Slides 29 and later (only truncated preview text survives in the source; the full transcript below ends at slide 28):
    29. Application Response Time Measurement
    30. For Your Reference
    31. Media Performance Metrics (ASR1k: collect routing vr...)
    32. Enterprise Voice & Video: Match enterprise subnet ...
    33. ezPM – Simplified Configuration for AVC Monitoring
    34. AVC Configuration via Prime Infrastructure: Enab...
    35. AVC Configuration, Prime AVC One-Click: Enable AV...
    36. Guarantee bandwidth to protect critical applicatio...
    37. class-map match-any bittorrent / match protocol attrib...
    38. Application Performance Optimization: Visualize app...
    39. QoS Monitoring & Configuration: Once the Policy is applied to Police Interactive Video to 512 Kbps, LiveAction can monitor ...
    42. Private Cloud / MPLS / Internet: PfR monitors ...
    LiveAction For Cisco Intelligent Path Control
    Cisco AVC Management Solutions: Enterprise Solutions; Managed Service Provider Solutions; Prime Infrastructure
Application Visibility and Control for CLLE New England
Application Visibility and Control (Bob Nusbaum presenter)

Speaker notes:
  • This slide shows an actual customer’s branch traffic breakdown about a week after Apple released iOS 7.
  • So, what are the major components of the Application Visibility and Control solution? It all starts with classification. The classification engine is the second generation of our Network-Based Application Recognition engine. It combines traditional classification of protocols by protocol type and port number with deep packet inspection to identify more than 1,000 different applications. Furthermore, the application definitions can be updated while the router is running. The data files that contain the application definitions are called “Protocol Packs.”
    Once the traffic is classified, the first thing most people want to do with it is measure it. We can actually measure and capture three different types of statistics on a per-application basis. We can capture the basic traffic statistics that Cisco NetFlow has been capturing for years: IP source and destination addresses and ports, IP protocol, IP Type of Service, and which interface the traffic came in on. The difference between basic NetFlow and AVC is that we enrich these traditional NetFlow statistics with additional information such as application IDs and categories, extracted fields such as URL and domain name, and other useful performance metrics such as connection duration. For applications running over TCP, we can calculate a large variety of Application Response Time metrics by inspecting and timestamping TCP transactions. For common voice and video protocols, we can measure things like latency and jitter, which are important to telephony, video, etc.
    At this point, the router knows what application the traffic is for, and what its performance is, but nobody else does! To make that information available outside the router, it has to be exported, usually to a network management software product. This is done using an industry standard called NetFlow. Each measurement or statistic exported can then be analyzed by the external application for a wide range of purposes, such as performance troubleshooting, network capacity planning, security, or billing and chargeback.
    OK, now we’ve got a very good handle on Application Visibility. But where does the Control come in? With AVC, we can map the application traffic that we classify into the classes used to apply various types of network control policies. The most commonly used of these is QoS, or Quality of Service. Network devices can allocate bandwidth to different application classes, setting priorities and maximum and minimum bandwidth consumption. This allocation can guarantee minimum bandwidth for critical applications, while limiting the bandwidth consumption of low-priority and non-business-critical applications, by policing them (dropping their packets if necessary). Another way to control traffic when more than one route is available to the destination is by using intelligent path selection, known as Performance Based Routing, or PfR. PfR actually monitors the network performance on each route to the destination, and dynamically chooses which path to send each class of traffic on based on those real-time performance observations. What AVC adds to both of these control mechanisms is the ability to map groups of applications, or even individual applications, into specific control classes used by QoS and PfR.
  • Historically, networks and analytical tools have been very limited in their view of what an application was. Network applications using well-known ports could be identified and reported easily. But just knowing that something was a web browser session, or even a secured web session, became less and less useful as increasing numbers of applications were converted to use browser-based user interfaces. New models have arisen in both business and recreational applications, such as peer-to-peer, web-based media applications, and Software as a Service. Furthermore, even some traditional client-server applications, like Microsoft Exchange, select their TCP ports dynamically, so monitoring the same port all the time misses a lot of the action.
  • We’ve revamped the NBAR engine completely but have kept the same look and feel on the front end. The basic CLI is the same, but again the main engine has been completely rebuilt to be more accurate and to provide heuristic, behavioral, and statistical analysis.
    NBAR is a deep packet inspection engine that was created quite a few years ago. The basic engine performed pattern matching and stateful inspection and provided upwards of 100 signatures. NBAR is very useful when detecting specific applications like Skype or when classifying applications like BitTorrent or eDonkey. Non-TCP and non-UDP IP protocols, for example ICMP, encapsulation (protocol 41), and OSPF.
    Identifies applications: statically assigned; dynamically assigned during connection establishment; non-TCP and non-UDP IP protocols. Heuristics classification: data packet inspection for application traffic patterns; header classification and data packet inspection; stateful inspection, snooping bi-directional application traffic as it flows through the network.
  • Simplify application management: grouping of apps based on various characteristics/properties. Pre-defined attributes can be used for reporting and QoS (match protocol): category, sub-category, application-group, p2p, tunnel, encrypted.
  • Port and payload rules are “hand-in-glove”: the port rule should be there in the payload rule, and it’s recommended to have a payload rule in port rules. The current support is only for WKP (no IP), and the recommendation is to combine WKP with a payload check. Therefore this only happens on the first payload packet. The new support will run on the first packet (even SYN), because it will be pure L3/L4. It will add the ability to match on L3; that’s the main difference.
  • Before: create a custom app in NBAR, with no way to report on it because the NBAR app ID is local to the device. After: PAM creates the custom app, which synchronizes the custom app on PAM with the device. Use the same custom app in the policy.
  • We don’t limit ourselves to the protocols in terms of what we can recognize. Our Deep Packet Inspection has the ability to extract specific fields from certain protocols. You can then match on specific values for those fields as well as the protocol to generate far more detailed selection of packets for monitoring and reporting, for defining custom applications, or for control purposes.
  • When talking about RTP sub-classification, you must refer to a few things:
    i. Currently all the RTP sub-classifications will find the first value in the flow and keep it. They will not match on every payload type in the flow, i.e. if it changes in the middle of the flow or if it’s different per direction, you won’t see it.
    ii. The most common use case is the ability to distinguish voice from video, and that should be done using the “rtp audio” and “rtp video” commands, and not using explicit payload types.
    iii. Dynamic payload types are now included in the audio/video sub-classifications, as learned from SIP sessions. This came in PP7.0 and it means you don’t need to fine-tune your match statements for the coincidental payload type that happens to be used by your device.
    iv. We intend to replace the audio/video sub-classification commands with actual protocols (rtp-video, rtp-audio) in the near future (this should have been released but got delayed due to infra issues, but it’s coming on WiFi platforms in any case and will also come on routers at some point).
    v. Per-packet payload type is another thing we would like to add but hasn’t been done yet; it will come later.
  • Track security and traffic-analysis data separately: export different flow monitors to different destinations; customers benefit from detailed analysis for each application.
    Create virtual NetFlow caches to track and isolate issues: isolate security or traffic incidents in the network; customized traffic identification combined with input filtering allows pinpoint accuracy in determining and isolating incidents.
    Select only information that is needed: better use of flow cache and aggregation; new information from layer 2 and above, including packet sections.
  • Template FlowSet vs. Data FlowSet. FlowSet ID = 0 (Data Template), 1 (Option Template), 2-255 (Data).
  • Option templates:
    application-attributes: Application Attributes Table Option
    application-table: Application Table Option
    c3pl-class-table: C3PL class cce-id table
    c3pl-policy-table: C3PL policy cce-id table
    exporter-stats: Exporter Statistics Option
    interface-table: Interface SNMP-index-to-name Table Option
    metadata-version-table: Metadata Version Table Option
    sampler-table: Export Sampler Option
    sub-application-table: Sub Application Table Option
    vrf-table: VRF ID-to-name Table Option
  • ART measurement is technology we bring from NAM, which provides about 37 related latency metrics, in addition to typical NetFlow metrics such as byte count, packet count, DSCP, and input/output interfaces. It can ask NBAR for the application information and populate the flow record. Another great feature: PA does aggregation of metrics inside the router. This will reduce the number of flow records. FNF normally uses a 5-tuple, while PA is 4-tuple (no source port). Latency metrics can be used for troubleshooting network issues, or to quantify the application performance. ART metrics are provided by PA on the ISR-G2 and are part of MMA under performance-monitor on the ASR1k.
  • Provide web browsing activity report: most visited web site; most visited URL per site; how many hits for a particular domain, extracted from the HTTP request message.
    PA will collect and export uri and hit-count in the format “uri:count::uri:count.....”. The delimiters colon (:) and double colon (::) are written here just for the demonstration of the format. The actual delimiter would be NULL (\0). The count is always represented in binary format using a fixed length of 2 bytes. The collector has to parse the URI on the basis of the delimiter, i.e. NULL (\0). The URI count is read as a 2-byte binary number and there is no '\0' delimiter after the count. A special PA-specific FNF export field (42125) would be used to export the list of URIs and the corresponding hit-counts. The encoding would be done as follows: {URI\0count URI\0count}. In this example, US\02 WORLD\01 means US – count = 2, WORLD – count = 1.
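The encoding in this note is easy to get wrong at the collector, because the 2-byte count has no delimiter after it and its own bytes may be zero. The following is an added example (not Cisco code and not part of the original deck) of an encoder and parser for that layout; it assumes the count is big-endian (the note does not say) and uses the field number 42125 only as a label for the constructed sample.

```python
"""Encoder/parser for the URI + hit-count list described in the speaker note.

Added example, not Cisco code.  Assumptions: the 2-byte count is big-endian
(network byte order; the note does not state it), and 42125 is used here only
to label the constructed sample field.
"""
import struct

URI_HIT_COUNT_FIELD = 42125  # field number quoted in the note; label only


def encode_uri_hits(hits):
    """Encode [(uri, count), ...] as URI, NUL, 2-byte count, with nothing after the count."""
    out = bytearray()
    for uri, count in hits:
        if "\x00" in uri:
            raise ValueError("URI may not contain NUL")
        if not 0 <= count <= 0xFFFF:
            raise ValueError("count does not fit in 2 bytes")
        out += uri.encode("ascii") + b"\x00" + struct.pack("!H", count)
    return bytes(out)


def parse_uri_hits(data):
    """Decode the field into a list of (uri, count).

    Each element is read as: bytes up to the next NUL (the URI), then exactly
    two count bytes.  Searching for the NUL only from the start of each URI is
    what keeps a count such as 0x0002 from being mistaken for a delimiter.
    Raises ValueError on truncation (URI without NUL, or fewer than 2 count bytes).
    """
    hits = []
    pos, n = 0, len(data)
    while pos < n:
        nul = data.find(b"\x00", pos)
        if nul < 0:
            raise ValueError("URI at offset %d has no NUL terminator" % pos)
        if nul + 3 > n:
            raise ValueError("count truncated after URI at offset %d" % pos)
        uri = data[pos:nul].decode("ascii", errors="replace")
        (count,) = struct.unpack("!H", data[nul + 1:nul + 3])
        hits.append((uri, count))
        pos = nul + 3
    return hits


def is_well_formed(data):
    """True when the whole field parses without truncation."""
    try:
        parse_uri_hits(data)
        return True
    except ValueError:
        return False


def top_uris(hits, limit=3):
    """Highest hit counts first, ties broken by URI, for a 'most visited' report."""
    return sorted(hits, key=lambda h: (-h[1], h[0]))[:limit]


# Constructed sample matching the note's example: US seen twice, WORLD once.
SAMPLE_FIELD = b"US\x00\x00\x02WORLD\x00\x00\x01"

if __name__ == "__main__":
    parsed = parse_uri_hits(SAMPLE_FIELD)
    print("field", URI_HIT_COUNT_FIELD, "->", parsed)
    print("round trip ok:", encode_uri_hits(parsed) == SAMPLE_FIELD)
```

A collector that simply splits the field on every NUL would miscount as soon as a count has a zero high byte, which is every count below 256; reading a fixed two bytes after each terminator avoids that.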
  • ezPM availability: on IOS-XE, 3.10; on IOS T-train (ISR-G2), PI-23 (15.4(1)T). Explain that this is equivalent to ~650 lines of traditional configuration. We can also explain that we give the user the following flexibility: configuring exporters; enabling/disabling various traffic-monitors (a.k.a. tools); for each traffic-monitor, overriding some default parameters (IPv4/6, ingress/egress, traffic to which the monitor is applied, cache size, ...). An example of this flexibility could be the following:
      performance monitor context my-visibility-2 profile application-experience
       exporter destination 1.1.1.1 source GigabitEthernet0/0/1 transport udp vrf Mgmnt port 1111
       exporter destination 2.2.2.2 source GigabitEthernet0/0/1 transport udp vrf Mgmnt port 2222
       traffic-monitor application-response-time ipv4 class-and my-art-apps
       traffic-monitor url ipv6
       traffic-monitor media ipv4 ingress cache-size 1000
       traffic-monitor media ipv4 egress cache-size 2000
       traffic-monitor application-traffic-stats
       traffic-monitor conversation-traffic-stats
      !
  • So, when you apply the Control part of AVC, you can turn your BitTorrent into a Bit Trickle!
  • Access to all available QoS actions is supported.
  • So how do we leverage low-cost internet transport in a WAN access strategy? Today it is active/standby, so what we’re going to show you is how to move to active/active and get more capacity for your WAN for a lot less money. And now, if you leverage the internet for WAN transport, why not use it for direct internet access: for your employees to access the public cloud with better performance, and to offload your guest users directly for security. You’re going to increase your WAN capacity very cost-effectively and improve performance by sending the right flows to the right places.
    First we want a secure transport overlay, certainly on the internet path, and perhaps for consistency and design simplicity we want this on our MPLS/IP access as well. Maybe then we want to route some of our less critical flows across the internet transport; we want to do that selectively and be able to revert back to the MPLS leg if performance degrades. Maybe we want load balancing of best-effort traffic across both links to help offload traffic from MPLS VPN access. And further, for traffic that we know is destined to public cloud services for employees, like Google, Salesforce.com, Office365 etc., or guest users directly to the internet, maybe we want to leverage local internet access to offload these flows from the WAN altogether. So now you use your internet connection not just as a backup, but as a real component of your overall WAN. Combining these elements with the right network technologies to optimize the flows will help reduce overall WAN transport BW requirements and improve application performance by directing the right flows to the right places. Let’s see how...

Slide transcript:

    1. Local Edition
    2. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
       Local Edition
       Application Visibility and Control: What’s in Your Network?
       Bob Nusbaum, Senior Product Manager, Enterprise Networking Group, Cisco
       <SESSION ID>
    3. Application complexity increases: “I know it’s HTTP – but what application is it?”
       Cloud and virtualization centralize application delivery: “From here it looks like it’s running just fine.”
       Multiple entities involved in delivering applications: “It’s from an outside cloud! How do you expect me to fix it?”
    4. Real-Life Example: The iOS 7 Storm. Source: an actual customer’s branch WAN; graphs from Cisco Prime Infrastructure 2.0.
    5. • “What’s in Your Network?”
         ‒ “What applications make up my traffic load?”
         ‒ “What are end users experiencing?”
         ‒ “Where is the slow-down?”
         ‒ “What traffic is slowing down my critical apps?”
       • “What are You Going to DO About It?”
         ‒ “Prioritize important applications; control the others”
         ‒ “Choose a path based on current application performance”
         ‒ “Optimize traffic to reduce latency and bandwidth usage”
    6. Introducing Cisco Application Visibility and Control (AVC): The Next Stage in the Evolution of Your Network
    7. AVC components (diagram labels): Classify (Protocol Packs, Protocol Definitions: “What are the apps?”); Monitor by app (Basic Traffic, ART, Media); Traffic Export (NetFlow to a NetFlow Collector / Mgmt App, Business Analytics); Control / Apply policy (Bandwidth, Route choice).
    8. HTTP (80), FTP (20/21), SMTP (25), POP3 (110), IMAP (143), HTTPS (443). Are these applications? What about these? Or just ports?
    9. NBAR2: integrated feature in IOS and IOS XE
       • Cisco standard protocol classification mechanism
       • > 1400 protocols vs. ~150 with original NBAR
       • Backwards compatible with original NBAR
       • Upgrade protocols with no OS upgrade
       • NBAR2 supported protocol list online at:
         ‒ http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
       >1000 signatures; advanced classification techniques; Deep Packet Inspection (DPI); native IPv6 classification; custom application profiles; supports >1,000 protocols and sub-classification.
    10. NBAR2 Highlights
       • More than 1000 applications supported and growing
       • Categorization to simplify application management
       • In-service signature update through Protocol Pack
       • Field Extraction: collect application-specific information in addition to identifying applications
       • NBAR2 sub-classification features: dynamic payload types, SSL sub-classification, PCoIP sub-classification, etc.
       Chart: Number of Applications Supported, NBAR1 vs. NBAR2 (1000+). Callout: HTTP URI, HTTP Hostname, Browser Type.
    11. Simplify Application Management with NBAR2 Attributes
       • NBAR2 attributes provide grouping of similar types of applications
       • Use attributes to report on a group of applications or to simplify QoS classification
       • 6 pre-defined attributes per application (can be reassigned by users):
         ‒ Category: first-level grouping of applications with similar functionalities
         ‒ Sub-category: second-level grouping of applications with similar functionalities
         ‒ Application-group: grouping of applications based on brand or application suite
         ‒ P2P-technology?: indicates application is peer-to-peer
         ‒ Encrypted?: indicates application is encrypted
         ‒ Tunneled?: indicates application uses tunneling technique
    12. NBAR2 Application Categories: predefined and customizable to simplify config and reporting
       NBAR2 Category: browsing, business-and-productivity-tools, email, file-sharing, gaming, industrial-protocols, instant-messaging, internet-privacy, layer2-non-ip, layer3-over-ip, location-based-services, net-admin, newsgroup, obsolete, other, trojan, voice-and-video
       NBAR2 Sub-category: authentication-services, backup-systems, client-server, commercial-media-distribution, control-and-signaling, database, epayement, file-sharing, inter-process-rpc, internet-privacy, license-manager, naming-services, network-management, network-protocol, other, p2p-file-transfer, p2p-networking, remote-access-terminal, rich-media-http-content, routing-protocol, storage, streaming, terminal, tunneling-protocols, voice-video-chat-collaboration
       NBAR2 Application Group: apple-talk-group, banyan-group, bittorrent-group, corba-group, edonkey-emule-group, fasttrack-group, flash-group, fring-group, ftp-group, gnutella-group, gtalk-group, icq-group, imap-group, ipsec-group, irc-group, kerberos-group, ldap-group, netbios-group, nntp-group, npmp-group, other, p2p-file-transfer, pop3-group, prm-group, skinny-group, skype-group, smtp-group, snmp-group, sqlsvr-group, stun-group, telepresence-group, tftp-group, vmware-group, vnc-group, wap-group, webex-group, windows-live-messanger-group, xns-xerox-group, yahoo-messenger-group
       P2P Technology, Encrypted, Tunnel: y, n, or unassigned
    13. Define Your Own Application in NBAR2 (ISR G2: 15.2(4)M2; ASR1K: 3.8S)
       Port
       • TCP or UDP
       • 16 static ports per application
       • Range of ports (1000 maximum)
       Payload
       • Search the first 255 bytes of TCP or UDP payload
       • ASCII (16 characters)
       • Hex (4 bytes)
       • Decimal (1-4294967295)
       • Variable (4 bytes Hex)
       HTTP URL
       • URI regex
       • Host regex
       L3/4 Based Definition coming in XE 3.12
    14. NBAR2 Custom Application Enhancement (ISR G2: 15.2(4)M2; ASR1K: 3.8S)
         ip nbar custom 001-payroll http host server1.example.com id 60001
         ip nbar custom 002-doc http url doc host server2.example.com id 60002
         ip nbar custom 003-soft http url software host server2.example.com id 60003
       Custom App | Server | URI | BW | Resp. Time
       My Payroll | server1.example.com | - | 2M | 100ms
       My Doc. Mgmt. | server2.example.com | /doc | 1M | 250ms
       My Software Rep. | server2.example.com | /software | 5M | 30sec
       • Custom application match on HTTP URL and/or Host
       • Callout: Custom App Selector ID
       • All the NBAR commands are under “ip nbar…”; it is completely unrelated to the IP version.
       • Custom application attribute value is set to ‘other’ and ‘unassigned’ by default
       Diagram: Custom Enterprise Application; server1.example.com; server2.example.com with /doc (Documentation) and /software (Software); Cisco Prime Infrastructure: Custom Application Definition & Report
    15. Not just what – but who and where? URL? Hostname? Referrer? User agent? Sender? Server? (NetFlow Collector / Mgmt App, Business Analytics)
    16. NBAR2 Field Extraction: Overview
       • Ability to look into specific applications for additional field information
       • NBAR2 extracted fields from HTTP, RTP, PCoIP, etc. for QoS configuration
       • HTTP header fields
       • Eases classification of voice and video traffic
         ‒ VoIP, streaming/real-time video, audio/video conferencing, Fax over IP
         ‒ Distinguishes between RTP packets based on payload type and CODECs
       • Some extracted fields within Flexible NetFlow and Unified Monitoring
    17. NBAR2 Field Extraction: HTTP Example
       Diagram: www.cnn.com (IP=157.166.255.18); http://www.cnn.com/US; Se0/0/0 (IP=192.168.100.100)
         GET /weather/getForecast?time=37&&zipCode=95035 HTTP/1.1
         Host: svcs.cnn.com
         User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
         Accept-Language: en-us,en;q=0.5
         Accept-Encoding: gzip, deflate
         Connection: keep-alive
         Referer: http://www.cnn.com/US/
       Extracting information from the HTTP message:
         collect application http url
         collect application http host
         collect application http user-agent
         collect application http referer
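To show how the extracted HTTP fields on this slide feed the custom application definitions on slide 14, here is an added example (not NBAR or Cisco code, not part of the deck): a small extractor for url, host, user-agent and referer from a request, and a classifier that applies the three `ip nbar custom` definitions as data. Assumptions: the url and host strings are treated as regular expressions (slide 13 calls them regex; NBAR's exact dialect and anchoring are not reproduced), the first matching definition wins, only the first request of a flow is examined, and the sample requests are constructed.

```python
"""HTTP field extraction and custom-application matching, modelled on the
`ip nbar custom <name> http [url <regex>] host <regex> id <n>` definitions on
slide 14 and the collected fields on slide 17.  Added example, not NBAR code.
Assumptions: url/host strings are regular expressions searched (unanchored)
against the request path and Host header; first matching definition wins;
only the first request in a flow is inspected; sample requests are constructed.
"""
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")

# The three custom applications from slide 14, expressed as data.
CUSTOM_APPS = [
    {"name": "001-payroll", "host": r"server1\.example\.com", "url": None, "id": 60001},
    {"name": "002-doc", "host": r"server2\.example\.com", "url": "doc", "id": 60002},
    {"name": "003-soft", "host": r"server2\.example\.com", "url": "software", "id": 60003},
]


def extract_http_fields(payload):
    """Return the fields slide 17 collects (url, host, user-agent, referer) from
    the first request in a TCP payload, or None if it is not an HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())  # first copy of a repeated header wins
    return {"method": m.group(1), "url": m.group(2), "host": headers.get("host"),
            "user-agent": headers.get("user-agent"), "referer": headers.get("referer")}


def classify(fields):
    """Map extracted fields to (custom app name, selector id), or None."""
    if not fields or not fields["host"]:
        return None
    host = fields["host"].split(":")[0].lower()   # drop an explicit port (bracketed IPv6 literals not handled)
    path = fields["url"].split("?", 1)[0]         # url rules are matched against the path, not the query
    for app in CUSTOM_APPS:
        if re.search(app["host"], host) and (app["url"] is None or re.search(app["url"], path)):
            return app["name"], app["id"]
    return None


def flow_record(payload):
    """What a collector would receive for this flow: the extracted fields plus the
    custom application (None when no definition matched)."""
    fields = extract_http_fields(payload)
    return {"fields": fields, "application": classify(fields)}


# Constructed samples: the request shown on slide 17, a request to the doc server
# with an explicit port, a payroll request, and a TLS record header (not HTTP).
CNN_REQUEST = (b"GET /weather/getForecast?time=37&&zipCode=95035 HTTP/1.1\r\n"
               b"Host: svcs.cnn.com\r\n"
               b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n"
               b"Referer: http://www.cnn.com/US/\r\n\r\n")
DOC_REQUEST = b"GET /doc/index.html?lang=en HTTP/1.1\r\nHost: server2.example.com:8080\r\n\r\n"
PAYROLL_REQUEST = b"GET /login HTTP/1.1\r\nHost: server1.example.com\r\n\r\n"
NOT_HTTP = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"

if __name__ == "__main__":
    for sample in (CNN_REQUEST, DOC_REQUEST, PAYROLL_REQUEST, NOT_HTTP):
        print(flow_record(sample))
```

Two points matter for anyone writing such rules: an unanchored host regex such as `server2\.example\.com` also matches `otherserver2.example.com`, so anchor it; and because definitions are tried in order, a path like /software/doc lands in 002-doc here, so put the more specific rule first. The Host header is supplied by the client, which makes a custom application class a classification and reporting aid rather than an identity or access control.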
    18. Sub-Classification: NBAR RTP Payload Type Classification
       • Eases classification of voice and video traffic
         ‒ VoIP, streaming/real-time video, audio/video conferencing, Fax over IP
       • Distinguishes between RTP packets based on payload type and CODECs
       • New in PP 7.0
         ‒ audio/video parameters will match not only if the PT is in the known static range of audio or video, but also if it’s in the dynamic range
       • Future: audio/video granularity will be not a sub-classification but an actual protocol, so the report will show it well.
       CODEC | Payload Type
       G.711 (Audio) | 0 (mu-law), 8 (a-law)
       G.721 (Audio) | 2
       G.722 (Audio) | 9
       G.723 (Audio) | 4
       G.728 (Audio) | 15
       G.729 (Audio) | 18
       H.261 (Video) | 31
       MPEG-1 (A/V), MPEG-2 (A/V) | 14 (Audio), 32 (Video), 33 (A-V)
       Dynamic | 96–127
       Router(config-cmap)# match protocol rtp ?
         audio         match voice packets
         payload-type  match an explicit PT (Payload Type)
         video         match video packets
    19. What applications, how much bandwidth, flow direction? (Flexible NetFlow and NBAR / NBAR2)
       Basic Monitoring: HTTP. Advanced Monitoring: HTTP; Voice and Video Performance (30% of traffic is voice and video); Transactional Application Performance (40% of traffic is critical applications). Simpler for configuration, collection, analysis, and troubleshooting.
    20. More Metrics with Flexible NetFlow
       Flexible NetFlow: bytes, packets, routing info (L3 to L4). Flexible NetFlow + NBAR: Application ID (L3 to L7). Unified Monitoring: performance metrics (e.g. media, transactional: network latency, response time, jitter, retransmission); network metrics (e.g. QoS: QoS policy/class-map); derived metrics (e.g. URL hit count); other metrics (e.g. PfR).
       NetFlow to FNF Migration Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/white_paper_c11-545581.html
    21. Foundation: Exporting Process, NetFlow v9 and IPFIX
       NetFlow Version 5 (static flow export format): fixed number of fields (18 fields), e.g. source/destination IP & port, input/output interfaces, packet/byte count, ToS. Exporter sends flow records to the collector in that fixed layout.
       NetFlow v9 / IPFIX (flexible & extensible flow export format): users define the flow record format; the flow format is communicated to the collector (“Describe flow format A”, “Describe flow format B”, then flow records A and B follow).
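The template-before-data dependency described on this slide (and in the speaker note on FlowSet IDs above) is what a collector has to handle: a data FlowSet cannot be decoded until the template with the same ID has arrived. The following added example (not Cisco code, not part of the deck) builds a constructed NetFlow v9 packet and parses it while keeping templates across packets. It follows the RFC 3954 allocation, in which template IDs are 256 or greater and a data FlowSet's ID equals its template ID; the field type numbers are from the v9 field registry, and the engine-id byte inside the application ID is a placeholder.

```python
"""NetFlow v9 export parsing: a template FlowSet (FlowSet ID 0) describes the
record layout, and data FlowSets carry records under a FlowSet ID equal to
their template ID.  Added example, not Cisco code.  Assumptions: field type
numbers follow the NetFlow v9 registry (1 IN_BYTES, 2 IN_PKTS, 7 L4_SRC_PORT,
8 IPV4_SRC_ADDR, 11 L4_DST_PORT, 12 IPV4_DST_ADDR, 95 APPLICATION_ID as a
1-byte engine id plus 3-byte selector); the packet, the engine id byte and the
header's record count are constructed here and the parser ignores the count.
"""
import socket
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceId
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 7: "src_port", 8: "src_ip",
               11: "dst_port", 12: "dst_ip", 95: "application_id"}
TEMPLATE_256 = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (2, 4), (95, 4)]


def decode_field(ftype, raw):
    """IPv4 fields become dotted quads, application_id an (engine, selector) pair."""
    if ftype in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    if ftype == 95 and len(raw) == 4:
        return raw[0], int.from_bytes(raw[1:], "big")
    return int.from_bytes(raw, "big")


def template_body(tid, fields):
    return struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)


def record_body(src, dst, sport, dport, nbytes, npkts, engine, selector):
    """One record laid out exactly as TEMPLATE_256 describes it."""
    app_id = (engine << 24) | selector
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHIII", sport, dport, nbytes, npkts, app_id)


def build_packet(seq, flowsets, source_id=1):
    """Assemble a v9 packet from (flowset_id, body) pairs, padding each FlowSet to 4 bytes."""
    out = bytearray()
    for fs_id, body in flowsets:
        pad = (-len(body)) % 4
        out += struct.pack("!HH", fs_id, 4 + len(body) + pad) + body + b"\x00" * pad
    return HEADER.pack(9, len(flowsets), 12345, 1380000000, seq, source_id) + bytes(out)


def parse_packet(data, templates):
    """Parse one packet.  `templates` (template id -> field list) is updated in
    place because a collector must keep templates across packets.  Returns
    (records, undecodable), the latter being FlowSet IDs seen before their template."""
    version = HEADER.unpack_from(data, 0)[0]
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    pos, records, undecodable = HEADER.size, [], []
    while pos + 4 <= len(data):
        fs_id, fs_len = struct.unpack_from("!HH", data, pos)
        if fs_len < 4 or pos + fs_len > len(data):
            raise ValueError("bad FlowSet length at offset %d" % pos)
        body = data[pos + 4:pos + fs_len]
        if fs_id == 0:  # template FlowSet: may carry several templates, then zero padding
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, off)
                if nfields == 0:
                    break
                templates[tid] = [struct.unpack_from("!HH", body, off + 4 + 4 * i) for i in range(nfields)]
                off += 4 + 4 * nfields
        elif fs_id == 1:  # options template FlowSet: not decoded in this example
            pass
        elif fs_id in templates:  # data FlowSet: fixed-size records, trailing padding ignored
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            for r in range(len(body) // rec_len):
                rec, off = {}, r * rec_len
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = decode_field(ftype, body[off:off + flen])
                    off += flen
                records.append(rec)
        else:
            undecodable.append(fs_id)
        pos += fs_len
    return records, undecodable


def bytes_by_app(records):
    """Per-application byte totals, the raw material for a top-N application report."""
    totals = {}
    for rec in records:
        totals[rec["application_id"]] = totals.get(rec["application_id"], 0) + rec["in_bytes"]
    return totals


# Constructed sample: two flows; selector ids 60001/60002 echo the custom app ids on
# slide 14, and the engine id byte 1 is a placeholder.
SAMPLE_RECORDS = (record_body("10.1.1.10", "203.0.113.5", 51234, 443, 8400, 12, 1, 60001)
                  + record_body("10.1.1.11", "198.51.100.7", 40000, 80, 1500, 5, 1, 60002))


def demo():
    """Data before its template is undecodable; once the template arrives it decodes."""
    templates = {}
    first = parse_packet(build_packet(1, [(256, SAMPLE_RECORDS)]), templates)
    second = parse_packet(build_packet(2, [(0, template_body(256, TEMPLATE_256)), (256, SAMPLE_RECORDS)]), templates)
    return first, second


if __name__ == "__main__":
    before, after = demo()
    print("before template:", before)
    print("after template:", after[0])
    print("bytes by app:", bytes_by_app(after[0]))
```

Run stand-alone it reports the first packet's FlowSet 256 as undecodable, then the two decoded records and per-application byte totals once the template has been seen. The same dependency is why an exporter's template refresh interval matters operationally: a collector restarted mid-stream decodes nothing until the next template arrives.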
    22. 22. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 22 Foundation: Exporting Process Available Option Templates Option Template Definition application-table NBAR Application ID to name mapping application-attributes Application attributes definition per application c3pl-class-table QoS class-map ID to name mapping c3pl-policy-table QoS policy-map ID to name mapping exporter-stats Exporter Statistics Option interface-table Interface SNMP ifIndex to name mapping Sampler-table Export Sampler Option sub-application-table NBAR Sub-application ID to name mapping vrf-table VRF ID to name mapping queue-id (hidden) Queue index and queue drop information Note: Check the IOS release for exact support
    23. 23. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 23 1. Traffic Statistics: Application Usage ASR HQ ISR ISR ISRISR Reporting Tool ASR Key Features  Feature to collect and export network information and statistics  Flexibility in defining fields and flow record format  NBAR2 Integration  Examines data from Layers 3 thru 7  Utilizes Layers 3 and 4 plus packet inspection for classification  Stateful inspection of dynamic-port traffic  IOS: FNF, PA or MMA  IOS-XE: FNF or MMA  Export: NFv9 or IPFIX Benefits  Visibility into application usage  Monitors data in Layers 2 thru 7  Capacity Planning  Top-N applications  Top-N clients and servers WAN1 (IP-VPN) WAN2 (IPVPN, DMVPN)
    24. 24. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 24 For Your Reference
25. 2. URL Collection: Top Domains and Hit Counts

Key Features
• Provides a web browsing activity report
• Standard IPFIX export
• IOS: PA or MMA
• IOS-XE: MMA
• Utilizes the IPFIX format, which is extensible

Benefits
• Visibility into top domains
• Monitors data in Layers 2 through 7
• Most visited web site
• Most visited URL per site
• How many hits for a particular domain, extracted from the HTTP request message

Note: the host and URL are read from the cleartext HTTP request, so TLS-encrypted sessions yield no URL.

[Figure: hit counts grouped by host and URL, e.g. www.cnn.com: http://www.cnn.com/US (2), http://www.cnn.com/WORLD (1); www.youtube.com: http://www.youtube.com/ciscolivelondon (1), http://www.youtube.com/olympic (1); www.facebook.com: http://www.facebook.com/farmville (3), http://www.facebook.com/cisco (1).]
26. Example: URL Hit Count Report (courtesy of LivingObjects)
The report shows how many hits a particular domain received, extracted from HTTP request messages.
27. 3. Application Response Time Measurement

Key Features
• 27 Application Response Time (ART) metrics
• Interacts with NBAR2 for the application ID
• IOS: PA or MMA
• IOS-XE: MMA
• Export: NetFlow v9 and IPFIX

Benefits
• Visibility into application usage and performance
• Quantify user experience
• Troubleshoot application performance
• Track service levels for application delivery

[Figure: an ASR at the HQ and ISRs at the branches, each running PA, export to a reporting tool over WAN1 (IP-VPN) and WAN2 (IP-VPN, DMVPN). Typical complaints: "My email is slow!", "My query is taking a long time!", "How do I ensure my SLA is met?" The delay is broken down into branch delay, network delay and datacenter delay.]
28. Application Delivery Path Breakdown
• Separates the application delivery path into multiple segments
• Server Network Delay (SND) approximates the WAN delay
• Latency is reported per application

[Figure: clients sit in the client network, the measuring IOS device observes the request and response in between, and the application servers sit in the server network. Segments of the total delay: Client Network Delay (CND) between the clients and the IOS device; Server Network Delay (SND) between the IOS device and the servers; Application Delay (AD), the time the server takes before it starts responding; Network Delay (ND), the sum of CND and SND. Total Delay spans the whole request/response exchange.]
29. Application Response Time Measurement (For Your Reference)
[Screenshots of ART reports, courtesy of LivingObjects.]
31. Media Performance Metrics
What are my key network metrics for each media application?

ASR1k flow record for media (RTP) traffic

Key fields
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match transport rtp ssrc
 match routing vrf output
 match interface output

Non-key fields
 collect routing vrf input
 collect interface input
 collect application name
 collect ipv4 dscp
 collect datalink source-vlan-id
 collect connection initiator
 collect counter packets
 collect counter bytes long
 collect connection new-connections
 collect ipv4 ttl
 collect transport rtp payload-type
 collect transport rtp jitter mean sum
 collect transport rtp jitter maximum
 collect transport packets lost counter
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
32. Per-class monitoring: what to match and what to collect

Traffic class             Match                              Collect
Enterprise Voice & Video  Enterprise subnet, RTP traffic     Media Performance, Traffic Statistics
Enterprise TCP Apps       Datacenter subnet, TCP             ART, Traffic Statistics
Enterprise Cloud Apps     SFDC, Office 365                   ART, Traffic Statistics
Web Browsing              HTTP                               URL Sample, Traffic Statistics
Rest of traffic           Any                                Traffic Statistics
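The per-class table above, written out as an added IOS-XE (MMA) performance-monitor policy; this is an added example and not configuration from the deck. The class, record, monitor and policy names, the datacenter subnet 10.200.0.0/16, the collector address and port, and the interfaces are assumptions. The NBAR2 protocol names `salesforce` and `ms-office-365` and the ART/URL field names depend on the protocol pack and IOS-XE release installed, so confirm them with `?` on the device before relying on them.

```ios
! Added example, not from the deck: the per-class monitoring policy from the
! table as an IOS-XE performance-monitor policy. Names, subnet, collector
! address/port and the two cloud protocol names are assumptions.
ip access-list extended DATACENTER-TCP
 permit tcp any 10.200.0.0 0.0.255.255
 permit tcp 10.200.0.0 0.0.255.255 any
!
class-map match-any ENTERPRISE-VOICE-VIDEO
 match protocol rtp
class-map match-all ENTERPRISE-TCP-APPS
 match access-group name DATACENTER-TCP
class-map match-any ENTERPRISE-CLOUD-APPS
 match protocol salesforce
 match protocol ms-office-365
class-map match-any WEB-BROWSING
 match protocol http
!
flow exporter EXPORTER-1
 destination 10.10.10.10
 source GigabitEthernet0/0/1
 transport udp 2055
 export-protocol ipfix
 option application-table
!
! Media performance: jitter and loss per RTP stream (SSRC)
flow record type performance-monitor REC-MEDIA
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match transport rtp ssrc
 collect application name
 collect counter bytes long
 collect counter packets long
 collect transport rtp jitter mean sum
 collect transport rtp jitter maximum
 collect transport packets lost counter
!
! Application response time: network and application delay per server
flow record type performance-monitor REC-ART
 match connection client ipv4 address
 match connection server ipv4 address
 match connection server transport port
 match ipv4 protocol
 match application name
 collect connection delay network client-to-server sum
 collect connection delay application sum
 collect connection delay response to-server sum
 collect connection client counter bytes long
 collect connection new-connections
!
! URL sample: host and URI from the HTTP request, one transaction per record
flow record type performance-monitor REC-URL
 match connection transaction-id
 collect application name
 collect application http host
 collect application http uri statistics
 collect connection client ipv4 address
!
! Traffic statistics: bytes and packets per application and conversation
flow record type performance-monitor REC-TRAFFIC-STATS
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect application name
 collect counter bytes long
 collect counter packets long
!
flow monitor type performance-monitor MON-MEDIA
 record REC-MEDIA
 exporter EXPORTER-1
flow monitor type performance-monitor MON-ART
 record REC-ART
 exporter EXPORTER-1
flow monitor type performance-monitor MON-URL
 record REC-URL
 exporter EXPORTER-1
flow monitor type performance-monitor MON-TRAFFIC-STATS
 record REC-TRAFFIC-STATS
 exporter EXPORTER-1
!
! Sample 1 in 100 HTTP transactions for the URL record
sampler URL-SAMPLER
 mode random 1 out-of 100
!
policy-map type performance-monitor AVC-MONITOR
 class ENTERPRISE-VOICE-VIDEO
  flow monitor MON-MEDIA
  flow monitor MON-TRAFFIC-STATS
 class ENTERPRISE-TCP-APPS
  flow monitor MON-ART
  flow monitor MON-TRAFFIC-STATS
 class ENTERPRISE-CLOUD-APPS
  flow monitor MON-ART
  flow monitor MON-TRAFFIC-STATS
 class WEB-BROWSING
  flow monitor MON-URL sampler URL-SAMPLER
  flow monitor MON-TRAFFIC-STATS
 class class-default
  flow monitor MON-TRAFFIC-STATS
!
interface GigabitEthernet0/0/0
 service-policy type performance-monitor input AVC-MONITOR
 service-policy type performance-monitor output AVC-MONITOR
```

The policy is attached in both directions on the WAN interface because ART needs to see both the request and the response to compute client-side, server-side and application delay. The URL record is sampled rather than collected for every transaction: browsing traffic produces one record per HTTP request, and exporting all of them is both a load problem on the router and an over-collection of user browsing data on the collector.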
33. ezPM: Simplified Configuration for AVC Monitoring
• Equivalent to ~650 lines of configuration
• Records, monitors, class-maps and policy-map are pre-defined
• IOS-XE: 3.10; IOS: 15.4(1)T

 ! User defined ezPM context
 performance monitor context my-visibility profile application-experience
  exporter destination 10.10.10.10 source GigabitEthernet0/0/1
  traffic-monitor all
 !
 ! Attach the context to the interface
 interface GigabitEthernet0/0/2
  performance monitor context my-visibility
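An added variant of the ezPM configuration above (not from the deck) that enables only selected traffic monitors instead of `traffic-monitor all`, followed by the show commands used to see what ezPM generated and to confirm the export is leaving the router. The context name WAN-EDGE, the interfaces and the collector address are assumptions, and the `traffic-monitor` keyword names are those of the application-experience profile on the IOS-XE releases the slide names; check them with `?` on your release.

```ios
! Added example, not from the deck: ezPM context that enables a subset of
! the monitors, plus verification commands. Names/interfaces are assumed.
performance monitor context WAN-EDGE profile application-experience
 exporter destination 10.10.10.10 source GigabitEthernet0/0/1
 traffic-monitor application-response-time
 traffic-monitor media
 traffic-monitor url
 traffic-monitor application-traffic-stats
!
interface GigabitEthernet0/0/2
 performance monitor context WAN-EDGE
!
! Verification, from exec mode:
! show performance monitor context WAN-EDGE configuration
!   prints the records, monitors, class-maps and policy-map ezPM generated
!   (the ~650 lines the slide refers to), so you can review exactly what
!   is collected and exported before trusting it
! show performance monitor context WAN-EDGE summary
! show flow exporter statistics
!   datagrams sent should increase; a non-zero export failure count means
!   the collector path (ACLs, VRF, source interface) needs attention
```

Reviewing the generated configuration is the step to keep even with ezPM: it is the only way to see which fields (URLs, client addresses) the context exports, and it is what an auditor will ask for.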
34. AVC Configuration via Prime Infrastructure
• Enable AVC features with just an ON/OFF button
• With Cisco Prime Infrastructure 2.0
35. AVC Configuration: Prime AVC One-Click
• Enable AVC in one click, one device at a time
• Two simple steps:
 1. Select interface(s)
 2. Enable
36. Application Bandwidth Control (QoS)
• Guarantee bandwidth to protect critical applications from network congestion
• Provide low latency to delay-sensitive applications
• Stop or limit unwanted applications from using WAN resources

Application Path Selection (PfR)
• Application routing based on real-time performance information
• Intelligent load sharing provides resiliency and fully utilizes all available WAN resources
• Improves performance of voice, video, and critical applications

[Figure: LAN to WAN with email and HTTP flows; candidate paths are the Internet (no SLA), WAN 1 (high SLA) and WAN 2 (medium SLA).]
37. Example: Stop P2P Applications with AVC

 class-map match-any bittorrent
  match protocol attribute sub-category p2p-file-transfer
  match protocol bittorrent-networking
  match protocol dht
 !
 policy-map drop-bittorrent
  class bittorrent
   police 8000 conform-action drop exceed-action drop violate-action drop
 !
 interface GigabitEthernet0/0/0
  service-policy input drop-bittorrent
  service-policy output drop-bittorrent

[Figure: application traffic graph before and after applying the control policy.]
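The three bandwidth-control goals of the slide before last (guarantee bandwidth, give low latency to delay-sensitive traffic, stop unwanted applications) combined into one WAN egress policy, as an added example that is not from the deck. It reuses the deck's bittorrent class and replaces the police-everything-to-drop trick with the explicit MQC `drop` action. The class and policy names, the 50 Mbps shaper rate, the percentages and the interface are assumptions; the NBAR2 category name and `rtp audio`/`rtp video` sub-protocols are standard NBAR2 match keywords.

```ios
! Added example, not from the deck: hierarchical WAN egress policy using
! NBAR2 classes. Names, rates and percentages are assumptions.
class-map match-any VOICE
 match protocol rtp audio
class-map match-any INTERACTIVE-VIDEO
 match protocol rtp video
class-map match-any BUSINESS-CRITICAL
 match protocol attribute category business-and-productivity-tools
 match protocol citrix
class-map match-any bittorrent
 match protocol attribute sub-category p2p-file-transfer
 match protocol bittorrent-networking
 match protocol dht
!
policy-map WAN-EDGE-OUT
 ! low latency: strict-priority queues, capped so they cannot starve the rest
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 20
 ! guaranteed share of what is left under congestion
 class BUSINESS-CRITICAL
  bandwidth remaining percent 40
  fair-queue
 ! unwanted: explicit drop instead of policing to a near-zero rate
 class bittorrent
  drop
 class class-default
  bandwidth remaining percent 10
  fair-queue
!
! Shape to the contracted WAN rate so the queues above actually engage
policy-map WAN-SHAPER
 class class-default
  shape average 50000000
  service-policy WAN-EDGE-OUT
!
interface GigabitEthernet0/0/0
 service-policy output WAN-SHAPER
```

Two caveats a practitioner will hit. NBAR2 classifies a flow only after inspecting its first packets, so the first packets of a new P2P session can be forwarded before the `bittorrent` class matches; the policy stops the application, it does not prevent the handshake from being seen. And a shaper is needed on the parent because the bandwidth and priority guarantees only take effect when the policy itself sees congestion; on an interface faster than the WAN circuit, the queues never fill and the guarantees never kick in.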
38. Application Performance Optimization
• Visualize application paths and problems with AVC & Medianet
• Alert on application performance with AVC
• QoS control using NBAR2 to optimize application performance
(Screenshot © 2014 ActionPacked Networks, Inc. All Rights Reserved. Proprietary and Confidential.)
39. QoS Monitoring & Configuration
Once the policy is applied to police Interactive Video to 512 Kbps, LiveAction can monitor to see how the policy has taken effect.
[Screenshot: QoS marking view with a congestion indicator (amber color).]
42. Application Path Selection with PfR
• PfR monitors network performance and routes applications based on application performance policies
• PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth

[Figure: a branch connected to a private cloud over MPLS and to a virtual private cloud over the Internet. Voice/video take the best delay, jitter, and/or loss path and will be rerouted if the current path degrades below policy thresholds; other traffic is load balanced to maximize bandwidth.]
43. LiveAction for Cisco Intelligent Path Control
44. Cisco AVC Management Solutions
• Enterprise Solutions
• Managed Service Provider Solutions
• Prime Infrastructure
