AVC in a Wired Network

Application Visibility and Control

Application Visibility and Control (AVC) is a Cisco solution that classifies applications using deep packet inspection with the Network-Based Application Recognition (NBAR2) engine, enabling application-aware and application-intelligent network operations.

AVC classification and monitoring

AVC enables application-aware network operations by classifying application traffic with NBAR2 deep packet inspection and monitoring it with Flexible NetFlow reporting. These capabilities are configured through the methods listed below.

These are the key classification and monitoring capabilities of AVC:

  • AVC classifies applications using Network-Based Application Recognition (NBAR2) deep packet inspection.

  • You can configure AVC on wired access ports for standalone switches.

  • You can enable NBAR2 explicitly with protocol-discovery or implicitly by attaching a QoS policy that contains a match protocol classifier.

  • You can configure wired AVC Flexible NetFlow (FNF) on an interface to provide per-interface statistics for clients, servers, and applications.

  • Traffic monitoring is similar to the application-client-server-stats monitor in the application-statistics and application-performance profiles of Easy Performance Monitor (ezPM).

AVC class map and policy map formats

AVC class map formats

Class map format: match protocol protocol-name

Example:

class-map match-any NBAR-VOICE
 match protocol ms-lync-audio

Direction: both ingress and egress

Class map format: Combination filters

Example:

class-map match-any NBAR-VOICE
 match protocol ms-lync-audio
 match dscp ef

Direction: both ingress and egress

AVC policy formats

Policy format: Egress policy based on match protocol filter

QoS action: mark and police

Policy format: Ingress policy based on match protocol filter

QoS action: mark and police

This table describes AVC policy formats with examples. A child policy map that is referenced by a service-policy line must exist before the parent policy map references it, so in the hierarchical examples the child policy map is defined first.

AVC policy format: Basic set

AVC policy example:

policy-map MARKING-IN
 class NBAR-MM_CONFERENCING
  set dscp af41

AVC policy format: Basic police

AVC policy example:

policy-map POLICING-IN
 class NBAR-MM_CONFERENCING
  police cir 600000
  set dscp af41

AVC policy format: Basic set and police

AVC policy example:

policy-map webex-policy
 class webex-class
  set dscp ef
  police 5000000

AVC policy format: Multiple set and police including default

AVC policy example:

policy-map webex-policy
 class webex-class
  set dscp af31
  police 4000000
 class class-webex-category
  set dscp ef
  police 6000000
 class class-default
  set dscp <>

AVC policy format: Hierarchical police

AVC policy example:

policy-map client-in-police-only
 class webex-class
  police 100000
 class class-webex-category
  set dscp ef
  police 200000
!
policy-map webex-policy
 class webex-class
  police 5000000
  service-policy client-in-police-only

AVC policy format: Hierarchical set and police

AVC policy example:

policy-map client-up-child
 class webex-class
  police 100000
  set dscp ef
 class class-webex-category
  police 200000
  set dscp af31
!
policy-map webex-policy
 class class-default
  police 1500000
  service-policy client-up-child

Guidelines and limitations for wired AVC

These are NBAR-based QoS policy configuration guidelines.

Interface and protocol

  • Attach NBAR-based QoS policies only to physical Layer 2 and Layer 3 ports that are not members of a port channel. Attachment to trunk ports is not supported.

  • Do not configure NBAR with transmit (Tx) Switched Port Analyzer (SPAN) on the same interface.

  • Only IPv4 unicast TCP and UDP traffic is classified.

  • IPv6 classification is not supported.

  • Use NBAR2 match criteria (match protocol) only with marking or policing actions; do not use them with queuing features. Because of a hardware constraint on match protocol, no more than 255 concurrent protocols can be referenced across all policies.

  • Do not configure AVC on:

    • Logical interfaces.

    • The management port (Gig 0/0).

Feature compatibility

  • Do not configure NBAR and ACL logging on the same switch.

  • Attach only one NBAR-based QoS mechanism (either protocol-based or attribute-based) to a port at a time.

  • Only these attributes are supported for attribute-based QoS:

    • traffic-class

    • business-relevance

  • Protocol-discovery, application-based QoS, and wired AVC Flexible NetFlow (FNF) can be configured together, but not with non-application-based FNF on the same interface at the same time.

  • You can attach up to two wired AVC monitors (with different predefined records) per interface.

Management and performance

  • The Web UI supports application visibility configuration and monitoring only; it does not support application control. Use the CLI to configure NBAR-based QoS for application control.

  • To manage and check wired AVC traffic from the Web UI, first configure these commands using the CLI (ip http authentication local authenticates Web UI sessions against the switch's local username database, so a local user account must exist):

    • ip http authentication local

    • ip nbar http-service

Legacy WDAVC QoS limitations

  • Only marking and policing are supported.

  • Only physical interfaces are supported.

  • QoS classification is delayed because application classification is performed offline: the initial packets of a flow are forwarded before the correct QoS classification is applied. NBAR-based marking and policing therefore never act on the first packets of a flow and are not a substitute for an access list.

Configure AVC on wired ports

This task guides you through configuring AVC on wired ports, including protocol-discovery, AVC QoS policies, and application-based flexible NetFlow.

Protocol-Discovery, application-based QoS, and application-based flexible NetFlow are independent features. You can configure them independently or together on the same interface at the same time.

Procedure


Step 1

Configure visibility. Enable protocol-discovery on the interface.

Activate the NBAR2 engine by enabling protocol-discovery with the ip nbar protocol-discovery command in interface configuration mode. For details, see Enable application recognition on an interface.

Step 2

Create AVC QoS policy

Step 3

Configure application-based Flexible NetFlow


Enable application recognition on an interface

To enable application recognition on an interface, complete the following steps:

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

Switch# configure terminal

Step 2

Use the interface interface-id command to specify the interface for which protocol-discovery is enabled.

Example:

Switch(config)# interface gigabitethernet 1/1

Step 3

Use the ip nbar protocol-discovery command to enable application recognition on the interface by activating NBAR2 engine.

Example:

Switch(config-if)# ip nbar protocol-discovery

Step 4

Use the end command to return to privileged EXEC mode.

Example:

Switch(config-if)# end

Create an AVC QoS policy

Perform these tasks to create an AVC Quality of Service (QoS) policy.

This procedure applies to Cisco IE9300 switches and is the same as the procedure in the 9200 documentation.

Procedure


Step 1

Create a class map with match protocol filters .

Step 2

Create a policy map

Step 3

Apply a QoS policy to the switch port


Create a Class Map

Create the class map first; the match protocol filter is configured inside it. A policy map then applies QoS actions such as marking and policing to the matched traffic. AVC match protocol filters are applied on wired access ports. For the list of supported protocols, refer to http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html .

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

Switch# configure terminal

Step 2

Use the class-map class-map-name command to create a class map.

Example:

Switch(config)# class-map webex-class

Step 3

Use the match protocol application-name command to specify a match to the application name.

Example:

Switch(config-cmap)# match protocol webex-media

Step 4

Use the end command to return to the privileged EXEC mode.

Example:

Switch(config-cmap)# end

Create a policy map

Complete the following steps to create a policy map.

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

Switch# configure terminal

Step 2

Use the policy-map policy-map-name command to create a policy map.

Example:

Switch(config)# policy-map webex-policy

By default, no policy maps are defined.

The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged. No policing is performed.

Note

 

To delete an existing policy map, use the no policy-map policy-map-name global configuration command.

Step 3

Use the class [ class-map-name | class-default ] command to define a traffic classification.

Example:

Switch(config-pmap)# class webex-class

By default, no policy maps or class maps are defined.

If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.

A class-default traffic class is predefined and can be added to any policy. It is always placed at the end of a policy map. Because class-default includes an implied match any, all packets that have not matched another traffic class match class-default.

Note

 

To delete an existing class map, use the no class class-map-name policy-map configuration command.

Step 4

Use the police rate-bps burst-byte command to configure a policer.

Example:

Switch(config-pmap-c)# police 100000 80000

Defines a policer for the classified traffic.

By default, no policer is defined.

  • For rate-bps, specify an average traffic rate in bits per second (b/s). The range is 8000 to 10000000000.

  • For burst-byte, specify the normal burst size in bytes. The range is 1000 to 512000000.

Step 5

Use the set { dscp new-dscp | cos cos-value } command to mark the IP traffic.

Example:

Switch(config-pmap-c)# set dscp 45

Marks the classified IP traffic by writing a new DSCP or CoS value into the packet.

  • For dscp new-dscp , enter a new DSCP value to be assigned to the classified traffic. The range is 0 to 63.

Step 6

Use the end command to return to the privileged EXEC mode.

Example:

Switch(config-pmap-c)# end

Apply QoS policy to the switch port

Complete the following steps to apply a QoS policy to the switch port.

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

Switch# configure terminal

Step 2

Use the interface interface-id command to enter interface configuration mode.

Example:

Switch(config)# interface Gigabitethernet 1/1

Step 3

Use the service-policy input policy-map-name command to apply the policy map to the interface in the ingress direction.

Example:

Switch(config-if)# service-policy input webex-policy

Step 4

Use the end command to return to the privileged EXEC mode.

Example:

Switch(config-if)# end
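The class map and policy map formats and the three procedures above (create a class map, create a policy map, apply the policy to the port), combined into one complete configuration, together with the protocol-discovery command from Enable application recognition on an interface. This is an added example, not configuration from the original page. The class, policy and interface names are placeholders, and it assumes the switch's NBAR2 protocol pack recognizes the ms-lync-audio and webex-media applications used elsewhere on this page.

```cisco
! Added example (not from the original page): end-to-end wired AVC QoS on one access port.
! Assumed: IE9300 running an NBAR2 protocol pack that knows ms-lync-audio and webex-media;
! AVC-VOICE, AVC-WEBEX, AVC-MARKING-IN and gigabitethernet 1/1 are placeholder names.
!
! 1. Class maps: one per application, each using the match protocol filter.
class-map match-any AVC-VOICE
 match protocol ms-lync-audio
!
class-map match-any AVC-WEBEX
 match protocol webex-media
!
! 2. Policy map: mark and police only. No queuing actions, because NBAR2 match
!    criteria are supported only with marking and policing on this platform.
!    police rate-bps burst-byte, as in the policy map procedure above.
policy-map AVC-MARKING-IN
 class AVC-VOICE
  set dscp ef
  police 600000 80000
 class AVC-WEBEX
  set dscp af41
  police 5000000 80000
 class class-default
  set dscp default
!
! 3. Attach to a physical access port (not a trunk, not a port-channel member).
!    Attaching a policy that contains match protocol enables NBAR2 implicitly;
!    ip nbar protocol-discovery enables it explicitly and adds per-protocol counters.
interface gigabitethernet 1/1
 switchport mode access
 ip nbar protocol-discovery
 service-policy input AVC-MARKING-IN
!
! 4. Verify classification and policy hits (privileged EXEC).
! show ip nbar protocol-discovery interface gigabitethernet 1/1
! show policy-map interface gigabitethernet 1/1
```

The policy uses only set and police actions and is attached to a physical access port, which keeps it inside the guidelines above. Because NBAR2 classifies a flow only after its first packets have been forwarded (see the legacy WDAVC limitations), the policer takes effect once the application has been identified; it cannot stop the start of a flow and is not a substitute for an access list.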

Configure Wired AVC Flexible NetFlow

Perform these tasks to configure Wired AVC Flexible NetFlow.

Procedure


Step 1

Create a flow record

Step 2

Configure a bidirectional flow record for record-1

Step 3

Configure a bidirectional flow record for record-2

Step 4

Configure a flow record for ingress traffic

Step 5

Configure a flow record for egress traffic

Step 6

Create a flow exporter

Step 7

Associate a flow monitor to an interface


Create a flow record

Wired AVC Flexible NetFlow (FNF) supports two types of predefined flow records: legacy bidirectional flow records and directional flow records (ingress and egress).

You can configure the following predefined flow records and associate them with a flow monitor:

  • Two bidirectional flow records

  • Two directional flow records

The legacy bidirectional records are client/server application statistics records, and the new directional records are application-stats for input/output.

Configure a bidirectional flow record for record-1

Use this procedure to create a bidirectional flow record. This task enables you to configure flow record parameters and collect statistics for AVC support on Cisco IE9300 switches.

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

Switch# configure terminal

Step 2

Use the flow record flow_record_name command to enter flow record configuration mode

Example:

Switch(config)# flow record fr-wdavc-1

Step 3

(Optional) Use the description description command to create a description for the flow record.

Example:

Switch(config-flow-record)# description fr-wdavc-1

Step 4

Use these commands to configure match criteria for IP version, protocol, and application name.

  1. Use the match ipv4 version command to specify a match to the IP version from the IPv4 header.

    Example:

    Switch(config-flow-record)# match ipv4 version
  2. Use the match ipv4 protocol command to specify a match to the IPv4 protocol.

    Example:

    Switch(config-flow-record)# match ipv4 protocol
  3. Use the match application name command to specify a match to the application name.

    Example:

    Switch(config-flow-record)# match application name

    Note

     
    This action is mandatory for AVC support, as the action allows the flow to be matched against the application.

Step 5

Use these commands to specify match criteria for the client and server IPv4 addresses, the client and server transport ports, and the flow observation point.

  1. Use the match connection client ipv4 address command to specify a match to the IPv4 address of the client (flow initiator).

    Example:

    Switch(config-flow-record)# match connection client ipv4 address
  2. Use the match connection client transport port command to specify a match to the transport port of the client.

    Example:

    Switch(config-flow-record)# match connection client transport port
  3. Use the match connection server ipv4 address command to specify a match to the IPv4 address of the server (flow responder).

    Example:

    Switch(config-flow-record)# match connection server ipv4 address
  4. Use the match connection server transport port command to specify a match to the transport port of the server.

    Example:

    Switch(config-flow-record)# match connection server transport port
  5. Use the match flow observation point command to specify a match to the observation point ID for flow observation metrics.

    Example:

    Switch(config-flow-record)# match flow observation point

Step 6

Use these commands to configure collection of flow direction and connection initiator.

  1. Use the collect flow direction command to specify the collector flow direction.

    Example:

    Switch(config-flow-record)# collect flow direction

    Specifies to collect the direction — Ingress or Egress — of the relevant side — Initiator or Responder — of the bi-directional flow that is specified by the initiator keyword in the collect connection initiator command in the following step. Depending on the value specified by the initiator keyword, the flow direction keyword takes the following values:

    • 0x01 = Ingress Flow

    • 0x02 = Egress Flow

    When the initiator keyword is set to initiator, the flow direction is specified from the initiator side of the flow. When the initiator keyword is set to responder, the flow direction is specified from the responder side of the flow. For wired AVC, the initiator keyword is always set to initiator.

  2. Use the collect connection initiator command to specify the collector side of the flow (initiator or responder).

    Example:

    Switch(config-flow-record)# collect connection initiator

    The initiator keyword selects the side of the connection from which the direction collected by the collect flow direction command is reported:

    • 0x01 = Initiator - the flow source is the initiator of the connection.

    For wired AVC, the initiator keyword is always set to initiator.

Step 7

Use these commands to collect connection initiation and traffic counters for client and server.

  1. Use the collect connection new-connections command to specify the number of connection initiations observed.

    Example:

    Switch(config-flow-record)# collect connection new-connections
  2. Use the collect connection client counter packets long command to specify the number of packets sent by the client.

    Example:

    Switch(config-flow-record)# collect connection client counter packets long
  3. Use the collect connection client counter bytes network long command to specify the total number of bytes transmitted by the client.

    Example:

    Switch(config-flow-record)# collect connection client counter bytes network long
  4. Use the collect connection server counter packets long command to specify the number of packets sent by the server.

    Example:

    Switch(config-flow-record)# collect connection server counter packets long
  5. Use the collect connection server counter bytes network long command to specify the total number of bytes transmitted by the server.

    Example:

    Switch(config-flow-record)# collect connection server counter bytes network long

Step 8

Use these commands to collect absolute timestamps for the first and last packets in the flow.

  1. Use the collect timestamp absolute first command to specify the time, in milliseconds, when the first packet was seen in the flow.

    Example:

    Switch(config-flow-record)# collect timestamp absolute first
  2. Use the collect timestamp absolute last command to specify the time, in milliseconds, when the most recent packet was seen in the flow.

    Example:

    Switch(config-flow-record)# collect timestamp absolute last

Step 9

Use these commands to exit configuration mode and verify the flow record.

  1. Use the end command to return to the privileged EXEC mode.

    Example:

    Switch(config-flow-record)# end
  2. Use the show flow record command to display information about all the flow records.

    Example:

    Switch# show flow record

Configure a bidirectional flow record for record-2

Use this procedure to create a bidirectional flow record. This task enables you to configure flow record parameters and collect statistics for AVC support on Cisco IE9300 switches.

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

Switch# configure terminal

Step 2

Use the flow record flow_record_name command to enter flow record configuration mode

Example:

Switch(config)# flow record fr-wdavc-1

Step 3

(Optional) Use the description description command to create a description for the flow record.

Example:

Switch(config-flow-record)# description fr-wdavc-1

Step 4

Use these commands to configure match criteria for IP version, protocol, and application name.

  1. Use the match ipv4 version command to specify a match to the IP version from the IPv4 header.

    Example:

    Switch(config-flow-record)# match ipv4 version
  2. Use the match ipv4 protocol command to specify a match to the IPv4 protocol.

    Example:

    Switch(config-flow-record)# match ipv4 protocol
  3. Use the match application name command to specify a match to the application name.

    Example:

    Switch(config-flow-record)# match application name

    Note

     
    This action is mandatory for AVC support, as the action allows the flow to be matched against the application.

Step 5

Use these commands to specify match criteria for the client and server IPv4 addresses, the server transport port (and optionally the client transport port), and the flow observation point.

  1. Use the match connection client ipv4 address command to specify a match to the IPv4 address of the client (flow initiator).

    Example:

    Switch(config-flow-record)# match connection client ipv4 address
  2. (Optional) Use the match connection client transport port command to specify a match to the connection port of the client as a key field for a flow record.

    Example:

    Switch(config-flow-record)# match connection client transport port
  3. Use the match connection server ipv4 address command to specify a match to the IPv4 address of the server (flow responder).

    Example:

    Switch(config-flow-record)# match connection server ipv4 address
  4. Use the match connection server transport port command to specify a match to the transport port of the server.

    Example:

    Switch(config-flow-record)# match connection server transport port
  5. Use the match flow observation point command to specify a match to the observation point ID for flow observation metrics.

    Example:

    Switch(config-flow-record)# match flow observation point

Step 6

Use these commands to configure collection of flow direction and connection initiator.

  1. Use the collect flow direction command to specify the collector flow direction.

    Example:

    Switch(config-flow-record)# collect flow direction

    Specifies to collect the direction — Ingress or Egress — of the relevant side — Initiator or Responder — of the bi-directional flow that is specified by the initiator keyword in the collect connection initiator command in the following step. Depending on the value specified by the initiator keyword, the flow direction keyword takes the following values:

    • 0x01 = Ingress Flow

    • 0x02 = Egress Flow

    When the initiator keyword is set to initiator, the flow direction is specified from the initiator side of the flow. When the initiator keyword is set to responder, the flow direction is specified from the responder side of the flow. For wired AVC, the initiator keyword is always set to initiator.

  2. Use the collect connection initiator command to specify the collector side of the flow (initiator or responder).

    Example:

    Switch(config-flow-record)# collect connection initiator

    The initiator keyword selects the side of the connection from which the direction collected by the collect flow direction command is reported:

    • 0x01 = Initiator - the flow source is the initiator of the connection.

    For wired AVC, the initiator keyword is always set to initiator.

Step 7

Use these commands to collect connection initiation and traffic counters for client and server.

  1. Use the collect connection new-connections command to specify the number of connection initiations observed.

    Example:

    Switch(config-flow-record)# collect connection new-connections
  2. Use the collect connection client counter packets long command to specify the number of packets sent by the client.

    Example:

    Switch(config-flow-record)# collect connection client counter packets long
  3. Use the collect connection client counter bytes network long command to specify the total number of bytes transmitted by the client.

    Example:

    Switch(config-flow-record)# collect connection client counter bytes network long
  4. Use the collect connection server counter packets long command to specify the number of packets sent by the server.

    Example:

    Switch(config-flow-record)# collect connection server counter packets long
  5. Use the collect connection server counter bytes network long command to specify the total number of bytes transmitted by the server.

    Example:

    Switch(config-flow-record)# collect connection server counter bytes network long

Step 8

Use these commands to collect absolute timestamps for the first and last packets in the flow.

  1. Use the collect timestamp absolute first command to specify the time, in milliseconds, when the first packet was seen in the flow.

    Example:

    Switch(config-flow-record)# collect timestamp absolute first
  2. Use the collect timestamp absolute last command to specify the time, in milliseconds, when the most recent packet was seen in the flow.

    Example:

    Switch(config-flow-record)# collect timestamp absolute last

Step 9

Use these commands to exit configuration mode and verify the flow record.

  1. Use the end command to return to the privileged EXEC mode.

    Example:

    Switch(config-flow-record)# end
  2. Use the show flow record command to display information about all the flow records.

    Example:

    Switch# show flow record

Configure a flow record for ingress traffic

Perform these steps to create an ingress directional flow record:

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

Switch# configure terminal

Step 2

Use the flow record flow_record_name command to enter flow record configuration mode

Example:

Switch(config)# flow record fr-wdavc-1

Step 3

(Optional) Use the description description command to create a description for the flow record.

Example:

Switch(config-flow-record)# description fr-wdavc-1

Step 4

Use these commands to configure the key fields: IP version, protocol, source and destination IPv4 addresses, transport source and destination ports, input interface, and application name.

  1. Use the match ipv4 version command to specify a match to the IP version from the IPv4 header.

    Example:

    Switch(config-flow-record)# match ipv4 version
  2. Use the match ipv4 protocol command to specify a match to the IPv4 protocol.

    Example:

    Switch(config-flow-record)# match ipv4 protocol
  3. Use the match ipv4 source address command to specify a match to the IPv4 source address as a key field.

    Example:

    Switch(config-flow-record)# match ipv4 source address
  4. Use the match ipv4 destination address command to specify a match to the IPv4 destination address as a key field.

    Example:

    Switch(config-flow-record)# match ipv4 destination address
  5. Use the match transport source-port command to specify a match to the transport source port as a key field.

    Example:

    Switch(config-flow-record)# match transport source-port
  6. Use the match transport destination-port command to specify a match to the transport destination port as a key field.

    Example:

    Switch(config-flow-record)# match transport destination-port
  7. Use the match interface input command to specify a match to the input interface as a key field.

    Example:

    Switch(config-flow-record)# match interface input
  8. Use the match application name command to specify a match to the application name.

    Example:

    Switch(config-flow-record)# match application name

    Specifies a match to the application name.

    Note

     
    This action is mandatory for AVC support, as this allows the flow to be matched against the application.

Step 5

Use these commands to collect statistics.

  1. Use the collect interface output command to specify the output interface from the flows.

    Example:

    Switch(config-flow-record)# collect interface output
  2. Use the collect counter bytes long command to specify the number of bytes in a flow.

    Example:

    Switch(config-flow-record)# collect counter bytes long
  3. Use the collect counter packets long command to specify the number of packets in a flow.

    Example:

    Switch(config-flow-record)# collect counter packets long
  4. Use the collect timestamp absolute first command to specify the time, in milliseconds when the first packet is seen in the flow.

    Example:

    Switch(config-flow-record)# collect timestamp absolute first
  5. Use the collect timestamp absolute last command to specify the time, in milliseconds, when the most recent packet is seen in the flow.

    Example:

    Switch(config-flow-record)# collect timestamp absolute last

Step 6

Use these commands to exit configuration mode and verify the flow record.

  1. Use the end command to return to the privileged EXEC mode.

    Example:

    Switch(config-flow-record)# end
  2. Use the show flow record command to display information about all the flow records.

    Example:

    Switch# show flow record

Configure a flow record for egress traffic

Perform these steps to create an egress directional flow record.

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

Switch# configure terminal

Step 2

Use the flow record flow_record_name command to enter flow record configuration mode

Example:

Switch(config)# flow record fr-wdavc-1

Step 3

(Optional) Use the description description command to create a description for the flow record.

Example:

Switch(config-flow-record)# description fr-wdavc-1

Step 4

Use these commands to configure the key fields: IP version, protocol, source and destination IPv4 addresses, transport source and destination ports, output interface, and application name.

  1. Use the match ipv4 version command to specify a match to the IP version from the IPv4 header.

    Example:

    Switch(config-flow-record)# match ipv4 version
  2. Use the match ipv4 protocol command to specify a match to the IPv4 protocol.

    Example:

    Switch(config-flow-record)# match ipv4 protocol
  3. Use the match ipv4 source address command to specify a match to the IPv4 source address as a key field.

    Example:

    Switch(config-flow-record)# match ipv4 source address
  4. Use the match ipv4 destination address command to specify a match to the IPv4 destination address as a key field.

    Example:

    Switch(config-flow-record)# match ipv4 destination address
  5. Use the match transport source-port command to specify a match to the transport source port as a key field.

    Example:

    Switch(config-flow-record)# match transport source-port
  6. Use the match transport destination-port command to specify a match to the transport destination port as a key field.

    Example:

    Switch(config-flow-record)# match transport destination-port
  7. Use the match interface output command to specify a match to the output interface as a key field.

    Example:

    Switch(config-flow-record)# match interface output
  8. Use the match application name command to specify a match to the application name.

    Example:

    Switch(config-flow-record)# match application name

    Specifies a match to the application name.

    Note

     
    This action is mandatory for AVC support, as this allows the flow to be matched against the application.

Step 5

Use these commands to collect statistics.

  1. Use the collect interface input command to specify the input interface from the flows.

    Example:

    Switch(config-flow-record)# collect interface input
  2. Use the collect counter bytes long command to specify the number of bytes in a flow.

    Example:

    Switch(config-flow-record)# collect counter bytes long
  3. Use the collect counter packets long command to specify the number of packets in a flow.

    Example:

    
    Switch(config-flow-record)# 
                                    collect counter packets long
                                
  4. Use the collect timestamp absolute first command to specify the time, in milliseconds when the first packet is seen in the flow.

    Example:

    Switch(config-flow-record)# collect timestamp absolute first
  5. Use the collect timestamp absolute last command to specify the time, in milliseconds, when the most recent packet is seen in the flow.

    Example:

    Switch(config-flow-record)# collect timestamp absolute last

Step 6

Use these commands to exit configuration mode and verify the flow record.

  1. Use the end command to return to the privileged EXEC mode.

    Example:

    Switch(config-flow-record)# end
  2. Use the show flow record command to display information about all the flow records.

    Example:

    Switch# show flow record

Configure a flow monitor

You can create a flow monitor and associate it with a flow record.

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

Switch# configure terminal

Step 2

Use the flow monitor monitor-name command to create a flow monitor and enter flow monitor configuration mode.

Example:

Switch(config)# flow monitor flow-monitor-1

Step 3

(Optional) Use the description description command to create a description for the flow monitor.

Example:

Switch(config-flow-monitor)# description flow-monitor-1

Step 4

Use the record record-name command to specify the name of a record that was created previously.

Example:

Switch(config-flow-monitor)# record flow-record-1

Step 5

Use the exporter exporter-name command to specify the name of an exporter that was created previously.

Example:

Switch(config-flow-monitor)# exporter flow-exporter-1

Step 6

(Optional) Use the cache { entries number-of-entries | timeout { active | inactive } | type normal } command to configure flow cache parameters.

Example:

Switch(config-flow-monitor)# cache timeout active 1800

Example:

Switch(config-flow-monitor)# cache timeout inactive 200

Example:

Switch(config-flow-monitor)# cache type normal

entries number-of-entries — Specifies the maximum number of flow entries in the flow cache, in the range from 16 to 65536.

Note

Only the normal cache type is supported.

Step 7

Use the end command to return to the privileged EXEC mode.

Example:

Switch(config-flow-monitor)# end

Step 8

Use these commands to monitor flow monitor statistics.

  1. Use the show flow monitor command to display information about all the flow monitors.

    Example:

    Switch# show flow monitor
  2. Use the show flow monitor flow-monitor-name command to display information about the specified wired AVC flow monitor.

    Example:

    Switch# show flow monitor flow-monitor-1
  3. Use the show flow monitor flow-monitor-name statistics command to display statistics for the specified wired AVC flow monitor.

    Example:

    Switch# show flow monitor flow-monitor-1 statistics
  4. Use the show flow monitor flow-monitor-name cache format table command to display flow cache contents in a tabular format.

    Example:

    Switch# show flow monitor flow-monitor-1 cache format table
  5. Use the show flow monitor flow-monitor-name cache format record command to display flow cache contents in a format similar to the flow record.

    Example:

    Switch# show flow monitor flow-monitor-1 cache format record
  6. Use the show flow monitor flow-monitor-name cache format csv command to display flow cache contents in CSV format.

    Example:

    Switch# show flow monitor flow-monitor-1 cache format csv

Step 9

Use the clear flow monitor flow-monitor-name statistics command to clear the statistics of the specified flow monitor.

Example:

Switch# clear flow monitor flow-monitor-1 statistics

After clearing, use the show flow monitor flow-monitor-1 statistics command to verify that all the statistics have been reset.


Associate flow monitor to an interface

You can attach two different wired AVC monitors with different predefined records to an interface at the same time.

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

Switch# configure terminal

Step 2

Use the interface interface-id command to specify an interface and enter interface configuration mode.

Example:

Switch(config)# interface Gigabitethernet 1/1

Step 3

Use the ip flow monitor monitor-name { input | output } command to associate a flow monitor to the interface for input and/or output packets.

Example:

Switch(config-if)# ip flow monitor flow-monitor-1 input

Step 4

Use the end command to return to the privileged EXEC mode.

Example:

Switch(config-if)# end

NBAR2 custom applications

NBAR2 custom applications are user-defined protocols that allow identification of local or specific applications not covered by the default NBAR2 protocol pack. The custom applications

  • enable recognition of organization- or geography-specific applications, and

  • take precedence over built-in protocols and can include selector IDs for reporting.

The custom applications allow customization using the ip nbar custom myappname command in the global configuration mode.

NBAR2 custom application customization types and methods

NBAR2 supports these types of application customization.

  • Generic protocol customization: HTTP, SSL, DNS

  • Composite customization: Based on multiple underlying protocols, such as server-name.

  • Layer3 or Layer4 customization: IPv4 address, DSCP values, TCP or UDP ports, flow source or destination direction

  • Byte Offset customization: Based on specific byte values in the payload.

The following sections describe the supported customizations.

HTTP customization

HTTP customization is a method that allows traffic identification based on these HTTP fields:

  • cookie - HTTP Cookie

  • host - Host name of Origin Server containing resource

  • method - HTTP method

  • referrer - Address the resource request was obtained from

  • url - Uniform Resource Locator path

  • user-agent - Software used by agent sending the request

  • version - HTTP version

  • via - HTTP via field

Define custom applications that match specific HTTP field values to implement HTTP customization.

You can create a custom application named MYHTTP that matches the HTTP host “*mydomain.com” with selector ID 10 by entering the ip nbar custom MYHTTP http host *mydomain.com id 10 command in configuration mode.

SSL customization

SSL customization is a feature that allows you to manage SSL encrypted traffic by extracting information from the SSL Server Name Indication (SNI) or Common Name (CN).

You can create a custom application named MYSSL that matches the SSL unique-name “*mydomain.com” with selector ID 11 by entering the ip nbar custom MYSSL ssl unique-name *mydomain.com id 11 command in configuration mode.

DNS customization

DNS customization is a feature that allows NBAR2 to analyze DNS request and response traffic, correlate DNS responses to applications, and cache returned IP addresses used for later packet flows associated with that specific application.

Define and extend applications based on DNS domains

DNS customization enables the use of specific commands to define or extend applications based on DNS domain names.

Use the ip nbar custom application-name dns domain-name domain-name id application-id command for DNS customization.

Use the ip nbar custom application-name dns domain-name domain-name extends existing-application command to extend an existing application.

For more information on DNS-based customization, see http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/configuration/xe-3s/asr1000/qos-nbar-xe-3s-asr-1000-book/nbar-custapp-dns-xe.html.

You can create a custom application named MYDNS that matches the DNS domain name “*mydomain.com” with selector ID 12 by entering the ip nbar custom MYDNS dns domain-name *mydomain.com id 12 command in configuration mode.

Composite customization

Composite customization is a feature in NBAR2 that allows users to define custom applications by specifying domain names found in HTTP, SSL, or DNS traffic.

You can create a custom application named MYDOMAIN using HTTP, SSL, or DNS domain name “*mydomain.com” with selector ID 13 by entering the ip nbar custom MYDOMAIN composite server-name *mydomain.com id 13 command in configuration mode.

L3/L4 Customization

Layer3 or layer4 customization is a process that matches traffic based on the packet tuple and always applies to the first packet of a flow.

You can create a custom application named LAYER4CUSTOM that matches the IP addresses 10.56.1.10 and 10.56.1.11, the TCP transport, and DSCP ef, with selector ID 14, by entering the ip nbar custom LAYER4CUSTOM transport tcp id 14 command in configuration mode and then adding the match criteria in custom configuration mode. Here is an example.

Switch# configure terminal
Switch(config)# ip nbar custom LAYER4CUSTOM transport tcp id 14
Switch(config-custom)# ip address 10.56.1.10 10.56.1.11
Switch(config-custom)# dscp ef

Monitor custom applications

This topic describes the use of show commands to monitor custom applications and protocols on Cisco devices.

Show commands to monitor custom applications

Use the show ip nbar protocol-id | inc Custom command to list the NBAR custom applications and their selector IDs.

Device# show ip nbar protocol-id | inc Custom
LAYER4CUSTOM             14            Custom
MYDNS                    12            Custom
MYDOMAIN                 13            Custom
MYHTTP                   10            Custom
MYSSL                    11            Custom

Use the show ip nbar protocol-id custom-application-name command to display the entry for a specific custom application (here, the SSL custom application MYSSL).

Switch# show ip nbar protocol-id MYSSL
Protocol Name             id            type
----------------------------------------------
MYSSL                    11            Custom

NBAR2 dynamic hitless protocol pack

NBAR2 dynamic hitless protocol packs are software packages that update protocol support on your device without upgrading the Cisco software. Each pack includes application signatures and attributes. Every software release contains a built-in protocol pack.

  • Protocol packs are easy and fast to load.

  • They are easy to upgrade to a higher version or to revert to a lower version.

  • They do not require the switch to be reloaded.

Update NBAR2 protocol pack

If a new application protocol needs to be recognized by NBAR2, a protocol pack update can be loaded without reloading the switch or replacing the Cisco software.

Note

Download the latest protocol packs from the Cisco Software center at https://software.cisco.com/download/home.

Load NBAR2 protocol pack

Perform these steps to load the NBAR2 protocol pack.

Before you begin

Before loading a new protocol pack, you must copy the protocol pack to the flash on all the switch members.

Procedure


Step 1

Use the enable command to enter the privileged EXEC mode.

Example:

Switch> enable

Enter your password if prompted.

Step 2

Use the configure terminal command to enter global configuration mode.

Example:

Switch# configure terminal

Step 3

Use the ip nbar protocol-pack protocol-pack [ force ] command to load the protocol pack.

Example:

Switch(config)# ip nbar protocol-pack flash:defProtoPack

Use the force keyword to specify and load a protocol pack of a lower version, which is different from the base protocol pack version. Doing so also removes the configuration that is not supported by the current protocol pack on the switch.

Example:

Switch(config)# ip nbar protocol-pack flash:OldDefProtoPack force

Use the default ip nbar protocol-pack command to revert to the built-in protocol pack.

Example:

Switch(config)# default ip nbar protocol-pack

Step 4

Use the end command to return to privileged EXEC mode.

Example:

Switch(config)# end

Step 5

(Optional) Use the show ip nbar protocol-pack {protocol-pack | active } [ detail ] command to display the protocol pack information.

Example:

Switch# show ip nbar protocol-pack active
  • Verify the loaded protocol pack version, publisher, and other details using this command.

  • Use the protocol-pack argument to display information about the specified protocol pack.

  • Use the active keyword to display active protocol pack information.

  • Use the detail keyword to display detailed protocol pack information.


Monitor AVC statistics on the switch

Use this procedure, and the commands it lists, to monitor application visibility and statistics on the switch and its access ports.

Procedure


Step 1

(Optional) Use the show ip nbar protocol-discovery [ interface interface-type interface-number ] [ stats { byte-count | bit-rate | packet-count | max-bit-rate }] [ protocol protocol-name | top-n number ] command to display the statistics for all interfaces on which the NBAR Protocol Discovery feature is enabled.

Table 1. Syntax description

  • interface - (Optional) Specifies that Protocol Discovery statistics for the interface are to be displayed.

  • type - Type of interface or subinterface whose policy configuration is to be displayed.

  • number - Port, connector, VLAN, or interface card number.

  • stats - (Optional) Specifies that the byte count, byte rate, or packet count is to be displayed.

  • byte-count - (Optional) Specifies that the byte count is to be displayed.

  • max-bit-rate - (Optional) Specifies that the maximum bit rate is to be displayed.

  • packet-count - (Optional) Specifies that the packet count is to be displayed.

  • protocol - (Optional) Specifies that statistics for a specific protocol are to be displayed.

  • protocol-name - (Optional) User-specified protocol name for which the statistics are to be displayed.

  • top-n - (Optional) Specifies that a top-n is to be displayed. A top-n is the number of most active NBAR-supported protocols, where n is the number of protocols to be displayed. For instance, if top-n 3 is entered, the three most active NBAR-supported protocols are displayed.

  • number - (Optional) Specifies the number of most active NBAR-supported protocols to be displayed.

Step 2

(Optional) Use the show policy-map interface interface-type interface-number command to display information about the policy map applied to the interface. For configuration details, refer to AVC configuration examples.


AVC configuration examples

This topic provides examples for creating class maps, policy maps, and monitoring configurations for AVC on Cisco switches.

This example shows how to create class maps that apply match protocol filters on the application name:

Switch# configure terminal
Switch(config)# class-map match-any NBAR-VOICE
Switch(config-cmap)# match protocol ms-lync-audio
Switch(config-cmap)# end

This example shows how to create policy maps that reference existing class maps for egress QoS.

Switch# configure terminal
Switch(config)# policy-map test-avc-up
Switch(config-pmap)# class cat-browsing
Switch(config-pmap-c)# police 150000
Switch(config-pmap-c)# set dscp 12
Switch(config-pmap-c)# end

This example shows how to create policy maps that reference existing class maps for ingress QoS.

Switch# configure terminal
Switch(config)# policy-map test-avc-down
Switch(config-pmap)# class cat-browsing
Switch(config-pmap-c)# police 200000
Switch(config-pmap-c)# set dscp 10
Switch(config-pmap-c)# end

This example shows how to apply policy maps to a switch port.

Switch# configure terminal
Switch(config)# interface GigabitEthernet 1/1
Switch(config-if)# switchport mode access 
Switch(config-if)# switchport access vlan 20
Switch(config-if)# service-policy input POLICING_IN
Switch(config-if)# end

This example shows how to create class maps based on NBAR attributes.

Switch# configure terminal
Switch(config)# class-map match-all rel-relevant
Switch(config-cmap)# match protocol attribute business-relevance business-relevant
Switch(config)# class-map match-all rel-irrelevant
Switch(config-cmap)# match protocol attribute business-relevance business-irrelevant
Switch(config)# class-map match-all rel-default
Switch(config-cmap)# match protocol attribute business-relevance default
Switch(config)# class-map match-all class--ops-admin-and-rel
Switch(config-cmap)# match protocol attribute traffic-class ops-admin-mgmt
Switch(config-cmap)# match protocol attribute business-relevance business-relevant

This example shows how to create policy maps based on class maps based on NBAR attributes.

Switch# configure terminal
Switch(config)# policy-map attrib--rel-types
Switch(config-pmap)# class rel-relevant
Switch(config-pmap-c)# set dscp ef
Switch(config-pmap-c)# class rel-irrelevant
Switch(config-pmap-c)# set dscp af11
Switch(config-pmap-c)# class rel-default
Switch(config-pmap-c)# set dscp default
Switch(config)# policy-map attrib--ops-admin-and-rel
Switch(config-pmap)# class class--ops-admin-and-rel
Switch(config-pmap-c)# set dscp cs5

This example shows how to attach a policy map based on NBAR attributes to a wired port.

Switch# configure terminal
Switch(config)# interface GigabitEthernet1/2
Switch(config-if)# service-policy input attrib--rel-types

Show commands to monitor the configuration

Use the show ip nbar protocol-discovery command to display a report of the protocol discovery statistics per interface.

This is a sample output for the statistics per interface.

Switch# show ip nbar protocol-discovery interface GigabitEthernet1/1 
GigabitEthernet1/1 
Last clearing of "show ip nbar protocol-discovery" counters 00:03:16
                                  Input                               Output
Protocol                          Packet Count                        Packet Count       
                                  Byte Count                          Byte Count
                                  30sec Bit Rate (bps)                30sec Bit Rate (bps)  
                                  30sec Max Bit Rate (bps)            30sec Max Bit Rate (bps)
------------------------ ------------------------ ---------------------------------------------------
ms-lync                           60580                               55911
                                  31174777                            28774864
                                  3613000                             93000
                                  3613000                             3437000
Total                             60580                               55911
                                  31174777                            28774864
                                  3613000                             93000
                                  3613000                             3437000
                                  -------                             --------
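The protocol-discovery report above spreads each protocol over four lines (packet count, byte count, 30-second bit rate, 30-second maximum bit rate) with Input and Output columns, which makes it awkward to consume programmatically. The following parser is an added example, not part of the Cisco guide; its sample output is constructed from the figures shown above plus an added `unknown` row, and it also checks that the per-protocol counters add up to the Total row and reports the share of bytes NBAR could not classify.

```python
"""Parse 'show ip nbar protocol-discovery interface ...' output into per-protocol
counters. Added example, not from the Cisco guide; SAMPLE is constructed from the
guide's figures with an extra 'unknown' row so the consistency check is meaningful."""
import re

SAMPLE = """\
Switch# show ip nbar protocol-discovery interface GigabitEthernet1/1
GigabitEthernet1/1
Last clearing of "show ip nbar protocol-discovery" counters 00:03:16
                                  Input                               Output
Protocol                          Packet Count                        Packet Count
                                  Byte Count                          Byte Count
                                  30sec Bit Rate (bps)                30sec Bit Rate (bps)
                                  30sec Max Bit Rate (bps)            30sec Max Bit Rate (bps)
------------------------ ------------------------ ---------------------------------------------------
ms-lync                           60580                               55911
                                  31174777                            28774864
                                  3613000                             93000
                                  3613000                             3437000
unknown                           120                                 80
                                  9600                                6400
                                  0                                   0
                                  1200                                800
Total                             60700                               55991
                                  31184377                            28781264
                                  3613000                             93000
                                  3613000                             3437000
                                  -------                             --------
"""

# The four counter lines appear in this fixed order under each protocol name.
FIELDS = ("packets", "bytes", "bit_rate_30s", "max_bit_rate_30s")

ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")   # protocol  input  output
CONT_RE = re.compile(r"^\s+(\d+)\s+(\d+)\s*$")        # continuation: input output


def parse_protocol_discovery(text):
    """Return (stats, total): stats maps protocol -> {"input": {...}, "output": {...}};
    total holds the same structure for the 'Total' row (or None if absent)."""
    stats, current, idx = {}, None, 0
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            # First line of a protocol: name plus the packet counts.
            current = m.group(1)
            stats[current] = {"input": {}, "output": {}}
            idx = 0
            values = (int(m.group(2)), int(m.group(3)))
        else:
            m = CONT_RE.match(line)
            if m is None or current is None:
                continue  # headers, dashes and prompt lines
            values = (int(m.group(1)), int(m.group(2)))
        if idx < len(FIELDS):
            stats[current]["input"][FIELDS[idx]] = values[0]
            stats[current]["output"][FIELDS[idx]] = values[1]
            idx += 1
    total = stats.pop("Total", None)
    return stats, total


def counters_consistent(stats, total):
    """True when per-protocol packet and byte counters add up to the Total row.
    Bit rates are not summed: the Total max bit rate is not a sum of per-protocol maxima."""
    if total is None:
        return False
    for direction in ("input", "output"):
        for field in ("packets", "bytes"):
            if sum(p[direction][field] for p in stats.values()) != total[direction][field]:
                return False
    return True


def unknown_share(stats, direction="input"):
    """Fraction of bytes in one direction that NBAR left in the 'unknown' protocol.
    A rising share is the first sign that a protocol pack or custom application is needed."""
    total_bytes = sum(p[direction]["bytes"] for p in stats.values())
    if total_bytes == 0:
        return 0.0
    return stats.get("unknown", {}).get(direction, {}).get("bytes", 0) / total_bytes


if __name__ == "__main__":
    parsed, total_row = parse_protocol_discovery(SAMPLE)
    for name, counters in parsed.items():
        print(f"{name:12} in={counters['input']} out={counters['output']}")
    print("consistent:", counters_consistent(parsed, total_row))
    print(f"unknown share (input): {unknown_share(parsed):.4%}")
```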
            

Use the show policy-map interface command to display the QoS statistics and the configured policy maps on all interfaces.

This is a sample output for the policy-maps configured on all the interfaces:

Switch# show policy-map int
GigabitEthernet1/1 
 Service-policy input: MARKING-IN 
  Class-map: NBAR-VOICE (match-any) 
    718 packets 
    Match: protocol ms-lync-audio 
      0 packets, 0 bytes 
      30 second rate 0 bps 
   QoS Set 
      dscp ef 
   Class-map: NBAR-MM_CONFERENCING (match-any) 
      6451 packets 
      Match: protocol ms-lync      
        0 packets, 0 bytes 
        30 second rate 0 bps 
      Match: protocol ms-lync-video 
        0 packets, 0 bytes 
        30 second rate 0 bps 
      QoS Set 
        dscp af41 
    Class-map: class-default (match-any) 
      34 packets 
      Match: any
            

Show commands to monitor attributes-based QoS configuration

Use the show policy-map interface command to display the attribute-based QoS statistics and the configured policy maps on all interfaces.

This is sample output for the policy maps configured on all the interfaces:

Switch# show policy-map interface gigabitEthernet 1/2
GigabitEthernet1/2
  Service-policy input: attrib--rel-types
    Class-map: rel-relevant (match-all)
      20 packets
      Match: protocol attribute business-relevance business-relevant
      QoS Set
        dscp ef
    Class-map: rel-irrelevant (match-all)
      0 packets
      Match: protocol attribute business-relevance business-irrelevant
      QoS Set
        dscp af11
    Class-map: rel-default (match-all)
      14 packets
      Match: protocol attribute business-relevance default
      QoS Set
        dscp default
    Class-map: class-default (match-any)
      0 packets
      Match: any
            

Use the show ip nbar protocol-attribute command to display all the protocol attributes used by NBAR.

This example shows sample output for some of the attributes.

Switch# show ip nbar protocol-attribute cisco-jabber-im
 Protocol Name : cisco-jabber-im
               encrypted : encrypted-yes
                  tunnel : tunnel-no
                category : voice-and-video
            sub-category : enterprise-media-conferencing
       application-group : cisco-jabber-group
          p2p-technology : p2p-tech-no
           traffic-class : transactional-data
      business-relevance : business-relevant
         application-set : collaboration-apps
            
Switch# show ip nbar protocol-attribute google-services
   Protocol Name : google-services
               encrypted : encrypted-yes
                  tunnel : tunnel-no
                category : other
            sub-category : other
       application-group : google-group
          p2p-technology : p2p-tech-yes
           traffic-class : transactional-data
      business-relevance : default
         application-set : general-browsing
            
Switch# show ip nbar protocol-attribute dns
  Protocol Name : google-services
               encrypted : encrypted-yes
                  tunnel : tunnel-no
                category : other
            sub-category : other
       application-group : google-group
          p2p-technology : p2p-tech-yes
           traffic-class : transactional-data
      business-relevance : default
         application-set : general-browsing
            
Switch# show ip nbar protocol-attribute unknown
      Protocol Name : unknown
               encrypted : encrypted-no
                  tunnel : tunnel-no
                category : other
            sub-category : other
       application-group : other
          p2p-technology : p2p-tech-no
           traffic-class : bulk-data
      business-relevance : default
         application-set : general-misc
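The attribute-based class maps and the attrib--rel-types policy map shown earlier select traffic by the business-relevance attribute printed above. The parser below is an added example, not part of the Cisco guide; it reads one or more show ip nbar protocol-attribute blocks (sample output constructed from the figures above) and predicts which class map and DSCP marking each protocol would receive under that policy, so that an attribute change in a new protocol pack can be reviewed before it alters marking.

```python
"""Parse 'show ip nbar protocol-attribute <name>' output and map each protocol to the
class map / DSCP it gets under the guide's attrib--rel-types policy.
Added example, not from the Cisco guide; SAMPLE is constructed from the guide's figures."""
import re

SAMPLE = """\
Switch# show ip nbar protocol-attribute cisco-jabber-im
 Protocol Name : cisco-jabber-im
               encrypted : encrypted-yes
                  tunnel : tunnel-no
                category : voice-and-video
            sub-category : enterprise-media-conferencing
       application-group : cisco-jabber-group
          p2p-technology : p2p-tech-no
           traffic-class : transactional-data
      business-relevance : business-relevant
         application-set : collaboration-apps

Switch# show ip nbar protocol-attribute google-services
   Protocol Name : google-services
               encrypted : encrypted-yes
                  tunnel : tunnel-no
                category : other
            sub-category : other
       application-group : google-group
          p2p-technology : p2p-tech-yes
           traffic-class : transactional-data
      business-relevance : default
         application-set : general-browsing

Switch# show ip nbar protocol-attribute unknown
      Protocol Name : unknown
               encrypted : encrypted-no
                  tunnel : tunnel-no
                category : other
            sub-category : other
       application-group : other
          p2p-technology : p2p-tech-no
           traffic-class : bulk-data
      business-relevance : default
         application-set : general-misc
"""

# "  key words : value" lines; the prompt lines carry no colon and are skipped.
ATTR_RE = re.compile(r"^\s*([\w-]+(?: [\w-]+)*)\s*:\s*(\S+)\s*$")

# Class maps and set dscp actions from the guide's attrib--rel-types policy map.
RELEVANCE_POLICY = {
    "business-relevant": ("rel-relevant", "ef"),
    "business-irrelevant": ("rel-irrelevant", "af11"),
    "default": ("rel-default", "default"),
}


def parse_protocol_attributes(text):
    """Return {protocol: {attribute: value}} from one or more attribute blocks."""
    protocols, current = {}, None
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Protocol Name":
            current = value
            protocols[current] = {}
        elif current is not None:
            protocols[current][key] = value
    return protocols


def classify(protocols):
    """Map each protocol to (class-map, dscp) under attrib--rel-types. A relevance value
    the policy does not match falls through to class-default with no marking."""
    return {
        name: RELEVANCE_POLICY.get(attrs.get("business-relevance"), ("class-default", None))
        for name, attrs in protocols.items()
    }


def with_attribute(protocols, key, value):
    """Protocols whose attribute `key` equals `value`, e.g. all encrypted default-relevance apps."""
    return sorted(n for n, a in protocols.items() if a.get(key) == value)


if __name__ == "__main__":
    attrs = parse_protocol_attributes(SAMPLE)
    for name, (cmap, dscp) in classify(attrs).items():
        print(f"{name:18} -> class {cmap:14} set dscp {dscp}")
    print("encrypted:", with_attribute(attrs, "encrypted", "encrypted-yes"))
```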
            

Show commands to monitor flow monitor configuration

Use the show flow monitor wdavc command to display information about the specified wired AVC flow monitor.

Switch# show flow monitor wdavc
Flow Monitor wdavc:
  Description:       User defined
  Flow Record:       wdavc
  Flow Exporter:     wdavc-exp (inactive)
  Cache:
    Type:                 normal (Platform cache)
    Status:               not allocated
    Size:                 12000 entries
    Inactive Timeout:     15 secs
    Active Timeout:       1800 secs

Use the show flow monitor wdavc statistics command to monitor for wired AVC flow monitor statistics.

Switch# show flow monitor wdavc statistics
Cache type:                               Normal (Platform cache)
  Cache size:                                12000
  Current entries:                              13
  Flows added:                                  26
  Flows aged:                                   13
    - Active timeout      (  1800 secs)          1
    - Inactive timeout    (    15 secs)         12

Use the clear flow monitor wdavc statistics command to clear the statistics of the specified flow monitor.

Use the show flow monitor wdavc statistics command after the clear flow monitor wdavc statistics command to verify that all the statistics have been reset. The following is sample output of the show flow monitor wdavc statistics command after the statistics have been cleared.

Switch# show flow monitor wdavc statistics
Cache type: Normal (Platform cache) 
  Cache size: 12000 
  Current entries: 0 
  Flows added: 0 
  Flows aged: 0

Show commands to monitor cache information

Use the show flow monitor wdavc cache format table command to display flow cache contents in a tabular format.

Switch# show flow monitor wdavc cache format table
Cache type:                               Normal (Platform cache)
  Cache size:                                12000
  Current entries:                              13
  Flows added:                                  26
  Flows aged:                                   13
    - Active timeout      (  1800 secs)          1
    - Inactive timeout    (    15 secs)         12
CONN IPV4 INITIATOR ADDR  CONN IPV4 RESPONDER ADDR  CONN RESPONDER PORT  FLOW OBSPOINT ID  IP VERSION  IP PROT  APP NAME                     flow dirn ...................
------------------------  ------------------------  -------------------  ----------------  ----------  -------  ---------------------------  --------- 
64.103.125.147            144.254.71.184                             53        4294967305           4       17  port dns                     Input     ....................
64.103.121.103            10.1.1.2                                   67        4294967305           4       17  layer7 dhcp                  Input     ....contd...........
64.103.125.3              64.103.125.97                              68        4294967305           4       17  layer7 dhcp                  Input     ....................
10.0.2.6                  157.55.40.149                             443        4294967305           4        6  layer7 ms-lync               Input     ....................
64.103.126.28             66.163.36.139                             443        4294967305           4        6  layer7 cisco-jabber-im       Input     ....contd...........
64.103.125.2              64.103.125.29                              68        4294967305           4       17  layer7 dhcp                  Input     ....................
64.103.125.97             64.103.101.181                             67        4294967305           4       17  layer7 dhcp                  Input     ....................
192.168.100.6             10.10.20.1                               5060        4294967305           4       17  layer7 cisco-jabber-control  Input     ....contd...........
64.103.125.3              64.103.125.29                              68        4294967305           4       17  layer7 dhcp                  Input     ....................
10.80.101.18              10.80.101.6                              5060        4294967305           4        6  layer7 cisco-collab-control  Input     ....................
10.1.11.4                 66.102.11.99                               80        4294967305           4        6  layer7 google-services       Input     ....contd...........
64.103.125.2              64.103.125.97                              68        4294967305           4       17  layer7 dhcp                  Input     ....................
64.103.125.29             64.103.101.181                             67        4294967305           4       17  layer7 dhcp                  Input     ....................

Use the show flow monitor wdavc cache format record command to display flow cache contents in a format similar to the flow record.

Switch# show flow monitor wdavc cache format record
Cache type:                               Normal (Platform cache)
  Cache size:                                12000
  Current entries:                              13
  Flows added:                                  26
  Flows aged:                                   13
    - Active timeout      (  1800 secs)          1
    - Inactive timeout    (    15 secs)         12
CONNECTION IPV4 INITIATOR ADDRESS:        64.103.125.147
CONNECTION IPV4 RESPONDER ADDRESS:        144.254.71.184
CONNECTION RESPONDER PORT:                53
FLOW OBSPOINT ID:                         4294967305
IP VERSION:                               4
IP PROTOCOL:                              17
APPLICATION NAME:                         port dns
flow direction:                           Input
timestamp abs first:                      08:55:46.917
timestamp abs last:                       08:55:46.917
connection initiator:                     Initiator
connection count new:                     2
connection server packets counter:        1
connection client packets counter:        1
connection server network bytes counter:  190
connection client network bytes counter:  106
CONNECTION IPV4 INITIATOR ADDRESS:        64.103.121.103
CONNECTION IPV4 RESPONDER ADDRESS:        10.1.1.2
CONNECTION RESPONDER PORT:                67
FLOW OBSPOINT ID:                         4294967305
IP VERSION:                               4
IP PROTOCOL:                              17
APPLICATION NAME:                         layer7 dhcp
flow direction:                           Input
timestamp abs first:                      08:55:47.917
timestamp abs last:                       08:55:47.917
connection initiator:                     Initiator
connection count new:                     1
connection server packets counter:        0
connection client packets counter:        1
connection server network bytes counter:  0
connection client network bytes counter:  350
CONNECTION IPV4 INITIATOR ADDRESS:        64.103.125.3
CONNECTION IPV4 RESPONDER ADDRESS:        64.103.125.97
CONNECTION RESPONDER PORT:                68
FLOW OBSPOINT ID:                         4294967305
IP VERSION:                               4
IP PROTOCOL:                              17
APPLICATION NAME:                         layer7 dhcp
flow direction:                           Input
timestamp abs first:                      08:55:47.917
timestamp abs last:                       08:55:53.917
connection initiator:                     Initiator
connection count new:                     1
connection server packets counter:        0
connection client packets counter:        4
connection server network bytes counter:  0
connection client network bytes counter:  1412
CONNECTION IPV4 INITIATOR ADDRESS:        10.0.2.6
CONNECTION IPV4 RESPONDER ADDRESS:        157.55.40.149
CONNECTION RESPONDER PORT:                443
FLOW OBSPOINT ID:                         4294967305
IP VERSION:                               4
IP PROTOCOL:                              6
APPLICATION NAME:                         layer7 ms-lync
flow direction:                           Input
timestamp abs first:                      08:55:46.917
timestamp abs last:                       08:55:46.917
connection initiator:                     Initiator
connection count new:                     2
connection server packets counter:        10
connection client packets counter:        14
connection server network bytes counter:  6490
connection client network bytes counter:  1639
CONNECTION IPV4 INITIATOR ADDRESS:        64.103.126.28
CONNECTION IPV4 RESPONDER ADDRESS:        66.163.36.139
CONNECTION RESPONDER PORT:                443
FLOW OBSPOINT ID:                         4294967305
IP VERSION:                               4
IP PROTOCOL:                              6
APPLICATION NAME:                         layer7 cisco-jabber-im
flow direction:                           Input
timestamp abs first:                      08:55:46.917
timestamp abs last:                       08:55:46.917
connection initiator:                     Initiator
connection count new:                     2
connection server packets counter:        12
connection client packets counter:        10
connection server network bytes counter:  5871
connection client network bytes counter:  2088
CONNECTION IPV4 INITIATOR ADDRESS:        64.103.125.2
CONNECTION IPV4 RESPONDER ADDRESS:        64.103.125.29
CONNECTION RESPONDER PORT:                68
FLOW OBSPOINT ID:                         4294967305
IP VERSION:                               4
IP PROTOCOL:                              17
APPLICATION NAME:                         layer7 dhcp
flow direction:                           Input
timestamp abs first:                      08:55:47.917
timestamp abs last:                       08:55:47.917
connection initiator:                     Initiator
connection count new:                     1
connection server packets counter:        0
connection client packets counter:        2
connection server network bytes counter:  0
connection client network bytes counter:  712
CONNECTION IPV4 INITIATOR ADDRESS:        64.103.125.97
CONNECTION IPV4 RESPONDER ADDRESS:        64.103.101.181
CONNECTION RESPONDER PORT:                67
FLOW OBSPOINT ID:                         4294967305
IP VERSION:                               4
IP PROTOCOL:                              17
APPLICATION NAME:                         layer7 dhcp
flow direction:                           Input
timestamp abs first:                      08:55:47.917
timestamp abs last:                       08:55:47.917
connection initiator:                     Initiator
connection count new:                     1
connection server packets counter:        0
connection client packets counter:        1
connection server network bytes counter:  0
connection client network bytes counter:  350
CONNECTION IPV4 INITIATOR ADDRESS:        192.168.100.6
CONNECTION IPV4 RESPONDER ADDRESS:        10.10.20.1
CONNECTION RESPONDER PORT:                5060
FLOW OBSPOINT ID:                         4294967305
IP VERSION:                               4
IP PROTOCOL:                              17
APPLICATION NAME:                         layer7 cisco-jabber-control
flow direction:                           Input
timestamp abs first:                      08:55:46.917
timestamp abs last:                       08:55:46.917
connection initiator:                     Initiator
connection count new:                     1
connection server packets counter:        0
connection client packets counter:        2
connection server network bytes counter:  0
connection client network bytes counter:  2046
CONNECTION IPV4 INITIATOR ADDRESS:        64.103.125.3
CONNECTION IPV4 RESPONDER ADDRESS:        64.103.125.29
CONNECTION RESPONDER PORT:                68
FLOW OBSPOINT ID:                         4294967305
IP VERSION:                               4
IP PROTOCOL:                              17
APPLICATION NAME:                         layer7 dhcp
flow direction:                           Input
timestamp abs first:                      08:55:47.917
timestamp abs last:                       08:55:47.917
connection initiator:                     Initiator
connection count new:                     1
connection server packets counter:        0
connection client packets counter:        2
connection server network bytes counter:  0
connection client network bytes counter:  712
CONNECTION IPV4 INITIATOR ADDRESS:        10.80.101.18
CONNECTION IPV4 RESPONDER ADDRESS:        10.80.101.6
CONNECTION RESPONDER PORT:                5060
FLOW OBSPOINT ID:                         4294967305
IP VERSION:                               4
IP PROTOCOL:                              6
APPLICATION NAME:                         layer7 cisco-collab-control
flow direction:                           Input
timestamp abs first:                      08:55:46.917
timestamp abs last:                       08:55:47.917
connection initiator:                     Initiator
connection count new:                     2
connection server packets counter:        23
connection client packets counter:        27
connection server network bytes counter:  12752
connection client network bytes counter:  8773
CONNECTION IPV4 INITIATOR ADDRESS:        10.1.11.4
CONNECTION IPV4 RESPONDER ADDRESS:        66.102.11.99
CONNECTION RESPONDER PORT:                80
FLOW OBSPOINT ID:                         4294967305
IP VERSION:                               4
IP PROTOCOL:                              6
APPLICATION NAME:                         layer7 google-services
flow direction:                           Input
timestamp abs first:                      08:55:46.917
timestamp abs last:                       08:55:46.917
connection initiator:                     Initiator
connection count new:                     2
connection server packets counter:        3
connection client packets counter:        5
connection server network bytes counter:  1733
connection client network bytes counter:  663
CONNECTION IPV4 INITIATOR ADDRESS:        64.103.125.2
CONNECTION IPV4 RESPONDER ADDRESS:        64.103.125.97
CONNECTION RESPONDER PORT:                68
FLOW OBSPOINT ID:                         4294967305
IP VERSION:                               4
IP PROTOCOL:                              17
APPLICATION NAME:                         layer7 dhcp
flow direction:                           Input
timestamp abs first:                      08:55:47.917
timestamp abs last:                       08:55:53.917
connection initiator:                     Initiator
connection count new:                     1
connection server packets counter:        0
connection client packets counter:        4
connection server network bytes counter:  0
connection client network bytes counter:  1412
CONNECTION IPV4 INITIATOR ADDRESS:        64.103.125.29
CONNECTION IPV4 RESPONDER ADDRESS:        64.103.101.181
CONNECTION RESPONDER PORT:                67
FLOW OBSPOINT ID:                         4294967305
IP VERSION:                               4
IP PROTOCOL:                              17
APPLICATION NAME:                         layer7 dhcp
flow direction:                           Input
timestamp abs first:                      08:55:47.917
timestamp abs last:                       08:55:47.917
connection initiator:                     Initiator
connection count new:                     1
connection server packets counter:        0
connection client packets counter:        1
connection server network bytes counter:  0
connection client network bytes counter:  350
            

Use the show flow monitor wdavc cache format csv command to display flow cache contents in CSV format.

Switch# show flow monitor wdavc cache format csv
Cache type:                               Normal (Platform cache)
  Cache size:                                12000
  Current entries:                              13
  Flows added:                                  26
  Flows aged:                                   13
    - Active timeout      (  1800 secs)          1
    - Inactive timeout    (    15 secs)         12
CONN IPV4 INITIATOR ADDR,CONN IPV4 RESPONDER ADDR,CONN RESPONDER PORT,FLOW OBSPOINT ID,IP VERSION,IP PROT,APP NAME,flow dirn,time abs first,time abs last,conn initiator,conn count new,conn server packets cnt,conn client packets cnt,conn server network bytes cnt,conn client network bytes cnt
64.103.125.147,144.254.71.184,53,4294967305,4,17,port dns,Input,08:55:46.917,08:55:46.917,Initiator,2,1,1,190,106
64.103.121.103,10.1.1.2,67,4294967305,4,17,layer7 dhcp,Input,08:55:47.917,08:55:47.917,Initiator,1,0,1,0,350
64.103.125.3,64.103.125.97,68,4294967305,4,17,layer7 dhcp,Input,08:55:47.917,08:55:53.917,Initiator,1,0,4,0,1412
10.0.2.6,157.55.40.149,443,4294967305,4,6,layer7 ms-lync,Input,08:55:46.917,08:55:46.917,Initiator,2,10,14,6490,1639
64.103.126.28,66.163.36.139,443,4294967305,4,6,layer7 cisco-jabber-im,Input,08:55:46.917,08:55:46.917,Initiator,2,12,10,5871,2088
64.103.125.2,64.103.125.29,68,4294967305,4,17,layer7 dhcp,Input,08:55:47.917,08:55:47.917,Initiator,1,0,2,0,712
64.103.125.97,64.103.101.181,67,4294967305,4,17,layer7 dhcp,Input,08:55:47.917,08:55:47.917,Initiator,1,0,1,0,350
192.168.100.6,10.10.20.1,5060,4294967305,4,17,layer7 cisco-jabber-control,Input,08:55:46.917,08:55:46.917,Initiator,1,0,2,0,2046
64.103.125.3,64.103.125.29,68,4294967305,4,17,layer7 dhcp,Input,08:55:47.917,08:55:47.917,Initiator,1,0,2,0,712
10.80.101.18,10.80.101.6,5060,4294967305,4,6,layer7 cisco-collab-control,Input,08:55:46.917,08:55:47.917,Initiator,2,23,27,12752,8773
10.1.11.4,66.102.11.99,80,4294967305,4,6,layer7 google-services,Input,08:55:46.917,08:55:46.917,Initiator,2,3,5,1733,663
64.103.125.2,64.103.125.97,68,4294967305,4,17,layer7 dhcp,Input,08:55:47.917,08:55:53.917,Initiator,1,0,4,0,1412
64.103.125.29,64.103.101.181,67,4294967305,4,17,layer7 dhcp,Input,08:55:47.917,08:55:47.917,Initiator,1,0,1,0,350

AVC troubleshooting: questions and answers

  • Question: My IPv6 traffic is not being classified.

    Answer: Currently only IPv4 traffic is supported.

  • Question: My multicast traffic is not being classified.

    Answer: Currently only unicast traffic is supported.

  • Question: I send a ping, but I don’t see the traffic being classified.

    Answer: Only TCP/UDP protocols are supported.

  • Question: I see that most of my traffic is CAPWAP traffic, why?

    Answer: Make sure that you have enabled NBAR on an access port that is not connected to a wireless access point. All traffic coming from APs is classified as capwap; the actual classification in this case happens either on the AP or on the WLC.

  • Question: In protocol-discovery, I see traffic only on one side. Along with that, there is a lot of unknown traffic.

    Answer: This usually indicates that NBAR sees asymmetric traffic: one side of the traffic is classified on one switch member and the other side on a different member. The recommendation is to attach NBAR only on access ports where both sides of the traffic are seen. If you have multiple uplinks, you can’t attach NBAR on them because of this issue. A similar issue occurs if you configure NBAR on an interface that is part of a port channel.

  • Question: With protocol-discovery, I see an aggregate view of all applications. How can I see the traffic distribution over time?

    Answer: The WebUI gives you a view of traffic over time for the last 48 hours.

  • Question: I can't configure queue-based egress policy with match protocol protocol-name command.

    Answer: Only shape and set DSCP are supported in a policy with NBAR2 based classifiers. Common practice is to set DSCP on ingress and perform shaping on egress based on DSCP.

  • Question: Why can’t I attach NBAR to an SVI?

    Answer: NBAR is only supported on physical interfaces.

  • Question: I don’t have NBAR2 attached to any interface, but I still see that NBAR2 is activated.

    Answer: If you have any class-map with match protocol protocol-name, NBAR will be globally activated on the switch, but no traffic will be subjected to NBAR classification. This is expected behavior and it does not consume any resources.

  • Question: I see some traffic under the default QOS queue. Why?

    Answer: For each new flow, it takes a few packets to classify it and install the result in the hardware. During this time, the classification is 'unknown' and the traffic falls under the default queue.

Feature history for AVC in a wired network

Table 2. Feature History Table

Release: Cisco IOS XE Cupertino 17.7.x

Feature: Application Visibility and Control in a Wired Network

Feature Information: AVC is a critical part of Cisco’s efforts to evolve its Branch and Campus solutions from being strictly packet and connection based to being application-aware and application-intelligent.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.