© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Slide 1: The WAN as seen by the enterprise
Gilles Clugnac
http://dl.free.fr/kFB3ljra4/cours3-WAN.pdf

Slide 2: What is asked of a communications infrastructure provider? Squaring the circle?

• I want to access my information system wherever and whenever I want, with the most suitable device! => Flexibility, agility
• My work has moved from production to transactions and now to interactions => Added value for the customer
• More services for less money => Control of costs, risks and complexity

[Figure: layered model. Business processes (Manufacturing, HR, Sales, Finance); Applications and services (ERP, e-Sales, Supply chain); Technology infrastructure (Core, Storage, Security, Wireless, IPT)]

Slide 3: Network convergence

Slide 4: Paradigm shift. Example: integrated video surveillance

[Figure: major segments of security. ID credential management; CCTV & digital video surveillance; data & network security; visitor management; access control; intrusion detection; fire alarm]

Slide 5: The next wave

• The Internet of computers: IP telephones, barcode scanners, PCs, PDAs/handhelds
• Objects connected through tags: products, livestock, tires, currency, pharmaceuticals, shipping containers, cartons, pallets, rations, weapons, people, pets, medical assets
• Information connected through sensors: temperature, video cameras, location, intrusion, shock/movement, elevation, direction, pressure, light, chemicals, speed
• The Internet of things

Slide 6: The network will connect billions of objects!!

[Chart: 2005 forecast, million units. Categories: Users, Computers, Phones, Mobile Assets, Static Assets, Controllers, Smart Sensors, Microprocessors and Microcontrollers. Values shown: 500, 1,500, 350, 375, 500, 750, 35,000. Source: Harbor Research, Inc., Forrester Research, Inc., IBSG]

Current networks -> Extended networks
New systems will be connected to the universal IP network.

Slide 7: A complex IT environment

[Figure: current infrastructure. Enterprise data center / Internet data center: public web site; 100s of servers with integrated storage; e-commerce application; 4-tier application, app. server; supply-chain management; traditional voice PBX; in-house developed apps; 2-tier CRM application; NCR DB server; data warehousing; finance, HR, payroll and EDI; mainframe systems; tape backup; multiple 2-tier ERP instances; engineering services; NAS filers; e-mail; e-mail appliances; IP services (DNS, RADIUS, LDAP); JBOD; operations center]

Availability and compliance
• Operational Risk Management
Business continuity
Business agility
• Service Oriented Architecture
Application integration
Cost control
• On-Demand, Utility Infrastructure
Automation
Consolidation
Information management
• Information Lifecycle Management
Application SLAs
• Application Awareness and Optimization

Security, Compliance, Virtualization, Growth, Agility, Availability, Performance, Tiered Storage, Content Delivery, Data Classification

Slide 8: Modular approach: end-to-end architectures

[Figure: network modules. Network areas: Data Center, Branch, Campus, Teleworker, WAN/MAN, Extranet, Internet, Site B. Networked infrastructure layer: servers, storage, client devices]

Network fundamentals: architecture rules
• Reference architectures per area
• Strong interoperability between areas
• Service continuity
• End-to-end SLA guarantees

Cisco solution
• Validated recommendations per area
• Oriented toward service deployment
• Coherent, global architectures

Slide 9: WAN network infrastructure: evolution of end-to-end architectures

[Figure: network virtualization services spanning Campus, Branch, Data Center, MAN/WAN and Teleworker over the networked infrastructure layer. Consolidated data center: users, LAN/WAN, compute, SAN, disk/tape. Adaptable campus: RR 7301; L3 switch with VRF-Lite; 802.1Q; VRF-Data, VRF-Voice; PE 7600; IGP between VRFs; BGP between PEs; MPLS MAN (L1/2 P-P or ring); P 12000, P 7600; EoMPLS; ORG-A Voice, ORG-A Data; MPLS-BGP VPN (2547-bis); NG WAN. WAN: operated VPN, or VPN deployed by the enterprise (NG WAN)]

Slide 10: Building a coherent infrastructure: the IP Communications example

[Figure: common service layers: HA, QoS, Multicast, Security, Network Management/Provisioning]

Slide 11: WAN architectures: why a new generation?

Yesterday
• The WAN is a transport problem
• Critical factors: cost, availability, throughput
• Fragmented architectural approach

Today
• The WAN is a problem of generalizing service delivery
• Critical factors: cost/availability/throughput, security, service integration
• Integrated architectural approach
• The WAN is part of the overall network architecture

Slide 12: A need for segmentation

• Guest access: Internet access for customers, visitors, etc.
• Network access control: quarantine and/or isolation during remediation
• Partner access: onsite partners, limited server/application access
• Group/department separation: closed user groups for divisions/teams sharing common work locations (e.g. financial banking/trading)
• Application/system isolation: isolating critical applications or devices, such as IPC, factory robots, point-of-sale terminals, etc.
• Outsourced services: participating in multiple client networks (e.g. India ITS model)
• Subsidiaries / mergers & acquisitions: enabling staged network consolidation while companies are being merged
• The enterprise as a network service provider (possibly a source of revenue): shared service locations (e.g. Munich Airport "virtual" gate access); retail stores providing kiosk/on-location network access (e.g. Best Buy, Albertson's, etc.); Cisco Connected Real Estate (CCRE) (e.g. multi-tenant, strip malls, etc.)
• Strong dynamic of project creation: closed user groups between multiple companies during joint ventures/collaborations

Group isolation is the main need. Attacks, viruses and worms are more easily contained: they do not spread everywhere.

Slide 13: WAN stakes: BUY a VPN service or BUILD your own VPN network?

BUY an L1 or L2 VPN service. BUY an L3 service, IP VPN.

Reasons for NOT out-tasking a VPN: ~53% of enterprises choose a DIY VPN (Source: Cisco Study)

Reasons for out-tasking a VPN: ~47% of enterprises choose to BUY a VPN (Source: Cisco FISH Study)

[Chart: reasons for out-tasking a VPN, percent of CIOs. Labels: To gain more value; Lack of staff; Lack of in-house expertise; Expect cost savings; Not a core business activity. Values shown: 37%, 45%, 51%, 51%, 54%]

The ratio is moving to 64% managed VPN / 36%.

Slide 14: Branch stakes: bringing services to users

• Information available at every site of the enterprise
• Need for performance in the data center as well as for the user
• Reliability of the entire information system
• Network architecture and services transparent to the user
• Remote and teleworking sites have needs beyond a simple connection!

Slide 15: Overall: server concentration + remote users

[Figure: headquarters (20% of users): resource consolidation; backup, NAS, application servers, tape drives and libraries, disk arrays, consolidation engine. IP network. Branch (80% of users): access optimization; client workstations, printer]

Slide 16: How many routers?

[Figure: headquarters (campus/data center), carriers (Internet: ISP, broadband, etc.; IP VPN), branch]

• WAN mainly provided (IP, MPLS VPN, IPSEC) by a connectivity carrier [main driver: cost; services: IP, VPN (+ QoS)]
• Enterprise services provided by an integrator or a value-added carrier [main driver: the service contract; services: encrypted VPN, QoS, security, IP Com, mobility, application optimization]
• Delegation of services via Role Based Access Control

Slide 17: How many routers? (with redundant branch routers)

[Figure: headquarters (campus/data center), carriers (Internet: ISP, broadband, etc.; IP VPN), branch with HSRP/GLBP between its routers]

• WAN mainly provided (IP, MPLS VPN, IPSEC) by a connectivity carrier [main driver: cost; services: IP, VPN (+ QoS)]
• Enterprise services provided by an integrator or a value-added carrier [main driver: the service contract; services: encrypted VPN, QoS, security, IP Com, mobility, application optimization]
• Delegation of services via Role Based Access Control

Slide 18: OPERATED VPN

Slide 19: MPLS virtualization: a hierarchy of labels

[Figure: MPLS core with VPN A, VPN B and VPN C sites attached on both sides. Label stack as a packet crosses the core: IP data from the CE; the ingress PE pushes the VPN label and then the core label (core label | VPN label | IP data); the core label is popped before the egress PE (VPN label | IP data); the egress PE pops the VPN label and forwards IP data to the CE. VPN labels are distributed by MP-iBGP, core labels by LDP]

Slide 20: L3 VPN, MPLS-VPN: the same service over all link types

[Figure: MPLS network reaching a central site, a regional site, remote sites, branches, home and travelling users over PSTN/ISDN, ADSL/cable, Internet, leased lines (LL), Frame Relay/ATM, TDM MUX and IPSec; shared services. Transport: fiber / WDM / POS / Ethernet / ATM / FR / PPP, tunnel]

Slide 21: L3 VPN, MPLS-VPN: end-to-end QoS

[Figure: central site, regional sites and remote sites connected over MPLS IP-VPN and L2 VPN; QoS; end-to-end SLA measurement]

• Hierarchical DiffServ domain / addition of TE for the core
• End-to-end QoS, application-level QoS
• Per-class model, service level agreement
• QoS transparency

Slide 22: L3 VPN, a typical QoS example: 5 profiles and 4 CoS

[Chart: port % per class of service for the five profiles Business, Classic, Standard, Executive, First. Classes: Best-Effort, Data-LAN2LAN, Data-Interactive, Real-Time. Shares shown: 0%, 25%, 50%, 75%, 100%. Relative port price: 100, 120, 135, 140, 150]

Evolution toward 5 or 6 classes of service PE-CE

Slide 23: L3 VPN, Carrier Supporting Carrier

[Figure: Internet / MPLS IP VPN; MPLS between customer sites; customer VRF, sub-VPNs, customer routing]

• The SP offers only a VRF to the enterprise customer
• Labels are used between the PE and the CE (not IP)
• The customer uses the carrier's MPLS backbone to build its own MPLS VPN service

Slide 24: L3 VPN, Multi-VRF CE (VRF-lite)

VRF: creation of several separate routing and switching tables
• Separate routing tables
• Separate forwarding tables (FIB)
• Association of interfaces (physical or logical) with VRFs

Today, a fairly classic solution
• Requires several VRFs on the PE: strong dependence on the SP
• Requires several physical or logical links between the PE and the CE: xDSL? (GRE tunnels CE-PE can be used)

[Figure: CE with three VRFs connected to the PE over 802.1q or GRE]

Slide 25: L3 VPN, Multi-VRF (VRF-Lite)

Multi-VRF CE: extension of the VPN functionality into the CPE and the campus, to keep providing segmentation without having to deploy the functionality of a full PE.

[Figure: SP IP VPN with PE1, PE2, PE3; Multi-VRF CE1, CE2, CE3 at sites 1, 2, 3; user groups: partners, contractors, resources, guests/NAC quarantine]

• Logical separation in the campus via VLANs, or even VRFs on the Catalyst switches
• Layer 3 logical separation inside the CE through the Multi-VRF function
• The SP provides several VPNs for the same enterprise

Slide 26: L2 VPNs: the Pseudo Wire reference model

Point-to-point service types:
• Ethernet
• 802.1Q (VLAN)
• ATM VC or VP
• HDLC
• PPP
• Frame Relay VC

[Figure: sites A1/A2 and B1/B2 attached to PEs; pseudo wires carried in a PSN tunnel between the PEs; emulated service between PWES endpoints]

A Pseudo Wire (PW) is a connection between two PEs that connects two Pseudo Wire End-Services (PWESs).

Slide 27: L2 VPNs: AToM vs VPLS

Virtual Private LAN Service (VPLS): L2 full mesh, point-to-multipoint
• Multipoint service
• Ethernet access to the SP
• The SP backbone emulates a LAN bridge (flat switched network)
• Scalability?
• Handling of multicast flows

Any Transport over MPLS (AToM): L2 hub and spoke, point-to-point
• Point-to-point service
• Hub and spoke through several P2P circuits from the central site
• Interworking support for circuits of different types
• Ideal for replacing the traditional WAN (Frame Relay model)
• Dedicated P2P link in the MAN

Slide 28: VPN DEPLOYED BY THE ENTERPRISE

Slide 29: L2VPN: data center interconnection using EoMPLS

PE configuration (the VLAN sub-interface is attached to the pseudowire):

    pseudowire-class eompls
     encapsulation mpls
    !
    interface GigabitEthernet1/4.601
     encapsulation dot1Q 601
     xconnect 125.1.125.13 601 pw-class eompls

Verification on PE2:

    7600-LC-PE2#sh mpls l2transport vc det
    Local interface: Gi1/4.601 up, line protocol up, Eth VLAN 601 up
      Destination address: 125.1.125.13, VC ID: 601, VC status: up
        Tunnel label: 103, next hop 125.1.103.26
        Output interface: Gi1/3, imposed label stack {103 89}
      Create time: 1w3d, last status change time: 1d02h
      Signaling protocol: LDP, peer 125.1.125.13:0 up
        MPLS VC labels: local 49, remote 89
        Group ID: local 0, remote 0
        MTU: local 9000, remote 9000
        Remote interface description:
      Sequencing: receive disabled, send disabled

[Figure: Data Center 1 (CE1, Red-6500) - PE1 - MPLS network - PE2 - Data Center 2 (CE2, Red-6500); Loop0 125.1.125.13. Frame on the MPLS network: 103 (tunnel label) | 89 (VC label) | payload]

Jumbo frame support: ensure all interfaces in the forwarding path have it enabled.
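The label stack shown on slides 19 and 29 ({103 89}: tunnel label outside, VC label inside) and the verification output above lend themselves to a small worked example. The following Python is an added example, not code from the deck or from Cisco: it encodes and decodes label-stack entries using the RFC 3032 layout (20-bit label, 3-bit TC, bottom-of-stack bit, TTL), parses the slide's `show mpls l2transport vc detail` output (re-typed here as the constant SHOW_VC_DETAIL), and runs the consistency checks an operator would apply to it: VC up, imposed stack equal to [tunnel label, remote VC label], and matching MTUs. Function names and the checks are this example's own.

```python
"""MPLS label-stack encode/decode plus a health check on the slide's
'show mpls l2transport vc detail' output.

Added example, not from the original deck.  Stack-entry layout (20-bit
label, 3-bit TC, 1-bit bottom-of-stack, 8-bit TTL) follows RFC 3032.
SHOW_VC_DETAIL is the slide's output re-typed as a constant; the labels
103 (tunnel) and 89 (VC) are the slide's values.
"""
import re
import struct

SHOW_VC_DETAIL = """\
Local interface: Gi1/4.601 up, line protocol up, Eth VLAN 601 up
  Destination address: 125.1.125.13, VC ID: 601, VC status: up
    Tunnel label: 103, next hop 125.1.103.26
    Output interface: Gi1/3, imposed label stack {103 89}
  Create time: 1w3d, last status change time: 1d02h
  Signaling protocol: LDP, peer 125.1.125.13:0 up
    MPLS VC labels: local 49, remote 89
    Group ID: local 0, remote 0
    MTU: local 9000, remote 9000
    Remote interface description:
  Sequencing: receive disabled, send disabled
"""


def encode_label_stack(labels, ttl=255, tc=0):
    """Encode labels (outermost first) as RFC 3032 stack entries; only the
    innermost entry carries the bottom-of-stack (S) bit."""
    out = bytearray()
    for i, label in enumerate(labels):
        if not 0 <= label < 1 << 20:
            raise ValueError(f"label {label} does not fit in 20 bits")
        bos = 1 if i == len(labels) - 1 else 0
        out += struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)
    return bytes(out)


def decode_label_stack(data):
    """Walk stack entries until the S bit; return (labels, payload)."""
    labels, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack: no bottom-of-stack bit")
        (entry,) = struct.unpack_from("!I", data, offset)
        offset += 4
        labels.append(entry >> 12)
        if (entry >> 8) & 1:
            return labels, data[offset:]


def parse_vc_detail(text):
    """Extract the fields needed for the pseudowire check from IOS output."""
    def grab(pattern):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return m.groups()

    vc_id, status = grab(r"VC ID: (\d+), VC status: (\w+)")
    (tunnel,) = grab(r"Tunnel label: (\d+)")
    (stack,) = grab(r"imposed label stack \{([\d ]+)\}")
    local_vc, remote_vc = grab(r"MPLS VC labels: local (\d+), remote (\d+)")
    mtu_l, mtu_r = grab(r"MTU: local (\d+), remote (\d+)")
    return {
        "vc_id": int(vc_id), "vc_status": status,
        "tunnel_label": int(tunnel),
        "imposed_stack": [int(x) for x in stack.split()],
        "local_vc_label": int(local_vc), "remote_vc_label": int(remote_vc),
        "mtu_local": int(mtu_l), "mtu_remote": int(mtu_r),
    }


def check_pseudowire(f):
    """Consistency checks on the parsed output.  The imposed stack must be
    exactly [tunnel label, remote VC label]: the VC label is innermost so the
    far PE can map it to the attachment circuit.  Both ends must agree on
    the MTU, otherwise LDP signalling keeps the VC down."""
    problems = []
    if f["vc_status"] != "up":
        problems.append("VC not up")
    expected = [f["tunnel_label"], f["remote_vc_label"]]
    if f["imposed_stack"] != expected:
        problems.append(f"imposed stack {f['imposed_stack']} != {expected}")
    if f["mtu_local"] != f["mtu_remote"]:
        problems.append(f"MTU mismatch {f['mtu_local']}/{f['mtu_remote']}")
    return problems


if __name__ == "__main__":
    fields = parse_vc_detail(SHOW_VC_DETAIL)
    print("problems:", check_pseudowire(fields) or "none")
    wire = encode_label_stack(fields["imposed_stack"]) + b"<ethernet frame>"
    print(decode_label_stack(wire))
```

Run as a script, the check reports no problems for the slide's output and decodes the constructed frame back to the labels [103, 89]. The remote VC label (89) is what the local PE imposes, while the local label (49) is what the peer imposes toward this PE; confusing the two is a common reading error of this output.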

Slide 30: L3 VPN MPLS-VPN service run by the enterprise itself

[Figure: CEs attached to PEs that hold VRFs; LDP between the PEs; iBGP VPNv4 label exchange between the PEs; PE-CE routing protocol toward each CE]

Slide 31: IPSec VPN in the enterprise WAN: customer applications

Why use an IPSec VPN?
• Encryption over traditional WAN links (for example FR, ATM, LL)
• Compliance with new legislation: HIPAA, Sarbanes-Oxley (S-Ox), Basel Agreement (Europe), etc.
• Migration from a traditional WAN to a low-cost service (for example Internet, broadband)
• Use of an Internet service as secondary WAN, as backup, or as a link for non-critical, high-bandwidth traffic
• Extension of site services to teleworkers

Slide 32: Using a carrier IP-VPN: typical architecture

[Figure: sites with redundant CE routers connected to the SP IP VPN and to the Internet; eBGP toward the SP; HSRP or iBGP between the site routers]

Slide 33: Tunnels over IP-VPNs: multipoint GRE

mGRE with NHRP (RFC 2332)

[Figure: sites connected to the IP VPN and to the Internet via eBGP; multipoint tunnels (mptp) between them]

1. Backup using the IGP's features
   • speed, tunable with the backoff timers
2. Site routing isolated from the SP
3. Support for multicast flows

Slide 34: Tunnels over IP-VPNs: multipoint GRE + IPSEC

DMVPN over MPLS-VPN

[Figure: sites connected to the IP VPN and to the Internet via eBGP; multipoint tunnels (mptp) between them]

1. Backup using the IGP's features
   • speed, tunable with the backoff timers
2. Site routing isolated from the SP
3. Support for multicast flows
4. Flows are encrypted
5. PKIs are managed by the enterprise

Slide 35: Summary: operated versus deployed by the enterprise

OPERATED VPN
• Outsourcing strategy (managed CPE/routing/QoS)
• No MPLS required on the CE
• Well suited to a small number of VRFs
• Possible to keep control of a few services, but rather few
But
• Increased dependence on the SP
• Adding a VPN means creating a sub-interface on every site concerned
• The cost can become prohibitive depending on the number of VRFs and sites

VPN DEPLOYED BY THE ENTERPRISE
• Insourcing strategy
• IP segmentation services
• Increased security (closed user groups); isolation/reduction of worms
• Building an SP-style network for customers internal to the enterprise
• Easy integration of new entities or partners
• Data center consolidation; virtualization of front-end access; centralization of network services; VLAN extension over the MAN/WAN

Slide 36: Quality of service

Slide 37: Multiservice IP applications: non-uniform network traffic demands QoS

[Chart: applications VoIP, ERP, Multimedia, VPN, Web/URL, each with its own traffic profile. Profiles shown: bandwidth in 10 kbps, rare loss, latency < 150 ms, jitter < 30 ms; bursty bandwidth, resilient to loss, no latency control, does not care about jitter; bandwidth in Mbps, rare loss, latency < 300 ms, jitter < 300 ms; latency in s, jitter in s; bandwidth in 10 kbps, TCP-controlled loss, latency < 300 ms, no jitter sensitivity]

Slide 38: So, what is quality of service?

"Collection of technologies which allows applications/users to request and receive predictable service levels in terms of data throughput capacity (bandwidth), latency variations (jitter) and delay"

Slide 39: QoS factors

• Delay (latency)
• Delay variation (jitter)
• Packet loss

Slide 40: Effects of latency on voice

Avoid the "Human Ethernet" (Hello? Hello?)

[Chart: one-way delay, time (msec) from 0 to 800. Zones: high quality; fax relay, broadcast; satellite quality; CB zone. Delay target: ITU's G.114 recommendation: ≤ 150 msec one-way delay]

Slide 41: Elements that affect latency and jitter

[Figure: campus - IP WAN - branch office (SRST router, PSTN)]

• CODEC: G.729A: 25 ms
• Serialization: variable
• Propagation & network: fixed (6.3 µs / km) + network delay (variable)
• Queuing: variable
• Jitter buffer: 20-50 ms

End-to-end delay must be ≤ 150 ms.

Slide 42: Delay and latency

• Router latency: less than 100 usec for Cisco 7500 (64-byte packets, varies with packet sizes)
• Insertion delay (a.k.a. serialization delay), example with a 250-byte packet:
  16 msec on 256 Kbps link; 1 msec on 2 Mbps link; 0.2 msec on 10 Mbps link; 0.02 msec on 100 Mbps link
• Queuing delay = queue depth x insertion delay. Example:
  Queue length = 40 at 256 Kbps = 640 ms delay
  Queue length = 40 at 2 Mbps = 80 ms delay
• Effect of RTT with a 16k window:
  500 µs -> 270 Mbps; 12 ms -> 10 Mbps; 120 ms -> 1 Mbps
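The delay components of slides 41 and 42 are simple arithmetic, and putting them in code makes the trade-offs visible: the slides give the formulas (serialization = packet bits / link rate, queuing = queue depth x serialization, fixed propagation of 6.3 µs/km, window-limited TCP throughput = window / RTT) and a 150 ms one-way voice target. The Python below is an added example, not code from the deck: it implements those formulas and totals a constructed voice path against the G.114 budget. Applied to the slide's 250-byte packet the formula yields 7.8 ms at 256 kbps (the slide's 16 ms figure corresponds to a 500-byte packet) and 1 ms at 2 Mbps; the 60-byte voice packet size and the sample paths are this example's assumptions.

```python
"""Delay-budget arithmetic behind slides 41 and 42.

Added example, not from the original deck.  Implements the formulas the
slides state and totals a one-way voice path against the ITU-T G.114
150 ms target.  The 25 ms codec figure, the 6.3 us/km propagation figure
and the 20-50 ms jitter buffer are the slides' values; the sample hops
passed in by the caller are constructed.
"""

PROPAGATION_US_PER_KM = 6.3      # slide 41: fixed propagation component
G114_ONE_WAY_BUDGET_MS = 150.0   # ITU-T G.114 target quoted on slides 40, 41, 44
G729A_CODEC_MS = 25.0            # slide 41: G.729A codec delay


def serialization_delay_ms(packet_bytes, link_bps):
    """Time to clock one packet onto the link (insertion delay)."""
    return packet_bytes * 8 * 1000.0 / link_bps


def queuing_delay_ms(queue_depth, packet_bytes, link_bps):
    """Worst-case wait behind `queue_depth` packets of one size (slide 42)."""
    return queue_depth * serialization_delay_ms(packet_bytes, link_bps)


def propagation_delay_ms(distance_km):
    """Fixed propagation component at 6.3 us per km."""
    return distance_km * PROPAGATION_US_PER_KM / 1000.0


def window_limited_throughput_bps(window_bytes, rtt_s):
    """Upper bound for one TCP flow: at most one window per round trip."""
    return window_bytes * 8 / rtt_s


def voice_delay_budget(hops, distance_km, jitter_buffer_ms,
                       codec_ms=G729A_CODEC_MS):
    """Sum the slide-41 components for a one-way voice path.

    `hops` is a list of (link_bps, packets_queued_ahead, mtu_bytes).  On each
    link the voice packet first waits for whatever is already queued (full
    MTU data packets, i.e. no priority queue) and then for its own
    serialization.  A voice packet is taken as 60 bytes (assumption: G.729A
    payload plus IP/UDP/RTP headers).  Returns (total_ms, breakdown) so the
    caller can see which component exceeds the budget.
    """
    voice_pkt = 60
    breakdown = {
        "codec": codec_ms,
        "jitter_buffer": jitter_buffer_ms,
        "propagation": propagation_delay_ms(distance_km),
        "serialization": 0.0,
        "queuing": 0.0,
    }
    for link_bps, queued_ahead, mtu_bytes in hops:
        breakdown["serialization"] += serialization_delay_ms(voice_pkt, link_bps)
        breakdown["queuing"] += queuing_delay_ms(queued_ahead, mtu_bytes, link_bps)
    return sum(breakdown.values()), breakdown


def within_g114(total_ms):
    """True if the one-way total meets the G.114 recommendation."""
    return total_ms <= G114_ONE_WAY_BUDGET_MS


if __name__ == "__main__":
    for rate in (256_000, 2_000_000, 10_000_000, 100_000_000):
        print(f"250 B at {rate} bps: {serialization_delay_ms(250, rate):.4f} ms")
    # constructed paths: an idle 2 Mbps hop, then a 256 kbps hop with 20 data
    # packets queued ahead of the voice packet (no LLQ)
    for hops in ([(2_000_000, 0, 1500)], [(256_000, 20, 1500)]):
        total, parts = voice_delay_budget(hops, distance_km=500, jitter_buffer_ms=30)
        print(f"{total:.2f} ms, ok={within_g114(total)}, {parts}")
```

The second constructed path shows why the deck insists on a priority queue for voice: one low-speed hop with a modest data queue in front of the voice packet alone consumes several times the whole 150 ms budget, while codec, jitter buffer and propagation together stay well under it.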

Slide 43: Packet loss limitations

• Cisco DSP codecs can use predictor algorithms to compensate for a single lost packet in a row
• Two lost packets in a row will cause an audible clip in the conversation

[Figure: voice packets 1, 2, 3, 4 sent; packet 3 lost in transit; the receiver plays Voice 1, 2, a reconstructed voice sample in place of 3, then 4]

Slide 44: QoS requirements for voice

Voice: smooth, benign, drop sensitive, delay sensitive, UDP priority

One-way requirements:
• Latency ≤ 150 ms
• Jitter ≤ 30 ms
• Loss ≤ 1%
• 17-106 kbps guaranteed priority bandwidth per call
• 150 bps (+ layer 2 overhead) guaranteed bandwidth for voice-control traffic per call

Slide 45: QoS requirements for video-conferencing

Video: bursty, greedy, drop sensitive, delay sensitive, UDP priority

One-way requirements:
• Latency ≤ 150 ms
• Jitter ≤ 30 ms
• Loss ≤ 1%
• Minimum priority bandwidth guarantee required is: video stream + 20%, e.g. a 384 kbps stream would require 460 kbps of priority bandwidth

Slide 46: QoS requirements for data

Data: smooth/bursty, benign/greedy, drop insensitive, delay insensitive, TCP retransmits

• Different applications have different traffic characteristics
• Different versions of the same application can have different traffic characteristics
• Classify data into a relative-priority model with no more than four classes:
  Gold: mission-critical apps (ERP apps, transactions)
  Silver: guaranteed bandwidth (intranet, messaging)
  Bronze: best effort (email, Internet)
  Less-than-best-effort: scavenger (FTP, backups, Napster/Kazaa)

IntServ / DiffServ Models

Best Effort: the original IP service, no state in the network.
IntServ / RSVP: per-application-flow reservation, per-flow state in the network.
DiffServ: per-class-of-service bandwidth reservation (SLA).

Differentiated Services: Share resources via Classes of Service

Platinum: Voice (ToIP / Video); real-time queue (EF = RFC 3246)
Gold: Legacy (SNA, …); guaranteed service (AF = RFC 2597); guaranteed bandwidth, low level of drop
Silver: E-Commerce, E-business (ERP, SCM, ...); Premium IP (AF = RFC 2597); guaranteed bandwidth
Bronze: E-mail, Web; best effort; minimum bandwidth guaranteed, high level of overbooking
Streaming: Video distribution; guaranteed service (AF = RFC 2597); minimum / maximum controlled

Architecture: RFC 2474, 2475. The DS field (RFC 2474) is made of the DSCP (6 bits) and the CU (currently unused, 2 bits).

Diffserv Architecture: RFC 2475

Figure: the building blocks are classification, shaping, access queueing, policing and core queueing, applied to three classes (VoIP, Business, Best-Effort) from the access edge into the core.

Design Approach to Enabling QoS

Figure: Campus, IP WAN, PSTN, Branch Office.

Classification: mark the packets with a specific priority denoting a requirement for class of service from the network.
Trust Boundary: define and enforce a trust boundary at the network edge.
Provisioning: accurately calculate the required bandwidth for all applications plus element overhead.
Scheduling: assign packets to one of multiple queues (based on classification) for expedited treatment throughout the network; use congestion avoidance for data.

QoS Tools Mapped To Design Requirements

Campus Access: inline power, multiple queues, 802.1Q/p, DSCP, fast link convergence
Campus Distribution: multiple queues, 802.1Q/p, DSCP
WAN Aggregator: LLQ, CBWFQ, WRED, LFI/FRF.12, cRTP, FRTS, dTS, DSCP
IP WAN: bandwidth provisioning
Branch Router (SRST router): LLQ, CBWFQ, WRED, LFI/FRF.12, cRTP, FRTS, 802.1Q/p, DSCP, NBAR
Branch Switch: inline power, multiple queues, 802.1Q/p

(PSTN connected to the branch SRST router.)


QoS Toolset

Classification

Policing / Shaping

Scheduling / Queueing

Congestion Avoidance

Classification Tools: Ethernet 802.1Q Class of Service

Figure: Ethernet frame (Pream., SFD, DA, SA, 4-byte TAG, PT, Type, Data, FCS). The 802.1Q/p header carries PRI (three bits used for CoS, the 802.1p user priority), CFI and the VLAN ID.

• 802.1p User Priority field also called Class of Service (CoS)
• Different types of traffic are assigned different CoS values
• CoS 6 and 7 are reserved for network use

CoS   Application
0     Best Effort Data
1     Medium Priority Data
2     High Priority Data
3     Call Signaling
4     Video Conferencing
5     Voice Bearer
6     Reserved
7     Reserved

Classification Tools: IPv4 IP Precedence and DiffServ Code Points

Figure: IPv4 packet (Version, Length, ToS byte, Len, ID, Offset, TTL, Proto, FCS, IP SA, IP DA, Data). ToS byte, bits 7 to 0: standard IPv4 uses the three most significant bits as IP Precedence, the rest unused; the DiffServ extensions use the six most significant bits as the DiffServ Code Point (DSCP) and the last two for flow control.

• IPv4: the three most significant bits of the ToS byte are called IP Precedence (IPP); the other bits are unused
• DiffServ: the six most significant bits of the ToS byte are called the DiffServ Code Point (DSCP); the remaining two bits are used for flow control
• DSCP is backward-compatible with IP Precedence

Classification Tools: QoS Classification Summary

                             L3 Classification          L2
Application                  IPP   PHB    DSCP          CoS   MPLS EXP
Best Effort Data             0     BE     0             0     0
Medium Priority Data         1     AF1y   10,14,16      1     1
High Priority Data           2     AF2y   18,20,22      2     2
Call Signaling               3     AF31   26            3     3
Video Conferencing           4     AF41   34            4     4
Voice Bearer                 5     EF     46            5     5
Reserved                     6     -      48-55         6     6
Reserved                     7     -      56-63         7     7
Less-than-Best-Effort Data   0     -      2,4,6         0     0
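The ToS byte arithmetic behind the two slides above (IPP in the three MSBs, DSCP in the six MSBs, PHB names from RFC 2597/3246), as an added example that is not part of the slide deck; the application-to-DSCP dictionary is a constructed subset of the summary table.

```python
# Added example (not part of the slides): encoding and decoding the IPv4 ToS byte
# as IP Precedence (three MSBs) and DiffServ Code Point (six MSBs), and naming the
# PHB the way the classification summary table does.

EF_DSCP = 46  # Expedited Forwarding, RFC 3246

# Application -> one representative DSCP, taken from the QoS Classification Summary
SLIDE_MARKINGS = {
    "Voice Bearer": 46,
    "Video Conferencing": 34,
    "Call Signaling": 26,
    "High Priority Data": 18,
    "Medium Priority Data": 10,
    "Best Effort Data": 0,
}


def tos_byte(dscp: int, flow_ctrl: int = 0) -> int:
    """Build the ToS/DS byte: DSCP in bits 7..2, the two flow-control bits in 1..0."""
    if not 0 <= dscp <= 63 or not 0 <= flow_ctrl <= 3:
        raise ValueError("dscp must be 0..63 and flow_ctrl 0..3")
    return (dscp << 2) | flow_ctrl


def dscp_of(tos: int) -> int:
    """DiffServ view: the six most significant bits of the byte."""
    return (tos >> 2) & 0x3F


def ipp_of(tos: int) -> int:
    """Legacy IPv4 view: the three most significant bits. This equals dscp_of(tos) >> 3,
    which is why DSCP is backward-compatible with IP Precedence."""
    return (tos >> 5) & 0x7


def phb_name(dscp: int) -> str:
    """Name the per-hop behaviour of a DSCP: BE, EF, CSx or AFxy; '-' when it has no
    standard name (the summary table shows '-' for the reserved and scavenger rows)."""
    if dscp == 0:
        return "BE"
    if dscp == EF_DSCP:
        return "EF"
    cls, low = divmod(dscp, 8)       # cls = the IP Precedence value, low = bits 2..0
    if low == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"  # RFC 2597: AFxy has DSCP 8x + 2y
    return "-"


def l2_marking(dscp: int) -> int:
    """802.1p CoS and MPLS EXP carry three bits; the summary table maps them to the
    DSCP's IP Precedence value."""
    return dscp >> 3


def classification_row(application: str, dscp: int) -> tuple:
    """One row of the summary table: (application, IPP, PHB, DSCP, CoS, MPLS EXP)."""
    tos = tos_byte(dscp)
    return (application, ipp_of(tos), phb_name(dscp), dscp, l2_marking(dscp), l2_marking(dscp))


def classification_table() -> list:
    return [classification_row(app, dscp) for app, dscp in SLIDE_MARKINGS.items()]


if __name__ == "__main__":
    for row in classification_table():
        print("%-22s IPP=%d PHB=%-5s DSCP=%2d CoS=%d EXP=%d" % row)
```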

Classification Tools: Network-Based Application Recognition

Figure: the fields NBAR can look at in a frame (MAC / CoS, DE / CLP / MPLS EXP), an IP packet (ToS / DSCP, source IP, destination IP), a TCP/UDP segment (source port, destination port) and the data payload, the last being recognised through NBAR PDLMs.

NBAR PDLMs: citrix, cuseeme, custom, exchange, fasttrack, ftp, gnutella, http, imap, irc, kerberos, ldap, napster, netshow, nntp, notes, novadigm, pcanywhere, pop3, realaudio, rcmd, smtp, snmp, socks, sqlserver, sqlnet, ssh, sunrpc, streamwork, syslog, telnet, secure-telnet, tftp, vdolive, xwindows.

Classification Tools: Trust Boundaries

A device is trusted if it correctly classifies packets.
For scalability, classification should be done as close to the edge as possible.
The outermost trusted devices represent the trust boundary.
Trust boundary positions 1 and 2 are optimal; 3 is acceptable (if the access switch cannot perform classification).

Figure: Endpoints, Access, Distribution, Core, WAN Agg.; candidate trust boundaries 1 (at the endpoints), 2 (at the access switches) and 3 (at the distribution layer).

Classification Tools: Connecting the IP Phone

Figure: a Catalyst 6000 port connects to an IP phone (10.1.110.3) on the auxiliary VLAN 110 over an 802.1Q trunk with 802.1p Layer 2 CoS; the desktop PC (171.1.10.3) behind the phone sits on the PC VLAN 10, the native VLAN (PVID), so no configuration changes are needed on the PC.

Classification Tools: Extended Trust

A new concept of assigning trust to a device not directly connected to the switch port.

Allows an intermediate "trusted" device to modify the priority assigned by a downstream device.

The Trust Boundary feature will allow specification (via CDP) of the priority of the downstream (untrusted) device by the trusted device.

Figure: switch, trusted device, untrusted device sending data.

Classification Tools: PC CoS Settings Are Not Trusted

Figure: data from the PC marked CoS=5 is re-marked to CoS=0 by the trusted device.

Policers and Shapers

Policers typically drop traffic (no buffering, TCP retransmits); bidirectional.

Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops.

Figure: without traffic shaping, bursts go out at line rate; with traffic shaping, the transmit rate is limited to a shaped rate lower than the line rate.


Traffic Shaping and Policing Mechanisms

Shaping mechanisms:

Class-based shaping

Frame Relay traffic shaping (FRTS)

Generic traffic shaping (GTS)

Policing mechanisms:

Two rate policer

Class-based policing

Committed access rate (CAR)

RFC 2697: Single Rate Policer

Bc = Burst Committed = CIR × Tc; Be = Burst Excess.

Figure: a token bucket of size Bc filled at the CIR; tokens that overflow the committed bucket spill into the excess bucket of size Be.
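How the single-rate policer of RFC 2697 colours packets from the Bc and Be buckets, as an added example that is not Cisco's implementation; the 64 kbps / 125 ms / 1000-byte parameters and the burst are constructed.

```python
# Added example (not Cisco's code): a single-rate three-color marker (RFC 2697) in
# colour-blind mode. Bucket C holds Bc = CIR * Tc worth of tokens and refills at CIR;
# tokens that overflow C spill into bucket E (size Be); tokens that overflow E are lost.
# Time is kept in whole milliseconds so the arithmetic stays exact.


def committed_burst_bytes(cir_bps: int, tc_ms: int) -> int:
    """Bc = CIR * Tc, converted from bits to bytes."""
    return cir_bps * tc_ms // 8000


class SingleRatePolicer:
    def __init__(self, cir_bps: int, bc_bytes: int, be_bytes: int, now_ms: int = 0):
        self.bytes_per_ms = cir_bps / 8000   # CIR expressed in bytes per millisecond
        self.bc = bc_bytes
        self.be = be_bytes
        self.tc = bc_bytes                   # both buckets start full (RFC 2697)
        self.te = be_bytes
        self.last_ms = now_ms

    def _refill(self, now_ms: int) -> None:
        tokens = (now_ms - self.last_ms) * self.bytes_per_ms
        self.last_ms = now_ms
        room_c = self.bc - self.tc
        to_c = min(tokens, room_c)           # fill C first ...
        self.tc += to_c
        self.te = min(self.be, self.te + tokens - to_c)   # ... the overflow goes to E

    def mark(self, now_ms: int, size_bytes: int) -> str:
        """Return 'green' (conform), 'yellow' (exceed) or 'red' (violate)."""
        self._refill(now_ms)
        if size_bytes <= self.tc:
            self.tc -= size_bytes
            return "green"
        if size_bytes <= self.te:
            self.te -= size_bytes
            return "yellow"
        return "red"                         # a policer typically drops red traffic


def police_trace(cir_bps: int, tc_ms: int, be_bytes: int, packets) -> list:
    """Colour a sequence of (arrival_ms, size_bytes) packets with a fresh policer."""
    policer = SingleRatePolicer(cir_bps, committed_burst_bytes(cir_bps, tc_ms), be_bytes)
    return [policer.mark(t, size) for t, size in packets]


if __name__ == "__main__":
    # Constructed burst: 64 kbps CIR, Tc = 125 ms (Bc = 1000 bytes), Be = 1000 bytes.
    # Three 600-byte packets arrive at once, three more 100 ms later.
    burst = [(0, 600), (0, 600), (0, 600), (100, 600), (100, 600), (100, 100)]
    print(police_trace(64000, 125, 1000, burst))
```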

Scheduling Tools: Queuing Algorithms

Congestion can occur at any point in the network where there are speed mismatches.

Low-Latency Queuing (LLQ) is used for highest-priority traffic (voice/video).

Class-Based Weighted-Fair Queuing (CBWFQ) is used for guaranteeing bandwidth to data applications.

Figure: separate queues for Voice, Video and Data feeding one output.

Output Interface Queue Structure

Figure: Forwarder → software queuing system (any supported queuing mechanism) → hardware queue (TxQ, always FIFO) → output interface.

Each interface has its hardware and software queuing system.

The hardware queuing system (transmit queue, or TxQ) always uses FIFO queuing.

The software queuing system can be selected and configured depending on the platform and Cisco IOS version.

Class-Based Queueing

Figure: packets are classified (by DSCP, ToS or ACL) into an Expedite class served by LLQ with strict priority (15%), Business classes served by CB-WFQ (20% and 30%) and a Normal (best-effort) class served by FB-WFQ, all feeding the transmit queue; WRED thresholds can be set per class or overall, and multiple LLQ classes each get a max bandwidth (shaping).

Scheduling Tools: Congestion Avoidance Algorithms

Figure: the same queue under tail drop and under WRED, with packets carrying markings 0 to 3.

Queueing algorithms manage the front of the queue, i.e. which packets get transmitted first.

Congestion avoidance algorithms, like Weighted Random Early Detect (WRED), manage the tail of the queue, i.e. which packets get dropped first when queueing buffers fill.

WRED can operate in a DiffServ-compliant mode which will drop packets according to their DSCP markings.

WRED works best with TCP-based applications, like data.
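DSCP-based WRED as described above, as an added example that is not Cisco's implementation: the per-DSCP thresholds and the exponential weight are the ones shown in the show policy interface output for the GOLD-DATA class later on this page, the averaging formula and the queue-depth sequences are assumptions.

```python
# Added example (not Cisco's code): DSCP-based WRED drop decisions.
# The average queue depth is smoothed with the exponential weighting constant n
# (avg = avg + (depth - avg) / 2^n). Between the minimum and maximum thresholds the
# drop probability rises linearly up to 1/mark_prob_denominator at the maximum
# threshold; at or above the maximum threshold every packet is dropped (tail drop).
# The per-DSCP thresholds are those of the show policy interface output on this page
# (af21 32/40, af22 28/40, af23 24/40, mark probability 1/10, exponential weight 9).

EXP_WEIGHT = 9

# dscp name -> (minimum threshold, maximum threshold, mark probability denominator)
WRED_PROFILES = {
    "af21": (32, 40, 10),
    "af22": (28, 40, 10),
    "af23": (24, 40, 10),
}


def update_average(avg: float, current_depth: int, n: int = EXP_WEIGHT) -> float:
    """Exponentially weighted moving average of the queue depth."""
    return avg + (current_depth - avg) / (2 ** n)


def drop_probability(dscp: str, avg_depth: float) -> float:
    """Probability that a packet with this DSCP is dropped at the given average depth.
    A higher drop precedence (af23) has a lower minimum threshold, so it is dropped first."""
    min_th, max_th, mark_denom = WRED_PROFILES[dscp]
    if avg_depth < min_th:
        return 0.0
    if avg_depth >= max_th:
        return 1.0                                  # behaves like tail drop
    return (avg_depth - min_th) / (max_th - min_th) / mark_denom


def should_drop(dscp: str, avg_depth: float, random_value: float) -> bool:
    """random_value is a uniform draw in [0, 1); passing it in keeps the decision testable."""
    return random_value < drop_probability(dscp, avg_depth)


def simulate(dscp: str, depths, draws, n: int = EXP_WEIGHT) -> dict:
    """Feed a sequence of instantaneous queue depths (one per arriving packet) with the
    matching random draws; return the final average and how many packets were dropped."""
    avg, dropped = 0.0, 0
    for depth, draw in zip(depths, draws):
        avg = update_average(avg, depth, n)
        if should_drop(dscp, avg, draw):
            dropped += 1
    return {"average_depth": avg, "dropped": dropped}


if __name__ == "__main__":
    # Constructed scenario: the queue sits at 36 packets; af23 is dropped before af21.
    for name in WRED_PROFILES:
        print(name, drop_probability(name, 36))
```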

Provisioning Tools: Link Fragmentation and Interleaving

Serialization delay is the finite amount of time required to put frames on a wire.

For links ≤ 768 kbps, serialization delay is a major factor affecting latency and jitter.

For such slow links, large data packets need to be fragmented and interleaved with smaller, more urgent voice packets.

Figure: a large DATA frame ahead of a Voice packet causes excessive serialization delay; with fragmentation and interleaving, DATA fragments alternate with Voice packets and the serialization delay is minimized.

Fragment Size Recommendations (LFI Fragment Information)

Serialization Delay Matrix (frame size by link speed):

Frame size   56 kbps   64 kbps   128 kbps   256 kbps   512 kbps   768 kbps
64 bytes     9 ms      8 ms      4 ms       2 ms       1 ms       640 µs
128 bytes    18 ms     16 ms     8 ms       4 ms       2 ms       1.2 ms
256 bytes    36 ms     32 ms     16 ms      8 ms       4 ms       2.6 ms
512 bytes    72 ms     64 ms     32 ms      16 ms      8 ms       5 ms
1024 bytes   144 ms    128 ms    64 ms      32 ms      16 ms      10 ms
1500 bytes   214 ms    187 ms    93 ms      46 ms      23 ms      15 ms

Fragmentation Size Matrix (based on a 10 ms delay):

Link speed   Fragment size
56 kbps      70 bytes
64 kbps      80 bytes
128 kbps     160 bytes
256 kbps     320 bytes
512 kbps     640 bytes
768 kbps     1000 bytes
1536 kbps    2000 bytes

(The 1536 kbps row is crossed out on the slide: fragmentation is only needed on links ≤ 768 kbps.)

Provisioning for Voice: VoIP Bandwidth Reference Tables

Codec    Sampling rate   Voice payload (bytes)   Packets per second   Bandwidth per conversation
G.711    20 msec         160                     50                   80 kbps
G.711    30 msec         240                     33                   74 kbps
G.729A   20 msec         20                      50                   24 kbps
G.729A   30 msec         30                      33                   19 kbps

A more accurate method for provisioning is to include the Layer 2 overhead in the bandwidth calculations:

Codec             802.1Q Ethernet (+32 L2 bytes)   MLP (+13 L2 bytes)   Frame-Relay (+8 L2 bytes)   ATM (+variable L2 bytes, cell padding)
G.711 at 50 pps   93 kbps                          86 kbps              84 kbps                     106 kbps
G.711 at 33 pps   83 kbps                          78 kbps              77 kbps                     84 kbps
G.729A at 50 pps  37 kbps                          30 kbps              28 kbps                     43 kbps
G.729A at 33 pps  27 kbps                          22 kbps              21 kbps                     28 kbps

Provisioning for Voice: Call Admission Control (CAC): Why Is It Needed?

Figure: circuit-switched networks: a PBX reaches the PSTN over physical trunks. Packet-switched networks: a router/gateway and CallManager reach the IP WAN over an IP WAN link provisioned for 2 VoIP calls (equivalent to 2 "virtual" trunks); the 3rd call is rejected (STOP).

No physical limitation on IP links: if the 3rd call is accepted, the voice quality of all calls degrades.

CAC limits the number of VoIP calls on each WAN link.

WAN Scheduling Design Principles

LLQ (Voice) + LLQ (Video) ≤ 33% of link capacity
LLQ (Voice) + LLQ (Video) + CBWFQ (All Data) ≤ 75% of link capacity

Figure: link capacity split into Voice and Video (LLQ, 33% of the link), Voice/Video Control and Data (together with the LLQ share, 75% of the link), the remainder reserved for routing + Layer 2 overhead.
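One provisioning calculator for the three preceding provisioning slides (per-call VoIP bandwidth with Layer 2 overhead, LFI fragment size for a 10 ms target, and the 33% / 75% scheduling rule), as an added example that is not part of the deck; the link sizes, call counts and the ATM cell-padding arithmetic (AAL5 trailer, 48-byte cell payload, 53-byte cells) are assumptions, and the integer rounding reproduces the slides' kbps values.

```python
import math

# Added example, not from the slides: one provisioning calculator that ties together
# the VoIP Bandwidth Reference Tables (per-call bandwidth including Layer 2 overhead),
# the Fragment Size Recommendations (LFI fragment size for a 10 ms target on links
# <= 768 kbps) and the WAN scheduling rule (LLQ <= 33%, LLQ + data <= 75% of the link).
# Integer arithmetic is used so the results match the slides' rounded kbps values.

IP_UDP_RTP_BYTES = 40        # 20 IP + 8 UDP + 12 RTP per voice packet (no cRTP)

# (codec, sampling ms) -> (voice payload bytes, packets per second), as on the slide
CODECS = {
    ("G.711", 20): (160, 50),
    ("G.711", 30): (240, 33),
    ("G.729A", 20): (20, 50),
    ("G.729A", 30): (30, 33),
}

# Layer 2 bytes added per packet, as on the slide; ATM is computed from cell padding
L2_OVERHEAD = {"802.1Q Ethernet": 32, "MLP": 13, "Frame-Relay": 8}
ATM_CELL, ATM_PAYLOAD, AAL5_TRAILER = 53, 48, 8      # assumed ATM/AAL5 framing


def bytes_on_wire(payload_bytes: int, media: str) -> int:
    """Size of one voice packet on the given Layer 2 medium."""
    ip_packet = payload_bytes + IP_UDP_RTP_BYTES
    if media == "ATM":
        # AAL5 adds an 8-byte trailer, pads to whole 48-byte cells, each sent as 53 bytes
        cells = math.ceil((ip_packet + AAL5_TRAILER) / ATM_PAYLOAD)
        return cells * ATM_CELL
    return ip_packet + L2_OVERHEAD[media]


def call_bandwidth_kbps(codec: str, sample_ms: int, media: str = None) -> int:
    """Bandwidth per conversation in kbps, rounded up; media=None gives the IP-only figure."""
    payload, pps = CODECS[(codec, sample_ms)]
    size = payload + IP_UDP_RTP_BYTES if media is None else bytes_on_wire(payload, media)
    return math.ceil(size * 8 * pps / 1000)


def lfi_fragment_bytes(link_kbps: int, target_delay_ms: int = 10) -> int:
    """Largest fragment whose serialization delay stays within the target (slide: 10 ms)."""
    return link_kbps * target_delay_ms // 8


def serialization_delay_ms(frame_bytes: int, link_kbps: int) -> float:
    return frame_bytes * 8 / link_kbps


def video_priority_kbps(stream_kbps: int) -> int:
    """Video-conferencing slide: priority bandwidth = stream + 20% (384 -> 460)."""
    return stream_kbps * 12 // 10


def max_calls(link_kbps: int, codec: str, sample_ms: int, media: str) -> int:
    """How many calls fit in the 33% LLQ share of the link (voice only)."""
    return (link_kbps * 33 // 100) // call_bandwidth_kbps(codec, sample_ms, media)


def provision_link(link_kbps, calls, codec, sample_ms, media, video_stream_kbps=0, data_kbps=0):
    """Check a planned WAN link against the scheduling principles and report the LFI
    fragment size when the link is slow enough to need fragmentation."""
    voice = calls * call_bandwidth_kbps(codec, sample_ms, media)
    video = video_priority_kbps(video_stream_kbps) if video_stream_kbps else 0
    llq = voice + video
    return {
        "voice_kbps": voice,
        "video_kbps": video,
        "llq_ok": llq <= link_kbps * 33 // 100,
        "total_ok": llq + data_kbps <= link_kbps * 75 // 100,
        "fragment_bytes": lfi_fragment_bytes(link_kbps) if link_kbps <= 768 else None,
    }


if __name__ == "__main__":
    media_list = ("802.1Q Ethernet", "MLP", "Frame-Relay", "ATM")
    for key in CODECS:
        print(key, call_bandwidth_kbps(*key), [call_bandwidth_kbps(*key, m) for m in media_list])
    # Constructed plan: two G.711 calls over MLP on a 512 kbps link with 200 kbps of data
    print(provision_link(512, 2, "G.711", 20, "MLP", data_kbps=200))
```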


Management Tools

QoS is efficiently scaled with a centralized management server

QoS deployment is best followed by ongoing monitoring to ensure that targeted service-levels are being provided

QoS policies need periodic tuning to adjust to changing business needs

show policy

WAN-AGG-7200#show policy
  Policy Map WAN-EDGE
    Class VOICE
      Weighted Fair Queueing
            Strict Priority
            Bandwidth 17 (%)
    Class VIDEO
      Weighted Fair Queueing
            Strict Priority
            Bandwidth 16 (%) Burst 30000 (Bytes)
    Class VOICE-CONTROL
      Weighted Fair Queueing
            Bandwidth 2 (%) Max Threshold 64 (packets)
    Class GOLD-DATA
      Weighted Fair Queueing
            Bandwidth 25 (%)
            exponential weight 9
            dscp    min-threshold    max-threshold    mark-probablity
            ----------------------------------------------------------
            …
            af21    -                -                1/10
            af22    -                -                1/10
            af23    -                -                1/10
            …

show policy interface

WAN-AGG-7200#show policy interface multilink 1
 Multilink1
  Service-policy output: WAN-EDGE
    Class-map: VOICE (match-all)
      235728 packets, 45259776 bytes
      30 second offered rate 512000 bps, drop rate 0 bps
      Match: ip dscp 46
      Weighted Fair Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 17 (%)
        Bandwidth 522 (kbps) Burst 13050 (Bytes)
        (pkts matched/bytes matched) 235729/45259968
        (total drops/bytes drops) 0/0
    Class-map: VIDEO (match-all)
      64405 packets, 42852720 bytes
      30 second offered rate 485000 bps, drop rate 0 bps
      Match: ip dscp 34
      Weighted Fair Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 16 (%)
        Bandwidth 491 (kbps) Burst 30000 (Bytes)
        (pkts matched/bytes matched) 64538/42941550
        (total drops/bytes drops) 0/0

show policy interface (continued) – Gold Data

    Class-map: GOLD-DATA (match-any)
      93422 packets, 118192896 bytes
      30 second offered rate 1336000 bps, drop rate 32000 bps
      Match: ip dscp 18
        24386 packets, 36676544 bytes
        30 second rate 415000 bps
      Match: ip dscp 20
        33676 packets, 41488832 bytes
        30 second rate 469000 bps
      Match: ip dscp 22
        35360 packets, 40027520 bytes
        30 second rate 451000 bps
      Weighted Fair Queueing
        Output Queue: Conversation 266
        Bandwidth 25 (%)
        Bandwidth 768 (kbps)
        (pkts matched/bytes matched) 93816/118691420
        (depth/total drops/no-buffer drops) 29/2327/0      (slide callout: deep queues + drops)
        exponential weight: 9
        mean queue depth: 28

  dscp   Transmitted      Random drop    Tail drop    Minimum   Maximum   Mark
         pkts/bytes       pkts/bytes     pkts/bytes   thresh    thresh    prob
  …
  af21   24489/36831456   98/14700       0/0          32        40        1/10
  af22   33061/40732666   458/932340     0/0          28        40        1/10
  af23   33990/38479822   571/1775230    0/0          24        40        1/10

A KEY element: network administration

Objectives:
1. Make device configuration easier: embedded management; large-scale deployment
2. Manage SLAs
3. Provide visibility: NBAR and NetFlow instrumentation

Means:
1. Instrumentation: SLA: IOS IP SLA, CBQoS, Corvil; visibility: NBAR, NetFlow, RMON2 and extensions
2. Integrated tools
3. Software platforms

Security Device Manager (SDM): embedded management

• Graphical configuration of the whole ISR range
• Wizards and management/configuration tools for: LAN/WAN/VLAN interfaces; VPN (Easy VPN, DMVPN); firewall, IPS; routing; QoS, NBAR; NAC
• Secure SSH connection
• AutoSecure function: One Touch Router Lock-down, Auto Secure

Large-scale deployment: CNS agents and CNS Configuration Engine

Cisco Configuration Engine: a network configuration and provisioning solution supporting up to 5000 Cisco CPE devices per appliance. Secured communications between the CNS agents embedded in the devices' IOS and the Configuration Engine.

Distribution of upgrades or modifications to a fleet of Cisco ISR routers, whatever the access technology.

Embedded application (web GUI). Flexible technology for generating configuration templates (Velocity templates). XML-SOAP and Java/C++-based programming interface.

Configuration Engine: Zero Touch Deployment

Figure: ISR at the remote site, SP/Enterprise core, Configuration Engine.

1. The ISR is shipped with a generic bootstrap configuration, either from Cisco manufacturing (Cisco Configuration Express) or from the distributor. Technicians connect the cables and power the unit on.
2. With the bootstrap configuration, the ISR synchronises to obtain Layer 1 / Layer 2 connectivity and obtains an IP address (aggregator).
3. The ISR contacts the Cisco Configuration Engine: unique identification, then a configuration request over an SSL-encrypted link.
4. The ISR notifies the Cisco Configuration Engine of the deployment result; customer services can now be provisioned.

SLA management

Metrics:

Availability: Mean Time to Diagnose (MTD), Mean Time To Repair (MTTR), Mean Time Between Failures (MTBF)

Performance of differentiated services: bandwidth, latency, packet loss, latency variation (jitter), MOS

Enterprise and Small/Medium Business: understand network performance and ease deployment; verify service levels; verify outsourced SLAs.
Service Providers: measure and provide SLAs.

• Process for handling anomalies
• Commitments on return to normal
• Penalties

Performance measurement strategy

Sampling method: observed or synthetic
Collection method: embedded agent or external probes
Measurement perspective: user or network

Measurement technologies

Cisco IP SLAs. Measures: latency and jitter between source router and specified target. Sampling: active; collection: embedded; scope: link/end-to-end; perspective: user/network.

NBAR / NAM / CBQoS / Corvil. Measures: response time of live application traffic to the server device, QoS. Sampling: passive; collection: external probe/embedded; scope: link/end-to-end; perspective: user/network.

SNMP MIBs and Embedded Event Management. Measures: CPU/memory utilization, availability, QoS. Sampling: passive; collection: embedded; scope: device/link; perspective: user/network.

Cisco CallManager. Measures: voice calls, voice quality, Cisco CallManager performance. Sampling: passive; collection: embedded; scope: link/end-to-end; perspective: user/network.

NetFlow. Measures: device interface traffic rate by source/destination IP address, port number or AS. Sampling: passive; collection: embedded; scope: link/end-to-end; perspective: network.

Multi-protocol measurements with Cisco IOS IP SLA

Figure: IP SLAs in Cisco IOS Software on a source router generates active traffic, with a defined packet size, spacing, CoS and protocol, towards a destination (an IP server, or an IP SLAs Responder also running Cisco IOS Software) to measure the network, and exposes the results as MIB data.

Operations: FTP, DNS, DHCP, TCP, Jitter, ICMP, UDP, DLSW, HTTP, LDP, H.323, SIP, RTP, Radius, Video
Measurement metrics: latency, network jitter, distribution of stats, connectivity, packet loss
Applications: network performance monitoring, Service Level Agreement (SLA) monitoring, network assessment, Multiprotocol Label Switching (MPLS) monitoring, VoIP monitoring, availability, troubleshooting

How IP SLA works

Figure: a management application configures the IP SLAs source, which measures performance against a target (an IP host or an IP SLAs Responder) and can trigger other operations based on thresholds/timeouts.

1. Configure source router
2. If needed, configure responder
3. Schedule operations
4. If needed, set thresholds
5. Measure network
6. Poll SNMP or CLI for measurement results

Cisco IOS IP SLAs: Operation and Responder

Figure: timeline between the IP SLAs source and the IP SLAs target across the network, with timestamps TS1 (request sent by the source), TS2 (request received at the target), TS3 (reply sent by the target), TS4 (reply received at the source) and TS5 (processing done at the source).

Round-trip delay (without Responder) = TS5 − TS1 − TProc(Source)
Round-trip delay (with Responder) = (TS5 − TS1) − TProc(Source) − TProc(Target)
One-way delay (with Responder) = TS2 − TS1
Source processing time: TProc = TS5 − TS4
Target processing time: TProc = TS3 − TS2

• Locally, an IP SLAs packet will perceive the same scheduling latency as any packet from its class.

Example: UDP Jitter operation

The IP SLAs source sends a train of packets with a constant interval across the IP core. The Responder receives the train at intervals impacted by the network, adds a receive timestamp and calculates the delta (the processing time), then replies to the packets (it does not generate its own).

Results: per-direction inter-packet delay (jitter), per-direction packet loss, average round-trip delay.

Example: UDP Jitter operation

Figure: packets P1 and P2 are sent by the IP SLAs source with spacing i1, received by the Responder across the IP core with spacing i2, reflected after processing (d1, d2) and received back at the source with spacing i3.

STx = sent timestamp for packet x.
RTx = receive timestamp for packet x (at the Responder).
dx = processing time spent between packet arrival and treatment.
ATx = receive timestamp for packet x (back at the source).

Each packet contains STx, RTx, ATx and dx. The source can now calculate:

JitterSD = (RT2 − RT1) − (ST2 − ST1) = i2 − i1
JitterDS = (AT2 − AT1) − ((RT2 + d2) − (RT1 + d1)) = i3 − i2

Page 89

Class-Based QoS MIB (CBQoS MIB)

The CBQoS MIB exposes the statistics of differentiated services (per class of service):

- Traffic before the QoS policy is applied
- Traffic after the QoS policy is applied

This shows whether QoS is configured correctly and how effective it is.

• Using the CBQoS MIB is indispensable when QoS is deployed to carry IP telephony and/or business-critical applications.

• Within each class of service the bandwidth can be estimated automatically from an SLA (latency, packet loss).

Page 90

Class Map Stats Table

Figure: one row per class map (Bronze, Silver, Gold). Counters before QoS: CMPrePolicyPkt, CMPrePolicyByte. Counters after the QoS policies have been applied: CMPostPolicyPkt, CMDropPkt, CMDropByte, CMNoBufDropPkt. Drop = Pre - Post.

Page 91

NetFlow: operation

Figure: the NetFlow cache holds one entry per flow, made of the flow identifiers (7 keys) and the flow data (other data). Each packet matching an entry updates its flow data; expired entries are exported.

The 7 flow identifiers: source IP address, destination IP address, source port, destination port, Layer 3 protocol, TOS byte, ifIndex of the input interface.

Page 92

Main uses

Service Provider:
Peering arrangements
Network planning
Traffic engineering
Accounting and billing
Security monitoring

Enterprise:
Internet access monitoring (protocol distribution, where traffic is going/coming)
User monitoring
Application monitoring
Charge back billing for departments
Security monitoring

Page 93

NetFlow cache: example

1. Create and update flows in NetFlow cache

SrcIf SrcIPadd DstIf DstIPadd Protocol TOS Flgs Pkts SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop Bytes/Pkt Active Idle
Fa1/0 173.100.21.2 Fa0/0 10.0.227.12 11 80 10 11000 00A2 /24 5 00A2 /24 15 10.0.23.2 1528 1745 4
Fa1/0 173.100.3.2 Fa0/0 10.0.227.12 6 40 0 2491 15 /26 196 15 /24 15 10.0.23.2 740 41.5 1
Fa1/0 173.100.20.2 Fa0/0 10.0.227.12 11 80 10 10000 00A1 /24 180 00A1 /24 15 10.0.23.2 1428 1145.5 3
Fa1/0 173.100.6.2 Fa0/0 10.0.227.12 6 40 0 2210 19 /30 180 19 /24 15 10.0.23.2 1040 24.5 14

2. Expiration

A flow is expired from the cache when:
• Inactive timer expired (15 sec is default)
• Active timer expired (30 min (1800 sec) is default)
• NetFlow cache is full (oldest flows are expired)
• RST or FIN TCP flag

Expired flow (active timer reached 1800 sec):
Fa1/0 173.100.21.2 Fa0/0 10.0.227.12 11 80 10 11000 00A2 /24 5 00A2 /24 15 10.0.23.2 1528 1800 4

3. Aggregation

Aggregation? Yes: aggregated flows, export Version 8 or 9. No: non-aggregated flows, export Version 5 or 9.

i.e. with the protocol-port aggregation scheme the expired flow above becomes:
Protocol Pkts SrcPort DstPort Bytes/Pkt
11 11000 00A2 00A2 1528

4. Export version

5. Transport protocol

Export packet = header + payload (flows); 30 flows per 1500 byte export packet.
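The cache mechanics of pages 91 and 93 (7-key flow identification, the four expiration causes and protocol-port aggregation) as a small simulation. This is an added example written for this page, not Cisco IOS code; the Packet/Flow/NetFlowCache names, the export record layout, the 2-entry cache size and the packet stream are constructed for the illustration, while the timer defaults are the ones the slide states.

```python
"""A miniature NetFlow cache: 7-key flow identification, expiration and
protocol-port aggregation. Added example, not Cisco IOS code.

Packets below are constructed; timer defaults follow the slide (inactive
15 s, active 1800 s, oldest flow evicted when the cache is full).
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP, UDP = 6, 17
FIN, RST = 0x01, 0x04

# The slide's seven flow identifiers, in this order:
# src IP, dst IP, src port, dst port, L3 protocol, TOS byte, input ifIndex.
FlowKey = Tuple[str, str, int, int, int, int, int]


@dataclass
class Packet:
    ts: float          # arrival time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    length: int
    tos: int = 0
    in_ifindex: int = 1
    tcp_flags: int = 0


@dataclass
class Flow:
    key: FlowKey
    first: float
    last: float
    pkts: int = 0
    octets: int = 0
    tcp_flags: int = 0

    def record(self, reason: str) -> Dict[str, object]:
        src, dst, sport, dport, proto, tos, ifidx = self.key
        return {"src": src, "dst": dst, "sport": sport, "dport": dport, "proto": proto,
                "tos": tos, "in_ifindex": ifidx, "pkts": self.pkts, "octets": self.octets,
                "active_s": self.last - self.first, "tcp_flags": self.tcp_flags, "reason": reason}


class NetFlowCache:
    def __init__(self, inactive_s: float = 15.0, active_s: float = 1800.0, max_flows: int = 65536):
        self.inactive_s, self.active_s, self.max_flows = inactive_s, active_s, max_flows
        self.flows: "OrderedDict[FlowKey, Flow]" = OrderedDict()  # insertion order = age
        self.exported: List[Dict[str, object]] = []

    @staticmethod
    def key_of(p: Packet) -> FlowKey:
        return (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.in_ifindex)

    def _export(self, key: FlowKey, reason: str) -> None:
        self.exported.append(self.flows.pop(key).record(reason))

    def expire(self, now: float) -> None:
        """Inactive and active timers, checked on every packet (a router uses a background scan)."""
        for key, f in list(self.flows.items()):
            if now - f.last >= self.inactive_s:
                self._export(key, "inactive")
            elif now - f.first >= self.active_s:
                self._export(key, "active")

    def update(self, p: Packet) -> None:
        self.expire(p.ts)
        key = self.key_of(p)
        f = self.flows.get(key)
        if f is None:
            if len(self.flows) >= self.max_flows:           # cache full: expire the oldest flow
                self._export(next(iter(self.flows)), "cache_full")
            f = self.flows[key] = Flow(key, p.ts, p.ts)
        f.pkts += 1
        f.octets += p.length
        f.last = p.ts
        f.tcp_flags |= p.tcp_flags
        if p.proto == TCP and p.tcp_flags & (FIN | RST):    # end of the TCP connection
            self._export(key, "tcp_fin_rst")


def protocol_port_aggregate(records) -> Dict[Tuple[int, int, int], Dict[str, float]]:
    """The slide's protocol-port scheme: collapse exported flows onto (proto, sport, dport)."""
    agg: Dict[Tuple[int, int, int], Dict[str, float]] = {}
    for r in records:
        a = agg.setdefault((r["proto"], r["sport"], r["dport"]), {"pkts": 0, "octets": 0})
        a["pkts"] += r["pkts"]
        a["octets"] += r["octets"]
    for a in agg.values():
        a["bytes_per_pkt"] = a["octets"] / a["pkts"]
    return agg


def demo() -> List[Dict[str, object]]:
    """Drive a tiny cache (max 2 flows) through all four expiration causes."""
    cache = NetFlowCache(max_flows=2)
    for p in [
        Packet(0.0, "173.100.21.2", "10.0.227.12", 162, 162, UDP, 1000, tos=0x80),
        Packet(1.0, "173.100.21.2", "10.0.227.12", 162, 162, UDP, 1000, tos=0x80),
        Packet(2.0, "173.100.3.2", "10.0.227.12", 1025, 80, TCP, 60, tcp_flags=0x02),  # SYN
        Packet(3.0, "173.100.20.2", "10.0.227.12", 161, 161, UDP, 500, tos=0x80),      # third flow: oldest evicted
        Packet(4.0, "173.100.3.2", "10.0.227.12", 1025, 80, TCP, 60, tcp_flags=0x11),  # FIN+ACK: exported at once
    ]:
        cache.update(p)
    for t in range(30, 1841, 10):   # long-lived flow: trips the 1800 s active timer
        cache.update(Packet(float(t), "173.100.6.2", "10.0.227.12", 19, 19, UDP, 1040))
    return cache.exported


if __name__ == "__main__":
    for rec in demo():
        print(rec["reason"], rec["src"], "->", rec["dst"], rec["pkts"], "pkts", rec["octets"], "octets")
    for k, v in protocol_port_aggregate(demo()).items():
        print(k, v)
```

The order of the exported records is what matters for a collector: the first flow leaves the cache only because the cache filled up, the TCP flow leaves as soon as its FIN is seen, the idle flow leaves after the inactive timer, and the long UDP stream is cut at 1800 s of activity and continues as a new flow. A security-monitoring consumer therefore sees a long transfer as several records with the same 7 keys, which is why aggregation (or stitching on the collector) is needed before counting bytes per conversation.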

Page 94

NetFlow: infrastructure

Figure: the three tiers of a NetFlow deployment.

Router/Switch (Cisco): cache creation, data export, aggregation
Collector (Cisco and partners): collection, filtering, aggregation, storage
Applications (partners): data processing, data presentation; for example accounting/billing, network planning, RMON application (RMON/NAM)

Page 95

Protocol discovery: Network-Based Application Recognition (NBAR)

Analyses data from Layer 3 to Layer 7
Used in traffic classification
"Stateful inspection" for traffic using dynamic ports
PDLM (Packet Description Language Modules) to define applications
Configurable recognition criteria to identify TCP- or UDP-based applications
NBAR-PROTOCOL-DISCOVERY MIB: bit/s, bytes, packets

Figure: voice, data, P2P and video traffic from the Internet classified by NBAR; outputs: application volumes, MQC packet classification, flexible threshold notifications.

Page 96

Integrated analysis probes

Figure: the NAM analyser GUI (HTTP/S, SNMP) configures the NAMs and aggregates/correlates traffic data (including NetFlow) from hardware NAMs embedded in the network.

"Visibility" built into the network:

Platforms: Catalyst 6500/7600; multiservice access routers 2600/3660/3700/ISR 2800/ISR 3800
Layer 3-7: RMON I, II, HCRMON, SMON, DSMON, ART, voice analysis
Layer 2: mini-RMON, per port, per interface

NAM data sources: SPAN, RSPAN (remote SPAN), NetFlow v1/5/6/7/8 (broad), VLAN ACL (specific)

Page 97

NAM: real-time analysis

Page 98

• 100 days of report history
• Detailed information to help troubleshooting; complements third-party capacity planning tools

Packet capture and decode
Pre- and post-capture filters; save and export
Capture triggered on predefined events
History, reporting and isolation, troubleshooting

Page 99

Objective: control latency/loss

Figure: applications placed on a vertical axis of latency/loss control, with the tiers:

Uncontrolled (1 ms - 10 seconds)
Low (<100 - 1000 ms, <0.1%)
Very Low (<10 - 100 ms, <0.01%)
Ultra Low (<1 - 10 ms, <0.001%)

Applications, from the most to the least demanding: Algorithmic Trading, Grid Computing, Telepresence, VoIP, Citrix, Web 2.0, e-Mail, FTP, HTTP.

The figure contrasts traditional performance-management tools with Bandwidth Quality Manager.

Page 100

In 100 ms on a 1 Gb/s LAN a lot can happen: up to 12 MB of data generated, ~100,000 packets can be lost!!

Diversity of application profiles: sensitivity to latency and to packet loss

Characteristics of today's IP networks:
Consolidation of data centres and growing number of remote sites
Cost of bandwidth
Difference between LAN and WAN speeds

Figure: a data centre connected over the WAN to several remote sites.

Page 101

Common tools are unable to detect, troubleshoot and decide what to do:
Event granularity: millisecond
Analysis in a QoS context

Micro-congestion can lead to unpredictable application behaviour; the probability of application performance problems grows. Dynamic network congestion (micro bursts) impacts applications.

The solution is not always obvious:
More bandwidth (in the right place)
QoS techniques (traffic shaping, priority queuing)

Figure: a data centre connected over the WAN to several remote sites.

Page 102

Latency measurement

Figure: a market data feed on Gigabit Ethernet, monitored by a BQM 1180, crosses the WAN (BQM 2120 appliances at the sites) to a 10 Mb/s link serving Trading Client A. Question: what is the latency of the market data feed to Trading Client A?

Traditional 1 s PING latency view: 99% latency of 4 ms
BQM PNQM latency view: 99% latency of 50 ms

Page 103

Traffic measurement

Figure: a Citrix Metaframe server on Fast Ethernet, monitored by a BQM 1180, reaches Site A across the WAN over a 2 Mb/s access link (0.5 Mb/s for the Citrix class). Question: what is the utilization of the access link to Site A?

Traditional 5 min view: 20% link utilization
BQM 5 ms view: 20,000% link utilization

Page 104

Bandwidth analysis

Figure: the same Citrix Metaframe server, BQM 1180 and 2 Mb/s Site A access link (0.5 Mb/s for the Citrix class).

Question: what is the expected latency induced on the Site A link by Citrix traffic?
BQM Expected Latency View: up to 330 ms of latency induced

Question: what is the bandwidth needed by Citrix to achieve no worse than 200 ms for 99.9% of packets?
BQM Bandwidth Requirement View: upgrade to 2.5 Mb/s for the Citrix class required

Page 105

SLM solution

Detailed graphs of the measurements

"Turning a Cisco Network into a powerful SLM solution"

Appliance with a web portal centralising:
Performance measurements from the IP SLA probes
Analysis of the CBQoS (classes of service) and NBAR (protocol discovery) MIBs
Tracking of NetFlow traffic

Scalable solution for:
Tracking network SLAs ..... and VoIP infrastructures
Preparing or improving the rollout of "critical" applications
