With the increase
in emerging technologies such as VoIP/IP telephony, video, data warehousing,
sales force
automation, customer relationship management, call centers,
procurement, and human resources management, network management systems are
required that allow you to identify traffic per application. Several years ago,
this was a relatively easy task, because there were several different
transmission protocols: TCP for UNIX communication, IPX for Novell file server
sharing, SNA for mainframe sessions, and so on. The consolidation toward IP
eliminated several of these protocols but introduced a new challenge for the
network operator: how to distinguish between various
applications if they all
use IP. Collecting different interface counters was not good enough any more.
From a monitoring point, it got worse. These days most server applications have
a Web graphical user interface (GUI), and most traffic on the network is based
on HTTP. In this case, traffic
classification for deploying different service
classes requires deep packet inspection, which some accounting techniques offer.
Because of these changes, we need a new methodology to collect
application-specific details, and accounting is the chosen technology. An
example is Cisco Network-Based Application Recognition (NBAR), which is
described in Chapter 10, "NBAR."
The collected accounting information can
help you do the following:
Monitor and profile applications:
- In the entire network
- Over specific expense links
Monitor application usage per group or individual user
Deploy QoS and assign applications to
different classes of service
Assemble a traffic matrix based on
application usage
A collection of application-specific
details is also very useful for network baselining. Running an audit for the
first time sometimes leads to surprises, because more applications are active on
the network than the administrator expected. Application monitoring is also a
prerequisite for QoS deployment in the network. To classify applications in
different classes, their specific requirements should be studied in advance, as
well as the communication patterns and a traffic matrix per application.
Real-time applications such as voice and video require tight SLA parameters,
whereas e-mail and backup traffic would accept best-effort support without a
serious impact.
The next question to address is how to
identify a specific application on the network.
In most environments, applications fall into the following
distinct categories:
Applications that can be identified by
TCP or UDP port number. These are either "well-known" (0 through 1023) or
registered port numbers (1024 through 49151). They are assigned by the Internet
Assigned Numbers Authority (IANA).
Applications that use dynamic
and/or private application port numbers (49152 through 65535), which are
negotiated before connection establishment and sometimes are changed dynamically
during the session.
Applications that are identified via the
type of service (ToS) bit. Examples such as voice and videoconferencing (IPVC)
can be identified via the TOS value.
Subport classification of the following:
- HTTP: URLs, MIME (Multipurpose Internet Mail Extension) types
or hostnames
- Citrix applications: traffic based on published application
name
Classification based on the
combination of packet inspection and multiple application-specific attributes.
RTP Payload Classification is based on this algorithm, in which the packet is
classified as RTP based on multiple attributes in the RTP header.
In some of these cases, deeper packet
inspection is needed. This can be performed by Cisco NBAR, for example.
Figure 1-7 displays
traffic details per application, aggregated over tim