© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
The WAN as seen by the enterprise
Gilles Clugnac
http://dl.free.fr/kFB3ljra4/cours3-WAN.pdf
What does an enterprise ask of a communications infrastructure provider? Squaring the circle?
I want to be able to access my information system wherever and whenever I want, with the most suitable terminal!! => Flexibility, agility
My work has evolved from production to transactions and now to interactions => Added value for the customer
More services for less money => Control of costs, risks and complexity
[Figure: business processes (sales, HR, manufacturing, finance, supply chain, ERP, e-sales) running on applications and services (core, storage, security, wireless, IPT) over the technology infrastructure]
Network convergence
Paradigm shift. Example: integrated video surveillance
[Figure: major segments of security: ID credential management, CCTV and digital video surveillance, data and network security, visitor management, access control, intrusion detection, fire alarm]
The next wave
The Internet of computers: IP telephones, barcode scanners, PCs, PDAs/handhelds
Objects connected through tags: products, livestock, tires, currency, pharmaceuticals, shipping containers, cartons, pallets, rations, weapons, people, pets, medical assets
Information connected through sensors: video cameras, location, intrusion, shock/movement, elevation, direction, pressure, light, chemicals, speed, temperature
The Internet of objects
[Chart: 2005 forecast, million units: computers 500; phones 1,500; mobile assets 350; static assets 375; controllers 500; smart sensors 750; microprocessors and microcontrollers 35,000. Source: Harbor Research, Inc., Forrester Research, Inc., IBSG]
Today's networks vs. extended networks
The new systems will be connected to the universal IP network
The network is going to connect billions of objects!!
A complex IT environment
[Figure: the current infrastructure of an enterprise data center and Internet data center: public web site, hundreds of servers with integrated storage, e-commerce application, 4-tier application and app. servers, supply-chain management, traditional voice PBX, in-house developed apps, 2-tier CRM application, NCR DB server, data warehousing, finance, HR, payroll and EDI, mainframe systems, tape backup, multiple 2-tier ERP instances, engineering services, NAS filers, e-mail appliances, IP services (DNS, RADIUS, LDAP), JBOD, operations center]
Availability and compliance • Operational Risk Management
Business continuity
Business agility • Service Oriented Architecture
Application integration
Cost control • On-Demand, Utility Infrastructure
Automation
Consolidation
Information management • Information Lifecycle Management
Application SLAs • Application Awareness and Optimization
Security, compliance, virtualisation, growth, agility, availability, performance
Tiered storage, content delivery, data classification
Modular approach: end-to-end architectures
[Figure: network areas (data center, branch, campus, teleworker, WAN/MAN, extranet, Internet, site B) on top of the networked infrastructure layer (servers, storage, client devices)]
Network fundamentals / architecture rules:
• Reference architectures per zone
• Strong interoperability between zones
• Service continuity
• End-to-end SLA guarantees
Cisco solution:
• Validated recommendations per zone
• Oriented towards service deployment
• Coherent, global architectures
WAN network infrastructure: evolution of end-to-end architectures
[Figure: the network modules (campus, branch, data center, MAN/WAN, teleworking) over the networked infrastructure layer, with network virtualisation services spanning them. The consolidated data center and the adaptable campus use L3 switches with VRF-Lite, 802.1Q sub-interfaces carrying VRF-Data and VRF-Voice, PE 7600 routers with an IGP between VRFs and BGP between PEs, an MPLS MAN (L1/2 point-to-point or ring) with P 12000 and P 7600 routers, EoMPLS, and an MPLS-BGP VPN (2547-bis) carrying ORG-A voice and data; users, LAN/WAN, compute, SAN and disk/tape. The NG WAN is either an operated VPN or a VPN deployed by the enterprise.]
Building a coherent infrastructure: the example of IP Communications
Cross-cutting services: HA, QoS, multicast, security, network management/provisioning
WAN architectures: why a new generation?
Yesterday: the WAN is a transport problem. Critical factors: cost, availability, throughput. Fragmented architectural approach.
Today: the WAN is a problem of generalised service delivery. Critical factors: cost/availability/throughput, security, service integration. Integrated architectural approach. The WAN is part of the overall network architecture.
A need for segmentation
Guest access: Internet access for customers, visitors, etc.
Network access control: quarantine and/or isolation during remediation
Partner access: onsite partners, limited server/application access
Group/department separation: closed user groups for divisions/teams sharing common work locations (e.g. financial banking/trading)
Application/system isolation: isolating critical applications or devices, such as IPC, factory robots, point-of-sale terminals, etc.
Outsourced services: participating in multiple client networks (e.g. India ITS model)
Subsidiaries / mergers and acquisitions: enabling staged network consolidation while companies are being merged
Enterprise as a network service provider (possibly a source of revenue): shared service locations (e.g. Munich Airport "virtual" gate access); retail stores providing kiosk/on-location network access (e.g. Best Buy, Albertson's, etc.); Cisco Connected Real Estate (CCRE) (e.g. multi-tenant, strip malls, etc.)
Strong dynamic of project creation: closed user groups between multiple companies during joint ventures/collaborations
Group isolation is the main need. Attacks, viruses and worms are more easily contained: they do not propagate everywhere.
WAN stakes: BUY a VPN service or BUILD your own VPN network?
[Chart, source: Cisco study: reasons for NOT out-tasking a VPN; ~53% of enterprises choose a DIY VPN]
[Chart, source: Cisco FISH study, percent of CIOs, reasons for out-tasking a VPN: to gain more value 37%; lack of staff 45%; lack of in-house expertise 51%; expected cost savings 51%; not a core business activity 54%]
~47% of enterprises choose to BUY a VPN: buy an L3 service (IP VPN), or buy an L1 or L2 service (L2 VPN)
The ratio is moving to 64% managed VPN / 36%
Branch stakes: bringing services to the users
• Information available at every site of the enterprise
• Performance needed in the data center as well as for the user
• Reliability of the whole information system
• Network architecture and services transparent to the user
• Remote and teleworking sites have needs beyond simple connectivity!
Resource consolidation, access optimisation
[Figure: headquarters (backup, NAS, application servers, tape drives and libraries, disk arrays, consolidation engine) connected over the IP network to the branch (client workstations, printer); 20% of users / 80% of users]
Overall: concentration of servers + remote users
[Figure: headquarters (campus/data center), operators (Internet: ISP, broadband, etc.; IP VPN) and branch, with HSRP/GLBP at the branch]
WAN mainly supplied (IP, MPLS VPN, IPsec) by a connectivity operator [main driver: cost; services: IP, VPN (+ QoS)]
Enterprise services supplied by an integrator or a value-added operator [main driver: the service contract; services: encrypted VPN, QoS, security, IP Com, mobility, application optimisation]
Service delegation via Role Based Access Control
How many routers?
OPERATED VPN
MPLS – virtualisation: a hierarchy of labels
[Figure: VPN A, B and C sites attached to PEs on both sides of an MPLS core. Inside the core a packet carries a core label, a VPN label and the IP data; once the core label has been removed it carries only the VPN label and the IP data; on the customer side only the IP data remains. Labels are distributed by MP-iBGP or LDP.]
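The hierarchy of labels above, as an added example that is not code from the presentation: each router only touches the label it owns, and at the egress the VPN label alone selects the VRF, which is what keeps two customers with overlapping private addresses apart. Label values, LFIB tables and VRF names are constructed for illustration.

```python
"""Label hierarchy of an MPLS-BGP VPN (2547-bis): added illustration, not from the slides.

Each stack entry is the RFC 3032 format:
20-bit label | 3-bit EXP | 1-bit bottom-of-stack (S) | 8-bit TTL.
All label values, LFIBs and VRF names below are constructed for the example.
"""
import struct
from typing import Dict, List, Optional, Tuple

LABEL_MAX = 1 << 20


def encode_entry(label: int, exp: int = 0, bos: bool = False, ttl: int = 64) -> bytes:
    """Build one 32-bit label stack entry in network byte order."""
    if not 0 <= label < LABEL_MAX or not 0 <= exp <= 7 or not 0 <= ttl <= 255:
        raise ValueError("label, exp or ttl out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def decode_stack(packet: bytes) -> Tuple[List[dict], bytes]:
    """Walk the stack from the top until the S bit; return the entries and the payload below."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", packet, offset)
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "bos": bool((word >> 8) & 1), "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, packet[offset:]


def ingress_pe_push(ip_packet: bytes, vpn_label: int, core_label: int, exp: int = 0) -> bytes:
    """Ingress PE: inner VPN label (learned via MP-iBGP) under the outer core label (via LDP)."""
    return encode_entry(core_label, exp) + encode_entry(vpn_label, exp, bos=True) + ip_packet


def p_forward(packet: bytes, lfib: Dict[int, Optional[int]]) -> bytes:
    """Core P router: looks only at the top label and never at the VPN label.
    An outgoing label of None means penultimate-hop popping (PHP)."""
    (word,) = struct.unpack_from("!I", packet, 0)
    in_label, exp = word >> 12, (word >> 9) & 0x7
    bos, ttl = bool((word >> 8) & 1), word & 0xFF
    if in_label not in lfib:
        raise LookupError("no LFIB entry for core label %d" % in_label)  # unknown label: drop
    if ttl <= 1:
        raise ValueError("TTL expired")
    out_label = lfib[in_label]
    if out_label is None:
        return packet[4:]  # PHP: expose the VPN label to the egress PE
    return encode_entry(out_label, exp, bos, ttl - 1) + packet[4:]


def egress_pe_pop(packet: bytes, vrf_by_label: Dict[int, str]) -> Tuple[str, bytes]:
    """Egress PE: the remaining label selects the VRF, i.e. the customer's own routing table."""
    entries, ip_packet = decode_stack(packet)
    if len(entries) != 1:
        raise ValueError("expected exactly the VPN label after penultimate-hop popping")
    vpn_label = entries[0]["label"]
    if vpn_label not in vrf_by_label:
        raise LookupError("VPN label was not advertised by this PE")  # not ours: drop
    return vrf_by_label[vpn_label], ip_packet


def walk_core(ip_packet: bytes, vpn_label: int, core_label: int) -> Tuple[str, bytes]:
    """Run a packet ingress PE -> P1 -> P2 (PHP) -> egress PE over constructed tables."""
    p1_lfib = {103: 204}                        # P1 swaps core label 103 for 204
    p2_lfib = {204: None}                       # P2 is the penultimate hop and pops
    egress_vrfs = {89: "VPN-A", 90: "VPN-B"}    # VPN labels this PE advertised via MP-iBGP
    packet = ingress_pe_push(ip_packet, vpn_label, core_label)
    packet = p_forward(packet, p1_lfib)
    packet = p_forward(packet, p2_lfib)
    return egress_pe_pop(packet, egress_vrfs)


if __name__ == "__main__":
    # Two customers sending to the same private address: only the VPN label tells them apart.
    same_ip = b"\x45\x00\x00\x1c" + bytes(12) + bytes([10, 1, 1, 7]) + b"payload"
    print(walk_core(same_ip, vpn_label=89, core_label=103))
    print(walk_core(same_ip, vpn_label=90, core_label=103))
```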
L3 VPN – MPLS-VPN: the same service over all types of link
[Figure: central site, regional site, remote sites and shared services attached to the MPLS cloud over leased lines, Frame Relay/ATM, TDM mux, (fiber / WDM / POS / Ethernet / ATM / FR / PPP, tunnel), PSTN/ISDN, ADSL/cable and the Internet with IPsec for branch, home and travel users]
L3 VPN – MPLS-VPN: end-to-end QoS
[Figure: central site, regional sites and remote sites over MPLS IP-VPN and L2 VPN, with end-to-end SLA measurement]
Hierarchical DiffServ domain / addition of TE for the core
End-to-end QoS, application-level QoS
Per-class model, service level agreement
QoS transparency
L3 VPN – typical QoS example: 5 profiles and 4 CoS
[Chart: port percentage per class of service (Best-Effort, Data-LAN2LAN, Data-Interactive, Real-Time) for the profiles Business, Classic, Standard, Executive and First; relative port price 135, 120, 100, 140, 150]
Evolution towards 5 or 6 classes of service PE-CE
L3 VPN – Carrier Supporting Carrier
[Figure: the customer's own routing and sub-VPNs carried in a single customer VRF across the operator's MPLS IP VPN and the Internet]
The SP only offers one VRF to the enterprise customer
Labels are used between the PE and the CE (rather than IP)
The customer uses the operator's MPLS backbone to build its own MPLS VPN service
L3 VPN – Multi-VRF CE (VRF-lite)
VRF: creation of several separate routing and switching tables
Separate routing tables; separate forwarding tables (FIB); association of (physical or logical) interfaces with the VRFs
Today, a fairly classic solution
Requires several VRFs on the PE – strong dependency on the SP
Requires several physical or logical links between the PE and the CE – xDSL? (GRE tunnels CE-PE may be used)
[Figure: several VRFs carried over 802.1Q or GRE between CE and PE]
L3 VPN – Multi-VRF (VRF-Lite)
Multi-VRF CE: extension of the VPN functionality into the CPE and the campus to keep providing segmentation without having to implement the functionality of a full PE
[Figure: sites 1, 2 and 3, each with a Multi-VRF CE attached to PE1, PE2 and PE3 of the SP IP VPN; VRFs for partners, contractors, resources and guests/NAC quarantine]
Logical separation in the campus via VLANs or even VRFs on the Catalyst switches
Layer 3 logical separation inside the CE through the Multi-VRF function
The SP provides several VPNs for the same enterprise
L2 VPNs: the Pseudo Wire reference model
Point-to-point service types:
• Ethernet
• 802.1Q (VLAN)
• ATM VC or VP
• HDLC
• PPP
• Frame Relay VC
[Figure: sites A1/A2 and B1/B2 attached through Pseudo Wire End-Services (PWES) to PEs; pseudo wires between the PEs run inside a PSN tunnel and provide the emulated service]
A Pseudo Wire (PW) is a connection between two PEs that connects two Pseudo Wire End-Services (PWESs)
L2 VPNs: AToM vs VPLS
Virtual Private LAN Service (VPLS): L2 full mesh, point-to-multipoint
• Multipoint service
• Ethernet access to the SP
• The SP backbone emulates a LAN bridge (flat switched network)
Scalability? Handling of multicast flows
Any Transport over MPLS (AToM): L2 hub and spoke, point-to-point
• Point-to-point service
• Hub and spoke through several P2P circuits from the central site
• Interworking support for circuits of different types
• Ideal for replacing the traditional WAN (Frame Relay model)
• Dedicated P2P link in the MAN
VPN DEPLOYED BY THE ENTERPRISE
L2VPN – data center interconnection using EoMPLS
PE configuration (pseudowire class and the 802.1Q attachment sub-interface):

    pseudowire-class eompls
     encapsulation mpls

    interface GigabitEthernet1/4.601
     encapsulation dot1Q 601
     xconnect 125.1.125.13 601 pw-class eompls

Verification on PE2:

    7600-LC-PE2#sh mpls l2transport vc det
    Local interface: Gi1/4.601 up, line protocol up, Eth VLAN 601 up
      Destination address: 125.1.125.13, VC ID: 601, VC status: up
        Tunnel label: 103, next hop 125.1.103.26
        Output interface: Gi1/3, imposed label stack {103 89}
      Create time: 1w3d, last status change time: 1d02h
      Signaling protocol: LDP, peer 125.1.125.13:0 up
        MPLS VC labels: local 49, remote 89
        Group ID: local 0, remote 0
        MTU: local 9000, remote 9000
        Remote interface description:
      Sequencing: receive disabled, send disabled

[Figure: Data Center 1 (CE1, Red-6500) – PE1 – MPLS network – PE2 – CE2 (Red-6500), Data Center 2; the remote PE's Loop0 is 125.1.125.13; label stack: tunnel label 103, VC label 89, payload]
Jumbo frame support: ensure all interfaces have it enabled in the forwarding path
L3 VPN MPLS-VPN service run by the enterprise itself
[Figure: CEs attached to three PEs, each PE holding VRFs; LDP between the PEs, iBGP VPNv4 label exchange between the PEs, a PE-CE routing protocol towards each CE]
IPsec VPN in the enterprise WAN: customer applications
Why use an IPsec VPN?
Encryption over traditional WAN links (for example FR, ATM, LL)
Compliance with new legislation: HIPAA, Sarbanes-Oxley (S-Ox), Basel Agreement (Europe), etc.
Migration from a traditional WAN to a low-cost service (for example Internet, broadband)
Use of an Internet service as a secondary WAN, as backup, or as a link for non-critical, high-bandwidth traffic
Extension of site services to teleworkers
Using an operator IP-VPN: typical architecture
[Figure: enterprise sites attached to the SP IP VPN and the Internet; eBGP towards the SP; HSRP or iBGP between the site routers]
Tunnels over IP-VPNs: multipoint GRE
[Figure: mGRE multipoint tunnels between sites over the IP VPN and the Internet, eBGP towards the SP]
mGRE with NHRP (RFC 2332)
1. Backup using the IGP's own features
• fast, tunable with the backoff timers
2. Site routing isolated from the SP
3. Multicast flow support
Tunnels over IP-VPNs: multipoint GRE + IPsec
DMVPN over MPLS-VPN
[Figure: mGRE multipoint tunnels between sites over the IP VPN and the Internet, eBGP towards the SP]
1. Backup using the IGP's own features
• fast, tunable with the backoff timers
2. Site routing isolated from the SP
3. Multicast flow support
4. Flows are encrypted
5. The PKI is managed by the enterprise
Synthesis: operated versus deployed by the enterprise
OPERATED VPN: outsourcing strategy (managed CPE/routing/QoS); no MPLS required on the CE; well suited to a small number of VRFs; possible to keep control of a few services, but rather few.
But: increased dependency on the SP; adding a VPN means creating a sub-interface on every site concerned; the cost can become prohibitive depending on the number of VRFs and sites.
VPN DEPLOYED BY THE ENTERPRISE: insourcing strategy; IP segmentation services; increased security (closed user groups), isolation/reduction of worms; building an SP-style network for customers internal to the enterprise; easy integration of new entities or partners; data center consolidation, front-end access virtualisation, centralisation of network services, VLAN extension via MAN/WAN.
Quality of service
Multiservice IP applications
Non-uniform network traffic demands QoS
VoIP: bandwidth in the tens of kbps, rare loss, latency < 150 ms, jitter < 30 ms
ERP: bandwidth in the tens of kbps, TCP-controlled loss, latency < 300 ms, no jitter sensitivity
Multimedia: bandwidth in Mbps, rare loss, latency < 300 ms, jitter < 300 ms
VPN: latency in seconds, jitter in seconds
Web/URL: bursty bandwidth, resilient to loss, no latency control, does not care about jitter
So, what is Quality of Service?
"Collection of technologies which allows applications/users to request and receive predictable service levels in terms of data throughput capacity (bandwidth), latency variations (jitter) and delay"
QoS factors: delay (latency), delay variation (jitter), packet loss
Effects of latency on voice: avoid the "Human Ethernet" (Hello? Hello?)
[Chart: one-way delay from 0 to 800 ms, with the zones high quality, fax relay/broadcast, satellite quality and CB zone, and the delay target]
ITU's G.114 Recommendation: ≤ 150 msec one-way delay
Elements that affect latency and jitter
[Figure: campus to branch office (SRST router) across the IP WAN and the PSTN]
CODEC: G.729A: 25 ms
Serialization: variable
Queuing: variable
Propagation and network: fixed (6.3 µs/km) + network delay (variable)
Jitter buffer: 20-50 ms
End-to-end delay (must be ≤ 150 ms)
Delay and latency
Router latency: less than 100 usec for Cisco 7500 (64-byte packets, varies with packet sizes)
Insertion delay (a.k.a. serialization delay), example with a 250-byte packet: 16 msec on a 256 Kbps link, 1 msec on a 2 Mbps link, 0.2 msec on a 10 Mbps link, 0.02 msec on a 100 Mbps link
Queuing delay = queue depth x insertion delay. Example: queue length = 40 at 256 Kbps = 640 ms delay; queue length = 40 at 2 Mbps = 80 ms delay
Effect of RTT with a 16k window: 500 µs → 270 Mbps; 12 ms → 10 Mbps; 120 ms → 1 Mbps
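The slide's arithmetic as an added example, not code from the presentation: insertion delay, queuing delay and window-limited TCP throughput from the formulas above, plus a one-way voice delay budget that sums the elements of the latency slide (codec, serialization, queuing, propagation at 6.3 µs/km, network, jitter buffer). A 250-byte packet on a 256 Kbps link takes about 8 ms, so the slide's 16 ms and 640 ms figures correspond to a 512-byte packet; the traffic values in the code are constructed.

```python
"""Delay budget arithmetic from the "Delay and latency" slide: added example, not from the slides.

Formulas used:
  insertion (serialization) delay = packet bits / link rate
  queuing delay               = queue depth x insertion delay
  TCP throughput ceiling      = window / RTT
The 6.3 us/km propagation figure comes from the latency slide; all other inputs are constructed.
"""
from typing import Tuple

PROPAGATION_US_PER_KM = 6.3   # fixed propagation component quoted on the slide


def insertion_delay_ms(packet_bytes: int, link_bps: float) -> float:
    """Time to clock one packet onto the wire, in milliseconds."""
    return packet_bytes * 8 / link_bps * 1000.0


def queuing_delay_ms(queue_depth: int, packet_bytes: int, link_bps: float) -> float:
    """Worst-case wait behind a full queue of same-size packets, in milliseconds."""
    return queue_depth * insertion_delay_ms(packet_bytes, link_bps)


def tcp_window_ceiling_bps(window_bytes: int, rtt_s: float) -> float:
    """Maximum throughput of a single TCP flow limited by its window (bits per second)."""
    return window_bytes * 8 / rtt_s


def voice_delay_budget(codec_ms: float, voice_bytes: int, link_bps: float,
                       data_packets_ahead: int, data_bytes: int, distance_km: float,
                       network_ms: float, jitter_buffer_ms: float,
                       target_ms: float = 150.0) -> Tuple[float, bool]:
    """One-way delay of a voice packet and whether it meets the G.114 target.

    data_packets_ahead models large data packets queued in front of the voice packet
    on the same slow link (the case LFI and LLQ exist to avoid).
    """
    serialization = insertion_delay_ms(voice_bytes, link_bps)
    queuing = queuing_delay_ms(data_packets_ahead, data_bytes, link_bps)
    propagation = distance_km * PROPAGATION_US_PER_KM / 1000.0
    total = codec_ms + serialization + queuing + propagation + network_ms + jitter_buffer_ms
    return round(total, 3), total <= target_ms


if __name__ == "__main__":
    for rate in (256_000, 2_000_000, 10_000_000, 100_000_000):
        print("250 bytes at %d bps: %.3f ms" % (rate, insertion_delay_ms(250, rate)))
    print("40 x 512 bytes queued at 256 Kbps: %.1f ms" % queuing_delay_ms(40, 512, 256_000))
    for rtt in (0.0005, 0.012, 0.12):
        print("16k window, RTT %.4f s: %.1f Mbps" % (rtt, tcp_window_ceiling_bps(16384, rtt) / 1e6))
    # G.729A voice over a 256 Kbps link, 1000 km, with and without data packets ahead.
    print(voice_delay_budget(25, 60, 256_000, 0, 1500, 1000, 10, 30))
    print(voice_delay_budget(25, 60, 256_000, 3, 1500, 1000, 10, 30))
```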
Packet loss limitations
Cisco DSP codecs can use predictor algorithms to compensate for a single lost packet in a row
Two lost packets in a row will cause an audible clip in the conversation
[Figure: voice samples 1 to 4; when sample 3 is lost the codec fills the gap with a reconstructed voice sample]
QoS requirements for voice (one-way requirements)
Voice traffic: smooth, benign, drop sensitive, delay sensitive, UDP priority
Latency ≤ 150 ms; jitter ≤ 30 ms; loss ≤ 1%
17-106 kbps guaranteed priority bandwidth per call
150 bps (+ layer 2 overhead) guaranteed bandwidth for voice-control traffic per call
QoS requirements for video-conferencing (one-way requirements)
Video traffic: bursty, greedy, drop sensitive, delay sensitive, UDP priority
Latency ≤ 150 ms; jitter ≤ 30 ms; loss ≤ 1%
Minimum priority bandwidth guarantee required is: video stream + 20%, e.g. a 384 kbps stream would require 460 kbps of priority bandwidth
QoS requirements for data
Data traffic: smooth/bursty, benign/greedy, drop insensitive, delay insensitive, TCP retransmits
Different applications have different traffic characteristics
Different versions of the same application can have different traffic characteristics
Classify data into a relative-priority model with no more than four classes:
Gold: mission-critical apps (ERP apps, transactions)
Silver: guaranteed bandwidth (intranet, messaging)
Bronze: best effort (email, Internet)
Less-than-best-effort: scavenger (FTP, backups, Napster/Kazaa)
IntServ / DiffServ models
Best Effort: the original IP service, no state
IntServ / RSVP: per-application-flow reservation, per-flow state
DiffServ: per-class-of-service bandwidth reservation, SLA
Differentiated Services: sharing resources via classes of service
Platinum: voice (ToIP / video), real-time queue (EF = RFC 3246)
Gold and Silver: Premium IP and guaranteed service (AF = RFC 2597), guaranteed bandwidth with a low level of drop, for e-commerce/e-business (ERP, SCM, ...) and legacy (SNA, ...) traffic
Streaming: video distribution, guaranteed service (AF = RFC 2597), minimum/maximum controlled
Bronze: e-mail, web; best effort, minimum bandwidth guaranteed, high level of overbooking
Architecture RFC 2474, 2475: the DS field (RFC 2474) holds the DSCP plus the CU bits
DiffServ architecture: RFC 2475
[Figure: traffic classified into VoIP, business and best-effort classes at the edge, then shaped, policed and queued at the access and in the core]
Design approach to enabling QoS
[Figure: campus, IP WAN, branch office, PSTN]
Classification: mark the packets with a specific priority denoting a requirement for class of service from the network
Trust boundary: define and enforce a trust boundary at the network edge
Provisioning: accurately calculate the required bandwidth for all applications plus element overhead
Scheduling: assign packets to one of multiple queues (based on classification) for expedited treatment throughout the network; use congestion avoidance for data
QoS tools mapped to design requirements
[Figure: campus, IP WAN, branch office with SRST router, PSTN; bandwidth provisioning on the WAN]
Campus access: inline power, multiple queues, 802.1Q/p, DSCP, fast link convergence
Campus distribution: multiple queues, 802.1Q/p, DSCP
WAN aggregator: LLQ, CBWFQ, WRED, LFI/FRF.12, cRTP, FRTS, dTS, DSCP
Branch router: LLQ, CBWFQ, WRED, LFI/FRF.12, cRTP, FRTS, 802.1Q/p, DSCP, NBAR
Branch switch: inline power, multiple queues, 802.1Q/p
QoS Toolset
Classification
Policing / Shaping
Scheduling / Queueing
Congestion Avoidance
Classification tools: Ethernet 802.1Q Class of Service
[Figure: Ethernet frame: preamble, SFD, DA, SA, 802.1Q/p tag (4 bytes: PRI, CFI, VLAN ID), PT, data, FCS; three bits are used for CoS (802.1p user priority)]
• 802.1p user priority field, also called Class of Service (CoS)
• Different types of traffic are assigned different CoS values
• CoS 6 and 7 are reserved for network use
CoS / application:
0 Best effort data
1 Medium priority data
2 High priority data
3 Call signaling
4 Video conferencing
5 Voice bearer
6 Reserved
7 Reserved
Classification tools: IPv4 IP Precedence and DiffServ Code Points
[Figure: IPv4 packet: version, length, ToS byte, len, ID, offset, TTL, proto, FCS, IP SA, IP DA, data. ToS byte bits 7..0: standard IPv4 uses the top three bits as IP Precedence and leaves the rest unused; the DiffServ extensions use the top six bits as the DiffServ Code Point (DSCP) and the last two for flow control]
• IPv4: the three most significant bits of the ToS byte are called IP Precedence (IPP); the other bits are unused
• DiffServ: the six most significant bits of the ToS byte are called DiffServ Code Point (DSCP); the remaining two bits are used for flow control
• DSCP is backward-compatible with IP Precedence
Classification tools: QoS classification summary
L2 classification: CoS and MPLS EXP; L3 classification: IPP, PHB and DSCP

    Application                 CoS  MPLS EXP  IPP  PHB   DSCP
    Reserved                    7    7         7    -     56-63
    Reserved                    6    6         6    -     48-55
    Voice bearer                5    5         5    EF    46
    Video conferencing          4    4         4    AF41  34
    Call signaling              3    3         3    AF31  26
    High priority data          2    2         2    AF2y  18,20,22
    Medium priority data        1    1         1    AF1y  10,14,16
    Best effort data            0    0         0    BE    0
    Less-than-best-effort data  0    0         0    -     2,4,6
Classification tools: Network-Based Application Recognition
[Figure: NBAR looks beyond the frame (MAC/CoS, DE/CLP/MPLS EXP) and the IP packet (ToS/DSCP, source IP, destination IP) into the TCP/UDP segment (source port, destination port) and the data payload]
NBAR PDLMs: citrix, http, nntp, ssh, cuseeme, custom, exchange, fasttrack, ftp, gnutella, imap, irc, kerberos, ldap, napster, netshow, notes, novadigm, pcanywhere, pop3, realaudio, rcmd, smtp, snmp, socks, sqlserver, sqlnet, sunrpc, streamwork, syslog, telnet, secure-telnet, tftp, vdolive, xwindows
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 57
Classification Tools: Trust Boundaries

• A device is trusted if it correctly classifies packets
• For scalability, classification should be done as close to the edge as possible
• The outermost trusted devices represent the trust boundary
• 1 and 2 are optimal, 3 is acceptable (if the access switch cannot perform classification)

Figure: Endpoints (1), Access (2), Distribution (3), Core, WAN Aggregation; the trust boundary can be placed at position 1, 2 or 3.

Classification Tools: Connecting the IP Phone

Figure: Catalyst 6000 switch port running an 802.1Q trunk with 802.1p Layer 2 CoS. IP Phone 10.1.110.3 on the Auxiliary VLAN = 110; Desktop PC 171.1.10.3 on the PC VLAN = 10, which is the Native VLAN (PVID); no configuration changes are needed on the PC.

Classification Tools: Extended Trust

• A new concept of assigning trust to a device not directly connected to the switch port
• Allows an intermediate "trusted" device to modify the priority assigned by the downstream device
• The Trust Boundary feature will allow specification (via CDP) of the priority of the downstream (un-trusted) device by the trusted device

Figure: switch, Trusted Device, Un-Trusted Device sending Data.

Classification Tools: PC CoS Settings Are Not Trusted

Figure: frames leave the PC marked CoS=5 and are re-marked to CoS=0 at the trust boundary.

Policers and Shapers

• Policers typically drop traffic (no buffering, TCP retransmit); bi-directional
• Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops

Figure: traffic shaping limits the transmit rate to a value lower than the line rate. Without traffic shaping, bursts go out at the line rate; with traffic shaping, traffic is held at the shaped rate.

Traffic Shaping and Policing Mechanisms

Shaping mechanisms:
• Class-based shaping
• Frame Relay traffic shaping (FRTS)
• Generic traffic shaping (GTS)

Policing mechanisms:
• Two rate policer
• Class-based policing
• Committed access rate (CAR)

RFC 2697: Single Rate Policer

Bc = Burst Committed: Bc = CIR * Tc (Be = Burst Excess)

Figure: two token buckets, Bc and Be; tokens that overflow the Bc bucket fill the Be bucket.

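As an added example (not code from the deck), here is an RFC 2697 single-rate three-colour marker in colour-blind mode with the Bc/Be buckets described above; the class and function names, packet sizes and arrival times are the editor's constructions.

```python
# Added example, not from the original deck: an RFC 2697 single-rate
# three-colour marker in colour-blind mode. Tokens arrive at CIR into the
# committed bucket (size Bc); tokens that overflow Bc fill the excess bucket
# (size Be). Class and function names, packet sizes and timings are constructed.

def committed_burst_bytes(cir_bps: int, tc_seconds: float) -> int:
    """Bc = CIR * Tc, expressed in bytes (CIR is in bits per second)."""
    return int(cir_bps * tc_seconds / 8)


class SingleRatePolicer:
    def __init__(self, cir_bps: int, bc_bytes: int, be_bytes: int):
        self.rate = cir_bps / 8.0                 # token arrival rate, bytes/s
        self.bc, self.be = bc_bytes, be_bytes
        self.tc, self.te = bc_bytes, be_bytes     # both buckets start full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        tokens = (now - self.last) * self.rate
        self.last = now
        room = self.bc - self.tc
        self.tc += min(tokens, room)
        # whatever does not fit in Bc overflows into Be, up to its size
        self.te = min(self.be, self.te + max(0.0, tokens - room))

    def mark(self, now: float, size: int) -> str:
        """Colour a packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if size <= self.tc:          # conforms to the committed rate
            self.tc -= size
            return "green"
        if size <= self.te:          # exceeds CIR but fits the excess burst
            self.te -= size
            return "yellow"
        return "red"                 # violates: a policer typically drops it


def police(stream, cir_bps: int, bc_bytes: int, be_bytes: int) -> list:
    """stream = [(arrival_time_s, size_bytes), ...] in arrival order."""
    p = SingleRatePolicer(cir_bps, bc_bytes, be_bytes)
    return [p.mark(t, size) for t, size in stream]
```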
Scheduling Tools: Queuing Algorithms

• Congestion can occur at any point in the network where there are speed mismatches
• Low-Latency Queuing (LLQ) is used for highest-priority traffic (voice/video)
• Class-Based Weighted-Fair Queuing (CBWFQ) is used for guaranteeing bandwidth to data applications

Figure: Voice, Video and Data packets arriving on separate queues and being scheduled onto the outgoing link.

Output Interface Queue Structure

Figure: Forwarder -> Software Queuing System (any supported queuing mechanism) -> Hardware Queue (TxQ, always FIFO) -> Output Interface.

• Each interface has its hardware and software queuing system.
• The hardware queuing system (transmit queue, or TxQ) always uses FIFO queuing.
• The software queuing system can be selected and configured depending on the platform and Cisco IOS version.

Class-Based Queueing

Figure: packets are classified by DSCP, TOS or ACL into classes. Expedite: LLQ with strict priority (15%), multiple LLQ classes with a max bandwidth and shaping. Business: CB-WFQ (20%, 30%). Normal / Best Effort: FB-WFQ. WRED thresholds per class or overall. All classes feed the Transmit Queue.

Scheduling Tools: Congestion Avoidance Algorithms

Figure: Tail Drop versus WRED on a queue holding packets of classes 0 to 3.

• Queueing algorithms manage the front of the queue, i.e. which packets get transmitted first
• Congestion Avoidance algorithms, like Weighted-Random Early-Detect (WRED), manage the tail of the queue, i.e. which packets get dropped first when queueing buffers fill
• WRED can operate in a DiffServ compliant mode which will drop packets according to their DSCP markings
• WRED works best with TCP-based applications, like Data

Provisioning Tools: Link-Fragmentation and Interleaving

• Serialization delay is the finite amount of time required to put frames on a wire
• For links ≤ 768 kbps serialization delay is a major factor affecting latency and jitter
• For such slow links, large data packets need to be fragmented and interleaved with smaller, more urgent voice packets

Figure: without LFI a Voice packet waits behind a large DATA packet and serialization can cause excessive delay; with fragmentation and interleaving the DATA fragments alternate with Voice packets and serialization delay is minimized.

Fragment Size Recommendations: LFI Fragment Information

Serialization Delay Matrix

Link speed   64 Bytes   128 Bytes   256 Bytes   512 Bytes   1024 Bytes   1500 Bytes
56 kbps      9 ms       18 ms       36 ms       72 ms       144 ms       214 ms
64 kbps      8 ms       16 ms       32 ms       64 ms       128 ms       187 ms
128 kbps     4 ms       8 ms        16 ms       32 ms       64 ms        93 ms
256 kbps     2 ms       4 ms        8 ms        16 ms       32 ms        46 ms
512 kbps     1 ms       2 ms        4 ms        8 ms        16 ms        23 ms
768 kbps     640 usec   1.2 ms      2.6 ms      5 ms        10 ms        15 ms

Fragmentation Size Matrix (based on 10 msec delay)

Link speed   Frag size
56 kbps      70 Bytes
64 kbps      80 Bytes
128 kbps     160 Bytes
256 kbps     320 Bytes
512 kbps     640 Bytes
768 kbps     1000 Bytes
1536 kbps    2000 Bytes (marked X on the slide)

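The arithmetic behind both matrices, as an added example that is not part of the deck: serialization delay is packet bits divided by link rate, and the fragment size for a delay target is target times rate divided by 8. The function names are the editor's; the slide's cells are rounded or approximated, so a few computed values differ from the table by a millisecond or so.

```python
# Added example, not from the original deck: the arithmetic behind the two
# matrices above. Serialization delay = packet bits / link rate; the fragment
# size for a delay target = target * link rate / 8. Function names are assumptions.
import math

LFI_THRESHOLD_KBPS = 768   # slide: LFI matters for links <= 768 kbps


def serialization_delay_ms(packet_bytes: int, link_kbps: int) -> float:
    """Time to put `packet_bytes` on a `link_kbps` wire, in milliseconds."""
    return packet_bytes * 8 / link_kbps      # bits / (kbit/s) = ms


def fragment_size_bytes(link_kbps: int, target_ms: float = 10.0) -> int:
    """Largest fragment whose serialization delay stays within target_ms."""
    return int(link_kbps * target_ms / 8)


def fragments_needed(packet_bytes: int, link_kbps: int, target_ms: float = 10.0) -> int:
    return math.ceil(packet_bytes / fragment_size_bytes(link_kbps, target_ms))


def voice_wait_ms(data_bytes: int, link_kbps: int, lfi: bool, target_ms: float = 10.0) -> float:
    """Worst-case time a voice packet waits behind one data packet: the whole
    packet without LFI, only one fragment with LFI on a slow link."""
    if lfi and link_kbps <= LFI_THRESHOLD_KBPS:
        return serialization_delay_ms(fragment_size_bytes(link_kbps, target_ms), link_kbps)
    return serialization_delay_ms(data_bytes, link_kbps)


def delay_matrix(link_speeds_kbps, packet_sizes):
    """{link_kbps: {packet_bytes: delay_ms}} rounded to whole ms, as on the slide."""
    return {link: {size: round(serialization_delay_ms(size, link))
                   for size in packet_sizes} for link in link_speeds_kbps}
```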
Provisioning for Voice: VoIP Bandwidth Reference Tables

CODEC    Sampling Rate   Voice Payload in Bytes   Packets per Second   Bandwidth per Conversation
G.711    20 msec         160                      50                   80 kbps
G.711    30 msec         240                      33                   74 kbps
G.729A   20 msec         20                       50                   24 kbps
G.729A   30 msec         30                       33                   19 kbps

A more accurate method for provisioning is to include the Layer 2 overhead in the bandwidth calculations:

CODEC              802.1Q Ethernet   MLP             Frame-Relay    ATM
                   + 32 L2 Bytes     + 13 L2 Bytes   + 8 L2 Bytes   + Variable L2 Bytes (Cell Padding)
G.711 at 50 pps    93 kbps           86 kbps         84 kbps        106 kbps
G.711 at 33 pps    83 kbps           78 kbps         77 kbps        84 kbps
G.729A at 50 pps   37 kbps           30 kbps         28 kbps        43 kbps
G.729A at 33 pps   27 kbps           22 kbps         21 kbps        28 kbps

Provisioning for Voice: Call Admission Control (CAC): Why Is It Needed?

Figure: Circuit-Switched Networks: a PBX reaches the PSTN over Physical Trunks, so the trunks bound the number of calls. Packet-Switched Networks: CallManager, Router/Gateway and an IP WAN link provisioned for 2 VoIP calls (equivalent to 2 "virtual" trunks); the 3rd call is rejected (STOP).

• No physical limitation on IP links
• If the 3rd call is accepted, voice quality of all calls degrades
• CAC limits the number of VoIP calls on each WAN link

WAN Scheduling Design Principles

• LLQ (Voice) + LLQ (Video) ≤ 33% of Link Capacity
• LLQ (Voice) + LLQ (Video) + CBWFQ (All Data) ≤ 75% of Link Capacity

Figure: Link Capacity split into Voice, Video and Voice/Video Control (together 33% of Link), Data (filling up to 75% of Link Capacity), and Reserved for Routing + L2 Overhead.

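As an added example (not from the deck), the following computes the per-call bandwidth of the reference tables, including the Layer 2 overheads, and applies the 33% LLQ rule above as a CAC limit on the number of calls. The function names are the editor's; the 40-byte IP/UDP/RTP header, the 8-byte AAL5 trailer and the 48-byte ATM cell payload are standard values the slide does not state, and a few table cells are rounded differently from the computed value (e.g. G.711/MLP computes to 85.2 kbps, the table shows 86).

```python
# Added example, not from the original deck: per-call VoIP bandwidth with the
# Layer 2 overheads from the reference tables, and the number of calls a WAN
# link can admit under the "LLQ (Voice) + LLQ (Video) <= 33% of link" rule.
# Function names are assumptions; the 40-byte IP/UDP/RTP header, the 8-byte
# AAL5 trailer and 48-byte ATM cell payload are standard values not on the slide.
import math

IP_UDP_RTP_BYTES = 40
CODEC_BYTES_PER_MS = {"G.711": 8, "G.729A": 1}        # 64 kbps and 8 kbps codecs
L2_OVERHEAD_BYTES = {"802.1Q Ethernet": 32, "MLP": 13, "Frame-Relay": 8}


def call_bandwidth_kbps(codec: str, sample_ms: int, l2: str = "") -> float:
    """Bandwidth of one conversation (one direction) in kbps."""
    payload = CODEC_BYTES_PER_MS[codec] * sample_ms  # 160 bytes for G.711 / 20 ms
    packet = payload + IP_UDP_RTP_BYTES
    if l2 == "ATM":
        cells = math.ceil((packet + 8) / 48)         # AAL5 trailer, cell padding
        packet = cells * 53
    elif l2:
        packet += L2_OVERHEAD_BYTES[l2]
    pps = 1000 / sample_ms                           # 50 pps at 20 ms, 33 at 30 ms
    return packet * 8 * pps / 1000


def llq_budget_kbps(link_kbps: int, share: float = 0.33) -> float:
    """Strict-priority budget: voice + video LLQ must stay within 33% of the link."""
    return link_kbps * share


def calls_admitted(link_kbps: int, codec: str, sample_ms: int, l2: str,
                   video_kbps: float = 0.0) -> int:
    """CAC: how many calls fit in the LLQ budget once video has been reserved."""
    remaining = llq_budget_kbps(link_kbps) - video_kbps
    if remaining <= 0:
        return 0
    return int(remaining // call_bandwidth_kbps(codec, sample_ms, l2))
```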
Management Tools

• QoS is efficiently scaled with a centralized management server
• QoS deployment is best followed by ongoing monitoring to ensure that targeted service levels are being provided
• QoS policies need periodic tuning to adjust to changing business needs

show policy

WAN-AGG-7200#show policy
  Policy Map WAN-EDGE
    Class VOICE
      Weighted Fair Queueing
            Strict Priority
            Bandwidth 17 (%)
    Class VIDEO
      Weighted Fair Queueing
            Strict Priority
            Bandwidth 16 (%) Burst 30000 (Bytes)
    Class VOICE-CONTROL
      Weighted Fair Queueing
            Bandwidth 2 (%) Max Threshold 64 (packets)
    Class GOLD-DATA
      Weighted Fair Queueing
            Bandwidth 25 (%)
            exponential weight 9
            dscp    min-threshold    max-threshold    mark-probablity
            ----------------------------------------------------------
            …
            af21    -                -                1/10
            af22    -                -                1/10
            af23    -                -                1/10
            …

show policy interface

WAN-AGG-7200#show policy interface multilink 1
 Multilink1
  Service-policy output: WAN-EDGE
    Class-map: VOICE (match-all)
      235728 packets, 45259776 bytes
      30 second offered rate 512000 bps, drop rate 0 bps
      Match: ip dscp 46
      Weighted Fair Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 17 (%)
        Bandwidth 522 (kbps) Burst 13050 (Bytes)
        (pkts matched/bytes matched) 235729/45259968
        (total drops/bytes drops) 0/0
    Class-map: VIDEO (match-all)
      64405 packets, 42852720 bytes
      30 second offered rate 485000 bps, drop rate 0 bps
      Match: ip dscp 34
      Weighted Fair Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 16 (%)
        Bandwidth 491 (kbps) Burst 30000 (Bytes)
        (pkts matched/bytes matched) 64538/42941550
        (total drops/bytes drops) 0/0

show policy interface (continued) – Gold Data

    Class-map: GOLD-DATA (match-any)
      93422 packets, 118192896 bytes
      30 second offered rate 1336000 bps, drop rate 32000 bps
      Match: ip dscp 18
        24386 packets, 36676544 bytes
        30 second rate 415000 bps
      Match: ip dscp 20
        33676 packets, 41488832 bytes
        30 second rate 469000 bps
      Match: ip dscp 22
        35360 packets, 40027520 bytes
        30 second rate 451000 bps
      Weighted Fair Queueing
        Output Queue: Conversation 266
        Bandwidth 25 (%)
        Bandwidth 768 (kbps)
        (pkts matched/bytes matched) 93816/118691420
        (depth/total drops/no-buffer drops) 29/2327/0
         exponential weight: 9
         mean queue depth: 28

  dscp   Transmitted      Random drop    Tail drop    Minimum   Maximum   Mark
         pkts/bytes       pkts/bytes     pkts/bytes   thresh    thresh    prob
  …
  af21   24489/36831456   98/14700       0/0          32        40        1/10
  af22   33061/40732666   458/932340     0/0          28        40        1/10
  af23   33990/38479822   571/1775230    0/0          24        40        1/10

Callout on the slide, pointing at the depth and drop counters: deep queues + drops

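As an added example (not from the deck), this Python models the DSCP-based WRED behaviour of the Congestion Avoidance slide using the GOLD-DATA parameters shown above: exponential weight 9, mark probability 1/10 and the per-DSCP minimum/maximum thresholds 32/40 (af21), 28/40 (af22) and 24/40 (af23). The function names and queue-depth samples are the editor's constructions.

```python
# Added example, not from the original deck: DSCP-based WRED as configured on
# the GOLD-DATA class above (exponential weight 9, mark probability 1/10,
# per-DSCP min/max thresholds 32/40, 28/40, 24/40). The thresholds are read off
# the show output; function names and queue-depth samples are constructed.

# dscp -> (minimum threshold, maximum threshold, mark probability denominator)
WRED_PROFILE = {"af21": (32, 40, 10), "af22": (28, 40, 10), "af23": (24, 40, 10)}


def update_average_depth(avg: float, current_depth: int, exp_weight: int = 9) -> float:
    """Moving average: avg = avg*(1 - 2^-n) + current*2^-n, n = exponential weight.
    With n = 9 the average follows the instantaneous depth slowly, so short
    bursts do not trigger drops."""
    w = 1.0 / (1 << exp_weight)
    return avg * (1.0 - w) + current_depth * w


def drop_probability(avg_depth: float, dscp: str) -> float:
    """0 below the min threshold, 1 at or above the max threshold, and a linear
    ramp up to 1/denominator in between."""
    mn, mx, denom = WRED_PROFILE[dscp]
    if avg_depth < mn:
        return 0.0
    if avg_depth >= mx:
        return 1.0
    return (avg_depth - mn) / (mx - mn) / denom


def wred_decision(avg_depth: float, dscp: str, draw: float) -> str:
    """draw is a uniform value in [0, 1). 'tail-drop' mirrors the show output's
    Tail drop column (average depth at or beyond the maximum threshold)."""
    _, mx, _ = WRED_PROFILE[dscp]
    if avg_depth >= mx:
        return "tail-drop"
    return "random-drop" if draw < drop_probability(avg_depth, dscp) else "transmit"


def simulate(depths, dscp: str, draws, exp_weight: int = 9, avg: float = 0.0) -> dict:
    """Run one packet per (queue depth, random draw) pair and count outcomes.
    Lower-precedence AF23 (min threshold 24) starts dropping before AF21 (32)."""
    counts = {"transmit": 0, "random-drop": 0, "tail-drop": 0}
    for depth, draw in zip(depths, draws):
        avg = update_average_depth(avg, depth, exp_weight)
        counts[wred_decision(avg, dscp, draw)] += 1
    return counts
```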
A KEY element: network administration

Objectives
1. Make device configuration easier
   – Embedded management
   – Large-scale deployment
2. Manage SLAs
3. Provide visibility: NBAR and NetFlow instrumentation

Means
1. Instrumentation:
   – SLA: IOS IPSLA, CBQOS, CorviL
   – Visibility: NBAR, NetFlow, RMON2 and extensions
2. Integrated tools
3. Software platforms

Security Device Manager (SDM): embedded management

• Graphical configuration of the whole ISR range
• Wizards and tools for management and configuration of:
  • LAN/WAN/VLAN interfaces
  • VPN: Easy VPN, DMVPN
  • Firewall, IPS
  • Routing
  • QoS, NBAR
  • NAC
• Secure SSH connection
• Auto-secure function: One Touch Router Lock-down, Auto Secure

Large-scale deployment: CNS agents and CNS Configuration Engine

Cisco Configuration Engine
• Configuration and network provisioning solution supporting up to 5000 Cisco CPEs per appliance.
• Secured communications between the CNS agents embedded in the devices' IOS and the Configuration Engine.
• Distribution of upgrades or modifications across a fleet of Cisco ISR routers, whatever the access technology.
• Embedded application (web GUI)
• Flexible technology for generating configuration templates (Velocity template)
• XML-SOAP and Java/C++ based programming interface

Zero Touch Deployment

Figure: ISR at the remote site, SP/Enterprise Core, Configuration Engine.

• The ISR is shipped with a generic bootstrap, either from Cisco manufacturing (Cisco Configuration Express) or from the distributor. Technicians connect the cables and power it on.
• With the bootstrap configuration:
  • the ISR synchronizes to obtain L1/L2 connectivity
  • the ISR obtains an IP address (aggregator)
• The ISR contacts the Cisco Configuration Engine:
  • unique identification
  • configuration request over an SSL-encrypted link
• The ISR notifies the Cisco Configuration Engine of the deployment result; customer services can now be provisioned.

SLA management

Metrics
• Availability: Mean Time to Diagnose (MTD), Mean Time To Repair (MTTR), Mean Time Between Failure (MTBF)
• Performance of differentiated services: bandwidth, latency, packet loss, latency variation (jitter), MOS

Enterprise and Small/Medium Business: understand network performance and ease deployment; verify service levels, verify outsourced SLAs.
Service Providers: measure and provide SLAs.

• Process for handling anomalies
• Commitments on return to normal
• Penalties

Performance measurement strategy

Sampling method           Observed          Synthetic
Collection method         External probes   Embedded agent
Measurement perspective   User              Network

Measurement technologies

Cisco IPSLAs
MEASURES: Latency and Jitter Between Source Router and Specified Target
Sampling: Active. Collection: Embedded. Scope: Link/End-to-End. Perspective: User/Network.

NBAR/NAM/CBQOS/CORVIL
MEASURES: Response Time of Live Application Traffic to Server Device, QoS
Sampling: Passive. Collection: External Probe/Embedded. Scope: Link/End-to-End. Perspective: User/Network.

SNMP MIBs and Embedded Event Management
MEASURES: CPU/Memory Utilization, Availability, QoS
Sampling: Passive. Collection: Embedded. Scope: Device/Link. Perspective: User/Network.

Cisco CallManager
MEASURES: Voice Calls, Voice Quality, Cisco CallManager Performance
Sampling: Passive. Collection: Embedded. Scope: Link/End-to-End. Perspective: User/Network.

NetFlow
MEASURES: Device Interface Traffic Rate by S/D IP Address, Port Number or AS
Sampling: Passive. Collection: Embedded. Scope: Link/End-to-End. Perspective: Network.

Multi-protocol measurements with Cisco IOS IP SLA

Figure: Cisco IOS Software IP SLAs on the Source sends actively generated traffic (defined packet size, spacing, COS and protocol) to a Destination, which is an IP Server or a Cisco IOS Software IP SLAs Responder; the results are exposed as MIB data.
• Operations: Network Performance Monitoring, Service Level Agreement (SLA) Monitoring, Network Assessment, Multiprotocol Label Switching (MPLS) Monitoring, VoIP Monitoring, Availability, Trouble Shooting
• Measurement metrics: Latency, Network Jitter, Distribution of Stats, Connectivity, Packet Loss
• Applications/protocols: FTP, DNS, DHCP, TCP, Jitter, ICMP, UDP, DLSW, HTTP, LDP, H.323, SIP, RTP, Radius, Video

IP SLA operation

Figure: a Management Application configures the Source router; the Source measures performance towards Targets (an IP Host or an IP SLAs Responder) and can trigger other operations based on thresholds/timeouts.

1. Configure source router
2. If needed, configure responder
3. Schedule operations
4. If needed, set thresholds
5. Measure network
6. Poll SNMP or CLI for measurement results

Cisco IOS IP SLAs: Operation and Responder

Figure: timelines of the IP SLAs Source and the IP SLAs Target across the Network, with timestamps TS1 (request sent by the Source), TS2 (request received by the Target), TS3 (reply sent by the Target), TS4 (reply received by the Source) and TS5 (reply processed by the Source).

Round-Trip Delay (without Responder) = TS5 - TS1 - TProc(Source)
Round-Trip Delay (with Responder) = (TS5 - TS1) - TProc(Source) - TProc(Target)
One-Way Delay (with Responder) = TS2 - TS1
Source Processing Time: TProc = TS5 - TS4
Target Processing Time: TProc = TS3 - TS2

• Locally an IP SLAs packet will perceive the same scheduling latency as any packet from its class

Example: UDP Jitter operation

Figure: the IP SLAs source sends a train of packets with a constant interval across the IP Core; the Responder receives the train at an interval impacted by the network.

• The Responder adds a receive time stamp and calculates the delta (the processing time)
• The Responder replies to the packets (does not generate its own)
• Results: per-direction inter-packet delay (jitter), per-direction packet loss, average round-trip delay

Example: UDP Jitter operation

Figure: the IP SLAs source sends packets P1 and P2 with inter-packet interval i1 (send timestamps ST1, ST2); across the IP Core the Responder receives them with interval i2 (receive timestamps RT1, RT2) and replies after processing delays d1, d2 (at RT1+d1, RT2+d2); the reflected packets arrive back at the source with interval i3 (timestamps AT1, AT2).

STx = sent timestamp for packet x.
RTx = receive timestamp for packet x (at the Responder).
ATx = receive timestamp for packet x (back at the source).
dx = processing time spent between packet arrival and treatment.

Each packet contains STx, RTx, ATx and dx. The source can now calculate:
JitterSD = (RT2 - RT1) - (ST2 - ST1) = i2 - i1
JitterDS = (AT2 - AT1) - ((RT2 + d2) - (RT1 + d1)) = i3 - i2

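The source-side arithmetic of the UDP jitter operation and of the responder timestamps, as an added example that is not part of the deck, using the slide's symbols (ST, RT, AT, d and TS1..TS5); the function names and the timestamps (in milliseconds) are the editor's constructions.

```python
# Added example, not from the original deck: the source-side arithmetic of the
# UDP jitter operation and of the responder timestamps, using the slide's
# symbols (ST, RT, AT, d; TS1..TS5). Timestamps below are constructed, in ms.

def round_trip_delay(ts1, ts2, ts3, ts4, ts5):
    """With Responder: (TS5 - TS1) - TProc(Source) - TProc(Target),
    where TProc(Source) = TS5 - TS4 and TProc(Target) = TS3 - TS2."""
    return (ts5 - ts1) - (ts5 - ts4) - (ts3 - ts2)


def one_way_delay(ts1, ts2):
    """With Responder: TS2 - TS1 (meaningful only with synchronized clocks)."""
    return ts2 - ts1


def udp_jitter(packets):
    """packets: list of {"ST", "RT", "AT", "d"} for consecutive packets of the
    train; RT or AT is None when the packet was lost in that direction.
    Returns (JitterSD list, JitterDS list, loss_sd, loss_ds, average RTT)."""
    loss_sd = sum(1 for p in packets if p["RT"] is None)
    loss_ds = sum(1 for p in packets if p["RT"] is not None and p["AT"] is None)
    got = [p for p in packets if p["RT"] is not None and p["AT"] is not None]
    jitter_sd, jitter_ds = [], []
    for a, b in zip(got, got[1:]):
        # source -> destination: (RT2 - RT1) - (ST2 - ST1) = i2 - i1
        jitter_sd.append((b["RT"] - a["RT"]) - (b["ST"] - a["ST"]))
        # destination -> source: (AT2 - AT1) - ((RT2 + d2) - (RT1 + d1)) = i3 - i2
        jitter_ds.append((b["AT"] - a["AT"]) - ((b["RT"] + b["d"]) - (a["RT"] + a["d"])))
    # round trip excludes the responder's processing time d
    rtts = [p["AT"] - p["ST"] - p["d"] for p in got]
    avg_rtt = sum(rtts) / len(rtts) if rtts else None
    return jitter_sd, jitter_ds, loss_sd, loss_ds, avg_rtt
```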
Class-Based QoS MIB (CBQoS MIB)

The CBQoS MIB exposes the statistics of the differentiated services (per class of service):
– Traffic before the QoS policy is applied
– Traffic after the QoS policy is applied

• Shows that the QoS configuration is correct and that the QoS is effective.
• Using the CBQoS MIB is essential when QoS is deployed to carry IP telephony and/or business-critical applications.
• Within each class of service the bandwidth can be estimated automatically against an SLA (latency, packet loss).

Class Map Stats Table

Figure: per-class counters (Bronze, Silver, Gold). Before QoS: CMPrePolicyPkt, CMPrePolicyByte. After QoS policies have been applied: CMPostPolicyPkt, CMDropPkt, CMDropByte, CMNoBufDropPkt. Drop = Pre - Post.

NetFlow: how it works

Figure: the NetFlow cache holds one entry per flow: flow identifiers (7 keys) and flow data (other data); packets matching an existing entry update its flow data; expired entries are exported.

The 7 criteria identifying a flow: Source IP address, Destination IP address, Source port, Destination port, Layer 3 protocol, TOS byte, Input interface ifIndex.

Main uses

Service Provider           Enterprise
Peering arrangements       Internet access monitoring (protocol distribution, where traffic is going/coming)
Network planning           User monitoring
Traffic engineering        Application monitoring
Accounting and billing     Charge back billing for departments
Security monitoring        Security monitoring

NetFlow Cache: example

1. Create and update flows in the NetFlow cache

SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1745    4
Fa1/0  173.100.3.2   Fa0/0  10.0.227.12  6         40   0     2491   15       /26     196    15       /24     15     10.0.23.2  740        41.5    1
Fa1/0  173.100.20.2  Fa0/0  10.0.227.12  11        80   10    10000  00A1     /24     180    00A1     /24     15     10.0.23.2  1428       1145.5  3
Fa1/0  173.100.6.2   Fa0/0  10.0.227.12  6         40   0     2210   19       /30     180    19       /24     15     10.0.23.2  1040       24.5    14

2. Expiration
• Inactive timer expired (15 sec is default)
• Active timer expired (30 min (1800 sec) is default)
• NetFlow cache is full (oldest flows are expired)
• RST or FIN TCP flag

Expired flow:
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11  80  10  11000  00A2  /24  5  00A2  /24  15  10.0.23.2  1528  1800  4

3. Aggregation
i.e. with the protocol-port aggregation scheme the flow becomes:
Protocol  Pkts   SrcPort  DstPort  Bytes/Pkt
11        11000  00A2     00A2     1528

4. Export version
• Aggregated flows: export Version 8 or 9
• Non-aggregated flows: export Version 5 or 9

5. Transport protocol
Export packet = Header + Payload (flows); 30 flows per 1500 byte export packet

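As an added example (not code from the deck), the following models a NetFlow-style cache keyed on the seven flow identifiers, the four expiration rules of step 2 and the protocol-port aggregation of step 3; the class and function names and the packet trace are the editor's constructions.

```python
# Added example, not from the original deck: a NetFlow-style cache keyed on the
# seven flow identifiers, with the expiration rules listed above (inactive timer
# 15 s, active timer 1800 s, TCP RST/FIN, cache full) and the protocol-port
# aggregation of step 3. Class names and the packet trace are constructed.
from dataclasses import dataclass

TCP, UDP = 6, 17
FIN, RST = 0x01, 0x04
INACTIVE_TIMEOUT_S = 15
ACTIVE_TIMEOUT_S = 1800


@dataclass
class FlowData:
    first_seen: float
    last_seen: float
    pkts: int = 0
    octets: int = 0
    flags: int = 0        # cumulative TCP flags


class NetFlowCache:
    def __init__(self, max_flows: int = 4):
        self.max_flows = max_flows
        self.flows = {}            # key (7-tuple) -> FlowData
        self.expired = []          # (key, FlowData, reason), in expiry order

    def update(self, now, src_ip, dst_ip, src_port, dst_port, proto, tos,
               in_ifindex, size, tcp_flags=0):
        key = (src_ip, dst_ip, src_port, dst_port, proto, tos, in_ifindex)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.max_flows:   # cache full: expire the oldest flow
                oldest = min(self.flows, key=lambda k: self.flows[k].last_seen)
                self._expire(oldest, "cache-full")
            flow = self.flows[key] = FlowData(first_seen=now, last_seen=now)
        flow.pkts += 1
        flow.octets += size
        flow.last_seen = now
        flow.flags |= tcp_flags
        if proto == TCP and tcp_flags & (FIN | RST):
            self._expire(key, "fin-rst")

    def age(self, now):
        """Run the inactive and active timers; call periodically."""
        for key, flow in list(self.flows.items()):
            if now - flow.last_seen >= INACTIVE_TIMEOUT_S:
                self._expire(key, "inactive")
            elif now - flow.first_seen >= ACTIVE_TIMEOUT_S:
                self._expire(key, "active")

    def _expire(self, key, reason):
        self.expired.append((key, self.flows.pop(key), reason))


def aggregate_protocol_port(expired):
    """Step 3: collapse expired flows on (protocol, src port, dst port)."""
    agg = {}
    for (_, _, sport, dport, proto, _, _), flow, _ in expired:
        p, b = agg.get((proto, sport, dport), (0, 0))
        agg[(proto, sport, dport)] = (p + flow.pkts, b + flow.octets)
    return agg
```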
NetFlow: infrastructure

• Router/Switch (Cisco): cache creation, data export, aggregation
• Collector (Cisco and Partners): collection, filtering, aggregation, storage
• Applications (Partners): data processing, data presentation; accounting and billing, network planning
• RMON/NAM feeds an RMON application

Protocol discovery: Network-Based Application Recognition (NBAR)

• Analyses data from L3 to L7
• Used in classification
• "Stateful inspection" for traffic using dynamic ports
• PDLM (Packet Description Language Modules) to define applications
• Configurable recognition criteria to identify TCP- or UDP-based applications
• NBAR-PROTOCOL-DISCOVERY MIB: bit/s, bytes, packets

Figure: NBAR at the Internet edge telling Voice Traffic, Video Traffic, Data Traffic and P2P apart; provides application volumes, MQC packet classification and flexible threshold notifications.

Integrated analysis probes

"Visibility" built into the network

• Platforms: Catalyst 6500/7600 (hardware NAM); multiservice access routers 2600/3660/3700/ISR2800/ISR3800
• Layer 3-7: RMON I, II, HCRMON, SMON, DSMON, ART, Voice Analysis
• Layer 2: mini-RMON, per port, per interface
• Data sources: SPAN, RSPAN (remote SPAN), NetFlow v1/5/6/7/8 (broad), VLAN ACL (specific)
• NAM analyser GUI (HTTP/S, SNMP): NAM configuration; aggregation/correlation of traffic data (including NetFlow)

NAM: real-time analysis

• 100 days of report history
• Detailed information that helps troubleshooting; complements third-party capacity planning tools
• Packet capture and decode
• Pre- and post-capture filters; save and export
• Capture triggered on predefined events
• History, reporting and isolation, troubleshooting

Objective: control latency/loss

Figure: latency/loss control levels versus applications. Levels: Uncontrolled (1 ms - 10 seconds); Low (<100 - 1000 ms, <0.1%); Very Low (<10 - 100 ms, <0.01%); Ultra Low (<1 - 10 ms, <0.001%). Applications, from least to most sensitive: FTP, HTTP, Web 2.0, Citrix, VoIP, Telepresence, Grid Computing, Algorithmic Trading. Traditional performance management tools address the upper range; the Bandwidth Quality Manager addresses the tightly controlled range.

In 100 ms on a 1 Gb/s LAN a lot can happen: up to 12 MB of data generated; ~100,000 packets can be lost!!

Diversity of application profiles
• Sensitivity to latency and to packet loss

Characteristics of today's IP networks
• Data centre consolidation and growing number of remote sites
• Cost of bandwidth
• LAN/WAN speed difference

Figure: DATA CENTER connected over the WAN to REMOTE SITEs.

Current tools are unable to detect, troubleshoot and determine what to do:
• Event granularity: millisecond
• Analysis in a QoS context

• Micro-congestion can lead to unpredictable application behaviour
• The probability of application performance problems increases
• Dynamic network congestion (micro bursts) impacts applications

The solution is not always obvious:
• More bandwidth (in the right place)
• QoS techniques (traffic shaping, priority queuing)

Figure: DATA CENTER connected over the WAN to REMOTE SITEs.

Latency measurement

Figure: Market Data feed (Gigabit Ethernet, monitored by a BQM 1180) across the WAN to Trading Client A (10 Mb/s, monitored by a BQM 2120), with further BQM 2120 appliances at the other sites (PNQM). Question: what is the latency of the Market Data Feed to Trading Client A? Traditional 1-second PING latency view: 99% latency of 4 ms. BQM PNQM latency view: 99% latency of 50 ms.

Traffic measurement

Figure: Citrix Metaframe (FastEthernet, monitored by a BQM 1180) across the WAN to Site A over a 2 Mb/s access link (0.5 Mb/s for the Citrix class). Question: what is the utilization of the access link to Site A? Traditional 5-minute view: 20% link utilization. BQM 5 ms view: 20,000% link utilization.

Bandwidth analysis

Figure: Citrix Metaframe (FastEthernet, monitored by a BQM 1180) across the WAN to Site A over a 2 Mb/s access link (0.5 Mb/s for the Citrix class).
• Question: what is the expected latency induced on the Site A link by Citrix traffic? BQM Expected Latency View: up to 330 ms of latency induced.
• Question: what is the bandwidth needed by Citrix to achieve no worse than 200 ms for 99.9% of packets? BQM Bandwidth Requirement View: upgrade to 2.5 Mb/s for the Citrix class required.

SLM solution

"Turning a Cisco Network into a powerful SLM solution"

Appliance with a central web portal bringing together:
• Performance measurements from the IP-SLA probes
• Analysis of the CBQoS (classes of service) and NBAR (protocol discovery) MIBs
• NetFlow traffic tracking
• Detailed graphs of the measurements

Scalable solution for:
• Tracking network SLAs ..... and VoIP infrastructures
• Preparing or improving the rollout of "critical" applications
