Table of Contents
1. Introduction
2. Convergence of applications on the network
3. Plain old switching is not enough any more
4. What is Multilayer Traffic Classification?
5. The Matrix E7, N3 and N7 with NetSight Atlas Policy Manager
6. Applications for Multilayer Packet Classification
6.1 Quality of Service for Business-Critical Applications
6.1.1 Application Prioritization
6.1.2 Application Rate Limiting
6.2 Network Security
6.2.1 Application Containment
6.2.2 Application Filtering
6.2.3 Network Security
6.3 Voice and Data Convergence
7. Conclusion
1. Introduction
IT is a fast-evolving environment. New business applications, frameworks and solutions are emerging every day, making the IT environment more and more mission-critical along the way. It is not enough to understand the complexities of new technologies and how they work. IT organizations must know how to build and manage suitable infrastructures to support them, and integrate them with the vast collection of existing technologies so that the anticipated business solutions can be leveraged. This is quite a challenge for IT organizations today. With technologies like wireless for user mobility, Instant Messenger and video/voice real-time collaboration tools, and new-age data storage, IT architects have to carefully plan and deploy the infrastructure and supporting systems that will enable companies to maximize these critical solutions. More and more, IT organizations will be looking for tools and architectures that enable them to deploy and manage systems that are directly related to delivering the business benefits found in these advanced technologies. As an IT administrator, would you feel comfortable if 50% of your company's employee base discovered the benefits of real-time voice and video collaboration through the use of an Instant Messenger application that came with the operating system you were deploying? Most IT administrators would not feel confident that their network architecture and support systems were capable of delivering this widespread service in a user-acceptable manner. So what can we do to better prepare networks for the evolution of technology? We can find solutions that allow the technology to be properly aligned with the business.
Figure 1 below shows today's enterprise applications and their requirements in terms of bandwidth and latency on the network. This highlights the need for differentiated application support on the network.

Figure 1

Application                                           Bandwidth requirement   Latency sensitivity
Video Conferencing                                    High                    High
File Transfer, CAD, Desktop Publishing, IP Storage    High                    Low
Instant Messaging                                     Low                     Moderate
Voice over IP                                         Low-Moderate            High
E-mail, Web                                           Low-Moderate            Low
Thin Clients                                          Low-Moderate            Moderate
ERP, CRM                                              Moderate                Moderate
Video Streaming                                       Moderate-High           High
The concept of Quality of Service (QoS) was introduced to support latency-sensitive applications. The demand for QoS to fulfill the need for tight control over latency and throughput in a mixed application environment is undeniable. QoS refers to a set of mechanisms for guaranteeing levels of bandwidth, maximum latency limits and controlled inter-packet timing. A true QoS strategy strives to meet the needs of all traffic flows in the network by providing wire-speed bandwidth and low latency to all applications. However, when output links on a switch are overloaded and internal buffers are filled, QoS is required to prioritize traffic by creating rules or policies that stipulate priority. Policy-based QoS gives network managers control over latency and throughput so that the demands of high-priority traffic can be met. For example, video streaming can be serviced first to ensure minimal latency, then ERP traffic can be serviced because it is critical for the enterprise business, and finally e-mail can be serviced because it is considered less important. Another area to consider is where in the network Quality of Service should be implemented: at the backbone level, or at the edge level? After many discussions and disagreements between network equipment vendors, the final outcome is that QoS is required everywhere. At the core layer, static aggregation QoS rules are important to specify that, from an overall company business point of view, ERP traffic is more important than Web surfing, for example. At the edge layer, at the closest possible point to the user, we need flexible, dynamic QoS rules. After all, how useful is it to prioritize ERP traffic for a user who doesn't use this type of application? Users need priority on the applications that are critical for them, to fulfill the mission of their position in the enterprise. And what about security?
Since the non-event of Y2K, enterprises have realized the importance of securing their intellectual property from resource misuse or intentional attacks. Traditionally, security was handled in routers through security filters and Access Control Lists. Although this provides a reasonable level of security, it is surely not enough: it is core security only. How do you prevent users from misusing resources? If only core security is activated, it does not prevent forbidden applications from entering the network. Those applications not only put intellectual property in jeopardy; unneeded, bandwidth-greedy applications can also saturate the network. Enterasys focuses not only on QoS to expedite the various business applications but also on security. We believe the network should understand that the application is present and that the application is allowed to exist, in an efficient manner. We can also prevent applications from entering the network, and we can restrict the use of certain applications to certain users or classes of users. To summarize, given the obvious need to provide QoS and security, it is important to carefully consider the right switching platforms and associated network management systems to make sure business-critical applications are serviced optimally.
[Figure (labels recovered from the original graphic): the multilayer traffic classification model. Roles: port-based (port, groups) or user-based (user). Inspection: Layer 2; Layer 3 (IP address, IP protocol such as TCP or UDP, ToS); Layer 4 (TCP/UDP port, e.g. HTTP, SAP). Actions: permit, contain, Class of Service.]
The process of traffic classification is made up of three distinct steps: roles definition, inspection and action.
Roles Definition
The first step is to define where a traffic classification rule needs to be applied. A rule can be port-based or user-based; the choice depends on whether user-authentication functionality is implemented. For port-based multilayer traffic classification, it is possible to choose one port, several ports or entire switches on which to apply the classification rule. Using network-based authentication (IEEE 802.1X, MAC-based authentication or Web-based authentication), it is possible to identify a user or a group of users who will be the target of the classification rule. Such a solution is called policy-based management and is delivered by Enterasys Networks within the User Personalized Networking (UPN) architecture.
Frame Inspection
The second step is the frame inspection. The goal is to identify traffic based upon the frame's Data Link, Network or Transport Layer information (Layers 2, 3 and 4, respectively, in the OSI model, shown in Figure 3 below). Although the Distributed Forwarding Engines make classification decisions based on Layers 2-4, their forwarding mechanism is still that of a Layer 2 store-and-forward device (a bridge or switch) or a Layer 3 router.
Figure 3: The OSI Model (layers 7 through 1)

At Layer 2, an administrator can classify frames based on MAC addresses (physical address) or the Ethertype field, which defines the Layer 3 protocol, e.g., IP, IPX, AppleTalk, etc. At Layer 3, an administrator can classify based on specific information contained within the Layer 3 header of an IP or IPX frame. For IP frames, it is possible to look at IP Type of Service (ToS) information used for DiffServ Quality of Service. The IP Protocol Type defines the Layer 4 protocol that is used (e.g., TCP, UDP, ICMP, etc.). And of course, it is possible to classify based on IP addresses and subnets. IPX frames can be classified based on IPX Class of Service, Packet Type, Network and Socket Numbers. At Layer 4, an administrator can classify IP frames based on the specific Layer 4 TCP or UDP port numbers. Those Layer 4 port numbers give information on the application transported in the frame (e.g., Web, e-mail, SNMP, etc.).
Action
Once the traffic has been defined in the classification rule, the network administrator creates a set of actions to be taken by the Distributed Forwarding Engines each time a frame matching the rule is recognized.

On the security side, it is possible to create access-control types of actions. The administrator can choose to have this specific traffic forwarded or discarded by the switch. This provides the ability to filter unwanted traffic, including traffic to specific servers or application traffic such as Web traffic (HTTP) or network management traffic (SNMP). Only business-critical or authorized applications will be transmitted over the network. It is also possible to increase the overall security of the infrastructure by preventing hacking of active equipment, routers or switches.

To increase the overall availability and security of the network infrastructure, it is possible to group users of a given protocol or application together logically and control the flow of their traffic on the network. Network administrators can then make sure that no protocol or application will overload the network. This mechanism is referred to as containment, and is based on VLAN (Virtual LAN, IEEE 802.1Q) technology.

On the QoS side, it is possible to assign a Class of Service to any type of application. Those priority levels determine which applications should be serviced first, based on business requirements. It is also possible to use the rate-limiting functionality on applications. The DFE modules can limit the rate at which traffic enters network ports. Rate limiting can be combined with Layer 3/4 prioritization to construct a committed information rate (CIR) that guarantees the delivery of critical traffic through the enterprise network.

In summary, advanced multilayer switching protects business-critical applications by ensuring optimal delivery of those applications through QoS mechanisms. The security features protect the business applications by containing, limiting or even forbidding non-critical applications. Traffic classification brings a great level of control over your network architecture at the closest possible point to users. Enterasys Networks can offer a network infrastructure that is capable of recognizing and specially handling any application. The quality and consistency of the user experience can be improved by activating those features in the DFE modules.
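To make the three steps concrete, the following is an added example (not Enterasys code, and not the syntax of NetSight Atlas Policy Manager or the DFE modules) that models a rule as role, inspection criteria and action, and applies a small first-match policy to constructed frames. Port names, addresses, VLAN numbers and the policy itself are assumptions chosen to exercise each action named above: discard, contain and Class of Service.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

# Model of the three-step process (role, inspection, action). All port names,
# addresses, VLAN numbers and rules below are constructed for this example;
# they are not product syntax or defaults.

@dataclass
class Frame:
    port: str                        # ingress port (constructed naming)
    user: Optional[str]              # authenticated identity, None if unauthenticated
    src_mac: str
    ethertype: int                   # 0x0800 = IP, 0x8137 = IPX
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    ip_proto: Optional[int] = None   # 6 = TCP, 17 = UDP, 1 = ICMP
    dst_port: Optional[int] = None   # TCP/UDP destination port

@dataclass
class Rule:
    name: str
    # Step 1, role: which ports or which authenticated users the rule applies to.
    ports: Optional[Set[str]] = None
    users: Optional[Set[str]] = None
    # Step 2, inspection: Layer 2/3/4 criteria; None means "don't care".
    ethertype: Optional[int] = None
    src_mac: Optional[str] = None
    dst_net: Optional[str] = None
    ip_proto: Optional[int] = None
    dst_port: Optional[int] = None
    # Step 3, action.
    action: str = "permit"           # permit | discard | contain
    vlan: Optional[int] = None       # target VLAN when action is "contain"
    cos: Optional[int] = None        # 802.1p priority 0-7 to tag; None = leave as is

def role_matches(rule: Rule, frame: Frame) -> bool:
    if rule.ports is not None and frame.port not in rule.ports:
        return False
    if rule.users is not None and frame.user not in rule.users:
        return False
    return True

def inspection_matches(rule: Rule, frame: Frame) -> bool:
    if rule.ethertype is not None and frame.ethertype != rule.ethertype:
        return False
    if rule.src_mac is not None and frame.src_mac.lower() != rule.src_mac.lower():
        return False
    if rule.dst_net is not None:
        if frame.dst_ip is None or ip_address(frame.dst_ip) not in ip_network(rule.dst_net):
            return False
    if rule.ip_proto is not None and frame.ip_proto != rule.ip_proto:
        return False
    if rule.dst_port is not None and frame.dst_port != rule.dst_port:
        return False
    return True

def classify(rules, frame, default_cos=0):
    """First matching rule decides; an unmatched frame is forwarded with default CoS."""
    for rule in rules:
        if role_matches(rule, frame) and inspection_matches(rule, frame):
            cos = rule.cos if rule.cos is not None else default_cos
            return (rule.action, rule.vlan, cos, rule.name)
    return ("permit", None, default_cos, None)

USER_PORTS = {"ge.1.1", "ge.1.2", "ge.1.3"}      # constructed edge ports

POLICY = [
    # Security: network management traffic (SNMP, UDP 161) is not allowed from user ports.
    Rule("deny-snmp-from-users", ports=USER_PORTS, ip_proto=17, dst_port=161, action="discard"),
    # Containment: IPX is kept in its own VLAN so it cannot load the rest of the network.
    Rule("contain-ipx", ethertype=0x8137, action="contain", vlan=200),
    # QoS: traffic to the ERP server (constructed address) gets the highest priority.
    Rule("erp-priority", dst_net="10.0.0.10/32", action="permit", cos=7),
    # User-based rule: two authenticated users get priority on HTTPS to the CRM subnet.
    Rule("finance-crm", users={"alice", "bob"}, ip_proto=6, dst_port=443,
         dst_net="10.0.1.0/24", action="permit", cos=5),
]

SAMPLE_FRAMES = [  # constructed traffic
    Frame("ge.1.1", None, "00:11:22:33:44:55", 0x0800, "10.1.1.5", "10.0.0.1", 17, 161),
    Frame("ge.1.2", None, "00:11:22:33:44:66", 0x8137),
    Frame("ge.1.3", "carol", "00:11:22:33:44:77", 0x0800, "10.1.1.7", "10.0.0.10", 6, 3200),
    Frame("ge.1.3", "alice", "00:11:22:33:44:88", 0x0800, "10.1.1.8", "10.0.1.20", 6, 443),
    Frame("ge.1.3", "carol", "00:11:22:33:44:77", 0x0800, "10.1.1.7", "10.0.1.20", 6, 443),
]

def run_policy(rules=POLICY, frames=SAMPLE_FRAMES):
    return [classify(rules, f) for f in frames]

if __name__ == "__main__":
    for frame, decision in zip(SAMPLE_FRAMES, run_policy()):
        print(frame.port, frame.user, decision)
```

The last two frames carry identical Layer 3/4 fields and differ only in the authenticated user, which is the point of the user-based role: the same traffic description yields CoS 5 for alice and the default for carol.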
The creation of classification rules is done quickly, using the wizard-based role and policies (services) creation in the NetSight Atlas Policy Manager application. The process is simple, and it takes less than a minute to configure a classification rule:
1. Service Creation
3. Traffic Description (Layer 2, 3 or 4 -> Field -> Classification type -> Field value)
4. Action Definition
Once configured, the classification rules and associated services (or policy containers) can be re-used whenever and wherever needed, as many times as needed. This removes the complexity of configuring QoS and policy rules. Once the above business model is defined in the NetSight Atlas Policy Manager application, network administrators can deploy the policy rule set to the entire network with a single mouse click, significantly reducing deployment time of QoS and security settings. Troubleshooting is also more efficient, as it can be handled from one central location, the policy management application, instead of on several discrete switches. In summary, traffic classification brings a great level of control over your network architecture at the closest possible point to users. Enterasys Networks can offer a network infrastructure that is capable of recognizing and specially handling any application. The quality and consistency of the user experience can be improved by activating those features in the Matrix N-Series switches. Within the User Personalized Networking framework and using the NetSight Atlas Policy Manager application, Enterasys Networks provides an automated, coherent way to configure and operate end-to-end Quality of Service and security throughout the network. The next section provides more details on how Multilayer Packet Classification can be used to treat business-critical applications.
There are two main steps required to accomplish this: configuring the classification rules and configuring the priority-to-transmit-queue mapping for the switch.

Classification Rules
Rule 1 (SAP R/3): All frames to or from the IP address of the SAP R/3 server will be tagged with a priority indicator of 7 (highest).
Rule 2 (Web): All frames with a UDP port number of 80 (HTTP Web) will be tagged with a priority indicator of 5 (medium).
Rule 3 (e-mail): All frames with a UDP port number of 25 (SMTP e-mail) will be tagged with a priority indicator of 3 (low).

Priority Queuing Configuration
Based on the default Matrix priority-to-transmit-queue mapping, the values selected above will work so that each frame classification type is mapped to the desired transmit queue.
Figure 7 (table recovered from the graphic): Classification: SAP (IP header), Layer 3, Source IP; HTTP (UDP header), Layer 4, Source Port; SMTP (UDP header), Layer 4, Source Port.
Result: With the classification rules for the network shown in Figure 7, above, the Matrix N-Series provides advanced Class of Service functionality for individual network applications, but still forwards at Layer 2 (or Layer 3).
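The paper relies on the default Matrix priority-to-transmit-queue mapping but does not list it, so the following added example (not Enterasys code) uses a constructed eight-priority-to-four-queue table and simulates a congested output link that transmits one frame per tick under strict priority. The three priority indicators (7, 5, 3) are the paper's; the arrival pattern and the mapping are assumptions. Running the same arrivals through a single FIFO queue shows what the mapping buys, and a small check confirms the three rules really land in three different queues.

```python
from collections import deque

# Constructed stand-in for the switch's default mapping of 802.1p priority
# (0-7) to four transmit queues (0 = lowest, 3 = highest).
PRIORITY_TO_QUEUE = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}
FIFO_MAPPING = {p: 0 for p in range(8)}   # everything in one queue, for comparison
NUM_QUEUES = 4

# Priority indicators taken from the paper's three classification rules.
RULE_PRIORITY = {"SAP R/3": 7, "HTTP": 5, "SMTP": 3}

# Constructed arrivals at a congested uplink: (tick, application).
ARRIVALS = [
    (0, "SMTP"), (0, "HTTP"), (0, "SAP R/3"), (0, "SMTP"),
    (1, "HTTP"), (1, "SAP R/3"),
    (2, "SMTP"),
]

def queues_are_distinct(mapping, priorities):
    """True when each rule priority maps to its own transmit queue."""
    queues = [mapping[p] for p in priorities]
    return len(set(queues)) == len(queues)

def simulate(arrivals, mapping=PRIORITY_TO_QUEUE):
    """Strict-priority scheduler: each tick, enqueue that tick's arrivals, then
    transmit one frame from the highest non-empty queue.
    Returns (application, latency_in_ticks) in departure order."""
    queues = {q: deque() for q in range(NUM_QUEUES)}
    pending = sorted(arrivals)
    departures = []
    i, t = 0, 0
    while i < len(pending) or any(queues.values()):
        while i < len(pending) and pending[i][0] == t:
            tick, app = pending[i]
            queues[mapping[RULE_PRIORITY[app]]].append((tick, app))
            i += 1
        for q in sorted(queues, reverse=True):
            if queues[q]:
                arrived, app = queues[q].popleft()
                departures.append((app, t - arrived))
                break
        t += 1
    return departures

def max_latency_by_app(departures):
    worst = {}
    for app, latency in departures:
        worst[app] = max(worst.get(app, 0), latency)
    return worst

if __name__ == "__main__":
    print("distinct queues:", queues_are_distinct(PRIORITY_TO_QUEUE, RULE_PRIORITY.values()))
    print("strict priority:", max_latency_by_app(simulate(ARRIVALS)))
    print("single FIFO:    ", max_latency_by_app(simulate(ARRIVALS, FIFO_MAPPING)))
```

With four queues, SAP frames never wait while HTTP and SMTP absorb the congestion; with one FIFO queue, SAP waits as long as the e-mail traffic that arrived before it. The `queues_are_distinct` check is the one worth running against a real mapping before relying on it: if two of the chosen priority values share a transmit queue, the rules are configured but have no scheduling effect relative to each other.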
Figure 8: Rate limiting and prioritization for CIR to guarantee delivery of critical traffic

The end result is that the uplink is not oversubscribed and SAP gets guaranteed high-priority delivery. This functionality increases end-to-end performance and avoids uplink oversubscription.
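The rate-limit-plus-priority combination behind Figure 8 can be shown with a token bucket, which is how a rate limiter on an ingress port is commonly modelled. The following is an added example, not Enterasys code: the rate, bucket depth, frame sizes and the "Others" traffic class are constructed, and the only value taken from the paper is the SAP priority indicator of 7. Critical SAP frames bypass the limiter and are tagged with high priority; everything else is held to the committed rate, so a burst of non-critical traffic cannot oversubscribe the uplink.

```python
# Constructed committed information rate for the non-critical class.
RATE_BYTES_PER_MS = 1000      # 1000 bytes per millisecond = 8 Mbit/s (assumed)
BURST_BYTES = 3000            # bucket depth, two full-size frames (assumed)
CRITICAL_APP = "SAP R/3"      # the paper's critical application
CRITICAL_PRIORITY = 7         # priority indicator from the paper's Rule 1
DEFAULT_PRIORITY = 0          # assumed default for everything else

class TokenBucket:
    """Single-rate token bucket: tokens accrue at `rate` per ms up to `burst`;
    a frame is forwarded only if the bucket holds at least its size in tokens."""
    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = burst      # start full so the first burst is admitted
        self.last_ms = 0

    def allow(self, now_ms, size):
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

def police(frames, bucket=None):
    """frames: (time_ms, application, size_bytes) in arrival order.
    Returns (time_ms, application, verdict, priority) per frame."""
    if bucket is None:
        bucket = TokenBucket(RATE_BYTES_PER_MS, BURST_BYTES)
    results = []
    for t, app, size in frames:
        if app == CRITICAL_APP:
            # Exempt from the limiter and tagged for the high-priority queue.
            results.append((t, app, "forward", CRITICAL_PRIORITY))
        elif bucket.allow(t, size):
            results.append((t, app, "forward", DEFAULT_PRIORITY))
        else:
            results.append((t, app, "drop", DEFAULT_PRIORITY))
    return results

def summarize(results):
    """Count forwarded and dropped frames per application."""
    counts = {}
    for _, app, verdict, _ in results:
        counts[(app, verdict)] = counts.get((app, verdict), 0) + 1
    return counts

# Constructed traffic: a burst of five 1500-byte frames at t=0 (one of them SAP),
# then three more non-critical frames 3 ms later.
FRAMES = [
    (0, "Others", 1500), (0, "SAP R/3", 1500), (0, "Others", 1500),
    (0, "Others", 1500), (0, "Others", 1500),
    (3, "Others", 1500), (3, "Others", 1500), (3, "Others", 1500),
]

if __name__ == "__main__":
    for record in police(FRAMES):
        print(record)
    print(summarize(police(FRAMES)))
```

At t=0 the full bucket admits two non-critical frames and discards the next two; by t=3 the bucket has refilled at the committed rate and admits two more. Over the three milliseconds the non-critical class is held to the burst plus the committed rate (6000 bytes of 10500 offered), while the SAP frame is forwarded regardless of how busy the port is.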
This approach also provides some level of security. For example, in a retail company, administrators may want to separate cash register traffic from all other traffic, so that no one can access cash register traffic in order to steal financial information from the company. As shown in Figure 10, application containment can solve performance issues from the edge to the core of the network and increase the overall security of communications on the network.
Figure 11: Using classification to increase security (labels recovered from the graphic: 192.168.1.2, USERS, SERVERS)
The end result is that any frames from a user trying to hack into the router will be discarded before they reach the router. It is possible to apply the same kind of security for all network elements or to protect specific servers (e.g., the DHCP server). The overall network security is therefore increased.
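The containment rule for cash registers (Figure 10) and the router-protection rule (Figure 11) are both first-match filter decisions, and the part a practitioner most wants is a way to prove the rule set does what was intended before it is pushed to every switch. The following added example (not Enterasys code) evaluates a rule list in order and checks it against a written-down list of expected outcomes. The addresses (192.0.2.x documentation range, 10.20.0.0/24), roles and VLAN number are constructed placeholders, not values from the paper; the router address in Figure 11 is not reused here.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholders for the elements the paper wants protected or contained.
ROUTER_IP = "192.0.2.1/32"        # router management address users must not reach
DHCP_SERVER = "192.0.2.53/32"     # specific server to protect (the paper's DHCP example)
REGISTER_NET = "10.20.0.0/24"     # cash registers, kept in their own VLAN
REGISTER_VLAN = 300

def matches(rule, flow):
    """A rule matches when every criterion it names agrees with the flow.
    Criteria a rule omits are wildcards."""
    for key in ("role", "proto", "dport"):
        if key in rule and rule[key] != flow.get(key):
            return False
    for key in ("src", "dst"):
        if key in rule and ip_address(flow[key]) not in ip_network(rule[key]):
            return False
    return True

def apply_policy(rules, flow):
    """First matching rule decides; an unmatched flow is forwarded normally."""
    for rule in rules:
        if matches(rule, flow):
            return (rule["action"], rule.get("vlan"))
    return ("permit", None)

def verify(rules, expectations):
    """Return every expectation the rule set violates as (flow, expected, got)."""
    violations = []
    for flow, want in expectations:
        got = apply_policy(rules, flow)
        if got != want:
            violations.append((flow, want, got))
    return violations

# Intended behaviour, written down independently of the rules (constructed flows).
EXPECTATIONS = [
    ({"role": "user", "src": "10.1.1.5", "dst": "192.0.2.1", "proto": "tcp", "dport": 23}, ("discard", None)),
    ({"role": "user", "src": "10.1.1.5", "dst": "192.0.2.53", "proto": "udp", "dport": 67}, ("permit", None)),
    ({"role": "user", "src": "10.1.1.5", "dst": "192.0.2.53", "proto": "tcp", "dport": 22}, ("discard", None)),
    ({"role": "admin", "src": "192.0.2.100", "dst": "192.0.2.1", "proto": "tcp", "dport": 22}, ("permit", None)),
    ({"role": "register", "src": "10.20.0.7", "dst": "10.30.0.1", "proto": "tcp", "dport": 8443}, ("contain", REGISTER_VLAN)),
    ({"role": "user", "src": "10.1.1.5", "dst": "10.30.0.9", "proto": "tcp", "dport": 80}, ("permit", None)),
]

GOOD_POLICY = [
    # Figure 11: frames from the user role toward the router are discarded at the edge.
    {"role": "user", "dst": ROUTER_IP, "action": "discard"},
    # The DHCP server stays reachable for DHCP itself, and for nothing else, from users.
    {"role": "user", "dst": DHCP_SERVER, "proto": "udp", "dport": 67, "action": "permit"},
    {"role": "user", "dst": DHCP_SERVER, "action": "discard"},
    # Figure 10: cash register traffic is contained in its own VLAN.
    {"src": REGISTER_NET, "action": "contain", "vlan": REGISTER_VLAN},
]

# Same rules with a broad permit placed first: the protective rules are never reached.
BAD_POLICY = [{"role": "user", "action": "permit"}] + GOOD_POLICY

if __name__ == "__main__":
    print("good policy violations:", verify(GOOD_POLICY, EXPECTATIONS))
    print("bad policy violations: ", verify(BAD_POLICY, EXPECTATIONS))
```

The misordered variant passes every flow from the user role and so reports two violations (the router and the SSH-to-DHCP-server flows), while the intended order reports none. Keeping the expectations list next to the policy turns the "deploy to the whole network with one click" step into something that can be gated on a passing check.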
[Figure (labels recovered from the graphic): IP Phones, 1 Gbps, Users]
The end result is that every employee in the enterprise can make phone calls over the network in a reliable manner. This is mandatory for enterprises that plan to replace their traditional voice systems with telephony over IP.
7. Conclusion
The standards-based Multilayer Frame Classification abilities of the Matrix N-Series with the Distributed Forwarding Engines provide network administrators with a powerful set of utilities that allow more intelligent configuration and management of today's and tomorrow's converged networks. Those functionalities, many previously viewed as optional, become mandatory in enterprise networks where multiple (and ever more) applications co-exist, each of which needs to be serviced differently. NetSight Atlas Policy Manager is the graphical interface that allows quick and easy set-up of those classification rules. By relating those technical rules to the business requirements placed on IT, NetSight Atlas Policy Manager allows automated creation and enforcement of enterprise-wide QoS and security rules throughout the network. Coupled with network-based authentication, NetSight Atlas Policy Manager allows the creation of a User Personalized Network.

For more information on NetSight Atlas Policy Manager: http://www.enterasys.com/netsight
For more information on Enterasys User Personalized Network: http://www.enterasys.com/upn
2003 Enterasys Networks, Inc. All rights reserved. Lit. #9013244-1 12/03