Wireless LAN Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

Available Languages

Download Options

  • PDF     (1.2 MB)
    View with Adobe Reader on a variety of devices
Updated:October 7, 2013

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Support for AVC on Wireless LAN

Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques with the Network-Based Application Recognition (NBAR2) engine, and provides application-level visibility and control into Wi-Fi networks. After the applications are recognized, the AVC feature enables you to either drop or mark the data traffic.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Restrictions for Support for AVC on Wireless LAN

  • AVC is supported on WLANs configured for central switching only.
  • IPv6 including ICMPv6 traffic classifications are not supported.
  • Datalink is not supported for NetFlow fields for AVC.
  • Multicast traffic is not supported.
  • The template timeout cannot be modified on exporters configured with AVC. Even if the template timeout value is configured to a different value, only the default value of 600 seconds is used.

Information About Support for Cisco Application Visibility and Control on Wireless LAN

AVC on Wireless LAN Overview

Application Visibility and Control (AVC) solution for wireless networks identifies more than 1000 business– or consumer–class applications using deep packet inspection (DPI). The support of AVC embedded within the WLAN infrastructure extends as an end-to-end solution, which gives a complete visibility of applications in the network and allows administrators to do one of the following:

  • Mark applications for further prioritization.

  • Block applications for security reasons.

  • Conserve limited network bandwidth.

Components of an Application Visibility and Control Network

Application Visibility and Control feature consist of the following components:

  • Cisco Network-Based Application Recognition Version 2 (NBAR2)— a next-generation DPI technology that identifies more than 1000 applications and supports application categorization, with the ability to update the protocol definition.
  • Cisco NetFlow v9— to select and export data of interest, allowing easy consumption of application performance statistics by Cisco and third-party applications
  • Cisco Prime™ Infrastructure— an enterprise-grade infrastructure and service-monitoring tool which reports application and network performance to facilitate up to 30 different reports for application visibility.

Benefits for Support for AVC on Wireless LAN

  • Improved quality of experience for all wireless users through application-level optimization and control.
  • Proactive monitoring and end-to-end application visibility to accelerate troubleshooting and minimize network downtime.
  • Network capacity management and planning through greater visibility of application usage and performance.
  • Prioritization of business-critical applications and sub-flows like Cisco Jabber voice or IM sessions.

How to Configure Support for AVC on Wireless LAN

Creating a Flow Record

Procedure
     Command or ActionPurpose
    Step 1 enable


    Example: 
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example: 
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3flow record flow_record_name


    Example: 
    Device (config)# flow record fr_name
Device(config-flow-record)#
          		Enters flow record configuration mode.  
    Step 4description flow_record_description


    Example: 
    Device(config-flow-record)# description fr_desc
     

    (Optional) Describes the flow record as a maximum 63-character string.

     
    Step 5match ipv4 {protocol | source address | destination address}


    Example: 
    Device(config-flow-record)# match ipv4 protocol
Device(config-flow-record)# match ipv4 source address
Device(config-flow-record)# match ipv4 destination address
     
    • Specifies a match to the IPv4 protocol.
    • Specifies a match to the IPv4 source address-based field.
    • Specifies a match to the IPv4 destination address-based field.
     
    Step 6match transport {source-port | destination-port}


    Example: 
    Device(config-flow-record)# match transport source-port
Device(config-flow-record)# match transport destination-port
     

    • Specifies a match to the transport layer source-port field.

    • Specifies a match to the transport layer destination-port field.

     
    Step 7match application name


    Example: 
    Device(config-flow-record)# match application name
     

    • Specifies a match to the application name.

     
    Step 8match wireless ssid


    Example: 
    Device(config-flow-record)# match wireless ssid
     

    • Specifies a match to the SSID name identifying the wireless network.

     
    Step 9collect counter {bytes | packets} long


    Example: 
    Device(config-flow-record)# collect counter bytes long
Device(config-flow-record)# collect counter packets long
     
    • Specifies to collect counter fields total bytes.
    • Specifies to collect counter fields total packets.
     
    Step 10collect wireless {ap | client} mac address


    Example: 
    Device(config-flow-record)# collect wireless ap mac address
Device(config-flow-record)# collect wireless client mac address
     

    • Specifies to collect the MAC addresses of the access points that the wireless client is associated with.

    • Specifies to collect MAC address of the client on the wireless network.

     
    Step 11 end


    Example: 
    Device(config)# end
     

    Leaves global configuration mode and returns to privileged EXEC mode.

     

    Creating a Flow Exporter

    You can create a flow export to define the export parameters for a flow. This is an optional procedure for configuring flow parameters.

    Procedure
       Command or ActionPurpose
      Step 1 enable


      Example: 
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example: 
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3flow exporter flow_exporter_name


      Example: 
      Device (config)# flow exporter fe_name
Device(config-flow-exporter)#
              		Enters flow exporter configuration mode.  
      Step 4description string


      Example: 
      Device (config-flow-exporter)# description fe_desc
       

      Describes the flow record as a maximum 63-character string.

       
      Step 5destination {hostname | ip-address}


      Example: 
      Device (config)# (config-flow-exporter) # destination 192.0.2.1
              		Specifies the hostname or IPv4 address of the system to which the exporter sends data.  
      Step 6transport udp port-value


      Example: 
      Device (config-flow-exporter) # transport udp 2
              		Configures a port value for the UDP protocol. The range is from 1 to 65535.  
      Step 7option application-table timeout seconds


      Example: 
      Device (config-flow-exporter) # transport udp 2
              		(Optional) Specifies application table timeout option. The valid range is from 1 to 86400 seconds.  
      Step 8option usermac-table timeout option_resend_time


      Example: 
      Device (config-flow-exporter) # transport udp 2
              		(Optional) Specifies wireless usermac-to-username table option. The range is from 1 to 86400 seconds.  
      Step 9 end


      Example: 
      Device(config)# end
       

      Leaves global configuration mode and returns to privileged EXEC mode.

       

      Creating a Flow Monitor

      You can create a flow monitor and associate it with a flow record and a flow exporter.
      Procedure
         Command or ActionPurpose
        Step 1 enable


        Example: 
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.

         
        Step 2 configure terminal


        Example: 
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3flow monitor flow_monitor_name


        Example: 
        Device (config)# flow monitor fm_name
Device(config-flow-monitor)#
         

        Creates a flow monitor and enters flow monitor configuration mode.

         
        Step 4description flow_monitor_description


        Example: 
        Device(config-flow-record)# description fm_desc
         

        (Optional) Describes the flow record as a maximum 63-character string.

         
        Step 5record flow_record-name


        Example: 
        Device (config-flow-monitor)# record fr_name
         

        Specifies the name of a recorder that was created previously.

         
        Step 6exporter flow-exporter-name


        Example: 
        Device (config-flow-monitor)# exporter fe_name
         

        Specifies the name of an exporter that was created previously.

         
        Step 7cache timeout {active | inactive} {active | inactive}


        Example: 
        Device(config-flow-monitor)# cache timeout active 1800
Device(config-flow-monitor)# cache timeout inactive 200
         

        Specifies flow cache timeout parameters. You can configure for a time period of 1 to 604800 seconds.

        Note   

        To achieve optimal result for the AVC flow monitor, it is recommended that you configure the inactive cache timeout value to be greater than 90 seconds.

         
        Step 8 end


        Example: 
        Device(config)# end
         

        Leaves global configuration mode and returns to privileged EXEC mode.

         
        Step 9show flow monitor flow-monitor-name


        Example: 
        Device # show flow monitor fm_name
                  		 

        Configuring Wireless LAN to Apply Flow Monitor

        You can configure a Wireless LAN to apply flow monitor in IPV4 and IPv6 Input/Output direction.
        Procedure
           Command or ActionPurpose
          Step 1 enable


          Example: 
          Device> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.

           
          Step 2 configure terminal


          Example: 
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 3wlan wlan-name wlan-id


          Example: 
          Device (config)# wlan wlan-name 11
Device(config-wlan)#
           

          Enters WLAN configuration submode. For wlan-id, enter the WLAN ID. The range is 1 to 512.

           
          Step 4ip flow monitor flow-monitor-name {input | ouput}


          Example: 
          Device (config-wlan)# ip flow monitor fm_name input
Device (config-wlan)# ip flow monitor fm_name output
           

          Associates a flow monitor to the WLAN for input or output packets.

           
          Step 5 end


          Example: 
          Device(config)# end
           

          Leaves global configuration mode and returns to privileged EXEC mode.

           

          Monitoring Application Visibility and Control

          The following commands can be used to monitor application visibility and control on the device.
          Procedure
            Step 1   show avc client client-mac top n application [aggregate|upstream|downstream]


            Example: 
            Cumulative Stats:
No.  AppName    Packet-Count    Byte-Count    AvgPkt-Size    usage%
---------------------------------------------------------------------
1    skinny     7343            449860        61             94
2    unknown    99              13631         137            3
3    dhcp       18              8752          486            2
4    http       18              3264          181            1
5    tftp       9               534           59             0
6    dns        2               224           112            0

Last Interval(90 seconds) Stats:
No.  AppName    Packet-Count    Byte-Count    AvgPkt-Size    usage%
---------------------------------------------------------------------
1    skinny     9               540           60             100

            Displays information about top “n” applications for the given client MAC.

            Step 2   show avc wlan ssidtop n application [aggregate|upstream|downstream]


            Example: 
            Device# show avc wlan Lobby_WLAN top 10 application aggregate
Cumulative Stats:
No.  AppName    Packet-Count    Byte-Count    AvgPkt-Size    usage%
---------------------------------------------------------------------
1    ssl        10598677        1979525706    997            42
2    vnc        5550900         3764612847    678            14
3    http       3043131         2691327197    884            10
4    unknown    1856297         1140264956    614            4
5    video-over-http 1625019    2063335150    1269           8
6    binary-over-http 1329115   1744190344    1312           6
7    webex-meeting 1146872      540713787     471            2
8    rtp        923900          635650544     688            2
9    unknown    752341          911000213     1210           3
10   youtube    631085          706636186     1119           3



Last Interval(90 seconds) Stats:
No.  AppName    Packet-Count    Byte-Count    AvgPkt-Size    usage%
---------------------------------------------------------------------
1    vnc        687093          602731844     877            68
2    video-over-http 213272     279831588     1312           31
3    ssl        6515            5029365       771            1
4    webex-meeting 3649         1722663       472            0
5    http       2634            1334355       506            0
6    unknown    1436            99412         69             0
7    google-services 722        378121        523            0
8    linkedin   655             393263        600            0
9    exchange   432             167390        387            0
10   gtalk-chat 330             17330         52             0

            Displays information about top “n” applications for the given SSID.

            Step 3   show flow monitor flow_monitor_name cache


            Example: 
            Device# show flow monitor FLOW-MONITOR-1
Flow Monitor FLOW-MONITOR-1:
  Description:        Used for basic traffic analysis
  Flow Record:        flow-record-1
  Flow Exporter:      flow-exporter-1
                      flow-exporter-2
  Cache:
    Type:             normal
    Status:           allocated
    Size:             4096 entries / 311316 bytes
    Inactive Timeout: 15 secs
    Active Timeout:   1800 secs
    Update Timeout:   1800 secs

            Displays information about flow monitors.

            Clearing Application Visibility and Control Statistics

            The following commands can be used to clear the statistics of application visibility and control.
            Procedure
               Command or ActionPurpose
              Step 1 clear avc client mac statistics


              Example: 
              Device# clear avc client mac statistics
               

              Clears the statistics per client.

               
              Step 2 clear avc wlan ssid-namestatistics


              Example: 
              Device# clear avc wlan
               

              Clears the statistics per WLAN.

               

              Configuration Examples for Support for AVC on Wireless LAN

              Example Configuring Support for AVC on Wireless LAN

              This example shows how to create a flow record, create a flow monitor, apply the flow record to the flow monitor, and apply the flow monitor on a WLAN: 

              Device(config)# flow record fr_v4
Device(config-flow-record)# match ipv4 protocol
Device(config-flow-record)# match ipv4 source address
Device(config-flow-record)# match ipv4 destination address
Device(config-flow-record)# match transport destination-port
Device(config-flow-record)# match flow direction
Device(config-flow-record)# match application name
Device(config-flow-record)# match wireless ssid
Device(config-flow-record)# collect counter bytes long
Device(config-flow-record)# collect counter packets long
Device(config-flow-record)# collect wireless ap mac address
Device(config-flow-record)# collect wireless client mac address
Device(config)#end

Device# configure terminal
Device# flow monitor fm_v4
Device(config-flow-monitor)# record fr_v4
Device(config-flow-monitor)# cache timeout active 1800
Device(config)#end

Device(config)#wlan wlan1
Device(config-wlan)#ip flow monitor fm_v4 input
Device(config-wlan)#ip flow mon fm-v4 output
Device(config)#end

Device(config)#flow monitor fm_v4 cache

              Additional References Support for AVC on Wireless LAN

              Related Documents

              Related Topic

              Document Title

              Cisco IOS commands

              Cisco IOS Master Commands List, All Releases

              Overview of Cisco IOS NetFlow

              Cisco IOS NetFlow Overview

              List of the features documented in the Cisco IOS NetFlow Configuration Guide

              Cisco IOS NetFlow Features Roadmap

              The minimum information about and tasks required for configuring NetFlow and NetFlow Data Export

              Getting Started with Configuring NetFlow and NetFlow Data Export

              Tasks for configuring NetFlow to capture and export network traffic data

              Configuring NetFlow and NetFlow Data Export

              Tasks for configuring NetFlow multicast support

              Configuring NetFlow Multicast Accounting

              Tasks for detecting and analyzing network threats with NetFlow

              Detecting and Analyzing Network Threats With NetFlow

              Tasks for configuring Cisco NBAR

              Classifying Network Traffic Using NBAR

              NBAR commands.

              Cisco IOS Quality of Service Solutions Command Reference

              Standards

              Standards

              Title

              No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

              MIBs

              MIBs

              MIBs Link

              None

              No new MIBs were created for this feature.

              To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

              http:/​/​www.cisco.com/​go/​mibs

              RFCs

              RFCs

              Title

              No new or modified RFCs are supported by this feature.

              Technical Assistance

              Description

              Link

              The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

              http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

              Feature Information for Support for AVC on Wireless LAN

              The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

              Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to . An account on Cisco.com is not required.
              Table 1 Feature Information for Support for AVC on Wireless LAN

              Feature Name

              Releases

              Feature Information

              Support for AVC on Wireless LAN

              Cisco IOS XE Release 3.3SE

              The Cisco Application Visibility and Control (AVC) solution for wireless networks identifies more than 1000 business– or consumer–class applications using deep packet inspection (DPI).

              The following commands are introduced or modified in the feature documented in this module:
              • flow record record_name
              • flow exporter flow_exporter_name
              • flow monitor flow_monitor_name

              In Cisco IOS XE Release 3.3SE, this feature is supported on Cisco 5700 Wireless LAN Controllers.

              Configuration guide

              Copyright © 2015, Cisco Systems, Inc. All rights reserved.

              Was this Document Helpful?

              FeedbackFeedback

              Contact Cisco

              This Document Applies to These Products