Catalyst 9800 101 Series Episode 4 Application Visibility QoS Policies and Local Profiling

Captions
[Music] Hey everyone, welcome back to the Catalyst 9800 101 series. My name is Justin Liu, a technical marketing engineer here in Cisco's Enterprise Network Wireless BU. Last time we covered how to create a WLAN using the advanced setup workflow, and today in episode 4 of the series we'll be covering how to enable application visibility and then use that to create an app-based QoS policy, and then we'll verify this QoS policy. Afterwards we'll enable local profiling for device classification and then use that to create a local profiling policy, which will apply different policies based on device type, and finally we'll verify the local policy.

So before we get started, let's go over exactly what Application Visibility and Control, or AVC, is. AVC is a Cisco leading approach for deep packet inspection technology in wireless and wired products. It leverages the Network-Based Application Recognition engine, which will allow us to identify applications using the layer 7 signatures, and this can run on either the APs or controllers. The results are then reported via Flexible NetFlow messages and are aggregated by the WLC. The WLC can also act as an internal flow collector as well as export these NetFlow messages to external collectors such as Cisco Prime. Within the WLC UI, users can view statistics about the different application performance over an interval of time. Additionally, with application visibility enabled, users can then define control rules with policing mechanisms at client level, such as through app-based QoS policies. So now let's hop onto the WLC to see how we can enable this.

Okay, now that we're in the web UI of the 9800, let's enable application visibility. To do this we'll go to Configuration, Services, Application Visibility. To enable application visibility we'll need to select the wireless policy profile in which to enable this. In my case I'm going to select local policy; this was the wireless policy profile we created last episode in the advanced WLAN section. So to do this we'll
click the blue arrow next to local policy to move it to the enabled section, and then we'll ensure that the check box under Visibility is checked. And then for Local, I'm going to ensure that box is checked, as I'm going to be using the WLC as a local flow collector. But if you're also using an external flow collector, check the box next to External and input the IP address of your flow collector. But here I'm going to uncheck External and then click Apply, and now we can see the configuration was successfully applied, so application visibility is now enabled.

So now let's verify that application visibility is up and running correctly. To do this we'll go to the dashboard and check if a client is connected to the Pod1 PSK WLAN, which is associated to the local policy wireless policy profile. So if you click on Clients, we can see indeed we have a client connected to the Pod1 PSK. So now let's go to Monitoring, Services, Application Visibility, and on this page you can select the wireless clients to connect to your network, but in my case there's only one, and then view the different types of applications that are being run, as well as which ones are being used the most or the least, and get different statistics as well on the different applications.

So now that we've enabled and verified application visibility, let's now create an app-based QoS policy. So to do this we'll go to Configuration, Services, QoS, and today we'll create a QoS policy that will block youtube.com and any YouTube services. So to do this we'll click Add, and again we'll go to Policy Name and name the policy youtube block. Next we'll go to Add Class-Maps and leave AVC/User Defined as AVC, Match as All, Mark Type as None. Next we'll check the box next to Drop, and then for the match type we'll choose Protocol, and in the available protocols we'll search for youtube. We'll select youtube and click the right arrow to move to the selected protocol section and click Save, and now any YouTube traffic will be dropped. And to apply this
QoS policy to local policy, we'll click the right arrow to move to the selected section and ensure the box under Ingress is checked. So what this means is that the QoS policy will be applied to traffic sent from a wireless source to a wired target. So to save this we'll click Apply to Device, but before we do so, let's first verify that youtube.com is indeed working on a wireless client, in this case my iPhone.

So now that I'm on my iPhone, let's go to the Cisco WLAN YouTube channel, and as you can see, we can access the YouTube channel. So now let's go back to the WLC and apply this QoS policy and try this again. So in the Add QoS window I'm going to click Apply to Device. So because we've applied the QoS policy, any clients associated to the local policy wireless policy profile will lose connectivity, so we'll wait for these clients to rejoin our network.

So now we're back and the iPhone has reconnected back to our network. So I'm going to open up a new tab and try to access the Cisco WLAN YouTube page once more, and now it looks like we're not able to connect to youtube.com, and eventually this request will time out and will be redirected to a cannot connect page. So I'm going to speed up the video until we reach the cannot connect page. So now the request is timed out and we've been redirected to "Safari could not open the page because the server stopped responding", verifying that our QoS policy blocking youtube.com indeed works.

So now let's go enable local profiling for device classification on our WLC. Local profiling allows for the device type of the wireless clients that join the network to be noted, and using this device type, network admins can create local profiling policies which can apply different access policies for device types. For example, one device type can be put into VLAN 2 with QoS policy 2, while another device type can be put into VLAN 3 with QoS policy 3.
To classify the devices locally, the 9800 uses the OUI portion of the device MAC address as well as HTTP and DHCP profiling. For more information, please see the link in the description below. So now let's hop into the web UI and see how we can enable local profiling and create these local policies.

So now that we're back in the web UI of the 9800, let's enable local profiling so that we can see the device types for the different wireless clients that are connected to our network. So first, we currently have one client connected to our network, so we'll click on the one on the active, and here we can see that the device type is not available, but I know for a fact my device is an iPhone. So to enable local profiling we'll go to Configuration, Wireless, Wireless Global, and here in the box next to Device Classification we'll check it and click Apply.

So now that local profiling has been successfully enabled, let's go verify that my device is now being correctly classified as an iPhone. So to do this we'll go to Monitoring, Wireless, Clients. So now we can see that the MAC address of the client as well as the IP address are the same, but now the device type shows Apple device as opposed to not available. Also, if we go back to the main dashboard and scroll all the way down to the client device type section, we can get a graphical breakdown for the different types of devices that are joined to our network. Currently there's only one device type shown here, as there's only one client connected to our network. If other clients join the network, their device types will also populate this section. So let me go join other devices to our network and I'll be back.

So now that I'm back, I've connected two other devices to our wireless network. I've connected an Apple iPad, which is at .11.16, and it's been classified as an Apple device, and also a Google Pixel, 1.11.14, and this has been classified as a Linux workstation. And now with the iPhone, it's now being classified as an Apple iPhone as opposed to an Apple
device. So now we can view the different types of devices on the monitoring page. So go to Monitoring, Services, Local Profiling; we can get a breakdown of different devices that are joined to our network. So we have an Apple iPhone, Apple device and a Linux workstation. On the right side we get an exact count for the different types of devices that are joined to our network, so we have one of each type.

So now let's configure a local policy using the device type. So to do this we'll go to Configuration, Local Policy, and here we'll create a new service template. So our service template, which we'll name iphone, will define what type of access policies will apply for the device type. So in this case I'm going to apply a VLAN ID of 2 and click Apply to Device. So now, to actually map the service template to be applied to specific devices, we'll have to create a policy map. So go to the Policy Map section and click Add, and here in the policy map name we'll name this apple iphone, and in the match criteria list we'll click Add to create a new match list. And here for the service template we'll select our created iphone service template, and in the device type we'll choose equals Apple iPhone. Then we'll click Add Criteria to save the mapping and click Apply to Device.

So now that we've created the policy map, we'll now need to apply this to our local policy wireless policy profile. So to do this we'll go to Configuration, Tags and Profiles, Policy, and here we'll select the local policy policy profile. We'll go to the Access Policy tab, and then under Local Subscriber Policy Name we'll select the apple iphone policy map we created and click Update and Apply to Device. This will cause all our devices to lose connectivity to our network and they'll have to rejoin, so I'll come back once our devices have rejoined the network.

So now that devices have rejoined our network, we can see that the Apple iPad has maintained the IP of 11.16 and device type of Apple device, as well as the Pixel, it's still 11.14, but
now if you look at the iPhone, its IP address is now 2.11. So if you select this and go to the General tab and then go to the Security Information sub tab, we can see that the service template of iphone has been applied and it's now on VLAN 2. So now if we select any of the other devices, so like the Apple iPad, we can see that the iphone service template has not been applied and it's still on the management VLAN, so VLAN ID 11. And this is the case for the Google Pixel as well, so if we select this we can verify that the VLAN name is management and VLAN ID 11, indicating that our local policy has indeed worked.

And with that we've come to the end of episode 4 of the 9800 101 series. In summary, we've enabled application visibility, used that to create an app-based QoS policy, verified that QoS policy, and then we enabled local profiling for device classification on our WLC and used that to create a local policy that will be applied to different device types, and then verified that local policy. Please join us next time, where we'll go over the detailed steps to define a secure employee WLAN as well as a guest WLAN. And if you found this video helpful and informative, please click the like button and subscribe to our YouTube channel. And as always, thank you for watching and have a nice day.
Info
Channel: Cisco Catalyst TV
Views: 529
Keywords: C9800, Catalyst 9800, Cisco Wi-Fi, Wi-Fi 6, Enterprise Wireless, C9800 Prime, Catalyst Wireless Primer Series, Cisco EN Wireless, Next Generation WLC, Wireless Controller
Id: -dkYUDzeIOM
Length: 12min 2sec (722 seconds)
Published: Thu Jun 10 2021