12-05-2023 12:02 AM - edited 12-05-2023 12:03 AM
Hello friends,
Our Base network team has recently started to apply nice QoS policy map rules on switch-ports in this big hospital.
Honestly I have not much knowledge in that area, but it looks like they want to prioritize voice (Skype for Business) and Multimedia traffic. Unfortunately people in a WLAN-only office started complaining about interrupts on their WLAN Skype phone calls and other users complain about interrupts in iPad apps for patient information collection.
I'm concerned about the shown packet drops and believe that the whole thing is not working on WLAN APs in "Local" AP mode, which send encrypted traffic to a central WLC via CAPWAP encapsulation.
Please comment on the shown configuration and explain why the drops happen.
CISCO_SWITCH#show policy-map Interface Te6/0/27
TenGigabitEthernet6/0/27
Service-policy input: PM_MARKING
Class-map: CM_VOICE (match-any)
27888774 packets
Match: access-group name ACL_VOICE_UNIFY
Match: access-group name ACL_VOICE_S4B
QoS Set
dscp ef
police:
cir 300000 bps, bc 9375 bytes
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
set-dscp-transmit dscp table policed-dscp
conformed 0000 bps, exceeded 0000 bps
Class-map: CM_MULTIMEDIA (match-any)
0 packets
Match: access-group name ACL_VIDEO_S4B
QoS Set
dscp af41
police:
cir 5000000 bps, bc 156250 bytes
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
set-dscp-transmit dscp table policed-dscp
conformed 0000 bps, exceeded 0000 bps
Class-map: CM_CONTROL (match-any)
303257 packets
Match: access-group name ACL_VOICE_CTRL_UNIFY
Match: access-group name ACL_VOICE_CTRL_S4B
QoS Set
dscp af31
police:
cir 32000 bps, bc 1500 bytes
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
set-dscp-transmit dscp table policed-dscp
conformed 0000 bps, exceeded 0000 bps
Class-map: CM_MED-APP (match-any)
0 packets
Match: access-group name ACL_MED_APP
QoS Set
dscp af21
Class-map: class-default (match-any)
6231941906 packets
Match: any
QoS Set
dscp default
Service-policy output: PM_QUEUING
queue stats for all priority classes:
Queueing
priority level 1
(total drops) 0
(bytes output) 3180186034
Class-map: CM_VOICE-MULTIMEDIA-DSCP_34_46 (match-any)
83121618 packets
Match: dscp ef (46)
Match: dscp af41 (34)
Priority: Strict,
Priority Level: 1
police:
cir 33 %
cir 1650000000 bps, bc 51562500 bytes
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps
Class-map: CM_CONTROL-DSCP_26 (match-any)
990389 packets
Match: dscp af31 (26)
Queueing
(total drops) 0
(bytes output) 0
QoS Set
dscp af31
bandwidth remaining 10%
queue-buffers ratio 10
Class-map: CM_SCAVENGER-DSCP_8 (match-any)
0 packets
Match: qos-group 1
Queueing
(total drops) 0
(bytes output) 0
bandwidth remaining 5%
queue-buffers ratio 5
Class-map: class-default (match-any)
46070025450 packets
Match: any
Queueing
(total drops) 38810978
(bytes output) 2671624291821
bandwidth remaining 30%
queue-buffers ratio 40
Thank You in advance
Wini
Accepted Solutions
12-18-2023 12:31 AM
The most important parts not to forget in all this QoS stuff are 1a) Mark traffic on the client side by creating QoS Policies by application (Zoom, Teams, Jabber, WebEx, Meeting, FaceTime) as Windows does remark all with best effort by default, and 1b) Enable Fastlane and Enforce Apple devices with Fastlane through your MDM (https://support.apple.com/en-gb/guide/deployment/depa2dad3c09/1/web/1.0), and 3) Create QoS profiles behind the WLC (WAN router or FW) to prioritize traffic to/from cloud (Zoom/Teams) or to voice servers at the DC.
We have implemented all of that in my company and end-users QoE has increased a lot.
12-05-2023 12:27 AM
- I would advise not to do this on AP-connected switch ports; note that wireless controllers have features for prioritizing traffic classes such as voice, video, ...; for the wireless environment that is the way to go,
- The basic thing is that it makes no sense because the switchport only terminates 'unknown CAPWAP traffic'
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
12-06-2023 10:08 AM - edited 12-06-2023 10:18 AM
You and Marce are right - this is DUMB - the QOS is destroying service for WiFi users!!!!!!!!
CAPWAP control for APs is UDP 5246 and should always be control plane priority same as BGP, OSPF etc because if that gets dropped the AP loses controller connection.
CAPWAP data for WiFi clients is all UDP 5247 and should not be treated as low priority because it includes all that real-time traffic, and any QOS for that client traffic should be configured on the WLC, not the switch, which then ensures that the AP and WLC treat it with appropriate priority.
Step 1: roll back the switch changes on AP ports ASAP
Step 2: if they want QOS then plan a Cisco approved WiFi QOS solution.
Read Rasika's answer here for a start: https://community.cisco.com/t5/wireless/wireless-qos-best-practise/m-p/2916583/highlight/true#M82534 and https://mrncciew.com/2021/09/24/aireos-qos-recommendations/
And of course Cisco guides:
https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKRST-2515.pdf
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-5_Deployment_Guide/ch5_QoS.html
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-campus-lan-wlan-design-guide.html
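An added illustration (not from the thread or from Cisco) of the point made in the replies above: a policy on the AP's switch port only sees the outer CAPWAP header. The class names and DSCP actions come from the posted output; the voice ACL port range, the addresses and the AP's outer EF/CS6 markings are assumptions.

```python
import struct

CAPWAP_CONTROL, CAPWAP_DATA = 5246, 5247   # UDP ports named in the reply above
EF, AF41, CS6, DEFAULT = 46, 34, 48, 0     # DSCP values
# Hypothetical stand-in for ACL_VOICE_S4B; the thread does not show the ACL entries.
VOICE_UDP_PORTS = range(50000, 50020)

def ipv4_udp(src, dst, sport, dport, dscp, payload):
    """Build a minimal IPv4+UDP packet (checksums left 0, enough to classify)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    addr = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(udp),
                     0, 0, 64, 17, 0, addr(src), addr(dst))
    return ip + udp

def capwap(ap_ip, wlc_ip, dport, outer_dscp, inner=b""):
    """Tunnel packet as the switch sees it: outer IP/UDP plus opaque payload.
    The 8 zero bytes are a placeholder, not a real CAPWAP header or DTLS record."""
    return ipv4_udp(ap_ip, wlc_ip, 5264, dport, outer_dscp, b"\x00" * 8 + inner)

def pm_marking(packet):
    """Model of the input policy: match the OUTER header, then rewrite its DSCP."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] == 17:                       # UDP
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        if dport in VOICE_UDP_PORTS:
            return "CM_VOICE", EF
    return "class-default", DEFAULT           # 'QoS Set dscp default' in the output

def pm_queuing(dscp):
    """Model of the output policy: EF/AF41 to the priority queue, the rest to default."""
    return "priority level 1" if dscp in (EF, AF41) else "class-default"

def trace(packet):
    """Return (input class, DSCP after marking, output queue) for one packet."""
    cls, dscp = pm_marking(packet)
    return cls, dscp, pm_queuing(dscp)

# Constructed sample packets (addresses and ports are made up).
wired_call = ipv4_udp("10.1.1.10", "10.9.9.9", 50004, 50004, DEFAULT, b"rtp")
inner_call = ipv4_udp("10.3.3.30", "10.9.9.9", 50004, 50004, EF, b"rtp")
wifi_call = capwap("10.2.2.20", "10.8.8.8", CAPWAP_DATA, EF, inner_call)
ap_control = capwap("10.2.2.20", "10.8.8.8", CAPWAP_CONTROL, CS6)

if __name__ == "__main__":
    for name, pkt in [("wired call", wired_call), ("wifi call", wifi_call),
                      ("capwap control", ap_control)]:
        print(f"{name:15s}", trace(pkt))
```

In this model the tunnelled call and the CAPWAP control packet both lose their outer marking at ingress and land in the output class-default queue, the only queue with drops in the posted counters.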
12-06-2023 10:35 AM
Apply QoS to all other interfaces except those that connect to an AP.
The AP tunnels traffic to the WLC; if the tunnel fails then it switches locally.
MHM
12-19-2023 10:39 PM
Thank you all for your valuable answers.
I will ask our Network Base Team to delete the QoS policy map rules on switch-ports used for WLAN APs in this big hospital.
Merry Christmas and a Happy New Year from Frankonia
Wini
