Understanding Performance Routing (PfR) - NetCraftsmen


Understanding Performance Routing (PfR)
Ron Trunk, CCIE
Chesapeake Netcraftsmen
Copyright 2009

Agenda
- PfR Overview
- Deployment
- Performance
- Conclusion

What Is Performance Routing (PfR)?
- Traditional routing protocols select the shortest path
  – Shortest: highest bandwidth
- Sometimes the "shortest path" is not the best path
  – Congestion
  – Delay
  – Cost
- PfR selects the best performing path

Where Is PfR Used?
- WAN edge
- Internet edge
- More than one available path

Best Path Selection per Prefix, Two or More Paths
- WAN access links are the biggest end-to-end bottleneck
- By default BGP chooses the best path based on fewest AS-path hops
- Shortest path is not always the best performing path
(Diagram: headquarters, remote office and telecommuter connected through service providers SP A to SP E, with the bottleneck links marked)

PfR Best Path
- Optimize by: reachability, delay, loss, jitter*, MOS*, throughput, load, and/or cost
- PfR components: BR—Border Router; MC—Master Controller (decision maker)
(Diagram: the PfR-selected path from headquarters to the remote office and telecommuter across SP A to SP E, with MC, BR and MC/BR roles marked and bottlenecks avoided)

PfR and OER: What's the Difference?
- PfR has a broader technology scope
- PfR will greatly expand application intelligence
- PfR will leverage OER and other Cisco IOS technologies to enable adaptive routing throughout the enterprise
OER vs. PfR:
- Prefix vs. applications
- WAN edge vs. private IP (MPLS)
- Network selection vs. path selection
- Exit routing vs. network-wide

Performance Routing (PfR) Exit Selection Criteria
- Reachability, delay, loss, jitter, MOS, load, cost
- PfR components: BR—Border Router (forwarding path); MC—Master Controller (decision maker)
(Diagram: headquarters with MC and BRs reaching a remote office, e-mail and a telecommuter over MPLS, ATM, Frame Relay and Internet VPN paths)

Performance Routing Policy Engine (continuous cycle)
1. Learn applications on the network
2. Measure application performance
3. Measure alternate paths
4. Apply performance policies to measurements
5. Reroute traffic
6. Verify enforcement and performance

Component Description
Master Controller (MC)
  – Cisco IOS software feature
  – Apply policy, verification, reporting
  – Standalone or collocated with BR
  – No routing protocol required
  – Not required to be in forwarding path
Border Router (BR)
  – Cisco IOS software feature in forwarding router
  – Learn, measure, enforcement
  – NetFlow collector
  – Probe source (IP SLA client)
(Diagram: MC with two BRs; BR external (WAN) interfaces to ISP1/WAN1 and ISP2/WAN2, BR internal (LAN) interfaces)

Information Flow
- MC controls all operation
  – Issues commands to BRs
  – Makes policy decisions
- BR responds to MC commands
  – Sends responses to MC; response contains traffic class/link data
  – Reports events
  – Reports measurements
- BR uses NetFlow, IP SLA, BGP, static, PBR
  – Measures traffic class performance
  – Measures link performance
  – Enforces performance-based routing
(Diagram: MC sends commands to BR1 and BR2, which return responses)

PfR Operates on Traffic Classes
Type        | Example
Destination | 10.1.1.0/24
ACL         | 10.1.1.0/24 dscp ef; 10.1.1.0/24 dst-port 50
Well-Known  | 10.1.1.0/24 telnet; 20.1.0.0/16 ssh
NBAR        | 10.1.1.0/24 nbar RTP; 20.1.1.0/24 nbar citrix
Multiple ways to identify a traffic class.

Measuring Traffic Class Performance
- Passive
  – PfR NetFlow monitoring of traffic classes
  – Flows do not need to be on symmetrical paths provided that all exit/entry points are PfR-managed
  – Measures: delay, loss, reachability, egress BW, ingress BW
- Active
  – PfR enables the IP SLA feature; probes sourced from BRs
  – icmp probes learned or configured
  – tcp, udp, jitter need ip sla responder
  – Measures: delay, reachability, jitter (12.4T), MOS (12.4T), loss (12.4(15)T)
- Both mode: attempts to measure performance passively with NetFlow and only launches IP SLA probes as needed
- Fast mode: probes all paths all the time

PfR Policy
- Traffic class performance: delay, loss, reachability, MOS, jitter
- Security: sinkhole, blackhole
- Link performance / administrative: load balancing, link grouping, max utilization, cost
- Scope: global or per policy

Selecting "Best" Traffic Class Path
1. Ignore paths without sufficient capacity
2. Select best performing path based on priority and variance
3. If tie, keep current or select random

Selecting "Best" Traffic Class Path (example measurements)
Link    | Utilization | Delay (ms), priority 1 | Jitter (ms), priority
Serial4 | 40%         | 150                    | 20
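The three selection steps above, as an added example in Python that is not from the slides or from Cisco's implementation: exits over their max-xmit-utilization are dropped, resolve policies are applied in priority order with exits within the configured variance treated as equal, and a full tie keeps the current exit (the slide also allows a random pick). Exit names, measurements and the 5% variance are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Exit:
    name: str
    max_utilization: float        # max-xmit-utilization percent for this link
    metrics: Dict[str, float]     # lower is better; must contain "utilization"


@dataclass
class Policy:
    metric: str                   # "delay", "jitter", "loss", "utilization", ...
    priority: int                 # 1 is evaluated first
    variance: float = 0.0         # percent tolerance; 0 means exact comparison


def has_capacity(e: Exit) -> bool:
    """Step 1: a link at or above its max utilization cannot take more traffic."""
    return e.metrics["utilization"] < e.max_utilization


def select_exit(exits: List[Exit], policies: List[Policy],
                current: Optional[str] = None) -> Optional[str]:
    """Steps 2 and 3: resolve by priority and variance, then break ties."""
    candidates = [e for e in exits if has_capacity(e)]
    if not candidates:
        return current            # nothing has capacity; leave routing alone
    for pol in sorted(policies, key=lambda p: p.priority):
        best = min(e.metrics[pol.metric] for e in candidates)
        tolerance = best * pol.variance / 100.0
        # Exits within `variance` percent of the best are considered equal
        candidates = [e for e in candidates
                      if e.metrics[pol.metric] <= best + tolerance]
        if len(candidates) == 1:
            return candidates[0].name
    names = [e.name for e in candidates]
    return current if current in names else names[0]


def sample_exits() -> List[Exit]:
    """Constructed measurements in the spirit of the slide's table."""
    return [
        Exit("Serial4", 70, {"utilization": 40, "delay": 150, "jitter": 20}),
        Exit("Serial5", 70, {"utilization": 55, "delay": 155, "jitter": 12}),
        Exit("Tunnel0", 70, {"utilization": 80, "delay": 90, "jitter": 5}),
    ]


# Delay first with a 5% variance, jitter as the tie-breaker (constructed policy).
DEFAULT_POLICY = [Policy("delay", 1, 5), Policy("jitter", 2)]
```

With the sample data Tunnel0 is skipped despite its best delay because it is over capacity, Serial4 and Serial5 tie on delay within 5%, and jitter picks Serial5.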

How Best Exit Path Is Enforced
- MC tells BR to insert prefix in BGP or static table
- MC tells BR to insert application/DSCP in policy route
- Modifying BGP local preference: local preference must be highest
- Installing a static route at the exit: redistribute static should be configured
- Installing a dynamic PBR route-map at the exit: direct link or GRE tunnel between BRs necessary
(Diagram: Master sends route commands to BR1 and BR2; each BR redistributes BGP/static toward its ISP or MPLS exit A and B)

How Best Entrance Path Is Chosen
- Measurements gathered for all entrances
- Measurements applied in priority order
- Identify entrances to downgrade
- Downgrade entrance using BGP advertisement
  – AS path prepend
  – Append downgrade BGP community

How Best Entrance Path Is Enforced
- Needed for inbound load balancing
- MC tells BR to modify eBGP advertisement
- Modifying eBGP
  – Prepend AS hop(s)
  – Append BGP downgrade community
(Diagram: Master sends route commands to BR1 and BR2, which adjust their eBGP advertisements toward ISP or MPLS exits A and B)

PfR Typical Customers
- Large, medium, and small enterprises with mission-critical Internet presence
- Enterprises with redundant WAN networks
- Enterprises with remote offices
- Home office with dual Internet connections
(Diagram: headquarters, remote office, telecommuter)

PfR Platform Support
- Cisco 3800 ISR, Cisco 2800 ISR, Cisco 1800 ISR: 12.4, 12.4T
- 1700*: 12.4, 12.4T
- 3640*/3660*/3700*: 12.4, 12.4T
- 2600*: 12.4, 12.4T
- Cisco 7200-NPE-G2: current highest performing PfR device**
- Cisco 6500***: 12.2(33)SXH
- Cisco 7600: 12.2(33)SRB
* Announced/reached end-of-sale (EoS)
** Cisco 7301 with fixed NPE-G1 also supports PfR
*** Only BR function supported, no support for MC

Key Features of Cisco PfR Manager by Fluke Networks
- Executive-level reports
- Troubleshooting analysis
- Network health reports
- Easy traffic class and policy configuration
- Technical support 24 hours a day
- Same design as NetFlow and IP SLA monitoring products
- Fully Web-based
- Reports and alerts on network events
- Historical and trending graphical reports

Agenda
- PfR Overview
- Deployment
- Performance
- Conclusion
- Q and A
- Backup Slides—Troubleshooting

Design Questions
1. Do I have redundant WAN connections?
   – Internet, IPsec/GRE, MPLS, ATM, Frame Relay
   – Configure as PfR external interfaces
2. Which routers terminate the WAN?
   – These are PfR border routers
3. What routing protocols over WAN?
   – BGP, static covered by PfR
   – All others: configure static with redistribution and filtering
4. Which router is PfR master controller?
   – Up to 5000 prefixes: dedicated 7200 or 3800 MC
   – Up to 20K prefixes with NPE-G2
   – For a few to a few hundred prefixes, configure MC on BR

Design Basics
- Internal interfaces and external interfaces
- Up to 10 BRs
- 20 total external interfaces
(Diagram: MC issuing route commands to BR1 and BR2; external interfaces A, B and C toward ISP or MPLS)

Designing Your Policy
1. What policy is important?
   – Exit performance: delay, loss, reachability, throughput; jitter, MOS
   – Entrance performance (12.4T): delay, loss, reachability, throughput
   – Load distribution
   – Cost minimization (cost)
   – Primary/backup link groups
   – Path discovery (for troubleshooting)
   – Security (12.4T)
Default priority is performance, then load.

Design Questions
1. Determine interesting traffic class by:
   – Configure prefix
   – Configure application
   – Configure full ACL
   – Learn interesting prefixes
   – Learn interesting traffic classes
   – Learn eBGP advertised prefixes (inbound optimization)
   – Learn application

Routing Table Interaction
- For static routing, you must configure "parent" routes
  – Static equal-cost routes
  – Point to external interface or next hop
- PfR injects additional routes with longer prefixes to steer traffic
- For BGP, parent routes must exist in the BGP table
- If more than one BR, they must be IGP peers
- For application control, BRs must have a direct link (or GRE tunnel)

Which Router Is the Master Controller?
- Up to a few hundred prefixes: configure MC and BR on the same router
- Up to 5000 prefixes: use 3800 or 7200
- Up to 20,000 prefixes: 7200 with NPE-G2

Typical Deployments
1. SOHO/Broadband: one MC/BR with ISP1/WAN1 and ISP2/WAN2
2. Remote Office: a BR and an MC/BR
3. Headquarters/Content/Hosting/Data Centers: a separate MC with a BR to ISP1/WAN1 and a BR to ISP2/WAN2
BR—Border Router, MC—Master Controller

SOHO/Broadband Deployment
- Cable and DSL WAN interfaces
  – Eth8/0—OER internal
  – Eth9/0—OER external (cable)
  – Ser12/0—OER external (DSL)
- ISR router terminates WAN
- ISR is OER BR
- Static default routing
- 10 to 100 traffic classes
- ISR is also MC
- 12.4
- Performance is most important
  – Use OER default policy (performance over load)
  – Learn throughput and delay to get prefixes
BR—Border Router, MC—Master Controller

SOHO/Broadband Configuration (MC and BR on the same router; Eth9/0 cable, Ser12/0 DSL)
    key chain key1
     key 1
      key-string oer
    oer master
     logging                                 ! Enable logging
     mode route control                      ! Enforce routing changes
     max prefix total 100
     backoff 90 3000 300
     border 10.10.10.1 key-chain key1        ! Authentication required
      interface Ethernet8/0 internal
      interface Ethernet9/0 external
       max-xmit-utilization absolute 1000    ! Limit cable throughput
      interface Ser12/0 external
       max-xmit-utilization absolute 300     ! Limit DSL throughput
     learn                                   ! Learn delay and throughput prefixes every minute
      throughput
      delay
      monitor-period 1
      periodic-interval 0
    oer border                               ! MC and BR on same router
     logging
     local Ethernet8/0
     master 10.10.10.1 key-chain key1
    interface Ethernet8/0
     ip address 10.10.10.1 255.255.255.0
    interface Ethernet 9/0
     load-interval 30
    interface Serial 12/0
     load-interval 30

Mission-Critical Internet Presence
- Online banking
- E-mail hosting
- Online ticketing
- Instant messaging
- Internet voice
- Application hosting
- DNS
- Online music
- Online video
(Diagram: MC and e-mail servers behind BRs multihomed to ISP A, ISP 2, ISP F, ISP G and ISP C)

Internet Presence Deployment
1. DS3 interfaces: Ser12/0, Ser13/0, etc.
2. Cisco 7200 and Cisco 3800 are typical BR/MC, with BR terminating WAN connections
3. BGP routing
   – BRs must be iBGP peers
   – Default routing -or- partial routes -or- full routes
   – Same PfR configuration for all
4. Support of up to 20,000 prefixes (with Cisco 7200-NPE-G2)
5. Entrance optimization: 12.4T/14.4M
6. Customers differ on policy priority
7. Learn prefixes by throughput and delay
(Diagram: IM, Web and e-mail servers behind two BRs and an MC)

Internet Presence Configuration: Default Policy, Performance Then Load
MC (10.1.1.1):
    key chain key1
     key 1
      key-string oer
    oer master
     logging
     mode route control
     mode select-exit best            ! Choose best exit regardless of in or out of policy
     backoff 90 3000 300
     periodic 600                     ! Re-evaluate exit every 10 minutes
     border 10.1.1.2 key-chain key1
      interface Ethernet8/0 internal
      interface Serial12/0 external
      interface Serial13/0 external
     border 10.1.1.3 key-chain key1
      interface Ethernet 8/0 internal
      interface Serial12/0 external
      interface Serial13/0 external
     learn                            ! Learn 500 prefixes
      throughput
      delay
      monitor-period 1
      periodic-interval 0
      prefixes 500
      expire after time 240           ! Delete prefix if not relearned in 4 minutes
BRs (10.10.10.2 and 10.10.10.3):
    key chain key1
     key 1
      key-string oer
    oer border
     logging
     local loopback 1
     master 10.10.10.1 key-chain key1
    interface ser12/0
     load-interval 30
    interface ser13/0
     load-interval 30
(Diagram: IM, Web and e-mail servers behind BR, MC, BR)

Internet Presence Configuration: Outbound Load Balancing Only
Add to the default policy configuration (MC 10.1.1.1):
    oer master
     no periodic                      ! Disable periodic prefix evaluation
     resolve utilization priority 1 variance 5
     resolve range priority 2
     no resolve delay
     no resolve loss
     max-range-utilization percent 10
     border 10.1.1.2
      interface Serial12/0 external
       max-xmit-utilization percent 70
      interface Serial13/0 external
       max-xmit-utilization percent 70
     border 10.1.1.3
      interface Serial12/0 external
       max-xmit-utilization percent 70
      interface Serial13/0 external
       max-xmit-utilization percent 70
A link is out of policy (OOP) if its utilization exceeds the lowest link's utilization by more than 10%, or if its utilization exceeds 70%.

Internet Presence Configuration: Cost Minimization Only
    oer master
     no periodic
     resolve cost priority 1
     no resolve delay
     no resolve utilization
     border 10.1.1.2
      interface Serial12/0 external
       cost-minimization tier 100 fee 10000
       cost-minimization tier 75 fee 8000
       cost-minimization tier 40 fee 4000
       cost-minimization end day-of-month 31
      interface Serial13/0 external
       cost-minimization tier 75 fee 3000
       cost-minimization tier 100 fee 10000
Tiered fees (MC 10.1.1.1):
Link      | 40% tier | 75% tier | 100% tier
Serial12/0 | 4000    | 8000     | 10,000
Serial13/0 | –       | 3000     | 10,000
(Chart: billed tier per link with no OER versus OER tiered cost minimization)

Enterprise VPNs
(Diagram: headquarters MC and BRs reaching a remote office MC/BR and BR over ATM and Frame Relay)
BR—Border Router, MC—Master Controller

Enterprise VPN Deployment: Dual IPsec/GRE Tunnels
- IPsec over GRE
- DMVPN (at spokes only)
- Tunnels are OER external
Telecommuter (MC/BR), add to the SOHO configuration:
    oer master
     border 10.10.10.1
      interface Tunnel 0 external
      interface Tunnel 1 external
Headquarters, add to the Internet default policy configuration:
    oer master
     border 10.1.1.2
      interface Tunnel0 external
      interface Tunnel1 external
     border 10.1.1.3
      interface Tunnel0 external
      interface Tunnel1 external
(Diagram: Tunnel0 and Tunnel1 from the telecommuter MC/BR and the remote office BR/CE across the Internet to the headquarters BRs and MC)

Enterprise VPN Deployment: MPLS Primary with IPsec/GRE Backup
- Application 1: primary MPLS, backup IPsec
- Application 2: backup, then performance
BR—Border Router, MC—Master Controller

Enterprise VPN Deployment: MPLS Primary and IPsec/GRE Backup Configurations*
Group links:
    oer master
     border 1.1.1.1 key-chain key1
      interface Serial1 external
       link-group RED
      interface Tu0 external
       link-group BLUE
      interface eth1/1 internal
     border 1.1.1.2 key-chain key2
      interface Serial3 external
       link-group RED
      interface Tu2 external
       link-group BLUE
      interface et3/1 internal
Specify link preference:
    oer-map MAP 10
     match Appl1
     set delay threshold 100
     set link-group RED fallback BLUE
    oer-map MAP 20
     match Appl2
     set link-group BLUE
(Diagram: BR1 with Serial1 and Tunnel0, BR2 with Serial3 and Tunnel2, both controlled by the MC)
* PfR also supported with ISDN and 3G wireless interfaces

Enterprise VPN Deployment: Fast Failover and Load Balancing
- Simultaneous probing on all exits
- Quick failover to alternate path within 3 seconds
    oer master
     max-range-utilization percent 10
     learn
      list sequence 10 refname REM_OFC
       traffic-class prefix-list REM_OFC_LIST
       throughput
    ip prefix-list REM_OFC_LIST permit 10.1.0.0/16
    ip prefix-list REM_OFC_LIST deny 0.0.0.0/0
    oer-map MAP 10
     match oer learn list REM_OFC
     set mode monitor fast
     set unreachable threshold 5
     set active-probe echo 10.1.1.1
     set active-probe echo 10.1.1.2
     set probe frequency 2
     set resolve range priority 1
(Diagram: remote office BR/CE with Serial0)
BR—Border Router, MC—Master Controller

Enterprise VPN Deployment: Optimize Voice Traffic Between Two Sites
- Select the exit with the highest percentage of estimated MOS above the threshold
  – Tunnel1: 5 out of 100 samples had MOS below 4.00 (better)
  – Tunnel0: 20 out of 100 samples had MOS below 4.00
(Diagram: two tunnels between the sites with IP SLA jitter measurements of 20 ms and 5 ms)
BR—Border Router, MC—Master Controller

Enterprise VPN Deployment: Optimize Voice Traffic Between Two Sites
Identify voice traffic, either by packets marked with DSCP bits:
    ip access-list extended VOICE-LIST
     permit ip any 10.1.1.0 0.0.0.255 dscp ef
or by UDP port range:
    ip access-list extended VOICE-LIST
     permit udp any 10.1.1.0 0.0.0.255 range x y
Configure the voice policy:
    oer-map MAP 10
     match traffic-class access-list VOICE-LIST
     set active-probe jitter 10.1.1.1 target-port 2000 codec g729a
     set probe frequency 2
     set mos threshold 4.00 percent 20
     set resolve mos priority 1
     set mode monitor fast
Far-end configuration: configure the responder on the remote router:
    ip sla responder
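The MOS rule from the two voice slides (threshold 4.00, percent 20, and "highest percentage of samples above threshold wins"), as an added Python example that is not from the slides or from Cisco's code. The 100-sample windows are constructed to match the slide's 5-of-100 and 20-of-100 figures; the assumption that an exit is out of policy only once the share of samples below the threshold strictly exceeds the configured percent is mine.

```python
from typing import Dict, List, Optional

MOS_THRESHOLD = 4.00   # "set mos threshold 4.00 ..."
MOS_PERCENT = 20       # "... percent 20": share of samples allowed below threshold


def pct_below(samples: List[float], threshold: float = MOS_THRESHOLD) -> float:
    """Percentage of estimated-MOS samples that fall below the threshold."""
    if not samples:
        return 100.0                        # no measurements: treat as unusable
    below = sum(1 for s in samples if s < threshold)
    return 100.0 * below / len(samples)


def in_policy(samples: List[float], threshold: float = MOS_THRESHOLD,
              percent: float = MOS_PERCENT) -> bool:
    """Assumption: in policy while no more than `percent` of samples miss the threshold."""
    return pct_below(samples, threshold) <= percent


def best_voice_exit(exits: Dict[str, List[float]],
                    current: Optional[str] = None) -> Optional[str]:
    """Exit with the highest share of samples at or above threshold wins;
    an exact tie keeps the current exit."""
    if not exits:
        return current
    best_pct = min(pct_below(s) for s in exits.values())
    winners = [name for name, s in exits.items() if pct_below(s) == best_pct]
    return current if current in winners else winners[0]


def sample_mos_windows() -> Dict[str, List[float]]:
    """Constructed 100-sample windows matching the slide:
    Tunnel1 has 5 samples below 4.00, Tunnel0 has 20."""
    return {
        "Tunnel0": [4.2] * 80 + [3.6] * 20,
        "Tunnel1": [4.2] * 95 + [3.6] * 5,
    }
```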

Enterprise VPN Deployment: Optimize Application Traffic to Branch Office
- Latency-sensitive applications (telnet, ssh): latency 100 ms
- Latency-tolerant (other): latency 200 ms
(Diagram: headquarters BR and MC reaching the branch BR/CE over Tunnel0 (1) and Tunnel1 (2) across the Internet; telnet or ssh on one tunnel, other traffic on the other)
Learn application traffic:
    ip prefix-list BRANCH_PFX permit 10.1.0.0/16
    !
    oer master
     learn
      list sequence 10 refname BRANCH_APPL
       traffic-class application telnet ssh filter BRANCH_PFX
       throughput
      list sequence 20 refname BRANCH_PFX
       traffic-class prefix-list BRANCH_PFX
       throughput
Configure policy:
    oer-map MAP 10
     match oer learn list BRANCH_APPL
     set delay threshold 100
     set resolve delay priority 1 variance 5
    oer-map MAP 20
     match oer learn list BRANCH_PFX
     set delay threshold 400
     set resolve utilization priority 1 variance 5

Enterprise VPN Deployment: Optimize Application—Define Your Own Application
Define the application using an access-list:
    ip access-list extended APPL1_DEF
     permit tcp any eq 200 any
     permit tcp any any eq 200
    ip access-list extended APPL2_DEF
     permit ip any any dscp af12
Add the application definition to the OER database:
    oer master
     application define APPL1 access-list APPL1_DEF
     application define APPL2 access-list APPL2_DEF
Learn user-defined applications:
    oer master
     learn
      list seq 30 refname LISTA
       traffic-class application APPL1
      list seq 40 refname LISTB
       traffic-class application APPL2
Apply policy to the learned applications:
    oer-map MAP 10
     match traffic-class learn list LISTA
     set resolve delay priority 1 variance 5
    oer-map MAP 20
     match traffic-class learn list LISTB
     set resolve range priority 1
(Diagram: BR, MC, BR)

Enterprise VPN Deployment: Optimize Application Identified by NBAR*
- Use NBAR to identify application traffic
- NBAR is activated automatically on the BR
Learn NBAR-identified applications:
    oer master
     learn
      list seq 30 refname LISTA
       traffic-class application nbar rtp-audio
      list seq 40 refname LISTB
       traffic-class application nbar citrix
Configure NBAR-identified applications:
    ip prefix-list LIST1 permit 10.1.1.0/24
    ip prefix-list LIST1 permit 10.1.2.0/24
    oer-map MAP 10
     match traffic-class application nbar citrix prefix-list LIST1
(Diagram: BR, MC, BR)
* To be released in 12.5(1)T

PfR with NAT
MC/BR router combined (NAT translation occurs on the MC/BR):
- Existing flow continues on the same exit; no sessions are dropped
- New flow goes out via the new exit
- Avoids problems if the ISP is performing RPF checking
- Minimal configuration change:
    interface virtual-template 1
    ip nat inside source x interface Virtual-Template 1 overload oer
(Diagram: IM, Web and e-mail servers behind a CSS11500 and the MC/BR, with ISP1 and ISP2 exits; a second variant with separate MC and BR)

PfR with NAT—Configuration Example
Identify the traffic to be NAT translated:
    access-list 1 permit 10.1.0.0 0.0.255.255
    route-map isp-1 permit 10
     match ip address 1
     match interface Se1/0
    route-map isp-2 permit 10
     match ip address 1
     match interface Se2/0
    interface Eth3/0                    ! OER internal interface
     ip nat inside
    interface Se1/0                     ! OER external interface
     ip nat outside
    interface Se2/0                     ! OER external interface
     ip nat outside
Single IP (Se1/0—ISP1):
    interface virtual-template 1
    ip nat inside source route-map isp-1 interface Virtual-Template1 overload oer
IP pool (Se2/0—ISP2):
    ip nat pool ISP-2 min-ip-addr max-ip-addr prefix-length len
    ip nat inside source route-map isp-2 pool ISP-2 oer
(Diagram: 10.1.0.0 LAN on Eth3/0 of the MC/BR; Se1/0 to ISP1 with a single IP, Se2/0 to ISP2 with an IP pool)

Security Considerations
- Deploy MC behind firewall
- Separate private VLAN for MC and BR
- Private addressing for MC and BR communication
- No routing on MC (routing not required on MC):
    no ip routing
    no router
(Diagram: IM, Web and e-mail servers behind BR, MC, BR)

PfR MC Redundancy
- What if the MC goes down? Routing defaults to normal, as if PfR was not configured
- Still need MC redundancy?
  – Available: stateless redundancy without configuration synchronization, using HSRP
  – On roadmap: stateless redundancy with synchronized configuration, and stateful redundancy
(Diagram: IM, Web and e-mail servers behind two BRs and an MC, with ISP1 and ISP2 exits)

PfR MC Redundancy: Stateless Redundancy Using HSRP
On the border, configure the HSRP group IP as the MC IP:
    oer border
     master 10.1.1.100 key-chain oer
On both MCs (active and standby), duplicate the configuration; HSRP group IP 10.1.1.100:
    interface Ethernet0/0
     standby 100 ip 10.1.1.100
(Diagram: IM, Web and e-mail servers behind two BRs; active and standby MC sharing HSRP group IP 10.1.1.100; ISP1 and ISP2 exits)
