Understanding Service Level and Traffic Management
									NCM-208
2944_05_2001_c1   © 2001, Cisco Systems, Inc. All rights reserved.   1




Session NCM-208








Performance vs. Fault Management

(Diagram.) Users sit at the top of the stack and Devices & Software at the bottom. Service Level Management spans the gap between them and rests on two pillars: Performance Management and Fault Management.





Session Focus

• This presentation looks at some tools available for traffic and service level management—it is by no means an exhaustive review
• It also focuses primarily on the monitoring component of management—leaving provisioning as a separate exercise






Agenda

• Traffic Management
• Service Level Management
• Tools and Technologies
• Case Studies







Traffic Management







Traffic Management in a Multiservice Network

(Diagram.) Applications arranged from the most demanding to the most tolerant: VoIP, ERP, Multimedia, VPN, Web/URL. At one end of the scale sit low latency and low bandwidth; at the other, latency tolerant and bursty bandwidth.

The network must provide each application with different service level characteristics simultaneously.




Traffic Management Challenges

• Planning
    - Verify application impact on the network and vice-versa
    - Deployment of new applications and services
    - Gain understanding of traffic flows
    - Utilization and latency dependent on application mix
• Troubleshooting
    - Bursts in traffic load caused by applications
    - Service degradation
    - Rogue applications that hijack the network
    - Misconfigured applications





Performance Measurement Strategies

(Diagram: four axes, each with two ends.)
• Sampling Method: Synthetic vs. Observed
• Collection Method: Embedded Agents vs. External Probes
• Scope of Measurement: Device/Link vs. End-to-End/Path
• Perspective of Measurement: User vs. Network




Sampling Method

Observed
• Definition: Actual end-user network traffic, where performance is measured by timing specific application traffic flows
• Advantages: Most accurate for live application traffic on a specified link
• Disadvantages: Limited to measuring
    - Existing traffic types, which may not be present on the network at all times
    - Existing traffic patterns, which may not reflect patterns for new or future applications

Synthetic
• Definition: Network traffic generated strictly for the purpose of measuring a network performance characteristic
• Advantages: Measures performance
    - Between any two points in the network
    - Controllably, on a continuous basis
    - By traffic class, based on IP Precedence marking
• Disadvantages: Only an approximation of the performance of live traffic




Collection Method

Embedded
• Definition: Mechanisms for collection of network statistics are integrated into the network communication device (e.g., router or switch) itself
• Advantages
    - Follows the network infrastructure
    - Gathers metrics that cannot be observed externally
• Disadvantages: Performance monitoring has device-level performance implications

External
• Definition: Mechanisms for collection of network statistics are provided by a stand-alone device specifically designed to collect network performance statistics
• Advantages: Validation of performance is performed independently of the devices that transmit network traffic
• Disadvantages
    - More hardware to administer
    - Observed statistics limited to points of deployment




Scope of Measurement

Device or Link Oriented
• Definition: Performance measurement based on analysis of a specific device or device interface, and typically based on utilization rates
• Advantages: Detailed application performance monitoring of critical network links
• Disadvantages: When network-wide performance problems exist, how does one select which device or link to evaluate?

End-to-End
• Definition: Performance measurement based on analysis of response time across two or more network devices, and typically based on latency
• Advantages
    - Starting point for performance troubleshooting
    - Reflects end-user experience
• Disadvantages: Prior knowledge of the relevant end-to-end paths is needed




Perspective of Measurement

User
• Definition: Measurement based on performance statistics measured at the end-user workstation
• Advantages: Accurate measurement of end-user experience
• Disadvantages
    - Scale and distribution issues
    - Intrusive on the desktop

Network
• Definition: Measurement based on performance statistics measured in network devices
• Advantages
    - Easy to deploy, and non-intrusive to the desktop
    - Identifies network performance issues
• Disadvantages: Imperfect understanding of end-user experience




Service Level Management







Service Level Management in a Multiservice Network

(Diagram, repeated from the Traffic Management section.) Applications arranged from the most demanding to the most tolerant: VoIP, ERP, Multimedia, VPN, Web/URL. At one end of the scale sit low latency and low bandwidth; at the other, latency tolerant and bursty bandwidth.

The network must provide each application with different service level characteristics simultaneously.




Service Level Management Challenges

(Diagram.) Service level management is traffic management plus end-to-end abstraction. A Business Service is delivered by IT, which decomposes into Networking (WAN and LAN) and Other IT. The WAN is made up of Service 1 from SP 1 and Service 2 from SP 2; Other IT is made up of Hardware from Vendor 1 and Application from Vendor 2.







Service Management

• Measuring
    - Current traffic and service metrics
• Defining
    - Policies and services
    - Demarcations
    - Service elements
• Implementing
    - Cross-boundary: organization, technology

(Diagram: a cycle.) 1. Gather service and traffic metrics; 2. Determine how to shape SLAs and the business; 3. Design and alter to suit.





Measuring Current Metrics

(Diagram: the same four measurement axes as in the Traffic Management section.)
• Sampling Method: Synthetic vs. Observed
• Collection Method: Embedded Agents vs. External Probes
• Scope of Measurement: Device/Link vs. End-to-End/Path
• Perspective of Measurement: User vs. Network




Defining Policies and Services

(Diagram.) A Service Quality Level is made up of two groups of metrics:
• Service intrinsic: Latency, Throughput, Errors, Jitter, Availability, Other
• Operational: (Mean) Time to Restore Service, (Mean) Time to Repair, (Mean) Provisioning Time




Defining SLM Policies and Services

• Security
• Time
• Application/protocol
• People








Defining Demarcations

(Diagram.) Three enterprise sites (Corp. HQ/Data Center, Regional Aggregation, and Retail Branch) each sit in their own Enterprise Domain with an SA Agent. Service Provider Domain 1 (SP1) connects the data center to the regional aggregation site, and Service Provider Domain 2 (SP2) connects the regional aggregation site to the retail branch.

Other domains:
• Network hardware
• Workstation hardware
• Application software
• Etc.





Defining Service Elements

• Network
• Path
• Link
• Firewall
• Application
• Server

(Diagram.) Each service is modelled as a chain of service elements (SE, SE, SE, SE).







Example: Service Elements in Content Delivery Networks

(Diagram, top to bottom.)
• Content Delivery Services: Web Hosting, E-Commerce, Streaming, Applications
• Content Delivery Networks: Content Distribution and Management, Content Routing, Content Switching, Content Edge Delivery; Intelligent Network Services
• L2/L3 Networks: Highly available, scalable, performance network at Layer 2/3
• Access: Mobile, Fixed Wireless, Cable, DSL, Dedicated/ATM/FR, ISDN/Dial

Service elements called out alongside: Core Networking, Content Routing, Content Switching, Content Edge-delivery, Content-aware Services, Content Distribution and Management, Origin Web Servers, Origin Data Stores.





Implementing SLM across Boundaries

• Enterprise
    - Measure from CPE
    - Measure network layer
    - Measure application response and availability
• Service provider
    - Measure edge-to-edge
• Both
    - Define common metrics
    - Define common tests
    - Define information interchange

(Diagram.) CPE, IP DSL Switch, Wholesale DSL Provider #1, ATM backbone SP, Wholesale DSL Provider #2, IP DSL Switch, CPE.






Implementing SLM Across Technical Boundaries

(Diagram.) An End-to-End Service Management Solution, tied together with XML, is built from service component applications, each mapped to a layer of the IP infrastructure and of the OSI model:

Service component application     IP infrastructure   OSI model layer
C/S service component app.        Application         Layers 5 to 7
L3 or L4 service component app.   Transport           Layer 4
                                  Internet            Layer 3
L1 or L2 service component app.   Interface           Layer 2
                                  Hardware            Layer 1







Tools and Technologies







Measurement Technologies

NetFlow
    Measures: Device interface traffic rate by source/destination IP address, port number or AS
    Sampling: Observed; Collection: Embedded; Scope: Device/Link; Perspective: Network

ART MIB (Application Response Time SNMP MIB)
    Measures: Response time of live application traffic to the server device
    Sampling: Observed; Collection: External Probe; Scope: End-to-End; Perspective: User/Network

SA Agent (Service Assurance Agent)
    Measures: Latency and jitter between a source router and a specified target
    Sampling: Synthetic; Collection: Embedded; Scope: End-to-End; Perspective: User/Network

IPSec MIBs
    Measures: Tunnel trends and failures, tunnel-to-policy mappings, IOS configurations
    Sampling: Observed; Collection: Embedded; Scope: End-to-End; Perspective: User/Network
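The SA Agent entry above, together with the Service Quality Level metrics defined earlier (latency, jitter, availability), describes synthetic measurement being checked against a policy. The following is an added example, not code from the Cisco deck: it takes a constructed set of round-trip times from one synthetic probe run (lost probes marked None), computes the three metrics, and reports which thresholds of a constructed VoIP-class policy were breached. The jitter formula (mean absolute change between consecutive RTTs) and the threshold values are assumptions for illustration.

```python
from statistics import mean
from typing import Dict, List, Optional

# Constructed sample: round-trip times in milliseconds from one run of a
# synthetic probe between a source router and a target; None marks a probe
# that received no response within its timeout.
SAMPLE_RTT_MS: List[Optional[float]] = [
    12.0, 13.5, 12.2, None, 45.0, 12.8, 13.1, 12.5, None, 12.9,
]

# Constructed service quality level for a latency-sensitive (VoIP-style)
# traffic class. The thresholds are illustrative, not vendor recommendations.
VOIP_POLICY: Dict[str, float] = {
    "max_latency_ms": 20.0,
    "max_jitter_ms": 5.0,
    "min_availability": 0.95,
}


def answered(samples: List[Optional[float]]) -> List[float]:
    """Probes that got a response, kept in send order."""
    return [s for s in samples if s is not None]


def latency_ms(samples: List[Optional[float]]) -> Optional[float]:
    """Mean round-trip time over answered probes (None if nothing answered)."""
    rtts = answered(samples)
    return mean(rtts) if rtts else None


def jitter_ms(samples: List[Optional[float]]) -> Optional[float]:
    """Mean absolute RTT change between consecutive answered probes.

    This simple delay-variation figure is an assumption for illustration;
    a real agent's jitter computation may differ in detail.
    """
    rtts = answered(samples)
    if len(rtts) < 2:
        return None
    return mean([abs(b - a) for a, b in zip(rtts, rtts[1:])])


def availability(samples: List[Optional[float]]) -> float:
    """Fraction of probes answered; every lost probe counts against availability."""
    return len(answered(samples)) / len(samples)


def evaluate(samples: List[Optional[float]], policy: Dict[str, float]) -> dict:
    """Compare the measured metrics with the policy and list each breached threshold.

    A metric that could not be computed (no answered probes) is treated as a
    violation rather than silently passing.
    """
    lat, jit, avail = latency_ms(samples), jitter_ms(samples), availability(samples)
    violations = []
    if lat is None or lat > policy["max_latency_ms"]:
        violations.append("latency")
    if jit is None or jit > policy["max_jitter_ms"]:
        violations.append("jitter")
    if avail < policy["min_availability"]:
        violations.append("availability")
    return {
        "latency_ms": lat,
        "jitter_ms": jit,
        "availability": avail,
        "violations": violations,
        "compliant": not violations,
    }


if __name__ == "__main__":
    # Mean latency passes, but the one 45 ms spike drives jitter over the limit
    # and the two lost probes pull availability below 95%.
    print(evaluate(SAMPLE_RTT_MS, VOIP_POLICY))
```

Because the probes are synthetic, the result is only an approximation of what live VoIP traffic experiences, which is exactly the trade-off the Sampling Method slide describes.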





Measurement Technologies: NetFlow








NetFlow Defined

• Flows are defined by 7 keys:
    - Source address
    - Destination address
    - Source port
    - Destination port
    - Layer 3 protocol
    - TOS byte (DSCP)
    - Input interface
• Flows are unidirectional
• Flows are enabled on a per-input-interface basis
• Flows can be configured "on-demand" or continuous

(Diagram.) Flow data is exported from the router to a management application.






NetFlow Data Record per Flow

RMON accessible
• Usage: Packet count, Byte count
• Device interface: Input interface, Output interface
• QoS: Type of service, TCP flags, Protocol
• Usage: Number of flows, Flow size distribution
• Routing and peering: Source IP address, Destination IP address, Source prefix mask, Destination prefix mask, Source AS number, Destination AS number
• Application: Source TCP/UDP port, Destination TCP/UDP port

Non-RMON
• Time stamp: Start timestamp, End timestamp, Call duration
• Next hop address
• Lost datagrams




      NetFlow Export




                  • Versions 1, 5, 8—Cisco IOS routers
                  • Version 7—Cat5000(NFFC),
                    Cat6000(MSFC)








      NetFlow v8 Aggregation

   Aggregation scheme           Identifies
   ASMatrix                     Autonomous System-to-Autonomous System traffic flow data
   DestinationPrefixMatrix      Destinations of network traffic
   PrefixMatrix                 Sources and destinations of network traffic
   ProtocolPortMatrix           Network usage by traffic type
   SourcePrefixMatrix           Sources of network traffic

   Use NetFlow FlowCollector Version 3.0 to obtain v8 records
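Added example, not part of the session material, covering the two preceding slides: it packs constructed flows into a NetFlow v5 export datagram with the per-flow record fields listed earlier, parses the datagram back on the collector side with the length and count checks a collector must do (export is plain UDP with no authentication, so anything reaching the collector port is untrusted input), and then rolls the parsed records up into v8-style AS, protocol-port and source-prefix tables. The flow values are constructed, and the aggregation keys are simplified versions of the real v8 schemes.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format (network byte order): 24-byte header followed by up to
# 30 records of 48 bytes. Field order matches the per-flow record on the slide.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts", "doctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def build_v5_export(flows, sys_uptime=120000, unix_secs=1000000000, flow_sequence=0):
    """Pack flow dicts into one v5 export datagram, as a router's exporter would."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, flow_sequence, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f["srcaddr"]), socket.inet_aton(f["dstaddr"]),
            socket.inet_aton(f["nexthop"]), f["input"], f["output"],
            f["dpkts"], f["doctets"], f["first"], f["last"], f["srcport"], f["dstport"],
            0, f["tcp_flags"], f["prot"], f["tos"], f["src_as"], f["dst_as"],
            f["src_mask"], f["dst_mask"], 0)
        for f in flows)
    return header + records


def parse_v5_export(data):
    """Collector side: validate the datagram before trusting any field in it.

    Besides these checks, a collector should only accept datagrams from the
    exporter addresses it expects, since the protocol itself authenticates nothing.
    """
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(data)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > 30 or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for k in ("srcaddr", "dstaddr", "nexthop"):
            rec[k] = socket.inet_ntoa(rec[k])
        records.append(rec)
    return records


def prefix(addr, masklen):
    """Apply the exported prefix mask, e.g. 10.1.1.5/24 -> '10.1.1.0/24'."""
    ip = int.from_bytes(socket.inet_aton(addr), "big")
    mask = (0xFFFFFFFF << (32 - masklen)) & 0xFFFFFFFF
    return f"{socket.inet_ntoa((ip & mask).to_bytes(4, 'big'))}/{masklen}"


# Simplified keys for three of the v8 aggregation schemes (assumption: the real
# caches carry more fields, e.g. timestamps, than the counters kept here).
SCHEMES = {
    "as": lambda r: (r["src_as"], r["dst_as"], r["input"], r["output"]),
    "protocol-port": lambda r: (r["prot"], r["srcport"], r["dstport"]),
    "source-prefix": lambda r: (prefix(r["srcaddr"], r["src_mask"]), r["src_as"], r["input"]),
}


def aggregate(records, scheme):
    """Roll parsed v5 records up into a v8-style aggregation table."""
    key_of = SCHEMES[scheme]
    table = defaultdict(lambda: {"flows": 0, "dpkts": 0, "doctets": 0})
    for r in records:
        agg = table[key_of(r)]
        agg["flows"] += 1
        agg["dpkts"] += r["dpkts"]
        agg["doctets"] += r["doctets"]
    return dict(table)


SAMPLE_FLOWS = [  # constructed: two web flows and one DNS flow, all entering on ifindex 2
    dict(srcaddr="10.1.1.5", dstaddr="192.0.2.10", nexthop="10.0.0.1", input=2, output=3,
         dpkts=12, doctets=9000, first=100000, last=100500, srcport=34567, dstport=80,
         tcp_flags=0x1B, prot=6, tos=0, src_as=64512, dst_as=64513, src_mask=24, dst_mask=24),
    dict(srcaddr="10.1.2.9", dstaddr="192.0.2.10", nexthop="10.0.0.1", input=2, output=3,
         dpkts=8, doctets=6000, first=100100, last=100400, srcport=45000, dstport=80,
         tcp_flags=0x1B, prot=6, tos=0, src_as=64512, dst_as=64513, src_mask=24, dst_mask=24),
    dict(srcaddr="10.1.1.77", dstaddr="192.0.2.53", nexthop="10.0.0.2", input=2, output=4,
         dpkts=2, doctets=200, first=100200, last=100210, srcport=50000, dstport=53,
         tcp_flags=0, prot=17, tos=0, src_as=64512, dst_as=64514, src_mask=24, dst_mask=24),
]

if __name__ == "__main__":
    recs = parse_v5_export(build_v5_export(SAMPLE_FLOWS))
    for scheme in SCHEMES:
        print(scheme, aggregate(recs, scheme))
```

The AS table collapses the two web flows (same AS pair and interfaces) into one row, the source-prefix table collapses the two flows from 10.1.1.0/24, and the protocol-port table keeps all three because their source ports differ: each scheme answers a different planning question from the same records, which is why the collector, not the router, should be the place to choose between them.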




      NetFlow Aggregation Config Example




      Router(config)#ip flow-aggregation cache as
      Router(config-flow-cache)#cache entries 2046
      Router(config-flow-cache)#cache timeout inactive 200
      Router(config-flow-cache)#cache timeout active 45
      Router(config-flow-cache)#export destination 10.42.42.1 9992
      Router(config-flow-cache)#enabled








      NetFlow in SLM

   (Diagram) NetFlow data export from routers, together with RMON probes, feeds
   the flow collectors; a management application turns the collected flows into
   end-user information:
             Network planning
             Accounting/billing
             Flow profiling
             Network monitoring




      NetFlow Activation and Data
      Collection Strategy


       • Meter at edge, NOT on “hot” core routers
       • Accounting applications—
         originating/terminating flow information
       • Monitoring applications—more data
         intensive end-to-end view
       • Key aggregation routers = less duplication
         in flow collection





                  Measurement Technologies
                                                                     SA Agent








      Service Assurance Agent

   (Diagram: SA Agents at the Corp. HQ/Data Center, at the regional
   aggregation site, and at each retail branch and field office)

   • Synthetic traffic for various protocols
   • Supports IP precedence for QoS
   • Measures latency, jitter and availability
   • Deterministic testing methodology
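Added example, not part of the session material: the sender-side arithmetic of a jitter operation, turning per-packet send and reply timestamps into the latency, jitter and availability figures the slide names, and comparing them with SLA thresholds. The probe timestamps are constructed (ten packets, one lost) and the thresholds are assumptions; the UDP exchange with the responder itself is not implemented here.

```python
from statistics import mean


def jitter_stats(probes):
    """Sender-side statistics for one jitter operation.

    probes: list of (seq, send_ms, recv_ms) in sequence order; recv_ms is None when
    no reply arrived before the operation timed out, which counts as loss.
    Jitter is the change in round-trip time between consecutive replies, reported
    as positive and negative maxima plus the average absolute change.
    """
    rtts = [recv - send for _, send, recv in probes if recv is not None]
    lost = sum(1 for _, _, recv in probes if recv is None)
    stats = {"sent": len(probes), "lost": lost, "available": bool(rtts)}
    if not rtts:                      # every packet lost: target unreachable
        return stats
    deltas = [b - a for a, b in zip(rtts, rtts[1:])]
    stats.update(
        rtt_min=min(rtts), rtt_avg=mean(rtts), rtt_max=max(rtts),
        jitter_avg=mean([abs(d) for d in deltas]) if deltas else 0,
        jitter_pos_max=max((d for d in deltas if d > 0), default=0),
        jitter_neg_max=max((-d for d in deltas if d < 0), default=0),
    )
    return stats


def sla_check(stats, rtt_avg_max=50, jitter_avg_max=10, loss_pct_max=5.0):
    """Return the names of the SLA terms the measurement breached (assumed thresholds)."""
    if not stats["available"]:
        return ["availability"]
    breached = []
    if stats["rtt_avg"] > rtt_avg_max:
        breached.append("latency")
    if stats["jitter_avg"] > jitter_avg_max:
        breached.append("jitter")
    if 100.0 * stats["lost"] / stats["sent"] > loss_pct_max:
        breached.append("loss")
    return breached


# Constructed per-packet round-trip times in ms for packets sent 20 ms apart; None = lost.
_RTT_MS = [30, 32, 31, None, 45, 33, 30, 31, 60, 34]
SAMPLE_PROBES = [(i + 1, 20 * i, None if r is None else 20 * i + r)
                 for i, r in enumerate(_RTT_MS)]

if __name__ == "__main__":
    s = jitter_stats(SAMPLE_PROBES)
    print(s)
    print("breached:", sla_check(s))
```

On the sample the average RTT (36 ms) is within a 50 ms budget, but the one lost packet is 10 % loss and the average jitter of 11 ms is over the 10 ms limit, so the operation reports jitter and loss breaches while availability holds.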





      Service Assurance
      Agent Operation Types

   (Diagram: operation types of the IOS-based Service Assurance Agent,
   arranged by increasing service value)
             TCP: HTTP, DLSw (latency)
             UDP: Jitter, Packet Loss, Voice
             ICMP: Path Echo (latency)
             DNS/DHCP

   Note: IP Precedence Can Be Combined With Other Operation
         Types to Simulate QoS Traffic Marking




      SA Agent in SLM

   • Demarcation
   • Deterministic
   • Repeatable

   (Diagram: SA Agents in each enterprise domain (Corp. HQ/Data Center,
   Regional Aggregation, Retail Branch), with service provider domains SP1
   and SP2 between them, so each agent sits at the demarcation point with
   the provider)






      Accessing SAA Data: MIB
    Example: Creating an echo probe (TOS bits enabled, life is 200 seconds)




       On CCO
          http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
       MIB Names
          CISCO-RTTMON-MIB-120_5_T.my
          CISCO-RTTMON-MIB.my








      Accessing SAA Data: CLI
   (config)#rtr 1
   (config-rtr)#type jitter dest-ipaddr 10.0.0.1 dest-port 14384 source-ipaddr 10.0.0.2 source-port 14383 num-packets 47 interval 10
   (config-rtr)#exit
   (config)#rtr schedule 1 life 10000000 start-time now

   Note: rtr schedule is entered in global configuration mode, and a jitter
   operation only works against a target that has “rtr responder” configured

              • show rtr
                            configuration
                            operational-state
                            distribution-statistics
                            history
                            …








      Accessing SAA Data: Applications

           • Cisco
                        CiscoWorks2000
                                SMS
                                IPM
                        VPN Solution Center
           • Other
                        MRTG
                        Concord
                        InfoVista





                  Measurement Technologies
                                                                     ART MIB








      ART MIB Implementation Example

   • Dedicated RMON probes for critical links and high-speed backbones
   • ART monitoring option installed on key probes
   • Application monitoring tools for measuring application performance
     and response time

   (Diagram: Token Ring, FDDI, ATM, WAN, FE/Gigabit and Ethernet probes; the
   FDDI, WAN and FE/Gigabit probes carry the ART option and feed the
   application monitoring tools)






      ART MIB Functionality

   • TCP protocols only (1.0)
   • Based upon well-known destination port
   • Default protocols:
             AOL, COMPUSRV, DLSW_RD, DLSW_WR, DNS_TCP, DOOM, FTP-CTRL, FTP-DATA,
             HTTP, HTTPS, NB_DGM_T, NB_NS_T, NB_SSN_T, NEWS_TCP, NNTP, NOTESTCP,
             ORACLSQL, REALAUD, SMTP, SNA_TCP, SOCKET, SQLNET_N, SUNRPC_T, TELNET,
             XWINDOW

   (Diagram) Application-level response time between client C and server S
   is made up of client latency, network flight time and server latency; the
   application is identified from the destination port (example: FTP).
   Packet-level measurement of the exchange: SEQ 101 -> ACK 101,
   SEQ 102, SEQ 103, SEQ 104 -> ACK 104, SEQ 105 -> ACK 105.
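Added example, not part of the session material: the packet-level measurement the diagram sketches, applied to a constructed FTP control exchange. It splits application response time into network flight time (request to the server's bare ACK), server latency (that ACK to the first byte of the reply) and client latency (end of the previous reply to the next request), handles a reply that piggybacks the ACK so the split is not available, and identifies the application from the well-known destination port. The port table is an assumed mapping of some of the slide's default protocol names onto IANA ports; the ART MIB's own table may differ, and the sequence numbers follow the slide's per-packet counting rather than byte offsets.

```python
# Assumed mapping of the slide's default protocol names to IANA well-known TCP ports
WELL_KNOWN = {20: "FTP-DATA", 21: "FTP-CTRL", 23: "TELNET", 25: "SMTP", 53: "DNS_TCP",
              80: "HTTP", 111: "SUNRPC_T", 119: "NNTP", 137: "NB_NS_T", 138: "NB_DGM_T",
              139: "NB_SSN_T", 443: "HTTPS", 1521: "SQLNET_N", 6000: "XWINDOW"}


def identify_app(dst_port):
    """ART classifies a connection by its well-known destination port."""
    return WELL_KNOWN.get(dst_port, "UNKNOWN")


def art_transactions(packets):
    """Split one TCP connection into request/response transactions (times in ms).

    packets: dicts with t, dir ('c2s' or 's2c'), seq, ack and payload (bytes),
    in capture order.
    """
    txns, cur, last_reply_data = [], None, None
    for p in packets:
        if p["dir"] == "c2s":
            if p["payload"] > 0 and cur is None:          # first byte of a client request
                cur = {"req": p["t"], "req_seq": p["seq"], "ack": None,
                       "client_latency": None if last_reply_data is None
                       else p["t"] - last_reply_data}
            continue
        # server -> client
        if p["payload"] > 0:
            last_reply_data = p["t"]
        if cur is None:
            continue
        if p["payload"] == 0 and cur["ack"] is None and p["ack"] >= cur["req_seq"]:
            cur["ack"] = p["t"]                             # bare ACK: request reached the server
        elif p["payload"] > 0:                              # first byte of the reply
            flight = None if cur["ack"] is None else cur["ack"] - cur["req"]
            txns.append({
                "client_latency": cur["client_latency"],
                "network_flight": flight,
                # Reply piggybacked the ACK: server time cannot be separated from flight time.
                "server_latency": None if flight is None else p["t"] - cur["ack"],
                "response_time": p["t"] - cur["req"],
            })
            cur = None
    return txns


def summarize(txns):
    """Min/avg/max response time over completed transactions, as reported per application."""
    rts = [t["response_time"] for t in txns]
    if not rts:
        return {"count": 0}
    return {"count": len(rts), "min": min(rts), "avg": sum(rts) / len(rts), "max": max(rts)}


# Constructed capture of one FTP control connection (client -> port 21), times in ms.
SAMPLE = [
    {"t": 0,   "dir": "c2s", "seq": 101, "ack": 0,   "payload": 12},   # request
    {"t": 40,  "dir": "s2c", "seq": 0,   "ack": 101, "payload": 0},    # bare ACK
    {"t": 200, "dir": "s2c", "seq": 102, "ack": 101, "payload": 500},  # first byte of reply
    {"t": 210, "dir": "s2c", "seq": 103, "ack": 101, "payload": 500},
    {"t": 220, "dir": "s2c", "seq": 104, "ack": 101, "payload": 120},
    {"t": 260, "dir": "c2s", "seq": 101, "ack": 104, "payload": 0},    # client ACKs reply
    {"t": 500, "dir": "c2s", "seq": 105, "ack": 104, "payload": 8},    # next request
    {"t": 560, "dir": "s2c", "seq": 106, "ack": 105, "payload": 60},   # reply carries the ACK
]

if __name__ == "__main__":
    print(identify_app(21), art_transactions(SAMPLE), summarize(art_transactions(SAMPLE)))
```

The first transaction splits cleanly: 40 ms on the wire, 160 ms of server time, 200 ms total. The second reply arrives with data and ACK in one segment, so only the 60 ms total is known; a probe that reported that as 60 ms of "network" time would mislead the SLA report, which is why the split is left empty instead.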




      ART MIB Example of Reporting

        • Web accessible
                    For monitoring application
                    and web flows from
                    anywhere, anytime

        • URL visibility
                    For control of your site

        • Proactive management
                    Alarm on responsiveness of
                    the site or your mission
                    critical applications

        • Seamless real-time
          and historical
                    Current statistics with look
                    back capability




                  Measurement Technologies
                                                                     IPSec MIBs








      IPSec VPN Types

   • Site-to-site connection
             Long session lifetimes
             Simplest form: leased line replacement
   • Remote access
             Relatively short-lived sessions
             User authentication needed
             Remote address not known in advance

   (Diagram: tunnel between the main office and a branch office)




      IPSec Terminology


                                                                     • Flows
                                                                     • Tunnels
                                                                     • IKE/ISAKMP
                                                                     • SAs
                                                                     • Peers
                                                                     • End points





      Flow vs. SAs




                      • IKE tunnel = 1 ISAKMP SA
                      • IPSec tunnel = non-ISAKMP SA bundle
                      • CLI reports on SAs
                      • Flow MIB reports on tunnels




      IPSec End Points/IKE Peers

   • “End points” of the IPSec tunnel are Bob and Alice
   • B and C are IKE peers

   (Diagram: hosts Alice and Bob behind gateways C and B, with gateway A
   alongside; the IKE tunnel runs between B and C and carries the IPSec
   tunnel whose end points are Alice and Bob)




      IPSec MIBs

   • IPSec flow monitor MIB
   • IPSec tunnel-to-policy MIB (IOS)
   • IPSec configuration MIB (IOS)
   • Cisco 3000 Concentrators
             Active tunnel MIBs
             Active sessions MIBs

   (Diagram: tunnel between the main office and a branch office)






      IPSec Flow Monitor MIB


                         • Monitor IKE tunnels
                         • Monitor IPSec tunnels
                         • Tunnel structure and end points
                         • Trending and failures
                         • Notifications
                         • SNMPv1 and v2C





      Flow Monitor MIB: Phase 1 Group


            • IKE global statistics
                        Metrics pertaining to activity of IKE tunnels
                        system-wide

            • IKE tunnel table
                           Record of all active IKE tunnels

            • IKE peer table
                           Record of all IKE peers of the device






      Use Cases: Phase 1 Group

   • Monitors device-wide IKE statistics
   • Identifies active IKE tunnels
   • Lists the IKE tunnels to a specified peer
   • Lists the IPSec tunnels to a specified peer

   (Diagram: an IKE tunnel between gateways B and C carrying the IPSec
   tunnels among Alice, Bob, Carol and Ted)





      Flow Monitor MIB: Phase 2 Group



                                              • IPSec global statistics
                                              • IPSec tunnel table
                                              • End point table
                                              • SA table







      Use Cases: Phase 2 Group

   • Monitors device-wide IPSec (data) tunnel statistics
   • Identifies active IPSec tunnels
   • Lists
             IPSec tunnels of an IKE tunnel
             End points/protocols using an IPSec tunnel
             Structure (SAs) of an IPSec tunnel

   (Diagram: same topology as for the phase 1 group: an IKE tunnel between
   gateways B and C carrying the IPSec tunnels among Alice, Bob, Carol and Ted)





      Flow Monitor MIB: Failure Group

   • IKE/IPsec tunnel setup failures
             Invalid/unacceptable proposal, authorization failure, etc.

   • IKE/IPsec tunnel operational failures
             Operator deletion, protocol failure, etc.








      Phase 1 Failures

   • Setup failures
             Authentication failure
             “Proposal failure”
             PKI failure (certificate/CRL unavailable)
             Encryption failure
             System capacity failure

   • Tunnel failures
             Tunnel deleted (by CLI or notification)
             Connection to peer lost
             System capacity failure
             Unknown SA (“No SA”)
             Encryption/hash failure







      IPSec MIBs: Application

   Management aspects
   • Policy definition/deployment
   • Monitor VPN throughput/performance
   • Monitor historical trends
   • Monitor failures
   • Troubleshooting

   Monitoring: what can go wrong
   • Setup failures
   • Crypto hardware failure
   • Protocol failure
   • Security breaches
   • Monitor failures






      IPSec MIB Reporting Example

   • Real-time status, fault, and performance
   • Configuration inconsistencies
   • IPSec, PPTP and L2TP
   • Site-to-site, remote access
   • VPN C3000, IPSec MIB (IOS)





                                                           Case Studies







      Case Study 1: IPSec VPN

   • Environment
             Site-to-site VPN links HQ to remote branches across
             Internet/SP network
   • Goal
             To monitor VPN service delivery to ensure consistent availability

   (Diagram: New York headquarters (corporate resources, engineering,
   marketing) connected across the Internet to Chicago and Dallas
   (engineering, sales))






      What to Monitor

                                             • Router resources
                                                            CPU
                                                            Memory
                                                            Active tunnels/sessions

                                             • Throughput
                                             • Failures
                                                            Key management
                                                            Data management




      What Happened Here?








      Check Syslog




            Explanation: IKE maintains state for a communication in the form of security associations; no security association exists for this packet and it is not an initial offer from the peer to establish one; this situation could denote a denial of service attack.
            Recommended Action: Contact the remote peer’s administrator.




      Check Syslog




       Explanation: A received IPSEC packet specifies an SPI that does not exist in the security association database (SADB); this may be a temporary condition resulting from slight differences in the aging of SAs between the IPSEC peers, or because the local SAs have been cleared; it may also be caused by bogus packets being sent by the IPSEC peer; some might consider this a hostile event.
       Recommended Action: If the local SAs have been cleared, the peer may not know this; in this case, if a new connection is established from the local router, the two peers may reestablish successfully; if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer’s administrator.
      Check Syslog




       Quick Mode failure
       Explanation: Negotiation with the remote peer failed
       Recommended Action: If this situation persists, contact the remote peer

       Main Mode failure
       Explanation: Negotiation with the remote peer failed
       Recommended Action: If this situation persists, contact the remote peer
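The three syslog conditions above (IKE message with no SA, invalid SPI, Quick/Main Mode failure) lend themselves to automated triage on the head end. The following Python is an added example, not code from the presentation or from any Cisco product: the log lines are constructed, the %CRYPTO message mnemonics and wording follow the IOS format as far as I know it but are an assumption, and the thresholds (5 no-SA messages within a minute, a 30-second "brief period", 3 failed negotiations) are illustrative starting points to be tuned against a site baseline. It applies the recommended-action logic from the slides: a burst of no-SA messages from one peer is reported as a possible denial of service, invalid-SPI messages are classed transient or persistent by how long they keep coming, and repeated negotiation failures with one peer are reported.

```python
"""Triage of IOS crypto syslog messages from a VPN head end.

Added example, not from the Cisco presentation or any Cisco tool. The log
lines below are constructed; the %CRYPTO mnemonics and wording follow the
IOS format as I know it, but the exact text is an assumption. Thresholds
are illustrative and should be tuned against a site baseline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# Constructed sample log (IOS "service timestamps log datetime msec" style).
SAMPLE_LOG = """\
Mar  1 10:00:01.100: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.7 has no SA and is not an initialization offer
Mar  1 10:00:02.300: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.7 has no SA and is not an initialization offer
Mar  1 10:00:03.900: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.7 has no SA and is not an initialization offer
Mar  1 10:00:05.200: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.7 has no SA and is not an initialization offer
Mar  1 10:00:07.000: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.7 has no SA and is not an initialization offer
Mar  1 10:00:09.400: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.7 has no SA and is not an initialization offer
Mar  1 10:02:10.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.1.1, prot=50, spi=0x1A2B3C(1715004), srcaddr=198.51.100.2
Mar  1 10:02:14.500: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.1.1, prot=50, spi=0x1A2B3C(1715004), srcaddr=198.51.100.2
Mar  1 10:05:00.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.1.1, prot=50, spi=0x4D5E6F(5070447), srcaddr=198.51.100.9
Mar  1 10:06:30.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.1.1, prot=50, spi=0x4D5E6F(5070447), srcaddr=198.51.100.9
Mar  1 10:08:00.000: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.0.2.4
Mar  1 10:08:31.000: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.0.2.4
Mar  1 10:09:02.000: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.0.2.4
Mar  1 10:09:40.000: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 192.0.2.5
"""


class Event(NamedTuple):
    ts: datetime
    mnemonic: str
    peer: Optional[str]
    text: str


LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d+): "
                     r"%CRYPTO-\d-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$")
PEER_RE = re.compile(r"(?:from |peer at |srcaddr=)(\d{1,3}(?:\.\d{1,3}){3})")
MODE_RE = re.compile(r"Processing of (\w+) mode failed")


def parse_line(line: str) -> Optional[Event]:
    """Split one syslog line into timestamp, mnemonic and peer address."""
    m = LINE_RE.match(line)
    if not m:
        return None
    peer = PEER_RE.search(m["text"])
    # The IOS timestamp carries no year; 1900 is fine for computing intervals.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
    return Event(ts, m["mnemonic"], peer.group(1) if peer else None, m["text"])


def max_in_window(evs: List[Event], window: timedelta) -> int:
    """Largest number of (time-sorted) events falling inside any one window."""
    best = start = 0
    for end in range(len(evs)):
        while evs[end].ts - evs[start].ts > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(lines, no_sa_threshold=5, no_sa_window=timedelta(seconds=60),
           brief_period=timedelta(seconds=30), failure_threshold=3) -> List[Dict[str, str]]:
    """Group events per (message, peer) and apply the slides' recommended actions."""
    groups: Dict[tuple, List[Event]] = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        groups[(ev.mnemonic, ev.peer)].append(ev)
    findings = []
    for (mnemonic, peer), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        if mnemonic == "IKMP_NO_SA" and max_in_window(evs, no_sa_window) >= no_sa_threshold:
            # Many IKE messages with no SA from one peer: possible denial of service.
            findings.append({"peer": peer, "condition": "possible-ike-dos",
                             "action": "contact the remote peer's administrator"})
        elif mnemonic == "RECVD_PKT_INV_SPI":
            # Brief bursts are expected from SA aging skew; longer runs are SAs out of sync.
            persistent = evs[-1].ts - evs[0].ts > brief_period
            findings.append({"peer": peer,
                             "condition": "persistent-invalid-spi" if persistent else "transient-invalid-spi",
                             "action": ("re-establish the connection or contact the peer's administrator"
                                        if persistent else "likely SA aging skew or cleared SAs; watch for recurrence")})
        elif mnemonic == "IKMP_MODE_FAILURE" and len(evs) >= failure_threshold:
            mode = MODE_RE.search(evs[-1].text)
            findings.append({"peer": peer, "condition": "persistent-negotiation-failure",
                             "action": f"{mode.group(1) if mode else 'IKE'} mode keeps failing; contact the remote peer"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['peer']:<14} {f['condition']:<32} {f['action']}")
```

Counting per peer rather than globally matters for the first rule: a head end terminating hundreds of tunnels will legitimately see a steady trickle of no-SA messages from many peers after SA lifetimes expire, and only a burst concentrated on one source address is worth escalating.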
      Audit Config Changes




      What to Monitor




         • Examples
                    Default settings too long?
                    IKE exchange/SA mismatches
                    Natural goal is to minimize pain




      Where to Monitor?
         • Head end
                    Can get most of needed data
                    Consolidated info source
         • Remote end
                    Bring up tunnel just to manage
                    Polling bandwidth?
                    SA’s out of synch?

         [Diagram: New York headquarters (Corp. Engr. Resources, Engr., Mktg.) and the Chicago and Dallas branch offices (Engr., Sales) connected across the Internet]


      Service Monitoring Applications
         • CSPM
                    Policy auditing and monitoring
                    Near-real time event data
         • CWVMS
                    System, throughput, failures and events
                    Threshold violations
                    Real-time graph of key VPN parameters
                    Tunnel drill-downs

         [Diagram: New York headquarters (Corp. Engr. Resources, Engr., Mktg.) and the Chicago and Dallas branch offices (Engr., Sales) connected across the Internet]
      Case Study 2: VoIP


        • Environment
                   Government agency with distributed offices using VoIP to reduce telephony charges
                   Wants ability to objectively monitor and report on voice quality in network
                   Voice QoS is affected by network QoS: when a voice quality problem is detected, the network QoS needs to be examined



      VoIP Potential Problems

        • Typical QoS problems
                   Packet Loss
                   Excessive Delay
                   Excessive Jitter
        • Core problems do not always show evidence on edges
        • Need means to inject at edges, track ingress to egress
      Service Assurance Agent Jitter Probes
         • Parameters
                    Source/destination devices
                    Source/destination ports
                    Sampling interval
                    Packets per sample
                    Payload size
                    Interpacket delay
                    Type of Service

         [Diagram: SAA monitoring app collecting from a router acting as RTR probe, which sends probe packets to a dedicated RTR Responder configured with (config)#rtr responder]


      SAA Deployment—Coverage

         [Diagram: core routers, distribution routers, WAN, access routers]
      SAA Deployment—CPU Impact

         [Diagram: the same core/distribution/WAN/access topology, with a CPU gauge (H/L) shown next to each router tier]
      Deployment—Probes and Responders

         [Diagram: CWSMS at the top; core/distribution routers acting as RTR Responders; access routers at the WAN edge acting as RTR probes]
      QoS Considerations

        • Probe traffic must have same QoS as real voice traffic
        • LLQ or RTP Priority configurations on the router may
          need to be adjusted so that traffic from the RTR probes is
          subject to strict priority queuing
         Example:
         class-map VoiceRTP
           match access-group name IP-RTP
         policy-map 192Kbps_site
           class VoiceRTP
           priority 110

         ! Match RTP-range UDP marked IP precedence 5 (critical); fragments are excluded
         ip access-list extended IP-RTP
           deny ip any any fragments
           permit udp <from> <mask> range 16384 32768 <to> <mask> range 16384 32768 precedence critical
           permit udp any any eq 20000 precedence critical
           permit udp any eq 20000 any precedence critical
      Tracking Results



           • Define SLAs paralleling service guarantees
           • View trends, threshold status
           • APIs to access data for individual uses




      What’s Acceptable?

        • Delay, Jitter: It Depends!
                   Obtain workable delay and jitter figures
                           Compare similar sites in the same network
                           Baseline baseline baseline!
        • Errors are a different story
                   In principle any non-zero error percentage is a red flag
                   RTR packets are given the same QoS treatment as
                   voice packets
                   No level of congestion should cause packet loss or
                   excessive delay
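The jitter probe parameters from the "Service Assurance Agent Jitter Probes" slide, the requirement that probe traffic receive the same QoS as voice, and the acceptance rules above, worked through as one added Python example (not code from the presentation or from any Cisco tool). It checks that a probe's UDP ports and IP precedence would match the RTP-range rule of the IP-RTP access list, summarises a constructed probe sample into loss, delay and jitter figures, and then applies the rules on this slide: any loss is a red flag, and delay and jitter are judged against a baseline from similar sites. The ProbeParams field names, the sample RTT values, the baseline figures and the 25% delay tolerance are all constructed.

```python
"""SAA-style jitter probe sample: QoS sanity check and acceptance evaluation.

Added example, not from the Cisco presentation or any Cisco tool. ProbeParams
mirrors the parameter list on the jitter-probe slide (field names are mine);
the sample RTT values and the baseline figures are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional

RTP_PORT_RANGE = (16384, 32768)   # UDP range the IP-RTP access list on the QoS slide permits
PRECEDENCE_CRITICAL = 5           # IP precedence value matched by "precedence critical"


@dataclass
class ProbeParams:
    source: str
    destination: str
    source_port: int
    destination_port: int
    sampling_interval_s: int      # how often a sample is taken
    packets_per_sample: int
    payload_bytes: int
    interpacket_delay_ms: int
    tos: int                      # IP ToS byte; precedence is its top three bits


def probe_gets_voice_qos(p: ProbeParams) -> bool:
    """True when the probe's UDP ports and IP precedence would match the IP-RTP
    access list, so its packets are queued like real voice traffic. A probe that
    fails this check measures the best-effort path, not the voice path."""
    lo, hi = RTP_PORT_RANGE
    return (lo <= p.source_port <= hi and lo <= p.destination_port <= hi
            and (p.tos >> 5) == PRECEDENCE_CRITICAL)


def summarize_sample(rtts_ms: List[Optional[float]]) -> dict:
    """rtts_ms[i] is the round-trip time of probe packet i, or None when no
    response arrived. With evenly spaced sends, the change in RTT between
    consecutive answered packets equals the deviation of their arrival gap from
    the sending gap, which is the jitter figure a probe reports."""
    answered = [r for r in rtts_ms if r is not None]
    diffs = [b - a for a, b in zip(answered, answered[1:])]
    pos = [d for d in diffs if d > 0]
    neg = [-d for d in diffs if d < 0]
    return {
        "sent": len(rtts_ms),
        "received": len(answered),
        "lost": len(rtts_ms) - len(answered),
        "avg_rtt_ms": mean(answered) if answered else None,
        "max_rtt_ms": max(answered) if answered else None,
        "positive_jitter_avg_ms": mean(pos) if pos else 0.0,
        "negative_jitter_avg_ms": mean(neg) if neg else 0.0,
        "max_abs_jitter_ms": max((abs(d) for d in diffs), default=0.0),
    }


def evaluate(summary: dict, baseline_rtt_ms: float, baseline_jitter_ms: float,
             delay_tolerance: float = 1.25) -> List[str]:
    """Apply the 'What's Acceptable?' rules: any loss on priority-queued probe
    traffic is a red flag; delay and jitter are judged against a baseline taken
    from similar sites in the same network (the tolerance factor is arbitrary)."""
    flags = []
    if summary["lost"] > 0:
        flags.append("packet-loss")
    if summary["avg_rtt_ms"] is not None and summary["avg_rtt_ms"] > baseline_rtt_ms * delay_tolerance:
        flags.append("delay-above-baseline")
    if summary["max_abs_jitter_ms"] > baseline_jitter_ms:
        flags.append("jitter-above-baseline")
    return flags


# Constructed probe definition: 10 packets of 60 bytes every 20 ms, once a minute,
# ToS 0xB8 (precedence 5, the usual marking for voice bearer traffic).
PROBE = ProbeParams("10.1.1.1", "10.2.2.2", 16400, 16400, 60, 10, 60, 20, 0xB8)
MISMARKED_PROBE = ProbeParams("10.1.1.1", "10.2.2.2", 16400, 16400, 60, 10, 60, 20, 0x00)

# Constructed sample: packet 6 got no response, packet 8 saw a delay spike.
SAMPLE_RTTS_MS = [40, 42, 41, 45, 44, None, 43, 60, 44, 43]
BASELINE_RTT_MS, BASELINE_JITTER_MS = 45.0, 10.0   # constructed figures from "similar sites"

if __name__ == "__main__":
    print("probe matches voice class:", probe_gets_voice_qos(PROBE))
    s = summarize_sample(SAMPLE_RTTS_MS)
    print(s)
    print("flags:", evaluate(s, BASELINE_RTT_MS, BASELINE_JITTER_MS))
```

The QoS check runs before any sample is trusted: if the probe is mismarked or uses ports outside the access list, its loss and jitter describe the wrong queue and comparing them against the voice baseline is meaningless. Only the RTP range rule of the access list is modelled here; the two port-20000 entries on the QoS slide are not.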

                                              CLOSING SLIDES



      Other Presentations of Interest



       • NCM-101—Introduction to Network
         Management
       • NCM-207—Understanding Fault
         Management
       • NCM-301—Network Troubleshooting Tools
         and Techniques


                                 Please Complete Your
                                    Evaluation Form
                                                                     Session NCM -208



