04-12-2016 08:25 PM - edited 07-05-2021 04:53 AM
Hi,
I have manipulated the QOS bronze class applicable to our wireless Guest network, setting the 802.1p tag to 1 (AF11) on the Cisco WLC configuration - see attached pic.
The silver class applicable to Corp Traffic has been left to default values, so from what I understand will default to a 802.1p tag of 0.
According to 802.1p priority queues:
Value of 1 - will be placed in the Q0 (lowest queue)
Value of 0 - will be placed in Q1
This is actually the desired outcome in our configuration. Do you agree with the above?
Question time:
Cisco recommend switchports connected to H-REAP/FlexConnect APs with at least one locally switched WLAN should be trunk ports set with the mls qos trust cos command.
1) Does the switchport connected to the wifi AP have to be a trunk? From my understanding 802.1p is essentially the COS value and the COS value can only exist on an 802.1q tagged trunk port? Correct? If so, that would suggest the port has to be in trunk mode and not access mode for the marking to be visible? I'm asking because our AP switchports are currently set to access mode and I'm not sure if they need to be trunks?
2) If the switchport connected to the AP is configured with the mls qos trust cos command is this all the config that is required? Is there any other config required on the lightweight AP as the AP will be doing the marking?
Thanks,
04-12-2016 09:58 PM
1) Does the switchport connected to the wifi AP have to be a trunk?
If AP is in Flexconnect mode, then yes, you need to configure switchport as trunk port. See this post for QoS concerns in that situation.
https://mrncciew.com/2013/07/23/qos-for-h-reap/
If APs are in local mode, then switchport should be in Access port & trusting DSCP is the best practice.
2) If the switchport connected to the AP is configured with the mls qos trust cos command is this all the config that is required? Is there any other config required on the lightweight AP as the AP will be doing the marking?
'mls qos trust cos' is required only if you configure that switchport as trunkport & FlexConnect AP connects to it.
If AP is in local mode, read below post for better understanding how QoS works
https://mrncciew.com/2012/11/28/understanding-wireless-qos-part-1/
Again if you are running 8.0 or above code you have some other options as well. Refer this video for more details
https://www.youtube.com/watch?v=PhmhIojaEE8
HTH
Rasika
*** Pls rate all useful responses ***
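An added illustration (not part of the thread) of the point in the question and answer above: the 802.1p CoS value lives in the 802.1Q tag, so it exists only on tagged (trunk) frames, while DSCP lives in the IP header and is present on an access port too. The frames are constructed samples and the function names are hypothetical.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def qos_markings(frame: bytes) -> dict:
    """Return the layer-2 CoS (802.1p PCP), VLAN ID and layer-3 DSCP of a frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    cos = vlan = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3-bit PCP (CoS) | 1-bit DEI | 12-bit VLAN ID
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        cos = tci >> 13
        vlan = tci & 0x0FFF
        offset = 18
    dscp = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        # Second byte of the IPv4 header: upper 6 bits are DSCP, lower 2 are ECN
        dscp = frame[offset + 1] >> 2
    return {"cos": cos, "vlan": vlan, "dscp": dscp}


def build_frame(dscp: int, cos: int = None, vlan: int = None) -> bytes:
    """Constructed sample frame: zeroed MACs and a minimal 20-byte IPv4 header."""
    macs = bytes(12)
    ip = bytes([0x45, dscp << 2]) + bytes(18)
    if cos is None:
        # Untagged frame, as sent on an access port
        return macs + struct.pack("!H", ETHERTYPE_IPV4) + ip
    tci = (cos << 13) | vlan
    return macs + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    AF11 = 10  # DSCP decimal value for AF11
    # Trunk port: tagged frame carries both CoS and DSCP (VLAN 20 is a sample value)
    print("trunk :", qos_markings(build_frame(AF11, cos=1, vlan=20)))
    # Access port: no 802.1Q tag, so there is no CoS for the switch to trust
    print("access:", qos_markings(build_frame(AF11)))
```
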
04-13-2016 12:15 AM
Thanks!! So with version 8 (which we are running), what they are saying is the 802.1p configuration under the QOS profiles is irrelevant. You just configure trust dscp between your WLC and connected switch, as well as on the trunk interfaces to wifi access points? That's all you need to do to get basic QOS configured?
04-13-2016 08:00 PM
Yes, that's correct. Remember that above video talks about local mode AP operation.
I would test it in FlexConnect & see how it works prior to trusting DSCP on the AP connected switchport.
HTH
Rasika
*** Pls rate all useful responses ***
05-23-2016 02:46 AM
Just coming back to this topic, what if you want your AP to be the starting point of your trust boundary...
So my understanding of our previous discussion and my general understanding of Cisco QOS, first I should clarify:
- if a packet arrives at an AP from a trusted Cisco device - like a Cisco softphone for example the QOS marking will be trusted (if the port is configured with mls qos trust dscp) and that dscp value will be passed onto the next hop.
- if a packet arrives at an AP from a non Cisco device it will be remarked and put into best effort class of 0?
next question will be based on the answer :) thanks
05-23-2016 04:58 PM
- if a packet arrives at an AP from a trusted Cisco device - like a Cisco softphone for example the QOS marking will be trusted (if the port is configured with mls qos trust dscp) and that dscp value will be passed onto the next hop.
- if a packet arrives at an AP from a non Cisco device it will be remarked and put into best effort class of 0?
AP can't do this. This trust boundary concept is available in Cisco catalyst switch platforms & not in AP.
Also, the mode the AP operates in is important from a QoS perspective. If AP is in FlexConnect mode, then AP will simply drop the traffic to the directly connected switch.
If AP operates in Local mode, then traffic will be tunneled (CAPWAP) back to WLC, so only the WLC connected switch will see the IP packet as it is (all interim devices will see CAPWAP encapsulated packets and QoS settings of those headers are derived at the AP for upstream traffic & at the WLC for downstream traffic)
HTH
Rasika
05-24-2016 01:44 AM
Interesting thanks
I'm running flexconnect mode (centrally switched) for the guest network and my objective is to mark all traffic on this SSID with the AF11 class under the bronze qos profile.
I'm also running flexconnect mode (locally switched) for the corp SSID on the silver qos profile
09-03-2019 09:30 AM - edited 09-03-2019 09:30 AM
Hi Rasika, just a clarification:
As indicated here on WLC side (>8.0) we have to trust the controller with:
mls qos trust dscp
About the AP, if they are central switched:
mls qos trust dscp
But if they are in FlexConnect mode, with some SSID with outgoing local traffic (FlexConnect Local Switching + Central-Auth), and other SSID in Central-Switching. Which is the best choice? Reading here I understand that DSCP trust is still the most appropriate choice (as well the simple CAPWAP traffic on the native VLAN is correctly marked).
What could be the case where Trust DSCP choice is not adequate? (maybe something has changed in these 5 years since the draft of the article)
Thanks
09-03-2019 01:01 PM
Hi Ricardo,
For local switching traffic, you have to trust CoS for the switchports that are connected to FlexConnect APs.
Since you have mix of Central Switching SSID & Local Switching SSID, first decide what is most important. If it is central switching, then trust DSCP else CoS.
HTH
Rasika
*** Pls rate all useful responses ***