Application Visibility and Experience through Flexible Netflow

Transcription

1

2 Application Visibility and Experience through Flexible Netflow Murali Erraguntala, Product Manager Gurudutt Pai, Technical Marketing Engineer DEVNET

3 Agenda Application Visibility and Control Overview AVC Building Blocks (NBAR, Custom Application, PerfMon, FNF etc) Application Recognition WHAT is AVC and WHY AVC is Required? Objective of AVC Application Visibility and Monitoring (Partners Role) Flexible Netflow Traffic Statistics, Unified Monitoring, Granular Monitoring URL Statistics Monitoring Applications HOW including Partners Voice and can Video add VALUE? ezpm Profiles DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 3

4 What is AVC Enabling Application Aware Networks DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 Application Visibility and Control - Overview Application Ecosystem Service Cross Ubiquity Vertical Integration Richness Partners Analytics Application Billing Security DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 End to End AVC Support Matrix Visibility Monitoring Control For Your Reference Wireless (WLC, AP) Limited Wired Access Roadmap Distribution, Core WAN Edge Internet Edge Data Center Firewall & Security NA DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 AVC Building Blocks Application Recognition Reporting of Usage (BW, Top Users, Perf Metrics) Troubleshoot applications. Business policy driven routing Delivers NBAR2 Protocol Pack URL Port Custom Signature IP Address SSL PPDK Flexible NetFlow PerfMon Across 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

8 Deliver Best Application Experience By Optimizing Utilization of Customer Networks And Minimizing IT Cost Through Simple, yet Powerful Ways of Application Awareness Application Analytics Application Control Application Experience On Device Mandatory (FNF) Optional (APIs) Optional (FNF) Partner Products 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

9 Application Reporting Network Wide Visibility DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 Flexible Netflow (FNF) App discovery (w/ NBAR2) and Bandwidth Usage Report NetFlow is the de-facto mechanism to provide visibility on network utilization Collect and export network information and usage statistics and performance data Backward compatible with TNF records Flexibility in defining fields and flow record format Utilize Netflow Version 9 format which is extensible FNF supports IPFIX Consist of data collection (flow monitor) and data export (flow export) Open-standard, can be analyzed by Cisco Prime NAM, Cisco Prime Assurance Manager, and 3rd Party Tools Usage of FNF Analytics Capacity Planning Performance Monitoring Application Troubleshooting Billing Security Peering Traffic Monitoring MSP: Multi-Tenant Reports DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Flexible NetFlow - NBAR Integration News Key Fields Packet #1 Source IP Destination IP Source Port Destination Port 23 Layer 3 protocol 6 TOS byte 0 Ingres Interface Ethernet 0 flow record app_record! match ipv4 source address! match ipv4 destination address! match..! match application name!! NetFlow cache Key Fields Packet #2 Source IP Destination IP Source Port Destination Port 80 Layer 3 protocol 6 TOS byte 0 Ingres Interface Ethernet 0 Src. IP Dest. IP Src. Port Dest. Port Layer 3 Prot. TOS Byte Ingress Intf. App Name Timesta mps Ethernet Ethernet 0 HTTP Ethernet 0 Youtube Byttes Packets First packet of a flow will create the Flow entry using the Key Fields Remaining packets of this flow will only update statistics (bytes, counters, timestamps) DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 Metering Process Multiple Monitors with Unique Key Fields Traffic Flow Monitor 1 Flow Monitor 2 Key Fields Packet 1 Source IP Destination IP Source Port 23 Destination Port Non-Key Fields Packets Bytes Timestamps Next Hop Address Key Fields Packet 1 Source IP Destination IP Input Interface Gi0/1 Non-Key Fields Packets Timestamps Layer 3 Protocol TCP - 6 TOS Byte 0 Input Interface Ethernet 0 Traffic Analysis Cache Security Analysis Cache Source IP Dest. IP Source Port Dest. Port Protocol TOS Input I/F Pkts Source IP Dest. IP Input I/F Pkts E Gi0/ DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Key Fields vs Non-Key Fields match ipv4 dscp match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input collect interface output collect counter bytes long collect counter packets collect policy qos class hierarchy collect policy qos queue drops Uniquely identifies flow and aggregates the usage statistics Flexible number of match statements Identifies parameters to collect and export Flexible number of collect statements 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

14 Flexible NetFlow Configuration Configure the Exporter flow exporter my-exporter Where do I want my data sent? destination Configure the Flow Record flow record my-record match ipv4 destination address What data do I want to meter? match ipv4 source address collect counter bytes Configure the interface int s3/0 Configure NetFlow on the interface ip flow monitor my-monitor input Configure the Flow Monitor Creates a new NetFlow cache flow monitor my-monitor Attach the flow record exporter my-exporter Exporter is attached to the cache record my-record Potential sampling configuration DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 14

15 Use Case #1 Application Client-Server Stats Traffic statistics per client and server flow record RECORD-CLIENT-SERVER-STATS match ipv4 dscp match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input match application name [account-on-resolution] collect interface output collect counter bytes long collect counter packets (..)! vs flow record RECORD-CLIENT-SERVER-STATS match application name [account-on-resolution] collect interface output collect counter bytes long collect counter packets (..)! match application name : calls NBAR2 account-on-resolution : accurate accounting until classification DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 Use Case #2 IP Accounting Replacement Collecting Per DSCP Usage Example flow record RECORD-FNF-DSCP-INGRESS match ipv4 dscp collect counter bytes long collect counter packets long collect application name! Flow record is created for each DSCP value DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 Use Case #3 QoS Queue Hierarchy Reports QoS Class-ID, Queue Drops and Queue Hierarchy Export with FNF policy-map P1 class C1 shaping average service-policy child policy-map child class C11 bandwidth remaining percent 10 class C12 bandwidth remaining percent 70 class class-default bandwidth remaining percent 20 class-map match-all C1 match any class-map match-all C11 match ip dscp ef class-map match-all C12 match ip dscp cs2 flow record RECORD-QoS-Hierarchy match ipv4 dscp match interface input collect policy qos class hierarchy collect policy qos queue drops! Queue id Queue packet drops Flow Hierarchy Queue id Flow 1 P1, C1, C11 1 Flow 2 P1, C1, C11 1 Flow 3 P1, C1, C12 2 For each flow, the class hierarchy and queue drops can now be exported through FNF Class-ID to Name mapping provided through separate Option Templates 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

18 NBAR2 Field Extraction Overview Ability to look into specific applications for additional field information NBAR2 extracted fields from HTTP, RTP, PCOIP, etc for QoS configuration HTTP Header Fields Eases classification of voice and video traffic VoIP, streaming/real time video, audio/video conferencing, Fax over IP Distinguishes between RTP packets based on payload type and CODECS Some extracted fields within Flexible NetFlow and Unified Monitoring Protocol Fields Length FNF Configuration Syntax HTTP URL * collect application http url HTTP Host 50 collection application http host HTTP User-agent 200 collection appllication http user-agent HTTP Referer * collect application http referer RTSP Host 50 collection application rtsp host-name SMTP Server 50 collect application smtp server SMTP Sender 50 collect application smtp sender POP3 Server 50 collect application pop3 server NNTP Group Name 50 collect application nntp group-name SIP Source Domain 50 collect application sip source SIP Destination Domain 50 collect application sip destination DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 NBAR2 HTTP Field Extraction Se0/0/0 (IP= ) Ability to extract information from HTTP message (IP= ) collect application http URL collect application http user-agent collect application http referer GET /weather/getforecast?time=37&&zipcode=95035 HTTP/1.1 Host: svcs.cnn.com collect application http host User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/ Firefox/ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 19

20 Use Case #4 - Top Domain and URL Hit Count Report Configuration Sample NBAR extracts fields from flows and exposes it into Application Response Time Engine (ART). ISRG2/ASR1k: ART Metrics integrated with Unified Monitoring Requires IPFIX export for variable length fields (URL) ASR1k Unified Monitoring flow record type performance-monitor ART-RECORD-URL match connection transaction-id collect application http url collect application http host ISR- G2k - Unified Monitoring & MACE (backward compagbility) flow record type mace PA-RECORD collect application http uri statistics collect application http host! Using a connection/ transaction records with export on transaction-end. So hit count =1, each URL is exported on a different record. ISRG2 supports MACE also for backward compatibility DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 NBAR2 Field Extraction Sub-application ID Format NBAR2 Sub-application ID Format (variable length) 4 bytes 2 bytes Variable length flow record MYRECORD collect application http host NBAR App ID Sub App ID Extracted Value 0x x byte 3 bytes Engine ID Selector ID NBAR Application ASR1#! ID, i.e. 0x = HTTP ASR1#sh flow exporter option application table inc 3:80! ASR1#sh 3:80 http ip nbar parameter Extracted extraction value World Wide http! Web traffic!! 3:8080 http-alt HTTP Alternate! Protocol 3:801 device Parameter device! ID! 13:80 cifs common internet file system! NBAR Sub-application ID from show ip nbar --! parameters http ASR1#! extraction and sub-application-table referer option ! template. Only http user-agent ! take the last two bytes, 0x3402 = HTTP Host http host ! 0x = 80 http url ! 0x03 = port (IANA_L4_STANDARD, ID: 3) 0x33402 DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 NBAR2 Field Extraction Sub-port Classification ica-tag text-chat file-transfer file-transfer file-transfer file-transfer audio audio app file-transfer video video Citrix Edonkey FastTrack Gmail Gnutella Kazaa2 RTP Webexmeeting search-filename payloadtype payloadtype Citrix: Fasttrack: Gnutella: RTP: HTTP: DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 Application Attributes Group Based Reports Traffic Class VoIP Telephony Broadcast Video Real-Time Interactive Multimedia Conferencing Multimedia Streaming Network Control Signaling Ops / Admin / Mgmt (OAM) Business Relevance Business Relevant Default Business Irrelevant Transactional Data Bulk Data Best Effort 1400 Apps Scavenger DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Application Troubleshooting Faster Isolation and Resolution DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 When users complain about Application Problem Network is very slow, I am not able to get any work done ping? show ip route? traceroute? show interface? I don t see any thing wrong Increased Latency WAN Problems Application Problems Server Problems User Problems DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 Application Performance Monitoring Perf-Mon monitors voice and video application for latency, delay, jitter ART monitors TCP applications for network/client/server delay Performance Collection Traffic Statistics Voice and Video Performance (Perf-Mon) 30% of bandwidth is voice and video Critical Applications Performance (Application Response Time) What applications, how much bandwidth, flow direction? (Flexible NetFlow and NBAR2) 40% of bandwidth is critical applications HTTP HTTP DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 26

27 Performance Monitoring Single Flow Record Type Use RTP Case SSRC RTP Voice, Jitter Video (min/max/mean) Apps Transport L4 L7 Metrics Counter (expected/loss) Media Counter (bytes/packets/rate) Platforms Media Event ISR G2 Collection interval ASR1K/ XE TCP MSS Cat6K TCP round-trip time Cat4K Cat3K 3850 Media Monitoring Application Response Time Use CND Case - Client Network Delay (min/max/sum) SND HTTP, Server TCP Apps Network Delay (min/max/sum) ND L4-L7 Network Metrics Delay (min/max/sum) AD Application Delay (min/max/sum) Platforms Total Response Time (min/max/sum) Total ISR G2 Transaction Time (min/max/sum) Number ASR1K/ of XE New Connections Number NAM of Late Responses Number of Responses by Response Time (7-bucket histogram) Number of Retransmissions Number of Transactions Client/Server Bytes Client/Server Packets Other Metrics Use L3 Case counter (bytes/packets) Flow All IP event Apps Flow L3-L4 direction Metrics Client and server address Platforms Source and destination address Transport ISR G2 information Input and output interfaces ASR1K/ XE L3 information (TTL, DSCP, TOS, etc.) Cat6K Application information (from NBAR2) Cat4K Monitoring class hierarchy 3850 NAM All performance metrics are consolidated into one flow record type performance-monitor DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 Application Response Time Network Path Segments Clients Request Client Network AVC Server Network Application Servers Response Client Network Delay (CND) Server Network Delay (SND) Application Delay (AD) Network Delay (ND) Total Delay Application response time provides insight into application behavior (network vs server bottleneck) to accelerate problem isolation Separate application delivery path into multiple segments Server Network Delay (SND) approximates WAN Delay Latency per application DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 28

29 Understand IOS ART Metrics Calculation Client SYN CND ART SND SYN-ACK Server Request ACK Request 1 ACK Network Delay (ND) ND = CND + SND Request 1 (Cont) TT RT DATA 1 DATA 2 Response Time (RT) t(first response pkt) t(last request pkt) ACK 3 X X DATA 3 DATA 4 DATA 5 DATA 3 Response Transaction Time (TT) t(last response pkt) t(first request pkt) Quantify User Experience ACK 6 DATA 4 Retransmission Application Delay (AD) AD = RT SND Identify Server Performance Issue DATA 6 Request 2 DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 Flexible Netflow Unified Monitoring Common CLI and Framework to Export Various Metrics Netflow ART flow record RECORD-FNF match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input match flow direction collect interface output collect counter bytes long collect counter packets flow record type performance-monitor my-rec match routing vrf input match ipv4 protocol match application name match connection client ipv4 address match connection server ipv4 address match connection server transport port collect ipv4 dscp collect connection delay response to-server sum collect connection server counter responses collect connection delay network to-server sum collect connection delay network to-client sum Define Flow Record - Match & Collect Define Flow Exporter - where to send flow record type performance-monitor my-rec match routing vrf input match ipv4 protocol match application name account-on-resolution match connection client ipv4 address match connection server ipv4 address match connection server transport port collect connection new-connections collect connection sum-duration collect connection server counter bytes long collect connection server counter packets long collect connection client counter bytes long collect connection client counter packets long flow record type performance-monitor pm-ipv4 match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match ipv4 protocol match transport rtp ssrc collect transport packets lost counter collect transport packets lost rate collect transport rtp jitter mean collect transport rtp jitter minimum collect transport rtp jitter maximum collect application media packets rate Apply Flow monitor to Interface, Direction Conversation Stats Perf-Mon Unified Monitoring Common with Metric Flexible Mediation Netflow Based Agent Monitoring (MMA) is available since 15.4(1)T Customer are advised to migrate from MACE to MMA 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

31 ezpm Profiles Template based configuration DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 ezpm Profile Predefined profiles for monitoring Enable ez-pm CLI to get visibility + monitoring stats reported via netflow to prime Configures exporters Enable / Disables various traffic-monitors (a.k.a tools) For each traffic-monitor, overrides some default parameters (IPv4/6, Ingress/Egress, traffic to which the monitor is applied, cache size..) Equivalent ~650 lines of configuration Monitor Name Application- Response-Time (ART) URL Media Conversation- Traffic-Stats All TCP Default Traffic Classification HTTP applications RTP applications over UDP Remaining traffic not matching other classifications DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 Types of ezpm Profiles Application Stats Application Performance Application Experience Addresses application-stats most common deployments application-client-server-stats (capacity planning) Aggregated App level stat (examples - Top N Apps, BW per App, Top clients/servers per App Per interface/application statistics Per client/server/application/interface statistics Addresses application-stats most common deployments (capacity application-client-server-stats planning) with more details than application-stats profile application-response-time Aggregated App level stat (examples - Top url N Apps, BW per App, Top clients/ servers media per App Additional metrics, granularity Selectively application-traffic-stats enable fine grain only for conversion-traffic-stats critical apps (and not all traffic). Performance application-response-time metrics Very url detailed media DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 33

34 ezpm Profile! User defined ezpm context performance monitor context MYTEST profile application-statistics exporter destination source GigabitEthernet0/0/1 traffic-monitor! User defined application-stats ezpm context traffic-monitor performance application-client-server-stats monitor context MYTEST profile application-performance! traffic-monitor! User defined url ezpm context! Attach traffic-monitor performance the context application-client-server-stats monitor the interface context MYTEST profile application-experience interface traffic-monitor traffic-monitor GigabitEthernet0/0/2 application-stats url performance traffic-monitor traffic-monitor application-response-time application-traffic-stats context MYTEST! traffic-monitor traffic-monitor media conversation-traffic-stats! traffic-monitor application-response-time! Attach! the context to the interface interface! Attach Ethernet0/0 context to the interface performance interface Ethernet0/0 monitor context MYTEST! performance monitor context MYTEST DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 34

35 Opportunities for Follow-up Become a DevNet Community member: AVC DevNet Page: DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 35

36 Continue Your Education in the DevNet Zone Take the DevNet Workshop DEVNET-2048: Application Visibility and Experience through Flexible Netflow Workshop Meet the Experts at the Demo Pods DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us. Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 37

38 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 38

39 Please join us for the Service Provider Innovation Talk featuring: Yvette Kanouff Senior Vice President and General Manager, SP Business Joe Cozzolino Senior Vice President, Cisco Services Thursday, July 14 th, :30 am - 12:30 pm, In the Oceanside A room What to expect from this innovation talk Insights on market trends and forecasts Preview of key technologies and capabilities Innovative demonstrations of the latest and greatest products Better understanding of how Cisco can help you succeed Register to attend the session live now or watch the broadcast on cisco.com DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 39

40 Thank you DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 40

41