Cisco Blogs

Cisco Blog > Enterprise Networks

IP SLA Video Operation – A powerful tool to mimic the real traffic demands on your network

With video increasingly becoming part of how you collaborate, you need to consider the impact of this incremental video on your network. Video brings many new challenges in order to meet user expectations for a flawless quality of experience. So is your network ready for rich media?

IP SLA video operation answers this question by synthetically generating traffic  mimicking real application traffic. The ability to generate realistic RTP stream similar to real life Cisco TelePresence allow you to stress the network and assess the demands these applications will impose on your network. Each type of media application can be expressed for the synthetic media generation system by media application profiles that contain personalities which incorporate characteristics such as bit rate, burst sizes, inter-packet-gaps, etc. These application profiles allow, for example, a catalyst switch to simulate the video playout from multiple places in the network. There may be multiple personalities based on different software versions or configurations of the media application. Cisco will make a set of comprehensive media application profiles available for download. IP SLA video operation, an enhancement to IP SLA, was announced on April 6, 2011 at ISC West in Las Vegas and is first introduced in IOS 12.2(58) SE on Cisco Catalyst 3750 and 3560 series switches. Over time, more products will be implementing this new operation.

Read More »

Tags: , , , , ,

Overcoming the Fear of IPv6

A few years back I set up IPv6 connectivity on my home network for the first time.  I had a rush of exhilaration when the first ping and traceroute commands completed successfully.  Suddenly, I was free of Network Address Translation and bypassing my firewall, connecting directly to any IPv6 device on the Internet.  But then it slowly dawned on me that those people same people could also directly connect to my device!  In a panic, I wondered if my SMB shares were visible to the world, or if criminals could relentlessly probe my open ports for zero-day vulnerabilities.   How could I even check if I had any open ports?  My fear got the best of me and I disabled IPv6.

I contacted my friend Dan and posed my dilemma to him.  How could I tell if my ports were locked down on a machine which ran IPv6?  A number of sites provided port scanners for IPv4, but nobody had a general purpose scanner for IPv6.  Hurricane Electric provided one, but only for devices that were on their network.  Dan hacked up a primitive IPv6 open port testing site, which uses NMAP to scan an IPv6 visitor for typically vulnerable ports before issuing a simple report.  I was pleased to discover that my computer did not answer on any of those commonly attacked ports.

In this process, I discovered that many modern operating systems with IPv6 enabled also come with a set of reasonable host firewall defaults which do not expose listening ports as much as I had expected based on my experience with IPv4.  Many hosts with IPv6 enabled by default also come with some very sensible settings to prevent network-launched crimes of opportunity from malicious users.

IPv6 also provides a natural defense against classic portscanning attacks, where an attacker probes for commonly vulnerable ports of every IP address on a subnet.  For densely packed IPv4 service provider networks with one IP address assigned per typical user, a few thousand probes across a known DSL or cable subnet can yield a rich collection of potential targets.  Since the address space of IPv6 is so much larger and sparsely populated than IPv4, blind portscanning of subnets becomes impractical since a typical IPv6 subnet contains quintillions of addresses hosting a relatively small number of end devices.

Despite the sensible security posture of IPv6, a network based firewall provides additional protections by thwarting attacks at the network perimeter, analyzing connection context and allowing greater control of policy and analytics.  An IPv6 Quick Start Guide for the Cisco ASA can be found in the World IPv6 Day – IPv6 Transition community at the Cisco Support Forums.  Please visit this forum and ask questions.  Overcome your fear of running IPv6 and start reaping the benefits of running IPv6 on your own network in time for World IPv6 Day.

Tags: ,


A few weeks ago, we introduced a new tool for network operators called mediatrace. On the router and switches, a mediatrace report presents several stanzas of data collected along a particular path. While the report is useful, there is a very high information density and the network operator could overlook an important item at a casual glance.

Mediascope was created as an intern project at Cisco to help in the visualization of mediatrace data. Mediascope uses the IOS Web Services Management Agent (WSMA) interface to execute mediatrace commands. As a flash based tool, mediascope can be hosted on a regular web server in your network and be available for general users (well except for ipad/iphone!).

The user initially logs into the mediascope tool with a mediascope specific password. Then the target router is identified and credentials for that node are provided. At this point, the user can ask mediascope to dynamically configure IOS performance monitor to discover the flows traversing the target router. The discovered flows are dynamically displayed in a list allowing the user to select the interesting flow and then continue on to the specific metrics to be gathered (lower part of Figure 1 below).

Figure 1. Mediascope Flow selection and Data Retrieval Selection

Figure 2. Mediascope Result Visualization

In Figure 2, we can see the result of the mediatrace run. Note from Figure 1 that the y-axis in the chart is selectable, as are the meanings of the color. In our example, the height of the circles conveys number of IP packets seen for the monitored flow, size conveys CPU utilization, and conditional coloring based on number of packets lost and jitter values. Of course, a much simpler chart could be constructed, but we wanted to show how easily very dense information could be represented.

Using the chart the operator is able to quickly identify the node that is at high CPI, but also the node that seems to be seeing packet loss.

We had a lot of fun creating mediascope. Check out our multi-language demos on YouTube!  We invite you to make your own audio version- with the challenge of no English words at all. I’m hoping we’ll see one in Klingon soon!

Mediascope demo: English German Spanish

Mediascope is open sourced under the BSD license.

Tags: , , , , , , ,

On Consumerisation, Spatial Streams and Why RF Matters

The devil, as they say, is in the details.

One of the key tenets of engineering is to reduce complexity, but in doing so it is important to understand the implications. While we might try to view one technology as it relates to another to help us simplify the details, it is important that we recognise how and where they differ.

Case in point.

When it comes to wireless networks, I often talk about how there are two questions I dislike being asked more than any others:

  1. How many clients can connect to an access point?
  2. What is the maximum range of an access point?

The reason is that I believe they are the wrong questions. They are being asked from perspective of someone trying to relate to a wireless network as if it were a wired network. What they are really asking is “how many switch ports do I need to cover this area?”

But wireless networks are not switched networks. While each connected device in a wired network has its own physical cable, and thereby its own gigabit Ethernet link, in a wireless network, every device connected to a particular access point shares the same RF spectrum, the same total available bandwidth.

For a standard access point in today’s deployments, that means a maximum total bandwidth of 144Mbps on the 2.4GHz band with a 20MHz channel and 300Mbps on the 5GHz band with a 40MHz channel using channel bonding.

But that is an over simplification.

Those aggregate bandwidths assume each client is connected at the highest available data rate. As we increase range, however, the data rate decreases, thereby reducing the overall channel utilisation. Therefore, with fewer access points, we are not just sharing a limited amount of bandwidth with more clients, but we are actually reducing the total available bandwidth.

Interference, particularly as access points cover larger areas, becomes an even greater issue. An increase in the signal to noise ratio leads to a decrease in the maximum sustainable data rate. This again reduces the overall channel utilisation.  The key here is that a wireless network’s ability to not only detect, but where possible mitigate interference is critical to its ability to sustain higher data rates and maximise the total available bandwidth in each cell.

All this assumes that the wireless clients connecting to the network are even capable of supporting those high data rates.

Most smartphones on the market today support only 802.11g in the 2.4GHz band, meaning that at most they can support 54Mbps.

Newer devices, such as the iPhone 4, support 802.11n, but only in 2.4GHz, and only with a single antenna, limiting them to a single “spatial stream”—in simple terms that means the maximum data rate they can support is 72Mbps.

This applies to tablet devices as well. While the new iPad2 supports 802.11n in both the 2.4GHz and 5GHz band, it too is limited to a single spatial stream. The Cius goes one step further with support for channel bonding in 5GHz, increasing the maximum data rate to 150Mbps.

Interestingly, we are now starting to see new access points enter the market using Atheros’ first-generation silicon supporting three spatial streams. While this increases the maximum data rate in the 5GHz band to 450Mbps, as we have just seen, this will have no impact on the multitude of mobile devices given their single spatial stream limitation.

Three spatial streams represents a key milestone for the 802.11 standard, and will become increasingly important over the next 2 to 3 years as battery technology improves and wireless chipsets incorporate better power saving designs. Of course, by that time we will be looking at access points supporting four spatial streams and 600Mbps—and again, be waiting for the mobile devices to catch up.

Adding to the complexity in all this are the applications these devices are running across the network. From FaceTime and Skype, to Business Video and Personal Telepresence, voice, and video in particular, are replacing data as the primary traffic type. However, the wireless networks that have been built over the last several years were not designed for voice and video, and certainly not at the device densities we are now seeing.

As we look to support these many different mobile devices entering the market today along with their high bandwidth applications, clearly the two key areas we must consider in our wireless network designs are access point density to control cell sizes, and interference detection and mitigation capabilities to ensure that we maximise the channel utilisation in each cell.

And so, I’d like to propose two different questions to consider at the start of a wireless deployment:

  1. How many different devices do you expect to connect to the wireless network?
  2. And what are the applications that will run across the network and what are their associated bandwidth requirements?

Wireless and wired networks fundamentally differ at the physical layer. While its not necessarily important to understand the details of RF communications, it is important to understand the implications.

RF Matters.

Stay mobile. Stay secure.


Tags: , , , , , , , ,

IPv6 MTU Gotchas and other ICMP issues

From my home network, I can successfully ping or traceroute to some IPv6 hosts, but I cannot subsequently open a web page or use other applications with it.  How can this be?  Maximum Transmission Unit (MTU) gotchas…


There is a subtle difference between IPv4 and IPv6 fragmentation strategies. IPv4 routers fragment traffic in the network when needed and then the receiving host reassembles those fragments.  This generally works well, but there are a number of potential issues.  Because of these issues, the IETF developed means for higher layer protocols such as TCP to determine the smallest MTU on a path and send appropriately sized datagrams in order to avoid fragmentation. The IPv6 designers presumed the presence of this Path MTU Discovery so that in IPv6, fragmentation no longer happens in the network but only at the hosts – and then only in special cases in that absolutely require it.

Read More »

Tags: , ,