BRKAPP-2017

© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr

1

© 2008 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAPP-201714328_04_2008_c2 2

Optimizing Application Delivery

BRKAPP-2017


2

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 3BRKAPP-201714328_04_2008_c2

WAN AccelerationData redundancy eliminationWindow scalingLZ compressionAdaptive congestion avoidance

Application AccelerationLatency mitigationApplication data cacheMeta data cacheLocal services

Application OptimizationDelta encodingFlashForward optimizationApplication securityServer offload

Application NetworkingMessage transformationProtocol transformationMessage-based securityApplication visibility

Application ScalabilityServer load-balancingSite selectionSSL termination and offloadVideo delivery

Network ClassificationQuality of serviceNetwork-based app recognitionQueuing, policing, shapingVisibility, monitoring, control

Cisco Application Delivery Networks

WAN


Other Cisco Live Breakout Sessions that You May Want to Attend

BRKAPP-2014 Deploying AXG

BRKAPP-2013 Best Practices for Application Optimization illustrated with SAP, Seibel and Exchange

BRKAPP-2011 Scaling Applications in a Clustered Environment

BRKAPP-2010 How to build and deploy a scalable video communication solution for your organization

BRKAPP-1009 Introduction to Web Application Security

BRKAPP-1008 What can Cisco IOS do for my application?

BRKAPP-3006 Troubleshooting WAASBRKAPP-2005 Deploying WAAS

BRKAPP-2018 Optimizing Oracle Deployments in Distributed Data Centers

BRKAPP-2017 Optimizing Application DeliveryBRKAPP-1016 Running Applications on the Branch Router

BRKAPP-1015 Web 2.0, AJAX, XML, Web Services for Network Engineers

BRKAPP-1004 Introduction WAAS

BRKAPP-3003 Troubleshooting ACEBRKAPP-2002 Server Load Balancing Design

ApplicationsISRGSS WAAS ACE AXGACNS

Relevancy


3


Agenda

Why Optimize?

Enterprise Framework for WAN/Application Optimization

Technologies That Will Be Discussed

Deployment Scenario in Depth

Caveats


Why Optimize?


4


WAN Characteristics

BandwidthBandwidth constraints keep applications from performing wellToo much data and too small of a pipe causes congestion, packet loss, and backpressure

Packet loss, congestion, and retransmissionPacket loss and congestion cause retransmission which hinders application performance and throughputCommonly caused by saturated device transmit queues in the network path

Packet LossCongestion


Enterprise WAN/Application Optimization Framework


5


Net

wor

ked

Infr

astr

uctu

reLa

yer

App

licat

ions

Inte

ract

ive

Serv

ices

La

yer WAN/Application

Optimization Services

Secure and Highly Available Network Infrastructure

Enterprise WAN/Application Optimization Framework

TransactionalIP Communications Bulk File / Storage

Data Center

Branch Office

IP WAN/FR/MPLS

Internet

Polic

y C

onfig

urat

ion

& M

anag

emen

t

Optimization

Control

Monitoring

Classification


WAN/Application Optimization Technologies


6


WAN/Application Optimization Technologies

Data Center

CampusSiSi SiSi

Branch

Branch

Internet

WAN

Branch

IP SLAsMeasurements

Deploy WAASFarm

Deploy WAAS

Deploy WAAS

NBAR Protocol Discoveryand NetFlow Monitoring

Deploy NetQoSMonitoring tools

IP SLAsMeasurements

Deploy ACE: SSL Offload and SLB

QoS

PfR and QoS

PfR and QoSDeploy WAAS

IOS FW

DMVPN


Deployment


7


DeploymentStep 1—Visibility

Obtain visibility into applications running across the networkApplication discovery and reporting per location

Including encapsulated applications

Get visibility into end-to-end application performanceApplication bandwidth/throughput usage—per user, per site, per prefix

Application performance metrics—loss, RTT, one-way delay, jitter, latency, ART, MOS

Top talkers—applications, sessions, prefixes

TCP session stats—complete, open, expired

Historical and real-time

Network-wide congestion points

Application behavior analysis

Behavioral based application analysis


Link Utilization

Voice

P2P

E-mailBackup,

etc.

Bulk

Streaming-Video

Mission-Critical

Routing

Interactive-Video

Call-SignalingNet Mgmt

Transactional

Real-Time ≤ 33%

Critical Data

Best Effort≥ 25%

Network Based Application Recognition (NBAR)

Protocol Discovery: discover what apps are running on your network and provide real-time statistics

Per-interface, per-protocol, bi-directional statistics

bit rate (bps); packet count; byte count

SNMP accessible for centralized monitoring

Supported by Partner products (Concord|CA, InfoVista, Micromuse|IBM) and MRTG

Stateful Application Intelligence


8


Application Discovery—NBAR

Configure NBAR on the LAN interface on the branch router

ip nbar protocol-discovery

Identify all applications (NBAR can detect more than 500 applications and protocols)Determine application specific SLAs

Real-Time Application Visibility


Application Discovery—NBAR and NetQOS

NetQOS supports SNMP

Configure NetQOS to take in NBAR info

Map NetQOS to recognize applications


9


NetFlow

Characterize and analyze application traffic flow

Understand who is utilizing the network and top talkers

Diagnose slow network performance, bandwidth hogs and bandwidth utilization in real-time

Information for network capacity and traffic engineering

Used for anomaly detection, worm diagnosis, and DOS attacks


Making Sense of Your Network Traffic


10


Configure NetFlow on LAN and WAN interfaces (ingress)ip flow ingress

Identify flows using “show ip cache flow” command.

Monitoring Application Performance Identifying Flows—NetFlow


Monitoring Application PerformanceIdentifying Flows—NetFlow and NetQOS

Configure NetFlow to export statistics to NetQOS

ip flow-export source FastEthernet3/1.3051

ip flow-export version 5

ip flow-export destination 52.1.1.22 9995

Use NetQOS reports to identify top protocols and network-wise traffic


11


IP SLA—Response Time Measurement

Active AgentSampling method

Synthetic/active

Collection methodEmbedded agents as supposedto external probes

Perspective of measurementNetwork perspective

Scope of measurementEnd-to-end/path

Network Perspective

User Perspective

Source Responder

Network


Monitoring Application PerformanceIP SLA and NetQOS

Configure IP SLAs manually or with NetQOS for the flows identified

Use NetQOS to track these SLAs


12


Remote Office

WAN Access Links Are Biggest End-to-End Bottleneck!

Telecommuter

Headquarters

Bottlenecks!MCBR

BRBR

MC/BR

MC/BRSP A SP B SP C

SP D SP E

By Default BGP Chooses Best Path Based on Fewest As-

Path Hops!

Performance Routing Overview

PFR Components

BR—Border Router

MC—Master Controller (decision maker)

What Is PFR?Routing Based on Performance

Optimize by: Reachability, Delay, Loss, Jitter*,

MOS*, Throughput, Load and/or $Cost


Multi-Path Baselining—PfR

The router is configured with PfR in monitoring mode to learn jitter, delay, mos etc for automating multi-path baselining

Helps develop appropriate PfR policies for path optimization


13


Multi-Path Baselining—PfR

PfR can learn and track prefixes and associated delay, jitter etc.


Establishing Application Performance Baselines—NetQOS

Various NetQOS reports can be used to establish application performance baselines

Drill down reports provide greater granularity


14


Identify What Can Be Optimized and Where

Top traffic in New York is voice and low latency queues with higher bandwidth for voice traffic might provide optimum delay, jitter and performance


Deployment Step 2—Visibility and Control

Assumes visibility tools are already deployed and all applications have been recognized and appropriate priorities mappedProvide application-level SLAs for prioritized traffic flows

Apply application based QoS within the network—shaping, queuing, markingAbility to apply per branch and per application QoS policies

If application SLA are not met based on monitored performance, behavioral based anomaly following actions should be taken:

For local congestion, the local hierarchical QoS policies will be in playIf above don’t suffice then have ability to change application class of service per policy

Local and remoteIf alternate path exist which meets SLA, reroute traffic per policy

Local and remote congestionOnce SLAs are met on the congested path revert back to defaultsIf traffic is anomalous drop the traffic or redirect for forensic analysis


15


QoS Deployment for Converged NetworksGoal: To Deploy Consistent, End-to-End QoSfor Voice, Video, and Data

• Layer 3 Policing• Egress Scheduling

(multiple queues with WRR)

• Priority Queuing for Voice over IP (VoIP)

• Buffer Management

Distribution Layer• Classification and Trust

Boundary• Marking / Remarking• Egress Queue Scheduling• Buffer Management

Access Layer WAN

• Intelligent Classification • Bandwidth Provisioning• Admission Control• Shaping• Link Fragmentation and

Interleaving• Header Compression

WAN


NBAR Application Discovery and QOS Marking

Configure NBAR classification policies on the LAN interface to recognize different application traffic

match protocol HTTP url *cisco*

match protocol sipmatch protocol rtcp

Configure QOS policies to mark those traffic with appropriate DSCP/TOS markings

match all class HTTP

Set precedence 3 match all class rtcp

Set precedence 6match all class sip

Set precedence 7


16


NBAR Application Discovery and QOS Marking Show Command Outputs

MQC markings before TCP optimization help in applying appropriate application specific QOS policies on the exit after optimization


Control Policies with QOS

Configure appropriate congestion management QOS policies on the WAN interfaces for both optimized and unoptimized traffic

match ip precedence 5

set bandwidth 20

match ip precedence 3

Set bandwidth 30

Ensure real time traffic like voice are prioritized with appropriate low latency queues

If using a DMVPN tunnel for security, configure appropriate policy and apply the policy map to the physical interface mapped to the tunnel


17


Control Policies with QOSShow Commands

Verify that the QOS policies are adhered to with appropriate show commands


Path Optimization—PfR

Configure PfR to monitor and route traffic based on appropriate application specific policies

Configure the branch router to be both PfRmaster and border router

Tag the appropriate internal(ingress) and external(exit) interfaces

Define appropriate policy to enable PfR load balance traffic across both the WAN exits


18


PfR Path Optimization—Load Balancing

Effective bandwidth utilization using both the links

Distinctive treatment for different kids of traffic


PfR Path Optimization—Congestion

Passive or active monitoring of network parameters like delay, jitter, etc.

Fast switch over to alternate path in case of failure


19


PfR Path Optimization—Congestion Show Command

PfR continuously monitors and verifies that the network parameters are within the defined policy for path optimization

During congestion the delay increases in that path

PfR compares this delay with that of the alternate path and switches path


PfR Path Optimization—Path Failure

Passive or active monitoring of path reachability

Fast switch over to alternate path in case of failure


20


PfR Path Optimization—Path FailureDebug Command

As soon as PfR detects reachability has gone down it switches to alternate path

Alternate path held in “HOLDDOWN” state for a period of time (configurable) to prevent flapping


Deployment: Step 3—Visibility, Control and Optimization

Assumes visibility and control service already running or is part of this serviceProvide application optimization

TCP accelerationDate CompressionApplication acceleration and caching

DC to DC Active Application Load Distribution

Should support both native and hardware acceleration optimizationAbility for the monitoring tool to extract and present pre/post optimization data—compressions stats, ART, latency, etc.

Per user, per application, per siteShould be consistent across all implementations (native or Hw)—NBI and Instrumentation

Should be transparent to other services (interop and co-exist) already deployed


21


WAN

TCP Performance Improvement

Transport flow optimization overcomes TCP and WAN bottlenecksShields nodes connections from WAN conditions

Clients experience fast acknowledgementMinimize perceived packet lossEliminate need to use inefficient congestion handling

LAN TCPBehavior

LAN TCPBehavior

Window ScalingLarge Initial Windows

Congestion MgmtImproved Retransmit


Data CompressionReduce overall WAN consumption based on redundancy

Maintain active database of previously sent and received trafficSend database index on behalf of traffic that has been seen beforeRealize 5x–50x compression, minimize WAN bandwidth consumption

Compress all outbound traffic with LZ compressionAdditional 2x compression beyond data suppressionVery good compression for non-redundant data

Label Data

L1

L2

ABCDEFGHIJKL

QRSTUVWXYZ

ABCDEFGHIJKLMNOPQRSTUVWXYZ

ABCDEFGHIJKLMNOPQRSTUVWXYZL1+”MNOP”+L2

DRE CACHE DRE CACHE

IPNetwork


22


TCP Optimization with Web Cache Communication Protocol (WCCP)

Configure WCCP interception on LAN and WAN interfaces

ip wccp 61 redirect in (LAN)ip wccp 62 redirect in (WAN)

Configure appropriate optimization policies on the WideArea Application Engine (WAE) for different kinds of traffic

TCP flowData Redundancy Elimination (DRE)LZFull


TCP Optimization with WCCPShow Commands

“show ip wccp” command on routers

No of packets redirected by WCCP

No of bypassed packets returned by

WAE


23


TCP Optimization Show Commands

“show tfo connection summary” on WAEs

Full optimization

Only TCP Flow optimization


TCP Optimization NetQOS

“NetQOS trend charts can be used to track optimization efficiency by tracking throughput


24


ACE Optimization at Data Center


Server Load Balancing (SLB) andSecure Socket Layer (SSL) Offload with ACE

Load Balancing Algorithms (Round Robin, Least Connections, Hash)Stickiness (session persistence mechanisms—Source IP/Source Subnet Sticky, Cookie sticky, HTTP Redirection sticky, SSL sticky)Health Monitoring (Return code checking, TcL scripts) Redundancy (stateful versus stateless redundancy, session and sticky state replication)Offload of CPU-intensive SSL processing Servers resources are dedicated to serving requests and running applications, rather than encrypting dataAllows packet inspection and advanced content switching (cookie sticky) of SSL traffic

Clients send traffic to a Virtual IP SLB makes a L7

decision on the traffic and sends the connection to the best serverfarm

SLB load balances to the selected SSL Module

SSL Module decrypts traffic & returns it to SLB

Clients send SSL traffic to a Virtual IP


25


SLB and SSL Offloading with ACE

Offload of CPU-intensive SSL processing

Servers resources are dedicated to serving requests and running applications, rather than encrypting data

Allows packet inspection and advanced content switching (cookie sticky) of SSL traffic

Application Control Engine


WAN Optimization and Security


26


MPLS WAN Optimization

. L2 WAN is a typical hub and spoke network

Support CenterIndia

USHeadQuarters

ManufacturingChina

USCustomer

USAssembly WAN

USCallCenter

MPLS WAN

USCallCenter

ManufacturingEurope

. All spoke to spoke traffic go through the hub

. MPLS provides direct path between branches


Group Encrypted Technology VPN—GET VPN

Support CenterIndia

ManufacturingChina

USCustomer

USAssembly WAN

USCallCenter

MPLS WAN

USCallCenter

ManufacturingEurope

. Get VPN - Scalable architecture for any-to-any connectivity and encryption

. IPSec tunnel mode security is a typical hub and spoke overlay network

. No overlays – native routing. Any-to-any instant connectivity.

USHeadQuarters


27


Dynamic Multipoint VPNs—DMVPN

Key Features:

Multipoint GRE (mGRE)

Dynamic IGP routing (EIGRP, OSPF, etc.)

NHRP

Good For:

Customers already using routing

IP only branch offices

IP multicast requirements—hub and spoke only

Customers with dynamic partial or full mesh requirements

DynamicRouting

Routing Control Plane

DPD DPDIPSec Control Plane

TunnelProtection

DynamicRouting

NHRPNHRP

TunnelProtection

GREControl Plane

MultipointGRE

MultipointGRE

IP WAN

DS3, OC3, OC12

Broadband

Hub Site 1

Hub Site 2 Primary DMVPN Tunnel

Branch OfficesBroadband, Frac-T1, T1

Home Offices

Secondary DMVPN Tunnel

DM

VPN

DM

VPN

Head-End Branches

Spoke-to-Spoke Tunnel

WAN RouterVPNHead-end

Branch Router


Deployment Summary


28


Where to Apply WAN/Application Optimization Technologies

Data Center

CampusSiSi SiSi

Branch

Branch

Internet

WAN

Branch

IP SLAsMeasurements

PfR and QoS

Deploy WAASFarm

Deploy WAAS

QoS

NBAR Protocol DiscoveryAnd NetFlow Monitoring

Deploy WAAS

Deploy NetQoSMonitoring Tools

IP SLAsMeasurements

Deploy ACE: SSL Offload and SLB

NAM Trouble-shooting

PfR and QoSDeploy WAAS

IOS FW

DMVPN


Quick Look—Before Optimization

At around 300 mseclatency, 10 users could sustain connection rate of around 20 connections per second


29


Quick Look—After Optimization

At around 130 mseclatency, 10 users could sustain a connection rate of around 110 connections per second


Suggested Branch Deployment Designs


30


Branch Deployment Scenarios 1 and 2

Single Homed Small Branch Office Dual Homed Small Branch Office


Branch Deployment Scenario 3

MC—PfR master controllerRecommended not to be placed in the forwarding path

GLBP—can provide load balancing

Dual homed Medium Branch Office


31


Deployment CaveatPfR: Lacks Support for Multipoint Interfaces

PfR supports only single next hop per interface

Will work with:PPP/HDLC/Frame Relay

GRE

DMVPN (point to point GRE)

Will not work with:VPLS

Common Ethernet VLAN

DMVPN (multipoint GRE)

Support will be available from IOS version 12.5(pi4)T expected in late 2008


Deployment CaveatPfR Only Supports Static or BGP Routes

PfR currently supports route learning with only static or BGP routes for path control

Support for other routing protocols like EIGRP or OSPF does not exist

Workaround is to add summary static routes and use PfR for only route unreachability mitigation

Support for EIGRP will be available from IOS version 12.5(pi4)T in late 2008 or early 2009

Plans are there to add support for OSPF


32


Deployment CaveatWAE TCP Options and Firewalls

WAEs add TCP options (0x21) to the TCP header that help in WAE peer discovery and negotiations

Many firewalls do not understand these options and clear them

WAEs peer discovery and negotiation fails and hence no optimization can take place

Wokaround: configure firewalls to allow TCP options

Many Cisco firewalls like IOS Firewall, PIX and the Firewall Service Module (FWSM) can be configured to allow TCP options


Deployment CaveatWAE Sequence Numbers and Firewalls

Introduction of WAEs causes three different TCP sessions to be established

WAEs jump sequence numbers on the optimized TCP session once TCP handshake is done

Many firewalls do not like this and will drop subsequent traffic

Workaround: sequence check can be disabled on the firewalls or traffic from WAEs can be tunneled, say, with GRE

Cisco software and firewall modules can be configured to support this behavior.

PIX 7.2(3)/FWSM v3.2.1

IOS Zone based FW 12.4(11)T2


33


Branch Deployment Scenario 4

MC—PfR master controllerRecommended not to be placed in the forwarding path

IPSec protection for traffic optional (GetVPN)

Dual homed Large Branch Office


Suggested Data Center Deployment Designs


34


Core

Distribution

MAN

Data Center View—WAE at WAN-Edge

WAAS

WCCP redirects packet to WAAS

WAE device

Uncompressed / unoptimized Packets

pass thru Firewall to the Server Farm Load Balanced By ACE

DATA CENTER 2

DATA CENTER 1


MAN

Secured WAN

Secured

WAN

Core

Distribution

Data Center View—ACE Load Balancing WAE

WAAS ACE redirects and Load Balances across the

WAAS Farm

DATA CENTER 2

Packets need to traverse Firewalls

so open appropriate ports

DATA CENTER 1

Uncompressed / unoptimizedpackets are

spanned to the NAM for

Monitoring


35


Deployment CaveatWCCP and DMVPN

DMVPN uses NHRP to create spoke-to-spoke shortcuts

When spoke to spoke traffic hits the DMVPN hub, a NHRP redirect gets generated

In a DMVPN environment, WCCP is redirected on the tunnel interfaces

WCCP breaks this NHRP redirect in both IP return and GRE return

Workaround: use ‘WCCP redirect out’ on client facing interface on HUB; will affect performance


Deployment CaveatWCCP/WAEs Do Not Support VRFs

Current WCCP versions do not support VRF

Also WAEs do not support multi-tenant, or overlapping address ranges

VRF support is being planned


36


Q and A


Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press

Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store


37


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.



38


Backup Slides


Enterprises Becoming Global

WAN

Support CenterIndia

USHeadQuarters

ManufacturingChina

ManufacturingEurope

. As enterprises evolve so do the applications

. As enterprises keep growing so do applications

USCustomer

USCallCenter

USAssembly


39


Enterprises Becoming Global

WAN

Support CenterIndia

USHeadquarters

ManufacturingChina

ManufacturingEurope

. As enterprises and applications grow so do their need for bandwidth

. Murphy’s law

USCustomer

USCallCenter

USAssembly

BRKAPP-2017

Documents

Transcript of BRKAPP-2017