The Deep Packet Inspection (DPI) engine runs independently on the controller and on selected AP models (AP38xx and AP39xx). The DPI engine that is used depends on the underlying topology of the role. The controller DPI handles traffic for centralized topologies (Bridged@Controller and Routed) for traffic in both directions. The AP's DPI handles distributed topologies (Bridged@AP).
Enabling “App Visibility” in the WLAN causes end-user traffic of the particular WLAN to be sent to and processed by the respective DPI engine. For DPI and L7 filters to work, each instance of the DPI engine running on the AP or on the controller must inspect traffic that is moving in both directions of the connection.
The mixed topologies (B@AP & tunneled in same role) are not supported, and are disabled in the user interface, when L7 application rules are defined in a role. As a result, the “Contain to VLAN” Action option is unavailable for configuration of an L7 Application Rule.
For more information, see Configuration Rules with L7 Filters.