
Limit available bandwidth for WIFI CAPWAP traffic on branch routers

usmanashaikh
Level 1

Hi Experts,

(I am fairly new to QoS so please excuse any obvious errors/omissions etc)

I have been asked to look at implementing QoS policing or shaping on our branch routers to limit the amount of bandwidth that is used by wireless users. Each branch office has a Cisco 2951 router (running c2951-universalk9-mz.SPA.153-2.T2.bin) that has its own pipe (of varying capacity ranging from 10mbps-100mbps) that connects it to the hub (data centre). Each branch uses Cisco APs that connect back to the WLC5508 controller in the Hub site using FlexConnect central switching and all traffic between client and the server is CAPWAP encapsulated. The APs reside on a dedicated VLAN with their own sub-interface on the 2951 router.

Each branch router already has the following service policies associated with it

WAN Interface (Policy applied OUTBOUND) - [This is where the controller resides]

policy-map CBWFQ-QOS
 class Voice+Routing
  priority percent 10
 class Video+Signalling
  bandwidth percent 20
 class Citrix+RDP
  bandwidth percent 40
 class Scavenger
  bandwidth percent 1
 class class-default
  bandwidth percent 29
!

policy-map QOS-100Mb
 class class-default
  shape average 100000000
   service-policy CBWFQ-QOS
!

interface GigabitEthernet0/0
 bandwidth 100000
 service-policy output QOS-100Mb

 

LAN Interface (Policy applied INBOUND) - [This is where the APs reside]

policy-map QoS-Classification
 class Mark_Voice-RTP
  set dscp ef
 class Mark_Voice-Control
  set dscp af31
 class Mark_Video-RTP
  set dscp af41
 class Mark_Video-Control
  set dscp af31
 class Mark_Citrix-RDP
  set dscp af11
 class Mark_Telnet-SNMP
  set dscp af12
 class Mark_SSH
  set dscp af13
 class class-default
  set ip dscp default
!

interface GigabitEthernet0/1.X
 service-policy input QoS-Classification

I know we can make use of the QoS feature on the controller but would then end up having separate SSIDs per site (since each site has different uplink bandwidth), something which is not very efficient for obvious reasons. I have done some research on the possible solution and would like to share the proposed config, so would appreciate it if the experts out here can provide feedback and suggest any other better way of achieving this.

 

# Create ACL to be used in class-map and match on CAPWAP Control (5246) and data (5247)

ip access-list extended WIFI-CAPWAPP-ACL
 permit udp any host <controller IP> range 5246 5247

!

# Create Class-Map to match above ACL
class-map match-all WIFI-CAPWAPP-CM
 description Match CAPWAP traffic between Controller and AP
 match access-group name WIFI-CAPWAPP-ACL

!

# Since the AP sub-interface on the 2951 already has policy applied in the inbound direction, remove the existing policy and create new policy to include new class statements and the existing ones

policy-map WIFI-PM
 description Policing to limit CAPWAP WIFI traffic to 20% of Bandwidth
 class WIFI-CAPWAPP-CM
   police cir percent 20 conform-action transmit exceed-action drop
 class Mark_Voice-RTP
  set dscp ef
 class Mark_Voice-Control
  set dscp af31
 class Mark_Video-RTP
  set dscp af41
 class Mark_Video-Control
  set dscp af31
 class Mark_Citrix-RDP
  set dscp af11
 class Mark_Telnet-SNMP
  set dscp af12
 class Mark_SSH
  set dscp af13
 class class-default
  set ip dscp default

!

#  Apply the new policy to the LAN interface (Wireless AP interface)

interface GigabitEthernet0/1.X
 service-policy input WIFI-PM

 

Any feedback is greatly appreciated

Thanks
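
An added example, not part of the original post: a percentage policer is resolved against the bandwidth value of the interface the policy is attached to, so on the LAN sub-interface `police cir percent 20` does not follow the WAN pipe size. The fragment below pins the policer to an explicit rate instead and shows how to check the rate in effect. It assumes a 10 Mbps site, so the 2000000 bps figure is constructed for illustration; the class, policy and interface names are the ones from the post.

```cisco
! Added example: values constructed for a 10 Mbps branch.
!
! As posted (rate depends on the LAN interface bandwidth value):
!   police cir percent 20 conform-action transmit exceed-action drop
!
! Explicit rate: 20% of the 10 Mbps WAN link = 2000000 bps.
policy-map WIFI-PM
 class WIFI-CAPWAPP-CM
  police cir 2000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/1.X
 service-policy input WIFI-PM
!
! Applied inbound on the AP sub-interface with the posted ACL
! (any -> controller, UDP 5246-5247), this class only sees
! AP-to-controller traffic; controller-to-AP traffic arrives on
! the WAN interface and is not touched by this policer.
!
! Exec-mode check: the output lists the policer rate in bps and
! the conformed/exceeded packet counters for WIFI-CAPWAPP-CM.
!   show policy-map interface GigabitEthernet0/1.X input
```

Each site needs its own rate value, sized from that site's WAN bandwidth.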

 

3 Replies

Leo Laohoo
Hall of Fame
Each branch office has a Cisco 2951 router (running c2951-universalk9-mz.SPA.153-2.T2.bin) that has its own pipe (of varying capacity ranging from 10mbps-100mbps) that connects it to the hub (data centre). 

Let me get this straight ... You've got sites with 100 Mbps and you're using a tiny 2951 router?   And let me guess, these sites are experiencing slow connection?  

 

If the answer to these two questions is "yes" then my answer is this:  Your QoS config won't make any difference because the 2951 is NOT designed for 100 Mbps.  2951 can do up to about 80 Mbps.  If you want 100 Mbps router then you're potentially looking at a 3925E, 3945 or the newly-released 4331/4351 routers.

Many Thanks Leo for replying.

Only one of the many sites we have is 100Mbps and we are looking at replacing the hardware on that site so thanks again for the suggestions

All other sites are mainly 10-20Mbps and the WAN interface config reflects the corresponding link bandwidth on each branch router

Based on this would the config for the LAN interface above be OK?

 

 

 

 

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of   the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Yes, you could do something like what you've posted, but there may be other options and/or possible improvements.

The port your LWAP attaches to might allow a port specific policer and/or marker (BTW, your posted policy doesn't explicitly mark the traffic).  Using such would avoid forcing all your other ports through a shared policy trying to deal with the LWAP traffic.

You might use an egress policy, something like:

policy-map sample
 class LLQ
  priority percent 35
 class hi-priority
  bandwidth remaining percent 81
  fair-queue
 class lo-priority
  bandwidth remaining percent 1
  fair-queue
 class class-default
  bandwidth remaining percent 9
  fair-queue

PS:

BTW, did you enable adjust TCP mss on your controller (to allow for LWAP tunneling overhead)?
