NetEnforcer also features an automated host-list generator, in case you want a host created for every IP address in your network. Hosts can be grouped, and policies can be applied to the groups. This capability can work for networks that have dynamic IP addresses so long as you include the entire DHCP pool in a group.
We had the wizard create a host for every node in our /24 network and created a group called nwc.syr.edu. We then applied a policy to that group to limit traffic per IP address to 2 Mbps max. No matter what IP address we were assigned by the DHCP server, our test machines got only 2 Mbps.
A downside is that policy changes take effect for new connections only. While running a series of FTP transfers, we enabled a rule to limit FTP to 100 Kbps. But current FTP transfers continued to suck up all the bandwidth for a few minutes until they finished and a new set began.
We also ran into trouble with the streaming video test. We created a channel with 3 Mbps allotted to video at normal priority. However, when the pipe was saturated with Web traffic, our 1.6-Mbps QuickTime movie did not get the guaranteed bandwidth. Only when we increased the priority of the channel did we get the guaranteed bandwidth.
Keeping Track of Users
You can export data to RADIUS for accounting purposes, a feature Packeteer also supports. ISPs will like this capability because it will help them keep tabs on bandwidth usage. NetEnforcer also provides some protection against DoS (denial-of-service) attacks: you can specify a maximum number of concurrent connections and a maximum number of new connections per second. Connections beyond these limits can be either admitted without QoS or dropped.
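To make the two limits and the two overflow choices concrete, here is an added example of a connection-admission limiter of that kind. It is constructed for this review and is not Allot's code; the class, its thresholds and the event trace it replays are all assumed, and the sliding one-second window is one reasonable way to count "connections per second", not necessarily the one NetEnforcer uses.

```python
"""Connection-admission limiter of the kind the DoS controls above describe.

Added, constructed example, not Allot's code: it models a device that
enforces a maximum number of concurrent connections and a maximum number
of new connections per second, and that either drops the excess or admits
it without QoS. Class names, thresholds and the event trace are invented.
"""
from collections import deque

ADMIT, ADMIT_UNSHAPED, DROP = "admit", "admit-no-qos", "drop"


class ConnectionLimiter:
    def __init__(self, max_connections, max_per_second, overflow=DROP):
        if overflow not in (DROP, ADMIT_UNSHAPED):
            raise ValueError("overflow must be drop or admit-no-qos")
        self.max_connections = max_connections
        self.max_per_second = max_per_second
        self.overflow = overflow
        self.open = set()        # ids of connections currently open
        self.recent = deque()    # admission times within the last second (sliding window)
        self.stats = {ADMIT: 0, ADMIT_UNSHAPED: 0, DROP: 0}

    def _prune(self, now):
        # Forget admissions older than one second so the window slides.
        while self.recent and now - self.recent[0] >= 1.0:
            self.recent.popleft()

    def new_connection(self, conn_id, now):
        """Decide what happens to a connection attempt at time `now` (seconds)."""
        self._prune(now)
        over_limit = (len(self.open) >= self.max_connections
                      or len(self.recent) >= self.max_per_second)
        decision = self.overflow if over_limit else ADMIT
        if decision != DROP:
            # Admitted connections, shaped or not, occupy a slot and count toward the rate.
            self.open.add(conn_id)
            self.recent.append(now)
        self.stats[decision] += 1
        return decision

    def close_connection(self, conn_id):
        self.open.discard(conn_id)


def simulate(events, **limits):
    """Replay (kind, conn_id, time) events; return per-connection decisions and totals."""
    limiter = ConnectionLimiter(**limits)
    decisions = []
    for kind, conn_id, t in events:
        if kind == "open":
            decisions.append((conn_id, limiter.new_connection(conn_id, t)))
        elif kind == "close":
            limiter.close_connection(conn_id)
    return decisions, limiter.stats


# Constructed trace: eight connection attempts in 70 ms (a burst), one close,
# then a lone attempt 1.5 s later, after the window has slid past the burst.
SAMPLE_EVENTS = [("open", f"c{i}", 0.01 * i) for i in range(8)]
SAMPLE_EVENTS += [("close", "c0", 0.5), ("open", "c8", 1.5)]

if __name__ == "__main__":
    for policy in (DROP, ADMIT_UNSHAPED):
        decisions, stats = simulate(SAMPLE_EVENTS, max_connections=100,
                                    max_per_second=5, overflow=policy)
        print(policy, stats, [d for _, d in decisions])
```

With a limit of five new connections per second, the burst gets five admissions and three drops (or three unshaped admissions), and the attempt at 1.5 s is admitted because the window has emptied. The check is count-based with no notion of source address, so during a flood legitimate clients compete with the attacker for the same slots: "admit without QoS" keeps them connected at the cost of handing the attacker unshaped bandwidth, while "drop" protects the link but turns the flood into an outage for everyone past the threshold. Whether half-open SYNs or only completed handshakes count toward the concurrent-connection limit is worth asking a vendor before relying on this as DoS protection.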
The charts created by NetEnforcer are superior to Packeteer's, a consideration if you plan on presenting statistics to a group. Each chart can be displayed as line or area graph, a pie or bar chart, or as a table. Oddly enough, however, you can have only five charts open at once. When we tried opening a sixth graph, we were told we had to close one first. Allot says the next release of the software will allow as many as 10 charts to be open at once, but that limit still seems low and unnecessary. We also found a bug in the GUI that reversed FTP direction in the most active clients/servers list. The clients were listed under most active servers.
NetEnforcer AC-302 4.2.2, $12,000. Allot Communications, (800) 204-1364, (952) 944-3100. www.allot.com
Sitara Networks QoSWorks QWX-10000
Sitara's 2U rackmount QoSWorks box can be managed through a Web interface or via telnet. It is also the most expensive unit, at nearly $20,000.
Bandwidth-management capabilities are limited compared with those of its competitors: there are only five priority levels, and you can't set a maximum bandwidth per connection. Adding protocols to a policy is also a pain. We were presented with a large hierarchical list of protocols and had to search it manually just to reach the TCP protocols. And to add insult to injury, once we found our protocols, we could add only one at a time. To add more, we had to drill through the list again.
Guaranteeing Bandwidth
The QoSWorks policy screen let us see guaranteed bandwidth in bytes and as a percentage, burst amount, and priority among all the classes. Within a class, bandwidth is allocated evenly to each connection. Our streaming movie played fine without setting any QoS rules, even with 100 Web users. The devices from Allot and Packeteer let video get trampled when there were no policies set. Sitara's QoSWorks also supports HTTP caching from an external cache server.
We weren't thrilled by the reporting features QoSWorks offers. In the policy report, we could see the bandwidth currently in use by each policy, its burst size and a thermometer showing how much of the allocated bandwidth was in use, but these are shown only as averages over the last 5, 15 and 30 minutes. Graphs for events older than a half-hour are in the "historic reports" panel. Here you can see throughput or packet count by application, IP address, IP ToS (Type of Service) bits or policy. That's the extent of the graphing.
Sitara has a decent product, but the management interface really drags it down, and it's overpriced by at least $5,000.
QoSWorks QWX-10000, $19,995. Sitara Networks, (888) 748-2720, (781) 487-5900. www.sitaranetworks.com
Lightspeed Systems Total Traffic Control 3.0
Lightspeed is the only vendor whose product we tested does not come on a standalone box; instead, it is installed on a Microsoft Windows 2000 Server machine (in our case, a Dell PowerEdge 1650). Even including the price of the server, this product is one of the least expensive devices tested. However, it's also the most limited and has a confusing management interface.
To start, we had to draw our network. We dragged and dropped icons and connection points on a grid, similar to creating a Visio map. We needed to add icons for internal and external NICs, a filter to sort and analyze the traffic, and a queue to throttle the bandwidth. Fortunately, wizards and sample configurations are provided, but this interface is not intuitive and will have you scratching your head for a few hours.
Management is performed via a Windows program, which you can run on the console or remotely. Bandwidth shaping is done either by defining a series of three priorities, with each priority getting a percentage of bandwidth, or by class-based queuing (CBQ). We could create as many as eight classes and assign each a total percentage of bandwidth and a maximum delay. We could even control whether we wanted classes to borrow available bandwidth from other classes. All controls are based on source and destination IP addresses or port range. There is also integration with spam filtering.
In small environments where you know which programs will be running, this product could be sufficient. However, there are no guaranteed-bandwidth-per-session controls. We could only apply filters based on a whole class level, which meant no guaranteed rate per connection.
Total Traffic Control 3.0, $6,495 (as tested). Lightspeed Systems, (877) 447-6244. www.lightspeedsystems.com
Radware FireProof SynApps 2.51
Radware's product is unique among the products we tested in that SynApps is an add-on to Radware's switch product line. Although it finished at the rear of the pack and can't match rivals in features, it does come at a bargain if you already have a Radware switch in your network. This product is well-suited as a supplement, but it's not a full-blown QoS device.
Overall, SynApps' management features are better than Lightspeed's, but its bandwidth control and reporting lag behind the standalone boxes. Bandwidth is controlled by weighted fair queuing or CBQ. You can set policies based on source and destination IP addresses, port numbers, DiffServ value or IP ToS bits. The switch we tested had eight network ports, more than any other entry, and each port can have its available bandwidth specified. There are seven priority levels, and a real-time level as well. Minimum bandwidth and maximum borrow bandwidths can be set, but only per class, not by connection.
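Three of the products (Sitara's even per-connection split within a class, Lightspeed's borrowing between classes, and Radware's per-class minimum and maximum-borrow settings) describe the same underlying model. The following added example shows how a CBQ-style allocator hands out a link under that model; it is constructed for this review and is not any vendor's code. The link speed, class names, offered loads and the weight-proportional water-filling of spare bandwidth are all assumptions, and rates are in kbit/s.

```python
"""Class-based bandwidth allocation with guarantees, caps and borrowing.

Added, constructed example, not Lightspeed's, Radware's or Sitara's code:
it shows how a CBQ-style scheduler divides a link when every class has a
guaranteed minimum, an optional ceiling and a borrow flag, and how a class's
share is then split evenly across its connections. Link speed, class names
and offered loads are invented; all rates are kbit/s.
"""
from dataclasses import dataclass


@dataclass
class TrafficClass:
    name: str
    guaranteed: float                 # minimum the class is promised when it has demand
    demand: float                     # offered load (constructed)
    connections: int = 1              # active flows in the class
    borrow: bool = True               # may take bandwidth left unused by other classes
    ceiling: float = float("inf")     # hard cap even when borrowing
    weight: float = 1.0               # share of spare bandwidth relative to other borrowers

    def cap(self):
        return min(self.demand, self.ceiling)


def allocate(classes, link_kbps):
    """Return {class name: kbit/s} for one scheduling interval."""
    if sum(c.guaranteed for c in classes) > link_kbps:
        raise ValueError("guarantees oversubscribe the link")
    # Step 1: every class gets its guarantee, or less if it has less demand.
    alloc = {c.name: min(c.guaranteed, c.cap()) for c in classes}
    spare = link_kbps - sum(alloc.values())
    # Step 2: water-fill the spare among borrowers that still want more, by weight,
    # never pushing a class above its cap. Each pass either exhausts the spare or
    # fills at least one class, so the loop ends within len(classes) + 1 passes.
    while spare > 1e-9:
        eligible = [c for c in classes if c.borrow and alloc[c.name] < c.cap()]
        if not eligible:
            break                       # nobody can use what is left; link runs idle
        total_weight = sum(c.weight for c in eligible)
        handed_out = 0.0
        for c in eligible:
            offer = spare * c.weight / total_weight
            extra = min(offer, c.cap() - alloc[c.name])
            alloc[c.name] += extra
            handed_out += extra
        spare -= handed_out
    return alloc


def per_connection(classes, alloc):
    """Split each class's allocation evenly over its connections."""
    return {c.name: alloc[c.name] / c.connections for c in classes}


# Constructed scenario on a 10 Mbit/s link: one 1.6 Mbit/s video stream in a
# 3 Mbit/s class, 100 Web users, four FTP transfers capped at 2 Mbit/s total,
# and a best-effort bulk class with no guarantee.
LINK_KBPS = 10_000
CLASSES = [
    TrafficClass("video", guaranteed=3000, demand=1600, connections=1),
    TrafficClass("web", guaranteed=2000, demand=20000, connections=100),
    TrafficClass("ftp", guaranteed=1000, demand=5000, connections=4, ceiling=2000),
    TrafficClass("bulk", guaranteed=0, demand=3000, connections=5),
]

if __name__ == "__main__":
    alloc = allocate(CLASSES, LINK_KBPS)
    print("per class      ", alloc)
    print("per connection ", per_connection(CLASSES, alloc))
```

In the constructed scenario the video stream takes only the 1,600 kbit/s it needs from its 3,000 kbit/s guarantee, FTP stops at its 2,000 kbit/s ceiling, and Web and bulk borrow the rest, so the link is fully used and each of the 100 Web users ends up with 42 kbit/s. Switching the Web class's borrow flag off leaves 1,400 kbit/s idle once the other classes hit their caps, which is the trade-off behind Lightspeed's and Radware's borrow settings. Note that in this model a guarantee is honoured before any borrowing, regardless of priority, which is the behaviour we expected from the Allot channel in the streaming test above.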
SynApps offers virtually no reporting elements, except for showing current bandwidth usage per policy. Of course, if you have a predictable type of traffic flowing across the switch, that may be good enough, especially for the price.
FireProof SynApps 2.51, module costs $4,000 on top of switch price. Radware, (888) 234-5763. www.radware.com
Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs®. Write to him at mdemaria@nwc.com.