Cisco Live! Designing Multipoint WAN QoS
My Cisco Live! research presentation on QoS for non-QoS aware WANs and implementation of "Remote Ingress Shaping"

    Presentation Transcript

    • Designing Multipoint WAN QoS (BRKRST-3500), Eddie Kempe, Solutions Architect
    • Bridge Puzzle
      - Need the flashlight to cross
      - Only two at a time
      - Fast as slowest person
      - Abe: 1 minute
      - Bob: 2 minutes
      - Chad: 5 minutes
      - Dave: 6 minutes
      BRKRST-3500 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
    • Bridge Puzzle: What if the slow guys walk together?
      - Abe + Bob (2)
      - Abe returns (1)
      - Chad + Dave (6)
      - Bob returns (2)
      - Abe + Bob (2)
      - Total 13 minutes
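    The slide shows one 13-minute schedule for its four walkers. The following is an added example, not part of the presentation, that finds the optimal schedule for any set of crossing times by running Dijkstra over (people on the near side, flashlight side) states; the names and times are the slide's, and `is_valid_plan` is a helper added here to replay a schedule.

```python
import heapq
from itertools import combinations

# Constructed input, taken from the slide: minutes each person needs to cross.
SLIDE_TIMES = {"Abe": 1, "Bob": 2, "Chad": 5, "Dave": 6}


def fastest_crossing(times):
    """Minimum total time for the bridge-and-flashlight puzzle.

    Dijkstra's algorithm over states (people still on the near side, side the
    flashlight is on).  One or two people cross together and the trip costs
    the slower person's time.  Returns (total_minutes, moves), where each move
    is the tuple of names that cross; trips alternate near->far, far->near.
    """
    everyone = frozenset(times)
    start = (everyone, "near")
    dist = {start: 0}
    prev = {}
    tie = 0                      # unique tie-breaker so frozensets are never compared
    heap = [(0, tie, start)]
    while heap:
        cost, _, state = heapq.heappop(heap)
        if cost > dist[state]:
            continue             # stale heap entry
        near, side = state
        if not near and side == "far":
            moves = []
            while state in prev:
                state, move = prev[state]
                moves.append(move)
            return cost, moves[::-1]
        # Whoever is on the flashlight's side may make the next trip.
        movers = near if side == "near" else everyone - near
        for k in (1, 2):
            for group in combinations(sorted(movers), k):
                g = frozenset(group)
                new_near = near - g if side == "near" else near | g
                new_state = (new_near, "far" if side == "near" else "near")
                new_cost = cost + max(times[p] for p in group)
                if new_cost < dist.get(new_state, float("inf")):
                    dist[new_state] = new_cost
                    prev[new_state] = (state, group)
                    tie += 1
                    heapq.heappush(heap, (new_cost, tie, new_state))
    raise ValueError("no solution (empty input?)")


def is_valid_plan(times, moves):
    """Replay a move list and check that every trip is legal."""
    near, side = set(times), "near"
    for group in moves:
        here = near if side == "near" else set(times) - near
        if not 1 <= len(group) <= 2 or not set(group) <= here:
            return False
        if side == "near":
            near -= set(group)
            side = "far"
        else:
            near |= set(group)
            side = "near"
    return not near and side == "far"


if __name__ == "__main__":
    total, plan = fastest_crossing(SLIDE_TIMES)
    print(total, plan)   # 13 minutes, with Chad and Dave crossing together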
    • Abstract
      - Real-time and business critical applications, such as cloud SaaS applications, Unified Communications and video, are driving the need for any-to-any connectivity with deterministic Quality of Service (QoS). This creates new challenges for multipoint wide area network (WAN) environments that are not QoS-aware, such as the Internet and DMVPN networks.
      - While the requirements have changed, the tools available to provide QoS in multipoint WAN environments have not. QoS policy enforcement points lack visibility into the quantity and type of traffic being received at branch and teleworker offices, forcing network designers to choose between resource underutilization or possible loss of real-time and business critical traffic.
      - This session will examine new methods of meeting today's QoS challenges, identify key design considerations, and review supporting case studies. It is intended for network architects and designers of corporate WAN infrastructures. An advanced understanding of QoS, WAN and virtual private network (VPN) design principles is recommended.
    • Multipoint WAN QoS (diagram: aggregation speed mismatch, 1000 Mbps core against 10 Mbps branch links)
      1) Multipoint
      2) 3rd Party
      3) Non-QoS Aware
    • Agenda
      - Scenario: Teleworker QoS
      - Remote Ingress Shaping Theoretical Background
      - Implementing Remote Ingress Shaping
      - Proof of Concept Lab
      - Internet-Based Proof of Concept Lab
      - Putting it all together: Remote Ingress Shaping and Teleworker Revisited; Additional Use Cases; Buck's Financial
      - Looking Ahead
    • Agenda
    • Scenario: Teleworker QoS
    • Teleworker Overview (diagram: residential traffic, DC1, DC2, Internet, PE, ISP, CPE)
    • Ingress Oversubscription (diagram)
    • QoS Success Criteria
      1. Protect voice and video
      2. Protect business applications
      3. Meet user expectations
      4. Utilize resources
      5. Flexibility
      6. Financial feasibility
      7. Operational feasibility
    • QoS Success Criteria
      1. Can I protect voice and video services from data?
      2. Can I differentiate traffic to ensure business critical applications are not impacted?
      3. Are applications performing as expected?
      4. Does the solution utilize my available resources?
      5. Can I deliver new services or change policy? Example: add voice or video to the network
      6. Is the solution financially feasible?
      7. Is the solution operationally feasible?
    • Available Approaches
      - No QoS (do nothing)
      - Change the topology: force a hub and spoke topology
      - Head-end shaping/per-tunnel QoS
      - Move to a QoS-aware WAN service
    • No QoS (cartoon; source: http://www.bricklin.com/qos.htm)
    • No QoS
      - Simple?
      - QoS is most important under adverse conditions
      - Can't always throw bandwidth at the problem
      - Lack of QoS can delay adoption of new applications and business capabilities
      - Can't satisfy success criteria without it!
    • Force Hub and Spoke
      - Similar to point-to-point topologies
      - Implies Active/Standby
      - Residential/Guest traffic backhauled to hub
      - Hairpin of spoke-to-spoke traffic: increases latency, consumes hub bandwidth, and traffic is increasingly peer-to-peer
      - Inflexible
    • Head-end shaping/per-tunnel QoS (diagram: Datacenter 1 and Datacenter 2 shaping per tunnel toward branches across ISP/SP)
      - Shaping from hub to spoke: per-tunnel, per-Security Association (SA)
      - Deterministic and well understood
      - Great for hub and spoke
    • Head-end shaping/per-tunnel QoS: shaper has no visibility to multipoint traffic
      - TCP applications must go through the DC
      - Static reservation for spoke-to-spoke UDP
      - Remaining bandwidth statically divided among active datacenters
      - See calculations in Buck's Financial case study
    • DMVPN Per Tunnel QoS (Dynamic)
      - Available in 12.4(22)T
      - NHRP group per policy

      ! DMVPN Hub Configuration
      policy-map SHAPING-1.5MBPS
       class class-default
        shape average 1500000
        service-policy site
      policy-map SHAPING-1.0MBPS
       class class-default
        shape average 1000000
        service-policy site
      interface Tunnel1
       bandwidth 45000
       ip address 10.0.0.1 255.255.255.0
       ip nhrp map multicast dynamic
       ip nhrp map group group1 service-policy output SHAPING-1.5MBPS
       ip nhrp map group group2 service-policy output SHAPING-1.0MBPS

      ! Spoke Configuration
      interface Tunnel1
       bandwidth 1500
       ip address 10.0.0.2 255.255.255.0
       ip nhrp group group1
    • QoS-Aware WAN Services (diagram: Datacenter 1, Datacenter 2 and branch connected through an ISP/SP)
      - Excellent multipoint model
      - QoS enforcement point has visibility to all traffic
      - Cooperation model with ISP/SP
      - Dependent on QoS configurations offered
      - Examples: QoS-aware WAN MPLS services from a SP; Metro-Ethernet services
    • Solution Capabilities: Teleworker
      Criterion                           | No QoS | Per-Tunnel | QoS-Aware WAN Service
      Protect Voice and Video             | No     | No         | Yes
      Support Business Critical Apps      | Maybe  | Maybe      | Yes
      Meet Performance Expectations       | Maybe  | Maybe      | Yes
      Utilizes Available Resources        |        |            |
      Flexibility to deliver new services |        |            |
      Financially Feasible                | Yes    | Yes        | No
      Operationally Feasible              | Maybe  | Maybe      | Yes
      Valid Solution                      | No     | No         | No
    • Solution Capabilities: Teleworker
      Criterion                           | No QoS | Per-Tunnel | QoS-Aware WAN Service
      Protect Voice and Video             | No     | No         | Yes
      Support Business Critical Apps      | Maybe  | Maybe      | Yes
      Meet Performance Expectations       | Maybe  | Maybe      | Yes
      Utilizes Available Resources        | Yes    | No         | Yes
      Flexibility to deliver new services | No     | Yes        | Yes
      Financially Feasible                | Yes    | Yes        | No
      Operationally Feasible              | Maybe  | Maybe      | Yes
      Valid Solution                      | No     | No         | No
    • Solution Capabilities: Teleworker, with Remote Ingress Shaping
      Criterion                           | No QoS | Per-Tunnel | QoS-Aware WAN Service | Remote Ingress Shaping
      Protect Voice and Video             | No     | No         | Yes                   | Yes
      Support Business Critical Apps      | Maybe  | Maybe      | Yes                   | Yes
      Meet Performance Expectations       | Maybe  | Maybe      | Yes                   | Yes
      Utilizes Available Resources        | Yes    | No         | Yes                   | Yes
      Flexibility to deliver new services | No     | Yes        | Yes                   | Yes
      Financially Feasible                | Yes    | Yes        | No                    | Yes
      Operationally Feasible              | Maybe  | Maybe      | Yes                   | Maybe
      Valid Solution                      | No     | No         | No                    | Maybe
    • Agenda
    • Theoretical Background
    • Location of QoS (diagram: per-tunnel QoS at Datacenter 1 and Datacenter 2, QoS-aware WAN inside the ISP/SP, or QoS at the branch?)
    • Remote Ingress Shaping (diagram: Datacenter 1 and Datacenter 2 reaching Branch 1 through several ISPs; Remote Ingress Shaping applied at Branch 1)
      - Create artificial bottleneck
      - Move queuing from ISP
      - Control delay and drops
      - Slow down TCP
      - Prioritize UDP
    • Mathis and TCP performance
      $\text{Throughput} \le \frac{MSS}{RTT} \cdot \frac{C}{\sqrt{p}}$
      MSS: Maximum Segment Size; RTT: Round Trip Time; p: loss probability; C: a constant of order 1 from the Mathis model
      http://www.linuxsa.org.au/meetings/2003-09/tcpperformance.screen.pdf
    • Delay: shaping puts "excess" traffic in a queue (chart: delay vs. packets in queue)
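    To make the delay/drop trade-off of the artificial bottleneck concrete, here is an added example (not from the presentation) that replays a constructed packet trace through a single FIFO shaper with tail drop: lowering the shaped rate lengthens the queue and the delay, and a short queue limit turns that backlog into drops. The `simulate_shaper` model, the 1500-byte constant-load trace and the queue limit of 40 packets (the IOS default the later slides mention) are all assumptions of this example, not a description of IOS shaper internals.

```python
from collections import deque


def simulate_shaper(arrivals, rate_bps, queue_limit):
    """Replay a packet trace through a single FIFO shaper with tail drop.

    Constructed model (not IOS internals): a packet is serialised at rate_bps,
    waits behind anything still queued, and is dropped on arrival when
    queue_limit packets are already waiting or being sent.

    arrivals: iterable of (arrival_time_s, size_bytes), sorted by time.
    Returns counters plus per-packet delay statistics for forwarded packets.
    """
    in_flight = deque()      # departure times of packets not yet fully sent
    link_free_at = 0.0
    delays, drops, max_queue = [], 0, 0
    for t, size in arrivals:
        while in_flight and in_flight[0] <= t:
            in_flight.popleft()          # these have already left the link
        max_queue = max(max_queue, len(in_flight))
        if len(in_flight) >= queue_limit:
            drops += 1                   # tail drop: queue is full
            continue
        start = max(t, link_free_at)
        done = start + size * 8 / rate_bps
        link_free_at = done
        in_flight.append(done)
        delays.append(done - t)
    return {
        "forwarded": len(delays),
        "drops": drops,
        "max_queue": max_queue,
        "max_delay_s": max(delays) if delays else 0.0,
        "avg_delay_s": sum(delays) / len(delays) if delays else 0.0,
    }


def constant_load(offered_bps, packet_bytes, n_packets):
    """Constructed trace: packets evenly spaced to give a constant offered load."""
    gap = packet_bytes * 8 / offered_bps
    return [(i * gap, packet_bytes) for i in range(n_packets)]


def shaped_rate_sweep(offered_bps, rates_bps, queue_limit,
                      packet_bytes=1500, n_packets=100):
    """Run the same offered load through several shaped rates (the knob the
    lab slides vary) and return the per-rate summaries keyed by rate."""
    trace = constant_load(offered_bps, packet_bytes, n_packets)
    return {r: simulate_shaper(trace, r, queue_limit) for r in rates_bps}


if __name__ == "__main__":
    sweep = shaped_rate_sweep(12_000_000, [12_000_000, 10_000_000, 8_000_000], 40)
    for rate, s in sweep.items():
        print(f"{rate / 1e6:.0f} Mbps: drops={s['drops']} max_queue={s['max_queue']} "
              f"max_delay={s['max_delay_s'] * 1000:.1f} ms")
```

With 12 Mbps offered and a 10 Mbps shaped rate the backlog grows by 0.2 ms per packet, so after 100 packets the worst-case queuing delay is 21 ms with no drops; with the rate matched to the load each packet only pays its own 1 ms serialisation time. A burst of ten packets into a four-packet queue shows the other side of the knob: six are dropped immediately instead of being delayed.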
    • TCP Loss
      - TCP design balance: don't over-run the receiver/network; use available bandwidth
      - TCP will adjust to the correct rate based on delay and drops
      - TCP drops packets!
    • Bandwidth-Delay Product (chart: bandwidth against delay (RTT))
    • TCP Loss
      - There are 2 types of TCP loss: detected by timeout (red area) and detected by duplicate ACK (green area)
    • Summary
      - Slow TCP sessions
      - Preserve bandwidth-delay product
      - Make room for UDP
    • Agenda
    • Implementing Remote Ingress Shaping
    • Remote Ingress Shaping: Objective (diagram: Datacenter 1 and Datacenter 2 reaching Branch 1 through several ISPs; Remote Ingress Shaping applied at Branch 1)
      - Create artificial bottleneck
      - Move queuing from ISP
      - Control delay and drops
    • Ingress Shaping Problems
      - Platform support
      - Classification
      Solution (diagram: ISP to branch): shape egress in the opposite direction
    • Remote Ingress Shaping Configuration Example
      policy-map site
       class voice
        priority percent 33
       class call-signaling
        bandwidth percent 5
       class critical-data
        bandwidth percent 37
        random-detect dscp-based
       class class-default
        bandwidth percent 25
        random-detect
      policy-map shape-in
       class class-default
        shape average 1500000
        service-policy site
      interface FastEthernet0/1
       description Connection to branch LAN
       service-policy output shape-in
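    The slide's hierarchical policy only shows percentages. The following added example (not part of the presentation) parses that configuration text, checks the allocations and resolves each child class to the absolute rate it is guaranteed under the 1.5 Mbps shaper. `SAMPLE_CONFIG` is a constructed copy of the slide's configuration, the parser only understands the handful of commands the slide uses, and the 33% priority ceiling is Cisco's widely cited LLQ design guideline applied here as a warning, not an IOS-enforced limit.

```python
# Constructed copy of the slide's Remote Ingress Shaping configuration.
SAMPLE_CONFIG = """
policy-map site
 class voice
  priority percent 33
 class call-signaling
  bandwidth percent 5
 class critical-data
  bandwidth percent 37
  random-detect dscp-based
 class class-default
  bandwidth percent 25
  random-detect
policy-map shape-in
 class class-default
  shape average 1500000
  service-policy site
interface FastEthernet0/1
 description Connection to branch LAN
 service-policy output shape-in
"""

# Common Cisco design guideline: keep LLQ priority traffic at or below a third of
# the link so data classes are not starved.  Treated here as a warning (assumption).
MAX_PRIORITY_PERCENT = 33


def parse_policy_maps(text):
    """Parse policy-map / class / priority / bandwidth / shape / service-policy
    lines from IOS-style configuration text into nested dicts."""
    policies, policy, cls = {}, None, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        cmd = words[0].lower()
        if cmd == "policy-map":
            policy = policies.setdefault(words[1], {})
            cls = None
        elif cmd == "interface":
            policy = cls = None                  # leaving policy-map mode
        elif policy is None:
            continue
        elif cmd == "class":
            cls = policy.setdefault(words[1], {})
        elif cls is None:
            continue
        elif cmd in ("priority", "bandwidth") and len(words) >= 3 \
                and "percent".startswith(words[1].lower()):
            cls[f"{cmd}_percent"] = int(words[2])   # "per", "percent", ... abbreviations
        elif cmd == "shape" and len(words) >= 3 and words[1].lower() == "average":
            cls["shape_bps"] = int(words[2])
        elif cmd == "service-policy":
            cls["child"] = words[-1]
        elif cmd == "random-detect":
            cls["wred"] = " ".join(words[1:]) or "default"
    return policies


def validate(policies):
    """Return a list of problems: over-allocated policies, over-sized LLQ,
    and child policies that are referenced but never defined."""
    problems = []
    for name, classes in policies.items():
        total = sum(c.get("priority_percent", 0) + c.get("bandwidth_percent", 0)
                    for c in classes.values())
        if total > 100:
            problems.append(f"{name}: allocates {total}% (over 100%)")
        for cname, c in classes.items():
            if c.get("priority_percent", 0) > MAX_PRIORITY_PERCENT:
                problems.append(f"{name}/{cname}: priority {c['priority_percent']}% "
                                f"exceeds {MAX_PRIORITY_PERCENT}%")
            if "child" in c and c["child"] not in policies:
                problems.append(f"{name}/{cname}: child policy {c['child']} not defined")
    return problems


def class_rates_bps(policies, parent):
    """Absolute rate each child class is guaranteed under the parent shaper
    (the numbers behind the percentages on the slide)."""
    rates = {}
    for pname, p in policies[parent].items():
        if "shape_bps" in p and p.get("child") in policies:
            for cname, c in policies[p["child"]].items():
                pct = c.get("priority_percent", c.get("bandwidth_percent", 0))
                rates[(pname, cname)] = p["shape_bps"] * pct // 100
    return rates


if __name__ == "__main__":
    pol = parse_policy_maps(SAMPLE_CONFIG)
    print(validate(pol) or "policy OK")
    for key, bps in class_rates_bps(pol, "shape-in").items():
        print(key, bps)
```

For the slide's policy the check passes (33 + 5 + 37 + 25 = 100, priority at the guideline ceiling) and the voice class resolves to 495 kbps of the 1.5 Mbps shaped rate, which is the figure to compare against the number of calls the branch is expected to carry.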
    • Multiple Egress Interfaces/Networks (diagram: branch with several LAN segments behind one ISP link)
      - "LAN" interface must support HQoS
      - "LAN" interface must see all WAN traffic
    • Two Router Solution (diagram: ISP, R2, R1; apply the QoS policy on the link between the two routers)
    • VRF-Lite Solution (diagram: one branch router with VRF1 and VRF2 joined by a loopback cable; apply the QoS policy on the loopback cable)
    • 870 Series: a loopback cable solution would consume 2 of the 4 available LAN ports
    • GRE Loopback Tunnel Solution (diagram: branch router with VRF1 and VRF2 joined by a loopback tunnel; apply the QoS policy on the loopback tunnel)
      - Works prior to HQF
      - Verified on 12.4(15)T
    • GRE Loopback Tunnel Configuration: Two VRFs (1)
      ip vrf inside
       rd 2:2
      ip vrf outside
       rd 1:1
      interface Loopback0
       ip address 10.1.3.3 255.255.255.255
      interface Loopback1
       ip address 10.1.3.4 255.255.255.255
      !
      interface Tunnel0
       ip vrf forwarding outside
       ip address 10.3.3.3 255.255.255.0
       tunnel source Loopback0
       tunnel destination 10.1.3.4
       service-policy output shape-in
      interface Tunnel1
       ip vrf forwarding inside
       ip address 10.3.3.4 255.255.255.0
       tunnel source Loopback1
       tunnel destination 10.1.3.3
    • GRE Loopback Tunnel Configuration: Two VRFs (2)
      interface GigabitEthernet1/0
       ip vrf forwarding inside
       ip address 10.0.13.3 255.255.255.0
      interface GigabitEthernet2/0
       ip vrf forwarding outside
       ip address 10.0.23.3 255.255.255.0
      router eigrp 1
       network 10.0.0.0
       no auto-summary
       !
       address-family ipv4 vrf outside
        network 10.0.0.0
        no auto-summary
        autonomous-system 1
       exit-address-family
       !
       address-family ipv4 vrf inside
        network 10.0.0.0
        no auto-summary
        autonomous-system 1
       exit-address-family
    • GRE Loopback Tunnel Solution: Single VRF and Global Table (diagram: branch router with VRF1 and the global table joined by a loopback tunnel; apply the QoS policy on the loopback tunnel)
      - Same as previous example
      - Easier migration and operation
      - Works prior to HQF
      - Verified on 12.4(15)T
    • GRE Loopback Tunnel Configuration: VRF and Global (1)
      ! Create 1 VRF
      ip vrf outside
       rd 1:1
      !
      ! Create 2 loopback interfaces in global
      interface Loopback0
       ip address 10.1.3.3 255.255.255.255
      interface Loopback1
       ip address 10.1.3.4 255.255.255.255
      !
      ! Tunnel 0 in VRF outside
      interface Tunnel0
       ip vrf forwarding outside
       ip address 10.3.3.3 255.255.255.0
       tunnel source Loopback0
       tunnel destination 10.1.3.4
       service-policy output shaper
      !
      ! Tunnel 1 in global
      interface Tunnel1
       ip address 10.3.3.4 255.255.255.0
       tunnel source Loopback1
       tunnel destination 10.1.3.3
    • GRE Loopback Tunnel Configuration: VRF and Global (2)
      ! Physical interface in global table
      interface GigabitEthernet1/0
       ip address 10.0.13.3 255.255.255.0
      !
      ! Physical WAN interface in VRF outside
      interface GigabitEthernet2/0
       ip vrf forwarding outside
       ip address 10.0.23.3 255.255.255.0
      !
      ! Create EIGRP peering between VRF and global
      router eigrp 1
       network 10.0.0.0
       no auto-summary
       !
       address-family ipv4 vrf outside
        network 10.0.0.0
        no auto-summary
        autonomous-system 1
       exit-address-family
    • 890 Series
      - IOS 15.0 and above (No GRE Loopback Cable)
      - Physical loopback cable
      - More ports, including 2 WAN ports
    • Cisco 890 Loopback Cable Solution (diagram: branch router, ISP, global table and built-in switch; apply the QoS policy on the loopback cable)
      - Switch ports (FA0 to FA7)
      - WAN ports (FA8 and Gig0)
      - Treat switch ports as a 2nd box
      - Connect the 2nd WAN port to the switch
    • Cisco 890 Loopback Cable Solution
      interface FastEthernet7
       description Loopback cable to Gig 0
      !
      interface FastEthernet8
       description WAN Interface
       ip address 10.10.10.99 255.255.255.0
       ip nat outside
      !
      interface GigabitEthernet0
       ip address 10.10.100.1 255.255.255.0
       ip nat inside
       service-policy output shaper
      !
      interface Vlan1
       no ip address
    • Summary
      - These are tools you already know
      - Shape egress in the opposite direction
      - Requires an applicable interface
      - Shaping only at the branch
    • Agenda
    • Remote Ingress Shaping Proof of Concept
    • Lab Requirements (diagram: PC1, CPE1, WAN, ISP/SP, CPE2, PC2)
      - TCP session emulation (PC1 and PC2)
      - WAN emulator (WAN)
      - Bandwidth constrained link (ISP to CPE2 link)
      - Remote CPE (CPE2)
      - Head-end CPE (CPE1) (optional)
      - Wireshark
    • Test 1: ISP Drops vs. Shaped Rate (diagram: PC1, CPE1, WAN, ISP/SP, CPE2, PC2)
      Can we prevent ISP/SP drops due to a congested WAN link?
      1) Yes
      2) Yes, but it is not practical
      3) No, you can't
    • ISP Drops vs. Shaped Rate (chart: dropped packets, 0 to 600, against shaped rate from 10 Mbps down to 8 Mbps in 0.1 Mbps steps)
    • Test 2: UDP Delay and Jitter vs. Shaped Rate (diagram: PC1, CPE1, WAN, ISP/SP, CPE2, PC2)
      Can we bound the jitter of UDP to acceptable levels under congestion?
      1) Yes
      2) No
    • UDP Jitter vs. Shaped Rate (chart: jitter in ms, 10 to 90, against shaped rate from 10 Mbps down to 8 Mbps in 0.1 Mbps steps)
    • UDP Delay vs. Shaped Rate (chart: average delay in ms, 40 to 240, against shaped rate from 10 Mbps down to 8 Mbps in 0.1 Mbps steps)
    • Test 3: UDP Delay and Jitter vs. TCP Sessions (diagram: PC1, CPE1, WAN, ISP/SP, CPE2, PC2)
      How does the number of TCP sessions affect UDP delay, loss and jitter?
      1) No impact
      2) Low impact, no action required
      3) High impact, action required
    • UDP Average Delay vs. TCP Sessions (chart: average delay in ms, 20 to 270, against TCP sessions from 1 to 100)
    • Test 4: TCP Sessions and Queue Depth (diagram: PC1, CPE1, WAN, ISP/SP, CPE2, PC2)
      How does the number of TCP sessions affect average queue depth?
      1) Hard to tell
      2) No impact
      3) Increases queue depth
      4) Decreases queue depth
    • Queue Depth vs. TCP Sessions (chart: average queue depth in packets, 40 to 840, against TCP sessions from 35 to 70)
    • Test 5: Queue Depth and UDP Delay (diagram: PC1, CPE1, WAN, ISP/SP, CPE2, PC2)
      Will increasing queue size affect UDP delay, loss and jitter?
      1) Yes
      2) No
    • Delay vs. Queue Depth
      Max Queue Size (Packets) | Min Delay (ms) | Max Delay (ms) | Avg Delay (ms)
      40                       | 48             | 109            | 70
      4000                     | 9              | 57             | 29
      Difference               | 39             | 52             | 41
    • Conclusions
      - RIS can move queuing from the ISP and reduce drops
      - UDP delay and jitter can be bounded to acceptable levels
      - Two key "knobs":
        Shaped Rate: how aggressively we queue TCP packets
        Queue Depth: conserving the bandwidth-delay product requires that queue depth increase linearly with the number of TCP sessions
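    The Mathis relation, the bandwidth-delay product and the "two knobs" conclusion can be combined into one sizing calculation. The following is an added example, not from the presentation: it implements the Mathis bound and its inverse (the loss rate at which a flow settles at a given rate), computes the BDP in packets for the shaped rate, and estimates a queue depth that keeps the BDP as the session count grows. The 95% shaped fraction and 40 ms RTT come from the Internet-based test slides; `MATHIS_C`, `min_window_pkts` and the `plan_shaper` function are assumptions of this example, and the "timeout" regime it reports corresponds to the timeout-detected loss the TCP Loss slide distinguishes from duplicate-ACK loss.

```python
import math

# Mathis et al. (1997): BW <= (MSS / RTT) * C / sqrt(p).  C ~ 1.22 is the
# constant of the periodic-loss model (assumption: no delayed ACK).
MATHIS_C = 1.22


def mathis_throughput_bps(mss_bytes, rtt_s, loss_prob, c=MATHIS_C):
    """Upper bound on one TCP flow's throughput for a given loss probability."""
    return (mss_bytes * 8 / rtt_s) * (c / math.sqrt(loss_prob))


def loss_needed_for_rate(target_bps, mss_bytes, rtt_s, c=MATHIS_C):
    """Invert the Mathis bound: the loss probability at which a flow settles
    at target_bps.  A result near or above 1 means the target is below about
    one segment per RTT, where loss recovery is timeout driven rather than
    duplicate-ACK driven."""
    return ((mss_bytes * 8 / rtt_s) * c / target_bps) ** 2


def bdp_bytes(rate_bps, rtt_s):
    """Bandwidth-delay product: bytes that must be in flight to fill the link."""
    return rate_bps * rtt_s / 8


def plan_shaper(line_rate_bps, rtt_s, sessions, shaped_fraction=0.95,
                mss_bytes=1460, packet_bytes=1500, min_window_pkts=2):
    """Size the two RIS knobs for a branch link (modelling assumptions below).

    shaped_fraction: the slides settled on 95% of line rate in the Internet test.
    min_window_pkts: assume each TCP session keeps at least this many segments
    in flight; once sessions * min_window_pkts exceeds the BDP, the queue that
    preserves the BDP grows linearly with the session count.
    """
    shaped = line_rate_bps * shaped_fraction
    per_flow = shaped / sessions
    bdp_pkts = math.ceil(bdp_bytes(shaped, rtt_s) / packet_bytes)
    p = loss_needed_for_rate(per_flow, mss_bytes, rtt_s)
    return {
        "shaped_bps": shaped,
        "per_flow_bps": per_flow,
        "bdp_packets": bdp_pkts,
        "queue_packets": max(bdp_pkts, sessions * min_window_pkts),
        "loss_probability": min(p, 1.0),
        "loss_regime": "duplicate-ACK" if p < 1.0 else "timeout",
    }


if __name__ == "__main__":
    for n in (2, 10, 70):
        print(n, "sessions:", plan_shaper(10_000_000, 0.040, n))
```

On a 10 Mbps link with 40 ms RTT the BDP is only 32 packets, so two sessions fit in the default 40-packet queue; at 70 sessions each flow's share falls below one segment per RTT, the model reports the timeout regime, and the queue estimate grows to 140 packets, which is the linear growth the lab measured.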
    • Internet-Based Tests
    • Lab Setup (diagram: branch router with VRF1 and the global table, QoS policy applied on a loopback tunnel, ISP, Internet)
      - 871W
      - 3 Mbps cable Internet
      - ICMP RTT of 40 ms
      - Load generation: FTP, HTTrack, high definition Internet video
    • Audience Questions
      - Does ISP queuing delay have a significant impact on delay? Yes / No
      - What is the required ingress shaped rate? 70% / 80% / 90% of line rate
      - How deep will queues need to be? 500 / 250 / 100 / 40 packets
    • Internet-Based Tests: Jitter vs. Shaped Rate (chart: jitter in ms, 0 to 200, against shaped rate from 3.5 Mbps down to 1.5 Mbps in 0.1 Mbps steps)
    • Internet-Based Test: Average Delay vs. Shaped Rate (chart: delay in ms, 50 to 100, against shaped rate from 3.5 Mbps down to 1.5 Mbps in 0.1 Mbps steps)
    • Conclusions
      - ISP queue delay peak was 55 ms (95 ms - 40 ms = 55 ms); nearly tripled one-way delay
      - 95% of line rate
      - Default (40 packets) queue depth
      - 30 ms or less average delay for real-time traffic added by branch and ISP WAN connection
      - GRE Loopback Tunnel on 871W with BVI
      - 15% CPU
    • What Does Remote Ingress Shaping (RIS) Enable? Two new capabilities that define the use cases
      1. Allows you to maintain control over TCP applications, even if the traffic does not go through your datacenter. Examples: cloud services (SaaS, IaaS), teleworkers (residential traffic), guest networking, split-tunneling
      2. Allows a single point of configuration and policy enforcement for a location or WAN link. Examples: A/A datacenter
    • Putting it all Together
    • Teleworker Example Revisited
    • Teleworker Overview (diagram: DC1, DC2, Internet, PE, ISP, CPE)
    • Solution Capabilities: Teleworker
      Criterion                           | No QoS | Per-Tunnel | QoS-Aware WAN Service
      Protect Voice and Video             | No     | No         | Yes
      Support Business Critical Apps      | Maybe  | Maybe      | Yes
      Meet Performance Expectations       | Maybe  | Maybe      | Yes
      Utilizes Available Resources        |        |            |
      Flexibility to deliver new services |        |            |
      Financially Feasible                | Yes    | Yes        | No
      Operationally Feasible              | Maybe  | Maybe      | Yes
      Valid Solution                      | No     | No         | No
    • Solution Capabilities: Teleworker, with Remote Ingress Shaping
      Criterion                           | No QoS | Per-Tunnel | QoS-Aware WAN Service | Remote Ingress Shaping
      Protect Voice and Video             | No     | No         | Yes                   | Yes
      Support Business Critical Apps      | Maybe  | Maybe      | Yes                   | Yes
      Meet Performance Expectations       | Maybe  | Maybe      | Yes                   | Yes
      Utilizes Available Resources        |        |            |                       |
      Flexibility to deliver new services |        |            |                       |
      Financially Feasible                | Yes    | Yes        | No                    | Yes
      Operationally Feasible              | Maybe  | Maybe      | Yes                   | Maybe
      Valid Solution                      | No     | No         | No                    | Maybe
    • Buck’s Financial
    • Buck's Financial Overview (diagram: Datacenter 1 and Datacenter 2, ISPs, Internet, 3rd parties, PE, branch office)
      - Financial services company
      - 1000s of very small branch offices
      - Dual datacenters
      - Migrating from MPLS VPN to DMVPN
      - DSL and broadband cable connections
      - Future VoIP
    • Buck's Financial Challenges (diagram: Datacenter 1 and Datacenter 2, ISPs, Internet, 3rd parties, PE, branch office)
      - Wants to leverage 3rd party (cloud) for live video
      - Branch owners want to use available broadband capacity
      - ScanSafe
      - Future services: GuestNet, other 3rd parties
    • Head-End Shaping as a Solution: shaper has no visibility to multipoint traffic
      - TCP applications must go through the DC
      - Static reservation for spoke-to-spoke UDP
      - Remaining bandwidth statically divided among active datacenters
    • Head-End Shaping as a Solution
      - Configure per-tunnel traffic shaping at each DC
      - 720 Kbps reserved for 3rd party video (600 Kbps + 20%)
      - 160 Kbps reserved for 2 VoIP phone calls
      - Remaining bandwidth divided between 2 DCs
      Branch BW | 3rd Party Video | 2 VoIP Calls | Available to DC
      1.5 Mbps  | 720 Kbps        | 160 Kbps     | 310 Kbps
      2 Mbps    | 720 Kbps        | 160 Kbps     | 810 Kbps
      3 Mbps    | 720 Kbps        | 160 Kbps     | 1310 Kbps
    • Solution Capabilities: Buck's Financial
      Criterion                           | No QoS | Per-Tunnel | QoS-Aware WAN Service | Remote Ingress Shaping
      Protect Voice and Video             | No     | Yes        | Yes                   | Yes
      Support Business Critical Apps      | No     | Yes        | Yes                   | Yes
      Meet Performance Expectations       | Maybe  | Maybe      | Yes                   | Yes
      Utilizes Available Resources        | Yes    | No         | Yes                   | Yes
      Flexibility to deliver new services | Maybe  | No         | Maybe                 | Yes
      Financially Feasible                | Yes    | Yes        | No                    | Yes
      Operationally Feasible              | Maybe  | Yes        | Yes                   | Maybe
      Valid Solution                      | No     | No         | No                    | Maybe
    • Looking Ahead
    • Agenda
    • Looking Ahead
    • Traffic Classification Problem (diagram: ISP to branch)
      - Ports/Protocols
      - Payload encrypted
      - DSCP reliability
      - DSCP trust
    • Internet Head-End §  More than just Internet Business-to-Business VPN Corporate E-Commerce Access to Cloud Services Branch site-to-site VPN Teleworker User Internet access §  Critical applications separated by circuits BRKRST-3500 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
    • Internet Head-End §  Simplified classification §  Ports/Protocols works better §  TCP session scaling important! §  Buffering is key §  Additional Tools Ironport Web Security Appliance (WSA) Services Control Engine (SCE) BRKRST-3500 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
    • WSA Bandwidth Controls for Streaming Media
      - New in WSA AsyncOS 7.0
      - Overall bandwidth limit
      - User bandwidth limit
    • Services Control Engine (SCE)
      - Application-layer deep packet inspection
      - Real-time traffic control
      - Granular bandwidth metering and shaping
      - Quota management
    • Explicit Congestion Notification (ECN) §  Notify sender of congestion without packet loss §  Specified as RFC 3186 (2001) §  Requires support on hosts and network §  Not widely used BRKRST-3500 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
    • Explicit Congestion Notification (ECN) §  Supported in IOS since 12.2T policy-map QoS_Policy class class-default bandwidth per 70 random-detect random-detect ecn §  Disabled by default on Windows 7 Windows Server 2008 Windows Vista Mac OS X 10.5 and 10.6 §  Server Mode for Linux BRKRST-3500 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
    • RSVP
      - RSVP implementation could be modified to address the problem for private WANs
      - Requires routers to initiate reservations
      - See backup slides
    • Additional RIS Considerations
      - L2 overhead accounting
      - CPU requirements
      - WAAS: "measure" optimized traffic; Transport Flow Optimization (TFO)
      - Viruses/scavenger class: user-based rate limiting; drop
      - Anti-replay: use caution if applying QoS policies to encrypted traffic
    • “If you only have a hammer, then you tend to see every problem as a nail.” Abraham Maslow
    • Summary
      - Now you have a new tool!
      - RIS can overcome challenges with multipoint, 3rd party and non-QoS-aware WANs
      - Enables acceptable UDP performance, even if applications do not go through the DC, with a single point of configuration and policy enforcement
    • Complete Your Online Session Evaluation
      - Receive 25 Cisco Preferred Access points for each session evaluation you complete.
      - Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.
      - Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
      - Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any Internet station or visit www.ciscolivevirtual.com.
    • Visit the Cisco Store for Related Titles http://theciscostores.com
    • QoS Golden Rules
      - Start with the goal in mind
      - There is no substitute for sufficient bandwidth
      - Queuing and scheduling can protect voice and video from data
      - Only Call Admission Control can protect voice from voice and video from video
      - Don't mix UDP and TCP in the same class
    • Happy Health
    • Happy Health Overview (diagram: Datacenter 1, Datacenter 2, DR site, PE routers, Location 1)
      - Healthcare provider
      - MPLS VPN
      - Dozens of large sites
      - DS-3 or better
      - Applications: VoIP, medical imaging, applications in multiple DCs
    • Happy Health Challenges (diagram: Datacenter 1, Datacenter 2, DR site, PE routers, Location 1)
      - MPLS VPN service provider charges for "burst" usage above 50% of line rate
    • Without RIS
      1) TCP applications must go through the DC (or similar QoS enforcement point) to prevent oversubscription
      2) Every active datacenter must share bandwidth with other active datacenters
      3) Bandwidth must be statically reserved for UDP applications that do not go through the datacenter
    • Egress Shaping as a Solution: No Tunnels
      - Identify destination networks
      - Shape traffic toward each destination
      - Requires a mapping of every network to every location
    • Traffic Shaping Configuration Example: No Tunnels (1)
      ip access-list extended site1
       permit ip 10.0.1.0 0.0.0.255 any
       permit ip any 10.0.1.0 0.0.0.255
      ip access-list extended site2
       permit ip 10.0.2.0 0.0.0.255 any
       permit ip any 10.0.2.0 0.0.0.255
      ip access-list extended site3
       permit ip 10.0.3.0 0.0.0.255 any
       permit ip any 10.0.3.0 0.0.0.255
      class-map match-any site1
       match access-group name site1
      class-map match-any site2
       match access-group name site2
      class-map match-any site3
       match access-group name site3
    • Traffic Shaping Configuration Example: No Tunnels (2)
      policy-map site
       class voice
        priority percent 33
       class call-signaling
        bandwidth percent 5
       class critical-data
        bandwidth percent 37
        random-detect dscp-based
       class class-default
        bandwidth percent 25
        random-detect
      policy-map all-sites
       class site1
        shape average 600000
        service-policy site
       class site2
        shape average 400000
        service-policy site
       class site3
        shape average 200000
        service-policy site
      interface FastEthernet0/1
       service-policy output all-sites
    • Egress Shaping as a Solution: Static Tunnels
      - Simplifies classification of destination networks
      - Requires a full-mesh overlay on top of the existing any-to-any network (5050 tunnels)
      - Shape traffic toward each destination
      - Full mesh routing protocol can cause network meltdown
    • Traffic Shaping Configuration Example: Static GRE Tunnels
      policy-map site
       ! Omitted for brevity
      policy-map 600ksite
       class class-default
        shape average 600000
        service-policy site
      policy-map 400ksite
       class class-default
        shape average 400000
        service-policy site
      interface Tunnel1
       description tunnel to site1
       service-policy output 600ksite
      interface Tunnel2
       description tunnel to site2
       service-policy output 400ksite
    • Egress Shaping as a Solution: DMVPN
      - Further simplifies the configuration by automating tunnel creation
      - New dynamic per-tunnel QoS, 12.4(22)T
      - Within the tunnel interface, associate the QoS policy with the "ip nhrp map group" command
      - Simplifies the association of a QoS policy at the hub to each spoke location
      http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_per_tunnel_qos.html#wp1072822
    • Traffic Shaping Configuration Example: DMVPN Per Tunnel QoS (Dynamic)
      policy-map SHAPING-1.5MBPS
       class class-default
        shape average 1500000
        service-policy site
      policy-map SHAPING-1.0MBPS
       class class-default
        shape average 1000000
        service-policy site
      interface Tunnel1
       bandwidth 45000
       ip address 10.0.0.1 255.255.255.0
       ip nhrp map multicast dynamic
       ip nhrp map group group1 service-policy output SHAPING-1.5MBPS
       ip nhrp map group group2 service-policy output SHAPING-1.0MBPS
       .
       no ip mroute-cache
       tunnel source 172.17.0.1
       tunnel mode gre multipoint
       tunnel key 253
       tunnel protection ipsec profile DMVPN
    • Solution Capabilities: Happy Health
      Criterion                           | No QoS (Do Nothing) | Per-Tunnel | QoS-Aware WAN Service | Remote Ingress Shaping
      Protect Voice and Video             | N/A                 | Yes        | Yes                   | Yes
      Support Business Critical Apps      | N/A                 | Yes        | Yes                   | Yes
      Meet Performance Expectations       | N/A                 | Yes        | Maybe                 | Yes
      Utilizes Available Resources        | N/A                 | Yes        | No                    | Yes
      Flexibility to deliver new services | N/A                 | Maybe      | Maybe                 | Yes
      Financially Feasible                | N/A                 | No         | Yes                   | Yes
      Operationally Feasible              | N/A                 | Yes        | Maybe                 | Maybe
      Valid Solution                      | N/A                 | No         | No                    | Maybe