dpi

Profile Config Commands

Enables DPI (Deep Packet Inspection) on this profile. DPI is an advanced packet analysis technique that analyzes packet and packet content headers to determine the nature of network traffic. When enabled, DPI inspects packets of all flows to identify applications (such as Netflix, Twitter, and Facebook) and extract metadata (such as host name, server name, and TCP-RTT) for further use by the WiNG firewall.

This command is also available in the device configuration mode.

Supported in the following platforms:

  • Access Points — AP505, AP510
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

dpi {custom-app|logging|metadata}
dpi {custom-app <CUSTOM-APP-NAME>}
dpi {logging [level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]|on]}
dpi {metadata [http|ssl|tcp-rtt|voice-video]}
dpi {metadata [http|ssl|voice-video]}
dpi {metadata tcp-rtt {app-group <APPLICATION-GROUP-NAME>}}

Parameters

dpi {custom-app <CUSTOM-APP-NAME>}
dpi – Enables DPI on this profile/device context and configures DPI settings. When enabled, all flow traffic is subjected to DPI for detection of applications, application categories, custom applications, and metadata extraction.
custom-app <CUSTOM-APP-NAME> – Optional. Adds a custom application to this profile
  • <CUSTOM-APP-NAME> – Specify the custom application name (should already exist and be configured)

If no custom application is specified, the system detects the PACE built-in applications.

Note: For more information on application categories and application detection, see application.
dpi {logging [level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]|on]}
dpi – Enables DPI on this profile/device context and configures DPI settings. When enabled, all flow traffic is subjected to DPI for detection of applications, application categories, custom applications, and metadata extraction.
logging [level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]|on] – Optional. Enables DPI logging and sets the logging level
  • level – Configures the DPI logging level. Use one of the following options to specify the logging level:
    • <0-7> – Logging severity level
    • alerts – Immediate action needed (1)
    • critical – Critical conditions (2)
    • debugging – Debugging messages (7)
    • emergencies – System is unusable (0)
    • errors – Error conditions (3)
    • informational – Informational messages (6)
    • notifications – Normal but significant conditions (5) - Default setting
    • warnings – Warning conditions (4)

Either specify the logging level index (from 0 - 7) or the description. For example, to log all alerts either enter '1' or 'alerts'.

  • on – Enables application detection event logging. DPI logging is disabled by default.
dpi {metadata [http|ssl|voice-video]}
dpi – Enables DPI on this profile/device context and configures DPI settings. When enabled, all flow traffic is subjected to DPI for detection of applications, application categories, custom applications, and metadata extraction.
metadata [http|ssl|voice-video] – Optional. Enables metadata extraction from the following flows:
  • http – HTTP flows. This option is disabled by default.
  • ssl – SSL flows. This option is disabled by default.
  • voice-video – Voice and video classified flows. This option is disabled by default.
dpi {metadata tcp-rtt {app-group <APPLICATION-GROUP-NAME>}}
dpi – Enables DPI on this profile/device context and configures DPI settings. When enabled, all flow traffic is subjected to DPI for detection of applications, application categories, custom applications, and metadata extraction.
metadata tcp-rtt {app-group <APPLICATION-GROUP-NAME>} – Optional. Enables TCP-RTT (Transmission Control Protocol - Round Trip Time) metadata collection for application groups. Before executing this command, ensure that you have created at least one application group.

Enable this option in the profile/device contexts of the AP7522, AP7532, AP7562, AP8432, AP8533 access point models, as only these APs support TCP-RTT metadata collection.

  • app-group – Optional. Specifies the customized application-group name containing the applications for which TCP-RTT is to be collected
    • <APPLICATION-GROUP-NAME> – Specify the app-group name (should be existing and configured). If not specified, the system collects TCP-RTT metadata for all the customized app-groups created. You can enable TCP-RTT metadata collection on eight (8) application groups at a time.

For more information on creating customized application-groups, see application-group.

The TCP-RTT metadata is viewable only on the NSight dashboard. Therefore, ensure the NSight server and database are up and NSight analytics data collection is enabled.

Example

nx9500-6C8809(config-profile-testNX9500)#dpi logging on

nx9500-6C8809(config-profile-testNX9500)#dpi logging level 7

nx9500-6C8809(config-profile-testNX9500)#show context
profile nx9000 testNX9500
 bridge vlan 10
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
.........................................................
 router bgp
 dpi logging on
 dpi logging level debugging
nx9500-6C8809(config-profile-testNX9500)#

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#dpi metadata tcp-rtt app-group amazon
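
The following Python example is added here and is not part of the original command reference. It reads a saved 'show context' listing, resolves the DPI settings against the defaults documented above, and returns points to confirm. The function names and the sample listing are illustrative assumptions, and it assumes dpi lines appear in the listing in the form in which they are entered.

```python
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]
MAX_TCP_RTT_GROUPS = 8  # limit stated in the tcp-rtt parameter description

def normalize_level(value):
    """Accept an index (0-7) or a level name from this page; return the name."""
    if value.isdigit() and int(value) < len(LEVELS):
        return LEVELS[int(value)]
    if value not in LEVELS:
        raise ValueError(f"unknown DPI logging level: {value!r}")
    return value

def parse_dpi(context_text):
    """Collect DPI settings from a listing, starting at the documented defaults."""
    state = {"enabled": False, "logging": False, "level": "notifications",
             "metadata": set(), "tcp_rtt_groups": []}
    for raw in context_text.splitlines():
        args = raw.split()
        if not args or args[0] != "dpi":
            continue
        state["enabled"] = True  # per the page, any dpi command enables DPI
        args = args[1:]
        if args[:2] == ["logging", "on"]:
            state["logging"] = True
        elif args[:2] == ["logging", "level"] and len(args) > 2:
            state["level"] = normalize_level(args[2])
        elif args[:2] == ["metadata", "tcp-rtt"]:
            state["metadata"].add("tcp-rtt")
            if args[2:3] == ["app-group"] and len(args) > 3:
                state["tcp_rtt_groups"].append(args[3])
        elif args[:1] == ["metadata"] and args[1:2] in (["http"], ["ssl"], ["voice-video"]):
            state["metadata"].add(args[1])
    return state

def review(state):
    """Return notes on settings an operator should confirm."""
    notes = []
    if state["enabled"] and not state["logging"]:
        notes.append("DPI logging is off (the default): detection events are not logged")
    if state["level"] == "debugging":
        notes.append("logging level is debugging (7), the most verbose level")
    if len(state["tcp_rtt_groups"]) > MAX_TCP_RTT_GROUPS:
        notes.append("more than 8 app-groups are set for tcp-rtt collection")
    return notes

# Constructed sample modelled on the 'show context' output in the Example section.
SAMPLE = ("profile nx9000 testNX9500\n router bgp\n dpi logging on\n"
          " dpi logging level debugging\n dpi metadata ssl\n"
          " dpi metadata tcp-rtt app-group amazon\n")
print(review(parse_dpi(SAMPLE)))
```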

Related Commands

no – Disables DPI (application assurance) on this profile