Tilted Forum Project Discussion Community

liquidlight 09-26-2005 06:25 AM

The new world of Traffic Shaping
 
Having just read a thread about why someone's P2P isn't working correctly I thought that I would share this with you all :)

http://www.cymphonix.com

This is the company that I've just started working for, and while the device is every administrator's wet dream and best friend it does present a new level in user intervention.

The Composer is incredible, it's not just marketing this thing actually WORKS!

Personally some of the big brother things that it's capable of make me a bit nervous, but sadly in the modern world they're not only necessary they're required by law in a lot of instances.

Two things I'd like this thread to cover, what do you think of the device, and second what's your take on the current status of "big brother" in the technological world?

I've already mentioned I love this thing, I wish I'd had one as an admin it would've solved soooo many headaches.

As for the monitoring, my only real stance is a little vague. As a principle I don't really like it, but it depends very much on who is doing the monitoring and of course the only real reason I would have to object is because I'm doing things that I'm not really supposed to be doing.

Martian 09-26-2005 10:25 AM

Quote:

Originally Posted by liquidlight
...the only real reason I would have to object is because I'm doing things that I'm not really supposed to be doing.

That's just it. Some people don't seem to realize that when they're at work they're expected to use the internet for company use only. Eating up bandwidth costs the company money and in the case of file sharing applications can even leave them vulnerable to lawsuit. Same goes for colleges. If you want to do that sort of thing at home on your own time then go right ahead, but when you're at work you're there (shockingly enough) to work. The company you work for has every right to restrict your network traffic and even monitor what you're doing online.

soccerchamp76 09-26-2005 10:37 AM

College and work networks are different, however. Most colleges and universities have a data access fee, which means that the student is PAYING for their internet access. At my university, $70 a semester covers the cable/internet fee. Downloading movies/music is still illegal, but to say that the college can control what we do, that isn't acceptable.

HOWEVER, at work, you are being paid to do work and the internet can distract an employee from doing actual work.

JStrider 09-26-2005 10:59 AM

and another thing about college networks is that there are people living on campus... I can understand limiting p2p and monitoring traffic in the academic/public accessible areas.

but in the dorms we shouldn't have to suffer the limited access...
*grumble* *grumble* I can't connect to IRC anymore in my own room...

sailor 09-26-2005 12:25 PM

Ditto soccer and jstrider. Work and college networks are two totally separate things. I've got no problem with interference at work, but when you are paying for your internet connection, and don't have any other way to access the internet (i.e., live in a dorm room), there's no reason for the school to censor. There's no liability for them--that gets passed on to you, just like there's no liability for any other ISP.

vanblah 09-26-2005 12:43 PM

So other people in the dorms should suffer because you want to be able to d/l pr0n and gamez? I don't get it. The ONLY way we can guarantee that the network works in your dorm is to throttle P2P, otherwise we'd have a handful of people gobbling all the bandwidth.
Students are certainly welcome to run these things at the college I work at, but they are throttled to about ISDN line speed (128k). I don't agree with completely blocking anything (unless there is no other way around it).


Anyway, back on topic ...

liquidlight, how does that thing compare to a Packeteer?

liquidlight 09-26-2005 12:55 PM

It embarrasses the Packeteer. . . it does Layer 3 and Layer 7 shaping and identification, so we can more accurately and more quickly identify what the traffic is and give you more options on what to do with it.

Pair that with the built-in content filter, spyware scanning/filtering, and inline Anti-virus and our solution is much more impressive, and that's just some of the feature set.

Martian 09-26-2005 06:32 PM

soccerchamp et al - You're paying $70 a semester for some bandwidth. That's only a little more than what I pay per month for the internet I have. Paying a fee entitles you only to what the provider is offering for the fee, nothing more or less than that.

I have no idea what the typical college network topology is like, but I think that a major concern is that people in their dorms using the internet recreationally are taking up a fair bit of bandwidth. Give them too much and you won't have enough for things like research, or as has been stated you'll have a small group of people running p2p or other bandwidth-intensive applications and filling the pipe, leaving nothing left for everyone else. Bandwidth is always a limited commodity and when you're serving it to as many people as you are on a college campus controlling that traffic and keeping it usable for everyone involved becomes a major concern. So yeah, I think it's only fair to use traffic shaping in order to throttle down a lot of stuff and given that many/most p2p programs (the primary concern here) use non-standard ports it's understandable that occasionally some other app will get caught up in it.

I don't think censoring is what needs to happen, just controlling the traffic and keeping everything running smoothly. An office sysadmin has every right to outright block certain types of traffic (I'd even go so far as to say he's not doing his job if he doesn't) and a college sysadmin has every right to throttle types of traffic. The environments aren't identical, but they are closely related.

Pragma 09-26-2005 08:12 PM

Generally, campuses tend to highly segregate the research and dormitory networks (or at least that's the way it's done here). No matter how bad the dorm network gets, it can never infringe upon the research network's bandwidth. Now, the dormitory network might get so bogged down it's impossible for people to communicate across it, but that's an entirely different story. But any good netadmin should be able to segregate the two links.

My views on this are as follows: P2P and other filesharing applications should be given lowest priority. There are legitimate uses for these programs, but the probability of a given student using it for legitimate purposes is rather low, and so those that do use it for legal uses (i.e.: downloading a Linux/BSD ISO off BitTorrent) will just have to deal with slower traffic. There are plenty of ways to shape the traffic such that the kids who use the most traffic will still be able to do what they want (though maybe not as fast) while those who rarely use any can surf the web in peace. And just because someone uses a lot of traffic doesn't mean they're up to no good. I transfer gigs of data a day back and forth across the campus network (analyzing Snort logs, TCPDump captures, etc., for work).

I would draw the line at when a campus netadmin starts to block types of traffic - as students don't have a choice about what ISP they use when they live on campus, or whether or not to pay to upgrade to a better plan, or basically any other choice whatsoever about their network connection. As a result, that's fine if their filesharing (legal or not) goes slow - but don't block it altogether, unless they start drawing the attention of the RIAA/MPAA.

Now, as for a workplace (and I've been that netadmin before), by all means I'd block every last thing in/out except legitimate workplace traffic. If I ever caught an employee browsing porn, downloading warez, using a P2P network, I'd shut down their jack on the spot and call their supervisor.

vanblah 09-26-2005 08:54 PM

I have no problem with people downloading/uploading whatever they want to. I have a problem when people call me and tell me that "my" network sucks because they can't check their email. The network doesn't suck ... it's just being killed by bandwidth hogs.

Each dorm is in its own subnet. The students can flood the network in their own dorms all day and night and it won't affect me. But it does affect their neighbors and those are the people I have to deal with.

Packet shaping is a great answer to all of these problems -- until someone finds a way around it.

Pragma 09-27-2005 04:21 AM

The only real way around packetshaping that I've found (and use) is VPN - depending upon how the packet shaper prioritizes VPN traffic (and it generally receives at least medium priority - or at least much higher than P2P) I've found it's possible to get much faster speeds by VPNing to a server (either off-campus or at least outside of whatever the dormitory network is) and then firing up P2P software from there.

Of course, the admins can probably take a good guess what's going on - especially if you VPN to their server - but it'll get around the P2P ruleset for the packetshaper, at least.

liquidlight 09-27-2005 05:30 AM

Quote:

Originally Posted by vanblah
Each dorm is in its own subnet. The students can flood the network in their own dorms all day and night and it won't affect me. But it does affect their neighbors and those are the people I have to deal with.

Packet shaping is a great answer to all of these problems -- until someone finds a way around it.


God, I'm starting to think like our salesmen! *shudders* I read that and the first reaction was "Hell stick a NC200 in each of the dorms or a bigger box at the gateway and then make it so the users can view their neighbors' network usage, all your problems suddenly go away after about 3 lynchings."

hehe but that's just the sadist in me.

bendsley 09-27-2005 07:39 AM

I personally would not buy something like what cymphonix sells.

1) I just don't really like appliances. More rack space, and I could probably consolidate with another server. 2U for this thing? What in the world is in it to make it a 2U server? Make a blade or something that can fit in my Dell 1855 Blade Chassis and we'll talk.

2) I haven't ever heard of the company nor have I seen reviews of the company and products. I'm looking for a filtering solution currently, and so far I'm looking at Websense and Blue Coat. The only thing about Blue Coat is that it is yes, an appliance.

I like how on the FAQ of the website, it says, "If you are using a Cisco PIX firewall, we recommend the use of a cross-over cable between Network Composer and the firewall." -- Yeah, because it really won't work otherwise.

I'm not bashing the product by any means, I just don't know anything about it. I'm not going to use it for the company I work for unless I see good reviews against how it stacks up to Blue Coat and Websense. I might actually request an eval. unit as well. But, if I were to buy one, I need to buy another rack as well and I'm not looking to do that.

liquidlight 09-27-2005 07:49 AM

Now Bendsley you're just being pessimistic :)

Awesome feedback though - here's some answers:

To keep costs down we don't conform to proprietary form-factors like Dell's Blade servers, the unit is 2U because it made it incredibly more cost effective to keep it at a decent operation temperature, and we're a young company so we don't have much name recognition, but it is a killer product.

We've had quite a few customers that have used the Composer's web content filtering to replace Websense, at a decent cost savings too I might add.

The website has been sadly neglected of late due to some of the major feature revisions that have been added to the Composer (things like incorporating SunBelt's spyware SDK into the unit) and I'm still working on generating traffic to the user forum to get a lot of the other questions answered.

As for rack mounting it, don't block the fans and you can stick it anywhere, hell prop it on its side and let it go crazy :)

Last point :) the NICs in the Composer will allow for auto-negotiation of ports, including auto-sensing standard/crossover, we've just found that if you're not on a crossover to Cisco equipment it generates interface errors!

Eval units are also something that we really like to set up, we're proud of the Composer and the unit typically sells itself once admins get their hands on it and see for themselves what it can do, if you're at all interested it would probably be pretty easy to get you the info you'd need for the risk free trial.

oberon 10-02-2005 10:10 AM

On the other hand, appliances are good if they have specialized hardware to do the job better. Packet flows are not cheap (speaking in terms of computing resources) to manage. Assuming this thing could handle classifying and shaping a LOT of traffic (say around the 1Gb/s range), it might be worth the money. But at only 90Mb/s, 40kpps? Give me a break.

WillyPete 10-03-2005 07:54 AM

What's the price for one of these daddies?

Is there a UK reseller?

Wingless 10-03-2005 09:47 AM

The irony in reading this thread is that I'm in a CAD class right now, on my school-provided laptop, on the school's open wireless network.

liquidlight 10-03-2005 02:23 PM

Good lord Oberon, you'd be pure fiber/fiber to get 1Gb/s . . .most HARDDRIVES don't transfer that fast!! What in the world could you possibly be shaping on that scale?!

WillyPete - I'm sure that there is, but if you contact sales at cymphonix.com they can give you specific information.

Pragma 10-03-2005 04:26 PM

Yea - you'd have to be up around pure fiber/fiber to get that traffic range - you wouldn't be packetshaping traffic as it came out of your computer - but at the same time, that range would be up where you'd be needing it the most (university dormitory networks, corporate enterprise borders, ISP uplinks, etc.). That's where you'd need the capability of packetshaping massive amounts of traffic with minimal slowdown.

tspikes51 10-03-2005 05:04 PM

Heh, when I lived in the dorms at Kentucky last semester, we got cable internet, as in cable went into each of the rooms, into a splitter, and then one coax into a TV and one into a cable modem/router. It was the same Adelphia residential service that, say, my friend that lives in his own house right down the street got. Solves the problem of eating bandwidth by being a crappy connection to begin with. It was usually as slow as the wireless internet that we have here at home.

liquidlight 10-04-2005 05:58 AM

Quote:

Originally Posted by Pragma
....(university dormitory networks, corporate enterprise borders, ISP uplinks, etc.). That's where you'd need the capability of packetshaping massive amounts of traffic with minimal slowdown.

Granted, but having worked in several of these types of installations even 90Mb/s is a HUGE line, ISPs around here usually only backbone at one DS3 which is 45MB/s, and that's just the limitation of the current top model, we're developing for larger pipes already and the software is scalar, it's just a matter of getting the hardware that will do it without adding considerable latency to the network.

I'm not saying that the Composer is the end all/do all, at least not yet :) but it's very good at what it does.

bendsley 10-04-2005 06:38 AM

Quote:

Originally Posted by liquidlight
ISPs around here usually only backbone at one DS3 which is 45MB/s,


What do they do for redundancy?

liquidlight 10-04-2005 06:52 AM

Good question :) I didn't say that they were good ISPs. . .

I run with the Telco, and since it's Qwest even though they suck I'm sure the pipes are huge :P

oberon 10-09-2005 12:13 AM

Obviously I don't think someone who'd buy a traffic shaper like this would attach it directly to a computer, but rather a network.

45Mb/s is piddly these days. I've worked on networks with bandwidth measured in the gigabits, sometimes with several 10Gb/s links. 1Gb/s aggregate is rapidly becoming the minimum for any ISP that calls themselves a regional ISP. I think shaping traffic under 100Mb/s can be done easily with a cheap general purpose computer.

liquidlight 10-12-2005 07:08 AM

The only real answer is that currently we're not targeting players on that level, sadly there's really not enough demand on that scale and too much competition for our little outfit, though that isn't to say that we won't grow into that at some point.

Currently we're set to support small to medium business networks, up to 6000 simultaneous users. We ARE young, but we're improving, and it really is a great product.

yotta 10-12-2005 12:42 PM

I actually work at a WISP, and we do traffic shape our users (using some Linux based stuff I developed). Shaping is first split off into low priority (P2P, long-running file transfers), high priority (HTTP GET requests, games, chat, etc.), everything else, then within those categories it's split off per user IP into equal sized queues. Works pretty well for keeping our customers happy.
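
The scheme described in the post above, as an added example that is not part of the original post and is not yotta's code: a small Python model of three priority classes with equal-sized per-user-IP queues served round robin inside each class. The port lists, queue limit, long-transfer threshold, strict-priority ordering between classes and the sample traffic are all assumptions constructed for the illustration.

```python
from collections import OrderedDict, deque

# Assumption: classes are served in strict priority order, high first.
# The post names the three classes but not how they share the link.
CLASSES = ("high", "normal", "low")
QUEUE_LIMIT = 4                      # equal-sized per-IP queue (constructed)
HIGH_PORTS = {80, 5222, 27015}       # web, chat, game ports (illustrative)
LOW_PORTS = {6881, 6346}             # common P2P default ports (illustrative)
LONG_TRANSFER_BYTES = 10_000_000     # flows past this count as long-running


def classify(pkt):
    """Map a packet to a class; long-running flows are demoted on any port."""
    if pkt["dport"] in LOW_PORTS or pkt["flow_bytes"] > LONG_TRANSFER_BYTES:
        return "low"
    if pkt["dport"] in HIGH_PORTS:
        return "high"
    return "normal"


class Shaper:
    def __init__(self):
        # class name -> OrderedDict(user IP -> queue of packets)
        self.queues = {c: OrderedDict() for c in CLASSES}
        self.dropped = 0

    def enqueue(self, pkt):
        q = self.queues[classify(pkt)].setdefault(pkt["src"], deque())
        if len(q) >= QUEUE_LIMIT:
            self.dropped += 1        # tail drop: a hog only fills its own queue
            return False
        q.append(pkt)
        return True

    def dequeue(self):
        for c in CLASSES:            # highest non-empty class wins
            users = self.queues[c]
            if users:
                ip, q = next(iter(users.items()))
                pkt = q.popleft()
                del users[ip]
                if q:
                    users[ip] = q    # move user to the back: round robin
                return pkt
        return None


def demo():
    """Constructed traffic: one P2P hog, one light P2P user, one web/ssh user."""
    s = Shaper()
    for i in range(10):
        s.enqueue({"src": "10.0.0.1", "dport": 6881, "flow_bytes": 0, "id": f"hog{i}"})
    s.enqueue({"src": "10.0.0.2", "dport": 6881, "flow_bytes": 0, "id": "p2p-b"})
    s.enqueue({"src": "10.0.0.3", "dport": 80, "flow_bytes": 500, "id": "web"})
    s.enqueue({"src": "10.0.0.3", "dport": 22, "flow_bytes": 500, "id": "ssh"})
    order = []
    while (p := s.dequeue()) is not None:
        order.append(p["id"])
    return order, s.dropped


if __name__ == "__main__":
    print(demo())
```

The light P2P user's single packet goes out right after the hog's first one, and the hog's overflow is dropped from its own queue rather than delaying anyone else.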

Sty 10-14-2005 02:22 AM

I was running copper gige ring back in 2001, I think 2003 we had all npe-1g's on core eq. We were running 500Mbit/s 200kpps average traffic over single peer back then already, I'd imagine they're saturating stm-48 now.

Traffic shaping in the core is dumb shit anyways. Maybe after an aggregator for dsl lines or something.

