QoS for Application-Enabled Networking
0919_04F9_c5
953003-01
© 1999, Cisco Systems, Inc.
1
Agenda
• Evolutions/Trends
• Case Study for QoS in the Campus
• Case Study for QoS in the WAN
• Case Study for NBAR
• Hybrid IP and ATM Networking
• End-to-End QoS and Policy Management
Business Drivers: Evolution
• Early 1980s: Bridges to First Generation Routers
• Mid 1980s: Multiprotocol Router, Dynamic Routing Protocols
• 1990s: Multicast, Switching, Scaling, DHCP
• Mid 1990s–2000: Co-Mingling of Delay Sensitive (Voice), High Bandwidth (Video), Standard Data (Email) and Mission-Critical Data (ERP)
Business Drivers: Service Level Management (SLA)
Traffic Differentiation Metrics:
• Standard Classification: Static Layer 3 Address, Static Layer 4 Port (Router: Phase 1; Switches: Phase 2)
• NBAR Classification (Network Based Application Recognition): Dynamic Layer 4–Layer 7, H323, ERP, Multimedia, URL Address (Router: Phase 2; Switches: Phase 3)
Business Drivers: Service Level Management (SLA)
Traffic Differentiation Metrics: Applications, User, Physical Ports, Others
Applied To:
• Policy Routing: Routing, URL
• Security: Encryption, CBAC
• QoS Mechanisms: Bandwidth, Delay/Jitter
  • Congestion management
  • Congestion avoidance
  • Policing
Not All Traffic Is Equal
                        Voice             FTP                ERP and Mission-Critical
Bandwidth               Low to Moderate   Moderate to High   Low
Random Drop Sensitive   Low               High               Moderate to High
Delay Sensitive         High              Low                Low to Moderate
Jitter Sensitive        High              Low                Moderate
Traffic Is Grouped into SLAs
Microsoft on Multimedia
Agenda
• Evolutions/Trends
• Case Study for QoS in the Campus
• Case Study for QoS in the WAN
• Case Study for NBAR
• Hybrid IP and ATM Networking
• End-to-End QoS and Policy Management
Campus Case Study
Existing Network: PCs, Mission-Critical Servers, Email Servers
New Additions: Voice, Video Surveillance, NetShow, Mission-Critical
Protect Mission-Critical Traffic!
Consolidated Network
• Distribution: Catalyst 8500/6000
• Wiring Closet: Catalyst 5000/6000 (Voice, PCs, Mission-Critical Application, Video Surveillance)
• Server Farm: Catalyst 5000/6000 (Mission-Critical Servers, Web Servers)
Four Different Traffic Types (SLAs): PCs, Voice, Video, Mission-Critical
• How are traffic types identified?
Catalyst 6000 Wiring Closet
• How are applications detected? (Catalyst 5000/6000 wiring closet)
Voice: identified by well known static UDP port number (note: normally RTP voice uses dynamic port numbers)
Video surveillance: identified by physical port
Mission-critical application: static port
PCs: default
• Once traffic types are classified, how are they labeled or marked?
Case Study: Need unique markings for:
Voice
Video
Mission-critical
PCs (default)
Traffic Differentiation Mechanisms
Referred to as Packet Classification or Coloring
Layer 3 (IPv4 header): Version | Len | ToS (1 byte) | Length | ID | Offset | TTL | Proto | FCS | IP-SA | IP-DA | Data
Standard IPv4: the three MSB of the ToS byte are called IP Precedence (DiffServ will use six DS bits plus two for flow control)
Layer 3 mechanisms provide end-to-end classification.
Traffic Differentiation Mechanisms
Layer 2 (ISL): ISL Header (26 bytes) | Encapsulated Frame (1 ... 24.5 KBytes); three bits used for CoS (Class of Service)
Layer 2 (802.1Q/p): PREAM. SFD | DA | SA | TAG (4 bytes) | PT | DATA | FCS (4 bytes); three bits of the tag used for CoS (User Priority)
Layer 2 mechanisms are not assured end-to-end.
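As an added example (not part of the Cisco deck), the following Python decodes the marking fields the two slides above describe: the IPv4 ToS byte, whose three most significant bits are the IP precedence and whose top six bits are the DSCP, and the 802.1Q tag, whose top three bits are the 802.1p user priority. The sample header and frame are constructed here; the field offsets follow the IPv4 and 802.1Q layouts, and the file name and function names are this example's own.

```python
import struct

def decode_tos(tos: int) -> dict:
    """Split an IPv4 ToS byte into IP precedence (3 MSB), DSCP (6 bits) and the two low bits."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is one byte")
    return {"precedence": tos >> 5, "dscp": tos >> 2, "low_bits": tos & 0x03}

def dscp_to_precedence(dscp: int) -> int:
    """The top three bits of a DSCP are the IP precedence (class selector compatibility)."""
    return dscp >> 3

def ipv4_tos(header: bytes) -> dict:
    """Locate the ToS byte (offset 1) in a raw IPv4 header and decode it."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return decode_tos(header[1])

def dot1q_tag(frame: bytes) -> dict:
    """Decode the 4-byte 802.1Q tag at offset 12 (after DA and SA): TPID then TCI."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != 0x8100:
        raise ValueError("frame carries no 802.1Q tag")
    return {"user_priority": tci >> 13, "cfi": (tci >> 12) & 1, "vlan_id": tci & 0x0FFF}

# Constructed sample: IPv4 header with ToS 0xB8 (DSCP 46, precedence 5), UDP, 10.1.1.2 -> 10.1.1.1
SAMPLE_IPV4_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0xB8, 48, 0, 0x4000, 64, 17, 0,
                                 bytes([10, 1, 1, 2]), bytes([10, 1, 1, 1]))
# Constructed sample: Ethernet frame carrying an 802.1Q tag with user priority 5, VLAN 100
SAMPLE_TAGGED_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                       + struct.pack("!HH", 0x8100, (5 << 13) | 100) + b"\x08\x00")

if __name__ == "__main__":
    print(ipv4_tos(SAMPLE_IPV4_HEADER))    # {'precedence': 5, 'dscp': 46, 'low_bits': 0}
    print(dot1q_tag(SAMPLE_TAGGED_FRAME))  # {'user_priority': 5, 'cfi': 0, 'vlan_id': 100}
```

The two decoders make the end-to-end point concrete: the ToS byte travels inside the IP header across every hop, while the 802.1Q tag exists only on the trunk that carries it and must be re-derived (or trusted) at each switch boundary.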
• Once the classifier marks the packets, what QoS mechanisms are required and where are these mechanisms applied?
Mechanisms:
Multiple queues
Multiple drop thresholds
Policing
Scheduling
Multiple Queues and Drop Thresholds—Two Queues with Two Drop Thresholds
Queue (Delay Priority)   Minimum Bandwidth   Low Drop Threshold   High Drop Threshold
Delay Insensitive        80%                 3, 4                 1, 2
Delay Sensitive          20%                 7, 8                 5, 6
(Rows: delay priority; columns: service drop priority.)
Catalyst 6000 Wiring Closet Queuing and Scheduling
• Two queues: queue-1 voice, queue-2 mission-critical and PC
• Multiple drop thresholds: mission-critical control system high drop threshold; PCs low threshold
Note: video may or may not go in queue-1
(Catalyst 5000/6000 wiring closet: Voice, Mission-Critical Application, Video Surveillance, PCs)
Catalyst 6000 Server Farm Policing
• Mission-critical not policed
• Policing could be considered for PC traffic and Web servers to protect the network
• Policing performed by flow or aggregate
(Server farm: Mission-Critical Servers, Web Servers)
Token Bucket for Policing and Shaping
• Start with a bucket full of tokens. Tokens can be removed at a bursty rate. Tokens are replaced at a specified constant rate.
(Figure: average rate, maximum burst, bursts.)
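The bucket just described, as an added Python example that is not from the Cisco deck. It shows the two ways the same bucket is used: a policer tests each arriving packet against the available tokens and reports non-conformance (to drop or re-mark), while a shaper holds the packet until the shortfall has been refilled. The rate and burst values and the packet burst are constructed for the example.

```python
class TokenBucket:
    """Single-rate token bucket: refilled at the average rate, depth equals the maximum burst."""

    def __init__(self, rate_bps: float, burst_bytes: int):
        self.rate = rate_bps / 8.0          # refill in bytes per second
        self.burst = burst_bytes            # bucket depth (maximum burst)
        self.tokens = float(burst_bytes)    # start with a full bucket
        self.last = 0.0                     # time of the last refill

    def refill(self, now: float) -> None:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def conform(self, size: int, now: float) -> bool:
        """Policer view: take tokens if enough are present (conform), else report non-conformance."""
        self.refill(now)
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False

def police(packets, rate_bps, burst_bytes):
    """One conform/non-conform decision per (arrival_time, size); a policer drops or re-marks the False ones."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    return [bucket.conform(size, t) for t, size in packets]

def shape(packets, rate_bps, burst_bytes):
    """Transmit time of each packet when a shaper delays it until tokens are available (FIFO)."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    clock, out = 0.0, []
    for t, size in packets:
        if size > burst_bytes:
            raise ValueError("a packet larger than the bucket depth can never conform")
        clock = max(clock, t)
        bucket.refill(clock)
        if bucket.tokens < size:            # wait exactly long enough for the shortfall
            clock += (size - bucket.tokens) / bucket.rate
            bucket.refill(clock)
        bucket.tokens -= size
        out.append(round(clock, 6))
    return out

# Constructed sample: five 1000-byte packets arrive at once on a 128 kbps bucket with a 4000-byte burst
SAMPLE_BURST = [(0.0, 1000)] * 5

if __name__ == "__main__":
    print(police(SAMPLE_BURST, 128_000, 4000))  # [True, True, True, True, False]
    print(shape(SAMPLE_BURST, 128_000, 4000))   # [0.0, 0.0, 0.0, 0.0, 0.0625]
```

The fifth packet exceeds the burst: the policer marks it non-conforming, whereas the shaper delays it by 1000 bytes / 16000 bytes per second = 62.5 ms, which is the delay cost of shaping that the Frame Relay slides later trade against downstream policing.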
Catalyst 8500 or Catalyst 6000 at Distribution
• Queuing and scheduling: separate queues for voice, video, PCs, mission-critical; each queue assigned a minimum bandwidth; WRR between queues
• Classification and policing: not required at distribution
• Is QoS required in the campus?
• Why not just increase the link bandwidth if congestion is an issue?
Short Answer
Maybe you can but maybe not
• QoS in the campus is primarily about buffer management. Buffer management is required to control delay or drops.
• TCP will eventually retransmit dropped packets
• Do you care about delay or drops?
Long Answer
• To understand why you might care about buffer management requires an understanding of traffic behavior
Debris Becomes Structured in a Creek that Is Flooding
(Figure: random sticks become clumpy sticks at congestion points.)
Traffic Behavior: Patterns Bursty and Periodic
Theoretical Data Pattern: random, unstructured
Observed Data Pattern: period approximately 100 ms, structured, periodic
TCP Traffic Behavior: Transmission of a 13 Segment Window
RTT 100 ms
T1 transmission rate 1.536 Mbps
Typical TCP segment (MSS) 530 bytes
568 512-byte packets/second; 25 packets per 50 ms
(Figure: segments 1 through 6 in flight.)
Traffic Behavior: Window Perfectly Matched with RTT
WAN link holds 12 IP segments worth of data, which is equal to the TCP window.
Next window is transmitted upon the receipt of the segment 1 acknowledgement.
(Figure: segments 1 through 13 on the link, acknowledgement returning.)
Traffic Behavior: Window Not Perfectly Matched
Link buffers less than the TCP window, which causes the transmit buffer to fill.
(Figure: segments 1 through 9 queued, acknowledgement returning.)
Traffic Behavior: Buffers Fill for Various Reasons
• Window delay mismatch
• Rate mismatch (1000M to 10M Ethernet)
• Many to one (multiple interfaces talking to the same interface, all with the same rate)
What Happens When Multiple Packets Are Dropped Within the Same Window?
• Window size is reduced exponentially since it is halved for each failed ACK
• TCP window may be reduced to the minimum
• Transmitter of the sender tends to lock up
• TCP session may be restarted
Random Early Detection (RED) Is a Method for Managing Buffers
Random Early Detection (RED)
• RED reduces long term average queue
• Packet drops are randomized throughout the queue, ensuring fairness
• Drop rate is increased as queue depth is increased
(Figure: transmit buffer queue feeding the transmit interface.)
Random Early Detection Benefits
• Average delay reduced
• Reduced TCP slow start conditions
• Reduced global synchronization
• Reduces negative bias towards light users
Weighted RED
• WRED addresses: in the event packets need to be dropped, what class of packets should be dropped
Packets classified as Blue start dropping at a 50% queue depth; drop rate is increased as queue depth is increased.
Packets classified as Gold are dropped at 90% queue depth.
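An added Python example (not from the Cisco deck) of the RED and WRED behaviour described on the last few slides: an exponentially weighted average of the queue depth, a drop probability that ramps linearly from a minimum threshold to a maximum threshold and becomes tail drop beyond it, and per-class thresholds so that the "blue" class starts dropping at 50% depth while "gold" is untouched until 90%. The queue limit, the class profiles, the mark-probability denominator of 10 and the sample arrivals are constructed for this example.

```python
import random

def ewma_average(avg: float, current: int, exponent: int) -> float:
    """RED's average queue depth: new = (1 - 2**-n) * old + 2**-n * current."""
    w = 2.0 ** -exponent
    return (1 - w) * avg + w * current

def red_drop_probability(avg_depth: float, min_th: float, max_th: float,
                         mark_prob_denominator: int = 10) -> float:
    """0 below min_th, linear ramp up to 1/denominator at max_th, tail drop (1.0) at or beyond max_th."""
    if avg_depth < min_th:
        return 0.0
    if avg_depth >= max_th:
        return 1.0
    return (avg_depth - min_th) / (max_th - min_th) / mark_prob_denominator

# Constructed WRED profiles for a 100-packet queue, following the slide's two classes.
QUEUE_LIMIT = 100
PROFILES = {"blue": (50, QUEUE_LIMIT), "gold": (90, QUEUE_LIMIT)}   # (min_th, max_th)

def wred_drop_probability(cls: str, avg_depth: float) -> float:
    """Per-class RED: the class picks the thresholds, the ramp is the same."""
    min_th, max_th = PROFILES[cls]
    return red_drop_probability(avg_depth, min_th, max_th)

def simulate(arrivals, seed: int = 1) -> dict:
    """Count drops per class for constructed (class, average_depth) arrivals using a seeded RNG."""
    rng = random.Random(seed)
    drops = {c: 0 for c in PROFILES}
    for cls, avg_depth in arrivals:
        if rng.random() < wred_drop_probability(cls, avg_depth):
            drops[cls] += 1
    return drops

# Constructed sample: both classes see the queue averaging 80% full for 1000 packets each.
SAMPLE_ARRIVALS = [("blue", 80)] * 1000 + [("gold", 80)] * 1000

if __name__ == "__main__":
    print(wred_drop_probability("blue", 75), wred_drop_probability("gold", 95))  # 0.05 0.05
    print(simulate(SAMPLE_ARRIVALS))   # gold: 0 drops; blue: a few percent dropped
```

At an average depth of 80 the gold class is never touched while about 6% of blue packets are discarded, which is exactly the "which class should be dropped" decision the slide assigns to WRED; because the drops are spread randomly over time, the TCP flows in the blue class back off at different moments rather than all at once (the global synchronization slide that follows).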
RED for Congestion Avoidance
(Figure: throughput versus offered load up to 100%, uncontrolled congestion versus managed congestion.)
• Maximize goodput
• Accommodate burstiness
• Minimize delay
Global Synchronization
(Figure: queue utilization over time, up to 100%, under tail drop; three traffic flows start at different times, and another traffic flow starts at a later point.)
Congestion Avoidance in Case Study Summary
• LAN and WAN traffic is structured
• Buffers (particularly in the backbone) can reach 100% for short periods of time
• WRED is used to prioritize mission critical over the PC traffic in the backbone and the access layers
• Multiple queues control delay
(Applies to the backbone/distribution and to the access layer: wiring closet and server farm.)
An Example of RED on a WAN Link
Link Management: Increased Link Utilization
• Data from a burst E1 (2.0 Mbps) courtesy of Sean Doran
• RED was turned on Friday at 10:00 a.m. Link utilization goes up to near 100%.
(Figure: utilization graph, Thursday versus Friday.)
Link Management (Cont.)
• Link utilization went from about 1700 kbps to 2000 kbps
Average TCP window size is higher
Multiple packets from the same window are not dropped
Other Benefits of RED Not Shown
• Beyond the higher link utilization, other benefits that are not graphically shown include:
Small users are not negatively biased
Fewer retransmissions because there are fewer restarts
Pulling It All Together
Demonstration
Agenda
• Evolutions/Trends
• Case Study for QoS in the Campus
• Case Study for QoS in the WAN
• Case Study for NBAR
• Hybrid IP and ATM Networking
• End-to-End QoS and Policy Management
Case Study: Voice and Data Over WAN
Topology: Cisco 7500 to Cisco 7200 over a T1 (1.536 Mbps) VPN; Cisco 7200 to Cisco 3600 over 256 kbps PPP; Cisco 7200 to Cisco 2600 over 128 kbps Frame Relay.
Requirements for the T1 VPN link: SLAs; point-to-point high-speed link
Requirements for the 256 kbps PPP link: LFI, CBWFQ, CRTP, RSVP
Requirements for the 128 kbps Frame Relay link: FRTS, WFQ, FRF.12, CRTP
QoS Consideration on PPP Link (Cisco 7200 to Cisco 3600, 256 kbps PPP)
• Congestion management: WFQ/CBWFQ, RTP reserve, RSVP
• Link efficiency: link fragmentation interleave, RTP header compression
How Are Applications Treated (De-Queued) Fairly?
Are Bandwidth Guarantees Required for Voice?
Congestion Management—WFQ (Weighted Fair Queuing)
• Two scheduling options: class-based or flow-based
• Flow based: per flow queuing (each flow is a separate queue) ensures bandwidth is used fairly. Interactive traffic with small packet sizes gets better service. With IP precedence, queues can be weighted. On by default for 2.0M links and below; no configuration required.
• Class based (covered later): SLAs
Weighted Fair Queuing (WFQ)
(Figure: packets are classified into configurable queues from the interface buffer resources, then dequeued by weighted fair scheduling and transmitted. Two 100 byte voice packets are transmitted for every one 200 byte data packet; therefore "fair".)
Flow Classification/Sorting:
• Source and destination address
• Protocol
• Session identifier (port/socket)
Weighted Fair Scheduling:
• Requested QoS (IP precedence, RSVP)
• Frame Relay FECN, BECN, DE
• Flow throughput (weighted-fair)
WFQ Will Treat All Small Packets with the Same Precedence Value the Same
Is Differentiation between Small Packets Required?
RTP Reserve
• RTP Reserve will put all packets that have a specified port range in their own queue
• The RTP Reserve queue is weighted higher than most other queues
Weights: RSVP 4; RTP Reserve 128; IP precedence 4096/(1 + precedence)
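The weights just listed decide the order in which WFQ dequeues packets. The following added Python example (not from the Cisco deck) reproduces the two-voice-packets-per-data-packet behaviour of the WFQ slide and then shows what changes when the voice flow is weighted by IP precedence or placed in the RTP Reserve queue. Each packet receives a finish time equal to the previous finish time of its flow plus weight times length, and the scheduler transmits in ascending finish-time order; the simplification that every packet is already queued while the link is busy (so no virtual-time adjustment is needed) and the alternating voice/data sample are this example's assumptions.

```python
import heapq

def wfq_weight(ip_precedence: int) -> float:
    """Weight from the slide: 4096/(1 + precedence); a lower weight finishes sooner."""
    return 4096 / (1 + ip_precedence)

RTP_RESERVE_WEIGHT = 128   # from the slide
RSVP_WEIGHT = 4            # from the slide

def wfq_dequeue_order(packets):
    """packets: (flow_id, size_bytes, weight) in arrival order, all enqueued while the link is busy.
    finish = previous finish of the flow + weight * size; dequeue ascending, ties by arrival."""
    last_finish, heap = {}, []
    for seq, (flow, size, weight) in enumerate(packets):
        finish = last_finish.get(flow, 0.0) + weight * size
        last_finish[flow] = finish
        heapq.heappush(heap, (finish, seq, flow))
    return [heapq.heappop(heap)[2] for _ in range(len(heap))]

def interleave(voice_weight: float, data_weight: float, n: int = 4):
    """Constructed sample: n 100-byte voice packets alternating with n 200-byte data packets."""
    pkts = []
    for _ in range(n):
        pkts.append(("voice", 100, voice_weight))
        pkts.append(("data", 200, data_weight))
    return wfq_dequeue_order(pkts)

if __name__ == "__main__":
    # Same precedence: byte-fair, so two voice packets go out per data packet.
    print(interleave(wfq_weight(0), wfq_weight(0)))
    # Voice marked precedence 5: its weight is six times smaller, so all voice goes first.
    print(interleave(wfq_weight(5), wfq_weight(0)))
    # Voice in the RTP Reserve queue (weight 128): also ahead of all precedence-0 data.
    print(interleave(RTP_RESERVE_WEIGHT, wfq_weight(0)))
```

With equal weights the order is voice, data, voice, voice, data, voice, data, data: the 200-byte packet accumulates finish time twice as fast as a 100-byte one, which is the "fair" of the WFQ figure. Weighting by precedence or by the RTP Reserve queue moves every queued voice packet ahead of the data, which answers the slide's question about differentiating between small packets but, as the RSVP slides note, still guarantees no bandwidth.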
Are Bandwidth Guarantees Required?
Is Admission Control Required?
RSVP
• For voice it may be required to deny a call (generate a busy signal) rather than admit the call and degrade the quality of calls in progress.
• With DiffServ there are no bandwidth guarantees unless by design (the backbone can always carry all the voice traffic). With RSVP there is.
• With RSVP one call cannot rob another call of quality.
RSVP with IP Precedence
• RSVP is in-band vs out-of-band signaling
• RSVP is ideal as it provides guaranteed service and admission control, but there are considerations.
• RSVP is emerging and is not supported by all applications
• RSVP could pose potential scaling issues if incorrectly used
• RSVP is appropriate for long lived flows. A router can support up to several thousand concurrent RSVP sessions. For tens of thousands RSVP aggregation is required.
Integrated and Differentiated Services
• Integrated Services—RSVP (IntServ): explicit signaling through Path and Resv messages
Quantitative service asks "May I send this much"; the network responds "You may send this" or "You may not"
• Differentiated services is about aggregated traffic classification
Qualitative service says all traffic with this classification has the following behavior
RSVP for Admission Control and Guaranteed Delivery
(Figure: PATH and RESV messages exchanged hop by hop between the endpoints, with a policy server consulted.)
"May this application access the network?"
Responses: "Yes you may as priority"; "Yes you may but only as best effort"; "No you may not"
IntServ with DiffServ
(Figure: RSVP (IntServ) at the edges, PATH and RESV messages tunneled across a DiffServ backbone, policy server at the edge.)
Policy Server Response: "Admit the call and use the DiffServ Code Point X for data flow."
RSVP requests are tunneled to the other end and the data DSCP is marked.
The Scheduling Algorithm Could Schedule Small Packets Ahead of Large Packets
What Happens if a Large Packet Is Already in Transit When a Small Packet Arrives?
Serialization Delay
Link Speed   1 Byte    64 Bytes   128 Bytes   256 Bytes   512 Bytes   1024 Bytes   1500 Bytes
56 kbps      143 us    9 ms       18 ms       36 ms       72 ms       144 ms       214 ms
64 kbps      125 us    8 ms       16 ms       32 ms       64 ms       128 ms       187 ms
128 kbps     62.5 us   4 ms       8 ms        16 ms       32 ms       64 ms        93 ms
256 kbps     31 us     2 ms       4 ms        8 ms        16 ms       32 ms        46 ms
512 kbps     15.5 us   1 ms       2 ms        4 ms        8 ms        16 ms        23 ms
768 kbps     10 us     640 us     1.28 ms     2.56 ms     5.12 ms     10.24 ms     15 ms
1536 kbps    5 us      320 us     640 us      1.28 ms     2.56 ms     5.12 ms      7.5 ms
(Columns: frame size.)
Link Efficiency—Link Fragmentation Interleave
• Large packets can be fragmented to ensure small delay sensitive packets are transmitted without incurring more than 10 ms (for example) delay
Link Speed   Fragment Size
56 kbps      70 bytes
64 kbps      80 bytes
128 kbps     160 bytes
256 kbps     320 bytes
512 kbps     640 bytes
768 kbps     1000 bytes
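Both tables above follow from one relation, serialization delay = frame bits / link rate, and the fragment size is that relation solved for the frame size at the delay budget. The following added Python example (not from the Cisco deck) rebuilds the serialization table, derives the LFI fragment sizes for a 10 ms budget, and decides whether a link needs fragmentation at all; the function names and the 10 ms budget as the default are this example's choices, the speeds and sizes are the slides'.

```python
def serialization_delay_ms(frame_bytes: int, link_kbps: float) -> float:
    """Time to clock a frame onto the wire: bits divided by bits-per-millisecond."""
    return frame_bytes * 8 / link_kbps

def lfi_fragment_size(link_kbps: float, max_delay_ms: float = 10) -> int:
    """Largest fragment that serializes within the budget (the LFI table's fragment size)."""
    return int(link_kbps * max_delay_ms / 8)

def needs_fragmentation(mtu_bytes: int, link_kbps: float, max_delay_ms: float = 10) -> bool:
    """True when a full-MTU frame already in transit would hold a voice packet past its budget."""
    return serialization_delay_ms(mtu_bytes, link_kbps) > max_delay_ms

def serialization_table(speeds_kbps, sizes_bytes):
    """Rebuild the slide's table as {speed_kbps: {frame_bytes: delay_ms}} rounded to 3 decimals."""
    return {s: {b: round(serialization_delay_ms(b, s), 3) for b in sizes_bytes} for s in speeds_kbps}

# Speeds and frame sizes taken from the slide.
SPEEDS = (56, 64, 128, 256, 512, 768, 1536)
SIZES = (1, 64, 128, 256, 512, 1024, 1500)

if __name__ == "__main__":
    table = serialization_table(SPEEDS, SIZES)
    for speed in SPEEDS:
        print(f"{speed:>5} kbps", " ".join(f"{table[speed][b]:>9.3f}" for b in SIZES))
    print({s: lfi_fragment_size(s) for s in SPEEDS})
    print(needs_fragmentation(1500, 256), needs_fragmentation(1500, 1536))  # True False
```

The computed fragment sizes match the slide except at 768 kbps, where 960 bytes is the exact value and the slide rounds to 1000; at T1 speed a 1500-byte frame serializes in under 8 ms, which is why the deck only prescribes LFI for the slower links.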
Multilink PPP Fragmentation and Interleave
(Figure: a small volume/size VoIP packet is classified from the interface buffer resources into a configurable queue, interleaved between the fragments of a large volume/size packet at dequeue, compressed and given priority via WFQ, IP precedence or RSVP, then transmitted.)
Flow Classification:
• Source and destination address
• Protocol
• Session identifier (port/socket)
Scheduling: weighted fair or reserved scheduling
RTP Compression for Voice
Link Efficiency—CRTP
• 20 byte data payload
• IP header 20; UDP header 8; RTP header 12: 40 bytes overhead! 2X payload!
• CRTP compresses the 40 bytes of header to 2-4 bytes
• Hop-by-hop on slow links
(Figure: IP header fields Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding; UDP header fields Source Port, Destination Port, Length, Checksum; RTP header fields V=2, P, X, CC, M, PT, Sequence Number, Timestamp, Synchronization Source (SSRC) Identifier.)
In Addition There Is Layer 2 Overhead
• Let's assume G.729 with 20 bytes/pck
PPP over HDLC with CRTP = 28 bytes: 11.2 kbps
PPP over FR with CRTP = 32 bytes: 12.8 kbps
Frame Relay with CRTP = 31 bytes: 12.4 kbps
Requires FRF.12
PPP over FR with RTP = 70 bytes: 28 kbps
Mandatory for high speed links
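The per-call figures above are frame size times packet rate. The following added Python example (not from the Cisco deck) reproduces them from the slide's frame sizes and a G.729 stream of 20-byte payloads every 20 ms (50 packets per second, the packetization interval being this example's assumption, since the slide states only the payload size), and quantifies what the compressed header recovers. Function names and the breakdown helpers are constructed here.

```python
IP_UDP_RTP = 20 + 8 + 12   # 40 bytes of uncompressed header, as the CRTP slide states
CRTP_MIN, CRTP_MAX = 2, 4  # compressed header sizes from the CRTP slide

def packets_per_second(packetization_ms: float) -> float:
    """Voice packet rate for a given packetization interval."""
    return 1000 / packetization_ms

def per_call_kbps(frame_bytes: int, pps: float) -> float:
    """Layer 2 bandwidth of one voice stream: whole frame size times packet rate."""
    return round(frame_bytes * 8 * pps / 1000, 3)

def frame_size(payload: int, header_bytes: int, l2_overhead: int) -> int:
    """Compose a frame from payload, (compressed or not) IP/UDP/RTP header and Layer 2 overhead."""
    return payload + header_bytes + l2_overhead

def header_saving_kbps(pps: float, compressed: int = CRTP_MAX) -> float:
    """Bandwidth recovered per call by compressing the 40-byte header stack."""
    return per_call_kbps(IP_UDP_RTP - compressed, pps)

# Constructed example: G.729, 20-byte payload per packet, 20 ms packetization -> 50 pps.
G729_PAYLOAD = 20
G729_PPS = packets_per_second(20)

# Total frame sizes exactly as given on the slide.
SLIDE_FRAMES = {
    "PPP over HDLC with CRTP": 28,
    "PPP over FR with CRTP": 32,
    "Frame Relay with CRTP": 31,
    "PPP over FR with RTP": 70,
}

def slide_bandwidths() -> dict:
    return {name: per_call_kbps(size, G729_PPS) for name, size in SLIDE_FRAMES.items()}

if __name__ == "__main__":
    for name, kbps in slide_bandwidths().items():
        print(f"{name:<26} {kbps:>5} kbps")
    print("CRTP saves per call:", header_saving_kbps(G729_PPS), "kbps")
```

The slide's own pair of PPP-over-Frame-Relay frames differs by 38 bytes, which is the 40-byte header stack compressed to 2 bytes; at 50 packets per second that is more than the 8 kbps codec itself, which is why the deck treats header compression as a link-efficiency feature rather than a refinement.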
QoS Considerations for Frame Relay (Cisco 7200 to Cisco 2600 over Frame Relay)
• Considerations: Frame Relay Traffic Shaping (FRTS); FRF.12 (LFI functionality for Frame Relay)
If Packets Need to Be Dropped Due to Congestion, Will the Frame Relay Switch Drop the Packets I Want Dropped?
Frame Relay Traffic Shaping
• Shaping per DLCI
• WFQ within the shaping queue
• Downstream Frame Relay switch will police. It is therefore desirable to shape at the upstream router.
LFI for Frame Relay Does Not Work the Same as for PPP—FRF.12 Is Required
FRF.12 Queue Structure
1. FRF.12 + WFQ on a PVC basis (WFQ flow classifier per PVC; PVC #1 and PVC #2 in the figure)
2. Frame Relay traffic shaping is turned on when FRF.12 is enabled
3. Two interface queues: the "non fragment" voice queue and the "fragment" queue; fragmentation occurs at dequeue from the PVC WFQ
4. Fragments reassembled at the far end (voice interleaved)
(Figure: route table feeding the router queuing structure; a small VoIP packet on PVC #1 goes to the non fragment queue while large packets on PVC #1 and PVC #2 are fragmented into the fragment queue and dequeued to the Frame Relay interface.)
Note: the "non fragment" queue gets de-queued exhaustively, like priority queuing, over the "fragment" queue. This prevents other PVCs from affecting "non fragmented" voice packets, whether these PVCs are misbehaving or oversubscribed.
QoS Consideration for SLAs (VPN)
• Class-based weighted fair queuing: minimum bandwidth assigned per class; policing per class; per class congestion avoidance
CBWFQ Uses a DiffServ SLA Model
Class-Based Weighted Fair Queuing (CBWFQ)
• Extension of CQ
• 8/64/100 classes
• WFQ between classes
• RED within a class*
• Policing/shaping per class
• SLAs per class (figure: SLA-1 20%, SLA-2 30%, SLA-3 25%)
• Within a class: RED*, WFQ*, strict
* Second Phase
Summary: Classification
PBR                         Routers 11.2
ACL—L2/L3/L4                Routers 12.0
ACL—L2/L3/L4                Catalyst 6000 5.3(1) CSX, 12.1E
ACL—L2/L3/L4                Catalyst 5000 5.1 Catalyst OS
Physical Interface          2900XL Mid '99
dCAR                        Routers 11.1CC
NBAR Dynamic Port Numbers   7200/7100—12.1(1)T
URLs                        7200/7100—12.1(1)T
Summary: Marking
IP Precedence Marking   Routers
IP Precedence Marking   Catalyst 5000 5.1
IP Precedence Marking   Catalyst 6000 5.3(1)
DiffServ Marking        7200 12.0(6)T
DiffServ                Catalyst 6000 5.3(1)
802.1p                  Catalyst 5000 5.1
802.1p                  Catalyst 6000 5.3(1)
802.1p                  2900XL Mid '99
Summary: Congestion Management
Strict Queuing   Routers (PQ)—10.3
Strict Queuing   2900XL—2 Queues
WRR              Catalyst 6000—2 Queues
WRR              Catalyst 8500—8 Queues
WFQ              Routers—11.0
dWFQ             VIP—11.1CC
CBWFQ            Routers—12.0(5)T
dCBWFQ           VIP—11.1CC
dRR              12000
Summary: Congestion Avoidance
WRED    Routers—11.2
dWRED   VIP 11.1CC
WRED    Catalyst 5000 5.1
WRED    Catalyst 6000 5.3(1) 12.1E
FRED    Routers 12.0(3)T
Summary: Policing and Shaping
GTS        Routers 11.2
FRTS       Routers 11.2
dTS        Routers 12.0(5)XE
Policing   Routers (CAR)—12.0/12.0(4)T
dCAR       VIP 11.1CC
Policing   Catalyst 6000 5.3(1) 12.1E
Summary: Link Efficiency
LFI     Routers 11.3
cRTP    Routers 11.2
FRF12   Routers 12.0(4)T
Summary: Signaling
RSVP    Routers 11.2
dRSVP   VIP Planned
SBM     Routers—12.0(5)T
RSVP    Catalyst 6000 12.1E
Summary: ATM
Per VC WRED         VIP 11.1CC
VC Bundling         7X00—12.0(3)T
Per VC WFQ          7200—12.0(5)T
Per VC dWFQ         VIP—12.1(1)T
Precedence to VCC   Routers 12.0(3)T
RSVP to ATM VCC     Routers 12.0(3)T
Demonstration of WFQ and a Video Image
Agenda
• Evolutions/Trends
• Case Study for QoS in the Campus
• Case Study for QoS in the WAN
• Case Study for NBAR
• Hybrid IP and ATM Networking
• End-to-End QoS and Policy Management
Case Study: NBAR Classification
• Granular classification: WEB traffic; applications using dynamic port numbers (H323 voice, SAP, Oracle, MS Exchange)
• Application auto discovery
(Topology: Cisco 7100 to Cisco 7100 over a T1, 1.536 Mbps.)
NBAR Classification
• Where is granularity required? Start on the WAN, move toward the LAN
Voice classification where:
It cannot be assumed that all small packets are delay sensitive and a DiffServ model is used
Identification by static Layer 4 port number is not possible (i.e. standard RTP)
NBAR for ERP and Web Traffic
(Figure: PeopleSoft ERP clients and a PeopleSoft HR client reach the ERP server farm (Oracle Database, Oracle Print, SQL Listener) through two Cisco 7100 routers; Web traffic on port 80 from a Web server, Web games (port 80) and Web NMS (port 80) share the same link.)
Agenda
• Evolutions/Trends
• Case Study for QoS in the Campus
• Case Study for QoS in the WAN
• Case Study for NBAR
• Hybrid IP and ATM Networking
• End-to-End QoS and Policy Management
QoS Across Mixed IP and ATM Networks
"Policy Required: Make sure that my QoS policies are preserved in an IP-ATM network."
IP-ATM Overview
• IP-ATM CoS: Differentiated services over standard ATM
• Requires PA-A3/deluxe PA
Per VC WRED
IP precedence to ATM CoS mapping
Per VC CBWFQ
Per-VC WRED
(Figure: a single VC, VC1, between the endpoints.)
• Single VC for each source/destination
• Multiple service classes on same VC
• WRED, WFQ, or CBWFQ runs on each VC queue
Precedence to VC Mapping
(Figure: VC1 through VC4 between the same endpoints.)
• Multiple VCs for each source/destination
• Separate VC for each IP CoS
• RED (WRED) runs on each VC queue
Agenda
• Evolutions/Trends
• Case Study for QoS in the Campus
• Case Study for QoS in the WAN
• Case Study for NBAR
• Hybrid IP and ATM Networking
• End-to-End QoS and Policy Management
Policy Networking to Manage QoS
Problems: Inconsistent Policies; Lack of Application Control; Configuration Complexity
Intelligent Network (Users, Applications): Automated Policy Configuration; Centralized Policy Control; Application/Network Integration
End-to-End Quality of Service: Policy Networking
(Figure: Client, Multilayer Switch (Cisco Catalyst), ATM Switch (Cisco LightStream), Router (Cisco Router), Windows NT Server.)
Catalyst: Weighted RED, Multiple Queues
LightStream: ATM QoS Services, Per VC Queuing
Router: Weighted Fair Queuing, Random Early Detection
CiscoAssure Architecture
(Figure: Directories (User Identity) reached over LDAP by a Policy Server; the Policy Server speaks COPS to the network devices; RSVP and RSVP+ between Client and Server.)
COPS Policy Server Service Mapping
Service Class      User Mapping
Network            Network Control
Mission Critical   Oracle, PeopleSoft
Premium Service    John Chambers
Standard Service   Default
Best Effort        Games
Drop               Intl video, Adult XXX
Voice              VOIP
Video              NetShow, NetMeeting
COPS Policy Server Service Mapping: DSCP Mapping to Service Types
DSCP   Service Type
1      Network
8      Mission Critical
16     Premium Service
24     Standard Service
32     Best Effort
40     Drop
48     Voice
55     Video
COPS Policy Server Service Mapping: DSCP to Queues and Thresholds Mapping
DSCP   1q1t        ...   1q4t        ...   3q2t        ...   nqnt
1      Q=1 T=1           Q=1 T=1           Q=1 T=1
2      Q=1 T=1           Q=1 T=2           Q=1 T=2
3      Q=1 T=1           Q=1 T=3           Q=2 T=1
4      Q=1 T=1           Q=1 T=4           Q=2 T=2
5      Q=1 T=1           Q=1 T=4           Q=3 T=1
6      Q=1 T=1           Q=1 T=3           Q=3 T=2
...
64     Q=1 T=1           Q=1 T=2           Q=2 T=2
(Q = queue, T = drop threshold; the column header names the switch queue structure, e.g. 3q2t = three queues with two thresholds each.)
COPS Policy Server Roles: Scheduler Example on Policy Server
Preference order: 1st, 2nd, 3rd, 4th
• WAN Edge—Low Speed: CBWFQ, WFQ
• WAN Edge—High Speed: WRR
• Backbone: WRR
• User Defined: CBWFQ, WRR
COPS Policy Server Roles: Interfaces Are Mapped to Roles
Interface e0 roles: Untrusted; Wiring Closet; Police-1M
Interface s1 roles: Trusted ToS-in; Low Speed WAN
QoS Mechanisms: Concluding Thoughts
QoS End-to-End
• QoS signaling across a network that spans multiple subnets mandates Layer 3
• QoS may or may not be extended to the client
• Some clients (such as servers) can be trusted while other clients (such as some end users) cannot be trusted
• It may be easier to manage and control the network devices rather than all the clients
Where Are QoS Features Applied?
(Figure: Campus A and Campus B connected over the WAN by T1 access; congestion and delay at the T1 access.)
QoS WAN Edge: Admission Control; Classification; Congestion Management; Congestion Avoidance; Traffic Shaping/Policing; Link Efficiency
Where Are QoS Features Applied?
(Figure: campus congestion in Campus A and Campus B; congestion and delay at the T1 access; WAN core.)
QoS Ingress (campus): Admission Control; Classification; Congestion Avoidance; Congestion Management
QoS WAN Edge: Admission Control; Congestion Management; Congestion Avoidance; Policing/Shaping; Link Efficiency
QoS Core: Congestion Avoidance; Congestion Management
Application Aware Networking—QoS Summary
• QoS is applicable in both the WAN and campus
• QoS mechanisms can be necessarily complex
• Multiple QoS mechanisms for multiple problem spaces
• QoS is a networking architecture issue
• CiscoAssure provides centralized policy control across the enterprise
• Cisco offers a total solution
For More Information on QoS
• For more information on QoS please go to the following URLs
http://www.cisco.com/warp/public/779/largeent/learn/technologies/qos/
http://www.cisco.com/warp/public/779/largeent/learn/topologies/campus.html
Where to Get More Information
http://www.cisco.com
Upcoming Events
June 15–18, 1999: New Orleans
July 13–16, 1999: Vancouver, BC
Packet Magazine
• Packet magazine is published quarterly and distributed free of charge to users of Cisco Systems products
• Subscribe to Packet and get news on Cisco products, technologies, and programs to help you get the most out of your network
• Leave your completed applications at the registration desk
Before You Go…
• Please fill out the seminar evaluation
• Please turn in your badge holders—we recycle them
• Questions? Contact your local Cisco office for more information
Thank You
Appendix
Configuring RSVP
ip rsvp bandwidth [interface-kbps] [single-flow-kbps]
!
interface Serial0/0
 ip address 10.1.1.2 255.255.0.0
 ip rsvp bandwidth 96 96
 bandwidth 128
 fair-queue 64 256 1000
!
Configuring WFQ (On By Default on Links 2 MB or Less)
interface Serial0/0
 ip address 10.1.1.2 255.255.255.0
 bandwidth 128
 fair-queue 64 256 1000
!
! fair-queue <congestive discard threshold> <dynamic queues> <maximum RSVP queues>
Remote(config-if)#fair-queue ?
  <1-4096>   Congestive Discard Threshold
  <16-4096>  Number Dynamic Conversation Queues
  <0-1000>   Number Reservable Conversation Queues
  <cr>
Displaying WFQ
bottom#show queue se 0
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queuing strategy: weighted fair
Output queue: 31/64/0 (size/threshold/drops)
Conversations 2/4 (active/max active)
Reserved Conversations 0/0 (allocated/max allocated)
(depth/weight/discards/interleaves) 24/4096/0/0
Conversation 184, linktype: ip, length: 1504
source: 10.1.5.2, destination: 10.1.6.1, id: 0x04CF, ttl: 31,
TOS: 0 prot: 6, source port 1503, destination port 21
(depth/weight/discards/interleaves) 7/4096/0/0
Conversation 227, linktype: ip, length: 68
source: 10.1.1.2, destination: 10.1.1.1, id: 0xFCCF, ttl: 31,
TOS: 0 prot: 17, source port 49608, destination port 49608
(Weight = 4096/(1 + IP Prec). Compare the high bandwidth flow, conversation 184, with the small-packet flow, conversation 227, such as Telnet or VoIP.)
Configuring FRTS + FRF.12
! Int S0
 frame-relay traffic-shaping
 frame-relay interface-dlci 101
  class frf12
!
map-class frame-relay frf12
 frame-relay cir 128000
 frame-relay bc 1000
 frame-relay fragment 40
 frame-relay fair-queue
Modular Hierarchical Configuration
• ClassMap ERP: match protocol msexchange; match ACL 101
• PolicyMap SLA1: class ERP; minimum bandwidth 50%; queue limit
• ServiceMap (bind policy maps to logical or physical interfaces): service-policy output SLA-1
Class Maps Example
Router(config)# classmap erp
Router(config-cmap)# match access-group 101
Router(config-cmap)# match peoplesoft
Router(config-cmap)# exit
Policy Maps Example
Router(config)# policymap SLA-1
Router(config-pmap)# class erp
Router(config-pmap-c)# bandwidth 3000
Router(config-pmap-c)# queue-limit 30
Router(config-pmap-c)# random-detect exponential-weighting-constant 14
Router(config-pmap)# exit
Service Map Example
Router(config)# interface e1/1
Router(config-if)# service output SLA-1
Router(config-if)# exit
Router(config)# interface fa1/0/0
Router(config-if)# service output SLA-1
Router(config-if)# exit