NetEnforcer ®

Carrier-Grade Deep Packet Inspection

and Service Control Platform

P2P throttling
class of service monitoring Vo I P
DDoS protection
tiered services quality of service

C arriers, cable operators, service providers (xSPs) and data centers

• Manage bandwidth at
Gigabit speeds
• Expand service offerings
• Classify, monitor and
control P2P traffic
seek to leverage their networks to maximize average revenue
per user (ARPU). By offering new lucrative services, they can develop
new revenue streams and reduce customer churn. New services include
controlling peer-to-peer (P2P) traffic, tiered services for home and
SOHO users, and SLAs to businesses for "triple-play" service packages
that combine voice, video and data. Large enterprises with Gigabit
backbones seek to ensure acceptable performance for business-critical
applications such as CRM, ERP and VoIP.

• Dynamically provision
subscribers and services
NetEnforcer
Policy-Powered Networking Features and Benefits
Allot Communications NetEnforcer® AC-1000 Series deep packet Manage Bandwidth at Gigabit Speed
inspection (DPI) devices offer carriers, service providers and enterprises The NetEnforcer AC-1000 Series offers hardware
a complete suite of traffic management tools for monitoring, classifying, and software especially designed for complex
and controlling your network traffic. The NetEnforcer offers flexible networking tasks at high speeds, providing DPI
deployment that supports your business goals. Deploying NetEnforcer service control where other devices cannot. Its
at your access point lets you enforce SLAs, deploy tired services, and
carrier-grade design conforms to NEBS and ETSI
implement advanced billing schemes. Deploying NetEnforcer at your
peering point lets you safely oversubscribe, control P2P, monitor VoIP standards.
and protect your network from DDoS attacks. Expand Service Offerings
Enterprise

Provisioning The NetEnforcer enables you to offer new

System
profitable services that better exploit your
network infrastructure.You can set a wide range
Access
of policies that guarantee or limit bandwidth as
well as prioritize traffic types for every subscriber,
NetEnforcer
AC-1010 RADIUS/
DHCP
Billing Customer
Care
class of service or session. This flexibility allows
you to set the exact policies that will let you
deliver services that meet the needs of your
Network Core
target markets.
SOHO
Switch NetEnforcer Router Classify, Monitor and Control P2P Traffic
AC-1020
The NetEnforcer's Deep Packet Inspection (DPI)
classifies P2P file-sharing applications by their
application signature (Layer-7 classification) so
Powerful Solutions for Your Type of Business you can monitor P2P traffic in real time and
Whatever your type of business, the NetEnforcer AC-1000 offers you control P2P activity. The NetEnforcer identifies
Home the industry's most powerful solution for active traffic management: hundreds of elusive P2P applications that are
Users
• Carriers, Cable Operators and Service Providers disguised by port-hopping, encryption and other
Control your network traffic so you can ensure the most profitable techniques.
use of your bandwidth resources. Limit unprofitable P2P uploads by
non-subscribers. Increase your average revenue per user (ARPU) Dynamically Provision Subscribers and
with new lucrative services for residential subscribers. Sell guaranteed Services
levels of bandwidth for business customers. Offer SLAs for "triple- The NetEnforcer AC-1000 Series provides a
play" service packages that combine voice, data and video. powerful API for dynamically provisioning tens
of thousands of subscribers with minimal
• Enterprises and Data Centers operational costs.The API enables fast integration
Use NetEnforcer to manage resource consumption for hosted with IP allocation systems, such as DHCP, to map
applications and servers. Control bandwidth consumption so you IP addresses to subscribers' ID. The API enables
can safely oversubscribe your services while guaranteeing customer integration with OSS and a captive portal, for
SLAs. Control the rate and number of connections to maximize
retrieving the subscriber's service package.
network performance and protect your data center against DDoS
attacks. Use NetEnforcer's real-time and long-term monitoring, and Video
its alert system to maintain control over your network and quickly
KaZaA Citrix
respond to network events.

Boardroom
Video conf
VoIP
Web, Email, GW PBX
FTP Servers
Internet/
SAP/Citrix VPN
Switch NetEnforcer Router Video
Oracle
AC-1020
KaZaA Citrix

PBX VoIP
GW

VoIP
GW PBX

Uncontrolled
Bandwidth
Before
(without NetEnforcer)
Total bandwidth control lets you limit unprofitable P2P uploads by non-subscribers and create tiered services that support VoIP, streaming media and more.
Manage Bandwidth on Redundant
Connections
Use the NetEnforcer with redundant switches
and redundant Internet access routers for high-
availability Internet/Intranet access. The
NetEnforcer AC-1020 offers support for two
Gigabit links while the NetEnforcer AC-1040
supports four Fast Ethernet links. Both devices
use a single traffic enforcement mechanism that
lets you monitor and control traffic across
multiple links with a single policy.
Monitor VoIP Traffics
NetEnforcer identifies VoIP traffic in your network
and can monitor it by protocol type (SIP, H.323)
and by service operator (Skype) and by
subscriber.
Understand Your Network
Use more than 100 views of traffic and
performance to understand your network.
Manage and monitor traffic using a Java-based,
customizable GUI that offers unrivalled usability.
Pinpoint individual users, VLANs or applications
and drill down to quickly troubleshoot network
congestion or to reveal actual network usage.
The Real-Time Traffic Monitor
P2P P2P Upload
P2P Download
P2P
VoIP
HTTP Controlled Gold HTTP
email
email
Bandwidth Silver HTTP
email
???
Bronze
After
(with NetEnforcer)
Receive Alerts for Major Networking Events DDoS Protection and Worm Scan Mitigation
NetEnforcer's intelligent alerts inform you about The NetEnforcer detects known types of
major networking events with SNMP traps to distributed denial-of-service (DDoS) attacks
your management station; email messages; or and worm scans. This acts an additional line of
SMS messages. These alerts enable you to take defense that enhances the performance of
corrective action before problems become firewalls and internal network devices. By
costly. In addition, a variety of preset or deploying NetEnforcer, you can monitor, record,
customized scripts can automate reactions to and block malicious traffic flows and alert users
specific events or alarms. of imminent attacks.
Implement IP Accounting (Optional)
The NetAccountant software add-on collects
traffic data per session, gathering information
on users, applications and policies that can be
used for usage-based billing.The NetAccountant
allows you to export the raw data to billing /
reporting systems.The NetAccountant Reporter
delivers a graphical system for creating detailed
usage and performance reports for improved
allocation of network resources.
Redirection to Captive Portals (Optional) The Long-Term Traffic Monitor
The NetRedirector software add-on redirects
traffic to authentication servers or captive portals
for automated authentication and self-
provisioning. The redirection is policy-based,
allowing you to pin-point the subscriber that
should be redirected.
Intuitive Policy Editor
The Java-based Policy Editor lets you access all
of your policy information from a single, intuitive
view. Special emphasis has been placed on ease-
of-use and customization so you can quickly
create and edit thousands of policies for tens
of thousands of subscribers. At the same time,
an easy duplication mechanism ("policy
templates") alleviates the need to repeatedly
define similar policies for different users and
lowers the risk of human error.
 Product Specifications
Interface Connections Network Security
• AC-1010: Two-port 1000BASE-SX/LX Gigabit Ethernet or two- • Access control - pass/reject/drop
port 1000BASE-T UTP-5 interface and one 10/100BASE-T • Protection from distributed denial-of-service (DDoS) attacks
management interface with a RJ-45 connector • Control number/rate of connections
• AC-1020: Four-port 1000BASE-SX/LX Gigabit Ethernet or four- Configuration
port 1000BASE-T UTP-5 interface and one 10/100BASE-TX • IP configuration and setup via integrated LCD and keypad
• Remote policy configuration via CLI or Web browser
management interface with a RJ-45 connector
• AC-1040: Eight-port 10/100BASE-T half/full duplex autosense QoS Policy Management
Ethernet interfaces and one 10/100BASE-T management interface, • Easy-to-manage, single-table view based on catalogs
• Easy expansion of VCs/Pipes (policies) to multiple subscribers
all with a RJ-45 connectors
• Policy distribution from primary NetEnforcer to other units
Traffic Classification (per Flow) • Customer-provisioned QoS via optional NetPolicy Provisioner
• IP address (with IP range, list or subnet option, host name); Monitoring and Accounting
retrieval via LDAP or text file • Monitoring - Protocol distribution, top hosts, top VCs, top Pipes,
• Network protocols (e.g., ARP, IPX, PPPoE), IP protocols (e.g., ICMP, VC/Pipe distribution, number and rate of connections, utilization,
IGMP, RSVP, EGP) and TCP/UDP applications bandwidth usage with 30-second granularity and storage of
• VLAN (ID, priority) historical data
• Accounting (via optional NetAccountant) - accounting of traffic
• ToS byte - DiffServ or IP Precedence bits
per session; powerful reporter; CSV interfaces
• Time of day/week/month/year • SNMP - Support statistics collection per VC/Pipe
Application classification Fail-Safe Performance (No Single Point of Failure)
• P2P applications - BitTorrent, DirectConnect, eDonkey/eMule, • Full functional backup redundancy implemented by two separate
Gnutella, Kazaa, Warez, WinMX and more systems connected by a backup cable
• VoIP protocols – SIP, Skype, H.323 • External fiber/copper bypass controlled by the main board
Americas • Instant Messaging – including distinction between file transfer and • Dual 200W load-sharing, hot-swappable power supplies, dual
7664 Golden Triangle Drive power feeds and redundant fans
chatting.
Eden Prairie, MN 55344
USA • Classification and authentication of HTTP on all port numbers Network Standards Support
Tel: (952) 944-3100 • E-mail Protocols • LDAP, DiffServ/ToS (RFCs 2474, 2475, 2597, 2598), IP
Fax: (952) 944-3555 Precedence (RFC 791) and SNMP
• Games
Browser Support
Europe Policy Enforcement
NCI - Les Centres d’Affaires
• MS Internet Explorer 5.5, 6.0
Village d’Entreprises “Green Side”
• Hierarchy of policy rules with outbound and inbound traffic
Dimensions & Weight
Batiment 1B management
• Standard 2U by 19-inch, rack mountable
400 Avenue Roumanille, BP309 • Minimum/maximum bandwidth enforcement per flow/VC/Pipe • 18.2 lbs (8.3 Kg)
06906 Sophia Antipolis Cedex
• Ten levels of priorities for VCs/Pipes
France Environmental Standards Compliance & Certification
Tel: 33 (0)4 93 00 11 67 • Per flow guaranteed bandwidth, burst rate, CBR (per flow) • Safety - UL 1950
Fax: 33 (0)4 93 00 11 65 • Maximum number of connections per VC/Pipe • EMC - FCC-Part 15 Class B; Directive 89/336/EEC; EN60950;
• Fairness between traffic flows/users/applications ETS 300 019-2-2; ETS 300 019-2-3; IEC-68; VCCI 2002 Class B
Asia Pacific
6, Ubi Road 1 • Admission control • NEBS/ETSI - Designed to comply with specification
Wintech Centre #06-12
Singapore 408726 Ordering Information* Part No./Model Links Type Bandwidth Pipes Policies
Tel: (65) 6841 3020
Fax: (65) 6747 9173
KAC-1010/155M-PS-I-IT 1 GigE 155 Mbps 2,048 8,192
KAC-1010/310M-PS-I-IT 1 GigE 310 Mbps 2,048 8,192
Japan
Yajima Bldg 8F
KAC-1010/622M-PS-I-IT 1 GigE 622 Mbps 2,048 8,192
7-11-3 Ginza, Chuo-Ku, KAC-1010/1G-PS-I-IT 1 GigE 1000 Mbps 2,048 8,192
Tokyo 104-0061
Tel: 81 3 5537-7114 KAC-1020/155M-PS-I-IT 2 GigE 155 Mbps 2,048 8,192
Fax: 81 3 5537-5281 KAC-1020/310M-PS-I-IT 2 GigE 310 Mbps 2,048 8,192
Middle East and Africa KAC-1020/622M-PS-I-IT 2 GigE 622 Mbps 2,048 8,192
5 Hanagar Street KAC-1020/1G-PS-I-IT 2 GigE 1000 Mbps 2,048 8,192
Industrial Zone
Hod Hasharon 45800 KAC-1040/400M-PS 4 FastE 400 Mbps 4,096 28,672
Israel KAC-1010/SP-155M-PS-I-IT 1 GigE 155 Mbps 10,000 80,896
Tel: 972 (0)9 761 9200
Fax: 972 (0)9 744 3626 KAC-1010/SP-310M-PS-I-IT 1 GigE 310 Mbps 10,000 80,896
KAC-1010/SP-622M-PS-I-IT 1 GigE 622 Mbps 10,000 80,896
www.allot.com
info@allot.com KAC-1010/SP-1G-PS-I-IT 1 GigE 1000 Mbps 10,000 80,896
KAC-1020/SP-155M-PS-I-IT 2 GigE 155 Mbps 10,000 80,896
KAC-1020/SP-310M-PS-I-IT 2 GigE 310 Mbps 10,000 80,896
KAC-1020/SP-622M-PS-I-IT 2 GigE 622 Mbps 10,000 80,896
KAC-1020/SP-1G-PS-I-IT 2 GigE 1000 Mbps 10,000 80,896

Note:
* When ordering, please specify: PS – power supply (AC or DC); I - interface (C – Copper or F - Fiber); IT – fiber interface (LX, SX or ZX).
Copyright © 2005, 2003, 1999 Allot Communications Ltd., All Rights Reserved. "Allot Communications," "NetEnforcer", "CacheEnforcer",
"NetBalancer", "NetReality" and the Allot logo are registered trademarks of Allot Communications Ltd. "Allot Communications - The
Traffic Management Company" is a trademark of Allot Communications Ltd. Any other brand or product names are trademarks of their
respective holders. Any information in this document is subject to change without notice. Allot Communications Ltd. and/or its affiliates
(collectively "Allot Communications") assume no responsibility for any errors that appear in this document. D242002 05/05