Feedback
Contents
- Configuring Application Visibility and Control
- Finding Feature Information
- Information About Application Visibility and Control
- Restrictions for Application Visibility and Control
- Configuring Application Visibility and Control (CLI)
- Creating a Flow Record
- Creating a Flow Exporter (Optional)
- Creating a Flow Monitor
- Configuring WLAN to Apply Flow Monitor in IPV4 Input/Output Direction
- Configuring Application Visibility and Control (GUI)
- Monitoring Application Visibility and Control (CLI)
- Monitoring Application Visibility and Control (GUI)
- Examples: Application Visibility and Control Configuration
- Additional References for Application Visibility and Control
- Feature History and Information For Application Visibility and Control
Configuring Application Visibility and Control
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Application Visibility and Control
Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques with the Network-Based Application Recognition engine, and provides application-level visibility and control into Wi-Fi networks. After the applications are recognized, the AVC feature enables you to either drop or mark the data traffic.
Using AVC, we can detect more than 1000 applications. AVC enables you to perform real-time analysis and create policies to reduce network congestion, costly network link usage, and infrastructure upgrades.
Configuring Application Visibility and Control (CLI)
Creating a Flow Record
SUMMARY STEPSBy default, wireless avc basic (flow record) is available. When you click Apply from the GUI, then the record is mapped to the flow monitor.
Default flow record cannot be edited or deleted. If you require a new flow record, you need to create one and map it to the flow monitor from CLI.
1. configure terminal
2. flow record flow_record_name
3. description string
4. match ipv4 protocol
5. match ipv4 source address
6. match ipv4 destination address
7. match transport source-port
8. match transport destination-port
9. match flow direction
10. match application name
11. match wireless ssid
12. collect counter bytes long
13. collect counter packets long
14. collect wireless ap mac address
15. collect wireless client mac address
16. end
DETAILED STEPSCreating a Flow Exporter (Optional)
SUMMARY STEPSYou can create a flow export to define the export parameters for a flow. This is an optional procedure for configuring flow parameters.
1. configure terminal
2. flow exporter flow_exporter_name
3. description string
4. destination {hostname | ip-address}
5. transport udp port-value
6. option application-table timeout seconds (optional)
7. option usermac-table timeout seconds (optional)
8. end
9. show flow exporter
10. end
DETAILED STEPSCreating a Flow Monitor
SUMMARY STEPS
1. configure terminal
2. flow monitor monitor-name
3. description description
4. record record-name
5. exporter exporter-name
6. cache timeout {active | inactive} (Optional)
7. end
8. show flow monitor
DETAILED STEPSConfiguring WLAN to Apply Flow Monitor in IPV4 Input/Output Direction
SUMMARY STEPS
1. configure terminal
2. wlan wlan-id
3. ip flow monitor monitor-name {input | output}
4. end
DETAILED STEPS
Command or Action Purpose
Step 1 configure terminal
Example:Switch# configure terminalEnters global configuration mode.
Step 2 wlan wlan-id
Example:Switch (config) # wlan 1Enters WLAN configuration submode. For wlan-id, enter the WLAN ID. The range is 1 to 64.
Step 3 ip flow monitor monitor-name {input | output}
Example:Switch (config-wlan) # ip flow monitor flow-monitor-1 inputAssociates a flow monitor to the WLAN for input or output packets.
Step 4 end
Example:Switch(config)# endReturns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Configuring Application Visibility and Control (GUI)
You can apply the default flow record (wireless avc basic) to the default flow monitor (wireless-avc-basic).
If you are using the flow record and flow monitor you have created, then the record name and monitor name should be same. This is specific only for configuring AVC from GUI and not for the CLI configuration.
You can use the flow monitor you have created either for upstream or downstream, or both, but ensure that you use the same record name while mapping with the flow monitor.
Step 1 Choose . The WLAN page appears.
Step 2 Click on corresponding WLAN ID to open WLAN Edit page and click AVC. The Application Visibility page appears.
- Select the Application Visibility Enabled check box to enable AVC on a WLAN.
- In the Upstream Profile text box, enter the name of the AVC profile.
- In the Downstream Profile text box, enter the name of the AVC profile.
To enable AVC, you need to enter the profile names for the upstream and downstream profiles. The profile names are the flow monitor names. By default, the flow monitor names (wireless-avc-basic) appear in the Upstream Profile and Downstream Profile text boxes. For the default flow monitor, the default flow record (wireless avc basic) will be taken. The default flow record is generated by the system and is available.
You can change the profile names for the upstream and downstream profiles but ensure that the same flow records are available for the flow monitors.
The upstream and downstream profiles can have different profile names but there should be flow records available for the flow monitors.
Step 3 Click Apply to apply AVC on the WLAN. Step 4 Uncheck the Application Visibility Enabled check box on the WLAN page. AVC is disabled on WLAN.
Step 5 Click Apply.
Monitoring Application Visibility and Control (CLI)
This section describes the new commands for application visibility.
The following commands can be used to monitor application visibility on the switch and access points.
Table 1 Monitoring Application Visibility Commands on the switch Command
Purpose
show avc client client-mac top n application [aggregate | upstream | downstream] Displays information about top "N" applications for the given client MAC.
show avc wlan ssid top n application [aggregate | upstream | downstream] Displays information about top "N" applications for the given SSID.
show wlan id wlan-id Displays information whether AVC is enabled or disabled on a particular WLAN.
show flow monitor flow_monitor_name cache Displays information about flow monitors.
Monitoring Application Visibility and Control (GUI)
You can view AVC information on a WLAN in a single shot using a AVC on WLAN pie chart on the Home page of the switch. The pie chart displays the AVC data (Aggregate - Application Cumulative usage %) of the first WLAN. In addition, the top 5 WLANs based on clients are displayed first. Click on any one of the WLANs to view the corresponding pie chart information. If AVC is not enabled on the first WLAN, then the Home page does not display the AVC pie chart.
Step 1 Choose . The WLANs page appears.
Step 2 Click the corresponding WLAN profile. The Application Statistics page appears.
From the Top Applications drop-down list, choose the number of top applications you want to view and click Apply. The valid range is between 5 to 30, in multiples of 5.
Step 3 Choose . The Clients page appears.
Step 4 Click Client MAC Address and then click AVC Statistics tab. The Application Visibility page appears.
Examples: Application Visibility and Control Configuration
This example shows how to create a flow record, create a flow monitor, apply the flow record to the flow monitor, and apply the flow monitor on a WLAN:Switch# configure terminal Switch(config)# flow record fr_v4 Switch(config-flow-record)# match ipv4 protocol Switch(config-flow-record)# match ipv4 source address Switch(config-flow-record)# match ipv4 destination address Switch(config-flow-record)# match transport destination-port Switch(config-flow-record)# match flow direction Switch(config-flow-record)# match application name Switch(config-flow-record)# match wireless ssid Switch(config-flow-record)# collect counter bytes long Switch(config-flow-record)# collect counter packets long Switch(config-flow-record)# collect wireless ap mac address Switch(config-flow-record)# collect wireless client mac address Switch(config)#end Switch# configure terminal Switch# flow monitor fm_v4 Switch(config-flow-monitor)# record fr_v4 Switch(config-flow-monitor)# cache timeout active 1800 Switch(config)#end Switch(config)#wlan wlan1 Switch(config-wlan)#ip flow monitor fm_v4 input Switch(config-wlan)#ip flow mon fm-v4 output Switch(config)#endAdditional References for Application Visibility and Control
Related Documents
Related Topic Document Title System management commands System Management Command Reference Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Flexible NetFlow configuration Flexible NetFlow Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Flexible NetFlow commands Flexible NetFlow Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
MIBs
Technical Assistance
Description Link The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.