Cisco Catalyst 4500 Series Software Configuration Guide

Cisco Catalyst 4500 Series
2086 pages
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 45: Configuring AVC with DNS-AS
The Application Visibility Control (AVC) with Domain Name System as an Authoritative Source
(DNS-AS) feature (AVC with DNS-AS) provides a centralized means of controlling the identification
and classification of trusted network traffic in an organization. It accomplishes this by using the following:
network metadata stored in a DNS server that is authoritative to the domain in question, to identify applications;
Modular QoS CLI (MQC), to classify the corresponding traffic and apply suitable policies; and Flexible
NetFlow (FNF), to monitor and export application information to an external collector.
Starting with Cisco IOS XE Release 3.9.0E, the feature is available on Catalyst 4500E Series Switches
with Supervisor Engine 8-E, 8L-E, 7-E, 7L-E, and Catalyst 4500-X Series Switches. The ability to
export application information using FNF is supported beginning with Cisco IOS XE Release 3.9.2E.
Benefits of the feature:
• Application Visibility—Ensuring unambiguous visibility of applications.
The DNS-AS mechanism snoops DNS requests and does not require CPU-intensive deep packet
inspection (DPI). Because traffic is classified by means of a DNS request and not DPI, this feature
also works in scenarios where network traffic is encrypted.
• Metadata Driven—Using information about applications.
This enables you to holistically program the network so it behaves like a self-driving car. You now
have information about all the required applications in your network, irrespective of whether traffic
is encrypted or not.
• Centralized Control—Using a cross-domain application intent policy controller.
The feature leverages an existing, universally available query-response mechanism, to enable local
DNS servers within an organization to act as authoritative servers and propagate application
classification information to client devices (switches) in an enterprise network.
• Control without Administrative Access—Providing alternatives to controller-based approaches.
The feature supports scenarios where your network may be in the cloud and you may not own it. You
can still control network devices across the Internet, even though you may not have administrative
control of these devices.
This chapter describes how to configure AVC with DNS-AS. It includes the following major sections:
• About AVC with DNS-AS
• Configuring AVC with DNS-AS
• Monitoring AVC with DNS-AS
• Troubleshooting AVC with DNS-AS


Cisco Catalyst 4500 Series Specifications

General
Series: Catalyst 4500 Series
Category: Switch
Layer Support: Layer 2, Layer 3
Form Factor: Modular chassis
Stackable: No
Chassis Slots: 3, 6, 7, 10
Power Supply Options: AC, DC
Redundancy: Power supply, Supervisor engine
Network Management: Cisco IOS Software CLI, SNMP, Cisco Prime Infrastructure
Features: Security, QoS
Port Density: Up to 384 ports per chassis
Security Features: 802.1X, ACLs, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
Supervisor Engine: 8-E
