The WAN as seen by the enterprise

Presentation on "The WAN as seen by the enterprise": transcript of the slides, with the speaker notes that accompanied them.

1 The WAN as seen by the enterprise
Gilles Clugnac

2 What does an enterprise ask of a communication infrastructure provider?
Squaring the circle? "I want to reach my information system wherever and whenever I want, with the terminal best suited to the situation!" → flexibility, agility. "My work has moved from production to transactions and now to interactions" → value added towards the customer. "More services for less money" → control of costs, risks and complexity. Layer diagram: business processes (manufacturing, HR, sales, finance); applications and services (ERP, e-sales, supply chain); technology infrastructure (core, storage, security, wireless, IP telephony).
Speaker notes: we do not go into detail here; this is a simplified, schematic view. #1 is the user's point of view more than the customer's: the suitable terminal depends on where you are (home, car, office, ...). #2: the way we work is changing. A transaction is a task with a beginning and an end, and it is increasingly automated; our work is moving towards interaction, which lasts over time, draws on multiple sources of information and requires collaborative work. Retail example: the checkout cashier will probably disappear eventually through automation, while other staff handle the interaction ("hello, what do you need this week, would you like some advice?", putting the customer in touch with an expert, checking the stock): the added value is built around the transaction, hence the importance of the "communication and collaboration" axis developed by Cisco. #3: more, and cheaper, while controlling the associated risks (e.g. security, system availability). IIN aims to link the infrastructure and the applications, so that applications draw on the infrastructure to improve business processes. Audiences: #1 individual workers, #2 everyone, #3 CEO and CFO.

3 Network convergence
Speaker notes: We are now right in the middle of this convergence revolution. These four separate networks are converging over time onto the IP data network. Voice is becoming packets on the IP network with VoIP technology, one of Cisco's highest technology priorities. IP video is bringing video onto our PCs and IP networks as we speak, with video on demand, company event broadcasts, videoconferencing and security camera video being used by thousands of companies today. And new technologies like iSCSI, which Cisco helped pioneer, allow IP networks to also connect computer systems to storage systems located anywhere in the world. By eliminating the need for separate networks, organizations not only save tremendous costs and simplify their IT infrastructures; a new world of applications is emerging that allows the integration of data, voice and video.

4 Paradigm shift. Example: integrated video surveillance
Major segments of physical security: intrusion detection, ID credential management, CCTV and digital video surveillance, data and network security, access control, visitor management, fire alarm. An example of this convergence between "building systems" and "information": Bullring Birmingham is the largest retail-led city centre regeneration scheme in Europe. Serving a population of 4.3 million with a potential spending power of £4.1 billion per annum, Bullring provides 110,000 m2 of prime retail space comprising over 150 shops, two department stores (one of which is the largest Selfridges store outside London) and 18 cafes and restaurants.

5 The Internet of computers, and the next wave: the Internet of things
Today's Internet of computers connects PCs, PDAs/handhelds, IP telephones and barcode scanners. Objects connected through tags: products, cartons, shipping containers, pallets, tires, pharmaceuticals, people, medical assets, pets, rations, livestock, currency, weapons. Information connected through sensors: temperature, location, video cameras, speed, intrusion, elevation, direction, shock/movement, pressure, light, chemicals. Attributes: increased access/reach, increased context, more network "touch points".
Speaker notes: RFID and sensor networks will transform the Internet. Today the Internet consists mostly of computing devices (PCs, PDAs, etc.) connected to the network. RFID and sensor networks allow anything to be connected to the Internet and the continuous capture of any type of information (temperature, weight, etc.), creating the next generation of the Internet, an "Internet of Things", and changing not only business processes and the way we work, but also the way we live, play and learn. We will be ready to support it when it happens, and we will accelerate adoption because the benefits are huge. "Information" and "things" are not independent: information can be attached to things.

6 The network will connect billions of objects!!
Chart (2005 forecast, million units; source: Harbor Research, Inc., Forrester Research, Inc., IBSG). Current networks: 500 computers, 1,500 phones. Extended networks, where the new systems will be connected to the universal IP network: 350 mobile assets, 375 static assets, 500 controllers, 750 smart sensors, 35,000 microprocessors and microcontrollers.
Speaker notes: Today there are an estimated 500 million computers connected to the Internet, but this is only the tip of the iceberg. Mobile and IP phones are going online at an astounding rate and are expected to total 1.5 billion by the end of the year. Mobile assets such as trains, cars, trucks and planes are also fuelling Internet growth, as are static assets (such as large manufacturing systems or hospital equipment), controllers, sensors and other microprocessors and microcontrollers embedded in a host of new devices, and that does not even count the trillions of SKUs used in supply chain and retail environments. What is important is that the Internet now connects billions of objects not previously networked and exposes millions of objects previously hidden within proprietary networks. As IP becomes increasingly pervasive, this number will grow exponentially as devices that do not exist today become connected to the Internet.

7 A complex IT environment
Business drivers: availability and compliance, cost control, information management, application SLAs, business agility. Typical estate (figure): an enterprise data center and an Internet data center hosting a public web site, hundreds of servers with integrated storage, an e-commerce application (4-tier, with application servers), supply-chain management, a traditional voice PBX, in-house developed applications, a 2-tier CRM application, an NCR database server for data warehousing, finance/HR/payroll/EDI on mainframe systems with tape backup, multiple 2-tier ERP instances, engineering services on NAS filers, appliances, IP services (DNS, RADIUS, LDAP), JBOD, and an operations center. Initiatives layered on top: compliance, automation, content delivery, virtualisation, data classification, business continuity, security, consolidation, tiered storage, operational risk management, on-demand/utility infrastructure, information lifecycle management.
Speaker notes: So how does this infrastructure support the key IT challenges and objectives today and going forward? How does it support the continued need to control costs while at the same time being more responsive to growth and change within the business? How does it continue to meet and exceed application service levels while keeping resources flat and also rolling out new applications? How does it meet new regulatory requirements? And how does it allow companies to address the growing challenge of managing the business' information in a way that allows that information to be used and leveraged most effectively, without drowning in the exponential growth of data?
Clearly the current infrastructure model needs to evolve to meet these challenges: from the current infrastructure, through application awareness and optimization, towards a service-oriented architecture, delivering agility, performance, application integration, availability and growth.

8 Modular approach, end-to-end architectures
Network fundamentals: the networked infrastructure layer spans the network areas (campus, data center, extranet, Internet, WAN/MAN, branch, teleworker) and connects servers, storage and client devices. Architecture rules: reference architectures per area; strong interoperability between areas; service continuity; end-to-end SLA guarantees. Cisco solution: validated recommendations per area, oriented towards service deployment, coherent global architectures.
Speaker notes: The network infrastructure layer, which has traditionally provided connectivity to clients, servers, storage devices and distributed sites, is also evolving. As IP becomes the pervasive network protocol, there are a number of other protocols and technologies the network must support. These include NAC for access control, 802.1X for client identity, InfiniBand and 10GE for high-throughput server clusters, and a number of traditional functions such as routing, switching and transport technology which offer virtualization capabilities. Whether the communication is from a web client on a desktop, from a PDA or mobile phone to a server, from a remote host to network-attached storage arrays, or between two storage arrays or server clusters, the network interconnects need to provide a predictable level of service, the right level of performance and I/O capability, and reliable and secure transport. Additionally, the overall network architecture must support consistent network-wide services and policies applied at the specific location where the servers, storage and clients reside.

9 WAN network infrastructure: evolution of end-to-end architectures
Figure (drawn twice, once for an operator-provided VPN and once for a VPN deployed by the enterprise): users, LAN/WAN, compute, SAN, disk/tape. In the adaptable campus, an L3 switch with VRF-Lite carries VRF-Data and VRF-Voice over 802.1Q trunks to a PE (Cisco 7600), with an IGP between the VRFs and BGP between the PEs, plus route reflectors (7301). The MPLS MAN (L1/L2 point-to-point or ring) is built on P routers (12000, 7600) and carries EoMPLS circuits (ORG-A Voice, ORG-A Data) and MPLS-BGP VPNs (RFC 2547bis) towards the next-generation WAN and a consolidated data center. Network virtualization services run across the whole networked infrastructure layer: campus, branch, data center, MAN/WAN, teleworker.

10 Building a coherent infrastructure: the example of IP Communications
Pillars: security, multicast, QoS, high availability, network management/provisioning.
Speaker notes: For example, we can offer today a converged voice, video and data network that accelerates the deployment of new business applications. This requires more than just connecting components: it requires a unified approach to high availability, quality of service, multicast and security.

11 WAN architectures: why a new generation?
Yesterday: the WAN was a transport problem. Critical factors: cost, availability, throughput. Fragmented architectural approach.
Today: the WAN is a problem of generalizing service delivery. Critical factors: cost/availability/throughput, security, service integration. Integrated architectural approach: the WAN is part of the overall network architecture.

12 A need for segmentation
- Guest access: Internet access for customers, visitors, etc.
- Network Access Control: quarantine and/or isolation during remediation.
- Partner access: onsite partners with limited server/application access.
- Group/department separation: closed user groups for divisions or teams sharing common work locations (e.g. financial banking/trading).
- Application/system isolation: isolating critical applications or devices such as IP communications, factory robots, point-of-sale terminals, etc.
- Outsourced services: participating in multiple client networks (e.g. the India ITS model).
- Subsidiaries, mergers and acquisitions: enabling staged network consolidation while companies are being merged.
- The enterprise as a network service provider (possibly a source of revenue): shared service locations (e.g. Munich Airport "virtual" gate access); retail stores providing kiosk/on-location network access (e.g. Best Buy, Albertson's, etc.); Cisco Connected Real Estate (CCRE), e.g. multi-tenant buildings, strip malls, etc.
- A strong dynamic of project creation: closed user groups between multiple companies during joint ventures and collaborations.
Group isolation is the main need: attacks, viruses and worms are confined more easily and do not spread everywhere. That containment only holds as long as the points where segments meet (shared services, inter-VRF routing, firewalls) are themselves controlled.

13 WAN stakes: BUY a VPN service or BUILD your own VPN network?
Options: buy an L3 IP VPN service; buy an L1 or L2 VPN service and build the L3 network yourself. The ratio is moving towards 64% managed VPN / 36% enterprise-built.
Speaker notes: Core/context is key. What CIOs view as context they will be more willing to out-task. Definitions of core and context vary by industry and by company and can be influenced. Cost savings are also key, as is the ability to cover skill or resource gaps. As network requirements become more extended and complex, the benefits of out-tasking increase (non-core, cost savings). Also, as IT departments get squeezed, lack of staff and expertise becomes an increasing issue. Out-tasking vs. outsourcing: most enterprises focus on selective out-tasking rather than full-scale, complete outsourcing of IT. Core/context is what we have been discussing within Cisco for our own IT.

14 Branch stakes: bringing services to the users
Information available in all the company's sites. Performance is needed in the data center just as much as at the user's end. Reliability of the whole information system. Network architecture and services transparent for the user. Remote and teleworking sites have needs well beyond a simple connection!
Speaker notes: Organizations with branch offices or remote sites face three key challenges: optimizing the performance of HQ applications in the branch despite limited WAN bandwidth; increasing branch employee productivity with better communications and faster access to information; and increasing network security while decreasing the legal liabilities caused by inappropriate web surfing and content. In order to stay competitive, businesses require reliable, high-performance access to mission-critical applications and information for employees in branch offices, particularly since the majority of enterprise employees typically reside in branch offices, where bandwidth is scarce, and not in headquarters, where bandwidth is abundant. This creates communication challenges which hinder morale, time to market and competitiveness. Organizations also want to: protect mission-critical data from outside intruders; avoid downtime and the costs associated with web viruses and malicious code; avoid legal liability due to improper Internet use and recover the productivity lost to inappropriate web surfing; reduce network congestion and bandwidth expense through origin server consolidation; and improve application performance.

15 Overall: server concentration + remote users
Headquarters (20% of the users): resource consolidation, with backup, tape drives and libraries, NAS, disk arrays and application servers behind a consolidation engine. Branch (80% of the users): client workstations and a printer, reached over the IP network with access optimization.

16 How many routers? Headquarters (campus/data center), operators, branch. The WAN (IP, MPLS VPN, IPsec) is mostly supplied by a connectivity operator [main driver: cost; services: IP, VPN (+ QoS)], reached through an IP VPN and through the Internet (ISP, broadband, etc.). Enterprise services are supplied by an integrator or a value-added operator [main driver: the service contract; services: encrypted VPN, QoS, security, IP communications, mobility, application optimization]. Service delegation through role-based access control on the routers.

17 How many routers? Same topology as the previous slide (headquarters campus/data center, operators' IP VPN and Internet, branch), with HSRP or GLBP providing first-hop redundancy between the routers at a site. WAN mostly supplied by a connectivity operator [main driver: cost; services: IP, VPN (+ QoS)]; enterprise services supplied by an integrator or a value-added operator [main driver: the service contract; services: encrypted VPN, QoS, security, IP communications, mobility, application optimization]; service delegation through role-based access control.

18 OPERATOR-MANAGED VPN

19 MPLS virtualization: a hierarchy of labels
Figure: VPN A, VPN B and VPN C sites attach to PEs around an MPLS core; MP-iBGP carries the VPN routes, LDP the core labels. Packet format across the core: [core label][VPN label][IP data]; the core label is stripped by the last P router and the egress PE uses the VPN label to pick the VRF.
Speaker notes: Across the MPLS core to the other PE routers, this separation is maintained by adding unique VPN identifiers in multiprotocol BGP (MP-BGP), such as the route distinguisher. VPN routes are exchanged exclusively by MP-BGP across the core, and this BGP information is not redistributed to the core network; it is redistributed only to the other PE routers, where the information is again kept in VPN-specific VRFs. Thus, routing across an MPLS network is separate per VPN. Given the addressing and routing separation across an MPLS core, MPLS offers, in this respect, the same security as comparable Layer 2 VPNs such as ATM or Frame Relay. It is not possible to intrude into other VPNs through the MPLS cloud unless this has been configured specifically. The corollary for the operator is that PEs must never accept labelled packets on CE-facing interfaces: the separation rests on the VPN label being chosen by the PE, not by the customer.
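The label stack described above, decoded in code. This is an added example and not part of the presentation: it builds a two-label stack (core label on top, VPN label at the bottom of stack, IPv4 data beneath) from constructed bytes, parses it the way a PE would, and includes the interface-role check that keeps a customer from injecting labelled packets. The label values 103 and 89 are borrowed from the EoMPLS show output later in the deck; everything else is constructed.

```python
"""MPLS label-stack decoder for the packet format on this slide:
[core label][VPN label][IP data]. Added example, not code from the
presentation; the bytes below are constructed by hand."""
import struct

ENTRY_LEN = 4  # one label-stack entry: 20-bit label, 3-bit EXP/TC, 1-bit S, 8-bit TTL


def encode_label(label: int, exp: int = 0, bos: bool = False, ttl: int = 255) -> bytes:
    """Build one label-stack entry (RFC 3032 layout)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def parse_label_stack(data: bytes):
    """Return ([entries...], payload_offset); stops at the entry with S=1."""
    entries, offset = [], 0
    while True:
        if len(data) - offset < ENTRY_LEN:
            raise ValueError("truncated label stack (no bottom-of-stack bit)")
        (word,) = struct.unpack_from("!I", data, offset)
        entries.append({"label": word >> 12, "exp": (word >> 9) & 0x7,
                        "bos": bool((word >> 8) & 0x1), "ttl": word & 0xFF})
        offset += ENTRY_LEN
        if entries[-1]["bos"]:
            return entries, offset


def describe_vpn_packet(data: bytes) -> dict:
    """Split the stack the way a PE sees it: outer core (transport) label,
    inner VPN label, then the IP header the egress PE will route in the VRF."""
    entries, offset = parse_label_stack(data)
    payload = data[offset:]
    return {
        "core_label": entries[0]["label"],
        "vpn_label": entries[-1]["label"],
        "depth": len(entries),
        "ip_version": (payload[0] >> 4) if payload else None,
    }


def accept_labelled_packet(interface_role: str) -> bool:
    """Security check: labelled packets are only accepted on core-facing
    interfaces. A CE-facing interface that accepted them would let a
    customer choose any VPN label and inject traffic into another VRF."""
    return interface_role in ("core", "pe-to-pe")


# Constructed sample: core label 103, VPN label 89 (the values from the
# EoMPLS show output later in the deck), followed by a minimal IPv4 header.
SAMPLE = (encode_label(103, exp=5) + encode_label(89, exp=5, bos=True)
          + bytes([0x45, 0x00]) + (20).to_bytes(2, "big") + bytes(16))

if __name__ == "__main__":
    print(describe_vpn_packet(SAMPLE))
```

The EXP bits are carried in both entries because the P routers only ever see the top label; that is where the QoS marking for the core must live.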

20 L3 VPN (MPLS-VPN): the same service over all link types
Figure: a central site, regional sites and remote sites (branch, home, travelling users) all reach the same MPLS IP VPN whatever the access: TDM mux and leased lines, Frame Relay, ATM, ADSL/cable, PSTN/ISDN dial-up, or IPsec over the Internet. The MPLS core itself runs over fiber/WDM, POS, Ethernet, ATM, Frame Relay, PPP or tunnels. Shared services are hosted centrally.

21 L3 VPN (MPLS-VPN): end-to-end QoS
End-to-end QoS between the central, regional and remote sites, across the MPLS IP-VPN and L2 VPN domains: application-level QoS (not only selling bandwidth; customer oriented); a per-class model (easier classification); a service level agreement close to the application's response-time need; CE outsourcing; QoS transparency; QoS design per hierarchical domain (hierarchical DiffServ domains, with traffic engineering added in the core); end-to-end SLA measurement.

22 L3 VPN: a typical QoS offer, 5 profiles and 4 CoS
Profiles and relative port price: First 150, Executive 140, Business 135, Classic 120, Standard 100. Classes of service: Real-Time, Data-Interactive, Data-LAN2LAN, Best-Effort. The chart gave, per profile, the share of the port (25%, 50%, 75% or 100%) allotted to each class, from Standard (100% best effort) up to First (all four classes). Trend: towards 5 or 6 classes of service on the PE-CE link.

23 L3 VPN: Carrier Supporting Carrier
The SP only supplies a VRF to the enterprise customer; labels (rather than plain IP) are exchanged between PE and CE; the customer uses the operator's MPLS backbone to build its own MPLS VPN service, with its own sub-VPNs, its own routing and its own Internet access.

24 L3 VPN: Multi-VRF CE (VRF-Lite)
A VRF creates several separate routing and switching tables: separate routing tables, separate forwarding tables (FIB), and interfaces (physical or logical) bound to each VRF. Today a fairly classic solution. It requires several VRFs on the PE (strong dependency on the SP) and several physical or logical links between PE and CE, e.g. 802.1Q subinterfaces; over xDSL, where that is not available, GRE tunnels between CE and PE can be used.

25 L3 VPN: Multi-VRF (VRF-Lite)
Multi-VRF CE extends the VPN function into the CPE and the campus, so that segmentation continues without deploying a full PE. Figure: Multi-VRF CE1, CE2 and CE3 at sites 1, 2 and 3 attach to PE1, PE2 and PE3 of the SP IP VPN, carrying the Resources, Partners, Contractors and Guests/NAC-quarantine segments. Logical Layer 3 separation inside the CE through the Multi-VRF function; logical separation in the campus through VLANs or VRFs on the Catalyst switches; the SP provides several VPNs to the same enterprise.

26 L2 VPNs: the Pseudo Wire reference model
Figure: sites A1/A2 and B1/B2 attach to two PEs; a PSN tunnel between the PEs carries the pseudo wires, and each site sees an emulated service. A Pseudo Wire (PW) is a connection between two PEs that connects two Pseudo Wire End-Services (PWES). Point-to-point service types: Ethernet 802.1Q (VLAN), ATM VC or VP, HDLC, PPP, Frame Relay VC.

27 L2 VPNs: AToM vs VPLS
Any Transport over MPLS (AToM): L2 hub and spoke, point-to-point. A point-to-point service, hub and spoke through several P2P circuits from the central site; interworking support for circuits of different types. Ideal for replacing the traditional WAN (Frame Relay model) and for dedicated P2P links in the MAN.
Virtual Private LAN Service (VPLS): L2 full mesh, point-to-multipoint. A multipoint service with Ethernet access to the SP; the SP backbone emulates a LAN bridge (a flat switched network). Open questions: scalability, and handling of multicast flows.

28 ENTERPRISE-DEPLOYED VPN

29 L2VPN: data center interconnection using EoMPLS
Topology: CE1 (Red-6500, Data Center 1) - PE1 - MPLS network - PE2 - CE2 (Red-6500, Data Center 2). The pseudowire is signalled between the PE loopbacks (Loop0); on the wire each frame carries a tunnel label (103), a VC label (89) and the payload.

PE configuration (the peer address and VC ID arguments of xconnect were omitted on the slide):

    pseudowire-class eompls
     encapsulation mpls
    !
    interface GigabitEthernet1/4.601
     encapsulation dot1Q 601
     xconnect pw-class eompls

Verification on PE2:

    7600-LC-PE2#sh mpls l2transport vc det
    Local interface: Gi1/4.601 up, line protocol up, Eth VLAN 601 up
      Destination address: , VC ID: 601, VC status: up
        Tunnel label: 103, next hop
        Output interface: Gi1/3, imposed label stack {103 89}
      Create time: 1w3d, last status change time: 1d02h
      Signaling protocol: LDP, peer :0 up
        MPLS VC labels: local 49, remote 89
        Group ID: local 0, remote 0
        MTU: local 9000, remote 9000
        Remote interface description:
      Sequencing: receive disabled, send disabled

Jumbo frame support: make sure every interface in the forwarding path has it enabled. The MTU is a signalled parameter of the pseudowire: if local and remote differ (9000 on both sides here), LDP will not bring the VC up.

30 L3 VPN service (MPLS-VPN) provided by the enterprise itself
Figure: each CE attaches over a PE-CE routing protocol to a VRF on its PE; PEs and P routers exchange transport labels with LDP; the PEs exchange VPNv4 routes and VPN labels over iBGP.

31 IPsec VPN in the WAN: enterprise applications and clients
Why use an IPsec VPN? Encryption over traditional WAN links (e.g. Frame Relay, ATM, leased lines). Compliance with new legislation: HIPAA, Sarbanes-Oxley (SOX), the Basel accords (Europe), etc. Migration from a traditional WAN to a low-cost service (e.g. Internet, broadband). Use of an Internet service as a secondary WAN, as backup, or as the link for non-critical, high-bandwidth traffic. Extension of site services to teleworkers.

32 Using an operator IP-VPN: typical architecture
Figure: each site's CE routers peer with the SP IP VPN PEs over eBGP, with HSRP or iBGP between the two CEs of a dual-homed site; an Internet connection, also over eBGP, provides the second path.

33 Tunnels over IP-VPNs: multipoint GRE
mGRE with NHRP (RFC 2332): multipoint tunnels run over the IP VPN and over the Internet, both reached through eBGP. Backup through the IGP's own mechanisms (fast, tunable with the backoff timers); site routing isolated from the SP; multicast flows supported.

34 Tunnels over IP-VPNs: multipoint GRE + IPsec
DMVPN over MPLS-VPN: the same mGRE/NHRP overlay as on the previous slide (tunnels over the IP VPN and over the Internet, reached through eBGP; backup through the IGP, fast and tunable with the backoff timers; site routing isolated from the SP; multicast supported), with the flows encrypted and the PKI managed by the enterprise. Because the provider then only sees the outer ESP/GRE header, per-class QoS in the operator's network depends on the enterprise copying the DSCP to that outer header before encryption.

35 Summary: operator-managed versus enterprise-deployed
OPERATOR-MANAGED VPN: an outsourcing strategy (managed CPE, routing and QoS); no MPLS required on the CE; well suited to a small number of VRFs; some services can be kept in-house, but few. But: increased dependency on the SP; adding a VPN means creating a subinterface at every site concerned; the cost can become prohibitive depending on the number of VRFs and sites.
ENTERPRISE-DEPLOYED VPN: an insourcing strategy. IP segmentation services: increased security (closed user groups), isolation/reduction of worm spread, building an SP-style network for internal customers, easy integration of new entities or partners. Data center consolidation: front-end access virtualization, centralization of network services, VLAN extension over the MAN/WAN.

36 Quality of service

37 Multiservice IP applications
Non-uniform network traffic demands QoS:
    VoIP:        bandwidth in tens of kbps; rare loss;           latency < 150 ms; jitter < 30 ms
    ERP:         bandwidth in tens of kbps; TCP-controlled loss; latency < 300 ms; no jitter sensitivity
    Multimedia:  bandwidth in Mbps;         rare loss;           latency < 300 ms; jitter < 300 ms
    VPN:         latency measured in seconds; jitter in seconds
    Web/URL:     bursty bandwidth; resilient to loss; no latency control; jitter does not matter

38 So, what is Quality of Service?
"A collection of technologies which allows applications/users to request and receive predictable service levels in terms of data throughput capacity (bandwidth), latency variation (jitter) and delay."
Speaker notes (written for a broader definition of an end-to-end solution): There are three key phrases in this definition. 1. "Appropriate combination": a solution is not a solution unless it satisfies the needs of a particular customer, and those needs can differ widely between customers, or even between sites or departments of one company. "End-to-end" will not mean the same thing to all people: end-to-end for a service provider is very different from end-to-end for a branch office or a small business. Customers should seek a vendor with the experience and expertise to understand what the appropriate solution is. 2. "Hardware and software": an end-to-end solution is not achieved simply by stringing boxes together. It involves networking devices plus the software that runs on them, and that software is how the network delivers... 3. "Consistent network services": an end-to-end network means that no group of users ends up as second-class citizens because they lack access to the data or network services they need to be productive. "Network services" are what you want the network to do for you, be it connectivity, manageability, multimedia support, etc. Whatever you want your network to do, it should do it for every user on the network and every manager behind the network.

39 QoS factors
Delay (latency), delay variation (jitter), packet loss.

40 Effects of latency on voice
Chart of one-way delay from 100 to 800 ms: high quality up to the delay target; fax relay and broadcast tolerate somewhat more; then "satellite quality"; beyond that the "CB zone" where both parties talk over each other ("Hello? Hello?"), the "human Ethernet" to avoid. ITU-T G.114 recommendation: ≤ 150 ms one-way delay.

41 Elements that affect latency and jitter
Along the path campus → SRST router → IP WAN → branch office → PSTN: propagation (fixed, about 6.3 µs per km) plus variable network delay; codec (G.729A: 25 ms); jitter buffer (20-50 ms); queuing (variable); serialization (variable). End-to-end delay must be ≤ 150 ms.

42 Delay and latency
Router latency: less than 100 µs for Cisco (64-byte packets; varies with packet size).
Insertion delay (a.k.a. serialization delay) = packet size / link rate. Examples given on the slide: 16 ms on a 256 kbps link, 2 ms on a 2 Mbps link, 0.2 ms on a 10 Mbps link, 0.02 ms on a 100 Mbps link. (The 10 and 100 Mbps figures are for the 250-byte packet the slide names; the 256 kbps and 2 Mbps figures correspond to a 500-byte packet, a 250-byte packet giving 7.8 ms and 1 ms respectively.)
Queuing delay = queue depth × insertion delay. Example: queue length 40 at 256 kbps = 640 ms; queue length 40 at 2 Mbps = 80 ms.
Effect of RTT with a 16 KB window (throughput ≈ window / RTT): 500 µs → about 270 Mbps; 12 ms → about 10 Mbps; 120 ms → about 1 Mbps.
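The arithmetic on this slide, as an added example (not from the presentation), with the LFI fragment-size rule of thumb that follows from it: fragment so that no single fragment serializes for more than about 10 ms. The functions and the 150 ms budget check are mine; the input values are the ones on the slides.

```python
"""Delay arithmetic from this slide: serialization (insertion) delay,
queueing delay, window-limited TCP throughput, and the LFI fragment size
needed to keep serialization under a target. Added example, not part of
the presentation."""


def serialization_delay_ms(packet_bytes: int, link_bps: float) -> float:
    """Time to clock one packet onto the wire, in milliseconds."""
    return packet_bytes * 8 / link_bps * 1000


def queuing_delay_ms(queue_depth: int, packet_bytes: int, link_bps: float) -> float:
    """Worst case for a packet arriving behind a full FIFO: depth x insertion delay."""
    return queue_depth * serialization_delay_ms(packet_bytes, link_bps)


def window_limited_throughput_bps(window_bytes: int, rtt_s: float) -> float:
    """Ceiling for one TCP connection whose window never grows beyond
    window_bytes: at most one window per round trip."""
    return window_bytes * 8 / rtt_s


def lfi_fragment_size_bytes(link_bps: float, target_ms: float = 10.0) -> int:
    """Largest fragment whose serialization stays within target_ms; the value
    to give LFI/FRF.12 on slow links so a voice packet is never stuck behind
    one large data packet for longer than the target."""
    return int(link_bps * target_ms / 1000 / 8)


def voice_budget_ok(codec_ms: float, jitter_buffer_ms: float, queuing_ms: float,
                    serialization_ms: float, propagation_ms: float,
                    limit_ms: float = 150.0):
    """One-way budget check against the G.114 target; returns (ok, total_ms)."""
    total = codec_ms + jitter_buffer_ms + queuing_ms + serialization_ms + propagation_ms
    return total <= limit_ms, total


if __name__ == "__main__":
    for rate in (256_000, 2_000_000, 10_000_000, 100_000_000):
        print(f"{rate/1e6:g} Mbps: 250 B -> {serialization_delay_ms(250, rate):.3f} ms, "
              f"LFI fragment {lfi_fragment_size_bytes(rate)} B")
    print("16 KB window, 120 ms RTT:",
          round(window_limited_throughput_bps(16384, 0.120) / 1e6, 2), "Mbps")
```

With the slide's own numbers (G.729A 25 ms, a 30 ms jitter buffer, 16 ms serialization on a 256 kbps link) a 30 ms propagation path still fits in the 150 ms budget, but a 40-deep queue on that link (640 ms) blows it by itself, which is why voice needs its own priority queue rather than a bigger FIFO.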

43 Packet loss limitations
Figure: a voice stream (samples 1, 2, 3, 4) with one sample missing and the reconstructed voice sample in its place. Cisco DSP codecs can use predictor algorithms to compensate for a single lost packet; two lost packets in a row cause an audible clip in the conversation.

44 QoS requirements for voice
Traffic profile: smooth, benign, drop sensitive, delay sensitive, UDP, priority. One-way requirements: latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 1%; a guaranteed priority bandwidth per call (the kbps figure, which depends on the codec, did not survive the transcript); 150 bps (+ Layer 2 overhead) of guaranteed bandwidth per call for voice-control traffic.

45 QoS requirements for video-conferencing
Traffic profile: bursty, greedy, drop sensitive, delay sensitive, UDP, priority. One-way requirements: latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 1%. Minimum priority bandwidth guarantee: the video stream + 20%, e.g. a 384 kbps stream requires 460 kbps of priority bandwidth.
Speaker notes: I-frames are full-frame samples, whereas P and B frames are differential (delta) frames. Video-conferencing shares the same latency, jitter and loss requirements as voice, but has radically burstier and heavier traffic patterns. A 384 kbps stream can take up to 600 kbps at points; rather than provisioning the stream + 60% (to accommodate the occasional 600 kbps burst), the stream can be provisioned at + 20% with a burst allowance in the LLQ per 384 kbps stream.

46 QoS requirements for data
Different applications have different traffic characteristics, and different versions of the same application can have different traffic characteristics (smooth/bursty, benign/greedy, drop insensitive, delay insensitive, TCP retransmits). Classify data into a relative-priority model with no more than four classes: Gold, mission-critical applications (ERP, transactions); Silver, guaranteed bandwidth (intranet, messaging); Bronze, best effort (…, Internet); less-than-best-effort, scavenger (FTP, backups, Napster/Kazaa).

47 IntServ / DiffServ models
1. Best Effort: the original IP service; no state in the network.
2. IntServ / RSVP: per-application-flow reservation; per-flow state in the network.
3. DiffServ: per-class-of-service bandwidth reservation with an SLA; state per class only.

48 Differentiated Services: sharing resources via classes of service
Architecture: RFC 2474, RFC 2475. DS field (RFC 2474): 6-bit DSCP + 2 bits CU. Classes:
    Platinum: voice (ToIP, video); real-time queue (EF, RFC 3246)
    Gold:     video distribution/streaming, legacy (SNA, ...); guaranteed service (AF, RFC 2597), minimum/maximum controlled, guaranteed bandwidth, low level of drop
    Silver:   e-commerce, e-business (ERP, SCM, ...); premium IP (AF, RFC 2597), guaranteed bandwidth
    Bronze:   mail, web; best effort, minimum bandwidth guaranteed, high level of overbooking
Speaker notes: MPLS-based VPNs enable SPs to offer differentiated IP services. An SP needs to keep billing simple and most will only offer 3 to 8 service classes: it would be difficult to differentiate and successfully sell 64 or 120 different service classes, and even more difficult to tariff and bill them. A Gold service would guarantee latency and delivery for the transport of mission-critical business applications like packet telephony or SNA. The Silver class would guarantee delivery and be used for more general applications that are not as sensitive to delay, like e-commerce. The Bronze class could be used to support small business and other best-effort applications.

49 DiffServ architecture: RFC 2475
Pipeline across the network: classification → shaping → access queueing → policing → core queueing, applied to the VoIP, Business and Best-Effort classes at each stage.

50 Design approach to enabling QoS
Across the path campus → IP WAN → branch office → PSTN:
- Classification: mark the packets with a specific priority denoting a requirement for class of service from the network.
- Trust boundary: define and enforce a trust boundary at the network edge.
- Scheduling: assign packets to one of multiple queues (based on classification) for expedited treatment throughout the network; use congestion avoidance for data.
- Provisioning: accurately calculate the required bandwidth for all applications plus element overhead.

51 QoS tools mapped to design requirements
- Campus access switch: inline power, multiple queues, 802.1Q/p, DSCP, fast link convergence.
- Campus distribution: multiple queues, 802.1Q/p, DSCP.
- WAN aggregator: LLQ, CBWFQ, WRED, LFI/FRF.12, cRTP, FRTS/dTS, DSCP, bandwidth provisioning.
- Branch router (SRST router): LLQ, CBWFQ, WRED, LFI/FRF.12, cRTP, FRTS, 802.1Q/p, DSCP, NBAR.
- Branch switch: inline power, multiple queues, 802.1Q/p.
Path: campus → IP WAN → branch office → PSTN.

52 QoS Toolset
Classification
Policing / Shaping
Scheduling / Queueing
Congestion Avoidance

53 Classification Tools: Ethernet 802.1Q Class of Service
Ethernet frame with 802.1Q/p header: Preamble, SFD, DA, SA, Type, 802.1Q tag (4 bytes: PRI, CFI, VLAN ID), PT, Data, FCS. The three PRI bits are used for CoS (802.1p User Priority).
CoS   Application
0     Best Effort Data
1     Medium Priority Data
2     High Priority Data
3     Call Signaling
4     Video Conferencing
5     Voice Bearer
6     Reserved
7     Reserved
The 802.1p User Priority field is also called Class of Service (CoS). Different types of traffic are assigned different CoS values. CoS 6 and 7 are reserved for network use.

54 Classification Tools: IPv4 IP Precedence and DiffServ Code Points
IPv4 header: Version, Length, ToS byte, Len, ID, Offset, TTL, Proto, FCS, IP SA, IP DA, Data. Layout of the ToS byte (bits 7..0):
Standard IPv4: IP Precedence (bits 7-5), unused (bits 4-0).
DiffServ extensions: DiffServ Code Point (DSCP, bits 7-2), flow control (bits 1-0).
IPv4: the three most significant bits of the ToS byte are called IP Precedence (IPP); the other bits are unused.
DiffServ: the six most significant bits of the ToS byte are called the DiffServ Code Point (DSCP); the remaining two bits are used for flow control.
DSCP is backward compatible with IP Precedence.

55 Classification Tools: QoS Classification Summary
Application                  L3 classification           L2 CoS   L2 MPLS EXP
                             IPP   PHB    DSCP
Best Effort Data             0     BE     0                0        0
Less-than-Best-Effort Data   0     -      2, 4, 6          -        -
Medium Priority Data         1     AF1y   10, 14, 16       1        1
High Priority Data           2     AF2y   18, 20, 22       2        2
Call Signaling               3     AF31   26               3        3
Video Conferencing           4     AF41   34               4        4
Voice Bearer                 5     EF     46               5        5
Reserved                     6     -      48-55            6        6
Reserved                     7     -      56-63            7        7
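
As an added example (not code from the presentation), the following Python decodes a ToS byte into IP Precedence, DSCP and the two remaining bits, and names the PHB for the code point. The assignment follows RFC 2474 (class selectors), RFC 2597 (AF11 = 10, AF12 = 12, AF13 = 14 and so on for classes 2-4) and RFC 3246 (EF = 46); copying the IPP value into the 802.1p CoS is assumed, as the summary table's CoS column shows.

```python
"""Decode the IPv4 ToS byte into IP Precedence and DSCP and name the PHB.

Added example, not from the presentation. Code points follow RFC 2474 (CS),
RFC 2597 (AF) and RFC 3246 (EF).
"""

# DSCP values that are not derivable from the class / drop-precedence bit pattern.
_FIXED_PHB = {0: "BE", 46: "EF"}


def split_tos(tos: int) -> tuple:
    """Return (ip_precedence, dscp, ecn) for one ToS byte (0-255)."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS byte must be 0-255")
    precedence = tos >> 5        # three most significant bits: IP Precedence (IPP)
    dscp = tos >> 2              # six most significant bits: DSCP
    ecn = tos & 0b11             # remaining two bits ("flow control" on the slide, ECN today)
    return precedence, dscp, ecn


def phb_name(dscp: int) -> str:
    """Map a DSCP to BE, EF, CSx, AFxy, or DSCP<n> for a non-standard code point."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    if dscp in _FIXED_PHB:
        return _FIXED_PHB[dscp]
    cls, low = dscp >> 3, dscp & 0b111   # class-selector bits / three low-order bits
    if low == 0:
        return f"CS{cls}"
    # RFC 2597: classes 1-4, drop precedence 1-3 encoded as 010, 100, 110
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"
    return f"DSCP{dscp}"


def ip_precedence_of(dscp: int) -> int:
    """Backward compatibility: an IPP-only device reads the class-selector bits of the DSCP."""
    return dscp >> 3


def af_drop_precedence(dscp: int) -> int:
    """Drop precedence of an AFxy code point (1 = lowest drop probability, 3 = highest), else 0."""
    name = phb_name(dscp)
    return int(name[3]) if name.startswith("AF") else 0


def classify(tos: int) -> dict:
    """Full classification record for one ToS byte."""
    precedence, dscp, ecn = split_tos(tos)
    return {
        "ipp": precedence,
        "dscp": dscp,
        "phb": phb_name(dscp),
        "drop_precedence": af_drop_precedence(dscp),
        "ecn": ecn,
        "cos": precedence,   # assumption: 802.1p CoS is copied from IPP at the trust boundary
    }


if __name__ == "__main__":
    for tos in (0x00, 0xB8, 0x48, 0x68, 0x88, 0xC0, 0x08):
        print(f"ToS 0x{tos:02X}: {classify(tos)}")
```

The non-standard branch matters in practice: a DSCP of 2, 4 or 6 (the less-than-best-effort row) carries IPP 0, so an IPP-only hop treats it exactly like best effort, which is the backward-compatibility property the slide states.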

56 Classification Tools: Network-Based Application Recognition
NBAR looks at the frame (DE/CLP/MPLS EXP, destination MAC/CoS), the IP packet (ToS/DSCP, source IP, destination IP), the TCP/UDP segment (source port, destination port) and the data payload.
PDLMs shipped with IOS include: citrix, http, nntp, ssh, cuseeme, custom, exchange, fasttrack, ftp, gnutella, imap, irc, kerberos, ldap, napster, netshow, notes, novadigm, pcanywhere, pop3, realaudio, rcmd, smtp, snmp, socks, sqlserver, sqlnet, sunrpc, streamwork, syslog, telnet, Secure-telnet, tftp, vdolive, xwindows.
While the majority of data applications can be identified using Layer 3 or Layer 4 criteria (i.e. discrete IP addresses and/or well-known TCP/UDP ports), there are applications that cannot be identified by such criteria alone. This may be due to legacy limitations, but more likely due to deliberate design. For example, peer-to-peer media-sharing applications deliberately negotiate dynamic ports with the objective of penetrating firewalls. When Layer 3 or 4 parameters are insufficient to positively identify an application, Network-Based Application Recognition (NBAR) may be a viable alternative. NBAR identifies application-layer protocols by matching them against a Protocol Description Language Module (PDLM), which is essentially an application signature. NBAR's deep-packet classification engine examines the data payload of stateless protocols against PDLMs. There are over 70 PDLMs embedded in IOS 12.2 code. Furthermore, since PDLMs are modular, they can be added to the system without requiring an IOS upgrade. NBAR is Cisco Express Forwarding (CEF) dependent, and performs deep-packet classification only on the first packet of a flow; the remaining packets belonging to the flow are then CEF switched.

57 Classification Tools: Trust Boundaries
Path: Endpoints (1) - Access (2) - Distribution (3) - Core - WAN Aggregation.
A device is trusted if it correctly classifies packets.
For scalability, classification should be done as close to the edge as possible.
The outermost trusted devices represent the trust boundary.
1 and 2 are optimal; 3 is acceptable (if the access switch cannot perform classification).

58 Classification Tools: Connecting the IP Phone
Catalyst 6000 - IP Phone - desktop PC: the switch port is an 802.1Q trunk with 802.1p Layer 2 CoS.
Auxiliary VLAN = 110 (phone); PC VLAN = 10 (PVID). The PC sits on the native VLAN (PVID), so no configuration changes are needed on the PC.

59 Classification Tools: Extended Trust
A new concept of assigning trust to a device not directly connected to the switch port.
Allows an intermediate "trusted" device to modify the priority assigned by the downstream device.
Trusted device / un-trusted device: the data trust boundary sits at the trusted device.
The feature allows specification (via CDP) of the priority of the downstream (un-trusted) device by the trusted device.

60 Classification Tools: PC CoS Settings Are Not Trusted

61 Policers and Shapers
Line rate without traffic shaping versus shaped rate with traffic shaping.
Traffic shaping limits the transmit rate to a value lower than line rate.
Policers typically drop traffic (no buffering, TCP retransmits); they can be applied bi-directionally.
Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops.

62 Traffic Shaping and Policing Mechanisms
Shaping mechanisms: class-based shaping, Frame Relay traffic shaping (FRTS), generic traffic shaping (GTS).
Policing mechanisms: two-rate policer, class-based policing, committed access rate (CAR).

63 RFC 2697: Single Rate Policer
Two token buckets: tokens arrive at CIR into the committed bucket; tokens that overflow it spill into the excess bucket.
Bc = Burst Committed, Bc = CIR * Tc
Be = Burst Excess
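
Added example (not code from the presentation): a single-rate three-colour policer in the RFC 2697 style, with the committed bucket sized from the slide's Bc = CIR * Tc, next to a token-bucket shaper that delays instead of dropping. The CIR, Tc, Be and the packet trace are constructed values; the policer is colour-blind (it ignores any colour already on the packet).

```python
"""Single-rate three-colour policer (RFC 2697) beside a token-bucket shaper.

Added example, not from the presentation. Sizes are bytes, rates are bits per
second, times are seconds; the traffic trace at the bottom is constructed.
"""


class SingleRatePolicer:
    """RFC 2697 srTCM: committed bucket Bc filled at CIR; overflow spills into the excess bucket Be."""

    def __init__(self, cir_bps, bc_bytes, be_bytes=0):
        self.cir = cir_bps / 8.0                 # token rate in bytes per second
        self.bc, self.be = bc_bytes, be_bytes
        self.tc, self.te = bc_bytes, be_bytes    # both buckets start full
        self.last = None

    def _refill(self, now):
        if self.last is not None:
            self.tc += (now - self.last) * self.cir
            if self.tc > self.bc:                # overflow from Bc into Be
                self.te = min(self.be, self.te + self.tc - self.bc)
                self.tc = self.bc
        self.last = now

    def colour(self, size, now):
        """'green' (conforms), 'yellow' (exceeds) or 'red' (violates); red is normally dropped."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "green"
        if self.te >= size:
            self.te -= size
            return "yellow"
        return "red"


class Shaper:
    """Token-bucket shaper: never drops, it holds a packet until enough tokens have accrued."""

    def __init__(self, rate_bps, bc_bytes):
        self.rate = rate_bps / 8.0
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)
        self.last = 0.0                          # release time of the previous packet

    def release_time(self, size, arrival):
        start = max(arrival, self.last)          # FIFO: cannot leave before the previous packet
        self.tokens = min(self.bc, self.tokens + (start - self.last) * self.rate)
        if self.tokens >= size:
            self.tokens -= size
            self.last = start
            return start
        wait = (size - self.tokens) / self.rate  # time for the deficit to accrue
        self.tokens = 0.0
        self.last = start + wait
        return self.last


def run_burst(cir_bps=64_000, tc_seconds=0.125, be_bytes=500):
    """Push the same burst through a policer and a shaper; returns (colours, release_times)."""
    bc = int(cir_bps / 8 * tc_seconds)           # Bc = CIR * Tc, as on the slide (1000 bytes here)
    policer = SingleRatePolicer(cir_bps, bc, be_bytes)
    shaper = Shaper(cir_bps, bc)
    # Constructed trace: five 500-byte packets at t=0, then one more 100 ms later.
    trace = [(500, 0.0)] * 5 + [(500, 0.1)]
    colours = [policer.colour(size, t) for size, t in trace]
    releases = [shaper.release_time(size, t) for size, t in trace]
    return colours, releases


if __name__ == "__main__":
    colours, releases = run_burst()
    print("policer:", colours)    # two green, one yellow, two red, then green after the refill
    print("shaper :", releases)   # nothing dropped; excess packets leave every 62.5 ms
```

The same burst produces two red (dropped) packets under the policer and zero drops under the shaper, at the cost of up to 150 ms of added delay; this is the trade-off the slide summarises as "policers drop, shapers delay".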

64 Scheduling Tools: Queuing Algorithms
Queues: 1 Voice, 2 Video, 3 Data.
Congestion can occur at any point in the network where there are speed mismatches.
Low-Latency Queuing (LLQ) is used for the highest-priority traffic (voice/video).
Class-Based Weighted-Fair Queuing (CBWFQ) is used for guaranteeing bandwidth to data applications.

65 Output Interface Queue Structure
Forwarder -> software queuing system (any supported queuing mechanism) -> hardware queue (TxQ, always FIFO) -> output interface.
Each interface has its hardware and software queuing system. The hardware queuing system (transmit queue, or TxQ) always uses FIFO queuing. The software queuing system can be selected and configured depending on the platform and Cisco IOS version.

66 Class-Based Queueing
Classification by DSCP, ToS or ACL feeds the classes:
LLQ, strict priority (15%): expedite class; multiple LLQ classes are possible, each with max-bandwidth shaping.
CB-WFQ: Business 20%, Normal 30%.
FB-WFQ: best effort.
WRED thresholds, per class or overall, ahead of the transmit queue.

67 Scheduling Tools: Congestion Avoidance Algorithms
WRED versus tail drop on a queue holding packets of classes 1, 2 and 3.
Queueing algorithms manage the front of the queue, i.e. which packets get transmitted first.
Congestion avoidance algorithms, like Weighted Random Early Detection (WRED), manage the tail of the queue, i.e. which packets get dropped first when queueing buffers fill.
WRED can operate in a DiffServ-compliant mode which drops packets according to their DSCP markings.
WRED works best with TCP-based applications, like data.

68 Provisioning Tools: Link Fragmentation and Interleaving
Without LFI a voice packet waits behind a whole data frame: serialization can cause excessive delay. With fragmentation and interleaving, serialization delay is minimized.
Serialization delay is the finite amount of time required to put frames on a wire.
For links ≤ 768 kbps, serialization delay is a major factor affecting latency and jitter.
For such slow links, large data packets need to be fragmented and interleaved with smaller, more urgent voice packets.

69 Fragment Size Recommendations: LFI Fragment Information
Serialization delay matrix (frame size versus link speed):
Frame size    56 kbps   64 kbps   128 kbps   256 kbps   512 kbps   768 kbps
64 bytes      9 ms      8 ms      4 ms       2 ms       1 ms       640 usec
128 bytes     18 ms     16 ms     8 ms       4 ms       2 ms       1.2 ms
256 bytes     36 ms     32 ms     16 ms      8 ms       4 ms       2.6 ms
512 bytes     72 ms     64 ms     32 ms      16 ms      8 ms       5 ms
1024 bytes    144 ms    128 ms    64 ms      32 ms      16 ms      10 ms
1500 bytes    214 ms    187 ms    93 ms      46 ms      23 ms      15 ms
Fragmentation size matrix (based on a 10 msec delay):
Link speed    56 kbps   64 kbps   128 kbps   256 kbps   512 kbps   768 kbps     1536 kbps
Frag size     70 bytes  80 bytes  160 bytes  320 bytes  640 bytes  1000 bytes   2000 bytes

70 Provisioning for Voice: VoIP Bandwidth Reference Tables
CODEC    Sampling rate   Voice payload (bytes)   Packets per second   Bandwidth per conversation
G.711    20 msec         160                     50                   80 kbps
G.711    30 msec         240                     33                   74 kbps
G.729A   20 msec         20                      50                   24 kbps
G.729A   30 msec         30                      33                   19 kbps
The bandwidth consumed by VoIP streams is calculated by adding the packet payload and all headers (in bits), then multiplying by the packet rate per second. This does not take into account the effect of tools such as RTP header compression.
A more accurate method for provisioning VoIP is to include the Layer 2 overhead, which includes preambles, headers, flags, CRCs, and ATM cell padding:
CODEC              802.1Q Ethernet (+32 L2 bytes)   MLP (+13 L2 bytes)   Frame Relay (+8 L2 bytes)   ATM (+ variable L2 bytes, cell padding)
G.711 at 50 pps    93 kbps                          86 kbps              84 kbps                     106 kbps
G.711 at 33 pps    83 kbps                          78 kbps              77 kbps                     84 kbps
G.729A at 50 pps   37 kbps                          30 kbps              28 kbps                     43 kbps
G.729A at 33 pps   27 kbps                          22 kbps              21 kbps                     28 kbps
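
Added example (not code from the presentation): the calculators below reproduce both reference tables from the formula the slide gives (payload plus headers in bits, times packets per second), the serialization delay matrix, and the 10 ms fragment-size rule of the previous slide. The 40-byte IP/UDP/RTP header, the 33 pps truncation and the round-up to whole kbps are assumptions chosen because they reproduce the deck's figures exactly; the ATM column is omitted because its cell padding is not a fixed per-packet overhead. For 768 kbps and 1536 kbps the formula gives 960 and 1920 bytes where the deck rounds up to 1000 and 2000.

```python
"""VoIP bandwidth, serialization delay and LFI fragment size calculators.

Added example, not from the presentation; it reproduces the deck's reference
tables. Payload sizes and Layer 2 overheads are the deck's values.
"""

IP_UDP_RTP_HEADER = 40   # bytes: 20 IP + 8 UDP + 12 RTP (no cRTP) - assumption

# Layer 2 overhead per packet, in bytes, from the deck's table.
L2_OVERHEAD = {"802.1Q Ethernet": 32, "MLP": 13, "Frame Relay": 8}

# (codec, sampling interval in ms) -> voice payload bytes, from the deck's table.
CODECS = {
    ("G.711", 20): 160,
    ("G.711", 30): 240,
    ("G.729A", 20): 20,
    ("G.729A", 30): 30,
}


def packets_per_second(sample_ms):
    """50 pps for 20 ms, 33 pps for 30 ms (the deck truncates 33.3 to 33)."""
    return 1000 // sample_ms


def voip_bandwidth_kbps(payload_bytes, sample_ms, l2_bytes=0):
    """Per-conversation bandwidth: (payload + IP/UDP/RTP + L2) bits x pps, rounded up to whole kbps."""
    bits_per_packet = (payload_bytes + IP_UDP_RTP_HEADER + l2_bytes) * 8
    bits_per_second = bits_per_packet * packets_per_second(sample_ms)
    return (bits_per_second + 999) // 1000


def voip_table():
    """Rebuild the deck's Layer 2 table: {(codec, sample_ms): {l2 name: kbps}}."""
    return {
        key: {name: voip_bandwidth_kbps(payload, key[1], l2) for name, l2 in L2_OVERHEAD.items()}
        for key, payload in CODECS.items()
    }


def serialization_delay_ms(frame_bytes, link_kbps):
    """Time to clock one frame onto the wire; kbps is bits per millisecond."""
    return frame_bytes * 8 / link_kbps


def lfi_fragment_bytes(link_kbps, target_ms=10):
    """Largest fragment whose serialization delay stays within target_ms (10 ms on the deck)."""
    return link_kbps * target_ms // 8


def needs_lfi(link_kbps, threshold_kbps=768):
    """The deck's rule of thumb: fragment and interleave on links of 768 kbps or less."""
    return link_kbps <= threshold_kbps


if __name__ == "__main__":
    table = voip_table()
    for (codec, ms), payload in CODECS.items():
        print(codec, ms, "ms:", voip_bandwidth_kbps(payload, ms), "kbps", table[(codec, ms)])
    for kbps in (56, 64, 128, 256, 512, 768):
        print(f"{kbps} kbps: a 1500-byte frame takes {serialization_delay_ms(1500, kbps):.0f} ms,"
              f" fragment size {lfi_fragment_bytes(kbps)} bytes, LFI needed: {needs_lfi(kbps)}")
```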

71 Provisioning for Voice: Call Admission Control (CAC): Why Is It Needed?
Circuit-switched networks: PBX - PSTN over physical trunks; the number of trunks is a physical limit.
Packet-switched networks: Call Manager - router/gateway - IP WAN link; there is no physical limitation on IP links.
IP WAN link provisioned for 2 VoIP calls (equivalent to 2 "virtual" trunks). If a 3rd call is accepted, the voice quality of all calls degrades; with CAC the 3rd call is rejected.
After performing the calculations to provision the network with the required bandwidth to support voice, video and data applications, it is important to ensure that voice or video do not oversubscribe the portion of the bandwidth allocated to them. While most QoS mechanisms are used to protect voice from data, Call Admission Control (CAC) is used to protect voice from voice (and video from video).
CAC limits the number of VoIP calls on each WAN link.

72 WAN Scheduling Design Principles
Classes on the link: Voice, Video, Voice/Video Control, Data, Routing + L2 overhead.
LLQ (Voice) + LLQ (Video) ≤ 33% of link capacity.
LLQ (Voice) + LLQ (Video) + CBWFQ (All Data) ≤ 75% of link capacity.
It is important to keep in mind that the LLQ is in effect a first-in first-out (FIFO) queue. The amount of bandwidth reservable for the LLQ is variable, yet if the LLQ is over-provisioned, the overall effect will be a dampening of QoS functionality. This is because the scheduling algorithm that decides how packets exit the device will be predominantly FIFO (which is essentially "no QoS"). Over-provisioning the LLQ defeats the purpose of enabling QoS at all. For this reason, it is recommended that you not provision more than 33% of the link's capacity as an LLQ.
Note: the 33% limit for all LLQs is a design recommendation. There may be cases where specific business needs cannot be met while holding to this recommendation. In such cases, the enterprise must provision queueing according to its specific requirements and constraints.
To avoid bandwidth starvation of background applications (such as routing protocols, network services and Layer 2 keepalives), it is recommended that you not provision total bandwidth guarantees to exceed 75% of the link's capacity.
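
Added example (not code from the presentation): a checker for the two budget rules above, plus the call-admission arithmetic from the CAC slide. The class percentages are those of the deck's WAN-EDGE policy; the 3072 kbps link rate is an assumption (a dual-T1 multilink), chosen because 17%, 16% and 25% of it give the 522, 491 and 768 kbps figures that the later show policy interface output displays. The SILVER-DATA percentage and the 86 kbps per-call figure (G.711 at 50 pps over MLP, from the bandwidth table) are constructed inputs.

```python
"""Check a WAN scheduling policy against the 33% / 75% design rules and derive CAC limits.

Added example, not from the presentation. The policy mirrors the deck's WAN-EDGE
percentages; the 3072 kbps link rate and the SILVER-DATA class are constructed.
"""

LLQ_LIMIT_PERCENT = 33        # all priority (LLQ) classes together
RESERVED_LIMIT_PERCENT = 75   # all bandwidth guarantees together


def class_bandwidth_kbps(link_kbps, percent):
    """Bandwidth a 'percent' class gets on the link, truncated to whole kbps as IOS displays it."""
    return link_kbps * percent // 100


def check_wan_policy(link_kbps, classes):
    """classes: list of (name, kind, percent); kind is 'priority' (LLQ) or 'bandwidth' (CBWFQ).

    Returns the LLQ and reserved percentages, the kbps per class and any rule violations.
    """
    llq = sum(p for _, kind, p in classes if kind == "priority")
    reserved = sum(p for _, _, p in classes)
    violations = []
    if llq > LLQ_LIMIT_PERCENT:
        violations.append(f"LLQ classes total {llq}% > {LLQ_LIMIT_PERCENT}%: scheduler degenerates to FIFO")
    if reserved > RESERVED_LIMIT_PERCENT:
        violations.append(f"guarantees total {reserved}% > {RESERVED_LIMIT_PERCENT}%: routing and L2 keepalives starve")
    return {
        "llq_percent": llq,
        "reserved_percent": reserved,
        "kbps": {name: class_bandwidth_kbps(link_kbps, p) for name, _, p in classes},
        "violations": violations,
    }


def cac_max_calls(llq_kbps, per_call_kbps):
    """Number of simultaneous calls the voice LLQ carries without degrading all of them."""
    return llq_kbps // per_call_kbps


class CallAdmissionControl:
    """Accept/reject decisions for one WAN link, like the 2-call link on the CAC slide."""

    def __init__(self, max_calls):
        self.max_calls = max_calls
        self.active = 0

    def try_call(self):
        if self.active >= self.max_calls:
            return False            # rejected: protects the calls already in progress
        self.active += 1
        return True

    def end_call(self):
        self.active = max(0, self.active - 1)


# The deck's WAN-EDGE policy; SILVER-DATA is a constructed placeholder class.
WAN_EDGE = [
    ("VOICE", "priority", 17),
    ("VIDEO", "priority", 16),
    ("VOICE-CONTROL", "bandwidth", 2),
    ("GOLD-DATA", "bandwidth", 25),
    ("SILVER-DATA", "bandwidth", 10),
]

if __name__ == "__main__":
    report = check_wan_policy(3072, WAN_EDGE)
    print(report)                                         # 522 / 491 / 768 kbps, no violations
    calls = cac_max_calls(report["kbps"]["VOICE"], 86)   # G.711, 50 pps over MLP = 86 kbps
    print("voice LLQ carries", calls, "G.711 calls")
    cac = CallAdmissionControl(2)
    print([cac.try_call() for _ in range(3)])            # third call rejected
```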

73 Management Tools
QoS is efficiently scaled with a centralized management server.
QoS deployment is best followed by ongoing monitoring to ensure that the targeted service levels are being provided.
QoS policies need periodic tuning to adjust to changing business needs.

74 show policy
WAN-AGG-7200#show policy
  Policy Map WAN-EDGE
    Class VOICE
      Weighted Fair Queueing
        Strict Priority
        Bandwidth 17 (%)
    Class VIDEO
      Bandwidth 16 (%) Burst (Bytes)
    Class VOICE-CONTROL
      Bandwidth 2 (%) Max Threshold 64 (packets)
    Class GOLD-DATA
      Bandwidth 25 (%)
      exponential weight 9
      dscp   min-threshold   max-threshold   mark-probablity
      af     /10
      af     /10
      af     /10
show policy is a static confirmation of a policy map that has been defined. It is a configuration verification command only, so the user does not need to do a "show run" to display the policy; there are no dynamic counters, and the policy may not even be applied to an interface.
This example is the output of a voice, video and data policy on a non-distributed platform. In this example, note that: voice traffic is assigned LLQ; video traffic is assigned LLQ; voice-control traffic is assigned CBWFQ; gold data is assigned CBWFQ; silver data is assigned CBWFQ; best-effort traffic is assigned WFQ.
* Silver-Data and Bronze (BE) data are not shown on the slide due to space limitations (but their output is comparable to Gold-Data).

75 show policy interface
WAN-AGG-7200#show policy interface multilink 1
 Service-policy output: WAN-EDGE
  Class-map: VOICE (match-all)
   packets, bytes
   30 second offered rate bps, drop rate 0 bps
   Match: ip dscp 46
   Weighted Fair Queueing
    Strict Priority
    Output Queue: Conversation 264
    Bandwidth 17 (%)
    Bandwidth 522 (kbps) Burst (Bytes)
    (pkts matched/bytes matched) /
    (total drops/bytes drops) 0/0
  Class-map: VIDEO (match-all)
   64405 packets, bytes
   30 second offered rate bps, drop rate 0 bps
   Match: ip dscp 34
   Bandwidth 16 (%)
   Bandwidth 491 (kbps) Burst (Bytes)
   (pkts matched/bytes matched) 64538/
show policy interface is a valuable, dynamic output not only of the policy map that has been defined but also of the effects of the policy on the interface it is applied to; it is one of the most useful show commands for MQC.
This example is the output of a voice, video and data policy applied to a multilink interface consisting of a dual-T1 connection on a non-distributed platform. In this example, note that: there are no drops for voice traffic; there are no drops for video traffic; there are no drops for voice-control traffic*; Gold data has deep queues and drops**; Silver data has deep queues and drops**; best-effort traffic has deep queues and drops**.
* Not shown on the slide due to space limitations. ** Shown on the following slides.

76 show policy interface (continued): Gold Data
  Class-map: GOLD-DATA (match-any)
   93422 packets, bytes
   30 second offered rate bps, drop rate bps
   Match: ip dscp 18
    24386 packets, bytes
    30 second rate bps
   Match: ip dscp 20
    33676 packets, bytes
    30 second rate bps
   Match: ip dscp 22
    35360 packets, bytes
    30 second rate bps
   Weighted Fair Queueing
    Output Queue: Conversation 266
    Bandwidth 25 (%)
    Bandwidth 768 (kbps)
    (pkts matched/bytes matched) 93816/
    (depth/total drops/no-buffer drops) 29/2327/0   <- deep queues + drops
    exponential weight: 9
    mean queue depth: 28
    dscp   Transmitted   Random drop   Tail drop    Minimum   Maximum   Mark
           pkts/bytes    pkts/bytes    pkts/bytes   thresh    thresh    prob
    af     /             /             /                                /10
    af     /             /             /                                /10
    af     /             /             /                                /10
Same policy, same dual-T1 multilink interface as on the previous slide. In this example, note that: there are no drops for voice, video or voice-control traffic*; Gold data has deep queues and drops. The DSCP table shows that the drop-preference bit is a factor in deciding which application to drop first in the event of queue congestion: AF23 gets (statistically) dropped more often than AF22, which is dropped more often than AF21. Notice also that (under the current network conditions) there are no tail drops of Gold-Data traffic. Silver data and best-effort traffic have deep queues and drops**.
* Not shown on the slide due to space limitations. ** Shown on the following slides.
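
Added example (not code from the presentation) for the WRED behaviour discussed on the congestion-avoidance slide and visible in the output above: a DSCP-aware WRED decision with the IOS-style exponential weighting (weight 9, as in the output) and a per-code-point threshold profile. The thresholds and the 1/10 mark probability assigned to AF21/AF22/AF23 are constructed to show why AF23 is dropped before AF22 and AF21; the random source is passed in by the caller so decisions stay reproducible.

```python
"""DSCP-aware WRED drop decision with Cisco-style exponential weighting.

Added example, not from the presentation. The min/max thresholds and the 1/10
mark probability per AF2y code point are constructed.
"""
import random


class DscpWred:
    """Weighted Random Early Detection keyed on DSCP.

    profiles: {dscp: (min_threshold, max_threshold, mark_prob_denominator)}.
    """

    def __init__(self, profiles, exponential_weight=9):
        self.profiles = profiles
        # IOS: avg = old_avg * (1 - 2^-n) + current_depth * 2^-n, n = exponential weight
        self.weight = 2.0 ** -exponential_weight
        self.avg = 0.0
        self.stats = {d: {"transmit": 0, "random-drop": 0, "tail-drop": 0} for d in profiles}

    def update_average(self, current_depth):
        self.avg = self.avg * (1.0 - self.weight) + current_depth * self.weight
        return self.avg

    def drop_probability(self, dscp):
        """Probability of a random drop at the current average depth for this DSCP."""
        lo, hi, denom = self.profiles[dscp]
        if self.avg < lo:
            return 0.0
        if self.avg >= hi:
            return 1.0
        return (self.avg - lo) / (hi - lo) / denom   # ramps from 0 to 1/denom between the thresholds

    def decide(self, dscp, current_depth, rnd):
        """Decide for one arriving packet; rnd is a uniform number in [0, 1) supplied by the caller."""
        self.update_average(current_depth)
        lo, hi, _ = self.profiles[dscp]
        if self.avg >= hi:
            outcome = "tail-drop"
        elif self.avg >= lo and rnd < self.drop_probability(dscp):
            outcome = "random-drop"
        else:
            outcome = "transmit"
        self.stats[dscp][outcome] += 1
        return outcome


# Constructed profile: AF21 (18) is protected the most, AF23 (22) the least.
AF2_PROFILES = {18: (32, 40, 10), 20: (28, 40, 10), 22: (24, 40, 10)}


def simulate(depth_trace, seed=1):
    """Offer one packet per AF2y code point at every sampled queue depth; return drop counts by DSCP."""
    wred = DscpWred(AF2_PROFILES)
    rng = random.Random(seed)
    for depth in depth_trace:
        for dscp in AF2_PROFILES:
            wred.decide(dscp, depth, rng.random())
    return {dscp: s["random-drop"] + s["tail-drop"] for dscp, s in wred.stats.items()}


if __name__ == "__main__":
    # Constructed trace: the queue fills from empty to 38 packets and stays there.
    trace = list(range(0, 39)) + [38] * 3000
    print(simulate(trace))   # AF23 is expected to collect the most drops, AF21 the fewest
```

Because the average is exponentially weighted with 2^-9, a short burst barely moves it; the slide's "mean queue depth: 28" is this smoothed value, not the instantaneous depth of 29.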

77 A KEY element: network administration
Objectives: make equipment configuration easier (embedded management, large-scale deployment); manage the SLAs; provide visibility (instrumentation: NBAR, NetFlow).
Means: instrumentation (SLA: IOS IP SLA, CBQoS, Corvil; visibility: NBAR, NetFlow, RMON2 and extensions); the integrated tools; software platforms.

78 Security Device Manager (SDM): embedded management
Graphical configuration of the entire ISR range. Wizards and tools for managing and configuring: LAN/WAN/VLAN interfaces; VPN (Easy VPN, DMVPN); firewall, IPS; routing; QoS, NBAR; NAC. Secure connection over SSH. Auto-secure function.
Cisco SDM is an intuitive, web-based device manager for easy and reliable deployment and management of Cisco IOS routers. Smart wizards in SDM have built-in intelligence about Cisco TAC recommended IOS configurations for different use scenarios. SDM can detect complex interactions between LAN/WAN configurations, ACLs, NAT, IPsec policies, firewall rules, etc., and recommend a configuration that is inherently more secure. SDM is designed for users with limited IOS CLI knowledge and limited security expertise; there are also power tools in SDM that help security experts and IOS experts be more productive in their day-to-day operations. SDM is a device manager and thus manages one box at a time. SDM supports Cisco routers from the 830 series to the 7301 and works with IOS versions from 12.2(13)T onwards. One-touch router lock-down: Auto Secure.

79 Large-scale deployment: CNS agents and the CNS Configuration Engine
Cisco Configuration Engine: a network configuration and provisioning solution supporting up to 5000 Cisco CPEs per appliance. Secure communications between the CNS agents embedded in the devices' IOS and the Configuration Engine. Distribution of upgrades or modifications to a fleet of Cisco ISR routers whatever the access technology. Embedded application (web GUI). Flexible technology for generating configuration templates (Velocity templates). XML-SOAP and Java/C++ based programming interfaces.
Cisco Configuration Engine is a secure, highly scalable operational appliance that enables the roll-out of services based on Cisco advanced technology. It works out of the box through an intuitive, feature-rich web GUI or through a programmatic interface using web services. It can be readily deployed in customer networks with minimal changes to their processes, and enables a substantial reduction in OPEX and TCO. The software runs on an IBM x336 Linux appliance. Key applications supported by Cisco Configuration Engine include: Zero Touch Deployment (automates the deployment of all Cisco IOS routers, switches and PIX over an encrypted link using SSL); ISR upgrades (automates the upgrade of Cisco's new ISR routers from the existing install base); service roll-out such as VPN, voice, security and Metro Ethernet through integration with either Cisco or customer applications; configuration updates, distribution and activation of software images, and signature file (SDF) distribution; a user-programmable and extensible Apache open-source Velocity template engine; a programmatic interface to Cisco Configuration Engine using XML/SOAP-based web services.

80 Zero Touch Deployment
The ISR is shipped with a generic bootstrap configuration, either from Cisco manufacturing (Cisco Configuration Express) or from the distributor. Technicians connect the cables and power it up. With the bootstrap configuration the ISR synchronizes to obtain Layer 1 and Layer 2 connectivity and obtains an IP address (from the aggregator). The ISR contacts the Cisco Configuration Engine, identifies itself uniquely and requests its configuration over an SSL-encrypted link. The ISR notifies the Cisco Configuration Engine of the deployment result; customer services can now be provisioned.
(Diagram: ISR - SP/Enterprise core - aggregator - Configuration Engine.)
Zero Touch Deployment lets customers streamline their operations and processes to automate the deployment of Cisco CPEs. The solution works across all Cisco access router/switch platforms, including the next-generation ISR routers, and across all access technologies. ZTD is supported both in plain text and as a fully secure solution transporting data over an encrypted link using SSL. CPEs are shipped with a generic bootstrap configuration common across all devices; the bootstrap configuration does not include any device-specific information such as hostname, IP address, DLCI, VPI/VCI, bandwidth, etc. On power-up, devices use the bootstrap to synchronize Layer 1 and Layer 2 connectivity and learn an IP address dynamically; how the IP address is learned varies with the type of access technology used. The CPE reaches the Cisco Configuration Engine and identifies itself uniquely to request its device-specific configuration. Multiple options are available for the unique ID (IP address, chassis serial number, MAC address, string, etc.); the type of unique ID used depends on the customer's existing processes. The outcome of the device deployment is notified as an event (success or failure) to the Cisco Configuration Engine. The customer can optionally use the event to trigger service configuration to the devices.

81 SLA management: metrics and anomaly-handling process
Enterprises and small/medium businesses: understand network performance and ease deployment; verify service levels; verify outsourced SLAs. Service providers: measure and provide SLAs.
Metrics: availability (Mean Time To Diagnose (MTD), Mean Time To Repair (MTTR), Mean Time Between Failures (MTBF)); performance of the differentiated services (bandwidth, latency, packet loss, latency variation (jitter), MOS).
Anomaly-handling process: commitments on the return to normal; penalties.

82 Performance measurement strategy
Sampling method: observed or synthetic.
Collection method: external probes or embedded agent.
Measurement perspective: user or network.

83 Measurement technologies
SNMP MIBs and Embedded Event Management: measures CPU/memory utilization, availability, QoS. Sampling: passive. Collection: embedded. Scope: device/link. Perspective: user/network.
Cisco IP SLAs: measures latency and jitter between a source router and a specified target. Sampling: active. Collection: embedded. Scope: link/end-to-end. Perspective: user/network.
NetFlow: measures device interface traffic rate by source/destination IP address, port number or AS. Sampling: passive. Collection: embedded. Scope: link/end-to-end. Perspective: network.
NBAR/NAM/CBQoS/Corvil: measures response time of live application traffic to the server device, QoS. Sampling: passive. Collection: external probe/embedded. Scope: link/end-to-end. Perspective: user/network.
Cisco CallManager: measures voice calls, voice quality, Cisco CallManager performance. Sampling: passive. Collection: embedded. Scope: link/end-to-end. Perspective: user/network.
The purpose of this slide is to outline the different measurement technologies available within the Cisco device and what they do. Voice quality: leave a question mark. NBAR/NAM/Corvil cover QoS-related performance and response; how to use them is covered in more detail in the examples.

84 Multi-protocol measurements with Cisco IOS IP SLA
Applications: availability, network performance monitoring, VoIP monitoring, Service Level Agreement (SLA) monitoring, network assessment, Multiprotocol Label Switching (MPLS) monitoring, troubleshooting.
Measurement metrics: latency, packet loss, network jitter, distribution of statistics, connectivity.
Operations: jitter, FTP, DNS, DHCP, DLSW, ICMP, UDP, TCP, HTTP, LDP, H.323, SIP, RTP, Radius, video.
Steps: configure the source; if necessary, configure the responder; schedule the operations; if necessary, set thresholds; measure; poll via SNMP or CLI to retrieve the results.
The source (Cisco IOS Software IP SLAs) generates active traffic with a defined packet size, spacing, CoS and protocol toward the destination (an IP server, or a Cisco IOS Software IP SLAs responder); the results are stored in the MIB.

85 How IP SLA works
Performance management application: configure the source router; if needed, configure the responder; schedule the operations; if needed, set thresholds; measure the network; poll SNMP or CLI for the measurement results.
The source (IP SLAs) measures toward a target, either an IP host or an IP SLAs responder; other operations can be triggered based on thresholds/timeouts.

86 Cisco IOS IP SLAs Operation and Responder
Timestamps: TS1 = packet sent by the source; TS2 = packet received by the target; TS3 = reply sent by the target; TS4 = reply received by the source; TS5 = reply processed by the source.
Target processing time: TProc(Target) = TS3 - TS2. Source processing time: TProc(Source) = TS5 - TS4.
The receive timestamp is taken at interrupt level, as soon as the packet is dequeued from the interface driver; this has absolute priority over everything else.
Round-trip delay (without responder) = TS5 - TS1 - TProc(Source)
Round-trip delay (with responder) = (TS5 - TS1) - TProc(Source) - TProc(Target)
One-way delay (with responder) = TS2 - TS1
Locally, an IP SLAs packet will perceive the same scheduling latency as any packet of its class.

87 Example: UDP Jitter operation
The source sends a train of packets with a constant interval; across the IP core the responder receives the train at intervals impacted by the network.
The responder adds a receive timestamp and calculates the delta (its processing time). The responder replies to the packets; it does not generate its own.
Results: per-direction inter-packet delay (jitter), per-direction packet loss, average round-trip delay.

88 Example: UDP Jitter operation
Send packets: P1 at ST1, P2 at ST2, interval i1. STx = sent timestamp for packet x.
Receive packets (responder): P1 at RT1, P2 at RT2, interval i2. RTx = receive timestamp for packet x.
Reply to packets: P1 at RT1 + d1, P2 at RT2 + d2, interval i2. dx = processing time spent between packet arrival and treatment.
Reflected packets (source): P1 at AT1, P2 at AT2, interval i3. ATx = receive timestamp for packet x.
Each packet contains STx, RTx, ATx and dx. The source can now calculate:
JitterSD = (RT2 - RT1) - (ST2 - ST1) = i2 - i1
JitterDS = (AT2 - AT1) - ((RT2 + d2) - (RT1 + d1)) = i3 - i2
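
Added example (not code from the presentation) covering the timestamp arithmetic of this slide and of the operation/responder slide before it: the round-trip and one-way formulas on a single echo, and the per-direction jitter on a packet train. The timestamps are constructed (milliseconds); a one-way delay only means something if source and responder clocks are synchronized, which is an assumption outside the operation itself.

```python
"""IP SLA round-trip, one-way and UDP jitter arithmetic on a constructed packet train.

Added example, not from the presentation. Timestamps are in milliseconds and
constructed; one-way figures assume synchronized source and responder clocks.
"""
from dataclasses import dataclass


@dataclass
class Probe:
    """Timestamps of one echo: sent (TS1), received by target (TS2), reply sent (TS3),
    reply received at source (TS4), reply processed by source (TS5)."""
    ts1: float
    ts2: float
    ts3: float
    ts4: float
    ts5: float

    def tproc_source(self):
        return self.ts5 - self.ts4

    def tproc_target(self):
        return self.ts3 - self.ts2

    def rtt_without_responder(self):
        """Plain echo target: its processing time cannot be removed."""
        return (self.ts5 - self.ts1) - self.tproc_source()

    def rtt_with_responder(self):
        """The responder reports TS2/TS3, so its processing time is subtracted too."""
        return (self.ts5 - self.ts1) - self.tproc_source() - self.tproc_target()

    def one_way_sd(self):
        return self.ts2 - self.ts1


def jitter_sd(st, rt):
    """Source-to-destination jitter per packet pair: (RTn - RTn-1) - (STn - STn-1)."""
    return [(rt[i] - rt[i - 1]) - (st[i] - st[i - 1]) for i in range(1, len(st))]


def jitter_ds(rt, d, at):
    """Destination-to-source jitter: (ATn - ATn-1) - ((RTn + dn) - (RTn-1 + dn-1))."""
    reply = [r + p for r, p in zip(rt, d)]
    return [(at[i] - at[i - 1]) - (reply[i] - reply[i - 1]) for i in range(1, len(at))]


def udp_jitter_summary(st, rt, d, at):
    """Jitter per direction and average RTT for a train in which every packet completed the round trip."""
    rtt = [a - s - p for s, p, a in zip(st, d, at)]   # responder processing time removed
    return {
        "jitter_sd": jitter_sd(st, rt),
        "jitter_ds": jitter_ds(rt, d, at),
        "avg_rtt": sum(rtt) / len(rtt),
    }


def loss_per_direction(sent, reached_target, returned):
    """(packets lost source->destination, replies lost destination->source) from the three counts."""
    return sent - reached_target, reached_target - returned


if __name__ == "__main__":
    # Constructed train: 4 packets 20 ms apart, forward delays 5/5/7/5 ms,
    # responder processing 1 ms each, return delays 5/5/4/6 ms.
    st = [0, 20, 40, 60]
    rt = [5, 25, 47, 65]
    d = [1, 1, 1, 1]
    at = [11, 31, 52, 72]
    print(udp_jitter_summary(st, rt, d, at))      # jitter_sd [0, 2, -2], jitter_ds [0, -1, 2], avg_rtt 10.5
    print(loss_per_direction(10, 9, 7))           # (1, 2)
    print(Probe(0, 5, 6, 11, 11.5).rtt_with_responder())   # 10.0
```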

89 Class-Based QoS MIB (CBQoSMIB)
The CBQoS MIB exposes the statistics of the differentiated services (per class of service): traffic before the QoS policy is applied and traffic after the QoS policy is applied. It lets you verify that QoS is correctly configured and that it is effective.
Using the CBQoS MIB is indispensable when QoS is deployed to carry IP telephony and/or business-critical applications. Within each class of service the bandwidth can be estimated automatically as a function of an SLA (latency, packet loss).

90 Class Map Stats Table
Counters per class map (Gold, Silver, Bronze): CMPrePolicyPkt and CMPrePolicyByte (before the QoS policy is applied); CMPostPolicyPkt (after the QoS policy is applied); CMDropPkt, CMDropByte, CMNoBufDropPkt. Drop = Pre - Post.

91 NetFlow: how it works
NetFlow cache: each entry consists of 7 flow identifiers plus other data (the flow data). The identifiers and the flow data are created on the first packet of a flow; the flow data are updated by subsequent packets.
Exported data include the 7 identifiers: source IP address, destination IP address, source port, destination port, Layer 3 protocol, ToS byte, input interface ifIndex.

92 Main uses
Service Provider: peering arrangements, network planning, traffic engineering, accounting and billing.
Enterprise: Internet access monitoring (protocol distribution, where traffic is going/coming from), user monitoring, application monitoring, charge-back billing for departments, security monitoring.

93 NetFlow cache: example
Create and update flows in the NetFlow cache. Fields per entry: SrcIf, SrcIPadd, DstIf, DstIPadd, Protocol, TOS, Flgs, Pkts, Src Port, Src Msk, Src AS, Dst Port, Dst Msk, Dst AS, NextHop, Bytes/Pkt, Active, Idle. The slide's sample rows show flows between Fa1/0 and Fa0/0 with protocol 11, TOS 80 and flags 10, packet counts of 11000, 2491, 10000 and 2210, and active/idle timers such as 1745/4, 41.5/1, 1145.5/3 and 24.5/14.
Expiration: inactive timer expired (15 sec is the default); active timer expired (30 min (1800 sec) is the default); NetFlow cache is full (the oldest flows are expired); RST or FIN TCP flag. In the sample, the entry with Active = 1800 has expired (Yes) while the others have not (No).
Aggregation, e.g. the protocol-port aggregation scheme: the flow becomes Protocol 11, Pkts 11000, SrcPort 00A2, DstPort, Bytes/Pkt 1528.
Export version: non-aggregated flows are exported in version 5 or 9; aggregated flows in version 8 or 9. An export packet carries a transport-protocol header, a NetFlow header and the payload (flows): 30 flows per 1500-byte export packet.
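
Added example (not code from the presentation) for the cache mechanics of this slide and the previous one: flows keyed on the 7 NetFlow fields, per-flow counters, the four expiration causes (inactive timer, active timer, cache full, TCP FIN/RST), a protocol-port aggregation over the exported records, and the 30-flows-per-packet export sizing. The packets and timeouts are constructed; the defaults are the slide's 15 s and 1800 s.

```python
"""Minimal NetFlow-style flow cache: 7-key flow identification, counters, expiry and export.

Added example, not from the presentation. The packets below are constructed;
timeouts use the defaults on the slide (15 s inactive, 1800 s active).
"""
from collections import defaultdict
from dataclasses import dataclass

TCP, UDP = 6, 17
TCP_FIN, TCP_RST = 0x01, 0x04


@dataclass
class FlowRecord:
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0


def flow_key(pkt):
    """The 7 NetFlow key fields: src IP, dst IP, src port, dst port, L3 protocol, ToS byte, input ifIndex."""
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"], pkt["tos"], pkt["ifindex"])


class NetFlowCache:
    def __init__(self, inactive_timeout=15, active_timeout=1800, max_flows=4096):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.max_flows = max_flows
        self.flows = {}        # key -> FlowRecord
        self.exported = []     # (key, record, reason), in export order

    def observe(self, pkt, now):
        key = flow_key(pkt)
        rec = self.flows.get(key)
        if rec is None:
            if len(self.flows) >= self.max_flows:      # cache full: expire the oldest flow first
                oldest = min(self.flows, key=lambda k: self.flows[k].first_seen)
                self._expire(oldest, "cache-full")
            rec = self.flows[key] = FlowRecord(first_seen=now, last_seen=now)
        rec.packets += 1
        rec.bytes += pkt["bytes"]
        rec.last_seen = now
        rec.tcp_flags |= pkt.get("flags", 0)
        if pkt["proto"] == TCP and pkt.get("flags", 0) & (TCP_FIN | TCP_RST):
            self._expire(key, "fin-rst")                # TCP session ended: export immediately

    def expire_timers(self, now):
        """Run the inactive and active timers; a real implementation calls this periodically."""
        for key, rec in list(self.flows.items()):
            if now - rec.last_seen >= self.inactive_timeout:
                self._expire(key, "inactive")
            elif now - rec.first_seen >= self.active_timeout:
                self._expire(key, "active")

    def _expire(self, key, reason):
        self.exported.append((key, self.flows.pop(key), reason))


def aggregate_protocol_port(exported):
    """Protocol-port aggregation scheme: sum packets and bytes per (protocol, src port, dst port)."""
    totals = defaultdict(lambda: [0, 0])
    for (_, _, sport, dport, proto, _, _), rec, _ in exported:
        totals[(proto, sport, dport)][0] += rec.packets
        totals[(proto, sport, dport)][1] += rec.bytes
    return {k: tuple(v) for k, v in totals.items()}


def export_packets_needed(flow_count, flows_per_packet=30):
    """Number of 1500-byte export datagrams for flow_count records (30 flows each on the slide)."""
    return -(-flow_count // flows_per_packet)


def run_demo():
    """Constructed trace: one short HTTP session and one DNS exchange; returns the cache."""
    cache = NetFlowCache()
    web = dict(src="10.0.0.5", dst="192.0.2.10", sport=40000, dport=80, proto=TCP, tos=0, ifindex=1)
    dns = dict(src="10.0.0.5", dst="192.0.2.20", sport=5000, dport=53, proto=UDP, tos=0, ifindex=1)
    cache.observe({**web, "bytes": 60, "flags": 0x02}, now=0.0)      # SYN
    cache.observe({**web, "bytes": 1000, "flags": 0x10}, now=0.1)    # ACK + data
    cache.observe({**web, "bytes": 52, "flags": 0x11}, now=0.2)      # FIN/ACK: exported at once
    cache.observe({**dns, "bytes": 80}, now=0.3)
    cache.observe({**dns, "bytes": 80}, now=0.5)
    cache.expire_timers(now=16.0)                                     # DNS flow idle for more than 15 s
    return cache


if __name__ == "__main__":
    c = run_demo()
    for key, rec, reason in c.exported:
        print(reason, key, rec)
    print(aggregate_protocol_port(c.exported), export_packets_needed(len(c.exported)))
```

For security monitoring the export reason matters: a TCP flow that ends on FIN/RST is exported with its complete counters, whereas a long-lived flow is split across several records by the active timer, so per-flow byte counts must be re-joined on the 7-tuple before comparing them with a threshold.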

94 NetFlow infrastructure
Router/switch: cache creation, data export, aggregation.
Cisco collector: collection, filtering, aggregation, storage.
Cisco and partner applications (RMON/NAM): accounting, billing, network planning, data processing, data presentation.

95 Protocol discovery: Network-Based Application Recognition (NBAR)
Analysis of Layer 3 to Layer 7 data; used in classification.
"Stateful inspection" for traffic using dynamic ports.
PDLMs (Packet Description Language Modules) to define the applications.
Configurable recognition criteria to identify TCP- or UDP-based applications.
NBAR PROTOCOL DISCOVERY MIB: bit/s, bytes, packets; voice traffic; application volumes; MQC packet classification; flexible threshold notifications. Focus on performance and on using the MIB for traps.
(Diagram: voice, data, P2P and video traffic toward the Internet.)

96 Integrated analysis probes
"Visibility" built into the network: NAM configuration, aggregation/correlation of traffic data (including NetFlow), NAM analyser GUI over HTTP/S.
SNMP data sources: SPAN, RSPAN (remote SPAN), NetFlow v1/5/6/7/8 (broad), VLAN ACL (specific).
Hardware: Catalyst 6500/7600 and the multiservice access routers 2600/3660/3700/ISR2800/ISR3800. Layer 3-7: RMON I, II, HCRMON, SMON, DSMON, ART, voice analysis. Layer 2: mini-RMON per port, per interface.
Cisco's solution: the Network Analysis Module. With the NAM, Cisco offers a solution that provides network visibility while also addressing many of the network and performance monitoring issues raised. The Network Analysis Module (NAM) for Cisco Catalyst 6500 and 6000 series switches is a network monitoring system that combines a rich set of embedded data collection and analysis capabilities with a web-based management console, all on a single blade in a Catalyst switch. The NAM has dedicated resources for all management functions, eliminating any load it might impose on the host switch: large volumes of performance information about the switch and the traffic traversing it can be gathered without impacting the switch itself. Internally, it is a fully integrated management system that gathers information at the packet level for any port, VLAN or EtherChannel on the switch. It includes an embedded Traffic Analyzer that analyses and stores the data using both standards-based and proprietary specifications, and an embedded web server that presents the configuration menus and the traffic reports generated by the Traffic Analyzer to clients using a supported web browser. These reports provide visibility into voice or data traffic, VLANs, DiffServ configurations, hosts, conversation pairs, application usage and application response times.
With the NAM you can collect packets from the switch itself, giving the flexibility and visibility to see into the smallest details of how the switch and the network are being used and how users experience the services the network offers.

97 NAM: real-time analysis

98 History, reporting, isolation and troubleshooting
100 days of report history.
Detailed information that helps with troubleshooting.
Complements third-party capacity-planning tools.
Packet capture and decode.
Pre- and post-capture filters; save and export.
Capture triggered on predefined events.

99 Objective: control latency/loss
Ultra low (<1-10 ms, <0.001%): algorithmic trading, grid computing.
Very low (< ms, <0.01%): Telepresence, VoIP.
Low (< ms, <0.1%): Citrix, Web 2.0.
Uncontrolled (1 ms - 10 seconds): FTP, HTTP.
Bandwidth Quality Manager: control of latency / loss. Traditional performance-management tools: the uncontrolled tier.

100 Characteristics of today's IP networks
Datacentre consolidation and a growing number of remote sites.
Cost of bandwidth.
Difference between LAN and WAN speeds.
In 100 ms on a 1 Gb/s LAN a lot can happen: up to 12 MB of data generated, ~100,000 packets can be lost!
Diversity of application profiles: sensitivity to latency and to packet loss.
(Diagram: Data Center - WAN - Remote Site.)

101 Micro-congestion can lead to unpredictable application behaviour
Common tools are unable to detect it, troubleshoot it and determine what to do: event granularity is the millisecond, and the analysis must be done in a QoS context.
The probability of application performance problems increases: dynamic network congestion (micro-bursts) impacts the applications.
The solution is not always obvious: more bandwidth (in the right place); QoS techniques (traffic shaping, priority queuing).
(Diagram: Data Center - WAN - Remote Site.)

102 Latency measurement
What is the latency of the market data feed to Trading Client A?
Traditional 1-second PING latency view: 99% latency of 4 ms.
BQM PNQM latency view (BQM 2120 and BQM 1180 appliances at the market data source on Gigabit Ethernet, across the WAN and on the 10 Mb/s link of Trading Client A): 99% latency of 50 ms.

103 Traffic measurement
What is the utilization of the access link to Site A (2 Mb/s, 0.5 Mb/s for the Citrix class; Citrix Metaframe on Fast Ethernet behind a BQM 1180)?
Traditional 5-minute view: 20% link utilization.
BQM 5 ms view: 20,000% link utilization.

104 Bandwidth analysis
What is the expected latency induced on the Site A link (2 Mb/s, 0.5 Mb/s for the Citrix class) by Citrix traffic? BQM expected latency view: up to 330 ms of latency induced.
What is the bandwidth needed by Citrix to achieve no worse than 200 ms for 99.9% of packets? BQM bandwidth requirement view: an upgrade to 2.5 Mb/s for the Citrix class is required.

105 SLM solution: "Turning a Cisco Network into a powerful SLM solution"
Appliance with a central web portal for: the performance measurements from the IP SLA probes; the analysis of the CBQoS (classes of service) and NBAR (protocol discovery) MIBs; NetFlow traffic tracking.
A scalable solution for: tracking network SLAs ... and VoIP infrastructures; preparing or improving the rollout of "critical" applications. Detailed graphs of the measurements.
