Policy-Based Packet Policing




Traffic policing is sometimes called Layer 4 switching: a device that reads the Layer 4 port numbers and manages traffic on the basis of those port numbers is inserted into the network just before the router. Some people also call this method Common Open Policy System (COPS). Figure 8.13 shows a network with a policing box in place.

Figure 8.13: Applications Policing

COPS units can manage traffic in several ways: one is to change the sliding-window size of TCP sessions; another is to refuse connections for less important traffic.

After traffic is policed, it can be further managed with queue management, which is also used to control traffic behavior within devices. There are several ways to manage queues. One method, Random Early Detection (RED), randomly drops packets as queues become full. Other methods let engineers establish a priority system that determines how packets are dropped; these include Fair-Weighted Queuing (FWQ), Weighted Fair-Weighted Queuing (WFWQ), and Priority Queuing.
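To make RED concrete, here is an added Python example (my own code, not code from the book or from any vendor mentioned in this chapter). It implements a RED queue that tracks an exponentially weighted average queue length, admits everything while the average is below a minimum threshold, drops with a probability that rises toward max_p between the minimum and maximum thresholds, and drops everything once the average reaches the maximum; a small simulation then offers it a constant overload. The thresholds, weights, packet objects and arrival/service rates are all constructed for the illustration.

```python
import random


class RedQueue:
    """Random Early Detection (RED) queue.

    Packets are admitted unconditionally while the exponentially weighted
    average queue length is below min_th, dropped with a probability that
    grows linearly between min_th and max_th, and always dropped once the
    average reaches max_th (or the physical queue is full). Dropping early
    and at random signals congestion to TCP senders before the queue
    overflows, instead of tail-dropping whole bursts at once.
    """

    def __init__(self, capacity, min_th, max_th, max_p=0.1, weight=0.002, seed=0):
        assert 0 < min_th < max_th <= capacity
        self.capacity, self.min_th, self.max_th = capacity, min_th, max_th
        self.max_p = max_p               # drop probability as avg approaches max_th
        self.weight = weight             # EWMA weight; small = slow to react to bursts
        self.rng = random.Random(seed)   # seeded so that a run is reproducible
        self.queue = []
        self.avg = 0.0
        self.count = -1                  # packets admitted since the last early drop
        self.stats = {"enqueued": 0, "early_drop": 0, "forced_drop": 0, "tail_drop": 0}

    def _drop_probability(self):
        # Linear ramp from 0 at min_th to max_p at max_th ...
        p_b = self.max_p * (self.avg - self.min_th) / (self.max_th - self.min_th)
        # ... inflated by the number of packets since the last drop, so that
        # drops are spread evenly over time rather than clustered.
        denom = 1.0 - self.count * p_b
        return p_b / denom if denom > 0 else 1.0

    def enqueue(self, pkt):
        """Return True if pkt was admitted, False if it was dropped."""
        self.avg = (1.0 - self.weight) * self.avg + self.weight * len(self.queue)
        if len(self.queue) >= self.capacity:        # hard limit: classic tail drop
            self.stats["tail_drop"] += 1
            return False
        if self.avg >= self.max_th:                 # congested: drop everything
            self.stats["forced_drop"] += 1
            self.count = 0
            return False
        if self.avg > self.min_th:                  # early-drop region
            self.count += 1
            if self.rng.random() < self._drop_probability():
                self.stats["early_drop"] += 1
                self.count = 0
                return False
        else:
            self.count = -1
        self.queue.append(pkt)
        self.stats["enqueued"] += 1
        return True

    def dequeue(self):
        return self.queue.pop(0) if self.queue else None


def simulate(arrivals_per_tick, service_per_tick, ticks, **red_kwargs):
    """Offer a constant overload to a RED queue and report what happened."""
    q = RedQueue(**red_kwargs)
    max_len = 0
    for tick in range(ticks):
        for n in range(arrivals_per_tick):
            q.enqueue((tick, n))                    # constructed dummy packet
        max_len = max(max_len, len(q.queue))
        for _ in range(service_per_tick):
            q.dequeue()
    stats = dict(q.stats)
    stats["max_queue_len"] = max_len
    return stats


if __name__ == "__main__":
    # 3 packets arrive per tick but only 2 can be sent: a 50% overload.
    print(simulate(3, 2, 200, capacity=50, min_th=5, max_th=15, weight=0.1))
```

With the 50% overload above, the queue never gets near its hard capacity of 50: early drops begin once the average length passes min_th, which is the signal that makes TCP senders shrink their windows before a tail drop would have discarded a whole burst. The weight is deliberately set high (0.1) so that the average reacts within a few ticks; the default 0.002 is the kind of value used on real links, where the average is meant to ignore short bursts.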

One method used to achieve QoS is not a protocol at all but a piece of hardware. A policy-based switch is placed at the edge of a network, between the router and the firewall, to monitor, mark, classify, and police traffic. One vendor calls its box a packet shaper; another calls it NetEnforcer. A policy-based switch monitors traffic by inspecting packet content at Layers 2 through 4 and marks the packets according to pre-established policies.

How Can You Monitor and Police These Problems?

Here is a brief checklist to help you handle these problems:

  • Test your network to determine its saturation point under test conditions. This measurement varies greatly: some networks saturate at 8% utilization, others at 80%. You will also find that the data-failure point differs from the voice-failure criteria.

  • Continuously monitor your network utilization. Know your peak busy day, peak busy hour, and peak bandwidth usage (i.e., which of your network's applications are bandwidth hogs). Although several commercial systems are available to track this data, I have found the best overall system to be the Finisar Surveyor 4.1.

  • Police your network. To gain full QoS functions, you must be able to police bandwidth so that applications cannot monopolize your network. Vendors make multi-layer switches that incorporate Layer-4 policy switching (e.g., the Nortel Business Policy Switch 2000). I personally prefer stand-alone components for policing and traffic accounting. The argument is as old as the stereo-system arguments that pitted integrated systems against component-based systems. I like to have component-based policing and accounting because it gives network analysts control over their data.

There are several policy-based policing 'switches' available on the market. I have had good luck with Allot's NetEnforcer (www.allot.com/html/products_netenforcer.shtm) for policy-management and accounting purposes.

More advanced policy switches (www.allot.com/html/products_netenforcer.shtm) even allow a network manager to segregate one protocol (port) into several elements. Take, for example, HTTP running on port 80: several applications can run over that port, from web conferences to MP3 downloads, and some of them have a higher priority than others.

A policy-based device allows bandwidth to be policed per application, and it also provides accounting services: you can determine the most-used applications and track when and how they have been used.
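As an added example (my own Python, not code from the book and not the logic of any vendor's product named above), the following sketch does what such a policy-based device does with each packet, covering both the Layer 2-4 classification described earlier and the splitting of port 80 into separate applications: it reads the Layer 3/4 fields, matches the packet against an ordered policy list whose rules may look at the HTTP request line, polices each application with its own token bucket, marks admitted packets with a DSCP value (recomputing the IPv4 header checksum), and keeps per-application accounting. The policies, addresses, rates, DSCP values and HTTP requests are all constructed for the illustration. A practical caveat: a request line inside TLS is not visible to such a device, so classification of HTTPS traffic falls back to ports, addresses and flow behaviour.

```python
import re
import socket
import struct
from collections import namedtuple


def ipv4_checksum(hdr: bytes) -> int:
    """Ones'-complement checksum of an IPv4 header; 0 when the header is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src, dst, sport, dport, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet (no options) used only as sample input."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:] + tcp


def parse_ipv4(pkt: bytes) -> dict:
    """Layer 3/4 fields (and the payload) that the policy switch classifies on."""
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                            # header length incl. options
    l4, sport, dport, payload = pkt[ihl:total_len], None, None, b""
    if proto == 6 and len(l4) >= 20:                      # TCP: honour the data offset
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", l4[:14])
        payload = l4[(off_flags >> 12) * 4:]
    return {"ihl": ihl, "proto": proto, "sport": sport, "dport": dport, "payload": payload}


def mark_dscp(pkt: bytes, ihl: int, dscp: int) -> bytes:
    """Rewrite the DSCP bits (keeping the ECN bits) and recompute the header checksum."""
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


# proto (6 = TCP), dst_port and an optional payload regex select the application;
# dscp is the mark applied; rate_bps (bytes/s) and burst (bytes) drive the policer.
Policy = namedtuple("Policy", "name proto dst_port payload_re dscp rate_bps burst")


class PolicySwitch:
    def __init__(self, policies):
        self.policies = policies      # first match wins, so list specific rules first
        self.buckets = {p.name: {"tokens": float(p.burst), "last": None} for p in policies}
        self.accounting = {}

    def _allow(self, pol, nbytes, now):
        # Token bucket per application: refill at rate_bps, cap at burst, admit if it fits.
        b = self.buckets[pol.name]
        if b["last"] is not None:
            b["tokens"] = min(pol.burst, b["tokens"] + (now - b["last"]) * pol.rate_bps)
        b["last"] = now
        if nbytes > b["tokens"]:
            return False
        b["tokens"] -= nbytes
        return True

    def classify(self, f):
        for p in self.policies:
            if (f["proto"], f["dport"]) == (p.proto, p.dst_port) and (
                    p.payload_re is None or p.payload_re.search(f["payload"])):
                return p
        return None                   # no rule: forwarded unmarked and unpoliced

    def process(self, pkt: bytes, now: float):
        f = parse_ipv4(pkt)
        pol = self.classify(f)
        name = pol.name if pol else "unclassified"
        acct = self.accounting.setdefault(name, {"packets": 0, "bytes": 0, "dropped": 0, "last_seen": now})
        acct["packets"] += 1          # offered packets, dropped ones included
        acct["bytes"] += len(pkt)
        acct["last_seen"] = now
        if pol is None:
            return "pass", pkt
        if not self._allow(pol, len(pkt), now):
            acct["dropped"] += 1
            return "drop", None
        return "pass", mark_dscp(pkt, f["ihl"], pol.dscp)


# Constructed policies: two applications that both ride on TCP/80.
POLICIES = [
    Policy("mp3-download", 6, 80, re.compile(rb"^GET \S+\.mp3 "), 8, 50, 200),
    Policy("web-conference", 6, 80, re.compile(rb"^GET /meeting/"), 26, 1e6, 10**6),
]
MP3_GET = b"GET /music/track01.mp3 HTTP/1.1\r\nHost: media.example\r\n\r\n"
CONF_GET = b"GET /meeting/room42 HTTP/1.1\r\nHost: conf.example\r\n\r\n"


def run_demo():
    # Four MP3 requests (three in one burst, one 2 s later) and one conference request.
    sw = PolicySwitch(POLICIES)
    mp3 = build_tcp_packet("10.0.0.5", "192.0.2.10", 40000, 80, MP3_GET)
    conf = build_tcp_packet("10.0.0.6", "192.0.2.20", 40001, 80, CONF_GET)
    verdicts = [sw.process(mp3, now=t)[0] for t in (0.0, 0.0, 0.0, 2.0)]
    verdicts.append(sw.process(conf, now=0.0)[0])
    return verdicts, sw.accounting
```

In run_demo the first three MP3 requests arrive at the same instant, so the 200-byte bucket admits two 96-byte packets and drops the third; by t = 2 s the bucket has refilled at 50 bytes per second and the fourth request passes. The conference request matches its own rule and is forwarded with DSCP 26, while the accounting table records packets offered, bytes offered, drops and the last time each application was seen, which is the "when and how" information the paragraph refers to.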






Rick Gallagher's MPLS Training Guide: Building Multi-Protocol Label Switching Networks
ISBN: 1932266003
Year: 2003
Pages: 138
