- Preface
- Using the Command-Line Interface
-
- IP Multicast Routing Technology Overview
- Configuring IGMP
- Configuring IGMP Proxy
- Constraining IP Multicast in Switched Ethernet
- Configuring PIM
- Configuring PIM MIB Extension for IP Multicast
- Configuring MSDP
- Configuring Wireless Multicast
- Configuring SSM
- Configuring Basic IP Multicast Routing
- Configuring Multicast Routing over GRE Tunnel
- Configuring the Service Discovery Gateway
- IP Multicast Optimization: Optimizing PIM Sparse Mode in a Large IP Multicast Deployment
- IP Multicast Optimization: Multicast Subsecond Convergence
- IP Multicast Optimization: IP Multicast Load Splitting across Equal-Cost Paths
- IP Multicast Optimization: SSM Channel Based Filtering for Multicast
- IP Multicast Optimization: PIM Dense Mode State Refresh
- IP Multicast Optimization: IGMP State Limit
-
- Configuring the Device for Access Point Discovery
- Configuring Data Encryption
- Configuring Retransmission Interval and Retry Count
- Configuring Adaptive Wireless Intrusion Prevention System
- Configuring Authentication for Access Points
- Converting Autonomous Access Points to Lightweight Mode
- Using Cisco Workgroup Bridges
- Configuring Probe Request Forwarding
- Optimizing RFID Tracking
- Configuring Country Codes
- Configuring Link Latency
- Configuring Power over Ethernet
-
- Preventing Unauthorized Access
- Controlling Switch Access with Passwords and Privilege Levels
- Configuring TACACS+
- MACsec Encryption
- Configuring RADIUS
- Configuring Kerberos
- Configuring Local Authentication and Authorization
- Configuring Secure Shell (SSH)
- X.509v3 Certificates for SSH Authentication
- Configuring Secure Socket Layer HTTP
- Configuring IPv4 ACLs
- Configuring IPv6 ACLs
- Configuring DHCP
- Configuring IP Source Guard
- Configuring Dynamic ARP Inspection
- Configuring IEEE 802.1x Port-Based Authentication
- Configuring Web-Based Authentication
- Configuring Port-Based Traffic Control
- Configuring IPv6 First Hop Security
- Configuring Cisco TrustSec
- Configuring Control Plane Policing
- Configuring Wireless Guest Access
- Managing Rogue Devices
- Classifying Rogue Access Points
- Configuring wIPS
- Configuring Intrusion Detection System
-
- Administering the Switch
- Boot Integrity Visibility
- Performing Device Setup Configuration
- Configuring Autonomic Networking
- Configuring Right-To-Use Licenses
- Configuring Administrator Usernames and Passwords
- Configuring 802.11 parameters and Band Selection
- Configuring Aggressive Load Balancing
- Configuring Client Roaming
- Configuring Application Visibility and Control
- Configuring Application Visibility and Control
- Configuring Location Settings
- Configuring Voice and Video Parameters
- Configuring RFID Tag Tracking
- Configuring Location Settings
- Cisco Hyperlocation
- Monitoring Flow Control
- Configuring SDM Templates
- Configuring System Message Logs
- Configuring Online Diagnostics
- Managing Configuration Files
- Configuration Replace and Configuration Rollback
- Working with the Flash File System
- Upgrading the Switch Software
- Conditional Debug and Radioactive Tracing
- Troubleshooting the Software Configuration
- Index
- Finding Feature Information
- Information About Application Visibility and Control in a Wired Network
- Supported AVC Class Map and Policy Map Formats
- Restrictions for Wired Application Visibility and Control
- NBAR2 Custom Applications
- NBAR2 Dynamic Hitless Protocol Pack Upgrade
Configuring
Application Visibility and Control
Application Visibility and Control (AVC) is a solution for Cisco network devices that provides application-level classification, monitoring, and traffic control to improve business-critical application performance, facilitate capacity management and planning, and reduce network operating costs. The Cisco AVC solution is provided within the Branch and Aggregation routers, Cisco Switches, and Cisco Wireless Controllers and Access points.
For information about AVC on Cisco Switches, see Configuring Application Visibility and Control in a Wired Network.
For information about AVC on Cisco Wireless Controllers and Access points, see Configuring Application Visibility and Control.
- Finding Feature Information
- Information About Application Visibility and Control in a Wired Network
- Supported AVC Class Map and Policy Map Formats
- Restrictions for Wired Application Visibility and Control
- Monitoring Application Visibility and Control
- Examples: Application Visibility and Control
- Additional References for Application Visibility and Control
- Feature History and Information For Application Visibility and Control in a Wired Network
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Application Visibility and Control in a Wired Network
Application Visibility and Control (AVC) is a critical part of Cisco’s efforts to evolve its Branch and Campus solutions from being strictly packet and connection based to being application-aware and application-intelligent. Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques with the Network-Based Application Recognition (NBAR2) engine. AVC can be configured on wired access ports for standalone switches as well as for a switch stack. NBAR2 can be activated either explicitly on the interface by enabling protocol-discovery or implicitly by attaching a QoS policy that contains match protocol classifier. Wired AVC Flexible NetFlow (FNF) can be configured on an interface to provide client, server and application statistics per interface. The record is similar to application-client-server-stats traffic monitor which is available in application-statistics and application-performance profiles in Easy Performance Monitor (Easy perf-mon or ezPM).
Supported AVC Class Map and Policy Map Formats
Supported AVC Class Map Format
| Class Map Format | Class Map Example | Direction |
|---|---|---|
| match protocol protocol name |
class-map match-any NBAR-VOICE match protocol ms-lync-audio |
Both ingress and egress |
| Combination filters |
class-map match-any NBAR-VOICE match protocol ms-lync-audio match dscp ef |
Both ingress and egress |
Supported AVC Policy Format
| Policy Format | QoS Action |
|---|---|
| Egress policy based on match protocol filter | Mark and police |
| Ingress policy based on match protocol filter | Mark and police |
| AVC Policy Format | AVC Policy Example | Direction |
|---|---|---|
| Basic set |
policy-map MARKING-IN class NBAR-MM_CONFERENCING set dscp af41 |
Ingress and egress |
| Basic police |
policy-map POLICING-IN class NBAR-MM_CONFERENCING police cir 600000 set dscp af41 |
Ingress and egress |
| Basic set and police |
policy-map webex-policy class webex-class set dscp ef cos police 5000000 |
Ingress and egress |
| Multiple set and police including default |
policy-map webex-policy class webex-class set dscp af31 cos police 4000000 class class-webex-category set dscp ef cos police 6000000 class class-default set dscp <> |
Ingress and egress |
| Hierarchical police |
policy-map webex-policy class webex-class police 5000000 service-policy client-in-police-only policy-map client-in-police-only class webex-class police 100000 class class-webex-category set dscp ef cos police 200000 |
Ingress and egress |
| Hierarchical set and police |
policy-map webex-policy class class-default police 1500000 service policy client-up-child policy-map webex-policy class webex-class police 100000 set dscp ef class class-webex-category police 200000 set dscp af31 |
Restrictions for Wired Application Visibility and Control
-
NBAR based QoS policy configuration is allowed only on wired physical ports. Policy configuration is not supported on virtual interfaces, for example, VLAN, Port-Channel and other logical interfaces.
-
NBAR2 based match criteria match protocol will be allowed only with marking or policing actions. NBAR2 match criteria will not be allowed in a policy that has queuing features configured.
-
‘Match Protocol’: up to 255 concurrent different protocols in all policies (8 bits HW limitation).
-
NBAR2 attributes based QOS is not supported (match protocol attribute).
-
AVC is not supported on management port (Gig 0/0).
-
IPv6 packet classification is not supported.
-
Only IPv4 unicast(TCP/UDP) is supported.
-
Web UI: You can configure application visibility and perform application monitoring from the Web UI. Application Control can only be done using the CLI. It is not supported on the Web UI.
-
NBAR and ACL logging cannot be configured together on the same switch.
-
Protocol-discovery, application-based QoS, and wired AVC FNF cannot be configured together at the same time on the same interface with the non-application-based FNF. However, these wired AVC features can be configured with each other. For example, protocol-discovery, application-based QoS and wired AVC FNF can be configured together on the same interface at the same time.
-
In Cisco IOS XE Denali 16.3.2, show flow monitor flow-monitor-name statistics and show flow monitor flow-monitor-name cache commands are not supported for wired AVC. These commands do not display any information specific to wired AVC.
-
A single predefined record is supported with wired AVC FNF.
-
Attachment should be done only on physical Layer2 (Access/Trunk) and Layer3 ports. Uplink can be attached as long as it is a single uplink and is not part of a port channel.
-
Performance: Each switch member is able to handle 500 connections per second (CPS) at less than 50% CPU utilization.
-
Scale: Able to handle up to 10,000 bi-directional flows per 48 access ports and 5000 bi-directional flows per 24 access ports. (~200 flows per access port).
Configuring Application Visibility and Control in a Wired Network
To configure application visibility and control on wired ports, follow these steps:
Configuring Visibility :
-
Activate NBAR2 engine by enabling protocol-discovery on the interface using the ip nbar protocol-discovery command in the interface configuration mode. See Enabling Application Recognition on an interface .
-
Creating an AVC QoS policy. See Creating AVC QoS Policy .
-
Applying AVC QoS policy to the interface. See Applying a QoS Policy to the switch port .
Configuring application-based Flexible Netflow :
-
Create a flow record by specifying key and non-key fields to the flow. See Creating a Flow Record .
-
Create a flow exporter to export the flow record. See Creating a Flow Exporter .
-
Create a flow monitor based on the flow record and the flow exporter. See Creating a Flow Monitor .
-
Attach the flow monitor to the interface. See Associating Flow Monitor to an interface .
Protocol-Discovery, application-based QoS and application-based FNF are all independent features. They can be configured independently or together on the same interface at the same time.
Enabling Application Recognition on an interface
To enable application recognition on an interface, follow these steps:
DETAILED STEPS
Creating AVC QoS Policy
Creating a Class Map
You need to create a class map before configuring any match protocol filter. The QoS actions such as marking and policing can be applied to the traffic. The AVC match protocol filters are applied to the wired access ports. For more information about the protocols that are supported, see http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html.
1.
configure terminal
2.
class-map
class-map-name
3.
match protocol
application-name
4.
end
DETAILED STEPS
Creating a Policy Map
1.
configure terminal
3.
class [class-map-name |
class-default]
5.
set
{dscp
new-dscp
|
cos
cos-value}
6.
end
DETAILED STEPS
Applying a QoS Policy to the switch port
1.
configure terminal
2.
interface
interface-id
3.
service-policy input
policymapname
4.
end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure terminal Example: Device# configure terminal
|
Enters global configuration mode. |
| Step 2 |
interface
interface-id
Example:
Device(config)# interface Gigabitethernet 1/0/1
|
Enters the interface configuration mode. |
| Step 3 |
service-policy input
policymapname
Example: Device(config-if)# service-policy input MARKING_IN
|
Applies local policy to interface. |
| Step 4 | end Example: Device(config)# end
| Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
Configuring Wired AVC Flexible Netflow
- Creating a Flow Record
- Creating a Flow Exporter
- Creating a Flow Monitor
- Associating Flow Monitor to an interface
Creating a Flow Record
A single flow record can be configured and associated with a flow monitor.
1.
configure terminal
2.
flow
record
flow_record_name
3.
description
description
4.
match
ipv4
version
5.
match
ipv4
protocol
6.
match
application
name
7.
match connection client ipv4 address
8.
match connection server ipv4 address
9.
match connection server transport port
10.
match flow observation point
11.
collect flow direction
12.
collect connection initiator
13.
collect connection client counter packets long
14.
collect connection client counter bytes network
long
15.
collect connection server counter packets long
16.
collect connection server counter bytes network
long
17.
collect timestamp absolute first
18.
collect timestamp absolute last
19.
collect connection new-connections
20.
end
21.
show flow
record
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
configure terminal Example: Device# configure terminal
|
Enters global configuration mode. | ||
| Step 2 | flow
record
flow_record_name
Example: Device(config)# flow record flow-record-1
|
Enters flow record configuration mode. | ||
| Step 3 | description
description
Example: Device(config-flow-record)# description flow-record-1
|
(Optional) Creates a description for the flow record. | ||
| Step 4 | match
ipv4
version
Example: Device (config-flow-record)# match ipv4 version
|
Specifies a match to the IP version from the IPv4 header. | ||
| Step 5 | match
ipv4
protocol
Example: Device (config-flow-record)# match ipv4 protocol
|
Specifies a match to the IPv4 protocol. | ||
| Step 6 | match
application
name
Example: Device (config-flow-record)# match application name
|
Specifies a match to the application name.
| ||
| Step 7 | match connection client ipv4 address
Example: Device (config-flow-record)# match connection client ipv4 address
|
Specifies a match to the IPv4 address of the client (flow initiator). | ||
| Step 8 | match connection server ipv4 address
Example: Device (config-flow-record)# match connection server ipv4 address
|
Specifies a match to the IPv4 address of the server (flow responder). | ||
| Step 9 | match connection server transport port
Example: Device (config-flow-record)# match connection server transport port
|
Specifies a match to the transport port of the server. | ||
| Step 10 | match flow observation point
Example: Device (config-flow-record)# match flow observation point
|
Specifies a match to the observation point ID for flow observation metrics. | ||
| Step 11 | collect flow direction
Example: Device (config-flow-record)# collect flow direction
|
When the initiator keyword is set to initiator, the flow direction is specified from the initiator side of the flow. When the initiator keyword is set to responder, the flow direction is specified from the responder side of the flow. For wired AVC, the initiator keyword is always set to initiator. | ||
| Step 12 | collect connection initiator
Example: Device (config-flow-record)# collect connection initiator
|
| ||
| Step 13 | collect connection client counter packets long
Example: Device (config-flow-record)# collect connection client counter packets long
|
Specifies to collect the number of packets sent by the client. | ||
| Step 14 | collect connection client counter bytes network
long
Example: Device (config-flow-record)# collect connection client counter bytes network long
|
Specifies to collect the total number of bytes transmitted by the client. | ||
| Step 15 | collect connection server counter packets long
Example: Device (config-flow-record)# collect connection server counter packets long
|
Specifies to collect the number of packets sent by the server. | ||
| Step 16 | collect connection server counter bytes network
long
Example: Device (config-flow-record)# collect connection server counter bytes network long
|
Specifies to collect the total number of bytes transmitted by the server. | ||
| Step 17 | collect timestamp absolute first
Example: Device (config-flow-record)# collect timestamp absolute first
|
Specifies to collect the time, in milliseconds, when the first packet was seen in the flow. | ||
| Step 18 | collect timestamp absolute last
Example: Device (config-flow-record)# collect timestamp absolute last
|
Specifies to collect the time, in milliseconds, when the most recent packet was seen in the flow. | ||
| Step 19 | collect connection new-connections
Example: Device (config-flow-record)# collect connection new-connections
|
Specifies to collect the number of connection initiations observed. | ||
| Step 20 | end Example: Device(config)# end
| Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. | ||
| Step 21 |
show flow
record
Example: Device # show flow record
|
Displays information about all the flow records. |
Creating a Flow Exporter
You can create a flow exporter to define the export parameters for a flow.
1.
configure terminal
2.
flow
exporter
flow_exporter_name
3.
description
description
4.
destination {
hostname |
ipv4-address |
ipv6-address }
5.
option application-table
[
timeout
seconds ]
6.
end
7.
show flow exporter
8.
show flow exporter statistics
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure terminal Example: Device# configure terminal
|
Enters global configuration mode. |
| Step 2 | flow
exporter
flow_exporter_name
Example: Device(config)# flow exporter flow-exporter-1
|
Enters flow exporter configuration mode. |
| Step 3 | description
description
Example: Device(config-flow-exporter)# description flow-exporter-1
|
(Optional) Creates a description for the flow exporter. |
| Step 4 | destination {
hostname |
ipv4-address |
ipv6-address }
Example: Device (config-flow-exporter)# destination 10.10.1.1
|
Specifies the hostname, IPv4 or IPv6 address of the system to which the exporter sends data. |
| Step 5 | option application-table
[
timeout
seconds ]
Example: Device (config-flow-exporter)# option application-table timeout 500
|
(Optional) Configures the application table option for the flow exporter. The timeout option configures the resend time in seconds for the flow exporter. The valid range is from 1 to 86400 seconds. |
| Step 6 | end Example: Device(config)# end
| Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
| Step 7 | show flow exporter
Example: Device # show flow exporter
|
Displays information about all the flow exporters. |
| Step 8 | show flow exporter statistics
Example: Device # show flow exporter statistics
|
Displays flow exporter statistics. |
Creating a Flow Monitor
You can create a flow monitor and associate it with a flow record.
1.
configure terminal
2.
flow monitor
monitor-name
3.
description
description
4.
record
record-name
5.
exporter
exporter-name
6.
cache type normal {
timeout {active |
inactive} |
type normal }
7.
end
8.
show flow
monitor
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
configure terminal Example: Device# configure terminal
|
Enters global configuration mode. | ||
| Step 2 | flow monitor
monitor-name
Example: Device (config)# flow monitor flow-monitor-1
|
Creates a flow monitor and enters flow monitor configuration mode. | ||
| Step 3 |
description
description
Example: Device (config-flow-monitor)# description flow-monitor-1
|
(Optional) Creates a description for the flow monitor. | ||
| Step 4 |
record
record-name
Example: Device (config-flow-monitor)# record flow-record-1
|
Specifies the name of a record that was created previously. | ||
| Step 5 |
exporter
exporter-name
Example: Device (config-flow-monitor)# exporter flow-exporter-1
|
Specifies the name of an exporter that was created previously. | ||
| Step 6 | cache type normal {
timeout {active |
inactive} |
type normal }
Example: Device (config-flow-monitor)# cache timeout active 1800
Example: Device (config-flow-monitor)# cache timeout inactive 200
Example: Device (config-flow-monitor)# cache type normal
|
| ||
| Step 7 | end Example: Device(config)# end
| Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. | ||
| Step 8 |
show flow
monitor
Example: Device # show flow monitor
|
Displays information about all the flow monitors.
|
Associating Flow Monitor to an interface
1.
configure terminal
2.
interface interface-id
3.
ip flow monitor
monitor-name
{
input |
output }
4.
end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure terminal Example: Device# configure terminal
|
Enters global configuration mode. |
| Step 2 |
interface interface-id
Example:
Device(config)# interface Gigabitethernet 1/0/1
|
Enters the interface configuration mode. |
| Step 3 | ip flow monitor
monitor-name
{
input |
output }
Example:
Device (config-if) # ip flow monitor flow-monitor-1 input
|
Associates a flow monitor to the interface for input and/or output packets. |
| Step 4 | end Example: Device(config)# end
| Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
NBAR2 Custom Applications
NBAR2 supports the use of custom protocols to identify custom applications. Custom protocols support protocols and applications that NBAR2 does not currently support.
In every deployment, there are local and specific applications which are not covered by the NBAR2 protocol pack provided by Cisco. Local applications are mainly categorized as:
NBAR2 provides a way to manually customize such local applications. You can manually customize applications using the command ip nbar custom myappname in global configuration mode. Custom applications take precedence over built-in protocols. For each custom protocol, user can define a selector ID that can be used for reporting purposes.
There are various types of application customization:
Generic protocol customization
Composite : Customization based on multiple underlying protocols – server-name
Layer3/Layer4 customization
Byte Offset : Customization based on specific byte values in the payload
- HTTP Customization
- SSL Customization
- DNS Customization
- Composite Customization
- L3/L4 Customization
- Examples: Monitoring Custom Applications
HTTP Customization
HTTP customization could be based on a combination of HTTP fields from:
HTTP Customization
Custom application called MYHTTP using the HTTP host “*mydomain.com” with Selector ID 10.
Device# configure terminal Device(config)# ip nbar custom MYHTTP http host *mydomain.com id 10
SSL Customization
Customization can be done for SSL encrypted traffic using information extracted from the SSL Server Name Indication (SNI) or Common Name (CN).
SSL Customization
Custom application called MYSSL using SSL unique-name “mydomain.com” with selector ID 11.
Device# configure terminal Device(config)#ip nbar custom MYSSL ssl unique-name *mydomain.com id 11
DNS Customization
NBAR2 examines DNS request and response traffic, and can correlate the DNS response to an application. The IP address returned from the DNS response is cached and used for later packet flows associated with that specific application.
The command ip nbar custom application-name dns domain-name id application-id is used for DNS customization. To extend an existing application, use the command ip nbar custom application-name dns domain-name domain-name extends existing-application.
For more information on DNS based customization, see http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/configuration/xe-3s/asr1000/qos-nbar-xe-3s-asr-1000-book/nbar-custapp-dns-xe.html .
DNS Customization
Custom application called MYDNS using the DNS domain name “mydomain.com” with selector ID 12.
Device# configure terminal Device(config)# ip nbar custom MYDNS dns domain-name *mydomain.com id 12
Composite Customization
NBAR2 provides a way to customize applications based on domain names appearing in HTTP, SSL or DNS.
Composite Customization
Custom application called MYDOMAIN using HTTP, SSL or DNS domain name “mydomain.com” with selector ID 13.
Device# configure terminal Device(config)# ip nbar custom MYDOMAIN composite server-name *mydomain.com id 13
L3/L4 Customization
Layer3/Layer4 customization is based on the packet tuple and is always matched on the first packet of a flow.
L3/L4 Customization
Custom application called LAYER4CUSTOM matching IP addresses 10.56.1.10 and 10.56.1.11, TCP and DSCP ef with selector ID 14.
Device# configure terminal Device(config)# ip nbar custom LAYER4CUSTOM transport tcp id 14 Device(config-custom)# ip address 10.56.1.10 10.56.1.11 Device(config-custom)# dscp ef
Examples: Monitoring Custom Applications
Show Commands for Monitoring Custom Applications
show ip nbar protocol-id | inc Custom
Device# show ip nbar protocol-id | inc Custom
LAYER4CUSTOM 14 Custom
MYDNS 12 Custom
MYDOMAIN 13 Custom
MYHTTP 10 Custom
MYSSL 11 Custom
show ip nbar protocol-discovery protocol CUSTOM_APP
WSW-157# show ip nbar protocol-id MYSSL Protocol Name id type ---------------------------------------------- MYSSL 11 Custom
NBAR2 Dynamic Hitless Protocol Pack Upgrade
Protocol packs are software packages that update the NBAR2 protocol support on a device without replacing the Cisco software on the device. A protocol pack contains information on applications officially supported by NBAR2 which are compiled and packed together. For each application, the protocol-pack includes information on application signatures and application attributes. Each software release has a built-in protocol-pack bundled with it.
Protocol packs provide the following features:
-
They are easy and fast to load.
-
They are easy to upgrade to a higher version protocol pack or revert to a lower version protocol pack.
-
They do not require the switch to be reloaded.
NBAR2 protocol packs are available for download on Cisco Software Center from this URL: https://software.cisco.com/download/navigator.html .
Prerequisites for the NBAR2 Protocol Pack
Before loading a new protocol pack, you must copy the protocol pack to the flash on all the switch members.
To load a protocol pack, see Examples: Loading the NBAR2 Protocol Pack .
Loading the NBAR2 Protocol Pack
1.
enable
2.
configure
terminal
3.
ip
nbar
protocol-pack
protocol-pack
[force]
4.
exit
5.
show
ip
nbar
protocol-pack
{protocol-pack |
active} [detail]
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable
Example: Device> enable |
Enables privileged EXEC mode. |
| Step 2 |
configure
terminal
Example: Device# configure terminal |
Enters global configuration mode. |
| Step 3 |
ip
nbar
protocol-pack
protocol-pack
[force]
Example: Device(config)# ip nbar protocol-pack flash:defProtoPack Example: Device(config)# default ip nbar protocol-pack |
Loads the protocol pack.
For reverting to the built-in protocol pack, use the following command: |
| Step 4 |
exit
Example: Device(config)# exit |
Returns to privileged EXEC mode. |
| Step 5 |
show
ip
nbar
protocol-pack
{protocol-pack |
active} [detail]
Example: Device# show ip nbar protocol-pack active |
Displays the protocol pack information.
|
Examples: Loading the NBAR2 Protocol Pack
Device> enable Device# configure terminal Device(config)# ip nbar protocol-pack flash:newDefProtoPack Device(config)# exit
Device> enable Device# configure terminal Device(config)# ip nbar protocol-pack flash:OldDefProtoPack force Device(config)# exit
Device> enable Device# configure terminal Device(config)# default ip nbar protocol-pack Device(config)# exit
Monitoring Application Visibility and Control
Monitoring Application Visibility and Control (CLI)
This section describes the new commands for application visibility.
The following commands can be used to monitor application visibility on the and access ports.
|
Command |
Purpose |
Examples: Application Visibility and Control
Examples: Application Visibility and Control Configuration
Device# configure terminal Device(config)# class-map match-any NBAR-VOICE Device(config-cmap)# match protocol ms-lync-audio Device(config-cmap)#end
Device# configure terminal Device(config)# policy-map test-avc-up Device(config-pmap)# class cat-browsing Device(config-pmap-c)# police 150000 Device(config-pmap-c)# set dscp 12 Device(config-pmap-c)#end
Device# configure terminal Device(config)# policy-map test-avc-down Device(config-pmap)# class cat-browsing Device(config-pmap-c)# police 200000 Device(config-pmap-c)# set dscp 10 Device(config-pmap-c)#end
Device# configure terminal Device(config)# interface GigabitEthernet 1/0/1 Device(config-if)# switchport mode access Device(config-if)# switchport access vlan 20 Device(config-if)# service-policy type control subscriber POLICING_IN Device(config-if)#end
Show Commands for Viewing the Configuration
show ip nbar protocol-discovery
Displays a report of the Protocol Discovery statistics per interface.
The following is a sample output for the statistics per interface:
Deviceqos-cat3k-reg2-r1# show ip nbar protocol-discovery int GigabitEthernet1/0/1
GigabitEthernet1/0/1
Last clearing of "show ip nbar protocol-discovery" counters 00:03:16
Input Output
----- ------
Protocol Packet Count Packet Count
Byte Count Byte Count
30sec Bit Rate (bps) 30sec Bit Rate (bps)
30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps)
------------------------ ------------------------ ---------------------------------------------------
ms-lync 60580 55911
31174777 28774864
3613000 93000
3613000 3437000
Total 60580 55911
31174777 28774864
3613000 93000
3613000 3437000
show policy-map interface
Displays the QoS statistics and the configured policy maps on all interfaces.
The following is a sample output for the policy-maps configured on all the interfaces:
Deviceqos-cat3k-reg2-r1# show policy-map int
GigabitEthernet1/0/1
Service-policy input: MARKING-IN
Class-map: NBAR-VOICE (match-any)
718 packets
Match: protocol ms-lync-audio
0 packets, 0 bytes
30 second rate 0 bps
QoS Set
dscp ef
Class-map: NBAR-MM_CONFERENCING (match-any)
6451 packets
Match: protocol ms-lync
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ms-lync-video
0 packets, 0 bytes
30 second rate 0 bps
QoS Set
dscp af41
Class-map: class-default (match-any)
34 packets
Match: any
Basic Troubleshooting(Questions and Answers)
Following are the basic questions and answers for troubleshooting wired Application Visibility and Control:
-
Question: My IPv6 traffic is not being classified.
Answer: Currently only IPv4 traffic is supported.
-
Question: My multicast traffic is not being classified
Answer: Currently only unicast traffic is supported
-
Question: I send ping but I don’t see them being classified
Answer: Only TCP/UDP protocols are supported
-
Question: Why can’t I attach NBAR to an SVI?
Answer: NBAR is only supported on physical interfaces.
-
Question: I see that most of my traffic is CAPWAP traffic, why?
Answer: Make sure that you have enabled NBAR on an access port that is not connected to a wireless access port. All traffic coming from AP’s will be classified as capwap. Actual classification in this case happens either on the AP or WLC.
-
Question: In protocol-discovery, I see traffic only on one side. Along with that, there are a lot of unknown traffic.
Answer: This usually indicates that NBAR sees asymmetric traffic: one side of the traffic is classified in one switch member and the other on a different member. The recommendation is to attach NBAR only on access ports where we see both sides of the traffic. If you have multiple uplinks, you can’t attach NBAR on them due to this issue. Similar issue happens if you configure NBAR on an interface that is part of a port channel.
-
Question: With protocol-discovery, I see an aggregate view of all application. How can I see traffic distribution over time?
Answer: WebUI will give you view of traffic over time for the last 48 hours.
-
Question: I can't configure queue-based egress policy with match protocol protocol-name command.
Answer: Only shape and set DSCP are supported in a policy with NBAR2 based classifiers. Common practice is to set DSCP on ingress and perform shaping on egress based on DSCP.
-
Question: I don’t have NBAR2 attached to any interface but I still see that NBAR2 is activated.
Answer: If you have any class-map with match protocol protocol-name, NBAR will be globally activated on the stack but no traffic will be subjected to NBAR classification. This is an expected behavior and it does not consume any resources.
-
Question: I see some traffic under the default QOS queue. Why?
Answer: For each new flow, it takes a few packets to classify it and install the result in the hardware. During this time, the classification would be 'un-known' and traffic will fall under the default queue.
Additional References for Application Visibility and Control
Related Documents
| Related Topic | Document Title |
|---|---|
|
QoS |
NBAR Configuration Guide, Cisco IOS XE 16 |
|
NBAR2 Protocol Pack Hitless Upgrade |
NBAR Configuration Guide, Cisco IOS XE 16 |
Technical Assistance
| Description | Link |
|---|---|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature History and Information For Application Visibility and Control in a Wired Network
| Release | Feature Information |
|---|---|
|
Cisco IOS XE Denali 16.3.2 |
Wired AVC Flexible NetFlow (FNF) — The feature uses a flow record with an application name as the key, to provide client, server and application statistics, per interface. |
|
Cisco IOS XE Denali 16.3.1 |
This feature was introduced. |
Feedback