Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
Agenda
• Architectures and choice of technology
– Unified Access (refresher) – Instant Access – Converged Access
• SDU case
• AVC (Application Visibility and Control)
– AVC overview – NBAR2 – Performance – Control
• Key takeaways
Cisco ONE Enterprise Networks Architecture – Unified Access refresher
Simple, secure, reduced TCO.
• One place to define policy, multiple policy enforcement points (wired and wireless)
• One pane of glass
• Deployment modes
– Wired: traditional access, Instant Access
– Wireless: centralized, Flex, autonomous
– Wired-wireless: Converged Access
Unified Access – focus
Products: Aironet APs; Cisco Catalyst 4500E and Cisco Catalyst 3K-X; Cisco Prime Infrastructure; WiSM2/WLC; Identity Services Engine; Cisco Catalyst 6500/VSS.
• TrustSec: Secure Group Access to simplify the network and enable virtualized data center services
• Application Visibility and Control: application-aware networking to enable collaboration, video, and other apps
• Resiliency: maximized network availability with Virtual Switching and Stateful Switch Over
• Smart Operations: reduce operating expenses and improve network application and service delivery
Unified Access – products
• One Policy: Identity Services Engine (ISE), MDM
• One Management: Prime Infrastructure
• One Network – controllers and access switches
– Access points: 1600 (small-mid enterprise); 2600 and 2700 (feature-optimized enterprise); 3600 (mid-large enterprise); 3700 w/ HDX (high-density enterprise); 1530 (low profile); 1550 (larger deployments)
– Wireless controllers: 8500, 5760, 5508
– Backbone switches: Catalyst 6800, Catalyst 6500, Catalyst 4500
– Converged access switches: Catalyst 3650, Catalyst 3850
– Access switch: Catalyst 2960-X
Benefits of Instant Access
• Simplify operations across the entire distribution POD
• "Grow as you go" with full "plug & play" Instant Access client provisioning
• Deploy premium Catalyst 6500 features at the access layer
[Diagram: a traditional design, where a Catalyst 6500 VSS pair (joined by the VSL) connects to standalone access switches and access switch stacks over LACP or PAgP port channels and runs STP or MST towards them, compared with Catalyst Instant Access, where Instant Access clients and Instant Access stacks attach to the same VSS pair and are provisioned and controlled through SDP, SRP and SCP.]
Reduced TCO – benefits
• Single image to deploy and manage across the distribution POD
• Agile infrastructure: add new features across layers
• Ultra high availability with quad-supervisor VSS SSO
• Plug & play architecture: add more when needed
• Single point of management, configuration and troubleshooting
Example: a 1000 user-port campus distribution POD. Devices managed by Prime Infrastructure: 22 with traditional access switches, 1 with Catalyst Instant Access (plus ISE for policy).
Understanding the current (known) deployment model
• Wireless is an overlay network
• Software components within the WLC today:
– Mobility Agent (MA) is responsible for: AP CAPWAP termination; maintaining the client database; policy enforcement
– Mobility Controller (MC) is responsible for: client mobility; Radio Resource Management (RRM); wIPS and spectrum management
[Diagram: access points with AP-controller CAPWAP tunnels to two 5508 controllers, each running MC and MA; an inter-controller EoIP/CAPWAP tunnel between the controllers; ISE and Prime Infrastructure above.]
Better scale and bandwidth with Converged Access
• Traditional controllers continue to play MA and MC
• The Catalyst 3850 can play the role of both MA and MC; valid for branch and small-to-medium campus deployments
• Moving only the MA to the Catalyst 3850 (typically in a large campus) helps with: improved scalability (larger mobility domains); increased wireless bandwidth; uniform wired/wireless policy enforcement
[Diagram: access points with CAPWAP tunnels terminating on new Catalyst 3850 switches (MA, or MA and MC) alongside Catalyst 3750 access switches; mobility tunnels from the 3850s to the MC, which is a 5508 or WiSM2 with a software upgrade or a new 5760; ISE and Prime Infrastructure above.]
Architecture and technology choices: Infrastructure
Syddansk Universitet (University of Southern Denmark)
Tim Kirketerp, Head of Infrastructure, IT Services
Syddansk Universitet: an international university with a focus on its students, with research at the highest international level, and closer to the world around it.
May 2014

Infrastructure requirements
• A super-stable wireless network for holding digital exams
• A strong network for research, teaching and administration, both wired and wireless
• Uniformity regardless of location
• A very large number of devices of different kinds
• The possibility of network collaboration with close partners, for example OUH, UCL and RSDK.

Solution in operation
• 1100+ APs, 100% wireless coverage
• Layer 3 network, data centre in Odense
• No decentralised servers in the other cities
• Uniformity regardless of location
• 2 technologies: wireless and wired
• 802.1X only on the wireless network
• No use of metadata such as positioning, application control, user types and device management

Campus Kolding
Campus profile: entrepreneurship; communication; design, culture and language. Students as of 1 October 2013: 2,634 enrolled, of which 176 international; intake 781. Staff as of 31 December 2013 (full-time equivalents): academic 109; technical and administrative 60. New low-energy building, neighbour to the Design School, with a focus on design.

Network in Campus Kolding
• 2 x Cisco 4500-X routers
• 12 x Cisco 4506-E chassis
• 2 x Cisco 8510 Wi-Fi controllers (HA)
• 80 x Cisco 3702 APs
• Cisco Identity Services Engine (ISE)
• MSE virtual appliance
• The licences needed to start out with…

Campus Odense: large, planned new buildings
Planned new buildings (shown in red on the map): 1. New OUH; 2. SDU SUND; 3. SDU TEK; 4. Portalby, including Forskerpark; plus 5. a light rail line through the area.
[Map of the Odense campus area: the current SDU on Campusvej, Niels Bohrs Allé, the road to the motorway, and the sites of the new OUH, SDU SUND, SDU TEK and Portalby/Forskerpark.]
Focus on AVC
Of the Unified Access pillars listed earlier (TrustSec, Application Visibility and Control, Resiliency, Smart Operations), the rest of this deck focuses on Application Visibility and Control: application-aware networking to enable collaboration, video, and other apps.
Key customer challenges
• 65% of organizations do not know what is running on their network
• Port 80 is typically associated with HTTP web traffic, but it can also be used for streaming media, P2P music downloads and more
• 89% of network downtime and outages are due to lack of visibility and awareness into network load and application performance
• 61% of organizations report that public cloud services reduce visibility into end-user experience
[Diagram: branches with and without direct Internet access, connected over the WAN and the Internet to public SaaS and to the data centers.]
• How can I fix poor and inconsistent performance?
• How can I recover from network outages faster?
• How can I increase utilization of my expensive WAN links?
• How can I increase my WAN reliability?
What is Application Visibility and Control (AVC)?
1. Application recognition (ASR1K, ISR G2): identify applications using layer 3 to layer 7 information.
2. Performance collection and exporting (ASR1K, ISR G2): the routers collect application performance metrics and export them to the management tool over NetFlow v9/IPFIX, for example per application: bandwidth and transaction time (SAP 3M, 150 ms; SharePoint 10M, 500 ms; …).
3. Reporting tools: an advanced reporting tool aggregates and reports application performance (App Visibility & User Experience report).
4. Control (ASR1K, ISR G2): use QoS and PfR to control application network usage (high/medium/low) to improve application performance.
AVC solution – enabled technologies
1. Application recognition (ASR1K, ISR G2): NBAR2
2. Performance collection and exporting (ASR1K, ISR G2): Metric Mediation Agent with basic monitoring, application response time, and voice/video monitoring; export over NetFlow v9/IPFIX (App, BW, transaction time: SAP 3M, 150 ms; SharePoint 10M, 500 ms; …)
3. Reporting tools: Cisco Prime Infrastructure, Insight Reporter, 3rd-party tools (App Visibility & User Experience report)
4. Control (ASR1K, ISR G2): QoS (with NBAR2), PfR (with NBAR2); high/medium/low
How is assurance achieved?
Prime Infrastructure normalizes and correlates data across multiple sources, leveraging the instrumentation embedded in Cisco devices:
• NAM module/appliance
• Cisco ASR: NBAR2, AVC, Medianet
• Cisco ISR/ISR G2: NBAR2, AVC, Medianet
• Cisco 6500/6800: NetFlow, Medianet
• Cisco Catalyst 3K-X (3750-X with 10G): NetFlow, Medianet
• Wireless controller: NBAR2
Data types collected: NetFlow, NBAR/NBAR2, Medianet, ART/PA, WAAS, SPAN/ERSPAN, SNMP/CLI polling.
What is really in your network?
• Port monitoring shows: http? unknown?
• Application monitoring shows: bittorrent, rtp, gtalk, netflix, skype, webex
Next-generation NBAR (NBAR2)
NBAR2 combines IOS NBAR (150+ signatures) with SCE classification (1600+ signatures) and advanced classification techniques. Innovations: native IPv6 classification and an open API.
• The new DPI engine provides advanced application classification and field extraction capabilities from SCE
• A Protocol Pack allows adding more applications without upgrading or reloading IOS
NBAR2 protocol list: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
List of all NBAR2 attributes and values (for your reference)
NBAR2 Category: browsing, business-and-productivity-tools, email, file-sharing, gaming, industrial-protocols, instant-messaging, internet-privacy, layer2-non-ip, layer3-over-ip, location-based-services, net-admin, newsgroup, obsolete, other, trojan, voice-and-video
NBAR2 Sub-category: authentication-services, backup-systems, client-server, commercial-media-distribution, control-and-signaling, database, epayement, file-sharing, inter-process-rpc, internet-privacy, license-manager, naming-services, network-management, network-protocol, other, p2p-file-transfer, p2p-networking, remote-access-terminal, rich-media-http-content, routing-protocol, storage, streaming, terminal, tunneling-protocols, voice-video-chat-collaboration
NBAR2 Application Group: apple-talk-group, banyan-group, bittorrent-group, corba-group, edonkey-emule-group, fasttrack-group, flash-group, fring-group, ftp-group, gnutella-group, gtalk-group, icq-group, imap-group, ipsec-group, irc-group, kerberos-group, ldap-group, netbios-group, nntp-group, npmp-group, other, p2p-file-transfer, pop3-group, prm-group, skinny-group, skype-group, smtp-group, snmp-group, sqlsvr-group, stun-group, telepresence-group, tftp-group, vmware-group, vnc-group, wap-group, webex-group, windows-live-messanger-group, xns-xerox-group, yahoo-messenger-group
P2P Technology: y, n, unassigned
Encrypted: y, n, unassigned
Tunnel: y, n, unassigned
(The values are spelled as NBAR2 spells them, including "epayement" and "windows-live-messanger-group"; use the same spelling when matching on an attribute in configuration.)
Define your own application in NBAR2
• Port: TCP or UDP; 16 static ports per application; or a range of ports (1000 maximum)
• Payload: search the first 255 bytes of TCP or UDP payload; ASCII (16 characters); and more
• HTTP URL (new): URI regex; host regex
Flexible NetFlow – NBAR integration
Key fields, packet #1: source IP 10.1.1.1; destination IP 173.194.34.134; source port 20457; destination port 80; layer 3 protocol 6 (TCP); TOS byte 0; ingress interface Ethernet 0
Key fields, packet #2: source IP 10.1.1.1; destination IP 72.163.4.161; source port 30307; destination port 80; layer 3 protocol 6 (TCP); TOS byte 0; ingress interface Ethernet 0

NetFlow cache (key fields followed by the collected fields App Name, Timestamps, Bytes, Packets)
Src. IP | Dest. IP | Src. Port | Dest. Port | L3 Prot. | TOS Byte | Ingress Intf. | App Name
10.1.1.1 | 173.194.34.134 | 20457 | 80 | 6 | 0 | Ethernet 0 | HTTP
10.1.1.1 | 72.163.4.161 | 30307 | 80 | 6 | 0 | Ethernet 0 | YouTube

 flow record app_record
  match ipv4 source address
  match ipv4 destination address
  match …
  collect application name

The first packet of a flow creates the flow entry using the key fields; the remaining packets of the flow only update its statistics (bytes, counters, timestamps). The application name is a collected (non-key) field supplied by NBAR, which is how two flows that look identical at the port level (both TCP/80) are reported as HTTP and YouTube.
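The flow-cache behaviour described above, together with the three custom-application match forms from the "Define your own application in NBAR2" slide (static port, ASCII string in the first 255 bytes of payload, HTTP host regex) and the "port 80 is not necessarily HTTP" point, as an added Python example. This is illustrative code written for this page, not IOS, NBAR2 or Flexible NetFlow code; the rules, the addresses beyond the two on the slide, the payloads and the interface name are constructed.

```python
"""Added example, not from the Cisco deck: a miniature Flexible NetFlow
cache with an NBAR2-style application classifier feeding a non-key field.

Key fields (src/dst IP, src/dst port, L3 protocol, TOS, ingress interface)
identify a flow: the first packet creates the entry, later packets only
update counters and timestamps. 'application name' is a collected (non-key)
field filled by a small classifier modelled on the three custom-application
forms NBAR2 offers: a static port, an ASCII string in the first 255 bytes of
payload, and an HTTP Host regex. Rule names, addresses, payloads and the
interface name are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

TCP = 6  # IANA protocol number; the only L3 protocol used below


@dataclass(frozen=True)
class Key:
    """The seven key fields from the slide; identical values = same flow."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    tos: int
    ingress: str


@dataclass
class FlowEntry:
    """Non-key fields: updated on every packet, app set once."""
    app: str = "unknown"
    packets: int = 0
    bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


# Constructed custom-application rules, one per NBAR2 custom-match form.
PORT_RULES = {(TCP, 23): "telnet"}                                # static port
PAYLOAD_RULES = [("BitTorrent protocol", "bittorrent")]           # ASCII in payload
HOST_RULES = [(re.compile(r"(^|\.)youtube\.com$"), "youtube")]    # Host regex
HOST_HEADER = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+)", re.IGNORECASE)


def classify(key: Key, payload: bytes) -> str:
    """Return an application name or 'unknown'.

    Payload rules run first and the port table last: port 80 is HTTP by
    convention, but only the payload says what is really carried on it.
    """
    window = payload[:255]  # NBAR2 custom payload matches look this deep
    for needle, app in PAYLOAD_RULES:
        if needle.encode("ascii") in window:
            return app
    m = HOST_HEADER.search(window)
    if m:
        host = m.group(1).decode("ascii", "replace").split(":")[0].lower()
        for pattern, app in HOST_RULES:
            if pattern.search(host):
                return app
        return "http"  # well-formed HTTP request, no custom host match
    return PORT_RULES.get((key.proto, key.dst_port), "unknown")


class FlowCache:
    def __init__(self) -> None:
        self.entries: dict[Key, FlowEntry] = {}

    def observe(self, key: Key, payload: bytes, size: int, ts: float) -> FlowEntry:
        """First packet of a flow creates the entry; the rest update stats."""
        entry = self.entries.get(key)
        if entry is None:
            entry = FlowEntry(first_seen=ts)
            self.entries[key] = entry
        entry.packets += 1
        entry.bytes += size
        entry.last_seen = ts
        if entry.app == "unknown" and payload:  # classify on first payload
            entry.app = classify(key, payload)
        return entry


def demo() -> dict[str, tuple[str, int, int]]:
    """Replay constructed packets for the two flows on the slide plus two
    more; returns {dst_ip: (app, packets, bytes)}."""
    cache = FlowCache()
    k1 = Key("10.1.1.1", "173.194.34.134", 20457, 80, TCP, 0, "Ethernet0")
    k2 = Key("10.1.1.1", "72.163.4.161", 30307, 80, TCP, 0, "Ethernet0")
    k3 = Key("10.1.1.1", "192.0.2.10", 40001, 23, TCP, 0, "Ethernet0")
    k4 = Key("10.1.1.1", "198.51.100.7", 50010, 80, TCP, 0, "Ethernet0")
    packets = [
        (k1, b"", 60, 1.00),  # SYN: no payload, app stays unknown for now
        (k1, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", 300, 1.01),
        (k2, b"GET /watch?v=x HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n", 320, 1.02),
        (k1, b"", 52, 1.05),  # ACK: counters only, verdict already set
        (k2, b"", 52, 1.06),
        (k3, b"\xff\xfd\x18", 55, 1.10),  # telnet option negotiation
        (k4, b"\x13BitTorrent protocol" + bytes(8), 88, 1.20),  # P2P on port 80
    ]
    for key, payload, size, ts in packets:
        cache.observe(key, payload, size, ts)
    return {k.dst_ip: (e.app, e.packets, e.bytes)
            for k, e in cache.entries.items()}
```

In a real NBAR2 deployment the verdict can arrive several packets into a flow and may be refined as more of the session is seen, so exported records should treat the application name as a late-bound attribute of the flow rather than a property of its first packet; the fourth flow shows why a port-only policy for "web" would silently carry BitTorrent.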
When users complain about an application problem
• What the users see: "Your network is so slow I cannot get any work done today."
• What network admins see: "I do not see anything wrong" (ping? traceroute? show ip route? show interface?)
• What can happen: increased latency, a WAN problem, an application problem, a server problem, a user problem
Application Response Time (ART)
Application response time provides insight into application behavior (network vs. server bottleneck) to accelerate problem isolation. It separates the application delivery path into multiple segments: Client Network Delay (CND) across the client network, Server Network Delay (SND) across the server network, and Application Delay (AD) at the application servers; Network Delay (ND) = CND + SND, and the total delay spans the request and its response. SND approximates the WAN delay (latency) per application.
Understand IOS ART metrics calculation (for your reference)
[Sequence diagram between client and server: the SYN, SYN-ACK, ACK handshake with CND and SND marked; the request segments; the response DATA segments, including a retransmission; the RT and TT intervals marked.]
Response Time (RT) = t(first response pkt) – t(last request pkt)
Transaction Time (TT) = t(last response pkt) – t(first request pkt)
Network Delay (ND) = CND + SND
Application Delay (AD) = RT – SND
These metrics quantify user experience and identify server performance issues.
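The four formulas above carried through on a constructed packet trace, as an added Python example written for this page, not Cisco's ART implementation. It assumes a trace recorded at a single monitoring point with the packet kinds labelled in advance, takes SND from the SYN/SYN-ACK pair and CND from the SYN-ACK/ACK pair, and uses invented timestamps and diagnosis thresholds.

```python
"""Added example, not from the Cisco deck: the IOS ART metrics on the
slide above (RT, TT, ND = CND + SND, AD = RT - SND) computed from a
constructed TCP packet trace as seen at one monitoring point.

Each trace entry is (timestamp_ms, direction, kind): direction is "c2s"
or "s2c"; kind is "syn", "synack", "ack" (handshake ACK), "req" (request
data) or "rsp" (response data). SND is taken from SYN to SYN-ACK and CND
from SYN-ACK to the handshake ACK, which is how the client and server
network legs are split around the monitoring point. Timestamps and the
diagnosis thresholds are invented for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # milliseconds since trace start
    direction: str   # "c2s" or "s2c"
    kind: str        # syn | synack | ack | req | rsp


@dataclass
class ArtMetrics:
    cnd: float  # Client Network Delay
    snd: float  # Server Network Delay
    rt: float   # Response Time
    tt: float   # Transaction Time
    nd: float   # Network Delay = CND + SND
    ad: float   # Application Delay = RT - SND


def art_metrics(trace: list[Pkt]) -> ArtMetrics:
    """Derive the ART metrics for one request/response transaction.

    RT = t(first response pkt) - t(last request pkt)
    TT = t(last response pkt)  - t(first request pkt)
    ND = CND + SND
    AD = RT - SND   (time the server itself spent before answering)
    The trace must be in arrival order and contain one full handshake.
    """
    by_kind: dict[str, list[Pkt]] = {}
    for p in trace:
        by_kind.setdefault(p.kind, []).append(p)
    for needed in ("syn", "synack", "ack", "req", "rsp"):
        if needed not in by_kind:
            raise ValueError(f"trace has no {needed} packet")
    snd = by_kind["synack"][0].ts - by_kind["syn"][0].ts
    cnd = by_kind["ack"][0].ts - by_kind["synack"][0].ts
    requests, responses = by_kind["req"], by_kind["rsp"]
    rt = responses[0].ts - requests[-1].ts
    tt = responses[-1].ts - requests[0].ts
    return ArtMetrics(cnd=cnd, snd=snd, rt=rt, tt=tt, nd=cnd + snd, ad=rt - snd)


def diagnose(m: ArtMetrics, ad_max_ms: float = 100.0, nd_max_ms: float = 100.0) -> str:
    """Coarse isolation in the spirit of the 'detect application server
    problem' slide; the thresholds are assumptions, not IOS defaults."""
    slow_server = m.ad > ad_max_ms
    slow_network = m.nd > nd_max_ms
    if slow_server and slow_network:
        return "both"
    if slow_server:
        return "server"
    if slow_network:
        return "network"
    return "ok"


# Constructed trace: the monitor sits close to the client (CND small, SND
# larger) and the server takes a quarter of a second to start answering.
SERVER_BOUND = [
    Pkt(0.0, "c2s", "syn"),
    Pkt(40.0, "s2c", "synack"),   # SND = 40 ms
    Pkt(42.0, "c2s", "ack"),      # CND = 2 ms
    Pkt(45.0, "c2s", "req"),      # first request packet
    Pkt(47.0, "c2s", "req"),      # last request packet
    Pkt(337.0, "s2c", "rsp"),     # first response packet: RT = 290 ms
    Pkt(360.0, "s2c", "rsp"),
    Pkt(395.0, "s2c", "rsp"),     # last response packet: TT = 350 ms
]

# Same transaction, but the WAN leg is slow and the server is quick.
NETWORK_BOUND = [
    Pkt(0.0, "c2s", "syn"),
    Pkt(180.0, "s2c", "synack"),  # SND = 180 ms
    Pkt(183.0, "c2s", "ack"),     # CND = 3 ms
    Pkt(185.0, "c2s", "req"),
    Pkt(375.0, "s2c", "rsp"),     # RT = 190 ms, AD = 10 ms
    Pkt(400.0, "s2c", "rsp"),     # TT = 215 ms
]
```

Where the monitor sits decides how ND splits between CND and SND: on a branch router most of ND lands in SND, in the data centre most of it lands in CND, so compare AD (which is independent of that split) before blaming either side. Retransmissions, drawn on the slide, are not modelled here; a retransmitted request segment moves "last request packet" later and shrinks the computed RT, so a real implementation has to recognise them by TCP sequence number.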
Medianet performance monitoring metrics (default RTP record, for your reference)
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match transport rtp ssrc
 collect routing forwarding-status
 collect ipv4 dscp
 collect ipv4 ttl
 collect transport packets expected counter
 collect transport packets lost counter
 collect transport packets lost rate
 collect transport event packet-loss counter
 collect transport rtp jitter mean
 collect transport rtp jitter minimum
 collect transport rtp jitter maximum
 collect interface input
 collect interface output
 collect counter bytes
 collect counter packets
 collect counter bytes rate
 collect timestamp interval
 collect application media bytes counter
 collect application media bytes rate
 collect application media packets counter
 collect application media packets rate
 collect application media event
 collect monitor event
Detect application server problem
End-user experience is impacted because the application is slow.
[Chart: transaction time and response time over time, broken down into server delay and network latency.]
Detect voice/video Problem
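The counters of the Medianet RTP record above (packets expected, packets lost, loss rate, jitter mean/minimum/maximum) computed from raw RTP packets, as an added Python example that shows what a voice/video problem looks like in numbers. It is written for this page, not Cisco's Medianet implementation: it follows RFC 3550 for the header layout, the expected/lost counting and the interarrival jitter estimator, and the SSRC, clock rate, packet spacing, drops and arrival times are constructed.

```python
"""Added example, not from the Cisco deck: the loss and jitter counters of
the Medianet RTP record (packets expected, packets lost, loss rate, RTP
jitter mean/min/max) computed from a constructed stream of raw RTP packets.

Packets are parsed with the RTP fixed header (RFC 3550 section 5.1).
Expected/lost counts use the extended-sequence-number method and jitter the
interarrival estimator J = J + (|D| - J) / 16 from RFC 3550 section 6.4.1,
where D compares arrival spacing with RTP-timestamp spacing. The SSRC, the
8 kHz clock, the 20 ms packetisation and the arrival times are invented.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class RtpHeader:
    seq: int
    ts: int          # media clock units
    ssrc: int
    payload_type: int


def parse_rtp(buf: bytes) -> RtpHeader:
    """Parse the 12-byte fixed header; refuse anything not RTP version 2."""
    if len(buf) < 12:
        raise ValueError("short packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", buf[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return RtpHeader(seq=seq, ts=ts, ssrc=ssrc, payload_type=b1 & 0x7F)


def build_rtp(seq: int, ts: int, ssrc: int, pt: int = 0) -> bytes:
    """Constructed packet: V=2, no padding/extension/CSRC, marker 0, 20-byte body."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + bytes(20)


@dataclass
class RtpStats:
    expected: int
    received: int
    lost: int
    loss_rate: float
    jitter_mean_ms: float
    jitter_min_ms: float
    jitter_max_ms: float


def rtp_stats(packets: list[tuple[int, bytes]], clock_hz: int = 8000) -> RtpStats:
    """packets: (arrival_ms, raw_rtp) in arrival order, all from one SSRC."""
    base_ext = max_ext = None
    received = 0
    jitter = 0.0          # running estimate in clock units
    samples: list[float] = []
    prev: tuple[int, int] | None = None   # (arrival_ms, rtp_ts)
    for arrival, raw in packets:
        hdr = parse_rtp(raw)
        received += 1
        if max_ext is None:
            ext = base_ext = max_ext = hdr.seq
        else:
            # Extend the 16-bit sequence number relative to the highest seen,
            # so a wrap (65535 -> 0) and mild reordering are both handled.
            ext = (max_ext & ~0xFFFF) | hdr.seq
            if ext < max_ext - 0x8000:
                ext += 0x10000
            elif ext > max_ext + 0x8000:
                ext -= 0x10000
            max_ext = max(max_ext, ext)
        if prev is not None:
            d = (arrival - prev[0]) * clock_hz / 1000 - (hdr.ts - prev[1])
            jitter += (abs(d) - jitter) / 16
            samples.append(jitter)
        prev = (arrival, hdr.ts)
    if base_ext is None:
        raise ValueError("no packets")
    expected = max_ext - base_ext + 1
    lost = expected - received

    def to_ms(j: float) -> float:
        return j * 1000 / clock_hz

    samples = samples or [0.0]
    return RtpStats(expected, received, lost, lost / expected,
                    to_ms(sum(samples) / len(samples)), to_ms(min(samples)), to_ms(max(samples)))


def make_stream() -> list[tuple[int, bytes]]:
    """Constructed G.711-like stream: 10 packets of 20 ms (160 samples at
    8 kHz) starting at sequence 65530 so the counter wraps; two packets are
    dropped and one arrives 4 ms late."""
    ssrc = 0x1234ABCD
    out = []
    for i in range(10):
        seq = (65530 + i) & 0xFFFF
        if seq in (65533, 2):
            continue                       # simulated loss
        arrival_ms = i * 20 + (4 if seq == 65535 else 0)
        out.append((arrival_ms, build_rtp(seq, i * 160, ssrc)))
    return out
```

Two drops out of ten give a 20% loss rate, and a single 4 ms late packet is enough to push the jitter estimate to almost half a millisecond before it decays; the 16-bit sequence wrap inside the stream is handled by the extended sequence number, which is the same reason a real monitor keys the record on the SSRC and not on the wire sequence alone.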
Growing applications in the network: application-based policy enforcement
Range of applications in the network:
• Different traffic characteristics • Different bandwidth requirements • Different tolerances to delay and loss • Different service level expectations
Legacy policies are:
• Port- or ACL/DSCP-driven (no granularity) • Difficult to enforce for many applications • Not scalable for big deployments (many ACEs)
AVC provides:
• Application-based policy enforcement (NBAR2/metadata + QoS)
• Scalable, intuitive policies aligned to business logic
• Policy performance reporting (NBAR2/metadata + QoS + FNF)
Modular QoS traffic classification
Discover applications using NBAR2. Stateful classification creates policies irrespective of IPv4 or IPv6 traffic (IPv4 and native IPv6), simplifying policy management; it supports both input and output traffic.
[Diagram: HQ and branch routers (MC/BR, BR) connected over WAN1 (IP-VPN) and WAN2 (IP-VPN, DMVPN).]

What traffic?
 class-map match-any peer2peer
  match protocol kazaa2
  match protocol gnutella
  match protocol fasttrack

How to treat the traffic?
 policy-map limit-p2p
  class peer2peer
   bandwidth percent 10

Where to apply?
 interface Serial1
  service-policy output limit-p2p

Note that "bandwidth percent 10" is a CBWFQ guarantee: under congestion it reserves at least 10% of the link for the class, and when the link is idle the class may use more. A policy that is meant to cap peer-to-peer traffic, as the name "limit-p2p" suggests, needs a "police" (or "shape") action in the class rather than a bandwidth reservation.
Key Takeaways
• Architectures are important
• Unified Access – different solutions
• Unified Access – "same" functionality
• AVC – it's time to take control