11-10-2014 06:23 AM - edited 03-07-2019 09:27 PM
Hi Experts,
(I am fairly new to QoS so please excuse any obvious errors/omissions etc)
I have been asked to look at implementing QoS policing or shaping on our branch routers to limit the amount of bandwidth that is used by wireless users. Each branch office has a Cisco 2951 router (running c2951-universalk9-mz.SPA.153-2.T2.bin) that has its own pipe (of varying capacity ranging from 10mbps-100mbps) that connects it to the hub (data centre). Each branch uses Cisco APs that connect back to the WLC5508 controller in the Hub site using FlexConnect central switching, and all traffic between client and the server is CAPWAP encapsulated. The APs reside on a dedicated VLAN with their own sub-interface on the 2951 router.
Each branch router already has the following service policies associated with it
WAN Interface (Policy applied OUTBOUND) - [This is where the controller resides]
policy-map CBWFQ-QOS
 class Voice+Routing
  priority percent 10
 class Video+Signalling
  bandwidth percent 20
 class Citrix+RDP
  bandwidth percent 40
 class Scavenger
  bandwidth percent 1
 class class-default
  bandwidth percent 29
!
policy-map QOS-100Mb
 class class-default
  shape average 100000000
  service-policy CBWFQ-QOS
!
interface GigabitEthernet0/0
 bandwidth 100000
 service-policy output QOS-100Mb
LAN Interface (Policy applied INBOUND) - [This is where the APs reside]
policy-map QoS-Classification
 class Mark_Voice-RTP
  set dscp ef
 class Mark_Voice-Control
  set dscp af31
 class Mark_Video-RTP
  set dscp af41
 class Mark_Video-Control
  set dscp af31
 class Mark_Citrix-RDP
  set dscp af11
 class Mark_Telnet-SNMP
  set dscp af12
 class Mark_SSH
  set dscp af13
 class class-default
  set ip dscp default
!
interface GigabitEthernet0/1.X
 service-policy input QoS-Classification
I know we can make use of the QoS feature on the controller, but we would then end up having separate SSIDs per site (since each site has different uplink bandwidth), something which is not very efficient for obvious reasons. I have done some research on the possible solution and would like to share the proposed config, so I would appreciate it if the experts out here could provide feedback and suggest any other better way of achieving this.
! Create ACL to be used in class-map and match on CAPWAP Control (5246) and data (5247)
ip access-list extended WIFI-CAPWAPP-ACL
 permit udp any host <controller IP> range 5246 5247
!
! Create Class-Map to match above ACL
class-map match-all WIFI-CAPWAPP-CM
 description Match CAPWAP traffic between Controller and AP
 match access-group name WIFI-CAPWAPP-ACL
!
! Since the AP sub-interface on the 2951 already has policy applied in the inbound direction,
! remove the existing policy and create new policy to include new class statements and the existing ones
policy-map WIFI-PM
 description Policing to limit CAPWAP WIFI traffic to 20% of Bandwidth
 class WIFI-CAPWAPP-CM
  police cir percent 20 conform-action transmit exceed-action drop
 class Mark_Voice-RTP
  set dscp ef
 class Mark_Voice-Control
  set dscp af31
 class Mark_Video-RTP
  set dscp af41
 class Mark_Video-Control
  set dscp af31
 class Mark_Citrix-RDP
  set dscp af11
 class Mark_Telnet-SNMP
  set dscp af12
 class Mark_SSH
  set dscp af13
 class class-default
  set ip dscp default
!
! Apply the new policy to the LAN interface (Wireless AP interface)
interface GigabitEthernet0/1.X
 service-policy input WIFI-PM
Any feedback is greatly appreciated
Thanks
11-10-2014 01:50 PM
Each branch office has a Cisco 2951 router (running c2951-universalk9-mz.SPA.153-2.T2.bin) that has its own pipe (of varying capacity ranging from 10mbps-100mbps) that connects it to the hub (data centre).
Let me get this straight ... You've got sites with 100 Mbps and you're using a tiny 2951 router? And let me guess, these sites are experiencing slow connection?
If the answer to these two questions is "yes" then my answer is this: Your QoS config won't make any difference because the 2951 is NOT designed for 100 Mbps. 2951 can do up to about 80 Mbps. If you want 100 Mbps router then you're potentially looking at a 3925E, 3945 or the newly-released 4331/4351 routers.
11-11-2014 02:00 AM
Many Thanks Leo for replying.
Only one of the many sites we have is 100Mbps and we are looking at replacing the hardware on that site so thanks again for the suggestions
All other sites are mainly 10-20Mbps and the WAN interface config reflects the corresponding link bandwidth on each branch router
Based on this would the config for the LAN interface above be OK?
11-11-2014 08:26 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Yes, you could do something like what you've posted, but there may be other options and/or possible improvements.
The port your LWAP attaches to might allow a port specific policer and/or marker (BTW, your posted policy doesn't explicitly mark the traffic). Using such would avoid forcing all your other ports through a shared policy trying to deal with the LWAP traffic.
You might use an egress policy, something like:
policy-map sample
 class LLQ
  priority percent 35
 class hi-priority
  bandwidth remaining percent 81
  fair-queue
 class lo-priority
  bandwidth remaining percent 1
  fair-queue
 class class-default
  bandwidth remaining percent 9
  fair-queue
PS:
BTW, did you enable adjust TCP mss on your controller (to allow for LWAP tunneling overhead)?
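Added example (not part of any post in this thread): a Python model of the `police cir percent 20 conform-action transmit exceed-action drop` class from the proposed WIFI-PM policy, showing how much the result depends on which interface bandwidth the percentage is taken from. IOS resolves the percentage against the `bandwidth` of the interface the policy is attached to; the 1,000,000 kbps LAN value (Gigabit sub-interface with no `bandwidth` statement), the 10,000 kbps WAN value, the 8 Mbps offered load, the 1400-byte packets and the burst size of CIR/32 bytes are all assumptions made for the illustration.

```python
# Added example: single-rate policer model (conform-action transmit,
# exceed-action drop). Integer maths throughout so results are exact.
US = 1_000_000  # microseconds per second; also the token scaling factor

def cir_from_percent(bandwidth_kbps, percent):
    """`police cir percent N` resolves against the `bandwidth` (kbps) of the
    interface the policy is attached to. Returns the CIR in bits per second."""
    return bandwidth_kbps * 1000 * percent // 100

def police(packets, cir_bps, bc_bytes):
    """Token bucket over a list of (arrival_us, size_bytes).
    Returns (sent_bytes, dropped_bytes)."""
    cap = bc_bytes * 8 * US          # bucket depth in bits, scaled by US
    tokens, last = cap, 0            # bucket starts full
    sent = dropped = 0
    for arrival_us, size in packets:
        tokens = min(cap, tokens + (arrival_us - last) * cir_bps)
        last = arrival_us
        cost = size * 8 * US
        if cost <= tokens:           # conform-action transmit
            tokens -= cost
            sent += size
        else:                        # exceed-action drop
            dropped += size
    return sent, dropped

def capwap_stream(rate_bps, seconds, size_bytes=1400):
    """Constructed input: evenly spaced CAPWAP data packets (UDP 5247)."""
    gap_us = size_bytes * 8 * US // rate_bps
    return [(i * gap_us, size_bytes) for i in range(seconds * US // gap_us)]

def compare(offered_bps=8_000_000, wan_kbps=10_000, lan_kbps=1_000_000):
    """Same 20% policer, two percentage bases. Burst (CIR/32) is an assumption."""
    stream = capwap_stream(offered_bps, 1)
    results = {}
    for label, bw in (("lan_base", lan_kbps), ("wan_base", wan_kbps)):
        cir = cir_from_percent(bw, 20)
        results[label] = (cir,) + police(stream, cir, bc_bytes=cir // 32)
    return results

if __name__ == "__main__":
    for label, (cir, sent, dropped) in compare().items():
        print(f"{label}: cir={cir} bps sent={sent} B dropped={dropped} B")
```

With the percentage taken from a 1 Gbps LAN interface the policer never drops at this load; to cap wireless at 20% of a 10 Mbps uplink, the bandwidth on the policed interface has to reflect the WAN rate, or the CIR has to be given in bps.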