Using SD-AVC

Using SD-AVC

Use the SD-AVC Dashboard to monitor and control SD-AVC functionality and statistics, and to configure Protocol Pack updates. Specifically, the Dashboard:

  • Provides information about devices operating with SD-AVC

  • Provides detailed traffic analytics

  • Enables setting up Protocol Pack deployment

Connecting

Using a Chrome browser with access to the device hosting the SD-AVC Network Service, open the SD-AVC Dashboard. The Dashboard is accessible using the service IP configured when setting up the SD-AVC Network Service, and port 8443, in the format:

https://<service-ip>:8443

Example:

https://10.56.196.153:8443

Note

The SD-AVC Dashboard uses the same authentication as the platform hosting the SD-AVC Network Service. The host platform may use locally configured usernames and passwords, or it may use other methods, such as an Authentication, Authorization, and Accounting (AAA) server.

If prompted, enter the username and password used on the host platform.

Connectivity Page

The Connectivity page lists the devices in the network that are operating with the SD-AVC Network Service, and indicates the connectivity and health status for each device.

Table 1 User Controls

Control

Description

Menu button

Display web interface tabs.

Search field

Enter a string in the Search field to filter the display of devices.

Home button

Open the main dashboard page.

Refresh button

Refresh display.

Time button

Display system time.
Table 2 Information Provided in the SD-AVC Connectivity Page

Field

Description

Hostname

Device hostname

IP

Device IP

Segment

Network segment: A group of devices that share the same purpose, such as routers within the same hub.

Connectivity

Device connectivity with the SD-AVC Network Service.

Connectivity messages are sent over UDP port 50000.

  • Green checkmark: All connectivity messages are being received.

  • Orange caution: Some connectivity messages have not been received. SD-AVC will monitor the device for restoration of connectivity. Wait a few minutes for the issue to resolve or escalate to red X.

  • Red X: No messages are being received.

Troubleshooting:

  • Check connectivity on UDP port 50000. If no problem is found with connectivity, contact Cisco TAC.

Update Health

Status of updates from the SD-AVC Network Service to the device. Updates include application and configuration data, and are made by standard FTP connection.

  • Green checkmark: The device has successfully accessed the SD-AVC Network Service and has installed any application data updates.

  • Orange caution: Some messages are being received; some are missing. Wait a few minutes for the issue to resolve or escalate to red X.

  • Red X: One of the following may have occurred:

    (a) No messages are being received.

    (b) The device has failed to install an application data update from the SD-AVC Network Service.

Troubleshooting:

  • Verfiy FTP connectivity on ports 20, 21.

  • On the device, execute show tech-support nbar platform to display NBAR data useful for troubleshooting. Save the output for use by TAC if the problem persists.

Exporter Health

Status of device data export to the SD-AVC Network Service.

  • Green checkmark: All messages are being received.

  • Orange caution: Some messages are being received; some are missing. Wait a few minutes for the issue to resolve or escalate to red X.

  • Red X: No messages are being received.

Troubleshooting:

  • Check FTP connectivity on UDP port 50000. If no problem is found with connectivity, contact Cisco TAC.

Traffic Health

Traffic health status in the network – indicates whether the device is processing traffic.

  • Green checkmark: The NBAR2 component on the device is processing traffic.

    Requires:

    • Connectivity between the SD-AVC Network Service and device

    • NBAR2 is enabled.

    • Device is processing traffic.

  • Orange caution: The SD-AVC Network Service has not received some expected application data from the device. Wait a few minutes for the issue to resolve or escalate to red X.

  • Red X: No application data is being received.

    Possible causes:

    • Connection error.

    • NBAR is not enabled.

    • The device is not processing traffic.

Troubleshooting:

  • Check FTP connectivity on UDP port 50000. If no problem is found with connectivity, contact Cisco TAC.

Classification Score

Last measured classification quality score for the device. This indicates the degree of classification quality (specificity), calculated according to traffic volume.

Higher score indicates better quality.

Asymmetric Index

Last measured degree of asymmetry seen by device. This is the ratio of asymmetric flows to total flows for TCP and DNS traffic.

0 is least asymmetry, and 10 is highest asymmetry.

Application Visibility Page

The Application Visibility page provides high-level information regarding the classification score of devices, and applications providing network traffic. Use the controls at the top to clear the statistics, filter by device, or select a time period (hours). The metrics and graphs displayed on the page are an average over the span of time indicated by the selected period.

Table 3 Application Visibility page

Metric

Description

Classification (over time) score

Degree of classification quality (specificity), calculated according to traffic volume.

First Packet classification ratio

Ratio of flows classified on the first packet, to total TCP/UDP flows.

SD-AVC Coverage Ratio

Ratio of flows covered by the SD-AVC application rules pack, to the total number of TCP/UDP flows.

Business Relevancy chart

Traffic business relevance, over the period selected in the Period menu.

Application Rules Page

The Application Rules page lists application data compiled by SD-AVC, organized into rules ready for export to participating devices in the network. The information is sent when the devices request an Application Rules Pack from the SD-AVC Network Service.

Asymmetric Sockets Page

The Asymmetric Sockets page lists the asymmetric flows currently being tracked by SD-AVC. In networks that do not employ asymmetric routing, the list may be empty.

Protocol Pack Update Page

The Protocol Pack Update page enables deploying Protocol Packs to devices in the network that are are using SD-AVC. The page contains tabs for loading and scheduling deployment of Protocol Pack files, and checking status.

Understanding Protocol Pack Files

Cisco releases Protocol Packs on an ongoing basis. Each Protocol Pack release provides updates that expand and improve AVC application recognition. Typically, it is recommended to use the latest Protocol Pack compatible with the OS running on a device. The Protocol Library page indicates the latest Protocol Pack and provides compatibility information.

Protocol Packs are available using the Cisco Download Software tool. When using the tool, specify a platform and then navigate to software downloads for the platform.

Protocol Pack filenames have the following format:

pp-adv-<platform-type>-<OS>-<engine-id>-<protocol-pack-version>.pack

Platform type may be, for example, asr1k, csr1000v, or isr4000. However, a Protocol Pack may be installed on any compatible device, even if that device is not indicated by the filename.

How SD-AVC Determines which Devices are Compatible with a Protocol Pack

The SD-AVC network service contains a Protocol Pack repository that stores specific Protocol Packs uploaded to the repository for deployment to devices in the network. The SD-AVC network service deploys a Protocol Pack in the repository to all compatible devices, at the time scheduled.

To determine compatibility, the SD-AVC network service compares the IOS version and engine ID of a Protocol Pack in the repository to the IOS version and engine running on devices in the network. If a Protocol Pack in the repository is compatible with a device, then the SD-AVC network service deploys the Protocol Pack from the repository to the device.

Deploying Protocol Packs Using SD-AVC

Use the SD-AVC network service to deploy Protocol Packs to devices operating with the service, as follows:

  1. Determine the Protocol Pack to deploy. The Protocol Library page provides compatibility information.

  2. Download the Protocol Pack using the Cisco Download Software tool. In the filename of the downloaded Protocol Pack, note the engine ID.

  3. In the SD-AVC Dashboard, use the Protocol Pack Update page to upload the Protocol Pack file into the Protocol Pack repository on the SD-AVC network service. SD-AVC determines which devices are compatible with the Protocol Packs in the repository.

  4. On the Protocol Pack Update page, open the Deployment Status tab. The SD-AVC network service indicates the Protocol Packs ready for deployment to compatible devices.

  5. On the Protocol Pack Update page, open the Deploy tab and schedule a time for deployment. At the specified time, the SD-AVC network service deploys the Protocol Pack to any compatible devices. If no time is scheduled, and if the Immediate option is not selected, then Protocol Pack deployment does not occur.

Protocol Pack Repository Tab

The Protocol Pack Repository is a collection of Protocol Pack files stored with the SD-AVC Network Service, for deployment to devices managed by the SD-AVC Network Service. The Protocol Pack Repository tab:

  • Displays Protocol Pack files in the repository.

  • Enables loading Protocol Pack files into the repository.

  • Enables removal of Protocol Pack files from the repository.

Table 4 Information in the Protocol Pack Repository Tab

Column

Description

Name

Protocol Pack filename.

Engine-ID

The engine ID is determined by the version of Cisco IOS XE. Protocol Pack files are compatible with specific engine ID versions.

Latest

A green checkmark in this column indicates that the Protocol Pack file is ready for deployment.

To downgrade from a later Protocol Pack to an earlier Protocol Pack (for example 31.0.0 to 30.0.0), delete the later Protocol Pack from the repository, upload the earlier version (30.0.0), and then deploy. SD-AVC deploys the Protocol Pack to all compatible devices managed by the SD-AVC Network Service.

Action

Enables deleting a Protocol Pack file from the repository.

Deploy Tab

The Deploy tab enables scheduling a deployment time or selecting Immediate for immediate deployment.

If no time is scheduled, the SD-AVC Network Service does not deploy any Protocol Packs.

Deployment Status Tab

The Deployment Status tab displays information about each device managed by the SD-AVC Network Service, as described in the following table. It indicates the current Protocol Pack, and any compatible Protocol Pack in the repository, if there is one.

If a Protocol Pack file is listed in the Candidate column, and if it differs from the Active Protocol Pack, then the Candidate Protocol Pack will be deployed at the scheduled deployment time.

Table 5 Information in the Deployment Status Tab

Column

Description

Hostname

Device hostname.

IP

Device IP.

Segment

 Network segment: A group of devices that share the same purpose, such as routers within the same hub.

Active Pack

Protocol Pack currently installed on the device.

Candidate

A compatible Protocol Pack in the repository.

Note: The latest Protocol Pack file in the repository compatible with the device may be an older Protocol Pack version, especially if the repository has not been kept up to date.

Current Status

Green: The active Protocol Pack and the candidate are the same, so no Protocol Pack will be deployed to the device.

Yellow/Orange: The candidate Protocol Pack is different from the active one, and it will be deployed at the scheduled time.

Red: The candidate Protocol Pack is different from the active one, and a recent attempt to deploy a Protocol Pack failed. In this case the Last Status column indicates that a deployment failed.

Last Status

Indicates the status of the most recent attempt, if any, to deploy a Protocol Pack to the device.

Module Statistics Page

The Module Statistics page displays statistics for various types of packets, for each device. Each device reports raw data about packet handling to the SD-AVC Network Service, which compiles statistics for each device. The statistics may be useful for monitoring or troubleshooting.

Click the X-icon to clear the module statistics.