Configuring Application Visibility and Control in a Wireless Network

Application Visibility and Control (AVC) is a solution for Cisco network devices that provides application-level classification, monitoring, and traffic control to improve business-critical application performance, facilitate capacity management and planning, and reduce network operating costs. The Cisco AVC solution is provided within the Branch and Aggregation routers, Cisco Switches, and Cisco Wireless Controllers and Access points.

For information about AVC on Cisco Switches, see Configuring Application Visibility and Control in a Wired Network.

For information about AVC on Cisco Wireless Controllers and Access points, see Configuring Application Visibility and Control in a Wireless Network.

Finding Feature Information

Your software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Application Visibility and Control

Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques with the Network-Based Application Recognition engine, and provides application-level visibility and control (QoS) in wireless networks. After the applications are recognized, the AVC feature enables you to either drop, mark, or police the data traffic.

AVC is configured by defining a class map in a QoS client policy to match a protocol.

Using AVC, we can detect more than 1000 applications. AVC enables you to perform real-time analysis and create policies to reduce network congestion, costly network link usage, and infrastructure upgrades.


Note

You can view list of 30 applications in Top Applications in Monitor Summary section of the UI.

Traffic flows are analyzed and recognized using the NBAR2 engine at the access point. For more information about the NBAR2 Protocol Library, see http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html. The specific flow is marked with the recognized protocol or application, such as WebEx. This per-flow information can be used for application visibility using Flexible NetFlow (FNF).

AVC QoS actions are applied with AVC filters in both upstream and downstream directions. The QoS actions supported for upstream flow are drop, mark, and police, and for downstream flow are mark and police. AVC QoS is applicable only when the application is classified correctly and matched with the class map filter in the policy map. For example, if the policy has a filter based on an application name, and the traffic has also been classified to the same application name, then the action specified for this match in the policy will be applied.


Note

When you downgrade the controller from 8.0 to any earlier version, the AVC rate limit rules display the action as drop. This action is expected since the AVC rate limit rule is introduced in the controller version 8.0.


Cisco WLC Platform Flow
Cisco 2504 WLC 26,250
Cisco 5508 WLC 183,750
Cisco WiSM2 393,750
Cisco 8510 WLC 336,000
Cisco 5520 WLC 336,000
Cisco 8540 WLC 336,000

Application Visibility and Control Protocol Packs

Protocol packs are a means to distribute protocol updates outside the switch software release trains, and can be loaded on the switch without replacing the switch software.

The Application Visibility and Control Protocol Pack (AVC Protocol Pack) is a single compressed file that contains multiple Protocol Description Language (PDL) files and a manifest file. A set of required protocols can be loaded, which helps AVC to recognize additional protocols for classification on your network. The manifest file gives information about the protocol pack, such as the protocol pack name, version, and some information about the available PDLs in the protocol pack.

The AVC Protocol Packs are released to specific AVC engine versions. You can load a protocol pack if the engine version on the switch platform is the same or higher than the version required by the protocol pack.

Supported AVC Class Map and Policy Map Formats

Supported AVC Class Map Format

Class Map Format Class Map Example Direction
match protocol protocol name
class-map match-any webex-class
match protocol webex-media 

Both upstream and downstream
match protocol attribute category category-name
class-map match-any IM
match protocol attribute category instant-messaging 

Both upstream and downstream
match protocol attribute sub-category sub-category-name
class-map match-any realtimeconferencing
match protocol attribute sub-category voice-video-chat-collaboration

Both upstream and downstream
match protocol attribute application-group application-group-name
class-map match-any skype
match protocol attribute application-group skype-group

Both upstream and downstream
Combination filters
class-map match-any webex-class
match protocol webex 
match dscp 45
match wlan user-priority 6

Upstream only

Supported AVC Policy Format

Policy Format QoS Action
Upstream client policy based on match protocol filter Mark, police, and drop
Downstream client policy based on match protocol filter Mark and police

The following table describes the detailed AVC policy format with an example:

AVC Policy Format AVC Policy Example Direction
Basic set
policy-map webex-policy
	class webex-class			 
 set dscp ef //or set up,cos			 

Upstream and downstream
Basic police
policy-map webex-policy
	class webex-class			 
 police 5000000		 

Upstream and downstream
Basic set and police
policy-map webex-policy
	class webex-class
 set dscp ef //or set up,cos police 5000000		 

Upstream and downstream
Multiple set and police including default
policy-map webex-policy
	class webex-class			 
 set dscp af31 //or set up,cos 
 police 4000000
	class class-webex-category	
	set dscp ef //or set up,cos
	police 6000000
	class class-default
	set dscp <>				 				 			 	 

Upstream and downstream
Hierarchical police
policy-map webex-policy
	class webex-class			 
	police 5000000
	service-policy client-in-police-only				 			 
 policy-map client-in-police-only 
 class webex-class	
	police 100000
	class class-webex-category
 set dscp ef //or set up,cos
 police 6000000
	police 200000			 				 			 	 

Upstream and downstream
Hierarchical set and police
policy-map webex-policy
 class class-default
 police 1500000
	service policy client-up-child
	policy-map webex-policy
	class webex-class	
 police 100000
 set dscp ef
	class class-webex-category
	police 200000
	set dscp af31	 

Drop action

Any of the above examples apply to this format with this additional example:

policy-map webex-policy
	class webex-class
	drop
	class netflix
	set dscp ef //or set up,cos
	police 6000000				 		 				 
 class class-default
	set dscp <>				  	 

Upstream only

Prerequisites for Application Visibility and Control

  • The access points should be AVC capable.

  • For the control part of AVC (QoS) to work, the application visibility feature with FNF has to be configured.

Guidelines for Inter-Device Roaming with Application Visibility and Control

Follow these guidelines to prevent clients from getting excluded due to malformed QoS policies:

  • When a new QoS policy is added to the device, a QoS policy with the same name should be added to other device within the same roam or mobility domain.

  • When a device is loaded with a software image of a later release, the new policy formats are supported. If you have upgraded the software image from an earlier release to a later release, you should save the configuration separately. When an earlier release image is loaded, some QoS policies might show as not supported, and you should restore those QoS policies to supported policy formats.

Restrictions for Application Visibility and Control

  • AVC is supported only on the following access points:

    • Cisco Aironet 1260 Series Access Points

    • Cisco Aironet 1600 Series Access Points

    • Cisco Aironet 2600 Series Access Point

    • Cisco Aironet 2600 Series Wireless Access Points

    • Cisco Aironet 2700 Series Access Point

    • Cisco Aironet 3500 Series Access Points

    • Cisco Aironet 3600 Series Access Points

  • AVC is not supported on Cisco Aironet 702W, 702I (128 M memory), and 1530 Series Access Points.

  • Dropping or marking of the data traffic (control part) is not supported for software Release 3.3.

  • Dropping or marking of the data traffic (control part) is supported in software Release 3E.

  • Only the applications that are recognized with application visibility can be used for applying QoS control.

  • Multicast traffic classification is not supported.

  • Only the applications that are recognized with App visibility can be used for applying QoS control.

  • IPv6 including ICMPv6 traffic classifications are not supported.

  • Datalink is not supported for NetFlow fields for AVC.

  • The following commands are not supported for AVC flow records:

    • collect flow username

    • collect interface { input | output}

    • collect wireless client ipv4 address

    • match interface { input | output}

    • match transport igmp type

  • The template timeout cannot be modified on exporters configured with AVC. Even if the template timeout value is configured to a different value, only the default value of 600 seconds is used.

  • For the username information in the AVC-based record templates, ensure that you configure the options records to get the user MAC address to username mapping.

  • When there is a mix of AVC-enabled APs such as 3600, and non-AVC-enabled APs such as 1140, and the chosen policy for the client is AVC-enabled, the policy will not be sent to the APs that cannot support AVC.

  • Only ingress AVC statistics are supported. The frequency of statistics updates depends on the number of clients loaded at the AP at that time. Statistics are not supported for very large policy format sizes.

  • The total number of flows for which downstream AVC QoS supported per client is 1000.

  • The maximum number of flows supported for Catalyst 3850 Series Switch is 48 K.

  • These are some class map and policy map-related restrictions. For supported policy formats, see Supported AVC Class Map and Policy Map Formats

    .
    • AVC and non-AVC classes cannot be defined together in a policy in a downstream direction. For example, when you have a class map with match protocol, you cannot use any other type of match filter in the policy map in the downstream direction.

    • Drop action is not applicable for the downstream AVC QoS policy.

    • Match protocol is not supported in ingress or egress for SSID policy.

  • Google shares resources among several of their services because of which for some of the traffic it is not possible to say it is unique to one application. Therefore we added google-services for traffic that cannot be distinguished. The behavior you experience is expected.

  • AVC is not supported on management port (Gig 0/0).

  • NBAR based QoS policy configuration is allowed only on wired physical ports. Policy configuration is not supported on virtual interfaces, for example, VLAN, Port-Channel and other logical interfaces.

  • NBAR and NetFlow cannot be configured together at the same time on the same interface.

Configuring Application Visibility and Control (CLI)

To configure Application Visibility, follow these general steps:
  1. Create a flow record by specifying keys and non-key fields to the flow.
  2. Create an optional flow exporter by specifying the flow record as an option.
  3. Create a flow monitor based on the flow record and flow exporter.
  4. Configure WLAN to apply flow monitor in IPv4 input or output direction.
To configure Application Control, follow these general steps:
  1. Create an AVC QoS policy.
  2. Attach AVC QoS policy to the client in one of three ways: configuring WLAN, using ACS or ISE, or adding local policies.

To enable application recognition on an interface, see Configuring Application Visibility and Control in a Wired Network .

Creating a Flow Record

By default, wireless avc basic (flow record) is available. When you click Apply from the GUI, then the record is mapped to the flow monitor.

Default flow record cannot be edited or deleted. If you require a new flow record, you need to create one and map it to the flow monitor from CLI.

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

flow record flow_record_name

Example:

Device(config)# flow record record1
Device (config-flow-record)#

Enters flow record configuration mode.

Step 3

description string

Example:

Device(config-flow-record)# description IPv4flow

(Optional) Describes the flow record as a maximum 63-character string.

Step 4

match ipv4 protocol

Example:

Device (config-flow-record)# match ipv4 protocol

Specifies a match to the IPv4 protocol.

Step 5

match ipv4 source address

Example:

Device (config-flow-record)# match ipv4 source address

Specifies a match to the IPv4 source address-based field.

Step 6

match ipv4 destination address

Example:

Device (config-flow-record)# match ipv4 destination address

Specifies a match to the IPv4 destination address-based field.

Step 7

match transport source-port

Example:

Device (config-flow-record)# match transport source-port

Specifies a match to the transport layer source-port field.

Step 8

match transport destination-port

Example:

Device (config-flow-record)# match transport destination-port

Specifies a match to the transport layer destination-port field.

Step 9

match flow direction

Example:

Device (config-flow-record)# match flow direction

Specifies a match to the direction the flow was monitored in.

Step 10

match application name

Example:

Device (config-flow-record)# match application name

Specifies a match to the application name.

Note 
This action is mandatory for AVC support, as this allows the flow to be matched against the application.
Step 11

match wireless ssid

Example:

Device (config-flow-record)# match wireless ssid

Specifies a match to the SSID name identifying the wireless network.

Step 12

collect counter bytes long

Example:

Device (config-flow-record)# collect counter bytes long

Specifies to collect counter fields total bytes.

Step 13

collect counter packets long

Example:

Device (config-flow-record)# collect counter bytes long

Specifies to collect counter fields total packets.

Step 14

collect wireless ap mac address

Example:

Device (config-flow-record)# collect wireless ap mac address

Specifies to collect the BSSID with MAC addresses of the access points that the wireless client is associated with.

Step 15

collect wireless client mac address

Example:

Device (config-flow-record)# collect wireless client mac address
Specifies to collect MAC address of the client on the wireless network.
Note 

The collect wireless client mac address is mandatory configuration for wireless AVC.

Step 16

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating a Flow Exporter (Optional)

You can create a flow export to define the export parameters for a flow. This is an optional procedure for configuring flow parameters.

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

flow exporter flow_exporter_name

Example:

Device(config)# flow exporter record1
Device (config-flow-exporter)#

Enters flow exporter configuration mode.

Step 3

description string

Example:

Device(config-flow-exporter)# description IPv4flow

Describes the flow record as a maximum 63-character string.

Step 4

destination {hostname | ip-address}

Example:

Device (config-flow-exporter) # destination 10.99.1.4

Specifies the hostname or IPv4 address of the system to which the exporter sends data.

Step 5

transport udp port-value

Example:

Device (config-flow-exporter) # transport udp 2

Configures a port value for the UDP protocol.

Step 6

option application-table timeout seconds (optional)

Example:

Device (config-flow-exporter)# option application-table timeout 500  

(Optional) Specifies application table timeout option. The valid range is from 1 to 86400 seconds.

Step 7

option usermac-table timeout seconds (optional)

Example:

Device (config-flow-exporter)# option usermac-table timeout 1000  

(Optional) Specifies wireless usermac-to-username table option. The valid range is from 1 to 86400 seconds.

Step 8

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 9

show flow exporter

Example:

Device # show flow exporter

Verifies your configuration.

Step 10

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating a Flow Monitor

You can create a flow monitor and associate it with a flow record and a flow exporter.

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

flow monitor monitor-name

Example:

Device (config)# flow monitor flow-monitor-1

Creates a flow monitor and enters flow monitor configuration mode.

Step 3

description description

Example:

Device (config-flow-monitor)# description flow-monitor-1

Creates a description for the flow monitor.

Step 4

record record-name

Example:

Device (config-flow-monitor)# record flow-record-1

Specifies the name of a recorder that was created previously.

Step 5

exporter exporter-name

Example:

Device (config-flow-monitor)# exporter flow-exporter-1

Specifies the name of an exporter that was created previously.

Step 6

cache timeout { active | inactive} (Optional)

Example:

Device (config-flow-monitor)# cache timeout active 1800 
Device (config-flow-monitor)# cache timeout inactive 200 

Specifies to configure flow cache parameters. You can configure for a time period of 1 to 604800 seconds (optional).

Note 
To achieve optimal result for the AVC flow monitor, we recommend you to configure the inactive cache timeout value to be greater than 90 seconds.
Step 7

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 8

show flow monitor

Example:

Device # show flow monitor

Verifies your configuration.

Creating AVC QoS Policy

To create AVC QoS policy, perform these general steps:
  1. Create a class map with match protocol filters.

  2. Create a policy map.

  3. Apply a policy map to the client in one of the following ways:

    1. Apply a policy map over WLAN either from the CLI or GUI.

    2. Apply a policy map through the AAA server (ACS server or ISE) from the CLI.

      For more information, refer to the Cisco Identity Services Engine User Guide and Cisco Secure Access Control System User Guide.

    3. Apply local policies either from the CLI or GUI.

Creating a Class Map

You need to create a class map before configuring any match protocol filter. The QoS actions such as marking, policing, and dropping can be applied to the traffic. The AVC match protocol filters are applied only for the wireless clients. For more information about the protocols that are supported, see http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html.

Procedure
  Command or Action Purpose
Step 1

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 2

class-map class-map-name

Example:
Device(config)# class-map webex-class

Creates a class map.

Step 3

match protocol { application-name | attribute category category-name | attribute sub-category sub-category-name | attribute application-group application-group-name}

Example:

Device(config)# class-map webex-class
Device(config-cmap)# match protocol webex-media

Device(config)# class-map class-webex-category
Device(config-cmap)# match protocol attribute category webex-media

Device# class-map class-webex-sub-category
Device(config-cmap)# match protocol attribute sub-category webex-media

Device# class-map class-webex-application-group
Device(config-cmap)# match protocol attribute application-group webex-media

Specifies match to the application name, category name, subcategory name, or application group.

Step 4

end

Example:
Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating a Policy Map

Procedure
  Command or Action Purpose
Step 1

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 2

policy-map policy-map-name

Example:

Device(config)# policy-map webex-policy
Device(config-pmap)# 

Creates a policy map by entering the policy map name, and enters policy-map configuration mode.

By default, no policy maps are defined.

The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged. No policing is performed.

Note 

To delete an existing policy map, use the no policy-map policy-map-name global configuration command.

Step 3

class [class-map-name | class-default]

Example:

Device(config-pmap)# class-map webex-class
Device(config-pmap-c)# 

Defines a traffic classification, and enters policy-map class configuration mode.

By default, no policy map and class maps are defined.

If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.

A class-default traffic class is predefined and can be added to any policy. It is always placed at the end of a policy map. With an implied match any is included in the class-default class, all packets that have not already matched the other traffic classes will match class-default .

Note 

To delete an existing class map, use the no class class-map-name policy-map configuration command.

Step 4

police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]

Example:

Device(config-pmap-c)# police 100000 80000 drop

Defines a policer for the classified traffic.

By default, no policer is defined.

  • For rate-bps, specify an average traffic rate in bits per second (b/s). The range is 8000 to 10000000000.

  • For burst-byte, specify the normal burst size in bytes. The range is 8000 to 1000000.

  • (Optional) Specifies the action to take when the rates are exceeded. Use the exceed-action drop keywords to drop the packet. Use the exceed-action policed-dscp-transmit keywords to mark down the DSCP value (by using the policed-DSCP map) and to send the packet.

Step 5

set { dscp new-dscp | cos cos-value}

Example:

Device(config-pmap-c)# set dscp 45

Classifies IP traffic by setting a new value in the packet.

  • For dscp new-dscp , enter a new DSCP value to be assigned to the classified traffic. The range is 0 to 63.

Step 6

end

Example:
Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

What to do next

After creating your policy maps, attach the traffic policy or polices to an interface using the service-policy command.

Configuring Local Policies (CLI)

Creating a Service Template (CLI)

Procedure
  Command or Action Purpose
Step 1

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 2

service-template service-template-name

Example:

Device(config)# service-template cisco-phone-template
Device(config-service-template)# 

Enters service template configuration mode.

Step 3

access-group acl_list

Example:

Device(config-service-template)# access-group foo-acl

Specifies the access list to be applied.

Step 4

vlan vlan_id

Example:

Device(config-service-template)# vlan 100

Specifies VLAN ID. You can specify a value from 1 to 4094.

Step 5

absolute-timer seconds

Example:

Device(config-service-template)# absolute-timer 20

Specifies session timeout value for service template. You can specify a value from 1 to 65535.

Step 6

service-policy qos { input | output}

Example:

Device(config-service-template)# service-policy qos input foo-qos

Configures QoS policies for the client.

Step 7

end

Example:
Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating a Parameter Map (CLI)

Parameter map is preferred to use than class map.

Procedure
  Command or Action Purpose
Step 1

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 2

parameter-map type subscriber attribute-to-service parameter-map-name

Example:

Device(config)# parameter-map type subscriber attribute-to-service Aironet-Policy-para

Specifies the parameter map type and name.

Step 3

map-index map { device-type | mac-address | oui | user-role | username} { eq | not-eq | regex filter-name }

Example:

Device(config-parameter-map-filter)# 10 map device-type eq "WindowsXP-Workstation"

Specifies parameter map attribute filter criteria.

Step 4

interface-template interface-template-name

Example:

Device(config-parameter-map-filter-submode)# interface-template cisco-phone-template
Device(config-parameter-map-filter-submode)# 

Enters service template configuration mode.

Step 5

end

Example:
Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating a Policy Map (CLI)

Procedure
  Command or Action Purpose
Step 1

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 2

policy-map type control subscriber policy-map-name

Example:

Device(config)# policy-map type control subscriber Aironet-Policy

Specifies the policy map type.

Step 3

event identity-update { match-all | match-first}

Example:

Device(config-policy-map)# event identity-update match-all

Specifies match criteria to the policy map.

Step 4

class_number class { class_map_name | always } { do-all | do-until-failure | do-until-success}

Example:

Device(config-class-control-policymap)# 1 class local_policy1_class do-until-success
Configures the local profiling policy class map number and specifies how to perform the action. The class map configuration mode includes the following command options:
  • always —Executes without doing any matching but return success.
  • do-all —Executes all the actions.
  • do-until-failure —Execute all the actions until any match failure is encountered. This is the default value.
  • do-until-success —Execute all the actions until any match success happens.
Step 5

action-index map attribute-to-service table parameter-map-name

Example:

Device(config-policy-map)# 10 map attribute-to-service table Aironet-Policy-para

Specifies parameter map table to be used.

Step 6

end

Example:
Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Applying a Local Policy for a Device on a WLAN (CLI)

Before you begin

If the service policy contains any device type-based rules in the parameter map, ensure that the device classifier is already enabled.


Note

You should use the device classification command to classify the device for it to be displayed correctly on the show command output.


Procedure
  Command or Action Purpose
Step 1

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wlan wlan-name

Example:

Device(config)# wlan wlan1

Enters WLAN configuration mode.

Step 3

service-policy type control subscriber policymapname

Example:
Device(config-wlan)# service-policy type control subscriber Aironet-Policy

Applies local policy to WLAN.

Step 4

profiling local http (optional)

Example:
Device(config-wlan)# profiling local http

Enables only profiling of devices based on HTTP protocol (optional).

Step 5

profiling radius http (optional)

Example:
Device(config-wlan)# profiling radius http

Enables profiling of devices on ISE (optional).

Step 6

no shutdown

Example:
Device(config-wlan)# no shutdown

Specifies not to shut down the WLAN.

Step 7

end

Example:
Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring WLAN to Apply Flow Monitor in IPV4 Input/Output Direction

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan wlan-id

Example:


Device (config) # wlan 1

Enters WLAN configuration submode. For wlan-id, enter the WLAN ID. The range is 1 to 64.

Step 3

ip flow monitor monitor-name {input | output}

Example:


Device (config-wlan) # ip flow monitor flow-monitor-1 input

Associates a flow monitor to the WLAN for input or output packets.

Step 4

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Information About AP downstream QoS

AP downstream QoS is the process of marking traffic from the controller to the AP. This is achieved by using the flow information from AP on the downstream traffic.

Polaris-based controllers do not support NBAR and the NBAR resides in the AP. When an AP is connected to the WLC (in local-mode with AVC-enabled) the AP performs the application visibility in the upstream and helps the controller to classify traffic (AP assist) in the downstream direction.

In the upstream direction, the control of the classified applications is done by the AP. In the downstream direction, after inspecting the first packet from the WLC, the AP informs the controller about the traffic session and the controller marks the traffic accordingly.


Note

AP assist is done only for application based marking.


Configuring Class-map for Downstream QoS

Follow the procedure given below to configure class-map for downstream QoS:

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

class-map match-any class-map-name

Example:

Device(config)# class-map match-any class1

Configures a matching class-name under this classmap.

Step 3

match protocol ftp

Example:

Device(config-cmap)# match protocol ftp

Configures FTP as the match protocol.

Step 4

match protocol ftp-data

Example:

Device(config-cmap)# match protocol ftp-data

Configures FTP as the match protocol for data part only.

Configuring Policy with Policing for Downstream QoS

Follow the procedure given below to configure policing for downstream QoS:

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

policy-map policy-map-name

Example:

Device(config)# policy-map policy1

Creates a policy map by entering the policy map name.

Step 3

class class-map-name

Example:

Device(config-pmap)#class class1

Specifies the name of the class whose policy you want to create.

Step 4

police cir bit-rate bc burst-rate

Example:

Device(config-pmap-c)# police cir 10000 bc 1500

Configures the policer with committed information rate bit rate and burst rates.

Step 5

conform-action transmit

Example:

Device(config-pmap-c-police)# conform-action transmit 

Transmits all the packets.

Step 6

exceed-action drop

Example:

Device(config-pmap-c-poice)# exceed-action drop

Drops all the packets.

Configuring Policy-map for Downstream QoS (set-dscp)

Follow the procedure given below to configure policy-map for downstream QoS (set-dscp):

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

policy-map policy-map-name

Example:

Device(config)# policy-map policy1

Configures a matching policy-name under this policymap.

Step 3

class class-map-name

Example:

Device(config-pmap)#class class1

Specifies the name of the class whose policy you want to create.

Step 4

set dscp

Example:

Device(config-pmap-c)# set dscp af41

Matches packets with AF41 dscp .

Configuring Policy-map for Downstream QoS (drop)

Follow the procedure given below to configure policy-map for downstream QoS (drop):

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

policy-map policy-map-name

Example:

Device(config)# policy-map policy1

Configures a matching policy-name under this policymap.

Step 3

class class-map-name

Example:

Device(config-pmap)#class class1

Specifies the name of the class whose policy you want to create.

Step 4

drop

Example:

Device(config-pmap-c)# drop

Drops all the packets.

Configuring Policy-map for Downstream QoS on the WLAN

Follow the procedure given below to configure policy-map for downstream QoS on the WLAN:

Before you begin

The following options are not supported for match app in the downstream direction on the WLAN:
  • set dscp

  • drop

  • policing

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan profile-name wlan-id ssid

Example:

Device(config)# wlan wlan11 11 test_p11

Configures the WLAN details.

Step 3

client vlanvlan-id

Example:

Device(config-wlan)# client vlan 1

Maps the VLAN group to the WLAN by entering the VLAN identifier, VLAN group, or the VLAN name.

Step 4

ip flow monitor flow-monitor input

Example:

Device(config-wlan)# ip flow monitor monitor1 input

Assigns the flow monitor that is created to the ingress interface.

Step 5

ip flow monitor flow-monitor output

Example:

Device(config-wlan)# ip flow monitor monitor1 output

Assigns the flow monitor that is created to the egress interface.

Step 6

service-policy client input policy-map-name

Example:

Device(config-wlan)# service-policy client input policy1

Assigns policy-map to all clients in WLAN.

Step 7

session-timeoit session-duration

Example:

Device(config-wlan)# session-timeout 10000

Sets the session timeout duration.

Step 8

shutdown

Example:

Device(config-wlan)# shutdown

Disables the WLAN.

Monitoring Application Visibility and Control

Monitoring Application Visibility and Control (CLI)

This section describes the new commands for application visibility.

The following commands can be used to monitor application visibility on the and access points.

Table 1. Monitoring Application Visibility Commands on the

Command

Purpose

show avc client client-mac top n application [ aggregate | upstream | downstream]

Displays information about top "N" applications for the given client MAC.

show avc wlan ssid top n application [ aggregate | upstream | downstream]

Displays information about top "N" applications for the given SSID.

avc top user[enable | disable]

Enables or disables the information about top "N" application.

show avc wlan wlan-id application app name topN [ aggregate | upstream | downstream]

Displays to know network usage information on a per user basis within an application.

Note 

On Catalyst 4500E Supervisor Engine 8-E, in the information about top N users that is displayed, the client's MAC address and username are not displayed. This issue occurs only within 90 seconds after the client is disconnected.

show wlan id wlan-id

Displays information whether AVC is enabled or disabled on a particular WLAN.

show flow monitor flow_monitor_name cache

Displays information about flow monitors.

show wireless client mac-address mac-address service-policy { input | output }

Displays information about policy mapped to the wireless clients.

show ip nbar protocol-discovery [ interface interface-type interface-number] [ stats{ byte-count | bit-rate | packet-count | max-bit-rate}] [ protocol protocol-name | top-n number]

Displays the statistics gathered by the NBAR Protocol Discovery feature.

  • (Optional) Enter keywords and arguments to fine-tune the statistics displayed. For more information on each of the keywords, refer to the show ip nbar protocol-discoverycommand in Cisco IOS Quality of Service Solutions Command Reference.

Note 

When you configure NBAR, you must enable Protocol Discovery on the interface.

show policy-map target

show policy-map

show policy-map policy-name

show policy-map interface interface-type interface-number

Displays information about policy map.

Table 2. Clearing Application Visibility Statistics Commands

Command

Purpose

clear avc client mac stats

Clears the statistics per client.

clear avc wlan wlan-name stats

Clears the statistics per WLAN.

Examples: Application Visibility and Control

Examples: Application Visibility Configuration

This example shows how to create a flow record, create a flow monitor, apply the flow record to the flow monitor, and apply the flow monitor on a WLAN:

Device# configure terminal
Device(config)# flow record fr_v4
Device(config-flow-record)# match ipv4 protocol
Device(config-flow-record)# match ipv4 source address
Device(config-flow-record)# match ipv4 destination address
Device(config-flow-record)# match transport destination-port
Device(config-flow-record)# match flow direction
Device(config-flow-record)# match application name
Device(config-flow-record)# match wireless ssid
Device(config-flow-record)# collect counter bytes long
Device(config-flow-record)# collect counter packets long
Device(config-flow-record)# collect wireless ap mac address
Device(config-flow-record)# collect wireless client mac address
Device(config)#end


Device# configure terminal
Device# flow monitor fm_v4
Device(config-flow-monitor)# record fr_v4
Device(config-flow-monitor)# cache timeout active 1800
Device(config)#end


Device(config)#wlan wlan1
Device(config-wlan)#ip flow monitor fm_v4 input
Device(config-wlan)#ip flow mon fm-v4 output
Device(config)#end

Examples: Application Visibility and Control QoS Configuration

This example shows how to create class maps with apply match protocol filters for application name, category, and subcategory:

Device# configure terminal
Device(config)# class-map cat-browsing
Device(config-cmap)# match protocol attribute category browsing
Device(config-cmap)#end

Device# configure terminal
Device(config)# class-map cat-fileshare
Device(config-cmap)# match protocol attribute category file-sharing
Device(config-cmap)#end

Device# configure terminal
Device(config)# class-map match-any subcat-terminal
Device(config-cmap)# match protocol attribute sub-category terminal
Device(config-cmap)#end

Device# configure terminal
Device(config)# class-map match-any webex-meeting
Device(config-cmap)# match protocol webex-meeting
Device(config-cmap)#end

This example shows how to create policy maps and define existing class maps for upstream QoS:


Device# configure terminal
Device(config)# policy-map test-avc-up
Device(config-pmap)# class cat-browsing
Device(config-pmap-c)# police 150000
Device(config-pmap-c)# set dscp 12
Device(config-pmap-c)#end


Device# configure terminal
Device(config)# policy-map test-avc-up
Device(config-pmap)# class cat-fileshare
Device(config-pmap-c)# police 1000000
Device(config-pmap-c)# set dscp 20
Device(config-pmap-c)#end


Device# configure terminal
Device(config)# policy-map test-avc-up
Device(config-pmap)# class subcat-terminal
Device(config-pmap-c)# police 120000
Device(config-pmap-c)# set dscp 15
Device(config-pmap-c)#end

Device# configure terminal
Device(config)# policy-map test-avc-up
Device(config-pmap)# class webex-meeting
Device(config-pmap-c)# police 50000000
Device(config-pmap-c)# set dscp 21
Device(config-pmap-c)#end

This example shows how to create policy maps and define existing class maps for downstream QoS:


Device# configure terminal
Device(config)# policy-map test-avc-down
Device(config-pmap)# class cat-browsing
Device(config-pmap-c)# police 200000
Device(config-pmap-c)# set dscp 10
Device(config-pmap-c)#end


Device# configure terminal
Device(config)# policy-map test-avc-up
Device(config-pmap)# class cat-fileshare
Device(config-pmap-c)# police 300000
Device(config-pmap-c)# set wlan user-priority 2
Device(config-pmap-c)# set dscp 20
Device(config-pmap-c)#end


Device# configure terminal
Device(config)# policy-map test-avc-up
Device(config-pmap)# class subcat-terminal
Device(config-pmap-c)# police 100000
Device(config-pmap-c)# set dscp 25
Device(config-pmap-c)#end

Device# configure terminal
Device(config)# policy-map test-avc-up
Device(config-pmap)# class webex-meeting
Device(config-pmap-c)# police 60000000
Device(config-pmap-c)# set dscp 41
Device(config-pmap-c)#end

This example shows how to apply defined QoS policy on a WLAN:


Device# configure terminal
Device(config)#wlan  alpha
Device(config-wlan)#shut
Device(config-wlan)#end
Device(config-wlan)#service-policy client input test-avc-up
Device(config-wlan)#service-policy client output test-avc-down
Device(config-wlan)#no shut
Device(config-wlan)#end

Example: Configuring QoS Attribute for Local Profiling Policy

The following example shows how to configure QoS attribute for a local profiling policy:

Device(config)# class-map type control subscriber match-all local_policy1_class
Device(config-filter-control-classmap)# match device-type android
Device(config)# service-template local_policy1_template
Device(config-service-template)# vlan 40
Device(config-service-template)# service-policy qos output local_policy1
Device(config)# policy-map type control subscriber local_policy1
Device(config-event-control-policymap)# event identity-update match-all
Device(config-class-control-policymap)# 1 class local_policy1_class do-until-success
Device(config-action-control-policymap)# 1 activate service-template local_policy1_template
Device(config)# wlan open_auth 9
Device(config-wlan)# client vlan VLAN40
Device(config-wlan)# service-policy type control subscriber local_policy1

Additional References for Application Visibility and Control

Related Documents

Related Topic Document Title
System management commands

System Management Command Reference Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

Flexible NetFlow configuration

Flexible NetFlow Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

Flexible NetFlow commands

Flexible NetFlow Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

QoS configuration

QoS Configuration Guide, Cisco IOS XE Release 3E (Cisco WLC 5700 Series)

QoS commands

QoS Command Reference, Cisco IOS XE Release 3E (Cisco WLC 5700 Series)

Standards and RFCs

Standard/RFC Title
None

MIBs

MIB MIBs Link
All the supported MIBs for this release.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/support

Feature History and Information For Application Visibility and Control

Release Feature Information
Cisco IOS XE 3.3SE This feature was introduced.

Cisco IOS XE 3E

AVC control with QoS was introduced.