The WAN as seen by the enterprise

Transcript: The WAN as seen by the enterprise

http://dl.free.fr/kFB3ljra4/cours3-WAN.pdf
The WAN as seen by the enterprise
Gilles Clugnac
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
What does the enterprise ask of a communications-infrastructure provider? Squaring the circle?

"I want to be able to reach my information system wherever and whenever I want, with the best-suited terminal!"
"My work has moved from production to transactions, and now to interactions."
• Flexibility, agility => added value towards the customer
• More services for less money => control of cost, risk and complexity

[Figure: three layers: business processes (HR, Sales, Manufacturing, Finance, E-Sales, Supply Chain) on top of core applications and services (ERP, Security, IPT, Storage, Wireless) on top of the technology infrastructure]
Network convergence
A paradigm shift
Example: integrated video surveillance

[Figure: the major segments of security converging onto the network: intrusion detection, ID credential management, CCTV and digital video surveillance, data and network security, access control, visitor management, fire alarm]
The next wave

From the Internet of computers (PCs, PDAs/handhelds, IP telephones, barcode scanners, video cameras) to the Internet of things:
• objects connected through tags: products, pallets, cartons, tires, shipping containers, pharmaceuticals, medical assets, people, pets, rations, currency, livestock, weapons
• information connected through sensors: temperature, location, direction, pressure, elevation, intrusion, speed, shock/movement, light, chemicals
The network will connect billions of objects!

[Chart: 2005 forecast in million units. Today's networks carry the computers and phones; the extended networks add mobile assets, static assets, controllers, smart sensors, and microprocessors and microcontrollers. Values shown, in that order: 500; 1,500; 350; 375; 500; 750; 35,000]
The new systems will be connected to the universal IP network.
Source: Harbor Research, Inc., Forrester Research, Inc., IBSG
A complex IT environment

Drivers named on the slide: cost control, availability and compliance, automation, consolidation, business continuity, information management, agility, application SLAs, performance, application integration, growth, availability. Themes: Operational Risk Management; On-Demand, Utility Infrastructure; Information Lifecycle Management; Service Oriented Architecture; Application Awareness and Optimization.

[Figure: current infrastructure. Internet Data Center: public web site, e-commerce application, content delivery, e-mail, DNS, IP services, NAS filers, appliances, 100s of servers with integrated storage. Enterprise Data Center: engineering services, security (RADIUS, LDAP), operations center, data classification, virtualisation, 4-tier application, app servers, tiered storage, JBOD, tape backup, Finance/HR/Payroll/EDI, multiple 2-tier ERP instances, supply-chain management, mainframe systems, NCR DB server, traditional voice PBX, in-house developed apps, data warehousing, 2-tier CRM application]
End-to-end architectures

A modular approach: the networked infrastructure layer is split into network areas (Campus, Branch, Data Center, WAN/MAN, Extranet, Internet, Teleworker) plus servers, storage and client devices.

Network fundamentals and architecture rules:
• reference architectures per area
• strong interoperability between areas
• service continuity
• end-to-end SLA guarantees

The Cisco solution:
• validated recommendations per area
• oriented towards service deployment
• coherent, global architectures

[Figure: networked infrastructure layer with its network modules: Campus, Branch, Data Center, Extranet, Internet, WAN/MAN, Teleworker, plus Server, Storage and Clients; Site B shown as an example]
WAN network infrastructure
Evolution of end-to-end architectures

[Figure: the next-generation WAN (NG WAN) seen end to end. Campus: L3 switches with VRF-Lite, 802.1Q trunks, IGP between VRFs (VRF-Data and VRF-Voice per organisation, e.g. ORG-A Data, ORG-A Voice). MPLS MAN (L1/L2 point-to-point or ring) with PE 7600 routers, EoMPLS, P 12000 routers, route reflectors (RR 7301) and BGP between PEs, i.e. an MPLS-BGP VPN (RFC 2547bis). Consolidated data center with compute, disk/tape and SAN. The two deployment models are labelled "operator-managed VPN" and "VPN deployed by the enterprise". Network virtualisation services span Campus, Branch, Data Center, MAN/WAN and Teleworker]
Building a coherent infrastructure
The IP Communications example: QoS, high availability, multicast, security, network management/provisioning.
WAN architectures
Why a new generation?

Yesterday:
• the WAN is a transport problem
• critical factors: cost, availability, throughput
• fragmented architectural approach

Today:
• the WAN is a problem of generalising service delivery
• critical factors: cost, availability, security, throughput, service integration
• integrated architectural approach

The WAN is part of the overall network architecture.
A need for segmentation
• Guest access: Internet access for customers, visitors, etc.
• Network access control: quarantine and/or isolation during remediation
• Partner access: on-site partners with limited server/application access
• Group/department separation: closed user groups for divisions or teams sharing the same work locations (e.g. financial banking/trading)
• Outsourced services: participating in multiple client networks (e.g. India ITS model)
• Application/system isolation: isolating critical applications or devices such as IP communications, factory robots, point-of-sale terminals, etc.
• Subsidiaries, mergers and acquisitions: enabling staged network consolidation while companies are being merged
• The enterprise as a network service provider (possibly a source of revenue): shared service locations (e.g. Munich Airport "virtual" gate access); retail stores providing kiosk/on-location network access (e.g. Best Buy, Albertson's, etc.); Cisco Connected Real Estate (CCRE) (e.g. multi-tenant, strip malls, etc.)
• Fast project creation: closed user groups between multiple companies during joint ventures/collaborations

Group isolation is the main need: attacks, viruses and worms are confined more easily and do not propagate everywhere.
WAN stakes
BUY a VPN service or BUILD your own VPN?

~47% of enterprises choose to BUY a VPN; ~53% choose a do-it-yourself VPN. The ratio is moving towards 64% managed VPN / 36% DIY.

[Chart: reasons for out-tasking a VPN versus reasons for not out-tasking, in percent of CIOs (0 to 60). Labels on the chart: Not a core business activity, Expect cost savings, Lack of in-house expertise, Lack of staff, To gain more value; values shown: 54%, 51%, 51%, 45%, 37%. Source: Cisco FISH Study]

Two ways to buy: an L3 IP VPN service, or an L1 or L2 VPN service. Source: Cisco Study.
Branch stakes
Bringing services to the users
• information available at every site of the enterprise
• performance needed in the data center as much as at the user
• reliability of the whole information system
• network architecture and services transparent to the user
• remote and teleworking sites need more than a simple connection!
Overall: server concentration + remote users

[Figure: headquarters (resource consolidation: backup, tape drives and libraries, NAS, disk arrays, application servers, IP network) versus the branch (access optimisation: consolidation engine, printer, client workstations); the user population is split 20% / 80% between the two]
How many routers?

[Figure: headquarters campus/data center connected to the branch through operators: an IP VPN and the Internet (ISP, broadband, etc.)]

• WAN mainly provided (IP, MPLS VPN, IPsec) by a connectivity operator [main driver: cost; services: IP, VPN (+ QoS)]
• Enterprise services provided by an integrator or a value-added operator [main driver: the service contract; services: encrypted VPN, QoS, security, IP communications, mobility, application optimisation]
• Service delegation via role-based access control
How many routers? (same slide, with HSRP or GLBP added between the paired routers for first-hop redundancy)
OPERATOR-MANAGED VPN
MPLS – Virtualisation
A hierarchy of labels

[Figure: sites of VPN A, VPN B and VPN C attached to PEs around an MPLS core. The customer packet enters as "IP | data"; the ingress PE pushes a VPN label ("VPN label | IP | data") and then a core label on top ("core label | VPN label | IP | data"). The core label is distributed by LDP, the VPN label by MP-iBGP; the egress PE removes the labels and delivers "IP | data"]
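The two-level label stack of the figure, as an added example that is not part of the Cisco deck: it encodes RFC 3032 label entries, pushes the VPN label (bottom of stack) and the core label (top) the way an ingress PE does, swaps only the top label the way a P router does, and pops both at the egress PE. The label values, the IP packet bytes and the per-hop label maps are constructed for the demonstration.

```python
"""MPLS VPN label hierarchy (RFC 3032 shim header, RFC 4364/2547bis two-label
stack): an ingress PE pushes the VPN label (learned via MP-iBGP) and then the
core label (learned via LDP); P routers swap only the top label; the egress PE
pops both and hands the IP packet to the VRF the VPN label selects.

Added example, not taken from the Cisco deck. The label values (103, 89, 17),
the IP packet bytes and the per-hop LFIB maps are constructed for the demo.
"""
import struct


def encode_label(label, exp=0, bos=False, ttl=255):
    """One 32-bit label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label, EXP or TTL out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def decode_label(entry):
    word = struct.unpack("!I", entry[:4])[0]
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "bos": bool((word >> 8) & 1), "ttl": word & 0xFF}


def pe_encapsulate(ip_packet, vpn_label, core_label, exp=0):
    """Ingress PE: VPN label at the bottom of the stack, core label on top."""
    return (encode_label(core_label, exp, bos=False)
            + encode_label(vpn_label, exp, bos=True)
            + ip_packet)


def p_swap(frame, lfib):
    """Core P router: swap the top label from its LFIB and decrement the TTL.
    The VPN label and the customer IP packet underneath are never looked at."""
    top = decode_label(frame)
    if top["bos"]:
        raise ValueError("single-label packet in the core: not a VPN frame")
    if top["label"] not in lfib:
        raise KeyError("no LFIB entry for label %d: packet dropped" % top["label"])
    return encode_label(lfib[top["label"]], top["exp"], False, top["ttl"] - 1) + frame[4:]


def pe_decapsulate(frame):
    """Egress PE (no penultimate-hop popping assumed): pop the core label, then
    use the VPN label to pick the VRF. Returns (vpn_label, ip_packet)."""
    top = decode_label(frame)
    if top["bos"]:
        raise ValueError("expected a core label on top")
    vpn = decode_label(frame[4:])
    if not vpn["bos"]:
        raise ValueError("VPN label must be the bottom of the stack")
    return vpn["label"], frame[8:]


# Constructed customer packet: a minimal IPv4 header prefix plus padding.
IP_PACKET = bytes.fromhex("4500001c000040004011") + b"\x00" * 18


def walk_core():
    """PE1 -> P1 -> P2 -> PE2 with constructed LFIBs; returns what PE2 sees."""
    frame = pe_encapsulate(IP_PACKET, vpn_label=89, core_label=103)
    frame = p_swap(frame, {103: 17})    # P1: 103 -> 17
    frame = p_swap(frame, {17: 103})    # P2: 17 -> 103
    return pe_decapsulate(frame)
```

The security point of the hierarchy is visible in p_swap: a P router never parses past the top entry, so the VPN label and the customer packet are opaque to the core, and a frame whose top label is missing from the LFIB is dropped rather than forwarded.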
L3 VPN – MPLS-VPN
The same service over every link type

[Figure: a central site with shared services, regional sites, remote branches, home and travelling users reach the MPLS IP VPN over TDM mux, leased lines, Frame Relay, ATM, the Internet (with IPsec), PSTN, ISDN and ADSL/cable; access types listed: fiber / WDM / POS / Ethernet / ATM / FR / PPP / tunnel]
L3 VPN – MPLS-VPN
End-to-end QoS

[Figure: regional and remote sites to the central site across the MPLS IP-VPN; a per-class model with application-level QoS at the sites, an L2 service level agreement, QoS transparency across the VPN, and end-to-end SLA measurement]
Hierarchical DiffServ domain, with traffic engineering added in the core.
L3 VPN – A typical QoS offer
5 profiles and 4 classes of service

[Chart: five port profiles, First, Executive, Business, Classic and Standard, with relative port prices of 150, 140, 135, 120 and 100; for each profile the port bandwidth is split, in 25% steps, between four classes: Real-Time, Data-Interactive, Data-LAN2LAN and Best-Effort]
Evolution towards 5 or 6 PE-CE classes of service.
L3 VPN – Carrier Supporting Carrier
Sub-VPNs

[Figure: the customer's own MPLS VPN (customer VRFs, customer routing) carried inside one VRF of the operator's IP VPN, which also carries Internet and MPLS traffic]
• The SP offers only one VRF to the enterprise customer
• Labels are exchanged between PE and CE (not plain IP)
• The customer uses the operator's MPLS backbone to build its own MPLS VPN service
L3 VPN – Multi-VRF CE (VRF-lite)
• VRF: several separate routing and switching tables on one device
  - separate routing tables
  - separate forwarding tables (FIB)
  - interfaces (physical or logical) are associated with VRFs
• Today a fairly classic solution
• Requires several VRFs on the PE: strong dependency on the SP
• Requires several physical or logical links between the PE and the CE (802.1Q, GRE); over xDSL? (GRE tunnels CE-PE can be used)

[Figure: one CE with three VRFs, each reaching the PE over its own 802.1Q sub-interface or GRE tunnel]
L3 VPN – Multi-VRF (VRF-Lite)
Multi-VRF CE
Extends the VPN function into the CPE and the campus so that segmentation continues end to end without deploying a full PE.

[Figure: three sites, each with a Multi-VRF CE (CE1, CE2, CE3) connected to PE1, PE2, PE3 of the SP IP VPN; VRFs named Resources, Partners, Guests/NAC Quarantine and Contractors]
• Logical separation in the campus via VLANs or even VRFs on the Catalyst switches
• Layer 3 logical separation inside the CE through the Multi-VRF function
• The SP provides several VPNs for the same enterprise
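What the Multi-VRF CE slides describe, as an added example (not Cisco code): one box holding several independent routing tables, each bound to its own interfaces, where a lookup happens only in the VRF of the ingress interface. The VRF names follow the figure (Resources, Partners, Guests); the prefixes, next hops and interface names are constructed. The second check in forward() is the one a practitioner wants: a route whose egress interface belongs to another VRF is a configuration leak between segments and is refused.

```python
"""Multi-VRF CE (VRF-lite) isolation model: separate routing tables, interfaces
bound to exactly one VRF, lookups confined to the ingress interface's VRF.
Added example, not Cisco code; prefixes and interface names are constructed.
"""
import ipaddress


class Vrf:
    def __init__(self, name):
        self.name = name
        self.routes = []            # (network, next_hop, out_interface)
        self.interfaces = set()

    def add_route(self, prefix, next_hop, iface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, iface))
        # keep longest prefix first so the first hit is the best match
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        for net, nh, iface in self.routes:
            if addr in net:
                return nh, iface
        return None


class MultiVrfCe:
    """Interfaces (physical, VLAN or 802.1Q sub-interface) are bound to VRFs;
    anything unbound falls into the global table."""
    def __init__(self):
        self.vrfs = {"global": Vrf("global")}
        self.iface_vrf = {}

    def vrf(self, name):
        return self.vrfs.setdefault(name, Vrf(name))

    def bind(self, iface, vrf_name):
        self.vrf(vrf_name).interfaces.add(iface)
        self.iface_vrf[iface] = vrf_name

    def forward(self, in_iface, dst):
        """Returns (action, vrf_name, out_interface)."""
        vrf = self.vrfs[self.iface_vrf.get(in_iface, "global")]
        hit = vrf.lookup(dst)
        if hit is None:
            return ("drop", vrf.name, None)          # no route in this VRF
        nh, out_iface = hit
        if out_iface not in vrf.interfaces:
            return ("drop-leak", vrf.name, out_iface)  # route points out of the VRF
        return ("forward", vrf.name, out_iface)


def build_ce():
    """Constructed CE: one 802.1Q sub-interface per VRF towards the PE (the
    deck's 'several logical links PE-CE') and one LAN VLAN per VRF."""
    ce = MultiVrfCe()
    for vrf, sub, vlan in [("Resources", "Gi0/0.101", "Vlan10"),
                           ("Partners", "Gi0/0.102", "Vlan20"),
                           ("Guests", "Gi0/0.103", "Vlan30")]:
        ce.bind(sub, vrf)
        ce.bind(vlan, vrf)
    ce.vrf("Resources").add_route("10.1.0.0/16", "10.0.101.1", "Gi0/0.101")   # data center via PE
    ce.vrf("Resources").add_route("10.2.10.0/24", "connected", "Vlan10")
    ce.vrf("Partners").add_route("10.1.50.0/24", "10.0.102.1", "Gi0/0.102")   # partner-facing servers only
    ce.vrf("Guests").add_route("0.0.0.0/0", "10.0.103.1", "Gi0/0.103")         # Internet only
    return ce
```

A Partners host asking for a data-center address outside 10.1.50.0/24 gets "drop": the Partners table simply has no such route. A Guests host is forwarded to the guest VPN's default, never into the Resources VPN, because the tables are distinct.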
L2 VPNs
The Pseudo Wire reference model

[Figure: sites A1/A2 and B1/B2 attached to PEs through Pseudo Wire End-Services (PWES); pseudo wires run between the PEs inside a PSN tunnel and deliver the emulated service]
A Pseudo Wire (PW) is a connection between two PEs that connects two Pseudo Wire End-Services (PWESs).
Point-to-point service types:
• Ethernet
• 802.1Q (VLAN)
• HDLC
• PPP
• Frame Relay VC
• ATM VC or VP
L2 VPNs
AToM vs VPLS

Any Transport over MPLS (AToM): L2 hub and spoke, point-to-point
• point-to-point service
• hub and spoke through several point-to-point circuits from the central site
• interworking support between circuits of different types
• ideal for replacing the traditional WAN (Frame Relay model) and for dedicated point-to-point links in the MAN

Virtual Private LAN Service (VPLS): L2 full mesh, point-to-multipoint
• multipoint service
• Ethernet access to the SP
• the SP backbone emulates a LAN bridge (a flat switched network)
• open questions: scalability, handling of multicast flows
VPN DEPLOYED BY THE ENTERPRISE
L2VPN – Data center interconnection
Using EoMPLS

[Figure: Data Center 1 (CE1) – PE1 (Red-6500, Loop0 125.1.125.13) – MPLS network – PE2 (Red-6500) – CE2 (Data Center 2); each frame carries a tunnel label (103) and a VC label (89) in front of the payload]

PE configuration (as shown on the slide):

pseudowire-class eompls
 encapsulation mpls
!
interface GigabitEthernet1/4.601
 encapsulation dot1Q 601
 xconnect 125.1.125.13 601 pw-class eompls

Verification on the remote PE:

7600-LC-PE2#sh mpls l2transport vc det
Local interface: Gi1/4.601 up, line protocol up, Eth VLAN 601 up
  Destination address: 125.1.125.13, VC ID: 601, VC status: up
    Tunnel label: 103, next hop 125.1.103.26
    Output interface: Gi1/3, imposed label stack {103 89}
  Create time: 1w3d, last status change time: 1d02h
  Signaling protocol: LDP, peer 125.1.125.13:0 up
    MPLS VC labels: local 49, remote 89
    Group ID: local 0, remote 0
    MTU: local 9000, remote 9000
    Remote interface description:
  Sequencing: receive disabled, send disabled

Jumbo frame support: make sure every interface in the forwarding path has it enabled; the MTU advertised by both ends must match, otherwise the VC stays down.
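An operational check on the show output above, added here as an example (not Cisco code): parse the per-VC blocks and flag the conditions that keep an EoMPLS pseudowire from carrying traffic. The SAMPLE text is constructed: its first block copies the slide's output, its second block is an invented broken VC (VC ID 602 with a remote MTU of 1500 and no remote label) so that the checks have something to report.

```python
"""Check EoMPLS pseudowires from 'show mpls l2transport vc detail' output:
VC up, LDP peer up, a remote VC label learned, the bottom of the imposed label
stack equal to that remote label, and the same MTU on both ends.

Added example, not Cisco code. SAMPLE is constructed: the first VC copies the
deck's output, the second is an invented broken VC (VC ID 602).
"""
import re

SAMPLE = """\
Local interface: Gi1/4.601 up, line protocol up, Eth VLAN 601 up
  Destination address: 125.1.125.13, VC ID: 601, VC status: up
    Tunnel label: 103, next hop 125.1.103.26
    Output interface: Gi1/3, imposed label stack {103 89}
  Create time: 1w3d, last status change time: 1d02h
  Signaling protocol: LDP, peer 125.1.125.13:0 up
    MPLS VC labels: local 49, remote 89
    Group ID: local 0, remote 0
    MTU: local 9000, remote 9000
  Sequencing: receive disabled, send disabled
Local interface: Gi1/4.602 up, line protocol up, Eth VLAN 602 up
  Destination address: 125.1.125.13, VC ID: 602, VC status: down
  Signaling protocol: LDP, peer 125.1.125.13:0 up
    MPLS VC labels: local 50, remote unassigned
    MTU: local 9000, remote 1500
"""

PATTERNS = {
    "dest": re.compile(r"Destination address: (\S+), VC ID: (\d+), VC status: (\w+)"),
    "stack": re.compile(r"imposed label stack \{([\d ]*)\}"),
    "sig": re.compile(r"Signaling protocol: (\w+), peer (\S+) (\w+)"),
    "labels": re.compile(r"MPLS VC labels: local (\w+), remote (\w+)"),
    "mtu": re.compile(r"MTU: local (\d+), remote (\d+)"),
}


def parse_vcs(text):
    """One dict per 'Local interface:' block."""
    vcs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Local interface:"):
            cur = {"interface": line.split()[2]}
            vcs.append(cur)
            continue
        if cur is None:
            continue
        m = PATTERNS["dest"].match(line)
        if m:
            cur.update(peer=m.group(1), vc_id=int(m.group(2)), status=m.group(3))
        m = PATTERNS["stack"].search(line)
        if m:
            cur["label_stack"] = [int(x) for x in m.group(1).split()]
        m = PATTERNS["sig"].match(line)
        if m:
            cur.update(signaling=m.group(1), ldp_peer=m.group(2), ldp_state=m.group(3))
        m = PATTERNS["labels"].match(line)
        if m:
            cur["local_label"], cur["remote_label"] = m.group(1), m.group(2)
        m = PATTERNS["mtu"].match(line)
        if m:
            cur["mtu_local"], cur["mtu_remote"] = int(m.group(1)), int(m.group(2))
    return vcs


def check_vc(vc):
    """Return the list of problems found; an empty list means healthy."""
    problems = []
    if vc.get("status") != "up":
        problems.append("VC status is %s" % vc.get("status"))
    if vc.get("ldp_state") != "up":
        problems.append("LDP session to %s is %s" % (vc.get("ldp_peer"), vc.get("ldp_state")))
    if vc.get("mtu_local") != vc.get("mtu_remote"):
        problems.append("MTU mismatch: local %s, remote %s" % (vc.get("mtu_local"), vc.get("mtu_remote")))
    remote = vc.get("remote_label", "")
    if not remote.isdigit():
        problems.append("no remote VC label learned")
    elif vc.get("label_stack") and vc["label_stack"][-1] != int(remote):
        problems.append("bottom label %d != remote VC label %s" % (vc["label_stack"][-1], remote))
    return problems


def report(text):
    """Map VC ID -> list of problems for every VC in the output."""
    return {vc["vc_id"]: check_vc(vc) for vc in parse_vcs(text)}
```

The bottom-of-stack check ties the show output back to the label hierarchy: the last label imposed locally must be the VC label the remote PE signalled over LDP, or the far end will discard the frames.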
L3 VPN service
MPLS-VPN built by the enterprise itself

[Figure: CEs attached to PEs that hold the VRFs; a PE-CE routing protocol on the access side, LDP between PEs and P routers in the core, and iBGP VPNv4 sessions between PEs to exchange VPN labels]
IPsec VPN in the enterprise WAN
Why use an IPsec VPN?
• Encryption on traditional WAN links (e.g. Frame Relay, ATM, leased lines)
• Compliance with new legislation: HIPAA, Sarbanes-Oxley (SOx), the Basel accord (Europe), etc.
• Migration of a traditional WAN to a low-cost service (e.g. Internet, broadband)
• Use of an Internet service as secondary WAN, as backup, or as the link for non-critical, high-bandwidth traffic
• Extension of site services to teleworkers
Using an operator IP-VPN
Typical architecture

[Figure: a site with two CE routers; each runs eBGP to the SP IP VPN and to the Internet; the two CEs are tied together with HSRP or iBGP]
Using tunnels over IP-VPNs
Multipoint GRE
mGRE with NHRP (RFC 2332)

[Figure: multipoint-to-point GRE tunnels over the IP VPN and over the Internet, with eBGP towards the SP underneath]
1. Backup with the features of the IGP: fast, tunable with the backoff timers
2. Site routing isolated from the SP
3. Multicast flows supported
Using tunnels over IP-VPNs
Multipoint GRE + IPsec
DMVPN over MPLS-VPN

[Figure: as above, the mGRE tunnels now protected by IPsec]
1. Backup with the features of the IGP: fast, tunable with the backoff timers
2. Site routing isolated from the SP
3. Multicast flows supported
4. Flows are encrypted
5. The PKI is managed by the enterprise
Summary
Operator-managed versus deployed by the enterprise

OPERATOR-MANAGED VPN
• Outsourcing strategy (managed CPE/routing/QoS)
• No MPLS required on the CE
• Well suited to a small number of VRFs
• Possible to keep control of a few services, but rather few
• But:
  - increased dependency on the SP
  - adding a VPN means creating a sub-interface at every site concerned
  - the cost can become prohibitive depending on the number of VRFs and sites

VPN DEPLOYED BY THE ENTERPRISE
• Insourcing strategy
• IP segmentation services: building an SP-style network for customers internal to the enterprise
• Increased security (closed user groups): worms are isolated and contained
• Easy integration of new entities or partners
• Data center consolidation: front-end access virtualisation, centralised network services, VLAN extension over the MAN/WAN
Quality of service
Multiservice IP applications

[Chart: per-application requirements, as read from the figure]
  VoIP:        bandwidth in tens of kbps, rare loss, latency < 150 ms, jitter < 30 ms
  ERP:         bandwidth in tens of kbps, TCP-controlled loss, latency < 300 ms, no jitter sensitivity
  Multimedia:  bandwidth in Mbps, rare loss, latency < 300 ms, jitter < 300 ms
  VPN:         latency in seconds, jitter in seconds
  Web/URL:     bursty bandwidth, resilient to loss, no latency control, indifferent to jitter
Non-uniform network traffic demands QoS.
So, what is quality of service?
"A collection of technologies which allows applications/users to request and receive predictable service levels in terms of data throughput capacity (bandwidth), latency variations (jitter) and delay."
QoS factors: delay (latency), delay variation (jitter), packet loss.
Effects of latency on voice

[Chart: one-way delay from 0 to 800 ms. Up to about 150 ms: high quality; then fax relay and broadcast quality, then satellite quality, then the "CB zone" where both parties talk over each other ("Hello? Hello?", the "human Ethernet" to avoid)]
Delay target: the ITU G.114 recommendation is ≤ 150 ms one-way delay.
Elements that affect latency and jitter

[Figure: branch office with an SRST router and PSTN fallback, IP WAN, campus]
• CODEC: G.729A, 25 ms (fixed)
• Queuing: variable
• Serialization: fixed for a given packet size and link speed
• Propagation: fixed (6.3 µs/km) + network delay (variable)
• Jitter buffer: 20-50 ms
End-to-end delay must be ≤ 150 ms.
Delay and latency
• Router latency: less than 100 µs for a Cisco 7500 (64-byte packets; varies with packet size)
• Insertion delay (a.k.a. serialization delay) for a 250-byte packet (2,000 bits):
  about 8 ms on a 256 kbps link
  1 ms on a 2 Mbps link
  0.2 ms on a 10 Mbps link
  0.02 ms on a 100 Mbps link
• Queuing delay = queue depth x insertion delay, e.g. with 40 such packets ahead:
  about 310 ms at 256 kbps
  40 ms at 2 Mbps
• Effect of RTT with a 16 KB TCP window (throughput is bounded by window / RTT):
  500 µs RTT -> about 260 Mbps
  12 ms RTT -> about 11 Mbps
  120 ms RTT -> about 1 Mbps
Packet loss limitations

[Figure: voice packets 1 to 4 are sent, packet 3 is lost, and the DSP reconstructs voice sample 3 from its neighbours]
• Cisco DSP codecs can use predictor algorithms to compensate for a single lost packet
• Two lost packets in a row cause an audible clip in the conversation
QoS requirements for voice
Voice traffic is smooth, benign, drop sensitive and delay sensitive: UDP, priority queue.
One-way requirements:
• latency ≤ 150 ms
• jitter ≤ 30 ms
• loss ≤ 1%
• 17-106 kbps of guaranteed priority bandwidth per call
• 150 bps (+ layer 2 overhead) of guaranteed bandwidth per call for voice-control traffic
QoS requirements for video conferencing
Video traffic is bursty, greedy, drop sensitive and delay sensitive: UDP, priority queue.
One-way requirements:
• latency ≤ 150 ms
• jitter ≤ 30 ms
• loss ≤ 1%
• minimum priority bandwidth guarantee: video stream + 20%, e.g. a 384 kbps stream needs 460 kbps of priority bandwidth
QoS requirements for data
Data traffic is smooth or bursty, benign or greedy, drop insensitive and delay insensitive: TCP retransmits.
• Different applications have different traffic characteristics
• Different versions of the same application can have different traffic characteristics
• Classify data into a relative-priority model with no more than four classes:
  Gold: mission-critical apps (ERP apps, transactions)
  Silver: guaranteed bandwidth (intranet, messaging)
  Bronze: best effort (e-mail, Internet)
  Less-than-best-effort: scavenger (FTP, backups, Napster/Kazaa)
IntServ / DiffServ models
• The original IP service: best effort, no state in the network
• Per-application-flow reservation: IntServ / RSVP, per-flow state
• Per-class-of-service bandwidth reservation: DiffServ, per-class state backed by an SLA
Differentiated Services
DS field (RFC 2474): DSCP (6 bits) + CU (2 bits)
Sharing resources via classes of service (as read from the chart):
  Platinum:    real-time queue (EF, RFC 3246)                                       voice (ToIP / video)
  Gold:        guaranteed service (AF, RFC 2597), minimum/maximum controlled         video distribution, streaming
  Silver:      guaranteed service (AF, RFC 2597), guaranteed bandwidth, low drop     legacy (SNA, ...), e-commerce / e-business (ERP, SCM, ...)
  Bronze:      premium IP (AF, RFC 2597), guaranteed bandwidth                       e-mail, web
  Best effort: minimum bandwidth guaranteed, high level of overbooking
Architecture: RFC 2474, RFC 2475.
DiffServ architecture: RFC 2475
[Figure: the packet path, classification -> shaping -> access queueing -> policing -> core queueing, each stage handling the VoIP, Business and Best-Effort classes]
Design approach to enabling QoS
• Classification: mark the packets with a specific priority denoting a requirement for class of service from the network
• Trust boundary: define and enforce a trust boundary at the network edge
• Scheduling: assign packets to one of multiple queues (based on classification) for expedited treatment throughout the network; use congestion avoidance for data
• Provisioning: accurately calculate the required bandwidth for all applications plus element overhead
[Figure: branch office, PSTN, IP WAN, campus]
QoS tools mapped to design requirements
[Figure: branch office (branch switch, branch router, SRST router), PSTN, IP WAN, WAN aggregator, campus (distribution, access)]
• Campus access: inline power, multiple queues, 802.1Q/p, DSCP
• Campus distribution: multiple queues, 802.1Q/p, DSCP, fast link convergence
• WAN aggregator: bandwidth provisioning, LLQ, CBWFQ, WRED, LFI/FRF.12, cRTP, FRTS/dTS, DSCP
• Branch router: LLQ, CBWFQ, WRED, LFI/FRF.12, cRTP, FRTS, 802.1Q/p, DSCP, NBAR
• Branch switch: inline power, multiple queues, 802.1Q/p
QoS toolset
• Classification
• Policing / shaping
• Scheduling / queueing
• Congestion avoidance
Classification tools:
Ethernet 802.1Q Class of Service

[Figure: Ethernet frame: preamble, SFD, DA, SA, 4-byte 802.1Q TAG, Type, Data, FCS. The tag carries the 3-bit PRI (802.1p user priority), the CFI bit and the 12-bit VLAN ID]
• The 802.1p user priority field is also called Class of Service (CoS)
• Different types of traffic are assigned different CoS values
• CoS 6 and 7 are reserved for network use

  CoS  Application
  7    Reserved
  6    Reserved
  5    Voice bearer
  4    Video conferencing
  3    Call signaling
  2    High priority data
  1    Medium priority data
  0    Best effort data
Classification tools:
IPv4 IP Precedence and DiffServ Code Points

[Figure: IPv4 header: Version, Length, ToS byte, Len, ID, Offset, TTL, Proto, header checksum, IP SA, IP DA, Data. ToS byte bits 7..0: bits 7-5 = IP Precedence (standard IPv4), bits 7-2 = DiffServ Code Point, bits 1-0 = ECN]
• IPv4: the three most significant bits of the ToS byte are called IP Precedence (IPP); the remaining bits were little used
• DiffServ: the six most significant bits of the ToS byte are called the DiffServ Code Point (DSCP); the remaining two bits are used for Explicit Congestion Notification (ECN, RFC 3168), not flow control
• DSCP is backward-compatible with IP Precedence (the IPP value is the three high bits of the DSCP)
Classification tools:
QoS classification summary

  Application                 IPP  PHB   DSCP        L2 CoS  MPLS EXP
  Reserved                    7    -     56-63       7       7
  Reserved                    6    -     48-55       6       6
  Voice bearer                5    EF    46          5       5
  Video conferencing          4    AF41  34          4       4
  Call signaling              3    AF31  26          3       3
  High priority data          2    AF2y  18, 20, 22  2       2
  Medium priority data        1    AF1y  10, 12, 14  1       1
  Best effort data            0    BE    0           0       0
  Less-than-best-effort data  0    -     2, 4, 6     0       0
Classification tools:
Network-Based Application Recognition

[Figure: NBAR looks beyond the L2 header (MAC/CoS, DE/CLP/MPLS EXP), the IP header (ToS/DSCP, source and destination IP) and the TCP/UDP ports into the data payload, using protocol description language modules (PDLM)]
Protocols recognised include: citrix, cuseeme, custom, exchange, fasttrack, ftp, gnutella, http, imap, irc, kerberos, ldap, napster, netshow, nntp, notes, novadigm, pcanywhere, pop3, rcmd, realaudio, secure-telnet, smtp, snmp, socks, sqlnet, sqlserver, ssh, streamwork, sunrpc, syslog, telnet, tftp, vdolive, xwindows.
Classification tools:
Trust boundaries

[Figure: endpoints -> access -> distribution -> core -> WAN aggregation; candidate trust boundaries marked 1 (endpoint, e.g. IP phone), 2 (access switch) and 3 (distribution switch)]
• A device is trusted if it correctly classifies packets
• For scalability, classification should be done as close to the edge as possible
• The outermost trusted devices represent the trust boundary
• 1 and 2 are optimal; 3 is acceptable (if the access switch cannot perform classification)
Classification tools:
Connecting the IP phone

[Figure: a Catalyst 6000 port carries an 802.1Q trunk with 802.1p layer 2 CoS to the IP phone (10.1.110.3) on the auxiliary VLAN 110; the desktop PC (171.1.10.3) behind the phone sits on the PC VLAN 10, which is the native VLAN (PVID), so no configuration change is needed on the PC]
Classification tools:
Extended trust
A new concept: trust is assigned to a device that is not directly connected to the switch port. It allows an intermediate "trusted" device (the IP phone) to modify the priority assigned by the device downstream of it (the PC).
[Figure: trusted device (phone) between the switch and the untrusted device (PC) sending data]
The trust boundary feature lets the trusted device specify, via CDP, the priority of the downstream (untrusted) device.
Classification tools:
PC CoS settings are not trusted
[Figure: the PC sends frames tagged CoS=5; the phone re-marks them to CoS=0 before forwarding them to the switch]
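The classification and trust-boundary slides (802.1Q CoS, IPv4 DSCP, the classification summary, and the phone re-marking an untrusted PC's CoS to 0) in one added example that is not part of the Cisco deck: it parses a constructed 802.1Q-tagged IPv4 frame, reads CoS and DSCP, names the PHB, and applies the edge trust policy. The frame bytes, MAC addresses and the port trust labels ("untrusted", "trust-cos") are assumptions made for the demonstration; the CoS-to-DSCP table follows the deck.

```python
"""Parse an 802.1Q-tagged IPv4 frame (CoS, VLAN, DSCP, ECN), name the PHB, and
apply the trust boundary: an untrusted port (PC) is re-marked to CoS 0 / DSCP 0,
a trusted port (IP phone, uplink) keeps its CoS and derives DSCP from it.

Added example, not Cisco code. Frame bytes and MAC addresses are constructed;
the CoS-to-DSCP mapping is the deck's classification summary.
"""
import struct

# Deck's classification summary: CoS -> DSCP (5 = EF, 4 = AF41, 3 = AF31, ...).
COS_TO_DSCP = {0: 0, 1: 10, 2: 18, 3: 26, 4: 34, 5: 46, 6: 48, 7: 56}

# DSCP -> PHB name: EF, AFxy (8*class + 2*drop), CSx (8*x), BE.
PHB_BY_DSCP = {46: "EF", 0: "BE"}
for _cls in range(1, 5):
    for _drop in range(1, 4):
        PHB_BY_DSCP[8 * _cls + 2 * _drop] = "AF%d%d" % (_cls, _drop)
for _cs in range(1, 8):
    PHB_BY_DSCP.setdefault(8 * _cs, "CS%d" % _cs)


def parse_dot1q_ipv4(frame):
    """Return the L2 and L3 markings of a tagged IPv4 frame."""
    dst, src = frame[0:6], frame[6:12]
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != 0x8100:
        raise ValueError("not an 802.1Q-tagged frame")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    cos, cfi, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF   # PRI(3) CFI(1) VID(12)
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    tos = frame[19]                                              # 2nd byte of the IPv4 header
    dscp, ecn = tos >> 2, tos & 0x3                              # DSCP(6) ECN(2)
    return {"dst": dst.hex(), "src": src.hex(), "cos": cos, "cfi": cfi, "vlan": vid,
            "dscp": dscp, "ecn": ecn, "ipp": dscp >> 3,
            "phb": PHB_BY_DSCP.get(dscp, "DSCP%d" % dscp)}


def build_frame(vlan, cos, dscp, src_mac=b"\x00\x11\x22\x33\x44\x55"):
    """Constructed frame: broadcast DA, 802.1Q tag, minimal IPv4 header, padding."""
    tci = (cos << 13) | vlan
    ip_hdr = bytes([0x45, dscp << 2]) + b"\x00\x3c" + b"\x00" * 16   # no checksum, demo only
    return b"\xff" * 6 + src_mac + struct.pack("!HHH", 0x8100, tci, 0x0800) + ip_hdr + b"\x00" * 40


def apply_trust(frame, port_trust):
    """port_trust: 'untrusted' (PC port) or 'trust-cos' (phone/uplink port).
    Returns the markings the switch forwards with."""
    f = parse_dot1q_ipv4(frame)
    if port_trust == "untrusted":
        f["cos"], f["dscp"], f["ipp"], f["phb"] = 0, 0, 0, "BE"    # PC's CoS=5 becomes CoS=0
    elif port_trust == "trust-cos":
        f["dscp"] = COS_TO_DSCP[f["cos"]]                           # L2 CoS drives the L3 marking
        f["ipp"], f["phb"] = f["dscp"] >> 3, PHB_BY_DSCP[f["dscp"]]
    else:
        raise ValueError("unknown trust setting %r" % port_trust)
    return f
```

A PC that tags its own traffic CoS 5 / DSCP 46 to jump into the voice queue is caught at the boundary: apply_trust() on the untrusted port returns best effort, whereas the same frame from the phone's trusted port keeps EF.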
Policers and shapers

[Figure: traffic at line rate without shaping versus traffic smoothed to the shaped rate with shaping]
Traffic shaping limits the transmit rate to a value lower than the line rate.
• Policers typically drop traffic (no buffering, TCP retransmits); they can be applied in both directions
• Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops
Traffic shaping and policing mechanisms
Shaping mechanisms:
• class-based shaping
• Frame Relay traffic shaping (FRTS)
• generic traffic shaping (GTS)
Policing mechanisms:
• two-rate policer
• class-based policing
• committed access rate (CAR)
RFC 2697: single rate policer

[Figure: two token buckets refilled at the committed information rate (CIR); the committed burst Bc fills first and its overflow spills into the excess burst Be]
Bc = committed burst, Bc = CIR x Tc (Tc = measurement interval); Be = excess burst.
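The RFC 2697 single rate three color marker of the figure, as an added example (not Cisco code): two buckets of size Bc and Be, both fed at CIR, with overflow from the committed bucket spilling into the excess bucket, and each packet coloured green, yellow or red. Run in colour-blind mode, as a PE-CE edge policer normally would. The CIR, Tc and the packet trace are constructed.

```python
"""RFC 2697 single-rate three-color marker (srTCM), color-blind mode.
Bucket C holds up to CBS (= Bc) bytes, bucket E up to EBS (= Be) bytes; both
refill at CIR, C first, with C's overflow going into E. A packet of B bytes
is green if C has B tokens, else yellow if E has B tokens, else red.

Added example, not Cisco code; CIR/Bc/Be and the trace are constructed.
"""


class SingleRateTcm:
    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.cir = cir_bps / 8.0          # bytes per second
        self.cbs, self.ebs = bc_bytes, be_bytes
        self.tc, self.te = bc_bytes, be_bytes   # both buckets start full
        self.last = 0.0

    def _refill(self, now):
        tokens = max(0.0, now - self.last) * self.cir
        self.last = max(self.last, now)
        spill = max(0.0, self.tc + tokens - self.cbs)   # what C cannot hold
        self.tc = min(self.cbs, self.tc + tokens)
        self.te = min(self.ebs, self.te + spill)

    def mark(self, now, size):
        """Colour one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "green"
        if self.te >= size:
            self.te -= size
            return "yellow"
        return "red"


def bc_for(cir_bps, tc_seconds):
    """The deck's Bc = CIR x Tc, in bytes."""
    return int(cir_bps * tc_seconds / 8)


def run_trace(policer, trace):
    """trace: list of (time_s, size_bytes); returns the colour of each packet."""
    return [policer.mark(t, s) for t, s in trace]


# Constructed trace on a 64 kbps CIR with Tc = 125 ms, so Bc = Be = 1000 bytes.
TRACE = [(0.0, 1000), (0.0, 1000), (0.0, 1000),
         (0.125, 1000), (0.125, 500),
         (0.375, 600), (0.375, 600), (0.375, 600)]


def demo():
    return run_trace(SingleRateTcm(64_000, bc_for(64_000, 0.125), 1000), TRACE)
```

In a typical deployment green is forwarded as marked, yellow is re-marked to a higher drop precedence (AF12 instead of AF11, for instance) and red is dropped, which is the "policers drop, no buffering" behaviour contrasted with shaping above.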
Scheduling tools:
Queuing algorithms

[Figure: voice, video and data packets arriving on separate queues are interleaved onto the output link, voice first]
• Congestion can occur at any point in the network where there are speed mismatches
• Low-Latency Queuing (LLQ) is used for the highest-priority traffic (voice/video)
• Class-Based Weighted-Fair Queuing (CBWFQ) is used to guarantee bandwidth to data applications
Output interface queue structure
[Figure: forwarder -> software queuing system (any supported queuing mechanism) -> hardware queue (TxQ, always FIFO) -> output interface]
• Each interface has a hardware and a software queuing system
• The hardware queuing system (transmit queue, or TxQ) always uses FIFO queuing
• The software queuing system can be selected and configured depending on the platform and Cisco IOS version
Class-based queueing
[Figure: packets are classified by DSCP, ToS or ACL into an Expedite class served by strict-priority LLQ (15%), CBWFQ classes Business (20%) and Normal (30%), and a Best Effort class served by flow-based WFQ; the scheduler feeds the transmit queue. Options shown: multiple LLQ classes, maximum-bandwidth shaping per class, WRED thresholds per class or overall]
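The LLQ + CBWFQ scheduler of the two slides above, as an added example that is not Cisco code: a strict-priority queue for voice that is policed to its configured share (15% here) so that it cannot starve the other classes, followed by weighted sharing of what is left between the CBWFQ classes. The weighted sharing is implemented as deficit round robin, a simplification of IOS's finish-time-based WFQ; the link speed, class percentages and packet sizes are constructed, and the priority class is policed in every interval (IOS polices it only under congestion).

```python
"""LLQ + CBWFQ output scheduling over one service interval.
1. Priority queue served first, but only up to its policed share of the link;
   priority packets beyond that are dropped, never delayed.
2. Remaining capacity shared between the CBWFQ classes by deficit round robin
   with quanta proportional to their bandwidth percentages; a class with no
   backlog gives up its share to the others.

Added example, not Cisco code; link speed, percentages and packet sizes are constructed.
"""
from collections import deque


class LlqCbwfq:
    def __init__(self, link_bps, priority_pct, class_pct):
        self.link = link_bps
        self.priority_pct = priority_pct
        self.class_pct = class_pct                          # CBWFQ class -> percent
        self.queues = {c: deque() for c in ["priority", *class_pct]}
        self.quantum = {c: pct * 100 for c, pct in class_pct.items()}   # DRR quantum, bytes/round
        self.deficit = {c: 0 for c in class_pct}

    def enqueue(self, cls, size_bytes):
        self.queues[cls].append(size_bytes)

    def serve(self, seconds):
        """Serve `seconds` of link time; returns bytes sent per class plus
        the priority bytes dropped by the LLQ policer."""
        budget = int(self.link * seconds / 8)               # bytes the link can carry
        sent = {c: 0 for c in self.queues}
        sent["priority_dropped"] = 0

        # 1. LLQ: strict priority, policed to its share of the interval
        prio_cap = int(budget * self.priority_pct / 100)
        q = self.queues["priority"]
        while q and q[0] <= prio_cap:
            size = q.popleft()
            sent["priority"] += size
            prio_cap -= size
            budget -= size
        while q:                                            # excess voice is dropped
            sent["priority_dropped"] += q.popleft()

        # 2. CBWFQ: deficit round robin over the data classes
        classes = list(self.class_pct)
        while budget > 0:
            heads = [self.queues[c][0] for c in classes if self.queues[c]]
            if not heads or min(heads) > budget:
                break                                       # nothing left that fits
            for c in classes:
                q = self.queues[c]
                if not q:
                    self.deficit[c] = 0                     # idle class keeps no credit
                    continue
                self.deficit[c] += self.quantum[c]
                while q and q[0] <= self.deficit[c] and q[0] <= budget:
                    size = q.popleft()
                    self.deficit[c] -= size
                    budget -= size
                    sent[c] += size
        return sent


def congested_second():
    """1 Mbps link, 1 s: 100 voice packets of 200 B (20 kB, above the 15% cap),
    200 x 1000 B in each data class."""
    s = LlqCbwfq(1_000_000, 15, {"business": 20, "normal": 30})
    for _ in range(100):
        s.enqueue("priority", 200)
    for _ in range(200):
        s.enqueue("business", 1000)
        s.enqueue("normal", 1000)
    return s.serve(1.0)
```

With the queues of congested_second(), voice gets exactly its 15% (18,600 of the 20,000 bytes offered; the rest is policed away rather than queued, which is what keeps its latency low), and the 106,400 bytes left are split 2:3 between Business and Normal.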
Scheduling tools:
Congestion avoidance algorithms
[Figure: a queue with tail drop versus WRED, which starts dropping lower-priority packets before the queue is full]
• Queueing algorithms manage the front of the queue, i.e. which packets get transmitted first
• Congestion avoidance algorithms, like Weighted Random Early Detection (WRED), manage the tail of the queue, i.e. which packets get dropped first when the queueing buffers fill
• WRED can operate in a DiffServ-compliant mode, dropping packets according to their DSCP markings
• WRED works best with TCP-based applications, like data
Provisioning Tools:
Link-Fragmentation and Interleaving
[Diagram: without LFI a Voice packet waits behind a string of large DATA frames (serialization can cause excessive delay); with fragmentation and interleaving, serialization delay is minimized]
• Serialization delay is the finite amount of time required to put frames on a wire
• For links ≤ 768 kbps serialization delay is a major factor affecting latency and jitter
• For such slow links, large data packets need to be fragmented and interleaved with smaller, more urgent voice packets
Fragment Size Recommendations
LFI Fragment Information

Serialization Delay Matrix
Link Speed   64 Bytes   128 Bytes   256 Bytes   512 Bytes   1024 Bytes   1500 Bytes
56 kbps      9ms        18ms        36ms        72ms        144ms        214ms
64 kbps      8ms        16ms        32ms        64ms        128ms        187ms
128 kbps     4ms        8ms         16ms        32ms        64ms         93ms
256 kbps     2ms        4ms         8ms         16ms        32ms         46ms
512 kbps     1ms        2ms         4ms         8ms         16ms         23ms
768 kbps     640usec    1.2ms       2.6ms       5ms         10ms         15ms

Fragmentation Size Matrix (based on 10msec delay)
Link Speed   Frag Size
56 kbps      70 Bytes
64 kbps      80 Bytes
128 kbps     160 Bytes
256 kbps     320 Bytes
512 kbps     640 Bytes
768 kbps     1000 Bytes
1536 kbps    2000 Bytes   X
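An added example (not part of the deck) that computes both matrices from the definitions above: serialization delay is frame bits divided by link rate, and the fragment size is the link rate times the target delay. Values are truncated to whole ms, which reproduces the 64 to 512 kbps rows exactly; the deck's 56 kbps and 768 kbps rows, and its 1000/2000-byte fragment sizes, are rounded approximations of the computed values.

```python
"""Serialization delay and LFI fragment-size helper.

Added example, not from the original deck. Link speeds are taken as nominal
kbps; the deck rounds a few cells differently (see lead-in).
"""

LFI_THRESHOLD_KBPS = 768  # slide: links <= 768 kbps need fragmentation/interleaving


def serialization_delay_ms(frame_bytes: int, link_kbps: int) -> float:
    """Time to clock one frame of frame_bytes onto a link_kbps link."""
    return frame_bytes * 8 / link_kbps        # bits / (kbit/s) = ms


def fragment_size_bytes(link_kbps: int, target_delay_ms: float = 10.0) -> int:
    """Largest fragment whose serialization delay stays within target_delay_ms."""
    return int(link_kbps * target_delay_ms / 8)


def lfi_required(link_kbps: int) -> bool:
    """Apply the deck's rule of thumb: LFI for links at or below 768 kbps."""
    return link_kbps <= LFI_THRESHOLD_KBPS


def worst_case_voice_wait_ms(link_kbps: int, fragment_bytes: int = 0,
                             mtu_bytes: int = 1500) -> float:
    """Longest time a voice packet can wait behind one data frame that is
    already being serialized: a full MTU without LFI, one fragment with LFI."""
    blocking = fragment_bytes or mtu_bytes
    return serialization_delay_ms(blocking, link_kbps)


def delay_matrix(speeds_kbps, sizes_bytes):
    """Rows = link speeds, columns = frame sizes, values in whole ms (truncated)."""
    return {s: {b: int(serialization_delay_ms(b, s)) for b in sizes_bytes}
            for s in speeds_kbps}


if __name__ == "__main__":
    sizes = (64, 128, 256, 512, 1024, 1500)
    print("kbps  " + "".join(f"{b:>8}B" for b in sizes))
    for speed, row in delay_matrix((56, 64, 128, 256, 512, 768), sizes).items():
        print(f"{speed:>5} " + "".join(f"{row[b]:>7}ms" for b in sizes))
    for speed in (56, 64, 128, 256, 512, 768, 1536):
        print(f"{speed:>5} kbps -> fragment {fragment_size_bytes(speed)} B, "
              f"LFI {'required' if lfi_required(speed) else 'not required'}, "
              f"worst voice wait {worst_case_voice_wait_ms(speed):.1f} ms without LFI")
```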
Provisioning for Voice:
VoIP Bandwidth Reference Tables
CODEC    Sampling Rate   Voice Payload in Bytes   Packets per Second   Bandwidth per Conversation
G.711    20 msec         160                      50                   80 kbps
G.711    30 msec         240                      33                   74 kbps
G.729A   20 msec         20                       50                   24 kbps
G.729A   30 msec         30                       33                   19 kbps

A more accurate method for provisioning is to include the Layer 2 Overhead into the bandwidth calculations:
CODEC              802.1Q Ethernet   MLP             Frame-Relay    ATM
                   + 32 L2 Bytes     + 13 L2 Bytes   + 8 L2 Bytes   + Variable L2 Bytes (Cell Padding)
G.711 at 50 pps    93 kbps           86 kbps         84 kbps        106 kbps
G.711 at 33 pps    83 kbps           78 kbps         77 kbps        84 kbps
G.729A at 50 pps   37 kbps           30 kbps         28 kbps        43 kbps
G.729A at 33 pps   27 kbps           22 kbps         21 kbps        28 kbps
Provisioning for Voice:
Call Admission Control (CAC): Why Is It Needed?
[Diagram: Circuit-Switched Networks: a PBX with physical trunks to the PSTN, where the 3rd call is rejected. Packet-Switched Networks: Call Manager, Router/Gateway and an IP WAN link provisioned for 2 VoIP calls (equivalent to 2 "virtual" trunks); there is no physical limitation on IP links, so if the 3rd call is accepted the voice quality of all calls degrades (STOP)]
CAC limits # of VoIP calls on each WAN link
WAN Scheduling Design Principles
[Diagram: link capacity split between Voice, Video, Voice/Video Control, Data, and Routing + L2 Overhead; Voice + Video within 33% of the link, all policed classes within 75% of link capacity, the remainder being reserved link capacity]
LLQ (Voice) + LLQ (Video) ≤ 33% of Link Capacity
LLQ (Voice) + LLQ (Video) + CBWFQ (All Data) ≤ 75% of Link
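An added example (not from the deck) that ties the VoIP bandwidth tables, the CAC slide and the two design inequalities above together: it recomputes the per-call figures from 40 bytes of IP/UDP/RTP header plus the listed Layer 2 overheads (ceiling to whole kbps, 33 pps for 30 ms sampling), then derives how many calls CAC should admit within the 33% LLQ budget. The deck only says "variable" for ATM; the 8-byte AAL5 trailer and padding to whole 53-byte cells (48 payload bytes each) is this example's assumption.

```python
"""VoIP per-call bandwidth, LLQ budget and CAC call limit.

Added example, not from the original deck. ATM overhead model (AAL5
trailer + cell padding) is an assumption, see lead-in.
"""
import math

IP_UDP_RTP_BYTES = 40
L2_OVERHEAD_BYTES = {"none": 0, "802.1Q Ethernet": 32, "MLP": 13, "Frame-Relay": 8}
CODEC_BYTES_PER_MS = {"G.711": 8, "G.729A": 1}    # 64 kbps and 8 kbps codecs
VOICE_VIDEO_LLQ_SHARE = 0.33                      # LLQ(voice) + LLQ(video) <= 33 %
TOTAL_POLICED_SHARE = 0.75                        # ... + CBWFQ(all data) <= 75 %


def packets_per_second(sample_ms: int) -> int:
    return 1000 // sample_ms                      # 20 ms -> 50 pps, 30 ms -> 33 pps


def per_call_kbps(codec: str, sample_ms: int, l2: str = "none") -> int:
    """Bandwidth of one conversation, one direction, rounded up to whole kbps."""
    payload = CODEC_BYTES_PER_MS[codec] * sample_ms
    l3_packet = payload + IP_UDP_RTP_BYTES
    if l2 == "ATM":
        cells = math.ceil((l3_packet + 8) / 48)   # assumed: AAL5 trailer, cell padding
        frame = cells * 53
    else:
        frame = l3_packet + L2_OVERHEAD_BYTES[l2]
    bits_per_s = frame * 8 * packets_per_second(sample_ms)
    return -(-bits_per_s // 1000)                 # ceiling division to kbps


def llq_voice_budget_kbps(link_kbps: int, video_llq_kbps: int = 0) -> int:
    """Bandwidth left for the voice LLQ under the 33 % design rule."""
    return int(link_kbps * VOICE_VIDEO_LLQ_SHARE) - video_llq_kbps


def cac_call_limit(link_kbps: int, codec: str, sample_ms: int, l2: str,
                   video_llq_kbps: int = 0) -> int:
    """Number of simultaneous calls CAC should admit on this WAN link."""
    budget = llq_voice_budget_kbps(link_kbps, video_llq_kbps)
    return max(0, budget // per_call_kbps(codec, sample_ms, l2))


def design_check(link_kbps, voice_llq_kbps, video_llq_kbps, data_cbwfq_kbps):
    """Evaluate both inequalities from the design-principles slide."""
    llq = voice_llq_kbps + video_llq_kbps
    return (llq <= link_kbps * VOICE_VIDEO_LLQ_SHARE,
            llq + data_cbwfq_kbps <= link_kbps * TOTAL_POLICED_SHARE)


if __name__ == "__main__":
    for codec in ("G.711", "G.729A"):
        for ms in (20, 30):
            row = [per_call_kbps(codec, ms, l2) for l2 in
                   ("none", "802.1Q Ethernet", "MLP", "Frame-Relay", "ATM")]
            print(f"{codec} {ms} ms: {row} kbps")
    print("G.729A/20 ms calls admitted on a 512 kbps Frame-Relay link:",
          cac_call_limit(512, "G.729A", 20, "Frame-Relay"))
    # 522/491/768 kbps are the class bandwidths in the show policy interface
    # output later in the deck, which imply a link of roughly 3072 kbps.
    print("design rules on a 3072 kbps link:", design_check(3072, 522, 491, 768))
```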
Management Tools
• QoS is efficiently scaled with a centralized management server
• QoS deployment is best followed by ongoing monitoring to ensure that targeted service-levels are being provided
• QoS policies need periodic tuning to adjust to changing business needs
show policy
WAN-AGG-7200#show policy
  Policy Map WAN-EDGE
    Class VOICE
      Weighted Fair Queueing
        Strict Priority
        Bandwidth 17 (%)
    Class VIDEO
      Weighted Fair Queueing
        Strict Priority
        Bandwidth 16 (%) Burst 30000 (Bytes)
    Class VOICE-CONTROL
      Weighted Fair Queueing
        Bandwidth 2 (%) Max Threshold 64 (packets)
    Class GOLD-DATA
      Weighted Fair Queueing
        Bandwidth 25 (%)
        exponential weight 9
        dscp    min-threshold    max-threshold    mark-probablity
        ---------------------------------------------------------…
        af21                                      1/10
        af22                                      1/10
        af23                                      1/10
        …
show policy interface
WAN-AGG-7200#show policy interface multilink 1
 Multilink1
  Service-policy output: WAN-EDGE
    Class-map: VOICE (match-all)
      235728 packets, 45259776 bytes
      30 second offered rate 512000 bps, drop rate 0 bps
      Match: ip dscp 46
      Weighted Fair Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 17 (%)
        Bandwidth 522 (kbps) Burst 13050 (Bytes)
        (pkts matched/bytes matched) 235729/45259968
        (total drops/bytes drops) 0/0
    Class-map: VIDEO (match-all)
      64405 packets, 42852720 bytes
      30 second offered rate 485000 bps, drop rate 0 bps
      Match: ip dscp 34
      Weighted Fair Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 16 (%)
        Bandwidth 491 (kbps) Burst 30000 (Bytes)
        (pkts matched/bytes matched) 64538/42941550
        (total drops/bytes drops) 0/0
show policy interface (continued) – Gold Data
    Class-map: GOLD-DATA (match-any)
      93422 packets, 118192896 bytes
      30 second offered rate 1336000 bps, drop rate 32000 bps
      Match: ip dscp 18
        24386 packets, 36676544 bytes
        30 second rate 415000 bps
      Match: ip dscp 20
        33676 packets, 41488832 bytes
        30 second rate 469000 bps
      Match: ip dscp 22
        35360 packets, 40027520 bytes
        30 second rate 451000 bps
      Weighted Fair Queueing
        Output Queue: Conversation 266
        Bandwidth 25 (%)
        Bandwidth 768 (kbps)
        (pkts matched/bytes matched) 93816/118691420
        (depth/total drops/no-buffer drops) 29/2327/0        <-- deep queues + drops
        exponential weight: 9
        mean queue depth: 28
        dscp    Transmitted       Random drop    Tail drop    Minimum  Maximum  Mark
                pkts/bytes        pkts/bytes     pkts/bytes   thresh   thresh   prob
        …
        af21    24489/36831456    98/14700       0/0          32       40       1/10
        af22    33061/40732666    458/932340     0/0          28       40       1/10
        af23    33990/38479822    571/1775230    0/0          24       40       1/10
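The monitoring the "Management Tools" slide calls for can start from exactly this output. As an added example (not a Cisco tool and not from the deck), the following parser reads a constructed sample abridged from the two show policy interface slides above and flags classes whose offered rate exceeds their guarantee, that are dropping, or whose mean queue depth has crossed a WRED minimum threshold (so random drops are already active); the field layout follows the slides and may differ between IOS releases.

```python
"""Parse 'show policy interface' output and flag classes that need attention.

Added example, not from the original deck. SAMPLE_OUTPUT is constructed,
abridged from the output shown on the slides.
"""
import re

SAMPLE_OUTPUT = """\
Multilink1
  Service-policy output: WAN-EDGE
    Class-map: VOICE (match-all)
      235728 packets, 45259776 bytes
      30 second offered rate 512000 bps, drop rate 0 bps
      Match: ip dscp 46
        Bandwidth 522 (kbps) Burst 13050 (Bytes)
    Class-map: GOLD-DATA (match-any)
      93422 packets, 118192896 bytes
      30 second offered rate 1336000 bps, drop rate 32000 bps
      Match: ip dscp 18
        Bandwidth 768 (kbps)
        (depth/total drops/no-buffer drops) 29/2327/0
        mean queue depth: 28
        af21    24489/36831456    98/14700       0/0    32  40  1/10
        af22    33061/40732666    458/932340     0/0    28  40  1/10
        af23    33990/38479822    571/1775230    0/0    24  40  1/10
"""

CLASS_RE = re.compile(r"Class-map:\s+(\S+)")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
BW_RE = re.compile(r"Bandwidth (\d+) \(kbps\)")
DEPTH_RE = re.compile(r"mean queue depth:\s+(\d+)")
# dscp  tx pkts/bytes  random pkts/bytes  tail pkts/bytes  min  max  mark-prob
WRED_RE = re.compile(r"^\s*(\w+)\s+(\d+)/\d+\s+(\d+)/\d+\s+(\d+)/\d+\s+(\d+)\s+(\d+)\s+\d+/\d+")


def parse_policy(text: str) -> dict:
    """Return {class name: {offered_bps, drop_bps, bandwidth_kbps, mean_depth, wred}}."""
    classes, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.search(line):
            current = classes[m.group(1)] = {"wred": {}}
        elif current is None:
            continue                                  # header lines before first class
        elif m := RATE_RE.search(line):
            current["offered_bps"], current["drop_bps"] = map(int, m.groups())
        elif m := BW_RE.search(line):
            current["bandwidth_kbps"] = int(m.group(1))
        elif m := DEPTH_RE.search(line):
            current["mean_depth"] = int(m.group(1))
        elif m := WRED_RE.match(line):
            dscp, tx, rnd, tail, lo, hi = m.groups()
            current["wred"][dscp] = {"tx": int(tx), "random": int(rnd),
                                     "tail": int(tail), "min": int(lo), "max": int(hi)}
    return classes


def findings(classes: dict) -> list:
    """Tuples describing each class condition worth a closer look."""
    out = []
    for name, c in classes.items():
        offered_kbps = c.get("offered_bps", 0) // 1000
        if offered_kbps > c.get("bandwidth_kbps", offered_kbps):
            out.append((name, "oversubscribed", offered_kbps, c["bandwidth_kbps"]))
        if c.get("drop_bps", 0) > 0:
            out.append((name, "dropping", c["drop_bps"]))
        for dscp, w in c["wred"].items():            # mean depth past min threshold:
            if c.get("mean_depth", 0) >= w["min"]:    # WRED is randomly dropping this DSCP
                out.append((name, "wred-active", dscp, w["random"]))
    return out


if __name__ == "__main__":
    for f in findings(parse_policy(SAMPLE_OUTPUT)):
        print(*f)
```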
A KEY element: network administration

Objectives
1. Make device configuration easier
– Embedded management
– Large-scale deployment
2. Manage SLAs
3. Provide visibility: NBAR and NetFlow instrumentation

Means
1. Instrumentation:
– SLA: IOS IP SLA, CBQoS, CorviL
– Visibility: NBAR, NetFlow, RMON2 and extensions
2. Integrated tools
3. Software platforms
Security Device Manager (SDM)
Embedded management
• Graphical configuration of the whole ISR range
• Wizards and tools for managing and configuring:
– LAN/WAN/VLAN interfaces
– VPN: Easy VPN, DMVPN
– Firewall, IPS
– Routing
– QoS, NBAR
– NAC
• Secure SSH connection
• One Touch auto-secure function (Router Lockdown, AutoSecure)
Large-scale deployment
CNS agents and CNS Configuration Engine
• Cisco Configuration Engine: a network configuration and provisioning solution supporting up to 5000 Cisco CPEs per appliance. Communications between the CNS agents embedded in the devices' IOS and the Configuration Engine are secured.
• Distribution of upgrades or modifications to a fleet of Cisco ISR routers, whatever the access technology.
• Embedded application (web GUI)
• Flexible technology for generating configuration templates (Velocity template)
• XML-SOAP and Java/C++ based programming interface
Zero Touch Deployment
The ISR is shipped with a generic bootstrap, either from Cisco manufacturing (Cisco Configuration Express) or from the distributor. Technicians connect the cables and power the unit on.
[Diagram: ISRs connecting through the core to the SP/Enterprise Configuration Engine]
With the bootstrap configuration:
• the ISR synchronizes to obtain L1/L2 connectivity
• the ISR obtains an IP address (aggregator)
The ISR contacts the Cisco Configuration Engine:
• unique identification
• configuration request over an SSL-encrypted link
The ISR notifies the Cisco Configuration Engine of the deployment result:
• customer services can now be provisioned
SLA management
Enterprise and Small/Medium Business: understand network performance and ease deployment; verify service levels; verify outsourced SLAs
Service Providers: measure and provide SLAs
• Metrics
– Availability: Mean Time to Diagnose (MTD), Mean Time To Repair (MTTR), Mean Time Between Failures (MTBF)
– Performance of differentiated services: bandwidth, latency, packet loss, latency variation (jitter), MOS
• Process for handling anomalies
• Commitments on return to normal
• Penalties
Performance measurement strategy
• Sampling method: observed or synthetic
• Collection method: external probes or embedded agent
• Measurement perspective: user or network
Measurement technologies
Cisco IP SLAs
MEASURES: Latency and Jitter Between Source Router and Specified Target
Sampling: Active – Collection: Embedded – Scope: Link/End-to-End – Perspective: User/Network

SNMP MIBs and Embedded Event Management
MEASURES: CPU/Memory Utilization, Availability, QoS
Sampling: Passive – Collection: Embedded – Scope: Device/Link – Perspective: User/Network

NBAR/NAM/CBQOS/CORVIL
MEASURES: Response Time of Live Application Traffic to Server Device, QoS
Sampling: Passive – Collection: External Probe/Embedded – Scope: Link/End-to-End – Perspective: User/Network

NetFlow
MEASURES: Device Interface Traffic Rate by S/D IP Address, Port Number or AS
Sampling: Passive – Collection: Embedded – Scope: Link/End-to-End – Perspective: Network

Cisco CallManager
MEASURES: Voice Calls, Voice Quality, Cisco CallManager Performance
Sampling: Passive – Collection: Embedded – Scope: Link/End-to-End – Perspective: User/Network
Multi-protocol measurements with Cisco IOS IP SLA
Applications: Network Performance Monitoring; Availability; Service Level Agreement (SLA) Monitoring; VoIP Monitoring; Network Assessment; Multiprotocol Label Switching (MPLS) Monitoring; Trouble Shooting
Measurement Metrics: Packet Loss; Latency; Network Jitter; Dist. of Stats; Connectivity
Operations: Jitter, FTP, DNS, DHCP, DLSW, ICMP, UDP, TCP, HTTP, LDP, H.323, SIP, RTP, Radius, Video
[Diagram: the Cisco IOS Software source (IP SLAs, MIB data) sends actively generated traffic, with defined packet size, spacing, COS and protocol, to measure the network towards a destination that is either an IP server or Cisco IOS Software running the IP SLAs Responder]
How IP SLA works
1. Configure source router
2. If needed, configure responder
3. Schedule operations
4. If needed, set thresholds
5. Measure network
6. Poll SNMP or CLI for measurement results
[Diagram: a Management Application configures the IP SLAs Source, which measures performance towards a Target (an IP host or an IP SLAs Responder) and can trigger other operations based on thresholds/timeouts]
Cisco IOS IP SLAs
Operation and Responder
[Diagram: IP SLAs Source and IP SLAs Target timelines across the network, with timestamps TS1 to TS5 taken at the source and at the target]
Target Processing Time (TProc = TS3 - TS2)
Source Processing Time (TProc = TS5 - TS4)
• Round-Trip Delay (without Responder): TS5 - TS1 - TProc(Source)
• Round-Trip Delay (with Responder): (TS5 - TS1) - TProc(Source) - TProc(Target)
• One-Way Delay (with Responder): TS2 - TS1
• Locally an IP SLAs packet will perceive the same scheduling latency as any packet from its class
Example: UDP Jitter operation
[Diagram: the IP SLAs source sends a train of packets with a constant interval across the IP Core; the Responder receives the train at an interval impacted by the network, adds a receive time stamp and calculates the delta (the processing time), then replies to the packets (it does not generate its own)]
Results: per-direction inter-packet delay (jitter), per-direction packet loss, average round trip delay
Example: UDP Jitter operation
[Diagram: packets P1 and P2 sent at interval i1, received by the Responder at interval i2, reflected, and received back at the source at interval i3]
Send packets: STx = sent timestamp for packet x.
Receive packets (Responder): RTx = receive timestamp for packet x.
Reply to packets: dx = processing time spent between packet arrival and treatment; the reflected packet carries RTx+dx.
Reflected packets received at the source: ATx = receive timestamp for packet x.
Each packet contains STx, RTx, ATx, and dx
The source can now calculate:
JitterSD = (RT2-RT1)-(ST2-ST1) = i2-i1
JitterDS = (AT2-AT1)-((RT2+d2)-(RT1+d1)) = i3-i2
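The timestamp arithmetic of the three IP SLA slides above (round-trip and one-way delay with the Responder, and the per-direction UDP jitter formulas) as an added example that is not part of the deck; the packet train is constructed, in milliseconds, with a 20 ms send interval and queueing that varies per packet, and the source-side processing time is taken as zero for the round-trip average.

```python
"""IP SLA timestamp arithmetic: round-trip / one-way delay and UDP jitter.

Added example, not from the original deck. Timestamps are constructed (ms).
"""
from dataclasses import dataclass


@dataclass
class Probe:
    """Timestamps carried by one reflected UDP jitter packet."""
    st: float   # sent by source            (STx on the slide; TS1)
    rt: float   # received by responder     (RTx; TS2)
    d: float    # responder processing time (dx = TS3 - TS2)
    at: float   # received back at source   (ATx; TS5)


def round_trip_delay(ts1, ts5, tproc_source, tproc_target=0.0):
    """(TS5 - TS1) - TProc(Source) - TProc(Target); without a Responder the target term is 0."""
    return (ts5 - ts1) - tproc_source - tproc_target


def one_way_delay_sd(ts1, ts2):
    """TS2 - TS1: needs a Responder (and synchronized clocks)."""
    return ts2 - ts1


def jitter_sd(p1: Probe, p2: Probe) -> float:
    """Source->destination jitter: (RT2-RT1) - (ST2-ST1), i.e. i2 - i1."""
    return (p2.rt - p1.rt) - (p2.st - p1.st)


def jitter_ds(p1: Probe, p2: Probe) -> float:
    """Destination->source jitter: (AT2-AT1) - ((RT2+d2) - (RT1+d1)), i.e. i3 - i2."""
    return (p2.at - p1.at) - ((p2.rt + p2.d) - (p1.rt + p1.d))


def train_stats(train: list) -> dict:
    """Per-direction jitter (mean absolute) and average round-trip delay over a train."""
    sd = [jitter_sd(a, b) for a, b in zip(train, train[1:])]
    ds = [jitter_ds(a, b) for a, b in zip(train, train[1:])]
    rtt = [p.at - p.st - p.d for p in train]      # source processing assumed 0
    return {"jitter_sd_avg": sum(abs(j) for j in sd) / len(sd),
            "jitter_ds_avg": sum(abs(j) for j in ds) / len(ds),
            "rtt_avg": sum(rtt) / len(rtt)}


# Constructed train: 20 ms send interval, ~30 ms one-way, variable queueing delay.
TRAIN = [Probe(st=0, rt=30, d=1, at=62),
         Probe(st=20, rt=55, d=1, at=84),
         Probe(st=40, rt=70, d=1, at=103)]

if __name__ == "__main__":
    for a, b in zip(TRAIN, TRAIN[1:]):
        print(f"JitterSD={jitter_sd(a, b):+.0f} ms  JitterDS={jitter_ds(a, b):+.0f} ms")
    print(train_stats(TRAIN))
```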
Class-Based QoS MIB (CBQoSMIB)
• The CBQoS MIB gives the statistics of the differentiated services (per class of service):
– traffic before QoS is applied
– traffic after QoS is applied
This shows that the QoS is correctly configured and that it is effective.
• Using the CBQoS MIB is indispensable when QoS is deployed to carry IP telephony and/or business-critical applications.
• In each class of service the bandwidth can be estimated automatically from an SLA (latency, packet loss).
Class Map Stats Table
[Diagram: per-class counters before QoS policies are applied (CMPrePolicyPkt, CMPrePolicyByte) and after they have been applied (CMPostPolicyPkt), plus CMDropPkt, CMDropByte and CMNoBufDropPkt; Drop = Pre - Post; shown for the Bronze, Silver and Gold classes]
NetFlow – how it works
NetFlow cache: each entry consists of 7 flow identifiers (the key criteria) plus other data (the flow data, updated as packets of the flow are seen, and exported).
Flow identifiers:
• Source IP address
• Destination IP address
• Source port
• Destination port
• L3 protocol
• TOS byte
• Input interface ifIndex
Main uses
Service Provider:
• Peering arrangements
• Network planning
• Traffic engineering
• Accounting and billing
• Security monitoring
Enterprise:
• Internet access monitoring (protocol distribution, where traffic is going/coming)
• User monitoring
• Application monitoring
• Charge back billing for departments
• Security monitoring
NetFlow Cache: example
1. Create and update flows in NetFlow cache
SrcIf   SrcIPadd       DstIf   DstIPadd      Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
Fa1/0   173.100.21.2   Fa0/0   10.0.227.12   11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1745    4
Fa1/0   173.100.3.2    Fa0/0   10.0.227.12   6         40   0     2491   15       /26     196    15       /24     15     10.0.23.2  740        41.5    1
Fa1/0   173.100.20.2   Fa0/0   10.0.227.12   11        80   10    10000  00A1     /24     180    00A1     /24     15     10.0.23.2  1428       1145.5  3
Fa1/0   173.100.6.2    Fa0/0   10.0.227.12   6         40   0     2210   19       /30     180    19       /24     15     10.0.23.2  1040       24.5    14

2. Expiration
• Inactive timer expired (15 sec is default)
• Active timer expired (30 min (1800 sec) is default)
• NetFlow cache is full (oldest flows are expired)
• RST or FIN TCP flag
Expired flow:
SrcIf   SrcIPadd       DstIf   DstIPadd      Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
Fa1/0   173.100.21.2   Fa0/0   10.0.227.12   11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1800    4

3. Aggregation
e.g. with the protocol-port aggregation scheme the flow becomes:
Protocol  Pkts   SrcPort  DstPort  Bytes/Pkt
11        11000  00A2     00A2     1528

4. Export version
Non-aggregated flows: export Version 5 or 9
Aggregated flows: export Version 8 or 9

5. Transport protocol
Export packet = Header + Payload (flows); 30 flows per 1500 byte export packet
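Steps 1 to 3 above (keying on the seven identifiers, updating counters, expiring on the inactive/active timers, a full cache or a TCP FIN/RST, and protocol-port aggregation) as an added example that is not Cisco code and not part of the deck; the timer defaults are the slide's, and the packets fed to the cache are constructed.

```python
"""Minimal NetFlow-style cache: keying, update, expiration, aggregation.

Added example, not from the original deck and not Cisco code. Flow keys are
the seven identifiers on the slide; timers use the slide's defaults.
"""
from dataclasses import dataclass

INACTIVE_TIMEOUT_S = 15          # slide: inactive timer default 15 sec
ACTIVE_TIMEOUT_S = 1800          # slide: active timer default 30 min
TCP, TCP_FIN, TCP_RST = 6, 0x01, 0x04


@dataclass
class Flow:
    key: tuple          # (src_ip, dst_ip, src_port, dst_port, proto, tos, in_ifindex)
    first_seen: float
    last_seen: float
    pkts: int = 0
    bytes: int = 0
    tcp_flags: int = 0  # OR of flags seen, like the Flgs column


class NetFlowCache:
    def __init__(self, max_flows: int = 4):
        self.max_flows = max_flows
        self.flows: dict = {}
        self.exported: list = []                 # (reason, Flow) in export order

    def update(self, now, src_ip, dst_ip, sport, dport, proto, tos, ifindex, size, flags=0):
        """Step 1: create or update the flow this packet belongs to."""
        key = (src_ip, dst_ip, sport, dport, proto, tos, ifindex)
        if key not in self.flows and len(self.flows) >= self.max_flows:
            oldest = min(self.flows, key=lambda k: self.flows[k].last_seen)
            self._expire(oldest, "cache-full")   # step 2: cache full, oldest goes
        f = self.flows.setdefault(key, Flow(key, now, now))
        f.pkts, f.bytes, f.last_seen = f.pkts + 1, f.bytes + size, now
        f.tcp_flags |= flags
        if proto == TCP and flags & (TCP_FIN | TCP_RST):
            self._expire(key, "tcp-fin-rst")     # step 2: connection is over

    def age(self, now):
        """Step 2: run the inactive/active timers, as the periodic cache scan would."""
        for key, f in list(self.flows.items()):
            if now - f.last_seen >= INACTIVE_TIMEOUT_S:
                self._expire(key, "inactive")
            elif now - f.first_seen >= ACTIVE_TIMEOUT_S:
                self._expire(key, "active")       # long-lived flow is cut and re-created

    def _expire(self, key, reason):
        self.exported.append((reason, self.flows.pop(key)))

    @staticmethod
    def protocol_port_aggregate(flows):
        """Step 3: protocol-port aggregation, summing pkts/bytes per (proto, sport, dport)."""
        agg = {}
        for f in flows:
            k = (f.key[4], f.key[2], f.key[3])
            p, b = agg.get(k, (0, 0))
            agg[k] = (p + f.pkts, b + f.bytes)
        return agg


if __name__ == "__main__":
    c = NetFlowCache()
    c.update(0.0, "173.100.21.2", "10.0.227.12", 0xA2, 0xA2, 17, 0x80, 1, 1528)
    c.update(10.0, "173.100.21.2", "10.0.227.12", 0xA2, 0xA2, 17, 0x80, 1, 1528)
    c.age(30.0)
    print(c.exported, NetFlowCache.protocol_port_aggregate(f for _, f in c.exported))
```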
NetFlow – Infrastructure
Router/Switch (Cisco):
• Cache creation
• Data export
• Aggregation
Collector (Cisco and Partners):
• Collection
• Filtering
• Aggregation
• Storage
Applications (Partners: network planning, accounting, billing, RMON/NAM, RMON application):
• Data processing
• Data presentation
Protocol discovery
Network-Based Application Recognition (NBAR)
• Analysis of L3 to L7 data
• Used in classification
• "Stateful inspection" for traffic with dynamic ports
• PDLM (Packet Description Language Modules) to define applications
• Configurable recognition criteria to identify TCP- or UDP-based applications
• NBAR PROTOCOL DISCOVERY MIB: bit/s, bytes, packets
[Diagram: voice, data, video and P2P traffic from the Internet; application volumes, MQC packet classification, flexible threshold notifications]
Integrated analysis probes
"Visibility" integrated into the network
• NAM configuration
• Aggregation/correlation of traffic data (including NetFlow)
Data sources: SNMP, SPAN, RSPAN (remote SPAN), NetFlow v1/5/6/7/8 (broad), VLAN ACL (specific)
NAM analyzer GUI over HTTP/S
Platforms: Catalyst 6500/7600; multiservice access routers 2600/3660/3700/ISR2800/ISR3800
Analysis: hardware Layer 3-7 (RMON I, II, HCRMON, SMON, DSMON, ART, voice analysis); Layer 2 mini-RMON per port, per interface
NAM: real-time analysis
History, reporting, isolation and troubleshooting
• 100 days of report history
• Detailed information to help troubleshooting
• Complements third-party capacity planning tools
• Packet capture and decode
• Pre- and post-capture filters; save and export
• Capture triggered on predefined events
Objective: control latency/loss
[Chart: latency/loss control tiers with example applications]
• Ultra Low (<1-10 ms, <0.001%)
• Very Low (<10-100 ms, <0.01%)
• Low (<100-1000 ms, <0.1%)
• Uncontrolled (1 ms - 10 seconds)
Applications plotted, from the most to the least demanding: Algorithmic Trading, Grid Computing, Telepresence, VoIP, Citrix, Web 2.0, e-Mail, FTP, HTTP
Tools shown: Bandwidth Quality Manager; traditional performance management tools
Characteristics of today's IP networks
• Data centre consolidation and a growing number of remote sites
• Cost of bandwidth
• Diversity of application profiles
• Sensitivity to latency and to packet loss
• Difference between LAN and WAN speeds
In 100 ms on a 1 Gb/s LAN a lot can happen: up to 12 MB of data generated, ~100,000 packets can be lost!!
[Diagram: remote sites connected over the WAN to the data center]
Micro-congestion can lead to unpredictable application behaviour
• The probability of application performance problems increases
• Current tools are unable to detect, troubleshoot and determine what to do:
– dynamic network congestion impacts applications
– micro-bursts
– event granularity: millisecond
• The solution is not always obvious:
– more bandwidth (in the right place)
– QoS techniques (traffic shaping, priority queuing)
– analysis in a QoS context
[Diagram: remote sites connected over the WAN to the data center]
Latency measurement
What is the latency of the Market Data feed to Trading Client A?
[Diagram: Market Data source on Gigabit Ethernet, BQM 2120 and BQM 1180 appliances, WAN, 10 Mb/s link to Trading Client A]
Traditional 1 sec PING latency view: 99% latency of 4ms
BQM PNQM latency view: 99% latency of 50ms
Traffic measurement
What is the utilization of the access link to Site A?
[Diagram: Citrix Metaframe on Fast Ethernet, BQM 1180, WAN, 2 Mb/s link (0.5 Mb/s for Citrix class) to Site A]
Traditional 5 min view: 20% link utilization
BQM 5 ms view: 20,000% link utilization
Bandwidth analysis
What is the expected latency induced on the Site A link by Citrix traffic?
BQM Expected Latency view: up to 330 ms of latency induced
What is the bandwidth needed by Citrix to achieve no worse than 200 ms for 99.9% of packets?
BQM Bandwidth Requirement view: upgrade to 2.5 Mb/s for Citrix class required
[Diagram: Citrix Metaframe on Fast Ethernet, BQM 1180, WAN, 2 Mb/s link (0.5 Mb/s for Citrix class) to Site A]
SLM solution
• "Turning a Cisco Network into a powerful SLM solution"
• Appliance with a web portal centralizing:
– performance measurements from the IP SLA probes
– analysis of the CBQoS (classes of service) and NBAR (protocol discovery) MIBs
– NetFlow traffic tracking
– detailed graphs of the measurements
• Scalable solution for:
– tracking network SLAs ... and VoIP infrastructures
– preparing or improving the rollout of "critical" applications