SunGate ISP Solutions
SunGate has many features and functions designed specifically for the Service Provider/ISP market. This section highlights the use of some of these features and is not meant as a full SunGate module description. It is recommended that the reader first becomes acquainted with the general features of the module before reading this section.
Traffic and bandwidth management for a service provider is different from a normal business's requirement because it directly affects profitability and can be a primary service differentiator for marketing and sales purposes. This section will therefore keep these factors in mind and attempt to explain why SunGate is a leader in this respect.
As with all equipment of this type, a return on investment (ROI) calculation becomes a balance between which features or functions are used (and how often) versus which services the client is prepared to pay for and how much. Every computer-based device has a fairly finite processing capacity. The more features processed per client, the lower the number of clients that can be managed on any particular unit. This is a simple fact of life in the traffic management world and applies in a similar way regardless of the number of pre-processors or CPUs applied to the task.
The Basics
All SunGate devices are specifically designed and engineered to receive a packet on an Ethernet interface on one side of a unit, get it into main memory, and then get it out onto the other side as quickly as possible. Every interface, bus, and component has been selected and designed for this task. The drivers, ARP cache, bridge and other involved software have been specifically written and tuned by OSI to the stage where the extra latency added by a SunGate unit when it is added to a network is so negligible as to be virtually un-measurable.
While the packet is in memory, all functions required by the features and policies that have been set up have to be processed and decisions made about what to do. Before any such policies are set up, the unit only collects statistics. These statistics are host based but not session or stream based, and this process is very efficient. As soon as the interface speeds are set (so that we know what the link speed is), these statistics are used by our proprietary algorithm to calculate a fair bandwidth limit for every individual user and we begin to pace every host to that speed. The method used to pace hosts is also proprietary, but suffice it to say that each host will slow down sending traffic onto the network until the network is balanced perfectly. Once this is achieved we do not build any buffers or queues, unlike all our competitors. This immediately, and without any rules or policies, provides the following benefits for the ISP:
- No more drops or re-transmissions means happier clients and reduced demand
- No more unruly users stealing more than their fair share of bandwidth
- More profit. This comes from less churn of clients and the ability to increase multiplex ratios without increasing churn or making clients unhappy
- Router offload. CPU and memory usage in your routers will suddenly drop to reasonable limits because we will only give packets to the router at the rate it can use them. We can also enhance this by doing packet marking more efficiently and more effectively than the router can
At this level of activity even our smallest unit can handle tens of thousands of users with many sessions each and our larger units hundreds of thousands. This is because we do not create or have to manage queues or buffers in our unit due to our pacing technology which simply does not require them. A nice side effect of no queues is still no added latency.
SunGate Solutions
SunGate solutions provide automatic bandwidth management and PPS limiting capabilities that make it possible to eliminate all possible P2P traffic such as BitTorrent, YouTube, Skype and others – even if these applications use port-hopping, encryption, masking or other behaviors to hide their identity.
The SunGate solution provides precision visibility into network traffic, allowing accurate management and optimization of bandwidth. Rules-based management and traffic shaping allow allocation of bandwidth per user, application, department, or time of day.
Managing Users
If you really need to manage users in addition to the automatic fair management outlined above then the most efficient method is to filter by IP address or subnet. The main reason that this is so efficient is that we have statistics and management in place for hosts anyway and we also have very efficient IP address indexing so lookups are very fast. Rules which use other match types (filters) require us to run through the ruleset looking for matches for every packet received and this can be a large amount of processing in a large ruleset. We do stop matching once we get a hit so it is always more efficient to put high packet rate rules early in the ruleset. Of course global rules always have to be run through for every packet as they do not cause a hit so due care should be taken with global rules.
In the simplest and most efficient way to manage per user, each user IP address would have a rule that sets the bandwidth and/or packet rates that this user is allowed to go up to if there is available bandwidth. Optionally, minimum guarantees, burst rates, and priorities can also be set, as can the active time of day or day of the week. Obviously, if you can group some users together into a subnet and manage them as an entity then it will be even more efficient, and we will still not allow an individual to use more than their fair share of bandwidth within that subnet. The advantage of doing this is that when there are fewer users active in the subnet they will on average get more bandwidth than when all users are active. This can be thought of as a simple group but without the behaviour modifiers that you would get with a group.
If you need individual rules for each user then these can be automatically generated by our reverse rules function. Essentially, what a reverse rule does is create a copy of a rule template for every new IP address seen (please read the full description in the SunGate manual). Reverse rules are actually powerful group generators with many options that modify rule and/or group behaviour, but a full description is beyond the scope of this document. Suffice it to say that reverse rules will generate rules for an entire subnet or just an IP or a virtual host, and by source or destination IP and/or port. They can generate rules that are copies of a template or rules that can share or balance bandwidth in a similar way to groups. You can set a maximum number of users or sessions and a rule timeout as well.
Profiles (Action Templates)
In any rule, instead of setting specific parameters for an action (bandwidth, packets, or burst rates and priorities), you can set up profiles and use those instead. Profiles are basically templates that are set up separately and can then be used in any rule. This allows you to change a single profile, and any rule that uses that profile will be automatically changed. In the ISP world this normally equates to a service level that is sold, so you would have a profile or a set of profiles for each service type. This allows modifications to services to be implemented very easily without having to change large numbers of rules.
Profiles can be an action template or a timed set of templates. Profiles have an ID and a name, and sets are created by using the same ID but a different name and then specifying a time of day or day of week for action activation. SunGate will automatically use the correct profile or action for the correct time of day on each rule that uses that profile ID. For example, if you had a template for Gold clients you could have an action of 512Kbs in and 512Kbs out from 8h00 to 17h00 and 1Mbs in and out from 17h00 to 10h00 and then 2Mbs in and out from 10h00 to 8h00.
Many ISPs have different action requirements that are dependent on usage, generally called a CAP but called a quota in SunGate. Two quota types are allowed by SunGate, a daily quota and a monthly quota, and two profiles are required for each quota: one that is used when the rule or group is under quota and another that is used when the rule or group is over quota. These profiles can also be sets of profiles.
Unfortunately, while profiles are very efficient, quotas are not and require a significant amount of CPU power, so a quota may save you some bandwidth at peak times and stop user abuse but it will significantly reduce the number of users that a single unit can manage. This is caused by the fact that every rule or group that has a quota also needs long term statistics enabled (see below for a full description), and these statistics must be interrogated for every rule to detect when it transitions from under to over quota. This is typically done once per hour to try to limit the load.
Groups
In SunGate, groups can be thought of as buckets of managed bandwidth or virtual pipes. A group header has an action (bandwidth, packet, and burst) setting inside which all rules or groups within that group are managed. The root group in every ruleset is the interface itself, and inside that can be any number of sub-groups nested to any level. Naturally, every group created has to be managed and therefore it will add some overhead to your unit, but it is not a great deal in the scheme of things.
By default, a group behaves as if the combined rules and groups within it have a common or shared ceiling unless this behaviour is overridden by actions on a rule or a sub-group, or by a behaviour modifier. Behaviour modifiers for groups are balanced and weighted and balanced. Balanced will apply fairness to each rule and weighted will invoke the priority algorithm mentioned above. A sub-group is treated in exactly the same way as a rule in the group above it in the hierarchy once its allocations and performance have been worked out.
Groups can be used in the ISP environment in a wide variety of ways to improve service offerings and/or manage clients. You could have groups to manage separate bandwidth for service levels, such as a group for allocating specific bandwidth to Gold customers versus Silver or Bronze. Within those groups you could allocate or prioritize bandwidth by application, and it can be different by class. What you can achieve in a group often depends somewhat on how the network is numbered. For example, if you wanted to globally prioritize applications differently for each class of service, then we would need to be able to globally identify those users, ideally in a single rule with a single subnet. The alternative would be to have a global rule inside the group for each IP address, which would be extremely inefficient and very hard to maintain.
You could have a group for every customer, which would allow you very fine-grained control over each and every element of that customer's traffic, but this can very quickly explode your rulesets if you are not careful. Prioritization of applications alone can take 20 to 30 rules to cover each main application. If you had a unit which could handle 3,000 rules then this would reduce you to managing 100 users per unit and quickly change your ROI calculations. This is probably most cost effective if you are selling to groups of users, like a business account that can be managed as a single subnet or a single NATed IP, or if you sell a superior service to a few individual customers who are prepared to pay more for the service.
Group Templates
SunGate makes having standard groups very easy to manage and maintain by having a facility for group templates. These templates are a group header and a standard set of rules that can be maintained in the rulesets as though they were an individual rule. As with profiles, if you wish to modify a template then all the groups that were created by using that template will be automatically modified for you.
Statistics
There are two types of statistics that can be maintained by SunGate: short term (real time) statistics and long term statistics. Every interface, group, and rule automatically has short term statistics maintained internally, and these cannot be turned off because we need them to implement the rule management. Short term statistics are maintained for a period which can be changed but by default is 20 seconds. Extending this period is good for load but reduces the grain at which we manage. Shortening it is not recommended and could result in choppiness in some rules. Long term statistics can be turned off or on by rule, and some care is needed because these statistics need to be accumulated every period and written to an SQL database every 300 seconds. This is a very high load for any machine to cope with if there are lots of rules that have long term statistics.
API
SunGate has a set of API rules built in. This API allows ISPs to develop external programs to fully manage rules and rulesets remotely. There is also an ODBC interface, so all statistics are fully accessible and easy to integrate into billing and accounting systems. Anything that can be done via the user interface can also be done via the API manager.
Restricted Client Access
A very popular feature of the SunGate unit is the ability for ISPs to allow clients to access their own statistics and reports without compromising other clients' data. This access is through a normal web browser and can be HTTP, secure HTTPS, or either. Every SunGate unit has a User Manager where secure access can be set up, and each user can be restricted as to which modules may be accessed and whether changes can be made or only viewing is allowed. In addition, individual users can be restricted to viewing a rule, a group, or a set of either or both. Standard reports can be set up which will store and/or mail reports to users every day, week or month with just their own data visible.
Summary
SunGate allows for innovative new service plans and billing models designed to retain and attract subscribers, control Peer-to-Peer/Recreational usage, enable and manage triple play services and protect the network from malicious traffic.
SunGate enforces tiered service levels, allocates bandwidth minimums and maximums on a per-customer, per-user, per-application, or other basis, paces streaming media for optimum reception, manages over-subscription, and offers a variety of other features such as quotas and profile management.
Customers of premium bandwidth services have premium expectations and require more than just a best-effort attempt at quality. We have shown you what types of services can be offered whilst still maintaining an efficient rule set. SunGate offers unrivalled flexibility so you can decide which features to use and the level of complexity you want. SunGate sits inline with the traffic and offers easy management of users through a web GUI or via an API for automated provisioning.
SunGate integrates smoothly with any SNMP-based management tool and has a CMS (central management server) for central management & reporting on large deployments.
It should also be clear now that certain configurations are much more processor intensive than others and therefore the rule sets and service offerings need to be carefully thought out with respect to the numbers of users to be managed.