Cisco Performance Routing (PfR) example

Performance Routing (PfR) complements traditional routing technologies by using the intelligence of a Cisco IOS infrastructure to improve application performance and availability. PfR can select the best path for each application based upon advanced criteria such as reachability, delay, loss, jitter, and mean opinion score (MOS).

PfR can also improve application availability by dynamically routing around network problems like black holes and brownouts that traditional IP routing may not detect. In addition, the intelligent load balancing capability of PfR can optimize path selection based on link use or circuit pricing.

Some of the scenarios you could build are described at the links below:

Enterprise Intranet Solutions:

Internet Edge Solutions:

In this example we demonstrate the rerouting of Cisco video IP phone traffic based on jitter criteria.

The setup is as follows:

[Figure: PfR lab example topology (PfrLabexample1)]

We use the IP SLA functions of the router to verify the jitter behaviour of a WAN link between the 3925 and the 2921-1 router.
As soon as the jitter goes above a threshold, the voice/video traffic is rerouted to an alternative link.
(Note that you could still allow all other traffic on the degraded link.)
The following video shows the effect of jitter on the phone and the reaction of PfR (the timing can of course be tuned).
As mentioned in the video, you'll see a change in routing behaviour; as an example we take the output of router 2921-1:
-Sep  3 17:16:19.358: %PFR_MC-5-ROUTE_EVENT: 50% of traffic classes controlled through policy VIDEO_VOICE 10 are NOT INPOLICY (trigger-log-percentage is 30%)
-Sep  3 17:17:19.382: %PFR_MC-5-ROUTE_EVENT: 100% of traffic classes controlled through policy VIDEO_VOICE 10 are INPOLICY (trigger-log-percentage is 30%)
-Sep  3 17:17:49.302: %PFR_MC-6-OOP_ACTIVE_MODE: Relative short term delay measurement is out of policy. Appl Prefix 10.0.63.11/32 N    17 [16384, 65535] [16384, 65535], delay 13, BR 10.0.62.34, i/f Gi0/1relative change 225, prev BR Unknown i/f Unknown
-Sep  3 17:17:49.502: %PFR_MC-6-ROUTE_EVENT_INFO: Appl Prefix 10.0.63.11/32 N    17 [16384, 65535] [16384, 65535]: route changed to BR 10.0.62.34, i/f Gi0/2, due to Jitter criteria. Out of policy reason: delay criteria
<- A route is injected in router 2921-1 for the IP phone .11 (PBR)
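The four syslog lines above are the only record a monitoring system gets of a PfR path change, so it pays to parse them rather than eyeball them. The following is an added example, not code from the original post: a small Python parser for the %PFR_MC messages shown above (ROUTE_EVENT, OOP_ACTIVE_MODE and ROUTE_EVENT_INFO), plus a helper that counts path changes per traffic class so a flapping class stands out. The regular expressions are written against the exact wording on this page; other IOS releases may format these messages differently, so treat them as a starting point.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the four %PFR_MC syslog lines quoted above from router 2921-1.
SAMPLE_LOG = """\
-Sep  3 17:16:19.358: %PFR_MC-5-ROUTE_EVENT: 50% of traffic classes controlled through policy VIDEO_VOICE 10 are NOT INPOLICY (trigger-log-percentage is 30%)
-Sep  3 17:17:19.382: %PFR_MC-5-ROUTE_EVENT: 100% of traffic classes controlled through policy VIDEO_VOICE 10 are INPOLICY (trigger-log-percentage is 30%)
-Sep  3 17:17:49.302: %PFR_MC-6-OOP_ACTIVE_MODE: Relative short term delay measurement is out of policy. Appl Prefix 10.0.63.11/32 N    17 [16384, 65535] [16384, 65535], delay 13, BR 10.0.62.34, i/f Gi0/1relative change 225, prev BR Unknown i/f Unknown
-Sep  3 17:17:49.502: %PFR_MC-6-ROUTE_EVENT_INFO: Appl Prefix 10.0.63.11/32 N    17 [16384, 65535] [16384, 65535]: route changed to BR 10.0.62.34, i/f Gi0/2, due to Jitter criteria. Out of policy reason: delay criteria
"""

# Timestamp header; the optional leading '-', '*' or '.' is the IOS clock-status marker.
HEADER_RE = re.compile(
    r"^[-*.]?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<mnemonic>PFR_MC-\d-[A-Z_]+): (?P<body>.*)$"
)
ROUTE_EVENT_RE = re.compile(
    r"(?P<pct>\d+)% of traffic classes controlled through policy (?P<policy>.+?) "
    r"are (?P<state>NOT INPOLICY|INPOLICY)"
)
ROUTE_EVENT_INFO_RE = re.compile(
    r"Appl Prefix (?P<prefix>\S+) .*: route changed to BR (?P<br>[^,]+), i/f (?P<ifname>[^,]+), "
    r"due to (?P<trigger>.+?) criteria\. Out of policy reason: (?P<oop>.+?) criteria"
)
# On the page the interface name is run together with 'relative change', so the
# interface group is non-greedy and stops where that literal text begins.
OOP_ACTIVE_RE = re.compile(
    r"(?P<measure>.+?) measurement is out of policy\. Appl Prefix (?P<prefix>\S+) .*"
    r"BR (?P<br>[^,]+), i/f (?P<ifname>\S+?)relative change (?P<change>\d+)"
)
DETAIL_RE = {
    "ROUTE_EVENT": ROUTE_EVENT_RE,
    "ROUTE_EVENT_INFO": ROUTE_EVENT_INFO_RE,
    "OOP_ACTIVE_MODE": OOP_ACTIVE_RE,
}


@dataclass
class PfrEvent:
    timestamp: str
    mnemonic: str          # e.g. PFR_MC-6-ROUTE_EVENT_INFO
    severity: int          # the digit in the mnemonic (5 = notice, 6 = informational)
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def kind(self) -> str:
        """The part of the mnemonic after the severity, e.g. ROUTE_EVENT_INFO."""
        return self.mnemonic.split("-", 2)[2]


def parse_line(line: str) -> Optional[PfrEvent]:
    """Parse one syslog line; returns None for lines that are not %PFR_MC messages."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    mnemonic = m["mnemonic"]
    event = PfrEvent(m["ts"], mnemonic, int(mnemonic.split("-")[1]))
    detail_re = DETAIL_RE.get(event.kind)
    detail = detail_re.search(m["body"]) if detail_re else None
    if detail:
        event.fields = detail.groupdict()
    return event


def reroutes(log_text: str) -> List[Dict[str, str]]:
    """One record per path change: which traffic class moved to which exit, and why."""
    records = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event.kind == "ROUTE_EVENT_INFO" and event.fields:
            records.append({
                "time": event.timestamp,
                "prefix": event.fields["prefix"],
                "border": event.fields["br"],
                "interface": event.fields["ifname"],
                "trigger": event.fields["trigger"],
                "oop_reason": event.fields["oop"],
            })
    return records


def reroute_counts(log_text: str) -> Dict[str, int]:
    """Path changes per traffic class; many changes in a short window mean the class is flapping."""
    counts: Dict[str, int] = {}
    for rec in reroutes(log_text):
        counts[rec["prefix"]] = counts.get(rec["prefix"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in reroutes(SAMPLE_LOG):
        print(f"{rec['time']}: {rec['prefix']} -> BR {rec['border']} {rec['interface']} "
              f"(trigger {rec['trigger']}, out-of-policy reason {rec['oop_reason']})")
```

Feeding a router's syslog export through `reroutes()` gives you an audit trail of every PBR route PfR injected, and `reroute_counts()` over a time window is a cheap flap detector; note that the page's own example reports the trigger as jitter while the out-of-policy reason is delay, which is exactly why both fields are kept.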
Below you can find the key commands to configure the above setup, and some show commands to illustrate it.

For additional examples do have a look at:

Cisco 3925 ISRG2:

!
key chain key1    
<- For secure communication between master & border
 key 1
  key-string cisco
!
pfr master
 policy-rules VIDEO_VOICE
<- Defined specific rules for a specific application
 logging
 !
 border 10.0.62.13 key-chain key1
  interface GigabitEthernet0/0 external
   link-group primary
<- Definition of the link- group, could be any name, linked to the pfr maps
  interface GigabitEthernet0/1.63 internal
 !
 border 10.0.62.17 key-chain key1
  interface GigabitEthernet0/0 external
   link-group secondary
  interface GigabitEthernet0/1.63 internal
 !
 no learn                                                                  
<- Learning disabled
 !
!
pfr border
 local Loopback1
 master 10.0.62.13 key-chain key1
 active-probe address source interface Loopback1
!
!
!
interface Loopback1
 ip address 10.0.62.13 255.255.255.252
!
interface GigabitEthernet0/0
 ip address 10.0.61.2 255.255.255.240
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.63
 encapsulation dot1Q 63
 ip address 10.0.63.3 255.255.255.0
 standby 1 ip 10.0.63.1
 standby 1 priority 150
 standby 1 preempt
!
!
interface GigabitEthernet1/0
 ip address 10.0.62.45 255.255.255.252
!
!
router eigrp 1
 network 10.0.61.0 0.0.0.15
….
!
router bgp 65002
 bgp log-neighbor-changes
 neighbor 192.168.0.2 remote-as 65001
 !
 address-family ipv4
  network 10.0.63.0 mask 255.255.255.0
  neighbor 192.168.0.2 activate
 exit-address-family
!
!
ip access-list extended VOICE_VIDEO_ACCESS_LIST
 permit udp any range 16384 65535 host 10.0.6.155 range 16384 65535
 permit udp any range 16384 65535 host 10.0.6.158 range 16384 65535
!
ip sla auto discovery
ip sla responder     
<- IP SLA responder as well , to respond to probes of 2921-1
ip sla enable reaction-alerts
!
!
!
pfr-map VIDEO_VOICE 10
 match traffic-class access-list VOICE_VIDEO_ACCESS_LIST
<- Match Voice & Video traffic
 set mode monitor fast
<- Fast failover chosen
 set resolve jitter priority 1 variance 5
 set resolve delay priority 2 variance 50
 set resolve loss priority 3 variance 50
 set jitter threshold 100
 set active-probe jitter 10.0.62.34 target-port 3050
<- Active Jitter Probe
 set probe frequency 5
 set link-group primary fallback secondary
<- link group fallback (primary and secondary can be any name)
!
control-plane
!
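The pfr-map above configures a jitter threshold of 100 ms, three resolvers (jitter priority 1 variance 5, delay priority 2 variance 50, loss priority 3 variance 50) and a primary link group with a secondary fallback. To make the resolver semantics concrete, here is an added example (not Cisco's code and not from the original post) that models how such a policy picks an exit: out-of-policy exits are eliminated, the primary link group is tried before the fallback, and within a group each resolver keeps only the exits whose metric is within its variance of the best value before handing the remaining tie to the next resolver. The data structures and the border/interface names are this example's own; real PfR also applies relative delay/loss thresholds, holddown and backoff timers, which are deliberately left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Exit:
    border: str
    ifname: str
    link_group: str
    jitter_ms: float
    delay_ms: float
    loss_pct: float


# Policy values taken from the pfr-map VIDEO_VOICE 10 above; the dict layout is this example's.
POLICY = {
    "jitter_threshold_ms": 100.0,
    # (metric, variance in percent) in resolver priority order
    "resolvers": [("jitter_ms", 5), ("delay_ms", 50), ("loss_pct", 50)],
    "primary": "primary",
    "fallback": "secondary",
}


def in_policy(e: Exit, policy: Dict) -> bool:
    """Only the absolute jitter threshold from the pfr-map is modelled here."""
    return e.jitter_ms <= policy["jitter_threshold_ms"]


def resolve(exits: List[Exit], policy: Dict,
            current: Optional[Exit] = None) -> Tuple[Optional[Exit], List[str]]:
    """Pick an exit: primary link group first, the fallback group only when no primary exit is in policy.

    Within a group, resolvers run in priority order; exits whose metric is within
    `variance` percent of the best value are treated as equal and passed to the next resolver.
    If every resolver leaves a tie, the current exit is kept to avoid a needless move.
    Returns the chosen exit (None when every exit is out of policy) and a decision log.
    """
    log: List[str] = []
    for group in (policy["primary"], policy["fallback"]):
        candidates = []
        for e in exits:
            if e.link_group != group:
                continue
            if in_policy(e, policy):
                candidates.append(e)
            else:
                log.append(f"{e.border} {e.ifname}: Eliminated, jitter {e.jitter_ms} ms over threshold")
        if not candidates:
            log.append(f"link-group {group}: no in-policy exit")
            continue
        for metric, variance in policy["resolvers"]:
            if len(candidates) == 1:
                break
            best = min(getattr(e, metric) for e in candidates)
            limit = best * (1 + variance / 100.0)
            candidates = [e for e in candidates if getattr(e, metric) <= limit]
            log.append(f"resolver {metric}: best {best}, {len(candidates)} exit(s) within {variance}%")
        chosen = current if current in candidates else candidates[0]
        log.append(f"{chosen.border} {chosen.ifname}: Best Exit (link-group {group})")
        return chosen, log
    return None, log


if __name__ == "__main__":
    # Constructed measurements for the two exits the 3925 master controls.
    primary = Exit("10.0.62.13", "Gi0/0", "primary", jitter_ms=2, delay_ms=20, loss_pct=0)
    secondary = Exit("10.0.62.17", "Gi0/0", "secondary", jitter_ms=3, delay_ms=25, loss_pct=0)
    degraded = Exit("10.0.62.13", "Gi0/0", "primary", jitter_ms=130, delay_ms=20, loss_pct=0)
    for label, exits in (("before", [primary, secondary]), ("jitter on primary", [degraded, secondary])):
        chosen, log = resolve(exits, POLICY, current=primary)
        print(label, "->", chosen and f"{chosen.border} {chosen.ifname}")
        for entry in log:
            print("   ", entry)
```

The second run reproduces the "Last Resolver Decision" table seen later on this page: the primary exit on 10.0.62.13 is eliminated on jitter and 10.0.62.17 becomes the best exit. The variance is what stops the policy from flapping between two nearly equal links: with `variance 5`, a 10 ms and a 10.4 ms jitter measurement count as a tie and the delay resolver decides instead.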

The 2921-2 Border Router

….
key chain key1
 key 1
  key-string cisco
!
!
!
pfr border
 local Loopback1
 master 10.0.62.13 key-chain key1
 active-probe address source interface Loopback1
<- Used loopback as source for the Jitter probe packets
!
interface Loopback1
 ip address 10.0.62.17 255.255.255.252
!
!
interface GigabitEthernet0/0
 description WAN interface
 ip address 10.0.62.6 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.63
 encapsulation dot1Q 63
 ip address 10.0.63.2 255.255.255.0
 standby 1 ip 10.0.63.1
 standby 1 preempt
!
router eigrp 1
 network 10.0.62.4 0.0.0.3

We run a show command on the Master Controller before the jitter change:
3925#  sho pfr master
OER state: ENABLED and ACTIVE
  Conn Status: SUCCESS, PORT: 3949
  Version: 3.3
  Number of Border routers: 2
<- Master controls 2 border routers
  Number of Exits: 2
  Number of monitored prefixes: 4 (max 5000)
  Max prefixes: total 5000 learn 2500
  Prefix count: total 4, learn 0, cfg 4
  PBR Requirements met
  Nbar Status: Inactive
Border           Status                UP/DOWN             AuthFail  Version  DOWN Reason           <- Both Border routers are active
10.0.62.17       ACTIVE                UP       1w5d          0  3.3
10.0.62.13       ACTIVE                UP       1w5d          0  3.3
….
Default Policy Settings:
  backoff 90 900 90
  delay relative 50
  holddown 90
  periodic 90
  probe frequency 56
  number of jitter probe packets 100
  mode route control
  mode monitor both
  loss relative 10
  jitter threshold 1000
  mos threshold 3.60 percent 30
  unreachable relative 50
  trigger-log percentage 30
Learn Settings:
  current state : DISABLED
<-  We disabled learning in this example, going for fast failover
….
We now look at the traffic classes that are defined. Since we disabled learning and configured only one application prefix (voice/video), only two traffic classes exist.
One could use NetFlow or NBAR2 to profile traffic instead.
c3925H#sho pfr master traffic-class
OER Prefix Statistics:
 Pas – Passive, Act – Active, S – Short term, L – Long term, Dly – Delay (ms),
 P – Percentage below threshold, Jit – Jitter (ms),
 MOS – Mean Opinion Score
 Los – Packet Loss (percent/10000), Un – Unreachable (flows-per-million),
 E – Egress, I – Ingress, Bw – Bandwidth (kbps), N – Not applicable
 U – unknown, * – uncontrolled, + – control more specific, @ – active probe all
 # – Prefix monitor mode is Special, & – Blackholed Prefix
 % – Force Next-Hop, ^ – Prefix is denied
DstPrefix           Appl_ID Dscp Prot     SrcPort     DstPort SrcPrefix
           Flags             State     Time            CurrBR  CurrI/F Protocol
         PasSDly  PasLDly   PasSUn   PasLUn  PasSLos  PasLLos      EBw      IBw
         ActSDly  ActLDly   ActSUn   ActLUn  ActSJit  ActPMOS  ActSLos  ActLLos
——————————————————————————–
10.0.6.155/32             N    N  udp 16384-65535 16384-65535 0.0.0.0/0
                          INPOLICY       @6        10.0.62.13 Gi0/0           PBR
               U        U        0        0        0        0        0        0
               2        2        0        0        0        0        0        0
10.0.6.158/32             N    N  udp 16384-65535 16384-65535 0.0.0.0/0
                          INPOLICY      @37        10.0.62.13 Gi0/0           PBR
<– Detected application, in policy exiting GE 0/0
               U        U        0        0        0        0      178      178
               2        2        0        0        0        0        0        0
The active probe:
sho pfr master active-probes forced:
        OER Master Controller active-probes
Border   = Border Router running this Probe
Policy   = Forced target is configure under this policy
Type     = Probe Type
Target   = Target Address
TPort    = Target Port
N – Not applicable
The following Forced Probes are running:
Border          State    Policy             Type     Target          TPort Dscp
10.0.62.17      ACTIVE   10                 jitter   10.0.62.34       3050 defa
10.0.62.13      ACTIVE   10                 jitter   10.0.62.34       3050 defa
After the rerouting of the traffic, we use another show command on the 3925 to illustrate:

sho pfr master traffic-class performance
=============================================================
…..
Traffic-class:
Destination Prefix : 10.0.6.158/32           Source Prefix    : 0.0.0.0/0
Destination Port   : 16384-65535             Source Port      : 16384-65535
DSCP               : N                       Protocol         : udp
Application Name:  : N/A
General:
Control State                   : Controlled using PBR
Traffic-class status            : INPOLICY
Current Exit                    : BR 10.0.62.17 interface Gi0/0, Tie breaker was None
Time on current exit            : 0d 0:8:2
Time remaining in current state : @59 seconds
Traffic-class type              : Configured
Improper config                 : None
Last Out-of-Policy event:
No Out-of-Policy Event
Average Passive Performance Current Exit: (Average for last 5 minutes)
Unreachable            : 0% — Threshold: 50%
Delay                  : 0% — Threshold: 50%
Loss                   : 0% — Threshold: 10%
Egress BW              : 1033 kbps
Ingress BW             : 1030 kbps
Time since last update : 0d 0:0:28
Average Active Performance Current Exit: (Average for last 5 minutes)
Unreachable            : 0% — Threshold: 50%
Jitter                 : 0 msec — Threshold: 10000 msec
Delay                  : 80% — Threshold: 50%
Loss                   : 0% — Threshold: 10%
Last Resolver Decision:
BR              Interface    Status       Reason       Performance Threshold
————— ———— ———— ———— ———– ———
10.0.62.13      Gi0/0        Eliminated   Jitter       N/A          N/A
10.0.62.17      Gi0/0        Best Exit    Jitter       N/A          N/A

The central router 2921-1 (PfR is enabled here as well)

!
!
key chain key2
 key 1
  key-string cisco
!
!
pfr master
 policy-rules VIDEO_VOICE
 logging
 !
 border 10.0.62.34 key-chain key2                            
<- Only 1 border router this time, with 2 external interfaces
  interface GigabitEthernet0/2 external
   link-group secondary
  interface GigabitEthernet0/1 external
   max-xmit-utilization percentage 100
   link-group primary
  interface GigabitEthernet0/0 internal
 !
 no learn
!
pfr border
 local GigabitEthernet0/0
 master 10.0.62.34 key-chain key2
!
!
interface Loopback0
 ip address 10.0.62.37 255.255.255.252
!
interface GigabitEthernet0/0
 ip address 10.0.62.34 255.255.255.252
 duplex full
 speed 1000
!
interface GigabitEthernet0/1
 ip address 10.0.61.1 255.255.255.240
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 10.0.62.5 255.255.255.252
 delay 20
 duplex auto
 speed auto
!
!
router eigrp 1
 network 10.0.61.0 0.0.0.15
….
!
!
ip access-list extended VOICE_VIDEO_ACCESS_LIST
 permit udp any range 16384 65535 host 10.0.63.11 range 16384 65535
!
ip sla auto discovery
ip sla responder
ip sla enable reaction-alerts
!
!
!
pfr-map VIDEO_VOICE 10
 match traffic-class access-list VOICE_VIDEO_ACCESS_LIST
<- This time the IP phone .11
 set mode route control
 set mode monitor fast
 set resolve jitter priority 1 variance 5
 set resolve delay priority 2 variance 50
 set resolve loss priority 3 variance 50
 set jitter threshold 120
 set active-probe jitter 10.0.63.1 target-port 3050
 set probe frequency 5
 set link-group primary fallback secondary
!
Have fun!
 Johan De Ridder

CiscoLive 2013 in London is ready to start

The biggest European Cisco event of the year – CiscoLive – is ready to start!!

From tomorrow the techtorials start, followed from Tuesday by the keynotes and the general sessions. We look forward to meeting the numerous Belgian and Luxembourg customers and partners attending the event. To give you a first glimpse of one of the main content tracks, please see the banner below!

[Banner: Unified Access, CiscoLive 2013]

For those not able to attend CiscoLive in London in person, do not hesitate to register on the virtual event website, where you will be able to see the keynotes and get access to very interesting event content: http://www.ciscolive.com/london/virtual/

Before and after VXI

Recent studies have revealed that over 60% of enterprise companies plan to deploy desktop virtualization in some way over the next 3 to 4 years. From a TCO point of view the advantages of desktop virtualization are simply amazing. As we move further into the so-called “post-PC era”, having the ability to “port over” the virtual desktop environment to other devices or, let’s say, locations than the traditional office desk brings unseen flexibility and mobility. Think of our Cius business tablet, which offers you a full desktop environment in the office while keeping access to the virtual desktop over Wi-Fi or 3G/4G connectivity while on the go.

Desktop virtualization, however, just doesn’t prove to be that good a solution when it comes to integrating real-time audio and video. Using a soft phone or video client over a display protocol such as Citrix ICA or VMware PCoIP simply doesn’t scale. “Hair-pinning” all the real-time traffic back and forth to the data center where the virtual desktop resides causes delay and jitter and puts a heavy burden on data center resources, not to mention possible bandwidth exhaustion…

Thanks to our Virtual Experience Infrastructure, or simply VXI, we are able to separate real-time traffic out of the VDI display protocol, routing voice and video traffic directly between endpoints and bypassing the data center.

Please take a moment to view a short video on our VXI solutions, showing you how separating voice and video traffic from the display protocol enhances the user experience. To start with, you will first see what you get without VXI. They say that seeing is believing. Well, this video really speaks for itself.

To find out more about our VXI offering and VXC clients, please visit the link below, and see how we effectively bring the best of our borderless networking, virtualization and collaboration technologies together.

http://www.cisco.com/go/vxi

Cisco Prime NCS – A New Way of Managing “Access”

As mentioned in previous blogs regarding “enabling Bring Your Own Device” or “New Ways of Working”, people access the network in more and more different and variable ways: starting with home working in the morning, connecting on the road, working at a virtual desk in the office and returning to the home office. The end user is therefore continuously switching between VPN, LAN and WLAN. Within that changing scope, the user connects with corporate devices as well as their own private devices.

And then suddenly the user cannot access the data he wants, and he calls IT support and says: “I don’t have access, can you solve this?”

Today, IT support needs to dive into a myriad of management tools, connecting the LAN, WLAN, VPN and security dots to find the cause of the problem. This is where NCS jumps in by delivering that Unified Access View!!

With Cisco Prime Network Control System you can see every user in your network, regardless of whether he is connected by wire or wirelessly, and get all the information you need for identity management. You also get complete visibility into endpoint connectivity, no matter where or what that endpoint is and how it is connected.
As mentioned above, this speeds up troubleshooting for the most reported customer pain point: network problems related to client devices.

Cisco Prime NCS also provides monitoring of endpoint security policy through integration with Cisco Identity Services Engine (ISE) to deliver visibility into compliance based on real-time contextual information from the network, users and devices across the entire wired and wireless access network.

Built on WCS, Cisco Prime NCS includes complete lifecycle management of 802.11n and 802.11a/b/g enterprise-class indoor and outdoor wireless networks. You get immediate access to the tools you need, when you need them, so that you can more efficiently implement and maintain secure wireless LANs, monitor wired and wireless LANs, and view users and endpoints across both networks, all from a centralized location.
Operational costs are significantly reduced as well through the platform’s workflow-oriented, simplified and intuitive user experience. Unlike overlay management tools, Cisco NCS incorporates the full breadth of management requirements: from radio frequency to controllers, switches, endpoints and users on wired and wireless networks, and on to mobility and identity services.

For a nice overview, have a look at the video below:

Still having doubts?
Well, the best way to be sure is to test Cisco Prime NCS.
Demo licenses are available and should be issued within 15 minutes. Remember, you need your own server (VMware ESX or ESXi) to install the .ova:
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=3999

For more information, please visit: www.cisco.com/go/ncs

Lennert

Datanews 2/12/2011: “Half of Belgian companies want the iPad” (« Helft van Belgische bedrijven wil iPad – La moitié des entreprises belges veulent utiliser l’iPad »)

Datanews’ yearly survey among 300 telecom and IT managers of Belgian companies (http://t.co/gnsy0DNF) is very clear: around half of the companies plan to use an iPad or another tablet for mobile data services (up from 21% last year). Impressively, 41% of the companies mentioned that employees could use their own smartphone. The priorities for the surveyed companies were: 1. Mobile Data, 2. Security and 3. Standardization. This survey confirms that the evolution of consumer devices entering the network (“Consumerization”) and people bringing in their own devices (“BYOD – Bring Your Own Device”) is really breaking through.

More than a year ago, Cisco IT moved from an environment where all devices were corporate-owned and controlled towards an environment allowing end users to choose from a broad catalog of devices as well as use their own devices. One year later, the result is spectacular: in one year the mobile device count grew 59% to more than 43.000 devices. iPhones make up 40% of those devices, BlackBerry 32%, and Cisco IT now sees a rapidly growing community of tablet users (15%) as well as Android device users (10%).


Can you block/ignore this evolution ?

No, that is difficult: many customers told us that their upper management were the first to bring in the iPhone, iPad and other devices. It is hard to say “no” to them, although they may carry the most sensitive data and therefore the greatest potential security risk. So how, as an IT department, can you accept and guide this evolution while taking the security risks into account?

What happens when you say “yes” ?

First of all, it answers a real demand from the end users and leads to a more satisfied and productive end user community. As IT, you are addressing what Peter Hinssen describes: “Work being that moment in time when you use old technology” (see Peter Hinssen: “The New Normal”). As mentioned above, at Cisco it led to an enormous growth in mobile devices and a broad spectrum of new operating systems accessing the network. The days of the desktop with a single operating system are clearly behind us. Often, this evolution also goes hand in hand with enabling new ways of working: allowing employees to work from home, on the road or in the office (behind a desk, a virtual desk, a flex desk, in meeting rooms or meeting corners, wired or wireless).

How will mobile data usage evolve ?

An additional measurement by Cisco IT showed that the increased capabilities of the new generations of smartphones and tablets make data and application access seamless, leading to a 40x increase in data usage compared to previous BlackBerry data usage. Therefore, it will be important to offload the devices wherever possible from 3G to a corporate wireless network for higher bandwidth and lower costs.

In fact, we need to move beyond looking at the access methods as such, and create an environment that allows the end user to connect seamlessly and transparently from anywhere, enabling him to work in new ways: home working, working on the road, working behind one’s office desk, working in flexible desk environments, going wireless in meeting rooms and meeting corners, … This requires LAN, WLAN and VPN technologies to come together into one seamless solution.

So, how can I start the journey ? How can Cisco help ?

First of all, as users access with new types of devices, you need to have the capability to discover which device they are using. Cisco’s Identity Services Engine with its unique profiling capability will give IT visibility on which devices access the network.

Secondly, you need to provide a strong standardized infrastructure to allow access from wherever needed : Cisco Virtual Office at home, mobile data services while on the road, a full wired and wireless LAN deployment in the corporate buildings.

Thirdly, as the end user wants access from different environments (without needing to be an IT expert), you need to provide him with a uniform way of accessing the network. Here, Cisco has unique capabilities to gradually evolve your LAN and WLAN environment towards a secure 802.1X environment. Cisco’s AnyConnect end device client can then incorporate VPN and 802.1X connectivity to deliver a seamless access experience, whether at home, on the road or in the office.

Finally, an adequate security policy environment is needed. As people can and will access the network with multiple devices, some controlled and some private, an evolution is required towards context-aware security with Cisco’s Identity Services Engine as the policy engine. This allows IT to define the right security policies depending on who accesses, as well as with what device, from where, at what time, …

In upcoming blogs, we will go deeper into each of the elements of the total solution mentioned above.

Let’s start the journey !

Wide Area Application Services

Network World has provided an independent review of the new WAVE appliances after conducting extensive lab testing of the appliances. The report’s executive summary says it all – “The latest release of Cisco’s WAN optimization product line — Wide Area Application Services (WAAS) 4.4 — proves that the company famous for routing packets can also shape, optimize and accelerate them”. For customers, this report backed by hands-on testing, provides an independent source of product evaluation that goes beyond analyst or blogger speculation.

“Cisco WAAS shows pizzazz” by Keith Schultz, Network World, November 21, 2011. Link and noteworthy quotes below:
http://www.networkworld.com/reviews/2011/112111-cisco-waas-252854.html

Performance: The top-end WAVE-8541 is an absolute speed demon and its ability to handle 150,000 connections and pass 2Gbps optimized traffic over the WAN is impressive…That represents some of the best performance we’ve seen based on previous testing of WAN optimization gear.
Reporting and Monitoring: The reporting and monitoring engine is top notch and overall, we found the system easy to navigate and use. There are a number of reports included in Central Manager, such as traffic and optimization summary, HTTP, HTTPS, video, SSL, MAPI and NFS acceleration reports, and also an overall acceleration summary.
Context-aware DRE: Cisco’s new context-aware DRE (Data Reduction Engine) does away with the segmented cache, opting for a single large unified cache that all appliances can participate in. Cisco’s DRE adapts to changing conditions in traffic and applications.
Video, VDI optimization: What’s interesting is that DRE can also function in a uni-directional mode for specific traffic types, like streaming audio and video, and VDI… take advantage of any cached byte segments in the branch appliance without filling up the data center cache
Manageability: We found the browser-based management UI is well laid out and very intuitive to use…WAAS covers just about all possible scenarios. We were able to create custom policies quickly in just minutes and easily deploy them to specific device groups… WAAS provides TCP optimization, data compression, application specific optimization and intelligent caching, all controlled from a single browser-based management console.
Breadth of Portfolio: WAAS comes in a variety of form factors and deployment methods — a data center appliance, branch office box, virtual WAAS for cloud-ready installations, and a mobile client for Windows operating systems… overall, Cisco has designed a consistent user interface and feature set across platforms
Maturity and Scalability: Cisco’s latest release of WAAS is a very mature and highly scalable platform for speeding up TCP traffic in the enterprise… the TCP support covers just about every conceivable situation.

The report also calls out WAAS optimizations for Citrix virtual desktops and Microsoft RDP, which can be deployed with Microsoft and VMware desktop virtualization solutions. The report points out that WAAS does not optimize UDP-based traffic today, which could be an issue if PCoIP is deployed on the WAN (instead of RDP). Cisco WAAS provides up to 90%+ optimization for video delivered when using PCoIP with MMR. What we have seen is that video is the bandwidth culprit in many cases, and WAAS video optimizations benefit PCoIP environments too.

Also, like other leading vendors, Cisco charges for the WAAS Central Manager. However, we provide the integration with Cisco Prime NAM at no additional cost. As the article points out, this integration is very powerful: “We like that Cisco includes Cisco Prime, its Network Analysis Module, as part of Central Manager. Where Central Manager’s reporting is unique to WAAS devices, Cisco Prime will collect network statistics from all across the network, including non-WAAS appliances. This allows IT to get a complete picture of network traffic from end to end and not be limited to WAAS-only information.”

Please have a look at the new appliances on:
www.cisco.com/go/waas

The IPv6 Implementation Action Plan (by TechWiseTV)

Isn’t it really time to think about your company’s (and personal) network migration to IPv6?

That’s why today I want to share this (quite long but) very interesting video produced by our TechWiseTV friends Robb Boyd & Jimmy Ray.

They have interviewed Cisco’s IPv6 experts around the world and walk us through the key steps to a successful implementation. The security implications are of course covered, as well as coexistence mechanisms such as NAT64.

And not to forget Cisco’s own real-world experiences with IPv6, from the backstage of World IPv6 day last June ’11. See more links below.

If you wish to attend a deep dive workshop on this topic, feel free to contact me at jpa@cisco.com

World IPv6 Day: A Watershed Moment Towards a New Internet Protocol

Cisco.com users on World IPv6 Day 5 to 10 times more likely to use IPv6 than visitors to other websites

Fosdem 2011, IPv6 on Cisco’s Wireless

Over the last weekend, a group of Cisco volunteers assisted FOSDEM in getting a proper network up and running; this is our story!

What is FOSDEM ?

FOSDEM, the Free and Open Source Developers’ European Meeting, is the biggest free and non-commercial event organized by and for the community. It has been taking place in Brussels for the last 11 years.

The event has been growing over the years and now welcomes ~5000 visitors for two days of keynotes, speeches and lightning talks covering many, many FOSS projects.

A group of volunteers from Cisco Belgium helps FOSDEM build the Internet access network, using wireless.

What is special with this network ?

The audience you have at FOSDEM is very fond of network access, and also pretty knowledgeable, so not the common user base you’d find in an enterprise or at another event. The pressure on getting the infrastructure right and highly secure is therefore key. One example was being able to detect and react almost instantly to a rogue DHCP/DNS server trying to poison the network. The Cisco security toolkit embedded in the Catalyst switches prevented this from being possible.

What was deployed and how was it configured ?

WAN Edge

Belnet provided us with a one Gigabit uplink within the Internet Exchange located on the ULB campus in Ixelles. The peering was done using an ASR 1004 running IOS-XE 3.1(2) and a fiber uplink.

Campus

From the ASR, a fiber provisioned on the ULB underground fiber path goes to our main comms room and terminates on a 12-port 10 Gigabit fiber switch, a Catalyst 3560E-12D. From the comms room hang all 4 access switches, a mix of 24- and 48-port 10/100/1000 PoE+ switches (3560-X series).

The access points were a mix of 1142 and 1252 a/b/g/n models, depending on the site-specific needs.

Management and monitoring

On the wireless side, we combined the ULB and FOSDEM WLANs into one single WLAN, keeping the full benefit of centralized wireless controllers for management, monitoring and reporting.

Reporting of network statistics and monitoring was done using Munin and Cisco WCS. We were also running our own DNS (v6 & v4) server for local users.

Lastly, we tested IPv6-only connectivity using DNS64 and NAT64 built on a FreeBSD kernel. This has proven to work really well, and as such we are thinking of providing only IPv6 addresses at next year’s conference, but 🙂

Config:

The complete config used for the main router has been published on the Support Community website.

Finally, let the results speak for themselves:

Over the weekend, we had 4171 unique users on the WLAN and a peak of 1672 concurrent users on Saturday around 16:00 CET.

Interesting to note is that among those 4171 unique devices on the FOSDEM network, 595 were Mac/iPhone/iPad, 452 were HTC devices, 341 Nokia, 56 Samsung, 23 RIM (BlackBerry) and 806 were using an Intel chipset…

What about IPv4 to IPv6 ratio ?

We have seen about 1.85k IPv6 link-local addresses (== total devices with IPv6 enabled), while 2.18k IPv4 addresses were cached at the router; which means 84% of devices had IPv6 enabled!!

And a total of 1.08k global IPv6 addresses (== IPv6 actually used); that is, 49.5% actually went to the v6 Internet.

So who said IPv6 adoption was lagging?

If you want to see what it looked like last weekend, check the video below:

IPv6 Unified Communications

Hello,

In this post I want to update you with what is available today when implementing Unified Communications on an IPv6 network.

What you need to retain from this post is that IPv6 is available today when deploying Cisco Unified Communications, and it can be enabled in a few easy steps. (Let’s agree that this would first be done in a lab though 😉

Configuring the UC server

The Ethernet interfaces of the UC server can be configured both from the CLI and from the GUI [fig. 1]. This configuration is at OS level. An important note here: Cisco UC-OS is a common application runtime for most existing Cisco UC products, meaning that once a feature is available in it, it can be exposed and used by any UC application.

With the CLI, enable IPv6:

set network ipv6 service enable

Set a static IPv6 server address:

set network ipv6 static_address <addr> <mask>

Review the IPv6 address settings:

show network ipv6 settings

Or use the UCOS GUI, as shown below. This is done in OS Administration, under Settings > IP > Ethernet IPv6.

ucv6_srv_cfg

Configuring the CUCM, at the application level for phone and intra-cluster communications

The IPv6 address can be used both for phone to UC server and for server to server communications [fig. 2]. This configuration is required on every server in the cluster where you wish to use IPv6.

Either an AAAA record (hostname) or a literal IPv6 address can be used for the IPv6 name. In the case of an AAAA record, your DNS (v4 and v6) will need to provide resolution for it.

under System > Server

ucv6_ucm_cfg

Enabling IPv6 for IP Phones to Server communications

You will first need to enable IPv6 cluster-wide, and then have the option of setting your signaling and media preference parameters either cluster-wide [fig. 3] or per group of phones [fig. 4].

under System > Enterprise Parameters

ucv6_ent_param_cfg

under Device > Device Settings > Common Phone Profile

ucv6_common_device_profile


SIP trunking

A SIP trunk can be configured directly on CUCM or on an IOS VoIP gateway or SBC (like CUBE). More details on SIP trunks are covered in this previous post.

SIP trunking is fully supported in both IPv6-only and dual-stack mode, depending on your needs. Both SIP Early Offer and Delayed Offer are supported, with or without ANAT.

Today the recommended addressing mode would be dual-stack, leaving the option to select one or the other address family through ANAT.

IPv6 destination addresses and SRV records can be used in the configuration.

A few words on ANAT: Alternative Network Address Types (RFC 4091)

ANAT is an application layer mechanism that permits offering both an IPv4 and an IPv6 address in the SIP INVITE (mid:1 and mid:2), as well as indicating a preference (a=group:ANAT 2 1), where here mid:2 is the preferred choice.

SIP INVITE with SDP (Early Offer):

a=group:ANAT 2 1
m=audio 18356 RTP/AVP 0
c=IN IP4 192.0.2.1
a=mid:1
m=audio 16462 RTP/AVP 0
c=IN IP6 2001:db8:aaaa::987:65ff:fe01:234b
a=mid:2

Then in the SIP answer, 200 (OK) with SDP, shown below, the remote end replies that it can do IPv6, as a=group:ANAT 2 indicates. To further indicate this, the UDP port number of the IPv4 media line is set to zero.

a=group:ANAT 2
m=audio 0 RTP/AVP 0
c=IN IP4 192.168.1.1
a=mid:1
m=audio 16462 RTP/AVP 0
c=IN IP6 2001:db8:bbbb::123:45ff:fe32:191d
a=mid:2

So ANAT gives us an application-aware, very flexible way to interconnect multiple call agents (both within your enterprise, or between you and a service provider or another enterprise).
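The offer/answer exchange above, worked through in code as an added example that is not part of the post: a small parser for the ANAT-relevant SDP lines (a=group:ANAT, m=, c=, a=mid:), an answer builder that keeps the offerer's most preferred family the answerer supports and rejects the other m= line with port 0, and a check that reads the answer back to find the media address the call will use. The SDP fragments are constructed copies of the post's offer and answer; the function names and the validation rules are the example's own, not CUCM or CUBE behaviour.

```python
"""Parse ANAT (RFC 4091) SDP offers and answers and determine which address
family a call will use.  Added example, not from the post; the SDP fragments
are constructed, modelled on the offer/answer shown above."""
import ipaddress

# Constructed offer, modelled on the post's Early Offer: IPv6 (mid:2) preferred.
OFFER_SDP = """\
a=group:ANAT 2 1
m=audio 18356 RTP/AVP 0
c=IN IP4 192.0.2.1
a=mid:1
m=audio 16462 RTP/AVP 0
c=IN IP6 2001:db8:aaaa::987:65ff:fe01:234b
a=mid:2
"""

# Constructed answer, modelled on the post's 200 OK: IPv6 kept, IPv4 line rejected.
ANSWER_SDP = """\
a=group:ANAT 2
m=audio 0 RTP/AVP 0
c=IN IP4 192.168.1.1
a=mid:1
m=audio 16462 RTP/AVP 0
c=IN IP6 2001:db8:bbbb::123:45ff:fe32:191d
a=mid:2
"""


def parse_anat(sdp):
    """Return (preference order, {mid: {"family", "addr", "port"}}).

    Only the lines the post's fragments use are handled.  Every c= literal is
    validated against its declared family, so a malformed or mismatched
    address is rejected rather than handed on to the media stack."""
    order, media, current = None, {}, None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("a=group:ANAT"):
            order = line.split()[1:]              # e.g. ["2", "1"], most preferred first
        elif line.startswith("m="):
            fields = line[2:].split()
            current = {"port": int(fields[1]), "family": None, "addr": None}
        elif line.startswith("c="):
            if current is None:
                raise ValueError("c= line before any m= line")
            _nettype, family, addr = line[2:].split()
            if family not in ("IP4", "IP6"):
                raise ValueError("unsupported address family " + family)
            version = ipaddress.ip_address(addr).version   # raises on a bad literal
            if (family == "IP4") != (version == 4):
                raise ValueError("c= family %s does not match %s" % (family, addr))
            current["family"], current["addr"] = family, addr
        elif line.startswith("a=mid:"):
            if current is None or current["addr"] is None:
                raise ValueError("a=mid: without a preceding m=/c= pair")
            media[line[len("a=mid:"):]] = current
            current = None
    if order is None:
        raise ValueError("no a=group:ANAT line")
    unknown = [mid for mid in order if mid not in media]
    if unknown:
        raise ValueError("a=group:ANAT references unknown mid(s) %s" % unknown)
    return order, media


def build_answer(offer_sdp, supported, local_ip4, local_ip6, local_port):
    """Answer an ANAT offer: keep the offerer's most preferred family that we
    also support (with our own address and port) and reject the other m= line
    by setting its port to 0, as the post's 200 OK does."""
    order, media = parse_anat(offer_sdp)
    chosen = next((mid for mid in order if media[mid]["family"] in supported), None)
    if chosen is None:
        raise ValueError("no address family in common with the offer")
    lines = ["a=group:ANAT " + chosen]
    for mid, m in media.items():                  # keep the offer's m= line order
        local_addr = local_ip6 if m["family"] == "IP6" else local_ip4
        port = local_port if mid == chosen else 0
        lines += ["m=audio %d RTP/AVP 0" % port,
                  "c=IN %s %s" % (m["family"], local_addr),
                  "a=mid:" + mid]
    return "\n".join(lines) + "\n"


def accepted_media(answer_sdp):
    """From an ANAT answer return (family, addr, port) of the one media line
    kept: it must be listed in a=group:ANAT and have a non-zero port, and no
    unlisted m= line may be left open."""
    order, media = parse_anat(answer_sdp)
    kept = [mid for mid in order if media[mid]["port"] != 0]
    stray = [mid for mid, m in media.items() if mid not in order and m["port"] != 0]
    if len(kept) != 1 or stray:
        raise ValueError("malformed ANAT answer: kept=%s stray=%s" % (kept, stray))
    m = media[kept[0]]
    return m["family"], m["addr"], m["port"]


if __name__ == "__main__":
    print(accepted_media(ANSWER_SDP))
```

Running build_answer on the post's offer with IPv6 and IPv4 supported reproduces the post's 200 OK body line for line; with only IPv4 supported, mid:1 is kept instead and the IPv6 line is the one zeroed out.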

In conclusion

UCv6 is available today, and although the full feature set is not available yet, you can already start testing and validating this deployment. IPv6-only IP phones can be deployed today and be a starting point to help you save your IPv4 addresses.

Cisco has about 10 customers using it in a production environment today, and we expect to provide a full-featured UCv6 solution within the next 2 years.

Jerome

IPv6 – the next generation challenge for Service Providers

John Chambers on IPv6 at Google Conference :

As we near 2012 when the last IPv4 address is assigned to a new subscriber, SPs must maintain and continue to accelerate growth. Billions of new devices such as mobile phones, portable multimedia devices, sensors, and controllers will demand Internet connectivity in the next five years. SPs need a solution that supports unconstrained global accessibility.

CGv6 is designed to help SPs deal with these challenges. With CGv6, SPs can:

  • Preserve investments in IPv4 infrastructure, assets, and delivery models through the use of Large-Scale Network Address Translation, along with private IP addressing.
  • Prepare for the smooth, incremental transition to IPv6 services that are interoperable with IPv4 using high-performance Tunneling technologies, combined with Large-Scale Address Family Translation.
  • Prosper through accelerated subscriber, device, and service growth enabled by private IP and IPv6.

CGv6 extends the already wide array of IPv6 platforms, solutions, and services. We’re introducing a Carrier-Grade Services Engine (CGSE) for the CRS-1 family, as well as supporting new features for the ASR family. Cisco CGv6 helps you build a bridge to the future of the Internet with IPv6.

For more IPv6 related information, make sure to visit :

http://www.cisco.com/go/ipv6
