@Joseph W. Doherty wrote: "I use nbar as this is required to identify traffic and must be on the same interface as the service policy; the rest of the config has for example "match protocol skinny" which needs nbar I believe."

NB: BTW, you don't need to activate interface NBAR for a CBWFQ class "match protocol xxx". (That command is used to obtain an NBAR analysis of what kind of traffic is crossing an interface.)

Sorry, I'm still confused over your network management vs. your provider's. Your provider is providing VPN beyond your ATM interface, across the Internet? If so, it's unclear what "their" QoS is doing. Again, if you have CBR, p2p, what you do on your ATM interface, with QoS, shouldn't really need provider QoS. It's possible, although unusual, that they support QoS across their network, but that would generally "stop" once/if they need to forward your Internet traffic to another ISP or backbone provider. Also, if they are providing a CBR service, your QoS markings shouldn't matter once you hand off your traffic to them.

It's fine that you're not a QoS guru, but that's why posting to these forums can be useful, as you may obtain responses from those with a bit more experience.

Hi,

Thanks for that. I misunderstood the NBAR, which means I can take that off. Our DSL connections are not Internet connections; they don't leave the supplier's network. They provide a network across their network to our WAN connection on a leased line, also provided by them; we then provide Internet access to the sites. Because of this they can honour our markings and put in place QoS, of which they provide three standard profiles. We select the profile we think would work best and implement that for traffic leaving our DSL sites, and the provider does the rest, including routing between sites.
@Joseph W. Doherty wrote:

It's unclear to me what your provider is providing vis-à-vis QoS. If you have a p2p CBR ATM PVC, you should be able to perform any QoS you like, independent of your provider. (This is because the CBR sets and guarantees a fixed amount of bandwidth.)

You've set your LLQ to 50%. The general recommendation is to not exceed 1/3 of the bandwidth. This is to ensure you have sufficient bandwidth for non-LLQ traffic and also to ensure LLQ doesn't self-congest. (The latter also depends on the nature of your LLQ traffic. If, for example, your VoIP bearer traffic uses a CODEC with a fixed bandwidth per flow, it's predictable, while VoIP bearer traffic using a CODEC with a variable bandwidth per flow is not.)

It's debatable whether CS6 and CS7 should be in your real-time class. They, like VoIP control traffic (unknown how you're marking it), "by-the-book" often get their own classes, to guarantee their service requirements. (They both might be okay in the class-default if you use FQ, as recommended by Georg.)

BTW, you're using NBAR discovery for? Your DSL, it's not PPPoE, is it? If so, you lose 8 bytes from your MTU, which will cause max-size Ethernet packets to be fragmented. (This can possibly be mitigated with further configuration.)

Also BTW, if you want to make your real-time class matching a bit more efficient, you can consider matching IP Prec 5 for both DSCP EF and CS5.

The policy, as I explained, is to set up our QoS to match the supplier's QoS, which is applied to our ADSL2+, and they supply the IPVPN site to site using PPPoE, but the configuration for this is in the rest of the config. I use NBAR as this is required to identify traffic and must be on the same interface as the service policy; the rest of the config has, for example, "match protocol skinny", which needs NBAR I believe. The QoS question was just one small part of the set-up, to make sure I hadn't missed something, as I am not a QoS guru.
I know there is plenty of information regarding QoS already in the community; however, I would like to know the design steps before the actual configuration to ensure I am not forgetting a step.

We have an 887 ISR on DSL and we have some VoIP handsets at the site. We have agreement from the supplier that they will apply QoS to our traffic as it will be part of our IPVPN. The supplier has given us a spreadsheet showing class, marking, DSCP, profile 1: class is just the name of the class; under marking I have CS5, EF, CS6, CS7; DSCP has 40, 46, 48, 56; and profile 1 shows the percentage, in this case 50%, as it is real-time traffic. Marking is to ensure VoIP packets are marked correctly, and DSCP are the numbers we should be looking for to apply a higher QoS percentage; both marking and DSCP are the same, as CS5=DSCP46.

class-map match-any RealTime
 match ip dscp ef
 match ip dscp CS5
 match ip dscp CS6
 match ip dscp CS7
!
policy-map QOS
 class RealTime
  priority percent 50
!
interface ATM0.1 point-to-point
 ip nbar protocol-discovery
 pvc 0/XX
  cbr XXX
  service-policy out QOS
!

Can anyone see any glaring misunderstanding on my part, or do I have the translation from supplier to QoS correct? I have only included the real-time portion; there is more to the QoS profile than just real-time. Many thanks for taking the time to read.
We have the above Wireless LAN Controller, and when you check for updates there seems to be one image that is being changed; this is 03.06.09. However, the highest version is 03.07.05.E.
Can someone please let me know which we should be using at this time, i.e. is one version supported and the other just to resolve an issue?
*******2nd error from WLC*******
May 10 11:26:24 BST: *%CAPWAP-3-DTLS_CONN_ERR: 1 wcm: 0041.d28e.7a00: DTLS connection not found forAP xx:xx:191:97 (32412), Controller: xx:xx:xx:54 (5246) send packet
May 10 11:26:24 BST: *%CAPWAP-3-RCB_MARKED_FOR_DEL: 1 wcm: Dropping discovery request from AP 0041.d28e.7a00 - cleanup process is in progress
May 10 11:26:26 BST: %DOT1X-5-FAIL: Authentication failed for client (a434.d972.9106) on Interface Ca21 AuditSessionID ac1410015af2443b002d0213
May 10 11:26:29 BST: *%LOG-3-Q_IND: 1 wcm: Dropping discovery request from AP 0041.d28e.7a00 - cleanup process is in progress[...It occurred 3 times.!]
May 10 11:26:29 BST: *%CAPWAP-3-DTLS_CONN_ERR: 1 wcm: 0041.d28e.7a00: DTLS connection not found forAP xx:xx:191:97 (32412), Controller: xx:xx:xx:54 (5246) send packet
May 10 11:26:34 BST: *%CAPWAP-3-DTLS_CONN_ERR: 1 wcm: 0041.d28e.7a00: DTLS connection not found forAP xx:xx:191:97 (32412), Controller: xx:xx:xx:54 (5246) send packet
May 10 11:26:34 BST: *%CAPWAP-3-RCB_MARKED_FOR_DEL: 1 wcm: Dropping discovery request from AP 0041.d28e.7a00 - cleanup process is in progress
May 10 11:26:39 BST: *%LOG-3-Q_IND: 1 wcm: Dropping discovery request from AP 0041.d28e.7a00 - cleanup process is in progress[...It occurred 3 times.!]
May 10 11:26:39 BST: *%CAPWAP-3-DTLS_CONN_ERR: 1 wcm: 0041.d28e.7a00: DTLS connection not found forAP xx:xx:191:97 (32412), Controller: xx:xx:xx:54 (5246) send packet
May 10 11:26:39 BST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Capwap12, changed state to down
May 10 11:26:43 BST: %DOT1X-5-FAIL: Authentication failed for client (40f0.2f79.cf81) on Interface Ca19 AuditSessionID ac1410015af41a6e002d65b3
The disconnection error shows DTLS, but I don't have encryption on for this AP.
*May 9 12:11:37.943: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*May 9 12:11:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: xx.xx.xx.54 peer_port: 5246
*May 9 12:12:07.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x627E8280!
*May 9 12:12:37.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to xx.xx.xx.54:5246
*May 9 12:12:37.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*May 9 12:12:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: xx.xx.xx.54 peer_port: 5246
*May 9 12:12:38.487: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: xx.xx.xx.54 peer_port: 5246
*May 9 12:12:38.491: %CAPWAP-5-SENDJOIN: sending Join Request to xx.xx.xx.54
*May 9 12:12:43.851: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller cisco-wlc
The APs are in Local mode. I think to use Flex mode you should use a Cat 3850 switch as a mobility anchor, which we don't have. Occasionally all the APs in the other areas will go down together; however, I have 5 in my area that are very stable (never go down), and of the other 21 APs, 5 have been up for 1 day at the present time and the others have been up for various amounts of time. When an AP drops it then starts the join process and reconnects to the WLC using another IP. I did think at first that it was a timeout issue, but I have checked all the timeouts in the WLC.
Management IP Vlan 20 172.20.XX.XX
AP-Manager Vlan 5 172.16.XX.XX
AP-Manager Vlan 21 172.21.XX.XX
--------------------------------Error from Logs------------------------------------------
May 10 10:33:32 BST: *%CAPWAP-3-DTLS_CONN_ERR: 1 wcm: f80b.cbf1.a8c0: DTLS connection not found forAP 10:0:110:166 (16090), Controller: 172:16:16:54 (5246) send packet
May 10 10:33:33 BST: *%CAPWAP-3-RCB_MARKED_FOR_DEL: 1 wcm: Dropping discovery request from AP f80b.cbf1.a8c0 - cleanup process is in progress
An ASA is not used by ourselves; there are no unauthorized DHCP servers, as we monitor for rogue servers/PCs etc.
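The WLC log lines in this post and in the "2nd error from WLC" post above show the same shape of event: a CAPWAP DTLS_CONN_ERR for an AP on the control port (5246), followed by the WLC dropping that AP's discovery request while "cleanup process is in progress". One practitioner's caveat on the "I don't have encryption on for this AP" point: the CAPWAP control channel (UDP 5246) is always DTLS-protected; the per-AP data-encryption setting only covers the data channel (UDP 5247), so control-channel DTLS errors appear regardless of that setting. The script below is an added example, not code from the thread or from Cisco: it parses lines of the posted format, groups them per AP MAC, honours the "[...It occurred N times.!]" suppression suffix, and counts error-then-rejoin cycles so a flapping AP can be ranked rather than read off the console. The sample lines embedded in it are copies of the posted ones (addresses as the poster redacted them); the 60-second pairing window and the "two cycles = flapping" threshold are assumptions.

```python
"""Added example, not from the thread or from Cisco: correlate WLC CAPWAP DTLS errors and
dropped discovery requests per AP from syslog lines of the shape posted above.
Assumptions: 60-second pairing window; two completed cycles counts as flapping."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "May 10 11:26:24 BST: *%CAPWAP-3-DTLS_CONN_ERR: 1 wcm: <msg>" -- an optional '*' precedes the
# facility; the timestamps carry no year, so strptime yields 1900, fine for deltas within a day.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+:\s+"
    r"\*?%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<msg>.*)$")
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b")   # Cisco dotted MAC
REPEAT_RE = re.compile(r"It occurred (\d+) times")                 # WLC suppression suffix


def classify(msg):
    """Map message text to the two event kinds we correlate; anything else is ignored."""
    if "DTLS connection not found" in msg:
        return "dtls_conn_err"
    if "Dropping discovery request" in msg:
        return "discovery_dropped"
    return None


def parse_events(lines):
    """Extract timestamp, AP MAC, kind and repeat count; DOT1X client failures, LINEPROTO
    transitions and anything without an AP MAC are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, mac = classify(m.group("msg")), MAC_RE.search(m.group("msg"))
        if kind is None or mac is None:
            continue
        rep = REPEAT_RE.search(m.group("msg"))
        events.append({"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
                       "mac": mac.group(0), "kind": kind,
                       "count": int(rep.group(1)) if rep else 1,
                       "mnemonic": m.group("mnemonic")})
    return events


def summarize(events, window=timedelta(seconds=60)):
    """Per-AP counts plus "cycles": a DTLS_CONN_ERR followed within `window` by a dropped
    discovery request from the same AP (the AP trying to rejoin while the WLC is still
    tearing down its previous session)."""
    per_ap = defaultdict(lambda: {"dtls_conn_err": 0, "discovery_dropped": 0,
                                  "cycles": 0, "first": None, "last": None})
    pending_err = {}
    for ev in sorted(events, key=lambda e: e["ts"]):      # stable sort keeps log order on ties
        s = per_ap[ev["mac"]]
        s[ev["kind"]] += ev["count"]
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
        if ev["kind"] == "dtls_conn_err":
            pending_err[ev["mac"]] = ev["ts"]
        elif ev["mac"] in pending_err and ev["ts"] - pending_err[ev["mac"]] <= window:
            s["cycles"] += 1
            del pending_err[ev["mac"]]
    return dict(per_ap)


def flapping_aps(summary, min_cycles=2):
    """APs that completed at least `min_cycles` error->rejoin cycles, worst first."""
    return sorted((mac for mac, s in summary.items() if s["cycles"] >= min_cycles),
                  key=lambda mac: -summary[mac]["cycles"])


# Sample input: copies of the lines posted in this thread (addresses as the poster redacted them).
SAMPLE_LOG = """\
May 10 10:33:32 BST: *%CAPWAP-3-DTLS_CONN_ERR: 1 wcm: f80b.cbf1.a8c0: DTLS connection not found forAP 10:0:110:166 (16090), Controller: 172:16:16:54 (5246) send packet
May 10 10:33:33 BST: *%CAPWAP-3-RCB_MARKED_FOR_DEL: 1 wcm: Dropping discovery request from AP f80b.cbf1.a8c0 - cleanup process is in progress
May 10 11:26:24 BST: *%CAPWAP-3-DTLS_CONN_ERR: 1 wcm: 0041.d28e.7a00: DTLS connection not found forAP xx:xx:191:97 (32412), Controller: xx:xx:xx:54 (5246) send packet
May 10 11:26:24 BST: *%CAPWAP-3-RCB_MARKED_FOR_DEL: 1 wcm: Dropping discovery request from AP 0041.d28e.7a00 - cleanup process is in progress
May 10 11:26:26 BST: %DOT1X-5-FAIL: Authentication failed for client (a434.d972.9106) on Interface Ca21 AuditSessionID ac1410015af2443b002d0213
May 10 11:26:29 BST: *%LOG-3-Q_IND: 1 wcm: Dropping discovery request from AP 0041.d28e.7a00 - cleanup process is in progress[...It occurred 3 times.!]
May 10 11:26:29 BST: *%CAPWAP-3-DTLS_CONN_ERR: 1 wcm: 0041.d28e.7a00: DTLS connection not found forAP xx:xx:191:97 (32412), Controller: xx:xx:xx:54 (5246) send packet
May 10 11:26:34 BST: *%CAPWAP-3-DTLS_CONN_ERR: 1 wcm: 0041.d28e.7a00: DTLS connection not found forAP xx:xx:191:97 (32412), Controller: xx:xx:xx:54 (5246) send packet
May 10 11:26:34 BST: *%CAPWAP-3-RCB_MARKED_FOR_DEL: 1 wcm: Dropping discovery request from AP 0041.d28e.7a00 - cleanup process is in progress
May 10 11:26:39 BST: *%LOG-3-Q_IND: 1 wcm: Dropping discovery request from AP 0041.d28e.7a00 - cleanup process is in progress[...It occurred 3 times.!]
May 10 11:26:39 BST: *%CAPWAP-3-DTLS_CONN_ERR: 1 wcm: 0041.d28e.7a00: DTLS connection not found forAP xx:xx:191:97 (32412), Controller: xx:xx:xx:54 (5246) send packet
May 10 11:26:39 BST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Capwap12, changed state to down
"""

if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_LOG.splitlines()))
    for mac, s in report.items():
        print(mac, s)
    print("flapping:", flapping_aps(report))
```

Run against a day's WLC syslog the summary gives first/last timestamps and cycle counts per AP, which is what you need to tell "all the APs in one area drop together" (one time window, many MACs) from a single AP with a bad uplink (many cycles, one MAC).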
I have a SINGLE WLC 5700 with 26 access points in different parts of the network. If staff are in Building1, then on the wired network they are allocated a printer based on their IP range from the group policy. On the wireless side they all connect to the same WLC, which allows them to request DHCP (a different range to wired) from a server, but if they are in different buildings they are on the same IP range, so I can't differentiate between the locations in the group policy to allocate printers.
My second question may be easier. On the WLC we have three VLANs under Controller > Interface > Wireless Interface; they are labelled management, AP-Manager, AP-Manager. When the APs connect, some connect directly to the management interface and some to each of the AP-Managers. We do see APs disconnecting during the day and rejoining on a different interface. Have we made a mistake with our set-up?
System time = NTP
Software version = 03.07.01E Release Software (fc3)
My ISP has said they will set up their side to give 50% policed real-time traffic, 30% for our application traffic (burstable), then 5% for anything else (burstable). The QoS below is my attempt to do this, but I was advised that to apply it to the Dialer 1 interface I had to create a second policy-map (ADSLOut) which had the class-default and the child policy (QOSADSL) within that. When I did this I couldn't apply it to the Dialer 1 interface, but if I use the child policy then it will allow me to apply that; will this work the same way?

class-map match-all RealTime
 match ip dscp ef
class-map match-all General
 match any
class-map match-any Application
 match ip dscp cs3
 match ip dscp af41
!
policy-map QOSADSL
 class RealTime
  bandwidth percent 50
 class Application
  priority percent 30
 class General
  priority percent 5
 class class-default
  shape peak percent 85
policy-map ADSLOut
 class class-default
  service-policy QOSADSL
!
!
interface Dialer1
 <Snipped>
 bandwidth 1240
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 load-interval 30
 tx-ring-limit 3
 tx-queue-limit 3
 service-policy output QOSADSL
 ! or:
 service-policy output ADSLOut
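Two of the points raised in this thread can be checked mechanically before a policy goes on the box: the reply's "LLQ should not exceed 1/3 of the bandwidth" guideline (against the 50% priority class in the original ATM0.1 question, and the two priority classes in the Dialer1 policy above), and the suggestion that a single "match ip precedence 5" would cover both EF and CS5 (it would, since IP precedence is the top three bits of the DSCP field: 46 >> 3 and 40 >> 3 are both 5, while CS6 and CS7 are precedence 6 and 7). The lint below is an added example, not code from the thread or from Cisco: it parses IOS class-map/policy-map text into ordered structures, resolves DSCP names to the code points in the supplier's spreadsheet, totals the priority share per policy-map, reports what a precedence match would and would not cover, and flags a class that matches every packet ahead of later classes (IOS evaluates policy-map classes top-down, first match wins). The two config strings embedded in it are copies of the fragments posted in this thread; the 1/3 threshold is the reply's guideline, not a Cisco-enforced limit, and only the keywords used in those fragments are parsed.

```python
"""Added example, not code from this thread or from Cisco: a lint for IOS class-map /
policy-map text such as the fragments posted here.  Assumptions: only the keywords used in
those fragments are parsed; the 1/3 LLQ limit is the guideline quoted in the replies."""
import re
from collections import OrderedDict

# DSCP code points: class selectors CS0-CS7 (RFC 2474), EF (RFC 3246), AFxy (RFC 2597).
DSCP = {"ef": 46, **{f"cs{i}": i * 8 for i in range(8)},
        **{f"af{c}{d}": c * 8 + d * 2 for c in range(1, 5) for d in range(1, 4)}}
LLQ_MAX_SHARE = 100 / 3   # "do not exceed 1/3 of the bandwidth" (from the replies)

def dscp_value(token):
    """DSCP name as IOS accepts it (ef, cs5, af41, any case) or a numeric code point."""
    return DSCP[token.lower()] if token.lower() in DSCP else int(token)

def ip_precedence(dscp):
    """IP precedence is the top three bits of the six-bit DSCP field."""
    return dscp >> 3

def parse_qos(config_text):
    """class_maps: name -> (match-any|match-all, [dscp values or "any"]); policies: name ->
    OrderedDict(class -> {"priority"/"bandwidth": pct, "child": policy}), in config order."""
    class_maps, policies = {}, {}
    section = name = cls = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if (m := re.match(r"class-map\s+(match-any|match-all)\s+(\S+)", line, re.I)):
            section, name = "cmap", m.group(2)
            class_maps[name] = (m.group(1).lower(), [])
        elif (m := re.match(r"policy-map\s+(\S+)", line, re.I)):
            section, name = "pmap", m.group(1)
            policies[name] = OrderedDict()
        elif line.lower().startswith("interface "):
            section = None                      # interface sub-config is not linted here
        elif section == "cmap":
            if (m := re.match(r"match\s+ip\s+dscp\s+(\S+)", line, re.I)):
                class_maps[name][1].append(dscp_value(m.group(1)))
            elif re.match(r"match\s+any\b", line, re.I):
                class_maps[name][1].append("any")
        elif section == "pmap":
            if (m := re.match(r"class\s+(\S+)", line, re.I)):
                cls = m.group(1)
                policies[name].setdefault(cls, {})
            elif (m := re.match(r"(priority|bandwidth)\s+percent\s+(\d+)", line, re.I)):
                policies[name][cls][m.group(1).lower()] = int(m.group(2))
            elif (m := re.match(r"service-policy\s+(\S+)$", line, re.I)):
                policies[name][cls]["child"] = m.group(1)   # hierarchical parent/child
    return class_maps, policies

def llq_share(policies, policy):
    return sum(a.get("priority", 0) for a in policies[policy].values())

def precedence_covers(class_maps, class_name, prec):
    """DSCP values in the class that 'match ip precedence <prec>' would catch / would miss."""
    values = sorted(v for v in class_maps[class_name][1] if v != "any")
    return ([v for v in values if ip_precedence(v) == prec],
            [v for v in values if ip_precedence(v) != prec])

def findings(class_maps, policies):
    """Observations worth a second look; an empty list means nothing was flagged."""
    notes = []
    for policy, classes in policies.items():
        if (share := llq_share(policies, policy)) > LLQ_MAX_SHARE:
            notes.append(f"{policy}: priority classes total {share}%, above the 1/3 guideline")
        order = list(classes)
        for pos, cls in enumerate(order):
            if class_maps.get(cls, ("", []))[1] == ["any"] and order[pos + 1:]:
                notes.append(f"{policy}: class {cls} matches every packet, so "
                             f"{', '.join(order[pos + 1:])} can never match")
    return notes

# Sample input: the two fragments posted in this thread, as the poster wrote them.
ORIGINAL_POST = """\
class-map match-any RealTime
 match ip dscp ef
 match ip dscp CS5
 match ip dscp CS6
 match ip dscp CS7
policy-map QOS
 class RealTime
  priority percent 50
"""
DIALER_POST = """\
class-map match-all RealTime
 match ip dscp ef
class-map match-all General
 match any
class-map match-any Application
 match ip dscp cs3
 match ip dscp af41
policy-map QOSADSL
 class RealTime
  bandwidth percent 50
 class Application
  priority percent 30
 class General
  priority percent 5
 class class-default
policy-map ADSLOut
 class class-default
  service-policy QOSADSL
"""
```

Calling findings(*parse_qos(DIALER_POST)) reports the 35% priority total and that class General, matching any packet, sits ahead of class-default; precedence_covers(parse_qos(ORIGINAL_POST)[0], "RealTime", 5) returns ([40, 46], [48, 56]), i.e. a precedence-5 match replaces the EF and CS5 lines but CS6 and CS7 would still need their own match statements.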