
Cisco 5700 Series Wireless LAN Controllers

Wireless LAN Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 5700 Switches)

Support for AVC on Wireless LAN


Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques with the Network-Based Application Recognition (NBAR2) engine, and provides application-level visibility and control into Wi-Fi networks. After the applications are recognized, the AVC feature enables you to either drop or mark the data traffic.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Support for AVC on Wireless LAN

  • AVC is supported on WLANs configured for central switching only.
  • IPv6 traffic classification, including ICMPv6, is not supported.
  • Datalink is not supported for NetFlow fields for AVC.
  • Multicast traffic is not supported.
  • The template timeout cannot be modified on exporters configured with AVC. Even if the template timeout value is configured to a different value, only the default value of 600 seconds is used.

Information About Support for Cisco Application Visibility and Control on Wireless LAN

AVC on Wireless LAN Overview

The Application Visibility and Control (AVC) solution for wireless networks identifies more than 1000 business- or consumer-class applications using deep packet inspection (DPI). AVC support embedded within the WLAN infrastructure extends this into an end-to-end solution, which gives complete visibility of applications in the network and allows administrators to do one of the following:

  • Mark applications for further prioritization.
  • Block applications for security reasons.
  • Conserve limited network bandwidth.

Components of an Application Visibility and Control Network

The Application Visibility and Control feature consists of the following components:

  • Cisco Network-Based Application Recognition Version 2 (NBAR2): a next-generation DPI technology that identifies more than 1000 applications and supports application categorization, with the ability to update the protocol definition.
  • Cisco NetFlow v9: selects and exports data of interest, allowing easy consumption of application performance statistics by Cisco and third-party applications.
  • Cisco Prime™ Infrastructure: an enterprise-grade infrastructure and service-monitoring tool that reports application and network performance to facilitate up to 30 different reports for application visibility.

Benefits for Support for AVC on Wireless LAN

  • Improved quality of experience for all wireless users through application-level optimization and control.
  • Proactive monitoring and end-to-end application visibility to accelerate troubleshooting and minimize network downtime.
  • Network capacity management and planning through greater visibility of application usage and performance.
  • Prioritization of business-critical applications and sub-flows like Cisco Jabber voice or IM sessions.

How to Configure Support for AVC on Wireless LAN

Creating a Flow Record

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    flow record flow_record_name

    4.    description flow_record_description

    5.    match ipv4 {protocol | source address | destination address}

    6.    match transport {source-port | destination-port}

    7.    match application name

    8.    match wireless ssid

    9.    collect counter {bytes | packets} long

    10.    collect wireless {ap | client} mac address

    11.    end


DETAILED STEPS
      Command or Action Purpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 flow record flow_record_name


    Example:
    Device(config)# flow record fr_name
    Device(config-flow-record)#
     
    Enters flow record configuration mode.  
    Step 4 description flow_record_description


    Example:
    Device(config-flow-record)# description fr_desc
    
     

    (Optional) Describes the flow record as a maximum 63-character string.

     
    Step 5 match ipv4 {protocol | source address | destination address}


    Example:
    Device(config-flow-record)# match ipv4 protocol
    Device(config-flow-record)# match ipv4 source address
    Device(config-flow-record)# match ipv4 destination address
     
    • Specifies a match to the IPv4 protocol.
    • Specifies a match to the IPv4 source address-based field.
    • Specifies a match to the IPv4 destination address-based field.
     
    Step 6 match transport {source-port | destination-port}


    Example:
    Device(config-flow-record)# match transport source-port
    Device(config-flow-record)# match transport destination-port
    
     
    • Specifies a match to the transport layer source-port field.
    • Specifies a match to the transport layer destination-port field.
     
    Step 7 match application name


    Example:
    Device(config-flow-record)# match application name
    
    
     
    • Specifies a match to the application name.
     
    Step 8 match wireless ssid


    Example:
    Device(config-flow-record)# match wireless ssid
    
    
     
    • Specifies a match to the SSID name identifying the wireless network.
     
    Step 9 collect counter {bytes | packets} long


    Example:
    Device(config-flow-record)# collect counter bytes long
    Device(config-flow-record)# collect counter packets long
    
    
     
    • Collects the total bytes counter field.
    • Collects the total packets counter field.
     
    Step 10 collect wireless {ap | client} mac address


    Example:
    Device(config-flow-record)# collect wireless ap mac address
    Device(config-flow-record)# collect wireless client mac address
    
    
     
    • Collects the MAC address of the access point that the wireless client is associated with.
    • Collects the MAC address of the client on the wireless network.
     
    Step 11 end


    Example:
    Device(config-flow-record)# end
     

    Leaves global configuration mode and returns to privileged EXEC mode.

     

    Creating a Flow Exporter

    You can create a flow exporter to define the export parameters for a flow. This is an optional procedure for configuring flow parameters.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    flow exporter flow_exporter_name

      4.    description string

      5.    destination {hostname | ip-address}

      6.    transport udp port-value

      7.    option application-table timeout seconds

      8.    option usermac-table timeout option_resend_time

      9.    end


    DETAILED STEPS
        Command or Action Purpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 flow exporter flow_exporter_name


      Example:
      Device(config)# flow exporter fe_name
      Device(config-flow-exporter)#
       
      Enters flow exporter configuration mode.  
      Step 4 description string


      Example:
      Device(config-flow-exporter)# description fe_desc
       

      Describes the flow exporter as a maximum 63-character string.

       
      Step 5 destination {hostname | ip-address}


      Example:
      Device(config-flow-exporter)# destination 192.0.2.1
       
      Specifies the hostname or IPv4 address of the system to which the exporter sends data.  
      Step 6 transport udp port-value


      Example:
      Device(config-flow-exporter)# transport udp 2
       
      Configures a port value for the UDP protocol. The range is from 1 to 65535.  
      Step 7 option application-table timeout seconds


      Example:
      Device(config-flow-exporter)# option application-table timeout 500
       
      (Optional) Specifies application table timeout option. The valid range is from 1 to 86400 seconds.  
      Step 8 option usermac-table timeout option_resend_time


      Example:
      Device(config-flow-exporter)# option usermac-table timeout 1000
       
      (Optional) Specifies wireless usermac-to-username table option. The range is from 1 to 86400 seconds.  
      Step 9 end


      Example:
      Device(config-flow-exporter)# end
       

      Leaves global configuration mode and returns to privileged EXEC mode.

       

      Creating a Flow Monitor

      You can create a flow monitor and associate it with a flow record and a flow exporter.
      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    flow monitor flow_monitor_name

        4.    description flow_monitor_description

        5.    record flow_record-name

        6.    exporter flow-exporter-name

        7.    cache timeout {active | inactive} seconds

        8.    end

        9.    show flow monitor flow-monitor-name


      DETAILED STEPS
          Command or Action Purpose
        Step 1 enable


        Example:
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 flow monitor flow_monitor_name


        Example:
        Device(config)# flow monitor fm_name
        Device(config-flow-monitor)#
         

        Creates a flow monitor and enters flow monitor configuration mode.

         
        Step 4 description flow_monitor_description


        Example:
        Device(config-flow-monitor)# description fm_desc
         

        (Optional) Describes the flow monitor as a maximum 63-character string.

         
        Step 5 record flow_record-name


        Example:
        Device(config-flow-monitor)# record fr_name
         

        Specifies the name of a flow record that was created previously.

         
        Step 6 exporter flow-exporter-name


        Example:
        Device(config-flow-monitor)# exporter fe_name
        
         

        Specifies the name of an exporter that was created previously.

         
        Step 7 cache timeout {active | inactive} seconds


        Example:
        Device(config-flow-monitor)# cache timeout active 1800
        Device(config-flow-monitor)# cache timeout inactive 200
        
        
         

        Specifies flow cache timeout parameters. You can configure for a time period of 1 to 604800 seconds.

        Note   

        To achieve optimal results for the AVC flow monitor, it is recommended that you configure the inactive cache timeout value to be greater than 90 seconds.

         
        Step 8 end


        Example:
        Device(config-flow-monitor)# end
         

        Leaves global configuration mode and returns to privileged EXEC mode.

         
        Step 9 show flow monitor flow-monitor-name


        Example:
        Device# show flow monitor fm_name
         
         

        Configuring Wireless LAN to Apply Flow Monitor

        You can configure a wireless LAN to apply a flow monitor in the IPv4 and IPv6 input/output direction.
        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    wlan wlan-name wlan-id

          4.    ip flow monitor flow-monitor-name {input | output}

          5.    end


        DETAILED STEPS
            Command or Action Purpose
          Step 1 enable


          Example:
          Device> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.
           
          Step 2 configure terminal


          Example:
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 3 wlan wlan-name wlan-id


          Example:
          Device(config)# wlan wlan-name 11
          Device(config-wlan)#
           

          Enters WLAN configuration submode. For wlan-id, enter the WLAN ID. The range is 1 to 512.

           
          Step 4 ip flow monitor flow-monitor-name {input | output}


          Example:
          Device(config-wlan)# ip flow monitor fm_name input
          Device(config-wlan)# ip flow monitor fm_name output
          
           

          Associates a flow monitor to the WLAN for input or output packets.

           
          Step 5 end


          Example:
          Device(config-wlan)# end
           

          Leaves global configuration mode and returns to privileged EXEC mode.

           

          Monitoring Application Visibility and Control

          The following commands can be used to monitor application visibility and control on the device.
          SUMMARY STEPS

            1.    show avc client client-mac top n application [aggregate|upstream|downstream]

            2.    show avc wlan ssid top n application [aggregate|upstream|downstream]

            3.    show flow monitor flow_monitor_name cache


          DETAILED STEPS
            Step 1   show avc client client-mac top n application [aggregate|upstream|downstream]


            Example:
            Cumulative Stats:
            No.  AppName    Packet-Count    Byte-Count    AvgPkt-Size    usage%
            ---------------------------------------------------------------------
            1    skinny     7343            449860        61             94
            2    unknown    99              13631         137            3
            3    dhcp       18              8752          486            2
            4    http       18              3264          181            1
            5    tftp       9               534           59             0
            6    dns        2               224           112            0
            
            Last Interval(90 seconds) Stats:
            No.  AppName    Packet-Count    Byte-Count    AvgPkt-Size    usage%
            ---------------------------------------------------------------------
            1    skinny     9               540           60             100
            

            Displays information about top “n” applications for the given client MAC.

            Step 2   show avc wlan ssid top n application [aggregate|upstream|downstream]


            Example:
            Device# show avc wlan Lobby_WLAN top 10 application aggregate
            Cumulative Stats:
            No.  AppName    Packet-Count    Byte-Count    AvgPkt-Size    usage%
            ---------------------------------------------------------------------
            1    ssl        10598677        1979525706    997            42
            2    vnc        5550900         3764612847    678            14
            3    http       3043131         2691327197    884            10
            4    unknown    1856297         1140264956    614            4
            5    video-over-http 1625019    2063335150    1269           8
            6    binary-over-http 1329115   1744190344    1312           6
            7    webex-meeting 1146872      540713787     471            2
            8    rtp        923900          635650544     688            2
            9    unknown    752341          911000213     1210           3
            10   youtube    631085          706636186     1119           3
            
            
            
            Last Interval(90 seconds) Stats:
            No.  AppName    Packet-Count    Byte-Count    AvgPkt-Size    usage%
            ---------------------------------------------------------------------
            1    vnc        687093          602731844     877            68
            2    video-over-http 213272     279831588     1312           31
            3    ssl        6515            5029365       771            1
            4    webex-meeting 3649         1722663       472            0
            5    http       2634            1334355       506            0
            6    unknown    1436            99412         69             0
            7    google-services 722        378121        523            0
            8    linkedin   655             393263        600            0
            9    exchange   432             167390        387            0
            10   gtalk-chat 330             17330         52             0
            

            Displays information about top “n” applications for the given SSID.

            Step 3   show flow monitor flow_monitor_name cache


            Example:
            Device# show flow monitor FLOW-MONITOR-1
            Flow Monitor FLOW-MONITOR-1:
              Description:        Used for basic traffic analysis
              Flow Record:        flow-record-1
              Flow Exporter:      flow-exporter-1
                                  flow-exporter-2
              Cache:
                Type:             normal
                Status:           allocated
                Size:             4096 entries / 311316 bytes
                Inactive Timeout: 15 secs
                Active Timeout:   1800 secs
                Update Timeout:   1800 secs

            Displays information about flow monitors.
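The `show avc wlan` output above can be reduced to per-application byte shares for review. The following is an added example, not part of the Cisco guide: it parses an abridged copy of the page's sample output, merges rows that repeat an application name (`unknown` appears twice), and flags watched applications. The watch list, the 5% threshold and all function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Abridged from the "show avc wlan Lobby_WLAN top 10 application aggregate"
# output on this page (last-interval table cut to its first three rows).
SAMPLE = """\
Cumulative Stats:
No.  AppName    Packet-Count    Byte-Count    AvgPkt-Size    usage%
---------------------------------------------------------------------
1    ssl        10598677        1979525706    997            42
2    vnc        5550900         3764612847    678            14
3    http       3043131         2691327197    884            10
4    unknown    1856297         1140264956    614            4
5    video-over-http 1625019    2063335150    1269           8
6    binary-over-http 1329115   1744190344    1312           6
7    webex-meeting 1146872      540713787     471            2
8    rtp        923900          635650544     688            2
9    unknown    752341          911000213     1210           3
10   youtube    631085          706636186     1119           3

Last Interval(90 seconds) Stats:
No.  AppName    Packet-Count    Byte-Count    AvgPkt-Size    usage%
---------------------------------------------------------------------
1    vnc        687093          602731844     877            68
2    video-over-http 213272     279831588     1312           31
3    ssl        6515            5029365       771            1
"""

# Rows are whitespace separated; long names run into the next column,
# so split on whitespace instead of fixed column offsets.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
WATCH = {"unknown", "vnc"}  # assumption: applications this site wants reviewed


def parse_avc(text):
    """Return {"cumulative": [...], "last_interval": [...]} of row dicts."""
    sections, current = {}, None
    for line in text.splitlines():
        head = line.strip().lower()
        if head.startswith("cumulative stats"):
            current = sections.setdefault("cumulative", [])
        elif head.startswith("last interval"):
            current = sections.setdefault("last_interval", [])
        elif current is not None and (m := ROW.match(line)):
            rank, app, pkts, byts, avg, pct = m.groups()
            current.append({"rank": int(rank), "app": app,
                            "packets": int(pkts), "bytes": int(byts),
                            "avg_pkt": int(avg), "usage_pct": int(pct)})
    return sections


def bytes_by_app(rows):
    """Sum byte counts per application, merging repeated names."""
    totals = defaultdict(int)
    for row in rows:
        totals[row["app"]] += row["bytes"]
    return dict(totals)


def flag_apps(rows, watch=WATCH, min_share=0.05):
    """Watched apps whose share of the listed bytes is >= min_share."""
    totals = bytes_by_app(rows)
    listed = sum(totals.values())
    if not listed:
        return []
    hits = [(app, totals[app] / listed) for app in totals
            if app in watch and totals[app] / listed >= min_share]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for name, rows in parse_avc(SAMPLE).items():
        for app, share in flag_apps(rows):
            print(f"{name}: {app} carries {share:.1%} of listed bytes")
```

The share is computed over the rows listed in the top-n table only, so it is an upper bound on the application's share of all WLAN traffic.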


            Clearing Application Visibility and Control Statistics

            The following commands can be used to clear the statistics of application visibility and control.
            SUMMARY STEPS

              1.    clear avc client mac statistics

              2.    clear avc wlan ssid-name statistics


            DETAILED STEPS
                Command or Action Purpose
              Step 1 clear avc client mac statistics


              Example:
              Device# clear avc client mac statistics
               

              Clears the statistics per client.

               
              Step 2 clear avc wlan ssid-name statistics


              Example:
              Device# clear avc wlan ssid-name statistics
               

              Clears the statistics per WLAN.

               

              Configuration Examples for Support for AVC on Wireless LAN

              Example Configuring Support for AVC on Wireless LAN

              This example shows how to create a flow record, create a flow monitor, apply the flow record to the flow monitor, and apply the flow monitor on a WLAN:

              Device(config)# flow record fr_v4
              Device(config-flow-record)# match ipv4 protocol
              Device(config-flow-record)# match ipv4 source address
              Device(config-flow-record)# match ipv4 destination address
              Device(config-flow-record)# match transport destination-port
              Device(config-flow-record)# match flow direction
              Device(config-flow-record)# match application name
              Device(config-flow-record)# match wireless ssid
              Device(config-flow-record)# collect counter bytes long
              Device(config-flow-record)# collect counter packets long
              Device(config-flow-record)# collect wireless ap mac address
              Device(config-flow-record)# collect wireless client mac address
              Device(config-flow-record)# end
              
              Device# configure terminal
              Device(config)# flow monitor fm_v4
              Device(config-flow-monitor)# record fr_v4
              Device(config-flow-monitor)# cache timeout active 1800
              Device(config-flow-monitor)# end
              
              Device# configure terminal
              Device(config)# wlan wlan1
              Device(config-wlan)# ip flow monitor fm_v4 input
              Device(config-wlan)# ip flow monitor fm_v4 output
              Device(config-wlan)# end
              
              Device# show flow monitor fm_v4 cache
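A flow monitor that names a missing record or exporter, or a WLAN that names a missing monitor, is easy to overlook in a long configuration. The following is an added example, not part of the Cisco guide: a small offline check that cross-references those names and applies the value ranges this guide states. The sample configuration is constructed, and the function and variable names are assumptions.

```python
import re

# Constructed sample with four deliberate problems (lines 7, 11, 13, 16).
SAMPLE = """\
flow record fr_v4
 match application name
 match wireless ssid
 collect counter bytes long
flow exporter fe_v4
 destination 192.0.2.1
 transport udp 70000
 option application-table timeout 500
flow monitor fm_v4
 record fr_v4
 exporter fe_name
 cache timeout active 1800
 cache timeout inactive 60
wlan wlan1 11
 ip flow monitor fm_v4 input
 ip flow monitor fm-v4 output
"""

# Strips a leading "Device(config-...)# " prompt so pasted sessions also work.
PROMPT = re.compile(r"^\s*\w+\s*(\([\w-]+\))?\s*#\s*")
DEFINE = re.compile(r"^(flow (?:record|exporter|monitor)|wlan) (\S+)(?: (\d+))?$")
RANGES = [  # (pattern, label, low, high): limits as stated in this guide
    (r"transport udp (\d+)$", "UDP port", 1, 65535),
    (r"option (?:application|usermac)-table timeout (\d+)$", "option timeout", 1, 86400),
    (r"cache timeout (?:active|inactive) (\d+)$", "cache timeout", 1, 604800),
]
REFS = [  # (pattern, kind that must be defined, block the command lives in)
    (r"record (\S+)$", "flow record", "flow monitor"),
    (r"exporter (\S+)$", "flow exporter", "flow monitor"),
    (r"ip flow monitor (\S+) (?:input|output)$", "flow monitor", "wlan"),
]


def lint(text):
    """Return [(line_no, severity, message)] for an AVC flow configuration."""
    cmds = [(n, PROMPT.sub("", raw).strip())
            for n, raw in enumerate(text.splitlines(), 1)]
    cmds = [(n, c) for n, c in cmds if c]
    defined = {(m.group(1), m.group(2)) for _, c in cmds if (m := DEFINE.match(c))}
    findings, ctx = [], None
    for n, c in cmds:
        if c in ("end", "exit"):
            ctx = None
        elif (m := DEFINE.match(c)):
            ctx = m.group(1)
            if ctx == "wlan" and m.group(3) and not 1 <= int(m.group(3)) <= 512:
                findings.append((n, "error", f"WLAN ID {m.group(3)} outside 1-512"))
            continue
        if c.startswith("description ") and len(c) - len("description ") > 63:
            findings.append((n, "error", "description longer than 63 characters"))
        for pat, label, lo, hi in RANGES:
            if (m := re.match(pat, c)) and not lo <= int(m.group(1)) <= hi:
                findings.append((n, "error", f"{label} {m.group(1)} outside {lo}-{hi}"))
        if (m := re.match(r"cache timeout inactive (\d+)$", c)) and int(m.group(1)) <= 90:
            findings.append((n, "warn", "inactive cache timeout should be greater than 90 seconds"))
        for pat, kind, where in REFS:
            if ctx == where and (m := re.match(pat, c)) and (kind, m.group(1)) not in defined:
                findings.append((n, "error", f"{kind} {m.group(1)} is not defined"))
    return findings


if __name__ == "__main__":
    for line_no, severity, message in lint(SAMPLE):
        print(f"line {line_no}: {severity}: {message}")
```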
              

              Additional References for Support for AVC on Wireless LAN

              Related Documents

              Related Topic: Document Title

              • Cisco IOS commands: Cisco IOS Master Commands List, All Releases
              • Overview of Cisco IOS NetFlow: Cisco IOS NetFlow Overview
              • List of the features documented in the Cisco IOS NetFlow Configuration Guide: Cisco IOS NetFlow Features Roadmap
              • The minimum information about and tasks required for configuring NetFlow and NetFlow Data Export: Getting Started with Configuring NetFlow and NetFlow Data Export
              • Tasks for configuring NetFlow to capture and export network traffic data: Configuring NetFlow and NetFlow Data Export
              • Tasks for configuring NetFlow multicast support: Configuring NetFlow Multicast Accounting
              • Tasks for detecting and analyzing network threats with NetFlow: Detecting and Analyzing Network Threats With NetFlow
              • Tasks for configuring Cisco NBAR: Classifying Network Traffic Using NBAR
              • NBAR commands: Cisco IOS Quality of Service Solutions Command Reference

              Standards

              No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

              MIBs

              None. No new MIBs were created for this feature.

              MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

              http://www.cisco.com/go/mibs

              RFCs

              No new or modified RFCs are supported by this feature.

              Technical Assistance

              The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

              Link: http://www.cisco.com/cisco/web/support/index.html

              Feature Information for Support for AVC on Wireless LAN

              The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

              Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

              Table 1 Feature Information for Support for AVC on Wireless LAN

              Feature Name: Support for AVC on Wireless LAN

              Releases: Cisco IOS XE Release 3.3SE

              Feature Information: The Cisco Application Visibility and Control (AVC) solution for wireless networks identifies more than 1000 business- or consumer-class applications using deep packet inspection (DPI).

              The following commands are introduced or modified in the feature documented in this module:
              • flow record record_name
              • flow exporter flow_exporter_name
              • flow monitor flow_monitor_name