Software-Defined Application Visibility and Control

Software-defined application visibility and control

A software-defined application visibility and control system is a network-level application visibility and control (AVC) controller that

  • aggregates application data from multiple devices and sources,

  • provides composite analytics and telemetry on enterprise network traffic, and

  • enables centralized deployment and management of protocol pack updates.

SD-AVC recognizes most enterprise network traffic and provides analytics, visibility, and telemetry into application recognition on the network. SD-AVC profiles all endpoints connected to access nodes, including wireless bridged virtual machines, to perform anomaly detection operations such as Network Address Translation (NAT). SD-AVC alerts you when the same MAC address is used at the same time on different networks.

You can enable the Software-Defined Application Visibility and Control feature on a per-WLAN basis. You can enable or disable Software-Defined Application Visibility and Control functionalities independently.


Note


Restart the Capwapd process or reload the AP to resume SD-AVC operation after the SD-AVC process (stilepd) crashes.


Feature history

This table provides release and related information about the feature explained in this section.

This feature is also available in all releases subsequent to the one in which it is introduced, unless noted otherwise.

Table 1. Feature history for Software-defined application visibility and control

Feature Name: Software-defined application visibility and control (SD-AVC) wireless support with IPv6

Release Information: Cisco IOS XE 17.18.1

Feature Description: From Cisco IOS XE 17.18.1 onwards, this feature extends support to adding an IPv6 SD-AVC controller or endpoint address.

These platforms are supported:

  • Cisco Catalyst 9800 controllers: 9800-40, 9800-80, 9800-L, 9800-CL, 9800-SW, CW9800M, CW9800H1, and CW9800H2.

  • Cisco Catalyst 9300/9400 switches in Fabric mode.

  • Cisco Wave 2, Wi-Fi 6/6E, and Wi-Fi 7 APs.

SD-AVC IPv6 is not supported on Cisco Wireless AireOS Controllers, Cisco Embedded Wireless Controller on Catalyst APs, and Cisco Wave 1 APs.

Feature Name: Software-defined application visibility and control (SD-AVC) wireless support with IPv4

Release Information: Cisco IOS XE 17.17.1

Feature Description: From Cisco IOS XE 17.17.1 onwards, this feature extends the support for adding the AP and controller payload code for only IPv4 SD-AVC addresses.

Feature Name: Software-defined application visibility and control

Release Information: Cisco IOS XE 17.7.1

Feature Description: Software-Defined AVC aggregates application data from multiple sources and provides composite application information.

These commands are introduced:

  • address and avc sd-service

  • controller and destination-ports

  • dscp

  • segment

  • source-interface

  • transport and application-updates

  • vrf and showsdavc ap download status

  • showsdavc status ap

Enable software-defined application visibility and control on a WLAN (CLI)

Allow the system to recognize and manage applications on a WLAN by enabling software-defined application visibility and control using commands.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure WLAN policy profile and enter the wireless policy configuration mode.

Example:

Device(config)# wireless profile policy test-policy-profile

Step 3

Disable central switching and enable local switching.

Example:

Device(config-wireless-policy)# no central switching 

Step 4

Enable application recognition on the wireless policy profile by activating the NBAR2 engine.

Example:

Device(config-wireless-policy)# ip nbar protocol-discovery

Step 5

Exit wireless policy configuration mode and return to the privileged EXEC mode.

Example:

Device(config-wireless-policy)# end

Configure software-defined application visibility and control global parameters (CLI)

Enable SD-AVC globally and configure connectivity parameters for SD-AVC controllers using commands.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Enable SD-AVC and enter the software-definition service configuration mode.

Example:

Device(config)# avc sd-service

Step 3

Configure a segment name identifying a group of devices sharing the same application services.

Example:

Device(config-sd-service)# segment AppRecognition

Step 4

Enter SD service controller configuration mode to configure connectivity parameters.

Example:

Device(config-sd-service)# controller

Step 5

Configure the controller IP address. Only IPv4 addresses are supported.

Example:

Device(config-sd-service-controller)# address 209.165.201.0

Step 6

Configure the destination port for communicating with the controller.

Example:

Device(config-sd-service-controller)# destination-ports sensor-exporter 21730

Step 7

Enable DSCP marking and configure source interface for communicating with the controller.

Example:

Device(config-sd-service-controller)# dscp 16
Device(config-sd-service-controller)# source-interface GigabitEthernet21

Step 8

Configure transport protocols for communicating with the controller and associate the VRF with the source interface.

Example:

Device(config-sd-service-controller)# transport application-updates https url-prefix cisco
Device(config-sd-service-controller)# vrf doc-test

Step 9

Exit the SD service controller configuration mode and enter the privileged EXEC mode.

Example:

Device(config-sd-service-controller)# end
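
A saved configuration can be checked against both procedures above with a short audit script. This is an added example, not Cisco code: it assumes sub-mode commands appear indented under their parent line in the configuration text, and guest-policy-profile is a hypothetical profile included to show a finding.

```python
import ipaddress
import re

# Constructed sample built from the commands in the two procedures above.
# Assumptions: sub-mode commands appear indented under their parent line;
# guest-policy-profile is a hypothetical profile that skipped Step 3.
SAMPLE_CONFIG = """\
wireless profile policy test-policy-profile
 no central switching
 ip nbar protocol-discovery
wireless profile policy guest-policy-profile
 ip nbar protocol-discovery
avc sd-service
 segment AppRecognition
 controller
  address 209.165.201.0
  source-interface GigabitEthernet21
  transport application-updates https url-prefix cisco
"""

def blocks(config):
    """Map each top-level line to the stripped lines indented beneath it."""
    out, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line[0].isspace():
            current = out.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return out

def audit(config):
    """Return findings where the config departs from the documented steps."""
    cfg, findings = blocks(config), []
    for head, body in cfg.items():
        m = re.fullmatch(r"wireless profile policy (\S+)", head)
        if m and "ip nbar protocol-discovery" in body and "no central switching" not in body:
            findings.append(f"{m.group(1)}: NBAR2 on without 'no central switching'")
    sd = {ln.split()[0]: ln.split()[1:] for ln in cfg.get("avc sd-service", [])}
    for cmd in ("segment", "controller", "address", "source-interface", "transport"):
        if cmd not in sd:
            findings.append(f"avc sd-service: '{cmd}' missing")
    if "address" in sd:
        try:
            ipaddress.ip_address(" ".join(sd["address"]))
        except ValueError:
            findings.append("avc sd-service: controller address is not a valid IP")
    if "transport" in sd and "https" not in sd["transport"]:
        findings.append("avc sd-service: application-updates transport is not https")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports only the hypothetical guest profile, which enables NBAR2 without the local-switching step.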