Configuring Application Visibility and Control

Finding Feature Information

Your software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http:/​/​www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Information About Application Visibility and Control

Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques with the Network-Based Application Recognition engine, and provides application-level visibility and control into Wi-Fi networks. After the applications are recognized, the AVC feature enables you to either drop or mark the data traffic.

Using AVC, we can detect more than 1000 applications. AVC enables you to perform real-time analysis and create policies to reduce network congestion, costly network link usage, and infrastructure upgrades.

Note
You can view list of 30 applications in Top Applications in Monitor Summary section of the UI.

AVC DSCP marks only the DSCP of the original packet in the controller in both directions (upstream and downstream). It does not affect the outer CAPWAP DCSP. AVC DSCP is applicable only when the application is classified. For example, based on the AVC profile configuration, if an application is classified as ftp or http, the corresponding DSCP marking is applied irrespective of the WLAN QoS. For downstream, the DSCP value of outer CAPWAP header and inner packet’s DSCP are taken from AVC DSCP. WLAN QoS is only applicable for all traffic from WLC to AP through CAPWAP. It does not change the DSCP of the original packet

Restrictions for Application Visibility and Control

Configuring Application Visibility and Control (CLI)

To configure AVC, follow these general steps:
  1. Create a flow record by specifying keys and non-key fields to the flow.
  2. Create an optional flow exporter by specifying the flow record as an option.
  3. Create a flow monitor based on the flow record and flow exporter.
  4. Configure WLAN to apply flow monitor in IPv4 input or output direction.

Creating a Flow Record

By default, wireless avc basic (flow record) is available. When you click Apply from the GUI, then the record is mapped to the flow monitor.

Default flow record cannot be edited or deleted. If you require a new flow record, you need to create one and map it to the flow monitor from CLI.

SUMMARY STEPS

    1.    configure terminal

    2.    flow record flow_record_name

    3.    description string

    4.    match ipv4 protocol

    5.    match ipv4 source address

    6.    match ipv4 destination address

    7.    match transport source-port

    8.    match transport destination-port

    9.    match flow direction

    10.    match application name

    11.    match wireless ssid

    12.    collect counter bytes long

    13.    collect counter packets long

    14.    collect wireless ap mac address

    15.    collect wireless client mac address

    16.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 configure terminal


    Example: 
    Switch# configure terminal
     

    Enters global configuration mode.

     
    Step 2flow record flow_record_name


    Example: 
    Switch(config)# flow record record1
Switch (config-flow-record)#
     

    Enters flow record configuration mode.

     
    Step 3description string


    Example: 
    Switch(config-flow-record)# description IPv4flow
     

    (Optional) Describes the flow record as a maximum 63-character string.

     
    Step 4match ipv4 protocol


    Example: 
    Switch (config-flow-record)# match ipv4 protocol
     

    Specifies a match to the IPv4 protocol.

     
    Step 5match ipv4 source address


    Example: 
    Switch (config-flow-record)# match ipv4 source address
     

    Specifies a match to the IPv4 source address-based field.

     
    Step 6match ipv4 destination address


    Example: 
    Switch (config-flow-record)# match ipv4 destination address
     

    Specifies a match to the IPv4 destination address-based field.

     
    Step 7match transport source-port


    Example: 
    Switch (config-flow-record)# match transport source-port
     

    Specifies a match to the transport layer source-port field.

     
    Step 8match transport destination-port


    Example: 
    Switch (config-flow-record)# match transport destination-port
     

    Specifies a match to the transport layer destination-port field.

     
    Step 9match flow direction


    Example: 
    Switch (config-flow-record)# match flow direction
     

    Specifies a match to the direction the flow was monitored in.

     
    Step 10match application name


    Example: 
    Switch (config-flow-record)# match application name
     

    Specifies a match to the application name.

     
    Step 11match wireless ssid


    Example: 
    Switch (config-flow-record)# match wireless ssid
     

    Specifies a match to the SSID name identifying the wireless network.

     
    Step 12collect counter bytes long


    Example: 
    Switch (config-flow-record)# collect counter bytes long
     

    Specifies to collect counter fields total bytes.

     
    Step 13collect counter packets long


    Example: 
    Switch (config-flow-record)# collect counter bytes long
     

    Specifies to collect counter fields total packets.

     
    Step 14collect wireless ap mac address


    Example: 
    Switch (config-flow-record)# collect wireless ap mac address
     

    Specifies to collect the BSSID with MAC addresses of the access points that the wireless client is associated with.

     
    Step 15collect wireless client mac address


    Example: 
    Switch (config-flow-record)# collect wireless client mac address
     

    Specifies to collect MAC address of the client on the wireless network.

     
    Step 16end


    Example:
    Switch(config)# end
     

    Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

     

    Creating a Flow Exporter (Optional)

    You can create a flow export to define the export parameters for a flow. This is an optional procedure for configuring flow parameters.

    SUMMARY STEPS

      1.    configure terminal

      2.    flow exporter flow_exporter_name

      3.    description string

      4.    destination {hostname | ip-address}

      5.    transport udp port-value

      6.    option application-table timeout seconds (optional)

      7.    option usermac-table timeout seconds (optional)

      8.    end

      9.    show flow exporter

      10.    end


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 configure terminal


      Example: 
      Switch# configure terminal
       

      Enters global configuration mode.

       
      Step 2flow exporter flow_exporter_name


      Example: 
      Switch(config)# flow exporter record1
Switch (config-flow-exporter)#
       

      Enters flow exporter configuration mode.

       
      Step 3description string


      Example: 
      Switch(config-flow-exporter)# description IPv4flow
       

      Describes the flow record as a maximum 63-character string.

       
      Step 4 destination {hostname | ip-address}


      Example: 
      Switch (config-flow-exporter) # destination 10.99.1.4
       

      Specifies the hostname or IPv4 address of the system to which the exporter sends data.

       
      Step 5transport udp port-value


      Example: 
      Switch (config-flow-exporter) # transport udp 2
       

      Configures a port value for the UDP protocol.

       

      Step 6option application-table timeout seconds (optional)


      Example: 
      Switch (config-flow-exporter)# option application-table timeout 500
       

      (Optional) Specifies application table timeout option. The valid range is from 1 to 86400 seconds.

       
      Step 7option usermac-table timeout seconds (optional)


      Example: 
      Switch (config-flow-exporter)# option usermac-table timeout 1000
       

      (Optional) Specifies wireless usermac-to-username table option. The valid range is from 1 to 86400 seconds.

       
      Step 8end


      Example:
      Switch(config)# end
       

      Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

       
      Step 9 show flow exporter


      Example: 
      Switch # show flow exporter
       

      Verifies your configuration.

       

      Step 10end


      Example:
      Switch(config)# end
       

      Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

       

      Creating a Flow Monitor

      You can create a flow monitor and associate it with a flow record and a flow exporter.

      SUMMARY STEPS

        1.    configure terminal

        2.    flow monitor monitor-name

        3.    description description

        4.    record record-name

        5.    exporter exporter-name

        6.    cache timeout {active | inactive} (Optional)

        7.    end

        8.    show flow monitor


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 configure terminal


        Example: 
        Switch# configure terminal
         

        Enters global configuration mode.

         
        Step 2 flow monitor monitor-name


        Example: 
        Switch (config)# flow monitor flow-monitor-1
         

        Creates a flow monitor and enters flow monitor configuration mode.

         

        Step 3 description description


        Example: 
        Switch (config-flow-monitor)# description flow-monitor-1
         

        Creates a description for the flow monitor.

         

        Step 4 record record-name


        Example: 
        Switch (config-flow-monitor)# record flow-record-1
         

        Specifies the name of a recorder that was created previously.

         

        Step 5 exporter exporter-name


        Example: 
        Switch (config-flow-monitor)# exporter flow-exporter-1
         

        Specifies the name of an exporter that was created previously.

         

        Step 6cache timeout {active | inactive} (Optional)


        Example: 
        Switch (config-flow-monitor)# cache timeout active 1800 
        Switch (config-flow-monitor)# cache timeout inactive 200
         

        Specifies to configure flow cache parameters. You can configure for a time period of 1 to 604800 seconds (optional).

        Note    To achieve optimal result for the AVC flow monitor, we recommend you to configure the inactive cache timeout value to be greater than 90 seconds.
         
        Step 7end


        Example:
        Switch(config)# end
         

        Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

         
        Step 8 show flow monitor


        Example: 
        Switch # show flow monitor
         

        Verifies your configuration.

         

        Configuring WLAN to Apply Flow Monitor in IPV4 Input/Output Direction

        SUMMARY STEPS

          1.    configure terminal

          2.    wlan wlan-id

          3.    ip flow monitor monitor-name {input | output}

          4.    end


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 configure terminal


          Example: 
          Switch# configure terminal
           

          Enters global configuration mode.

           
          Step 2 wlan wlan-id


          Example: 
          Switch (config) # wlan 1
           

          Enters WLAN configuration submode. For wlan-id, enter the WLAN ID. The range is 1 to 64.

           

          Step 3ip flow monitor monitor-name {input | output}


          Example: 
          Switch (config-wlan) # ip flow monitor flow-monitor-1 input
           

          Associates a flow monitor to the WLAN for input or output packets.

           
          Step 4end


          Example:
          Switch(config)# end
           

          Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

           

          Configuring Application Visibility and Control (GUI)

          You can apply the default flow record (wireless avc basic) to the default flow monitor (wireless-avc-basic).

          If you are using the flow record and flow monitor you have created, then the record name and monitor name should be same. This is specific only for configuring AVC from GUI and not for the CLI configuration.

          You can use the flow monitor you have created either for upstream or downstream, or both, but ensure that you use the same record name while mapping with the flow monitor.

            Step 1   Choose Configuration > Wireless > WLAN.

            The WLAN page appears.

            Step 2   Click on corresponding WLAN ID to open WLAN Edit page and click AVC.

            The Application Visibility page appears.

            1. Select the Application Visibility Enabled check box to enable AVC on a WLAN.
            2. In the Upstream Profile text box, enter the name of the AVC profile.
            3. In the Downstream Profile text box, enter the name of the AVC profile.

            To enable AVC, you need to enter the profile names for the upstream and downstream profiles. The profile names are the flow monitor names. By default, the flow monitor names (wireless-avc-basic) appear in the Upstream Profile and Downstream Profile text boxes. For the default flow monitor, the default flow record (wireless avc basic) will be taken. The default flow record is generated by the system and is available.

            You can change the profile names for the upstream and downstream profiles but ensure that the same flow records are available for the flow monitors.

            The upstream and downstream profiles can have different profile names but there should be flow records available for the flow monitors.

            Step 3   Click Apply to apply AVC on the WLAN.
            Step 4   Uncheck the Application Visibility Enabled check box on the WLAN page.

            AVC is disabled on WLAN.

            Step 5   Click Apply.

            Monitoring Application Visibility and Control (CLI)

            This section describes the new commands for application visibility.

            The following commands can be used to monitor application visibility on the switch and access points.

            Table 1 Monitoring Application Visibility Commands on the switch

            Command

            Purpose

            show avc client client-mac top n application [aggregate | upstream | downstream]

            Displays information about top "N" applications for the given client MAC.

            show avc wlan ssid top n application [aggregate | upstream | downstream]

            Displays information about top "N" applications for the given SSID.

            show wlan id wlan-id

            Displays information whether AVC is enabled or disabled on a particular WLAN.

            show flow monitor flow_monitor_name cache

            Displays information about flow monitors.

            Table 2 Clearing Application Visibility Statistics Commands

            Command

            Purpose

            clear avc client mac stats

            Clears the statistics per client.

            clear avc wlan ssid-name stats

            Clears the statistics per WLAN.

            Monitoring Application Visibility and Control (GUI)

            You can view AVC information on a WLAN in a single shot using a AVC on WLAN pie chart on the Home page of the switch. The pie chart displays the AVC data (Aggregate - Application Cumulative usage %) of the first WLAN. In addition, the top 5 WLANs based on clients are displayed first. Click on any one of the WLANs to view the corresponding pie chart information. If AVC is not enabled on the first WLAN, then the Home page does not display the AVC pie chart.

              Step 1   Choose Monitor > Controller > AVC > WLANs.

              The WLANs page appears.

              Step 2   Click the corresponding WLAN profile.

              The Application Statistics page appears.

              From the Top Applications drop-down list, choose the number of top applications you want to view and click Apply. The valid range is between 5 to 30, in multiples of 5.

              1. On the Aggregate, Upstream, and Downstream tabs, you can view the application cumulative and last 90 seconds statistics and usage percent with the following fields:

                • Application name

                • Packet count

                • Byte count

                • Average packet size

                • usage (%)

              Step 3   Choose Monitor > Clients > Client Details > Clients.

              The Clients page appears.

              Step 4   Click Client MAC Address and then click AVC Statistics tab.

              The Application Visibility page appears.

              1. On the Aggregate, Upstream, and Downstream tabs, you can view the application cumulative and last 90 seconds statistics and usage percent with the following fields:

                • Application name

                • Packet count

                • Byte count

                • Average packet size

                • usage (%)

              Examples: Application Visibility and Control Configuration

              This example shows how to create a flow record, create a flow monitor, apply the flow record to the flow monitor, and apply the flow monitor on a WLAN: 
              Switch# configure terminal
Switch(config)# flow record fr_v4
Switch(config-flow-record)# match ipv4 protocol
Switch(config-flow-record)# match ipv4 source address
Switch(config-flow-record)# match ipv4 destination address
Switch(config-flow-record)# match transport destination-port
Switch(config-flow-record)# match flow direction
Switch(config-flow-record)# match application name
Switch(config-flow-record)# match wireless ssid
Switch(config-flow-record)# collect counter bytes long
Switch(config-flow-record)# collect counter packets long
Switch(config-flow-record)# collect wireless ap mac address
Switch(config-flow-record)# collect wireless client mac address
Switch(config)#end


Switch# configure terminal
Switch# flow monitor fm_v4
Switch(config-flow-monitor)# record fr_v4
Switch(config-flow-monitor)# cache timeout active 1800
Switch(config)#end


Switch(config)#wlan wlan1
Switch(config-wlan)#ip flow monitor fm_v4 input
Switch(config-wlan)#ip flow mon fm-v4 output
Switch(config)#end

              Additional References for Application Visibility and Control

              Related Documents

              Related Topic Document Title
              System management commands

              System Management Command Reference Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
              Flexible NetFlow configuration

              Flexible NetFlow Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
              Flexible NetFlow commands

              Flexible NetFlow Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

              Standards and RFCs

              Standard/RFC Title
              None

              MIBs

              MIB MIBs Link
              All supported MIBs for this release.

              To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

              http:/​/​www.cisco.com/​go/​mibs

              Technical Assistance

              Description Link

              The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

              To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

              Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

              http:/​/​www.cisco.com/​support

              Feature History and Information For Application Visibility and Control

              Release Feature Information
              Cisco IOS XE 3.3SE This feature was introduced.