What exactly is Cisco AVC?
Cisco Application Visibility and Control (AVC) is a solution that combines multiple technologies of the Cisco ASR 1000 Series Aggregation Services Routers (ASR 1000) and Cisco Integrated Service Routers Generation 2 (ISR G2) with network management tools. Together they provide a powerful and pervasive integrated solution for discovering and controlling applications. Network administrators gain visibility into the applications running in their network and their performance, and can apply application policy control to improve application performance and control network resource usage.
How does Cisco AVC work?
AVC works by enabling the software features within the Cisco ASR 1000 and Cisco ISR G2, in conjunction with network management tools, to perform the following functions:
- Application recognition: use Deep Packet Inspection (DPI) to recognize and identify applications regardless of port number.
- Performance monitoring: use the monitoring capabilities embedded in the routers to extract and collect application usage and performance metrics, then aggregate and export this information to network management tools in an open export format such as NetFlow Version 9 or IPFIX.
- Network management: enable Cisco and third-party network management tools to present visualizations to end users, provide feedback, and implement policy on network devices to fine-tune performance.
- Control: control per-application bandwidth usage and intelligently select the path used to deliver an application based on real-time performance.
Which technologies are used in Cisco AVC?
Cisco® AVC consists of the following technologies:
- Next-generation DPI technology called NBAR2, which can identify more than 1000 applications and support application categorization, with the ability to perform in-service update of application signatures.
- Flexible NetFlow (FNF) infrastructure and data export to select and export data of interest, allowing easy consumption of AVC information by Cisco and third-party applications.
- Performance collection engine to collect Application Response Time (ART) for TCP applications, and Media Monitoring (MMON) to collect voice and video performance metrics such as jitter and loss. All of this information is exported through the Flexible NetFlow infrastructure.
- Reporting and management tools, such as Cisco Prime™ Infrastructure with Assurance module, an enterprise-grade infrastructure management and service monitoring tool for reporting on application and network performance, and a number of AVC Cisco Developer Network (CDN) partners such as ActionPacked, InfoVista, LivingObjects, and Plixer.
- QoS to facilitate optimization and control of application performance.
- Performance Routing (PfR) to provide per-application intelligent path selection based on real-time performance data.
Ordering, Licensing, Platform
What platforms support AVC?
For WAN platforms, AVC is currently supported on the Cisco ASR 1000 and Cisco ISR G2 routers. In addition, the Cisco Wireless LAN Controller (WLC) also supports AVC.
Which software release is required for AVC?
AVC is supported on the Cisco ASR 1000 starting with IOS XE 3.4S and on the Cisco ISR G2 starting with IOS 15.2(4)M2.
What licenses do I need to run AVC?
AVC support is provided by a Right-To-Use (RTU) license on both the Cisco ASR 1000 and Cisco ISR G2.
| Platform | Required license |
|---|---|
| ISR G2 (880 and 890) | Advanced IP license (advipservices) |
| ISR G2 | AX license |
| ASR1K | Advanced IP Services (AIS) or Advanced Enterprise Services (AES) license, and in addition, AVC license (FLASR1-AVC-RTU) |
Can I run AVC if I have an FPI license (FLASR1-FPI-RTU)?
No. Starting with IOS XE 3.4S, the FPI license (FLASR1-FPI-RTU) is obsoleted by the AVC license (FLASR1-AVC-RTU). There is an upgrade license (FLASR1-AVC-UPG) to upgrade your FPI license to AVC.
Is there a demo license for AVC?
The AVC license on the router is a right-to-use (RTU) license. In other words, this is a trust-based license and is available on the ASR1000 and ISR G2. Customers can enable the license for demo and evaluation purposes for up to 60 days.
Do I need an AVC license if I want to use NBAR2 and QoS?
Yes, both NBAR2 and QoS are components of AVC to provide per-application bandwidth control.
Features and Functionalities
Where can I find AVC performance information?
The AVC performance depends on a number of factors, such as platform, memory, ESP (in case of ASR 1000), traffic profile, and features.
Do we support PBR with NBAR2 as part of AVC?
As of today, QoS and PfR are the main control mechanisms for AVC. We are looking to add newer forms of control in future releases, and PBR is one of those being investigated. Please reach out to the ask-avc-pm alias for more specifics.
Will IPFIX export be supported with AVC?
IPFIX is supported as of XE 3.7S and 15.2(4)M2.
How easy is it for a customer to use AVC to control P2P traffic?
AVC identifies more than 1000 applications, several among these being P2P applications. In addition, AVC has a special category for P2P applications, which customers can use in their QoS policies to filter or rate limit P2P traffic. The following example shows how to identify and limit P2P applications.
    class-map match-any p2p-app
     match protocol dht
     match protocol attribute sub-category p2p-file-transfer
    policy-map control-policy
     class p2p-app
      police 8000 conform-action transmit exceed-action drop
Can we drop traffic based on application id?
Yes, AVC integration with QoS allows you to create a policy to police or drop traffic based on NBAR2 application or NBAR2 application attributes such as category.
Is AVC IPv6 aware?
Yes, AVC supports identifying, monitoring, and controlling bandwidth for applications running over IPv6.
Does AVC work with ISG or PPP?
AVC is not yet supported with ISG subscriber side interface. Configuring AVC on the uplink interface is supported. NBAR2 and QoS are supported on the PPP virtual-template interface. We have tested up to 4000 PPP virtual-access interfaces.
Does AVC support VRF?
On Cisco ASR 1000, AVC can also collect and export information per VRF.
How many match protocol http url statements can an ASR support?
Currently, 20 match protocol http url statements are allowed. An error is generated if more than 20 are attempted.
Where do I get a list of applications currently supported by NBAR2?
For the external list, please go to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
For the Protocol Pack page, please go to http://www.cisco.com/en/US/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html
What is the multi-stage classification introduced in IOS XE 3.7S?
Applications such as flash-video require a few packets before the application can be determined. Before this feature, NBAR identified the application as unknown until the final classification. This feature allows NBAR2 to store the interim classification information, as in unknown -> HTTP -> flash-video. Features such as ip nbar protocol-discovery can use the interim classification information to reduce the number of packets classified as unknown because NBAR2 cannot yet identify the final application.
Do I need to upgrade my router software to get the latest NBAR2 signatures?
No. AVC uses NBAR2, which supports application signature updates through the NBAR2 Protocol Pack, so new application signatures can be loaded into the routers while they are in service. The minimum software releases that support loading an NBAR2 Protocol Pack are IOS XE 3.7S and IOS 15.2(4)M2.
What is the process of installing a protocol pack on the router, and what is the impact?
The protocol pack is provided as a file that must be placed on the router flash. Then apply the configuration ip nbar protocol-pack <path_to_protocol_pack> to load the new protocol pack. This deactivates the built-in protocol pack that comes with the IOS release and starts using the new protocol pack. During this process, active traffic may be misclassified for 15-60 seconds, depending on your router CPU load.
In 15.2(4)M2 and XE 3.8S, NBAR2 supports URL-based custom applications. How many custom applications can be supported?
URL-based custom applications allow user-defined custom applications based on HTTP hostname, URI, or both. NBAR2 supports up to 121 custom applications. Of these 121 custom applications, up to 65 can be URL-based custom applications.
How many stateful signatures does NBAR2 support?
NBAR2 supports 256 stateful signatures. These are the signatures identified in show ip nbar protocol-id as type L7 STANDARD. In 15.2(4)M2 and 3.7S, there are 189 stateful signatures. The limit of 256 stateful signatures will be increased in the next IOS and IOS XE release.
How does NBAR2 identify an SSL application without decrypting it?
For SSL applications such as WebEx and Office 365, NBAR2 uses the information seen during the certificate exchange to identify the application. This avoids the need to decrypt traffic, which is a very expensive operation for the router.
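An added illustration (not part of the original FAQ and not NBAR2's implementation) of why the certificate exchange is enough to label an SSL flow: the server's Certificate handshake message travels in cleartext, so the subject common name can be read and matched against a domain table. The domain, the application label, and the sample certificate bytes are constructed for the example.

```python
CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

def read_tlv(buf):  # split one DER element off buf -> (tag, value, rest)
    tag, n, off = buf[0], buf[1], 2
    if n & 0x80:  # long-form length: low 7 bits give the byte count
        off += n & 0x7F
        n = int.from_bytes(buf[2:off], "big")
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + n], buf[off + n:]

def children(body):  # list the (tag, value) elements inside a constructed value
    out = []
    while body:
        tag, val, body = read_tlv(body)
        out.append((tag, val))
    return out

def subject_cn(cert_der):  # subject commonName of an X.509 certificate, or None
    fields = children(children(read_tlv(cert_der)[1])[0][1])  # TBSCertificate fields
    if fields[0][0] == 0xA0:  # skip the optional explicit version tag
        fields = fields[1:]
    for _, rdn in children(fields[4][1]):  # serial, sigAlg, issuer, validity, subject
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)[:2]
            if oid == CN_OID:
                return value.decode("utf-8", "replace")
    return None

def classify(handshake, app_by_domain):  # label a cleartext Certificate message
    if handshake[0] != 11:  # HandshakeType 11 = certificate
        raise ValueError("not a Certificate handshake message")
    n = int.from_bytes(handshake[7:10], "big")  # length of the first (leaf) certificate
    cn = subject_cn(handshake[10:10 + n])
    for domain, app in app_by_domain.items():
        if cn and (cn == domain or cn.endswith("." + domain)):
            return app
    return "ssl"  # generic label when no name matches

# Constructed sample: a minimal certificate body (no key or signature), short lengths only.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body
def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode()))))

CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
           + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
           + name("Constructed Test CA") + tlv(0x30, tlv(0x17, b"130101000000Z") * 2)
           + name("meetings.example.com")))
SAMPLE = b"\x0b" + b"".join((len(CERT) + k).to_bytes(3, "big") for k in (6, 3, 0)) + CERT
```

This depends on the Certificate message being sent in the clear, as it is in TLS 1.2 and earlier; TLS 1.3 encrypts that message, so the name is no longer visible there.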
Can I configure FNF to export data out of the ASR1K management interface?
No, exporting FNF from the ASR1K management interface is not supported. FNF supports exporting the data out of an interface inside a VRF.
I see a sampler in the example for ASR1K AVC config, do I need it?
A sampler is a way for the ASR1K to sample only a selected number of connections, reducing the load on the ASR1K in Internet Edge deployments. Currently, a sampler is required for the ASR1K to send a flow record that Insight uses to discover the ASR1K device. It is mandatory for the ASR1K AVC solution.
What are the management tools that we can use with AVC?
AVC exports information using open export formats such as NetFlow Version 9 and IPFIX. This allows Cisco and third-party network management products to support Cisco AVC. Cisco Prime™ Infrastructure with Assurance module supports Cisco AVC. In addition, there are already AVC Cisco Developer Network (CDN) partners such as ActionPacked, InfoVista, LivingObjects, and Plixer. If the network management tool you are interested in is not in this list, please contact ask-avc-pm.
Which third-party tools support the AVC solution today, and what do they support?
A number of AVC Cisco Developer Network (CDN) partners support AVC, such as ActionPacked, InfoVista, LivingObjects, Plixer, CA and Compuware.
Will AVC be integrated with Cisco Prime?
Cisco Prime Infrastructure 1.2 supports AVC on ISR G2. Cisco Prime Infrastructure 2.0 (to be available Q2CY13) will support AVC on ASR 1000.
Is there a multi-tenant capable management tool available with AVC?
InfoVista SDM will support AVC on ISR G2 in Q2CY13 and supports multi-tenancy.
Can Cisco Prime Infrastructure associate an IP address with a username for AVC reports?
Cisco Prime Infrastructure 1.2 supports per-user application usage. Cisco Prime Infrastructure 2.0 adds additional user-based reports such as Top N users per application. User information is pulled by having Cisco Prime Infrastructure manage the access switches and WLC, with 802.1x enabled.
IOS Performance Agent
What is IOS Performance Agent, and how does it fit into Cisco AVC?
IOS Performance Agent (PA) is one of the software features used by Cisco AVC. It collects and exports Application Response Time (ART) such as Network Delay, Response Time, and Transaction Time for TCP applications. Network administrators can use this information to better understand application performance and bottlenecks in the network.