The Traffic Management Handbook for Enterprises

Transcription

1 The Traffic Management Handbook for Enterprises n n A comprehensive review of traffic management for enterprise networks and network managers a mind for networks

2 The Traffic Management Handbook for Enterprises A comprehensive review of traffic management for enterprise networks and network managers Allot Communications Ltd., 2006 First Edition: September, 2006 Part Number: D501101, Revision A i

3 Copyright 2006 by Allot Communications Ltd. This book contains works of authorship owned and published by Allot Communications Ltd. that are protected under copyright laws and international treaties. All Rights Reserved. No part of this publication may be reproduced, distributed, translated, stored in a retrieval system or transmitted in any form or by any means without the prior written permission of Allot Communications Ltd. Although every reasonable effort has been made to provide reliable data and information, Allot Communications does not guarantee the accuracy or completeness of any information published herein, and shall not be responsible for any errors, omissions or damages arising from the use of or reliance upon this information. Brand and product names mentioned herein are trademarks of their respective owners. International Headquarters Allot Communications Ltd. 22 Hanagar Street Industrial Zone B Hod-Hasharon, Israel Tel: US Office Allot Communications, Inc Golden Triangle Drive Eden Prairie, MN Minneapolis, USA Tel: (952) ISBN ii

4 Table of Contents Preface 1 Chapter 1 About Traffic Management and Why You Probably Need It 3 Chapter 2 The Business Case for Strategic Traffic Management 9 Chapter 3 Network Monitoring Part I 17 Chapter 4 Network Monitoring Part II 23 Chapter 5 Creating a Network Policy: Classification 29 Chapter 6 Creating a Network Policy: Assigning Actions 35 Chapter 7 Managing Shared IP VPN and Internet Connections 41 Chapter 8 A Look Inside HTTP 45 Chapter 9 Taming Peer-to-Peer Traffic 49 Chapter 10 When Voice and Video Join the Network 57 Chapter 11 IT and Business Alignment 63 Chapter 12 Network Topology Alternatives 69 Chapter 13 Quality of Service (QoS) in an MPLS Environment 75 Chapter 14 Strategies for Universities 79 Chapter 15 Gaining an Edge Through Strategic Networking 87 Chapter 16 Network Business Intelligence Data Mining for Strategic Performance Management 97 Chapter 17 Case Study of Louisiana State University 101 iii

5

6 Preface This book contains a collection of articles written over a period of 2 years by Allot Communications. Based on the company s extensive experience and leading worldwide position in the area of network traffic management for service providers, carriers and enterprises, these articles cover a range of subjects, starting with a description of what network traffic management is and why you probably need it. Other chapters deal with the relevance of network monitoring, taming peer-to-peer traffic, the importance of integrating Layer 7 deep packet inspection for monitoring of network traffic, the significance of voice and video joining the network, ensuring quality of service, and gaining an edge through strategic networking. The bottom line is that in today s networks, there are cost effective alternatives to adding more bandwidth in order to meet the demands of users. More and more, traffic management devices are being employed to ensure mission-critical applications and contain WAN costs in enterprise networks. Used to manage enterprise network LAN/WAN traffic, they offer robust, policy-powered networking that directly links between board-level strategic priorities and the priorities of the IT infrastructure. This is achieved by monitoring network and bandwidth usage to automatically discover applications and determine the protocols that affect performance and require management; defining the policies that link business priorities to computing needs and determine the quality of service (QoS) attributes, such as minimum and maximum bandwidth percentages and traffic prioritization; and finally, enforcing the rules, allowing the traffic management device to examine all traffic crossing the WAN link and continually monitor resources to maintain network control and application performance. 1

7

8 Chapter 1 About Traffic Management and Why You Probably Need It A relatively new category of network management is fast becoming a necessity in converged business networks. Mid-sized and large organizations are finding they must control network traffic behavior to assure that their strategic applications always get the resources they need to perform optimally. Controlling network traffic requires limiting bandwidth to certain applications, guaranteeing minimum bandwidth to others, and marking traffic with high or low priorities. This exercise is called traffic management. You might also hear variations of this activity described as WAN optimization, application performance management, traffic shaping, bandwidth management, bandwidth optimization, and quality of service (QoS). There are some subtle technical differences among these terms. For example, traffic management makes use of QoS mechanisms, such as traffic classification, prioritization, queuing, and rate limiting. However, when used informally, these terms all loosely describe setting rules, or policies, for how particular application traffic should behave and then ensure that the network automatically enforces those rules. 3

9 Today s traffic management systems let network managers control network traffic flows based on application type, protocol type, source and destination addresses, and other variables. To provide this level of granularity, traffic management tools operate up through Layer 7 of the OSI model (the application layer). These tools are software-centric, but are often embodied in standalone devices. Network monitoring and reporting through Layer 7, both historical and real-time, are fundamental to successfully managing application performance. For example, Layer 7 monitoring identifies Oracle databases by user and application name, auto-detects Citrix published application names, and tracks Hyper Text Transfer Protocol (HTTP) traffic by signature and on any port number it may use. These functions will be discussed in detail in Chapters 3 and 4. How Organizations Are Using Traffic Management There are many reasons that enterprises use traffic management to set and enforce traffic policies, including: To guarantee minimum bandwidth to Citrix and Voice over IP (VoIP) traffic at all times To ensure that delay-sensitive VoIP has priority over other traffic types To eliminate expensive, real-time international frame relay permanent virtual circuits (PVCs) To enforce service-level agreements (SLAs) with their WAN service providers To block music or video downloads To block music file-sharing and avoid copyright infringement liability To eliminate congestion in real-time data replication to mirrored data centers To eliminate usage-based ISDN costs for videoconferences To delay investments in additional network capacity Do You Need Traffic Management? Most organizations migrating multiple application types to an integrated packet-switched wide area network (WAN) service will benefit from traffic management tools. This is because the WAN is usually more bandwidth-constrained than the local area network (LAN), causing potential congestion bottlenecks. Also, as a network shared among many customers, WAN performance is often less predictable. That said, the 4

10 extent and configuration of the traffic management policies you establish depend on: The number of remote sites on your network The degree of diversity in your application mix The number of user groups you must support with disparate policies Another indication that your network could benefit from traffic management is if performance degradation did not improve much when you added WAN bandwidth. The behavior of certain protocols in a converged, packet-switched environment renders adding network bandwidth an ineffective fix, particularly for applications sensitive to latency. The Impact of Convergence The main driver behind the growing use of traffic management is the industry s migration from time-division multiplexing (TDM) networks to converged, packet-switched WANs, such as IP virtual private networks (VPNs) and public Internet connections. With packet switching, businesses gain large bandwidth efficiencies, thanks to the statistical multiplexing nature of the technology. Packet switching uses any available bandwidth across the aggregate capacity of the transmission facility to transport packets. Converged packet-switched networks make optimum use of network bandwidth, saving businesses significant amounts of money on monthly service transmission fees. They also enable both enterprises and service providers to transmit all types of traffic over a single infrastructure, dramatically reducing capital and operational expenses (Figure 1). Figure 1: The Efficiencies of Packet Switching Packet-switched networks make full use of available network capacity. However, the different traffic types contending for a common bandwidth pool require enterprises to groom traffic flows for consistent, predictable performance 5

11 Convergence also fosters innovative new applications that merge packetbased voice, video, and data. For example, companies can create web sites that combine real-time voice conversations with a live operator, virtual tours, text chat, music, and other functions into an integrated multimedia experience. However, the TCP/IP protocols in packet-switched IP VPNs and Internet services are best effort technologies, with no inherent mechanisms for performance management. With IP traffic volumes doubling every year and applications all contending for a shared pool of WAN bandwidth, it is up to network managers to ensure that each application gets the resources it needs to consistently perform well. WAN Edge Deployment Usually, traffic management is deployed at the WAN edge of an enterprise site. This is where the high-speed LAN meets the lower-speed WAN access link. The LAN-WAN juncture is also where both Internet and Intranet traffic enters and exits the enterprise. So it is the ideal place to tame traffic to mitigate the impact of non-critical and even suspicious traffic picked up on the Internet. Limiting or blocking the network resources available to frivolous or undesirable traffic boosts the performance of enterprise resource planning (ERP), customer relationship management (CRM), and other strategic, business-critical applications. In addition to policing traffic at the network edge, there are pure performance issues to consider. The WAN access network is usually slower than the LAN, generally for budgetary reasons. Businesses pay recurring monthly fees for WAN services, while LAN bandwidth is free (after upfront equipment investments have been made). With high-speed LAN traffic throttling back to a lower-speed access circuit, the LAN-WAN edge is where congestion is most likely to occur. Most applications have been developed to run on LANs. Local networks are generally free from congestion and fall under the total control of an internal IT department. LAN-optimized applications behave differently in the WAN environment. Not only is the WAN access link slower, but WAN services also can fall under the management purview of multiple network providers. 6

12 Managing traffic in this network segment aids distributed organizations that depend on the WAN to serve remote users with centralized resources. Doing so is a reasonably simple matter. In most cases, a network administrator uses a GUI to set parameters for some business-critical policies in plain English. The administrator then pushes a button to propagate those policies to the various network segments where they should be enforced. Chapter Summary Traffic management describes the use of software tools to set policies that govern how network traffic flows should behave when traversing a WAN or Internet connection. The tools enable granular control over traffic, often on a per-flow basis. Network administrators can set policies that the network automatically enforces based on application type, protocol type, user, source address, destination address, and other variables. Traffic management involves classifying and marking traffic according to priority. For example, delay-sensitive applications like VoIP usually would have a small amount of bandwidth guaranteed to them, and VoIP packets would be marked for placement in the top priority queue. Traffic management has become a fundamental element of network management in an era where enterprises and service providers are merging all traffic onto packet-switched networks. Converged networks afford many efficiencies and application innovation. But they also require monitoring and control to ensure that the various applications all contending for a common pool of bandwidth do not negatively affect one another. 7

13 8

14 Chapter 2 The Business Case for Strategic Traffic Management Most network implementers have determined that the operational efficiencies and multimedia capabilities of converged, packet-switched networks justify the conversion to this architecture. Furthermore, all businesses want employees to readily accept and utilize the strategic applications that IT organizations deploy. Today, most of these applications rely on WAN technologies such as IP virtual private networks (VPNs), frame relay and ATM services for user access. For enterprise deployments of networked applications to succeed, they must consistently deliver response times that users find acceptable. Ensuring suitable response times across converged WAN connections requires some level of monitoring and control over applications, which all contend for a common pool of often-unpredictable WAN resources. IT managers ignoring the contention-management issue risk allowing low-priority, bandwidth-intensive applications and users to negatively impact the strategic, revenue-generating applications of their organizations. This risk can have costly ramifications (see The High Cost of Poor Performance below). Instead, it generally pays to control the amount of total bandwidth that lower-priority traffic is allowed to consume in the presence of more strategic application traffic. This is a preventive measure that mitigates the impact of any WAN congestion on user productivity and business 9

15 revenue. Most organizations, for example, would prefer that and web browsing slow down slightly during peak usage periods rather than negatively impact CRM, e-commerce or Citrix sessions. The Hefty Price Tag of Peer-to-Peer (P2P) Another more recent economic driver for this type of strategic traffic management is the much-publicized emergence of P2P traffic in most universities and also in many enterprises. P2P protocols enable one client device to serve content directly to another client device. This content is generally multimedia (music and movies) in nature and thus consumes massive volumes of bandwidth. With very few exceptions, P2P content is not business-related, yet it can cost an organization dearly in terms of bandwidth consumption and poor productivity. Because P2P content is not hosted by a server managed by the enterprise IT department, it is difficult to even detect, let alone control, without special application-recognition tools. However, left unchecked, P2P can monopolize network resources to the detriment of other applications, leaving users frustrated by poor response times while network managers scratch their heads. There are also thorny legal issues with P2P applications when they are used to share copyright-protected content. A full chapter devoted to managing the impact of P2P traffic appears later in this book. Left unmanaged, lower-priority traffic will overtake network bandwidth, preventing strategic business applications, such as enterprise resource management (ERP) and customer relationship management (CRM), from delivering the productivity and revenue returns expected by the organizations that deploy them. As discussed in Chapter 1, most business applications have been designed to run in a high-speed LAN environment, controlled by a single entity (the enterprise IT department). Those same applications will not run as well across a WAN topology. WAN services are shared by multiple enterprises, often managed by multiple network operators, and, as a result, offer less predictable service levels. Failed or diminished use of business-critical applications carries a high cost to enterprises, as reflected by research presented in the section below. 10

16 The High Cost of Poor Performance Application design and server processing resources play a role in application performance. However, poor management of network links is most often to blame for network application bottlenecks. A study conducted by international researcher Infonetics Inc., for example, reveals that network downtime a combination of both network outages and performance degradation costs enterprises millions per year and thousands per hour in lost revenues (see Figure 1). Industry Annual Revenue Annual Downtime Cost Downtime Cost per Hour Portion of Cost Due to Network Outage Portion of Cost Due to Network Degradation Energy $6.75B $4.3M $1,624 72% 28% Hi-tech $1.3B $10.2M $4,167 15% 85% Healthcare $44B $74.6M $96,632 33% 67% Travel $850M $2.4M $38,710 56% 44% Finance (US) Finance (Europe) $4B $10.6M $28,342 53% 47% $1.2B $379,000 $1,573 51% 49% Figure 1: Cost of Enterprise Downtime 2003 Source: Infonetics Inc. study based on six companies in different industries with some of the world s most advanced IT organizations From this research, it is apparent that companies could seriously improve their bottom lines simply by doing a better job of tracking and managing network performance. Inadequate network and application performance compromises a company s ability to compete in an economy that depends on real-time network transactions. Application bottlenecks can impede communication between companies and their customers and dramatically degrade internal productivity. The cumulative bottom line impact can be staggering. 11

17 Your Baseline ROI For most organizations, the most tangible and immediate payback from an investment in traffic management results from delaying the acquisition of additional bandwidth, or even reducing current bandwidth needs. Most networks experience peak usage at several predictable periods of the day, and the typical network manager s response is to purchase additional capacity to alleviate congestion issues during these periods. While this approach seems logical and prudent, it is a tactical short-term solution that rarely resolves this long term strategic issue. A better strategy is to forecast and purchase incremental capacity based on long-term average usage levels, and to utilize traffic management tools to help smooth out the peak periods. Some applications utilize protocols that readily adapt to incremental capacity, scaling to absorb the available bandwidth. These bandwidthhungry applications are often non-critical in nature so new capacity is quickly consumed. Worse yet, many business-critical applications use protocols that cannot effectively scale, so the incremental bandwidth does not alleviate performance problems with many core business applications. Rather than incurring the on-going monthly expense of additional network capacity, most network managers discover that implementing traffic management policies can easily resolve their congestion problems. By allocating a portion of bandwidth to strategic applications, protocols or user groups, or by setting relative priorities on various traffic types, highpriority sessions flow unimpeded, while low-priority traffic is queued or throttled momentarily to provide logical traffic control. This is the essence of intelligent traffic management. Depending on where the network congestion resides, this component of the overall ROI for traffic management solutions is easily calculated. If, for instance, implementing a $10,000 traffic management device on an Internet access link delays the monthly lease of $2,000 in additional Internet bandwidth, the ROI is five months. Similarly, a $40,000 solution that forestalls a $10,000 per month upgrade to an international WAN link would yield a four month ROI. These types of calculations are relevant for service provider, university, government and enterprise networks and virtually every type of network topology. 12

18 Using Monitoring to Calculate Payback Monitoring and reporting exercises will help you quantify the financial justification for traffic management in your organization. Note that there are different types of network monitoring used for different purposes. Monitoring takes place at different layers of the Open Systems Interconnection (OSI) protocol stack, for example, depending on what information you are trying to glean and how you will apply it. Real-time monitoring is used for troubleshooting and resolution, while longerterm monitoring and reporting assists with fine-tuning the network and capacity planning, ensuring that you have adequately sized your network capacity. Figure 2: Examples of 7 Layer Monitoring WAN Performance The most critical first step in assessing whether traffic management is required is to monitor WAN performance for a week or two using a device capable of monitoring all seven OSI layers. Most reputable vendors will provide an evaluation unit for this purpose. This type of product provides detailed information about the applications resident on the network, how they are behaving, and whether any applications, users, or protocols require careful control to improve the performance of strategic business applications. An additional component of your business case involves the productivity of users of your business-critical applications. Armed with your historical monitoring information, you can identify problem areas and estimate the downtime and response time issues that applications are experiencing, as well as calculate what those periods of lost productivity are costing your organization (see Figure 3). 13

19 Application Downtime Cost per Minute CRM $2,200 Data warehouse $5,800 E-commerce $2,500 ERP $6,500 Supply-chain management $4,400 Figure 3: Cost of Application Downtime to Enterprises Source: The Standish Group, as reported by Software Magazine Another consideration involves an analysis of your current (or planned future) costs for network monitoring solutions. Most organizations utilize one or more platforms for their ongoing monitoring and reporting needs. There are many such solutions on the market, although most have some notable limitations, such as inability to monitor traffic above Layer 4. Alternatively, several traffic management vendors offer sophisticated Layer 7 monitoring and reporting capabilities in addition to their core traffic shaping technologies. Some even offer monitoring only versions of their products, where the traffic shaping features are software key disabled. These versions typically sell for much less than the full-featured products, and may provide an alternative to your current monitoring and reporting systems, thereby enhancing overall ROI for a traffic management solution. Furthermore, once the need to begin actively managing your traffic is validated, monitoring-only solutions can be easily field upgraded to full-functional traffic management platforms. Every seasoned executive understands that employees are the organization s most valuable assets, and that the primary responsibility of management is to align employee resources and actions behind the organization s key strategic goals. A consistent and unwavering focus on employee alignment generates synergy, leverage and focus the key ingredients to success. The organizational costs to achieve this focus are high and the ROI is impossible to calculate, yet the need for it is unquestioned. 14

20 In today s networked economy, where real-time results are demanded and reliance on the IT/network infrastructure is extraordinary, organizations are increasingly recognizing that their network resources deserve a similar focus. A focus on prioritizing, allocating and aligning critical resources in support of corporate goals and objectives. Traffic management technologies offer a simple yet effective method of imparting this intelligence to networks, so that a CRM or e-commerce transaction is given preferential treatment to an or FTP session. Thankfully, network managers are discovering that, unlike employee alignment, the cost of strategic network alignment is low and the ROI calculations are straightforward. The next two chapters will discuss network monitoring and reporting in more depth. Chapter Summary Enterprises would like to gain the benefits of converged WAN services while still maintaining the application response times that will suit users and make application deployments successful. To win on both counts, it is likely that some level of traffic management will be required. Enterprises can build a business case for traffic management by first estimating the cumulative savings from delayed bandwidth upgrades. The next step involves examining the high cost of network and application downtime to their organizations bottom lines, then monitoring the status of their networks to see if any core business applications are creating productivity losses during periods of congestion. Monitoring-only traffic management systems offer the dual benefits of providing this baseline business case data, and potentially replacing current or planned network monitoring platforms. The aggregate savings from implementing a traffic management solution are almost always a compelling business case with a rapid ROI for the organization. 15

21 16

22 Chapter 3 Network Monitoring Part I Successfully managing network and application performance requires certain information about your network. First, you must know the application and protocol mix present on your network and how the traffic associated with each is currently performing. For example: Is there congestion on the network? If so, is the congestion occurring at consistent periods during the day, week or month? What applications, protocols, servers and users are contributing to the congestion? At what utilization level is the network running, both on average and during the periods of peak congestion? Gaining this knowledge requires monitoring the network to gather usage statistics and then analyzing them via graphical reports from several perspectives. Many network managers are frequently surprised at the application traffic that has sneaked onto their networks. Armed with this information, you can logically determine how to manage it effectively. Multiple Monitoring Flavors There are many types of monitoring products, each designed to collect and analyze specific types of network information. Legacy monitors, for example, primarily monitor Layers 1 3. They generate reports on whether WAN service level agreements (SLAs) for network availability have been met, about performance levels for permanent virtual circuits (PVCs) in frame relay and ATM networks, and whether (and when) traffic is bursting above its Committed Information Rate (CIR). 17

23 Figure 1: Identification of Top Talkers Some of these products also identify top talkers the PCs, servers and users generating the highest volumes of network traffic based on IP or MAC address. These monitors provide useful reports for tracking network behavior patterns. If congestion is present regularly, or if overall bandwidth utilization levels are growing steadily, network managers know that they will need to take action soon to ensure that sufficient capacity remains available for all applications. A newer breed of monitoring products focuses on network Layers 4 7. Such products often identify applications by port number, given that many applications consistently use the same port number. Unlike the earlier category of products, these products are able to calculate response times on a per-application basis. Both types of products perform important functions, and each has its limitations. The lower-layer products can draw general conclusions about overall network traffic, but not about specific applications. The higherlevel devices can measure application response time, but are unable to correlate relationships between application performance degradation and network conditions. Neither types of monitoring can take dynamic action to improve application performance that is degrading. Deep Packet Inspection In today s converged-network environment, savvy organizations will use monitors that combine the functionality of the two product types described to inspect traffic at all seven OSI layers. The most useful 18

24 products will also have the ability to take real-time action to control application performance using integrated network classification and policy-enforcement capabilities. These seven-layer monitors provide a foundation of information upon which network policies can be built, and the key to the statistics-gathering capabilities of these products is deep packet inspection (DPI). Layer 2 Layer 3 Layer 4 Layer 7 Layer 7 Protocol (Frame Relay, ATM, Ethernet, etc.) Protocol (IP, IPX, SNA, etc.) Protocol (TCP, UDP, etc.) and Port No. Packet Header (identifies application type) Payload DPI provides the ability to accurately identify application types by looking inside the packet header when the port number alone is insufficient. This is particularly useful for applications using dynamic port numbers, such as Voice over IP (VoIP), HTTP-based applications, Citrix-based remote-access applications, and the Microsoft NetMeeting conferencing application. While HTTP consistently uses port 80, for example, a number of web applications and traffic types utilize HTTP. For such applications, a port number alone is insufficient for identifying specifically which HTTP applications are running. Both real-time and long-term monitoring should be used to fine-tune policies about network behavior. In both cases, DPI is necessary for understanding traffic behavior and patterns so that policies can be implemented for each traffic type. Figure 2: Examples of Real-Time and Long-Term Monitoring of Network Behavior 19

25 As explained in Chapter 2, to determine whether traffic management is required, it is best to start by monitoring the network for one to two weeks, after which it is possible to review the historical reports and analyze many aspects of your network traffic, including the following: The composition of your network traffic at all OSI layers Which applications consume the most resources, and which applications are bandwidth-constrained The impact of low-priority applications on core business applications Which servers and users are the top talkers Average utilization levels, including highest and lowest utilization periods The affect of congestion on critical business applications and user productivity The presence of non-sanctioned applications on the network The existence of recreational traffic which you want to limit or block, as well as the users responsible for this traffic Once you have collected and analyzed these statistics and more, you can apply policies to the traffic. Continuing to monitor and fine-tune network behavior helps ensure you have applied the appropriate policies to indeed optimize the performance of core business applications. This fine-tuning includes classifying traffic based on its relative importance to your business objectives. Traffic Classification Classification is a component of setting and enforcing network policies, which will be examined more closely in Chapters 5 and 6. The more types of application traffic that are running on your network and the more diverse your user base is, the more traffic classes you are likely to need. Classification involves an exercise in which you organize your applications into categories based on traits that you wish to group together. The classification can have multiple dimensions, such as SAP traffic generated by Server A in the Human Resources department. Depending on the diversity of your network traffic and requirements, you could set up anything from two to thousands of classes. A general traffic class, for example, might be all HTTP traffic. If you need to be more precise, you might stratify HTTP carrying text, HTTP carrying images/ video, HTTP carrying audio, HTTP going to Server A, HTTP going to Server B, all HTTP carrying text going to Server B and so forth. 20

26 The number of classes you might wish to establish can quickly multiply, depending on how closely you wish to control your traffic. Figure 3: Graphic Display of Classes for Control of Traffic Furthermore, as already mentioned, DPI will be needed to differentiate among all these traffic types running over HTTP. Once you have classified traffic, you can assign actions and attributes to those classes. These parameters will be discussed in more detail in Chapter 6. Chapter Summary Before you can successfully manage application performance across a network by setting network policies and classifying traffic, you must have a way to discover the various applications, protocols and users on the network, and evaluate how they are behaving. Consequently, the first step to successful management is monitoring these attributes using products that inspect network-layer behavior and conditions as well as specific application-performance levels and have the ability to correlate the two. This type of monitoring requires DPI to enable identification of applications that do not utilize fixed port assignments, or use fixed ports but carry different traffic types. Once you have discovered what is running on your network, you can classify traffic as to its priority during periods of congestion. 21

27 22

28 Chapter 4 Network Monitoring Part II We have learned that network monitoring is a critical first step in traffic management, but it does not stop there. Ongoing monitoring is necessary to ensure continued network optimization and application performance because your network and its supported applications are constantly changing. As mentioned in Chapter 3, monitoring at Layers 1 7 using deep packet inspection (DPI) enables network managers to always know exactly what traffic is traversing their networks and how it is behaving. By combining monitoring with classification and policy-based traffic shaping, it is also possible to take action to control the performance of certain traffic flows based on your organization s goals, priorities and corporate policies. A monitoring system without active traffic management features is like having a low fuel indicator on your automobile, but not being able to fill up the tank. Once you detect problems, you want a simple and straightforward way to address them. With active traffic management systems, you define what actions should be taken on specific traffic flows by assigning a policy to a particular classification of traffic or a particular network event. As explained in Chapter 3, traffic management policies can be few or many, simple or multidimensional. 23

29 Centralized Management Software Devices that perform seven-layer monitoring and traffic management usually reside at network points where high capacity links connect to lower capacity circuits. Examples include a 100 Mbps LAN connecting to a 1.5 Mbps T-1 Internet link, or a DS-3 access circuit connecting to a 256 Kbps Frame circuit. Units deployed in these natural congestion points continually communicate with associated management software. If the management application offers a centralized window into all the circuits being monitored for a comprehensive network view, a single individual or small group of individuals can tune and manage application performance from a central location, rather than having to be distributed out to the various network locations. Server-based management software that collects statistics from each monitoring/shaping device is often available with the purchase of the devices from the vendor. The server polls the various monitoring devices over the network to gather performance information. Generally, this network utilization data is stored in a centralized database (see Figure 1) and displayed on a management console in report form. It is important that this information be available in an intuitive graphical format that is easy and quick for the network manager to interpret, particularly when troubleshooting real-time performance issues on the network. Figure 1: Common Monitoring System Architecture 24

30 Real-Time Monitoring for Troubleshooting Monitoring the network in real time refers to gathering networks statistics and generating reports on network behavior in time intervals of seconds or minutes. This form of monitoring assists in troubleshooting immediate problems. For example, the user interface may display something like a topology tree of all network circuits, with color-coding to quickly identify the health of each network segment. A green circuit turning to yellow may indicate network congestion on the circuit. If the circuit s health degrades beyond a certain point, the condition may trigger an alarm (typically color-coded in red) which is passed to a network manager either on the network management console or forwarded to a pager, cell phone, or other device. Figure 2: Alarm Drill-Down Capabilities Once the alarm is seen, it is possible to quickly drill down on the problem circuit by viewing multiple layers of reports and graphs. In some cases, double-clicking or right-clicking on the screen icons will produce increasingly granular information. For instance, your first step might be to display a pie chart of top protocols in use on the problem circuit in order to identify irregularities. If this view reveals a very high proportion of HTTP-streaming activity, right-clicking on that pie slice could display 25

31 a bar chart of top clients and servers utilizing that protocol, along with the amount of bandwidth each is consuming. In this example, two simple mouse clicks transform a general alarm into the knowledge that 30 of your employees are using 25% of your bandwidth to watch a streaming video file on the CNN web site. Figure 3: Pie Chart of Top Protocols on Problem Circuit and Bar Chart of Top Clients and Servers Utilizing the Most Used Protocol Armed with this real-time information on applications, protocols and users, it is possible to quickly correct the problem if your monitoring system also offers active traffic management features. For example, by returning to the pie chart of top protocols, you could right-click on the HTTP-streaming pie slice and add a traffic management policy instructing your system to limit this traffic to 10% of total bandwidth, or to block it entirely. You could also start with line-level utilization to determine how much of a physical port is being utilized at the moment. If a port reaches 95% utilization, for example, this could cause congestion and performance degradation. Furthermore, it is possible to use reports to see if there is a permanent virtual circuit (PVC)-level problem on a frame relay or ATM link. If congestion is occurring at a head-end location, such as a data center WAN link, it is simple to drill down in your reporting system to determine if one PVC is heavily utilized or bursting beyond its committed information rate (CIR). The following are some of the types of reports that enable quick troubleshooting and performance management: Pie charts showing total protocol and application distribution of traffic currently on the network, which can then be used to more finely classify and manage that traffic. Event reports, which include details about specific network events. 26

32 These are a good starting point from which to drill down to discover the source of the problem and implement a policy to eliminate the problem. Trend reports that reveal a detailed, minute-by-minute view of fluctuations in network utilization. These will likely include average and peak usage values for each circuit. Response-time reports for tracking real-time and historical round-trip delay on all monitored circuits. Historical Reports for Planning Historical reporting generated on a daily, weekly or monthly basis is more useful for capacity planning and spotting longer term trends. In general, it is possible to select a time frame and filter the data used to create a report customized to what you wish to analyze. Using these reports, you should be able to see if you have the appropriate amount of bandwidth to each site or whether tuning the performance of the traffic on existing links would free up enough bandwidth that you can delay the cost of additional capacity. These reports are particularly useful if you want to verify that the servicelevel agreements (SLAs) for which you have contracted with your WAN service provider are being met each month. For example, reports should be able to both summarize and provide detailed views of your network service level, circuit by circuit. This information can be shown to your service provider to prove any breaches from a contracted SLA. Chapter Summary A high-quality seven-layer monitoring tool should also provide easy access to a wide variety of real-time and long-term reporting features. Real-time reports are invaluable in troubleshooting immediate network problems, while long-term reporting is best for analyzing network trends such as daily congestion conditions on a given circuit. Use of a full-stack (seven-layer) device is especially powerful, because it pinpoints issues down to individual sessions, applications, protocols, and users. The most useful and versatile systems also provide policy-based traffic management capabilities, since you will want to address the problems identified by your reports. Chapters 5 and 6 explore policy setting and enforcement in greater detail. 27

33 28

34 Chapter 5 Creating a Network Policy: Classification For many organizations, the biggest challenge in implementing a traffic management solution has more to do with the executive committee than the IT department. Before you install and configure such a strategic technology capable of aligning critical IT resources with corporate goals it is imperative that you establish your organization s policy framework before creating the policies you would like your system to enforce. Depending on your organization culture, size and type of business, determining the relative importance of your organization s various traffic types might require input from the IT department, as well as other departments and business units. Creating a general strategy regarding what is most important to your organization as a whole allows the IT department to then ensure that the network s behavior reflects those priorities. Increasingly, organizations are recognizing that traffic management technology can be a strategic weapon to their business, and may in fact hold the potential to offer a strategic advantage over their competitors. As corporations have sharpened their focus on core competencies and streamlined operations, the need for precise resource alignment has never been greater. To achieve this, all key resources must be focused on the organization s top strategic priorities. As shown in Figure 1 below, the 29

35 mission-critical nature of IT and networking means that strategic direction regarding resource alignments and traffic priorities originates in the boardroom. Figure 1: The Strategic Role of Traffic Management Systems Traffic management solutions provide a foolproof method of ensuring alignment between corporate strategy and IT/network resources For instance, a company whose top three strategic objectives are customer service, revenue growth, and improved e-commerce results, could easily use their traffic management system to their competitive and strategic advantage. For example, they could classify all CRM traffic into a customer service group, all Sales Force Automation (SFA) traffic into a revenue group, and all traffic to and from their e-commerce servers into an e-commerce group. By assigning each service group the highest possible priority on the network, the IT department s alignment with corporate goals is exceptional. Internal SLA Considerations To ensure that business goals are supported in the IT infrastructure, networking departments are increasingly required to strike service-level agreements (SLAs) with their internal customers. These internal SLAs might emerge because the IT department is viewed in a role similar to that of a third-party service provider within an organization, particularly if the IT department charges back internal departments or cost centers for networking services. An example would be a SLA to deliver high quality QoS on VoIP calls to an overseas subsidiary. 30

36 Additionally, internal SLAs might serve as a performance criterion for evaluating IT and networking staff. The bottom line if your organization utilizes internal SLAs in support of business goals or interdepartmental relationships, you should factor these considerations into your policy framework. Classifying Traffic Classifying traffic involves dividing traffic into categories or groups, each of which is deemed to have enough in common that all packet/session flows within the group should be treated in the same way. You can have two groups or 10,000 groups, depending on the complexity of your network, the size of your organization and the level of granularity you have incorporated into your policy framework. As described in previous chapters, most traffic management systems offer a monitoring-only mode, allowing the collection of vital usage information for your network. The data and reports from this monitoring phase will provide vital insight into statistics and trends that should form the technical foundation of your classification strategy. For example, if your most pressing issues exist at a given location, or are user-, application- or time-of-day-oriented, your framework should factor in these variables. Most systems offer a hierarchical approach to classification. The highest level might represent a physical or logical circuit (a pipe ) to which you wish to apply traffic management or QoS policies. For instance, a DS3 (45 Mbps) Internet link could be allocated such that your e-commerce data center receives 30 Mbps and your HQ employees share the other 15 Mbps. This separation might be achieved via IP address ranges or IP subnets. In such a scenario, each pipe can be managed as if it was a separate physical circuit. Within each pipe, you can further classify your traffic into logical service groups you wish to manage (see Table 1). Returning to our example, Customer Service, Revenue and E-commerce service groups would exist within either or both pipes, allowing you the flexibility to manage them separately, while still providing strong linkage to your corporate goals. 31

37 Data Center Traffic (30 Mbps) Subnet 1 E-commerce (high priority) HTTPS HTTP Oracle (high priority) (low priority) MS Exchange Lotus Notes FTP-business hours (low priority) FTP-after hours (high priority) All Other Traffic (low priority) HQ Traffic (15 Mbps) Subnet 2 Customer Service (Subnet 2a) (high priority) CRM HTTP Revenue (high priority) SFA VoIP (high priority) H.323 SIP (medium priority) MS Exchange Lotus Notes FTP-all hours (low priority) All Other Traffic (low priority) Table 1: A Hierarchical Approach to Traffic Classification You may also wish to take it one step further and classify traffic and assign policies uniquely with a service group, such as assigning one policy to your Lotus Notes sessions and a different policy for your MS Exchange traffic. Similarly, a service group called VoIP could contain both H.323 and SIP policies, so that each H.323 session by a HQ employee could potentially be handled differently from a SIP session. The logical structure of these traffic groupings will form the foundation for your traffic management framework, and will dictate how your network and application traffic will behave. Your approach should carefully consider the many options available to your traffic management 32

38 implementation, including setting policies based on: MAC or IP addresses, ranges of IP addresses which may represent a department, location or business unit application, subnets, VLANs, protocol, location, traffic direction (inbound vs. outbound) time of day, or groupings/combinations of all the above, and many other variables. User-Defined Traffic To help you establish policies for user-definable traffic sessions, or even applications developed in-house, most systems allow you the flexibility to easily add new entries to a service catalog. For instance, you may wish to give priority treatment to your executive team s Monday morning IP videoconference. This is easily accomplished by creating a new service called Monday Executive Conference, specifying each member s source IP address, selecting H.323 protocol (for instance), and indicating the timeframe for the call. Once the new service is defined, you are ready to create a traffic management policy to handle it appropriately. This is discussed in Chapter 6. Chapter Summary Establishing a policy framework for your traffic management system should be closely tied to your strategic corporate goals, and affords you the opportunity to align your IT and networking resources with those goals. Consequently, setting enterprise-wide network policies should be a joint effort between the executive staff, departments and business units, and the IT organization. Once your policy framework is defined, most systems make it easy to create service groups to help classify traffic based on variables such as application, user, server, time of day, and time of week. When you are comfortable that your traffic is being classified and grouped according to your objectives, policies can be created that direct your traffic management system on the proper handling of each traffic type. Together, classification and assigning actions to traffic classes form a network policy that will optimize your bandwidth utilization, application performance and business/it resource alignment. Assigning traffic management actions to traffic classes is discussed in Chapter 6. 33