Cisco Service Control Overview
Revised: February 07, 2014, OL-24150-12
This chapter provides a general overview of the Cisco Service Control solution. It introduces the Cisco service control concept and capabilities.
It also briefly describes the hardware capabilities of the service control engine (SCE) platform and the Cisco-specific applications that together compose the complete Cisco service control solution.
Cisco Service Control Solution
The Cisco service control solution is delivered through a combination of hardware and specific software solutions that address various operational and business-related challenges. Service providers can use the SCE platform to support classification, analysis, and control of Internet and IP traffic.
Service control enables service providers to:
Capitalize on existing infrastructure.
Analyze, charge for, and control IP network traffic at multigigabit wire-line speeds.
Identify and target high-margin content-based services and enable their delivery.
As access and bandwidth have become commodities where prices continually fall and profits disappear, service providers have realized that they must offer value-added services to derive more revenue from the traffic and services running on their networks.
Cisco service control solutions allow the service provider to capture profits from IP services through detailed monitoring, precise, real-time control, and awareness of applications as they are delivered.
Service Control for Broadband Service Providers
Service providers of any access technology (DSL, cable, mobile, and so on) targeting residential and business consumers must find new ways to get maximum leverage from their existing infrastructure, while differentiating their offerings with enhanced IP services.
The Cisco service control application for broadband adds a layer of service intelligence and control to existing networks that can:
Report and analyze network traffic at the subscriber and aggregate levels for capacity planning
Provide customer-intuitive tiered application services and guarantee application service level agreements (SLAs)
Implement different service levels for different types of customers, content, or applications
Identify network abusers who are violating the acceptable use policy (AUP)
Identify and manage peer-to-peer traffic, NNTP (news) traffic, and spam abusers
Enforce the AUP
Integrate Service Control solutions easily with existing network elements and business support systems (BSS) and operational support systems (OSS)
Cisco Service Control Capabilities
The core of the Cisco service control solution is the network hardware device: the service control engine (SCE). The core capabilities of the SCE platform, which support a wide range of applications for delivering service control solutions, include:
Subscriber and application awareness—Application-level drilling into IP traffic for real-time understanding and control of usage and content at the granularity of a specific subscriber.
– Subscriber awareness—The ability to map between IP flows and a specific subscriber to maintain the state of each subscriber transmitting traffic through the SCE platform and to enforce the appropriate policy on this subscriber’s traffic.
Subscriber awareness is achieved either through dedicated integrations with subscriber management repositories, such as a DHCP or a RADIUS server, or through sniffing of RADIUS or DHCP traffic.
– Application awareness—The ability to understand and analyze traffic up to the application protocol layer (Layer 7).
For application protocols implemented using bundled flows (such as FTP, which uses separate control and data flows), the SCE platform understands the bundling relationship between the flows and treats them accordingly.
Application-layer, stateful, real-time traffic control—The ability to perform advanced control functions, including granular bandwidth (BW) metering and shaping, quota management, and redirection, using application-layer, stateful, real-time traffic transaction processing. This requires highly adaptive protocol and application-level intelligence.
Programmability—The ability to quickly add new protocols and adapt to new services and applications in the service provider environment. Programmability is achieved using the Cisco Service Modeling Language (SML).
Programmability allows new services to be deployed quickly and provides an easy upgrade path for network, application, or service growth.
Robust and flexible back-office integration—The ability to integrate with existing third-party systems at the service provider, including provisioning systems, subscriber repositories, billing systems, and OSS systems. The SCE provides a set of open and well-documented APIs that allows a quick integration process.
Scalable high-performance service engines—The ability to perform all of these operations at wire speed.
SCE Platform Description
The SCE family of programmable network devices performs application-layer stateful-flow inspection of IP traffic and controls the traffic based on configurable rules. The SCE platform is a network device that uses ASIC components and reduced instruction set computer (RISC) processors to go beyond packet counting into the contents of network traffic. By providing programmable, stateful inspection of bidirectional traffic flows and mapping these flows to user ownership, SCE platforms provide real-time classification of network use. This classification is the basis of the SCE platform's advanced traffic-control and bandwidth-policing functionality. Where most bandwidth control functionality ends, the SCE platform provides further control and shaping options, including:
Layer 7 stateful wire-speed packet inspection and classification
Robust support for more than 600 protocols and applications, including:
– General—HTTP, HTTPS, FTP, Telnet, Network News Transfer Protocol (NNTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP), Wireless Application Protocol (WAP), and others
– Peer-to-Peer (P2P) file sharing—FastTrack-KazaA, Gnutella, BitTorrent, Winny, Hotline, eDonkey, DirectConnect, Piolet, and others
– P2P VoIP—Skype, Skinny, DingoTel, and others
– Streaming and Multimedia—Real Time Streaming Protocol (RTSP), Session Initiation Protocol (SIP), HTTP streaming, Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP), and others
Programmable system core for flexible reporting and bandwidth control
Transparent network and BSS and OSS integration into existing networks
Subscriber awareness that relates traffic and usage to specific customers
Figure 1-1 illustrates a common deployment of an SCE platform in a network.
Figure 1-1 SCE Platform in the Network
Bandwidth Management of Peer-to-Peer Traffic
The Cisco SCE uses unique signatures to identify the network flows of P2P, IM, and other applications. When defining packages for subscribers, you can create rules for different types of applications, such as P2P and IM, and, if required, associate these rules with separate Bandwidth Controllers (BWCs). With BWC enforcement, you can limit the network flows for all types of applications. There are three types of rules in the Cisco SCE that can be used for bandwidth enforcement at different levels:
• P2P-based BWC
If the Cisco SCE is configured to enforce a BWC based on peer-to-peer traffic, it detects the application by its signature. The SCE then counts the network flows of P2P traffic and calculates the bandwidth accordingly. The consumed bandwidth is the sum of the P2P data and control traffic. Bandwidth limitation takes place according to the enforcement configured in the BWC.
• Discrete BWC
When an application is configured with a discrete BWC, the Cisco SCE does not take the application's flow volume into account when calculating the bandwidth it consumes. That flow volume is accounted to the Default Service instead, and if a rate limit is associated with the Default Service BWC, it is charged against that BWC.
• No BWC
No bandwidth control is enforced on the subscriber, which results in unlimited bandwidth for the subscriber.
Management and Collection
The Cisco service control solution includes a complete management infrastructure that provides the following management components to manage all aspects of the solution:
Service Configuration management
These management interfaces are designed to comply with common management standards and to integrate easily with existing OSS infrastructure (Figure 1-2).
Figure 1-2 Service Control Management Infrastructure
The Cisco service control solution provides complete network Fault, Configuration, Accounting, Performance, Security (FCAPS) Management.
Two interfaces provide network management:
Command-line interface (CLI)—Accessible through the Console port or through a Telnet connection, the CLI is used for configuration and security functions. Because Telnet carries login credentials and commands in cleartext, Telnet access to the CLI should be restricted to a trusted, isolated management network.
SNMP—Provides fault management (through SNMP traps) and performance-monitoring functionality.
Where the Cisco service control application for broadband (SCA BB) enforces policies on different subscribers and tracks usage on an individual subscriber basis, the Cisco service control management suite (SCMS) subscriber manager (SM) may be used as middleware software for bridging between OSS and SCE platforms. Subscriber information is stored in the SM database and can be distributed between multiple platforms according to actual subscriber placement.
The SM provides subscriber awareness by mapping network IDs to subscriber IDs. It can obtain subscriber information using dedicated integration modules that integrate with AAA devices, such as RADIUS or DHCP servers.
Subscriber information may be obtained in one of two ways:
Push Mode—The SM pushes subscriber information to the SCE platform automatically upon logon of a subscriber.
Pull Mode—The SM sends subscriber information to the SCE platform in response to a query from the SCE platform.
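The two modes above, modelled in Python as an added illustration. This is not Cisco SM or SCE code: the page does not show the SM-to-SCE protocol, so the in-memory classes, the default-subscriber fallback for unmapped addresses, and the logoff handling are assumptions of this example. It shows the operational difference that matters for policy enforcement: in push mode the SCE already holds the mapping when the first packet arrives, whereas in pull mode the first flow from an unknown address triggers a query, and any address that cannot be resolved is treated as the default subscriber.

```python
"""Push and pull subscriber-awareness modes (illustrative, not Cisco code)."""
from ipaddress import ip_address

DEFAULT_SUBSCRIBER = "default"   # assumed name for traffic with no mapping


class SubscriberManager:
    """Maps network IDs (here, IP addresses) to subscriber IDs."""

    def __init__(self, push_mode: bool):
        self.push_mode = push_mode
        self.mapping = {}          # ip -> subscriber ID
        self.sces = []             # SCE platforms fed by this SM

    def attach(self, sce):
        self.sces.append(sce)

    def logon(self, ip: str, subscriber: str):
        """Called by the AAA integration (RADIUS/DHCP) on subscriber logon."""
        ip = str(ip_address(ip))
        self.mapping[ip] = subscriber
        if self.push_mode:                   # push mode: SM -> SCE at logon time
            for sce in self.sces:
                sce.install(ip, subscriber)

    def logoff(self, ip: str):
        """Remove the mapping everywhere; a stale entry would misattribute
        the next holder of this address to the previous subscriber."""
        ip = str(ip_address(ip))
        self.mapping.pop(ip, None)
        for sce in self.sces:
            sce.remove(ip)

    def lookup(self, ip: str):
        """Pull mode: answer an SCE query for an address it does not know."""
        return self.mapping.get(str(ip_address(ip)))


class SCE:
    """Minimal subscriber-aware classifier: resolves a flow to a subscriber."""

    def __init__(self, sm: SubscriberManager):
        self.sm = sm
        self.table = {}            # local ip -> subscriber cache
        self.queries = 0           # pull queries sent to the SM
        sm.attach(self)

    def install(self, ip, subscriber):
        self.table[ip] = subscriber

    def remove(self, ip):
        self.table.pop(ip, None)

    def subscriber_for(self, src_ip: str) -> str:
        ip = str(ip_address(src_ip))
        if ip in self.table:
            return self.table[ip]
        if not self.sm.push_mode:            # pull mode: query on cache miss only
            self.queries += 1
            sub = self.sm.lookup(ip)
            if sub is not None:
                self.install(ip, sub)
                return sub
        return DEFAULT_SUBSCRIBER            # unmapped traffic gets the default policy
```

In either mode the address-to-subscriber table is the policy boundary: an address that is missing, or left behind after a logoff, silently receives the default package, so logoff events need to reach the SCE as reliably as logons do.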
Service Configuration Management
Service configuration management is the ability to configure the general service definitions of a service control application. A service configuration file containing settings for traffic classification, accounting and reporting, and control is created and applied to an SCE platform. The SCA BB application provides tools to automate the distribution of these configuration files to SCE platforms. This standards-based approach makes it easy to manage multiple devices in a large network.
Service Control provides a GUI to edit and create these files and a complete set of APIs to automate their creation.
Data collection occurs as follows:
1. All analysis and data processing functions of the SCE platform result in the generation of Raw Data Records (RDRs), which the SCE platform forwards using a simple TCP-based protocol (RDR-Protocol).
2. RDRs are processed by the Cisco service control management suite collection manager.
3. The collection manager software is an implementation of a collection system that receives RDRs from one or more SCE platforms. It collects these records and processes them in one of its adapters. Each adapter performs a specific action on the RDR.
RDRs contain a variety of information and statistics, depending on the configuration of the system. Three main categories of RDRs include:
Transaction RDRs—Records generated for each transaction, where a transaction is a single event detected in network traffic. The identification of a transaction depends on the particular application and protocol.
Subscriber Usage RDRs—Records generated per subscriber, describing the traffic generated by that subscriber for a defined interval.
Link RDRs—Records generated per link, describing the traffic carried over the link for a defined interval.
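The collection path described above (SCE emits RDRs over TCP, the collection manager receives them and hands each record to an adapter), as an added Python illustration. This is not the Cisco RDR-Protocol or the collection manager software: the page states only that the protocol is a simple TCP-based one, so the 4-byte length prefix, the JSON record bodies, the field names and the adapter behaviour are assumptions of this example, and the sample records are constructed. A socketpair stands in for the SCE-to-collector TCP connection so that the example runs offline.

```python
"""RDR collection over TCP with per-type adapters (illustrative, not Cisco code)."""
import json
import socket
import struct

HEADER = struct.Struct("!I")   # assumed framing: big-endian length, then body
MAX_RDR = 64 * 1024            # bound the length before trusting it (DoS guard)

# Constructed sample RDRs: the three categories named above plus an unknown type.
SAMPLE_RDRS = [
    {"type": "transaction", "subscriber": "alice", "service": "p2p", "bytes": 1500},
    {"type": "transaction", "subscriber": "alice", "service": "web", "bytes": 700},
    {"type": "transaction", "subscriber": "bob", "service": "p2p", "bytes": 4000},
    {"type": "subscriber_usage", "subscriber": "alice", "interval_s": 60, "bytes": 2200},
    {"type": "link", "link": "uplink0", "interval_s": 60, "bytes": 6200},
    {"type": "vendor_x", "payload": "not understood by this collector"},
]


def send_rdrs(sock, rdrs):
    """SCE side: frame each RDR as length prefix + JSON body."""
    for rdr in rdrs:
        body = json.dumps(rdr).encode()
        sock.sendall(HEADER.pack(len(body)) + body)


def _recv_exact(sock, n):
    """Read exactly n bytes, or return None if the peer closed first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def recv_rdrs(sock):
    """Collector side: yield decoded RDRs until the peer closes."""
    while True:
        hdr = _recv_exact(sock, HEADER.size)
        if hdr is None:
            return
        (length,) = HEADER.unpack(hdr)
        if length > MAX_RDR:
            raise ValueError("RDR frame larger than MAX_RDR; refusing to allocate")
        body = _recv_exact(sock, length)
        if body is None:
            return
        yield json.loads(body)


class CollectionManager:
    """Routes every RDR to the adapter registered for its type."""

    def __init__(self):
        self.adapters = {}
        self.unhandled = 0

    def register(self, rdr_type, adapter):
        self.adapters[rdr_type] = adapter

    def process(self, rdr):
        adapter = self.adapters.get(rdr.get("type"))
        if adapter is None:
            self.unhandled += 1      # unknown type: count it, keep collecting
            return
        adapter(rdr)


def collect(rdrs=SAMPLE_RDRS):
    """Run both ends over a socketpair; return what the adapters built."""
    by_service, by_subscriber, by_link = {}, {}, {}

    def add(table, key, rdr):
        table[key] = table.get(key, 0) + rdr["bytes"]

    cm = CollectionManager()
    cm.register("transaction", lambda r: add(by_service, (r["subscriber"], r["service"]), r))
    cm.register("subscriber_usage", lambda r: add(by_subscriber, r["subscriber"], r))
    cm.register("link", lambda r: add(by_link, r["link"], r))

    sce_end, cm_end = socket.socketpair()
    try:
        send_rdrs(sce_end, rdrs)
        sce_end.close()               # SCE done: collector sees EOF after the last frame
        for rdr in recv_rdrs(cm_end):
            cm.process(rdr)
    finally:
        cm_end.close()
    return {"by_service": by_service, "by_subscriber": by_subscriber,
            "by_link": by_link, "unhandled": cm.unhandled}
```

Two details carry over to any real collector: the length field is attacker-influenced input and must be bounded before a buffer is allocated for it, and a record type the collector does not recognise should be counted rather than allowed to stop the feed, since a silent gap in usage records is itself a security and billing problem.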
From Cisco SCOS Release 3.7.5, software-based support for IPv6 traffic is available on Cisco SCE 8000 devices. The features that are available for IPv4, such as traffic processing, application classification, and management APIs (except the subscriber integration features), are available for IPv6.
Note IPv6 works only in the subscriberless mode.
You can configure IPv6 on a Service Control Manager (SCM) at the traffic processor card level. However, you cannot configure IPv6 on individual traffic processors. When configured, a traffic processor can process either IPv4 traffic or IPv6 traffic, but not both.
The following IPv4 and IPv6 assignment options are available:
Single SCM—IPv4 only or IPv6 only
Single SCM—(Split by traffic processor cards) Six IPv4 traffic processors and six IPv6 traffic processors
Dual SCM—IPv4 only or IPv6 only
Dual SCM—(Split by traffic processor cards) On each SCM, one traffic processor card for IPv4 and one for IPv6
Dual SCM—One traffic processor card for IPv6, and three for IPv4
Dual SCM—Three traffic processor cards for IPv6 and one for IPv4
If all the traffic processor cards are configured to handle IPv6 traffic, IPv4 traffic is bypassed.
The following limitations are applicable to the IPv6 features on Cisco SCE Release 3.7.5:
IPv6 addresses or connectivity in the management interfaces are not supported.
IPv6 supports only the default subscriber and works only in subscriberless mode. All traffic is classified to the default subscriber (defined by the PQB file), with a default package.
Tunneling—The L2TP, GRE, GTP, MPLS, and MPLS-VPN tunnels are not supported. Redirection and blocking are not supported for the 6to4, 6rd, and DS-Lite tunnels.
Flow filter limitations:
– For TCP flags, the PSH and URG fields are not considered, but SYN, ACK, RST, and FIN are considered.
– Range options are not provided for the subscriber-side and network-side IP addresses; instead, a prefix length is used.
– Inverse support is not provided for any of the fields.
Value-Added Services (VAS) are not supported.
Service classification and global bandwidth control are applicable for both IPv4 and IPv6. For example, there is only one browsing service for both IPv6 and IPv4 browsing traffic. Allocating the global bandwidth controller to a certain service limits the IPv6 and IPv4 traffic within that service.
The Services over IPv6 are classified under the same service IDs as the corresponding services over IPv4.
IPv6-fragmented packets are not supported. This also applies to IPv6 tunnels in which classification of internal and external fragmentation is not supported.
Flow capture is not supported for IPv6.
Note By default, IPv6 support is disabled. You must configure the IPv6 environment to use the features. For details on configuring the IPv6 environment, see the “Configuring the IPv6 Environment” section.
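A flow-filter matcher that reproduces the IPv6 flow filter limitations listed above, as an added Python illustration. This is not SCE code or SCE CLI syntax: the rule structure is an assumption chosen to mirror the documented constraints, namely that subscriber-side and network-side addresses are matched by prefix rather than by range, that there is no inverse (negated) match, and that TCP flag tests consider only SYN, ACK, RST and FIN, so PSH and URG are masked off before comparison. The rules_for_range() helper shows the practical workaround for the missing range option: summarise the range into prefixes and emit one rule per prefix.

```python
"""IPv6 flow-filter matching under the listed limitations (illustrative, not SCE code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import Optional

# Header bit values of the flags the filter evaluates. PSH (0x08) and
# URG (0x20) are intentionally absent: the filter does not consider them.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "ACK": 0x10}
CONSIDERED_MASK = sum(TCP_FLAGS.values())   # 0x17


@dataclass
class FlowFilterRule:
    subscriber_side: str                  # prefix such as "2001:db8:1::/48"
    network_side: str                     # prefix such as "2001:db8:ffff::/48"
    protocol: Optional[int] = None        # 6 = TCP, 17 = UDP, None = any
    dst_port: Optional[int] = None
    tcp_flags: Optional[dict] = None      # e.g. {"SYN": True, "ACK": False}
    action: str = "bypass"                # assumed action name

    def __post_init__(self):
        self.sub_net = ip_network(self.subscriber_side, strict=False)
        self.net_net = ip_network(self.network_side, strict=False)
        for name in self.tcp_flags or {}:
            if name not in TCP_FLAGS:
                raise ValueError(f"flag {name} is not evaluated by the IPv6 flow filter")

    def matches(self, src, dst, protocol, dport, flags=0):
        """Positive match only: there is no field meaning 'not this prefix'."""
        if ip_address(src) not in self.sub_net or ip_address(dst) not in self.net_net:
            return False
        if self.protocol is not None and protocol != self.protocol:
            return False
        if self.dst_port is not None and dport != self.dst_port:
            return False
        if self.tcp_flags:
            if protocol != 6:
                return False
            effective = flags & CONSIDERED_MASK   # drop PSH/URG before comparing
            for name, wanted in self.tcp_flags.items():
                if bool(effective & TCP_FLAGS[name]) != wanted:
                    return False
        return True


def rules_for_range(first, last, network_side, **kwargs):
    """Expand a subscriber-side address range into one prefix-based rule per prefix."""
    return [FlowFilterRule(str(net), network_side, **kwargs)
            for net in summarize_address_range(ip_address(first), ip_address(last))]


def first_match(rules, **pkt):
    """Return the action of the first matching rule, or None if nothing matches."""
    for rule in rules:
        if rule.matches(**pkt):
            return rule.action
    return None
```

Because PSH and URG are discarded before the comparison, a rule written for a bare SYN also matches a SYN carrying either of those bits; anything that must distinguish on them has to be done elsewhere. Likewise, a range that does not align to a prefix boundary expands into several rules, which is worth checking before assuming one rule covers it.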