After reading a few online posts about wireless QoS, I felt it was worth spending some time to understand what’s going on at the packet level. So this will be the first part of a series of wireless QoS related posts. I have used the following lab setup for this exercise.
In this part, I will look at how the QoS parameters (primarily the DSCP/CoS tag) of a packet change when it traverses from a wireless client (C7921) to a wired client (PC). Before looking into the packet captures, this is my basic understanding of how it should work.
1. If the wireless client device is WMM capable, it will classify its application traffic into 8 user priorities (UP) & four Access Categories (Voice-VO, Video-VI, Best Effort-BE, Background-BK). In this case, RTP media traffic with DSCP EF is marked as WMM_UP of 6 & TCP control traffic with DSCP CS3 as WMM_UP of 4.
2. When the AP receives this traffic, it encapsulates the original packet into CAPWAP and adds an outer DSCP value based on the WMM_UP, as long as the QoS profile configured on the WLC allows that level of QoS.
3. The CAPWAP packet source is the Access Point IP & the destination IP is the WLC ap-manager IP (on a 5508 just the mgt IP, as there is no ap-manager interface). The source port is a high random UDP port & the destination is UDP 5247 (capwap-data).
4. This outer DSCP value corresponds to the WMM user priority (UP) of the incoming frame from the client, capped at the maximum allowed by the QoS profile (Platinum, Gold, Silver, Bronze) configured on the WLC.
5. If the switchport connected to the AP is configured to trust DSCP, it will trust this outer DSCP.
6. If the packet is sent to a trunk port, the switch will derive a CoS/802.1p value based on the outer DSCP trusted at the AP-connected switch port.
7. When the packet reaches the WLC, & prior to sending it to the wired side, the WLC will re-write the CoS value based on the capped DSCP value (or outer DSCP) of the packet received from the AP.
8. When the packet goes from the WLC to the wired PC, if the switchport connected to the WLC is configured to trust CoS, it will trust the CoS & derive a DSCP value based on the cos-dscp table mapping on the switch.
9. The packet is then sent to the wired client, & the original DSCP value may be altered depending on how these mappings/QoS profiles are configured in the network environment.
If you capture wireless traffic over the air on the channel where the AP is operating (see my post “Capturing Wireless Packets – Free Tool” for how you can do this), you can see how the phone sets WMM values in 802.11 frames when it sends them to the wireless media. As you can see, the C7921 (10.10.15.53) phone sets the DSCP of its RTP traffic destined to the wired PC (192.168.1.10) to EF.
Prior to sending this 802.11 frame into the wireless media, the QoS of the 802.11 frame is set to a WMM_VO priority of 6 for voice traffic (this is different from the Cisco/IETF setting for voice traffic; see the mapping table further down in this post). Through the wireless media this packet gets priority, as the contention window for WMM_VO packets is smaller than that for other (WMM_VI, WMM_BE, WMM_BK) wireless packets.
Next we will see what the packet capture looks like at the AP-connected switch port (Fa1/0/13). You will notice the original packet is CAPWAP encapsulated.
If you read it from bottom to top, you will see the original packet is from the wireless phone (C7921) to the PC IP (192.168.1.10) with an RTP payload (dest UDP port range 16384-32767). This is marked with DSCP EF by the WMM-capable wireless phone.
At the Access Point, the AP encapsulates this packet into CAPWAP (dest port 5247) & sends it to the WLC ap-mgr IP (as 44xx controllers have an ap-mgr interface; a 5508 uses just the WLC mgt IP). The AP adds the outer DSCP according to the incoming frame's WMM_UP value & the QoS profile configured on the WLAN. In my example I have configured the Platinum QoS profile, which is the highest QoS profile, meant for sensitive traffic such as VoIP. The AP will map WMM_UP 6 into DSCP EF (see the mapping table shown at the bottom of this post) in the outer IP header.
But if you look at the same packet on G1/0/1 (towards the WLC, see the capture below) you will see this outer DSCP value has been changed to 0. Why is this?
This is because switch ports do not trust the DSCP/CoS of an incoming packet by default. Therefore, even though the packet coming into Fa1/0/13 is marked with EF (mapped to the outer DSCP), the switch will rewrite it to DSCP 0 before sending it out of G1/0/1. If you configure “mls qos trust dscp” on Fa1/0/13, then the packet capture at G1/0/1 will look something like the one below. Note that the outer DSCP value is now preserved as EF.
If you look at the G1/0/1 captures carefully, you will see there are two packets corresponding to this conversation (7921 -> PC): one with CAPWAP encapsulation (from the AP to the WLC) & the other a normal packet towards the wired PC. The packet towards the PC should have the original DSCP setting (EF). The capture below confirms that.
But if you look at the outgoing packet at Fa1/0/4 (towards the CME & wired PC), you will see the DSCP value change to 0 again. This is due to the same reason: Gi1/0/1 will not trust the DSCP/CoS value of an incoming packet by default, & the switch rewrites it to DSCP 0.
To preserve the original DSCP value you have to configure “mls qos trust dscp|cos” on the interface connected to the WLC. Cisco’s best practice is to trust the CoS value, as the switch port is configured as a Layer 2 trunk. The switch will then trust the CoS value of the incoming packet from the controller & re-write the DSCP corresponding to this CoS value prior to sending it to the wired infrastructure (via Fa1/0/4). Below is the capture at Fa1/0/4 when the WLC-connected switch port (G1/0/1) is configured for “mls qos trust cos”.
You can still configure “mls qos trust dscp” here & preserve the QoS values end to end. In that case the switch will not re-write the DSCP based on the incoming CoS value, & hence the WLC QoS values cannot be imposed on user traffic.
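The following are the QoS-related configs on CAT2: the global CoS-to-DSCP map, “mls qos trust dscp” on the AP port (Fa1/0/13) and “mls qos trust cos” on the WLC trunk (G1/0/1).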
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos trust dscp
description WLC1 Trunk
mls qos trust cos
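The trust behaviour seen in these captures can be modelled directly. The Python below is an added example, not part of the original post: it parses IOS-style QoS lines and predicts the outer DSCP leaving G1/0/1 towards the WLC and the inner DSCP leaving Fa1/0/4 towards the wired PC. The `interface` lines in the sample config, the numeric-minimum profile cap, the default map used when none is configured, and the `wlc_cos` input are assumptions.

```python
# Added example. The QoS lines are the post's CAT2 config; the "interface"
# lines are assumed from the port names the post uses (constructed sample).
SAMPLE_CONFIG = """\
mls qos map cos-dscp 0 8 16 24 32 46 48 56
interface FastEthernet1/0/13
 mls qos trust dscp
interface GigabitEthernet1/0/1
 description WLC1 Trunk
 mls qos trust cos
"""

EF, AF41 = 46, 34
# Maximum outer DSCP per WLAN QoS profile, as stated in the post.
PROFILE_MAX_DSCP = {"platinum": EF, "gold": AF41}

def parse_qos(config):
    """Return (cos_dscp_map, {interface: trust_mode}) from IOS-style text."""
    cos_dscp = [0, 8, 16, 24, 32, 40, 48, 56]  # assumed default when no map is set
    trust, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:4] == ["mls", "qos", "map", "cos-dscp"] and len(words) == 12:
            cos_dscp = [int(v) for v in words[4:]]
        elif words[:1] == ["interface"] and len(words) > 1:
            current = words[1]
            trust[current] = "untrusted"  # ports do not trust markings by default
        elif words[:3] == ["mls", "qos", "trust"] and len(words) > 3 and current:
            trust[current] = words[3].lower()
    return cos_dscp, trust

def ap_outer_dscp(up_dscp, profile):
    """Outer CAPWAP DSCP from the frame's WMM UP, capped (numeric min, simplified)."""
    return min(up_dscp, PROFILE_MAX_DSCP[profile])

def ingress_dscp(trust_mode, dscp, cos, cos_dscp):
    """DSCP a QoS-enabled switch carries forward for a frame arriving on a port."""
    if trust_mode == "dscp":
        return dscp
    if trust_mode == "cos":
        return cos_dscp[cos]
    return 0  # untrusted port: re-marked to DSCP 0

def trace_upstream(config, profile, up_dscp, inner_dscp, wlc_cos):
    """Predict the two values the post captures on G1/0/1 and Fa1/0/4."""
    cos_dscp, trust = parse_qos(config)
    ap_port = trust.get("FastEthernet1/0/13", "untrusted")
    wlc_port = trust.get("GigabitEthernet1/0/1", "untrusted")
    outer = ap_outer_dscp(up_dscp, profile)
    return {
        # CAPWAP arrives untagged on the AP access port, so CoS is 0 there.
        "outer_to_wlc": ingress_dscp(ap_port, outer, 0, cos_dscp),
        "inner_to_pc": ingress_dscp(wlc_port, inner_dscp, wlc_cos, cos_dscp),
    }

if __name__ == "__main__":
    # wlc_cos=5 is an assumed sample value for the tag the WLC sets on the trunk.
    print(trace_upstream(SAMPLE_CONFIG, "platinum", EF, EF, 5))
```

Passing `up_dscp=0` with `inner_dscp=EF` models a client that marks the IP packet but not the 802.11 frame: the outer DSCP is 0 no matter what the switch trusts.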
The following diagram summarizes these QoS parameter mappings at the AP & WLC in a unified wireless deployment model (CAPWAP). We looked at Step 3 & 4 in this post.
Since my WLAN QoS profile is set to Platinum, the outer DSCP value remained EF. But if my QoS profile were Gold, what would the outer DSCP be when the packet leaves the AP? It won’t be EF, as the Gold QoS profile does not allow EF (max is AF41). So the outer DSCP is capped to AF41 (even though the inner DSCP is EF). The table below shows the WMM user priority values & the corresponding DSCP mapping values in each QoS profile.
The two YouTube videos below from Jerome Henry explain this in detail & you must watch them.
Wireless QoS, part 3-a by Jerome Henry
Wireless QoS, part 3-b by Jerome Henry
In the next post we will see how the QoS values of the return traffic (PC -> C7921) change at the transit points (Fa1/0/4, G1/0/1, WLC, Fa1/0/13 & AP).
1. Understanding Wireless QoS – Part 2
2. Understanding Wireless QoS – Part 3
3. Understanding Wireless QoS – Part 4
4. Understanding Wireless QoS – Part 5
5. 3750/3560/2960 Wired QoS
6. Who do you trust ? (DSCP or CoS)
7. BYOD with QoS
8. QoS for H-REAP
9. VoIP Phone – Switchport Config
10. Autonomous AP – QoS
11. AAP QoS – A Closer Look
12. WMM & QoS Profile
Reblogged this on MisterDTV and commented:
Woh! A deep dive, but quite insightful. Gives the reader an appreciation that QoS does NOT happen by magic!
Yes it is. I had to dig deep like this as I am preparing for my CCIE-Wireless exam. Day by day it is getting interesting as I realize how QoS works bit by bit in a wireless environment.
Prasanna Yabaluri said:
Very helpful post! Many thanks!
You are welcome, Happy to share the knowledge as I gain…
That’s a very useful blog. Thanks very much for the detailed descriptions.
I have a question with regard to the Per-User Bandwidth Contracts QoS Profile configuration. Does this influence the bandwidth only between the AP and the clients, or between the AP and WLC as well?
Thanks for the feedback.
Regarding your question about per-user bandwidth in the QoS profile, it depends on the software code. In software code 7.0.x it only works for downstream traffic from AP to client. From 7.2 onwards Cisco improved this to limit both upstream & downstream.
Once you restrict the traffic rate at one place, it affects the entire flow (usually between two hosts). Therefore WLC-AP or AP-WLC does not matter too much.
I have done a quick post on this feature specific to 126.96.36.199 code, which is in the CCIEW v2.0 lab exam. Have a look.
Thank you for answering my question. That helps a lot.
I have a question which is not related to QoS. I hope you don’t mind me posting it here. I am a bit confused about WLAN association with VLAN dynamic interfaces. I have seen a configuration on a WLC where multiple VLANs are configured. Only some of them are associated with WLANs, but the clients are connected fine on these VLANs.
I thought that a dynamic VLAN has to be associated with a WLAN, or be a member of an interface group which is associated with a WLAN, to work properly. Would you be able to advise?
You can use the AAA override feature to override the interface assigned to a WLAN. For example, say you configured a WLAN mapped to vlan 11 in the WLAN configuration. If required, you can assign vlan 21 (you have to configure it on the WLC) by using AAA override for certain users depending on your requirement (e.g. staff users, users who use PEAP, etc). The RADIUS server has to be configured with the circumstances under which you need to override the VLAN assignment.
I will do an AAA override in ACS 5.2 post soon. You can get a better explanation through that.
I would change the mapping to mls qos map cos-dscp 0 8 16 26 32 46 48 56
This will map CoS 3 = 26.
Cisco has changed signalling traffic DSCP from AF31 (26) to CS3 (24) with recent codes. So current best practice is to map it to CS3.
In the exam, yes, it depends on what they ask for. If 26, then yes, map CoS 3 = 26.
Here is some info from Jerome
thanks for feedback
The best article I found on that matter.
You should sell it to Cisco 🙂
Thanks for your feedback….Great to see that helps you…
I like your idea & at the moment I am selling this to everyone of you Free of Charge… including Cisco…
Vinod Rathore said:
Before implementing the AVC feature on the WLC, I captured traffic from a wireless client (laptop) to one of the real presence g/w and found the traffic from AP to laptop has the QoS_control_WMM field with Best_Effort marking.
As soon as I enabled AVC on the WLC, I was expecting voice/video traffic to be marked as defined under the AVC profile, but it was not there; even the QoS_control_WMM field is not present under the Wi-Fi control frame ….. ???
Do you have any idea why?
(FYI – I was capturing traffic from the same laptop which was acting as the wireless client in this case)
AVC works at the WLC level. So it won’t help to classify traffic at the wireless client level until it gets to the WLC (upstream direction).
Even if your wireless clients are WMM capable, your application (real presence) may not classify the traffic correctly. So nothing can be done unless the application vendor makes some improvement (same goes for Skype, etc).
In the downstream direction, you should see traffic get correctly classified, as traffic hits the WLC first before it comes to the wireless client.
Vinod Rathore said:
Hello Rasika, wish you a happy new year ….. 🙂
I am doing the same test.
As per your scenario, when I am capturing the traffic on port number F1/0/13 I can see the DSCP value EF under CAPWAP, but it is not rewriting that value to the outer DSCP and it is showing me 0x00 ..
I have set the 802.1e value under the SSID to Platinum (WLAN > edit > SSID > QoS = Platinum); it means when traffic comes to the AP it would write the value 6 (802.1p), and under CAPWAP the DSCP value would remain EF/46 …. right?
But I am getting an outer DSCP value of 0 …
Vinod Rathore said:
I have also enabled mls qos on the switch and put the mls qos trust dscp command on the AP-connected interface …
The outer CAPWAP header DSCP is always based on the wireless frame WMM_UP (or 802.11e) value. Even though your wireless client IP packet has EF, the wireless frame UP value may be 0. That’s why your AP maps 0x00 in your outer CAPWAP header as DSCP.
You can do a wireless sniff to verify the UP value of the incoming wireless frame to your AP. Are you using a Cisco IP phone or something else?
Vinod Rathore said:
I am using a laptop as the wireless client and that is marking traffic to DSCP 46.
However, when I look at the client properties on the WLC for that laptop, it shows me –
WMM State – Enabled
QoS Level – Platinum
802.1p Tag – 6
It means the client is WMM enabled …
I understand that you mean a WMM client should set WMM_UP, and when I capture traffic I should see the QoS Control field under IEEE802.11, but it is not present there in my capture … that’s what I explained somewhere in my earlier posts … 🙂
Yes, most wireless clients do not mark these WMM_UP values correctly. Laptops always send BE in WMM_UP values.
If you cannot see the QoS control field on the wireless frame, that means the client is not setting it at all. You can verify this by setting “WMM Required” under the WLAN QoS setting tab. Once you do this, if your client cannot connect, that means the client is not WMM capable (try that & see). If the client connects, then the wireless frame should have the QoS control field.
Use a Cisco 7925G or 7921G, as they mark these UP values correctly.
Wireless QoS, part 3-a not working, pls help
This is the direct link. Pls check
Great post I still have to read the whole thing and I’m trying to understand this. I do have a quick question. So looks like on the trunk port to WLC “trust cos” is a best practice. On the access port to the AP’s “trust dscp” is a best practice. What about the switch connecting to the router? To make all this work the right way is it safe to say that we will follow the same logic, such as if the switch is connecting to the router with a trunk port (sub interfaces on the router) then we would do “trust dscp” but if the switch is connected via an access port to the router we would go with “trust cos”?
The simple rule is, when you configure a switchport, QoS details in the L2 frame come in the 802.1q header. So if you want to trust the QoS setting done by the connected device, we have to trust CoS.
If a switchport is configured as an access port, the QoS setting is in the IP header (DSCP value), so the only option is trust DSCP if you are trusting the DSCP value set by the connected device.
Hope that clears your doubt.
Thank you for the explanation. So as you said, if the switch port is configured as an access port, the QoS setting is in the IP header. Now if that is the case and I have a trunk port going to the WLC, why would we want to use “trust dscp”? Now Cisco doesn’t recommend it, but you mentioned that you have used it on the trunk port. Any specific reason for that?
On WLC-connected trunk ports, we have to trust CoS as you have to trust what the WLC sets in that field (otherwise the original packet DSCP value is preserved & the WLC override won’t be preserved).
In cases like inter-switch trunk links (Access to Distribution/core, Distri-Distri/core) we trust DSCP, as packet classification (mostly DSCP) happens at the access layer & we want to preserve that classification throughout. So you have to trust DSCP in that case.
Hope it is clear.
It is a really very useful post that explains what happens in a clear way, but I have a question:
Is it a must to dedicate an SSID for voice and video to configure QoS?
Can I do QoS for voice, video and data in the same SSID (because in my case I have only one PC or smartphone that is browsing, doing calls and also receiving video)?
Also, my platform is CT5760.
Yes, you have to configure that SSID with Platinum profile & do necessary optimization of other settings.
So you mean, in a clear way, that a user with a smartphone should connect to the normal SSID if he just wants to browse, and should disconnect and connect to the voice SSID if he wants to make a call. Is what I understand correct?
Another question: in the CT5700 there is no Platinum or Gold profile under the SSID; it is something like (SSID ingress and SSID egress & client ingress and client egress),
and under the whole QoS tab there are three targets (SSID, client and port). Is this a new trend in QoS?
No, you should have a single SSID which will give all the services (Voice, Video & Data) to fulfill the given requirement.
Using a service policy you should be able to configure a “platinum” profile equivalent config on your 5760.
But what confuses me is that, if this is applicable, in this situation there is no need to configure any QoS profile (Platinum, Gold, etc) under this single SSID, am I right?
Because as I understand it, all traffic that the SSID receives will be considered, for example, as voice.
Read this & see, that should help you.
Many thanks, I will read it. I think it will help me.
Thanks for this lovely post. I always find myself on your site when I get a wireless deployment issue! Fantastic info 🙂
I do need clarification with this one though.
So if I choose a QoS profile for an SSID on the WLC with AF41, Wireshark shows traffic from client to www marked as AF41, but return traffic is not marked. I am told marking for return traffic has to be done on the switches/routers?
The QoS profile sets the max DSCP value allowed in that SSID. If you configure it as “Gold”, values up to AF41 are allowed.
In your case, if wireless client traffic is marked properly (this has to be done by the client itself), then at the AP level the wireless frame QoS field (UP – User Priority) is mapped to the CAPWAP header DSCP field. It looks like you get AF41 there.
On return traffic, traffic first comes from the wired side to the WLC. Before it comes to the WLC you need to ensure traffic is properly marked with appropriate DSCP values. Then if you configure trust CoS on the WLC-SW trunk link, you should be able to see the appropriate DSCP value set in the outer CAPWAP header (DSCP). So at the AP this will translate to the proper UP value in the wireless header.
Hope that is clear.
Yes it does. Thanks a lot for this.
Hi, great post. I want to ask one query regarding source and destination IP in CAPWAP mode at different levels: 1) Client to AP – Src IP – client, Dst IP – server. 2) At AP – Src IP – AP, Dst IP – WLC AP mgr IP. 3) At WLC – Src IP – ?, Dst IP – actual server. As per my understanding, the source IP should be the WLC AP MGR IP or mgmt IP. Please revert.
The original IP packet Src_IP or Dst_IP won’t change during this flow.
At the AP, it will simply encapsulate in CAPWAP (another IP header). So in this outer IP header, Src_IP will be the AP mgt IP & Dst_IP would be the WLC mgt or ap-mgr.
At the WLC it will simply remove this outer header & forward it to the wired switch to send it to the final destination. The original IP packet will be encapsulated with an L2 (802.1q) header as the link between WLC & SW is a trunk. So the original packet Src_IP & Dst_IP will be preserved.
Hey there, very nice article. My question is, when a WMM client is transmitting traffic in, for example, the Voice AC does it use the AIFSN/CW/etc values from what the AP is advertising in beacons (WMM IE)? For example, by default the AP advertises the Voice AC AIFSN as 2. If the AP advertises the AIFSN as 100 (hypothetically), would the client use this value?
I do not think so.
If you found more info on this share it with me as well 🙂
Thank you very much for this useful and valuable explanation.
My question is :
I have a WLC 5508 connected to a 7k (F2 series); should I configure the 7k switchport trunked to the WLC with CoS, or is it already enabled on the 7k by default?
I really appreciate your kind support.
Not sure exactly, but the 7K config guide should state what the default behaviour is.
A single WLC can have multiple APs of various models (1130, 1140, 2600, 3600); would each AP model respond to this QoS configuration differently?
Aldrin Luigi said:
Great work! Thanks for sharing it with us.
Thank you Aldrin,
mohamed Elaidi said:
Hello to the great community,
I wish I could get help on an urgent subject: I’m using a non-Cisco environment and working to enhance QoS performance. I realize that I have low speed and increased latency on WiFi compared to wired (using Ethernet) in my network.
Since this is an urgent case, I would simply like to know: what parameters should I check in the capture/trace in order to compare performance between 2 different CPEs (wireless in a fixed network FTTH/xDSL), and are these configurable or not (fixed by the standard)? If adjustable, what values do you recommend?
It’ll be great as well if you have some examples of captures comparing different QoS rule implementations.
Otherwise the blog is just particular! I couldn’t find anyone sharing his knowledge/effort as far as the editor does.
Thanks in advance.
Malek Eljadidi said:
Small question: can you cheat the priority system in an 802.11 stream?