Re: 9800L and AVC setup help

perrymcgrew · ‎01-26-2024

Trying to figure out 9800L-F and AVC. I have read docs and believe I have it set up -- at least partially. I have 3 WLAN Policies in Configuration > Services > Application Visibility. Flow Monitors > Exported is defined as using the local 9800LF (exporter Type is Local). Flow Monitors > Monitor has wireless-avc-basic pointing to wireless-local-exporter

In the Profile Policies mentioned above, Policy Profile > QOS and AVC > Flow Monitor IPv4 Egress and Ingress are both pointing to wireless-avc-basic. This the same for all 3 Policies I have set in AVC.

Yet when I go to Monitoring > Services > Application Visibility, I am not getting what I expect.

It opens up with Source Type > SSID, SSID > All, Ditrection > All, Interval > Last 90 seconds and Clients. It displays "No data available" and lists 712 clients in the bottom portion. Never got this part to display anything.

Changing it from Clients to Applications and I do get graph and stats. But it is for All-SSID. If I choose the one WLAN SSID that is our corporate prodcution SSID, I get no results -- which is the one I really want to see. If I change it to the one of the other SSID, which is Management's BYOD SSID , I get the graphs and stats. The last SSID is an IT Test SSID that is not in use at the moment so I'd expect no traffic.

Any ideas?

TIA - Perry

RoadRunner4k · ‎01-29-2024

Which version of ios xe are you using?

Application Visibility and Control Deployment Guide for Cisco Catalyst 9800 Series Wireless Controllers, Cisco IOS XE Amsterdam 17.1

perrymcgrew · ‎01-29-2024

We are running IOS-XE 17.12.2. It's a long story why we ended up here...but the configuration was originally setup on previous version and had the same results.

I have read the setup docs and just can't see why I can't view Applications by the specific SSID I want to monitor.

RoadRunner4k · ‎01-29-2024

Is the NBAR files updated ?

NBAR2 Protocol Packs- 68.0.0

Release Notes for Cisco Protocol Pack 68.0.0 - Cisco

perrymcgrew · ‎01-29-2024

Yes, running Pack 68.
Works for this SSID:

CUN-WLC-9800LF#show avc status wlan LOR-MGMT
WLAN profile name: LOR-MGMT
----------------------------------------------------------
AVC configuration complete: YES

UN-WLC-9800LF#sh wireless profile policy detailed LOR-MGMT-Policy

Policy Profile Name : LOR-MGMT-Policy
Description : LOR-MGMT
Status : ENABLED
VLAN : LOR-MGMT
Multicast VLAN : 0
OSEN client VLAN :
Multicast Filter : DISABLED
QBSS Load : ENABLED
Passive Client : ENABLED
ET-Analytics : DISABLED
StaticIP Mobility : DISABLED
WLAN Switching Policy
Flex Central Switching : ENABLED
Flex Central Authentication : ENABLED
Flex Central DHCP : ENABLED
Flex NAT PAT : DISABLED
WLAN Flex Policy
VLAN based Central Switching : DISABLED
WLAN ACL
IPv4 ACL : GUEST_SPECTRUM_1&2
IPv6 ACL : Not Configured
Layer2 ACL : Not Configured
Preauth urlfilter list : Not Configured
Postauth urlfilter list : Not Configured
WLAN Timeout
Session Timeout : 28800
Idle Timeout : 300
Idle Threshold : 0
Guest LAN Session Timeout : DISABLED
WLAN Local Profiling
Subscriber Policy Name : Not Configured
RADIUS Profiling : DISABLED
HTTP TLV caching : ENABLED
DHCP TLV caching : ENABLED
DOT11 TLV accounting : DISABLED
CTS Policy
Inline Tagging : DISABLED
SGACL Enforcement : DISABLED
Default SGT : 0
WLAN Mobility
Anchor : DISABLED
AVC VISIBILITY : Enabled
IPv4 Flow Monitors
Ingress
wireless-avc-basic
Egress
wireless-avc-basic
IPv6 Flow Monitors
Ingress
wireless-avc-basic-ipv6
Egress
wireless-avc-basic-ipv6
NBAR Protocol Discovery : Disabled
Reanchoring : Disabled
Classmap name for Reanchoring
Reanchoring Classmap Name : Not Configured
QOS per SSID
Ingress Service Name : AutoQos-4.0-wlan-GT-SSID-Input-Policy
Egress Service Name : AutoQos-4.0-wlan-GT-SSID-Output-Policy
QOS per Client
Ingress Service Name : Not Configured
Egress Service Name : Not Configured
Umbrella information
Cisco Umbrella Parameter Map : Not Configured
DHCP DNS Option : ENABLED
Mode : ignore
Autoqos Mode : Guest
Call Snooping : Disabled
Tunnel Profile
Profile Name : Not Configured
Calendar Profile
Fabric Profile
Profile Name : Not Configured
Accounting list
Accounting List : RADIUS-Acct-Idnt
DHCP
required : DISABLED
server address : 0.0.0.0
Opt82
DhcpOpt82Enable : DISABLED
DhcpOpt82Ascii : DISABLED
DhcpOpt82Rid : DISABLED
APMAC : DISABLED
SSID : DISABLED
AP_ETHMAC : DISABLED
APNAME : DISABLED
POLICY TAG : DISABLED
AP_LOCATION : DISABLED
VLAN_ID : DISABLED

Need it to work on this SSID -- I can't see where the issue is - There is only 1 AVC setting on the profile

CUN-WLC-9800LF#show avc status wlan LOR-CORP
WLAN profile name: LOR-CORP
----------------------------------------------------------
AVC configuration complete: NO
Reason: [AVC_FNF_REASON_MULTIPLE_PP_SETTINGS] Multiple policy profile AVC settings associated with this WLAN
Related configuration: Policy profile name 'LOR-CORP-Policy'

CUN-WLC-9800LF#sh wireless profile policy detailed LOR-CORP-Policy

Policy Profile Name : LOR-CORP-Policy
Description : LOR-CORP
Status : ENABLED
VLAN : LOR-CORP
Multicast VLAN : 0
OSEN client VLAN :
Multicast Filter : DISABLED
QBSS Load : ENABLED
Passive Client : ENABLED
ET-Analytics : DISABLED
StaticIP Mobility : DISABLED
WLAN Switching Policy
Flex Central Switching : ENABLED
Flex Central Authentication : ENABLED
Flex Central DHCP : ENABLED
Flex NAT PAT : DISABLED
WLAN Flex Policy
VLAN based Central Switching : DISABLED
WLAN ACL
IPv4 ACL : Not Configured
IPv6 ACL : Not Configured
Layer2 ACL : Not Configured
Preauth urlfilter list : Not Configured
Postauth urlfilter list : Not Configured
WLAN Timeout
Session Timeout : 28800
Idle Timeout : 300
Idle Threshold : 0
Guest LAN Session Timeout : DISABLED
WLAN Local Profiling
Subscriber Policy Name : Not Configured
RADIUS Profiling : DISABLED
HTTP TLV caching : ENABLED
DHCP TLV caching : ENABLED
DOT11 TLV accounting : DISABLED
CTS Policy
Inline Tagging : DISABLED
SGACL Enforcement : DISABLED
Default SGT : 0
WLAN Mobility
Anchor : DISABLED
AVC VISIBILITY : Enabled
IPv4 Flow Monitors
Ingress
wireless-avc-basic
Egress
wireless-avc-basic
IPv6 Flow Monitors
Ingress
wireless-avc-basic-ipv6
Egress
wireless-avc-basic-ipv6
NBAR Protocol Discovery : Disabled
Reanchoring : Disabled
Classmap name for Reanchoring
Reanchoring Classmap Name : Not Configured
QOS per SSID
Ingress Service Name : AutoQos-4.0-wlan-ET-SSID-Input-AVC-Policy
Egress Service Name : AutoQos-4.0-wlan-ET-SSID-Output-Policy
QOS per Client
Ingress Service Name : Not Configured
Egress Service Name : Not Configured
Umbrella information
Cisco Umbrella Parameter Map : Not Configured
DHCP DNS Option : ENABLED
Mode : ignore
Autoqos Mode : Enterprise
Call Snooping : Disabled
Tunnel Profile
Profile Name : Not Configured
Calendar Profile
Fabric Profile
Profile Name : Not Configured
Accounting list
Accounting List : RADIUS-Acct-Idnt
DHCP
required : DISABLED
server address : 0.0.0.0
Opt82
DhcpOpt82Enable : DISABLED
DhcpOpt82Ascii : DISABLED
DhcpOpt82Rid : DISABLED
APMAC : DISABLED
SSID : DISABLED
AP_ETHMAC : DISABLED
APNAME : DISABLED
POLICY TAG : DISABLED
AP_LOCATION : DISABLED
VLAN_ID : DISABLED
VRF_NAME : DISABLED
Exclusionlist Params
Exclusionlist : ENABLED
Exclusion Timeout : 60
AAA Policy Params
AAA Override : DISABLED
NAC : DISABLED
AAA Policy name : default-aaa-policy
Vlan Fallback : DISABLED
WGB Policy Params
Broadcast Tagging : DISABLED
Client VLAN : DISABLED
Interim Accounting Updates : ENABLED
Hotspot 2.0 Server name : Not Configured
Mobility Anchor List
IP Address Priority
-------------------------------------------------------
mDNS Gateway
mDNS Service Policy name : default-mdns-service-policy
User Defined (Private) Network : Disabled
User Defined (Private) Network Unicast Drop : Disabled
Policy Proxy Settings
ARP Proxy State : ENABLED
IPv6 Proxy State : None
ARP Activity Limit
Exclusion : ENABLED
PPS : 100
Burst Interval : 5
NDP Activity Limit
Exclusion : ENABLED
PPS : 100
Burst Interval : 5
Airtime-fairness Profile
2.4Ghz ATF Policy : default-atf-policy
5Ghz ATF Policy : default-atf-policy
Link-local bridging : DISABLED

IP mac-binding : ENABLED