Software-Defined Application Visibility and Control


Software-Defined Application Visibility and Control (SD-AVC) is a network-level AVC controller that aggregates application data from multiple devices and sources and provides composite application information.

SD-AVC collects application data from across the network and deploys protocol pack updates in a centralized manner. SD-AVC recognizes most enterprise network traffic and provides analytics, visibility, and telemetry for application recognition across the network. SD-AVC profiles all the endpoints (including wireless bridged virtual machines) connected to the access nodes to perform anomaly detection operations, such as Network Address Translation (NAT). SD-AVC can discover and alert when the same MAC address is used simultaneously on different networks.

You can enable the Software-Defined Application Visibility and Control feature on a per-WLAN basis. Also, you can turn on and turn off the Software-Defined Application Visibility and Control functionalities independently.


Note


If the SD-AVC process (stilepd) crashes, a Capwapd process restart or an AP reload is required to resume the SD-AVC operation.


Until Cisco IOS XE 17.17.1, the AP and controller payload code supported only IPv4 SD-AVC addresses. Starting with Cisco IOS XE 17.18.1, this feature extends the payload to support IPv6 SD-AVC controllers.

Supported platforms for SD-AVC IPv6

Cisco IOS XE 17.18.1 supports SD-AVC IPv6 on the following platforms:

  • Cisco Catalyst 9800 controllers–9800-40, 9800-80, 9800-L, 9800-CL, and 9800-SW

  • Cisco Catalyst 9300/9400 switches in Fabric mode

  • Cisco Wave 2 and 11AX APs.


Note


SD-AVC IPv6 is not supported on Cisco Wireless AireOS Controllers, Cisco Embedded Wireless Controller on Catalyst APs, and Cisco Wave 1 APs.


Enabling Software-Defined Application Visibility and Control on a WLAN (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile policy policy-name

Example:

Device(config)# wireless profile policy test-policy-profile 

Configures WLAN policy profile and enters wireless policy configuration mode.

Step 3

no central switching

Example:

Device(config-wireless-policy)# no central switching 

Disables central switching and enables local switching.

Step 4

ip nbar protocol-discovery

Example:

Device(config-wireless-policy)# ip nbar protocol-discovery

Enables application recognition on the wireless policy profile by activating the NBAR2 engine.

Step 5

end

Example:

Device(config-wireless-policy)# end

Exits wireless policy configuration mode and returns to privileged EXEC mode.

Configuring Software-Defined Application Visibility and Control Global Parameters (CLI)


Note


Starting with Cisco IOS XE 17.18.1, this feature extends the payload to support IPv6 SD-AVC controllers.


Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

avc sd-service

Example:

Device(config)# avc sd-service

Enables SD-AVC and enters software-definition service configuration mode.

Step 3

segment segment-name

Example:

Device(config-sd-service)# segment AppRecognition

Configures a segment name identifying a group of devices sharing the same application services.

Step 4

controller

Example:

Device(config-sd-service)# controller

Enters SD service controller configuration mode to configure connectivity parameters.

Step 5

address ip-address

Example:

Device(config-sd-service-controller)# address 209.165.201.0

Configures controller IP address. Supports only IPv4 address.

Step 6

destination-ports sensor-exporter value

Example:

Device(config-sd-service-controller)# destination-ports sensor-exporter 21730

Configures the destination port for communicating with the controller.

Step 7

dscp dscp-value

Example:

Device(config-sd-service-controller)# dscp 16

Enables DSCP marking.

Step 8

source-interface interface interface-number

Example:

Device(config-sd-service-controller)# source-interface GigabitEthernet21

Configures source interface for communicating with the controller.

Step 9

transport application-updates https url-prefix url-prefix-name

Example:

Device(config-sd-service-controller)# transport application-updates https url-prefix cisco 

Configures transport protocols for communicating with the controller.

Step 10

vrf vrf-name

Example:

Device(config-sd-service-controller)# vrf doc-test

Associates the VRF with the source interface.

Step 11

end

Example:

Device(config-sd-service-controller)# end

Exits the SD service controller configuration mode and enters privileged EXEC mode.

List of package files

To view the list of package files that are sent from SD-AVC to the controller, use the following command:

Device# dir bootflash:sdavc
Directory of bootflash:/sdavc/

251671  -rw-             6728  Jun 26 2025 03:26:54 +00:00  sdavc_config.json
251674  -rw-              338  Jun 26 2025 03:21:55 +00:00  import_file_meta.json
251670  -rw-            10913  Jun 26 2025 03:20:52 +00:00  PPDK_C9400_HA_00a38d1dddb4fa0bc4b51f91f97744.pack
251669  -rw-             6487  Jun 26 2025 03:20:21 +00:00  pp_update_pp_minor_taxonomy_b72edc9e6ed2e42.json
251672  -rw-              912  Jun 26 2025 03:20:21 +00:00  pp_update_C9400_HA_a_v2_b30473cb9912.pack
348817  drwx             4096  Jun 26 2025 03:16:27 +00:00  container_application

11250098176 bytes total (3345641472 bytes free)

Verify SD-AVC controller connection status

To display the SD-AVC connection status and information summary in the controller, run the show avc sd-service info summary command.

Device# show avc sd-service info summary
Status: CONNECTED

Device ID: SDA_BOX
Device segment name: C9400_HA 
Device address: 9.2.39.2
Device OS version: 17.18.01prd15
Device type: C9407R

Active controller:
   Type    : Primary
   Address : 9.2.39.36
   Status  : Connected
   Version : 4.4.0
   Last connection: 06:21:35.000 UTC Thu Jun 19 2025

Active SDAVC import files:
    Protocol pack:           Not loaded
    Secondary protocol pack: PPDK_C9400_HA_00a38d1dddb4fa0bc4b51f91f97744.pack
    Rules pack:              pp_update_C9400_HA_a_v2_b32d0890d8a3.pack

Verify SD-AVC details in AP

Verify SD-AVC package files in flash

To verify the protocol files received from the controller, run the show flash sdavc-pkg command in the AP.

Cisco-AP# show flash sdavc-pkg
Files under /usr/bin/sdavc/
total 36K
drwxr-xr-x    2 Cisco    root            40 Jun 19 06:10 container_application
-rw-r--r--    1 Cisco    root          6487 Jun 19 06:11 pp_update_pp_minor_taxonomy_b72edc9e6ed2e42.json
-rw-r--r--    1 Cisco    root         10922 Jun 19 06:11 PPDK_C9400_HA_00a38d1dddb4fa0bc4b51f91f97744.pack
-rw-r--r--    1 Cisco    root           959 Jun 19 06:11 pp_update_C9400_HA_a_v2_b32d0890d8a3.pack
-rw-r--r--    1 Cisco    root           314 Jun 19 06:11 import_file_meta.json
-rw-r--r--    1 Cisco    root          6728 Jun 19 06:20 sdavc_config.json
---------------------------------------------------------------------------
Filesystem                Size      Used Available Use% Mounted on
/dev/mmcblk0p32           2.8G     12.7M      2.6G   0% /storage
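The two verification outputs above can be cross-checked automatically. The following Python sketch is an added example, not Cisco tooling: it parses text captured from show avc sd-service info summary and show flash sdavc-pkg and reports when the controller is not connected or when a pack the controller lists as active is absent or empty on the AP. The function names and the way the output is captured are assumptions; the sample text is excerpted from the listings on this page.

```python
import re

# Sample inputs: lines excerpted from the two listings shown on this page.
SUMMARY = """\
Status: CONNECTED
Active controller:
   Status  : Connected
Active SDAVC import files:
    Protocol pack:           Not loaded
    Secondary protocol pack: PPDK_C9400_HA_00a38d1dddb4fa0bc4b51f91f97744.pack
    Rules pack:              pp_update_C9400_HA_a_v2_b32d0890d8a3.pack
"""

AP_FLASH = """\
drwxr-xr-x    2 Cisco    root            40 Jun 19 06:10 container_application
-rw-r--r--    1 Cisco    root         10922 Jun 19 06:11 PPDK_C9400_HA_00a38d1dddb4fa0bc4b51f91f97744.pack
-rw-r--r--    1 Cisco    root           959 Jun 19 06:11 pp_update_C9400_HA_a_v2_b32d0890d8a3.pack
"""

def parse_summary(text):
    """Return (overall status, {pack role: file name, or None if not loaded})."""
    status = re.search(r"^Status:\s*(\S+)", text, re.M)  # top-level line only
    packs, in_files = {}, False
    for line in text.splitlines():
        if line.startswith("Active SDAVC import files"):
            in_files = True
        elif in_files and ":" in line:
            role, _, name = line.partition(":")
            packs[role.strip()] = None if "Not loaded" in name else name.strip()
    return (status.group(1) if status else "UNKNOWN"), packs

def parse_flash(text):
    """Return {file name: size in bytes} for regular files in the AP listing."""
    files = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 9 and cols[0].startswith("-"):  # skip dirs and headers
            files[cols[8]] = int(cols[4])
    return files

def audit(summary, flash):
    """List problems: not connected, or an active pack missing/empty on the AP."""
    status, packs = parse_summary(summary)
    on_ap = parse_flash(flash)
    issues = [] if status == "CONNECTED" else [f"controller status is {status}"]
    for role, name in packs.items():
        if name and on_ap.get(name, 0) == 0:
            issues.append(f"{role} {name} missing or empty on AP")
    return issues
```

An empty list from audit() means the AP holds every pack the controller reports as active; file sizes are not compared because the listings on this page show different sizes for the same pack on the controller and on the AP.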

Verify SD-AVC configurations from controller

To verify the SD-AVC configurations sent from the controller, run the show ap fast-path configuration sd-avc command in the AP.

Cisco-AP# show ap fast-path configuration sd-avc
  source IP address     : 0.0.0.0
  source port (WLC)     : 9999
  destination IPV4 address: 9.2.39.36
  destination port (SD-AVC): 50000
  gateway MAC           : 00:0C:29:3C:00:8D
  ewlc SD-AVC MAC       : 00:00:00:05:00:01
  DSCP                  : 0
  Fast Path Admin State : enabled
  AP SD-AVC Status      : enabled

Verify SD-AVC enablement in AP

To verify the SD-AVC enablement in the AP, run the show avc status command.

Cisco-AP# show avc status
VAP FNF-STATUS AVC-QOS-STATUS SD AVC-STATUS APM-STATUS
  0   Disabled       Disabled       Enabled   Disabled
  1   Disabled       Disabled       Enabled   Disabled
  2   Disabled       Disabled       Enabled   Disabled
  3   Disabled       Disabled      Disabled   Disabled
  4   Disabled       Disabled      Disabled   Disabled
  5   Disabled       Disabled      Disabled   Disabled
  6   Disabled       Disabled      Disabled   Disabled
  7   Disabled       Disabled      Disabled   Disabled
  8   Disabled       Disabled      Disabled   Disabled
  9   Disabled       Disabled      Disabled   Disabled
 10   Disabled       Disabled      Disabled   Disabled
 11   Disabled       Disabled      Disabled   Disabled
 12   Disabled       Disabled      Disabled   Disabled
 13   Disabled       Disabled      Disabled   Disabled
 14   Disabled       Disabled      Disabled   Disabled
 15   Disabled       Disabled      Disabled   Disabled