CISCO IOS IP SERVICE LEVEL AGREEMENTS TECHNICAL OVERVIEW

Cisco IOS IP Service Level Agreements: Technical Overview
Tom Zingale, Internet Technologies Division, September 2004
Cisco IOS IP SLA, Technical, 9/04 © 2004 Cisco Systems, Inc. All rights reserved. Cisco Internal Use Only

Cisco IOS IP Service Level Agreement: A New Direction
• Cisco solution that assures IP service levels, proactively verifies network operation, and accurately measures network performance
• Comprehensive hardware support
• Committed Cisco partner support
• Cisco IOS Software, the world's leading network infrastructure software
Deployment roles (diagram):
• Enterprise and Small/Medium Business: understand network performance and ease deployment
• Access Service Providers: verify service levels
• Enterprise Premise Edge and Enterprise Backbone: verify outsourced SLAs
• Service Provider Aggregation Edge and Service Provider Core: measure and provide SLAs

The Need for IP-Based Service Levels
PROBLEM and RESULT
• 40% of companies delay launching new applications due to network performance concerns [2]: reduced business productivity
• 59% of companies simply add bandwidth to ensure application efficiency [2]: increased network costs
• 55% of companies only identify some of their network traffic [2]: reduced understanding of network behavior
• Cost of application downtime and degradation is $13,000 per minute for an ERP application [3]: lowered network performance can be costly
Sources:
[1] 2003 Infonetics Research Study "Cost of Enterprise Downtime", www.infonetics.com/services/green.shtml?2004/service.provider.and.user.plans.shtml
[2] 2003 Network World Application Performance Market Study, www.nwfusion.com
[3] Forrester Research, www.forrester.com

Cisco IOS IP SLA Benefits
OPTIMIZED APPLICATIONS AND SERVICES
• Performance visibility
• Prove service levels
• Enhance customer satisfaction
• Enhance acceptance of business-critical services
REDUCED TOTAL COST OF OWNERSHIP AND OpEx
• Reduce deployment time
• Lower mean time to restore and downtime
• Proactive identification of issues enforces higher reliability
Measurements and metrics: continuous, predictable, reliable; automated intelligence; proactive

Cisco IOS IP SLAs Life Cycle
1. Baseline network performance: understand the network performance baseline
2. Verify network readiness for new services with Cisco IOS IP SLA capabilities: confidence to deploy new IP services and applications
3. Assure application and service deployment
4. Fine tune and optimize: ongoing measurements to understand behavior, with proactive notification
Quantify results:
• Reduce deployment time
• Prove service and application differentiation
• Verify service levels
• Reduce network downtime
• Manage demand for the network

Example: Multi-Protocol Measurement and Management with Cisco IOS IP SLAs
Applications: network performance monitoring, availability, VoIP monitoring, Service Level Agreement (SLA) monitoring, network assessment, Multiprotocol Label Switching (MPLS) monitoring, troubleshooting
Measurement metrics: packet loss, latency, network jitter, distribution of statistics, connectivity
Protocols: jitter (UDP), FTP, DNS, DHCP, DLSw, ICMP, UDP, TCP, HTTP, LDP, H.323, SIP, RTP, RADIUS, video
Topology (diagram): the IP SLA source (Cisco IOS Software) sends actively generated traffic with a defined packet size, spacing, CoS and protocol to an IP server or to a destination running the Cisco IOS IP SLA Responder; results are stored on the source in the IP SLA MIB

Comprehensive Hardware Support
Enterprise and Aggregation/Edge, and Core (Cisco IOS Software Release 12.2S): Cisco 7200 Series, Cisco 7300 Series, Cisco Catalyst 6500 Series, Cisco 7600 Series, Cisco 10000 Series, Cisco 12000 Series
Access (Cisco IOS Software Releases 12.3T and 12.4): Cisco 800, Cisco 1700 and 1800 Series, Cisco 2600 and 2800 Series, Cisco 3700 and 3800 Series, Cisco 7200 and 7300 Series, Cisco Catalyst 2900, 3550 and 3750 Series

SLA Verification and Management
• Access router may be managed or unmanaged
• Data typically provided by the service provider for the customer includes availability, QoS and jitter SLAs
• Service provider needs visibility into the customer edge in order to commit to SLAs
• Enterprise will verify SP SLAs by using access-router edge-to-edge measurements
• Enterprise may provide restricted Simple Network Management Protocol (SNMP) visibility (RTT, latency, QoS) into the access router for the service provider; a service provider with that restricted access can report SLA as a service back to the enterprise. "Restricted" here means a read-only SNMP view limited to the IP SLA MIB, not full read access to the router.

Network Monitoring
• Cisco IOS IP SLA answers the following question: what is the jitter, latency or packet loss between any two points in the network?
• IP services can be simulated by specifying various packet sizes, ports, class of service, packet spacing and measurement frequencies
• Unidirectional and highly accurate measurements
• Measurements per class of service to validate service differentiation for data, voice and video
• Cisco IOS IP SLA will identify an edge-to-edge network performance baseline and allow the user to understand trends and anomalies from the baseline

IP Network Readiness
• Network assessment tool built into Cisco IOS Software
• Simulate IP services and verify how well they will work in the network
• How well is QoS working in the network pre-deployment
• Post-deployment continued verification of network performance per IP service

Availability Monitoring
• Cisco IOS IP SLA uses proactive monitoring for periodic, reliable and continuous availability measurements
• Connectivity measurements from Cisco router to router or Cisco router to server
• Threshold notifications when an endpoint is not available
Example: what is the availability of a Network File System (NFS) server used to store business-critical data from a remote site? A Cisco IOS IP SLA UDP active measurement to specific server ports is used to test remote-site-to-server connectivity; if the server is unavailable, traps can notify the network management system

Troubleshooting with Cisco IOS IP SLA
• Proactive notification of problems and issues based on threshold alerts
• Testing edge to edge consistently and reliably will save time in finding and pinpointing network performance problem areas
• Secondary activation of a path operation (i.e. path jitter), or activation of operations at a higher frequency, to isolate and verify problem areas in the network

Cisco IOS IP SLA Source and Responder
• Source router
  Cisco IOS Software router that sends the data for the operation
  The target may or may not be a Cisco IOS Software device
  Some operations require the target to run the IP SLA Responder
  Stores results in the MIB
• Responder
  Responds to IP SLA packets at the destination
  User-defined UDP/TCP ports
  IP SLA Control Protocol with MD5 authentication (the control message asks the responder to open the probe port for the duration of the operation; configure the key chain on both source and responder, otherwise any host that can reach the responder's control port, UDP 1967, can request that)
  Accurate measurements

Responder Timestamps
Diagram: the source router sends at T1; the target router running the Responder receives at T2 and replies at T3; the source receives the reply at T4
D = T3 - T2 is the destination processing time. The Responder takes the two timestamps T2 and T3 and returns them in the reply, so the source can subtract D from the measured round trip.
• Responder factors out destination processing time, making results highly accurate
• Responder allows for one-way measurements for latency, jitter, packet loss and MOS

Cisco IOS IP SLAs Uses and Metrics
Data traffic*
  Requirement: minimize delay and packet loss; verify Quality of Service (QoS)
  IP SLA measurement: jitter, packet loss, latency, per QoS class
VoIP*
  Requirement: minimize delay, packet loss and jitter
  IP SLA measurement: one-way jitter, packet loss and latency; MOS voice quality score
Service Level Agreement*
  Requirement: measure delay, packet loss and jitter
  IP SLA measurement: one-way jitter, packet loss and latency; enhanced accuracy; NTP
Availability*
  Requirement: connectivity testing
  IP SLA measurement: connectivity tests to IP devices
Streaming video**
  Requirement: minimize delay and packet loss
  IP SLA measurement: jitter, packet loss, latency
* Currently available
** Limited availability in 9/04; complete in CY'05

Cisco IOS IP SLA Reaction Conditions
• Reaction trigger to events: can send SNMP traps for certain "triggering" events:
  Connection loss and timeout
  Round-trip time threshold
  Average jitter threshold
  Unidirectional packet loss, latency, jitter, MOS scores
• Trigger types: immediate; consecutive; X of Y times; average exceeded
• Can trigger another IP SLA operation for further analysis
Diagram: a rising threshold of 100 ms and a falling threshold of 50 ms plotted against time; a threshold violation raises an alert, no new alert is raised while the value stays between the two thresholds, and the next violation after resolution raises a new alert
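The four trigger types and the two-threshold hysteresis from the diagram, as an added worked example (this is not code from the deck or from Cisco IOS). It evaluates a constructed series of RTT samples against a rising threshold of 100 ms and a falling threshold of 50 ms, the values drawn on the slide; the trigger names, the `x`/`y` parameters and the sample values are assumptions made for the example:

```python
from collections import deque
from statistics import mean


class Reaction:
    """One reaction condition: alert when the trigger fires above the rising
    threshold, clear once the value (or window average) drops to the falling
    threshold. Nothing re-fires while the value sits between the two."""

    def __init__(self, kind, rising_ms, falling_ms, x=1, y=1):
        self.kind = kind                      # immediate | consecutive | xofy | average
        self.rising, self.falling = rising_ms, falling_ms
        self.x, self.y = x, y                 # x: count for consecutive / X-of-Y; y: window size
        self.window = deque(maxlen=y)
        self.run = 0                          # consecutive samples above the rising threshold
        self.violated = False

    def _exceeded(self, value):
        if self.kind == "immediate":
            return value > self.rising
        if self.kind == "consecutive":
            self.run = self.run + 1 if value > self.rising else 0
            return self.run >= self.x
        if self.kind == "xofy":
            return sum(v > self.rising for v in self.window) >= self.x
        if self.kind == "average":
            return mean(self.window) > self.rising
        raise ValueError(f"unknown trigger type {self.kind}")

    def _cleared(self, value):
        if self.kind == "average":
            return mean(self.window) <= self.falling
        return value <= self.falling

    def observe(self, index, value):
        """Feed one sample; return (index, 'violation'|'clear') or None."""
        self.window.append(value)
        if not self.violated and self._exceeded(value):
            self.violated = True
            return (index, "violation")
        if self.violated and self._cleared(value):
            self.violated, self.run = False, 0
            return (index, "clear")
        return None


def events(kind, samples, rising=100, falling=50, **kw):
    """Run one reaction over a sample series and collect the alerts it would send."""
    r = Reaction(kind, rising, falling, **kw)
    return [e for e in (r.observe(i, v) for i, v in enumerate(samples)) if e]


# constructed RTT series in ms (assumed values, not measurements from the deck)
RTT_MS = [30, 120, 110, 40, 130, 140, 150, 60, 45]
```

The same series gives different alert streams per trigger type: "immediate" alerts on the first 120 ms sample and again after the 40 ms dip, "consecutive" with `x=3` waits for the 130/140/150 run, "X of Y" with 2 of 3 fires one sample earlier than "consecutive", and "average" over 3 samples fires once and never clears because the window mean stays above 50 ms. The 60 ms sample clears none of them, which is the point of the two thresholds: a value between them neither alerts nor resolves.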

Cisco IOS IP SLA Feature Availability by Release
Releases in the matrix: 11.2, 12.0(3)T, 12.0(5)T, 12.0(8)S, 12.1E, 12.1(1)T, 12.2(2)T, 12.2(11)T (Infrastructure 2), 12.2(14)S, 12.2(25)S
Features in the matrix: ICMP Echo, ICMP Echo Path, SSCP (SNA), UDP Echo, TCP Connect, UDP Jitter, HTTP, DNS, DHCP, DLSw+, SNMP support, MPLS/VPN aware, Frame Relay (CLI), ICMP Path Jitter, APM, UDP Jitter One-Way Latency, FTP Get
(The per-release availability marks of the matrix are not reproduced.)

Cisco IOS IP SLA Partners
Cisco network management solutions: Cisco IP Solution Center (MPLS VPN and SLA monitoring); Internetworking Performance Monitor (enterprise performance measurements)
Third-party products (partner logos not reproduced)

Cisco IOS IP SLA Performance with Infrastructure 2: CPU Load by Hardware
• Jitter probe, versus Release 12.3(3), 2,000 active probes
• Platforms measured: Cisco 2600 Series, Cisco 2620XM Series, Cisco 3640 Series, Cisco 3725 Router, Cisco 7200 VXR NPE-225
• Operation rates from 4 to 60 operations per second (240 to 3600 operations per minute)
• Jitter operations are activated sequentially in this testing; each operation sends 10 packets of 64 bytes with 20 ms spacing
(The per-platform CPU-load percentages of the chart are not reproduced.)

Cisco IOS IP SLA Performance with Infrastructure 2: CPU Load by Hardware
• Jitter probe, Release 12.3(4)T, 2,000 active probes, IP Plus/Firewall/3DES image
CPU load (%) by operation rate:
Ops/sec  Ops/min  Cisco 831  Cisco 837  Cisco 1751
4        240      7          10         3
8        480      13         16         8
12       720      23         23         10
16       960      29         30         17
20       1200     33         34         22
24       1440     35         36         27
28       1680     41         41         29
32       1920     47         46         32
36       2160     52         50         35
40       2400     57         56         39
44       2640     62         62         43
48       2880     66         65         48
52       3120     72         68         53
56       3360     76         71         59
60       3600     81         75         62

Cisco IOS IP SLA VoIP Measurements (Q1 CY'05)
Diagram: a data center with a gatekeeper and Call Manager cluster; headquarters; sales offices in Seattle, LA, San Jose, New York, Cleveland, Detroit and Boston, one of them running an IP SLA Responder
Measurements: registration delay, discovery delay, and H.323 or SIP post-dial delay

Digital Signal Processor Based IP SLA Measurements (Q3 CY'05)
• VoIP active (test call) measurements using Real-time Transport Protocol (RTP) streams
• Voice quality scores and voice metrics from the Digital Signal Processor (DSP)
Diagram: under call control, the IP SLA source uses its DSP to place an RTP test call to an IP server or to an IP SLA Responder; the Cisco IOS IP SLA RTP operation returns the VoIP metrics as operation data

New IOS IP SLA CLI
• The new IOS IP SLA CLI releases in Q1 CY'05 in 12.3(RLS 6)T
• Phase 1 changes include new syntax for commands and new show commands
  New show commands: "show ip sla statistics" and "show ip sla statistics details"
  Older show commands will be deprecated over time and replaced with the new show commands
  The RTR keyword was changed to IP SLA Monitor in the CLI
  The new syntax is used in this presentation; the old syntax before 12.3(pi 6)T is shown in the Appendix
OLD CLI
  Router(config)#rtr 1
  Router(config-rtr)#type echo protocol ipIcmpEcho 1.1
  Router(config)#rtr schedule 1 start-time now
NEW CLI
  Router(config)#ip sla monitor 1
  Router(config-sla-monitor)#icmp-echo 1.1
  Router(config)#ip sla monitor schedule 1 start-time now

New Cisco IOS IP SLA Show Commands (Q1 CY'05)
• Jitter operation: "show ip sla monitor statistics [details]"
Router#sh ip sla monitor statistics 15
Round trip time (RTT)   Index 15
  Latest RTT: 1 ms
  Latest operation start time: *05:43:28.720 UTC Fri May 28 2004
  Latest operation return code: OK
RTT Values
  Number Of RTT: 10
  RTT Min/Avg/Max: 1/1/1 ms
Latency one-way time milliseconds
  Number of one-way Samples: 0
  Source to Destination one way Latency Min/Avg/Max: 0/0/0 ms
  Destination to Source one way Latency Min/Avg/Max: 0/0/0 ms
Jitter time milliseconds
  Number of Jitter Samples: 9
  Source to Destination Jitter Min/Avg/Max: 20/20/23 ms
  Destination to Source Jitter Min/Avg/Max: 0/0/0 ms
Packet Loss Values
  Loss Source to Destination: 0
  Loss Destination to Source: 0
  Out Of Sequence: 0
  Tail Drop: 0
  Packet Late Arrival: 0
Number of successes: 1
Number of failures: 0
Operation time to live: 3567 sec

New Cisco IOS IP SLA Show Commands (Q1 CY'05)
• Jitter operation: "show ip sla monitor statistics details"
Round trip time (RTT)   Index 2004
  Latest RTT: 1 ms
  Latest operation start time: *08:41:09.937 PST Wed Oct 6 2004
  Latest operation return code: OK
  Over thresholds occurred: FALSE
RTT Values
  Number Of RTT: 10
  RTT Min/Avg/Max: 1/1/1 ms
Latency one-way time:
  Number of Latency one-way Samples: 0
  Source to Destination Latency one way Min/Avg/Max: 0/0/0 ms
  Destination to Source Latency one way Min/Avg/Max: 0/0/0 ms
  Source to Destination Latency one way Sum/Sum2: 0/0
  Destination to Source Latency one way Sum/Sum2: 0/0
Jitter time:
  Number of Jitter Samples: 9
  Source to Destination Jitter Min/Avg/Max: 0/0/0 ms
  Destination to Source Jitter Min/Avg/Max: 0/0/0 ms
  Source to destination positive jitter Number/Sum/Sum2: 0/0/0
  Source to destination negative jitter Min/Avg/Max: 0/0/0 ms
  Source to destination negative jitter Number/Sum/Sum2: 0/0/0
  Destination to Source positive jitter Min/Avg/Max: 0/0/0 ms
  Destination to Source positive jitter Number/Sum/Sum2: 0/0/0
  Destination to Source negative jitter Min/Avg/Max: 0/0/0 ms
  Destination to Source negative jitter Number/Sum/Sum2: 0/0/0
  Interarrival jitterout: 0
  Interarrival jitterin: 0
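How the responder's four timestamps (slide 14) become the RTT, one-way, jitter and loss figures in the show output above, as an added worked example; this is not code from the deck or from Cisco IOS, and the 10-probe operation below is constructed (20 ms spacing, roughly 5 ms each way, 1 ms of responder processing, one probe lost outbound and one reply lost on the return). The jitter grouping into positive and negative samples with Number/Sum/Sum2 follows the layout of the details output; the exact rounding IOS applies is not reproduced:

```python
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass
class Probe:
    seq: int
    t1: float              # ms: source sends the probe
    t2: Optional[float]    # ms: responder receives it (None = lost source->destination)
    t3: Optional[float]    # ms: responder sends the reply
    t4: Optional[float]    # ms: source receives the reply (None = lost destination->source)


def rtt_ms(p: Probe) -> float:
    """Round trip with the responder's processing time D = T3 - T2 factored out."""
    return (p.t4 - p.t1) - (p.t3 - p.t2)


def one_way_ms(p: Probe):
    """Source->destination and destination->source delay. Only meaningful when
    both clocks are synchronized, which is why NTP sits next to the one-way SLA
    metrics on the uses-and-metrics slide."""
    return p.t2 - p.t1, p.t4 - p.t3


def _spacing_deltas(probes, send, recv):
    """Jitter samples: inter-arrival spacing minus inter-departure spacing of
    consecutive probes, skipping any pair where a probe was lost."""
    out = []
    for a, b in zip(probes, probes[1:]):
        if None in (send(a), recv(a), send(b), recv(b)):
            continue
        out.append((recv(b) - recv(a)) - (send(b) - send(a)))
    return out


def _summarize(samples):
    """Positive and negative jitter kept apart, each with Number/Sum/Sum2,
    plus Min/Avg/Max over the non-zero samples."""
    pos = [s for s in samples if s > 0]
    neg = [-s for s in samples if s < 0]
    nz = pos + neg
    return {"samples": len(samples),
            "min": min(nz) if nz else 0.0,
            "avg": mean(nz) if nz else 0.0,
            "max": max(nz) if nz else 0.0,
            "positive": (len(pos), sum(pos), sum(s * s for s in pos)),
            "negative": (len(neg), sum(neg), sum(s * s for s in neg))}


def operation_stats(probes: List[Probe]) -> dict:
    """The figures one jitter operation reports: RTT values, loss per direction,
    out-of-sequence replies and jitter in both directions."""
    probes = sorted(probes, key=lambda p: p.seq)
    answered = [p for p in probes if p.t4 is not None]
    rtts = [rtt_ms(p) for p in answered]
    out_of_seq = sum(1 for a, b in zip(answered, answered[1:]) if b.t4 < a.t4)
    return {
        "rtt": (len(rtts), min(rtts), mean(rtts), max(rtts)),
        "loss_sd": sum(1 for p in probes if p.t2 is None),
        "loss_ds": sum(1 for p in probes if p.t2 is not None and p.t4 is None),
        "out_of_sequence": out_of_seq,
        "jitter_sd": _summarize(_spacing_deltas(probes, lambda p: p.t1, lambda p: p.t2)),
        "jitter_ds": _summarize(_spacing_deltas(probes, lambda p: p.t3, lambda p: p.t4)),
    }


def sample_probes() -> List[Probe]:
    """Constructed 10-packet operation (assumed timestamps, not a capture)."""
    return [
        Probe(0, 0.0, 5.0, 6.0, 11.0),
        Probe(1, 20.0, 27.0, 28.0, 33.0),
        Probe(2, 40.0, 44.0, 45.0, 51.0),
        Probe(3, 60.0, 68.0, 69.0, 74.0),
        Probe(4, 80.0, 85.0, 86.0, 91.0),
        Probe(5, 100.0, None, None, None),      # lost source->destination
        Probe(6, 120.0, 126.0, 127.0, 132.0),
        Probe(7, 140.0, 145.0, 146.0, 153.0),
        Probe(8, 160.0, 165.0, 166.0, None),    # reply lost destination->source
        Probe(9, 180.0, 185.0, 186.0, 191.0),
    ]
```

Two things the arithmetic makes visible: the responder only fixes the RTT, since subtracting T3 - T2 needs no clock agreement, whereas every one-way figure is a difference between two clocks and is garbage without NTP; and a probe lost in either direction removes two jitter pairs, which is why the sample count in the output is lower than the packet count.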

Cisco IOS IP SLA Multiple Operations Scheduling (Release 12.3(8)T)
• Schedule multiple operations in one command
• Scalable and sequential activation of IP SLA operations (if the frequency is not specified, the default frequency is the same as the schedule period)
• Reduced load on the network
• Consistent monitoring coverage
  Router(config)#ip sla monitor 1
  Router(config-sla-monitor)#type echo protocol ipIcmpEcho 1.1
  Router(config)#ip sla monitor 2
  Router(config-sla-monitor)#type echo protocol ipIcmpEcho 2.2
  Router(config)#ip sla monitor 3
  Router(config-sla-monitor)#type echo protocol ipIcmpEcho 3.3
  Router(config)#ip sla monitor group schedule 1 1-3 schedule-period 20 start-time now
  Router#show ip sla monitor group schedule

Cisco IOS IP SLA Random Scheduler Enhancement
• Release 12.4(Rls 1)T will introduce the following functionality:
  Randomness for the group scheduler during the schedule period
  Randomness for the frequency of the operations started by the random group scheduler

Cisco IOS IP SLA Accuracy Feature
• High performance and high accuracy measurements
• Precision to 0.1 ms from the current 1 ms
• Improve Cisco IOS IP SLA accuracy under forwarding load and for dedicated routers
• Release 12.3(RLS 6)T will introduce this functionality in Q1 CY'05

Cisco IOS IP Service Level Agreement Roadmap
Feature / Release / Target date
Release 12.3T features
• MOS and ICPIF scores / 12.3(4)T / November 2003
• One-way latency, jitter, packet loss and MOS traps / 12.3(7)T / March 2004
• Multi-operation scheduler (ease of scheduling) / 12.3(8)T / June 2004
• Post-dial and gatekeeper delays with SIP and H.323 / 12.3(pi-6)T / Q1 CY'05
• High accuracy enhancement / 12.3(pi-6)T / Q1 CY'05
• Ease-of-use CLI / 12.3(pi-6)T / Q1 CY'05
Release 12.4T features
• Ease-of-use CLI phase 2 / 12.4(pi-1)T / Q2 CY'05
• Random scheduler for operations / 12.4(pi-1)T / Q2 CY'05
• Voice gateway integration, VoIP measurement using DSP / 12.4(pi-2)T / Q3 CY'05
• Ease-of-use CLI phase 3 / 12.4(pi-2)T / Q3 CY'05
• Video operation / 12.4(pi-2)T / Q3 CY'05
• RADIUS response operation / 12.4(pi-2)T / Q3 CY'05
Release 12.2S features
• IP SLA: auto MPLS VPN monitoring / 12.2(Rls 6)S / Q1 CY'05
• IP SLA: auto MPLS VPN monitoring with ECMP / 12.2(Rls 7)S / Q3 CY'05
• IP SLA: auto MPLS monitoring with VCCV / 12.2(Rls 8)S / Radar
• IP SLA: auto MPLS monitoring with BFD / 12.2(Rls 8)S / Radar
• IP SLA multicast / Radar
• Auto IP SLA monitoring / Radar
• IP SLA with DMVPN / Radar
• ICMP jitter / Radar
• IP SLA high availability / Radar
• Embedded Event Manager (EEM) detector / Radar

NetFlow

Flow Is Defined by Seven Unique Keys
• Source IP address
• Destination IP address
• Source port
• Destination port
• Layer 3 protocol type
• TOS byte (DSCP)
• Input logical interface (ifIndex)
Diagram: traffic enters an interface with NetFlow enabled; flows are either sent as NetFlow export packets to a traditional export collector, or read from the new SNMP MIB by an SNMP poller with a GUI

NetFlow Cache Example
1. Create and update flows in the NetFlow cache
SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol TOS Flgs Pkts  SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop    Bytes/Pkt Active Idle
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11       80  10   11000 00A2    /24    5     00A2    /24    15    10.0.23.2  1528      1745   4
Fa1/0  173.100.3.2   Fa0/0  10.0.227.12  6        40  0    2491  15      /26    196   15      /24    15    10.0.23.2  740       41.5   1
Fa1/0  173.100.2     Fa0/0  10.0.227.12  11       80  10   10000 00A1    /24    180   00A1    /24    15    10.0.23.2  1428      1145.5 3
Fa1/0  173.100.6.2   Fa0/0  10.0.227.12  6        40  0    2210  19      /30    180   19      /24    15    10.0.23.2  1040      24.5   14
2. Expiration
• Inactive timer expired (15 sec is the default)
• Active timer expired (30 min, 1800 sec, is the default)
• NetFlow cache is full (oldest flows are expired)
• RST or FIN TCP flag
Expired flow:
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11       80  10   11000 00A2    /24    5     00A2    /24    15    10.0.23.2  1528      1800   4
3. Aggregation (yes/no), e.g. the protocol-port aggregation scheme; the flow becomes:
Protocol  Pkts   SrcPort  DstPort  Bytes/Pkt
11        11000  00A2     00A2     1528
4. Export version: non-aggregated flows use export version 5 or 9; aggregated flows use export version 8 or 9
5. Transport protocol: the export packet is a header followed by the payload (flows)
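A minimal software NetFlow cache keyed on the seven fields from the previous slide and applying the four expiry rules from this one, as an added worked example (not code from the deck or from Cisco IOS). The timer values are the IOS defaults quoted above; the traffic is constructed, the cache size of three entries is an assumption chosen so that the "cache full" rule fires, and the export record format is simplified to what the example needs:

```python
from collections import OrderedDict
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15      # seconds, IOS default quoted on the slide
ACTIVE_TIMEOUT = 1800      # seconds (30 min), IOS default quoted on the slide
TCP, UDP = 6, 17
TCP_FIN, TCP_RST = 0x01, 0x04


@dataclass(frozen=True)
class FlowKey:
    """The seven NetFlow key fields."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    tos: int
    in_ifindex: int


@dataclass
class Flow:
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0


class NetFlowCache:
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.cache = OrderedDict()   # FlowKey -> Flow, creation order (oldest first)
        self.exported = []           # (reason, src_ip, packets, octets)

    def _expire(self, key, reason):
        f = self.cache.pop(key)
        self.exported.append((reason, key.src_ip, f.packets, f.octets))

    def age(self, now):
        """Timer-based expiry: idle flows first, then flows that have run too long."""
        for key, f in list(self.cache.items()):
            if now - f.last >= INACTIVE_TIMEOUT:
                self._expire(key, "inactive")
            elif now - f.first >= ACTIVE_TIMEOUT:
                self._expire(key, "active")

    def packet(self, now, key, length, tcp_flags=0):
        self.age(now)
        f = self.cache.get(key)
        if f is None:
            if len(self.cache) >= self.max_entries:
                self._expire(next(iter(self.cache)), "cache full")   # oldest entry goes
            f = self.cache[key] = Flow(first=now, last=now)
        f.last, f.packets, f.octets = now, f.packets + 1, f.octets + length
        f.tcp_flags |= tcp_flags
        if key.proto == TCP and tcp_flags & (TCP_FIN | TCP_RST):
            self._expire(key, "fin/rst")                          # connection teardown


def demo():
    """Constructed traffic (assumed addresses) that exercises all four expiry rules."""
    c = NetFlowCache(max_entries=3)
    snmp = FlowKey("173.100.21.2", "10.0.227.12", 162, 162, UDP, 0x80, 1)
    web = FlowKey("173.100.3.2", "10.0.227.12", 1025, 80, TCP, 0x40, 1)
    bulk = FlowKey("173.100.6.2", "10.0.227.12", 2210, 19, TCP, 0x40, 1)
    scans = [FlowKey("10.1.1.1", f"10.0.227.{h}", 40000 + h, 445, TCP, 0, 1) for h in (1, 2, 3)]
    c.packet(0.0, snmp, 1528)
    c.packet(0.5, web, 60, 0x02)          # SYN
    c.packet(1.0, snmp, 1528)
    c.packet(2.0, snmp, 1528)
    c.packet(3.0, web, 740, 0x18)         # PSH|ACK
    c.packet(5.0, web, 60, 0x11)          # FIN|ACK: exported at once
    c.packet(10.0, bulk, 1040)
    c.packet(18.0, scans[0], 60, 0x02)    # ageing here expires snmp (idle 16 s)
    c.packet(19.0, scans[1], 60, 0x02)
    c.packet(20.0, scans[2], 60, 0x02)    # cache full: oldest entry (bulk) exported
    for t in range(30, 1831, 10):         # bulk returns and never goes idle, so the
        c.packet(float(t), bulk, 1040)    # active timer exports it at t = 1830
    return c.exported
```

Worth noting for anyone consuming the export: a single long transfer shows up as several records split at the active timer, and the "cache full" rule means a flood of one-packet flows (the scan keys above) evicts legitimate flows early and fragments their accounting. Both effects are visible in the reason list `demo()` returns.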

Principal NetFlow Benefits
Service provider:
• Traffic engineering
• Accounting and billing
• Security monitoring
• Peering arrangements
• Network planning
Enterprise:
• Internet access monitoring (protocol distribution, where traffic is going and coming from)
• User monitoring
• Application monitoring
• Charge-back billing for departments
• Security monitoring

Tracking Users
• Who are the top users?
• How long are the users on the network?
• What Internet sites do they use?
• Where do the users go on the network?
• What percentage of traffic do they use?
• What applications do they use?
• What are the user usage patterns?

NetFlow for Security: Flow Information Helps Mitigate Attacks
• Identify the attack
  Count the flows
  Inactive flows signal a worm attack (a scanning worm creates many one- or two-packet flows that never complete and age out on the inactive timer)
• Classify the attack
  Small flows to the same destination
  What is being attacked and where the attack originates
• Key partners: Arbor Networks, Protego, NetQoS, Adlex
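The two detections the slide describes, counting small flows per source and small flows converging on one destination, run over constructed flow records as an added worked example (not code from the deck or from any of the partners named). The record layout, thresholds and addresses are assumptions for the example; a collector would feed it expired flows from the cache:

```python
from collections import defaultdict

SYN = 0x02
TCP = 6


def flow(src, dst, dport, pkts, octets, flags=0, proto=TCP):
    """One exported flow record (simplified: only the fields the detections need)."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto,
            "pkts": pkts, "octets": octets, "flags": flags}


def sample_flows():
    """Constructed records: three normal sessions, a host sweeping port 445 across
    a /24, and a SYN flood from 40 sources against one web server."""
    normal = [flow("173.100.21.2", "10.0.227.12", 80, 35, 41000, 0x1b),
              flow("173.100.3.2", "10.0.227.12", 443, 120, 150000, 0x1b),
              flow("173.100.6.2", "10.0.227.12", 22, 2210, 2300000, 0x18)]
    sweep = [flow("10.1.1.1", f"10.0.227.{h}", 445, 1, 60, SYN) for h in range(1, 21)]
    flood = [flow(f"198.51.100.{h}", "10.0.227.12", 80, 1, 60, SYN) for h in range(1, 41)]
    return normal + sweep + flood


def is_small(f, max_pkts=2):
    """'Small' flows: one or two packets, the shape of an unanswered probe."""
    return f["pkts"] <= max_pkts


def scanning_sources(flows, min_targets=10):
    """Sources whose small flows fan out to many distinct (destination, port) pairs."""
    targets = defaultdict(set)
    for f in flows:
        if is_small(f):
            targets[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def flooded_targets(flows, min_sources=10):
    """(destination, port) pairs receiving SYN-only small flows from many sources."""
    sources = defaultdict(set)
    for f in flows:
        if is_small(f) and f["proto"] == TCP and f["flags"] == SYN:
            sources[(f["dst"], f["dport"])].add(f["src"])
    return {t: len(s) for t, s in sources.items() if len(s) >= min_sources}


def top_talkers(flows, n=2):
    """Byte volume per source, for the capacity-planning view of the same data."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
```

Both detections work on flow counts and cardinality, not payload, which is why they hold up against encrypted traffic and why they miss a slow scan that stays under the threshold per collection interval; in practice the thresholds are set from a baseline of the network's normal fan-out rather than the fixed values assumed here.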

Capacity Planning
• Capacity planning is the process of determining the network resources required to prevent a performance or availability impact on business-critical applications
• Key areas to monitor
  Application usage: identify which applications consume bandwidth
  Who are the top ten nodes that consume bandwidth
• Output data circuit forecasts
• Current network utilization and capacity being used

Billing
• IP accounting and billing
• Usage-based billing considerations
  Time of day
  Within or outside of the network
  Application
  Distance-based
  Quality of Service (QoS) / Class of Service (CoS)
  Bandwidth usage
  Transit or peer
  Data transferred
  Traffic class

How Cisco IT Uses NetFlow
• Characterize IP traffic and account for how and where it flows
Results:
• Total avoidance of the SQL Slammer worm
• Transition from managed DSL service to Internet VPN
• Detection of unauthorized WAN traffic
• Reduction in peak WAN traffic
• Validation of QoS parameters and bandwidth allocation
• Analysis of VPN traffic and telecommuter behavior
• Calculating total cost of ownership for applications
Use of NetFlow, NMS and usage:
• Security monitoring: network traffic analysis by application with BGP, anomaly detection with Arbor Networks
• WAN aggregation and edge: network traffic analysis by application for capacity planning, using NetQoS
• Core routers and NAT gateway: collection of historical data, useful for forensics and diagnostics, with Flow-Tools

Comprehensive Hardware Support
Enterprise and Aggregation/Edge, and Core (Cisco IOS Software Release 12.2S): Cisco 7200 Series, Cisco 7300 Series, Cisco Catalyst 6500 Series (ASIC), Cisco 7600 Series (ASIC), Cisco 10000 Series, Cisco 4500 Series (ASIC); Release 12.0S: Cisco 12000 Series (ASIC)
Access (Cisco IOS Software Releases 12.3T and 12.4): Cisco 800, Cisco 1700 Series, Cisco 2600 Series, Cisco 3700 Series, Cisco 7200/7300 Series

NetFlow Versions
Version  Comments
1        Original
5        Standard and most common
7        Specific to Cisco Catalyst 6500 and 7600 Series switches; similar to version 5, but does not include AS, interface, TCP flag and TOS information
8        Choice of eleven aggregation schemes; reduces resource usage
9        Flexible, extensible export format to enable easier support of additional fields and technologies; coming out now: MPLS, multicast and BGP next hop
Cisco Catalyst 6500 Series will support versions 5 and 8 in Cisco IOS Software Release 12.1(13)E

Version 5 Flow Export Format
Usage: packet count, byte count
From/to: source IP address, destination IP address
Time of day: start sysUpTime, end sysUpTime
Application: source TCP/UDP port, destination TCP/UDP port
Port utilization: input ifIndex, output ifIndex
QoS: type of service, TCP flags, protocol
Routing and peering: next hop address, source AS number, destination AS number, source prefix mask, destination prefix mask
Version 5 is used extensively today
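The version 5 record laid out above is a fixed 48-byte structure behind a 24-byte header, so it can be packed and parsed directly; the following is an added worked example (not code from the deck or from a Cisco collector) that builds an export packet from the fields listed and validates it on the way back in. The two sample flows reuse values from the cache slide, and the helper names, timestamps and interface indexes are assumptions for the example:

```python
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
MAX_RECORDS = 30                                     # 24 + 30 * 48 = 1464 bytes per packet

# record fields in wire order; pad1/pad2 are always zero
FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "pkts", "octets", "first", "last",
          "sport", "dport", "pad1", "tcp_flags", "proto", "tos", "src_as", "dst_as",
          "src_mask", "dst_mask", "pad2")
ADDRESSES, PADS = ("src", "dst", "nexthop"), ("pad1", "pad2")


def build_v5(records, flow_sequence, sys_uptime_ms, unix_secs, sampling_interval=0):
    """Pack a v5 export packet; flow_sequence is the exporter's running flow count."""
    if not 0 < len(records) <= MAX_RECORDS:
        raise ValueError("a v5 packet carries 1..30 records")
    header = V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, 0,
                            flow_sequence, 0, 0, sampling_interval)
    body = b"".join(
        V5_RECORD.pack(*[socket.inet_aton(r[f]) if f in ADDRESSES else (0 if f in PADS else r[f])
                         for f in FIELDS])
        for r in records)
    return header + body


def parse_v5(data):
    """Parse a v5 packet. Version, count and total length are checked before any
    record is decoded: a collector reads these off an unauthenticated UDP socket."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, uptime, secs, _nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not v5: version {version}")
    if not 0 < count <= MAX_RECORDS or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match packet length")
    records = []
    for i in range(count):
        rec = dict(zip(FIELDS, V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)))
        for f in ADDRESSES:
            rec[f] = socket.inet_ntoa(rec[f])
        for f in PADS:
            del rec[f]
        records.append(rec)
    return {"flow_sequence": seq, "sys_uptime_ms": uptime, "unix_secs": secs,
            "engine": (etype, eid), "sampling_interval": sampling, "records": records}


def is_wellformed(data):
    try:
        parse_v5(data)
        return True
    except ValueError:
        return False


def missing_flows(expected_sequence, parsed):
    """v5 sequence numbers count flows, not packets: a jump means export was lost."""
    return parsed["flow_sequence"] - expected_sequence


def sample_records():
    """Two constructed flows built from values on the cache slide (other fields assumed)."""
    return [
        dict(src="173.100.21.2", dst="10.0.227.12", nexthop="10.0.23.2", in_if=1, out_if=2,
             pkts=11000, octets=11000 * 1528, first=1000, last=1746000,
             sport=0xA2, dport=0xA2, tcp_flags=0x10, proto=17, tos=0x80,
             src_as=5, dst_as=15, src_mask=24, dst_mask=24),
        dict(src="173.100.3.2", dst="10.0.227.12", nexthop="10.0.23.2", in_if=1, out_if=2,
             pkts=2491, octets=2491 * 740, first=5000, last=46500,
             sport=15, dport=15, tcp_flags=0x00, proto=6, tos=0x40,
             src_as=196, dst_as=15, src_mask=26, dst_mask=24),
    ]
```

The length check matters more than it looks: v5 has no checksum or authentication of its own, so a collector that trusts the count field and reads past the datagram, or that accepts a spoofed exporter address, is the weak point of the accounting and billing uses listed earlier. Restricting the collector to known exporter addresses and tracking `flow_sequence` per exporter is the minimum.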

Why a New Version 9?
• Fixed export formats are not flexible and adaptable
• With each new version Cisco creates new export fields
• Partners need to re-engineer for each new version
Solution: build a flexible and extensible export format called version 9

NetFlow v9 Export Packet
To support technologies such as MPLS or multicast, this export format can be leveraged to easily insert new fields
Packet layout (diagram): Header (version, # packets, sequence #, source ID); Template FlowSet containing Template Records (Template ID #1, Template ID #2: specific field types and lengths); Data FlowSet ID #1 with Data Records (field values) for flows from interface A; Data FlowSet ID #2 with Data Records for flows from interface B; Option Template FlowSet (Template ID, specific field types and lengths); Option Data FlowSet with Option Data Records (field values)
• Matching ID numbers are the way to associate a template with its data records
• The header follows the same format as prior NetFlow versions, so collectors will be backward compatible
• Each data record represents one flow
• If exported flows have the same fields, they can be contained in the same template record (i.e. unicast traffic can be combined with multicast records)
• If exported flows have different fields, they cannot be contained in the same template record (i.e. BGP next-hop cannot be combined with MPLS-aware NetFlow records)
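The template-then-data mechanism above, as an added worked example (not code from the deck, from Cisco IOS or from any collector): a small exporter side that builds a Template FlowSet and a Data FlowSet, and a collector side that keeps templates per source ID, decodes data only once the matching template has arrived, and refuses lengths that run past the datagram. Field type codes are the ones RFC 3954 assigns; the template ID, source ID, sample flow and helper names are assumptions for the example:

```python
import socket
import struct

V9_HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unixSecs, sequence, sourceId
SET_HEADER = struct.Struct("!HH")      # flowSetId, length in bytes (header included)
TEMPLATE_SET, OPTIONS_TEMPLATE_SET = 0, 1   # data FlowSets carry their template ID (>= 256)

# field type codes from RFC 3954 section 8 (the subset this example uses)
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}


def template_set(template_id, fields):
    """Template FlowSet: the (type, length) list that gives Data Records their shape."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return SET_HEADER.pack(TEMPLATE_SET, SET_HEADER.size + len(body)) + body


def data_set(template_id, fields, rows):
    """Data FlowSet: one record per row, each value packed at the template's length."""
    body = b""
    for row in rows:
        for t, l in fields:
            v = row[t]
            body += socket.inet_aton(v) if isinstance(v, str) else v.to_bytes(l, "big")
    pad = (-len(body)) % 4                        # records are padded to a 32-bit boundary
    return SET_HEADER.pack(template_id, SET_HEADER.size + len(body) + pad) + body + bytes(pad)


def v9_packet(flowsets, sequence, source_id):
    return V9_HEADER.pack(9, len(flowsets), 0, 0, sequence, source_id) + b"".join(flowsets)


class V9Collector:
    """Templates are scoped by (source ID, template ID); data that arrives before its
    template is dropped, never guessed at, and wire lengths are bounds-checked."""

    def __init__(self):
        self.templates = {}
        self.dropped = 0            # data FlowSets seen without a known template

    def ingest(self, packet):
        version, _count, _up, _secs, _seq, source_id = V9_HEADER.unpack_from(packet)
        if version != 9:
            raise ValueError(f"not a v9 packet: version {version}")
        records, off = [], V9_HEADER.size
        while off + SET_HEADER.size <= len(packet):
            set_id, length = SET_HEADER.unpack_from(packet, off)
            if length < SET_HEADER.size or off + length > len(packet):
                raise ValueError("FlowSet length runs past the packet")
            body = packet[off + SET_HEADER.size:off + length]
            if set_id == TEMPLATE_SET:
                self._learn(source_id, body)
            elif set_id != OPTIONS_TEMPLATE_SET:      # option templates out of scope here
                records += self._decode(source_id, set_id, body)
            off += length
        return records

    def _learn(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, n = struct.unpack_from("!HH", body, off)
            if tid == 0 and n == 0:
                break                                  # trailing padding
            if tid < 256 or n == 0 or off + 4 + 4 * n > len(body):
                raise ValueError(f"invalid template {tid}")
            fields = [struct.unpack_from("!HH", body, off + 4 + 4 * i) for i in range(n)]
            if any(l == 0 for _, l in fields):
                raise ValueError(f"zero-length field in template {tid}")
            self.templates[(source_id, tid)] = fields
            off += 4 + 4 * n

    def _decode(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.dropped += 1
            return []
        size, out, off = sum(l for _, l in fields), [], 0
        while off + size <= len(body):                 # whatever is left (< size) is padding
            rec = {}
            for t, l in fields:
                raw, off = body[off:off + l], off + l
                name = FIELD_NAMES.get(t, f"type_{t}")
                rec[name] = (socket.inet_ntoa(raw) if name.endswith("ADDR") and l == 4
                             else int.from_bytes(raw, "big"))
            out.append(rec)
        return out


def is_valid_v9(packet):
    try:
        V9Collector().ingest(packet)
        return True
    except (ValueError, struct.error):
        return False


# constructed export (assumed template/source IDs) carrying the SNMP flow from the cache slide
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]
ROWS = [{8: "173.100.21.2", 12: "10.0.227.12", 7: 162, 11: 162, 4: 17, 2: 11000, 1: 16808000}]
DATA_ONLY = v9_packet([data_set(256, FIELDS, ROWS)], sequence=1, source_id=7)
WITH_TEMPLATE = v9_packet([template_set(256, FIELDS), data_set(256, FIELDS, ROWS)], sequence=2, source_id=7)
```

Two consequences of the design show up in the collector: a Data FlowSet that arrives before its template (routers resend templates only periodically) is unreadable and must be held or dropped, and a template can only be trusted from the exporter that sent it, so the cache is keyed by source ID as well as template ID; a spoofed template with different field lengths would otherwise redefine how genuine records from that exporter are parsed.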

NetFlow v9 and IETF
• Internet Protocol Flow Information eXport (IPFIX) is an IETF working group: www.ietf.org/html.charters/ipfix-charter.html
• NetFlow version 9 is the basis for the standard in the IETF
• Standards track, NetFlow version 9 (new): http://www.ietf.org/internet-drafts/draft-ietf-ipfix-protocol-05.txt

IETF: Packet SAMPling WG (PSAMP)
• PSAMP web site for the charter, email archive, drafts, etc.: psamp.ccrle.nec.de/
• Agreed to use IPFIX as the export protocol if suitable for PSAMP; to be improved: the variable-length data type (new)
• Note: NetFlow is already using some sampling mechanisms


NetFlow Partners

[Slide of partner logos, grouped by use case: Traffic Analysis, Flow-Tools, Denial of Service, Billing.]


Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router

• Hybrid: Cisco Catalyst OS on the PFC/supervisor and Cisco IOS software on the MSFC
• Native Cisco IOS Software: the PFC/supervisor and the MSFC both run a single bundled Cisco IOS software image
• Export is centrally via the supervisor and MSFC; each linecard has its own hardware NetFlow cache and forwarding table, i.e. a distributed platform

NetFlow export versions by component (table garbled in extraction; only cells whose position is unambiguous are placed):

  Component | Hybrid | Native 12.1E | Native 12.2SX
  MSFCx     | v5 / v5, v8* (column split unclear in source)
  Sup1a     | v7, v8 | v7 | N/A
  Sup2      | v7, v8 | v5, v7, v8 | v5, v7, v8
  Sup720    | row not recoverable; remaining slide fragments: "v5, v7, v8", "*No ... NetFlow Support on MSFC with ... Sup1a v7"


Cisco Catalyst 6500 and Cisco 7600 Series Versions and Features

• Cisco IOS Software Release 12.1(13)E1
  PFC2 source/destination interface information (Hybrid 6.3(6))
  PFC2 source/destination AS information
  PFC2 support for v5 NetFlow data export (Hybrid 7.5(1))
  IP next hop
  Sampled NetFlow is available on the PFC in Cisco IOS
• Cisco IOS Software Release 12.2(14)SX
  Version 8 in native mode
  PFC3b (Sup720) cards
  ToS byte
• Hybrid Catalyst OS 7.2(1)
  L2 switched traffic (VLAN x to VLAN y) support (doesn't require the MSFC)
• Hybrid Catalyst OS 7.3(1)
  Destination and source ifIndex enabled by default


Cisco Catalyst 4000 Supervisor IV NetFlow Services Card

NetFlow Services Card features:
• NetFlow statistics collection and Data Export (NDE)
• VLAN statistics collection
• CLI support for NetFlow and VLAN stats
• SNMP support for VLAN stats

Requirements:
• Supervisor IV or V
• IOS 12.1(13)EW
• NetFlow versions 1 and 5; version 8 with IOS 12.1(19)EW


NetFlow Features Supported with Version 9

• Multicast NetFlow (availability: major releases 12.3(1) and 12.2(18)S)
  Ingress: accounting of replicated multicast packets
  Egress: per-user accounting of multicast packets
• MPLS-Aware NetFlow (availability: Release 12.0(26)S)
  Label and prefix export information
• BGP Next Hop (availability: Releases 12.0(26)S, 12.2(18)S, and 12.3)
  Edge-to-edge traffic matrix
  BGP traffic destination information
• NetFlow for IPv6 (availability: Release 12.3(7)T)
  Export IPv6 source and destination information


NetFlow Product Update

• Sampled NetFlow (availability: Releases 12.0(26)S, 12.3(2)T, and 12.2(18)S)
  Random sampling of packets per flow with reduced CPU
• NetFlow MIB (availability: Releases 12.3(7)T and 12.2(25)S)
  Top N Talkers in the MIB
  NetFlow configuration using the MIB
• Input Flow Filters (availability: Releases 12.3(7)T, 12.2(25)S)
  QoS MQC based filtering of traffic entering NetFlow
• Egress NetFlow (availability: Release 12.3(11)T; 12.2(Rls 6)S in Q1 CY05)
  Accounting for egress IP flows


Random Sampled NetFlow

• Capacity planning may not need every packet per flow
• Sampling on high speed interfaces will reduce CPU consumption
• Random (select packets to export per statistical principles)

Cisco IOS Software Releases 12.0(26)S, 12.2(18)S, and 12.3(1)T:
  Cisco 800, 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200, and 7500 Series Routers: random sampling
  Cisco 12000 Series: random sampling in 12.0(28)S; deterministic sampling today
  Cisco Catalyst 6500 Series: random and time-based sampling, 12.1(13)E


NetFlow MIB

• Currently available in Release 12.3(7)T
• NetFlow information available using SNMP, without NetFlow export
• Administration of NetFlow using the MIB interface
• The NetFlow MIB cannot be used to retrieve all flow information, but it is very useful for security monitoring and for locations where export is not possible
  Example objects available: packet size distribution, number of bytes exported per second, number of flows

NetFlow MIB with export of Top N Talkers
• Top N Talkers: top N flows based on various NetFlow field values (AS number, destination, ports, ...)
  MIB and CLI support: 12.2(25)S and 12.3(11)T


Input Flow Mask Filters

• Prevent flows from entering the NetFlow cache by using a flow filter
• Increase scalability and decrease CPU usage
• Filters are based on QoS MQC CLI class maps
• Users can use an ACL to match flows from a certain port or source
• Define a traffic class (match ACL) and flow sampling per match
  Releases 12.0(27)S, 12.3(4)T, 12.2(25)S

[Figure: packets pass through a traffic filter; the high-importance class samples 1:1 from Server B, the low-importance class samples 1:100 from Subnet A.]
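The classify-then-sample pipeline on this slide, together with the random sampling slide before it, as one added example that is not Cisco code (the class names, address ranges and sampling rates are assumptions modelled on the figure): a Python simulation in which each packet is matched against ordered classes, sampled 1-in-N with an independent random decision per packet, and the cached counters are scaled back by the sampling rate to estimate the true totals. The last function quantifies the failure mode that matters for security monitoring: a flow shorter than N packets is mostly invisible at 1:N, so a host in Subnet A that sends five packets to each of many targets is seen only about 5% of the time, which is why the figure keeps 1:1 for the source that matters.

```python
import random
import ipaddress
from collections import defaultdict

# Hypothetical traffic classes modelled on the figure (addresses assumed): full
# accounting for Server B, 1-in-100 random sampling for Subnet A. Anything that
# matches no class never enters the cache, which is the filtering the slide describes.
CLASSES = [
    ("high-importance", ipaddress.ip_network("10.0.0.50/32"), 1),
    ("low-importance", ipaddress.ip_network("10.1.0.0/16"), 100),
]


def classify(src):
    """First matching class wins, like an ordered ACL; None means 'not accounted'."""
    ip = ipaddress.ip_address(src)
    for name, net, rate in CLASSES:
        if ip in net:
            return name, rate
    return None


class SampledFlowCache:
    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.flows = defaultdict(lambda: {"class": None, "rate": 1, "pkts": 0, "bytes": 0})

    def observe(self, src, dst, dport, size):
        """Classify one packet, then sample it 1-in-N; return True if it was cached."""
        cls = classify(src)
        if cls is None:
            return False
        name, rate = cls
        if self.rng.randrange(rate) != 0:   # independent random decision per packet
            return False
        f = self.flows[(src, dst, dport)]
        f["class"], f["rate"] = name, rate
        f["pkts"] += 1
        f["bytes"] += size
        return True

    def class_totals(self):
        """Scale cached counters by the sampling rate: estimated pkts, bytes, flows seen."""
        totals = defaultdict(lambda: {"pkts": 0, "bytes": 0, "flows": 0})
        for f in self.flows.values():
            t = totals[f["class"]]
            t["pkts"] += f["pkts"] * f["rate"]
            t["bytes"] += f["bytes"] * f["rate"]
            t["flows"] += 1
        return dict(totals)


def detection_probability(pkts, rate):
    """Chance that a flow of `pkts` packets is seen at all under 1-in-`rate` sampling."""
    return 1 - (1 - 1 / rate) ** pkts


def simulate():
    """Constructed traffic: Server B, 100 Subnet A hosts, and one unclassified host."""
    cache = SampledFlowCache(seed=7)
    for _ in range(200):                                   # Server B: 200 x 1000 B
        cache.observe("10.0.0.50", "192.0.2.10", 443, 1000)
    for host in range(1, 101):                             # Subnet A: 100 hosts x 500 pkts x 500 B
        for _ in range(500):
            cache.observe(f"10.1.7.{host}", "192.0.2.10", 80, 500)
    for _ in range(1000):                                  # matches no class: never cached
        cache.observe("172.16.9.9", "192.0.2.10", 80, 60)
    return cache.class_totals()
```

simulate() returns exact counters for Server B (200 packets, 200000 bytes, one flow), an estimate for Subnet A that lands near 50000 packets but varies run to run with the seed, and nothing at all for the unclassified host; detection_probability(5, 100) is about 0.049, while a 500-packet flow is seen with better than 99% probability.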


Egress NetFlow Accounting

[Figure: NetFlow Egress and Ingress. Two PE routers across an IP or MPLS network, with IP servers behind one PE; NetFlow Ingress on one PE and NetFlow Egress on the other.]

Releases 12.3(7)T, 12.2(25)S


Flexible NetFlow and Flexible Accounting

• Flexible NetFlow and Flexible Accounting will replace most static accounting technologies available today
  Flexible NetFlow: user-defined flow keys and export fields within NetFlow
  Flexible Accounting: user-defined permanent flows with periodic export, accounting for the defined flows over time; the data can be polled through a MIB
  Flow Groups: user-defined buckets for specific flow field values
  Example: show me packets and bytes from 1.1 to 2.2 on port 21


SCTP Reliable Transport

• Flows may be sent in reliable, unreliable or partial mode
• SCTP connection to the collector, with multiple streams per connection
• Supported with Version 9; templates may be sent reliably
• Congestion awareness, retransmission and queuing
  Releases 12.4(2nd)T, 12.2S(Rls 7)

[Figure: data for export is placed in a send queue feeding an SCTP stream to the collector; under congestion, packets marked unreliable are potentially dropped.]


NetFlow Security Enhancement

Releases 12.4(1st)T, Q2 CY05
• New show commands to understand and parse NetFlow data
  For example, show flows on port X to destination Y:
  show ip flow top <N> <aggregate-field> <sort-criteria> <match-criteria>
  show ip flow top 10 destination-address packets interface ser0 port-range 100 to 135
• New flow export fields including source MAC, TTL, packet length, ICMP type, and more
• Also will be available in 12.2(Rls 7)S
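The show ip flow top command on this slide and the Flow Groups example on the Flexible NetFlow slide (packets and bytes from one host to another on port 21), as one added example that is not part of the deck or of Cisco IOS: a Python aggregation over a constructed flow cache with user-defined key fields, a sort criterion, a match predicate, and a distinct-source count that turns the same data into a fan-in view for spotting scans and floods. The addresses, interface names and counters in SAMPLE are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    pkts: int
    octets: int
    in_if: str


# Constructed flow cache: two busy web flows and two RPC-range flows on Serial0,
# one flow on another interface, one FTP control flow, and ten sources sending
# two packets each to the web server (the fan-in shape of a scan or SYN flood).
SAMPLE = [
    Flow("10.1.1.5", "192.0.2.10", 40000, 80, 6, 500, 400000, "Serial0"),
    Flow("10.1.1.6", "192.0.2.10", 40001, 80, 6, 300, 240000, "Serial0"),
    Flow("10.1.1.7", "192.0.2.20", 40002, 111, 6, 40, 3200, "Serial0"),
    Flow("10.1.1.8", "192.0.2.20", 40003, 135, 6, 60, 4800, "Serial0"),
    Flow("10.1.1.9", "192.0.2.30", 40004, 119, 6, 900, 90000, "Ethernet0"),
    Flow("10.1.1.5", "192.0.2.40", 40005, 21, 6, 12, 1800, "Serial0"),
] + [Flow(f"198.51.100.{i}", "192.0.2.10", 50000 + i, 80, 6, 2, 96, "Serial0")
     for i in range(1, 11)]


def aggregate(flows, key_fields, match=None):
    """Bucket flows by user-defined key fields (flexible flow keys) after filtering."""
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0, "sources": set()})
    for f in flows:
        if match is not None and not match(f):
            continue
        b = buckets[tuple(getattr(f, name) for name in key_fields)]
        b["packets"] += f.pkts
        b["bytes"] += f.octets
        b["flows"] += 1
        b["sources"].add(f.src)
    return buckets


def top_n(flows, n, key_fields, sort_by, match=None):
    """Rank buckets the way 'show ip flow top <N> <aggregate-field> <sort-criteria>' would."""
    def metric(b):
        return len(b["sources"]) if sort_by == "sources" else b[sort_by]
    ranked = sorted(aggregate(flows, key_fields, match).items(),
                    key=lambda kv: metric(kv[1]), reverse=True)
    return [(key, metric(b)) for key, b in ranked[:n]]


def demo():
    # Slide example: top 10 destination addresses by packets on Serial0, dport 100-135
    rpc = top_n(SAMPLE, 10, ("dst",), "packets",
                match=lambda f: f.in_if == "Serial0" and 100 <= f.dport <= 135)
    # Flow Group example: packets and bytes from 10.1.1.5 to 192.0.2.40 on port 21
    grp = aggregate(SAMPLE, ("src", "dst", "dport"),
                    match=lambda f: f.src == "10.1.1.5" and f.dst == "192.0.2.40" and f.dport == 21)
    ftp = grp[("10.1.1.5", "192.0.2.40", 21)]
    # Security view: destinations ranked by distinct sources exposes the fan-in
    fanin = top_n(SAMPLE, 3, ("dst",), "sources")
    return rpc, (ftp["packets"], ftp["bytes"]), fanin
```

demo() returns the port-range query (only 192.0.2.20 qualifies, with 100 packets; the 900-packet flow on Ethernet0 is excluded by the interface match), the flow-group counters (12 packets, 1800 bytes), and the fan-in ranking, where 192.0.2.10 stands out with twelve distinct sources even though most of them sent only two packets each.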


Upcoming New Features: NetFlow Product Update

• NetFlow Security Enhancements (Q2 CY2005): new exports and show commands for security monitoring
• Flexible NetFlow and Accounting (Q3 CY2005): allow user-defined flow keys and aggregation with v9
• Reliable and Congestion Aware Export (Q2 CY2005): SCTP protocol NetFlow export
• NBAR and NetFlow Integration (Radar): application flow information export


NetFlow Roadmap: Enhancing Cisco technologies with Flow Accounting

[Figure: timeline from Nov 2003 to Mar 2005 with three tracks: Scalability & Flexibility; Optimizing data for Flow processing; Standardization. Items and release targets as labelled on the slide (the grouping of items to targets is partly lost in extraction):
• Input Filter: targeting 12.3(2)T, 12.0(27)S, 12.3(Rls 2)T and 12.2(Rls 6)S
• NetFlow MIB & Top Talker
• NetFlow IPv6
• Egress NetFlow: targeting 12.3(11)T and 12.2(25)S
• Flexible Flow Definition, Reliable Export, Security Exports, MIB Phase 2: targeting 12.4(Rls 1)T and 12.2(Rls 7)S]
