
Architectures and choice of technology

Per Jensen, Consulting Systems Engineer

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Agenda

• Architectures and choice of technology
  – Unified Access – refresher
  – Instant Access
  – Converged Access
• SDU Case
• AVC (Application Visibility and Control)
  – AVC overview
  – NBAR2
  – Performance
  – Control
• Key Takeaways


Unified Access - refresher

Cisco ONE Enterprise Networks Architecture: Simple, Secure, Reduced TCO

• One place to define policy, multiple policy enforcement points
  – One pane of glass
  – Wired
  – Wireless
• Deployment modes
  – Wired: Traditional Access, Instant Access
  – Wireless: Centralized, Flex, Autonomous
  – Wired-wireless: Converged Access

Unified Access – focus

Components: Aironet APs; Cisco Catalyst 4500E and Cisco Catalyst 3K-X; Cisco Catalyst 6500/VSS; WiSM2/WLC; Cisco Prime Infrastructure; Identity Services Engine

• TrustSec: Secure Group Access to simplify the network and enable virtualized data center services
• Application Visibility and Control: application-aware networking to enable collaboration, video, and other apps
• Resiliency: maximized network availability with Virtual Switching and Stateful Switch Over
• Smart Operations: reduce operating expenses and improve network application and service delivery

Unified Access – products

• One Policy: Identity Services Engine (ISE), MDM
• One Management: Prime Infrastructure
• One Network: controllers and access switches
  – Access Points: 1600 (small-mid enterprise); 2600 and 2700 (feature-optimized enterprise); 3600 (mid-large enterprise); 3700 w/ HDX (high-density enterprise); 1530 (low profile); 1550 (larger deployments)
  – Wireless Controllers: 8500, 5760, 5508
  – Converged Access Switches: Catalyst 3650, Catalyst 3850
  – Access Switch: Catalyst 2960-X
  – Backbone Switches: Catalyst 6800, Catalyst 6500, Catalyst 4500


Benefits of Instant Access

• Simplify operations across the entire distribution POD
• "Grow as you go" with full "plug & play" IA client provisioning
• Deploy premium Catalyst 6500 features at the access layer

Diagram: a traditional distribution block (a VSS pair joined by the VSL, with standalone access switches or access switch stacks attached over LACP or PAgP port channels, or over STP/MST) compared with Catalyst Instant Access (the same VSS pair with Instant Access clients and Instant Access stacks attached, with SDP, SRP and SCP on the links to the Instant Access clients).

Benefits: reduced TCO

• Single image to deploy and manage across the distribution POD
• Agile infrastructure: add new features across layers
• Ultra high availability with quad-sup VSS SSO
• Plug & play architecture: add more when needed
• Single point of management, configuration and troubleshooting

Example: 1000 user-port campus distribution POD. Traditional access: Prime managed devices = 22. Catalyst Instant Access (with ISE): managed devices = 1.


Understanding the current deployment model (known deployment model)

• Wireless is an overlay network
• Software components within the WLC today:
  – Mobility Agent (MA) is responsible for: AP CAPWAP termination; maintaining the client database; policy enforcement
  – Mobility Controller (MC) is responsible for: client mobility; Radio Resource Management (RRM); wIPS, spectrum management

Diagram: access points with AP-controller CAPWAP tunnels to a pair of 5508 controllers (each running both MC and MA), an inter-controller EoIP/CAPWAP tunnel between the controllers, and ISE and Prime alongside.

Better scale and bandwidth with Converged Access

• Traditional controllers continue to play MA and MC
• The Catalyst 3850 can play the role of both MA and MC; valid for branch and small-medium campus type deployments
• Moving only the MA to the Catalyst 3850 (typically in a large campus) helps with:
  – Improved scalability: larger mobility domains
  – Increased wireless bandwidth
  – Uniform wired/wireless policy enforcement

Diagram: access points terminate their CAPWAP tunnels on the new Catalyst 3850 switches (MA); mobility tunnels run from the 3850s to the MC, which is a 5508 or WiSM2 with a software upgrade or a new 5760; the existing Catalyst 3750 access switches, ISE and Prime remain in place.


Architecture and technology choices: Infrastructure

Syddansk Universitet (University of Southern Denmark)

Tim Kirketerp, Head of Infrastructure, IT Service

University of Southern Denmark: an international university with a focus on its students, with research at the highest international level, and closer to the world around it.

May 2014

Infrastructure requirements

• A super-stable wireless network for holding digital exams
• A strong network for research, teaching and administration, both wired and wireless
• Uniformity regardless of location
• A huge number of devices of different kinds
• The possibility of network collaboration with close partners, for example OUH, UCL and RSDK.

Solution in operation

• 1100+ APs: 100% wireless coverage
• Layer 3 network, data center in Odense
• No decentralized servers in the cities
• Uniformity regardless of location
• 2 technologies: wireless and wired
• 802.1X only on the wireless network
• No use of metadata such as positioning, application control, user types and device management

Campus Kolding

Campus profile: Entrepreneurship; Communication; Design, culture and language
Students as of 1 October 2013: enrolled 2,634, of which 176 international; intake 781
Staff as of 31 December 2013 (full-time equivalents): academic 109; technical and administrative 60

• New low-energy building
• Neighbour to the Design School, with a focus on design

Network at Campus Kolding

• 2 × Cisco 4500-X routers
• 12 × Cisco 4506-E chassis
• 2 × Cisco 8510 Wi-Fi controllers (HA)
• 80 × Cisco 3702 APs
• Cisco Identity Services Engine (ISE)
• MSE Virtual Appliance
• The licences needed to start out with…

The sector's best network people - and solid gear

Campus Odense: large planned new buildings

Map: planned new buildings (in red): 1. New OUH; 2. SDU SUND; 3. SDU TEK; 4. Portalby, incl. Forskerpark (research park); plus 5. a light rail line through the area. Map labels: SDU SUND, SDU TEK, Niels Bohrs Allé, to the motorway, New OUH, current SDU Campusvej.


Focus on AVC

The Unified Access components and pillars shown earlier (Aironet APs; Catalyst 4500E and 3K-X; Catalyst 6500/VSS; WiSM2/WLC; Prime Infrastructure; ISE; TrustSec, AVC, Resiliency, Smart Operations), with the focus now on Application Visibility and Control: application-aware networking to enable collaboration, video, and other apps.

Key customer challenges

• 65% of organizations do not know what is running on their network
• Port 80 is typically associated with HTTP web traffic, but it can also be used for streaming media, P2P music downloads and more
• 89% of network downtime and outages are due to lack of visibility and awareness into network load and application performance
• 61% of organizations report that public cloud services reduce visibility into end user experiences

Diagram: branches with no direct Internet access and branches with direct Internet access, connected over the WAN to the data centers and over the Internet to public SaaS.

• How can I fix the poor and inconsistent performance?
• How can I recover from network outages faster?
• How can I increase utilization of my expensive WAN links?
• How can I increase my WAN reliability?

What is Application Visibility and Control (AVC)?

1. Application Recognition: identify applications using L3 to L7 information (on the ASR1K and ISR G2)
2. Performance Collection & Exporting: the ISR G2 and ASR collect application performance metrics and export them to the management tool over NetFlow v9/IPFIX
3. Management Tool: an advanced reporting tool aggregates and reports application performance, for example an App Visibility & User Experience report:

   App          BW     Transaction Time
   SAP          3M     150 ms
   Sharepoint   10M    500 ms
   …

4. Control: use QoS and PfR to control application network usage (High / Med / Low) to improve application performance

AVC Solution – enabled technologies

1. Application Recognition: NBAR2
2. Performance Collection & Exporting: Metric Mediation Agent (basic monitoring; application response time; voice/video monitoring), exported over NetFlow v9/IPFIX
3. Management Tool: Cisco Prime Infrastructure; Insight Reporter; 3rd party tools (App Visibility & User Experience report, e.g. SAP 3M 150 ms, Sharepoint 10M 500 ms)
4. Control: QoS (w/ NBAR2); PfR (w/ NBAR2)

How is assurance achieved?

By normalizing and correlating data across multiple sources, Prime Infrastructure leverages the power of embedded Cisco instrumentation:

• NAM module/appliance: SNMP/CLI polling, WAAS, NBAR, Medianet, ART/PA, SPAN/ERSPAN, NetFlow
• Cisco ASR: NBAR2, AVC, Medianet
• Cisco ISR/ISR G2: NBAR2, AVC, Medianet
• Cisco 6500/6800: NetFlow, Medianet
• Wireless Controller: NBAR2
• Cisco Catalyst 3750-X and 3K-X 10G Catalyst switches: NetFlow, Medianet


What is really in your network?

Port monitoring sees: http? unknown?
Application monitoring sees: bittorrent, rtp, gtalk, netflix, skype, webex

Next Generation NBAR (NBAR2)

IOS NBAR (150+ signatures) + SCE classification (1600+ signatures) + advanced classification techniques + innovations (native IPv6, classification, open API) = NBAR2

• New DPI engine provides advanced application classification and field extraction capabilities from SCE
• Protocol Pack allows adding more applications without upgrading or reloading IOS
• NBAR2 protocol list: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

List of all NBAR2 attributes and values (for your reference)

NBAR2 Category: browsing, business-and-productivity-tools, email, file-sharing, gaming, industrial-protocols, instant-messaging, internet-privacy, layer2-non-ip, layer3-over-ip, location-based-services, net-admin, newsgroup, obsolete, other, trojan, voice-and-video

NBAR2 Sub-category: authentication-services, backup-systems, client-server, commercial-media-distribution, control-and-signaling, database, epayement, file-sharing, inter-process-rpc, internet-privacy, license-manager, naming-services, network-management, network-protocol, other, p2p-file-transfer, p2p-networking, remote-access-terminal, rich-media-http-content, routing-protocol, storage, streaming, terminal, tunneling-protocols, voice-video-chat-collaboration

NBAR2 Application Group: apple-talk-group, banyan-group, bittorrent-group, corba-group, edonkey-emule-group, fasttrack-group, flash-group, fring-group, ftp-group, gnutella-group, gtalk-group, icq-group, imap-group, ipsec-group, irc-group, kerberos-group, ldap-group, netbios-group, nntp-group, npmp-group, other, p2p-file-transfer, pop3-group, prm-group, skinny-group, skype-group, smtp-group, snmp-group, sqlsvr-group, stun-group, telepresence-group, tftp-group, vmware-group, vnc-group, wap-group, webex-group, windows-live-messanger-group, xns-xerox-group, yahoo-messenger-group

P2P Technology: y, n, unassigned
Encrypted: y, n, unassigned
Tunnel: y, n, unassigned

Define your own application in NBAR2

• Port: TCP or UDP; 16 static ports per application; range of ports (1000 maximum)
• Payload: search the first 255 bytes of TCP or UDP payload; ASCII (16 characters); and more
• HTTP URL (new): URI regex; host regex

Flexible NetFlow - NBAR integration

Key fields, packet #1: source IP 10.1.1.1; destination IP 173.194.34.134; source port 20457; destination port 80; layer 3 protocol 6; TOS byte 0; ingress interface Ethernet 0

NetFlow cache after packet #1:

Src. IP    Dest. IP         Src. Port  Dest. Port  L3 Prot.  TOS  Ingress Intf.
10.1.1.1   173.194.34.134   20457      80          6         0    Ethernet 0

Key fields, packet #2: source IP 10.1.1.1; destination IP 72.163.4.161; source port 30307; destination port 80; layer 3 protocol 6; TOS byte 0; ingress interface Ethernet 0

NetFlow cache with the collected application name (timestamps, bytes and packets are collected per entry as well):

Src. IP    Dest. IP         Src. Port  Dest. Port  L3 Prot.  TOS  Ingress Intf.  App Name
10.1.1.1   173.194.34.134   20457      80          6         0    Ethernet 0     HTTP
10.1.1.1   72.163.4.161     30307      80          6         0    Ethernet 0     Youtube

flow record app_record
 match ipv4 source address
 match ipv4 destination address
 match …
 collect application name

The first packet of a flow creates the flow entry using the key fields; the remaining packets of this flow only update statistics (bytes, counters, timestamps).

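The three custom-application matchers listed above (static ports, an ASCII string in the first 255 bytes of payload, a host or URI regex on HTTP) and the cache behaviour just described (the first packet of a flow creates the entry and fixes the collected application name, later packets only update the counters) can be exercised together in one small model. The Python below is an added example written for this page, not Cisco code and not how NBAR2 or IOS implement either feature internally; the application names, the patterns, the 40-byte header allowance, the single built-in host signature and the packets (built from the slide's addresses) are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int            # IP protocol number: 6 = TCP, 17 = UDP
    tos: int
    ingress: str
    ts: float = 0.0       # arrival time, seconds
    payload: bytes = b""


IP_TCP_HDR = 40           # assumed IPv4 + TCP header bytes (no options) for the byte counter
PAYLOAD_SCAN = 255        # custom payload matching looks only at the first 255 bytes
ASCII_MAX = 16            # and at an ASCII string of at most 16 characters

# Custom definitions in the three styles on the slide (names/patterns assumed).
CUSTOM_APPS = [
    {"name": "my-erp", "transport": 6, "ports": {8443, 9443}},        # up to 16 static ports
    {"name": "my-telemetry", "transport": 17, "ascii": b"TELEMv1"},   # payload string
    {"name": "my-intranet", "host_regex": r"^intranet\.example\.com$"},
    {"name": "my-api", "uri_regex": r"^/api/v[0-9]+/"},
]
# Stand-in for one built-in signature (the real engine ships thousands).
BUILTIN_HOST_APPS = {"youtube": r"(^|\.)youtube\.com$"}


def parse_http_request(payload: bytes):
    """Return (uri, host) when the payload starts an HTTP/1.x request, else None."""
    m = re.match(rb"^(?:GET|POST|PUT|HEAD|DELETE) (\S+) HTTP/1\.[01]\r\n", payload)
    if not m:
        return None
    host = re.search(rb"\r\n[Hh]ost: ([^\r\n]+)", payload)
    return m.group(1).decode(), (host.group(1).decode() if host else "")


def classify(pkt: Packet) -> str:
    """Application name for one packet: custom definitions first, then the
    built-in host signatures, then a plain 'http' or 'unknown' verdict."""
    head = pkt.payload[:PAYLOAD_SCAN]
    http = parse_http_request(head) if pkt.proto == 6 else None
    for app in CUSTOM_APPS:
        if "ports" in app and pkt.proto == app["transport"] \
                and {pkt.src_port, pkt.dst_port} & app["ports"]:
            return app["name"]
        if "ascii" in app and pkt.proto == app["transport"] \
                and len(app["ascii"]) <= ASCII_MAX and app["ascii"] in head:
            return app["name"]
        if http and "host_regex" in app and re.search(app["host_regex"], http[1]):
            return app["name"]
        if http and "uri_regex" in app and re.search(app["uri_regex"], http[0]):
            return app["name"]
    if http:
        for name, pattern in BUILTIN_HOST_APPS.items():
            if re.search(pattern, http[1]):
                return name
        return "http"
    return "unknown"


@dataclass
class FlowEntry:
    app_name: str          # collected on the first packet of the flow
    first_seen: float
    last_seen: float
    bytes: int = 0
    packets: int = 0


class FlowCache:
    """Cache for the slide's record: seven key fields identify the flow;
    application name, timestamps, bytes and packets are collected fields."""

    def __init__(self):
        self.flows = {}

    @staticmethod
    def key(p: Packet):
        return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto, p.tos, p.ingress)

    def update(self, p: Packet) -> FlowEntry:
        entry = self.flows.get(self.key(p))
        if entry is None:                       # first packet creates the entry
            entry = FlowEntry(classify(p), p.ts, p.ts)
            self.flows[self.key(p)] = entry
        entry.last_seen = p.ts                  # later packets only update statistics
        entry.bytes += IP_TCP_HDR + len(p.payload)
        entry.packets += 1
        return entry


def run_demo() -> FlowCache:
    """Feed constructed packets (addresses taken from the slide) through the cache."""
    get = lambda uri, host: f"GET {uri} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    pkts = [
        Packet("10.1.1.1", "173.194.34.134", 20457, 80, 6, 0, "Ethernet 0", 1.0, get("/", "www.google.com")),
        Packet("10.1.1.1", "72.163.4.161", 30307, 80, 6, 0, "Ethernet 0", 1.1, get("/watch?v=x", "www.youtube.com")),
        Packet("10.1.1.1", "173.194.34.134", 20457, 80, 6, 0, "Ethernet 0", 1.2),  # pure ACK, same flow as #1
        Packet("10.1.1.2", "10.9.9.9", 40000, 5000, 17, 0, "Ethernet 0", 1.3, b"TELEMv1|temp=21"),
        Packet("10.1.1.3", "10.9.9.10", 40001, 8443, 6, 0, "Ethernet 0", 1.4, b"\x16\x03\x01"),
        Packet("10.1.1.4", "10.9.9.11", 40002, 8080, 6, 0, "Ethernet 0", 1.5, get("/api/v2/users", "api.example.net")),
    ]
    cache = FlowCache()
    for p in pkts:
        cache.update(p)
    return cache


if __name__ == "__main__":
    for k, e in run_demo().flows.items():
        print(k, e)
```

Two caveats apply when NBAR2 data is read as a security signal. The application name is whatever the classifier had decided when the record was exported, and a real engine can revise its verdict after the first few packets, so early records may carry a provisional name. And every matcher above keys on bytes the sender controls: a client can put Host: intranet.example.com on a request to any server and inherit that class, so application-based QoS and reporting describe traffic, they do not authenticate it.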


When users complain about an application problem

What the users see: "Your network is so slow I cannot get any work done today"
What network admins see: "I do not see anything wrong" (ping? traceroute? show ip route? show interface?)
What can happen: increased latency, WAN problem, application problem, server problem, user problem

Application Response Time (ART)

• Application response time provides insight into application behavior (network vs. server bottleneck) to accelerate problem isolation
• It separates the application delivery path into multiple segments: Client Network Delay (CND) on the client network, Server Network Delay (SND) on the server network, and Application Delay (AD) at the application servers; Network Delay (ND) and Total Delay span the request/response path between clients and application servers
• Server Network Delay (SND) approximates WAN delay
• Latency per application

Understand IOS ART metrics calculation (for your reference)

Diagram: a TCP connection between client and server seen from a monitoring point. The three-way handshake (SYN, SYN-ACK, ACK) yields SND and CND; the request segments, the server's DATA segments, a retransmission (X) and the closing ACKs yield RT and TT.

Response Time (RT) = t(first response pkt) – t(last request pkt)
Transaction Time (TT) = t(last response pkt) – t(first request pkt)
Network Delay (ND) = CND + SND
Application Delay (AD) = RT – SND

ART quantifies user experience and identifies server performance issues.

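The four definitions above can be turned into a small calculator. The Python below is an added example, not Cisco's NAM or IOS ART code; it assumes, as the handshake diagram suggests, that the probe measures SND as the SYN to SYN-ACK gap and CND as the SYN-ACK to ACK gap, takes "last request packet" literally (a retransmitted request counts), and adds a bottleneck() triage rule of its own (AD larger than ND means the server dominates). The segments and their millisecond timings are constructed for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Seg:
    t_ms: int          # time the segment passes the monitoring point, milliseconds
    src: str           # "client" or "server"
    kind: str          # "syn", "syn-ack", "ack", "request" or "response"
    seq: int = 0       # TCP sequence number of the first data byte (data segments only)


@dataclass
class Art:
    cnd_ms: int        # Client Network Delay
    snd_ms: int        # Server Network Delay
    nd_ms: int         # Network Delay = CND + SND
    rt_ms: int         # Response Time
    tt_ms: int         # Transaction Time
    ad_ms: int         # Application Delay = RT - SND
    retransmissions: int


def art_metrics(segs: List[Seg]) -> Art:
    """ART metrics for one TCP connection carrying one request/response
    transaction, as seen from a probe somewhere on the path."""
    segs = sorted(segs, key=lambda s: s.t_ms)
    hs = {s.kind: s.t_ms for s in segs if s.kind in ("syn", "syn-ack", "ack")}
    if set(hs) != {"syn", "syn-ack", "ack"}:
        raise ValueError("need the full three-way handshake to derive CND and SND")
    snd = hs["syn-ack"] - hs["syn"]      # SYN out towards the server, SYN-ACK back
    cnd = hs["ack"] - hs["syn-ack"]      # SYN-ACK out towards the client, ACK back
    req = [s for s in segs if s.kind == "request"]
    rsp = [s for s in segs if s.kind == "response"]
    if not req or not rsp:
        raise ValueError("need at least one request and one response segment")
    rt = rsp[0].t_ms - req[-1].t_ms      # t(first response pkt) - t(last request pkt)
    tt = rsp[-1].t_ms - req[0].t_ms      # t(last response pkt) - t(first request pkt)
    seen, retrans = set(), 0
    for s in req + rsp:                  # same side re-sending the same seq = retransmission
        if (s.src, s.seq) in seen:
            retrans += 1
        seen.add((s.src, s.seq))
    return Art(cnd, snd, cnd + snd, rt, tt, rt - snd, retrans)


def bottleneck(a: Art) -> str:
    """Triage rule assumed for this example: if the application delay exceeds
    the whole network delay the server is the problem, otherwise the network."""
    return "server" if a.ad_ms > a.nd_ms else "network"


def sample_transaction() -> List[Seg]:
    """Constructed exchange: 40 ms to the server, 10 ms to the client, a
    two-segment request whose second segment is retransmitted, and a
    two-segment response that the server takes 310 ms to start producing."""
    return [
        Seg(0, "client", "syn"),
        Seg(40, "server", "syn-ack"),
        Seg(50, "client", "ack"),
        Seg(51, "client", "request", 1),
        Seg(52, "client", "request", 1461),
        Seg(300, "client", "request", 1461),   # retransmission of the second segment
        Seg(650, "server", "response", 1),
        Seg(660, "server", "response", 1461),
    ]


if __name__ == "__main__":
    m = art_metrics(sample_transaction())
    print(m, bottleneck(m))
```

The retransmission shows why RT on its own can mislead: the 248 ms lost to the retransmit is excluded from RT (which starts at the last request packet) but is inside TT, so a server that looks fine on RT can still produce a slow transaction when the network is dropping request segments.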

Medianet performance monitoring metrics: default RTP record (for your reference)

match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match transport rtp ssrc
collect routing forwarding-status
collect ipv4 dscp
collect ipv4 ttl
collect transport packets expected counter
collect transport packets lost counter
collect transport packets lost rate
collect transport event packet-loss counter
collect transport rtp jitter mean
collect transport rtp jitter minimum
collect transport rtp jitter maximum
collect interface input
collect interface output
collect counter bytes
collect counter packets
collect counter bytes rate
collect timestamp interval
collect application media bytes counter
collect application media bytes rate
collect application media packets counter
collect application media packets rate
collect application media event
collect monitor event

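To show what the "transport packets expected/lost" and "transport rtp jitter" collect fields above actually compute, here is an added Python example (not Cisco's implementation) that derives them for one SSRC from RTP sequence numbers, RTP timestamps and arrival times, using the RFC 3550 expected-packet count (extended highest sequence number minus base plus one) and interarrival jitter estimator. The stream, its 8 kHz clock and the loss and late arrival in it are constructed for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RtpPkt:
    arrival_us: int   # arrival time at the monitoring point, microseconds
    ssrc: int         # RTP synchronisation source (a key field in the record)
    seq: int          # 16-bit RTP sequence number
    ts: int           # RTP timestamp, in clock ticks


@dataclass
class RtpStats:
    expected: int
    received: int
    lost: int
    loss_rate: float
    jitter_mean_us: float
    jitter_min_us: float
    jitter_max_us: float


def extended_seqs(pkts: List[RtpPkt]) -> List[int]:
    """Unwrap 16-bit sequence numbers so loss across a wrap is counted correctly."""
    ext = [pkts[0].seq]
    for p in pkts[1:]:
        prev = ext[-1]
        cand = (prev & ~0xFFFF) | p.seq   # same 65536-cycle as the previous packet
        if cand < prev - 32768:           # crossed a wrap going forward
            cand += 65536
        elif cand > prev + 32768:         # late packet from before the wrap
            cand -= 65536
        ext.append(cand)
    return ext


def rtp_stats(pkts: List[RtpPkt], clock_rate: int = 8000) -> RtpStats:
    """Loss and jitter for one SSRC, in the spirit of the record's
    'transport packets expected/lost' and 'transport rtp jitter' fields.
    Jitter is the RFC 3550 estimator J = J + (|D| - J) / 16 in microseconds."""
    ssrcs = {p.ssrc for p in pkts}
    if len(ssrcs) != 1:
        raise ValueError("one SSRC per flow; got %r" % ssrcs)
    pkts = sorted(pkts, key=lambda p: p.arrival_us)
    ext = extended_seqs(pkts)
    expected = max(ext) - min(ext) + 1
    received = len(set(ext))                       # duplicates are not counted twice
    lost = max(expected - received, 0)
    tick_us = 1_000_000 / clock_rate               # microseconds per RTP clock tick
    j = 0.0
    samples = []
    for prev, cur in zip(pkts, pkts[1:]):
        # D = difference in transit time between consecutive packets
        transit_diff = (cur.arrival_us - prev.arrival_us) - (cur.ts - prev.ts) * tick_us
        j += (abs(transit_diff) - j) / 16
        samples.append(j)
    if not samples:
        samples = [0.0]
    return RtpStats(expected, received, lost, lost / expected,
                    sum(samples) / len(samples), min(samples), max(samples))


def sample_stream() -> List[RtpPkt]:
    """Constructed G.711-style stream (20 ms packets, 160 ticks at 8 kHz) that
    wraps its sequence number, arrives 4 ms late once and loses seq 2."""
    ssrc = 0x1234ABCD
    return [
        RtpPkt(0, ssrc, 65533, 0),
        RtpPkt(20_000, ssrc, 65534, 160),
        RtpPkt(40_000, ssrc, 65535, 320),
        RtpPkt(60_000, ssrc, 0, 480),
        RtpPkt(84_000, ssrc, 1, 640),        # 4 ms late
        RtpPkt(120_000, ssrc, 3, 960),       # seq 2 never arrives
    ]


if __name__ == "__main__":
    print(rtp_stats(sample_stream()))
```

The estimator smooths each transit-time change over 16 packets, which is why one 4 ms hiccup shows up as a jitter peak of 484 µs rather than 4 ms; the loss counter, by contrast, reacts immediately, which is the reason the record collects both.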

Detect application server problem

• End user experience is impacted because the application is slow

Screenshot: transaction time and response time, broken down into server delay and network latency.

Detect voice/video problem

Screenshot.


Growing applications in the network: application based policy enforcement

Range of applications in the network:
• Different traffic characteristics
• Different bandwidth requirements
• Different tolerances to delay and loss
• Different service level expectations

Legacy policies are:
• Port or ACL/DSCP driven (no granularity)
• Difficult to enforce for many applications
• Not scalable for big deployments (many ACEs)

AVC provides:
• Application based policy enforcement (NBAR2/metadata + QoS)
• Scalable, intuitive policies aligned to business logic
• Policy performance reporting (NBAR2/metadata + QoS + FNF)

Modular QoS traffic classification

• Stateful classification for creating policies irrespective of v4/v6 traffic, simplifying policy management
• Discover applications using NBAR2
• Supports both input and output traffic

Diagram: HQ with MC/BR routers connected to branch BRs over WAN1 (IP-VPN) and WAN2 (IP VPN, DMVPN), carrying IPv4 and native IPv6.

What traffic?

class-map match-any peer2peer
 match protocol kazaa2
 match protocol gnutella
 match protocol fasttrack

How to treat the traffic?

policy-map limit-p2p
 class peer2peer
 bandwidth percent 10

Where to apply?

interface Serial1
 service-policy output limit-p2p

Two things to check before relying on a policy like this. In a policy-map, bandwidth percent is a CBWFQ guarantee (a minimum share of the link during congestion), not a ceiling; if the intent is to cap peer-to-peer traffic, the class needs a police or shape action instead of, or in addition to, bandwidth. And NBAR-based classification is advisory: applications that change ports, tunnel or obfuscate their payload fall out of the peer2peer class and into class-default, so this is a traffic engineering tool, not a security boundary.


Key Takeaways

• Architectures are important
• Unified Access – different solutions
• Unified Access – "same" functionality
• AVC – it's time to take control