Cisco Catalyst 9500 Manual page 124


Restrictions for Wired Application Visibility and Control
• There is a delay in the QoS classification since the application classification is done offline (while the initial packet/s of the flow are meanwhile forwarded before the correct QoS classification).
• NBAR2-based match criteria (match protocol) are allowed only with marking or policing actions. NBAR2 match criteria are not allowed in a policy that has queuing features configured.
• 'Match Protocol': up to 255 concurrent different protocols in all policies (8 bits HW limitation).
• AVC is not supported on management port (Gig 0/0).
• IPv6 packet classification is not supported.
• Only IPv4 unicast (TCP/UDP) is supported.
• Web UI: You can configure application visibility and perform application monitoring from the Web UI. Application Control can only be done using the CLI. It is not supported on the Web UI. To manage and check wired AVC traffic on the Web UI, you must first configure the ip http authentication local and ip nbar http-service commands using the CLI.
• NBAR and ACL logging cannot be configured together on the same switch.
• Protocol-discovery, application-based QoS, and wired AVC FNF cannot be configured together at the same time on the same interface with the non-application-based FNF. However, these wired AVC features can be configured with each other. For example, protocol-discovery, application-based QoS and wired AVC FNF can be configured together on the same interface at the same time.
• Starting with Cisco IOS XE Fuji 16.9.1, up to two wired AVC monitors, each with a different predefined record, can be attached to an interface at the same time.
• Two new directional flow records - ingress and egress - have been introduced in Cisco IOS XE Fuji 16.9.1, in addition to the two existing legacy flow records.
• Attachment should be done only on physical Layer 2 and Layer 3 ports, and these ports cannot be part of a port channel. Attachment to trunk ports is not supported.
• Performance: Each switch member is able to handle 2000 connections per second (CPS) at less than 50% CPU utilization.
• Scale: Able to handle up to 20,000 bi-directional flows per 48 access ports and 10,000 bi-directional flows per 24 access ports (~200 flows per access port).
• Wired AVC allows only the fixed set of fields listed in the procedures of this chapter. Other combinations are not allowed. For a regular FNF flow monitor, other combinations are allowed (for the list of supported FNF fields, refer to the "Configuring Flexible NetFlow" chapter of the Network Management Configuration Guide).
• Starting with Cisco IOS XE 16.12.1 release, a new flow record has been included - the DNS flow record. The DNS flow record is similar to the 5-tuple record and includes the DNS domain name field. It accounts only for DNS related fields. This record doesn't have the interface field as a match field, so the information from all interfaces is aggregated into the same record.
System Management Configuration Guide, Cisco IOS XE Fuji 16.8.x (Catalyst 9500 Switches)
Configuring Application Visibility and Control in a Wired Network
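
An added example (not from the Cisco guide): a small pre-deployment lint that checks a configuration text against several of the restrictions listed above, namely NBAR2 match protocol combined with queuing, the 255-protocol limit, and AVC on the management port, trunk ports or port-channel members. The sample configuration, all class, policy and interface names, the queuing keyword list, and the use of ip nbar protocol-discovery as the marker for an AVC attachment are assumptions made for the illustration.

```python
# Constructed running-config fragment; all names are hypothetical.
SAMPLE_CONFIG = """\
class-map match-any VOICE-APPS
 match protocol ms-lync
policy-map MARK-IN
 class VOICE-APPS
  set dscp ef
policy-map QUEUE-OUT
 class VOICE-APPS
  priority level 1
interface GigabitEthernet0/0
 ip nbar protocol-discovery
interface GigabitEthernet1/0/1
 switchport mode trunk
 ip nbar protocol-discovery
interface GigabitEthernet1/0/2
 ip nbar protocol-discovery
"""
QUEUING = ("priority", "bandwidth", "shape", "queue-limit", "queue-buffers")  # assumed list

def sections(config):  # group indented sub-commands under their top-level command
    out = []
    for line in config.splitlines():
        if line.strip() and not line[0].isspace():
            out.append((line.split(), []))
        elif line.strip() and out:
            out[-1][1].append(line.strip())
    return out

def lint_avc(config):
    """Return the restriction violations found in the config text."""
    secs, findings = sections(config), []
    nbar_classes = {h[-1]: [l.split()[2] for l in b if l.startswith("match protocol ")]
                    for h, b in secs if h[0] == "class-map"}
    protocols = {p for ps in nbar_classes.values() for p in ps}
    if len(protocols) > 255:  # 8-bit hardware limit across all policies
        findings.append(f"{len(protocols)} match protocols exceed the 255 limit")
    for h, b in secs:
        cls = None
        for l in (b if h[0] == "policy-map" else []):
            if l.startswith("class "):
                cls = l.split()[1]
            elif nbar_classes.get(cls) and l.startswith(QUEUING):
                findings.append(f"{h[1]}/{cls}: queuing action '{l}' on NBAR2 class")
        if h[0] == "interface" and "ip nbar protocol-discovery" in b:
            if h[1] == "GigabitEthernet0/0":
                findings.append(f"{h[1]}: AVC on management port")
            if "switchport mode trunk" in b or any(l.startswith("channel-group ") for l in b):
                findings.append(f"{h[1]}: AVC on trunk or port-channel member")
    return findings
```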
