Cisco Wireless Application Visibility and Control


Upload: ahmad-yahya

Post on 22-Oct-2015


Application Visibility and Control Deployment Guide

Document ID: 115756

Contents

Introduction
Prerequisites
   Requirements
   Components Used
   Conventions
Application Visibility and Control
AVC Facts
Configure AVC Visibility
Configure AVC Profile
Configure AVC NetFlow Monitor
Related Information

Introduction

This document provides information about the new Application Visibility and Control (AVC) feature developed in the controller software version 7.4.100.0 and PI version 1.3. This document explains the functionality and configuration, and provides deployment scenario examples of the new AVC feature on the controller and PI.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

• Wireless LAN Controller (WLC) software release 7.4
• PI software release 1.3

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Application Visibility and Control

AVC provides application-aware control on a wireless network and enhances manageability and productivity. AVC is already supported on ASR and ISR G2 platforms. Embedding AVC support within the WLAN infrastructure extends this into an end-to-end solution, which gives complete visibility of applications in the network and allows the administrator to take action on them.

AVC has these components:

• Next-generation Deep Packet Inspection (DPI) technology called Network Based Application Recognition (NBAR2), which allows for identification and classification of applications. NBAR is a deep-packet inspection technology available on Cisco IOS® based platforms, which supports stateful L4 - L7 classification. NBAR2 is based on NBAR and has extra requirements such as having a Common Flow Table for all IOS features that use NBAR. NBAR2 recognizes applications and passes this information to other features such as Quality of Service (QoS), NetFlow and Access Control List (ACL), which can take action based on this classification.
• QoS: Ability to remark applications using DiffServ to prioritize and de-prioritize the applications.
• A template for Cisco NetFlow v9 to select and export data of interest Cisco Prime Assurance (Optional) or a third-party NetFlow collector of your choice to collect, analyze and save reports for troubleshooting, capacity planning and compliance purposes.

The key use cases for NBAR AVC are capacity planning, network usage baselining and a better understanding of which applications are consuming bandwidth. Trending of application usage helps the network administrator plan network infrastructure upgrades and improve quality of experience by protecting key applications from bandwidth-hungry applications when there is congestion on the network, with the capability to prioritize, de-prioritize, or drop certain application traffic.

AVC is supported on 2500, 5500, 7500, 8500 and WiSM2 controllers on Local and Flex Modes (for WLANs configured for central switching only in 7.4 release).

AVC Facts

• You can monitor real-time applications on the Controller User Interface. In order to store and view long-term reports you need to export the flow entries to a NetFlow collector.
• AVC on a controller can classify and take action on 1039 different applications.
• Two actions, either DROP or MARK, are possible on any classified application.
• A maximum of 16 AVC profiles can be created on a WLC.
• Each AVC profile can be configured with a maximum of 32 rules.
• Same AVC profile can be mapped to multiple WLANs. However, one WLAN can have only one AVC profile.
• Only 1 NetFlow exporter and monitor can be configured on a WLC.
• AVC stats are displayed only for the top 10 applications on GUI. CLI can be used to see all applications.
• AVC is supported on WLANs configured for central switching only.
• If the AVC profile mapped to WLAN has a rule for MARK action, that application takes precedence as per the QoS profile configured in AVC rule overriding the QoS profile configured on WLAN.
• Any application, which is not supported or recognized by AVC engine on WLC, is captured under the bucket of UNCLASSIFIED traffic.
• IPv6 traffic cannot be classified.
• AAA override of AVC profiles is not supported.
• AVC profile can be configured per WLAN and cannot be applied per user basis.
• AVC is not supported in vWLC and SRE WLC.
• Multicast traffic is not supported by AVC application.

Configure AVC Visibility

Complete these steps:

1. Open a web browser on the wired laptop. Enter your WLC IP Address.

2. Create an OPEN WLAN with naming convention, for example, "POD1-Client", then enable Application Visibility on that WLAN under the QoS tab. Map this WLAN to management interface.

3. In order to enable Application Visibility, click WLAN ID and click the QoS tab. Then, check the enable option for Application Visibility. Click Apply.

4. Once Application Visibility is enabled on the specific WLAN, from the associated wireless client start different types of traffic using the applications (already installed) such as Cisco Jabber/WebEx Connect, Skype, Yahoo Messenger, HTTP, HTTPS/SSL, Microsoft Messenger, YouTube, Ping, Trace route, etc.

   Once traffic is initiated from wireless client, visibility of different traffic can be observed globally for all WLANs, Per Client Basis and Per WLAN Basis. This provides a good overview to the administrator of the network bandwidth utilization and type of traffic in the network per client, per WLAN and globally.

   As mentioned previously, visibility of traffic can be monitored:

   ♦ Globally for all WLANs
   ♦ Individual WLAN
   ♦ Individual Client

5. In order to check the visibility globally for all WLANs on WLC, click Monitor Screen and scroll down.

   Note: The Monitor screen lists the applications classified by AVC engine running on WLC for all the WLANs. The top 10 applications in the last 90 seconds in both Upstream (U) and Downstream (D) directions will be listed on this page.

6. In order to have more granular visibility per WLAN click Monitor > Applications. This page lists all the WLANs where AVC visibility is enabled.

7. Click the individual WLAN ID. The screen that opens lists aggregate data for the top 10 applications running on that particular WLAN.

   Note: This page provides more granular visibility per WLAN and lists the top 10 applications in the last 90 seconds, as well as cumulative stats for the top 10 applications. The previous screen lists the aggregate traffic on a particular WLAN, which includes upstream as well as downstream data. You can view UPSTREAM and DOWNSTREAM stats individually per WLAN from the same page by clicking the Upstream and Downstream tab.

8. In order to have further granular visibility of the top 10 applications per client on a particular WLAN where AVC visibility is enabled, click Monitor > Clients. Then, click any individual client MAC entry listed on that page.

   After clicking on an individual client MAC entry, the client details page opens. This page has two tabs: one for general information and another named AVC Statistics. Click the AVC Statistics tab to see the AVC stats for the top 10 applications for that particular client.

   Note: This page provides further granular stats per client associated on WLAN where AVC visibility is enabled, and lists the top 10 applications in the last 90 seconds as well as cumulative stats for top 10 applications. The previous screen lists the aggregate traffic per client, which includes upstream as well as downstream stats. You can view UPSTREAM and DOWNSTREAM stats individually per client from same page by clicking the Upstream and Downstream tab.

Clearing stats - This is possible through CLI [clear avc stats wlan | client < wlan_id | client_mac | all >]

Configure AVC Profile

The AVC feature on a WLC not only gives a visibility of applications running in the network, but also gives the administrator an option to control the applications running in the network by creating an AVC profile. AVC profiles can be configured to take these actions on the recognized applications:

• Action DROP (Traffic for that application will be dropped)
• Action MARK (Particular applications can be marked with different QoS profiles available on a WLC, or the administrator can custom define the DSCP value for that application)

1. In order to see all the applications supported by NBAR2 engine for stats, visibility and control action (DROP/MARK) click Wireless > Application Visibility And Control > AVC Applications. This page lists all the applications in sorted order with the application group they belong to.

   Note: While creating the Drop/Mark action for any application under AVC profile, an application group needs to be selected. Also, the same can be accomplished by choosing the application from the list of AVC applications. This page lists all the applications with the application group they belong to, and with simple lookup for applications using browser "FIND" option. An administrator can find applications and groups, and use this group in AVC profile to configure the Drop or Mark action. AVC on WLC supports visibility of 1039 different applications.

2. In order to configure any action (drop/mark), the AVC profile must be created first. In order to configure the AVC profile click Wireless > Application Visibility And Control > AVC Profiles, then click New to create the AVC profile.

3. Enter AVC profile name and click Apply. In the example below, the "Block_Youtube" profile name was created.

4. After Apply is clicked, the AVC profile is created and you can see the above-created profile, which can be clicked further to create rules to take drop/mark action. Maximum of 16 AVC profiles can be created on a WLC.

   After creating the AVC profiles, you can click on any profile name and create rules for individual profiles. Maximum of 32 rules can be configured in each profile. Rules can be configured to take either the DROP or MARK action. If no rule is configured for any application the default action is "Allow" with QoS policy configured on a WLAN. In order to create rules under profile click Wireless > Application Visibility And Control > AVC Profiles, then click any of the created profiles.

5. Click Add New Rule. The next page is displayed where the administrator can select the application group from the first drop-down which filters the applications that belong to that group only. Then, from the second drop-down application can be selected. Once the application is chosen, the administrator can select from the third drop-down what action to take on that application. After the action is selected, click Apply.

   Note: The same process is accomplished by clicking on the application in the Application list.

6. Choose the desired action (Drop or Mark) for that application.

   Note: WLC in release 7.4 and later can classify 1026 applications, and provide an option to take any action. In order to take an action on any application, the administrator must select an application group first where that application belongs. This filters the list of applications for that application group only. The reason for this implementation is all 1026 applications cannot be displayed in a single drop-down.

7. After Apply is clicked, the action rule is created and displayed as captured in the next screen. You can add more rules under the AVC profile on the same page. Maximum of 32 rules can be configured in a single AVC profile.

   Another rule can be configured under the same AVC profile to MARK traffic with a different QoS profile or custom DSCP value. In the example below, another AVC profile was created following steps 3, 4 and 5 with the name, "Mark_Http_Webex". In this example this AVC profile is used to create a rule to mark "Http" with low priority and give "Webex" more precedence.

8. As discussed in previous steps, click the AVC profile name to create rules for the profile. Click Add New Rule.

9. Choose Application Group from the first drop-down and Application Name as Webex from the second drop-down. Then, configure Action as Mark and select QoS profile as Platinum. Click Apply.

10. After Apply is clicked, the action rule is created and displayed as captured in below screen. Click Add New Rule on same page to create another rule to MARK another application "Http".

11. In order to create another rule in the same profile click Add New Rule on the same page. Choose Application group from the first drop-down and Application name as http from the second drop-down. Then, configure Action as Mark with QoS profile as Bronze. Click Apply.

    After Apply is clicked, the action rule is created and displayed as captured in below screen. In the example, two rules have been created under the Mark_HTTP_Webex profile.

    Note: For the same AVC profile two rules are created. The administrator can configure up to 32 rules in the same AVC profile. Individual rules can be configured for the MARK or DROP action in the same profile. A single rule can only be configured with a single action, either MARK or DROP.

    When configuring Action as MARK, the administrator can also choose the DSCP value as Custom instead of selecting "Platinum/Gold/Silver/Bronze". Once Custom is chosen as the DSCP value, a text field is visible. This is where the admin can enter a custom DSCP value in range of 0 - 63.

12. Apply these AVC profiles on the WLAN. Only one AVC profile can be mapped to a single WLAN. A single AVC profile can be mapped to multiple WLANs. Once an AVC profile is mapped to a WLAN and if it has a rule for MARK action, that application has precedence as per QoS profile configured in AVC rule overriding the QoS profile configured on the WLAN. All the AVC profiles created are visible under the AVC Profile drop-down in the WLAN under the QoS tab.

13. In order to see the AVC profile in the drop-down on the WLAN click WLANs > WLAN ID, then click the QoS tab.

    All the AVC profiles are visible under the AVC Profile drop-down. The administrator can select the AVC profile on the WLAN as per network requirement.

    For example, select the Block_Youtube AVC profile from the drop-down and click Apply.

    Note: If AVC visibility is not enabled on the WLAN when an AVC profile is selected and Apply is clicked, AVC visibility is automatically enabled. In order to disable AVC visibility from WLAN, the AVC profile which is mapped to the WLAN must be removed first by choosing None from the drop-down.

14. Once AVC profiles are applied on WLAN it is also visible under Monitor > Applications. All the WLANs with AVC Visibility enabled are displayed.

    Now if you try to open www.youtube.com from wireless clients, you will observe that client cannot play any YouTube videos. Also, if applicable, open your Facebook account and try to open any YouTube video. You will observe YouTube videos cannot be played.

    Because YouTube is blocked in the AVC profile and AVC profile has been mapped to WLAN, you cannot access YouTube videos via browser, or even via YouTube application or from any other website.

    Note: If your browser was already open with www.Youtube.com, refresh the browser for the AVC profile to take effect.

15. The next example is changing the AVC profile on the WLAN to test the MARK operation of the AVC feature. From the drop-down under the QoS tab on the WLAN, choose the Mark_Http_Webex AVC profile created in the previous steps. Then, click Apply.

16. After the AVC profiles are applied on the WLAN, it is also visible under Monitor > Applications. All the WLANs with AVC Visibility enabled are displayed.

    After the Mark_Http_Webex AVC profile is applied on the WLAN, initiate or login to your individual WebEx account (if you have one) and initiate some HTTP connections. Observe the marking for these two applications under client details. Once the AVC profile is mapped to a WLAN and has a rule for the MARK action, that application takes precedence as per QoS profile configured in AVC rule overriding the QoS profile configured on the WLAN.

    Although the WLAN in this example is mapped to the default QoS profile (SILVER), the AVC profile has been created and mapped to this WLAN to MARK application WebEx and HTTP with a different QoS profile. Traffic for application WebEx will be marked with PLATINUM profile and traffic for all HTTP application will be marked with BRONZE profile. The rest of the application, which does not match any rule in AVC profile, will be marked with QoS profile configured on WLAN (SILVER in this example).

17. In order to see the marking stats for client traffic click Monitor > Clients, then click any individual client MAC entry listed on that page.

    After clicking on the individual client MAC entry, the client details page opens. This page has two tabs: one for general information and another named AVC Statistics. Click the AVC Statistics tab, then click the UPSTREAM tab to notice the Marking operation of the AVC profile.

    In the above example output the WebEx application is getting OUT DSCP value as 46 because the WebEx application has been configured with Platinum QoS profile. The HTTP application is getting OUT DSCP value as 10 because the HTTP application has been configured with Bronze profile.
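The profile limits and the MARK precedence rule described in this section can be checked against a planned policy before it is entered on the WLC. The following is an added example, not Cisco code: the `Rule`, `validate` and `treatment` names and the WLAN dictionary layout are hypothetical, and the Gold and Silver DSCP values are assumed WLC defaults (only Platinum = 46 and Bronze = 10 appear in this guide).

```python
from dataclasses import dataclass
from typing import Optional

MAX_PROFILES, MAX_RULES = 16, 32          # limits stated in this guide
# DSCP per QoS profile. Platinum and Bronze match the guide's sample output;
# Gold and Silver are assumed WLC defaults, not values taken from the guide.
QOS_DSCP = {"platinum": 46, "gold": 34, "silver": 0, "bronze": 10}


@dataclass(frozen=True)
class Rule:
    app: str
    action: str                      # "drop" or "mark"
    qos: Optional[str] = None        # QoS profile name for MARK
    dscp: Optional[int] = None       # custom DSCP for MARK (0-63)


def rule_dscp(rule):
    """DSCP a MARK rule applies, or None when the rule is not a valid MARK."""
    if rule.action != "mark":
        return None
    if rule.dscp is not None:
        return rule.dscp if 0 <= rule.dscp <= 63 else None
    return QOS_DSCP.get((rule.qos or "").lower())


def validate(profiles, wlans):
    """Return a list of problems; an empty list means the plan fits the limits."""
    problems = []
    if len(profiles) > MAX_PROFILES:
        problems.append(f"{len(profiles)} profiles exceeds {MAX_PROFILES}")
    for name, rules in profiles.items():
        if len(rules) > MAX_RULES:
            problems.append(f"{name}: {len(rules)} rules exceeds {MAX_RULES}")
        for r in rules:
            if r.action not in ("drop", "mark"):
                problems.append(f"{name}/{r.app}: action must be drop or mark")
            elif r.action == "mark" and rule_dscp(r) is None:
                problems.append(f"{name}/{r.app}: mark needs a QoS profile or DSCP 0-63")
    for wlan, cfg in wlans.items():
        prof = cfg.get("avc_profile")
        if prof is not None and prof not in profiles:
            problems.append(f"{wlan}: unknown AVC profile {prof}")
        if prof is not None and not cfg.get("central_switching", True):
            problems.append(f"{wlan}: AVC requires central switching")
    return problems


def treatment(app, wlan, profiles, wlans):
    """(action, dscp) for an app on a WLAN: a matching AVC rule wins, else WLAN QoS."""
    cfg = wlans[wlan]
    for r in profiles.get(cfg.get("avc_profile"), []):
        if r.app.lower() == app.lower():
            return ("drop", None) if r.action == "drop" else ("mark", rule_dscp(r))
    return ("allow", QOS_DSCP[cfg["qos"].lower()])


# The two profiles built in this section, mapped to a constructed WLAN entry.
PROFILES = {
    "Block_Youtube": [Rule("youtube", "drop")],
    "Mark_Http_Webex": [Rule("webex", "mark", qos="Platinum"),
                        Rule("http", "mark", qos="Bronze")],
}
WLANS = {"POD1-Client": {"avc_profile": "Mark_Http_Webex", "qos": "Silver",
                         "central_switching": True}}
```

Because each WLAN entry holds a single `avc_profile` value, the one-profile-per-WLAN restriction is enforced by the data layout itself.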

Configure AVC NetFlow Monitor

A NetFlow monitor is configured on the WLC to collect all the stats generated on a WLC. These can be exported to the NetFlow collector. In this example it is a Cisco Performance Application Manager (PAM), which is a licensed application running on Cisco Prime Infrastructure 1.3 and later.

1. Add NetFlow Exporter first on the WLC by configuring Exporter (NetFlow collector). In this example Cisco PAM is an exporter. It collects all the NetFlow stats generated by the WLC. In order to add an exporter in the WLC, click Wireless > NetFlow > Exporter, then click New.

2. Enter the details of PAM, which will collect all the NetFlow stats generated by the WLC: the Exporter IP (10.10.105.3 in the example below) and the Port Number (9991). Then, click Apply.

   Note: Only one exporter can be added in the WLC.

3. After adding Exporter details on the WLC, a Monitor needs to be created. This will store the NetFlow stats and export the same to the PAM server. In order to create a Monitor, click Wireless > NetFlow > Monitor, then click New.

4. Enter any name to create the Monitor entry. Then, click Apply.

5. Once applied, the Monitor entry is created. It needs to be further mapped to the Exporter created in step 2.

   Note: Only one Monitor entry can be added in the WLC.

6. Click the Monitor entry created and map it to the Exporter entry (Cisco PAM). The Exporter entry that is created above will be listed under the exporter name drop-down. Record name "ipv4_client_app_flow_record" is auto-generated by WLC. This records all the AVC stats and exports to the Cisco PAM. Choose this record entry from the drop-down and click Apply.

7. After the Monitor entry is created and the Exporter entry is mapped to the same, it should map to the WLAN. In order to map the same click WLANs. Then, click the specific WLAN ID. Click the QoS tab and choose the Monitor entry created from NetFlow Monitor drop-down. Then, click Apply on the WLAN Edit page.

   Note: Application Visibility has to be enabled for the NetFlow Monitor to work.

8. Open a new tab on the browser and login to the Cisco Prime Infrastructure Server in order to add individual WLCs to PAM.

   Username: XXXXXX
   Password: XXXXXXX

9. Add the WLC in Cisco PAM. In order to add a WLC to Cisco PAM, login to Cisco PAM and click Operate > Device Work Center. Then, click Add Device.

10. Enter the details of the individual WLC, such as POD WLC Management IP Address (for example, POD4 = 10.10.40.2) and Community String as public. Then, click Add.

11. After the WLC is added, start some traffic from wireless clients. You can view the number of clients per WLAN and usage per client. In order to see the usage by clients click Home > Detail Dashboards > Application. Filter the Application Box as All, Site as Unassigned, and Network Aware as Wireless > PODX-Client. Then, click Go.

    Note: You can see the number of clients on WLAN "POD1-Client" which is filtered under Network Aware. Also, in the same screen, you can see the applications used by both the clients.

12. In order to see the application usage by a particular client, click Home > Detail Dashboards > End User Experience > Under Filter. Then, select the client IP.

13. In order to see application usage per WLAN, click Home > Detail Dashboards > End User Experience > Under Filter. Choose the Network Aware as WLAN (POD1-Client in this example). Then, click Go.
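When the dashboards stay empty after the steps above, it helps to confirm on the collector side that NetFlow v9 templates and data records are actually arriving from the WLC. The following is an added example, not Cisco code: a minimal NetFlow v9 parser run over a constructed datagram. The template in the sample is illustrative and is not the actual field layout of ipv4_client_app_flow_record, and the addresses and counters are made up.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
# NetFlow v9 field types used by the constructed sample below.
FIELDS = {1: "in_bytes", 2: "in_pkts", 8: "ipv4_src", 12: "ipv4_dst", 95: "app_tag"}


def _decode(ftype, raw):
    if ftype in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    if ftype == 95 and raw:           # 1-byte classification engine, then selector
        return f"{raw[0]}:{int.from_bytes(raw[1:], 'big')}"
    return int.from_bytes(raw, "big")


def parse_v9(datagram, templates):
    """Return (records, flowsets_without_template); learns templates in place."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v9 header")
    version, _, _, _, _, source_id = HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records, unknown, off = [], 0, HEADER.size
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
        if fs_len < 4 or off + fs_len > len(datagram):
            raise ValueError("flowset length runs past the datagram")
        body = datagram[off + 4:off + fs_len]
        if fs_id == 0:                                    # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * nfields
                if tid < 256 or end > len(body):
                    break                                 # padding or truncated template
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(nfields)]
                pos = end
        elif fs_id >= 256:                                # data flowset
            tmpl = templates.get((source_id, fs_id))
            size = sum(flen for _, flen in tmpl) if tmpl else 0
            if size == 0:
                unknown += 1                              # data arrived before its template
            else:
                for start in range(0, len(body) - size + 1, size):
                    rec, pos = {}, start
                    for ftype, flen in tmpl:
                        rec[FIELDS.get(ftype, f"field_{ftype}")] = _decode(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        off += fs_len
    return records, unknown


# Constructed datagram (not captured from a WLC): one template, one data record.
_TEMPLATE = [(8, 4), (12, 4), (95, 4), (1, 4), (2, 4)]
SAMPLE = (
    HEADER.pack(9, 2, 360000, 1358500000, 1, 0)
    + struct.pack("!HHHH", 0, 28, 256, len(_TEMPLATE))
    + b"".join(struct.pack("!HH", t, n) for t, n in _TEMPLATE)
    + struct.pack("!HH", 256, 24)
    + socket.inet_aton("10.10.40.51") + socket.inet_aton("192.0.2.10")
    + bytes([13, 0, 0, 82]) + struct.pack("!II", 48213, 61)
)
```

On a test collector, pass every datagram received on the UDP port configured in the exporter (9991 in this guide) to `parse_v9` with the same `templates` dictionary; a steadily rising count of flowsets without a template means data records are arriving but the template has not been seen yet.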

Related Information

• WLAN Controller Information
• Cisco Prime Network Control System Series Appliances
• Cisco Mobility Services Engine
• Cisco Aironet 3500 Series
• Technical Support & Documentation - Cisco Systems


Updated: Jan 18, 2013 Document ID: 115756