizes
bandwidth waste. Allot Communications utilizes standard mechanisms built in to the
TCP to maximize WAN utilization. It also uses a unique combination of PFQ and
Smart Queue Scheduling to precisely control bandwidth for both the incoming and
outgoing traffic. Policies are based on a variety of criteria, including when needed,
data located within the traffic, and so on.
Ping of Death
When an attacker sends illegitimate, oversized ICMP (ping) packets. These attacks
are targeted at specific TCP stacks that cannot handle this type of packet and
overload the victim's servers.
Pipe
A grouping of traffic defined by conditions (rules) and actions that owns
sub-groupings called Virtual Channels.
Policy
The regulation of access to network resources and services based on (business)
administrative criteria.
Policy Server
A server which administers QoS requests and sends out information necessary
(policy) to enforce QoS.
Port Number
A 16-bit integer appended to a message and passed between client and server
transport layers.

Priority
A parameter that identifies the relative importance of traffic on a particular Pipe or
Virtual Channel compared to other Pipes or Virtual Channels. Priority does not
explicitly define the speed of communication, but assigns a weight value, for
example, for every 2 bytes of priority 3, send 4 bytes of priority 7. It does not define
how long it takes to send priority 7 or priority 3 bytes.
Process Watchdog
A software process that is responsible for keeping the system in a normal operation
state. It watches the aliveness of processes and restarts a process or the whole system
when required.
QoS
See Quality of Service.
QoS Action
Defines a level of bandwidth agreement using parameters such as
minimum/maximum bandwidth, priority, and so on. You can select the QoS action
for Pipes, Virtual Channels and connections.
QoS Catalog
A Catalog that enables the user to define possible values for the QoS action.
QoS Gateway
Provision of end-to-end policy enforcement and management via standards-based
signal provisioning protocols, including Differentiated Services, ToS, RSVP, MPLS,
and 802.1P.
QoS of UDP Traffic
Allot Communications supports QoS for UDP traffic by using the token bucket
mechanism (for CBR sessions), combined with the leaky bucket mechanism (to
supply rate limits).

Quality of Service
Enforcing a network policy that will impact bandwidth, delay (jitter), or traffic
reliability.
Queuing
Method used by routers to control the flow of traffic. Packets are placed in holding
queues and retransmitted based on CBQ and WFQ algorithms. When traffic
overflows the queue, packets are discarded to reduce network congestion.
RADIUS
Remote Authentication Dial In User Services protocol. Specifies accounting, log and
analysis parameters for IP users accessing via dial in services.
RADSL
Rate Adaptive Digital Subscriber Line - A version of ADSL where modems test the
line at start up and adapt their operating speed to the fastest the line can handle.
Redundancy Configuration
A configuration in which two NetEnforcers are connected in parallel using a flat
cable. If one NetEnforcer goes down, the other one takes over immediately. One
NetEnforcer is automatically the primary system (defined by the flat cable
hardware), and the Primary and Active LEDs on the front panel are lit. The other
NetEnforcer is the secondary system, and the Secondary LED on the front panel is
lit. The flat cable is connected between the Backup connectors.
Reject
All packets are dropped. In TCP traffic, an RST packet is sent to the client and the
user may see the message Connection Closed by Server.
Reserve on Demand
A minimum bandwidth demand mode that reserves allocated bandwidth and, even if
it is not all used or required, does not provide it for other traffic.

Rule
A combination of classification elements or conditions comprised of Connection
Source, Connection Destination, Service, TOS and Time. Together these conditions
form complete criteria for classifying network traffic. Conjunction is made with the
AND operator.
Rule Matching
The process of finding the first matching rule for a flow or connection.
Schedule Queue
A queue in which the packets wait to be transmitted. The schedule is defined by the
minimum bandwidth and priority parameters.
Service
Protocol- or application-based criteria for traffic classification.
Service Catalog
A Catalog that enables the user to define possible values for the Service condition. It
includes a list of different network/transport/applications protocols defined by the
protocol number (L2, L3, L4 or L5 layer) and destination port number (L4).
Smurf Attack
When a perpetrator sends a large number of ICMP echo (ping) traffic at IP broadcast
addresses, using a fake source address. The source address will be flooded with
simultaneous replies.
SNMP
Simple Network Management Protocol. Sets up the rules for exchanging network
information through messages (which contain variables with values). The following
types of messages are defined: read, write and trap.
SOHO
Small Office Home Office - A type of DSL connection possessing qualities better
than ADSL. Designed especially for smaller businesses

Spanning Tree
A link management protocol that provides path redundancy while preventing
undesirable loops in the network.
Spoofing
When an attacker uses a fake Internet address so that the source address of an IP
packet is not the actual source. An attacker from outside of the network (meaning,
from the Internet) may send packets with a source address on the LAN. This
deceives the internal servers into identifying the attacker as a legitimate internal
network user and the internal address becomes the victim. Spoofing is used in most
of the well-known DOS attacks.
Standalone Configuration
A configuration in which only one NetEnforcer is connected to the network (in
contrast to the redundancy configuration). In case of system crash, NetEnforcer
becomes a wire, meaning that NetEnforcer continues to forward traffic without
performing policy enforcement functions.
SYN Attack
When an attacker sends a series of SYN requests to a target (victim). The target
sends a SYN ACK in response and waits for an ACK to come back to complete the
session set up. Since the source address was fake, the response never comes, filling
the victim's memory buffers so that it can no longer accept legitimate session
requests.
TELCO
Telephone Company - Generic name for telephone companies throughout the world
which encompasses RBOCs, LECs and PTTs.
Template – Virtual Channel or Pipe
A master Virtual Channel or Pipe that represents a class of Virtual Channels or
Pipes, that only differ in one of their Host catalog conditions.

Time Catalog
A Catalog that enables the user to define possible values for the Time condition.
NetEnforcer is capable of classifying traffic based on packet and time parameters.
ToS
See Type of Service.
ToS Catalog
A Catalog that enables the user to define possible values for the ToS condition.
Traffic Classification
NetEnforcer classifies traffic per IP source/destination including networks, subnets,
hostnames, list and ranges of addresses; TCP/UDP ports including lists of ports, port
ranges and HTTP header parameters; URL (including wildcards - *), methods, host
names (in the header) and FTP control to data connection correlation.
Type of Service
A byte in the IP header that defines the Type of Service that should be given to that
packet. Two types are implemented: IP Precedence bits (mostly in Cisco equipment)
or DiffServ (IETF standard). When used for IP Precedence, utilizes bits 0-2 to
signify 8 priority values 0-7. When used as DiffServ Code Point Description
(DSCP), utilizes only 6 out of the 8 bits. IP Precedence and DiffServ are prioritizing
methods for IP traffic going through the network.
By setting the Type of Service (ToS) bits in accordance with network policy,
end-to-end QoS can be achieved in a heterogeneous environment.
UBR
Unspecified Bit Rate.

UTP
Unshielded Twisted Pair - A cable with one or more twisted copper wires bound in a
plastic sheath. Preferred method to transport data and voice to business workstations
and telephones. Unshielded wire is preferred for transporting high speed data
because at higher speeds, radiation is created. If shielded cabling is used, the
radiation is not released and creates interference.
Virtual Channel
A grouping of traffic defined by conditions (rules) and actions that can be owned by
Pipes.
Virtual Connection
Class of network traffic that defines traffic classification criteria and policies.
VLAN
Virtual Local Area Network refers to LANs that are interconnected by a virtual
Layer 2. The NetEnforcer enables you to apply VLAN tags to its management
traffic. VLANs are commonly used with campus environment networks. This
enables network changes to be made without physically moving cables or
equipment.
Well-Known Ports
Some services are conventionally assigned a permanent port number. For a
well-known port list see, for example: http://www.isi.edu/in-notes/iana/assignments/
port-numbers.
Worms
This self-propagating code floods networks with email and adds Registry entries to
users' clients. Worms may be transmitted via email, sharing infected files, or via
Internet Chat. Worms take advantage of "back doors" or "holes" in popularly used
email software and operation systems. "Malicious" worms may also erase or hide
certain types of files.

Index
Copper Bypass Module, 2-20
A Connecting, 2-21
Corporate Networks, 1-3, 1-11, 1-13
Accessing
NetEnforcer, 3-2 D
B Date and Time Settings, 2-42
DoS Attacks, 1-15
Bypass, 2-2, B-1, B-2 Double Copper Bypass Module, 2-25
Activating, 2-48 Connecting, 2-26
Initiation, B-3
Bypass Module, 2-17 E
Copper, 2-20
Double Copper, 2-25 Educational Networks, 1-3
Double Fiber, 2-22
Fiber, 2-18, B-3 F
Multi-Port Copper, 2-27
Fail-Safe
C Operation, B-1
Fault Tolerance, 2-16
Cable Networks, 1-4 Fiber Bypass Module, 2-18, 2-22, B-3
CATV Providers, 1-9 Connecting, 2-19, 2-24
Configuring Firewall Ports, C-1
IP Parameters, 2-47 Front Panel
Network Parameters, 2-37 NetEnforcer, 2-7
NIC Settings, 2-46 Full Redundancy, B-1, B-8
Configuring NetEnforcer Status Indicators, B-8
Via LCD Panel, 2-44
Via Terminal, 2-35 H
Connecting
Copper Bypass Module, 2-21 Hardware Specifications
Double Copper Bypass Module, 2-26 NetEnforcer, A-1
Double Fiber Bypass Module, 2-24
Fiber Bypass Module, 2-19
Multi-Port Copper Bypass Module, 2-28
NetEnforcer to Network, 2-30
Terminal, 2-35
NetEnforcer AC-1000 Series Installation Guide I-1

Index
Protocols, C-1
I Redundancy, B-8
Scenarios, 1-5
Internet Data Centers, 1-3, 1-8 Setting Up, 2-35
Internet Service Providers, 1-3, 1-5 Shutting Down, 2-49
IP Parameters Standards Compliance, A-2
Configuring, 2-47 Technology, 1-2
Unpacking, 2-6
L Network Parameters
Configuring, 2-37
LCD Panel, 2-44 NIC Settings
Failure Indications, 2-51 Configuring, 2-46
Main Menu, 2-44
LCD Panel, 2-11 P
M Password
Changing Login, 2-41
Management Port, 2-14 Changing Root, 2-43
Multi-Port Copper Bypass Module, 2-27 Power Redundancy, B-14
Connecting, 2-28 Power Supply, 2-15
LEDs, 2-16
N Powering Up NetEnforcer, 2-33
NetEnforcer S
Accessing, 3-2
Changing Password, 2-41 Serial Redundancy, 2-16
Connecting to Network, 2-30 Setting Up NetEnforcer, 2-35
Copper Interface, 2-8, 2-9 Shutting Down NetEnforcer, 2-49
Current Configuration, 2-39 Status Indicator, 2-11
Dimensions, A-1
Environments, 1-3 T
Failure Indications, 2-51
Fiber Interface, 2-7 TAP Mode, B-3
Front Panel, 2-7 Time and Date Settings, 2-42
Hardware, 2-2
Hardware Specifications, A-1 U
LCD Panel, 2-11
LEDs, 2-11 Unpacking
Models, 2-2 NetEnforcer, 2-6
Modifying Date Settings, 2-42
Modifying Time Settings, 2-42 V
MPLS Environment, 1-6
Network Placement, 2-30 Voice and Video Applications, 1-4
Operating Environment, A-2 VPN, 1-13
Overview, 1-2
Ports, C-1
Power Requirements, A-1
Powering Up, 2-33
I-2 NetEnforcer AC-1000 Series Installation Guide

AC1000 InstallGuide 6.11

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AC1000 InstallGuide 6.11

Uploaded by

Copyright:

Available Formats

®

ii NetEnforcer AC-1000 Series Installation Guide

Americas Middle East and Africa

NetEnforcer AC-1000 Series Installation Guide iii

About This Manual

This manual contains the following chapters:

iv NetEnforcer AC-1000 Series Installation Guide

NetEnforcer AC-1000 Series Installation Guide v

CHAPTER 2: INSTALLING NETENFORCER .................................................. 2-1

vi NetEnforcer AC-1000 Series Installation Guide

CHAPTER 3: GETTING STARTED ..................................................................3-1

APPENDIX A: HARDWARE SPECIFICATIONS ............................................. A-1

APPENDIX B: FAIL-SAFE OPERATION......................................................... B-1

APPENDIX C: NETENFORCER PORT REFERENCE .................................... C-1

APPENDIX D: RACK MOUNTING INSTALLATION........................................ D-1

APPENDIX E: GLOSSARY.............................................................................. E-1

NetEnforcer AC-1000 Series Installation Guide vii

viii NetEnforcer AC-1000 Series Installation Guide

FIGURE 2-22 – CURRENT CONFIGURATION (2)............................................................................... 2-41

NetEnforcer AC-1000 Series Installation Guide ix

x NetEnforcer AC-1000 Series Installation Guide

This chapter includes the following sections:

NetEnforcer AC-1000 Series Installation Guide 1-1

Introducing the NetEnforcer AC-1000

1-2 NetEnforcer AC-1000 Series Installation Guide

NetEnforcer AC-1000 Environments

NetEnforcer AC-1000 Series Installation Guide 1-3

• Cable Networks: NetEnforcer controls traffic flows to and from cable-based

1-4 NetEnforcer AC-1000 Series Installation Guide

NetEnforcer Usage Examples

Scenario 1: Internet Service Provider

IP Service Control at the POP

• Enable carriers to provide supplementary IP services.

• Control DOS attacks.

NetEnforcer AC-1000 Series Installation Guide 1-5

Services Based on MPLS

1-6 NetEnforcer AC-1000 Series Installation Guide

NetEnforcer AC-1000 Series Installation Guide 1-7

Scenario 2: Internet Data Center

1-8 NetEnforcer AC-1000 Series Installation Guide

Other features provided by NetEnforcer include:

Figure 1-2 – Sample Internet Data Center Network

Scenario 3: Enabling CATV Providers to

NetEnforcer AC-1000 Series Installation Guide 1-9

• Implementation of usage-based billing.

Figure 1-3 – NetEnforcer in CATV Environment

1-10 NetEnforcer AC-1000 Series Installation Guide

• Time-based bandwidth management.

Scenario 4: Enterprise Intranet

NetEnforcer AC-1000 Series Installation Guide 1-11

1-12 NetEnforcer AC-1000 Series Installation Guide

Scenario 5: Enterprise Internet Connection

NetEnforcer AC-1000 Series Installation Guide 1-13

Figure 1-5 – Sample Corporate Network with Two Locations Connected

1-14 NetEnforcer AC-1000 Series Installation Guide

Scenario 6: Protecting Networks from DDoS

NetEnforcer AC-1000 Series Installation Guide 1-15

Preventing a DoS Attack with NetEnforcer

2. Unwitting accomplices send ICMP eco reply (with victim’s address).

3. NetEnforcer detects high number of ICMP connections and blocks them.

Figure 1-7 – Preventing a DoS Attack with NetEnforcer

1-16 NetEnforcer AC-1000 Series Installation Guide