Layer-7 application detection helps you to identify services on your network that are frequently accessed and therefore consume high levels of bandwidth. This feature also allows you to isolate the clients that use these services most intensively and to inspect their traffic.
Application detection analyzes the inbound and outbound connections at each tracked interface, and it stores the statistics of the specified applications. As of LCOS version 10.12, layer-7 application detection captures IPv4 and IPv6 traffic separately.
In LANconfig, you enable and configure layer-7 application detection under .
- Layer-7 application detection enabled
- This entry is used to enable or disable layer-7 application detection.
- Port table
- Here you specify the ports that are to be tracked by layer-7 application detection. Enable or disable the available ports correspondingly.
- VLAN table
- Here you specify the VLAN IDs to be monitored and you determine the extent to which the layer-7 application detection collects traffic information.
  - Layer-7 application detection enabled for this VLAN: The device tracks general and application-specific data.
  - Track users: The device tracks user-specific data (user or client name and MAC address) in the specified VLAN.
  Important: In order for layer-7 application detection to be active in the VLAN, the device must collect at least application-specific data.
- Port-based tracking
- Here you select the applications to be tracked. Optionally you can choose default applications or you can specify your own applications. You also specify the destination domains or the destination networks of the application. Extend the list according to your needs.
  Note: You can specify several destination domains, destination networks or ports by using a comma-separated list in CIDR notation (classless inter-domain routing). You have the option of using IPv4 or IPv6 destination networks.
- Update after
- Specify an interval in minutes for updating the usage statistics.
When a client establishes a connection over a tracked interface, layer-7 application detection begins analyzing and recording the traffic volumes.
Layer-7 application detection monitors the destination port of an application. If a connection is detected arriving at port 80 or 443 (HTTP or HTTPS), the connection establishment is further analyzed. If a different destination port is used, the application is identified according to the applications entered into the "Port-based tracking" list.
If the establishment of an HTTP/HTTPS connection is detected, this connection is subjected to deeper analysis. For HTTP connections, the application detection additionally extracts the destination host from the destination URL in the HTTP GET request. For HTTPS connections, the destination host name is determined from the following sources:
- Server name indication from the TLS "Client Hello"
- Common name from the transmitted TLS server certificate
- Reverse DNS request to the server IP address
For HTTP and HTTPS connections, the destination host name found is compared with the "HTTP/HTTPS tracking" list. This list contains the most widely used Web services/applications, including the components of their host names.
If neither the service nor the connection appear in the list, i.e. the application cannot be identified, then it is classified as a general HTTP or HTTPS service on the port.
If the destination service is known for every connection on a tracked interface, the combination with the connecting client makes it possible to track the connection and to determine which client caused what amount of traffic to / from a service.
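The classification flow described above, as an added, self-contained illustration in Python; it is not LCOS code and does not reproduce the device's actual implementation. It takes the destination host from the TLS "Client Hello" server name indication (HTTPS) or from the Host header / absolute URL of the HTTP GET request, matches it against a constructed "HTTP/HTTPS tracking" list, falls back to a generic HTTP/HTTPS classification when nothing matches, classifies other ports through a constructed "Port-based tracking" list with IPv4 and IPv6 CIDR networks, and finally aggregates traffic per client and application. The certificate common name and reverse DNS sources are left out because they need the server's reply. The application lists, the sample connections and the byte layout of the sample Client Hello are all constructed for the example.

```python
"""Added illustration of layer-7 application classification (not LCOS code).
Application lists and sample traffic below are constructed for this example."""
import ipaddress
from collections import defaultdict

# Constructed "HTTP/HTTPS tracking" list: application -> host-name components
HTTP_APPS = {
    "video-service": ["video.example", "cdn-video.example"],
    "mail-service": ["mail.example"],
}
# Constructed "Port-based tracking" list: application -> (ports, destination networks in CIDR)
PORT_APPS = {
    "ssh": ({22}, ["10.0.0.0/8", "fd00::/8"]),
    "dns": ({53}, ["0.0.0.0/0", "::/0"]),
}

def sni_from_client_hello(record: bytes):
    """Server name from the SNI extension (RFC 6066) of a TLS ClientHello record; None if absent."""
    try:
        # TLS record header (5) + handshake header (4) + version (2) + random (32)
        i = 5 + 4 + 2 + 32
        i += 1 + record[i]                                            # session id
        i += 2 + int.from_bytes(record[i:i + 2], "big")               # cipher suites
        i += 1 + record[i]                                            # compression methods
        if i + 2 > len(record):
            return None                                               # no extensions present
        end = i + 2 + int.from_bytes(record[i:i + 2], "big")
        i += 2
        while i + 4 <= end:
            ext_type = int.from_bytes(record[i:i + 2], "big")
            ext_size = int.from_bytes(record[i + 2:i + 4], "big")
            body = record[i + 4:i + 4 + ext_size]
            # server_name extension: list length (2), name type (1, 0 = host_name), name length (2), name
            if ext_type == 0 and len(body) >= 5 and body[2] == 0:
                name_len = int.from_bytes(body[3:5], "big")
                return body[5:5 + name_len].decode("ascii", "replace")
            i += 4 + ext_size
    except IndexError:
        pass                                                          # truncated or non-TLS payload
    return None

def host_from_http_get(payload: bytes):
    """Destination host of an HTTP request: absolute URL in the request line, else the Host header."""
    lines = payload.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) >= 2 and request_line[1].startswith(b"http://"):
        return request_line[1][7:].split(b"/", 1)[0].decode("ascii", "replace")
    for line in lines[1:]:
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii", "replace")
    return None

def classify(dst_ip: str, dst_port: int, payload: bytes) -> str:
    """Application name for one connection, following the documented decision flow."""
    if dst_port in (80, 443):
        host = sni_from_client_hello(payload) if dst_port == 443 else host_from_http_get(payload)
        if host:
            for app, components in HTTP_APPS.items():
                if any(host == c or host.endswith("." + c) for c in components):
                    return app
        return f"generic {'HTTPS' if dst_port == 443 else 'HTTP'} (port {dst_port})"
    addr = ipaddress.ip_address(dst_ip)
    for app, (ports, nets) in PORT_APPS.items():
        # 'in' is False across IP versions, so v4 and v6 networks can be mixed in one list
        if dst_port in ports and any(addr in ipaddress.ip_network(n) for n in nets):
            return app
    return f"unknown (port {dst_port})"

def build_client_hello(server_name: bytes) -> bytes:
    """Constructed minimal ClientHello carrying only an SNI extension (not a complete handshake)."""
    sni_entry = b"\x00" + len(server_name).to_bytes(2, "big") + server_name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

# Constructed sample connections: (client, destination IP, destination port, bytes, first payload)
CONNECTIONS = [
    ("client-a", "203.0.113.10", 443, 5_000_000, build_client_hello(b"cdn-video.example")),
    ("client-a", "203.0.113.11", 80, 120_000, b"GET / HTTP/1.1\r\nHost: mail.example\r\n\r\n"),
    ("client-b", "203.0.113.12", 443, 40_000, build_client_hello(b"unknown.example")),
    ("client-b", "10.1.2.3", 22, 300_000, b""),
    ("client-b", "2001:db8::53", 53, 2_000, b""),
]

def usage_per_client(connections=CONNECTIONS):
    """Bytes per (client, application): which client caused what traffic to which service."""
    stats = defaultdict(int)
    for client, ip, port, nbytes, payload in connections:
        stats[(client, classify(ip, port, payload))] += nbytes
    return dict(stats)

if __name__ == "__main__":
    for (client, app), nbytes in sorted(usage_per_client().items()):
        print(f"{client:10} {app:30} {nbytes:>10} bytes")
```

Running the block prints one line per client and application; the HTTPS connection to an unlisted host lands in the generic HTTPS bucket for port 443, exactly the fallback the text describes, while the IPv6 DNS and IPv4 SSH connections are matched through the port-based list.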
The values found are available from the corresponding tables in the LCOS menu tree under .
Layer-7 application detection can be operated either centrally or decentrally on your network. Both options prevent traffic being listed multiple times:
- Central
- Layer-7 application detection is enabled on a central router in the LAN, and it is disabled on all other LANCOM devices.
- Decentral
- Layer-7 application detection is enabled only on the final bridges in the LAN, e.g. on access points or LANCOM routers with the clients connected directly to their LAN interfaces.
To avoid distorted results, the traffic should pass through just one single device or bridge running the layer-7 application detection.