Cisco Wireless LAN Controller Configuration Guide, Release 7.4
Configuring Application Visibility and Control

Information About Application Visibility and Control

Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques with the Network-Based Application Recognition (NBAR) engine, and provides application-level visibility and control into Wi-Fi networks. After the applications are recognized, the AVC feature enables you to either drop or mark the data traffic.

AVC can detect more than 1000 applications. It enables you to perform real-time analysis and create policies to reduce network congestion, costly network link usage, and infrastructure upgrades.

Note


You can view a list of 30 applications under Top Applications in the Monitor Summary section of the UI.

AVC is supported on the following controller platforms: Cisco 2500 Series Wireless LAN Controllers, Cisco 5500 Series Wireless LAN Controllers, Cisco Flex 7500 Series Wireless LAN Controllers in central switching mode, Cisco 8500 Series Wireless LAN Controllers, and Cisco Wireless Services Module 2 (WiSM2).

AVC DSCP marking changes only the DSCP of the original packet in the controller, in both directions (upstream and downstream). It does not affect the outer CAPWAP DSCP. AVC DSCP is applicable only when the application is classified. For example, based on the AVC profile configuration, if an application is classified as ftp or http, the corresponding DSCP marking is applied irrespective of the WLAN QoS. For downstream traffic, the DSCP value of the outer CAPWAP header and the inner packet's DSCP are taken from the AVC DSCP. WLAN QoS applies only to traffic sent from the WLC to the AP through CAPWAP. It does not change the DSCP of the original packet.

Restrictions for Application Visibility and Control

  • IPv6 packet classification is not supported.
  • Layer 2 roaming is not supported across controllers.
  • Multicast traffic is not supported.

Configuring Application Visibility and Control (GUI)


    Step 1   Create and configure an AVC profile by following these steps:
    1. Choose Wireless > Application Visibility and Control > AVC Profiles.
    2. Click New.
    3. Enter the AVC profile name.
    4. Click Apply.
    5. On the AVC Profile Name page, click the corresponding AVC profile name.

      The AVC Profile > Edit page is displayed.

    6. Click Add New Rule.
    7. Choose the application group and the application name from the respective drop-down lists.

      View the list of default AVC applications available by choosing Wireless > Application Visibility and Control > AVC Applications.

    8. From the Action drop-down list, choose either of the following:
      • Drop—Drops the upstream and downstream packets that correspond to the chosen application.
      • Mark—Marks the upstream and downstream packets that correspond to the chosen application with the Differentiated Services Code Point (DSCP) value that you specify in the DSCP (0 to 63) drop-down list. The DSCP value helps you provide differentiated services based on the QoS levels.
        Note   

        The default action is to permit all applications.

    9. If you choose Mark from the Action drop-down list, choose a DSCP value from the DSCP (0 to 63) drop-down list.
      The DSCP value is a packet header code that is used to define QoS across the Internet. The DSCP values are mapped to the following QoS levels:
      • Platinum (Voice)—Assures a high QoS for Voice over Wireless.
      • Gold (Video)—Supports high-quality video applications.
      • Silver (Best Effort)—Supports normal bandwidth for clients.
      • Bronze (Background)—Provides the lowest bandwidth for guest services.

      You can also choose Custom and specify the DSCP value. The valid range is from 0 to 63.

    10. Click Apply.
    11. Click Save Configuration.
    Step 2   Associate an AVC profile to a WLAN by following these steps:
    1. Choose WLANs and click the corresponding WLAN ID.

      The WLANs > Edit page is displayed.

    2. Click the QoS tab.
    3. Choose the AVC profile from the AVC Profile drop-down list.
    4. Click Apply.
    5. Click Save Configuration.

    Configuring Application Visibility and Control (CLI)

    • Create or delete an AVC profile by entering this command: config avc profile avc-profile-name {create | delete}
    • Add a rule for an AVC profile by entering this command: config avc profile avc-profile-name rule add application application-name {drop | mark dscp-value}
    • Remove a rule for an AVC profile by entering this command: config avc profile avc-profile-name rule remove application application-name
    • Configure an AVC profile to a WLAN by entering this command: config wlan avc wlan-id profile avc-profile-name {enable | disable}
    • Configure application visibility for a WLAN by entering this command: config wlan avc wlan-id visibility {enable | disable}

      Note


      Application visibility is the subset of an AVC profile. Therefore, visibility is automatically enabled when you configure an AVC profile on the WLAN.


    • View information about all AVC profiles or a particular AVC profile by entering this command: show avc profile {summary | detailed avc-profile-name}
    • View information about AVC applications by entering this command: show avc applications [application-group]
    • View various statistical information about AVC by entering this command: show avc statistics
    • Configure troubleshooting for AVC events by entering this command: debug avc events {enable | disable}
    • Configure troubleshooting for AVC errors by entering this command: debug avc error {enable | disable}

    Configuring NetFlow

    Information About NetFlow

    NetFlow is a protocol that provides information about network users and applications, peak usage times, and traffic routing. The NetFlow protocol collects IP traffic information from network devices to monitor traffic. The NetFlow architecture consists of the following components:
    • Collector—Entity that collects all the IP traffic information from various network elements.
    • Exporter—Network entity that exports the template with the IP traffic information. The controller acts as an exporter.

    Configuring NetFlow (GUI)


      Step 1   Configure the Exporter by following these steps:
      1. Choose Wireless > Netflow > Exporter.
      2. Click New.
      3. Enter the Exporter name, IP address, and the port number.

        The valid range for the port number is from 1 to 65535.

      4. Click Apply.
      5. Click Save Configuration.
      Step 2   Configure the NetFlow Monitor by following these steps:
      1. Choose Wireless > Netflow > Monitor.
      2. Click New and enter the Monitor name.
      3. On the Monitor List page, click the Monitor name to open the Netflow Monitor > Edit page.
      4. Choose the Exporter name and the Record name from the respective drop-down lists.
      5. Click Apply.
      6. Click Save Configuration.
      Step 3   Associate a NetFlow Monitor to a WLAN by following these steps:
      1. Choose WLANs and click the WLAN ID to open the WLANs > Edit page.
      2. In the QoS tab, choose the NetFlow Monitor from the Netflow Monitor drop-down list.
      3. Click Apply.
      4. Click Save Configuration.

      Configuring NetFlow (CLI)

      • Create an Exporter by entering this command: config flow create exporter exporter-name ip-addr port-number
      • Create a NetFlow Monitor by entering this command: config flow create monitor monitor-name
      • Associate or dissociate a NetFlow Monitor with an Exporter by entering this command: config flow {add | delete} monitor monitor-name exporter exporter-name
      • Associate or dissociate a NetFlow Monitor with a Record by entering this command: config flow {add | delete} monitor monitor-name record ipv4_client_app_flow_record
      • Associate or dissociate a NetFlow Monitor with a WLAN by entering this command: config wlan flow wlan-id monitor monitor-name {enable | disable}
      • See a summary of NetFlow Monitors by entering this command: show flow monitor summary
      • See information about the Exporter by entering this command: show flow exporter {summary | statistics}
      • Configure a debug of NetFlow by entering this command: debug flow {detail | error | info} {enable | disable}
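
The AVC and NetFlow CLI procedures above, rendered as ordered command lists by a small generator. This is an added example, not part of the Cisco guide: it uses only the command syntax shown on this page and rejects values outside the stated ranges (DSCP 0 to 63, port 1 to 65535). The function names and the allowed-name character set are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: names use a conservative character set, so no value can carry
# spaces or newlines (and thus extra commands) into a generated CLI line.
_NAME = re.compile(r"[A-Za-z0-9_.-]+")
RECORD = "ipv4_client_app_flow_record"  # record name from the page's CLI syntax


def _name(value):
    if not isinstance(value, str) or not _NAME.fullmatch(value):
        raise ValueError(f"unsafe name: {value!r}")
    return value


def _int(value, low, high, what):
    ok = isinstance(value, int) and not isinstance(value, bool)
    if not ok or value < low or (high is not None and value > high):
        raise ValueError(f"{what} out of range: {value!r}")
    return value


def avc_commands(profile, wlan_id, rules):
    """rules: (application, 'drop') or (application, 'mark', dscp) tuples."""
    profile, wlan_id = _name(profile), _int(wlan_id, 1, None, "WLAN ID")
    lines = [f"config avc profile {profile} create"]
    for app, action, *dscp in rules:
        if action == "drop" and not dscp:
            verb = "drop"
        elif action == "mark" and len(dscp) == 1:
            verb = f"mark {_int(dscp[0], 0, 63, 'DSCP')}"  # page: DSCP 0 to 63
        else:
            raise ValueError(f"bad rule for {app!r}: {action!r}")
        lines.append(f"config avc profile {profile} rule add application {_name(app)} {verb}")
    return lines + [f"config wlan avc {wlan_id} profile {profile} enable",
                    f"show avc profile detailed {profile}"]


def netflow_commands(exporter, ip, port, monitor, wlan_id):
    exporter, monitor = _name(exporter), _name(monitor)
    ip = ipaddress.ip_address(ip)  # ValueError on a malformed address
    port, wlan_id = _int(port, 1, 65535, "port"), _int(wlan_id, 1, None, "WLAN ID")
    return [f"config flow create exporter {exporter} {ip} {port}",
            f"config flow create monitor {monitor}",
            f"config flow add monitor {monitor} exporter {exporter}",
            f"config flow add monitor {monitor} record {RECORD}",
            f"config wlan flow {wlan_id} monitor {monitor} enable",
            "show flow exporter summary"]
```

With constructed values, `avc_commands("guest-avc", 1, [("ftp", "drop"), ("http", "mark", 10)])` returns the five commands that create the profile, add both rules, attach it to WLAN 1, and display it for review before the configuration is saved.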