Wednesday, November 30, 2011

CCNA

I've just completed my first CCNA training as a teacher.
Two weeks, ICND1 and ICND2

The course is much better, it's changed for good since 2006.

I liked very much L2 and L3 sections, very good explanations and pictures/slides, step-by-step examples.

It's still Frame-Relay there.... i wonder if it's still in use now, thanks God no IPX anymore, and very good IPv6 section

I didn't like the LABs. They are supposed to be used in a way when students do not see the devices, and use remote connectivity to manage remote devices.

So, i refused to use the proposed remote laboratory  and grab some devices i could find out-of-use in my work.

I've got a 3640, one 2811, a few 2960s, one 3400, a  2600, and 7200 in dynamips for some tests.

Good mix of routers/switches, one L2-L3 switch.

So, in  about 10 days my students had a chance to get a real experience - password restore, device connectivity, terminal cable connection and console program setup/use, IOS upgrade, an so on. We disassembled the 2600 (likely it's failed because one memory bank unlocked) and managed to restore it to normal operations, could see how the thing does NOT pass boot testing.

Yes, it's the same LABS as proposed in the course, BUT - it's real hands-on experience, which is very important, from technical and psychological aspects.

So, on the day 10 people who didn't even understood OSI levels  where pretty comfortable in setting up/running devices, ip stack, advanced switching features, NAT (via CLI), RIP, OSPF, EIGRP, and even some redistribution functions,IPv6 basic routing.

We also spent half a day 9 implementing their labs - they brought their ideas, tasks, real life challenges and we've solved them all.

I wanted to try myself in a teacher role, and i think it went very good.
The best measurement - a can hardly remember when students asked to go to a lunch or have break or being bored/tired.

Friday, November 11, 2011

Rate-Limit vs Shaping

... this is the question.

After i've published the description of the ng_state module I've got several comments stain policing is much worse then shaping in ISP applications.

We already came through this in 2008 when we've switched from shaping to policing on our PPTP servers. That time tests shown policing has much worse user expereince quality on speeds below 256Kbits.

Today's lowest CIR is 6Mbits, and most of our customers enjoys CIRs more then 10Mbit.

So, i decided to retest.

The test should prove that shaping gives noticeable positive difference in network software behavior.

We put one PC after policing/shaping device.

About ten peoples was asked to go through 4 tests: policing and shaping on speeds 3Mbit and 6Mbit. We reduced the speeds because rate-limit artifacts more noticeable on lower bandwidth.

Each tester didn't know which exact test he is performing. After completing all 4 tests, the tester should grade each test on 1..5 scale.

So, the result was surprising: most testers preferred 'rate-limit' experience, about 60% of tests with same speeds.

Overall, most testers graded experience with high marks (4 or 5) and summary of grades for 3 and 6Mbits is very close.

So the final result : user experience is at least  not worse with rate-limit then with shaping. 

Maybe one of the reasons is CIRs are so high these days that most interactive applications, like Web surf, online video, games can not reach the limits.

Graph, re-transmissions, packet lost are 'better' with shaping, but if doesn't affect quality of work and at the same time is much more expensive in terms of hardware, then it's a good reason not to use it. And more - I've never heard from the Support team someone complaining about speed graph is not narrow.

Tuesday, November 1, 2011

ng_state


NG_STATE


The ng_state module implements traffic policing with elements of DPI (deep packet inspection), classification and traffic processing according to classification results


What is it? A little bit of history, economics, reasons to use

Economic and common sense


The solution is resonable to ones who is dealing with > 1G of traffic,  > 500 users  to proccess and police, and does not have solition or needs functions the module has.

Most likely it's ISP applications, or corporate traffic gateways.

To make it up and running you need time and knowledge in FreeBSD administration and network systems integration.
I recommend to use Cisco devices or similar if possible. Due to their good support, stability and quality   they are more likely to give higher service uptime results.

Nevertheless, if you are in situation of very fast growth, tight schedule, unable to buy or wait for such a device, have excessive amount of traffic, you are good in FreeBSD then the module and solution on it could be profitable.

The module might also be interesting if you already have a FreeBSD gateway.



Time


I estimate about 40 man-hours to start and test the solution, and 40 more to inetgrate it with external systems. One month to make it running in production systems.

Hardware

4-5Gigs of duplex traffix (4-5G up and down at the same time) is proccessed on 2k$ hardware,

10Gig in duplex – 3,2k$ – 4k$ for hardware.



History


At some point policing feature has te be split from existing NAS because of new type of access appeared. With such a split policing, proxying, messages, P2P detecion functions had to be done on standalone hardware.

Sure, we've spent a time looking for something ready out of box. The best thing to fit was Cisco SCE. We were ready to spent 30k$ per each processed Gig, and sacrifise some features,wait several month for delivery.

A device was ordered for test, but test is delayed for 2,5 month. Finally we've got it, but didn't like – the thing required another 3-4  PC to manage it (actually it turned out later that same 3-4 PC could do much more traffic processing then the device itself), couldn't alter traffic, only drop.

The device we've got for testing had one of it's two ports out of order so we've spent another 10 days in trying to make it work, chasing support, trying other Gbic/configs, chasing again and so on.
By the time we've finished the testing, all service was working on PC-based solution. It was working ok. It had some bugs, was not optimal, and CPU hungry.

Other few months of optimization, joining/cutting functions, centralizing processing turned to very effective, well-functioning module as we have now.




Appliance

The module  implements user bandwidth policing according to service agreement and traffic type. It is intended to be used on  Internet gateways.


Main features

  • User bandwidth policing
  • Possibility of having common CIR for group of IP addresses
  • Traffic classification and traffic policing according to class
  • Netflow v5 export
  • WEB traffic redirect to display informational messages
  • Flood and attack protection (internal and external)
  • P2P traffic detection by behavior

The module must be put on a traffic path. It can be done by setting up standalone server with two NIC and connecting it into Ethernet link split or by installing module on an existing server.
It is preferable to install module on standalone server when bandwidth exceeds 500Mbit or 100kps.
The module is functionally close to Cisco SCE.


Some reference numbers

Number of supported users - 65k.
The module is tested on loads about 5-7Gbits, which is 4 million flows handling.
in theory the maximum number of flows is 40-50 million, user number is only limited to 65k by common sense.


Performance


Performance is really high. Traffic is handled on kernel level, and it goes to module almost without any other kernel processing, which is very efficient.
Also following should be considered

  • NIC type and features
  • CPU type, number of processors
  • traffic characteristics
  • Number of rules in classification module



Performance reference

100kps processed on one core of Core 2 Duo 6800 leads to 55-60% of one core utilization.
Core I7-960 machine with Intel 10Gb NIC is capable of processing about 2Mps which is 10-12Gbit total or 5-7Gbit in duplex.


In case when classification, Netflow and WEB traffic redirect is not required, and bandwidth policing is the only task, then its possible and desirable to switch off flow engine (at the moment this can be done by fixing module) which will lead to about 5x performance increase.


In such a configuration 180kps load takes 15% of one core of Core 2 Duo 6800 CPU.


The mentioned results where seen on average user inetnet traffic (40-50% is HTTP, another 40% is torrent).



System requirements

  • ОS FreeBSD 8x. (although it works in 7X, 8 is recommended for better network subsystem)
  • 2-4Gigs of memory
  • 64 bit OS (preferred)



Installation


You will need kernel sources and you have to be sure that running kernel is the same version as sources are. If you are not  - install kernel sources and then compile and install new kernel.
Adjust some OS parameters
kernel memory
netgraph items ( sometimes they help to survive congestion time )
Compile the module:

  •  Copy sources to /usr/src/sys/netgraph/state
  •  Copy makefile to /usr/src/sys/moduels/netgraph/state
  •  go to /usr/src/sys/moduels/netgraph/state, do make install clean
  •  load module kld_load ng_state
  •  Create you netgraph graph or use my script
  •  Using netgraph messages start setting services according to your needs
  •  Profit



Typical schemes

1. Standalone machine with classification

2. Standalone machine without classification



3. Existing machine


4. Making reserve


To make a reserve use any managable switch with STP/RSTP functionality. Switch bypass link In parralel to the ng_state server  with higher STP/RSTP cost. This way whenever L2 connectivity is broken on the primary link, where the server is, then traffic switches to the bypass link. On some switches loop detection should be switched off in case all connectivity is done on the same device.
Remark: All non-IP traffic is travels without restrictions between up1 and down1 hooks. Such a traffic is not a subject of policing, so all L2 non-IP protocols will be running without policing and loss possibility.


Attention


Promisc mode


When working on Ethernet link split mode then NICs should be switched to promisc mode to disable hardware mac filtration.
Do for all NICs participating in the split
ifconfig em0: promisc


Traffic is processed on kernel space


On the time of critical load the system may become unmanageable, even from local console.
IPFW
As traffic does not get into IP processing level, firewall features related to IP doesn't work. Only basic ALLOW/DENY rules will do. Man ipfw, please.
MAC autorsrc for ng_ether
To disable source mac substitution in traffic, disable the feature in ng_ether of both NICs of the split.
ngctl msg em0: setautosrc 0


Classification


Classification feature

The module can get information about traffic class from external systems or modules. To do classification it's assumed that traffic can by classified on first 10 packets in the flow. After successive pattern match packets in the flow are classified with the same class and no more packets are sent to classifier.

As an example ng_bpf can be used. Ng bpf is capable of doing following:

  • tcpdump expression
  • packet length, headers
  • protocol, ports
  • patterns with payload data match

Man bpf, man ng_bpf please.
After being classified traffic is sent back to the ng_state modules to complete learning process:



Classified traffic processing
The module sends packets in it's original direction on hook up/down with number matching traffic class. If packet  is not classified yet or hook with class number  not exists then traffic is send out  on hook 1. (up1 or down1)


Further processing examples

Overall view of classification process

  • send packets to different NIC (say, sent all WEB traffic to NIC where transparent proxy waits to catch it)
  • put additional policer to class hook (ng_car)
  • send P2P to cheap channel



P2P


Module is capable of detecting p2p traffic by its behavior. Traffic that has been classified is excluded from detection. Detection is based on connections number and traffic intensity. Each 5 second for each service decision is made - if the service (user) is P2Per or not. For those detected P2Per traffic marked as p2p-pissible is sent to class 2 next 5 seconds.


Flood protection


Module forbids to create more the 4000 flows for each service, except default service. This protects from floods, port scans and other connection hungry attacks.
Note: i've tested a few p2p clients and was not able to reach the limit without p2p client tuning. Typycally about 300-500 connects are exists for 4-5 resources being downloaded by p2p. Even by doing tuning I was able to get 3000 flows. For normal use this limit shouldn't be a problem


Informational messages


.. are to display informational messages, for example 'out of balance' or agreement to use the service. All web traffic is sent to predefined IP address (destination IP address is changed, DNAT actually)


Managing the module


Service setup


For grouping several IPs to same group with same polices 'service' is used. Service is a set of common parameters and restrictions, such as CIR (commited information rate), p2p detection, flag to show informational messages). One IP can be at only at one service at a time. When IP is added to a new service, then it is removed from old one.
Module is controlled via netgraph messages.
Service and IP address manage commands
ngctl msg ng_state: setservice { userid=\”\” ip=192.168.0.1 cir_up=200000 cir_down=200000 fwd=1 fwd_ip=192.168.0.5 mpolicer=2 }
Sets service of customer identified by
Cir_down, cir_up - CIR in downstream and upstream directions. 
ip=192.168.0.5  to assign this ip to the service.
If it is desired to assign more addresses to the same service then do it by calling setservice command with IP and usename only.
ngctl msg state: setservice { userid=”” ip=192.168.0.2 }
One command for each IP address.
fwd – switch on traffic redirection of port 80 to display informational messages. Set fwd=2 to enable forwardingm fwd=1 to disable, if not set – then old value is kept. 
fwd_ip - IP address where to send the traffic. Warning - this cannot be used for transparent proxy
mpolicer – P2P traffic detection for the service. To set use mpolicer=2. When not set (mpolicer=1), all traffic belonging to the service is ubject of P2P by behavior detection. 


Service and address request commnads


ngctl msg ng_state: getservice { userid=”” }ngctl msg ng_state: getservice { ip=192.168.0.1 }


Will show service metrics for user identified by , or if only IP is given - then service will be found by the IP address.


Statistics


ngctl msg state: servicestat { userid=”” }ngctl msg state: servicestat { ip=192.168.0.5 }
Show per-service statistics – packets, bytes transmitted/dropped, flow number.


Mass speed check


ngctl msg state: getspeeds N
To do massive CIR verification to synchronize billing data and module settings. Returns 70-100 CIRs at a time (whatever number will fit 4kb buffer)


Hooks description


upX, downX. X - number of class. Packets, classified as class X will be leaving the module by hook upX or donwX (according to original destination). If hook is not connected, then up1/down1 is used.
To turn on packet class learning do
ngctl msg ng_state: setifupclass {iface=18 class=14}
All packets entering up18 will be classified as class 14. Flow the packet belongs will also be marked as class 14. All further packets in the flow will be classified as class 14 without learning. This way classes are set after matching rules in bpf-classifier


newflows_up, newflows_down – hooks which are used to sent new packets to. When classification is not possible for the packet then it should enter module again with class set to 10 (“unable to classify”) which will lead to sending further packets in the flow  to classification. If classification fails after 10s packet, then flow is marked class 2 (P2P - possible ).


export – for netflow v5 export, works same way as ng_netflow.


Special features, defaults


Default service


Packets not belonging to any services are assumed to belong to "default service". Default service parameters might be set via setservice command with userid parameter  set to ”default” 
ngctl msg state: setservice { userid=\”default\” cir_up=64000 cir_down=64000 }
Same to retrieve service parameters.
ngctl msg state: getservice { userid=\”default\” }
Default service is supposed to be used as default policy – for example, when CIR speeds are set to very small values, then no traffic will go until IP is assigned to a service.


Deleting IP addresses from services


Not possible. But you can move ip to default service back. Use setservice 
ngctl msg state: setservice {userid=\”defaut\”  ip=127.0.0.2 }


Netflow


Export is done same way as ng_netflow. As the state module does eport in dedicated thread each 3-5 seconds - netflow stream is somewhat bursty.
In addition, src_ad field is used to pass number of service the flow belongs. Billing can check this number to see if correct service is set.


Predefined classes

  • 1 – default class, shouldn't be policed
  • 2 – p2p-possible class
  • 10 – unable to classify yet

Please, Notice
The module is very specific instrument as almost useless alone. To make it fully functional it should be setup with scripts which will translate business-logic to the module commands.


Thanks
Special thanks to Gleb Smirnoff, whose ng_netflow is used as a base for the module.

Download

here