This document introduces the Application Visibility and Control (AVC) feature for the Cisco Converged Access CT5760 and Cat3850/3650 products in Release 3.6. This guide is designed to help you deploy and monitor new features introduced in Release 3.6. All sections apply to both the 5760 series controllers and the 3850/3650 switches.
The document builds on previous releases and assumes that users are familiar with the Converged Access products. See the CT5760 Controller Deployment Guide, the Converged Access CT5760 AVC Deployment Guide, Cisco IOS XE Release 3.3, and the Cisco Catalyst 3850 Switch Deployment Guide for released features not covered in this guide.
- IOS 3.6 platforms—5760/3850/3650.
- NBAR2 protocol pack 8.0.
- More than 1000 applications.
- AVC is supported only on the following access points—AP 1600, 2600, 2700, 3600, 3700 and 1532. AVC is not supported on AP 700.
- Wireless clients only.
- Centralized and Converged Access.
- Flexible NetFlow Version 9 export to Prime Infrastructure (PAM) and external collectors (Plixer and ActionPacked).
CT5760 is an innovative UADP ASIC based wireless controller deployed as a centralized controller in the next generation unified wireless architecture. CT5760 controllers are specifically designed to function as Unified model central wireless controllers. They also support the newer Mobility functionality with Converged Access switches in the wireless architecture.
CT5760 controllers are deployed behind a core switch/router. The core switch/router is the only gateway into the network for the controller. The uplink ports connected to the core switch are configured as an EtherChannel trunk to ensure port redundancy.
As a component of the Cisco Unified Wireless Network, the 5760 series works in conjunction with Cisco Aironet access points, the Cisco Prime infrastructure, and the Cisco Mobility Services Engine to support business-critical wireless data, voice, and video applications.
Network Based Application Recognition (NBAR2) provides application-aware control on a wireless network and enhances manageability and productivity. It also extends Cisco's Application Visibility and Control (AVC) into an end-to-end solution, which gives complete visibility of the applications in the network and allows the administrator to take action on them.
NBAR2 is a deep-packet inspection technology available on Cisco IOS based platforms, which supports stateful L4 - L7 classification. NBAR2 is based on NBAR and has additional requirements, such as a Common Flow Table shared by all IOS features that use NBAR. NBAR2 recognizes applications and passes this information on to other features such as QoS, NetFlow and Firewall, which can take action based on the classification.
Quality of Service (QoS) is an important part of the end-to-end AVC functionality. Proper QoS support enables prioritization and policy enforcement on NBAR-identified applications. AVC-related QoS policies can be applied in either direction (Upstream/Downstream) of the client traffic.
Application control is done on the AP for Upstream QoS and Switch/Controller for Downstream QoS with NBAR classification done on the AP. Client QoS Policies are supported by NBAR for this feature. You can configure and monitor Application Visibility and link it to QoS from both the GUI and CLI.
Step 1 From a web browser, open the WLC GUI and then from the main menu, go to Configuration > Wireless > WLAN. Skip to Step 3 if the WLAN already exists and you want to enable AVC on that particular WLAN.
Step 5 Now that Application Visibility is enabled, associate a wireless client to the AVC-enabled WLAN and generate different types of traffic using applications such as WebEx meeting, Skype, Yahoo Messenger, HTTP, HTTPS/SSL, Microsoft Messenger, YouTube, ping, traceroute, and so on. Once traffic is initiated from the wireless client, visibility of the different traffic types is available globally for all WLANs, per client, and per WLAN. This gives the administrator a good overview of network bandwidth utilization and of the type of traffic in the network per client, per WLAN, and globally.
Navigate to the Home page of the controller which displays AVC for WLAN pie chart. The pie chart displays the AVC data (Aggregate - Application Cumulative usage %). The top WLANs based on WLAN ID are displayed first.
1. With IOS XE Release 3.6, the NBAR feature on IOS controllers not only gives visibility of applications running in the network but also gives administrators an option to control the applications running in the network by creating QoS policies and applying them to a WLAN. QoS policies can be configured to take the following actions on the recognized applications:
Here, an Egress Policy that will POLICE (rate limit) the WebEx meeting running on wireless clients is created. You can use any other application from the protocol list such as Google Talk, YouTube, Netflix, and so on.
4. Check the Enable Application Recognition check box. This lists all the applications supported by the NBAR2 engine in ascending sorted order (0 to 9, then A to Z).
– In Protocol Choice— Select webex-meeting from the Available Protocols list and move it to the Assigned Protocols list. You can select any application from the Available Protocol list such as YouTube, Netflix and so on.
5. To apply the QoS Policy (PoliceWebex) to a WLAN, go to Configuration > Wireless > WLAN > WLANs > WLAN Name > QOS tab. Only one QoS Policy can be mapped to a single WLAN. However, a QoS Policy can be mapped to multiple WLANs.
6. Now, go back to the wireless client that is running the WebEx meeting application and check the video quality. The video should be pixelated and fuzzy, because the webex-meeting protocol was rate-limited to 100 Kbps.
7. To remove the QoS Policy from the WLAN, go to Configuration > Wireless > WLAN > WLANs > WLAN Name > QOS tab. In the QoS Client Policy area, select the Egress Policy as None from the Assign Policy drop-down list and click OK and then Apply.
13. Now, go back to the webex meeting running on your wireless clients and check the video. The video will be dropped. This is because the webex-meeting protocol was configured as Dropped in the QoS Policy.
20. Now, open Cisco Jabber IM from a wireless client connected to the SSID. To check the QoS statistics, including the DSCP value of client traffic, you need to use the CLI. Connect to the WLC CLI (SSH is preferred over Telnet, which sends credentials in cleartext; the console port also works) and run the following command on the Controller CLI:
Note For CLI configurations of AVC and QoS Policies, refer to Appendix: Configuration Examples using CLI.
- You can map only one AV Upstream and Downstream profile on a WLAN. But the same AV Upstream and Downstream profiles can be mapped to multiple WLANs.
- Only 1 NetFlow exporter and monitor can be configured per WLAN.
- AVC statistics are displayed for the top 30 applications on both the GUI and CLI. This is configurable from 5 to 30, in multiples of 5. The default is set to 10 on the GUI.
- Any application that is not supported/recognized by the NBAR engine on the WLC is captured under a bucket of UNCLASSIFIED/Unknown traffic.
- There is no limit on the number of AV profiles that can be created on WLC.
Note For additional information on Netflow Configuration, refer to Cisco Flexible NetFlow Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches).
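The GUI procedure above (class-map on the webex-meeting protocol, the PoliceWebex egress client policy applied to the WLAN, the drop variant, and the per-WLAN NetFlow exporter/monitor from the limitations list) can be expressed entirely in the IOS XE CLI. The following configuration is an added illustration, not the appendix of the original guide or Cisco's own example. The WLAN profile name/ID/SSID (avc-wlan / 1 / avc-wlan), the collector address 10.1.1.100, the exporter name avc-exporter, and the policer rates are assumptions; verify the exact police keywords accepted by your release against the platform QoS configuration guide before use.

```cisco
! --- Classification: NBAR2 protocol match (same protocol chosen in the GUI)
class-map match-any webex-meeting
 match protocol webex-meeting
!
! --- Egress client policy that rate-limits WebEx to 100 Kbps (Step 5/6)
policy-map PoliceWebex
 class webex-meeting
  police 100000 conform-action transmit exceed-action drop
!
! --- Drop variant (Step 13): assumed implementation of the GUI "Drop" action,
!     a policer whose conform and exceed actions both drop the traffic
policy-map DropWebex
 class webex-meeting
  police 8000 conform-action drop exceed-action drop
!
! --- Flexible NetFlow record/exporter/monitor for AVC (only one exporter and
!     one monitor may be bound per WLAN). NetFlow v9 is plain UDP with no
!     authentication or encryption, and these records carry client and AP MAC
!     addresses, so keep the collector on a protected management network.
flow record wireless-avc-basic
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match application name
 match wireless ssid
 collect counter bytes long
 collect counter packets long
 collect wireless ap mac address
 collect wireless client mac address
!
flow exporter avc-exporter
 destination 10.1.1.100
 transport udp 2055
 export-protocol netflow-v9
!
flow monitor wireless-avc-basic
 record wireless-avc-basic
 exporter avc-exporter
 cache timeout active 60
!
! --- Bind everything to the WLAN. The WLAN is disabled while it is changed
!     because several WLAN attributes cannot be modified on an enabled WLAN;
!     this briefly drops clients, so do it in a maintenance window.
!     "service-policy client output" is the Egress Policy in the QoS Client
!     Policy area of the GUI; replace PoliceWebex with DropWebex for Step 13
!     or remove the line to clear the policy (Step 7).
wlan avc-wlan 1 avc-wlan
 shutdown
 service-policy client output PoliceWebex
 ip flow monitor wireless-avc-basic input
 ip flow monitor wireless-avc-basic output
 no shutdown
!
! --- Verification (assumed command names; output omitted)
! show ip nbar protocol-pack active detail
! show flow monitor wireless-avc-basic cache
```

Applying the policy under the WLAN rather than on a physical interface keeps it tied to the SSID, which is why a single policy can serve multiple WLANs while each WLAN takes only one policy per direction.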
The following sample output of the show ip nbar protocol-pack active detail command displays detailed information about the active protocol pack that is provided by default with a licensed Cisco image on a device: