
Topic 21 ADNS Overview and Basic IP Routing


1 Topic 21 ADNS Overview and Basic IP Routing

A. Introduction
The goal of this topic is to introduce ADNS and basic IP routing. It discusses IP routing and the protocols that make it happen. A basic understanding of this area is critical to your effectiveness as a manager. The topic is also intended as a reference for the collection of added system capabilities identified as Automated Digital Network System (ADNS) Increment II.

B. Enabling Objectives
- DESCRIBE the basic IP routing process.
- DESCRIBE an Autonomous System (AS).
- DESCRIBE the routing protocols used in a CSG/ESG environment.
- DESCRIBE the Open Shortest Path First (OSPF) routing protocol.
- DISCUSS the ADNS concept of operations and vision.
- DIFFERENTIATE major capabilities between Increment I and Increment II.
- DISCUSS Increment I capabilities and constraints.
- DESCRIBE Increment II capabilities, components, hardware, and software.
- DISCUSS Increment II features.
- EXPLAIN the various organizations that provide ADNS support.

C. Topic Outline
- ADNS concept
- Summary of Increments
- Nomenclature and software variants
- Increment I capabilities and constraints
- Justification for Increment II
- Increment II capabilities, components, software and hardware
- Definition of Policy Based Routing and QoS
- Increment II features

2 What is ADNS?
- ADNS is an integral part of a complex communications system that provides an automated pathway for information to travel along any available transit link.
- Provides for optimal use of bandwidth assigned by the system to:
  - UNCLAS
  - SECRET
  - SCI
  - Coalition
  - Other afloat networks and their shore counterparts
Figure 21.1: ADNS concept.

ADNS Concept
ADNS is an enabling resource of the FORCEnet architecture, providing network services and access to the Defense Information Systems Agency networks for ships, submarines, and naval shore users. ADNS functions as the routing connection between shipboard LANs and off-ship WANs while managing the use of RF resources and landlines. The ADNS Program is transitioning from the first phase, Increment I, to the second-generation Increment II phase. ADNS Increment I provides the initial Wide Area Network (WAN) routing infrastructure, but uses only a limited portion of the potential capabilities of available COTS technology. ADNS allows communication across multiple security enclaves, interfacing with UNCLAS, SECRET, SCI, CENTRIXS and other services within the same routing infrastructure. This infrastructure supports the exchange of information between tactical and strategic forces, as well as identification and reporting of hostile activity.

3 ADNS “Vision”
- Provide assured gateway availability for critical paths/applications
- Guarantee 100% end-to-end delivery of selected voice, video, and data
- Provide restore capabilities
- Increase information transfer efficiency
- Reduce manning and operation costs
- Provide joint interoperability
Figure 21.2: ADNS vision.

Vision for ADNS
The vision for ADNS is to provide communication services management for maximum use of available resources, efficient resource selection, and integrated network management. ADNS became a Program of Record in Original variants provided a WAN router to coordinate IP network traffic from the UNCLAS, SECRET and SCI security enclaves and routed this traffic synchronously across a single RF transmission path. Increment I capabilities provide ship-to-shore IP connectivity via one RF path, separation of security enclaves, reuse of unused enclave bandwidth, and ship-to-tactical-shore IP connectivity (on amphibious ships). Any variant with these capabilities, whether using a Cisco or Proteon router, is an Increment I variant. ADNS consistently uses commercial standards and protocols, such as TCP/IP and OSPF, throughout the design. As described in later sections, the ADNS Program developed Increment II to optimize the use of finite RF bandwidth, to handle the expanding use of IP-based data applications, and to improve the operator interface. Increment II has five new capabilities, which are discussed later in this topic.

4 DISA Autonomous Systems
Figure 21.3: Basic Routing (figure labels: DISA Autonomous Systems NIPRNET, SIPRNET, JWICS, CENTRIXS; NOC; ASBR; BGP-4; OSPF; EIGRP; ADNS; RF links DWTS, EHF MDR, CWSP, Inmarsat “B” HSD, DSCS).

Introduction to Routing
When a network is small and has a single connection point to other networks, there is no need for redundant routes (a static route will work). But if more than one route exists, dynamic routing is normally used. Dynamic routing occurs when routers talk to adjacent routers, informing each other about the networks to which they are connected. The routers must communicate using a routing protocol run by the router's Operating System (OS). As routes change over time, the routes placed in the routing table are added and deleted dynamically by the routing protocol. In the case of multiple routes to the same destination, the router uses the entries in its routing table to choose the best route. If no specific match is found, the router looks for a default gateway (also called a gateway of last resort). Failing any match, and with no default gateway set, the router discards the datagram and sends an ICMP error message back upstream. Additionally, if a link goes down, the router must delete the routes connected to that link and find alternatives, if they exist. A lot of different technology is involved with IP routing in a Navy environment (Figure 21.3).

5 Figure 21.4: How routing works (figure labels: Application, Transport, Network, Data Link and Physical layers on each host; the ROUTER with Network, Data Link and Physical layers between them).

BASIC IP ROUTING
IP routing is required when one host needs to send a packet to another host located on a remote (i.e. different) IP network (Figure 21.4). The sending host must first determine whether the packet's destination is on its local network or on a remote network. It does this by applying its subnet mask to the destination host's IP address, a process called ANDing (Figure 21.5). If the calculation determines that the packet's destination is remote, IP builds an IP datagram containing the packet and the destination IP address and sends the datagram to the “default route” (e.g. a router). The sending host's default route is normally configured manually. Assuming the router receives the datagram from one of its attached Ethernet segments, it examines the frame and determines that the type field is set to 0x8000, indicating an IP datagram. Before discarding the Ethernet header, the router also notes the length of the Ethernet frame. The router then verifies the contents of the Version, Header Length, Length, and Header Checksum fields. In addition, the router checks that the entire IP datagram has been received by comparing the datagram length against the length of the data field in the received Ethernet frame.

6 Destination IP Address
Figure 21.5: ANDing (Destination IP Address ANDed with the Subnet Mask gives the network address, which is compared with the local machine's network address).

Next, the router verifies that the TTL field is greater than 1. The purpose of the TTL field is to make sure that packets do not circulate forever when there are routing loops. The host sets the packet's TTL field to be greater than or equal to the maximum number of router hops expected on the way to the destination (the Windows default equals 32). (Of note, there may be a fair number (30) of hops between, for example, a GENSER LAN aboard a ship in the Arabian Gulf and the GENSER LAN aboard a ship in the Med.) Each router decrements the TTL by 1 when forwarding. On decrementing the TTL, the router must adjust the packet's Header Checksum. Other than this, the IP datagram header remains relatively unchanged. The router then looks at the Destination IP address, which is used as the key for the routing table lookup. The best-matching routing table entry is returned, indicating whether to forward the datagram and, if so, the interface to forward the datagram out of and the IP address of the next IP router (if any) in the datagram's path. The router then appends the appropriate Data Link header for the outgoing interface. The IP address of the next hop is converted to a Data Link address (normally a MAC address), usually using ARP or a variant of the ARP protocol. The router then sends the datagram to the next hop, where the process is repeated.
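The host's ANDing decision and the router's per-datagram steps described above (header verification, the TTL check, TTL decrement with checksum adjustment, and the longest-match lookup with a gateway of last resort), as an added Python example that is not part of the ADNS course material; the IPv4 header, addresses and routing table are constructed for illustration.

```python
import ipaddress
import struct

# Added example (not ADNS code). All addresses and the routing table are
# constructed for illustration.

def is_local(host_ip: str, subnet_mask: str, dst_ip: str) -> bool:
    """ANDing (Figure 21.5): AND both addresses with the host's subnet mask and
    compare the network parts. Equal means the destination is on the local LAN."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    host_net = int(ipaddress.IPv4Address(host_ip)) & mask
    dst_net = int(ipaddress.IPv4Address(dst_ip)) & mask
    return host_net == dst_net

def header_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    the header's 16-bit words. Over a header that already carries a correct
    checksum the result is 0, which is how a router verifies it."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    if len(header) % 2:
        total += header[-1] << 8
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Constructed datagram: 20-byte header, no options, protocol 17 (UDP)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                         ttl, 17, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", header_checksum(header)) + header[12:]
    return header + payload

def verify_header(dgram: bytes, frame_data_len: int) -> int:
    """The router's checks before routing: Version, Header Length, Length against
    the Ethernet data field, and Header Checksum. Returns the header length."""
    if len(dgram) < 20 or dgram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (dgram[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(dgram):
        raise ValueError("bad header length")
    total_len = struct.unpack("!H", dgram[2:4])[0]
    if total_len < ihl or total_len > frame_data_len:
        raise ValueError("datagram length does not fit the received frame")
    if header_checksum(dgram[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return ihl

def lookup(table, dst: str):
    """Longest-match lookup keyed on the destination address. 0.0.0.0/0 is the
    gateway of last resort; None means there is no route at all."""
    dst_addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, iface, next_hop in table:
        net = ipaddress.IPv4Network(prefix)
        if dst_addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return best

def forward(dgram: bytes, table, frame_data_len: int):
    """Returns (action, out_iface, next_hop, datagram). The actions mirror the
    text: forward, or send an ICMP error back upstream (TTL exhausted / no route)."""
    ihl = verify_header(dgram, frame_data_len)
    ttl = dgram[8]
    if ttl <= 1:
        return ("icmp_time_exceeded", None, None, None)
    dst = str(ipaddress.IPv4Address(dgram[16:20]))
    entry = lookup(table, dst)
    if entry is None:
        return ("icmp_destination_unreachable", None, None, None)
    net, iface, next_hop = entry
    out = bytearray(dgram)
    out[8] = ttl - 1                       # decrement TTL ...
    out[10:12] = b"\x00\x00"               # ... and recompute the header checksum
    out[10:12] = struct.pack("!H", header_checksum(bytes(out[:ihl])))
    # Directly connected network (no next hop): deliver to the destination itself.
    return ("forward", iface, next_hop or dst, bytes(out))

# Constructed routing table: (prefix, outgoing interface, next-hop router or
# None for a directly connected network).
ROUTING_TABLE = [
    ("192.168.10.0/24", "eth0", None),
    ("10.20.0.0/16", "eth1", "10.1.1.2"),
    ("10.20.30.0/24", "eth2", "10.1.2.2"),
    ("0.0.0.0/0", "ser0", "203.0.113.1"),
]

if __name__ == "__main__":
    dgram = build_ipv4("192.168.10.5", "10.20.30.40", 32, b"constructed payload")
    print(is_local("192.168.10.5", "255.255.255.0", "10.20.30.40"))  # False
    print(forward(dgram, ROUTING_TABLE, len(dgram))[:3])  # ('forward', 'eth2', '10.1.2.2')
```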

7 Figure 21.6: ADNS Nomenclature (figure labels: Autonomous Systems NOC, SIPRNET, NIPRNET, JWICS; CSG and ESG running OSPF & EIGRP).

AUTONOMOUS SYSTEM
The Defense Information Systems Agency (DISA) networks (e.g. NIPRNET, SIPRNET and JWICS) and Navy Battle Forces (consisting of Carrier Strike Groups (CSG) and Expeditionary Strike Groups (ESG)) are all organized into Autonomous Systems (Figure 21.6). An Autonomous System (AS) consists of a collection of routers under mutual administration that share the same routing methodology. A single NOC AS consists of routers from the CSG ships, the ESG ships, and the NOC. Implementing the AS boundaries along NOC lines limits the amount of routing protocol overhead and protects low-bandwidth transit links between afloat nodes. The routers in an AS are normally completely trusted and share information freely. The routing protocols that enforce this trust within an AS are called Interior Gateway Protocols (IGPs).

INTERIOR GATEWAY PROTOCOLS (IGPs)
In the case of the Automated Digital Networking System (ADNS), all the routers on ships terminating at a particular NOC are in a common AS; therefore, they share routing information completely. SECRET and UNCLAS ADNS networks use the IGP called the Open Shortest Path First (OSPF) routing protocol.

8 OSPF runs on the routers inside the ship and at the routers terminating the Radio Frequency connections on shore. OSPF ensures that the routers on each ship know about the networks and routers on other ships within the CSG/ESG, as well as the terminating routers at the NOC. The SCI Networks program currently uses the Enhanced Interior Gateway Routing Protocol (EIGRP) as its IGP. EIGRP is used within the Sensitive Compartmented Information (SCI) enclave of the battle force AS and at the shore SCI nodes. EIGRP is configured to ensure that each shipboard SCI router knows of its adjacent shore router and that each shore router knows about all shipboard SCI routers. EIGRP is a Cisco-proprietary routing protocol based on the Interior Gateway Routing Protocol (IGRP), but uses the Diffusing Update Algorithm (DUAL) to enhance many of the original features of IGRP.

EXTERIOR GATEWAY PROTOCOLS (EGPs)
By contrast, routers from different ASs are not completely trusted. Because different administrators control each AS, there is no simple way to enforce consistent policy or resolve disputes between ASs. Therefore, each AS needs mechanisms to protect itself. Routing protocols used between ASs are called Exterior Gateway Protocols (EGPs), and they have methods for controlling what information is accepted and what information is shared. For example, the routers controlled by the Navy are in a different AS than the Defense Information Systems Agency (DISA) Secret Internet Protocol Router Network (SIPRNET) routers, and the routing protocol used between the Navy and DISA has many mechanisms for limiting what information is shared. By far the most common EGP is the Border Gateway Protocol, Version 4 (BGP-4). BGP-4 is run at the NOCs on the routers that connect the Navy shore sites to the DISA networks.

Routers that connect two or more ASs are called Autonomous System Boundary Routers (ASBRs). These ASBRs are known as “Premise Routers” at the NOCs. The Premise Routers at each NOC control what information the Navy accepts from, and sends to, DISA. Likewise, DISA implements an ASBR that controls what it will accept from the Navy.

9 Figure 21.7: OSPF Ports (figure labels: ROUTER 1 and ROUTER 2, each with Operating System, OSPF, IP, Data Link and Physical layers; IP protocol number 89).

LINK-STATE ROUTING PROTOCOL (OSPF)
The Open Shortest Path First (OSPF) protocol is the link-state routing protocol used by the Unclassified and Secret network routers in a NOC AS. OSPF is an Interior Gateway Protocol (IGP), meaning that it distributes routing information among routers belonging to a single Autonomous System. OSPF runs over IP: an OSPF packet is transmitted within an IP datagram, and the PROTOCOL field in the IP datagram header is set to 89 for OSPF (Figure 21.7). OSPF is designed to be run internal to a single Autonomous System (Figure 21.8). Each OSPF router maintains an identical database describing the Autonomous System's topology. From this database, a routing table is calculated. OSPF recalculates routes quickly in the face of topological changes, using a minimum of routing protocol traffic.

10 Figure 21.8: OSPF Environment (figure labels: ROUTER, OSPF, AUTONOMOUS SYSTEM).

OSPF BASICS
At the core of OSPF is a distributed, replicated database. This database describes the routing topology: the collection of routers in the routing domain (i.e. the Autonomous System) and how they are interconnected. Each router in the routing domain is responsible for describing its local environment in Link-State Advertisements (LSAs). The local environment includes the router's operational interfaces, the cost to send user datagrams out of the interfaces, and information about interface connections. These LSAs are then reliably distributed to all the other routers in the routing domain in a process called Reliable Flooding. OSPF's flooding algorithm ensures that each router has an identical link-state database, except during brief periods of convergence (convergence is the process of finding the next hop after the network changes). Taken together, the collection of LSAs generated by all of the routers is called the Link-State Database. Using the link-state database as input, each router calculates its IP routing table, enabling the correct forwarding of IP data traffic.

NOTE: Each OSPF router has a 32-bit Router ID number. In Figure 21.10, each router is identified by an IP address, and this is also how OSPF routers commonly identify one another. By convention, the shipboard ADNS Proteon routers use x.y.z.8 as the Router ID number (where x.y.z is the ship's ADNS backbone LAN).

11 Figure 21.9: OSPF basics (figure labels: six ROUTERs and link costs 1, 7, 2, 2, 11, 2, 1, 6).

The link-state database describes the routers and the links that interconnect them. However, only the links that are appropriate for forwarding are included in the database. The link-state database also indicates the cost of transmitting packets on the various links (Figure 21.9). OSPF does not automatically assign link costs; link cost is configured by the ADNS installer, and the preferred links should have the smaller numbers. On Navy ships, an appendix in the networking guidebook lists the costs that should be entered in the ship's ADNS router. An OSPF router uses an algorithm (typically Dijkstra's Shortest Path First algorithm) to calculate shortest paths. The cost of a path in the network is the sum of the costs of the links comprising the path. Suppose the network (Figure 21.9) has been up and running for some time. All six routers pictured will then have identical link-state databases that describe a complete map of the network. Looking at this database, any of the six routers can tell how many other routers are in the network (5), how many interfaces router has (3), whether a link connects and (yes), and so on. The database also gives a cost for each link. From the database, each router calculates the shortest paths to all others. For example, router calculates that it has two equal-cost shortest paths to and . Extracting this information from the collection of shortest paths yields the IP routing table.
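The SPF calculation described above, as an added Python example that is not part of the course material: Dijkstra's algorithm over a constructed six-router link-state database with installer-style costs (these are not the costs of Figure 21.9), keeping equal-cost paths, extracting the routing table with next hops, and recomputing after a link is withdrawn.

```python
import heapq
from collections import defaultdict

# Added example (not ADNS code). Constructed six-router topology with
# installer-assigned link costs; these are not the costs in Figure 21.9.
# Each link is listed once and is symmetric (same cost in both directions).
LINKS = [
    ("R1", "R2", 1), ("R1", "R3", 7), ("R2", "R3", 2), ("R2", "R4", 2),
    ("R3", "R5", 1), ("R4", "R5", 1), ("R4", "R6", 6), ("R5", "R6", 2),
]

def link_state_db(links):
    """The Link-State Database every router ends up with after flooding:
    router -> {neighbour: cost}."""
    lsdb = defaultdict(dict)
    for a, b, cost in links:
        lsdb[a][b] = cost
        lsdb[b][a] = cost
    return lsdb

def withdraw_link(lsdb, a, b):
    """A link failure: both ends stop advertising it, giving a new database."""
    new = defaultdict(dict, {r: dict(n) for r, n in lsdb.items()})
    new[a].pop(b, None)
    new[b].pop(a, None)
    return new

def spf(lsdb, root):
    """Dijkstra's Shortest Path First from `root`. Returns the path cost to each
    router and, for each, every predecessor on an equal-cost shortest path."""
    dist = {root: 0}
    preds = defaultdict(set)
    heap = [(0, root)]
    settled = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in settled:
            continue
        settled.add(u)
        for v, cost in lsdb[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                preds[v] = {u}
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                preds[v].add(u)          # a second path of equal cost
    return dist, preds

def next_hops(root, dest, preds):
    """Walk the predecessor sets back toward the root; the root's neighbours that
    lie on any shortest path are the next hops (two or more = equal-cost paths)."""
    hops, stack, seen = set(), [dest], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for p in preds[node]:
            if p == root:
                hops.add(node)
            else:
                stack.append(p)
    return hops

def routing_table(lsdb, root):
    """What the text calls extracting the routing table from the shortest paths:
    destination -> (path cost, sorted next hops)."""
    dist, preds = spf(lsdb, root)
    return {d: (dist[d], sorted(next_hops(root, d, preds))) for d in dist if d != root}

if __name__ == "__main__":
    db = link_state_db(LINKS)
    print(routing_table(db, "R2"))                            # R5 and R6 reachable via R3 or R4
    print(routing_table(withdraw_link(db, "R2", "R3"), "R2"))  # after R2-R3 fails
```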

12 Figure 21.10: Routing Table.

13 Figure 21.11: ADNS Increment I Capabilities
- Consolidated WAN access for multi-security-level networks (via NES, TACLANE)
- Link preference: DSCS, CWSP, EHF, IMS
- Hot-standby link failover
- Bandwidth reservation per security level
- Ship-to-ship LOS links with IP (VTC over DWTS)
- Ship-to-shore MAGTF support
- Pier-side network access
Constraints
- IP traffic uses only one RF link even if more are connected
- Best-effort delivery (i.e. no application has priority)
- Fixed bandwidth allocation to each enclave

Increment I Capabilities and Constraints
When an ADNS platform connects to two shore facilities simultaneously, it advertises to DISA from two locations. Since the routing infrastructure does not allow two shore exit points, this can cause major routing problems in both areas. ADNS ISEA operational policy is that a ship should not connect to two shore facilities at the same time; this includes connecting indirectly through ship-to-ship (DWTS). ADNS Increment I has the following constraints:
- IP traffic uses only one (1) RF link, even if two are available and connected to ADNS.
- All applications are delivered on a best-effort basis; no application is given priority.
- Bandwidth allocation to each security enclave is fixed to one configuration.

14 Justification for Change
- Increased demand requires more efficient use of RF bandwidth
- Need to prioritize network traffic
- Must be able to monitor and control network traffic based on applications
Figure 21.12: Why do we need Increment II?

Justification for Change
Although Increment I systems met the fleet requirements in the late 90s, the increase in traffic from networked applications and web-enabled data transfer has created a requirement to exploit multiple paths in order to maximize effective RF bandwidth. This increased demand and volume of traffic requires a method of prioritization to ensure high-priority data is not lost, while giving administrators the ability to monitor and control network traffic based on the applications that generate it. Increment II adds capabilities that maximize routing efficiencies to improve data throughput to ships without investing in additional Space Segment or Terminal resources. To address increased network traffic, Increment II comprises five major improvements that benefit both shore and shipboard ADNS users:
- Traffic Distribution
- Selectable Bandwidth Allocation
- Application Prioritization
- Application Monitoring and Blocking
- RF/Pier Side Link Monitoring

15 Figure 21.13: Increment II in a nutshell.
Inc II Capabilities
Increment II = Inc I plus:
- Traffic distribution over multiple links
- Adjustable bandwidth guarantees
- Application prioritization
- Improved link monitoring tools
- Application monitoring

Increment II Capabilities
The following sections address the Increment II capabilities and features in more detail.

16 Figure 21.14: ADNS components (figure labels: Integrated Network Management (INM) LQoSMAN; Routing and Switching Cisco router, PacketShaper; TACLANE).

Increment II Components
ADNS contains three functional elements:
- Integrated Network Management - Provides flexibility to adapt communications to available assets and mission priorities.
- Routing and Switching (R&S) - Provides the interface and performs routing and switching of user data to available transmission circuits.
- TACLANE (KG-175) - Provides encryption of IP data.

17 Software
- Windows 2003 Server + patches
- Internet Explorer (IE) + patches
- Apache Web Server
- Adobe Acrobat Reader
- WinZip
- mIRC Chat Client (and patches)
- Tera Term Pro
- Norton Antivirus
- IT-20 Security scripts
- Cisco IOS
- PacketWise PacketShaper Tool
Figure 21.15: ADNS software.

Software
ADNS incorporates and adopts a variety of COTS software for use in a Windows 2003 environment. However, ADNS personnel are not expected to become Windows 2003 system administrators. Windows 2003, Apache Web Server, and mIRC are discussed later in this topic. The following is a summary of some of the other, lesser-known software elements shown in Figure 21.15:
- Tera Term Pro is a tool for connecting with remote Telnet or serial hosts. It acts as a “middle-man” to provide communication between platform-independent web-based application servers and any remote Telnet/SSH host.
- Cisco IOS is the software used on the vast majority of Cisco routers and all current Cisco network switches. IOS is a package of routing, switching, internetworking and telecommunications functions tightly integrated with a multitasking operating system.
- PacketWise software is the heart of Packeteer's PacketShaper product line.

18 Figure 21.16: Windows Server 2003.
- 32-bit, secure Network Operating System that controls system hardware and provides a platform for running applications.
- Monitors ADNS software and controls ADNS devices.
- Industry standard for large networks.
- IAVAs and FAMs are issued with directions to download and perform updates and patches.

Windows Server 2003
Windows Server 2003 is a productive infrastructure platform for powering connected applications, networks, and Web services from the workgroup to the data center. Windows Server 2003 helps to build a secure IT infrastructure that provides a powerful application platform for quickly building connected solutions and an information worker infrastructure for enhanced communication and collaboration. Windows Server 2003 builds upon the increased security, reliability, and performance provided by earlier operating systems to provide a more secure and dependable platform on which to deliver business-critical applications and Web services. At the same time, Windows Server is easier to manage and integrate into existing environments.

19 Figure 21.17: Apache Web (HTTP) Server.
Apache Web Server
- Provides support for storing, managing, and displaying HTML-based content to local and network users.
- Enables network users to access the local ADNS INM functionality using the IE browser:
  - Monitor network connectivity
  - Configure information display
  - Configure and generate reports
  - Configure QoS and bandwidth management settings

Apache Web Server
The Apache HTTP (Web) Server is a web server for Unix-like systems, Microsoft Windows, Novell NetWare and other operating systems. Apache is notable for playing a key role in the initial growth of the World Wide Web. Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation. Released under the Apache License, the Apache HTTP Server is free software. Apache is primarily used to serve both static content and dynamic Web pages on the World Wide Web. Many web applications are designed expecting the environment and features that Apache provides. Apache is used for many other tasks where content needs to be made available in a secure and reliable way.

20 mIRC
- mIRC is an Internet Relay Chat (IRC) program that connects to a host chat server at NCTAMS PAC and LANT.
- Chat room to allow users to communicate with each other for testing and troubleshooting.
Figure 21.18: mIRC.

mIRC
mIRC is the chat client stored on the ADNS INM. It is used to connect to a SHORE server at NCTAMS PAC or LANT and to communicate with other users and the ADNS Help Desk. mIRC is a shareware Internet Relay Chat (IRC) client for Windows. mIRC is a highly configurable IRC client with all the features common to other chat clients on UNIX, Macintosh and other Windows platforms. Combined with a clean user interface, mIRC offers full-color text lines, DCC File Send and Get capabilities, programmable aliases, a remote commands and events handler, World Wide Web and sound support. Internet Relay Chat (IRC) is a form of real-time Internet chat or synchronous conferencing. It is mainly designed for group (many-to-many) communication in discussion forums called channels, but also allows one-to-one communications and data transfers via private message.

21 LQoSMAN 3.x Software Tool Kit
- Standalone IBM-compatible workstation running Windows Server software
- Provides status information
- Monitors via Ethernet link
- Uses SNMP
- Provides remote access and monitoring via SIPRNET web access.
Figure 21.19: LQoSMAN 3.x STK.

LQoSMAN 3.x Software Tool Kit
The Local Quality of Service Manager (LQoSMAN) 3.x Software Tool Kit is used to monitor and graphically display the status of the devices connected to the ADNS. The software is completely Web-based and serves as the front end of the ADNS routers. The LQoSMAN allows users of the system to configure nodes (routers) and interfaces associated with the ADNS and provides reporting capabilities. There are two ways to verify that traffic is being routed:
1. Directly via the Cisco command line interface (CLI).
2. With the LQoSMAN.
SNMP is short for Simple Network Management Protocol. It is a set of protocols for managing complex networks. SNMP works by sending messages, called Protocol Data Units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to SNMP requesters.

22 Figure 21.20: LQoSMAN 3.x User Levels.
- Administrator (Monitor/Manage)
  - Access all software modules and monitoring
  - Manage the entire ADNS
- Operator (Monitor)
  - Monitor performance
  - Generate reports
  - Change screen preferences
- Read-Only
  - Web access to view how ADNS is working

LQoSMAN 3.x User Levels
With Administrator privileges, the user can configure the routers, change the bandwidth management policies and set application prioritization. Operator privileges do not allow the user to manage or change set configurations; mainly, the Operator user monitors the system. The Read-Only user cannot change any configurations or alter screen preferences. Read-Only access is provided primarily for troubleshooting purposes when not at the actual LQoSMAN server.

23 Policy-Based Routing (PBR)
- Source-Based Transit Provider Selection
- Quality of Service (QoS)
- Cost Savings
- Load Sharing
Figure 21.21: Policy Based Routing defined.

Policy-Based Routing (PBR)
In today's high-performance internetworks, organizations need the freedom to implement packet forwarding and routing according to their own defined policies in a way that goes beyond traditional routing protocol concerns. Where administrative issues dictate that traffic be routed through specific paths, policy-based routing can provide the solution. By using policy-based routing, customers can implement policies that selectively cause packets to take different paths. Policy routing also provides a mechanism to mark packets so that certain kinds of traffic receive differentiated, preferential service when used in combination with queuing techniques. These queuing techniques provide an extremely powerful, simple, and flexible tool to network managers who implement routing policies in their networks. Policy-based routing (PBR) provides a mechanism for expressing and implementing forwarding/routing of data packets based on the policies defined by the network administrators. It provides a more flexible mechanism for routing packets through routers, complementing the existing mechanism provided by routing protocols. Routers forward packets to the destination addresses based on information from static routes or dynamic routing protocols such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), or Enhanced Interior Gateway Routing Protocol (Enhanced IGRP). Instead of routing by the destination address, policy-based routing allows network administrators to determine and implement routing policies to allow or deny paths.

24 Quality of Service (QoS)
- Control over resources: more efficient use of network resources.
- Tailored services: grades of service differentiation to the customers.
- Coexistence of mission-critical applications: bandwidth and minimum delays required by time-sensitive multimedia and voice applications are available, and other applications using the link get their fair service without interfering with mission-critical traffic.
- Foundation for a fully integrated network in the future
Figure 21.22: QoS explained.

Quality of Service (QoS)
Quality of Service (QoS) refers to the capability of a network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and networks, SONET, and IP-routed networks that may use any or all of these underlying technologies. The primary goal of QoS is to provide priority, including dedicated bandwidth, controlled jitter and latency (required by some real-time and interactive traffic), and improved loss characteristics. Also important is making sure that providing priority for one or more flows does not make other flows fail. QoS technologies provide the elemental building blocks that will be used for future business applications in campus, WAN, and service provider networks. Fundamentally, QoS enables better service to certain flows. This is done by either raising the priority of a flow or limiting the priority of another flow. When using congestion-management tools, one can raise the priority of a flow by queuing and servicing queues in different ways. The queue management tool used for congestion avoidance raises priority by dropping lower-priority flows before higher-priority flows. Policing and shaping provide priority to a flow by limiting the throughput of other flows. Link efficiency tools limit large flows to show a preference for small flows.

25 Figure 21.23: Traffic Distribution.
Inc 2 Enhancement # 1: Traffic Distribution
Benefits:
- Using multiple links increases effective bandwidth
- Improves overall system reliability

Traffic Distribution
In Increment I systems, even with multiple links available to ADNS, it will use only one. In Increment II systems, however, the design of the OSPF configuration, particularly the configuration of the ADNS Policy Switch and the frequency routers, permits ADNS to distribute data over multiple links simultaneously. Additionally, if one of the simultaneous links fails, Increment II systems automatically fail over by switching all traffic to the remaining operational links. Once the failed link is restored, Increment II systems automatically fail back to the original, optimal configuration.
By using policy-based routing and advertising static routes at the shore, a Community of Interest (COI) enclave can function, with respect to routing, as if it were connected directly to one of the frequency routers. With ADNS Increment II, the JCA and NIPRNET enclaves can function as if connected to the shore CWSP frequency router. For ship-to-shore unclassified data, a static route to the ship’s UNCLAS TACLANE is set up on the CWSP frequency router and advertised within OSPF. Because the static route is a longest-match route, which is preferred over a lower-cost default route, unclassified data will use a CWSP link if one is available. If no CWSP link is available, the unclassified data will go over the next lowest-cost path. Secret data will always select the DSCS link first because it is the lowest-cost link between ship and shore.

26 Traffic Distribution for Force Level Platforms
RF Links Available | DSCS Pt-to-Pt (256k – 1536k) | CWSP (1024k – 1536k) | EHF MDR (128k – 1024k) | EHF TIP Shared
DSCS and CWSP | SECRET, SCI, CENTRIXS, CWSP Failover | JCA, UNCLAS, DSCS Failover | |
DSCS and EHF MDR | SECRET, SCI, CENTRIXS, JCA, UNCLAS | | DSCS Failover |
DSCS and EHF TIP | | | | SECRET ship to ship, DSCS Failover
DSCS, CWSP, and EHF MDR | | | Failover on loss of CWSP and DSCS |
DSCS, CWSP, and EHF TIP | | | |

Figure 21.24: Force-Level ship traffic Distribution (cells left blank above could not be recovered from the transcript).

Traffic Distribution on Force-Level Platforms
Figure 21.24 shows a typical force-level ship with CWSP and DSCS operational. Using policy-based routing and the advertisement of static routes at the shore, CWSP will appear as the lowest-cost OSPF path for UNCLAS and JCA traffic. If a ship has a CWSP link operational, UNCLAS and JCA network traffic will take the CWSP path, while the other COI enclaves will use DSCS.
In the case of a force-level ship with three (3) links operational, such as DSCS, CWSP, and EHF-MDR, EHF functions only as a backup. If the DSCS link fails, SECRET, SCI, and CENTRIXS network traffic will fail over to CWSP, since it has a lower cost than EHF-MDR. If both the DSCS and CWSP links fail, all IP traffic except UNCLAS will be routed through EHF-MDR. This will result in significant congestion because of the higher delay and lower bandwidth available; when bandwidth is degraded, application prioritization becomes important.
Ships with DSCS, CWSP, and EHF-TIP will normally use the EHF-TIP link for ship-to-ship traffic only. If both the DSCS and CWSP links fail, all IP traffic will be routed through EHF-TIP. Because TIP is a shared RF network with less bandwidth and longer delays, congestion in this case will be more severe than in the EHF-MDR fail-over discussed above. EHF-TIP does not recognize application prioritization because it is not a point-to-point link.
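The route selection described in the two traffic-distribution sections, as an added worked example (not ADNS or OSPF code): a shore router prefers the longest-match static route to the ship's UNCLAS TACLANE over a cheaper default route, and falls back by cost when a link is lost. The link costs and the RFC 5737 documentation addresses are constructed placeholders, and the model covers the DSCS and CWSP links only.

```python
"""Added example, not ADNS code: longest-prefix-match route selection with
OSPF-style costs and link failover, as described in the Traffic Distribution
notes (DSCS and CWSP links only)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # destination prefix
    link: str                      # RF link / frequency router the route points to
    cost: int                      # OSPF path cost; lower is preferred


# Constructed placeholders (RFC 5737 documentation ranges), not real ADNS addresses.
SHIP_UNCLAS_TACLANE = ipaddress.ip_network("192.0.2.16/28")    # UNCLAS enclave behind its TACLANE
SHIP_SECRET_ENCLAVE = ipaddress.ip_network("198.51.100.0/24")  # any other (SECRET-side) destination
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def shore_routes():
    """Shore-side table: a default route over each RF link, plus the static
    route to the ship's UNCLAS TACLANE advertised by the CWSP frequency router."""
    return [
        Route(DEFAULT, "DSCS", 10),               # lowest-cost ship-to-shore link
        Route(DEFAULT, "CWSP", 20),
        Route(SHIP_UNCLAS_TACLANE, "CWSP", 20),   # longest match for UNCLAS traffic
    ]


def select_route(routes, dst, up_links):
    """Pick the usable route with the longest prefix; break ties on lowest cost."""
    dst = ipaddress.ip_address(dst)
    usable = [r for r in routes if r.link in up_links and dst in r.prefix]
    if not usable:
        return None  # no operational link reaches this destination
    return max(usable, key=lambda r: (r.prefix.prefixlen, -r.cost))


def chosen_link(dst, up_links):
    """Return the link a shore router would forward over, or None."""
    route = select_route(shore_routes(), dst, up_links)
    return route.link if route else None


if __name__ == "__main__":
    both = {"DSCS", "CWSP"}
    print("UNCLAS, both links up: ", chosen_link("192.0.2.20", both))        # CWSP
    print("SECRET, both links up: ", chosen_link("198.51.100.7", both))      # DSCS
    print("UNCLAS, CWSP link down:", chosen_link("192.0.2.20", {"DSCS"}))    # DSCS
    print("SECRET, DSCS link down:", chosen_link("198.51.100.7", {"CWSP"}))  # CWSP
```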

27 Figure 21.25: Selectable Bandwidth Allocation.
Inc 2 Enhancement # 2: Selectable Enclave Bandwidth Allocation
- Baseline Configuration
- SIPR-Favored
- SCI-Favored

Selectable Enclave Bandwidth Allocation
Shipboard administrators of Increment II systems are able to select from three (3) enclave bandwidth-allocation configurations:
- Duplicate of the baseline Increment I configuration
- SECRET-data favored
- SCI-data favored
Selections made aboard ship affect traffic in the ship-to-shore direction only; ships must request coordinated changes in the shore-to-ship direction from the appropriate shore facilities by phone. The allocations are the minimum guaranteed bandwidth for each respective enclave. To leave room for overhead traffic, bandwidth guarantees are at or below 75%. The remaining 25% is distributed among the enclaves in proportion to their guarantees. Additionally, unused portions of guaranteed bandwidth are available to the other enclaves as needed. ADNS does not control bandwidth allocations over EHF-TIP; consequently, there is no bandwidth guarantee associated with EHF-TIP.

28 Percent Bandwidth Allocation (Force Level)
Figure 21.26: Force-Level Selectable Bandwidth Allocation. Rows are grouped by configuration (Baseline, SIPR-Favored, SCI-Favored) and link (DSCS, CWSP, EHF, DWTS); columns are JCA | NIPR | SCI | SIPR | UDP/ICMP | Total, in percent of link bandwidth. Only the first row survived extraction intact:
Baseline, DSCS: 1 | 20 | 25 | 24 | 128k max | 70
Remaining extracted cells, in order: CWSP 45 5 10; EHF 8k max; DWTS 67 74; SIPR-Favored 15 39 75 35; SCI-Favored

A special router queue is used to combine User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) traffic, both of which can flood a link if not controlled. On the DWTS link, this queue is allocated a large bandwidth percentage to support video-teleconferencing (VTC). An example of bandwidth allocations is listed in Figure 21.26. The CENTRIXS enclave is not listed separately because it shares SIPRNET bandwidth. Router traffic is first sorted into the JCA, NIPR, SCI, and UDP queues. What remains, SIPR and Coalition traffic, goes into the router default queue.
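The allocation rules above (minimum guarantees, pro-rata sharing of the unguaranteed remainder, and lending of unused guaranteed bandwidth), as an added worked example that is not ADNS or LQoSMAN code. The guarantees are the DSCS baseline row of Figure 21.26; the link rate and enclave demands are constructed sample values.

```python
"""Added example, not ADNS or LQoSMAN code: enclave bandwidth allocation as
described in the Selectable Enclave Bandwidth Allocation notes. Guarantees are
minimum percentages of the link; the unguaranteed remainder is shared pro rata
to the guarantees, and unused guaranteed bandwidth is lent to enclaves that
still have demand."""
from fractions import Fraction

# Constructed sample: the DSCS baseline row of Figure 21.26, in percent of link
# bandwidth (JCA 1, NIPR 20, SCI 25, SIPR 24; total 70).
DSCS_BASELINE = {"JCA": 1, "NIPR": 20, "SCI": 25, "SIPR": 24}


def effective_shares(guarantees):
    """Percent of the link each enclave can claim when every enclave is busy:
    its guarantee plus its pro-rata share of the unguaranteed remainder."""
    total = sum(guarantees.values())
    return {e: Fraction(100 * g, total) for e, g in guarantees.items()}


def allocate(link_kbps, guarantees, demand_kbps):
    """Water-filling allocation in kbps. Each enclave first receives
    min(demand, its effective share of the link); capacity left unused is then
    offered to enclaves with unmet demand, pro rata to their guarantees, until
    demand is met or the link is full. Exact arithmetic via Fraction."""
    shares = effective_shares(guarantees)
    demand = {e: Fraction(demand_kbps.get(e, 0)) for e in guarantees}
    floor = {e: Fraction(link_kbps) * shares[e] / 100 for e in guarantees}
    alloc = {e: min(demand[e], floor[e]) for e in guarantees}
    spare = Fraction(link_kbps) - sum(alloc.values())
    hungry = {e for e in guarantees if demand[e] > alloc[e]}
    while spare > 0 and hungry:
        weight = sum(guarantees[e] for e in hungry)
        if weight == 0:
            break  # hungry enclaves with no guarantee get nothing extra
        offered = spare  # offers in this round are based on the spare at round start
        for e in sorted(hungry):
            offer = offered * guarantees[e] / weight
            give = min(offer, demand[e] - alloc[e])
            alloc[e] += give
            spare -= give
            if alloc[e] == demand[e]:
                hungry.discard(e)  # satisfied; its unused offer stays in 'spare'
    return alloc


if __name__ == "__main__":
    # Constructed demand on a 1000 kbps DSCS link: JCA idle, SCI and SIPR above their floors.
    result = allocate(1000, DSCS_BASELINE, {"NIPR": 100, "SCI": 600, "SIPR": 500})
    for enclave, kbps in result.items():
        print(f"{enclave:5s} {float(kbps):8.2f} kbps")
```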

29 Figure 21.27: Application Prioritization.
Inc 2 Enhancement # 3: Application Prioritization
- Based on source application
- Packets dropped depends on:
  - Degree of congestion
  - Priority of packets
- ADNS Inc II uses PacketShaper (Packeteer)

Application Prioritization
During periods of high traffic, when ADNS must drop packets, Increment II systems have the capability to prioritize traffic based on the source application. When there is no congestion, all data is routed and application priorities have no effect. The rate at which ADNS drops packets depends on the degree of congestion and the priority of the packets. If congestion becomes serious enough, ADNS will start dropping all lower-priority packets to ensure that higher-priority traffic is routed successfully. ADNS uses the PacketShaper device manufactured by Packeteer to mark the priority of packets passing through the network.
Fleet Forces Command (FLTFORCOM) has established a default set of application priorities. ADNS shore administrators are able to add, subtract, and modify these priorities using the PacketShaper GUI included in the LQoSMAN 3.x Tool Kit. Application priorities at the shore are set specific to each ship and affect traffic in the shore-to-ship direction. Since this accounts for 2/3 of all network traffic, the majority of congestion will occur in this direction, and changes will noticeably affect performance. Shipboard LQoSMAN software does not include a PacketShaper GUI; the ADNS production facility sets initial priorities using the native PacketShaper WUI. Ships desiring to alter the priorities listed on the following slides must request the changes from AOR shore sites via record message traffic.

30 Unclassified Application Priorities
Priority | Application or Traffic Type
6 | Reserved for future use
5 | Chat and DNS
4 |
3 | CRIT_WEB, Aircraft Logistics
2 |
1 | Medical
  | Default Traffic
-1 | Web and SSL

Figure 21.28: UNCLAS Application Priorities.

ADNS marks only packets from the SECRET and UNCLAS enclaves. If other enclaves mark packets, ADNS will recognize the marks as long as they adhere to the priorities and IP packet markings recognized by ADNS. Packets must be marked on the Plain Text (PT) side of any encryption device, since, once a packet is encrypted, it is impossible to sort it by application.
Note: Application priorities are not recognized by EHF TIP.
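The congestion behaviour described in the Application Prioritization notes, applied to the UNCLAS priorities of Figure 21.28, as an added example that is not ADNS or PacketShaper code: capacity is consumed from the highest priority down, so how much is dropped depends on both the degree of congestion and the class of traffic. The offered loads are constructed, default traffic is modelled at priority 0, and the proportional split within a tier of equal priority is an assumption of the model.

```python
"""Added example, not ADNS or PacketShaper code: strict-priority admission
under congestion using the UNCLAS priorities of Figure 21.28."""

# Priorities from Figure 21.28 (UNCLAS enclave); default traffic is modelled at 0.
UNCLAS_PRIORITY = {
    "chat": 5, "dns": 5,
    "crit_web": 3, "aircraft_logistics": 3,
    "medical": 1,
    "default": 0,
    "web": -1, "ssl": -1,
}


def admit(link_kbps, offered_kbps, priority=UNCLAS_PRIORITY):
    """Return {application: (forwarded_kbps, dropped_kbps)}.
    With no congestion nothing is dropped, so priorities have no effect.
    Under congestion, capacity is consumed from the highest priority down; the
    tier at the boundary is partially dropped (assumption: spread pro rata
    across the tier) and every tier below it is dropped entirely."""
    prio = lambda app: priority.get(app, priority["default"])  # unknown apps are default traffic
    remaining = link_kbps
    result = {}
    for level in sorted({prio(a) for a in offered_kbps}, reverse=True):
        tier = [a for a in offered_kbps if prio(a) == level]
        tier_load = sum(offered_kbps[a] for a in tier)
        fraction = 1.0 if tier_load <= remaining else remaining / tier_load
        for a in tier:
            forwarded = offered_kbps[a] * fraction
            result[a] = (forwarded, offered_kbps[a] - forwarded)
        remaining -= tier_load * fraction
    return result


def drop_ratio(allocation):
    """Overall fraction of the offered load that was dropped."""
    offered = sum(f + d for f, d in allocation.values())
    return sum(d for _, d in allocation.values()) / offered if offered else 0.0


if __name__ == "__main__":
    # Constructed offered load (kbps) from the UNCLAS enclave: 130 kbps in total.
    load = {"dns": 10, "crit_web": 30, "medical": 20, "default": 30, "web": 40}
    for link in (200, 100, 50):  # no congestion, mild, severe
        out = admit(link, load)
        print(f"link {link:3d} kbps: dropped {drop_ratio(out):.0%};",
              {a: f"{f:.0f}/{d:.0f}" for a, (f, d) in out.items()})
```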

31 Figure 21.29: Application Monitoring and Blocking.
Inc 2 Enhancement #4: Application Monitoring and Blocking
PacketShaper Overview
- Traffic and bandwidth management system that delivers predictable, efficient performance for applications running over the WAN
- Layer 7 classification, analysis, control, and reporting capabilities
- Enables managers to keep critical traffic moving at an acceptable pace through bottlenecks and prevents any single type of traffic from monopolizing the link

Application Monitoring and Blocking
The SECRET PacketShaper monitors traffic and displays application-specific metric data. Using the native PacketShaper WUI, ship and shore administrators are able to monitor detailed information on network use, such as top talkers, top websites, application priority levels, the percent of bandwidth allocation used, and the percent of bandwidth allocation used per application. The PacketShaper also has the ability to block IP traffic from any particular application that may be unauthorized or that is overloading the network. Applications are blocked by setting the application priority to “discard”. Since shipboard administrators cannot normally adjust application priorities, applications are blocked at the shore.
About PacketShaper
PacketShaper is a scalable platform for optimized WAN application performance: an “all-in-one solution” for extending monitoring, shaping, acceleration and compression, as well as centralized reporting and management, across the distributed enterprise. It allows administrators to:
- Maximize performance across the WAN
- Capitalize on server consolidation
- Realize true QoS for IP telephony and VoIP
- Enhance network security

32 Figure 21.30: Application Monitoring and Blocking.
Figure 21.30: Application Monitoring and Blocking (diagram labels: the shipboard LAN at 10/100/1000 Mbps, the WAN access link at 64 kbps – 1.5 Mbps marked as “The Bottleneck”, and the high-speed DISA/HSGR backbone at OC-3, OC-12, OC-48, OC-192).
Problem: Traffic on the high-speed LAN hits the low-speed WAN access link before getting to the really high-speed shore infrastructure.

33 Figure 21.31: RF Link Monitoring.
Inc 2 Enhancement #5: RF Link Monitoring
- PacketShaper
- LQoSMan
- Trend reporting
- Future requirements
- Reports

RF Link Monitoring
Increment II provides an array of improved operator interfaces, reports, and user-configurable alarms to help operators understand ADNS operating status. Both LQoSMAN and PacketShaper provide methods of collecting data for later analysis. LQoSMAN provides detailed trend reporting and can compile reports from data up to one year old; this data is useful for discovering trends and analyzing future requirements. The more important aspects are discussed in the following sections.

34 Figure 21.32: LQoSMAN Status Page.
The screen shot above (Figure 21.32) shows the LQoSMAN Status Page, displaying a table of RF connections, the data rate for each RF link, and the percent utilization and percent errors. This information comes directly from the ADNS router. For netted links such as EHF-TIP, LQoSMAN displays multiple members. It also displays a network map, a graphical representation of the status page.

35 Figure 21.33: LQoSMAN Reports.
The LQoSMAN software provides the ability to monitor Cisco router connections and to monitor and report on the status of the network. While the Status page relays the near-real-time status of the host, the Reports page allows administrators and operators to view historical (up to one year old) and current connection-state data in tables, graphics, and charts. The historical data is particularly useful when analyzing trends, network patterns, or potential problems. Report data can be viewed directly on the Reports page, exported and saved to a comma-delimited text file, e-mailed to another user, or printed. Users can generate the following types of reports:
- Status Reports
- Throughput Breakdown Reports
- Historical Reports
- Real-Time Graph

36 Figure 21.34: LQoSMAN Alarms.
ADNS administrators can monitor networks by setting visual and audible alarms based on link connectivity, utilization and error rates, and bandwidth utilization. Administrators can set which alarms will function, whether each alarm will be auditory, visual, or both, and the threshold at which each alarm will trip. The types of available alarms are:
- Cross Connect Alarm
- Link State
- Neighbor State
- Percent Error Threshold
- Percent Utilization Threshold
- Ping Status

37 Figure 21.35: ADNS Support Resources.
Support Organization (Function | Organization | Phone)
In-Service Engineering Activity (ISEA) | SPAWAR SSC SD, Code 2631 |
Software Support Activity | SPAWAR SSC CHAS, Code 50 |
Fleet Support Desk | SPAWAR SSC SD |
Configuration Management | |
ILS Management | PEO C4I and Space |

Figure 21.35: ADNS Support Resources (the Phone column and one Organization cell did not survive extraction).

ADNS Support Concept
Program Support
The ADNS ISEA, SPAWAR Systems Center San Diego (SSC-SD), Code 2631, and SSC Charleston (SSC-CH) jointly support ADNS. The ADNS Fleet Support Desk (FSD) provides overall system support, including the recording, tracking, and resolution of technical and logistics assistance requests. Additionally, the ISEA coordinates support with the Regional Maintenance Centers (RMC) and the Fleet Systems Engineering Teams (FSET) in accordance with governing directives. Operational and administrative support documents include System Operation Manuals (SOM), Technical Manuals, Interactive Engineering Technical Manuals (IETM), PMS procedures, Users Logistics Support Summary (ULSS) manuals, and FAMs. All ADNS documentation is available on the ADNS website:
