Table of Contents
Monitoring Application Visibility (GUI)
Steps to Apply QoS Policies to Application Visibility Profiles (AVC Phase-2)
Appendix: Configuration Examples using CLI
Cisco Unified Access CT5760 Controllers and Catalyst 3850/3650 Switches AVC Deployment Guide, Cisco IOS XE Software Release 3.6
Introduction
This document introduces the Application Visibility and Control (AVC) feature for the Cisco Converged Access CT5760 and Cat3850/3650 products in Release 3.6. This guide is designed to help you deploy and monitor new features introduced in Release 3.6. All sections apply to both the 5760 series controllers and the 3850/3650 switches.
The document builds on previous releases and assumes that you are familiar with the Converged Access products. See the CT5760 Controller Deployment Guide, the Converged Access CT5760 AVC Deployment Guide, Cisco IOS XE Release 3.3, and the Cisco Catalyst 3850 Switch Deployment Guide for previously released features not covered in this guide.
AVC Compatible Features
Cisco IOS XE Release 3.6 supports the following AVC compatible features:
- IOS 3.6 platforms—5760/3850/3650.
- NBAR2 protocol pack 8.0.
- More than 1000 applications.
- AVC is supported only on the following access points—AP 1600, 2600, 2700, 3600, 3700 and 1532. AVC is not supported on AP 700.
- Wireless clients only.
- Centralized and Converged Access.
- Flexible NetFlow Version 9 export to PI (PAM) and to external collectors (Plixer and ActionPacked).
CT5760 Controller
CT5760 is an innovative UADP ASIC based wireless controller deployed as a centralized controller in the next generation unified wireless architecture. CT5760 controllers are specifically designed to function as Unified model central wireless controllers. They also support the newer Mobility functionality with Converged Access switches in the wireless architecture.
CT5760 controllers are deployed behind a core switch/router. The core switch/router is the only gateway into the network for the controller. The uplink ports connected to the core switch are configured as EtherChannel trunk to ensure port redundancy.
This controller is an extensible, high-performance wireless controller that scales to 1000 access points and 12000 clients. It has six 10-Gbps data ports.
As a component of the Cisco Unified Wireless Network, the 5760 series works in conjunction with Cisco Aironet access points, the Cisco Prime infrastructure, and the Cisco Mobility Services Engine to support business-critical wireless data, voice, and video applications.
AVC Overview
Network Based Application Recognition (NBAR2) provides application-aware control on a wireless network and improves manageability and productivity. It also extends Cisco Application Visibility and Control (AVC) into an end-to-end solution that gives complete visibility of the applications on the network and lets the administrator take action on them.
NBAR2 is a deep-packet inspection technology available on Cisco IOS based platforms that supports stateful Layer 4 to Layer 7 classification. NBAR2 is based on NBAR and adds requirements such as a Common Flow Table shared by all IOS features that use NBAR. NBAR2 recognizes applications and passes this information to other features such as QoS, NetFlow, and Firewall, which can act on the classification.
Quality of Service (QoS) is an important part of the end-to-end AVC functionality. Proper QoS support enables prioritization and policy enforcement on NBAR-identified applications. AVC-related QoS policies can be applied in either direction (upstream or downstream) of the client traffic.
Upstream traffic refers to traffic from Wireless Client -> AP -> Switch -> Controller.
Downstream traffic refers to traffic from Controller -> Switch -> AP -> Wireless Client.
Application control is done on the AP for upstream QoS and on the switch/controller for downstream QoS, with NBAR classification done on the AP. Client QoS policies are supported by NBAR for this feature. You can configure and monitor Application Visibility and link it to QoS from both the GUI and the CLI.
Configuring AVC (GUI)
Step 1 From a web browser, open the WLC GUI and, from the main menu, go to Configuration > Wireless > WLAN. If the WLAN on which you want to enable AVC already exists, skip to Step 3.
Step 2 To create a new WLAN on the WLC, go to Configuration > Wireless > WLAN and click New.
Enter a number in the WLAN ID text box and a name in the SSID and Profile Name text boxes.
Map this WLAN to an interface. For example, VLAN 10 as shown below.
From the Security tab, select the security type that your network requires. In this example, Layer 2 Security is None, that is, an open SSID. An open SSID is acceptable only for an isolated lab; production WLANs should use WPA2 with 802.1X or a strong PSK.
Once the WLAN configuration is done, click Apply to create the WLAN.
Step 3 Click the corresponding WLAN ID to open the WLAN Edit page and click AVC.
The Application Visibility page is displayed. Perform the following:
a. To enable AVC on a WLAN, check the Application Visibility Enabled check box.
b. In the Upstream Profile text box, the default AV profile is automatically selected.
c. In the Downstream Profile text box, the default AV profile is automatically selected.
Step 4 Click Apply to apply AVC on the WLAN.
Step 5 Now that Application Visibility is enabled, associate a wireless client to the AVC enabled WLAN and access different types of traffic using applications such as Webex meeting, Skype, Yahoo Messenger, HTTP, HTTPS/SSL, Microsoft Messenger, YouTube, Ping, Trace route, and so on. Once traffic is initiated from the wireless client, visibility of different traffic is observed globally for all WLANs, Per Client Basis, and Per WLAN Basis. This provides a good overview to the administrator of the network bandwidth utilization and type of traffic in the network per client, per WLAN, and globally.
Monitoring Application Visibility (GUI)
Navigate to the Home page of the controller which displays AVC for WLAN pie chart. The pie chart displays the AVC data (Aggregate - Application Cumulative usage %). The top WLANs based on WLAN ID are displayed first.
Note It will take about 90 seconds for applications to be visible after enabling AVC.
Step 1 Choose Monitor > Controller > AVC > WLANs. The WLANs page appears.
Step 2 Click the corresponding WLAN profile. In this example, POD1-Client.
The Application Statistics page appears. From the Top Applications drop-down list, choose the number of top applications you want to view and click Apply.
The valid range is between 5 to 30, in multiples of 5.
a. On the Aggregate, Upstream, and Downstream tabs, you can view the following information with respect to WLAN:
– Application last 90 seconds statistics (Application name, packet count, byte count, average packet size, and usage (%))
– Application Cumulative Statistics
– Application last 90 seconds Usage (%)
– Application Cumulative Usage (%)
Step 3 You can also monitor AV per Client. Choose Monitor > Clients > Client Details > Clients. The Clients page appears.
Step 4 Click Client MAC Address and then click AVC Statistics tab. The Application Visibility page appears.
a. On the Aggregate, Upstream, and Downstream tabs, you can view the following information with respect to client:
– Application last 90 seconds statistics (Application name, packet count, byte count, average packet size, and usage (%))
– Application Cumulative Statistics
– Application last 90 seconds Usage (%)
– Application Cumulative Usage (%)
Steps to Apply QoS Policies to Application Visibility Profiles (AVC Phase-2)
1. With IOS XE Release 3.6, the NBAR feature on IOS controllers not only gives visibility of applications running in the network but also gives administrators an option to control the applications running in the network by creating QoS policies and applying them to a WLAN. QoS policies can be configured to take the following actions on the recognized applications:
a. Action DROP—Traffic for that application is dropped.
Note Only upstream traffic can be dropped.
b. Action MARK and POLICE—Particular applications are marked and policed with the different QoS profiles available on the WLC, or the administrator can define a custom DSCP value for that application.
Note This can be done for upstream and downstream traffic.
2. To configure any action (drop/mark), QoS policies must be created first. To create a QoS Policy, go to Configuration > Wireless > QoS > QoS Policy > Add New.
3. Creating an Egress (Downstream) QoS Policy:
Here, an Egress Policy that will POLICE (rate limit) the WebEx meeting running on wireless clients is created. You can use any other application from the protocol list such as Google Talk, YouTube, Netflix, and so on.
– From the Policy Type drop-down list, select Client.
Note Only Client QoS policies are supported for NBAR. SSID/Port QoS policies are not supported for this feature.
– From the Policy Direction drop-down list, select Egress. Egress refers to Downstream traffic.
Note Egress policies can only police (rate limit) or mark traffic. Traffic cannot be dropped in the downstream direction.
– Policy Name and Description—In this example, we used PoliceWebex as the Policy name. You can assign any name as desired.
Note Do not click Apply until the entire QoS policy is created.
4. Check the Enable Application Recognition check box. This displays all the applications supported by the NBAR2 engine and will list down all the applications in sorted order (Ascending order (0 to 9 and A to Z)).
– From the Trust drop-down list, choose how to classify applications: Protocol, Category, Subcategory, or Application-group. Select Protocol for the most granular application selection.
– In Protocol Choice— Select webex-meeting from the Available Protocols list and move it to the Assigned Protocols list. You can select any application from the Available Protocol list such as YouTube, Netflix and so on.
– In the Police (kbps) text box—Configure as 100 (100 Kbps).
Note A valid range for Policing is between 8 Kbps to 10000000 Kbps (10 Gbps).
Once done, click Add and you should see the following screen:
Now, go to the top right corner of the page and click Apply.
A Policy Successfully Created popup appears and the policy is created as shown below
Note A maximum number of 16 rules (from CLI) and 8 rules (from GUI) can be configured in a single QoS Policy.
5. To apply the QoS Policy (PoliceWebex) to a WLAN, go to Configuration > Wireless > WLAN > WLANs > WLAN Name > QOS tab. Only one QoS Policy can be mapped to a single WLAN. However, a QoS Policy can be mapped to multiple WLANs.
In the QoS Client Policy area, select the Egress Policy from the Assign Policy drop-down list, select the policy you want to use (in this case it is PoliceWebex) and then click OK.
Now, click Apply, you will see the Policy being applied under Existing Policy.
6. Now go back to the wireless client that is running the WebEx meeting and check the video quality. The video should be pixelated and fuzzy because the webex-meeting protocol has been rate limited to 100 Kbps.
7. To remove the QoS Policy from the WLAN, go to Configuration > Wireless > WLAN > WLANs > WLAN Name > QOS tab. In the QoS Client Policy area, select the Egress Policy as None from the Assign Policy drop-down list and click OK and then Apply.
8. After removing the QoS Policy from the WLAN, go back to the WebEx meeting application and check the video quality. The video should be back to normal quality.
9. Creating an Ingress QoS Policy:
Here, an Ingress Policy (Upstream) to DROP the WebEx meeting running on the wireless client is created.
– Go to Configuration > Wireless > QoS > QoS-Policy and click Add New. Perform the following steps:
– From the Policy Type drop-down list, select Client.
– From the Policy Direction drop-down list, select Ingress. Ingress refers to Upstream traffic.
Note You can Drop traffic with Ingress Policies. Traffic can only be dropped in the upstream direction.
– Policy Name and Description—In this example, we used DropWebex as the Policy name. You can assign any name as desired.
– Do not click Apply until the entire QoS policy is created.
Continue to fill in the rest of the fields to create a QoS Policy as shown in the next section.
10. Check the Enable Application Recognition check box. This displays all the applications supported by the NBAR2 engine and will list down all the applications in sorted order.
– In the Trust drop-down list—You can classify applications using—Protocol/Category/Subcategory/Application-group. Protocol is chosen for this example.
– In Protocol Choice—Select an application from the Available Protocols list and move it under the Assigned Protocols list. In this example, we used webex-meeting.
– From the Mark drop-down list, select None.
– Leave the Police (Kbps) text box empty.
Once done, click Add and you should see the following screen:
Now, go to the top right corner of the page and click Apply.
A Policy Successfully Created popup appears.
11. To apply the QoS policy (DropWebex) to a WLAN, go to Configuration > Wireless > WLAN > WLANs > WLAN Name > QOS tab.
12. In the QoS Client Policy area, select the Ingress Policy (DropWebex) from the Assign Policy drop-down list and then click OK.
Now, click Apply, you will see the Policy being applied under Existing Policy:
13. Now, go back to the webex meeting running on your wireless clients and check the video. The video will be dropped. This is because the webex-meeting protocol was configured as Dropped in the QoS Policy.
14. Adding MARKING to an existing Policy:
The objective of this is to add MARKING to an existing policy. In this example, we will MARK cisco-jabber-im with DSCP value of 24.
15. Go to Configuration > Wireless > QoS > QoS-Policy and click the Policy “PoliceWebex”.
16. Once you open the policy (PoliceWebex), go to the Enable Application Recognition section and perform the following:
– Under Protocol Choice—Select cisco-jabber-im from the Available Protocols list and move it under the Assigned Protocols list.
– Under Mark—Select DSCP from the drop-down list and assign it a value of 24.
– Under Police—Left empty in this example. You can also define a policing rate here; the valid range is 8 Kbps to 10000000 Kbps, as noted earlier.
17. You should see the following screen:
Now, go to the top right corner of the page and click Apply. A Policy Successfully Modified popup appears.
18. The next step is to apply this QoS policy (PoliceWebex) to your WLAN. Go to Configuration > Wireless > WLAN > WLANs > WLAN Name > QOS tab.
19. In the QoS Client Policy area, select the QoS Policy PoliceWebex from the Assign Policy drop-down list under the Egress Policy and then click OK.
Once you click Apply, you will see the Policy being applied under Existing Policy.
20. Now open Cisco Jabber IM from a wireless client connected to the SSID. To check the QoS statistics, including the DSCP value applied to the client traffic, use the CLI. Connect to the WLC CLI over the console or SSH (avoid Telnet, which sends the login credentials in cleartext) and run the following command:
WLC5760#show policy-map interface wireless client
The following image displays the DSCP value and other QoS information that are assigned to the jabber-im protocol.
The following table correlates the DSCP class names shown in that command output with the DSCP decimal values (for example, DSCP 24 is class CS3).
This example used the WebEx application. You can also test NBAR/AVC with other applications such as Netflix, Facebook, and Google Talk in your setup.
Note For CLI configurations of AVC and QoS Policies, refer to Appendix: Configuration Examples using CLI.
NBAR /AVC Summary
- You can map only one AV Upstream and Downstream profile on a WLAN. But the same AV Upstream and Downstream profiles can be mapped to multiple WLANs.
- Only 1 NetFlow exporter and monitor can be configured per WLAN.
- AVC statistics are displayed for the top 30 applications on both the GUI and CLI. This is configurable from 5 to 30, in multiples of 5. The default is set to 10 on the GUI.
- Any application that the NBAR engine on the WLC does not support or recognize is counted in an UNCLASSIFIED/Unknown bucket.
- There is no limit on the number of AV profiles that can be created on WLC.
Appendix: Configuration Examples using CLI
AVC CLI Configurations
Flow record fields (used by the flow monitor applied in step 4):
match ipv4 destination address
match transport destination-port
collect wireless ap mac address
collect wireless client mac address
Flow exporter destination:
destination 10.10.10.10
(IP address of your NetFlow collector. The collector must accept NetFlow Version 9.)
4. Applying the Flow Monitor to a WLAN:
security wpa akm psk set-key ascii 0 cisco123
(cisco123 is a lab placeholder; use a strong PSK on any production WLAN.)
5. Show Commands for Flow monitor:
show flow monitor name monitor-name cache
Note For additional information on NetFlow configuration, refer to Cisco Flexible NetFlow Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches).
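The fragments above come from a single Flexible NetFlow configuration. As an added, complete example written for this page (not configuration taken from the original guide), here is that configuration end to end: a custom flow record that carries the fields shown plus the application name and byte/packet counters, a NetFlow Version 9 exporter, the monitor that binds them, the WLAN that uses the monitor in both directions, and the show commands that verify it. The record name avc-record, the exporter name avc-exporter, the source interface Vlan10, UDP port 2055, and the timeouts are assumptions; 10.10.10.10 stands for your collector. Confirm the exact keyword set against your release with ?.

```cisco
! Flow record: the fields shown in the guide plus what AVC needs.
! Record and exporter names are assumptions chosen for this example.
flow record avc-record
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match application name
 collect counter bytes long
 collect counter packets long
 collect wireless ap mac address
 collect wireless client mac address
!
! Exporter: NetFlow v9 to the collector. option application-table sends the
! NBAR2 application-ID-to-name mapping so the collector can label flows.
! Source interface and port are assumptions.
flow exporter avc-exporter
 destination 10.10.10.10
 source Vlan10
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
 option application-table timeout 60
!
! Monitor: ties record and exporter together; AVC statistics are read from its cache.
flow monitor wireless-avc-basic
 exporter avc-exporter
 cache timeout active 60
 record avc-record
!
! Bind the monitor to the WLAN in both directions so that upstream and
! downstream application statistics are collected.
wlan POD1-Client 1 POD1-Client
 ip flow monitor wireless-avc-basic input
 ip flow monitor wireless-avc-basic output
!
! Verification (exec mode):
! show flow monitor wireless-avc-basic cache
! show flow exporter avc-exporter statistics
! show avc wlan POD1-Client top 10 application aggregate
```

If the exporter statistics show templates sent but the collector labels flows by application ID only, the collector is not consuming the application table option; check that it is a Version 9 collector with NBAR application-table support.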
6. QoS class-maps and policy-maps generated by the GUI:
class-map match-any Limit_youtube0_AVC_UI_CLASS
description AVC_UI_CLASS DO_NOT_CHANGE
class-map match-any Limit_youtube1_AVC_UI_CLASS
description AVC_UI_CLASS DO_NOT_CHANGE
class-map match-any non-client-nrt-class
class-map match-any Ingress_Drop_youtube0_AVC_UI_CLASS
description AVC_UI_CLASS DO_NOT_CHANGE
class-map match-any Ingress_Drop_youtube1_AVC_UI_CLASS
description AVC_UI_CLASS DO_NOT_CHANGE
policy-map Ingress_Drop_youtube
description [Client_Ingress_UI_policy UI_POLICY_DO_NOT_CHANGE]Dropping youtube traffic
class Ingress_Drop_youtube0_AVC_UI_CLASS
class Ingress_Drop_youtube1_AVC_UI_CLASS
policy-map Limit_youtube
description [Client_Egress_UI_policy UI_POLICY_DO_NOT_CHANGE]rate limiting youtube traffic
class Limit_youtube0_AVC_UI_CLASS
class Limit_youtube1_AVC_UI_CLASS
7. Applying QoS Policies to a WLAN:
wlan POD1-Client 1 POD1-Client
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
security wpa akm psk set-key ascii 0 cisco123
service-policy client input Ingress_Drop_youtube
service-policy client output Limit_youtube
service-policy type control subscriber POD1-PolicyMap
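The GUI-generated class-maps and policy-maps above show only the names the GUI assigns. As an added example written for this page (not the controller's generated configuration), the following hand-written equivalent implements the three actions from the GUI procedure with plain class-map and policy-map syntax: police webex-meeting downstream to 100 Kbps, mark cisco-jabber-im with DSCP 24 (CS3) downstream, and drop webex-meeting upstream. The class names AVC-WEBEX and AVC-JABBER-IM are chosen here; the police rate is given in bits per second on the CLI (so the GUI value 100 Kbps becomes police 100000), and the exact keyword set is to be confirmed against your release with ?.

```cisco
! Classes: one NBAR2 protocol per class (names are assumptions for this example).
class-map match-any AVC-WEBEX
 match protocol webex-meeting
class-map match-any AVC-JABBER-IM
 match protocol cisco-jabber-im
!
! Egress (downstream) client policy: rate limit WebEx, mark Jabber IM.
! police takes bits per second: 100000 bps = 100 Kbps (the GUI value 100).
policy-map PoliceWebex
 class AVC-WEBEX
  police 100000
 class AVC-JABBER-IM
  set dscp cs3
!
! Ingress (upstream) client policy: drop WebEx. drop is valid only upstream.
policy-map DropWebex
 class AVC-WEBEX
  drop
!
! Bind both policies to the WLAN; only one client policy per direction per WLAN.
wlan POD1-Client 1 POD1-Client
 service-policy client input DropWebex
 service-policy client output PoliceWebex
!
! Verify the marking and policing counters for a connected client (exec mode):
! show policy-map interface wireless client
```

Remove the policies from the WLAN with no service-policy client input DropWebex and no service-policy client output PoliceWebex under the wlan, which is the CLI counterpart of setting the Assign Policy drop-down to None in the GUI.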
8. Show Commands for AVC:
show avc wlan <wlan name> top <n> application [aggregate/upstream/downstream]
9. Show Commands for NBAR Protocol Pack:
The following sample output of the show ip nbar protocol-pack active command displays information about the protocol pack that is provided by default with a licensed Cisco image on a device:
5760# show ip nbar protocol-pack active
The following sample output of the show ip nbar protocol-pack active detail command displays detailed information about the active protocol pack that is provided by default with a licensed Cisco image on a device:
5760# show ip nbar protocol-pack active detail