Table of Contents
Module 2 - Design the Network Structure
Section 6 - Provision Software Features
Section Objectives
Upon completion of this section, you will be able to:
-
Recognize scalability issues for various Cisco IOS software features such
as access lists, proxy services, encryption, compression, and queuing.
-
Recommend Cisco IOS software features that meet a customer's requirements
for performance, security, capacity, and scalability.
Time Required to Complete This Section
Approximately 3 hours
Completing This Section
Follow these steps to complete this section:
1. Study the reading assignment.
2. Click any links that you see in the reading assignment and review
the information that appears.
3. Review on any tables and job aids that appear in the reading assignment.
4. Review the case studies at the end of this section.
5. Complete the questions in each case study.
6. Review the answers provided by our internetworking experts.
Resources Required to Complete This Section
To complete this section, you will need:
-
Access to the World Wide Web and Cisco's Web site
-
A downloaded, printed copy of this section
-
Paper and pencil
Reading Assignment
Goals for Provisioning Router Software
When designing internetworks that meet your customer's needs for performance
and security, you will need to provision router software features. Your
goals for provisioning software features might include one or more of the
following:
-
Optimize bandwidth usage on WAN links to improve performance.
-
Optimize bandwidth usage on WAN links to save money.
-
Implement security policies.
-
Implement policies regarding some traffic having priority over other traffic.
-
Scale internetworks to a large size and retain good performance.
Cisco IOS Software Features
Depending on your customer's requirements for network performance and security,
you might need to implement the following Cisco IOS software features:
-
Access lists
-
Proxy services
-
Encryption
-
Compression
-
Queuing: custom, priority, weighted fair (default)
-
Resource Reservation Protocol (RSVP)
-
Traffic shaping
-
Tag switching
Cisco IOS Software Access Lists
Use access lists to:
-
Control whether network traffic is forwarded or blocked at a router's interfaces.
-
Provide a basic level of security.
-
Control the amount of traffic on networks to improve performance. For example,
a NetWare Service Advertising Protocol (SAP) filter can be used to avoid
advertising services unnecessarily. Reducing the number of services advertised
can have a significant impact on performance because of the reduction in
network traffic and reduction in required processing at the routers.
-
Provide a set of criteria applied to each packet that is processed by the
router. The router decides whether to forward or block each packet based
on whether the packet matches the access list criteria. Typical criteria
defined in access lists are packet source addresses, packet destination
addresses, or upper-layer protocol of the packet. However, each protocol
has its own specific set of criteria that can be defined.
-
Define each criterion in separate access list statements. These statements
specify whether to block or forward packets that match the criteria listed.
An access list, then, is the sum of individual statements that all share
the same identifying name or number.
Access List Order
The order of access list statements is important. When the router is deciding
whether to forward or block a packet, the Cisco IOS software tests the
packet against each criteria statement in the order the statements were
created. After a match is found, no more criteria statements are checked.
If you create a criteria statement that explicitly permits all traffic,
for example, no statements added later will ever be checked. If you need
additional statements, you must delete the access list and retype it with
the new entries.
At the end of every access list is an implied "deny all traffic" criteria
statement. If a packet does not match any of your criteria statements,
the packet will be blocked.
Inbound and Outbound Interfaces
With most protocols, you can apply access lists to interfaces as either
inbound or outbound. If the access list is inbound, when the router receives
a packet the Cisco IOS software checks the access list's criteria statements
for a match. If the packet is permitted, the software continues to process
the packet. If the packet is denied, the software discards the packet.
If the access list is outbound, after receiving and routing a packet
to the outbound interface the software checks the access list's criteria
statements for a match. If the packet is permitted, the software transmits
the packet. If the packet is denied, the software discards the packet.
NetFlow Switching
NetFlow switching can apply access list filtering very quickly, without
going through the list for each packet that must be switched. With most
types of switching, however, the Cisco IOS software tests the packet against
each criteria statement until a match is found. You should design your
access lists with care to provide good performance. Study your traffic
flow so that you can design the list so most packets will match the first
few conditions. The fewer conditions the router needs to check, the better
the performance will be.
Example Hub-and-Spoke Topology
Consider the following example of a hub-and-spoke topology where remote
offices attach to corporate headquarters in Connecticut:
-
Most remote users are in Massachusetts.
-
Many remote users are in New Hampshire.
-
Some remote users are in Vermont.
-
A few remote users are in California, but they are not allowed access to
corporate headquarters.
-
No outside users are allowed access to corporate headquarters.
To maximize performance, design an inbound access list as follows:
-
Permit packets from Massachusetts.
-
Permit packets from New Hampshire.
-
Permit packets from Vermont.
-
Implicitly deny all other packets (including packets from California).
Access Lists Numbering
With the exception of named IP access lists (a Cisco IOS Release 11.2 feature),
configuring an access list requires you to number the list. A range of
numbers has been reserved for each type of access list. Remembering the
ranges can be difficult, so we have provided a list.
(In Cisco IOS Release 11.2 you no longer need to number IP standard
or extended access lists. You can now use an alphanumeric name. To use
this feature, type ip access-list followed by the keyword standard
or extended, followed by a chosen name. Named IP access lists also
let you delete individual entries from a specific access list, which enables
you to modify access lists without deleting and reconfiguring them.)
Access List Numbers
|
Type of Access List
|
Range
|
| IP standard |
1 - 99 |
| IP extended |
100 - 199 |
| Bridge type code |
200 - 299 |
| DECnet standard and extended |
300 - 399 |
| XNS standard |
400 - 499 |
| XNS extended |
500 - 599 |
| AppleTalk zone |
600 - 699 |
| Bridge MAC |
700 - 799 |
| IPX standard |
800 - 899 |
| IPX extended |
900 - 999 |
| IPX SAP |
1000 - 1099 |
| Bridge extended |
1100 - 1199 |
| NLSP route aggregation |
1200 - 1299 |
Impact of Access Lists on Router Performance
Over the years, Cisco engineering has improved the performance of handling
IP access lists on various platforms. The following table shows the history.
Enhancements to Access Lists
|
Cisco IOS Software Release
|
Performance Enhancement
|
| 9.21 |
Inbound and outbound access lists can be fast switched |
| 10.0 |
Standard outbound access lists can be SSE switched on Cisco
7000 series routers |
| 10.3 |
Extended outbound access lists can be SSE switched on Cisco
7000 series routers |
| 11.0 (3) |
Inbound and outbound, standard and extended lists can be
SSE switched on Cisco 7000 series routers |
| 11.1 |
Access lists can use NetFlow switching on Cisco 7500 series
and Cisco 7000 series routers with an RSP |
| 11.1 (5) |
Access lists can use NetFlow switching on Cisco 7200 series
routers |
Enabling an inbound access list on any interface of a Cisco 7000 series
router with Cisco IOS Release 11.0 and earlier versions disables SSE switching.
Cisco IOS Release 11.0(3) was the first release to support SSE switching
of inbound IP access lists.
Cisco IOS software has never supported autonomous switching of inbound
access lists. Autonomous switching of outbound access lists is disabled
for some interface types. On Cisco 7000 series routers, enable SSE switching
to avoid performance problems when access lists are used. (It must be configured;
it is not on by default.) On routers with RSPs, enable NetFlow switching.
When compression or encryption is performed in software instead of hardware,
system performance can be affected. To determine if these services are
stressing a router's CPU:
-
Use the show processes Cisco IOS software command to get a baseline
reading before enabling encryption or compression.
-
Enable the service and use the show processes command again to assess
the difference.
Cisco recommends that you disable compression or encryption if the router
CPU load exceeds 40 percent. Cisco also recommends that you disable compression
if encryption is enabled. Also, if the files being sent across the network
are already compressed, then do not enable compression on your routers.
Cisco IOS Software Proxy Services
Cisco offers numerous "proxy services" that you can recommend at customer
sites where there are performance or connectivity concerns due to the topology
and behavior of network applications. Examples of proxy services that the
Cisco IOS software provides include the following:
Resource Discovery on Serverless LANs
-
A router can respond to an IPX GetNearestServer request from a NetWare
client if there is no local NetWare server.
-
A router can respond when a VINES client boots and sends a broadcast request
asking a server to provide it with a network-layer address if there is
no local VINES server.
-
A router can respond to an Address Resolution Protocol (ARP) request when
a local IP station looks for a remote station. (This is called proxy ARP.)
-
By configuring a helper address you can cause a router to forward certain
types of broadcast frames so that a client can reach a service on the other
side of the router.
Traffic Reduction on Bridged Networks and WANs
-
A source-route bridging router can convert an all-routes explorer frame
into a single-route frame, thus reducing the number of frames in a network
that has many redundant paths.
-
NetBIOS name caching allows a router to convert NetBIOS name-lookup frames
from explorers to single-route frames.
-
NetWare servers running the NetWare Core Protocol (NCP) send a keepalive
message to all connected clients every five minutes. If clients are connected
by DDR circuits, the keepalive keeps the DDR link open indefinitely. To
avoid this situation, use watchdog spoofing on the router at the server
end. The router answers session keepalives locally, and the DDR link is
allowed to drop.
-
Novell Sequenced Packet Exchange (SPX) spoofing does the same thing as
watchdog spoofing except that it is for applications that use SPX instead
of NCP.
Improved Performance for Time-Sensitive Applications
-
The LLC Local ACK feature allows a router to respond to LLC frames so that
SNA and other time-sensitive applications do not time out when used on
large routed networks.
Cisco IOS Software Encryption Options
Safeguarding network data has become increasingly important to many organizations
as they extend their private internetworks to use public, unprotected networks
such as the Internet. To safeguard IP data, Cisco IOS Release 11.2 provides
packet-level encryption that enables you to protect the confidentiality
and integrity of network data traveling between cooperating (peer) encrypting
routers by providing mechanisms to do the following:
Authenticate Peer Routers
Peer authentication is done using Digital Signature Standard (DSS) private
and public keys.
Encrypt the Data
For each session, a shared Data Encryption Standard (DES) session key is
used to encrypt and decrypt IP data between the authenticated peer routers.
Cisco's packet-level encryption is supported in the following implementations:
-
In Cisco IOS Release 11.2 and later.
-
In the VIP2 software, available on the Cisco 7500 series platform.
-
In the VIP2 Encryption Port Adapter (EPA) software, available on the Cisco
7500 series platform.
The VIP2 EPA greatly improves encryption performance because the encryption
is offloaded to the dedicated port adapter hardware. It also has added
tamper-proof features for session keys.
In Cisco IOS Release 11.2, packet-level encryption can be used with
any Layer 2 encapsulation. IP is the only Layer 3 protocol that is supported.
Other Layer 3 protocols, such as IPX and AppleTalk, can be encrypted if
they are encapsulated in IP.
Cisco IOS Software Compression Services
The basic function of data compression is to reduce the size of a frame
of data to be transmitted over a network link. Data compression algorithms
use two types of encoding techniques: statistical and dictionary.
Statistical compression, which uses a fixed, usually nonadaptive encoding
method, is best applied to a single application where the data is relatively
consistent and predictable. Because the traffic on internetworks is neither
consistent nor predictable, statistical algorithms are usually not suitable
for data compression implementations on routers.
Dictionary Compression
An example of dictionary compression is the Lempel-Ziv algorithm. This
algorithm is based on a dynamically encoded dictionary that replaces a
continuous stream of characters with codes. The symbols represented by
the codes are stored in memory in a dictionary-style list. This approach
is more responsive to variations in data than statistical compression.
Data Compression Algorithms
Cisco internetworking devices use the STAC and Predictor data compression
algorithms. STAC was developed by STAC Electronics and is based on the
Lempel-Ziv algorithm. The Cisco IOS software uses an optimized version
of STAC that provides good compression ratios but requires many CPU cycles
to perform compression.
Predictor Compression Algorithm
The Predictor compression algorithm tries to predict the next sequence
of characters in the data stream by using an index to look up a sequence
in the compression dictionary. It then examines the next sequence in the
data stream to learn if it matches. If so, that sequence replaces the looked-up
sequence in the dictionary. If not, the algorithm locates the next character
sequence in the index and the process begins again. The index updates itself
by hashing a few of the most recent character sequences from the input
stream.
The Predictor data compression algorithm was obtained from the public
domain and optimized by Cisco engineers. When compared with STAC, it makes
more efficient use of CPU cycles but requires more memory.
Cisco IOS Data Compression Solutions
Cisco IOS software provides these data compression solutions:
-
Van Jacobson header compression for TCP/IP conforms to RFC 1144.
-
Link compression has one set of dictionaries per hardware link (interface).
-
Payload compression has one set of dictionaries per virtual circuit.
-
The SA-Comp/1 and SA-Comp/2 data compression service adapters provide hardware-based
data compression capabilities on Cisco 7200 series routers, the VIP2 in
Cisco 7500 series routers, and Cisco 7000 series routers that have an RSP7000
or RSP7000CI.
Cisco IOS Software Queuing Services
Queuing services let a network administrator manage the varying demands
applications put on networks and routers. Because Cisco started supporting
weighted fair queuing in Cisco IOS Release 11.0, there has been less need
for more drastic types of queuing, such as priority and custom queuing.
However, in some cases, mission-critical applications that are running
on congested serial links might still require priority or custom queuing.
Custom queuing is a less drastic solution for mission-critical applications
than priority queuing. Custom queuing guarantees some level of service
to all traffic, while priority queuing makes sure that one type of traffic
will get through at the expense of all other types of traffic.
Priority Queuing
Priority queuing is particularly useful for time-sensitive, mission-critical
protocols such as SNA. It is appropriate for cases where WAN links are
congested from time to time. If the WAN links are constantly congested,
the customer needs more bandwidth or should use compression. If the WAN
links are never congested, priority queuing is unnecessary. Because priority
queuing requires extra processing, do not recommend it unless it is necessary.
Priority queuing has four queues: high, medium, normal, and low. The
high-priority queue is always emptied before the lower-priority queues
are serviced. Traffic can be assigned to the various queues based on protocol,
port number, or other criteria.
The following graphic shows priority queuing operation:
Custom Queuing
Custom queuing is a different approach for prioritizing traffic. Custom
queuing assigns different amounts of queue space to different protocols
and handles the queues in round-robin fashion. A particular protocol can
be prioritized by assigning it more queue space, but it will never monopolize
the bandwidth. Custom queuing is more "fair" than priority queuing, although
priority queuing is more powerful for prioritizing a mission-critical protocol.
Custom queuing works by establishing up to ten interface output queues.
The transmission window size of each queue is specified in bytes. Once
the appropriate number of frames are transmitted from a queue so that the
transmission window size has been reached, the next queue is checked.
Like priority queuing, custom queuing causes the router to do extra
processing. Do not recommend custom queuing unless you have determined
that one or more protocols need special processing.
The following graphic shows custom queuing operation:
Weighted Fair Queuing
Weighted fair queuing was first implemented in Cisco IOS Release 11.0.
It is enabled by default. No configuration is required to use Weighted
Fair Queuing. Weighted fair queuing is more "fair" than either priority
or custom queuing because it handles the problems inherent in queuing schemes
that are essentially first-come, first-serve.
The main problem with first-come, first-serve algorithms is that sessions
using large packets can impede sessions using small packets. For example,
FTP can negatively affect the performance of Telnet. The weighted fair
queuing implementation looks at sizes of messages and ensures that high-volume
senders do not crowd out low-volume senders.
Weighted fair queuing queues packets based on the arrival time of the
last bit rather than the first bit, which ensures that applications that
use large packets cannot unfairly monopolize the bandwidth.
Cisco IOS Software Resource Reservation Protocol (RSVP)
RSVP is another service that supports varying requirements for bandwidth
and delay. RSVP is an outgrowth of the Internet Engineering Task Force's
(IETF's) work on integrated services, which enable networks to support
special qualities of service for applications that need them while preserving
current internetworking methods. Cisco supports RSVP in Cisco IOS Release
11.2.
Traditional network functions, such as file transfers, are not sensitive
to delay. Although network users may prefer that a file transfer occur
quickly, the transfer will take place regardless of the amount of time
it takes. Traffic generated by these applications is called elastic, because
it can stretch to work under any delay conditions.
However, new multimedia network applications, such as voice and video,
require that certain minimum numbers of bits be transferred within a specific
time frame. The inelastic traffic generated by these applications requires
the network to allocate specific resources for it.
The mission of RSVP is to allow routers to communicate among themselves
and with end systems so that they can reserve end-to-end network resources
for inelastic applications.
RSVP is a receiver-based protocol. Applications that receive inelastic
traffic inform networks of their needs, while applications that send inelastic
traffic inform these receivers about traffic characteristics. The router
that is connected to the receiver of a particular data flow (for example,
the transmission of a video file) is responsible for initiating and maintaining
the resources used for that data flow.
Cisco IOS Software Traffic Shaping
Cisco IOS Release 11.2 supports both generic traffic shaping and Frame
Relay traffic shaping. Generic traffic shaping helps reduce the flow of
outbound traffic from a router interface into a backbone transport network
when congestion is detected in the downstream portions of the backbone
transport network or in a downstream router. Generic traffic shaping works
on a variety of Layer 2 data-link technologies including Frame Relay, SMDS,
and Ethernet.
Topologies that have high-speed links (such as at a central site) feeding
into lower-speed links (such as at remote or branch sites) often experience
bottlenecks at the remote end because of the speed mismatch. Generic traffic
shaping helps eliminate the bottleneck situation by throttling back traffic
volume at the source end.
Routers can be configured to transmit at a lower bit rate than the interface
bit rate. Service providers or large enterprises can use the feature to
partition, for example, T1 or T3 links into smaller channels to match service
ordered by customers. Packet loss in the service provider's network can
be limited by throttling the traffic back at the source, thus improving
service predictability.
Frame Relay Traffic Shaping
Frame Relay traffic shaping offers the following capabilities:
-
Rate enforcement on a per-VC basis—A peak rate can be configured
to limit outbound traffic to either the CIR or some other defined value.
-
Generalized BECN support on a per-VC basis—The router can monitor
BECNs and throttle traffic based on BECN marked packet feedback.
-
Priority/custom/weighted fair queuing support at the VC level—This
allows for finer granularity in the queuing of traffic, based on an individual
VC.
Cisco IOS Software Tag Switching
In order to scale large internetworks, including the Internet and large
corporate intranets, Cisco is working with the IETF to develop tag switching,
a new technology that combines the performance and traffic management capabilities
of Layer 2 (data link layer) switching with the proven scalability of Layer
3 (network layer) routing. Tag switching assigns tags to multiprotocol
frames for transport across packet or cell-based networks. It is based
on the concept of label swapping, in which units of data carry a short,
fixed-length label that tells switching nodes how to process the data.
Case Studies
In this section, you will provision Cisco IOS software features.
Read each case study and complete the questions that follow. Keep in
mind that there are potentially several correct answers to each question.
When you complete each question, you can refer to the solutions provided
by our internetworking experts. The case studies and solutions will help
prepare you for the Sylvan exam following the course.
In this section, you will review the following case studies:
1. Market Mavericks, a money management firm
2. CareTaker Publications, a publishing company
3. PH Network Services Corporation, a health care company
4. Pretty Paper Ltd., a European wall covering company
5. Jones, Jones, & Jones, an international law firm
Case Study: Market Mavericks
Ms. Martin is the MIS manager at Market Mavericks, a money market management
firm in New York City. Ms. Martin has the task of planning a new state-of-the-art
network for the brokers that work at Market Mavericks. The 80 brokers will
be on floors 74 through 77 in a skyscraper.
Ms. Martin has the task of designing a WAN that will connect the 60
branch offices at Market Mavericks. She has chosen Frame Relay and a hub-and-spoke
topology. At her site (corporate headquarters), she will have a 1.5-Mbps
T1/E1 serial link to the Frame Relay cloud.
She plans to route IP using IGRP. She also plans to route AppleTalk
using RTMP and Novell NetWare using IPX RIP. (She will upgrade to Enhanced
IGRP for IP, AppleTalk, and NetWare.)
At headquarters, five NetWare print servers and five NetWare file servers
are installed. Each remote site has one NetWare print server and one NetWare
file server.
The corporate router is a Cisco 4000 series running Cisco IOS Release
10.3. The branch offices have Cisco 2500 routers also running Cisco IOS
Release 10.3.
1. Users at corporate headquarters need to
access all the Novell file servers. Users at the branch offices
need to access only their
own servers and the corporate file servers (though not the corporate print
servers).
Ms. Martin is tentatively
planning to apply an outbound SAP filter on the serial link of the Cisco
4000
router to deny all branch-office
servers from being advertised. She will also deny all corporate print servers.
What scalability constraints
should you discuss with Ms. Martin as she considers using the scheme to
filter
SAPs?
Ms. Martin has been asked to implement a security scheme that requires
the use of IP access lists. At the corporate site, she has been asked to
filter any IP packets coming from the California branch office. This branch
office will be shut down soon. Executives at corporate headquarters are
concerned that people who will not be employees soon could get proprietary
information before they leave the company.
2. How will an inbound IP access list at the corporate
router affect IP performance for all the other branch
offices? Remember that
Ms. Martin has a Cisco 4000 router running Cisco IOS Release 10.3
at
headquarters.
3. The financial data that the brokers at the
branch offices send over TCP/IP is highly confidential.
Ms. Martin is considering
using encryption features on the branch routers and the corporate router.
How might these features
affect performance?
4. Ms. Martin wants to know if you recommend priority
queuing for the TCP/IP brokerage applications.
The data that the brokers
generate is considered mission-critical, but the marketing and administrative
data on the AppleTalk
and Novell networks is not as critical. What would you tell Ms. Martin
regarding
priority queuing? What
are the advantages and disadvantages? Would custom queuing work better
for her?
Now that you have completed the exercise, click here
to view the solutions provided by our internetworking design experts.
Case Study: CareTaker Publications
Remember CareTaker Publications? If not, click
here to review the case study.
You might find it useful to refer to your topology diagram for CareTaker
Publications in Section 3.
1. The manager of Warehouse and Distribution
is concerned about PC performance over a leased line.
What recommendations could
you make to increase performance using Cisco IOS software?
Now that you have completed the exercise, click here
to view the solutions provided by our internetworking design experts.
Case Study: PH Network Services Corporation
Remember PH Network Services Corporation? If not, click
here to review the case study.
You might find it useful to refer to your topology diagram created for
PH Network Services Corporation in Section 3.
1. The general manager of PH called again
to ask about the possibility of patients' medical information
being exposed with the
system you will present. How will you accommodate for this concern in your
design?
Now that you have completed the exercise, click here
to view the solutions provided by our internetworking design experts.
Case Study: Pretty Paper Ltd.
Remember Pretty Paper? If not, click here
to review the case study.
You might find it useful to refer to your topology diagram created for
Pretty Paper in Section 3.
1. The Sales and Marketing managers are concerned
about the possibility of someone stealing new designs
as they are being transmitted
over the network and when they are stored on the servers. What are the
performance trade-offs
he should be aware of when considering encryption of all data transmissions
on the Frame Relay network?
Now that you have completed the exercise, click here
to view the solutions provided by our internetworking design experts.
Case Study: Jones, Jones, & Jones
Remember Mr. Jones? If not, click here
to review the case study.
You might find it useful to refer to your topology diagram created for
Pretty Paper in Section 3.
1. Mr. Jones has been reading about hackers
accessing confidential data by hacking into the network from
the Internet. How have
you addressed his concerns with your design?
Now that you have completed the exercise, click here
to view the solutions provided by our internetworking design experts.
Click here to go on to Section 7.
Copyright Cisco Systems, Inc. -- Version 2.0 7/98