Application Visibility and Control (AVC) Overview
Posted on 03-Dec-2014
© 2012 Cisco and/or its affiliates. All rights reserved. 1
Application Visibility and Control Overview
Jean-Marc Barozet (jmb@cisco.com) Technical Leader
November 2012
Network Operating Systems Technology Group
Proliferation of Devices
Users and machines, VDI, IaaS, private cloud, public/hybrid cloud, SaaS/IaaS, storage and database all attach to the network.
Drastic change in application type, delivery and consumption: both the type of applications and how applications are delivered and consumed.
60% of IT professionals cite performance as the key challenge for cloud.
Application complexity increases
• Identify growing applications using more than just the port number
• Cloud and virtualization centralize application delivery
• Understand application performance from the end user's perspective
• Multiple entities are involved in delivering applications
• Problem isolation to minimize downtime and business impact
The four building blocks of AVC (ASR1K and ISR G2):
• Application Recognition: identify applications using L3 to L7 information (NBAR2).
• Performance Collection and Exporting: the ISR G2 and ASR1K collect application performance metrics (FNF, ART, MMON) and export them to a management tool over NetFlow v9/IPFIX.
• Reporting Tools: an advanced reporting tool (Cisco Prime Infrastructure, Cisco Insight, or 3rd-party tools) aggregates and reports application performance, e.g. an application visibility and user experience report listing application, bandwidth and transaction time (SAP 3M, 150 ms; SharePoint 10M, 500 ms; ...).
• Control: use QoS (NBAR2 QoS) or PfR to control application network usage (High / Med / Low) and improve application performance.
AGENDA: Application Classification
Deep Packet Inspection engine (NBAR2) identifies applications using L7 signatures (ASR1K, ISR G2).

Are these applications, or just ports?
HTTP   80
FTP    20/21
SMTP   25
POP3   110
IMAP   143
HTTPS  443
What about these?
NBAR2
• NBAR2 is a complete rebuild and the next generation of the classification engine: a new DPI component that provides advanced application classification and field extraction capabilities taken from SCE
• NBAR2 is adopted as the Cisco cross-platform protocol classification mechanism
• Backward compatible, to preserve existing NBAR investments
• In-service, field-upgradable protocol definitions: no IOS upgrade required
• NBAR application library: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
NBAR2 = IOS NBAR (+150 signatures) + SCE classification (+1000 signatures) + advanced classification techniques + innovations (native IPv6 classification, open API, 3rd-party integration, ...)
Supports ~1400 protocols and sub-classification
Categorization of protocols into meaningful terms simplifies config and report aggregation
NBAR2 Category: browsing, business-and-productivity-tools, email, file-sharing, gaming, industrial-protocols, instant-messaging, internet-privacy, layer2-non-ip, layer3-over-ip, location-based-services, net-admin, newsgroup, obsolete, other, trojan, voice-and-video
NBAR2 Sub-category: authentication-services, backup-systems, client-server, commercial-media-distribution, control-and-signaling, database, epayement, file-sharing, inter-process-rpc, internet-privacy, license-manager, naming-services, network-management, network-protocol, other, p2p-file-transfer, p2p-networking, remote-access-terminal, rich-media-http-content, routing-protocol, storage, streaming, terminal, tunneling-protocols, voice-video-chat-collaboration
NBAR2 Application Group: apple-talk-group, banyan-group, bittorrent-group, corba-group, edonkey-emule-group, fasttrack-group, flash-group, fring-group, ftp-group, gnutella-group, gtalk-group, icq-group, imap-group, ipsec-group, irc-group, kerberos-group, ldap-group, netbios-group, nntp-group, npmp-group, other, p2p-file-transfer, pop3-group, prm-group, skinny-group, skype-group, smtp-group, snmp-group, sqlsvr-group, stun-group, telepresence-group, tftp-group, vmware-group, vnc-group, wap-group, webex-group, windows-live-messanger-group, xns-xerox-group, yahoo-messenger-group
P2P Technology, Encrypted, Tunnel: each attribute takes the value y, n or unassigned
• Ability to extract certain fields out of a protocol
Protocol  Field               Length  FNF configuration syntax
HTTP      URL                 *       collect application http url
HTTP      Host                50      collect application http host
HTTP      User-agent          200     collect application http user-agent
HTTP      Referer             *       collect application http referer
RTSP      Host                50      collect application rtsp host-name
SMTP      Server              50      collect application smtp server
SMTP      Sender              50      collect application smtp sender
POP3      Server              50      collect application pop3 server
NNTP      Group Name          50      collect application nntp group-name
SIP       Source Domain       50      collect application sip source
SIP       Destination Domain  50      collect application sip destination
Ability to extract information from an HTTP message
Client Se0/0/0 (IP=192.168.100.100) requests http://www.cnn.com/US from www.cnn.com (IP=157.166.255.18):
GET /weather/getForecast?time=37&&zipCode=95035 HTTP/1.1
Host: svcs.cnn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.cnn.com/US/
FNF statements that export these fields:
collect application http url
collect application http host
collect application http user-agent
collect application http referer
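The two points above, that a port number is not an application and that the exported HTTP fields are length-limited strings, in working code. This is an added example, not Cisco code and not how NBAR2 is implemented: the classifier is a toy that looks at the first data segment only, the protocol names (http, secure-http, ssh) are the NBAR names used elsewhere on this page, the length limits come from the field-extraction table above, and the sample request is the one printed on the slide. One caveat a collector author should keep in mind: Host, User-Agent and Referer are attacker-controlled strings and must be treated as untrusted data when they are stored or rendered.

```python
# Added example (not Cisco code): port-independent first-segment classification
# and HTTP field extraction with the slide's export length limits.
import re

# Export length limits from the field-extraction table: None where the slide shows '*'.
HTTP_FIELD_LIMITS = {"url": None, "host": 50, "user-agent": 200, "referer": None}

HTTP_REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r?\n")

# What a port-only view (plain NetFlow) could say; used only when no signature matches.
PORT_FALLBACK = {80: "http", 443: "secure-http", 22: "ssh"}


def classify_payload(dst_port: int, payload: bytes) -> str:
    """Classify a first data segment by its payload shape, ignoring the port.

    A real NBAR2 signature is stateful and far richer; this only shows why a
    port number alone does not identify the application.
    """
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0?,
    # 2-byte length, then handshake type 0x01 (ClientHello): TLS on any port.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "secure-http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return PORT_FALLBACK.get(dst_port, "unknown")


def _truncate(value: str, limit):
    return value if limit is None else value[:limit]


def extract_http_fields(payload: bytes) -> dict:
    """Return the four HTTP fields the slide exports, truncated as the table specifies.

    Header values are attacker-controlled; a collector must never treat them as
    markup or splice them into a query.
    """
    m = HTTP_REQUEST_LINE.match(payload)
    if m is None:
        raise ValueError("not an HTTP/1.x request")
    sep = b"\r\n\r\n" if b"\r\n\r\n" in payload else b"\n\n"
    head = payload.split(sep, 1)[0]
    headers = {}
    for line in head.splitlines()[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers.setdefault(name.strip().lower(), value.strip())  # first occurrence wins

    def hdr(name: bytes) -> str:
        return headers.get(name, b"").decode("latin-1")

    fields = {
        "url": m.group(2).decode("latin-1"),
        "host": hdr(b"host"),
        "user-agent": hdr(b"user-agent"),
        "referer": hdr(b"referer"),
    }
    return {k: _truncate(v, HTTP_FIELD_LIMITS[k]) for k, v in fields.items()}


# Constructed sample: the request shown on the slide, with CRLF line endings.
SAMPLE_REQUEST = (
    b"GET /weather/getForecast?time=37&&zipCode=95035 HTTP/1.1\r\n"
    b"Host: svcs.cnn.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    b"Accept-Language: en-us,en;q=0.5\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Connection: keep-alive\r\n"
    b"Referer: http://www.cnn.com/US/\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(classify_payload(8080, SAMPLE_REQUEST))               # http, despite the port
    print(classify_payload(80, b"\x16\x03\x01\x00\xc8\x01\x00"))  # secure-http on port 80
    print(extract_http_fields(SAMPLE_REQUEST))
```

Run it against the sample and the URL, Host and Referer come back exactly as on the slide; feed it a Host header longer than 50 characters and the value is cut at 50, which is what the exporter would do before the record leaves the router.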
Protocol Discovery
• Discover application protocols transiting an interface, and populate CISCO-NBAR-PROTOCOL-DISCOVERY-MIB
• Supports both input and output traffic
• Detection of IPv6 in IPv4 traffic (ISATAP, Teredo, 6to4, ...)
• Stateful application classification for IPv6 in IPv4 traffic
Configuration:
interface GigabitEthernet0/0/2
 ip nbar protocol-discovery
Verification (each cell lists packet count / byte count / 5 min bit rate / 5 min max bit rate, rates in bps):
ASR-1000#sh ip nbar protocol-discovery top-n
 GigabitEthernet0/0/2
 [snip]
 Protocol      Input                                       Output
 itunes        1352704 / 2042671577 / 3395000 / 15000000   413286 / 28254387 / 18000 / 208000
 secure-http   584678 / 640511303 / 2357000 / 8847000      330847 / 76683682 / 196000 / 353000
 youtube       139631 / 207492818 / 1296000 / 3575000      66440 / 3869014 / 17000 / 80000
 bittorrent    37186 / 11025469 / 81000 / 84000            82432 / 113101301 / 248000 / 2465000
Protocol Packs and PDLMs
• New IOS and IOS XE releases ship with new PDLs (Protocol Description Language definitions); see show ip nbar version
• A PDLM defines an update to an existing application or a new application (PDLMs can be downloaded from CCO), e.g. bittorrent.pdlm, citrix.pdlm
• A bundle of multiple PDLMs is released as a protocol pack (show ip nbar protocol-pack)
Loading a PDLM or a protocol pack into NBAR2:
ip nbar pdlm <path_to_pdlm_file>
ip nbar protocol-pack <path_to_protocol_pack>
Before loading a protocol pack:
router#sh ip nbar protocol-pack active
ACTIVE protocol pack:
Name: Default Protocol Pack
Version: 1.0
Publisher: Cisco Systems Inc.
After loading the advanced protocol pack:
router#show ip nbar protocol-pack active
ACTIVE protocol pack:
Name: Advanced Protocol Pack
Version: 3.0
Publisher: Cisco Systems Inc.
File: flash:pp-adv-asr1k-15.2(04)S-13-1.1(0).pack
AGENDA: Performance Collection and Exporting
The ISR G2 and ASR1K collect application bandwidth and response time metrics (FNF, IOS PA) and export them to the management tool over FNF v9 / IPFIX.
• Integrated performance monitoring is available for different types of applications and use cases:
Basic monitoring: what applications, how much bandwidth, which flow direction? (Flexible NetFlow and NBAR/NBAR2)
Advanced monitoring, voice and video performance (Media Monitoring): 30% of traffic is voice and video
Advanced monitoring, critical application performance (Performance Agent): 40% of traffic is critical applications
Flexible NetFlow (FNF)
• Evolution from Traditional NetFlow (TNF)
• Feature to collect and export network information and statistics: backward compatible with TNF records; flexibility in defining fields and the flow record format; utilizes the extensible NetFlow Version 9 format; UDP-based transport
• Consists of data collection (flow monitor) and data export (flow exporter)
• Flow export format can be NetFlow version 9 (RFC 3954) or IPFIX (RFC 5101, since superseded by RFC 7011)
• Open standard; can be analyzed by Cisco Insight, Cisco Prime NAM, Cisco Prime Assurance Manager and 3rd-party tools
• Required to collect application information from NBAR2
Deployment: the HQ and branch routers (MC/BR, BR) on WAN1 (IP-VPN) and WAN2 (IPVPN, DMVPN) send NetFlow export packets (1. templates, 2. data records) to the NetFlow collector, which feeds applications, performance, security and billing reports.
Flow Records: Key and Non-key Fields
• Key fields are unique per flow record (match statement)
• Non-key fields are attributes or characteristics of a flow (collect statement)
• If a packet's key fields are unique, a new entry is created in the flow cache
• Otherwise the non-key fields of the existing entry are updated, e.g. the packet count
Packet 1 key fields: Source IP 1.1.1.1, Destination IP 2.2.2.2, Source port 23, Destination port 22078, Layer 3 protocol TCP (6), TOS byte 0. Non-key field: Length 1250.
Packet 2 key fields: Source IP 3.3.3.3, Destination IP 4.4.4.4, Source port 80, Destination port 22079, Layer 3 protocol TCP (6), TOS byte 0. Non-key field: Length 519.
NetFlow cache after packet 1:
Source IP  Dest. IP  Dest. I/F  Protocol  TOS  ...  Pkts
1.1.1.1    2.2.2.2   E1         6         0    ...  11000
NetFlow cache after packet 2:
Source IP  Dest. IP  Dest. I/F  Protocol  TOS  ...  Pkts
3.3.3.3    4.4.4.4   E1         6         0    ...  50
1.1.1.1    2.2.2.2   E1         6         0    ...  11000
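The key/non-key rule above as a small flow cache, added here as an example and not taken from Cisco code. It uses the slide's six key fields and treats the destination interface, packet count and byte count as non-key fields. It goes one step beyond the slide: active and inactive expiry timers, which are what turn cache entries into exported records, are included, with assumed timeout values (1800 s active, 15 s inactive); the packets are constructed, the first two being the ones on the slide.

```python
# Added example (not Cisco code): a flow cache keyed on the slide's six key fields.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time, seconds
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int         # layer 3 protocol number, 6 = TCP
    tos: int
    length: int        # bytes on the wire
    out_if: str        # destination interface (a non-key field in the slide's cache)


FlowKey = Tuple[str, str, int, int, int, int]


@dataclass
class FlowEntry:
    key: FlowKey
    out_if: str
    pkts: int
    bytes: int
    first_seen: float
    last_seen: float


class FlowCache:
    # Timeout values are assumptions, not taken from the slide.
    def __init__(self, active_timeout: float = 1800.0, inactive_timeout: float = 15.0):
        self.entries: Dict[FlowKey, FlowEntry] = {}
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout

    @staticmethod
    def key_of(p: Packet) -> FlowKey:
        # The six key fields ('match' statements); everything else is non-key.
        return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto, p.tos)

    def update(self, p: Packet) -> FlowEntry:
        k = self.key_of(p)
        e = self.entries.get(k)
        if e is None:
            # Unique key fields: create a new cache entry.
            e = FlowEntry(k, p.out_if, 1, p.length, p.ts, p.ts)
            self.entries[k] = e
        else:
            # Existing flow: only the non-key fields ('collect' statements) change.
            e.pkts += 1
            e.bytes += p.length
            e.last_seen = p.ts
            e.out_if = p.out_if
        return e

    def expire(self, now: float) -> List[FlowEntry]:
        """Remove and return entries whose active or inactive timer has expired.
        These are the records a flow exporter would send to the collector."""
        expired = [e for e in self.entries.values()
                   if now - e.first_seen >= self.active_timeout
                   or now - e.last_seen >= self.inactive_timeout]
        for e in expired:
            del self.entries[e.key]
        return expired

    def rows(self) -> List[Tuple]:
        """Cache contents in the slide's column order: src, dst, out if, proto, tos, pkts."""
        return [(e.key[0], e.key[1], e.out_if, e.key[4], e.key[5], e.pkts)
                for e in self.entries.values()]


# Constructed traffic: the two packets from the slide plus a third that belongs to the first flow.
SAMPLE_PACKETS = [
    Packet(0.00, "1.1.1.1", "2.2.2.2", 23, 22078, 6, 0, 1250, "E1"),
    Packet(0.01, "3.3.3.3", "4.4.4.4", 80, 22079, 6, 0, 519, "E1"),
    Packet(0.02, "1.1.1.1", "2.2.2.2", 23, 22078, 6, 0, 1250, "E1"),
]


def run_sample(packets=SAMPLE_PACKETS) -> FlowCache:
    cache = FlowCache()
    for p in packets:
        cache.update(p)
    return cache


if __name__ == "__main__":
    for row in run_sample().rows():
        print(row)
```

After the three packets the cache holds two entries: the 1.1.1.1 to 2.2.2.2 flow with two packets and 2500 bytes, and the 3.3.3.3 to 4.4.4.4 flow with one packet. Calling expire() 20 seconds later returns both entries, since neither has seen a packet within the inactive timeout.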
NetFlow Version 9 Export Format
• Matching ID numbers are the way to associate a template with its data records
• The header follows the same format as prior NetFlow versions (version, # packets, sequence #, source ID), so collectors are backward compatible
• Each data record represents one flow
• If exported flows have different fields, they cannot be contained in the same template record (e.g. BGP next hop cannot be combined with MPLS-aware NetFlow records)
Export packet layout: header; a Template FlowSet (FlowSet ID #0) carrying template records (e.g. Template ID #256 and #257, each listing specific field types and lengths); Data FlowSets (FlowSet ID #256, #257) carrying data records (field values), e.g. flows from interface A and flows from interface B; an Option Template FlowSet (FlowSet ID #1, e.g. Template ID #258) and an Option Data FlowSet carrying option data records.
To support technologies such as MPLS or multicast, this export format can be leveraged to easily insert new fields.
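The template-to-data association above, built and parsed in code. This is an added example, not Cisco code and not a complete collector: it emits one template FlowSet and one data FlowSet and parses them back. The header layout and FlowSet IDs are as described on the slide, the field type numbers are the standard v9 ones (8/12 IPv4 addresses, 7/11 ports, 4 protocol, 1/2 bytes and packets) plus Cisco's applicationId (95), decoded as a 1-byte engine ID and 3-byte selector. The sample flow is constructed and carries the 0x0D00019E application ID that appears later on this page; the exporter addresses are made up. The security-relevant points for anyone writing a collector: v9 arrives over unauthenticated UDP, so templates must be cached per (exporter address, source ID) and never applied to another exporter's data; data whose template is unknown is dropped, not guessed at; and every length field is checked against the packet before it is used.

```python
# Added example (not Cisco code): NetFlow v9 packet builder and a defensive parser.
import struct
from typing import Dict, List, Tuple

FieldSpec = Tuple[int, int]   # (field type, length in bytes)
V9_FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
                  8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr", 95: "application_id"}


def decode_field(ftype: int, raw: bytes):
    if ftype in (8, 12) and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    value = int.from_bytes(raw, "big")
    if ftype == 95:   # applicationId: engine ID in the top byte, selector in the low 24 bits
        return {"engine_id": value >> 24, "selector_id": value & 0xFFFFFF}
    return value


def build_v9_packet(source_id: int, template_id: int, fields: List[FieldSpec],
                    records: List[Dict[int, bytes]], seq: int = 1, include_template: bool = True) -> bytes:
    """records: one dict per flow, mapping field type -> big-endian bytes."""
    flowsets = b""
    if include_template:
        body = struct.pack("!HH", template_id, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)
        flowsets += struct.pack("!HH", 0, 4 + len(body)) + body          # FlowSet ID 0 = template FlowSet
    data = b"".join(rec[t].rjust(n, b"\x00")[-n:] for rec in records for t, n in fields)
    pad = (-len(data)) % 4                                                # FlowSets are 4-byte aligned
    flowsets += struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\x00" * pad
    count = len(records) + (1 if include_template else 0)
    return struct.pack("!HHIIII", 9, count, 0, 0, seq, source_id) + flowsets


class V9Collector:
    def __init__(self):
        self.templates: Dict[Tuple[str, int, int], List[FieldSpec]] = {}   # (exporter, source id, template id)
        self.dropped_flowsets = 0

    def parse(self, exporter: str, pkt: bytes) -> List[dict]:
        if len(pkt) < 20:
            raise ValueError("truncated v9 header")
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError("not NetFlow v9")
        flows, off = [], 20
        while off + 4 <= len(pkt):
            set_id, set_len = struct.unpack("!HH", pkt[off:off + 4])
            if set_len < 4 or off + set_len > len(pkt):
                raise ValueError("FlowSet length outside packet")       # never trust the length field
            body = pkt[off + 4:off + set_len]
            if set_id == 0:
                self._learn_templates(exporter, source_id, body)
            elif set_id >= 256:
                fields = self.templates.get((exporter, source_id, set_id))
                if fields is None:
                    self.dropped_flowsets += 1      # data before its template, or a spoofed source
                else:
                    flows.extend(self._decode_records(fields, body))
            # set_id 1 (options template) and 2..255 (reserved) are ignored here
            off += set_len
        return flows

    def _learn_templates(self, exporter: str, source_id: int, body: bytes) -> None:
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            if tid < 256 or pos + 4 + 4 * nfields > len(body):
                break                                # padding or malformed template record
            fields = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(nfields)]
            self.templates[(exporter, source_id, tid)] = fields
            pos += 4 + 4 * nfields

    @staticmethod
    def _decode_records(fields: List[FieldSpec], body: bytes):
        rec_len = sum(n for _, n in fields)
        pos = 0
        while rec_len and pos + rec_len <= len(body):   # trailing padding is shorter than one record
            rec, cur = {}, pos
            for t, n in fields:
                rec[V9_FIELD_NAMES.get(t, f"field_{t}")] = decode_field(t, body[cur:cur + n])
                cur += n
            yield rec
            pos += rec_len


def be(value: int, size: int) -> bytes:
    return value.to_bytes(size, "big")


def rec(src, dst, sport, dport, nbytes, npkts, app_id) -> Dict[int, bytes]:
    return {8: bytes(src), 12: bytes(dst), 7: be(sport, 2), 11: be(dport, 2), 4: be(6, 1),
            1: be(nbytes, 4), 2: be(npkts, 4), 95: be(app_id, 4)}


# Constructed sample: both directions of the WebEx flow shown on the ART slide (counters invented).
SAMPLE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (95, 4)]
SAMPLE_RECORDS = [rec((192, 168, 100, 100), (66, 114, 168, 178), 51234, 443, 18250, 27, 0x0D00019E),
                  rec((66, 114, 168, 178), (192, 168, 100, 100), 443, 51234, 96410, 81, 0x0D00019E)]


def demo() -> List[dict]:
    collector = V9Collector()
    pkt = build_v9_packet(source_id=7, template_id=256, fields=SAMPLE_FIELDS, records=SAMPLE_RECORDS)
    return collector.parse("192.0.2.1", pkt)
```

demo() returns two flows with the application ID decoded to engine 13, selector 414. Sending the data FlowSet before the template, or from a different exporter address or source ID, yields no flows and bumps dropped_flowsets, which is the behaviour you want when someone on the path can forge UDP.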
NetFlow vs. NBAR
NetFlow monitors data in Layers 2 through 4 (link layer header, IP header, TCP/UDP header): interface, source and destination IP address, source and destination port, protocol, ToS. It determines applications by port or port/IP address combination, flow information answers who, what, when and where, and it keeps packet and byte counts.
NBAR examines data from Layers 3 through 7: it utilizes Layers 3 and 4 plus deep packet (payload) inspection for classification, including stateful inspection of dynamic-port traffic.
Basic FNF Configuration (For Your Reference)
Configure the exporter:
flow exporter my-exporter
 destination 1.1.1.1
Configure the flow record:
flow record my-record
 match ipv4 destination address
 match ipv4 source address
 collect counter bytes
Configure the flow monitor:
flow monitor my-monitor
 exporter my-exporter
 record my-record
Configure the interface:
int s3/0
 ip flow monitor my-monitor input
FNF with NBAR2 Application Name (For Your Reference)
flow exporter EXPORTER
 destination 10.151.1.131
 source loopback0
 transport udp 9991
 option interface-table timeout 3600
 option sampler-table timeout 3600
 option application-table timeout 3600
(The application-table option periodically exports the application ID to application name mapping; without it the collector only sees numeric NBAR2 application IDs.)
Record for ingress traffic:
flow record RECORD-FNF-NBAR-INGRESS
 match interface input
 match flow direction
 match application name account-on-resolution
 collect interface output
 collect counter bytes long
 collect counter packets
 (..)
Record for egress traffic:
flow record RECORD-FNF-NBAR-EGRESS
 match interface output
 match flow direction
 match application name account-on-resolution
 collect interface input
 collect counter bytes long
 collect counter packets
 (..)
flow monitor MONITOR-FNF-NBAR-INGRESS
 record RECORD-FNF-NBAR-INGRESS
 exporter EXPORTER
flow monitor MONITOR-FNF-NBAR-EGRESS
 record RECORD-FNF-NBAR-EGRESS
 exporter EXPORTER
interface GigabitEthernet0/0/1
 ip flow monitor MONITOR-FNF-NBAR-INGRESS input
 ip flow monitor MONITOR-FNF-NBAR-EGRESS output
The usage record is aggregated by application, flow direction and interface.
Increased Latency
WAN Problem
Application Problem
Server Problem
User Problem
Your network is so slow I cannot get any work done
today I do not see
anything wrong
End Users
Network Admin
What the users see What network admins see What can happen
ping? show ip route?
traceroute? show interface?
Application Response Time (ART)
Key features: 27 Application Response Time (ART) metrics; interacts with NBAR or NBAR2 for the application ID; standard NFv9 and IPFIX export; on the ISR G2, provided by the Performance Agent (PA); on the ASR1K, ART is part of the unified monitoring policy.
Benefits: visibility into application usage and performance; quantify user experience; troubleshoot application performance; track service levels for application delivery.
Typical questions it answers: "My query is taking a long time!", "My email is slow!", "How do I ensure my SLA is met?"
Deployment: PA on the branch ISRs and on the HQ ASRs across WAN1 (IP-VPN) and WAN2 (IPVPN, DMVPN), exporting to the reporting tool.
• Application response time provides insight into application behavior (network vs. server bottleneck) to accelerate problem isolation
• Separates the application delivery path into multiple segments: Client Network Delay (CND) between the clients and the IOS ART measurement point, Server Network Delay (SND) between the measurement point and the application servers, and Application Delay (AD) inside the servers
• Server Network Delay (SND) approximates the WAN delay
• Latency per application
Total delay of a request/response = Network Delay (ND = CND + SND) + Application Delay (AD)
ART Metric Definitions (For Your Reference)
The IOS PA sits between client and server and timestamps every segment. From the TCP handshake it derives SND (time from the client's SYN to the server's SYN-ACK, as seen at the PA) and CND (time from the SYN-ACK to the client's ACK). Request and response data segments, including retransmissions, are then timed per transaction.
• Response Time (RT) = t(first response pkt) – t(last request pkt)
• Transaction Time (TT) = t(last response pkt) – t(first request pkt)
• Network Delay (ND) = CND + SND
• Application Delay (AD) = RT – SND
RT and TT quantify user experience; AD isolates a server performance issue; retransmissions are counted separately.
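The four definitions above, applied to a packet trace. This is an added example, not Cisco code: the trace is constructed to mirror the slide's sequence diagram (handshake, a two-segment request, a response with one retransmitted segment, a second request/response), timestamps are integer milliseconds, SND and CND are taken from the handshake as described above, and the 500 ms "late response" threshold is an assumption. A new transaction starts when client data arrives after a response has begun; server data seen before any request (a capture that starts mid-flow) is ignored, and metrics() refuses to produce ND when the handshake was not observed rather than reporting a bogus zero.

```python
# Added example (not Cisco code): ART metrics from segments seen at a midpoint.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Seg:
    t_ms: int
    from_client: bool
    syn: bool = False
    ack: bool = False
    payload: int = 0      # bytes of data; 0 for pure control segments
    seq: int = 0          # TCP sequence number of the first data byte


class ArtObserver:
    def __init__(self, late_threshold_ms: int = 500):   # threshold is an assumption
        self.syn_t: Optional[int] = None
        self.synack_t: Optional[int] = None
        self.ack_t: Optional[int] = None
        self.transactions: List[dict] = []
        self._cur: Optional[dict] = None
        self._seen = set()
        self.retransmissions = 0
        self.late_threshold_ms = late_threshold_ms

    def observe(self, s: Seg) -> None:
        if s.payload == 0:
            if s.syn and not s.ack and s.from_client:
                self.syn_t = s.t_ms
            elif s.syn and s.ack and not s.from_client:
                self.synack_t = s.t_ms
            elif s.ack and s.from_client and self.synack_t is not None and self.ack_t is None:
                self.ack_t = s.t_ms              # third handshake segment completes CND
            return
        key = (s.from_client, s.seq)
        if key in self._seen:
            self.retransmissions += 1            # same data offset seen again
        self._seen.add(key)
        if s.from_client:
            if self._cur is None or self._cur["resp_first"] is not None:
                self._close()                    # client data after a response = new transaction
                self._cur = {"req_first": s.t_ms, "req_last": s.t_ms, "resp_first": None, "resp_last": None}
            else:
                self._cur["req_last"] = s.t_ms
        elif self._cur is not None:              # server data before any request is ignored
            if self._cur["resp_first"] is None:
                self._cur["resp_first"] = s.t_ms
            self._cur["resp_last"] = s.t_ms

    def _close(self) -> None:
        if self._cur and self._cur["resp_first"] is not None:
            self.transactions.append(self._cur)
        self._cur = None

    def metrics(self) -> dict:
        self._close()
        if None in (self.syn_t, self.synack_t, self.ack_t):
            raise ValueError("handshake not observed; SND/CND unavailable")
        snd = self.synack_t - self.syn_t
        cnd = self.ack_t - self.synack_t
        per_tx = []
        for tx in self.transactions:
            rt = tx["resp_first"] - tx["req_last"]       # RT = first response - last request
            tt = tx["resp_last"] - tx["req_first"]       # TT = last response - first request
            per_tx.append({"RT": rt, "TT": tt, "AD": rt - snd, "late": rt > self.late_threshold_ms})
        return {"SND": snd, "CND": cnd, "ND": snd + cnd, "transactions": per_tx,
                "retransmissions": self.retransmissions,
                "late_responses": sum(1 for x in per_tx if x["late"])}


# Constructed trace modelled on the slide's diagram; not captured traffic.
SAMPLE_TRACE = [
    Seg(0, True, syn=True),
    Seg(40, False, syn=True, ack=True),
    Seg(45, True, ack=True),
    Seg(50, True, ack=True, payload=1200, seq=1),        # request 1
    Seg(52, True, ack=True, payload=300, seq=1201),      # request 1 (cont)
    Seg(200, False, ack=True, payload=1400, seq=1),      # response data 1
    Seg(210, False, ack=True, payload=1400, seq=1401),   # response data 2
    Seg(215, False, ack=True, payload=1400, seq=1),      # data 1 retransmitted
    Seg(220, True, ack=True),                            # client ACK
    Seg(300, True, ack=True, payload=400, seq=1501),     # request 2
    Seg(400, False, ack=True, payload=1400, seq=2801),   # response
    Seg(405, False, ack=True, payload=600, seq=4201),
]


def art_for_trace(trace=SAMPLE_TRACE, late_threshold_ms: int = 500) -> dict:
    obs = ArtObserver(late_threshold_ms)
    for seg in trace:
        obs.observe(seg)
    return obs.metrics()


if __name__ == "__main__":
    print(art_for_trace())
```

For the sample trace this gives SND 40 ms, CND 5 ms, ND 45 ms; transaction 1 has RT 148 ms, TT 165 ms (the retransmitted segment is the last response packet the user waits for) and AD 108 ms; transaction 2 has RT 100 ms, TT 105 ms, AD 60 ms; one retransmission. Lower the late threshold to 120 ms and transaction 1 is counted as a late response.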
Application ID in the Flow Record
• 'collect application name' exports the application ID field to the reporting tool
Client Se0/0/0 (IP=192.168.100.100) opens https://cisco.webex.com (IP=66.114.168.178) through the IOS PA.
Without NBAR:
Src IP           Dst IP          Dst Port  App ID      Resp Time  ...
192.168.100.100  66.114.168.178  443       0           100
With NBAR:
Src IP           Dst IP          Dst Port  App ID      Resp Time  ...
192.168.100.100  66.114.168.178  443       0x0D00019E  100
The App ID indicates this is the WebEx application.
Flow record:
flow record type mace pa-record
 collect application name
 collect art all
Media Monitoring
Key features: monitor media performance metrics, i.e. jitter and loss; integrate with NBAR2 to identify applications; set thresholds and generate alerts/alarms; standard FNF v9 export.
Benefits: real-time monitoring of voice and video performance across the network; accelerated troubleshooting (identify what, where and when the problem is); proactive troubleshooting; validate SLAs.
Deployment: branch ISRs and HQ ASRs across WAN1 (IP-VPN) and WAN2 (IPVPN, DMVPN), exporting to the reporting tool.
Unified Monitoring
• Consistent provisioning and correlation across multiple clients
• Alert architecture: syslog, SNMP, etc.
• Export architecture: NetFlow v9 and IPFIX
• Scalable database: multi-tier database model
• Aggregation mode: flexible match and collect aggregation
• API-driven provisioning: on-demand provisioning
The MMA agent fronts NBAR2, PA (ART), PerfMon and QoS and exports over FNF (NetFlow v9 / IPFIX) to Cisco Prime Infrastructure and NetFlow partners.
Three Monitoring Configurations (For Your Reference)
Flexible NetFlow (flow byte count, interface, etc.):
flow record FNF-RECORD
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect counter bytes long
 (..)
flow monitor FNF-MONITOR
 (..)
interface Gi0/0/1
 ip flow monitor FNF-MONITOR input
 ip flow monitor FNF-MONITOR output
Perfmon (voice/video RTP metrics, jitter, etc.):
flow record type performance-monitor medianet-record
 match ipv4 source address
 collect transport rtp-jitter
 (..)
flow monitor type performance-monitor medianet-mon
 (..)
policy-map type performance-monitor medianet
 class rtp-traffic
  flow monitor medianet-mon
interface Gi0/0/1
 service-policy type performance-monitor input medianet
 service-policy type performance-monitor output medianet
Performance Agent (application response time, etc.):
flow record type mace mace-record
 collect art all
 (..)
flow monitor type mace ios-pa
 (..)
policy-map mace_global
 class http-traffic
  flow monitor type mace ios-pa
interface Gi0/0/1
 mace enable
Unified Performance Monitor Policy (For Your Reference)
Policy-driven monitoring: what to monitor and what to collect in a single policy.
Define flow records (flow byte count, interface; voice/video RTP metrics, jitter; application response time, etc.):
flow record type performance-monitor rtp-record
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect transport rtp-jitter
 (..)
flow record type performance-monitor art-record
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect art all
 (..)
Define flow monitors:
flow monitor type performance-monitor rtp-mon
 (..)
flow monitor type performance-monitor app-mon
 (..)
Filter what traffic to monitor:
policy-map type performance-monitor avc
 class rtp-traffic
  flow monitor rtp-mon
 class tcp-app
  flow monitor app-mon
 (..)
interface Gi0/0/1
 service-policy type performance-monitor input avc
 service-policy type performance-monitor output avc
Performance Monitor Metrics (For Your Reference)
• All performance metrics are consolidated into one flow record type performance-monitor
Media monitoring: RTP SSRC; RTP jitter (min/max/mean); transport counter (expected/loss); media counter (bytes/packets/rate); media event; collection interval; TCP MSS; TCP round-trip time
Application response time: CND – Client Network Delay (min/max/sum); SND – Server Network Delay (min/max/sum); ND – Network Delay (min/max/sum); AD – Application Delay (min/max/sum); total response time (min/max/sum); total transaction time (min/max/sum); number of new connections; number of late responses; number of responses by response time (7-bucket histogram); number of retransmissions; number of transactions; client/server bytes; client/server packets
Other metrics: L3 counter (bytes/packets); flow event; flow direction; client and server address; source and destination address; transport information; input and output interfaces; L3 information (TTL, DSCP, TOS, etc.); application information (from NBAR2); monitoring class hierarchy
Traffic Statistics
• Application Usage per client IP/subnet/site
• Top clients per application
Application Response Time
• Per-application end-to-end latency
• Application response time & transaction time
• Application processing time
• Top conversation per application
Media Performance
• Per-stream jitter and packet loss
• RTP conversations
URL Visibility
• Most visited web-site
• Per-URL application response time
AVC Monitoring Policy
Class                     Match                                       Collect
Enterprise Voice & Video  match enterprise subnet, match RTP traffic  Media Performance, Traffic Statistics
Enterprise TCP Apps       match datacenter subnet, match TCP          ART, Traffic Statistics
Enterprise Cloud Apps     match SFDC, match Office 365                ART, Traffic Statistics
Web Browsing              match HTTP                                  URL Sample, Traffic Statistics
Rest of traffic           match any                                   Traffic Statistics
AGENDA: Control
Use QoS or PfR (ASR1K, ISR G2) to control application network usage (High / Med / Low) and improve application performance.
Application Bandwidth Control (QoS on the WAN/LAN edge):
• Guarantee bandwidth to protect critical applications from network congestion
• Provide low latency to delay-sensitive applications
• Stop or limit unwanted applications from using WAN resources
Application Path Control (PfR, choosing among e.g. Internet with no SLA, WAN 1 with a high SLA and WAN 2 with a medium SLA):
• Application routing based on real-time performance information
• Intelligent load sharing provides resiliency and fully utilizes all available WAN resources
• Improve performance of voice, video and critical applications
NBAR2 QoS
• Stateful classification for creating policies irrespective of IPv4/IPv6 traffic, simplifying policy management
• Discover applications using NBAR2
• Supports both input and output traffic
What traffic?
class-map match-any peer2peer
 match protocol kazaa2
 match protocol gnutella
 match protocol fasttrack
How to treat the traffic?
policy-map limit-p2p
 class peer2peer
  bandwidth percent 10
Where to apply?
interface Serial1
 service-policy input limit-p2p
Caveat: bandwidth is a queuing action, and IOS only accepts queuing actions in a policy applied in the output direction; to cap a class on ingress use police instead, or attach the bandwidth policy output on the WAN interface.
Category attributes can replace the per-protocol list:
class-map peer2peer
 match protocol attribute category <name>
Performance Routing (PfR): Internet Presence & Enterprise WAN
• The decision maker: Master Controller (MC). Applies policy, verification and reporting; no packet forwarding or inspection required.
• The forwarding path: Border Router (BR). Learns, measures, enforces.
Optimize by: reachability, delay, loss, jitter, MOS, throughput, load and/or $cost.
Topology: HQ with an MC and BRs toward ISP-1/ISP-2 (Internet), WAN1 (IP-VPN) and WAN2 (IPVPN, DMVPN); branches with a combined MC/BR or a BR.
Protecting critical applications while maximizing bandwidth utilization
Cloud Service & Load Balancing Policy (Internet, ISP-1 primary / ISP-2 secondary):
• Protect business cloud applications from network brownout: detect loss > 10%
• Cloud service preferred path: ISP-1
• Maximize all ISP bandwidth by load sharing the other (best-effort) Internet traffic
Multimedia & Critical Data Policy (WAN, SP-A MPLS VPN / SP-B MPLS VPN):
• Protect voice and video quality: latency > 200 ms; jitter > 30 ms (detect high jitter)
• Protect VDI applications from brownouts: loss > 5%
• Voice & video preferred path: SP-A; VDI preferred path: SP-B
• Maximize utilization by load sharing best-effort traffic
PfR Learning: Traffic Classes
• Globally
• Or per group (link-group, similar to class-maps for QoS)
Learning: prefixes, ACL, DSCP-based, applications
Traffic classes: voice - video; critical application; rest of the traffic
PfR Measurement
Passive: PfR NetFlow monitoring of the flows in the BR NetFlow cache; flows need not be symmetrical. Passive performance metrics: delay, loss, reachability, egress bandwidth, ingress bandwidth.
Active: PfR enables the IP SLA feature; probes are sourced from the BR; ICMP probes are learned or configured; TCP, UDP and jitter probes need an ip sla responder. Active metrics: delay, loss, jitter, reachability, MOS.
PfR Policies
• Global policies for all traffic classes, or policies per application group:
Voice/video: link-group, jitter, delay, loss
Critical: link-group, delay, loss
Rest: load-balancing
Link policies: load balancing, max utilization, link grouping, $cost
Application performance policies: reachability, delay, loss, MOS, jitter
PfR Route Control
Destination prefix:
- BGP. Egress: route injection or modifying the BGP local preference attribute. Ingress: BGP AS-PATH prepend or AS community.
- EIGRP route control
- Static route injection
- PIRO (Protocol Independent Route Optimization)
Application (voice, video, critical vs. the rest of the traffic): dynamic PBR with NBAR/CCE
PfR Multisite
• Multisite MC peering framework
• The MC-to-MC peering framework can be used to exchange policies, services and feedback
• Remote site discovery: simplifies configuration (prefix and target discovery); probing efficiency (sharing of probe data across policies)
AGENDA: Reporting
An advanced reporting tool aggregates and reports application performance, e.g. an application visibility and user experience report listing application, bandwidth and transaction time (WebEx 3 Mb, 150 ms; Citrix 10 Mb, 500 ms; ...).
• Configuration of AVC features (2.0)
• Network monitoring
• Service monitoring
• Reporting and trends
• Multi-NAM manager
• Packet and flow analysis
• Application response time
• Voice and video metrics
• Operates standalone or with Cisco Prime NCS
• Distributed SNMP and Flexible NetFlow collection
Report questions: How is the server performing? Which site is slowest? How is the user experience at a site?
Partner Reporting Tools
Product            Use Cases                                           Status
PAM                Network and app monitoring; control GUI (future)    PAM 2.0: adding PfR, new metrics in XE 3.8S
Gomez & DynaTrace  APM combined with app-aware network monitoring      Adding NBAR2, PA, WAAS
5View              App-aware network monitoring                        Already supports WAAS; adding NBAR2, PA
LiveAction         Control (QoS) GUI, app-aware network monitoring     Already supports medianet; adding NBAR2, PA, PfR
Scrutinizer        App-aware network monitoring                        Already supports PfR, medianet; adding NBAR2, PA
Others: Living Object, Insight, CA
Deployment Scenarios
Managed Service Provider: provide value-added services from the same CPE used for connectivity; application visibility and application performance reports; 3rd-party reporting tool integration.
Internet Edge & SP Edge: discover application usage on the Internet router; traffic shaping to limit recreational, bandwidth-hogging applications, e.g. P2P; GUI for reporting and configuration.
Enterprise WAN: branch and WAN aggregation deployment; application-aware network performance monitoring; application-aware QoS and intelligent path selection; integration with enterprise infrastructure, e.g. switches and wireless.
Software releases: IOS XE 3.4S (Q4CY11), IOS 15.2(4)M2 (Q4CY12), IOS XE 3.8S (Q4CY12), IOS 15.2(4)M2 (Q4CY12)
Internet Edge: Internet Router + App Visibility + QoS (NBAR2, FNF and QoS)
Instrumentation on the Internet router; NFv9/IPFIX to the reporting tool (Cisco Prime Infrastructure 2.0, Cisco Insight 4.0).
Application monitoring: NBAR2 recognizes the application; FNF exports application usage information using NFv9 or IPFIX.
Application control: NBAR2 and QoS control application bandwidth usage and prioritization.
Network management: Cisco Insight or Cisco Prime receives NFv9 or IPFIX; Cisco Prime provides the configuration GUI*.
Managed Service Provider
Application monitoring: NBAR2 provides the application recognition service; FNF and PA provide the tiered monitoring service and export NFv9 or IPFIX records; a CSR in the CSP data center (future).
Control: application-aware QoS in the VPN service, pre-provisioned by the MSP.
Network management: multi-tenant 3rd-party tool with customer portal access, e.g. Living Object, Insight, InfoVista, CA. The customer portal shows top N applications and application transaction time; reports cover application usage, top talkers, URL hit count and network performance.
Enterprise WAN
Branches (ISR G2, ISR XE) and the data center (ASR1K) connected over the WAN and the Internet, exporting NFv9/IPFIX to Prime Infrastructure.
Application monitoring: NBAR2 for visibility with field extraction; performance metrics and export using NFv9/IPFIX.
Control & optimization: application-aware QoS; intelligent path selection with PfR; optimization with WAAS.
Network management: Cisco Prime Infrastructure 2.x; Identity Services Engine 1.1 (optional).
Licensing
Platform  Today                                         Future
800*      AdvIPServices - $150                          No change
1900      Data License - $600                           No change
2900      Data License - $700                           No change
3900*     Data License - $1000                          No change
ASR1K     AIS/AES - $10000 + FLASR1-AVC-RTU - $10000    Starting XE 3.8S: proposed tier pricing based on session count
• Insight license (FLASR1-NSIGHT-RTU): $6000 per install
• *880 (non-3G) and 3900E will support AVC starting 15.2(4)M
Thank you.