2003, Cisco Systems, Inc. All rights reserved.

Transcription

2 Transparenz und Kontrolle von Netzwerkapplikationen Roland Schön Internetworking Consultant CCIE # 1785 Public Sector Team, Cisco Germany rschoen@cisco.com 2003, Cisco Systems, Inc. All rights reserved. 2

3 Agenda Erkennung von Netzwerkapplikationen - NBAR Funktion im IOS Einschränkung von Bandbreiten - NBAR und Policing - Rate-Limiting (Benutzer-basiert) SAA Service Assurance Agent G-WiN Zugangsrouter

4 Stimmt die Aussage...? There is always enough bandwidth available in my network and on my Internet-Connection. For each and every application! The Network Admin 2003, Cisco Systems, Inc. All rights reserved. 4

5 NBAR Übersicht Intelligent Classification Engine in Cisco IOS Used in conjunction with QoS class-based features Protocol Discovery analyzes application traffic patterns in real time Discovers which traffic is running on the network Supported Platforms Cisco 1700 Cisco 2600 Cisco 3600 / 3700 Cisco 7100 / 7200 Cisco 7500 Catalyst 6500 Flex Wan 2003, Cisco Systems, Inc. All rights reserved. 5

6 Network Based Application Recognition (NBAR) My application is too slow! Protect your business critical traffic / applications Router Link-Utilization Citrix 25% Netshow 15% Gnutella 10% FTP 30% HTTP 20% Citrix Action: Mark Citrix real-time as GOLD service and police FTP. Block Gnutella Result: Guarantee bandwidth for Citrix! 2003, Cisco Systems, Inc. All rights reserved. 6

7 Intelligente Klassifizierung von IP-Paketen IP Packet Classification Engine capable of classifying Applications that have Statically assigned TCP and UDP port numbers Non-TCP and Non-UDP IP protocols Dynamically assigned TCP and UDP port numbers during connection establishment Sub-port classification or Classification based on deep inspection Ability to look deeper into the packet to identify applications. HTTP traffic by URL, host name or MIME type using regular expressions (*,?, [ ]), Citrix ICA traffic, RTP Payload type classification NBAR Currently Supports >85 protocols/applications 2003, Cisco Systems, Inc. All rights reserved. 7

8 Das Inspizieren von IP Paketen IP Packet Stateful/Dynamic Inspection TCP/UDP Packet Data Packet ToS Byte Source IP Addr Dest IP Addr Src Port Dst Port Sub-Port/Deep Inspection egp exchange kerberos secure-nntp smtp gre finger l2tp notes snmp icmp ftp ldap novadigm socks ipinip secure-ftp secure-ldap ntp sqlnet ipsec gopher netshow pcanywhere ssh eigrp http pptp pop3 streamwork bgp secure-http sqlserver secure-pop3 syslog cuseeme imap netbios printer telnet dhcp irc nfs realaudio secure-telent dns secure-irc nntp rcmd tftp fasttrack gnutella citrix napster vdolive xwindows , Cisco Systems, Inc. All rights reserved. 8

9 Wie werden NBAR neue Applikationen hinzugefügt? Through the use of PDLM: Packet Description Language Module Custom-xx functionality in NBAR for Static TCP/UDP port applications 2003, Cisco Systems, Inc. All rights reserved. 9

10 Packet Description Language Module PDLMs define applications recognizable by NBAR New applications easily supported by adding new PDLMs No Cisco IOS software upgrade or reboot required to add new PDLMs* PDLMs must be produced by Cisco engineers * in most cases 2003, Cisco Systems, Inc. All rights reserved. 10

11 Custom-xx NBAR Funktion Used for static TCP/UDP port based applications that are not supported in NBAR. Up to 10 custom applications can be added Map 16 TCP and UDP ports each per application Statistics appear in the Protocol Discovery Router(config)#ip nbar port-map custom-01? - tcp TCP ports - udp UDP ports 2003, Cisco Systems, Inc. All rights reserved. 11

12 Protocol Discovery The Protocol Discovery feature discovers and provides real time statistics on applications per-interface, per-protocol, bi-directional statistics: 5 minute bit rate (bps) packet counts and byte counts. 2003, Cisco Systems, Inc. All rights reserved. 12

13 NBAR Protocol Discovery + QDM Graph Router# show ip nbar protocol-discovery interface FastEthernet 6/0 FastEthernet6/0 Input Output Protocol Packet Count Packet Count Byte Count Byte Count 5 minute bit rate (bps) 5 minute bit rate (bps) http pop snmp ftp Total , Cisco Systems, Inc. All rights reserved. 13

14 Kürzliche NBAR Erweiterungen Addition of New Applications and Protocols - Fasttrack & Gnutella PDLM on CCO Next Generation of Napster (aquired by Roxio) like applications Peer 2 Peer file sharing applications KaZaa, Morpheus, Grokster and Gnutella Does not require an IOS Release upgrade - Real-Time Protocol Payload (RTP) Classification [ since 12.2(8)T and 12.1(11b)E ] Stateful mechanism to identify real time audio and video traffic Differentiate on the basis of audio and video codecs 2003, Cisco Systems, Inc. All rights reserved. 14

15 Peer-to-Peer File Sharing Fasttrack: Kazaa, Morpheus, Grokster, Imesh clients Concept of Super Nodes: Simplifies the search criteria Currently Supported in NBAR as: Match protocol fasttrack file-transfer * Match protocol fasttrack file-transfer *.mpeg 2003, Cisco Systems, Inc. All rights reserved. 15

16 Peer-to-Peer File Sharing Gnutella: BearShare, LimeWire, Gnotella Currently Supported in NBAR as: Match protocol gnutella file-transfer * Match protocol gnutella file-transfer *.mpeg 2003, Cisco Systems, Inc. All rights reserved. 16

19 1. Enable NBAR + Protocol discovery Router(config)# interface FastEthernet 1/0 ip nbar protocol-discovery Router# sh ip nbar protocol-discovery interface FastEthernet 1/0 Input Output Protocol Packet Count Packet Count Byte Count Byte Count 5 minute bit rate (bps) 5 minute bit rate (bps) http pop , Cisco Systems, Inc. All rights reserved. 19

20 1. Beispiel Protokoll Erkennung Router# sh ip nbar protocol-discovery interface Pos 4/0/0 Input Output Protocol Packet Count Packet Count Byte Count Byte Count 30 second bit rate (bps) 30 second bit rate (bps) http napster fasttrack smtp secure-http ,5Mbit/s 2,5Mbit/s 2003, Cisco Systems, Inc. All rights reserved. 20

21 2. Create Class Map Classification which traffic to look at? class-map match-all peer2peer match protocol gnutella file-transfer * match protocol fasttrack file-transfer *.mpeg match protocol kazaa2 class-map match-all sports match acl 103 match protocol url *sports* 2003, Cisco Systems, Inc. All rights reserved. 21

22 3. Create Policy Map Policing What to do with classified packets? e.g. drop policy-map Limit-fileshare class-map peer2peer police conform-action transmit exceed-action drop class-map sports police Limit to 1 Mbit/s, all above will be dropped 2003, Cisco Systems, Inc. All rights reserved. 22

23 4. Create Service Map Apply to an interface (for example FE 1/0) Router(config)# interface FastEthernet 1/0 service-map input limit-fileshare service-map output limit-fileshare 2003, Cisco Systems, Inc. All rights reserved. 23

24 5. Optional: Load PDLM PDLM Packed Description Language Module Add Protocol for NBAR Classification Engine with out IOS Update Router(config)# ip nbar pdlm <flash location> fasttrack.pdlm PDLMs can be found on CCO: , Cisco Systems, Inc. All rights reserved. 24

25 6. NBAR zum Klassifizieren von P2P Appl. und deren Einstufung in Best-Effort Klasse Activate PDLM into RAM: ip nbar pdlm flash:gnutella.pdlm Use MQC match protocol statements to classify the traffic class-map match-any protocol P2P match protocol gnutella match protocol fasttrack (identifies KaZaa, Morpheus and Grokster) WRED DSCP Based to cause drops from this traffic first policy-map P2P class P2P set dscp 2 Alternative is to place in separate bandwidth based queue with very small bandwidth guarantee policy-map P2P class P2P set dscp 2 policy-map QoS-Policy class class-default fair-queue random-detect dscp-based policy-map P2P-CBWFQ-MIN class P2P bandwidth percent , Cisco Systems, Inc. All rights reserved. 25

27 Policing vs. Shaping Traffic Traffic Traffic Rate Time Traffic Rate Time Policing Shaping Traffic Traffic Traffic Rate Time Traffic Rate Time Policer Causes TCP resends Oscillation of TCP windows Ingress Rate limiting with No buffering (drop) Shaper Egress Rate limiting with Buffering (delay or drop) Can adapt to network congestion (FR BECN, FECN) 2003, Cisco Systems, Inc. All rights reserved. 27

28 Traffic Shaping und Policing Implementierungen Shaping mechanisms: Class-based shaping Frame Relay traffic shaping (FRTS) Generic traffic shaping (GTS) Policing mechanisms: Two rate policer Class-based policing Committed access rate (CAR) 2003, Cisco Systems, Inc. All rights reserved. 28

29 Class-based Policer (1) Single Rate Policer Bc = Burst Commited Bc = CIR * Tc Bc + Be Bc Packet of Size B B < Bc+Be Be Yes No Conform Exceed Action Action 2003, Cisco Systems, Inc. All rights reserved. 29

30 Class-based policer (2) RFC 2698: Two Rate Three Color Policer in 12.2T Be = Burst Excess Be = PIR * Te Bc = Burst Commited Bc = CIR * Tc B > Be(t) No B > Bc(t) No Packet of Size B Yes Yes Violate Exceed Conform Drop Action Action 2003, Cisco Systems, Inc. All rights reserved. 30

32 Zukünftiges Feature im Cat6K User-Based Rate Limiting z.b. Studentenwohnheim Traffic from Dorms Ingress Microflow policer Applied to user ports(s) Source-only Flow mask Use ACL to limit the scope of source IP addresses to intended users Traffic from Internet Ingress Microflow policer Applied to uplink ports Dest-only Flow mask Use ACL to limit the scope of destination IP addresses to intended users 2003, Cisco Systems, Inc. All rights reserved. 32

33 Zukünftiges Feature im Cat6K User-Based Rate Limiting - Konfiguration User Subnets n.x/24 int fast4/1-48 int gig3/1 Internet Traffic from Dorms access-list 101 permit ip n any class-map Users-Outbound match access-group 101 policy-map Users-Outbound class Users-Outbound police flow mask src-only blah int range fast4/1-48 service-policy input Users-Outbound Traffic from Internet access-list 102 permit ip any n class-map Users-Inbound match access-group 102 policy-map Users Inbound class Users-Inbound police flow mask dest-only blah ** int gig 3/1 service-policy input Users-Inbound ** e.g.: police flow mask dest-only conform-action transmit exceed-action drop Scales to 64 Different Rates and 128K Host IP addresses 2003, Cisco Systems, Inc. All rights reserved. 33

36 Service-Level Monitoring im Netz Monitoren von SLAs Cisco IOS Router mit SA Agent SA Agent Cisco IOS Router mit SA Agent SA Agent Network Core Messbare SLA Metriken sind z.b. Antwortzeit Verfügbarkeit Verletzungen von Schwellwerten Jitter Paketverlust 2003, Cisco Systems, Inc. All rights reserved. 36

37 Einsatz des SA Agent What s up in my net? Performance Management: Collection, utilization, and performance data; analyze data and set utilization thresholds Why is Performance Management important? Problem isolation Service differentiation Network planning 2003, Cisco Systems, Inc. All rights reserved. 37

38 SA Agent Funktionsvielfalt Increasing Service Value HTTP FTP Connect DLSw QoS Support (ToS) TCP Jitter DNS/ DHCP UDP Echo SNA Path Echo ICMP Cisco IOS-Based Service Assurance* Agent Echo Path Jitter *With Cisco IOS 12.2(13)T (APM) ATM* Frame Relay MPLS VPN Aware 2003, Cisco Systems, Inc. All rights reserved. 38

39 IOS Releases und unterstützte Features Feature/Release ICMP Ping ICMP Echo Path SSCP (SNA) UDP Echo TCP Connect UDP Jitter HTTP DNS DHCP DLSw+ One-Way Latency with UDP Jitter FTP Get SNMP Support MPLS VPN Aware Frame Relay (CLI Only) ICMP Path Jitter Application Performance Monitor (3)T 12.0(5)T 12.0(8)S 12.1(1)T 12.2(2)T X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X 2003, Cisco Systems, Inc. All rights reserved. 39

41 Wie funktioniert das mit dem SAA? Hop-by-hop analysis Proactive notification Rising and falling thresholds Robust threshold definition for SLAs SNMP traps generated when SLA violated Thresholds can trigger SA operation activation for further analysis Any IP Host Measure Measure Management Application SNMP Trap Configure Collect Present SA Agent Measure SA Agent Cisco IOS Device Measure (SA Agent Responder) 2003, Cisco Systems, Inc. All rights reserved. 41

44 Beispiel 1: Echo IP SAA Cisco-RTTMon Completions Errors (7 Types) IP ICMP Echo Probe } SumCompletionTime MaxCompletionTime MinCompletionTime } Response IP Core Availability = IP Device a.b.c.d Completions Completions + Errors of IP Network 7 Types of Errors: Disconnects, Timeouts, Busies, No Connections, Drops, Sequence Errors, VerifyErrors 2003, Cisco Systems, Inc. All rights reserved. 44

45 Beipiel 2: HTTP Probe SAA Cisco-RTTMon HTTP Probe } IP Core HTTPCompletions HTTPErrors Availability = Completions Completions + HTTP Server Errors DNSRTT TCPConnectRTT TransactionRTT RTT to Perform Domain Lookup RTT to Perform TCP Connect to HTTP Server RTT to Send out Request and Get Response from Server 2003, Cisco Systems, Inc. All rights reserved. 45

46 Configuration Process Set operation number Configure operation type Configure operation characteristics Set reaction conditions Schedule the operation time 2003, Cisco Systems, Inc. All rights reserved. 46

47 Konfiguration des Operation Type einige Beispiele (config)# rtr 1 Operation number (config-rtr)# type jitter dest-ip a.b.c.d dest-port 99 num-packets 20 interval 20 type http Operation get url type echo protocol ipicmpecho Operation a.b.c.d type tcpconnect dest-ipaddr a.b.c.d dest-port , Cisco Systems, Inc. All rights reserved. 47

49 Management Applications Supporting SA Agent Internetwork Performance Monitor (IPM) Service Management Suite (SMS) VPN SC CNS Performance Engine ehealth VistaView PowerView Firehunter UpTime IPInsight MRTG Brixworx and Many More 2003, Cisco Systems, Inc. All rights reserved. 49

51 SA Agent Performance Memory and CPU usage on a c2600(40mhz M860 CPU): Type UDP Echo Jitter (UDP Plus) ICMP Echo Responder (UDP Echo) Responder (Jitter) # of Source Probe Operations per Minute Average Memory Usage (Bytes) 13K per Probe 17K per Probe 11K per Probe 58K Total 97K Total Avg. CPU Usage per Probe Operation (msec) CPU usage can be scaled based on the clock frequency of the RISC CPU: 7200(150MHz->40/150=0.27 times) 2003, Cisco Systems, Inc. All rights reserved. 51

53 Geräteklassen für G-WiN Zugang und deren NBAR-Support ü NBAR Support Cisco 7200/7500 Medium ü in 12.2S with NPE-G100 Cisco 7300 System Performance 2003, Cisco Systems, Inc. All rights reserved. ü No! Cisco 7600 & Catalyst6500 Cisco very high 53

54 NBAR Performance-Zahlen NBAR is CEF supported! No NBAR in PXF-based Systems Performance Impact? Sample1: For Cisco 7200/NPE300, 45 Mbit/s in both directions + 8 % CPU Load for Protocol discovery + 15 % CPU Load for NBAR Classification Sample2: For Cisco 7500 with VIP2-50 to VIP4-80 (dnbar) + approx. 5% performance degradation 2003, Cisco Systems, Inc. All rights reserved. 54

55 Plattform-Support für SA Agent MC3810 Catalyst Cisco 36xx 4K/5K/6K/ with L3 Mod Cisco 25xx/26xx Cisco AS5400/5800 Cat5K Cisco3700 Cisco 4500/4700 Cisco GSR, 10K Cisco 6400/ 7200/7500, 7300/7400 Cisco 800/100x/14xx/16xx/17xx 2003, Cisco Systems, Inc. All rights reserved. 55

56

58 Backup-slide configuring NBAR! Router config with NBAR enabbled for limiting NAPSTER! ip cef ip nbar pdlm slot0:napster.pdlm!! class-map match-all napster_nonstd match protocol napster non-std class-map match-all napster match protocol napster!! policy-map napout class napster_nonstd police conform-action drop exceed-action drop class napster police conform-action transmit exceed-action drop policy-map napin class napster_nonstd police conform-action drop exceed-action drop class napster police conform-action transmit exceed-action drop! interface FastEthernet0/0 description ***Residence Halls*** ip address xxx.xxx.xxx.xxx xxx.xxx no ip mroute-cache duplex full service-policy input napin service-policy output napout atm pvc aal5snap , Cisco Systems, Inc. All rights reserved. 58! interface FastEthernet0/1 description ***Admin*** ip address xxx.xxx.xxx.xxx xxx.xxx ip nbar protocol-discovery duplex full no ip mroute-cache! interface ATM1/0 description *** PVC to Sunnyville CSU router no ip address no atm ilmi-keepalive! interface ATM1/0.1 point-to-point bandwidth ip address xxx.xxx.xxx.xxx xxx.xxx ip nbar protocol-discovery ip policy route-map papapix