Cisco Catalyst 9400 System Management Configuration Manual page 198

Cisco IOS XE Bengaluru 17.4.x

Restrictions for Wired Application Visibility and Control
• NBAR2-based match criteria (match protocol) are allowed only with marking or policing actions.
NBAR2 match criteria are not allowed in a policy that has queuing features configured.
• 'Match Protocol': up to 255 concurrent different protocols in all policies (8 bits HW limitation).
• AVC is not supported on management port (Gig 0/0).
• IPv6 packet classification is not supported.
• Only IPv4 unicast (TCP/UDP) is supported.
• Web UI: You can configure application visibility and perform application monitoring from the Web UI.
Application Control can only be done using the CLI. It is not supported on the Web UI.
To manage and check wired AVC traffic on the Web UI, you must first configure ip http authentication
local and ip nbar http-service commands using the CLI.
• NBAR and ACL logging cannot be configured together on the same switch.
• Protocol-discovery, application-based QoS, and wired AVC FNF cannot be configured together at the
same time on the same interface with the non-application-based FNF. However, these wired AVC features
can be configured with each other. For example, protocol-discovery, application-based QoS and wired
AVC FNF can be configured together on the same interface at the same time.
• Starting with Cisco IOS XE Fuji 16.9.1, up to two wired AVC monitors each with a different predefined
record can be attached to an interface at the same time.
• Two new directional flow records - ingress and egress - have been introduced in Cisco IOS XE Fuji
16.9.1, in addition to the two existing legacy flow records.
• Attachment should be done only on physical Layer2 (Access/Trunk) and Layer3 ports. Uplink can be
attached as long as it is a single uplink and is not part of a port channel.
• Performance: Each switch member is able to handle 2000 connections per second (CPS) at less than 50%
CPU utilization.
• Scale: Able to handle up to 20,000 bi-directional flows per 48 access ports and 10,000 bi-directional
flows per 24 access ports. (~200 flows per access port).
• Wired AVC allows only the fixed set of fields listed in the procedures of this chapter. Other combinations
are not allowed. For a regular FNF flow monitor, other combinations are allowed (for the list of supported
FNF fields, refer to the "Configuring Flexible NetFlow" chapter of the Network Management Configuration
Guide).
• Starting with Cisco IOS XE 16.12.1 release, a new flow record has been included - the DNS flow record.
The DNS flow record is similar to the 5-tuple record and includes the DNS domain name field. It accounts
only for DNS related fields. This record doesn't have the interface field as a match field, so the information
from all interfaces is aggregated into the same record.
• You cannot configure FNF on an interface when both AVC and ETA are configured on the interface.
• You can enable both AVC and ETA on the same port only for IPv4 unicast traffic.
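The following audit script is an added example, not part of the Cisco guide: it checks an IOS-style configuration against two of the restrictions above (NBAR2 match criteria in a policy with queuing, and AVC on the management port). The sample configuration is constructed, and both the queuing keyword set and the full interface name GigabitEthernet0/0 for "Gig 0/0" are assumptions.

```python
import re

QUEUING = {"bandwidth", "priority", "shape", "queue-limit", "queue-buffers"}  # assumed keyword set

SAMPLE = """\
class-map match-any VIDEO
 match protocol webex-media
class-map match-any BULK
 match protocol ftp
policy-map MARK-IN
 class VIDEO
  set dscp af41
policy-map QUEUE-OUT
 class BULK
  bandwidth percent 10
interface GigabitEthernet0/0
 ip nbar protocol-discovery
"""  # constructed configuration, not taken from the guide

def blocks(config):
    out = []  # list of (top-level header, [stripped child lines])
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out

def audit(config):
    findings, nbar_classes, nbar_policies = [], set(), set()
    stanzas = blocks(config)
    for head, body in stanzas:  # class-maps that use NBAR2 matching
        if head.startswith("class-map") and any(l.startswith("match protocol ") for l in body):
            nbar_classes.add(head.split()[-1])
    for head, body in stanzas:  # policies that reference those class-maps
        classes = {l.split()[-1] for l in body if l.split()[0] == "class"}
        if head.startswith("policy-map") and classes & nbar_classes:
            nbar_policies.add(head.split()[-1])
            if any(l.split()[0] in QUEUING for l in body):
                findings.append(f"policy-map {head.split()[-1]}: NBAR2 match with queuing")
    for head, body in stanzas:  # AVC features attached to the management port
        for l in body if head == "interface GigabitEthernet0/0" else []:
            m = re.match(r"service-policy (?:input|output) (\S+)", l)
            if l == "ip nbar protocol-discovery" or (m and m.group(1) in nbar_policies):
                findings.append(f"{head}: AVC on management port: {l}")
    return findings
```

Calling `audit(SAMPLE)` reports the QUEUE-OUT policy and the management-port attachment, while MARK-IN passes because it only marks.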
System Management Configuration Guide, Cisco IOS XE Bengaluru 17.4.x (Catalyst 9400 Switches)
Configuring Application Visibility and Control in a Wired Network