Chapter 12. Campus QoS Design

This is often the case when network administrators equate QoS with queuing only. But, as has been shown, the QoS toolset extends considerably beyond just queuing tools. In addition to queuing, classification, marking, and policing are all important QoS functions that are performed optimally within the campus network, particularly at the access-layer ingress edge (access edge).

Three important QoS design principles come into play to make the case for deploying campus QoS policies.

The first is that applications should be classified and marked as close to their sources as technically and administratively feasible. This principle promotes end-to-end Differentiated Services and Per-Hop Behaviors.

Sometimes endpoints can be trusted to set CoS and DSCP markings correctly, but in most cases it is not a good idea to trust markings that users can set on their PCs (or other similar devices). This is because users easily could abuse provisioned QoS policies if permitted to mark their own traffic. For example, if DSCP EF received priority service throughout the enterprise, a user could configure his PC to mark all his traffic to DSCP EF right on the NIC, thus hijacking network priority queues to service non-real-time traffic. Such abuse could ruin the service quality of real-time applications (such as VoIP) throughout the enterprise. The DS byte is, after all, just a header field under the sender's control; the only enforcement point is the switch port that decides whether to keep or overwrite it. For this reason, the clause "as close as ... administratively feasible" is included in the design principle.
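The trust-boundary decision just described comes down to whether the switch keeps or overwrites the DS byte the endpoint sent. The following Python program, added here as an illustration and not taken from this book or from any Cisco software, models one access port's ingress behavior on constructed IPv4 packets: a port set to trust DSCP forwards the endpoint's marking untouched, while an untrusted PC port discards it, re-marks from an explicit classifier, and recomputes the IPv4 header checksum (a detail the switch ASIC handles for you, but which any software re-marker must get right). The trust-state names `dscp` and `none`, the sample addresses and ports, and the choice of CS3 for call signaling are assumptions of this example; the SCCP port range TCP 2000 through 2002 is the one this chapter uses.

```python
"""
Added example (not from the book, not Cisco code): an access-edge trust boundary
modelled on IPv4 packets. Packets below are constructed test input; the trust
states 'dscp' and 'none' and the CS3 call-signaling mark are this example's choices.
"""
import struct

DSCP_DF, DSCP_CS1, DSCP_CS3, DSCP_EF = 0, 8, 24, 46
SCCP_PORTS = range(2000, 2003)          # TCP 2000-2002 (SCCP), as used in this chapter
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 ones-complement sum over the IPv4 header (0 when the header is valid)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(dscp, proto, sport, dport, payload=b""):
    """Minimal IPv4 + TCP/UDP packet with a correct header checksum (constructed input)."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(l4), 0, 0, 64,
                      proto, 0, bytes([10, 1, 1, 10]), bytes([10, 1, 2, 20]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + l4


def parse(pkt):
    """Return (dscp, proto, sport, dport); ports lead both the TCP and the UDP header."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return pkt[1] >> 2, pkt[9], sport, dport


def set_dscp(pkt, dscp):
    """Re-mark the DS field, keep the ECN bits, and recompute the header checksum.
    A re-mark that leaves the checksum stale would be discarded by the next router."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def classify_untrusted(pkt):
    """Explicit classification for an endpoint whose own markings are not trusted."""
    _, proto, sport, dport = parse(pkt)
    if proto == IPPROTO_TCP and (sport in SCCP_PORTS or dport in SCCP_PORTS):
        return DSCP_CS3                      # call signaling (this example's choice of mark)
    return DSCP_DF                           # everything else: best effort


def access_edge_ingress(pkt, trust):
    """Ingress policy for one switch port. trust='dscp' keeps the endpoint's marking;
    trust='none' (a user PC port) discards it and re-marks from the classifier."""
    if trust == "dscp":
        return pkt
    return set_dscp(pkt, classify_untrusted(pkt))


if __name__ == "__main__":
    # A PC marks a bulk SMB transfer EF on its NIC, hoping to ride the priority queue.
    hijack = build_packet(DSCP_EF, IPPROTO_TCP, 51000, 445)
    # Unmarked SCCP signaling arriving on an untrusted port.
    signaling = build_packet(DSCP_DF, IPPROTO_TCP, 50000, 2000)
    for label, pkt, trust in [("PC bulk EF, untrusted", hijack, "none"),
                              ("PC bulk EF, trusted  ", hijack, "dscp"),
                              ("SCCP, untrusted      ", signaling, "none")]:
        out = access_edge_ingress(pkt, trust)
        print(f"{label}: dscp {parse(pkt)[0]:2d} -> {parse(out)[0]:2d}, "
              f"checksum ok={ipv4_checksum(out[:20]) == 0}")
```

Running the module shows the PC's EF-marked bulk transfer leaving the untrusted port as DSCP 0 and leaving the trusted port still marked EF, and the unmarked SCCP signaling being marked CS3 on the untrusted port, with a valid header checksum in every case.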

A second important QoS design principle relating to access-edge QoS design is that unwanted traffic flows should be policed as close to their sources as possible. There is little sense in forwarding unwanted traffic only to police and drop it at a subsequent node. This is especially the case when the unwanted traffic is the result of DoS or worm attacks. The overwhelming volumes of traffic that such attacks create can readily drive network device processors to their maximum levels, causing network outages.



The third important design principle is that QoS always should be performed in hardware rather than software when a choice exists. Cisco IOS routers perform QoS in software, which places additional taxes on the CPU (depending on the complexity and functionality of the policy). Cisco Catalyst switches, on the other hand, perform QoS in dedicated hardware ASICs and, as such, do not tax their main CPUs to administer QoS policies. Therefore, complex QoS policies can be applied at Gigabit and Ten Gigabit Ethernet line speeds in these switches.

For these reasons, QoS policies, such as classification and marking policies to establish and enforce trust boundaries, as well as policers to protect against undesired flows, should be enabled at the access edge of the LAN. However, the need for queuing in the campus should not be dismissed.

Some studies have shown that 95 percent of the time, campus access-layer links are utilized at less than 5 percent of their capacity. Such underutilization permits campus networks to be designed to accommodate oversubscription among access, distribution, and core layers. Oversubscription allows for uplinks to be utilized more efficiently and, more important, reduces the overall cost to build the campus network. Some typical values for campus oversubscription are 20:1 for the access-to-distribution layers and 4:1 for the distribution-to-core layers, as shown in Figure 12-1.



Figure 12-1. Typical Campus Oversubscription Ratios



Under normal operating conditions, it is quite rare for campus networks to experience congestion and, thus, have a need for queuing. When congestion does occur, it is usually momentary and not sustained, as at a WAN edge.

Nonetheless, critical applications, such as VoIP, require service guarantees regardless of network conditions. The only way to provide service guarantees is to enable queuing at any node that has the potential for congestion, regardless of how rarely this actually might occur. Because of the oversubscription ratios just discussed, the potential for congestion exists in campus uplinks. Furthermore, the potential for congestion also exists in campus downlinks because of speed mismatches (such as Gigabit Ethernet to Fast Ethernet links). In both cases, the only way to ensure service guarantees in the event of congestion is to enable queuing at these points.

So far, this discussion for enabling queuing within the campus has revolved around network requirements under normal operating conditions. However, probably the strongest case for enabling QoS within the campus is to consider what happens under abnormal network conditions, such as a DoS or worm attack. During such conditions, network traffic increases exponentially until links are fully utilized. Without QoS, applications are drowned out by the worm-generated traffic, causing DoS through unavailability. On the other hand, when QoS policies are enabled within the campus (as detailed later in this chapter), VoIP, critical applications, and even Best-Effort traffic are protected and serviced if a worm attack occurs, thus maintaining the network's availability.

In such worst-case scenarios, the intrinsic interdependencies of network QoS, high availability, and security are clearly manifest.

So where is QoS required in the campus?

Access switches require the following QoS policies:

- Appropriate (endpoint-dependent) trust policies
- Classification and marking policies
- Policing and markdown policies
- Queuing policies

Distribution and core switches require the following:

- DSCP-trust policies
- Queuing policies
- Optionally, per-user microflow policing policies (on distribution-layer Catalyst 6500s with Supervisor 720s only)

Figure 12-2 summarizes these recommendations.



Figure 12-2. Where QoS Is Required Within the Campus



Some important considerations to keep in mind when defining campus QoS designs follow:

- DoS/worm-mitigation strategies
- Call-signaling TCP/UDP ports in use
- Access-edge trust models
- WAN aggregator and branch router connections

Each of these concerns is discussed in the following sections.



DoS/Worm-Mitigation Strategies

A proactive approach to mitigating DoS/worm flooding attacks within campus environments is to respond immediately to out-of-profile network behavior that indicates a DoS or worm attack, using access-layer policers. Such policers could meter traffic rates received from endpoint devices and, when these exceed specified watermarks (at which point they no longer are considered normal flows), mark down the excess traffic.

In this respect, the policers would be fairly "dumb." They would not be matching specific network characteristics of specific types of attacks; they simply would be metering traffic volumes and responding to abnormally high volumes as close to the source as possible. The simplicity of this approach negates the need for the policers to be programmed with knowledge of the specific details of how the attack is being generated or propagated.

It is precisely this "dumbness" of such access-layer policers that enables them to maintain relevancy as worms mutate and become more complex: The policers don't care how the traffic was generated, what it looks like, or what port it is being served on; all they care about is how much traffic is being put onto the wire. Therefore, they continue to police even advanced worms that continually change the tactics of how traffic is being generated. The corollary is that traffic which stays under the watermark is invisible to them; a volume policer is a flood control, not an intrusion detector.

For example, in most enterprises, it is abnormal (within a 95-percent statistical confidence interval) for PCs to generate sustained traffic in excess of 5 percent of their link's capacity. In the case of a Fast Ethernet switch port, this would mean that it would be unusual in most organizations for an end user's PC to generate more than 5 Mbps of uplink traffic on a sustained basis.



Note

It is important to recognize that this value (5 percent) for normal access-edge utilization by endpoints is just an example value. This value likely varies from industry vertical to vertical, and from enterprise to enterprise. To keep things simple, this 5-percent value is being used in the examples presented in this design chapter.



It is important to recognize that what is being proposed is not policing all traffic to 5 Mbps and automatically dropping the excess. If that were the case, there would not be much reason to deploy Fast Ethernet or Gigabit Ethernet switch ports to endpoint devices, because even 10BASE-T Ethernet switch ports would have more uplink capacity than a 5 Mbps policer-enforced limit. Furthermore, such an approach would severely penalize legitimate traffic that did exceed 5 Mbps on an FE switch port.

A less draconian approach is to couple access-layer policers with hardware and software (campus, WAN, VPN) queuing policies, with both sets of policies provisioning for a less-than-best-effort Scavenger class.

This could work by having access-layer policers mark down out-of-profile traffic to DSCP CS1 (Scavenger) and then having all congestion-management policies (whether in Catalyst hardware or in Cisco IOS Software) provision a less-than-best-effort service for any traffic marked to CS1 during periods of congestion.



Scavenger-Class QoS Operation



This section examines how the Scavenger-class QoS strategy for DoS/worm mitigation might work, both for legitimate traffic that exceeds the access-layer policer's watermark and in the case of illegitimate excess traffic (the result of a DoS or worm attack).

In the former case, imagine that the PC generates more than 5 Mbps of traffic, perhaps because of a large file transfer or backup. Within the campus, there is generally abundant capacity to carry the traffic, so congestion (under normal operating conditions) is rarely, if ever, experienced. This is usually the case because the uplinks to the distribution and core layers of the campus network are typically Gigabit Ethernet and would require (at least) 1000 Mbps of traffic from the access-layer switch to experience congestion.

If the traffic were destined for the far side of a WAN or VPN link (these are rarely greater than 5 Mbps in speed), dropping would occur even without the access-layer policer, simply because of bottlenecks resulting from the campus/WAN speed mismatch. TCP's sliding-window (congestion-control) mechanism eventually would find an optimal speed (less than 5 Mbps) for the file transfer.

To summarize, access-layer policers that mark down out-of-profile traffic to Scavenger (CS1) would not affect legitimate traffic, aside from the obvious re-marking. No reordering or dropping would occur on such flows as a result of these policers (that would not have occurred anyway).

In the latter case, the effect of access-layer policers on traffic caused by DoS or worm attacks is quite different. As hosts become infected and traffic volumes multiply, congestion might be experienced even within the campus. If just 11 end-user PCs on a single switch begin spawning worm flows to their maximum Fast Ethernet link capacities (11 x 100 Mbps exceeds 1000 Mbps), a GE uplink from the access-layer switch to the distribution-layer switch will become congested, and queuing and reordering will engage. At such a point, VoIP and critical data applications and even Best-Effort applications would gain priority over worm-generated traffic (because this Scavenger-marked traffic would be dropped the most aggressively); network devices would remain accessible for the administration of patches, plugs, and ACLs required to fully neutralize the specific attack.

WAN links also would be protected: VoIP, Critical Data, and even Best-Effort flows would continue to receive priority over any traffic marked down to Scavenger/CS1. This is a huge advantage because generally WAN links are the first to be overwhelmed by DoS/worm attacks.

The bottom line is that access-layer policers will significantly mitigate network traffic generated by DoS or worm attacks.
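The two cases above (a legitimate backup that exceeds the watermark, and a worm outbreak that saturates a GE uplink) can be made concrete with a small simulation. The following Python program is an added example, not code from this book or from any Cisco product: it implements a single-rate token-bucket policer whose out-of-profile action is markdown to CS1 rather than drop, and an uplink scheduler for a one-second interval that serves EF first, then best effort, then CS1, with a plain FIFO tail-drop variant standing in for "no QoS". The 5 Mbps watermark, the 11 infected PCs at 100 Mbps and the 1 Gbps uplink are the chapter's figures; the 8000-byte burst, the 1500-byte data packets, the 200-byte voice packets at 100 packets per second (roughly two G.711 calls) and the per-interval byte-budget model of the scheduler are simplifying assumptions made here.

```python
"""
Added example (not from the book, not Cisco code): a markdown policer at the
access edge feeding an uplink that treats CS1 (Scavenger) as less than best
effort. Rates, packet sizes and burst are illustrative values for this example.
"""
from collections import defaultdict

DSCP_DF, DSCP_CS1, DSCP_EF = 0, 8, 46
PRIORITY = {DSCP_EF: 0, DSCP_DF: 1, DSCP_CS1: 2}   # service order under congestion


class MarkdownPolicer:
    """Single-rate token bucket. Out-of-profile packets are re-marked to CS1 and
    transmitted; nothing is dropped at the access edge."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0          # token refill in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_t = 0.0

    def police(self, t, size, dscp):
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if self.tokens >= size:
            self.tokens -= size
            return dscp                     # in profile: marking kept
        return DSCP_CS1                     # out of profile: Scavenger, still forwarded


def flow(pps, size, dscp, duration=1.0):
    """Constant-rate source: list of (time, size_bytes, dscp) for one interval."""
    return [(i / pps, size, dscp) for i in range(int(pps * duration))]


def policed(packets, rate_bps=5_000_000, burst_bytes=8000):
    """Run one endpoint's packets through its own access-port policer (5 Mbps watermark)."""
    pol = MarkdownPolicer(rate_bps, burst_bytes)
    return [(t, s, pol.police(t, s, d)) for t, s, d in packets]


def uplink(packets, capacity_bps, scavenger_aware=True, interval=1.0):
    """Uplink congestion management over one interval. With scavenger_aware the
    scheduler serves EF, then DF, then CS1 and drops only what does not fit;
    without it the link is a FIFO with tail drop (no QoS at all)."""
    budget = capacity_bps * interval / 8.0          # bytes the link can carry
    key = (lambda p: PRIORITY[p[2]]) if scavenger_aware else (lambda p: p[0])
    sent, dropped = defaultdict(int), defaultdict(int)
    for _, size, dscp in sorted(packets, key=key):
        if size <= budget:
            budget -= size
            sent[dscp] += size
        else:
            dropped[dscp] += size
    return dict(sent), dict(dropped)


def scenario_backup():
    """Legitimate case: one PC pushes ~50 Mbps (far above the 5 Mbps watermark)
    onto an otherwise quiet GE uplink. Excess is re-marked, nothing is lost."""
    voice = flow(100, 200, DSCP_EF)                   # ~two G.711 calls, not policed
    backup = policed(flow(4166, 1500, DSCP_DF))       # ~50 Mbps at 1500-byte packets
    return uplink(voice + backup, 1_000_000_000)


def scenario_worm(infected=11, scavenger_aware=True):
    """Attack case: 11 infected PCs each saturate a 100 Mbps access port, which is
    more than a 1 Gbps uplink can carry alongside the clean users' traffic."""
    packets = flow(100, 200, DSCP_EF) + flow(1000, 1500, DSCP_DF)   # clean voice + data
    for _ in range(infected):
        packets += policed(flow(8333, 1500, DSCP_DF))               # ~100 Mbps per PC
    return uplink(packets, 1_000_000_000, scavenger_aware)


if __name__ == "__main__":
    print("backup, Scavenger-aware uplink:", scenario_backup())
    print("worm, Scavenger-aware uplink:  ", scenario_worm())
    print("worm, FIFO uplink (no QoS):    ", scenario_worm(scavenger_aware=False))
```

In the backup scenario most of the transfer leaves the access port re-marked CS1, but nothing is dropped, because the GE uplink is not congested. In the worm scenario the Scavenger-aware uplink drops only CS1 bytes and delivers every voice and in-profile data byte; the FIFO variant drops voice packets as well, which is the "drowned out" outcome described above.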

It is important to recognize the distinction between mitigating an attack and preventing it entirely: The strategy being presented will not guarantee that no DoS or worm attacks ever will happen; it only reduces the risk and impact that such attacks could have on the campus network infrastructure and then, by extension, the WAN and VPN network infrastructure.



Call-Signaling TCP/UDP Ports in Use

In this design chapter, to keep the examples relatively simple, only Skinny Call Control Protocol (SCCP) ports (TCP ports 2000 through 2002) are used to identify call-signaling protocols. However, SCCP is by no means the only call-signaling protocol used in IP Telephony environments. Keep in mind that port-based classification is itself a weak trust decision: any process on an untrusted PC can bind to TCP 2000 through 2002, so a port-based classifier should be combined with a policer on the resulting class rather than trusted outright. Table 12-1 shows many of the TCP/UDP ports used in a Cisco CallManager environment.

Table 12-1. Example TCP/UDP Ports Used in a Cisco CallManager Environment

Protocol               Port             Remote Devices                      Notes
DTC                    TCP 135          CallManagers in the same cluster    Dynamic ports used after initial connect
SSH                    TCP 22           Secure Shell client
Telnet                 TCP 23           Telnet client
DNS                    UDP 53           DNS servers
DHCP                   UDP 68 / UDP 67  DHCP server                         CallManager as DHCP client
DHCP                   UDP 67 / UDP 68  DHCP client                         CallManager as DHCP server
TFTP                   UDP 69
HTTP                   TCP 80           Administrator/user web browsers     CCMAdmin and CCMUser pages
OSI (DAP, DSP, DISP)   TCP or UDP 120   DC Directory
