
Cisco Unified Access CT5760 Controllers and
Catalyst 3850/3650 Switches AVC Deployment
Guide, Cisco IOS XE Software Release 3.6
Last Updated: July, 2014
Introduction
This document introduces the Application Visibility and Control (AVC) feature for the Cisco Converged
Access CT5760 and Cat3850/3650 products in Release 3.6. This guide is designed to help you deploy
and monitor new features introduced in Release 3.6. All sections apply to both the 5760 series controllers
and the 3850/3650 switches.
The document builds on previous releases with the assumption that users are familiar with the Converged
Access products. See the CT5760 Controller Deployment Guide, the Converged Access CT 5760 AVC
Deployment Guide, Cisco IOS XE Release 3.3, and the Cisco Catalyst 3850 Switch Deployment Guide for
released features not covered in this guide.
AVC Compatible Features
Cisco IOS XE Release 3.6 supports the following AVC compatible features:
• IOS 3.6 platforms—5760/3850/3650.
• NBAR2 protocol pack 8.0.
• More than 1000 applications.
• AVC is supported only on the following access points—AP 1600, 2600, 2700, 3600, 3700 and 1532.
AVC is not supported on AP 700.
• Wireless clients only.
• Centralized and Converged Access.
• Flexible NetFlow Version 9 export to PI (PAM) and external collectors (Plixer and ActionPacked).
Cisco Systems, Inc.
www.cisco.com
CT5760 Controller
CT5760 is an innovative UADP ASIC based wireless controller deployed as a centralized controller in
the next generation unified wireless architecture. CT5760 controllers are specifically designed to
function as Unified model central wireless controllers. They also support the newer Mobility
functionality with Converged Access switches in the wireless architecture.
CT5760 controllers are deployed behind a core switch/router. The core switch/router is the only gateway
into the network for the controller. The uplink ports connected to the core switch are configured as
EtherChannel trunk to ensure port redundancy.
This new controller is an extensible, high-performing wireless controller that scales up to 1000
access points and 12000 clients. The controller has six 10-Gbps data ports.
As a component of the Cisco Unified Wireless Network, the 5760 series works in conjunction with Cisco
Aironet access points, the Cisco Prime infrastructure, and the Cisco Mobility Services Engine to support
business-critical wireless data, voice, and video applications.
AVC Overview
Network Based Application Recognition (NBAR2) provides application-aware control on a wireless
network and enhances manageability and productivity. It also extends Cisco's Application Visibility and
Control (AVC) into an end-to-end solution, which gives complete visibility of the applications in the
network and allows the administrator to take action on them.
NBAR2 is a deep-packet inspection technology available on Cisco IOS based platforms, which supports
stateful L4 - L7 classification. NBAR2 is based on NBAR and has extra requirements, such as a
Common Flow Table shared by all IOS features that use NBAR. NBAR2 recognizes applications and passes
this information on to other features such as QoS, NetFlow and Firewall, which can take action based on
this classification.
Cisco Unified Access CT5760 Controllers and Catalyst 3850/3650 Switches AVC Deployment Guide, Cisco IOS XE Software Release 3.6
OL-xxxxx-xx <required for IOS documentation>
Quality of Service (QoS) is an important part of the end-to-end AVC functionality. Proper QoS
support enables prioritization and policy enforcement on NBAR-identified applications. AVC-related
QoS policies can be applied in either direction (upstream or downstream) of the client traffic.
Upstream traffic refers to traffic from Wireless Client -> AP -> Switch -> Controller.
Downstream traffic refers to traffic from Controller -> Switch -> AP -> Wireless Client.
Application control is done on the AP for Upstream QoS and Switch/Controller for Downstream QoS
with NBAR classification done on the AP. Client QoS Policies are supported by NBAR for this feature.
You can configure and monitor Application Visibility and link it to QoS from both the GUI and CLI.
AVC Restrictions
• IPv6 packet classification is not supported.
• Multicast traffic is not supported.
Configuring AVC (GUI)
Complete these steps:
Step 1
From a web browser, open the WLC GUI interface and then from the main menu, go to Configuration
> Wireless > WLAN. If the WLAN already exists and you want to enable AVC on that particular WLAN,
go directly to Step 3.
Step 2
To create a new WLAN on the WLC, go to Configuration > Wireless > WLAN and click New.
Enter a number in the WLAN ID text box and a name in the SSID and Profile Name text boxes.
Map this WLAN to an interface. For example, VLAN 10 as shown below.
From the Security tab, select the appropriate security type according to the network requirement. In
this example, Layer 2 Security is None, i.e. we are using an open SSID for this setup.
Once the WLAN configuration is done, click Apply to create the WLAN.
Step 3
Click the corresponding WLAN ID to open the WLAN Edit page and click AVC.
The Application Visibility page is displayed. Perform the following:
a. To enable AVC on a WLAN, check the Application Visibility Enabled check box.
b. In the Upstream Profile text box, the default AV profile is automatically selected.
c. In the Downstream Profile text box, the default AV profile is automatically selected.
Step 4
Click Apply to apply AVC on the WLAN.
Step 5
Now that Application Visibility is enabled, associate a wireless client to the AVC enabled WLAN and
access different types of traffic using applications such as Webex meeting, Skype, Yahoo Messenger,
HTTP, HTTPS/SSL, Microsoft Messenger, YouTube, Ping, Trace route, and so on. Once traffic is
initiated from the wireless client, visibility of the different traffic types is shown globally for all WLANs,
per client, and per WLAN. This gives the administrator a good overview of network bandwidth
utilization and of the type of traffic in the network per client, per WLAN, and globally.
Monitoring Application Visibility (GUI)
Navigate to the Home page of the controller which displays AVC for WLAN pie chart. The pie chart
displays the AVC data (Aggregate - Application Cumulative usage %). The top WLANs based on WLAN
ID are displayed first.
Note
It will take about 90 seconds for applications to be visible after enabling AVC.
Complete these steps:
Step 1
Choose Monitor > Controller > AVC > WLANs. The WLANs page appears.
Step 2
Click the corresponding WLAN profile. In this example, POD1-Client.
The Application Statistics page appears. From the Top Applications drop-down list, choose the number
of top applications you want to view and click Apply.
The valid range is from 5 to 30, in multiples of 5.
a. On the Aggregate, Upstream, and Downstream tabs, you can view the following information with
respect to the WLAN:
– Application last 90 seconds statistics (Application name, packet count, byte count, average
packet size, and usage (%))
– Application Cumulative Statistics
– Application last 90 seconds Usage (%)
– Application Cumulative Usage (%)
Step 3
You can also monitor AV per Client. Choose Monitor > Clients > Client Details > Clients. The Clients
page appears.
Step 4
Click Client MAC Address and then click AVC Statistics tab. The Application Visibility page appears.
a. On the Aggregate, Upstream, and Downstream tabs, you can view the following information with
respect to the client:
– Application last 90 seconds statistics (Application name, packet count, byte count, average
packet size, and usage (%))
– Application Cumulative Statistics
– Application last 90 seconds Usage (%)
– Application Cumulative Usage (%)
Output by Client MAC Address:
Steps to Apply QoS Policies to Application Visibility Profiles (AVC Phase-2)
1. With IOS XE Release 3.6, the NBAR feature on IOS controllers not only gives visibility of the
applications running in the network but also gives administrators an option to control those
applications by creating QoS policies and applying them to a WLAN. QoS
policies can be configured to take the following actions on the recognized applications:
a. Action DROP—Traffic for that application is dropped.
Note
Only upstream traffic can be dropped.
b. Action MARK and POLICE—Particular applications are marked and policed with the different
QoS profiles available on the WLC, or the administrator can define a custom DSCP value for
that application.
Note
This can be done for upstream and downstream traffic.
2. To configure any action (drop/mark), QoS policies must be created first. To create a QoS Policy, go
to Configuration > Wireless > QoS > QoS Policy > Add New.
3. Creating an Egress (Downstream) QoS Policy:
Here, an Egress Policy that will POLICE (rate limit) the WebEx meeting running on wireless clients
is created. You can use any other application from the protocol list such as Google Talk, YouTube,
Netflix, and so on.
Perform the following:
– From the Policy Type drop-down list, select Client.
Note
Only Client QoS policies are supported for NBAR. SSID/Port QoS policies are not
supported for this feature.
– From the Policy Direction drop-down list, select Egress. Egress refers to Downstream traffic.
Note
You can only police/rate limit traffic with Egress policies. Traffic cannot be dropped in the
upstream direction.
– Policy Name and Description—In this example, we used PoliceWebex as the Policy name. You
can assign any name as desired.
Note
Do not click Apply until the entire QoS policy is created.
4. Check the Enable Application Recognition check box. This displays all the applications supported
by the NBAR2 engine, listed in ascending order (0 to 9 and A to Z).
– In the Trust drop-down list—You can classify applications
using Protocol/Category/Subcategory/Application-group. Select Protocol for a more
granular application selection.
– In Protocol Choice—Select webex-meeting from the Available Protocols list and move it to
the Assigned Protocols list. You can select any application from the Available Protocols list,
such as YouTube, Netflix and so on.
– In the Police (kbps) text box—Configure as 100 (100 Kbps).
Note
A valid range for Policing is between 8 Kbps to 10000000 Kbps (10 Gbps).
Once done, click Add and you should see the following screen:
Now, go to the top right corner of the page and click Apply.
A Policy Successfully Created popup appears and the policy is created as shown below.
Note
A maximum number of 16 rules (from CLI) and 8 rules (from GUI) can be configured in a single
QoS Policy.
5. To apply the QoS Policy (PoliceWebex) to a WLAN, go to Configuration > Wireless > WLAN >
WLANs > WLAN Name > QOS tab. Only one QoS Policy can be mapped to a single WLAN.
However, a QoS Policy can be mapped to multiple WLANs.
In the QoS Client Policy area, select the Egress Policy from the Assign Policy drop-down list,
select the policy you want to use (in this case it is PoliceWebex) and then click OK.
Now click Apply; the policy appears under Existing Policy.
6. Now, go back to the wireless clients and check the video quality of the running WebEx meeting
application. The video quality should be pixelated and fuzzy, because the rate of the
webex-meeting protocol was limited to 100 Kbps.
7. To remove the QoS Policy from the WLAN, go to Configuration > Wireless > WLAN > WLANs
> WLAN Name > QOS tab. In the QoS Client Policy area, select the Egress Policy as None from
the Assign Policy drop-down list and click OK and then Apply.
8. After removing the QoS Policy from the WLAN, go back to the WebEx meeting application and
check the video quality. The video should be back to normal quality.
9. Creating an Ingress QoS Policy:
Here, an Ingress Policy (Upstream) to DROP the WebEx meeting running on the wireless client is
created.
– Go to Configuration > Wireless > QoS > QoS-Policy and click Add New. Perform the
following steps:
– From the Policy Type drop-down list, select Client.
– From the Policy Direction drop-down list, select Ingress. Ingress refers to Upstream traffic.
Note
You can Drop traffic with Ingress Policies. Traffic can only be dropped in the upstream
direction.
– Policy Name and Description—In this example, we used DropWebex as the Policy name. You
can assign any name as desired.
– Do not click Apply until the entire QoS policy is created.
Continue to fill in the rest of the fields to create a QoS Policy as shown in the next section.
10. Check the Enable Application Recognition check box. This displays all the applications supported
by the NBAR2 engine and will list down all the applications in sorted order.
– In the Trust drop-down list—You can classify applications
using—Protocol/Category/Subcategory/Application-group. Protocol is chosen for this
example.
– In Protocol Choice—Select an application from the Available Protocols list and move it under
the Assigned Protocols list. In this example, we used webex-meeting.
– From the Mark drop-down list, select None.
– Leave the Police (Kbps) text box empty.
– Check the Drop check box.
Once done, click Add and you should see the following screen:
Now, go to the top right corner of the page and click Apply.
A Policy Successfully Created popup appears.
11. To apply the QoS policy (DropWebex) to a WLAN, go to Configuration > Wireless > WLAN >
WLANs > WLAN Name > QOS tab.
12. In the QoS Client Policy area, select the Ingress Policy (DropWebex) from the Assign Policy
drop-down list and then click OK.
Now, click Apply, you will see the Policy being applied under Existing Policy:
13. Now, go back to the webex meeting running on your wireless clients and check the video. The video
will be dropped. This is because the webex-meeting protocol was configured as Dropped in the QoS
Policy.
14. Adding MARKING to an existing Policy:
The objective of this is to add MARKING to an existing policy. In this example, we will MARK
cisco-jabber-im with DSCP value of 24.
15. Go to Configuration > Wireless > QoS > QoS-Policy and click the Policy “PoliceWebex”.
16. Once you open the policy (PoliceWebex), go to the Enable Application Recognition section and
perform the following:
– Under Protocol Choice—Select cisco-jabber-im from the Available Protocols list and move
it under the Assigned Protocols list.
– Under Mark—Select DSCP from the drop-down list and assign it a value of 24.
– Under Police—Here we left this field empty. But you can customize and define Policing rates
(0 to 1000000).
– Click Add.
17. You should see the following screen:
Now, go to the top right corner of the page and click Apply. A Policy Successfully Modified popup
appears.
18. The next step is to apply this QoS policy (PoliceWebex) to your WLAN. Go to Configuration >
Wireless > WLAN > WLANs > WLAN Name > QOS tab.
19. In the QoS Client Policy area, select the QoS Policy PoliceWebex from the Assign Policy
drop-down list under the Egress Policy and then click OK.
Once you click Apply, the policy appears under Existing Policy.
20. Now, open Cisco Jabber IM from a wireless client connected to the SSID. To check the QoS stats,
including the DSCP value of client traffic, you need to use the CLI. Telnet/console to the WLC
and run the following command on the Controller CLI:
WLC5760#show policy-map interface wireless client
The following image displays the DSCP value and other QoS information that are assigned to the
jabber-im protocol.
The following table displays the correlation of DSCP class as shown in the command above with the
DSCP decimal value.
In this example, we used the WebEx application. You can also test NBAR/AVC for other applications, such
as Netflix, Facebook and Google Talk, on your own setup.
Note
For CLI configurations of AVC and QoS Policies, refer to Appendix: Configuration Examples
using CLI.
NBAR/AVC Summary
• You can map only one AV Upstream and Downstream profile on a WLAN. But the same AV
Upstream and Downstream profiles can be mapped to multiple WLANs.
• Only 1 NetFlow exporter and monitor can be configured per WLAN.
• AVC statistics are displayed for the top 30 applications on both the GUI and CLI. This is
configurable from 5 to 30, in multiples of 5. The default is set to 10 on the GUI.
• Any application that is not supported/recognized by the NBAR engine on the WLC is captured
under a bucket of UNCLASSIFIED/Unknown traffic.
• There is no limit on the number of AV profiles that can be created on the WLC.
NBAR Feature Limitation
• IPv6 traffic cannot be classified.
• Multicast traffic is not supported.
• The Protocol Pack is not separately upgradeable. It is upgraded as part of a regular release.
Appendix: Configuration Examples using CLI
AVC CLI Configurations
1. Creating a Flow Record:
config t
flow record fr-avc
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
match application name
match wireless ssid
collect counter bytes long
collect counter packets long
collect wireless ap mac address
collect wireless client mac address
end
2. Creating a Flow Exporter:
config t
flow exporter IPv4export-1
! destination is the IP address of your NetFlow collector; the collector must accept NetFlow version 9
destination 10.10.10.10
transport udp 2055
end
3. Creating a Flow Monitor:
config t
flow monitor fm-avc
record fr-avc
exporter IPv4export-1
cache timeout inactive 200
end
4. Applying the Flow Monitor to a WLAN:
config t
wlan avcwpa 3 avcwpa
client vlan 122
! the monitor name must match the flow monitor created in step 3
ip flow monitor fm-avc input
ip flow monitor fm-avc output
no security wpa akm dot1x
security wpa akm psk set-key ascii 0 cisco123
no shutdown
end
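As an added example that is not part of the guide, the following Python builds and decodes a NetFlow Version 9 export shaped like the fr-avc record above, using the standard fields only (the Cisco wireless ssid, AP MAC and client MAC fields are vendor-specific and omitted), and then totals bytes per application and direction the way the AVC upstream/downstream statistics do. The flows and the packet are constructed in the code, and the application IDs are made up.

```python
"""Build and decode a NetFlow v9 export shaped like the fr-avc flow record.
Added example, not Cisco code; flows and packet are constructed, not captured."""
import socket
import struct

# NetFlow v9 field type IDs (RFC 3954 / IANA IPFIX registry) for the standard
# fr-avc fields; Cisco wireless ssid / AP MAC / client MAC fields are omitted.
FIELDS = {1: ("bytes", 8), 2: ("packets", 8), 4: ("protocol", 1),
          7: ("src_port", 2), 8: ("src_addr", 4), 11: ("dst_port", 2),
          12: ("dst_addr", 4), 61: ("direction", 1), 95: ("application_id", 4)}
TEMPLATE_ID = 256                       # data flowset IDs start at 256

# Constructed sample: one client conversation seen in both directions. The
# application_id (8-bit engine 13, selector 285) is made up, not a real NBAR ID.
SAMPLE_FLOWS = [
    dict(bytes=120000, packets=150, protocol=6, src_port=52000, src_addr="10.10.20.5",
         dst_port=443, dst_addr="203.0.113.7", direction=0, application_id=(13 << 24) | 285),
    dict(bytes=950000, packets=800, protocol=6, src_port=443, src_addr="203.0.113.7",
         dst_port=52000, dst_addr="10.10.20.5", direction=1, application_id=(13 << 24) | 285),
]

def build_export(flows, seq=1):
    """Pack a v9 header, a template flowset and one data flowset for `flows`."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    for fid, (_, fl) in FIELDS.items():
        tmpl += struct.pack("!HH", fid, fl)
    tmpl = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl     # flowset ID 0 = template
    data = b"".join(struct.pack("!QQBH4sH4sBI", f["bytes"], f["packets"], f["protocol"],
                                f["src_port"], socket.inet_aton(f["src_addr"]), f["dst_port"],
                                socket.inet_aton(f["dst_addr"]), f["direction"],
                                f["application_id"]) for f in flows)
    pad = (-len(data)) % 4                                  # flowsets are 4-byte aligned
    data = struct.pack("!HH", TEMPLATE_ID, 4 + len(data) + pad) + data + b"\0" * pad
    # header: version, record count, sysUptime (ms), unix seconds, sequence, source ID
    return struct.pack("!HHIIII", 9, 1 + len(flows), 60000, 1404172800, seq, 0) + tmpl + data

def parse_export(pkt):
    """Decode template flowsets, then data records; returns one dict per flow."""
    if struct.unpack("!H", pkt[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, flows, off = {}, [], 20
    while off + 4 <= len(pkt):
        fsid, fslen = struct.unpack("!HH", pkt[off:off + 4])
        if fslen < 4:                                       # malformed length would loop forever
            raise ValueError("bad flowset length")
        body, p = pkt[off + 4:off + fslen], 0
        if fsid == 0:                                       # template flowset
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif fsid in templates:                             # data flowset with a known template
            spec = templates[fsid]
            rec_len = sum(fl for _, fl in spec)
            while p + rec_len <= len(body):                 # leftover bytes < rec_len are padding
                rec = {}
                for fid, fl in spec:
                    raw, p = body[p:p + fl], p + fl
                    name = FIELDS.get(fid, (f"field_{fid}",))[0]
                    rec[name] = socket.inet_ntoa(raw) if fid in (8, 12) else int.from_bytes(raw, "big")
                if "application_id" in rec:                 # NBAR ID = 8-bit engine + 24-bit selector
                    rec["app_engine"], rec["app_selector"] = rec["application_id"] >> 24, rec["application_id"] & 0xFFFFFF
                flows.append(rec)
        off += fslen
    return flows

def top_applications(flows, n=5):
    """Bytes per (app selector, direction), largest first; flowDirection 0 = ingress/upstream, 1 = egress/downstream."""
    totals = {}
    for f in flows:
        key = (f["app_selector"], "upstream" if f["direction"] == 0 else "downstream")
        totals[key] = totals.get(key, 0) + f["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]
```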
5. Show Commands for Flow monitor:
show flow monitor name monitor-name cache
show flow record
show flow-sampler
show flow monitor
Note
For additional information on Netflow Configuration, refer to Cisco Flexible NetFlow
Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches).
6. Creating QoS Policies:
class-map match-any Limit_youtube0_AVC_UI_CLASS
description AVC_UI_CLASS DO_NOT_CHANGE
match protocol youtube
class-map match-any Limit_youtube1_AVC_UI_CLASS
description AVC_UI_CLASS DO_NOT_CHANGE
match protocol webex-media
class-map match-any non-client-nrt-class
class-map match-any Ingress_Drop_youtube0_AVC_UI_CLASS
description AVC_UI_CLASS DO_NOT_CHANGE
match protocol youtube
class-map match-any Ingress_Drop_youtube1_AVC_UI_CLASS
description AVC_UI_CLASS DO_NOT_CHANGE
match protocol webex-media
policy-map Ingress_Drop_youtube
description [Client_Ingress_UI_policy UI_POLICY_DO_NOT_CHANGE]Dropping youtube traffic
class Ingress_Drop_youtube0_AVC_UI_CLASS
drop
class Ingress_Drop_youtube1_AVC_UI_CLASS
set dscp 41
policy-map Limit_youtube
description [Client_Egress_UI_policy UI_POLICY_DO_NOT_CHANGE]rate limiting youtube traffic
class Limit_youtube0_AVC_UI_CLASS
police 8000
class Limit_youtube1_AVC_UI_CLASS
set dscp 41
7. Applying QoS Policies to a WLAN:
wlan POD1-Client 1 POD1-Client
client vlan VLAN0010
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
profiling local http
no security wpa akm dot1x
security wpa akm psk set-key ascii 0 cisco123
service-policy client input Ingress_Drop_youtube
service-policy client output Limit_youtube
service-policy type control subscriber POD1-PolicyMap
session-timeout 1800
no shutdown
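To check the limits this guide states (drop only in the Ingress/Upstream policy, at most 16 rules per policy from the CLI, a policing range of 8 to 10000000 Kbps) before a policy is pushed to a controller, here is an added Python example, not Cisco's code, that renders client QoS policies in the class-map/policy-map form shown in step 6 and covers the same rules the GUI procedure earlier applies. It assumes the CLI police rate is in bps (kbps multiplied by 1000, which matches police 8000 in step 6) and accepts DSCP either as a decimal or as a PHB name such as cs3 (24), the correlation the DSCP table in the GUI section describes.

```python
"""Render AVC client QoS policies in the class-map/policy-map form used in the
CLI appendix, checking the limits the guide states. Added example; not Cisco code."""
import re

MAX_RULES_CLI = 16                 # per policy from the CLI (8 from the GUI)
POLICE_MIN_KBPS, POLICE_MAX_KBPS = 8, 10_000_000   # range given in the policing note

def dscp_value(dscp):
    """Accept a decimal DSCP (0-63) or a PHB name (cs3, af41, ef, default) and
    return the decimal value: CSx = 8x, AFxy = 8x + 2y, EF = 46."""
    s = str(dscp).strip().lower()
    if s.isdigit():
        v = int(s)
    elif s == "ef":
        v = 46
    elif s in ("default", "cs0"):
        v = 0
    elif m := re.fullmatch(r"cs([1-7])", s):
        v = 8 * int(m.group(1))
    elif m := re.fullmatch(r"af([1-4])([1-3])", s):
        v = 8 * int(m.group(1)) + 2 * int(m.group(2))
    else:
        raise ValueError(f"unknown DSCP {dscp!r}")
    if not 0 <= v <= 63:
        raise ValueError(f"DSCP {v} outside 0-63")
    return v

def build_policy(name, direction, rules, desc=""):
    """direction is 'ingress' (upstream) or 'egress' (downstream); rules is a list
    of dicts {protocol, action: drop|police|mark, kbps, dscp}. Returns the CLI
    lines, or raises ValueError for a rule the guide says is not allowed."""
    if direction not in ("ingress", "egress"):
        raise ValueError("direction must be ingress or egress")
    if not 1 <= len(rules) <= MAX_RULES_CLI:
        raise ValueError(f"a policy holds 1 to {MAX_RULES_CLI} rules")
    lines = []
    for i, r in enumerate(rules):  # one class-map per rule, named as the GUI does
        lines += [f"class-map match-any {name}{i}_AVC_UI_CLASS",
                  " description AVC_UI_CLASS DO_NOT_CHANGE",
                  f" match protocol {r['protocol']}"]
    kind = "Ingress" if direction == "ingress" else "Egress"
    lines += [f"policy-map {name}",
              f" description [Client_{kind}_UI_policy UI_POLICY_DO_NOT_CHANGE]{desc}"]
    for i, r in enumerate(rules):
        lines.append(f" class {name}{i}_AVC_UI_CLASS")
        if r["action"] == "drop":
            if direction != "ingress":  # guide: only upstream traffic can be dropped
                raise ValueError("drop is only supported in the ingress (upstream) policy")
            lines.append("  drop")
        elif r["action"] == "police":
            kbps = int(r["kbps"])
            if not POLICE_MIN_KBPS <= kbps <= POLICE_MAX_KBPS:
                raise ValueError(f"police rate {kbps} kbps outside the supported range")
            lines.append(f"  police {kbps * 1000}")  # assumption: CLI police takes bps
        elif r["action"] == "mark":
            lines.append(f"  set dscp {dscp_value(r['dscp'])}")
        else:
            raise ValueError(f"unknown action {r['action']!r}")
    return lines

if __name__ == "__main__":
    # The appendix's Limit_youtube policy rebuilt: police youtube at 8 kbps, mark webex-media 41
    print("\n".join(build_policy("Limit_youtube", "egress", [
        {"protocol": "youtube", "action": "police", "kbps": 8},
        {"protocol": "webex-media", "action": "mark", "dscp": 41}], "rate limiting youtube traffic")))
```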
8. Show AVC Statistics:
show avc wlan <wlan name> top <n> application [aggregate/upstream/downstream]
9. Show Commands for NBAR Protocol Pack:
The following sample output of the show ip nbar protocol-pack active command displays
information about the protocol pack that is provided by default with a licensed Cisco image on a
device:
5760# show ip nbar protocol-pack active
The following sample output of the show ip nbar protocol-pack active detail command
displays detailed information about the active protocol pack that is provided by default with a
licensed Cisco image on a device:
5760# show ip nbar protocol-pack active detail