AVC on WLAN: Application Visibility & Control
DESCRIPTION
In this presentation we will see how Cisco Wi-Fi solutions make it possible to guarantee application performance with the Application Visibility and Control (AVC) solution: application recognition and dashboard generation, advanced QoS notably to guarantee voice transport, instrumentation adapted to video and multicast (VideoStream)… Finally, we will see how this solution fits into an overall strategy for the enterprise network (Wi-Fi, LAN, WAN…)
TRANSCRIPT
Wi-Fi and Application Performance
Vincent Makowski
Enterprise Networking Specialist
AVC on WLAN Application Visibility & Control
Cisco Confidential 3 C97-730476-00 © 2014 Cisco and/or its affiliates. All rights reserved.
What is An Application?
HTTP, FTP, SMTP, POP3, IMAP, HTTPS: are these applications, or just ports?
80, 20/21, 25, 110, 143, 443: what about these?
Overview – The Need for AVC
• Wireless is quickly becoming the primary access method, making network reliability and consistent application performance a critical necessity
• NBAR is a deep-packet inspection technology that supports stateful L4-L7 classification; the controller can classify >1000 applications
• Used with Protocol Discovery to get an idea of what the traffic patterns in the network are
• NBAR recognizes the application and passes this information on to other features like QoS, NetFlow or Firewall, which can take action based on this classification
How AVC Improves Wireless Networks
• QoS integration: NBAR helps identify both high and low priority traffic so appropriate QoS can be applied on a per WLAN basis
— Protecting key applications when there is congestion on the network
• NetFlow integration: NBAR can export traffic data to a NetFlow Collector
— Provides for capacity planning and network usage base-lining, while trending of application usage helps the network admin plan for network infrastructure upgrades
New: Cisco Enterprise + Meraki architectural integration
[Figure: Cisco ONE Architecture. Cisco Enterprise (flexibility): ISR / ASA, Catalyst, Aironet, managed via CLI, SNMP and embedded GUI. Cisco Meraki (simplicity): MX, MS, MR, cloud management. Common layer: Cisco ISE for policy & control, Cisco Prime for management & analytics.]
Wireless Deployment Models
[Figure: three models side by side. Centralized Model: APs with CAPWAP tunnels to a 5508/WiSM2 controller, file server in the data center. Converged Access: MC and MA roles on the switching infrastructure. Flex-Connect: 5508 controller, ISR 3925 in the branch, Internet, RTP, local server.]
AVC on WLAN Centralized & FlexConnect deployment
Centralized Wireless Model: Current Campus Architecture
[Figure: campus with two 5508 WLCs (MC roles) behind the WAN block, 2960X access switches, GA controller, firewall, DMZ hosting ISE, PI and MSE, intranet; MA roles at the edge. AP CAPWAP terminates at the controller, which performs the 802.11 to 802.3 conversion.]
No visibility into client traffic while it is tunneled; native 802.3 traffic exists only after WLC decapsulation, so AVC is applied at the WLC.
Flex-Connect Wireless Model: Current Branch Architecture
[Figure: branch office with AP-1, AP-2, AP-3, ISR 3925, local server and RTP; data center with a 7500 Flex controller (MC) and file server; Internet between them.]
Multiple CAPWAP tunnels terminate at the central controller; CAPWAP and 802.11 control traffic is carried back to the WLC.
The AP converts 802.11 to 802.3 (local MAC); the switch sees native client traffic, as in the wired scenario.
Data traffic does not hit the WLC: it is either locally switched or routed from the branch.
AVC on the Flex controller would work ONLY if traffic is centrally switched…
AVC For Wireless Deployments (CUWN)
Current Mobility Architecture
[Figure: APs with CAPWAP tunnels to a 5508/WiSM2 running AVC/NBAR2.]
• NetFlow export (one per WLC)
• AVC profile action: drop or mark per application
• QoS classification/marking
• QoS policing
Notes: the switches/routers in the path just carry CAPWAP; configuring them to “trust” the CAPWAP DSCP needs to be done on the switches.
Enabling AVC on Wireless
• AVC can be provisioned and monitored using the Controller GUI (or PI 1.3 minimum)
• AVC is enabled per WLAN; monitoring is turned on for the WLAN
• Profiles can then be created based on traffic
• Real-time applications can be monitored on the Controller UI
• Viewing long-term reports requires a NetFlow collector
• AVC on the controller can classify and take action on 1056 apps
• Two actions, either DROP or MARK
• Max 16 AVC profiles on a WLC; max 32 rules per profile
• AVC stats are displayed only for the top 10 applications on the GUI
[Screenshots: Enable AVC; Create Profile]
How to See What Applications Are Supported?
Possible Rules: DROP, MARK
A rule can drop an application, or remark it
Note: the above 2 rules can also be part of the same AVC profile
Sample AVC Reports on Controller UI
What is That Client Really Using
Use the Monitor > Client > Details page to examine the top 10 applications in use by a particular client
NetFlow Integration – Defining An Exporter
• Configuring an exporter on the WLC allows for the collection of application statistics for export to an external monitor
[Screenshot: exporter configuration, steps 1 to 5]
NetFlow Integration – Identifying the Monitor
• Use the Monitor function to map the exporter to the address where the collected statistics will be sent
[Screenshot: monitor configuration, steps 1 to 6]
Only a single monitor can be defined on the Controller
AVC Quick Summary
• NBAR on the WLC can classify and take action on 1056 different applications.
• Two actions, either DROP or MARK, are possible on any classified application.
• A maximum of 16 AVC profiles can be created on a WLC. (Rate limiting is on the roadmap.)
• Each AVC profile can be configured with a maximum of 32 rules.
• The same AVC profile can be mapped to multiple WLANs.
• One NetFlow exporter and one monitor can be configured on the WLC.
• NBAR stats are displayed only for the top 10 applications on the GUI. The CLI can be used to see all applications.
• Any application which is not supported/recognized by the NBAR engine on the WLC is captured under the bucket of UNCLASSIFIED traffic.
Coming Soon … Granular Policy for AVC (Release 8): User and Device specific Application Policies
ROLE BASED APPLICATION POLICY
• Alice (Nurse) and Bob (IT Admin) are both employees in a hospital
• Both Alice and Bob are connected to the same SSID.
• Bob can access certain applications (e.g. YouTube), Alice cannot
ROLE BASED + DEVICE TYPE APPLICATION POLICY
• Alice can access EMR info on an IT provisioned Windows laptop
• Alice cannot access EMR info on her personal iPad
ROLE BASED + DEVICE TYPE + APPLICATION SPECIFIC POLICY
• Alice has limited access (rate limit) to Skype on her iPhone and limited download (directional) for BitTorrent
AVC on WLAN Converged Access deployment
Converged Access Wireless Model: New Campus Architecture
[Figure: two 5508 WLCs (MC roles), 5760 controllers, 3850 and 3750 access switches grouped in switch peer groups SPG2, SPG3 and SPG4 (MA roles), DMZ with ISE, PI and MSE, intranet. AP CAPWAP terminates at the 3850.]
The NG access switch (3850) sees native client traffic and performs the 802.11 to 802.3 conversion, so AVC is applied at the access switch.
Converged Access Wireless Model: Use 5760 in Distribution to terminate CAPWAP for some APs
[Figure: same campus (5508 WLCs, 5760, 3850 and 3750 switches, SPG1 to SPG4, MC/MA roles, intranet). Some APs terminate CAPWAP at the 5760 controller, others at the 3850.]
Features can be applied to the NG access switch; native traffic hits the switch after the 5760, where AVC is applied.
AVC Deployment: Converged Access
[Figure: campus block with 3850/Converged Access and 5760, WAN block, Catalyst switch QoS (ingress/egress).]
• AVC/NBAR2 for wireless traffic
• NetFlow export (AP and switch)
• Upstream QoS (AP to switch): NBAR2 integrated QoS
• Downstream QoS (switch to AP): NBAR2 integrated QoS
• AVC/NBAR2 for wired traffic (roadmap)
Notes: the 5760 is an advanced controller in the distribution (like the 5508s) that will be equipped with features like NetFlow export and downstream QoS for wireless clients, as shown. Dots in the picture are marked against one device only for representation; they apply to all routers.
AVC Deployment: Configuration
Application Visibility – Cat 3850
flow record fr-avc
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
match application name
match wireless ssid
collect counter bytes long
collect counter packets long
collect wireless ap mac address
collect wireless client mac address
end
flow monitor fm-avc
record fr-avc
cache timeout inactive 200
end
wlan <>
ip flow mon fm-avc input
ip flow mon fm-avc output
end
Cat3850#sh avc client 8c70.5a20.35b4 top 10 application agg
Cumulative Stats:
No. AppName Packet-Count Byte-Count AvgPkt-Size usage%
-----------------------------------------------------------------------------------
1 http 69451 72146465 1038 67
2 youtube 16284 17117601 1051 15
3 rtmpe 9349 9266013 991 8
4 hulu 8096 7974952 985 7
5 unknown 1686 126067 74 0
6 rtmp 1593 1723269 1081 2
7 netflix 1305 1371679 1051 1
8 ssl 937 530577 566 0
9 dns 748 70418 94 0
10 facebook 512 372629 727 0
Last Interval(90 seconds) Stats:
No. AppName Packet-Count Byte-Count AvgPkt-Size usage%
------------------------------------------------------------------------------------
1 http 65410 68322192 1044 78
2 rtmpe 8812 9242082 1048 11
3 youtube 5752 6262985 1088 7
4 rtmp 1593 1723269 1081 2
5 netflix 1305 1371679 1051 2
6 unknown 797 76004 95 0
7 dns 265 29420 111 0
8 flash-video 206 196639 954 0
9 ssl 148 62384 421 0
10 hulu 82 25238 307 0
Application Visibility – AP
APf0f7.55ae.c2f7#sh avc cft 8c70.5a20.35b4
Flow ID Src IP Dst IP S-Port D-Port AppID App Name FlowAge Priority
---------------------------------------------------------------------------
2515 192.168.10.36 54.245.239.118 50802 443 1316 netflix 60 0
2507 192.168.10.36 69.164.8.157 49822 80 3 http 30 0
2503 192.168.10.36 74.125.228.124 50799 80 1 unknown 60 0
2498 192.168.10.36 54.243.105.142 50797 80 1 unknown 60 0
2495 192.168.10.36 192.168.10.255 137 137 1421 netbios-ns 30 0
2488 192.168.10.36 74.125.228.123 50715 80 3 http 60 0
2478 192.168.10.36 74.217.78.158 50789 80 3 http 60 0
2464 192.168.10.36 74.217.78.146 50784 80 3 http 60 0
2453 192.168.10.36 192.168.10.46 49616 23 42 telnet 30 0
2428 192.168.10.36 107.22.167.61 50759 80 3 http 60 0
2414 192.168.10.36 31.13.73.65 50754 443 1454 facebook 60 0
2408 192.168.10.36 192.204.4.56 50748 80 3 http 60 0
2407 192.168.10.36 165.254.158.75 50747 80 3 http 60 0
2397 192.168.10.36 192.204.4.56 50738 80 1317 hulu 60 0
2362 192.168.10.36 23.33.187.96 50714 80 1317 hulu 60 0
1711 192.168.10.36 72.21.207.18 50387 80 3 http 60 0
1551 192.168.10.36 152.2.63.68 50348 8000 1478 shoutcast 60 0
856 192.168.10.36 108.175.34.76 49958 80 3 http 60 0
295 192.168.10.36 74.125.228.117 49612 443 1073 gmail 60 0
293 192.168.10.36 66.163.36.181 49611 443 1312 ssl 60 0
286 192.168.10.36 108.160.163.50 49609 80 1485 dropbox 90 0
285 192.168.10.36 74.125.132.125 49608 5222 1324 gtalk-chat 60 0
Number of Flow IDs for the above Client is 22
APf0f7.55ae.c2f7#sh avc nbar stat
Dumping NBAR2 Statistics :
ID Protocol Name IN OUT
=== ============= == ===
0 none 219 0
1 unknown 5123 3324
3 http 58958 265383
13 dhcp 40 5
42 telnet 911 784
72 dns 1194 655
82 youtube 11632 58788
117 flash-video 1219 6285
120 audio-over-http 616 2739
1067 rtmp 247 1346
1073 gmail 268 346
1312 ssl 15980 75504
1316 netflix 1050 3000
1317 hulu 12943 31299
1324 gtalk-chat 50 51
1404 ping 79 3
1416 rtmpe 9413 51515
1421 netbios-ns 423 0
1453 twitter 74 118
1454 facebook 263 438
1456 google-services 961 1564
1457 google-plus 380 715
1462 yahoo-mail 59 59
1478 shoutcast 2208 8112
1485 dropbox 40 68
================================
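As an added example (not code from the slides or from Cisco), the following Python parses the AP's `sh avc cft` flow table shown above and evaluates a constructed AVC profile against each flow, applying the DROP/MARK-only actions, the 32-rule limit and the UNCLASSIFIED bucket described on the "Enabling AVC" and "AVC Quick Summary" slides. The profile name, its rules and the DSCP value are assumptions chosen for illustration.

```python
from collections import namedtuple

# Constructed excerpt of the AP's `sh avc cft <client-mac>` output shown above
# (same columns; only four of the 22 flows are kept).
CFT_OUTPUT = """\
Flow ID Src IP Dst IP S-Port D-Port AppID App Name FlowAge Priority
---------------------------------------------------------------------------
2515 192.168.10.36 54.245.239.118 50802 443 1316 netflix 60 0
2503 192.168.10.36 74.125.228.124 50799 80 1 unknown 60 0
2453 192.168.10.36 192.168.10.46 49616 23 42 telnet 30 0
2397 192.168.10.36 192.204.4.56 50738 80 1317 hulu 60 0
Number of Flow IDs for the above Client is 4
"""

MAX_RULES_PER_PROFILE = 32   # limit from the "AVC Quick Summary" slide
Flow = namedtuple("Flow", "flow_id src dst sport dport app_id app")

def parse_cft(text):
    """Return one Flow per data row; header, ruler and trailer lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly 9 fields and start with a numeric Flow ID.
        if len(parts) != 9 or not parts[0].isdigit():
            continue
        flows.append(Flow(int(parts[0]), parts[1], parts[2], int(parts[3]),
                          int(parts[4]), int(parts[5]), parts[6]))
    return flows

class AvcProfile:
    """An AVC profile: up to 32 rules, each mapping an NBAR app name to DROP or MARK <dscp>."""
    def __init__(self, name):
        self.name = name
        self.rules = {}

    def add_rule(self, app, action, dscp=None):
        if len(self.rules) >= MAX_RULES_PER_PROFILE:
            raise ValueError("a profile holds at most 32 rules")
        if action not in ("DROP", "MARK"):
            raise ValueError("AVC actions are DROP or MARK only")
        if action == "MARK" and (dscp is None or not 0 <= dscp <= 63):
            raise ValueError("MARK needs a DSCP value in 0..63")
        self.rules[app] = (action, dscp)

    def evaluate(self, flow):
        """NBAR classifies first: traffic it cannot recognize lands in the
        UNCLASSIFIED bucket and never matches an application rule."""
        if flow.app == "unknown":
            return ("UNCLASSIFIED", None)
        return self.rules.get(flow.app, ("PERMIT", None))

def apply_profile(profile, cft_text):
    """Evaluate a profile against every flow in a cft dump: {flow_id: (action, dscp)}."""
    return {f.flow_id: profile.evaluate(f) for f in parse_cft(cft_text)}

if __name__ == "__main__":
    guest = AvcProfile("guest-wlan")   # constructed: drop Hulu, mark Netflix CS1
    guest.add_rule("hulu", "DROP")
    guest.add_rule("netflix", "MARK", dscp=8)
    print(apply_profile(guest, CFT_OUTPUT))
```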
3.3.x SE Deliverables
• Configuration pushed from Controller/Switch to AP using CSM
• NBAR2 runs on the AP
• NBAR2 on the AP identifies the application, and the AP sends the flow-to-application binding, user identification, etc. to the Controller/Switch.
• Controller/Switch consolidates the flows from all the APs and sends them to the external collector and also to the local FNF cache.
• Controller/Switch facilitates WebUI display and hosts the top-N CLIs.
• Controller/Switch is responsible for ageing out the records.
• Controller/Switch sends out optional records for user-mac to user-name, and app-id to app-name/app-description.
• No control for AVC in 3.3.0 (roadmap).
Coming soon … AVC Phase 2 (Release XE3.6)
VideoStream Multicast on Wireless
Video Multicast Delivery Challenges
[Figure: video server to an AP 1140; 802.11 data rate ladder: B/G 1, 2, 5.5, 6, 9, 12, 18, 24, 36, 48, 54 Mbps and N rates M0, M1 … M14, M15, with the default 802.11b/g mandatory data rates highlighted.]
Technical Challenges
• Multicast packets (UDP) are sent as broadcast packets over the air per the 802.11 standard
• Broadcast packets do not use error correction: “fire and forget”
• Broadcast packets are sent at the lowest supported mandatory data rate: 1 Mbps for B/G (400 Kbps actual), 6 Mbps for A (2.7 Mbps actual)
Video Impact: Choppy, Unreliable Video
• The video stream does not utilize 802.11n High Throughput data rates
• Heavy utilization of the channel due to a high rate of very slow packets
• Video delivery is not reliable, causing poor Quality of Experience
Video Multicast Delivery Solution
[Figure: same data rate ladder; video server to AP; the intelligence sits in the AP.]
Technical Solution
• IGMP state is monitored for each client; video is only sent to clients requesting it
• Multicast packets are replicated at the AP and sent to individual clients at their data rate
• Resource Reservation Control (RRC) is used to prevent channel oversubscription; works in conjunction with Voice CAC
• Stream prioritization ensures important videos take precedence over others
• SAP/SNMP error message created when the channel subscription is violated
Video Impact
• Smooth, reliable video delivered to multiple clients
• Quality of video protected in varying channel load conditions
• Prevents video flooding
• Prioritizes business video over other video
Intelligence in the AP
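The two slides above argue from airtime: one broadcast copy at the mandatory rate versus per-client unicast copies admitted by RRC in stream-priority order. The following Python works that argument through with numbers; it is an added example, not code from the slides or from Cisco. The 400 Kbps and 2.7 Mbps figures are the slide's; the per-client unicast throughputs, the 50% video airtime budget and the client names are assumptions.

```python
# Added example (not from the slides): airtime cost of one video stream sent as an
# 802.11 broadcast at the mandatory rate, versus VideoStream replicating it to each
# IGMP-joined client as unicast with RRC admission in stream-priority order.

# Actual throughput at the lowest mandatory rate, as quoted on the slide:
# 1 Mbps nominal -> ~400 Kbps for 802.11b/g, 6 Mbps nominal -> ~2.7 Mbps for 802.11a.
BROADCAST_EFFECTIVE_KBPS = {"b/g": 400, "a": 2700}

# ASSUMED effective unicast throughput (kb/s) per client data rate, taken as ~45% of
# nominal, the same nominal-to-actual ratio the slide gives for 802.11a. M15 is an
# 802.11n MCS (130 Mbps nominal, 20 MHz); the others are legacy OFDM rates in Mbps.
UNICAST_EFFECTIVE_KBPS = {"6": 2700, "24": 10800, "54": 24300, "M15": 58000}


def broadcast_airtime(stream_kbps, band):
    """Fraction of channel time one stream takes when sent once as broadcast at the
    lowest mandatory rate. A result above 1.0 means the channel cannot carry it."""
    return stream_kbps / BROADCAST_EFFECTIVE_KBPS[band]


def client_airtime(stream_kbps, client_rate):
    """Fraction of channel time one unicast copy takes at the client's own rate."""
    return stream_kbps / UNICAST_EFFECTIVE_KBPS[client_rate]


def rrc_admit(requests, max_video_share=0.5):
    """Resource Reservation Control with stream prioritization.

    requests: list of (client, stream_kbps, client_rate, priority), priority 1 = highest
    (business video). Copies are admitted in priority order while the total video
    airtime stays within max_video_share (the 50% here is an assumed budget, not a
    Cisco default); a copy that would exceed it is denied, which is the condition the
    slide reports via an SNMP error. Returns (admitted, denied, airtime_used).
    """
    admitted, denied, used = [], [], 0.0
    for client, kbps, rate, _prio in sorted(requests, key=lambda r: r[3]):
        need = client_airtime(kbps, rate)
        if used + need <= max_video_share:
            admitted.append(client)
            used += need
        else:
            denied.append(client)
    return admitted, denied, used


if __name__ == "__main__":
    # Constructed scenario: one 1.5 Mbps stream wanted by three clients, plus a
    # 4 Mbps lobby display, all on one AP radio.
    print("broadcast b/g:", round(broadcast_airtime(1500, "b/g"), 2))   # 3.75 -> impossible
    print("broadcast a  :", round(broadcast_airtime(1500, "a"), 2))     # 0.56 of the channel
    requests = [("ceo-laptop", 1500, "54", 1), ("ceo-tablet", 1500, "M15", 1),
                ("guest-phone", 1500, "6", 3), ("lobby-display", 4000, "24", 2)]
    print(rrc_admit(requests))
```

The guest phone at 6 Mbps is denied because one 1.5 Mbps copy at that rate alone needs about 56% of the channel, which is exactly the oversubscription RRC exists to prevent.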
Reliable Multicast – Controller Configuration
Enable controller for Multicast
Configure AP Multicast Mode – Multicast
Configure a UNIQUE Multicast Group Address
Reliable Multicast – Controller Configuration
Enable IGMP Snooping
Enable Global Multicast Mode & IGMP Snooping
Configure IGMP Timeout
Reliable Multicast – Controller Configuration
Enable Multicast Direct
Reliable Multicast – CUWN Controller Configuration
Add Media Stream
Reliable Multicast – CUWN Controller Configuration
Network Configuration, EDCA Parameters
By default configured for WMM
Voice clients on the Network – Configure Voice & Video Optimized
Reliable Multicast – Controller Configuration
CAC, Media/Media
Reliable Multicast – Controller Configuration
CAC, Media/Voice
Reliable Multicast – Controller Configuration
CAC, Media/Video
Reliable Multicast – Controller Configuration
WLAN configuration
Configure WLAN QOS to GOLD
Enable Multicast Direct
Reliable Multicast – Controller Configuration
Step 14 - Enable 802.11a network & WLAN
AP Multicast – IOS-XE Controller Configuration
To enable Multicast-Multicast: ap capwap multicast x.x.x.x
CT-5760-B#sh wireless multicast
Multicast : Disabled
mDNS : Disabled
AP Capwap Multicast : Unicast
Wireless Broadcast : Disabled
Wireless Multicast non-ip-mcast : Disabled
Vlan Non-ip-mcast Broadcast MGID
------------------------------------------------------
1 Enabled Enabled Enabled
500 Enabled Enabled Disabled
700 Enabled Enabled Disabled
Multicast-Unicast by default
Key Takeaway
What can AVC do for me? How?
• Identify various applications in my network: NBAR2 uses DPI to identify 1000+ applications
• Collect traffic information and performance metrics without a hardware probe: embedded monitoring exports information in standard NetFlow v9
• Provide data for proactive monitoring and troubleshooting: both Cisco Prime Infrastructure and 3rd-party collectors are supported
• Tune my network to improve application performance: application-aware QoS leveraging NBAR2 to identify applications
Application Performance Monitoring for iWAN: Track and Report Application Flows and Performance
[Figure: branch, WAN, enterprise edge, DC/headquarters and private cloud (CSR), with AVC at each site; provisioning, exporting (NetFlow v9 / IPFIX export) and collecting tiers; proliferation of devices, users/machines.]
NetFlow/IPFIX records (same provisioning, same format):
• Traffic statistics records
• Application Response Time records
• Media monitoring records (application, jitter, loss, etc.)
Partner tools ecosystem: InfoVista, Plixer, ActionPacked, CompuWare, CA Technologies, Living Objects, Glue
Wired-Like Video Delivery over Wireless: Cisco VideoStream Technology
[Figure: a global enterprise before (manual RF management) and after (dynamic RF management), carrying a CEO meeting, an M&A negotiation and a sports event stream.]
Many Other Features to support Applications…
Event Driven RRM (CleanAir)
QoS: Profile on SSID, Bandwidth Contract
Voice & Video CAC
mDNS Gateway (Bonjour protocol…)
Client Link
…
Thank you.