Consolidated Platform Configuration Guide, Cisco IOS XE 3.3SE (Catalyst 3850 Switches)
Configuring Application Visibility and Control

Configuring Application Visibility and Control

Finding Feature Information

Your software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http:/​/​www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Information About Application Visibility and Control

Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques with the Network-Based Application Recognition engine, and provides application-level visibility and control into Wi-Fi networks. After the applications are recognized, the AVC feature enables you to either drop or mark the data traffic.

AVC can detect more than 1000 applications. It enables real-time analysis and lets you create policies that reduce network congestion, costly network link usage, and infrastructure upgrades.

AVC DSCP marking changes only the DSCP of the original (inner) packet on the controller, in both the upstream and downstream directions; it does not affect the DSCP of the outer CAPWAP header. AVC DSCP marking is applied only after the application has been classified. For example, if the AVC profile classifies an application as ftp or http, the corresponding DSCP marking is applied regardless of the WLAN QoS setting. For downstream traffic, the DSCP value of the outer CAPWAP header and the DSCP of the inner packet are taken from the AVC DSCP. WLAN QoS applies only to traffic sent from the WLC to the AP through CAPWAP and does not change the DSCP of the original packet.

Restrictions for Application Visibility and Control

Configuring Application Visibility and Control (CLI)

To configure AVC, follow these general steps:
  1. Create a flow record by specifying keys and non-key fields to the flow.
  2. (Optional) Create a flow exporter that defines the collector destination and UDP port to which flow data is exported.
  3. Create a flow monitor based on the flow record and flow exporter.
  4. Configure WLAN to apply flow monitor in IPv4 input or output direction.

Creating a Flow Record

By default, a flow record named wireless avc basic is available. When you click Apply in the GUI, this record is mapped to the flow monitor.

The default flow record cannot be edited or deleted. If you require a different flow record, create one and map it to the flow monitor from the CLI.

SUMMARY STEPS

    1.    configure terminal

    2.    flow record flow_record_name

    3.    description string

    4.    match ipv4 protocol

    5.    match ipv4 source address

    6.    match ipv4 destination address

    7.    match transport source-port

    8.    match transport destination-port

    9.    match flow direction

    10.    match application name

    11.    match wireless ssid

    12.    collect counter bytes long

    13.    collect counter packets long

    14.    collect wireless ap mac address

    15.    collect wireless client mac address

    16.    end


DETAILED STEPS
      Command or Action Purpose
    Step 1 configure terminal


    Example:
    Switch# configure terminal
     

    Enters global configuration mode.

     
    Step 2 flow record flow_record_name


    Example:
    Switch(config)# flow record record1
    Switch (config-flow-record)#
    
     

    Enters flow record configuration mode.

     
    Step 3 description string


    Example:
    Switch(config-flow-record)# description IPv4flow
    
     

    (Optional) Describes the flow record as a maximum 63-character string.

     
    Step 4 match ipv4 protocol


    Example:
    Switch (config-flow-record)# match ipv4 protocol
    
     

    Specifies a match to the IPv4 protocol.

     
    Step 5 match ipv4 source address


    Example:
    Switch (config-flow-record)# match ipv4 source address
    
     

    Specifies a match to the IPv4 source address-based field.

     
    Step 6 match ipv4 destination address


    Example:
    Switch (config-flow-record)# match ipv4 destination address
    
     

    Specifies a match to the IPv4 destination address-based field.

     
    Step 7 match transport source-port


    Example:
    Switch (config-flow-record)# match transport source-port
    
     

    Specifies a match to the transport layer source-port field.

     
    Step 8 match transport destination-port


    Example:
    Switch (config-flow-record)# match transport destination-port
    
     

    Specifies a match to the transport layer destination-port field.

     
    Step 9 match flow direction


    Example:
    Switch (config-flow-record)# match flow direction
    
     

    Specifies a match to the direction the flow was monitored in.

     
    Step 10 match application name


    Example:
    Switch (config-flow-record)# match application name
    
     

    Specifies a match to the application name.

     
    Step 11 match wireless ssid


    Example:
    Switch (config-flow-record)# match wireless ssid
    
     

    Specifies a match to the SSID name identifying the wireless network.

     
    Step 12 collect counter bytes long


    Example:
    Switch (config-flow-record)# collect counter bytes long
    
     

    Specifies to collect counter fields total bytes.

     
    Step 13 collect counter packets long


    Example:
    Switch (config-flow-record)# collect counter packets long
    
     

    Specifies to collect counter fields total packets.

     
    Step 14 collect wireless ap mac address


    Example:
    Switch (config-flow-record)# collect wireless ap mac address
    
     

    Specifies to collect the BSSID with MAC addresses of the access points that the wireless client is associated with.

     
    Step 15 collect wireless client mac address


    Example:
    Switch (config-flow-record)# collect wireless client mac address
    
     

    Specifies to collect MAC address of the client on the wireless network.

     
    Step 16 end


    Example:
    Switch(config-flow-record)# end
     

    Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

     

    Creating a Flow Exporter (Optional)

    You can create a flow exporter to define the export parameters (collector destination, transport port, and option tables) for a flow. This is an optional procedure for configuring flow parameters.

    SUMMARY STEPS

      1.    configure terminal

      2.    flow exporter flow_exporter_name

      3.    description string

      4.    destination {hostname | ip-address}

      5.    transport udp port-value

      6.    option application-table timeout seconds (optional)

      7.    option usermac-table timeout seconds (optional)

      8.    end

      9.    show flow exporter



    DETAILED STEPS
        Command or Action Purpose
      Step 1 configure terminal


      Example:
      Switch# configure terminal
       

      Enters global configuration mode.

       
      Step 2 flow exporter flow_exporter_name


      Example:
      Switch(config)# flow exporter record1
      Switch (config-flow-exporter)#
      
       

      Enters flow exporter configuration mode.

       
      Step 3 description string


      Example:
      Switch(config-flow-exporter)# description IPv4flow
      
       

      (Optional) Describes the flow exporter as a maximum 63-character string.

       
      Step 4 destination {hostname | ip-address}


      Example:
      Switch (config-flow-exporter) # destination 10.99.1.4
       

      Specifies the hostname or IPv4 address of the system to which the exporter sends data.

       
      Step 5 transport udp port-value


      Example:
      Switch (config-flow-exporter) # transport udp 2
       

      Specifies the UDP destination port on which the collector listens for exported flow data. Flow export is plain UDP with no authentication or encryption, so the collector should be reached over a trusted management network.

       
      Step 6 option application-table timeout seconds (optional)


      Example:
      Switch (config-flow-exporter)# option application-table timeout 500  
       

      (Optional) Specifies application table timeout option. The valid range is from 1 to 86400 seconds.

       
      Step 7 option usermac-table timeout seconds (optional)


      Example:
      Switch (config-flow-exporter)# option usermac-table timeout 1000  
       

      (Optional) Specifies the timeout for the wireless user-MAC-to-username table option. The valid range is from 1 to 86400 seconds.

       
      Step 8 end


      Example:
      Switch(config-flow-exporter)# end
       

      Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

       
      Step 9 show flow exporter


      Example:
      Switch# show flow exporter
       

      Verifies your configuration.

       

      Creating a Flow Monitor

      You can create a flow monitor and associate it with a flow record and a flow exporter.

      SUMMARY STEPS

        1.    configure terminal

        2.    flow monitor monitor-name

        3.    description description

        4.    record record-name

        5.    exporter exporter-name

        6.    cache timeout {active | inactive} (Optional)

        7.    end

        8.    show flow monitor


      DETAILED STEPS
          Command or Action Purpose
        Step 1 configure terminal


        Example:
        Switch# configure terminal
         

        Enters global configuration mode.

         
        Step 2 flow monitor monitor-name


        Example:
        Switch (config)# flow monitor flow-monitor-1
         

        Creates a flow monitor and enters flow monitor configuration mode.

         
        Step 3 description description


        Example:
        Switch (config-flow-monitor)# description flow-monitor-1
         

        Creates a description for the flow monitor.

         
        Step 4 record record-name


        Example:
        Switch (config-flow-monitor)# record flow-record-1
         

        Specifies the name of a flow record that was created previously.

         
        Step 5 exporter exporter-name


        Example:
        Switch (config-flow-monitor)# exporter flow-exporter-1
         

        Specifies the name of an exporter that was created previously.

         
        Step 6 cache timeout {active | inactive} (Optional)


        Example:
        Switch (config-flow-monitor)# cache timeout active 1800 
        Switch (config-flow-monitor)# cache timeout inactive 200 
         

        (Optional) Configures the flow cache active and inactive timeouts. The range for each timeout is 1 to 604800 seconds.

        Note    To achieve optimal result for the AVC flow monitor, we recommend you to configure the inactive cache timeout value to be greater than 90 seconds.
         
        Step 7 end


        Example:
        Switch(config-flow-monitor)# end
         

        Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

         
        Step 8 show flow monitor


        Example:
        Switch# show flow monitor
         

        Verifies your configuration.
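The cache timeouts in Step 6 decide how the switch turns a stream of packets into exported records, and the effect of the 90-second recommendation is easiest to see on a time line. The following toy flow cache is an added illustration written for this page, not Cisco code: it models the standard Flexible NetFlow semantics (an idle flow is exported and removed after the inactive timeout; a long-lived flow is exported and its counters restarted after the active timeout) and the flow key, addresses and packet sizes it uses are constructed values.

```python
"""Toy model of a Flexible NetFlow flow cache with active and inactive timeouts.

Added illustration, not Cisco code.  The timeout semantics are the standard
Flexible NetFlow ones: a flow idle for `inactive` seconds is exported and
removed; a flow resident for `active` seconds is exported and its counters
restarted even though it is still receiving packets.
"""
from dataclasses import dataclass


@dataclass
class FlowEntry:
    key: tuple          # the record's match fields, e.g. (proto, src, dst, dport, app, ssid)
    first_seen: int     # seconds; reset on each active-timeout export
    last_seen: int
    packets: int = 0
    bytes: int = 0


class FlowCache:
    def __init__(self, active_timeout: int, inactive_timeout: int):
        self.active = active_timeout
        self.inactive = inactive_timeout
        self.entries: dict = {}
        self.exported: list = []     # (reason, key, packets, bytes) records handed to the exporter

    def observe(self, now: int, key: tuple, size: int) -> None:
        """Account one packet of `size` bytes to the flow identified by `key`."""
        entry = self.entries.get(key)
        if entry is None:
            entry = FlowEntry(key, first_seen=now, last_seen=now)
            self.entries[key] = entry
        entry.last_seen = now
        entry.packets += 1
        entry.bytes += size

    def expire(self, now: int) -> list:
        """Run the periodic timeout sweep; return the records exported at `now`."""
        out = []
        for key, entry in list(self.entries.items()):
            if now - entry.last_seen >= self.inactive:
                out.append(("inactive", key, entry.packets, entry.bytes))
                del self.entries[key]               # idle flow: export and drop
            elif now - entry.first_seen >= self.active:
                out.append(("active", key, entry.packets, entry.bytes))
                entry.first_seen = now              # long-lived flow: export and restart counters
                entry.packets = 0
                entry.bytes = 0
        self.exported.extend(out)
        return out


# Constructed flow key mirroring the match fields of the record above (assumed values).
SAMPLE_KEY = (6, "10.1.1.10", "10.2.2.20", 443, "https", "corp-wifi")


def simulate(inactive_timeout: int, active_timeout: int, gap: int, count: int) -> list:
    """Feed `count` packets of one flow, `gap` seconds apart, and return the exported records.

    The timeout sweep runs just before each packet arrives and once more after
    the traffic stops, so every record is eventually exported."""
    cache = FlowCache(active_timeout, inactive_timeout)
    now = 0
    for i in range(count):
        now = i * gap
        cache.expire(now)
        cache.observe(now, SAMPLE_KEY, 1200)
    cache.expire(now + inactive_timeout)
    return cache.exported


if __name__ == "__main__":
    # Packets every 75 s: an inactive timeout of 60 s splits one flow into six
    # records, while the guide's 200 s keeps it as a single record.
    print(len(simulate(60, 1800, 75, 6)), len(simulate(200, 1800, 75, 6)))
    # One packet every 10 s for 4000 s: the 1800 s active timeout exports twice
    # mid-flow, then the inactive timeout flushes the remainder.
    print([rec[2] for rec in simulate(200, 1800, 10, 400)])
```

The first scenario is the reason for the note above: a client that talks to an application every minute or so looks like one flow with a 200-second inactive timeout, but with a 60-second inactive timeout it becomes a string of one-packet flows, which distorts per-application byte and packet statistics and multiplies the export volume. The second scenario shows the active timeout doing its job of reporting a long-lived flow before it ends.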

         

        Configuring WLAN to Apply Flow Monitor in IPV4 Input/Output Direction

        SUMMARY STEPS

          1.    configure terminal

          2.    wlan wlan-id

          3.    ip flow monitor monitor-name {input | output}

          4.    end


        DETAILED STEPS
            Command or Action Purpose
          Step 1 configure terminal


          Example:
          Switch# configure terminal
           

          Enters global configuration mode.

           
          Step 2 wlan wlan-id


          Example:
          Switch (config) # wlan 1
           

          Enters WLAN configuration submode. For wlan-id, enter the WLAN ID. The range is 1 to 64.

           
          Step 3 ip flow monitor monitor-name {input | output}


          Example:
          Switch (config-wlan) # ip flow monitor flow-monitor-1 input
           

          Associates a flow monitor to the WLAN for input or output packets.

           
          Step 4 end


          Example:
          Switch(config-wlan)# end
           

          Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
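The four procedures above (flow record, optional flow exporter, flow monitor, WLAN binding) fit together into one configuration, and each carries a limit the switch will reject or that the guide recommends against: 63-character descriptions, exporter option timeouts of 1 to 86400 seconds, cache timeouts of 1 to 604800 seconds with the inactive timeout above 90 seconds, and WLAN IDs 1 to 64. The following script is an added example written for this page, not Cisco code or a Cisco tool: it renders the CLI in the order the guide uses and checks those limits before anything is pasted into a switch. The names fr_v4, fm_v4 and fe_v4 follow the guide's example, 10.99.1.4 is the guide's example collector address, and UDP port 2055 is an assumed collector port.

```python
"""Render and sanity-check the four-step AVC configuration from the procedures above.

Added example, not Cisco code.  It emits the CLI lines the guide walks through
(flow record, optional flow exporter, flow monitor, WLAN binding) and checks the
limits the guide states: descriptions of at most 63 characters, exporter option
timeouts of 1..86400 s, cache timeouts of 1..604800 s with the inactive timeout
above 90 s, and a WLAN ID of 1..64.
"""
from dataclasses import dataclass
from typing import List, Optional

# Match and collect fields from the "Creating a Flow Record" procedure.
AVC_MATCH_FIELDS = [
    "ipv4 protocol", "ipv4 source address", "ipv4 destination address",
    "transport source-port", "transport destination-port", "flow direction",
    "application name", "wireless ssid",
]
AVC_COLLECT_FIELDS = [
    "counter bytes long", "counter packets long",
    "wireless ap mac address", "wireless client mac address",
]


@dataclass
class FlowExporter:
    name: str
    destination: str                 # collector hostname or IPv4 address
    udp_port: int                    # port the collector listens on
    description: str = ""
    application_table_timeout: Optional[int] = None
    usermac_table_timeout: Optional[int] = None


@dataclass
class AvcConfig:
    record: str
    monitor: str
    wlan_id: int
    exporter: Optional[FlowExporter] = None
    active_timeout: Optional[int] = None
    inactive_timeout: Optional[int] = None
    description: str = ""
    directions: tuple = ("input", "output")   # upstream and downstream


def validate(cfg: AvcConfig) -> List[str]:
    """Return the problems found; an empty list means the config is within the guide's limits."""
    problems: List[str] = []

    def in_range(what: str, value: Optional[int], lo: int, hi: int) -> None:
        if value is not None and not lo <= value <= hi:
            problems.append(f"{what}: {value} is outside {lo}..{hi}")

    if len(cfg.description) > 63:
        problems.append(f"flow record {cfg.record}: description exceeds 63 characters")
    if cfg.exporter is not None:
        ex = cfg.exporter
        if len(ex.description) > 63:
            problems.append(f"flow exporter {ex.name}: description exceeds 63 characters")
        in_range(f"flow exporter {ex.name} udp port", ex.udp_port, 1, 65535)
        in_range(f"flow exporter {ex.name} application-table timeout", ex.application_table_timeout, 1, 86400)
        in_range(f"flow exporter {ex.name} usermac-table timeout", ex.usermac_table_timeout, 1, 86400)
    in_range(f"flow monitor {cfg.monitor} cache timeout active", cfg.active_timeout, 1, 604800)
    in_range(f"flow monitor {cfg.monitor} cache timeout inactive", cfg.inactive_timeout, 1, 604800)
    if cfg.inactive_timeout is not None and cfg.inactive_timeout <= 90:
        problems.append(f"flow monitor {cfg.monitor}: inactive timeout should be greater than 90 s for AVC")
    in_range("wlan id", cfg.wlan_id, 1, 64)
    return problems


def render(cfg: AvcConfig) -> str:
    """Emit the configuration in the order the guide uses: record, exporter, monitor, WLAN."""
    lines = [f"flow record {cfg.record}"]
    if cfg.description:
        lines.append(f" description {cfg.description}")
    lines += [f" match {f}" for f in AVC_MATCH_FIELDS]
    lines += [f" collect {f}" for f in AVC_COLLECT_FIELDS]
    if cfg.exporter is not None:
        ex = cfg.exporter
        lines.append(f"flow exporter {ex.name}")
        if ex.description:
            lines.append(f" description {ex.description}")
        lines.append(f" destination {ex.destination}")
        lines.append(f" transport udp {ex.udp_port}")
        if ex.application_table_timeout is not None:
            lines.append(f" option application-table timeout {ex.application_table_timeout}")
        if ex.usermac_table_timeout is not None:
            lines.append(f" option usermac-table timeout {ex.usermac_table_timeout}")
    lines.append(f"flow monitor {cfg.monitor}")
    lines.append(f" record {cfg.record}")
    if cfg.exporter is not None:
        lines.append(f" exporter {cfg.exporter.name}")
    if cfg.active_timeout is not None:
        lines.append(f" cache timeout active {cfg.active_timeout}")
    if cfg.inactive_timeout is not None:
        lines.append(f" cache timeout inactive {cfg.inactive_timeout}")
    lines.append(f"wlan {cfg.wlan_id}")          # wlan-id form used in the procedure above
    lines += [f" ip flow monitor {cfg.monitor} {d}" for d in cfg.directions]
    return "\n".join(lines) + "\n"


# Constructed sample: the guide's names and timeouts; 10.99.1.4 is its example
# collector address, UDP 2055 is an assumed collector port.
EXAMPLE = AvcConfig(
    record="fr_v4", monitor="fm_v4", wlan_id=1,
    exporter=FlowExporter("fe_v4", "10.99.1.4", 2055,
                          application_table_timeout=500, usermac_table_timeout=1000),
    active_timeout=1800, inactive_timeout=200,
)

if __name__ == "__main__":
    for problem in validate(EXAMPLE):
        print("WARNING:", problem)
    print(render(EXAMPLE), end="")
```

Run it and paste the output into configuration mode; the validation step catches the mistakes that otherwise surface only as a rejected command or, in the case of a short inactive timeout, as fragmented flows in the exported statistics.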

           

          Configuring Application Visibility and Control (GUI)

          You can apply the default flow record (wireless avc basic) to the default flow monitor (wireless-avc-basic).

          If you are using a flow record and flow monitor that you created, the record name and the monitor name must be the same. This requirement applies only when configuring AVC from the GUI, not to CLI configuration.

          You can use the flow monitor you have created either for upstream or downstream, or both, but ensure that you use the same record name while mapping with the flow monitor.


            Step 1   Choose Configuration > Wireless > WLAN.

            The WLAN page appears.

            Step 2   Click on corresponding WLAN ID to open WLAN Edit page and click AVC.

            The Application Visibility page appears.

            1. Select the Application Visibility Enabled check box to enable AVC on a WLAN.
            2. In the Upstream Profile text box, enter the name of the AVC profile.
            3. In the Downstream Profile text box, enter the name of the AVC profile.

            To enable AVC, you need to enter the profile names for the upstream and downstream profiles. The profile names are the flow monitor names. By default, the flow monitor names (wireless-avc-basic) appear in the Upstream Profile and Downstream Profile text boxes. For the default flow monitor, the default flow record (wireless avc basic) will be taken. The default flow record is generated by the system and is available.

            You can change the profile names for the upstream and downstream profiles but ensure that the same flow records are available for the flow monitors.

            The upstream and downstream profiles can have different profile names but there should be flow records available for the flow monitors.

            Step 3   Click Apply to apply AVC on the WLAN.
            Step 4   To disable AVC on the WLAN, uncheck the Application Visibility Enabled check box on the WLAN page.

            AVC is disabled on the WLAN.

            Step 5   Click Apply.

            Monitoring Application Visibility and Control (CLI)

            This section describes the new commands for application visibility.

            The following commands can be used to monitor application visibility on the switch and access points.

            Table 1 Monitoring Application Visibility Commands on the switch

            Command

            Purpose

            show avc client client-mac top n application [aggregate | upstream | downstream]

            Displays information about top "N" applications for the given client MAC.

            show avc wlan ssid top n application [aggregate | upstream | downstream]

            Displays information about top "N" applications for the given SSID.

            show wlan id wlan-id

            Displays information whether AVC is enabled or disabled on a particular WLAN.

            show flow monitor flow_monitor_name cache

            Displays the contents of the flow cache for the specified flow monitor.

            Table 2 Clearing Application Visibility Statistics Commands

            Command

            Purpose

            clear avc client mac stats

            Clears the statistics per client.

            clear avc wlan ssid-name stats

            Clears the statistics per WLAN.

            Monitoring Application Visibility and Control (GUI)

            You can view AVC information for a WLAN at a glance using the AVC on WLAN pie chart on the Home page of the switch. The pie chart displays the AVC data (Aggregate - Application Cumulative usage %) of the first WLAN. In addition, the top 5 WLANs based on client count are listed; click any one of them to view the corresponding pie chart. If AVC is not enabled on the first WLAN, the Home page does not display the AVC pie chart.


              Step 1   Choose Monitor > Controller > AVC > WLANs.

              The WLANs page appears.

              Step 2   Click the corresponding WLAN profile.

              The Application Statistics page appears.

              From the Top Applications drop-down list, choose the number of top applications you want to view and click Apply. The valid range is from 5 to 30, in multiples of 5.

              1. On the Aggregate, Upstream, and Downstream tabs, you can view the application cumulative and last 90 seconds statistics and usage percent with the following fields:
                • Application name
                • Packet count
                • Byte count
                • Average packet size
                • Usage (%)
              Step 3   Choose Monitor > Clients > Client Details > Clients.

              The Clients page appears.

              Step 4   Click Client MAC Address and then click AVC Statistics tab.

              The Application Visibility page appears.

              1. On the Aggregate, Upstream, and Downstream tabs, you can view the application cumulative and last 90 seconds statistics and usage percent with the following fields:
                • Application name
                • Packet count
                • Byte count
                • Average packet size
                • Usage (%)

              Examples: Application Visibility and Control Configuration

              This example shows how to create a flow record, create a flow monitor, apply the flow record to the flow monitor, and apply the flow monitor on a WLAN:
              Switch# configure terminal
              Switch(config)# flow record fr_v4
              Switch(config-flow-record)# match ipv4 protocol
              Switch(config-flow-record)# match ipv4 source address
              Switch(config-flow-record)# match ipv4 destination address
              Switch(config-flow-record)# match transport destination-port
              Switch(config-flow-record)# match flow direction
              Switch(config-flow-record)# match application name
              Switch(config-flow-record)# match wireless ssid
              Switch(config-flow-record)# collect counter bytes long
              Switch(config-flow-record)# collect counter packets long
              Switch(config-flow-record)# collect wireless ap mac address
              Switch(config-flow-record)# collect wireless client mac address
              Switch(config-flow-record)# end
              
              
              Switch# configure terminal
              Switch(config)# flow monitor fm_v4
              Switch(config-flow-monitor)# record fr_v4
              Switch(config-flow-monitor)# cache timeout active 1800
              Switch(config-flow-monitor)# end
              
              
              Switch# configure terminal
              Switch(config)# wlan wlan1
              Switch(config-wlan)# ip flow monitor fm_v4 input
              Switch(config-wlan)# ip flow monitor fm_v4 output
              Switch(config-wlan)# end
              

              Additional References for Application Visibility and Control

              Related Documents

              Related Topic Document Title
              System management commands

              System Management Command Reference Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

              Flexible NetFlow configuration

              Flexible NetFlow Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

              Flexible NetFlow commands

              Flexible NetFlow Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

              Standards and RFCs

              Standard/RFC Title
              None

              MIBs

              MIB MIBs Link
              All supported MIBs for this release.

              To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

              http:/​/​www.cisco.com/​go/​mibs

              Technical Assistance

              Description Link

              The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

              To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

              Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

              http:/​/​www.cisco.com/​support

              Feature History and Information For Application Visibility and Control

              Release Feature Information
              Cisco IOS XE 3.3SE This feature was introduced.