Layer 7 application visibility and control (AVC) seems like the hottest buzzword in the industry right now. Cisco has had web AVC in its IronPort Web Security appliances but has just announced it on its routers for all protocols. Cisco ISR G2 and ASR 1000 routers will now be able to detect applications and use the QoS Modular QoS CLI (MQC) to control them. Control mechanisms include bandwidth control, class-based marking, traffic shaping and policing, drop, weighted fair queuing and low latency queuing. The Cisco AVC engine recognizes and classifies a wide variety of protocols and applications, including web-based and other difficult-to-classify applications, and protocols that use dynamic TCP/UDP port assignments rather than a fixed well-known port.
Here are a few examples of the types of applications supported:
For a complete list see here.
To obtain AVC on the Cisco ISR G2 router you will need IOS release 15.2(2)T. In the IOS XE 3.4S release Cisco introduced application visibility and control features on its ASR 1000 series of routers. The ASR 1000 uses hardware-accelerated stateful deep packet inspection to fully reconstruct flows at layer 7 and determine the application type. This information is then used to provide application- and session-based classification and management of IP traffic. Because the whole process is hardware accelerated in the ASR 1000's QuantumFlow Processor, performance can scale up to 10 Gbps and 3 million sessions in a single router.
There are essentially three components to the AVC solution. First is the ASR 1000 itself, which does the classification and enforcement. Second is the Cisco Collection Manager software for log aggregation. Third is the Cisco Insight reporting software. See the diagram below for a visual of how they interact.
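To make the control side concrete, here is an added example of the MQC policy that the AVC engine feeds on an ASR 1000 or ISR G2. It is not configuration from the original post or from Cisco's documentation: NBAR classifies the applications, the child policy-map applies each of the control mechanisms the post lists (low latency queuing, bandwidth reservation, class-based marking, policing with drop, weighted fair queuing), and a parent policy shapes the whole interface. The interface name, class names, rates, DSCP values and the choice of protocols are assumptions for illustration.

```cisco
! Added example, not from the original post. Interface name, class
! names, rates, DSCP values and protocol choices are assumed.
!
! 1. Classification: NBAR identifies the application by inspecting
!    the payload, so a port-hopping or non-standard-port app still
!    lands in the right class.
class-map match-any AVC-VOICE
 match protocol rtp audio
class-map match-any AVC-BUSINESS
 match protocol citrix
 match protocol http
class-map match-any AVC-RECREATIONAL
 match protocol bittorrent
 match protocol skype
!
! 2. Control: one MQC action per class.
policy-map AVC-WAN-OUT
 ! Low latency queuing plus class-based marking for voice.
 class AVC-VOICE
  priority percent 20
  set dscp ef
 ! Guaranteed share of the remaining bandwidth for business apps.
 class AVC-BUSINESS
  bandwidth remaining percent 40
  set dscp af31
 ! Policing: anything above 512 kbps of recreational traffic is dropped.
 class AVC-RECREATIONAL
  police cir 512000 conform-action transmit exceed-action drop
 ! Weighted fair queuing for everything else.
 class class-default
  fair-queue
!
! 3. Traffic shaping: the parent shapes to the WAN rate (10 Mbps here)
!    and hands the shaped bandwidth to the child queuing policy.
policy-map AVC-WAN-SHAPE
 class class-default
  shape average 10000000
  service-policy AVC-WAN-OUT
!
! 4. Apply outbound on the WAN interface. Protocol discovery adds
!    per-interface, per-application counters for visibility from the CLI.
interface GigabitEthernet0/0/1
 ip nbar protocol-discovery
 service-policy output AVC-WAN-SHAPE
```

Check the result with `show policy-map interface GigabitEthernet0/0/1` (per-class offered rate, drops and policer conform/exceed counters) and `show ip nbar protocol-discovery interface GigabitEthernet0/0/1 top-n 10` to confirm traffic is actually being classified into the expected protocols before you trust the policy. Two caveats a practitioner should keep in mind: NBAR classification is a best-effort signature match, so encrypted or tunnelled traffic can end up in `class-default`, and policing to drop is an enforcement decision that should be agreed with whoever owns the application, not a silent side effect of a visibility rollout.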
As you can see from the diagram, Flexible NetFlow v9 is used to send application flow information to the Collection Manager, which stores the information in its database. Cisco Insight is then used to mine that database to give you reports, graphs, statistics, and all sorts of other visibility into the applications on your network. Here are some examples of the NetFlow v9 structure and various reports from Insight.
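The export path described above, as an added example that is not configuration from the original post or from Cisco's documentation: a Flexible NetFlow record that carries the NBAR application name alongside the usual flow keys, a NetFlow v9 exporter pointed at the Collection Manager, and a monitor that applies both to the WAN interface. The collector address (192.0.2.10, from the documentation range), UDP port 2055, Loopback0 as the source interface and the WAN interface name are assumptions for illustration.

```cisco
! Added example, not from the original post. Collector address
! (192.0.2.10, documentation range), UDP port, source interface and
! monitored interface are assumed for illustration.
!
! Flow record: the "match" fields are the flow key, and
! "match application name" adds the NBAR classification to every flow
! so the collector can report per application, not just per port.
flow record AVC-APP-RECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match application name
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Exporter: NetFlow v9 to the Collection Manager. The application
! table option periodically exports the application ID to name mapping
! in an options template, so the collector can decode the IDs carried
! in the data records.
flow exporter AVC-EXPORT
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
 option application-table
!
! Monitor: ties record and exporter together. The active timeout
! bounds how long a long-lived flow waits before it is first reported.
flow monitor AVC-MONITOR
 exporter AVC-EXPORT
 cache timeout active 60
 cache timeout inactive 15
 record AVC-APP-RECORD
!
! Apply in both directions on the WAN interface.
interface GigabitEthernet0/0/1
 ip flow monitor AVC-MONITOR input
 ip flow monitor AVC-MONITOR output
```

Verify locally with `show flow monitor AVC-MONITOR cache format table` (the application name column should be populated) and `show flow exporter AVC-EXPORT statistics` (export packets sent, and no template or option records rejected). Because NetFlow v9 is unauthenticated UDP, the flow data, which is itself a detailed record of who talked to what, should travel over a management network or be restricted with an ACL so that only the Collection Manager can receive it.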
The application visibility and control feature licenses for the ASR 1000 (ASR1002-F, ASR1002, ASR1004, ASR1006, ASR1013) and ASR 1001 are available as of IOS XE 3.4S. Here are the licensing breakdowns:
- The Cisco ASR 1000 Series Router Application Visibility and Control RTU license (FLASR1-AVC-RTU(=)) enables you to configure Network-Based Application Recognition (NBAR) and advanced application awareness on the Cisco ASR 1000 Series Routers, both for application reporting (visibility) and for use in quality-of-service (QoS) policies (control).
- The Cisco ASR 1000 Series Router Application Visibility and Control Upgrade license (FLASR1-AVC-UPG(=)) enables you to upgrade from an existing FPI license to the new advanced Application Visibility and Control (AVC) license.
- The Cisco Insight reporting RTU license (FLASR1-NSIGHT-RTU(=)) is a complementary external software component to the ASR 1000 Series Router Application Visibility and Control RTU license. Cisco Insight is an external web-based reporting tool that can be installed on any generic external server that meets its prerequisites; it is licensed per ASR 1000 unit.
Datasheet for AVC: http://www.cisco.com/en/US/solutions/collateral/ns1015/ns483/ns780/at_a_glance_c45-649117.pdf
For ISR G2 AVC configuration, see the Cisco ISR G2 AVC configuration guide.
<i>The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.</i>
Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.
Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. He also holds the CISSP and CCSP certifications and is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.