SD-AVC Notes and Limitations

General

Note/Limitation

Description

Maximum number of participating network devices

Maximum number of network devices participating with SD-AVC (running the SD-AVC agent): 6000

Setup

Note/Limitation

Description

MD5 checksum of OVA download

When installing or upgrading the SD-AVC network service, download the OVA package, copy it to the device that will host the network service, and verify the MD5 checksum of the package before installing. The correct MD5 checksum value appears on the Download Software page when downloading the package. Compare the checksum computed on the host against that published value, and do not install the package if the two values differ.
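As an added example (not part of the Cisco documentation), the following Python performs that pre-install check: it hashes the downloaded OVA in chunks and compares the result with the digest copied from the Download Software page. The script and file names are placeholders; the only real input is the digest value taken from the download page.

```python
import hashlib
import hmac
import sys


def md5_of_file(path, chunk_size=1024 * 1024):
    """Return the lowercase hex MD5 digest of a file.

    The file is read in chunks so a multi-gigabyte OVA never has to be
    loaded into memory at once.
    """
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_ova(path, expected_md5):
    """Compare a downloaded OVA with the MD5 value copied from the
    Download Software page.

    Surrounding whitespace and letter case in the pasted value are
    tolerated; any other difference is a mismatch. Returns True only
    when the digests are identical.
    """
    actual = md5_of_file(path)
    expected = expected_md5.strip().lower()
    # compare_digest avoids short-circuiting on the first differing byte.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Usage: python verify_ova.py <sdavc.ova> <md5-from-download-page>
    # (script name and OVA file name are placeholders, not Cisco artifacts)
    if len(sys.argv) != 3:
        sys.exit("usage: verify_ova.py <ova-file> <expected-md5>")
    ova, expected = sys.argv[1], sys.argv[2]
    if verify_ova(ova, expected):
        print(f"OK: {ova} matches the published MD5; safe to install.")
    else:
        print(f"MISMATCH: {ova} does not match {expected}; do not install.")
        sys.exit(1)
```

The check catches a corrupted, truncated or wrong download. It is only as trustworthy as the reference value, so take the digest from the authenticated Download Software page rather than from any file that travelled with the OVA.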

Network Service gateway interface attached to VRF

For the SD-AVC Network Service, running on a host device, if the host interface that is used as a gateway interface is attached to a VRF, see Operating the SD-AVC Network Service with Host Interface Attached to a VRF for configuration details.

Running and startup configurations of participating devices

SD-AVC adds two lines to the running and startup configurations of participating devices:

  • To enable the MS Office 365 Web Service, which improves classification of Microsoft Office traffic:

    ip nbar protocol-pack bootflash:sdavc/sdavc_ppdk.pack force
    
    
  • When SD-AVC deploys Protocol Packs to a device:

    ip nbar protocol-pack harddisk:sdavc/protocol-pack-name.pack
    
    

Classification

Note/Limitation

Description

Interval before sending application data

SD-AVC requires a few minutes to learn from the network traffic before the application data is sent to the SD-AVC Network Service and compiled at the network level. See SD-AVC and Application Recognition.

SD-AVC application rules pack less relevant for client-to-client traffic

SD-AVC provides application classification for server-based applications. The SD-AVC application rules pack is less relevant for client-to-client traffic, which is more granular and dynamic. Client-to-client traffic is classified by NBAR2 running on each network element.

Proxy or CDN

In the case of a proxy or content delivery network (CDN), multiple applications may use the same IP/port combination. The network devices themselves classify such traffic fully. However, the SD-AVC agent operating on a device may report these applications to the SD-AVC network service with less classification detail, or not at all.

Reported bandwidth of Unclassified Traffic Discovery

For traffic that appears in the Unclassified Traffic view, the reported bandwidth is based on samples and may not be accurate in some cases. See Unclassified Traffic Analysis and Discovery.

High-stress flows may not be discovered by the Unclassified Traffic Discovery feature

High-stress flows that require a large amount of system resources may be excluded from the traffic reported in the Unclassified Traffic view. For example, the Timeline may show a high bandwidth of unknown/generic traffic that does not appear in the table. Such flows skip the discovery mechanism in order to keep resource utilization down while the high-stress flows are present. See Unclassified Traffic Analysis and Discovery.

High Availability

Note/Limitation

Description

Error status and Protocol Pack deployment during high availability switchover and switchback

In SD-AVC high availability configurations, if the primary SD-AVC network service becomes unavailable, network devices switch to the secondary SD-AVC network service. When the primary SD-AVC network service becomes available again, the devices switch back to primary.

The switchover and switchback processes require approximately 30 minutes. During this time:

  • Service in the network continues normally without interruption.

  • The SD-AVC Dashboard > Application Visibility page shows an error status for the devices.

  • The SD-AVC Dashboard > Protocol Packs page shows that the devices are not active. During this period, SD-AVC does not deploy Protocol Packs to the devices.

See SD-AVC High Availability.

Protocol Pack

Note/Limitation

Description

Cisco ISR4000 Series: hard disk limitation

Protocol Pack files must be loaded on the boot flash. For ISR4000 routers operating with SD-AVC, it is not recommended to install a hard disk. Doing so will cause Protocol Pack deployment by SD-AVC to fail.

Protocol Pack deployment during high availability switchover and switchback

See High Availability.

REST API

Note/Limitation

Description

User-defined application source

In the initial release of the REST API, only one user-defined application source is supported.

Total number of user-defined applications available

For each network segment:

  • Maximum user-defined applications: 1100

  • Maximum L3L4 rules: 20000

  • Maximum serverNames: 50000

  • Maximum wildcards followed by period (.): 50000 (the same limit as serverNames; these entries count toward it)

    Example: *.cisco.com matches www.cisco.com, developer.cisco.com

  • Maximum prefix wildcards as part of a server name: 256

    Example: *ample.com matches www.example.com
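The following Python is added here as an example and is not part of the SD-AVC documentation or its REST API. It pre-checks a user-defined application set against the per-segment limits listed above before the configuration is pushed to the network service, and distinguishes the two wildcard forms, since `*.domain` entries share the serverNames cap while `*ample.com` entries have their own cap of 256. The input shape (a list of dicts with `name`, `serverNames` and `l3l4Rules` keys) is an assumption made for illustration, not the actual API schema, and the sample applications are constructed.

```python
from collections import Counter

# Per-network-segment limits from the SD-AVC REST API notes.
LIMITS = {
    "applications": 1100,
    "l3l4_rules": 20000,
    "server_names": 50000,      # plain names and "*.domain" wildcards share this cap
    "prefix_wildcards": 256,    # names such as "*ample.com"
}


def classify_server_name(name):
    """Classify one serverName entry.

    'plain'            www.cisco.com
    'dot_wildcard'     *.cisco.com   (wildcard followed by a period)
    'prefix_wildcard'  *ample.com    (wildcard glued to part of a label)
    Treating any other placement of '*' as a prefix wildcard is an
    assumption made in this example; the documentation shows only these two forms.
    """
    if "*" not in name:
        return "plain"
    if name.startswith("*.") and "*" not in name[2:]:
        return "dot_wildcard"
    return "prefix_wildcard"


def check_segment(apps):
    """Count the objects one segment's configuration would create and
    return (counts, violations).

    apps: list of dicts {'name': str, 'serverNames': [str], 'l3l4Rules': [...]}
    (assumed shape for this example, not the REST API schema).
    Every serverName counts toward the 50000 cap; prefix wildcards are
    additionally counted toward their own 256 cap.
    """
    counts = Counter()
    counts["applications"] = len(apps)
    for app in apps:
        counts["l3l4_rules"] += len(app.get("l3l4Rules", []))
        for server_name in app.get("serverNames", []):
            counts["server_names"] += 1
            if classify_server_name(server_name) == "prefix_wildcard":
                counts["prefix_wildcards"] += 1
    violations = [
        f"{key}: {counts[key]} exceeds limit {limit}"
        for key, limit in LIMITS.items()
        if counts[key] > limit
    ]
    return dict(counts), violations


# Constructed sample: two small applications that fit within every limit.
SAMPLE_APPS = [
    {"name": "intranet-portal",
     "serverNames": ["portal.example.internal", "*.portal.example.internal"],
     "l3l4Rules": [{"ip": "10.10.0.0/24", "port": 443}]},
    {"name": "legacy-erp",
     "serverNames": ["*erp.example.internal"],
     "l3l4Rules": [{"ip": "10.20.0.5", "port": 8443}, {"ip": "10.20.0.6", "port": 8443}]},
]


def oversized_segment():
    """Constructed segment with 300 prefix-wildcard names, which breaks the
    256-entry cap while staying well under every other limit."""
    return [{"name": f"app-{i}", "serverNames": [f"*svc{i}.example.internal"], "l3l4Rules": []}
            for i in range(300)]


if __name__ == "__main__":
    for label, segment in (("sample", SAMPLE_APPS), ("oversized", oversized_segment())):
        counts, violations = check_segment(segment)
        print(label, counts, violations or "within limits")
```

Run the check against the exact payload you intend to push; in a high-availability deployment the same payload goes to both the primary and the secondary network service, so one validated copy serves both.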

High-availability SD-AVC configurations

High-availability SD-AVC configurations are supported.

On the primary and secondary SD-AVC network services, configure the same REST API-based user-defined application configuration.