Cisco Application Visibility and Control Solution Guide for IOS XE Release 3.8
Technical Overview
Downloads: This chapterpdf (PDF - 476.0KB) The complete bookPDF (PDF - 1.73MB) | Feedback

Technology Overview

Table Of Contents

Technology Overview

Overview

AVC Features and Capabilities

AVC Architecture

NBAR2

Metric Mediation Agent

Metric Providers

Flexible NetFlow

QoS

Embedded Packet Capture

Common Flow Table

Cisco Management and Reporting System: Cisco Prime Infrastructure

Interoperability of AVC with other Services

Interoperability with AppNav WAAS

Attachment to a WAAS-Enabled Interface

Application Recognition on Optimized Traffic

Reported Input/Output Interfaces

Interoperability with NAT and VRF

Major External Interfaces

New Exported Fields

DPI/L7 Extracted Fields

Fields that Require Records Punt to the Route Processor


Technology Overview


Revised: February 6, 2013, OL-27969-02

This overview of AVC technology includes the following topics:

Overview

AVC Features and Capabilities

AVC Architecture

Interoperability of AVC with other Services

Major External Interfaces

Overview

The Cisco Application Visibility and Control (AVC) solution leverages multiple technologies to recognize, analyze, and control over 1000 applications, including voice and video, email, file sharing, gaming, peer-to-peer (P2P), and cloud-based applications. AVC combines several Cisco IOS XE components, as well as communicating with external tools, to integrate the following functions into a powerful solution.

Application Recognition

Operating on Cisco ASR 1000 routers, NBAR2 utilizes innovative deep packet inspection (DPI) technology to identify a wide variety of applications within the network traffic flow, using L3 to L7 data.

NBAR2 can monitor over 1000 applications, and supports Protocol Pack updates for expanding application recognition, without requiring IOS upgrade or router reload.

Metrics Collection and Exporting

Metric providers, an embedded monitoring agent, and Flexible NetFlow combine to provide a wide variety of network metrics data. The monitoring agent collects:

TCP performance metrics such as bandwidth usage, response time, and latency.

RTP performance metrics such as packet loss and jitter.

Performance metrics can be measured at multiple points within the router.

Metrics are aggregated and exported in NetFlow v9 or IPFIX format to a management and reporting package. Metrics records are sent out directly from the data plane when possible, to maximize system performance. However, if more complex processing is required on the router, such as if the user requests that the router keep a history of exported records, the records may be exported from the route processor at a lower speed.

Management and Reporting Systems

Management and reporting systems, such as Cisco Prime Infrastructure or third-party tools, receive the network metrics data in Netflow v9 or IPFIX format, and provide a wide variety of system management and reporting functions. These functions include configuring metrics reporting, creating application and network performance reports, system provisioning, configuring alerts, and assisting in troubleshooting.

Using the Cisco Prime Infrastructure management console, an administrator can configure each router in the network remotely by a GUI.

Control

Administrators can use industry-leading Quality of Service (QoS) capabilities to control application prioritization, manage application bandwidth, and so on. Cisco QoS employs the same deep packet inspection (DPI) technology used by NBAR2, to enable Cisco ASR 1000 routers to reprioritize critical applications and enforce application bandwidth use.

Figure 2-1 provides a high level overview the functions of the Cisco AVC solution.

Figure 2-1 Functional overview of the Cisco AVC solution

AVC Features and Capabilities

The Cisco AVC solution for IOS XE 3.8 includes enhancements to existing components, as well as new features.

Existing/Enhanced Features

Application Recognition—Network Based Application Recognition 2 (NBAR2) provides application recognition.

Medianet Flow Metadata—In addition to application recognition by NBAR2, media traffic can be identified by the Medianet Flow Metadata technology, using information passed from media end-points by the Resource Reservation Protocol (RSVP) channel.

Traffic Filtering—A policy-map defined in Cisco Common Classification Policy Language (C3PL) filters the traffic to be reported. The traffic filters operate exclusively of other types of policy-maps employed in the system.

Media Monitoring—Media performance metrics are provided by the Medianet technology.

Accounting:

Accounting of all metrics performed by Flexible NetFlow (FNF) and the IPFIX exporter.

Multiple parallel monitors with overlapping data for the same traffic permitted.

Flexible record keys provide different aggregation schemes for different traffic types.

New AVC Features in IOS XE 3.8

The following are new features in IOS XE 3.8:

Unified Solution—Unifies the technologies of several reporting/control solutions. AVC technologies include the configuration mechanism, metrics, and reports of such components as TCP performance, Medianet, and so on.

Infrastructure Enhancements—A common infrastructure, Metric Mediation Agent (MMA) enables adding stateful and derived parameters with dynamic registration. The infrastructure provides aggregation of connections, history, and alarms from the route processor at a lower speed than the data path export.

TCP Performance Metrics—This release adds several TCP performance measurements for traffic performance reporting.

Interoperability with AppNav—AppNav is the Wide Area Application Services (WAAS) diversion mechanism. AVC for IOS XE 3.8 provides statistics before and after the AppNav WAAS service controller (AppNav SC), as well as inspecting and reporting application information on optimized traffic.

Packet Capture—Cisco Embedded Packet Capture (EPC) technology performs packet capture.

Cisco Prime Infrastructure—The Cisco Prime Infrastructure management and reporting system is an integral part of the Cisco AVC solution and provides extensive management and reporting features, including provisioning the system, storing exported data, and generating reports.

IPv6 Support—The Cisco AVC solution supports both IPv4 and IPv6.

AVC Architecture

The following Cisco AVC components are described in this section:

NBAR2

Metric Mediation Agent

Metric Providers

Flexible NetFlow

QoS

Embedded Packet Capture

Common Flow Table

Cisco Management and Reporting System: Cisco Prime Infrastructure

Figure 2-2 describes the components in the Cisco AVC architecture.

Figure 2-2 AVC Architecture

NBAR2

Network Based Application Recognition 2 (NBAR2) provides native stateful deep packet inspection (DPI) capabilities. NBAR2 is the next generation of NBAR, enhancing the application recognition engine to support more than 1000 applications.

NBAR2 provides powerful capabilities, including:

Categorizing applications into meaningful terms, such as category, sub-category, application group, and so on. This categorization simplifies report aggregation and control configuration.

Field extraction of data such as HTTP URL, SIP domain, mail server, and so on. The extracted application information can be used for classification or can be exported by IPFIX to the collector for creating reports.

Customized definition of applications, based on ports, payload values, or URL/Host of HTTP traffic.

The set of attributes for each protocol can be customized.

Additional Application Protocol Definitions

With NBAR2 Protocol Packs, new and updated application signatures can be loaded into a router without upgrading the software image. Major protocol packs providing new and updated signatures are released periodically. Minor protocol packs are released between major releases; they provide updates and bug fixes. For information about protocol pack support, visit: http://www.cisco.com/en/US/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html

In addition to the predefined application protocols, you can create customized application definitions based on ports, payload values, or URL/Host of the HTTP traffic. Protocol attributes, such as application categorization, sub-categorization, application group, and so on, can also be customized.

For more information, visit: http://www.cisco.com/go/nbar

Metric Mediation Agent

The Metric Mediation Agent (MMA) is a new infrastructure element developed in the IOS XE 3.8 release to manage, correlate, and aggregate metrics from different metric providers. MMA provides the following functions:

Controls traffic monitoring and filtering policy.

Correlates data from multiple metric providers (see Metric Providers) into the same record.

Aggregates metrics.

Supports history and alert functions. This requires sending the metrics records to the route processor (RP) before exporting them to the management and reporting tools.

Metric Providers

Metric providers collect and calculate metrics and provide them to the Metric Mediation Agent (MMA) for correlation. There are a variety of metric providers: some collect simple, stateless metrics per packet, while other more complex metric providers track states and collect metrics per flow, transforming the metrics at the time of export and making sophisticated calculations. These transformations may require punting of records to the route processor (RP) before the metrics are exported to the management and reporting system.

The MMA compiles multiple metric providers of different types into the same record (see Metric Mediation Agent).

Flexible NetFlow

Netflow/IPFIX is the industry standard for acquiring operational data from IP networks to enable network planning, monitoring traffic analysis, and IP accounting. Flexible NetFlow (FNF) enables customizing traffic analysis parameters according to specific requirements. The AVC solution is compatible with NetFlow v9 (RFC-3954) and IPFIX (RFC-5101).

For more information, visit: http://www.cisco.com/go/fnf

QoS

Cisco Quality of Service (QoS) provides prioritization, shaping, or rate-limiting of traffic. QoS can place designated applications into specific QoS classes/queues. This enables:

Placing high priority, latency-sensitive traffic into a priority queue.

Guaranteeing a minimum bandwidth for an individual application or for a group of applications within a QoS traffic class.

Similarly, QoS can also be used for "policing" or managing non-enterprise, recreational applications such as YouTube and Facebook.

The Cisco AVC solution integrates QoS functionality with NBAR2. QoS can use application information provided by NBAR2 in managing network traffic. The QoS class-map statements enable matching to NBAR2-supported applications and L7 application fields (such as HTTP URL or Host), as well as to NBAR2 attributes. Class-map statements can coexist with all other traditional QoS match attributes, such as IP, subnet, and DSCP.

For more information, visit: http://www.cisco.com/go/qos

Embedded Packet Capture

Embedded Packet Capture (EPC) enables capturing the entire traffic for a given traffic class. The capture is limited only by available memory. The management and reporting system can read packets captured as a packet capture (pcap) file.

For more information, visit: http://www.cisco.com/go/epc

Common Flow Table

The Common Flow Table (CFT) manages L4 connections and enables storing and retrieving states for each flow. Using a common flow table optimizes use of system memory and improves performance by storing and running data for each flow only once. The CFT standardizes flow management across the entire system.

Cisco Management and Reporting System: Cisco Prime Infrastructure

Cisco Prime Infrastructure provides infrastructure lifecycle management and end-to-end visibility of services and applications for improved troubleshooting. It combines the solution lifecycle from design phase to monitor and troubleshooting phase.

For configuration, Cisco Prime Infrastructure has a provisioning GUI and built-in templates for enabling AVC capabilities on network devices.

For monitoring, Cisco Prime Infrastructure leverages the rich information provided by the network infrastructure, such as routers, and provides network administrators with a single tool for monitoring both network and application performance.

Network administrators can use Cisco Prime Infrastructure to drill down from an enterprise-wide network view to an individual user at a site, to proactively monitor and troubleshoot network and application performance problems.

For more information, visit: http://www.cisco.com/go/primeinfrastructure

Interoperability of AVC with other Services

Cisco AVC is interoperable with many router features and services. This section provides additional information about AVC integration with AppNav WAAS, NAT, and VRF.

Interoperability with AppNav WAAS

Interoperability with NAT and VRF

Interoperability with AppNav WAAS

Figure 2-3 shows a typical deployment scenario for Cisco AVC, demonstrating the integration with WAAS and the combination of optimized and pass-through traffic.

Figure 2-3 Typical AVC deployment

Attachment to a WAAS-Enabled Interface

Cisco Wide Area Application Services (WAAS) provides WAN optimization and application acceleration. The Cisco AVC solution operates closely with Cisco WAAS, reporting performance on both optimized and unoptimized traffic.

Figure 2-4 shows two recommended locations for metric collection. The monitoring location on the WAN interface collects metrics for optimized and unoptimized traffic. The monitoring location on the unoptimized virtual interface collects metrics for unoptimized traffic.

Figure 2-4 Recommended WAAS Monitoring Points

Because optimized traffic may be exported twice (pre/post WAAS), a new segment field, servicesWaasSegment, is exported within the record in order to describe the type of traffic at the monitoring location. Table 2-1 describes the segment definitions.

Table 2-1 AppNav "servicesWaasSegment" field values

Value
Description

0

Unknown

1

Client unoptimized

2

Server optimized

4

Client optimized

8

Server unoptimized

16

Pass-through


For pass-through traffic (bypassing WAAS), the servicesWaasPassThroughReason field indicates the reason for pass-through. See "New Exported Fields" for a description of this field.

Application Recognition on Optimized Traffic

The interoperability of Cisco AVC and WAAS enables executing traffic policies and monitoring on optimized traffic, utilizing NBAR2 application recognition.


Note When using WAAS, application L7 fields are only supported on unoptimized traffic. URL records must be attached on the unoptimized AppNav virtual interface.


Reported Input/Output Interfaces

Table 2-2 describes the input/output interface field values used by AppNav when a monitor is attached to the WAN, LAN, or an AppNav virtual interface.

Table 2-2 AppNav Exported Interfaces

Interface
Direction
Input interface value
Output interface value

WAN

Ingress

WAN

LAN

WAN

Egress

LAN

WAN

Optimized VI

Egress

WAN

Optimized VI

Optimized VI

Ingress

Optimized VI

LAN

UnOptimized VI

Ingress

UnOptimized VI

LAN

UnOptimized VI

Egress

LAN

UnOptimized VI

LAN

Egress

WAN

LAN

LAN

Ingress

LAN

WAN


Interoperability with NAT and VRF

When AppNav is enabled, it uses the virtual routing and forwarding (VRF) configuration of the LAN interface although it is installed on the WAN interface. AppNav uses the LAN VRF to divert traffic to WAAS, based on local addresses.

Up to three tuples can be used per flow. Figure 2-5 shows an example. Using more than one tuple can be necessary because of different VRF configurations and/or NAT translation. The NBAR/FNF/AppNav features in the path interact together using the same flow.

Figure 2-5 AppNav interaction in VRF/NAT cases

Major External Interfaces

New Exported Fields

"New Exported Fields" describes Flexible NetFlow (FNF) fields new to the IOS XE 3.8 release.

DPI/L7 Extracted Fields

"DPI/L7 Extracted Fields" describes the deep packet inspection (DPI)/L7 extracted fields.

Fields that Require Records Punt to the Route Processor

"Fields that Require Punt to the Route Processor" describes the media monitoring/metadata metrics that require punt to the route processor (RP).