Information About Application Visibility and Control
Application Visibility and Control (AVC) is a subset of the Flexible NetFlow (FNF) package that provides traffic information. AVC uses a distributed approach: NBAR runs on the access point (AP) or on the controller, performs deep packet inspection (DPI) on client traffic, and reports the results using FNF messages.
AVC enables you to perform real-time analysis and create policies to reduce network congestion, costly network link usage, and infrastructure upgrades. Traffic flows are analyzed and recognized using the NBAR2 engine. The specific flow is marked with the recognized protocol or application. This per-flow information can be used for application visibility using FNF. After the application visibility is established, a user can define control rules with policing mechanisms for a client.
Using AVC rules, you can limit the bandwidth of a particular application for all the clients joined on the WLAN. These bandwidth contracts coexist with per-client downstream rate limiting that takes precedence over the per-application rate limits.
The FNF feature is supported for wireless and relies on NetFlow being enabled on the controller in all modes: FlexConnect, Local, and Fabric.
In Local mode, NBAR runs on the controller hardware and processes client traffic, which flows through the data plane of the controller over the AP CAPWAP tunnels.
In FlexConnect or Fabric mode, NBAR runs on the AP, and only statistics are sent to the controller. When operating in these two modes, APs regularly send FNFv9 reports back to the controller. The controller's FNF feature consumes those FNFv9 reports to provide the application statistics shown by AVC.
The Fabric mode of operation does not populate the FNF cache; it relays the FNFv9 reports as they arrive. As a result, some flow monitor configuration, for example the cache timeout, is not taken into account.
The behavior of the AVC solution changes based on the wireless deployments. The following sections describe the commonalities and differences in all scenarios:
Local Mode
- NBAR is enabled on the controller.
- AVC does not push the FNF configuration to the APs.
- Roaming events are ignored. However, AVC supports L3 roams in local mode because traffic flows through the anchor controller (where NBAR was initially processing the roaming client's traffic when the client joined).
- IOSd needs to trigger NBAR attach.
- Supports flow monitor cache.
- Supports NetFlow exporter.
Flex Mode
- NBAR is enabled on an AP.
- AVC pushes the FNF configuration to the APs.
- Supports context transfer for roaming in AVC-FNF.
- Supports flow monitor cache.
- Supports NetFlow exporter.
Fabric Mode
- NBAR is enabled on an AP.
- AVC pushes the FNF configuration to the APs.
- Supports context transfer for roaming in AVC-FNF.
- Flow monitor cache is not supported.
- Supports NetFlow exporter (for the C9800 embedded on Catalyst switches for SDA, there is no FNF cache on the box).
Prerequisites for Application Visibility and Control
- The access points should be AVC capable. However, this requirement is not applicable in Local mode.
- For the control part of AVC (QoS) to work, the application visibility feature with FNF has to be configured.
Restrictions for Application Visibility and Control
- IPv6 (including ICMPv6 traffic) packet classification is not supported in FlexConnect mode and Fabric mode. However, it is supported in Local mode.
- Layer 2 roaming is not supported across controllers.
- Multicast traffic is not supported.
- AVC is supported only on the following access points:
  - Cisco Catalyst 9100 Series Access Points
  - Cisco Aironet 1800 Series Access Points
  - Cisco Aironet 2700 Series Access Points
  - Cisco Aironet 2800 Series Access Points
  - Cisco Aironet 3700 Series Access Points
  - Cisco Aironet 3800 Series Access Points
  - Cisco Aironet 4800 Series Access Points
  - Cisco Industrial Wireless 3702 Access Point
- AVC is not supported on Cisco Aironet 702W, 702I (128 M memory), and 1530 Series access points.
- Only the applications that are recognized with App visibility can be used for applying QoS control.
- Data link is not supported for NetFlow fields in AVC.
- You cannot map the same WLAN profile to both the AVC-not-enabled policy profile and the AVC-enabled policy profile.
- AVC is not supported on the management port (Gig 0/0).
- NBAR-based QoS policy configuration is allowed only on wired physical ports. Policy configuration is not supported on virtual interfaces, for example, VLAN, port channel and other logical interfaces.
When AVC is enabled, the AVC profile supports only up to 23 rules, which includes the default DSCP rule. The AVC policy is not pushed down to the AP if there are more than 23 rules.
AVC Configuration Overview
To configure AVC, follow these steps:
- Create a flow monitor using the record wireless avc basic command.
- Create a wireless policy profile.
- Apply the flow monitor to the wireless policy profile.
- Create a wireless policy tag.
- Map the WLAN to the policy profile.
- Attach the policy tag to the APs.
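The six steps above, plus the per-application bandwidth control described earlier in this section, carried through as one Catalyst 9800 configuration. This is an added example and not configuration taken from the guide; the exporter, monitor, profile, tag and class/policy names, the collector address 192.0.2.10, the WLAN profile name CORP-WLAN, the AP Ethernet MAC and the police rate are all assumed placeholders.

```cisco
! Added example (not from the guide). All names, the collector address,
! the WLAN name, the AP MAC and the police rate are assumed placeholders.

! Step 1: flow exporter (to get records off the box) and a flow monitor
! that uses the predefined "wireless avc basic" record.
flow exporter AVC-EXPORTER
 destination 192.0.2.10
 transport udp 2055
 export-protocol ipfix
!
flow monitor AVC-MONITOR
 exporter AVC-EXPORTER
 cache timeout active 60
 record wireless avc basic
!
! Optional control part: classify by NBAR application and police it.
! Only applications recognized by application visibility can be matched,
! and the profile supports at most 23 rules including the default DSCP rule.
class-map match-any AVC-VIDEO
 match protocol youtube
!
policy-map AVC-CONTROL
 class AVC-VIDEO
  police 1000000 conform-action transmit exceed-action drop
!
! Steps 2 and 3: policy profile with the monitor applied in both directions.
! The profile is shut while it is edited and re-enabled afterwards.
wireless profile policy AVC-POLICY-PROFILE
 shutdown
 ipv4 flow monitor AVC-MONITOR input
 ipv4 flow monitor AVC-MONITOR output
 service-policy client input AVC-CONTROL
 no shutdown
!
! Steps 4 and 5: policy tag that maps the WLAN profile to the policy profile.
! The same WLAN must not also be mapped to a policy profile without AVC.
wireless tag policy AVC-POLICY-TAG
 wlan CORP-WLAN policy AVC-POLICY-PROFILE
!
! Step 6: attach the policy tag to an AP (identified by its Ethernet MAC).
ap 0011.2233.4455
 policy-tag AVC-POLICY-TAG
```

After the tag is applied, `show flow monitor AVC-MONITOR cache` shows the classified flows in Local and FlexConnect mode; in Fabric mode the cache is not populated and the `cache timeout` line above has no effect, so rely on the exporter and the collector instead. Because the exporter carries per-client application metadata in clear UDP, point `destination` at a collector reachable only over the management network rather than a client-facing VLAN.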