Configuring Application Visibility for Switches

This section lists the prerequisite configurations to enable Application Visibility in New HPE Aruba Networking Central.

Ensure that the switch supports Application Visibility. See Supported Switches for Application Visibility.

Note:

Application Visibility is available for Switches with a Foundation license.

To configure Application Visibility, perform the following steps:

  1. To enable the V2 default profile mode for AOS-CX 6400 Switch Series, run the profile v2-default command followed by configuration save and reboot commands.

    switch(config)# profile v2-default
    Note:

    In AOS-CX 6400 Switch Series, Application Visibility is supported only on 6400V2 (R0X38C, R0X40C, R0X41C, R0X42C, R0X43C, R0X44C, and R0X45C) line cards.

  2. To disable IP source-lockdown resource-extended, run the following command:

    switch(config)# no ip source-lockdown resource-extended
  3. To enable Application Visibility globally, run the following commands:

    switch(config)# app-recognition

    switch(config-app-recognition)# enable

  4. Enable flow-tracking if the AOS-CX switch runs 10.13 or later versions.

    Flow-tracking obtains application visibility and DNS latency telemetry. To enable flow-tracking, run the following commands:

    switch(config)# flow-tracking

    switch(config-flow-tracking)# enable

  5. Enable Application Visibility per client port or per user-role.

    • To enable Application Visibility for port, run the following commands:

      switch(config)# interface <PORT-NUMBER>

      switch(config-if)# app-recognition enable

    • To enable Application Visibility for user-role, run the following commands:

      switch(config)# port-access role guest

      switch(config-pa-role)# app-recognition enable

  6. To configure IPFIX, enable IPFIX on both client-facing and uplink ports to export application details to Traffic Insight.

    • To specify the IPv4 flow configuration, run the following commands:

      switch(config)# flow exporter flow-exp-prof

      description Export flows to traffic insight profile

      destination type traffic-insight

      destination traffic-insight TI-01

       

      switch(config)# flow record flow-rec-v4-prof

      description Record used for ipv4 traffic analysis

      match ipv4 destination address

      match ipv4 protocol

      match ipv4 source address

      match ipv4 version

      match transport destination port

      match transport source port

      collect counter bytes

      collect counter packets

      collect timestamp absolute first

      collect timestamp absolute last

      collect application name

      collect application https url

      collect application dns response-code

      collect application tls-attributes

       

      switch(config)# flow monitor flow-mon-prof

      description Monitor for analyzing ipv4 traffic

      cache timeout active <TIMEOUT_VALUE> --> 30-604800 seconds; default is 30 seconds.

      exporter flow-exp-prof

      record flow-rec-v4-prof

       

      switch(config)# interface <Inbound_Interface>

      switch(config-if)# ip flow monitor flow-mon-prof in --> Enable IPv4 flow monitor on both inbound and outbound interfaces

       

      switch(config)# interface <Outbound_Interface>

      switch(config-if)# ip flow monitor flow-mon-prof in

    • To specify the IPv6 flow configuration, run the following commands:

      switch(config)# flow exporter flow-exp-prof

      description Export flows to traffic insight profile

      destination type traffic-insight

      destination traffic-insight TI-01

       

      switch(config)# flow record flow-rec-v6-prof

      description Record used for ipv6 traffic analysis

      match ipv6 destination address

      match ipv6 protocol

      match ipv6 source address

      match ipv6 version

      match transport destination port

      match transport source port

      collect counter bytes

      collect counter packets

      collect timestamp absolute first

      collect timestamp absolute last

      collect application name

      collect application https url

      collect application dns response-code

      collect application tls-attributes

       

      switch(config)# flow monitor flow-v6-mon-prof

      description Monitor for analyzing ipv6 traffic

      cache timeout active <TIMEOUT_VALUE> --> 30-604800 seconds; default is 30 seconds.

      exporter flow-exp-prof

      record flow-rec-v6-prof

      switch(config)# interface <Inbound_Interface>

      switch(config-if)# ipv6 flow monitor flow-v6-mon-prof in --> Enable IPv6 flow monitor on both inbound and outbound interfaces

       

      switch(config)# interface <Outbound_Interface>

       

      switch(config-if)# ipv6 flow monitor flow-v6-mon-prof in

    • Enable forwarding-status if the AOS-CX switch runs 10.14 or later versions.

      The following example adds the forwarding-status collect field to flow-rec-v4-prof on the 6300, except for S3L75A, S3L76A, S3L77A and Aruba 6400 Switch Series platforms:

      switch(config)# flow record flow-rec-v4-prof

      collect forwarding-status

  7. To configure Traffic Insight, create and enable a Traffic Insight instance and specify the flow source:

    switch(config)# traffic-insight TI-01 -->Creates a Traffic Insight instance

    switch(config-ti)# source ipfix -->Sets the source protocol to collect flow information

    switch(config-ti)# enable -->Enables Traffic Insight

  8. Create a monitor for application flows in the Traffic Insight profile.

    switch(config)# traffic-insight TI-01

    switch(config-ti)# monitor app-mon type application-flows
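
The names used in steps 6 to 8 have to line up: each flow monitor names an exporter and a record, the exporter names a Traffic Insight instance, and each interface names a monitor. The following Python check is an added example, not part of the HPE documentation; it flags dangling names in a constructed config sample, and the indented running-config layout it parses is an assumption.

```python
import re

# Constructed sample (indented layout assumed): the monitor's exporter is never defined.
SAMPLE = """\
flow exporter flow-exp-prof
    destination type traffic-insight
    destination traffic-insight TI-01
flow record flow-rec-v6-prof
flow monitor flow-v6-mon-prof
    exporter flow-v6-mon-prof
    record flow-rec-v6-prof
traffic-insight TI-01
    source ipfix
    enable
    monitor app-mon type application-flows
interface 1/1/1
    ipv6 flow monitor flow-v6-mon-prof in
"""

# (owning block, child-line pattern, block type that must define the captured name)
RULES = [
    ("flow monitor ", r"exporter (\S+)", "flow exporter "),
    ("flow monitor ", r"record (\S+)", "flow record "),
    ("flow exporter ", r"destination traffic-insight (\S+)", "traffic-insight "),
    ("interface ", r"ip(?:v6)? flow monitor (\S+) in", "flow monitor "),
]

def parse(text):
    """Group indented child lines under the top-level line above them."""
    blocks, head = {}, None
    for raw in filter(str.strip, text.splitlines()):
        if raw[0].isspace() and head:
            blocks[head].append(raw.strip())
        else:
            head = raw.strip()
            blocks.setdefault(head, [])
    return blocks

def lint(text):
    """Return dangling references and Traffic Insight instances that cannot collect."""
    blocks, issues = parse(text), []
    for owner, pattern, target in RULES:
        defined = {h[len(target):] for h in blocks if h.startswith(target)}
        for head, body in blocks.items():
            for line in body if head.startswith(owner) else []:
                if (m := re.fullmatch(pattern, line)) and m.group(1) not in defined:
                    issues.append(f"{head}: undefined {target.strip()} '{m.group(1)}'")
    issues += [f"{h}: missing '{r}'" for h, b in blocks.items()
               if h.startswith("traffic-insight ") for r in ("source ipfix", "enable") if r not in b]
    return issues
```

Calling `lint(SAMPLE)` reports the monitor's undefined exporter; a config whose names all resolve returns an empty list.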

Show Commands

The following show commands display details on traffic flow:

switch# show ip flows

switch# show traffic-insight TI-01 monitor-type application-flows app-mon

switch# show traffic-insight TI-01 monitor-type application-flows app-mon [app-details|tls-cert-visibility|tls-visibility|url-details]

switch# diag

switch# diag-dump flow-tracking basic

switch# diag-dump traffic-insight basic

What's Next

For more information on Application Visibility, see the following topics: