© 2004 Cisco Systems, Inc. All rights reserved.

Cisco IOS IP SLA, Technical, 9/04 Cisco Internal Use Only

CISCO IOS IP SERVICE LEVEL AGREEMENTS: TECHNICAL OVERVIEW

TOM ZINGALE

INTERNET TECHNOLOGIES DIVISION

SEPTEMBER 2004

Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential

Cisco IOS IP Service Level Agreement: A New Direction

• Cisco solution that assures IP service levels, proactively verifies network operation, and accurately measures network performance

• Comprehensive hardware support

• Committed Cisco partner support

• Cisco IOS Software, the world's leading network infrastructure software

[Diagram: Cisco IOS Software spanning Access, Enterprise Premise Edge, Enterprise Backbone, Service Provider Aggregation Edge and Service Provider Core. Enterprise and Small/Medium Business: understand network performance and ease deployment, verify service levels, verify outsourced SLAs. Service Providers: measure and provide SLAs.]

The Need for IP-Based Service Levels

PROBLEM: 40% of companies delay launching new applications due to network performance concerns (2)
RESULT: Reduced business productivity

PROBLEM: 59% of companies simply add bandwidth to ensure application efficiency (2)
RESULT: Increased network costs

PROBLEM: 55% of companies only identify some of their network traffic (2)
RESULT: Reduced understanding of network behavior

PROBLEM: Cost of application downtime and degradation is $13,000 per minute for an ERP application (3)
RESULT: Lowered network performance can be costly

Sources: (1) 2003 Infonetics Research Study "Cost of Enterprise Downtime", www.infonetics.com/services/green.shtml?2004/service.provider.and.user.plans.shtml; (2) 2003 Network World Application Performance Market Study, www.nwfusion.com; (3) Forrester Research, www.forrester.com

Cisco IOS IP SLA Benefits

Measurements and metrics: proactive, automated intelligence, continuous, predictable, reliable

OPTIMIZED APPLICATIONS & SERVICES

• Performance visibility

• Prove service levels

• Enhance customer satisfaction

• Enhance acceptance of business-critical services

REDUCED TOTAL COST OF OWNERSHIP AND OpEx

• Reduce deployment time

• Lower mean time to restore and downtime

• Proactive identification of issues enforces higher reliability

Cisco IOS IP SLAs Life Cycle

1. Baseline network performance: verify network readiness for new services with Cisco IOS IP SLA capabilities; understand the network performance baseline

2. Assure application and service deployment: confidence to deploy new IP services and applications

3. Fine tune and optimize: ongoing measurements to understand behavior, with proactive notification

4. Quantify results: reduce deployment time; prove service and application differentiation; verify service levels; reduce network downtime; manage demand for the network

Example: Multi-Protocol Measurement and Management with Cisco IOS IP SLAs

Measurement metrics: latency, network jitter, distribution of statistics, connectivity, packet loss

Protocols: FTP, DNS, DHCP, TCP, jitter, ICMP, UDP, DLSw, HTTP, LDP, H.323, SIP, RTP, Radius, video

Applications: network performance monitoring, service level agreement (SLA) monitoring, network assessment, Multiprotocol Label Switching (MPLS) monitoring, VoIP monitoring, availability, troubleshooting

[Diagram: a source running Cisco IOS Software with IP SLA sends active, generated traffic with a defined packet size, spacing, COS and protocol to measure the network toward a destination, which is either an IP server or another Cisco IOS Software device running the IP SLA Responder; results are kept as MIB data on the source.]

Comprehensive Hardware Support

[Diagram: platforms arranged from Access through Enterprise & Aggregation/Edge to Core. Platforms shown: Cisco 800 Series; Cisco 1700/1800 Series; Cisco 2600/2800 Series; Cisco 3700/3800 Series; Cisco 2900, 3550 and 3750 Series; Cisco 7200 and 7300 Series; Cisco Catalyst 6500; Cisco 7600 Series; Cisco 10000 Series; Cisco 12000 Series. Software shown: Cisco IOS Software Releases 12.3T and 12.4; Cisco IOS Software Release 12.2S.]

SLA Verification and Management

• Access router may be managed or unmanaged

• Data typically provided by the service provider for the customer includes availability, QoS, and jitter SLAs

• Service provider needs visibility in the customer edge in order to commit to SLAs

• Enterprise will verify SP SLAs by using access router edge to edge measurements

  Enterprise may provide restricted Simple Network Management Protocol (SNMP) (RTT, latency, QoS) visibility into the access router for the service provider

  Service provider with restricted access can report SLA as a service back to the enterprise

Network Monitoring

• Cisco IOS IP SLA answers the following question: what is the jitter, latency, or packet loss between any two points in the network?

• IP services can be simulated by specifying various packet sizes, ports, class of service, packet spacing, and measurement frequencies

• Uni-directional and highly accurate measurements

• Measurements per class of service to validate service differentiation for data, voice, and video

• Cisco IOS IP SLA will identify an edge to edge network performance baseline and allow the user to understand trends and anomalies from the baseline

IP Network Readiness

• Network assessment tool built into Cisco IOS Software

• Simulate IP services and verify how well they will work in the network

• Verify how well QoS is working in the network before deployment

• Post-deployment continued verification of network performance per IP service

Availability Monitoring

• Cisco IOS IP SLA uses proactive monitoring for periodic, reliable, and continuous availability measurements

• Connectivity measurements from Cisco router to router or Cisco router to server

• Threshold notifications when an end point is not available

Example: what is the availability of a Network File System (NFS) server used to store business critical data from a remote site?

  A Cisco IOS IP SLA UDP active measurement to specific server ports is used to test remote site to server connectivity

  If the server is unavailable, traps can notify the network management system

Troubleshooting with Cisco IOS IP SLA

• Proactive notification of problems and issues based on threshold alerts

• Testing edge to edge consistently and reliably will save time in finding and pinpointing network performance problem areas

• Secondary activation of a path operation (e.g. path jitter), or activation of operations at a higher frequency, to isolate and verify problem areas in the network

Cisco IOS IP SLA Source and Responder

• Source Router

  Cisco IOS Software router that sends the data of an operation

  The target may or may not be a Cisco IOS Software device

  Some operations require the target to run the IP SLA Responder

  Stores results in the MIB

• Responder

  Responds to IP SLA packets at the destination

  User-defined UDP/TCP ports

  IP SLA Control Protocol

  MD5 authentication

  Accurate measurements

Responder

[Diagram: the Source Router sends a probe at T1; the Target Router, running the Responder, receives it at T2 and sends its reply at T3; the Source Router receives the reply at T4.]

The Responder takes two timestamps (T2 and T3), so the time the target spent on the packet is known:

Responder processing time = T3 - T2

• Responder factors out destination processing time, making results highly accurate: the reported round-trip time is (T4 - T1) - (T3 - T2)

• Responder allows for one-way measurements for latency, jitter, packet loss, and MOS

Cisco IOS IP SLAs Uses and Metrics

Data traffic*
  Requirement: minimize delay and packet loss; verify Quality of Service (QoS)
  IP SLA measurement: jitter, packet loss, latency, per QoS

VoIP*
  Requirement: minimize delay, packet loss, jitter
  IP SLA measurement: jitter, packet loss, latency, MOS voice quality score

Service level agreement*
  Requirement: measure delay, packet loss, jitter; one-way
  IP SLA measurement: jitter, packet loss, latency, one-way, enhanced accuracy, NTP

Availability*
  Requirement: connectivity testing
  IP SLA measurement: connectivity tests to IP devices

Streaming video**
  Requirement: minimize delay, packet loss
  IP SLA measurement: jitter, packet loss, latency

* Currently available   ** Limited availability in 9/04; complete in CY'05

Cisco IOS IP SLA Reaction Conditions

• Reaction trigger to events

  Can send SNMP traps for certain "triggering" events:

    Connection loss and timeout

    Round trip time threshold

    Average jitter threshold

    Unidirectional packet loss, latency, jitter, MOS scores

  Can trigger another IP SLA operation for further analysis

• Trigger types: immediate; consecutive; X of Y times; average exceeded

[Chart: measured value against time with marker lines at 100 ms and 50 ms, labelled Threshold Violation, Alert, No Alert and Resolution.]
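The reaction logic of this slide, as an added example that is not Cisco's code: it assumes the chart's two lines are an upper threshold (100 ms) that raises the alert and a lower threshold (50 ms) that clears it, and implements the four trigger types over a constructed RTT series; the class, the parameter names and the sample values are ours.

```python
from collections import deque


class ReactionMonitor:
    """Tracks one monitored value (e.g. RTT in ms) against an upper and a lower
    threshold.  Constructed model of the slide's chart: the alert is raised when
    the chosen trigger type fires above the upper threshold and cleared
    ('resolution') when the value, or the window average for the 'average'
    type, drops below the lower threshold; values in between change nothing
    (the 'No alert' band), which avoids alert flapping around one line."""

    TRIGGERS = ("immediate", "consecutive", "xofy", "average")

    def __init__(self, upper_ms=100, lower_ms=50, trigger="immediate", n=3, x=3, y=5):
        if trigger not in self.TRIGGERS:
            raise ValueError(f"unknown trigger type {trigger!r}")
        self.upper, self.lower, self.trigger = upper_ms, lower_ms, trigger
        self.n, self.x = n, x
        # Window of recent samples: n for consecutive/average, y for X-of-Y.
        self.window = deque(maxlen={"consecutive": n, "average": n, "xofy": y}.get(trigger, 1))
        self.alerted = False

    def _violated(self):
        over = [v > self.upper for v in self.window]
        if self.trigger == "immediate":          # any single sample over the line
            return over[-1]
        if self.trigger == "consecutive":        # n samples in a row over the line
            return len(over) == self.n and all(over)
        if self.trigger == "xofy":               # at least x of the last y samples
            return sum(over) >= self.x
        full = len(self.window) == self.n        # 'average' needs a full window
        return full and sum(self.window) / self.n > self.upper

    def _resolved(self, value):
        if self.trigger == "average":
            return len(self.window) == self.n and sum(self.window) / self.n < self.lower
        return value < self.lower

    def feed(self, value):
        """Consume one sample; return 'alert', 'resolution' or None."""
        self.window.append(value)
        if not self.alerted and self._violated():
            self.alerted = True
            return "alert"
        if self.alerted and self._resolved(value):
            self.alerted = False
            return "resolution"
        return None


def run(samples, **kwargs):
    """Events raised over a sample series, as (sample index, event) pairs."""
    monitor = ReactionMonitor(**kwargs)
    events = []
    for i, value in enumerate(samples):
        event = monitor.feed(value)
        if event:
            events.append((i, event))
    return events


# Constructed RTT series in ms: one spike, then a sustained violation, then recovery.
SAMPLE_RTTS = [30, 120, 60, 110, 130, 140, 70, 40, 20]

if __name__ == "__main__":
    for trigger in ReactionMonitor.TRIGGERS:
        print(f"{trigger:12s} {run(SAMPLE_RTTS, trigger=trigger)}")
```

The same series yields a different alert time per trigger type: immediate fires on the single 120 ms spike, consecutive and average wait for the sustained violation, and X-of-Y sits in between.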

Cisco IOS IP SLA Feature/Release Availability

[Feature-by-release matrix; the individual cells (marked X on the slide) cannot be recovered from the extraction. Releases listed: 11.2, 12.0(3)T, 12.0(5)T, 12.0(8)S, 12.1(1)T, 12.1E, 12.2, 12.2(2)T, 12.2(11)T (Infra2), 12.2(14)S, 12.2(25)S. Features listed: ICMP Echo, ICMP Echo Path, SSCP (SNA), UDP Echo, TCP Connect, UDP Jitter, HTTP, DNS, DHCP, DLSw+, UDP Jitter One Way Latency, FTP Get, MPLS/VPN Aware, Frame-Relay (CLI), ICMP Path Jitter, APM, SNMP Support, Availability.]

Cisco IOS IP SLA Partners

• Cisco network management solution

  Cisco IP Solution Center: MPLS VPN and SLA monitoring

  Internetworking Performance Monitor: enterprise performance measurements

• Third party products

Cisco IOS IP SLA Performance with Infrastructure 2: CPU Load by Hardware

• Jitter probe

• Versus Release 12.3(3)

• 2,000 active probes

CPU load by number of jitter operations (values as printed on the slide):

Ops/sec  Ops/min  Cisco 2600  Cisco 2620XM  Cisco 3640  Cisco 3725  Cisco 7200VXR NPE225
4        240      14          7             6           2           4
8        480      20          8             9           3           3
12       720      29          12            13          2           3
16       960      35          15            17          3           3
20       1200     41          19            22          2           3
24       1440     48          24            25          3           3
28       1680     56          27            28          3           3
32       1920     63          28            31          2           4
36       2160     67          31            35          2           3
40       2400     -           34            38          3           7
44       2640     -           38            43          4           8
48       2880     -           42            47          5           8
52       3120     -           46            49          5           10
56       3360     -           48            43          6           11
60       3600     -           52            58          6           11

Rows from 40 operations per second carry only four load values on the slide; placing the gap ("-") in the Cisco 2600 column is an assumption.

*Jitter operations are activated sequentially in this testing. Each operation sends 10 packets, 64 bytes each, with 20 ms spacing.

Cisco IOS IP SLA Performance, Infrastructure 2: CPU Load by Hardware

• Jitter probe

• Release 12.3(4)T6, IP Plus/Firewall/3DES

• 2,000 active probes

CPU load by number of jitter operations (values as printed on the slide):

Ops/sec  Ops/min  Cisco 831  Cisco 837  Cisco 1751
4        240      7          10         3
8        480      13         16         8
12       720      23         23         10
16       960      29         30         17
20       1200     33         34         22
24       1440     35         36         27
28       1680     41         41         29
32       1920     47         46         32
36       2160     52         50         35
40       2400     57         56         39
44       2640     62         62         43
48       2880     66         65         48
52       3120     72         68         53
56       3360     76         71         59
60       3600     81         75         62

Cisco IOS IP SLA VoIP Measurements Q1CY'05

[Diagram: Headquarters with a Data Center, a Call Manager cluster and a Gatekeeper; sales offices in Seattle, LA, San Jose, New York and Boston, plus Cleveland and Detroit; a Responder at a remote site. Measured delays: registration delay, discovery delay, and post dial delay (H.323 or SIP).]

Digital Signal Processor Based IP SLA Measurements (Q3CY'05)

[Diagram: call control, an IP server, a DSP and a Responder exchanging RTP IP SLA streams; the source reports Cisco IOS IP SLA RTP operation data.]

VoIP metrics

• VoIP active (test call) measurements using Real-time Transport Protocol (RTP) streams

• Voice quality scores and voice metrics from the Digital Signal Processor (DSP)

New IOS IP SLA CLI

• The new IOS IP SLA CLI releases Q1CY05 in 12.3(RLS6)T

• Phase 1 changes include new syntax for commands and new show commands

  New show commands: "show ip sla statistics" and "show ip sla statistics details"

  Older show commands will be deprecated over time and replaced with the new show commands

  The RTR keyword was changed to IP SLA Monitor in the CLI

  The new syntax is used in the presentation. The old syntax before 12.3(pi6)T is shown in the Appendix

OLD CLI

Router(config)#rtr 1
Router(config-rtr)#type echo protocol ipIcmpEcho 1.1.1.1
Router(config)#rtr schedule 1 start-time now

NEW CLI

Router(config)#ip sla monitor 1
Router(config-sla-monitor)#icmp-echo 1.1.1.1
Router(config)#ip sla monitor schedule 1 start-time now

New Cisco IOS IP SLA Show Commands Q1CY'05

• Jitter operation "show ip sla monitor statistics (details)"

Router#sh ip sla monitor statistics 15
Round trip time (RTT) Index 15
        Latest RTT: 1 ms
Latest operation start time: *05:43:28.720 UTC Fri May 28 2004
Latest operation return code: OK
RTT Values
        Number Of RTT: 10
        RTT Min/Avg/Max: 1/1/1 ms
Latency one-way time milliseconds
        Number of one-way Samples: 0
        Source to Destination one way Latency Min/Avg/Max: 0/0/0 ms
        Desination to source one way Latency Min/Avg/Max: 0/0/0 ms
Jitter time milliseconds
        Number of Jitter Samples: 9
        Source to Destination Jitter Min/Avg/Max: 20/20/23 ms
        Destination to Source Jitter Min/Avg/Max: 0/0/0 ms
Packet Loss Values
        Loss Source to Destination: 0   Loss Destination to Source: 0
        Out Of Sequence: 0      Tail Drop: 0    Packet Late Arrival: 0
Number of successes: 1
Number of failures: 0
Operation time to live: 3567 sec

New Cisco IOS IP SLA Show Commands Q1CY'05

• Jitter operation "show ip sla monitor statistics details"

Round trip time (RTT) Index 2004
        Latest RTT: 1 ms
Latest operation start time: *08:41:09.937 PST Wed Oct 6 2004
Latest operation return code: OK
Over thresholds occurred: FALSE
RTT Values
        Number Of RTT: 10
        RTT Min/Avg/Max: 1/1/1 ms
Latency one-way time:
        Number of Latency one-way Samples: 0
        Source to Destination Latency one way Min/Avg/Max: 0/0/0 ms
        Destination to Source Latency one way Min/Avg/Max: 0/0/0 ms
        Source to Destination Latency one way Sum/Sum2: 0/0
        Destination to Source Latency one way Sum/Sum2: 0/0
Jitter time:
        Number of Jitter Samples: 9
        Source to Destination Jitter Min/Avg/Max: 0/0/0 ms
        Destination to Source Jitter Min/Avg/Max: 0/0/0 ms
        Source to destination positive jitter Min/Avg/Max: 0/0/0 ms
        Source to destination positive jitter Number/Sum/Sum2: 0/0/0
        Source to destination negative jitter Min/Avg/Max: 0/0/0 ms
        Source to destination negative jitter Number/Sum/Sum2: 0/0/0
        Destination to Source positive jitter Min/Avg/Max: 0/0/0 ms
        Destination to Source positive jitter Number/Sum/Sum2: 0/0/0
        Destination to Source negative jitter Min/Avg/Max: 0/0/0 ms
        Destination to Source negative jitter Number/Sum/Sum2: 0/0/0
        Interarrival jitterout: 0       Interarrival jitterin: 0
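How the Responder's four timestamps (T1..T4 on the Responder slide) turn into the RTT, one-way latency, jitter and loss counters printed by the two show outputs above, as an added example in Python (not Cisco code). It assumes synchronised clocks for the one-way latencies (the NTP item of the uses-and-metrics slide), that a jitter pair straddling a lost packet is skipped, and that the negative-jitter counters hold magnitudes; the probe timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Probe:
    """One packet of a UDP jitter operation, times in ms (constructed data).
    t1 = source sends, t2 = responder receives, t3 = responder replies,
    t4 = source receives the reply.  None means the packet was lost on that leg."""
    seq: int
    t1: float
    t2: Optional[float] = None
    t3: Optional[float] = None
    t4: Optional[float] = None


def rtt(p: Probe) -> Optional[float]:
    """Round-trip time with the responder's processing time (T3 - T2) factored out."""
    if p.t2 is None or p.t4 is None:
        return None
    return (p.t4 - p.t1) - (p.t3 - p.t2)


def _summary(vals):
    """Count and Min/Avg/Max, as the show output prints them (zeros when empty)."""
    if not vals:
        return {"count": 0, "min": 0, "avg": 0, "max": 0}
    return {"count": len(vals), "min": min(vals), "avg": sum(vals) / len(vals), "max": max(vals)}


def _num_sum_sum2(vals):
    """The Number/Sum/Sum2 triple of the 'details' output."""
    return {"number": len(vals), "sum": sum(vals), "sum2": sum(v * v for v in vals)}


def _jitter_samples(pkts, sent, recv):
    """Signed jitter between consecutive packets on one leg:
    (recv_i - recv_i-1) - (sent_i - sent_i-1).  Pairs that straddle a lost
    packet are skipped (assumption about how the gap is treated)."""
    out = []
    for prev, cur in zip(pkts, pkts[1:]):
        if cur.seq == prev.seq + 1:
            out.append((recv(cur) - recv(prev)) - (sent(cur) - sent(prev)))
    return out


def jitter_stats(probes):
    """Build the counters that 'show ip sla monitor statistics details' prints."""
    probes = sorted(probes, key=lambda p: p.seq)
    sd_ok = [p for p in probes if p.t2 is not None]       # reached the responder
    ds_ok = [p for p in sd_ok if p.t4 is not None]        # reply reached the source
    sd_jit = _jitter_samples(sd_ok, lambda p: p.t1, lambda p: p.t2)
    ds_jit = _jitter_samples(ds_ok, lambda p: p.t3, lambda p: p.t4)
    return {
        "rtt": _summary([r for r in map(rtt, probes) if r is not None]),
        "latency_sd": _summary([p.t2 - p.t1 for p in sd_ok]),   # needs synced clocks
        "latency_ds": _summary([p.t4 - p.t3 for p in ds_ok]),
        "jitter_sd": _summary([abs(j) for j in sd_jit]),
        "jitter_ds": _summary([abs(j) for j in ds_jit]),
        "jitter_sd_positive": _num_sum_sum2([j for j in sd_jit if j > 0]),
        "jitter_sd_negative": _num_sum_sum2([-j for j in sd_jit if j < 0]),
        "jitter_ds_positive": _num_sum_sum2([j for j in ds_jit if j > 0]),
        "jitter_ds_negative": _num_sum_sum2([-j for j in ds_jit if j < 0]),
        "loss_sd": len(probes) - len(sd_ok),
        "loss_ds": len(sd_ok) - len(ds_ok),
        "out_of_sequence": sum(1 for a, b in zip(sd_ok, sd_ok[1:]) if b.t2 < a.t2),
    }


# Constructed sample: 10 packets sent 20 ms apart; packet 4 is lost towards the
# responder, packet 5's reply is lost on the way back.
SAMPLE_PROBES = [
    Probe(1, 0, 5, 6, 11), Probe(2, 20, 27, 28, 33), Probe(3, 40, 44, 45, 52),
    Probe(4, 60), Probe(5, 80, 85, 86), Probe(6, 100, 105, 106, 111),
    Probe(7, 120, 126, 127, 132), Probe(8, 140, 145, 146, 151),
    Probe(9, 160, 165, 166, 171), Probe(10, 180, 185, 186, 191),
]

if __name__ == "__main__":
    for name, value in jitter_stats(SAMPLE_PROBES).items():
        print(f"{name}: {value}")
```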

Cisco IOS IP SLA Multiple Operations Scheduling (Release 12.3(8)T)

• Schedule multiple operations in one command

• Scalable and sequential activation of IP SLA operations (if the frequency is not specified, the default frequency will be the same as that of the schedule period)

  Reduced load on the network

  Consistent monitoring coverage

Router(config)#ip sla monitor 1
Router(config-sla-monitor)#type echo protocol ipIcmpEcho 1.1.1.1
Router(config)#ip sla monitor 2
Router(config-sla-monitor)#type echo protocol ipIcmpEcho 2.2.2.2
Router(config)#ip sla monitor 3
Router(config-sla-monitor)#type echo protocol ipIcmpEcho 3.3.3.3
Router(config)#ip sla monitor group schedule 1 1-3 sch 20 start now
Router#show ip sla monitor group schedule

Cisco IOS IP SLA Random Scheduler Enhancement

• Release 12.4(Rls1)T will introduce the following functionality:

  Randomness for the group scheduler during the schedule period

  Randomness for the frequency of the operations that are started by the random group scheduler

Cisco IOS IP SLA Accuracy Feature

• High performance and high accuracy measurements

• Precision of 0.1 ms, up from the current 1 ms

• Improve Cisco IOS IP SLA accuracy under forwarding load and for dedicated routers

• Release 12.3(RLS6)T will introduce this functionality in Q1CY'05

Cisco IOS IP Service Level Agreement Roadmap

Feature | Release | Target Date

Release 12.3T Features
MOS and ICPIF Scores | 12.3(4)T | November 2003
One way latency, jitter, packet loss and MOS traps | 12.3(7)T | March 2003
Multi-Operation Scheduler (ease of scheduling) | 12.3(8)T | June 2003
Post Dial and Gatekeeper Delays with SIP and H323 | 12.3(pi-6)T | Q1CY'05
High accuracy enhancement | 12.3(pi-6)T | Q1CY'05
Ease of use CLI | 12.3(pi-6)T | Q1CY'05

Release 12.4T Features
Ease of use CLI Phase 2 | 12.4(pi-1)T | Q2CY'05
Random scheduler for operations | 12.4(pi-1)T | Q2CY'05
Voice gateway integration: VoIP measurement using DSP | 12.4(pi-2)T | Q3CY'05
Ease of use CLI Phase 3 | 12.4(pi-2)T | Q3CY'05
Video operation | 12.4(pi-2)T | Q3CY'05
Radius response operation | 12.4(pi-2)T | Q3CY'05

Release 12.2S Features
IP SLA: Auto MPLS VPN Monitoring | 12.2(Rls6)S | Q1CY'05
IP SLA: Auto MPLS VPN Monitoring with ECMP | 12.2(Rls7)S | Q3CY'05
IP SLA: Auto MPLS Monitoring with VCCV | 12.2(Rls8)S | Radar
IP SLA: Auto MPLS Monitoring with BFD | 12.2(Rls8)S | Radar

Radar (no committed release or date)
IP SLA Multicast | Radar | Radar
Auto IP SLA Monitoring | Radar | Radar
IP SLA with DMVPN | Radar | Radar
ICMP Jitter | Radar | Radar
IP SLA High Availability | Radar | Radar
Embedded Event Manager (EEM) Detector | Radar | Radar

NetFlow

Enable NetFlow

[Diagram: traffic packets enter an interface with NetFlow enabled; flow records reach either the traditional NetFlow export path to a collector and GUI, or an SNMP poller through the new SNMP MIB.]

Flow is defined by seven unique keys:

• Source IP address

• Destination IP address

• Source port

• Destination port

• Layer 3 protocol type

• TOS byte (DSCP)

• Input logical interface (ifIndex)

(Slide taken from Cisco IOS NetFlow Overview, 2/04)

NetFlow Cache Example

1. Create and update flows in the NetFlow cache

SrcIf SrcIPadd DstIf DstIPadd Protocol TOS Flgs Pkts SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop Bytes/Pkt Active Idle
Fa1/0 173.100.21.2 Fa0/0 10.0.227.12 11 80 10 11000 00A2 /24 5 00A2 /24 15 10.0.23.2 1528 1745 4
Fa1/0 173.100.3.2 Fa0/0 10.0.227.12 6 40 0 2491 15 /26 196 15 /24 15 10.0.23.2 740 41.5 1
Fa1/0 173.100.20.2 Fa0/0 10.0.227.12 11 80 10 10000 00A1 /24 180 00A1 /24 15 10.0.23.2 1428 1145.5 3
Fa1/0 173.100.6.2 Fa0/0 10.0.227.12 6 40 0 2210 19 /30 180 19 /24 15 10.0.23.2 1040 24.5 14

2. Expiration, when one of the following occurs:

• Inactive timer expired (15 sec is default)

• Active timer expired (30 min (1800 sec) is default)

• NetFlow cache is full (oldest flows are expired)

• RST or FIN TCP flag

Expired flow (its active timer has reached 1800 sec):
Fa1/0 173.100.21.2 Fa0/0 10.0.227.12 11 80 10 11000 00A2 /24 5 00A2 /24 15 10.0.23.2 1528 1800 4

3. Aggregation? Yes: aggregated flows, export version 8 or 9. No: non-aggregated flows, export version 5 or 9.

e.g. with the Protocol-Port aggregation scheme the expired flow becomes:
Protocol Pkts SrcPort DstPort Bytes/Pkt
11 11000 00A2 00A2 1528

4. Export version

5. Transport protocol: the export packet consists of a header and a payload (flows)

Principal NetFlow Benefits

Enterprise

• Internet access monitoring (protocol distribution, where traffic is going/coming)

• User monitoring

• Application monitoring

• Charge back billing for departments

• Security monitoring

Service Provider

• Peering arrangements

• Network planning

• Traffic engineering

• Accounting and billing

• Security monitoring

Tracking Users

• Who are the top users?

• How long are the users on the network?

• What Internet sites do they use?

• Where do the users go on the network?

• What percentage of traffic do they use?

• What applications do they use?

• What are the user usage patterns?

NetFlow for Security: Flow Information Helps Mitigate Attacks

• Identify the attack

  Count the flows

  Inactive flows signal a worm attack

• Classify the attack

  Small size flows to the same destination

  What is being attacked and the origination of the attack

• Key Partners: Arbor Networks, Protego, NetQoS, Adlex
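The cache life cycle of the NetFlow Cache Example slide (create/update on the seven keys, expiration by inactive timer, active timer, cache full and TCP FIN/RST, then protocol-port aggregation) together with the flow-counting heuristic of this security slide, as an added example in Python. It is not Cisco's implementation: the class and function names, the traffic, the cache size and the thresholds in small_flow_sources are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15        # seconds; IOS default given on the slide
ACTIVE_TIMEOUT = 1800        # 30 minutes; IOS default given on the slide
TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04


@dataclass(frozen=True)
class FlowKey:
    """The seven keys that define a flow."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int      # layer 3 protocol number: 6 = TCP, 17 = UDP
    tos: int        # TOS byte (DSCP)
    in_if: int      # input logical interface (ifIndex)


@dataclass
class Flow:
    key: FlowKey
    first: float    # time of the first packet (seconds)
    last: float     # time of the most recent packet
    packets: int = 0
    octets: int = 0
    flags: int = 0  # OR of the TCP flags seen
    reason: str = ""   # why the flow left the cache (set on expiration)


class NetFlowCache:
    def __init__(self, max_entries=64):
        self.max_entries = max_entries
        self.active = {}       # FlowKey -> Flow
        self.expired = []      # flows handed to the export path, in expiry order

    def _expire(self, key, reason):
        flow = self.active.pop(key)
        flow.reason = reason
        self.expired.append(flow)

    def update(self, ts, key, length, tcp_flags=0):
        """Step 1: create or update the flow a packet belongs to."""
        flow = self.active.get(key)
        if flow is None:
            if len(self.active) >= self.max_entries:      # cache full: expire oldest
                oldest = min(self.active, key=lambda k: self.active[k].last)
                self._expire(oldest, "cache-full")
            flow = Flow(key, first=ts, last=ts)
            self.active[key] = flow
        flow.packets += 1
        flow.octets += length
        flow.last = ts
        flow.flags |= tcp_flags
        if key.proto == 6 and tcp_flags & (TCP_FIN | TCP_RST):
            self._expire(key, "tcp-fin-rst")              # connection is over

    def age(self, now):
        """Step 2: expire flows whose inactive or active timer has run out."""
        for key, flow in list(self.active.items()):
            if now - flow.last >= INACTIVE_TIMEOUT:
                self._expire(key, "inactive")
            elif now - flow.first >= ACTIVE_TIMEOUT:
                self._expire(key, "active")


def aggregate_protocol_port(flows):
    """Step 3: the protocol-port aggregation scheme (one of the version 8 schemes)."""
    agg = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0})
    for f in flows:
        a = agg[(f.key.proto, f.key.src_port, f.key.dst_port)]
        a["flows"] += 1
        a["packets"] += f.packets
        a["octets"] += f.octets
    return dict(agg)


def small_flow_sources(flows, max_packets=2, min_flows=4):
    """Sources behind many tiny flows: the 'count the flows / small size flows'
    heuristic of the security slide (simple interpretation; thresholds are ours)."""
    counts = defaultdict(int)
    for f in flows:
        if f.packets <= max_packets:
            counts[f.key.src_ip] += 1
    return sorted(src for src, n in counts.items() if n >= min_flows)


def demo():
    """Constructed traffic: a web session, a DNS query, and one host sending a
    single SYN to each of four neighbouring addresses."""
    def key(src, dst, sp, dp, proto):
        return FlowKey(src, dst, sp, dp, proto, 0, 1)
    web = key("10.1.1.5", "10.0.227.12", 40000, 80, 6)
    dns = key("10.1.1.7", "10.0.227.12", 5000, 53, 17)
    cache = NetFlowCache()
    cache.update(0.0, web, 60, TCP_SYN)
    cache.update(0.5, dns, 80)
    cache.update(1.0, web, 100)
    cache.update(2.0, web, 52, TCP_FIN)       # FIN: the web flow is expired at once
    for i in range(4):
        cache.update(3.0 + i, key("10.1.1.9", f"10.0.227.{10 + i}", 1000, 445, 6), 40, TCP_SYN)
    cache.age(now=25.0)                        # every remaining flow idle for more than 15 s
    return cache
```

After demo() the cache is empty, the expired list holds the web flow (FIN), the DNS flow and the four one-packet flows (inactive timer), and only the sweeping host passes the small-flow threshold.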

Capacity Planning

• Capacity planning is the process of determining the network resources required to prevent a performance or availability impact on business-critical applications

• Key areas to monitor

  Application usage: identify which applications consume bandwidth

  Who are the top ten nodes that consume bandwidth?

• Output data circuit forecasts

• Current network utilization and capacity being used

Billing

• IP accounting and billing

• Usage-based billing considerations: time of day; within or outside of the network; application; distance-based; Quality of Service (QoS) / Class of Service (CoS); bandwidth usage; transit or peer; data transferred; traffic class

How Cisco IT uses NetFlow

• Characterize IP traffic and account for how and where it flows

  Total avoidance of the SQL Slammer worm

  Transition from managed DSL service to Internet VPN

  Detection of unauthorized WAN traffic

  Reduction in peak WAN traffic

  Validation of QoS parameters and BW allocation

  Analysis of VPN traffic and tele-commuter behavior

  Calculating total cost of ownership for applications

Use of NetFlow, with NMS and usage:

  Security monitoring: network traffic analysis by application with BGP; anomaly detection with Arbor Networks

  WAN aggregation and edge: network traffic analysis by application, for capacity planning using NetQoS

  Core routers and NAT gateway: collection of historical data, useful for forensics and diagnostics with Flow Tools

Comprehensive Hardware Support (figure)

Access: Cisco 800, 1700, 2600 and 3700 Series; Cisco IOS Software Releases 12.3T & 12.4

Enterprise & Aggregation/Edge: Cisco 7200/7300 Series, Cisco Catalyst 6500 and Cisco 7600 Series, Cisco 4500 Series (ASIC); Cisco IOS Software Release 12.2S

Core: Cisco 10000 Series (ASIC), Cisco 12000 Series (ASIC); Cisco IOS Software Release 12.0S

Page 40

NetFlow Versions

Cisco Catalyst 6500 Series Switch will support versions 5 & 8 in Cisco IOS Software Release 12.1(13)E

NetFlow Version   Comments

1   Original

5   Standard and most common

7   Specific to Cisco Catalyst 6500 and 7600 Series Switches. Similar to Version 5, but does not include AS, interface, TCP flag & ToS information

8   Choice of eleven aggregation schemes; reduces resource usage

9   Flexible, extensible export format to enable easier support of additional fields & technologies; coming out now: MPLS, Multicast, & BGP Next Hop

Page 41

Version 5 - Flow Export Format

Version 5 is used extensively today. The flow information it exports, grouped by what it tells you:

Usage: Packet Count, Byte Count

QoS: Type of Service, TCP Flags, Protocol

Time of Day: Start sysUpTime, End sysUpTime

Application: Source TCP/UDP Port, Destination TCP/UDP Port

Port Utilization: Input ifIndex, Output ifIndex

From/To: Source IP Address, Destination IP Address

Routing and Peering: Next Hop Address, Source AS Number, Dest. AS Number, Source Prefix Mask, Dest. Prefix Mask
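The fields above are carried in a fixed binary layout: a 24-byte header (version, record count, sysUpTime, UNIX time, flow sequence number, engine type/ID, sampling mode and interval) followed by up to thirty 48-byte records. The following parser is an added example written for this page, not code from the Cisco deck; it decodes that layout, refuses datagrams whose record count disagrees with their length (a collector that trusts the count field reads past its buffer), and uses the flow sequence counter, which counts flows rather than datagrams, to detect export datagrams lost in transit. The exporter address, engine ID and the two sample datagrams are constructed for the example.

```python
"""NetFlow v5 export datagram parser with export-loss detection.

Added example for this page; not code from the Cisco deck. The layout
follows the v5 export format listed above (24-byte header, 48-byte flow
records). The datagrams at the bottom are constructed samples.
"""
import struct
from ipaddress import IPv4Address

# Header: version, count, sysUpTime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling (2-bit mode + 14-bit interval)
HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
MAX_RECORDS = 30                                     # v5 exporters send at most 30 per datagram


def parse_v5(datagram: bytes) -> dict:
    """Return header fields and decoded flow records, refusing malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    (version, count, sysuptime, unix_secs, _nsecs, flow_seq,
     _engine_type, engine_id, sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a v5 datagram (version={version})")
    if count > MAX_RECORDS or len(datagram) != HEADER.size + count * RECORD.size:
        # Never let the count field, not the real length, drive the loop below.
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "nexthop": str(IPv4Address(f[2])), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "bytes": f[6], "first": f[7], "last": f[8],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
            "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return {"count": count, "sysuptime": sysuptime, "unix_secs": unix_secs,
            "flow_sequence": flow_seq, "engine_id": engine_id,
            "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
            "records": records}


class SequenceTracker:
    """Track flow_sequence per exporter. v5 counts flows, not datagrams, so the
    next datagram should start at previous flow_sequence + previous count.
    A gap means export datagrams were lost (UDP export has no retransmission),
    so the collector's view of that interval is incomplete."""

    def __init__(self):
        self.expected = {}   # (exporter, engine_id) -> next expected flow_sequence

    def observe(self, exporter: str, parsed: dict) -> int:
        key = (exporter, parsed["engine_id"])
        seq, count = parsed["flow_sequence"], parsed["count"]
        lost = 0
        if key in self.expected:
            lost = (seq - self.expected[key]) & 0xFFFFFFFF   # counter wraps at 2^32
        self.expected[key] = (seq + count) & 0xFFFFFFFF
        return lost


def rejects(datagram: bytes) -> bool:
    """True if parse_v5 refuses the datagram (exercises the length guard)."""
    try:
        parse_v5(datagram)
    except ValueError:
        return True
    return False


# --- constructed sample data (not captured traffic) ---------------------------
def make_record(src, dst, sport, dport, proto, packets, nbytes, flags=0):
    return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                       IPv4Address("10.0.0.254").packed, 1, 2, packets, nbytes,
                       1000, 2000, sport, dport, 0, flags, proto, 0,
                       64512, 64513, 24, 24, 0)


def make_datagram(flow_seq, records, sampling=0):
    return HEADER.pack(5, len(records), 123456, 1094000000, 0, flow_seq,
                       0, 0, sampling) + b"".join(records)


DATAGRAM_1 = make_datagram(100, [
    make_record("10.1.1.5", "192.0.2.10", 40000, 1434, 17, 1, 404),
    make_record("10.1.1.7", "192.0.2.20", 40001, 80, 6, 12, 9000, 0x1b),
])
# The exporter's counter says 105: flows 102-104 were in a datagram never received.
DATAGRAM_2 = make_datagram(105, [
    make_record("10.1.1.5", "192.0.2.11", 40000, 1434, 17, 1, 404),
])


def lost_between_samples() -> int:
    tracker = SequenceTracker()
    tracker.observe("10.0.0.1", parse_v5(DATAGRAM_1))
    return tracker.observe("10.0.0.1", parse_v5(DATAGRAM_2))
```

The sequence gap is the check worth wiring into a collector: a v5 export stream is plain UDP with no authentication, so a silent gap is either loss on a congested link or something between exporter and collector, and either way the forensic record for that interval has holes.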

Page 42

Why a New Version 9?

• Fixed export formats are not flexible and adaptable

• With each new version Cisco creates new export fields

• Partners need to re-engineer for each new version

Solution: Build a flexible and extensible export format called version 9!

Page 43

NetFlow v9 Export Packet

Packet layout (figure): a Packet Header (version, # packets, sequence #, Source ID), followed by a Template FlowSet holding Template Records (Template ID #1, Template ID #2: the specific field types and lengths), Data FlowSets (FlowSet ID #1 carrying Data Records with field values for flows from Interface A; FlowSet ID #2 carrying Data Records for flows from Interface B), and optionally an Option Template FlowSet with its Option Data FlowSet of Option Data Records (field values).

• Matching ID numbers are the way to associate a Template with its Data Records

• The Header keeps the version and count fields first, as in prior NetFlow versions, so Collectors can identify the version before parsing the rest

• Each Data Record represents one flow

• If exported flows have the same fields, they can be described by the same Template Record (e.g., unicast records can be combined with multicast records)

• If exported flows have different fields, they cannot share a Template Record (e.g., BGP next-hop records cannot be combined with MPLS Aware NetFlow records)

• To support technologies such as MPLS or Multicast, this export format can be leveraged to easily insert new fields
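What the template mechanism means for a collector is easiest to see in code. The decoder below is an added example written for this page, not code from the Cisco deck: it learns Template Records from FlowSet ID 0, keys them by the exporter's Source ID plus Template ID, and decodes Data FlowSets (ID 256 and above) only when a matching template is known. Data records that arrive before their template cannot be decoded, which is why exporters resend templates periodically and collectors must not treat an early data FlowSet as an error. Field type numbers follow the v9 field-type table (1 IN_BYTES, 2 IN_PKTS, 4 PROTOCOL, 7 L4_SRC_PORT, 8 IPV4_SRC_ADDR, 11 L4_DST_PORT, 12 IPV4_DST_ADDR); the Source IDs, template ID and sample datagrams are constructed.

```python
"""NetFlow v9 template-driven decoder.

Added example for this page, not code from the Cisco deck. Implements the
Template/Data FlowSet matching described above. All datagrams are constructed.
"""
import struct
from ipaddress import IPv4Address

# Packet header: version, count, sysUpTime, unix_secs, package sequence, Source ID
V9_HEADER = struct.Struct("!HHIIII")          # 20 bytes
FLOWSET_HDR = struct.Struct("!HH")            # FlowSet ID, length (including this header)
TEMPLATE_FLOWSET_ID, OPTIONS_TEMPLATE_FLOWSET_ID = 0, 1
FIELD_NAMES = {1: "bytes", 2: "packets", 4: "proto", 7: "sport", 8: "src",
               11: "dport", 12: "dst"}
ADDRESS_FIELDS = {8, 12}


class V9Collector:
    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(field_type, length), ...]
        self.unresolved = 0   # data FlowSets that arrived before their template

    def feed(self, datagram: bytes) -> list:
        """Decode one export datagram; returns the flow records it could resolve."""
        if len(datagram) < V9_HEADER.size:
            raise ValueError("datagram shorter than v9 header")
        version, _count, _uptime, _secs, _seq, source_id = V9_HEADER.unpack_from(datagram, 0)
        if version != 9:
            raise ValueError(f"not a v9 datagram (version={version})")
        flows, off = [], V9_HEADER.size
        while off + FLOWSET_HDR.size <= len(datagram):
            fs_id, fs_len = FLOWSET_HDR.unpack_from(datagram, off)
            if fs_len < FLOWSET_HDR.size or off + fs_len > len(datagram):
                raise ValueError("FlowSet length runs past the datagram")  # never trust the length field
            body = datagram[off + FLOWSET_HDR.size: off + fs_len]
            if fs_id == TEMPLATE_FLOWSET_ID:
                self._learn_templates(source_id, body)
            elif fs_id == OPTIONS_TEMPLATE_FLOWSET_ID:
                pass   # options describe the exporter (e.g. sampling), not flows; skipped here
            elif fs_id >= 256:
                flows.extend(self._decode_data(source_id, fs_id, body))
            off += fs_len
        return flows

    def _learn_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):            # leftover bytes (< 4) are padding
            tid, nfields = struct.unpack_from("!HH", body, off)
            off += 4
            if off + 4 * nfields > len(body):
                raise ValueError("truncated template record")
            fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields   # templates are scoped per Source ID

    def _decode_data(self, source_id, tid, body):
        template = self.templates.get((source_id, tid))
        if template is None:
            self.unresolved += 1   # a real collector buffers or drops these until the template arrives
            return []
        rec_len = sum(length for _, length in template)
        if rec_len == 0:
            return []
        records, off = [], 0
        while off + rec_len <= len(body):      # trailing bytes are 32-bit padding
            rec = {}
            for ftype, flen in template:
                raw = body[off:off + flen]
                off += flen
                name = FIELD_NAMES.get(ftype, f"field{ftype}")
                rec[name] = (str(IPv4Address(raw)) if ftype in ADDRESS_FIELDS and flen == 4
                             else int.from_bytes(raw, "big"))
            records.append(rec)
        return records


# --- constructed samples (not captured traffic) --------------------------------
TEMPLATE_ID = 256
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]   # 21-byte records


def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return FLOWSET_HDR.pack(TEMPLATE_FLOWSET_ID, FLOWSET_HDR.size + len(body)) + body


def data_flowset(tid, records):
    body = b"".join(records)
    pad = (-len(body)) % 4                     # FlowSets are padded to a 32-bit boundary
    return FLOWSET_HDR.pack(tid, FLOWSET_HDR.size + len(body) + pad) + body + b"\0" * pad


def record(src, dst, sport, dport, proto, packets, nbytes):
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!HHBII", sport, dport, proto, packets, nbytes)


def datagram(seq, source_id, flowsets, nrecords):
    return V9_HEADER.pack(9, nrecords, 5000, 1094000000, seq, source_id) + b"".join(flowsets)


RECORDS = [record("10.0.0.1", "192.0.2.10", 40000, 1434, 17, 1, 404),
           record("10.0.0.2", "192.0.2.20", 40001, 443, 6, 30, 21000)]
DATA_ONLY = datagram(1, 7, [data_flowset(TEMPLATE_ID, RECORDS)], 2)
WITH_TEMPLATE = datagram(2, 7, [template_flowset(TEMPLATE_ID, TEMPLATE),
                                data_flowset(TEMPLATE_ID, RECORDS)], 3)
```

Feeding DATA_ONLY first yields nothing and bumps the unresolved counter; feeding WITH_TEMPLATE yields two flows, after which DATA_ONLY decodes too. Because the template cache is keyed by Source ID, the same Template ID from a different exporter is unknown until that exporter sends its own template, which is exactly the behaviour that keeps one exporter's layout from being applied to another's bytes.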

Page 44

NetFlow v9 and IETF

• Internet Protocol Flow Information eXport (IPFIX) is an IETF Working Group

www.ietf.org/html.charters/ipfix-charter.html

• NetFlow version 9 is the basis for the standard in the IETF (NetFlow v9 itself is documented in the informational RFC 3954)

• Standards Track NetFlow version 9: http://www.ietf.org/internet-drafts/draft-ietf-ipfix-protocol-05.txt

Page 45

IETF: Packet SAMPling WG (PSAMP)

• PSAMP web site for the charter, email archive, drafts, etc.: psamp.ccrle.nec.de/

• Agreed to use IPFIX as the export protocol if suitable for PSAMP

To be improved: the variable-length data type

• Note: NetFlow already uses some sampling mechanisms

Page 46

NetFlow Partners

(Partner logo slide.) Partners are grouped by use: Traffic Analysis, Denial of Service, and Billing; the open-source Flow-Tools is also listed.

Page 47

Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router

NetFlow export versions by supervisor and software mode:

           Hybrid        Native 12.1E   Native 12.2SX
MSFCx      v5            v5             v5, v8*
Sup1a      v7, v8        v7             N/A
Sup2       v7, v8        v5, v7         v5, v7, v8
Sup720     v5, v7, v8    v5, v7         v5, v7, v8

• Hybrid: Cisco Catalyst OS on PFC/supervisor and Cisco IOS software on MSFC

• Native Cisco IOS Software: PFC/supervisor and the MSFC both run a single bundled Cisco IOS software image

• Export is centrally via the supervisor and MSFC; each linecard has its own hardware NetFlow cache and forwarding table, i.e. a distributed platform

* No NetFlow support on MSFC with Sup1a

Page 48

Cisco Catalyst 6500 and Cisco 7600 Series Versions and Features

• Cisco IOS Software Release 12.1(13)E1

PFC2 source/destination interface information (Hybrid 6.3(6))

PFC2 source/destination AS information

PFC2 support for V5 NetFlow data export (Hybrid 7.5(1))

IP next hop

Sampled NetFlow is available on PFC in Cisco IOS

• Cisco IOS Software Release 12.2(14)SX

Version 8 in native mode

• PFC3b (Sup720) cards

ToS byte

• Hybrid Catalyst OS 7.2(1)

L2 switched traffic (VLAN x to VLAN y) support (doesn't require MSFC)

• Hybrid Catalyst OS 7.3(1)

Destination and source ifIndex enabled by default

Page 49

Cisco Catalyst 4000 Supervisor IV NetFlow Services Card

NetFlow Services Card features

• NetFlow statistics collection and NetFlow Data Export (NDE)

• VLAN statistics collection

• CLI support for NetFlow & VLAN statistics

• SNMP support for VLAN statistics

• Requirements: Supervisor IV or V; IOS 12.1(13)EW

• NetFlow Versions 1 & 5; Version 8 with IOS 12.1(19)EW

Page 50

NetFlow Features supported with Version 9

• Multicast NetFlow

Availability: Major Release 12.3(1) and 12.2(18)S

Ingress: accounting of replicated multicast packets

Egress: per-user accounting of multicast packets

• MPLS Aware NetFlow

Availability: Release 12.0(26)S

Label and prefix export information

• BGP Next Hop

Availability: Releases 12.0(26)S, 12.2(18)S, and 12.3

Edge-to-edge traffic matrix

BGP traffic destination information

• NetFlow for IPv6

Availability: Release 12.3(7)T

Export IPv6 source and destination information

Page 51

NetFlow Product Update

• Sampled NetFlow

Availability: Releases 12.0(26)S, 12.3(2)T, and 12.2(18)S

Random sampling of the packets in a flow, with reduced CPU load

• NetFlow MIB

Availability: Releases 12.3(7)T and 12.2(25)S

Top N Talkers in the MIB

NetFlow configuration using the MIB

• Input Flow Filters

Availability: Releases 12.3(7)T, 12.2(25)S

QoS MQC-based filtering of traffic entering NetFlow

• Egress NetFlow

Availability: Release 12.3(11)T, 12.2(Rls6)S - Q1CY05

Accounting for egress IP flows

Page 52

Random Sampled NetFlow

• Capacity planning may not need every packet of every flow

• Sampling on high-speed interfaces will reduce CPU consumption

• Random (packets are selected for accounting per statistical principles)

Cisco IOS Software Releases 12.0(26)S, 12.2(18)S, and 12.3(1)T

Cisco 800, 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200, and 7500 Series Routers

Random sampling on Cisco 12000 Series: 12.0(28)S

Cisco 12000 Series: deterministic sampling today

Cisco Catalyst 6500 Series: random and time-based sampling, 12.1(13)E

Page 53

NetFlow MIB

• Currently available in Release 12.3(7)T

• NetFlow information available using SNMP and without NetFlow export

• Administration of NetFlow using the MIB interface

• The NetFlow MIB cannot be used to retrieve all flow information, but it is very useful for security monitoring and for locations where export is not possible

Example objects available:

Packet size distribution

Number of bytes exported per second

Number of flows

NetFlow MIB with export of Top N Talkers

• Top N Talkers

Top N flows based on various NetFlow field values (AS number, destination, ports, ...)

MIB and CLI support

12.2(25)S and 12.3(11)T

Page 54

Input Flow Filters

• Prevent flows from entering the NetFlow cache by using a flow filter

• Increase scalability and decrease CPU usage

• Filters are based on QoS MQC CLI class maps

• Users can use an ACL to match flows from a certain port or source

• Define a traffic class (match ACL) and flow sampling per match

Example (figure): packets pass through a low-importance traffic filter that samples 1:100 from Subnet A and a high-importance traffic filter that samples 1:1 from Server B

12.0(27)S, 12.3(4)T, 12.2(25)S
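The two slides above (Random Sampled NetFlow and the per-class sampling of Input Flow Filters) leave the practical question unanswered: what does a 1:100 sample preserve and what does it hide? The simulation below is an added example written for this page, not code from the Cisco deck. It applies the slide's policy (1 out of 100 for Subnet A, 1 out of 1 for Server B) to constructed traffic, scales the sampled counts back up the way a collector does, and compares the estimates with the truth. The subnet, server addresses, traffic mix and seed are all this example's assumptions.

```python
"""Class-based sampled NetFlow, simulated.

Added example, not from the Cisco deck. Models the slide's policy (1:100
random sampling for Subnet A, 1:1 for Server B) on constructed traffic and
shows what sampling preserves and what it hides.
"""
import random
from collections import defaultdict
from ipaddress import ip_address, ip_network

SUBNET_A = ip_network("10.1.0.0/16")       # assumed "Subnet A"
SERVER_B = ip_address("10.2.0.5")          # assumed "Server B"

# Policy in the spirit of class-map + sampler-map: (match predicate, 1-out-of-N).
# First match wins; everything else gets the default rate.
POLICY = [
    (lambda src, dst: src == SERVER_B, 1),      # high importance: every packet
    (lambda src, dst: src in SUBNET_A, 100),    # low importance: 1 in 100
]
DEFAULT_RATE = 100


def sampling_rate(src, dst):
    for match, rate in POLICY:
        if match(src, dst):
            return rate
    return DEFAULT_RATE


def constructed_traffic(rng):
    """(src, dst, dport, size) packets: one bulk transfer from Server B, three
    bulk transfers from Subnet A, and a 2000-target probe from a Subnet A host
    where every flow is a single 60-byte packet. Constructed, not captured."""
    pkts = []
    for _ in range(20000):
        pkts.append((SERVER_B, ip_address("10.3.0.9"), 443, 1500))
    for host in range(3):
        src = ip_address("10.1.0.1") + host
        for _ in range(20000):
            pkts.append((src, ip_address("10.3.0.9"), 80, 1000))
    scanner = ip_address("10.1.255.250")
    for target in range(2000):
        pkts.append((scanner, ip_address("10.3.1.0") + target, 1434, 60))
    rng.shuffle(pkts)
    return pkts


def sampled_flow_cache(packets, rng):
    """Return {(src, dst, dport): (est_packets, est_bytes)}. Each sampled packet
    is credited with rate packets and rate*size bytes, i.e. the usual scaling a
    collector applies to sampled records."""
    cache = defaultdict(lambda: [0, 0])
    for src, dst, dport, size in packets:
        rate = sampling_rate(src, dst)
        if rng.random() * rate >= 1.0:       # select 1 out of N at random
            continue
        entry = cache[(src, dst, dport)]
        entry[0] += rate
        entry[1] += size * rate
    return {key: tuple(val) for key, val in cache.items()}


def summarize(seed=7):
    rng = random.Random(seed)
    packets = constructed_traffic(rng)
    cache = sampled_flow_cache(packets, rng)
    true_bytes, est_bytes = defaultdict(int), defaultdict(int)
    for src, _dst, _dport, size in packets:
        true_bytes[src] += size
    for (src, _dst, _dport), (_pkts, nbytes) in cache.items():
        est_bytes[src] += nbytes
    return {
        "server_b_true": true_bytes[SERVER_B],
        "server_b_est": est_bytes[SERVER_B],
        "subnet_a_true": sum(b for s, b in true_bytes.items() if s in SUBNET_A),
        "subnet_a_est": sum(b for s, b in est_bytes.items() if s in SUBNET_A),
        "scan_flows_true": 2000,
        "scan_flows_seen": sum(1 for (_s, _d, dport) in cache if dport == 1434),
    }
```

Server B's byte count is exact because its class is sampled 1:1, and Subnet A's aggregate volume comes out within a few percent, which is all capacity planning needs. The probe is a different story: each of its 2000 flows is one packet, so a 1:100 sampler sees roughly twenty of them and the other 99% never enter the cache. Put hosts whose every flow you need to see (servers, management networks) in a 1:1 class, and treat sampled data as a volume estimate, not an inventory of flows.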

Page 55

Egress NetFlow Accounting

(Figure: PE routers at the edges of an IP or MPLS core with servers behind one edge; the labels show NetFlow Ingress on one PE, NetFlow Egress on another, and NetFlow Egress and Ingress together on a third.)

12.3(7)T, 12.2(25)S

Page 56

Flexible NetFlow and Flexible Accounting

• Flexible NetFlow and Flexible Accounting will replace most static accounting technologies available today

Flexible NetFlow: user-defined flow keys and export fields within NetFlow

Flexible Accounting: user-defined permanent flows with periodic export, accounting for the defined flows over time

The data can be polled through a MIB

Flow Groups: user-defined buckets for specific flow field values

Example: show me packets and bytes from 1.1.1.1 to 2.2.2.2 on port 21

Page 57

SCTP Reliable Transport

• Flows may be sent in reliable, unreliable or partially reliable mode

• SCTP connection to the collector, with multiple streams per connection

• Supported with Version 9; templates may be sent reliably

• Congestion awareness, retransmission and queuing

(Figure: data for export is placed in a send queue and carried in an SCTP stream to the collector; under congestion, packets marked unreliable are potentially dropped.)

Releases 12.4(2nd)T, 12.2(Rls7)S

Page 58

NetFlow Security Enhancement, Release 12.4(1st)T, Q2CY05

• New show commands to understand and parse NetFlow data

For example, show flows on port X to destination Y:

show ip flow top <N> <aggregate-field> <sort-criteria> <match-criteria>

show ip flow top 10 destination-address packets interface ser0 port-range 100 to 135

• New flow export fields including source MAC, TTL, packet length, ICMP type, and more

• Also will be available in 12.2(Rls7)S
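The Top N Talkers of the NetFlow MIB slide and the show ip flow top command above both answer the same question over the flow cache: group flows by one field, rank the groups by packets, bytes or flow count, and restrict the input with match criteria. The function below is an added example written for this page, not code from the Cisco deck and not the IOS implementation; it emulates that query over a constructed cache. The match semantics are this example's assumptions (port-range tests either the source or the destination port; the exact IOS matching rules are not on the slide), and the addresses, interfaces and traffic mix are made up. Sorting by flow count is the variant worth knowing for security use: a host that opens hundreds of single-packet flows to distinct destinations on one port (the pattern of a worm such as Slammer, or of a port sweep) rises to the top of that ranking even though its byte count is negligible.

```python
"""Emulation of 'show ip flow top N <aggregate-field> <sort-criteria> <match-criteria>'.

Added example for this page, not code from the Cisco deck or from IOS. The flow
cache below is constructed: a web server's traffic, one host probing TCP/135 and
TCP/111 across a subnet over Serial0, and one host spraying single-packet UDP/1434
flows over Ethernet0.
"""
from collections import defaultdict


def constructed_cache():
    flows = []
    for i in range(50):                                      # 50 web clients
        flows.append(dict(src=f"198.51.100.{i}", dst="10.0.0.80", sport=30000 + i, dport=80,
                          proto=6, packets=40, bytes=32000, interface="Serial0"))
    for i in range(1, 200):                                  # TCP probe of 135 and 111
        for port in (135, 111):
            flows.append(dict(src="203.0.113.7", dst=f"10.0.1.{i}", sport=40000 + i, dport=port,
                              proto=6, packets=1, bytes=60, interface="Serial0"))
    for i in range(1, 250):                                  # UDP/1434 spray, one packet per flow
        flows.append(dict(src="10.0.2.15", dst=f"10.0.3.{i}", sport=1234, dport=1434,
                          proto=17, packets=1, bytes=404, interface="Ethernet0"))
    return flows


# aggregate-field names as used on the slide -> keys in the flow dicts
FIELDS = {"source-address": "src", "destination-address": "dst",
          "source-port": "sport", "destination-port": "dport", "protocol": "proto"}


def matches(flow, match):
    """Match criteria (assumed semantics): interface, protocol, and an inclusive
    port-range applied to either the source or the destination port."""
    if not match:
        return True
    if "interface" in match and flow["interface"] != match["interface"]:
        return False
    if "protocol" in match and flow["proto"] != match["protocol"]:
        return False
    if "port-range" in match:
        lo, hi = match["port-range"]
        if not (lo <= flow["dport"] <= hi or lo <= flow["sport"] <= hi):
            return False
    return True


def top_flows(flows, n, aggregate_field, sort_by, match=None):
    """Group matching flows by aggregate_field and return the top n groups as
    (value, {"packets", "bytes", "flows"}) sorted by sort_by, descending."""
    if sort_by not in ("packets", "bytes", "flows"):
        raise ValueError("sort-criteria must be packets, bytes or flows")
    key = FIELDS[aggregate_field]
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0})
    for flow in flows:
        if not matches(flow, match):
            continue
        entry = agg[flow[key]]
        entry["packets"] += flow["packets"]
        entry["bytes"] += flow["bytes"]
        entry["flows"] += 1
    return sorted(agg.items(), key=lambda kv: kv[1][sort_by], reverse=True)[:n]


def security_queries(flows):
    """The slide's example query (top destinations by packets, Serial0, ports 100-135)
    and the fan-out query that exposes scanning and worm-like hosts."""
    return {
        "scan_targets": top_flows(flows, 10, "destination-address", "packets",
                                  {"interface": "Serial0", "port-range": (100, 135)}),
        "fan_out": top_flows(flows, 3, "source-address", "flows"),
        "udp_ports": top_flows(flows, 1, "destination-port", "flows", {"protocol": 17}),
    }
```

Ranking by bytes would have put the web clients first and hidden both suspicious hosts; ranking by flows puts the prober (398 flows) and the UDP sprayer (249 flows) at the top. Combined with the sampling caveat from the previous slides, this is also why a 1:1 class for the interfaces you monitor for security pays for itself: the flows this query depends on are the single-packet ones that sampling discards.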

Page 59

Upcoming New Features: NetFlow Product Update

• NetFlow Security Enhancements (Q2CY2005)

New exports and show commands for security monitoring

• Flexible NetFlow and Accounting (Q3CY2005)

Allow user defined flow keys and aggregation with v.9

• Reliable and Congestion Aware Export (Q2CY2005)

SCTP protocol NetFlow export

• NBAR and NetFlow Integration (Radar)

Application flow information export

Page 60

NetFlow Roadmap

(Timeline figure, Nov 2003 to Mar 2005, with the themes Scalability & Flexibility; Enhancing Cisco technologies with Flow Accounting; Optimizing data for Flow processing; Standardization.)

12.3(Rls2)T: Input Filter

12.0(27)S: Input Filter

Targeting 12.3(2)T: NetFlow MIB & Top Talker; NetFlow IPv6

Targeting 12.2(25)S: NetFlow MIB & Top Talker; Input Filter

Targeting 12.3(11)T: Egress NetFlow

Targeting 12.2(Rls6)S: Egress NetFlow

Targeting 12.2(Rls7)S: Flexible Flow Definition; Reliable Export; Security Exports; MIB Phase 2

Targeting 12.4(Rls1)T: Security Exports

Page 61