How To Control Applications On Aerohive WLANs

Aerohive includes application visibility and control features that let you identify and set policy around popular applications crossing your wireless network. Here’s how to set it up.

July 17, 2013

Network Computing

The modern WLAN system is so much more than just a client access framework. It also offers a slew of security and performance-enhancing features that can increase the value of your wireless network. In this piece, I'll walk through how to use the Application Visibility and Control (AVC) feature on an Aerohive wireless network.

AVC delivers information on client behavior that used to only be available from a mega-analyzer tool in the network core. AVC reports on applications in use across the WLAN, and lets administrators set policies to restrict or prioritize particular applications. This means you can ensure that business apps don't get crushed on the WLAN by users indulging in Hulu and YouTube.

Some vendors, such as Cisco, tack on licensing requirements for AVC capabilities, while others include the feature in the overall price. AVC is included with Aerohive's HiveManager. I run a small Aerohive network, so I was very pleased to see AVC show up as part of an update to my online HiveManager account.

It's up to you to enable AVC and define how you want it to work in your environment; I'll cover how to do that here.

This walk-through assumes that you have an Aerohive WLAN and starts with a wireless network already in service. I'll show you how to see and report on applications running on your network and how to find the right fields to create usage policies.

The configuration process isn't exactly intuitive, but it's worth the trouble. I've used this capability for a couple of months now, and I can't imagine doing without AVC.

You'll need to log in to your HiveManager account and ensure you're running version 6.0r2a or higher of the code. If you have older code, just open a support ticket. Aerohive tends to be fast on the support turnaround.

After login, go to Dashboard>Applications, where I'll start the AVC configuration process. Note that before you begin, there is nothing shown in the Application window; it's up to you to shape the magic first. After you do, the page gets exciting.

AVC configuration starts with the definition of an Application Watchlist, which you'll find under Reports>Report Settings. The Watchlist is made up of as many as 30 applications to which you can apply policies. Building the list is as simple as moving applications from the left table to the right.

The applications come from a library on HiveManager, which is sourced from a third party. The list is occasionally updated during regular HiveManager updates. Because Aerohive is working from a third-party list, there are likely to be applications within your organization that won't be recognized.


[Image: application watch list]

After you define your Watchlist (and you can edit it later), hit the Update button at the top of the screen. At this point, you have applications of interest defined, but not pushed to your access points yet. (Remember, with Aerohive, there is no controller.)

To get the Watchlist pushed to your Aerohive APs, navigate to Configuration>Devices>Aerohive APs. You'll see the "angry red exclamation point" icon indicating a config change needs to be pushed to the APs to make them current. Select the APs that you want to participate in AVC, and then hit Update. This will bring you to a drop-down menu.

Here, you might be tempted to select "Upload and activate application signatures," but this is a point of confusion; the option you need is "Upload and activate configuration." The application signatures option applies to signature updates from Aerohive as it periodically updates its library.


[Image: upload and activate configuration]

Remember, with Aerohive APs, almost any configuration change requires an access point reboot before it is complete, so make these sorts of changes during an outage window. The reboot requirement is one of the few aspects of Aerohive's operations that I wish was different.

With your Watchlist defined and pushed to access points on the network, now you get to see the in-use applications of interest called out in the once-empty Dashboard>Applications page. Though Aerohive says it may take 24 hours for application data to show, I have found it to be much quicker on my small network.

As you take in the graphs and counters for the Watchlist applications, you’ll also notice options for editing the view in the Applications perspective and generating reports. This is where you’ll start to make the feature work for you, and can tailor it to your own operational requirements.


[Image: app usage over time]

Application visibility can demystify what’s happening on your network, which is useful, but you also want some control so that priority applications work properly. Aerohive AVC lets you control traffic at Layer 7, or at the network layers. Here’s an example, but this is an area with a lot of potential options.

You’ll start configuring the “Control” part of AVC by selecting the network you are working with. Find it under Configuration>Additional Settings, and go to “QoS Settings.” Your goal is a new control (I’ll give BitTorrent a low priority as an example), so you want a new Classifier Map, under “QoS Classification and Marking.” This is where you have to know that the plus (+) sign is the door to a new Classifier Map.


[Image: Classifier Map]

When the form for a new Classifier Map comes up, give it a name and description and select “Services.” Again, this isn’t the most intuitive workflow, but it does make sense after you play with it. Notice the familiar plus sign; click it; wait for the list of applications to populate; and choose the ones that you’d like to take action on, such as the BitTorrent example. Say OK when done selecting applications, and then choose how you’d like to handle them.

You have a range of options available, including application prioritization and blocking. You can apply more granular controls using role-based actions.


[Image: set policy]

Save your configurations, make sure you choose your new QoS map, and save until you are returned to the Configure Interfaces & User Access page. Finally, update the device settings for your APs (don’t forget the reboot), and everything you just did is now active.

You now have tasted Aerohive’s AVC. HiveManager yields almost infinite permutations that fall under the headings of visibility and control. Before you start applying controls, make sure you have a sense of just what you’re trying to achieve, as you can get lost in the possibilities. It’s also always a good idea to have well-defined policies written down before you start making things happen in the real world.

The policy controls outlined here are just the start. I haven’t even touched the likes of application firewall settings and rate limiting. You can get an overview of other Aerohive features here [PDF].
