Configuring Application Visibility and Control

Finding Feature Information

Your software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Application Visibility and Control

Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques with the Network-Based Application Recognition engine, and provides application-level visibility and control (QoS) in wireless networks. After the applications are recognized, the AVC feature enables you to either drop, mark, or police the data traffic.

Using AVC, we can detect more than 1000 applications. AVC enables you to perform real-time analysis and create policies to reduce network congestion, costly network link usage, and infrastructure upgrades.

Note


You can view a list of 30 applications under Top Applications in the Monitor Summary section of the UI.

Restrictions for Application Visibility and Control

  • AVC is supported only on the following access points:

    • Cisco Aironet 1260 Series Access Points

    • Cisco Aironet 1600 Series Access Points

    • Cisco Aironet 2600 Series Access Point

    • Cisco Aironet 2600 Series Wireless Access Points

    • Cisco Aironet 2700 Series Access Point

    • Cisco Aironet 3500 Series Access Points

    • Cisco Aironet 3600 Series Access Points

  • AVC is not supported on Cisco Aironet 702W, 702I (128 M memory), and 1530 Series Access Points.

  • Dropping or marking of the data traffic (control part) is not supported for software Release 3.3.

  • Dropping or marking of the data traffic (control part) is supported in software Release 3E.

  • Multicast traffic classification is not supported.

  • Only the applications that are recognized with App visibility can be used for applying QoS control.

  • IPv6 traffic classification, including ICMPv6, is not supported.

  • Datalink is not supported for NetFlow fields for AVC.

  • The following commands are not supported for AVC flow records:

    • collect flow username

    • collect interface { input | output}

    • collect wireless client ipv4 address

    • match interface { input | output}

    • match transport igmp type

  • The template timeout cannot be modified on exporters configured with AVC. Even if the template timeout value is configured to a different value, only the default value of 600 seconds is used.

  • For the username information in the AVC-based record templates, ensure that you configure the options records to get the user MAC address to username mapping.

  • The total number of flows for which downstream AVC QoS is supported per client is 1000.

  • The maximum number of flows supported for Catalyst 3850 Series Switch is 48 K.

  • Google shares resources among several of its services, so some traffic cannot be attributed to a single application. The google-services classification was added for traffic that cannot be distinguished. This behavior is expected.

How to Configure Application Visibility and Control

Configuring Application Visibility and Control (GUI)

Configuring Application Visibility (GUI)

You can apply the default flow record (wireless avc basic) to the default flow monitor (wireless-avc-basic).

If you are using a flow record and flow monitor that you have created, the record name and monitor name must be the same. This applies only when configuring AVC from the GUI, not from the CLI.

You can use the flow monitor you have created either for upstream or downstream, or both, but ensure that you use the same record name while mapping with the flow monitor.


    Step 1   Choose Configuration > Wireless > WLAN.

    The WLAN page appears.

    Step 2   Click on the corresponding WLAN ID to open the WLAN > Edit page and click AVC.

    The Application Visibility page appears.

    1. Select the Application Visibility Enabled check box to enable AVC on a WLAN.
    2. In the Upstream Profile text box, enter the name of the AVC profile.
    3. In the Downstream Profile text box, enter the name of the AVC profile.

    To enable AVC, you need to enter the profile names for the upstream and downstream profiles. The profile names are the flow monitor names. By default, the flow monitor names (wireless-avc-basic) appear in the Upstream Profile and Downstream Profile text boxes. For the default flow monitor, the default flow record (wireless avc basic) will be taken. The default flow record is generated by the system and is available.

    You can change the profile names for the upstream and downstream profiles but ensure that the same flow records are available for the flow monitors.

    The upstream and downstream profiles can have different profile names but there should be flow records available for the flow monitors.

    Step 3   Click Apply to apply AVC on the WLAN.
    Step 4   To disable AVC on a specific WLAN, perform the following steps:
    • Choose Configuration > Wireless > WLAN to open the WLAN page.
    • Click on the corresponding WLAN ID to open the WLAN > Edit page.
    • Click AVC to open the Application Visibility page.
    • Uncheck the Application Visibility Enabled check box.
    • Click Apply to disable AVC on the specific WLAN.

    Monitoring Application Visibility and Control

    Monitoring Application Visibility and Control (CLI)

    This section describes the new commands for application visibility.

    The following commands can be used to monitor application visibility on the switch and access points.

    Table 1 Monitoring Application Visibility Commands on the switch

    Command

    Purpose

    show avc client client-mac top n application [aggregate | upstream | downstream]

    Displays information about top "N" applications for the given client MAC.

    show avc wlan ssid top n application [aggregate | upstream | downstream]

    Displays information about top "N" applications for the given SSID.

    avc top user [enable | disable]

    Enables or disables the information about top "N" application.

    show avc wlan wlan-id application app name topN [aggregate | upstream | downstream]

    Displays network usage information on a per-user basis within an application.

    Note   

    On Catalyst 4500E Supervisor Engine 8-E, in the information about top N users that is displayed, the client's MAC address and username are not displayed. This issue occurs only within 90 seconds after the client is disconnected.

    show wlan id wlan-id

    Displays whether AVC is enabled or disabled on a particular WLAN.

    show flow monitor flow_monitor_name cache

    Displays information about flow monitors.

    show wireless client mac-address mac-address service-policy { input | output }

    Displays information about policy mapped to the wireless clients.

    show ip nbar protocol-discovery [interface interface-type interface-number] [stats {byte-count | bit-rate | packet-count | max-bit-rate}] [protocol protocol-name | top-n number]

    Displays the statistics gathered by the NBAR Protocol Discovery feature.

    • (Optional) Enter keywords and arguments to fine-tune the statistics displayed. For more information on each of the keywords, refer to the show ip nbar protocol-discovery command in Cisco IOS Quality of Service Solutions Command Reference.

    Note   

    When you configure NBAR, you must enable Protocol Discovery on the interface.

    show policy-map target

    show policy-map

    show policy-map policy-name

    show policy-map interface interface-type interface-number

    Displays information about policy map.

    Table 2 Clearing Application Visibility Statistics Commands

    Command

    Purpose

    clear avc client mac stats

    Clears the statistics per client.

    clear avc wlan wlan-name stats

    Clears the statistics per WLAN.

    Monitoring Application Visibility and Control (GUI)

    You can view AVC information on a WLAN at a glance using the AVC on WLAN pie chart on the Home page of the switch. The pie chart displays the AVC data (Aggregate - Application Cumulative usage %) of the first WLAN. In addition, the top 5 WLANs based on clients are displayed first. Click any one of the WLANs to view the corresponding pie chart information. If AVC is not enabled on the first WLAN, the Home page does not display the AVC pie chart.


      Step 1   Choose Monitor > Controller > AVC > WLANs.

      The WLANs page appears.

      Step 2   Click the corresponding WLAN profile.

      The Application Statistics page appears.

      From the Top Applications drop-down list, choose the number of top applications you want to view and click Apply. The valid range is from 5 to 30, in multiples of 5.

      1. On the Aggregate, Upstream, and Downstream tabs, you can view the application cumulative and last 90 seconds statistics and usage percent with the following fields:
        • Application name

        • Packet count

        • Byte count

        • Average packet size

        • usage (%)

      Step 3   Choose Monitor > Clients > Client Details > Clients.

      The Clients page appears.

      Step 4   Click Client MAC Address and then click AVC Statistics tab.

      The Application Visibility page appears.

      1. On the Aggregate, Upstream, and Downstream tabs, you can view the application cumulative and last 90 seconds statistics and usage percent with the following fields:
        • Application name

        • Packet count

        • Byte count

        • Average packet size

        • usage (%)


      Examples: Application Visibility and Control

      Examples: Application Visibility Configuration

      This example shows how to create a flow record, create a flow monitor, apply the flow record to the flow monitor, and apply the flow monitor on a WLAN:
      SwitchControllerDevice# configure terminal
      SwitchControllerDevice(config)# flow record fr_v4
      SwitchControllerDevice(config-flow-record)# match ipv4 protocol
      SwitchControllerDevice(config-flow-record)# match ipv4 source address
      SwitchControllerDevice(config-flow-record)# match ipv4 destination address
      SwitchControllerDevice(config-flow-record)# match transport destination-port
      SwitchControllerDevice(config-flow-record)# match flow direction
      SwitchControllerDevice(config-flow-record)# match application name
      SwitchControllerDevice(config-flow-record)# match wireless ssid
      SwitchControllerDevice(config-flow-record)# collect counter bytes long
      SwitchControllerDevice(config-flow-record)# collect counter packets long
      SwitchControllerDevice(config-flow-record)# collect wireless ap mac address
      SwitchControllerDevice(config-flow-record)# collect wireless client mac address
      SwitchControllerDevice(config-flow-record)# end


      SwitchControllerDevice# configure terminal
      SwitchControllerDevice(config)# flow monitor fm_v4
      SwitchControllerDevice(config-flow-monitor)# record fr_v4
      SwitchControllerDevice(config-flow-monitor)# cache timeout active 1800
      SwitchControllerDevice(config-flow-monitor)# end


      SwitchControllerDevice# configure terminal
      SwitchControllerDevice(config)# wlan wlan1
      SwitchControllerDevice(config-wlan)# ip flow monitor fm_v4 input
      SwitchControllerDevice(config-wlan)# ip flow monitor fm_v4 output
      SwitchControllerDevice(config-wlan)# end
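
      The following is an added example, not part of the Cisco documentation: a small offline check that flags flow-record commands this module lists as unsupported for AVC and WLAN or flow monitor entries that point at a name that is not defined, either of which leaves a WLAN without the intended application visibility. The function names, the running-config-style layout of the constructed sample, and the use of match application name to identify an AVC record are assumptions.

```python
import re

# Commands the page lists as unsupported in AVC flow records.
UNSUPPORTED = re.compile(
    r"collect flow username|collect wireless client ipv4 address|"
    r"(collect|match) interface (input|output)|match transport igmp type")
WLAN_MON = re.compile(r"ip flow monitor (\S+) (input|output)")

# Constructed sample in running-config layout (sub-commands indented).
SAMPLE = """\
flow record fr_v4
 match application name
 match interface input
 collect counter bytes long
 collect flow username
flow monitor fm_v4
 record fr_v4
wlan wlan1
 ip flow monitor fm_v4 input
 ip flow monitor fm-v4 output
"""

def parse_blocks(config):
    """Map each top-level command to the sub-commands indented under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' comment lines
        if not raw[0].isspace():
            current = blocks.setdefault(raw.strip(), [])
        elif current is not None:
            current.append(raw.strip())
    return blocks

def audit(config):
    blocks = parse_blocks(config)
    def named(prefix):
        return {k[len(prefix):]: v for k, v in blocks.items() if k.startswith(prefix)}
    records, monitors, out = named("flow record "), named("flow monitor "), []
    for name, cmds in records.items():
        if "match application name" in cmds:  # assumption: marks an AVC record
            out += [f"record {name}: unsupported '{c}'" for c in cmds if UNSUPPORTED.fullmatch(c)]
    for name, cmds in monitors.items():
        out += [f"monitor {name}: missing record '{c[7:]}'" for c in cmds
                if c.startswith("record ") and c[7:] not in records]
    for wlan, cmds in named("wlan ").items():
        for m in filter(None, map(WLAN_MON.fullmatch, cmds)):
            if m.group(1) not in monitors:
                out.append(f"wlan {wlan}: missing monitor '{m.group(1)}' ({m.group(2)})")
    return out
```

      Calling audit(SAMPLE) returns three findings: the two unsupported record commands and the WLAN output direction that names an undefined monitor.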
      

      Additional References for Application Visibility and Control

      Related Documents

      Related Topic Document Title
      System management commands

      System Management Command Reference Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

      Flexible NetFlow configuration

      Flexible NetFlow Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

      Flexible NetFlow commands

      Flexible NetFlow Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

      QoS configuration

      QoS Configuration Guide, Cisco IOS XE Release 3E (Cisco WLC 5700 Series)

      QoS commands

      QoS Command Reference, Cisco IOS XE Release 3E (Cisco WLC 5700 Series)

      Standards and RFCs

      Standard/RFC Title
      None

      MIBs

      MIB MIBs Link
      All supported MIBs for this release.

      To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

      http://www.cisco.com/go/mibs


      Feature History and Information For Application Visibility and Control

      Release Feature Information
      Cisco IOS XE 3.3SE This feature was introduced.

      Cisco IOS XE 3E AVC control with QoS was introduced.