VCCS Network Management White Paper

April 1, 2000

Contact: Roney E. Boyd Jr.

As stated in various white papers on Policy-Based Networking, Network managers are increasingly presented with a variety of bandwidth-hungry applications that compete for bandwidth in both the Local Area Network (LAN) and the Wide Area Network (WAN). These applications have a variety of characteristics. They may be mission-critical legacy applications with a WEB interface, on-line business-critical applications, or newer multimedia-based applications such as desktop videoconferencing and voice (telephone) over IP.

With the ever-increasing number of new applications that require additional bandwidth, Network Managers are constantly looking for ways to ensure that the mission-critical application traffic is protected from other bandwidth-hungry applications. The old rule of thumb was to just add more bandwidth, but today that is not a viable alternative due to expense. The new rule is not to add more bandwidth, but to control congestion in the network using Policy-Based Networking rules.

Policy-Based Networking is a set of automated rules to control traffic flow and workload. These rules govern which users or applications can use specified network bandwidth at any given time. Policy-Based Networking helps manage users and application priority, Quality of Service (QoS) and security rights based on organizational policies. The first step in implementing Policy-Based Networking Rules is to have a complete understanding of the network infrastructure.

The Virginia Community College System infrastructure consists of twenty-three Community Colleges (nine colleges have multiple campuses) and a Central Administration Office, for a total of 39 sites. Each site connects to Network Virginia's ATM backbone network via a DS3 connection. The local campus LAN at each site connects to an ATM Switch via a Router with an ATM Interface. The Router at each site connects to the local LANs via an Ethernet or Token Ring Interface.

The VCCS plans to create a server farm to house the Oracle Database and PeopleSoft Applications servers for its mission-critical applications. Access to the mission-critical applications can be WEB based, desktop client or by telephone using a voice over IP connection.

The VCCS also plans to implement network-wide desktop videoconferencing and video streaming. The VCC Utility maintains a centralized Global Directory Server that is used in conjunction with the E-mail service and other network authentication requirements (some colleges maintain a local directory for internal use).

(Refer to the VCCS Intranet diagram.)

With this flux of time dependent and non-time dependent traffic it is important to understand the transport and transmission protocols being used and how the bandwidth in the local area network and wide area network is now being managed.

Like all wide area network lines, the campus DS-3 connections are not managed directly. ATM is unique in that bandwidth within the line may be allocated manually or dynamically. Two small virtual circuits that carry the ATM signalling traffic are defined manually. The remaining bandwidth is allocated dynamically by the devices that need to use the ATM network. Once all of the available bandwidth is allocated, no new allocation requests are accepted. At that point, the line is fully utilized.

The campus LANs common transport protocol is TCP/IP. The LAN Administrator manages the bandwidth on the campus LANs while the Telephone Company manages the Bandwidth on the ATM Backbone.

Transmission Control Protocol / Internet Protocol is a suite of communications protocols used by host computers to exchange information between IP application processes over a local or wide area network. TCP/IP is not concerned about the link layer (transfer mode) used for transmission such as Ethernet, Token-Ring, Frame Relay, or ATM (Note, ATM will be the only link layer (transfer mode) addressed in this paper).

TCP operates at Layer 4 (transport) of the Open System Interconnection (OSI) Reference Model that is responsible for reliable end-to-end data connection between end systems. IP operates at Layer 3 (network) of the OSI Reference Model that deals with network addressing, routing and the switching of data.

Asynchronous Transfer Mode (ATM) is a multiplexed information transfer and switching method in which information is organized into fixed length (53-Byte Cells) and transmitted according to each application's instantaneous need. ATM has a set of protocols referred to as ATM Adaptation Layer (AAL) to process different types of information for insertion into an ATM cell. The Adaptation is performed at the sending edge of an ATM service offering, and UN-Adaptation is performed at the receiving edge. The Adaptation types are:

• Constant Bit Rate (CBR) - services in a digital network that are to be the same bandwidth for the duration of the call
• Variable Bit Rate (VBR) - services where digital bandwidth requirements change periodically, according to the needs of the communicating parties.
• Unspecified Bit Rate (UBR) - services that provide best effort connection. Does not guarantee bandwidth allocation.
• Available Bit Rate (ABR) - services designed to provide users with access to idle network capacity.

The Adaptation Layer specifies the Quality of Service for the ATM traffic, whether there is an end-to-end timing relationship, whether the traffic is error-sensitive or whether the traffic is connectionless or connection-oriented.

What needs to be determined at this point is which entry point or device is required to implement Policy-Based Networking Management of the traffic over the LAN and WAN.

With the LANs and the Network Backbone being managed by the two different groups, the question then becomes at which entry point or device should be used to implement management of IP traffic. There are several different views on where to start implementation. The following are several different viewpoints. Each will be addressed in greater detail later in this paper.

• Managing IP Traffic from Router-to-Router.
• Managing IP Traffic Using Separate Virtual Networks.
• Managing IP Traffic from End-to-End.

The complexity of involvement will depend on the viewpoint you choose to start the management of IP traffic. In all cases a boundary or endpoint must be defined.

The Boundary for TCP/IP is the endpoint for the Router or Switch. The Router or Switch uses the endpoint IP address as the originating and/or destination source address for transmission across a segment or network. Whereby, LANs use the Mac Address to communicate to other devices on the same segment (Switches also use the Mac Address to communicate with other devices between its ports).

The Boundary for ATM is the endpoint for the Permanent Virtual Circuit (PVC) or Switched Virtual Circuit (SVC) and can use any of the Adaptation Layers previously specified. A Virtual Path Identifier (VPI) and a Virtual Channel Identifier (VCI) identifies the endpoints of a PVC or SVC.

When managing IP traffic from router-to-router the router is the boundary edge device. The edge device determines which management method will be applied to the IP traffic as it is sent out over the network. Each router in the path must have the same method of management defined. Some methods are:

• IP Precedence - uses the three precedence bits in the IPv4 header to specify class of service for each packet. IP traffic can be partitioned in up to six classes of service using the IP Precedence bit. IP Precedence enables service classes to be established using the existing network queuing mechanism with no changes to existing applications or complicated network requirements. Those of us who are familiar with the Mainframe's Class of Service Table for TSO users can relate the IP Precedence bit function to that mainframe service feature.

• Resource Reservation Protocol (RSVP) - routers use RSVP in conjunction with other queuing features to deliver Quality of Service requests to routers along the paths of the data stream. RSVP is currently the only standard protocol designed to guarantee network bandwidth from end-to-end for IP networks.

• Weighted Fair Queuing (WFQ) - is a flow-based queuing algorithm that does two things simultaneously: It schedules interactive traffic to the front of the queuing to reduce response time, and it shares the remaining bandwidth between high bandwidth flows equally. It is designed to minimize configuration efforts and adapts automatically to changing network traffic conditions. WFQ is efficient in that it will use whatever bandwidth is available to forward traffic from lower priority flows if no traffic from higher priority flows is present. WFQ works with the IP Precedence and RSVP to provide not only differentiated Quality of Service, but also guarantees Quality of Service.

When managing IP traffic using separate virtual networks, each router that terminates a virtual network is a boundary point. Unlike the IP traffic from router-to-router, where all the traffic flows through a single virtual network. The virtual networks allow separation of IP traffic by IP traffic type within each virtual network. The types of IP traffic are: Data, Video and Voice. Each traffic type runs over its own virtual network. The virtual networks can be created using a single router or separate routers.

The method of management, as previously described, defines the Quality of Service for each virtual network. Quality of Service, within a given virtual network is provided by prioritizing and/or guaranteeing bandwidth to selected source and/or destination IP addresses.

Managing IP traffic from end-to-end is the most difficult and challenging task to accomplish. While the first two managing viewpoints were not concerned with the type of link layer being used (Ethernet, Token-Ring, Frame Relay, or ATM) or the platform from which it originated, the management of IP traffic from end-to-end requires that management of the traffic starts at the desktop, flows through the router, and link layer (ATM) to another router and finally, to the end point destination. End-to-End management requires that every device in the path understand the request for Prioritization and Quality of Service made by the requesting end device. This means that the method of management, IP Precedence, RSVP and WFQ has to be translated to one of the ATM Adaptation Layers before transmission across the network and that the desktop application has to have the capability to issue IP requests.

The first two starting points are simple to implement. The first requires a software upgrade to all the VCCS routers attached to the ATM Switch. Configuration changes to the routers for IP Precedence, RSVP and WFQ. The second requires the purchase of two additional routers for each site to connect to the ATM Switch and configuration changes to each router for IP Precedence, RSVP and WFQ. Policy-Based Networking can be implemented, but is not required.

The third starting point requires the implementation of Policy-Based Networking to eliminate the complexity of managing the IP request through the various OSI and Adaptation Layers.

Various vendors have instituted a policy-based networking architecture that is based on four building blocks:

• Intelligent Network Devices - devices must be "application-aware"; that is, capable of interpreting policy instruction in order to signal Quality of Service requirements for each application.
• Quality of Services and Security Policy Services - a server-based control system that provides the interface between the administrator (via a graphical user interface [GUI]) and the network devices.
• Registration and Directory Services - provides dynamic binding between the policy servers and the network addresses, users profiles, application profiles and other information vital to proper policy implementation and enforcement.
• Centralized Policy Administration - allows the administrator to interact with the policy server system via an administration GUI to simplify policy definition and provide the capability to centrally configure business rules, which are automatically mapped and translated to the intelligent network devices.

Using the four building blocks as the base architecture, Network Mangers have the capability to create a list of networking privileges covering issues such as who can use the network, when they use it, and which applications they can run. The network manager can also establish security schemes and establish bandwidth usage by user. The Network Manager would use the Centralized Policy Administration GUI to define a policy such as "The Student Information System (SIS) traffic will have the highest priority between 8 a.m. and 5 a.m., Monday through Friday." The underlying policy and registration server identifies the devices that require configuration to reflect the policy. The servers translate the policy into policy binding information, then communicates the policy to the relevant network devices using the industry-standards protocol such as Common Open Policy Service (COPS) protocol.

The following are several examples of implementing Policy-Based management for Data, Video and Voice (H.323).

The above data example shows routers at sites A, B, and C configured to recognize high priority traffic destined for the Oracle Application Server (OAS) over the ATM Backbone Network. At each site the Policy-Based Server (PBS) is configured to recognize traffic destined for the Oracle Application Server. At site D, the Policy-Based Server is configured to recognize return traffic from the Oracle Application Server with the same high priority.

The Data example use WFQ and IP Precedence to ensure that data to the Oracle Application Server receives the network resource (bandwidth) and prioritization it needs.

The above video example shows video streaming between sites A, B, C, and D with site D containing the video server (VS). The router at each site has an OC3 connection to the ATM switch. Each router is configured to use RSVP in conjunction with ATM SVC's to provide guaranteed bandwidth across the network. The Policy-Based Server at site D is configured to recognize that requests from the video server require RSVP and a VBR-RT SVC. No Policy-Based Server is required for sites A, B, and C in this example.

The above voice (H.323) example shows voice traffic going over an IP network. Voice traffic, at each site, is digitized on a voice over IP Gateway Device (GW). The voice traffic is then routed via a H.323 Gatekeeper (GK), which also requests specific Quality of Service for the voice traffic. The IP Precedence is set to high for the voice traffic. WFQ is enabled on all the routers that interface with the ATM network. WFQ reduces delay and jitter for the voice traffic.

The VCCS Intranet will have to supports a variety of new bandwidth-hungry applications, such as desktop video conferencing and/or voice over IP applications that will require some type of management to guarantee a certain level of customer expectations. Some applications, such as file transfers and electronic mail, require little or no management to operate at the current customers level of expectation, while other core mission-critical business applications, such as PeopleSoft and SNA traffic will still have to maintain a high level of performance when competing for network resources. Policy-Based Management allows for central control of bandwidth management and the enforcement of Quality of Services policies based upon how people need to use the network.

Reference:

CISCO System, Voice over IP Design Implementation Guide

CISCO System, IOS Software Quality of Service Solutions

ANIXER Networking, Delivering on Quality of Service

TRA, Understanding ATM Application and Implementation

Policy-Based Networking, Getting to the Root of Policy Management, by Mary Jander

CISCOAssure Policy Networking End-to-End Quality of Service

Policy-Based Networking, by Christ Walker