Application Visibility and Control for CLLE New England

DESCRIPTION

Application Visibility and Control (Bob Nusbaum presenter)

Page 1: Application Visibility and Control for CLLE New England

Local Edition

Page 2: Application Visibility and Control for CLLE New England

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

Local Edition

Application Visibility and Control: What’s in Your Network?

Bob Nusbaum
Senior Product Manager, Enterprise Networking Group
Cisco

Page 3: Application Visibility and Control for CLLE New England

The Network Needs To Evolve

Application complexity increases
“I know it’s HTTP – but what application is it?”

Cloud and Virtualization centralize application delivery
“From here it looks like it’s running just fine”

Multiple entities involved in delivering applications
“It’s from an outside cloud! How do you expect me to fix it?”

Page 4: Application Visibility and Control for CLLE New England

Real-Life Example: The iOS 7 Storm

Source: An actual customer’s branch WAN. Graphs from Cisco Prime Infrastructure 2.0.

Page 5: Application Visibility and Control for CLLE New England

Cisco Application Experience (AVC and WAAS)

• “What’s in Your Network?”
‒ “What applications make up my traffic load?”
‒ “What are end users experiencing?”
‒ “Where is the slow-down?”
‒ “What traffic is slowing down my critical apps?”

• “What are You Going to DO About It?”
‒ “Prioritize important applications; control the others”
‒ “Choose a path based on current application performance”
‒ “Optimize traffic to reduce latency and bandwidth usage”

Page 6: Application Visibility and Control for CLLE New England

Introducing Cisco Application Visibility and Control (AVC)

The Next Stage in the Evolution of Your Network

Page 7: Application Visibility and Control for CLLE New England

AVC Major Components

(Diagram; recovered labels)
• Classify: Protocol Packs, Protocol Definitions. “What are the apps?”
• Monitor by app: Basic Traffic, ART, Media
• Traffic Export: NetFlow to the NetFlow Collector / Mgmt App. Business Analytics: Crunch
• Control / Apply policy: Bandwidth, Route choice

Page 8: Application Visibility and Control for CLLE New England

What is An Application?

Are these applications?
HTTP, FTP, SMTP, POP3, IMAP, HTTPS

What about these? Or just ports?
80, 20/21, 25, 110, 143, 443

Page 9: Application Visibility and Control for CLLE New England

Network Based Application Recognition v2 (NBAR2)

• Cisco standard protocol classification mechanism
• > 1400 protocols vs. ~150 with original NBAR
• Backwards compatible with original NBAR
• Upgrade protocols with no OS upgrade
• NBAR2 supported protocol list online at:
‒ http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

NBAR2
• Integrated feature in IOS and IOS XE
• >1000 Signatures
• Advanced Classification Techniques
• Deep Packet Inspection (DPI)
• Native IPv6 Classification
• Custom application profiles
• Supports >1,000 protocols and sub-classification

Page 10: Application Visibility and Control for CLLE New England

NBAR2 Highlights

• Support for more than 1000 applications, and growing
• Categorization to simplify application management
• In-service signature update through Protocol Pack
• Field Extraction: collect application-specific information in addition to identifying applications
• NBAR2 sub-classification features: dynamic payload types, SSL sub-classification, PCoIP sub-classification, etc.

(Chart: Number of Applications Supported, NBAR1 vs. NBAR2, with NBAR2 at 1000+)

Field extraction examples: HTTP URI, HTTP Hostname, Browser Type

Page 11: Application Visibility and Control for CLLE New England

Simplify Application Management with NBAR2 Attributes

• NBAR2 attributes provide grouping of similar types of applications
• Use attributes to report on a group of applications or to simplify QoS classification
• 6 pre-defined attributes per application (can be reassigned by users)

Attribute: Definition
Category: First-level grouping of applications with similar functionality
Sub-category: Second-level grouping of applications with similar functionality
Application-group: Grouping of applications based on brand or application suite
P2P-technology?: Indicates the application is peer-to-peer
Encrypted?: Indicates the application is encrypted
Tunneled?: Indicates the application uses a tunneling technique

Page 12: Application Visibility and Control for CLLE New England

NBAR2 Application Categories
Predefined and customizable to simplify config and reporting

NBAR2 Category: browsing, business-and-productivity-tools, email, file-sharing, gaming, industrial-protocols, instant-messaging, internet-privacy, layer2-non-ip, layer3-over-ip, location-based-services, net-admin, newsgroup, obsolete, other, trojan, voice-and-video

NBAR2 Sub-category: authentication-services, backup-systems, client-server, commercial-media-distribution, control-and-signaling, database, epayement, file-sharing, inter-process-rpc, internet-privacy, license-manager, naming-services, network-management, network-protocol, other, p2p-file-transfer, p2p-networking, remote-access-terminal, rich-media-http-content, routing-protocol, storage, streaming, terminal, tunneling-protocols, voice-video-chat-collaboration

NBAR2 Application Group: apple-talk-group, banyan-group, bittorrent-group, corba-group, edonkey-emule-group, fasttrack-group, flash-group, fring-group, ftp-group, gnutella-group, gtalk-group, icq-group, imap-group, ipsec-group, irc-group, kerberos-group, ldap-group, netbios-group, nntp-group, npmp-group, other, p2p-file-transfer, pop3-group, prm-group, skinny-group, skype-group, smtp-group, snmp-group, sqlsvr-group, stun-group, telepresence-group, tftp-group, vmware-group, vnc-group, wap-group, webex-group, windows-live-messanger-group, xns-xerox-group, yahoo-messenger-group

P2P Technology / Encrypted / Tunnel: n, y, unassigned

Page 13: Application Visibility and Control for CLLE New England

Define Your Own Application in NBAR2

Port
• TCP or UDP
• 16 static ports per application
• Range of ports (1000 maximum)

Payload
• Search the first 255 bytes of TCP or UDP payload
• ASCII (16 characters)
• Hex (4 bytes)
• Decimal (1-4294967295)
• Variable (4 bytes Hex)

HTTP URL
• URI regex
• Host regex

ISR G2: 15.2(4)M2; ASR1K: 3.8S

L3/4 Based Definition: coming in XE 3.12

Page 14: Application Visibility and Control for CLLE New England

NBAR2 Custom Application Enhancement

ip nbar custom 001-payroll http host server1.example.com id 60001
ip nbar custom 002-doc http url doc host server2.example.com id 60002
ip nbar custom 003-soft http url software host server2.example.com id 60003

Custom App        Server               URI        BW   Resp. Time
My Payroll        server1.example.com  -          2M   100ms
My Doc. Mgmt.     server2.example.com  /doc       1M   250ms
My Software Rep.  server2.example.com  /software  5M   30sec

• Custom application match on HTTP URL and/or Host
• All NBAR commands live under “ip nbar …”; this is completely unrelated to the IP version.
• Custom application attribute values are set to ‘other’ and ‘unassigned’ by default

(Diagram: Custom Enterprise Application on server1.example.com and server2.example.com (/doc – Documentation, /software – Software); Custom Application Definition & Report in Cisco Prime Infrastructure; Custom App Selector ID)

ISR G2: 15.2(4)M2; ASR1K: 3.8S

Page 15: Application Visibility and Control for CLLE New England

NBAR2 Field Extraction Support
Not just what – but who and where?

URL? Hostname? Referrer? User agent? Sender? Server?

(Diagram: extracted fields exported to the NetFlow Collector / Mgmt App; Business Analytics: Crunch)

Page 16: Application Visibility and Control for CLLE New England

NBAR2 Field Extraction: Overview

• Ability to look into specific applications for additional field information
• NBAR2 extracted fields from HTTP, RTP, PCoIP, etc. for QoS configuration
• HTTP Header Fields
• Eases classification of voice and video traffic
‒ VoIP, streaming/real-time video, audio/video conferencing, Fax over IP
‒ Distinguishes between RTP packets based on payload type and CODECs
• Some extracted fields within Flexible NetFlow and Unified Monitoring

Page 17: Application Visibility and Control for CLLE New England

NBAR2 Field Extraction: HTTP Example

(Diagram: client (IP=192.168.100.100) behind Se0/0/0 requesting http://www.cnn.com/US from www.cnn.com (IP=157.166.255.18))

GET /weather/getForecast?time=37&&zipCode=95035 HTTP/1.1
Host: svcs.cnn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.cnn.com/US/

Extracting information from the HTTP message:

collect application http url
collect application http host
collect application http user-agent
collect application http referer
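As an added illustration (not code from the presentation or from Cisco), the following Python parses the request above into the fields the four collect statements name, then classifies requests against the custom definitions from the slide 14 configuration. The host/URI matching rules (case-insensitive host equality, substring match on the URI) are this example's assumption, not a description of NBAR2 internals.

```python
"""Added example (not Cisco's code): pull out the HTTP fields that the four
'collect application http ...' statements export, then classify the request
against custom application definitions modelled on the
'ip nbar custom ... http url ... host ...' lines of slide 14.
Matching semantics (case-insensitive host equality, substring match on the
URI) are this example's assumption, not a description of NBAR2 internals."""
from dataclasses import dataclass, field
from typing import Optional

# The request from the slide, reconstructed here as a byte string for parsing.
SAMPLE_REQUEST = (
    b"GET /weather/getForecast?time=37&&zipCode=95035 HTTP/1.1\r\n"
    b"Host: svcs.cnn.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) "
    b"Gecko/20100101 Firefox/14.0.1\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    b"Accept-Language: en-us,en;q=0.5\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Connection: keep-alive\r\n"
    b"Referer: http://www.cnn.com/US/\r\n"
    b"\r\n"
)


def extract_http_fields(raw: bytes) -> dict:
    """Return url, host, user-agent and referer (the NBAR2 field-extraction names)."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return {
        "method": method,
        "url": url,
        "host": headers.get("host", ""),
        "user-agent": headers.get("user-agent", ""),
        "referer": headers.get("referer", ""),
    }


@dataclass
class CustomApp:
    """One 'ip nbar custom <name> http [url <substr>] host <host> id <id>' definition."""
    name: str
    selector_id: int
    host: str
    url: Optional[str] = None            # None: match the host on any URI
    # Slide 14: custom apps carry 'other' / 'unassigned' attribute values by default.
    attributes: dict = field(default_factory=lambda: {
        "category": "other", "sub-category": "other", "application-group": "other",
        "p2p-technology": "unassigned", "encrypted": "unassigned", "tunneled": "unassigned"})


CUSTOM_APPS = [
    CustomApp("001-payroll", 60001, "server1.example.com"),
    CustomApp("002-doc", 60002, "server2.example.com", url="doc"),
    CustomApp("003-soft", 60003, "server2.example.com", url="software"),
]


def classify(fields: dict, apps=CUSTOM_APPS) -> Optional[CustomApp]:
    """First custom definition whose host (and url substring, if given) matches, else None."""
    host = fields["host"].split(":")[0].lower()     # drop an explicit port, e.g. host:8080
    for app in apps:
        if host == app.host.lower() and (app.url is None or app.url in fields["url"]):
            return app
    return None
```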

Page 18: Application Visibility and Control for CLLE New England

Sub-Classification: NBAR RTP Payload Type Classification

• Eases classification of voice and video traffic
‒ VoIP, streaming/real-time video, audio/video conferencing, Fax over IP
• Distinguishes between RTP packets based on payload type and CODECs
• New in PP 7.0
‒ audio/video parameters will match not only if the PT is in the known static range of audio or video, but also if it’s in the dynamic range
• Future: audio/video granularity will be an actual protocol rather than a sub-classification, so the report will show it properly.

CODEC                  Payload Type
G.711 (Audio)          0 (mu-law), 8 (a-law)
G.721 (Audio)          2
G.722 (Audio)          9
G.723 (Audio)          4
G.728 (Audio)          15
G.729 (Audio)          18
H.261 (Video)          31
MPEG-1 / MPEG-2 (A/V)  14 (Audio), 32 (Video), 33 (A-V)
Dynamic                96–127

Router(config-cmap)# match protocol rtp ?
  audio         match voice packets
  payload-type  match an explicit PT (Payload Type)
  video         match video packets

Page 19: Application Visibility and Control for CLLE New England

What applications, how much bandwidth, flow direction? (Flexible NetFlow and NBAR / NBAR2)

Basic Monitoring: Integrated Performance Collection & Exporting (HTTP)

Advanced Monitoring
• Voice and Video Performance: 30% of traffic is voice and video
• Transactional Application Performance: 40% of traffic is critical applications

Simpler for configuration, collection, analysis, and troubleshooting

Page 20: Application Visibility and Control for CLLE New England

More Metrics with Flexible NetFlow

Flexible NetFlow: Bytes, Packets, Routing Info (L3 to L4)
Flexible NetFlow + NBAR: Application ID (L3 to L7)

Unified Monitoring
• Performance Metrics (e.g. media, transactional)
• Network Metrics (e.g. QoS)
• Derived Metrics (e.g. URL Hit count)
• Other Metrics (e.g. PfR)

Metrics shown: Network latency, Response Time, Jitter, Retransmission, QoS policy/class-map

NetFlow to FNF Migration Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/white_paper_c11-545581.html

Page 21: Application Visibility and Control for CLLE New England

Foundation: Exporting Process
NetFlow v9 and IPFIX

NetFlow Version 5 (Static Flow Export Format)
• Fixed number of fields (18 fields), e.g. source/destination IP & port, input/output interfaces, packet/byte count, ToS
• Exporter → Collector: Flow record, Flow record, Flow record, Flow record

NetFlow v9 / IPFIX (Flexible & Extensible Flow Export Format)
• Users define flow record format
• Flow format is communicated to collector
• Exporter → Collector: Describe flow format A, Describe flow format B, Flow record A, Flow record A, Flow record B
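The exchange described on this slide, as an added example that is not part of the original deck: a small IPFIX exporter/collector pair in Python in which format A is sent as a Template Set before any Data Set, and a collector that never received the template cannot decode the records. Information element ids are IANA IPFIX assignments; the flow values and the applicationId engine id are constructed.

```python
"""Added example (not Cisco's or any collector's code): a minimal IPFIX (RFC 7011)
exporter and collector showing what "flow format is communicated to the collector"
means: a Template Set (set id 2) describes record format A, and a Data Set (set id
= template id) is decodable only by a collector that stored that template."""
import ipaddress
import struct

IPFIX_VERSION, TEMPLATE_SET_ID = 10, 2
ADDRESS_IES = {8, 12}          # sourceIPv4Address, destinationIPv4Address

# Flow format A: (name, IANA information element id, length in bytes)
TEMPLATE_A_ID = 256
TEMPLATE_A = [("sourceIPv4Address", 8, 4), ("destinationIPv4Address", 12, 4),
              ("destinationTransportPort", 11, 2),
              ("applicationId", 95, 4),     # RFC 6759: 1-byte engine id + 3-byte selector
              ("octetDeltaCount", 1, 8)]

# Constructed flow; addresses are those of the HTTP example slide, the id is made up.
SAMPLE_FLOW = {"sourceIPv4Address": "192.168.100.100", "destinationIPv4Address": "157.166.255.18",
               "destinationTransportPort": 80, "applicationId": (13 << 24) | 80,
               "octetDeltaCount": 48212}


def encode_value(ie_id, length, value):
    return ipaddress.IPv4Address(value).packed if ie_id in ADDRESS_IES else int(value).to_bytes(length, "big")


def build_template_set(template_id, fields):
    """Set id 2: tells the collector which IEs, in which order and width, format A carries."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ie, ln) for _n, ie, ln in fields)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(body)) + body


def build_data_set(template_id, fields, records):
    """Set id = template id: raw field values back to back, no names or lengths on the wire."""
    body = b"".join(encode_value(ie, ln, rec[n]) for rec in records for n, ie, ln in fields)
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def build_message(sets, export_time=0, sequence=0, domain_id=1):
    payload = b"".join(sets)
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(payload), export_time, sequence, domain_id) + payload


def collect(msg, templates):
    """Collector side: learn templates from set 2, decode data sets with them.
    `templates` (template id -> [(ie_id, length)]) persists across messages."""
    version, length = struct.unpack("!HH", msg[:4])
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("malformed IPFIX header")
    records, off = [], 16
    while off < length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        data = msg[off + 4:off + set_len]
        if set_id == TEMPLATE_SET_ID:
            tid, count = struct.unpack("!HH", data[:4])
            templates[tid] = [struct.unpack("!HH", data[4 + 4 * i:8 + 4 * i]) for i in range(count)]
        elif set_id >= 256:
            if set_id not in templates:    # the failure mode fixed-format NetFlow v5 never has
                raise KeyError(f"data set for template {set_id} arrived before its template")
            fields = templates[set_id]
            rec_len = sum(ln for _ie, ln in fields)
            for start in range(0, len(data), rec_len):
                rec, pos = {}, start
                for ie, ln in fields:
                    raw = data[pos:pos + ln]
                    rec[ie] = str(ipaddress.IPv4Address(raw)) if ie in ADDRESS_IES else int.from_bytes(raw, "big")
                    pos += ln
                records.append(rec)
        off += set_len
    return records


def rejects_data_before_template():
    """True when a collector with no stored templates refuses a format-A data set."""
    try:
        collect(build_message([build_data_set(TEMPLATE_A_ID, TEMPLATE_A, [SAMPLE_FLOW])]), {})
    except KeyError:
        return True
    return False
```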

Page 22: Application Visibility and Control for CLLE New England

Foundation: Exporting Process
Available Option Templates

Option Template         Definition
application-table       NBAR Application ID to name mapping
application-attributes  Application attributes definition per application
c3pl-class-table        QoS class-map ID to name mapping
c3pl-policy-table       QoS policy-map ID to name mapping
exporter-stats          Exporter Statistics Option
interface-table         Interface SNMP ifIndex to name mapping
sampler-table           Export Sampler Option
sub-application-table   NBAR Sub-application ID to name mapping
vrf-table               VRF ID to name mapping
queue-id (hidden)       Queue index and queue drop information

Note: Check the IOS release for exact support

Page 23: Application Visibility and Control for CLLE New England

1. Traffic Statistics: Application Usage

(Topology: HQ with ASR routers; branch ISRs over WAN1 (IP-VPN) and WAN2 (IPVPN, DMVPN); export to a Reporting Tool)

Key Features
• Feature to collect and export network information and statistics
• Flexibility in defining fields and flow record format
• NBAR2 Integration: examines data from Layers 3 thru 7; utilizes Layers 3 and 4 plus packet inspection for classification; stateful inspection of dynamic-port traffic
• IOS: FNF, PA or MMA; IOS-XE: FNF or MMA; Export: NFv9 or IPFIX

Benefits
• Visibility into application usage
• Monitors data in Layers 2 thru 7
• Capacity Planning
• Top-N applications
• Top-N clients and servers

Page 24: Application Visibility and Control for CLLE New England

For Your Reference

Page 25: Application Visibility and Control for CLLE New England

2. URL Collection: Top Domain, hit counts

Key Features
• Provide web browsing activity report
• Standard IPFIX export
• IOS: PA or MMA; IOS-XE: MMA
• Utilize IPFIX Format, which is extensible

Benefits
• Visibility into top domains
• Monitors data in Layers 2 thru 7
• Most visited web site
• Most visited URL per site
• How many hits for a particular domain – extracted from HTTP request message

(Diagram: sample URLs per domain)
www.cnn.com: http://www.cnn.com/US, http://www.cnn.com/US, http://www.cnn.com/WORLD
www.youtube.com: http://www.youtube.com/ciscolivelondon, http://www.youtube.com/olympic
www.facebook.com: http://www.facebook.com/farmville, http://www.facebook.com/farmville, http://www.facebook.com/farmville, http://www.facebook.com/cisco

Page 26: Application Visibility and Control for CLLE New England

Example: URL Hit Count Report

Courtesy of LivingObjects

How many hits for a particular domain – extracted from HTTP request message

Page 27: Application Visibility and Control for CLLE New England

3. Application Response Time Measurement

(Topology: HQ ASRs; branch ISRs with PA over WAN1 (IP-VPN) and WAN2 (IPVPN, DMVPN); Reporting Tool. Delay segments shown: Branch Delay, Network Delay, Datacenter Delay.)
“My email is slow!” “My query is taking a long time!” “How do I ensure my SLA is met?”

Key Features
• 27 Application Response Time (ART) Metrics
• Interact with NBAR2 for Application ID
• IOS: PA or MMA; IOS-XE: MMA
• Export: NFv9 and IPFIX export

Benefits
• Visibility into application usage and performance
• Quantify user experience
• Troubleshoot application performance
• Track service levels for application delivery

Page 28: Application Visibility and Control for CLLE New England

Application Delivery Path Breakdown

• Separate application delivery path into multiple segments
• Server Network Delay (SND) approximates WAN Delay
• Latency per application

(Diagram: Clients – Client Network – IOS – Server Network – Application Servers)
• Client Network Delay (CND): across the Client Network
• Server Network Delay (SND): across the Server Network
• Network Delay (ND)
• Application Delay (AD): at the Application Servers
• Total Delay: from Request to Response
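The segments named above, as an added Python example (not Cisco's measurement code): the breakdown is computed from a constructed TCP packet trace as seen at the router, using this example's reading of the diagram (SND from SYN to SYN/ACK, CND from SYN/ACK to the handshake ACK, AD from the last request segment to the first response segment, ND = CND + SND, Total = ND + AD).

```python
"""Added example (not Cisco's code): computing the delay segments of the
Application Delivery Path Breakdown from TCP packet timestamps observed at
the router (the 'IOS' point between Client Network and Server Network).
Definitions are this example's reading of the diagram, in milliseconds:
  SND = SYN -> SYN/ACK seen at the router (server side; approximates WAN delay)
  CND = SYN/ACK -> handshake ACK (client side)
  ND  = CND + SND
  AD  = last request segment -> first response segment (server processing)
  Total Delay = ND + AD
The trace is constructed; addresses are those of the HTTP example slide."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts_ms: int
    src: str
    dst: str
    flags: str       # "S", "SA", "A" (data segments carry "A" plus a payload)
    payload: int     # TCP payload bytes


CLIENT, SERVER = "192.168.100.100", "157.166.255.18"
TRACE = [
    Pkt(0,   CLIENT, SERVER, "S", 0),
    Pkt(30,  SERVER, CLIENT, "SA", 0),      # 30 ms to the server and back: SND
    Pkt(35,  CLIENT, SERVER, "A", 0),       # 5 ms from the client: CND
    Pkt(36,  CLIENT, SERVER, "A", 600),     # HTTP request, two segments
    Pkt(37,  CLIENT, SERVER, "A", 200),
    Pkt(237, SERVER, CLIENT, "A", 1460),    # first response byte 200 ms later: AD
    Pkt(240, SERVER, CLIENT, "A", 800),
]


def art_breakdown(trace, client, server):
    """Return the ART segments for one TCP connection, in ms."""
    syn = next(p for p in trace if p.src == client and p.flags == "S")
    synack = next(p for p in trace if p.src == server and p.flags == "SA" and p.ts_ms >= syn.ts_ms)
    ack = next(p for p in trace if p.src == client and p.flags == "A"
               and p.payload == 0 and p.ts_ms >= synack.ts_ms)
    responses = [p for p in trace if p.src == server and p.payload > 0]
    requests = [p for p in trace if p.src == client and p.payload > 0
                and (not responses or p.ts_ms < responses[0].ts_ms)]
    if not requests or not responses:
        raise ValueError("connection has no complete request/response pair")
    snd = synack.ts_ms - syn.ts_ms
    cnd = ack.ts_ms - synack.ts_ms
    nd = cnd + snd
    ad = responses[0].ts_ms - max(p.ts_ms for p in requests)
    return {"CND": cnd, "SND": snd, "ND": nd, "AD": ad, "Total": nd + ad}


def locate_slowdown(breakdown):
    """Answer 'Where is the slow-down?': the segment contributing most to Total Delay."""
    parts = {"Client Network": breakdown["CND"],
             "Server Network (WAN)": breakdown["SND"],
             "Application": breakdown["AD"]}
    return max(parts, key=parts.get)


if __name__ == "__main__":
    result = art_breakdown(TRACE, CLIENT, SERVER)
    print(result, "->", locate_slowdown(result))
```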

Page 29: Application Visibility and Control for CLLE New England

Application Response Time Measurement

Screenshots: courtesy LivingObjects

For Your Reference

Page 30: Application Visibility and Control for CLLE New England

For Your Reference

Page 31: Application Visibility and Control for CLLE New England

Media Performance Metrics
What are my key network metrics for each media application?

Flow record on the ASR1k:

Key Fields
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match transport rtp ssrc
match routing vrf output
match interface output

Non-Key Fields
collect routing vrf input
collect interface input
collect application name
collect ipv4 dscp
collect datalink source-vlan-id
collect connection initiator
collect counter packets
collect counter bytes long
collect connection new-connections
collect ipv4 ttl
collect transport rtp payload-type
collect transport rtp jitter mean sum
collect transport rtp jitter maximum
collect transport packets lost counter
collect timestamp sys-uptime first
collect timestamp sys-uptime last

Page 32: Application Visibility and Control for CLLE New England

Sample AVC Monitoring Policy

• Enterprise Voice & Video: match enterprise subnet, match RTP traffic → Collect Media Performance, Collect Traffic Statistics
• Enterprise TCP Apps: match datacenter subnet, match TCP → Collect ART, Collect Traffic Statistics
• Enterprise Cloud Apps: match SFDC, match Office 365 → Collect ART, Collect Traffic Statistics
• Web Browsing: match HTTP → Collect URL Sample, Collect Traffic Statistics
• Rest of traffic: match any → Collect Traffic Statistics

Page 33: Application Visibility and Control for CLLE New England

ezPM – Simplified Configuration for AVC Monitoring

• Equivalent to ~650 lines of configuration
• Records/Monitors/Class-maps/Policy-map pre-defined

! User defined ezPM context
performance monitor context my-visibility profile application-experience
 exporter destination 10.10.10.10 source GigabitEthernet0/0/1
 traffic-monitor all
!
! Attach the context to the interface
interface GigabitEthernet0/0/2
 performance monitor context my-visibility
!

IOS-XE: 3.10; IOS 15.4(1)T

Page 34: Application Visibility and Control for CLLE New England

AVC Configuration via Prime Infrastructure

• Enable AVC features with just an ON/OFF button
• With Cisco Prime Infrastructure 2.0

Page 35: Application Visibility and Control for CLLE New England

AVC Configuration: Prime AVC One-Click

• Enable AVC in one click
‒ One device at a time
• Two simple steps
1. Select interface(s)
2. Enable

Page 36: Application Visibility and Control for CLLE New England

AVC Control Options

Application Bandwidth Control (QoS)
• Guarantee bandwidth to protect critical applications from network congestion
• Provide low latency to delay-sensitive applications
• Stop or limit unwanted applications from using WAN resources

Application Path Selection (PfR)
• Application routing based on real-time performance information
• Intelligent load sharing provides resiliency and fully utilizes all available WAN resources
• Improve performance of voice, video, and critical applications

(Diagram: LAN to WAN over Internet (No SLA), WAN 1 (High SLA) and WAN 2 (Med SLA); Email and HTTP flows placed on different paths)

Page 37: Application Visibility and Control for CLLE New England

Example: Stop P2P Applications with AVC

class-map match-any bittorrent
 match protocol attribute sub-category p2p-file-transfer
 match protocol bittorrent-networking
 match protocol dht
policy-map drop-bittorrent
 class bittorrent
  police 8000 conform-action drop exceed-action drop violate-action drop
interface GigabitEthernet0/0/0
 service-policy input drop-bittorrent
 service-policy output drop-bittorrent

(Graph: traffic after applying the control policy)

Page 38: Application Visibility and Control for CLLE New England

Application Performance Optimization
• Visualize application paths and problems with AVC & Medianet
• Alert on application performance with AVC
• QoS control using NBAR2 to optimize application performance

(Screenshot: NBAR applications)

© 2014 ActionPacked Networks, Inc. All Rights Reserved. Proprietary and Confidential.

Page 39: Application Visibility and Control for CLLE New England

QoS Monitoring & Configuration

Once the policy is applied to police Interactive Video to 512 Kbps, LiveAction can monitor how the policy has taken effect.

(Screenshots: Impact of QoS Policy; Visualize QoS Performance; QoS Policy Editor; QoS Marking; Congestion Indicator (amber color))

• Visualize & Track: QoS Performance
• Monitor & Alert: Voice/Video Quality
• Control & Fix: Full MQC QoS
• Verify & Validate: Audit, Templates


Page 42: Application Visibility and Control for CLLE New England

Intelligent Path Control with PfR
Voice and Video use-case

• PfR monitors network performance and routes applications based on application performance policies
• PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth

(Diagram: Branch connected over MPLS and Internet to a Private Cloud and a Virtual Private Cloud)
• Voice/Video take the best delay, jitter, and/or loss path
• Voice/Video will be rerouted if the current path degrades below policy thresholds
• Other traffic is load balanced to maximize bandwidth

Page 43: Application Visibility and Control for CLLE New England

LiveAction For Cisco Intelligent Path Control

• PfR path change visualization
• Alert and report on PfR Out of Policy events
• Reports on traffic class/application path changes

(Screenshot: Out-Of-Policy Threshold Crossing Alert)

© 2014 ActionPacked Networks, Inc. All Rights Reserved. Proprietary and Confidential.

Page 44: Application Visibility and Control for CLLE New England

Cisco AVC Management Solutions

• Enterprise Solutions
• Managed Service Provider Solutions

(Diagram includes Prime Infrastructure)

Page 45: Application Visibility and Control for CLLE New England