Information about custom applications
Cisco Network-Based Application Recognition (NBAR) is a Cisco technology that performs the SD-WAN Application Intelligence Engine (SAIE) flow on network traffic to identify network applications according to their traffic characteristics.
![]() Note |
In Cisco vManage Release 20.7.1 and earlier releases, the SAIE flow is called the deep packet inspection (DPI) flow. |
The specific traffic characteristics of a network application are called an application signatures. Cisco packages the signature for an application, together with other information, as a protocol. Cisco packages a large set of protocols, covering numerous commonly occurring network applications, as a Protocol Pack. Cisco updates and distributes Protocol Packs regularly. They provide a database of network application signatures for NBAR to use to identify network application traffic.
The term network applications is defined broadly, and may include all of the following, and more:
-
Social media websites
-
Voice over IP (VoIP) applications
-
Streaming audio and video, such as Cisco Webex
-
Cloud applications, such as for cloud storage
-
SaaS applications
-
Custom network applications specific to an organization
Identifying applications is useful for monitoring network traffic, configuring application-aware traffic policy, and more.
To summarize network application signatures, protocols, and Protocol Packs, and how NBAR uses them:
-
The traffic of a network application has unique characteristics that can be used to identify the traffic as belonging to that specific application. These characteristics are called application signatures.
-
Cisco packages the signature for a specific network application as a protocol.
-
Cisco packages a large set of protocols, covering commonly occurring internet applications, as Protocol Packs.
-
Cisco NBAR performs the SAIE flow on traffic to gather the information required to identify the sources of the traffic, and uses protocols, such as those provided in Protocol Packs, to match that information to specific network applications. The result is that NBAR identifies the network applications producing traffic in the network.
Cisco Software-Defined Application Visibility and Control (SD-AVC) uses Cisco NBAR application identification to provide information about application usage within a network.
Custom applications
In addition to the standard protocols provided in a Protocol Pack, you can define protocols, called custom applications, to identify internet traffic, often for uncommon network applications that are of specific interest to their organization. Custom applications augment the protocols provided in a Protocol Pack.
You can use custom applications in the same way as any other protocol when configuring:
-
Cisco Catalyst SD-WAN policies
-
Application Quality of Experience (AppQoE) policies, such as application-aware routing, TCP acceleration, and Quality of Service (QoS)
![]() Note |
The following terms are used in the documentation of related technologies, and are equivalent: custom applications, custom protocols, user-defined applications |
Custom applications in Cisco Catalyst SD-WAN
Cisco Software-Defined AVC (SD-AVC) is a component of Cisco Application Visibility and Control (AVC). It functions as a centralized network service, operating with specific participating devices in a network. One function of Cisco SD-AVC, which is included as a component of Cisco Catalyst SD-WAN, is to create and manage custom applications. Cisco Catalyst SD-WAN uses this Cisco SD-AVC functionality, through SD-AVC REST APIs, to enable you to define custom applications within Cisco Catalyst SD-WAN.
As a Cisco Catalyst SD-WAN user, you can use Cisco SD-WAN Manager to define custom applications. Cisco SD-AVC then pushes the custom applications to devices in the network. The devices in the network use the custom applications and other application protocols to analyze traffic traversing the devices.
The process of defining a custom protocol includes choosing criteria to identify network traffic as coming from a specific network application. The criteria can include characteristics of hosts originating the traffic, such as server names, IP addresses, and so on.
Priority of protocols and custom applications
It is possible to define custom applications that match some of the same traffic as a protocol included in the Protocol Pack operating with Cisco NBAR. When matching traffic, custom applications have priority over Protocol Pack protocols. Deploying SD-AVC within an existing network does not require any changes to the network topology.
Custom application functionality
-
Releases earlier than Cisco vManage Release 20.5.1, Cisco IOS XE Catalyst SD-WAN Release 17.5.1a
Creating a custom application has the following effect:
A custom application does not affect visibility functionality (monitoring traffic) or control functionality (traffic policy) until a policy that makes use of the custom application is applied.
-
Releases Cisco vManage Release 20.5.1, Cisco IOS XE Catalyst SD-WAN Release 17.5.1a or later
Creating a custom application has the following effect:
-
A custom application affects application visibility functionality only (monitoring traffic), such as for protocol-discovery counters and Flexible NetFlow (FNF), and does not affect traffic policy.
-
When the custom application is used by a policy, it affects control functionality (traffic policy) also.
-
Packet trace and Network-wide Path Insights
From Cisco vManage Release 20.5.1, packet trace output includes these terms:
-
Classification name: This is the application classification of traffic for policy purposes.
-
Classification visibility name: This is the application classification of the traffic for traffic visibility purposes, such as for protocol-discovery counters and Flexible NetFlow (FNF).
The NBAR section of the Network-wide Path Insights (NWPI) Insight advanced views uses the same terms. In Cisco SD-WAN Manager, see this in .
In this example, the Classification name and Classification visibility name are different because custom applications are enabled only for visibility functionality (monitoring traffic).
Packet number in flow: 12
Classification state: Final
Classification name: ssl
Classification ID: 1312 [CANA-L7:453]
Candidate classification sources:
N/A
Early cls priority: 255
Permit apps list id: 0
Sdavc Early prioirty as app: 0
Classification visibility name: cisco_com
Classification visibility ID: 3714 [21:3714]
Number of matched sub-classifications: 0
Number of extracted fields: 0
Is PA (split) packet: False
Is FIF (first in flow) packet: False
TPH-MQC bitmask value: 0x4
Source MAC address: 00-00-5E-00-53-00
Destination MAC address: 00-00-5E-00-53-01
Traffic Categories: N/A
In this example, the Classification name and Classification visibility name match because custom applications are enabled for visibility functionality (monitoring traffic) and control functionality (traffic policy).
Packet number in flow: 12
Classification state: Final
Classification name: cisco_com
Classification ID: 1312 [CANA-L7:453]
Candidate classification sources:
N/A
Early cls priority: 255
Permit apps list id: 0
Sdavc Early prioirty as app: 0
Classification visibility name: cisco_com
Classification visibility ID: 3714 [21:3714]
Number of matched sub-classifications: 0
Number of extracted fields: 0
Is PA (split) packet: False
Is FIF (first in flow) packet: False
TPH-MQC bitmask value: 0x4
Source MAC address: 00-00-5E-00-53-00
Destination MAC address: 00-00-5E-00-53-01
Traffic Categories: N/A
Custom application names
From Cisco Catalyst SD-WAN Manager Release 20.16.1, when you create a new custom application and provide a name for the application, Cisco SD-WAN Manager appends "-Custom" to the name. This ensures that the name does not conflict with other application types, such as those from Protocol Packs, or cloud-sourced applications.
Restrictions for custom applications
-
Maximum number of custom applications: 1100
-
Maximum number of L3/L4 rules: 20000
-
Maximum number of server names: 50000
-
For server names, maximum instances of wildcard followed by a period (.): 50000
Example: *.cisco.com matches www.cisco.com, developer.cisco.com
-
For server names, maximum instances of prefix wildcard as part of server name: 256
Example: *ample.com matches www.example.com
-
Mapping the same domain to two different custom applications is not supported.
-
To enable first packet classification with SD-AVC, unencrypted DNS traffic must be redirected through the router running on Cisco IOS XE Catalyst SD-WAN devices and must be visible within the same VRF as the application traffic.
-
Creating custom applications though CLI is not supported in Cisco Catalyst SD-WAN policy.
-
SD-AVC state replication in disaster recovery (DR) is not supported in Cisco Catalyst SD-WAN Manager Release 20.12.1 and earlier. DR switchover resets SD-AVC state for Cisco Catalyst SD-WAN Manager Release 20.12.1 and earlier releases. Post switchover, custom applications will not be present in SD-AVC.
-
For NBAR to correctly categorize traffic based on domain name, the DNS traffic needs to pass unencrypted through the router.