Re: Any Realtime Session stats DNAC webhook client session /bytes/ap/s

ciscoritz · ‎01-01-2025

is there any webhook realtime events that we can webhook out/syslog/snmptrap
like the 5508s/8540s there were enhanced traps from the WLCs . But in DNAC not sure if theres a way to stream to i know we can use clients API but when dealing with 20000 clients and alot of moving things quite quickly the API GET /clients at the client level isnt the best way. not sure if theres any way to subscribe to stream the client seession stats as they are disconnected. almost like Accounting like

Gabriel Zapodeanu · ‎01-10-2025

Please see if the User Defined Assurance issues may help you: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/catalyst-center-assurance/2-3-7/b_cisco_catalyst_assurance_2_3_7_ug/b_cisco_catalyst_assurance_2_3_6_ug_chapter_01001.html#Cisco_Task_in_List_GUI.dita_ab....

ciscoritz · ‎08-18-2025

i dont know if that works .i cant find the client dissocation event that contains all the flags . not sure a webhook but id assume with all the traffic it would cripple DNAC

sidshas03 · ‎08-18-2025

Catalyst Center (DNAC) doesn’t offer a real-time, per-client “accounting-style” webhook stream (bytes/AP/SSID, join/assoc/disassoc with all flags). Its Event Notifications are coarse-grained (Assurance issues, UDA alerts, some inventory/health events) and aren’t meant to fire for every client transition—at your scale it would crush the box. If you need true session-level telemetry for ~20k clients, take it straight from the 9800 WLCs instead: use RADIUS accounting (start/stop + interim-updates) to a syslog/DB pipeline or ISE, enable model-driven telemetry (gRPC/gNMI dial-out) for wireless client/AP counters, and/or keep classic syslog/SNMP traps from the controllers for assoc/disassoc reasons. Then let DNAC do what it’s good at (assurance, correlation, UDA rules for patterns/bursts) and keep the high-volume event stream off DNAC. If you still want a DNAC hook in the loop, subscribe only to the few assurance events you care about and correlate them with the controller telemetry on your side.

ciscoritz · ‎08-20-2025

ya we been doing MDT been active for a few years but was curous on just DNAC which i thought since it GRPCd to DNAC they could stitch stream out. Our current method keeps on failing or issues here/there or restarting 9800 or a bug in the 9800 in the early days with MDT when a big traffic increase happens MDT just stops. and Stitching the data is horrible cause it sends it realtime and we get 8X data when In the past there were Enhanced SNMP Traps we used in the 5508/8540s for years but current 9800s only have Classic Very minimal stats and enhanced what we used. But when 9800s came out that enhanced snmp session was gone but it gave all parm at the disassociated trap in 1 was gone and a feature that we loved quite a bit as we have 50000 APs going on 10+ controllers.

A few years with bugs and issues along the way on the 9800s WLC do MDT with traffic-stats /wsa-client-event
its not a fun data source cause its too much data for a session stat and when it closes we have to have splunk/other system restich it up from enhanced snmp trap that contained all the parameters

Example what we went with for a few years.

telemetry ietf subscription 5001
encoding encode-kvgpb
filter xpath /wireless-client-oper:client-oper-data/traffic-stats
source-address 10.1.1.1
stream yang-push
update-policy on-change
receiver ip address 10.0.1.11 57001 protocol grpc-tcp

telemetry ietf subscription 5002
encoding encode-kvgpb
filter xpath /wireless-event-oper:wsa-client-event
source-address 10.1.1.1
stream yang-notif-native
update-policy on-change
receiver ip address 10.0.1.11 57001 protocol grpc-tcp

For other vendors like ruckus they use a nice syslog with all params/extreme i use RAD Acct radius to stream but it has to be set per SSID ...

ill check out RADIUS acct again (i did in past but was told it wasnt what we wanted) maybe that will be our answer. We loved seeing the session with some of mostly AP name / SSID/

I did try putting a feature request in to re-enable snmp enhanced traps or at least have the same full session close with all params in MDT so not alot of mid stiching needs to be done at close of sessions.

sidshas03 · ‎08-21-2025

Ya exactly, that’s the pain point right now. With MDT on 9800 it looks good on paper but in reality the stream just gets too heavy, especially when traffic spikes, and then either the process crashes or we end up losing continuity. Then later sitting in Splunk and trying to stitch everything back together from raw events is a headache. Earlier on 5508/8540 those enhanced SNMP traps gave everything clean at session close — AP name, SSID, flags, counters — one shot, done. That was gold. After moving to 9800s, the “classic” traps are bare minimum and the MDT firehose is overkill. We also tested RADIUS accounting per SSID, but at scale it felt patchy, not really giving the full picture the way we wanted. I think if Cisco could just bring back those enhanced disassociation traps or at least add a proper session-close summary in MDT, it would save a lot of post-processing. For now it looks like we’ll have to balance between MDT for counters and maybe RADIUS acct for session ends, but honestly nothing matches the simplicity of the old enhanced SNMP traps.

ciscoritz · ‎08-27-2025

Is there a way to feature request as this is a big painpoint when your dealing with 50000+ APs across many networks

fracjackmac · ‎08-27-2025

Hi @ciscoritz,

Feature requests are typically communicated through your account support team.

Any Realtime Session stats DNAC webhook client session /bytes/ap/ssid