My Cisco Live! research presentation on QoS for non-QoS aware WANs and implementation of "Remote Ingress Shaping"

1. Designing Multipoint WAN QoS
BRKRST-3500
Eddie Kempe
Solutions Architect

2. Bridge Puzzle
§ Need the flashlight to cross
§ Only two at a time
§ Fast as slowest person
§ Abe – 1 Minute
§ Bob – 2 Minutes
§ Chad – 5 Minutes
§ Dave – 6 Minutes
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
2

3. Bridge Puzzle
What if the slow guys walk
together?
§ Abe + Bob (2)
§ Abe returns (1)
§ Chad + Dave (6)
§ Bob returns (2)
§ Abe + Bob (2)
§ Total 13 Minutes
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
3

4. Abstract
§ Real-time and business critical application, such as cloud SaaS applications,
Unified Communications and video, are driving the need for any-to-any
connectivity with deterministic Quality of Service (QoS). This creates new
challenges for multipoint wide area network (WAN) environments that are not
QoS-aware, such as the Internet and DMVPN networks.
§ While the requirements have changed, the tools available to provide QoS in
multipoint WAN environments have not. QoS policy enforcement points lack
visibility into the quantity and type of traffic being received at branch and
teleworker offices, forcing network designers to choose between resource
underutilization or possible loss of real-time and business critical traffic.
§ This session will examine new methods of meeting today's QoS challenges,
identify key design considerations, and review supporting case studies. It is
intended for network architects and designers of corporate WAN
infrastructures. An advanced understanding of QoS, WAN and virtual private
network (VPN) design principles is recommended.
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
4

5. Multipoint WAN QoS
Aggregation
Speed Mismatch
1000 Mbps
10 Mbps
1) Multipoint
2) 3rd Party
3) Non-QoS Aware
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
5

6. Agenda
§ Scenario: Teleworker QoS
§ Remote Ingress Shaping Theoretical Background
§ Implementing Remote Ingress Shaping
§ Proof of Concept Lab
§ Internet-Based Proof of Concept Lab
§ Putting it all together
§ Remote Ingress Shaping and Teleworker Revisited
§ Additional Use Cases
§ Buck’s Financial
§ Looking Ahead
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
6

7. Agenda
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
7

8. Scenario: Teleworker QoS

9. Teleworker Overview
Residential Traffic
DC1
DC2
Internet
PE
ISP
CPE
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
9

10. Ingress Oversubscription
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
10

11. QoS Success Criteria
1. Protect voice and video
2. Protect business applications
3. Meet user expectations
4. Utilize resources
5. Flexibility
6. Financial feasibility
7. Operationally feasibility
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
11

12. QoS Success Criteria
1. Can I protect voice and video services from data?
2. Can I differentiate traffic to ensure business
critical applications are not impacted?
3. Are applications performing as expected?
4. Does the solution utilize my available resources?
5. Can I deliver new services or change policy?
Example: Add voice or video to the network
6. Is the solution financially feasible?
7. Is the solution operationally feasible?
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
12

13. Available Approaches
§ No QoS (do nothing)
§ Change the topology
Force hub and spoke topology
§ Head-end shaping/per-tunnel QoS
§ Move to a QoS-aware WAN service
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
13

14. No QoS
Source http://www.bricklin.com/qos.htm
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
14

15. No QoS
§ Simple?
§ QoS is most important under adverse conditions
§ Can’t always throw bandwidth at the problem
§ Lack of QoS can delay
Adoption of new applications
Business capabilities
§ Can’t satisfy success criteria without it!
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
15

16. Force Hub and Spoke
§ Similar to point-to-point topologies
§ Implies Active/Standby
§ Residential/Guest traffic backhauled to hub
§ Hairpin of spoke-to-spoke traffic
Increases latency
Consumes hub bandwidth
Traffic is increasingly peer-to-peer
§ Inflexible
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
16

17. Head-end shaping/per-tunnel QoS
Datacenter 1
Datacenter 2
Per Tunnel QoS
§ Shaping from hub to spoke
ISP/SP
Per-tunnel
Per-Security Association (SA)
§ Deterministic and
well understood
§ Great for hub and spoke
ISP/SP
Branch
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
17

18. Head-end shaping/per-tunnel QoS
Shaper has no visibility to multipoint traffic
§ TCP applications must go through the DC
§ Static reservation for spoke-to-spoke UDP
§ Remaining bandwidth statically divided among
active datacenters
§ See calculations in Buck’s Financial case study
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
18

19. DMVPN Per Tunnel QoS (Dynamic)
• Available in 12.4(22)T
• NHRP group per policy
! DMVPN Hub Configuration
Policy-map SHAPING-1.5MBPS
Class class-default
shape average 1500000
service-policy site
Policy-map SHAPING-1.0MBPS
Class class-default
shape average 1000000
service-policy site
interface Tunnel1
bandwidth 45000
ip address 10.0.0.1 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp map group group1 service-policy output SHAPING-1.5MBPS
ip nhrp map group group2 service-policy output SHAPING-1.0MBPS
! Spoke Configuration
interface Tunnel1
bandwidth 1500
ip address 10.0.0.2 255.255.255.0
ip nhrp group group1
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
19

20. QoS-Aware WAN Services
Datacenter 1
Datacenter 2
§ Excellent multipoint model
§ QoS enforcement point has
visibility to all traffic
ISP/SP
§ Cooperation model
with ISP/SP
§ Dependent on
QoS configurations offered
ISP/SP
§ Examples:
QoS Aware WAN
MPLS Services from a SP
Metro-Ethernet services
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Branch
Cisco Public
20

21. Solution Capabilities—Teleworker
No QoS
Per-Tunnel
QoS-Aware WAN
Service
Protect Voice and Video
No
No
Yes
Support Business Critical
Apps
Maybe
Maybe
Yes
Meet Performance
Expectations
Maybe
Maybe
Yes
Financially Feasible
Yes
Yes
No
Operationally Feasible
Maybe
Maybe
Yes
Valid Solution
No
No
No
Utilizes Available Resources
Flexibility to deliver new
services
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
21

22. Solution Capabilities—Teleworker
No QoS
Per-Tunnel
QoS-Aware
WAN Service
Protect Voice and Video
No
No
Yes
Support Business
Critical Apps
Maybe
Maybe
Yes
Meet Performance
Expectations
Maybe
Maybe
Yes
Utilizes Available
Resources
Yes
No
Yes
Flexibility to deliver new
services
No
Yes
Yes
Financially Feasible
Yes
Yes
No
Operationally Feasible
Maybe
Maybe
Yes
Valid Solution
No
No
No
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
22

23. Solution Capabilities—Teleworker
Remote
Ingress
Shaping
No QoS
Per-Tunnel
QoS-Aware
WAN Service
Protect Voice and Video
No
No
Yes
Yes
Support Business
Critical Apps
Maybe
Maybe
Yes
Yes
Meet Performance
Expectations
Maybe
Maybe
Yes
Yes
Utilizes Available
Resources
Yes
No
Yes
Yes
Flexibility to deliver new
services
No
Yes
Yes
Yes
Financially Feasible
Yes
Yes
No
Yes
Operationally Feasible
Maybe
Maybe
Yes
Maybe
Valid Solution
No
No
No
Maybe
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
23

24. Agenda
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
24

25. Theoretical Background

26. Location of QoS
Datacenter 1
Datacenter 2
Per Tunnel
ISP/SP
ISP/SP
ISP/SP
QoS Aware WAN
QoS at Branch?
Branch
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
26

27. Remote Ingress Shaping
Datacenter 1
Datacenter 2
§ Create artificial bottleneck
§ Move queuing from ISP
ISP
ISP
§ Control delay and drops
§ Slow down TCP
§ Prioritize UDP
ISP
Remote Ingress Shaping
Branch 1
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
27

28. Mathis and TCP performance
MSS
RTT
P
Maximum Segment Size
Round Trip Time
Loss probability
http://www.linuxsa.org.au/meetings/2003-09/tcpperformance.screen.pdf
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
28

29. Delay
Delay
Shaping puts “excess” traffic in a queue
Packets in Queue
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
29

30. TCP Loss
§ TCP design balance
Don’t over-run the receiver/network
Use available bandwidth
§ TCP will adjust to the correct rate based on delay
and drops
§ TCP drops packets!
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
30

31. Bandwidth
Bandwidth-Delay Product
Delay (RTT)
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
31

32. TCP Loss
§ There are 2 types of TCP loss
Detected by timeout (red area)
Detected by duplicate ACK (green area)
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
32

33. Summary
§ Slow TCP sessions
§ Preserve bandwidth-delay product
§ Make room for UDP
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
33

34. Agenda
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
34

35. Implementing Remote Ingress Shaping

36. Remote Ingress Shaping
Datacenter 1
Datacenter 2
Objective
§ Create artificial bottleneck
ISP
ISP
§ Move queuing from ISP
§ Control delay and drops
ISP
Remote Ingress Shaping
Branch 1
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
36

37. Ingress Shaping
Problems
§ Platform Support
§ Classification
Solution
ISP
§ Shape egress in
opposite direction
Branch
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
37

38. Remote Ingress Shaping
Configuration example
policy-map site
class voice
priority percent 33
class call-signaling
bandwidth percent 5
class critical-data
bandwidth percent 37
random-detect dscp-based
class class-default
bandwidth percent 25
random-detect
policy-map shape-in
class class-default
shape average 1500000
service-policy site
interface FastEthernet0/1
Description Connection to branch LAN
service-policy output shape-in
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
38

39. Multiple Egress Interfaces/Networks
“LAN” Interface must
Support HQoS
See all WAN traffic
Branch
ISP
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
39

40. Two Router Solution
ISP
R2
R1
Apply QoS Policy
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
40

41. VRF-Lite Solution
Branch Router
ISP
VRF1
VRF2
Apply QoS Policy
On loopback cable
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
41

42. 870 Series
Loopback Cable Solution would
consume 2 of 4 available LAN ports
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
42

43. GRE Loopback Tunnel Solution
Branch Router
VRF1
ISP
VRF2
Apply QoS Policy
On loopback tunnel
§ Works prior to HQF
§ Verified on 12.4(15)T
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
43

44. GRE Loopback Tunnel Configuration
Two VRFs (1)
ip vrf inside
rd 2:2
ip vrf outside
rd 1:1
interface Loopback0
ip address 10.1.3.3 255.255.255.255
interface Loopback1
ip address 10.1.3.4 255.255.255.255
!
interface Tunnel0
ip vrf forwarding outside
ip address 10.3.3.3 255.255.255.0
tunnel source Loopback0
tunnel destination 10.1.3.4
service-policy output shape-in
interface Tunnel1
ip vrf forwarding inside
ip address 10.3.3.4 255.255.255.0
tunnel source Loopback1
tunnel destination 10.1.3.3
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
44

45. GRE Loopback Tunnel Configuration
Two VRFs (2)
interface GigabitEthernet1/0
ip vrf forwarding inside
ip address 10.0.13.3 255.255.255.0
interface GigabitEthernet2/0
ip vrf forwarding outside
ip address 10.0.23.3 255.255.255.0
router eigrp 1
network 10.0.0.0
no auto-summary
!
address-family ipv4 vrf outside
network 10.0.0.0
no auto-summary
autonomous-system 1
exit-address-family
!
address-family ipv4 vrf inside
network 10.0.0.0
no auto-summary
autonomous-system 1
exit-address-family
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
45

46. GRE Loopback Tunnel Solution
Single VRF and Global Table
Branch Router
VRF1
ISP
Global
Apply QoS Policy
On loopback tunnel
§ Same as previous example
§ Easier migration and operation
§ Works prior to HQF
§ Verified on 12.4(15)T
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
46

47. GRE Loopback Tunnel Configuration
VRF and Global (1)
ip vrf outside
rd 1:1
!
interface Loopback0
ip address 10.1.3.3 255.255.255.255
interface Loopback1
ip address 10.1.3.4 255.255.255.255
!
interface Tunnel0
ip vrf forwarding outside
ip address 10.3.3.3 255.255.255.0
tunnel source Loopback0
tunnel destination 10.1.3.4
service-policy output shaper
!
interface Tunnel1
ip address 10.3.3.4 255.255.255.0
tunnel source Loopback1
tunnel destination 10.1.3.3
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
! Create 1 VRFs
! Create 2 loopback interfaces in global
! Tunnel 0 in VRF outside
! Tunnel 1 in global
Cisco Public
47

48. GRE Loopback Tunnel Configuration
VRF and Global (2)
interface GigabitEthernet1/0
ip address 10.0.13.3 255.255.255.0
!
interface GigabitEthernet2/0
ip vrf forwarding outside
ip address 10.0.23.3 255.255.255.0
!
router eigrp 1
network 10.0.0.0
no auto-summary
!
address-family ipv4 vrf outside
network 10.0.0.0
no auto-summary
autonomous-system 1
exit-address-family
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
! Physical interface in global table
! Physical WAN interface in VRF outside
! Create EIGRP peering between VRF
! VRF and global
Cisco Public
48

49. 890 Series
• IOS 15.0 and above (No GRE Loopback Cable)
• Physical loopback cable
• More ports including 2 WAN ports
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
49

50. Cisco 890 Loopback Cable Solution
Branch Router
ISP
Global
Switch
Apply QoS Policy
On loopback cable
§ Switch Ports (FA0 to FA7)
§ WAN Ports (FA8 and Gig0)
§ Treat switch ports as 2nd box
§ Connect 2nd WAN port to Switch
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
50

51. Cisco 890 Loopback Cable Solution
interface FastEthernet7
Description Loopback cable to Gig 0
!
interface FastEthernet8
description WAN Interface
ip address 10.10.10.99 255.255.255.0
ip nat outside
!
interface GigabitEthernet0
ip address 10.10.100.1 255.255.255.0
ip nat inside
service-policy output shaper
!!
interface Vlan1
no ip address
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
51

52. BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
52

53. Summary
§ These are tools you already know
§ Shape egress in opposite direction
§ Requires applicable interface
§ Shaping only at branch
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
53

54. Agenda
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
54

55. Remote Ingress Shaping
Proof of Concept

56. Lab Requirements
§ TCP session emulation (PC1 and PC2)
§ WAN emulator (WAN)
§ Bandwidth constrained link (ISP to CPE2 Link)
§ Remote CPE (CPE2)
§ Head-end CPE (CPE1) (optional)
§ Wireshark
PC1
BRKRST-3500
CPE1
WAN
© 2011 Cisco and/or its affiliates. All rights reserved.
ISP/SP
Cisco Public
CPE2
PC2
56

57. Test 1
ISP Drops vs. Shaped Rate
PC1
CPE1
WAN
ISP/SP
CPE2
PC2
Can we prevent ISP/SP drops due to a congested
WAN link?
1) Yes
2) Yes, but it is not practical
3) No, you can’t
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
57

58. ISP Drops vs. Shaped Rate
ISP Drops
600
Dropped Packets
500
400
300
200
100
0
10
9.9 9.8 9.7 9.6 9.5 9.4 9.3 9.2 9.1
9
8.9 8.8 8.7 8.6 8.5 8.4 8.3 8.2 8.1
8
Shaped Rate (Mbps)
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
58

59. Test 2
UDP Delay and Jitter vs. Shaped Rate
PC1
CPE1
WAN
ISP/SP
CPE2
PC2
Can we bound the jitter of UDP to acceptable levels
under congestion?
1) Yes
2) No
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
59

60. UDP Jitter vs. Shaped Rate
Jitter
90
80
Jitter (ms)
70
60
50
40
30
20
10
9.9
9.8
9.7
9.6
9.5
9.4
9.3
9.2
9.1
9
8.9
8.8
8.7
8.6
8.5
8.4
8.3
8.2
8.1
8
Shaped Rate (Mbps)
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
60

61. UDP Delay vs. Shaped Rate
Average Delay
240
Average Delay (ms)
220
200
180
160
140
120
100
80
60
40
10
9.9
9.8
9.7
9.6
9.5 9.4
9.3
9.2
9.1
9
8.9
8.8
8.7
8.6
8.5 8.4
8.3
8.2
8.1
8
Shaped Rate (Mbps)
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
61

62. Test 3
UDP Delay and Jitter vs. TCP Sessions
PC1
CPE1
WAN
ISP/SP
CPE2
PC2
How does the number of TCP sessions affect UDP
delay, loss and jitter?
1) No impact
2) Low impact, no action required
3) High impact, action required
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
62

63. UDP Average Delay vs. TCP Sessions
Average Delay
Average Delay (ms)
270
220
170
120
70
20
1
2
3
4
5
10
15
20
25
30
35
40
45
50
55
60
65
70
100
TCP Sessions
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
63

64. Test 4
TCP Sessions and Queue Depth
PC1
CPE1
WAN
ISP/SP
CPE2
PC2
How does the number of TCP sessions affect
average queue depth?
1)
2)
3)
4)
BRKRST-3500
Hard to tell
No impact
Increases queue depth
Decreases queue depth
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
64

65. Queue Depth vs. TCP Sessions
Average Queue Depth (Packets)
Average Queue Depth
840
740
640
540
440
340
240
140
40
BRKRST-3500
35
40
45
50
55
60
65
70
TCP Sessions
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
65

66. Test 5
Queue Depth and UDP Delay
PC1
CPE1
WAN
ISP/SP
CPE2
PC2
Will increasing queue size affect UDP delay, loss and
jitter?
Yes
No
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
66

67. Delay vs. Queue Depth
Max Queue Size (Packets)
Min Delay (ms)
Max Delay (ms)
Avg Delay (ms)
40
48
109
70
4000
9
57
29
Difference
39
52
41
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
67

68. Conclusions
§ RIS can move queuing from ISP and reduce drops
§ UDP delay and jitter can be bounded to acceptable
levels
§ Two key “knobs”
Shaped Rate – How aggressively we queue TCP packets
Queue Depth – Conserving the bandwidth delay product
requires that queue depth increase linearly with the number
of TCP sessions
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
68

69. Internet-Based Tests

70. Lab Setup
Branch Router
ISP
VRF1
Global
Internet
Apply QoS Policy
On loopback tunnel
§ 871W
§ 3 Mbps cable Internet
§ ICMP RTT of 40 ms
§ Load generation
FTP
HTTrack
High definition Internet video
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
70

71. Audience Questions
§ Does ISP queuing delay have a significant impact on
delay?
Yes
No
§ What is the required ingress shaped rate?
70% of line rate
80% of line rate
90% of line rate
§ How deep will queues need to be?
500 packets
250 packets
100 packets
40 packets
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
71

72. Internet-Based Tests
Jitter vs. Shaped Rate
Jitter
200
180
Jitter (ms)
160
140
120
100
80
60
40
20
0
3.5 3.4
3.3
3.2
3.1
3
2.9
2.8
2.7
2.6
2.5 2.4
2.3
2.2
2.1
2
1.9
1.8
1.7
1.6
1.5
Shaped Rate (Mbps)
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
72

73. Internet-Based Test
Average Delay vs. Shaped Rate
Average Delay
100
95
Delay (ms)
90
85
80
75
70
65
60
55
50
3.5 3.4
3.3
3.2
3.1
3
2.9
2.8
2.7
2.6
2.5 2.4
2.3
2.2
2.1
2
1.9
1.8
1.7
1.6
1.5
Shaped Rate (Mbps)
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
73

74. Conclusions
§ ISP queue delay peak was 55 ms
(95 ms–40 ms = 55 ms)
Nearly tripled one-way delay
§ 95% of line rate
§ Default (40 packets) queue depth
§ 30 ms or less average delay for real-time traffic
added by branch and ISP WAN connection
§ GRE Loopback Tunnel on 871W with BVI
§ 15% CPU
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
74

75. What Does Remote Ingress Shaping
(RIS) Enable?
Two new capabilities that define the use cases
1. Allows you to maintain control over TCP applications,
even if the traffic does not go through your datacenter
Examples:
Cloud services (SaaS, IaaS)
Teleworkers (residential traffic)
Guest networking
Split-tunneling
2. Allows a single point of configuration and policy
enforcement for a location or WAN link
Examples:
A/A Datacenter
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
75

76. Putting it all Together
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
76

77. Teleworker Example Revisited

78. Teleworker Overview
DC1
DC2
Internet
PE
ISP
CPE
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
78

79. Solution Capabilities—Teleworker
No QoS
Per-Tunnel
QoS-Aware
WAN Service
Protect Voice and Video
No
No
Yes
Support Business
Critical Apps
Maybe
Maybe
Yes
Meet Performance
Expectations
Maybe
Maybe
Yes
Financially Feasible
Yes
Yes
No
Operationally Feasible
Maybe
Maybe
Yes
Valid Solution
No
No
No
Utilizes Available
Resources
Flexibility to deliver new
services
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
79

80. Solution Capabilities—Teleworker
Remote
Ingress
Shaping
No QoS
Per-Tunnel
QoS-Aware
WAN Service
Protect Voice and Video
No
No
Yes
Yes
Support Business
Critical Apps
Maybe
Maybe
Yes
Yes
Meet Performance
Expectations
Maybe
Maybe
Yes
Yes
Financially Feasible
Yes
Yes
No
Yes
Operationally Feasible
Maybe
Maybe
Yes
Maybe
Valid Solution
No
No
No
Maybe
Utilizes Available
Resources
Flexibility to deliver new
services
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
80

81. Buck’s Financial

82. Buck’s Financial
Overview
Datacenter 1
Datacenter 2
ISP
ISP
§ Financial services
company
§ 1000s of very small
branch offices
§ Dual datacenters
Internet
3rd Party
3rd Party
§ Migrating from MPLS
VPN to DMVPN
§ DSL and broadband
cable connections
PE
ISP
§ Future VoIP
Branch Office
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
82

83. Buck’s Financial
Challenges
Datacenter 1
Datacenter 2
ISP
ISP
§ Wants to leverage
3rd party (cloud) for
live video
§ Branch owners want
to use available
broadband capacity
Internet
3rd Party
3rd Party
§ ScanSafe
§ Future services
PE
GuestNet
ISP
Other 3rd parties
Branch Office
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
83

84. Head-End Shaping as a Solution
Shaper has no visibility to multipoint traffic
§ TCP applications must go through the DC
§ Static reservation for spoke-to-spoke UDP
§ Remaining bandwidth statically divided among
active datacenters
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
84

85. Head-End Shaping as a Solution
§ Configure per-tunnel traffic shaping at each DC
§ 720 Kbps reserved for 3rd party video
(600 Kbps + 20%)
§ 160 Kbps reserved for 2 VoIP phone calls
§ Remaining bandwidth divided between 2 DCs
Branch BW
2 VoIP Calls
Available to DC
1.5 Mbps
720 Kbps
160 Kbps
310 Kbps
2 Mbps
720 Kbps
160 Kbps
810 Kbps
3 Mbps
BRKRST-3500
3rd Party Video
720 Kbps
160 Kbps
1310 Kbps
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
85

86. Solution Capabilities—Buck’s Financial
Remote
Ingress
Shaping
No QoS
Per-Tunnel
QoS-Aware
WAN Service
Protect Voice and Video
No
Yes
Yes
Yes
Support Business
Critical Apps
No
Yes
Yes
Yes
Meet Performance
Expectations
Maybe
Maybe
Yes
Yes
Utilizes Available
Resources
Yes
No
Yes
Yes
Flexibility to deliver new
services
Maybe
No
Maybe
Yes
Financially Feasible
Yes
Yes
No
Yes
Operationally Feasible
Maybe
Yes
Yes
Maybe
Valid Solution
No
No
No
Maybe
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
86

87. Looking Ahead
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
87

88. Agenda
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
88

89. Looking Ahead

90. Traffic Classification
Problem
§ Ports/Protocols
§ Payload Encrypted
§ DSCP Reliability
ISP
§ DSCP Trust
Branch
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
90

91. Internet Head-End
§ More than just Internet
Business-to-Business VPN
Corporate E-Commerce
Access to Cloud Services
Branch site-to-site VPN
Teleworker
User Internet access
§ Critical applications separated by circuits
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
91

92. Internet Head-End
§ Simplified classification
§ Ports/Protocols works better
§ TCP session scaling important!
§ Buffering is key
§ Additional Tools
Ironport Web Security Appliance (WSA)
Services Control Engine (SCE)
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
92

93. WSA Bandwidth Controls
for Streaming Media
§ New in WSA AsyncOS 7.0
§ Overall bandwidth limit.
§ User bandwidth limit.
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
93

94. Services Control Engine (SCE)
§ Application-layer deep packet inspection
§ Real-time traffic control
§ Granular bandwidth metering and shaping
§ Quota management
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
94

95. Explicit Congestion Notification (ECN)
§ Notify sender of congestion without packet loss
§ Specified as RFC 3186 (2001)
§ Requires support on hosts and network
§ Not widely used
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
95

96. Explicit Congestion Notification (ECN)
§ Supported in IOS since 12.2T
policy-map QoS_Policy
class class-default
bandwidth per 70
random-detect
random-detect ecn
§ Disabled by default on
Windows 7
Windows Server 2008
Windows Vista
Mac OS X 10.5 and 10.6
§ Server Mode for
Linux
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
96

97. RSVP
§ RSVP implementation could be modified to address
the problem for private WANs
§ Requires routers to initiate reservations
§ See backup slides
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
97

98. Additional RIS Considerations
§ L2 Overhead accounting
§ CPU requirements
§ WAAS
“Measure” optimized traffic
Transport Flow Optimization (TFO)
§ Viruses/scavenger class
User-Based Rate Limiting
Drop
§ Anti-replay
Use caution if applying QoS policies to encrypted traffic
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
98

99. “If you only have a hammer, then you
tend to see every problem as a nail.”
Abraham Maslow

100. Summary
§ Now you have a new tool!
§ RIS can overcome challenges with
Multipoint
3rd Party
Non-QoS Aware WAN
§ Enables acceptable UDP performance
Even if applications do not go through the DC
With a single point of configuration and policy enforcement
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
100

101. Complete Your Online
Session Evaluation
§ Receive 25 Cisco Preferred Access points for each session
evaluation you complete.
§ Give us your feedback and you could win fabulous prizes. Points are
calculated on a daily basis. Winners will be notified by email after
July 22nd.
§ Complete your session evaluation online now (open a browser
through our wireless network to access our portal) or visit one of the
Internet stations throughout the Convention Center.
§ Don’t forget to activate your Cisco Live and Networkers Virtual
account for access to all session materials, communities, and ondemand and live activities throughout the year. Activate your account
at any internet station or visit www.ciscolivevirtual.com.
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
101
1

102. Visit the Cisco Store for Related
Titles
http://theciscostores.com

103. BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
103

104. QoS Golden Rules
§ Start with the goal in mind
§ There is no substitute for sufficient bandwidth
§ Queuing and Scheduling can protect voice and
video from data
§ Only Call Admission Control can protect voice from
voice and video from video
§ Don’t mix UDP and TCP in the same class
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
104

105. Happy Health

106. Happy Health
Overview
Datacenter 1
Datacenter 2
§ Healthcare provider
§ MPLS VPN
PE
PE
§ Dozens of large sites
§ DS-3 or better
DR Site
§ Applications
VoIP
Medical Imaging
Applications in
multiple DCs
PE
PE
Location 1
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
106

107. Happy Health
Challenges
Datacenter 1
§ MPLS VPN Service
Provider charges for
“burst” usage above
50% of line rate
Datacenter 2
PE
PE
DR Site
PE
PE
Location 1
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
107

108. Without RIS
1) TCP applications must go through the DC (or
similar QoS enforcement point) to prevent
oversubscription
2) Every active datacenter must share bandwidth with
other active datacenters
3) Bandwidth must be statically reserved for UDP
applications that do not go through the datacenter
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
108

109. Egress Shaping as a Solution
No Tunnels
§ Identify destination networks
§ Shape traffic toward each destination
§ Requires a mapping of every network to every
location
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
109

110. Traffic Shaping Configuration Example
No Tunnels (1)
ip access-list extended site1
permit ip 10.0.1.0 0.0.0.255 any
permit ip any 10.0.1.0 0.0.0.255
ip access-list extended site2
permit ip 10.0.2.0 0.0.0.255 any
permit ip any 10.0.2.0 0.0.0.255
ip access-list extended site3
permit ip 10.0.3.0 0.0.0.255 any
permit ip any 10.0.3.0 0.0.0.255
class-map match-any
match access-group
class-map match-any
match access-group
class-map match-any
match access-group
BRKRST-3500
site1
name site1
site2
name site2
site3
name site3
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
110

111. Traffic Shaping Configuration Example
No Tunnels (2)
policy-map site
class voice
priority percent 33
class call-signaling
bandwidth percent 5
class critical-data
bandwidth percent 37
random-detect dscp-based
class class-default
bandwidth percent 25
random-detect
policy-map all-sites
class site1
shape average 600000
service-policy site
class site2
shape average 400000
service-policy site
class site3
shape average 200000
service-policy site
interface FastEthernet0/1
service-policy output all-sites
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
111

112. Egress Shaping as a Solution
Static Tunnels
§ Simplifies classification of destination networks
§ Requires a full-mesh overlay on top of existing anyto-any network (5050 tunnels)
§ Shape traffic toward each destination
§ Full mesh routing protocol can cause network
meltdown
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
112

113. Traffic Shaping Configuration Example
Static GRE Tunnels
policy-map site
! Omitted for brevity
policy-map 600ksite
class class-default
shape average 600000
service-policy site
policy-map 400ksite
class class-default
shape average 400000
service-policy site
Interface tunnel 1
Description tunnel to site1
service-policy output 600ksite
Interface tunnel 2
Description tunnel to site2
service-policy output 400ksite
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
113

114. Egress Shaping as a Solution
DMVPN
§ Further simplifies the configuration by automating
tunnel creation
§ New dynamic per-tunnel QoS, 12.4(22)T
§ Within the tunnel interface associate the QoS policy
with the “ip nhrp map group” command
§ Simplifies the association of a QoS policy at the hub
to each spoke location
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_per_tunnel_
qos.html#wp1072822
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
114

115. Traffic Shaping Configuration Example
DMVPN Per Tunnel QoS (Dynamic)
Policy-map SHAPING-1.5MBPS
Class class-default
shape average 1500000
service-policy site
Policy-map SHAPING-1.0MBPS
Class class-default
shape average 1000000
service-policy site
interface Tunnel1
bandwidth 45000
ip address 10.0.0.1 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp map group group1 service-policy output SHAPING-1.5MBPS
ip nhrp map group group2 service-policy output SHAPING-1.0MBPS
.
no ip mroute-cache
tunnel source 172.17.0.1
tunnel mode gre multipoint
tunnel key 253
tunnel protection ipsec profile DMVPN
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
115

116. Solution Capabilities—Happy Health
Per-Tunnel
Protect Voice and Video
Yes
Yes
Yes
Support Business
Critical Apps
Yes
Yes
Yes
Meet Performance
Expectations
Yes
Maybe
Yes
Utilizes Available
Resources
Yes
No
Yes
Flexibility to deliver new
services
Maybe
Maybe
Yes
Financially Feasible
No
Yes
Yes
Operationally Feasible
Yes
Maybe
Maybe
Valid Solution
No
No
BRKRST-3500
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
QoS-Aware
WAN Service
Remote
Ingress
Shaping
No QoS
(Do Nothing)
N/A
Maybe
116