In this post we will look at a wireless bridge configuration with QoS. Here is the topology for this post.
A VoIP phone (vlan 1) and a laptop (vlan 6) are connected to a 2960 switch, which is connected to the Non-Root Bridge AAP2 (3502). A 3750 switch is connected to the Root Bridge AAP1 (1142), and a wireless bridge is set up between AAP1 & AAP2 with native vlan 999. All SVIs and DHCP pools are defined on the 3750 switch. A wireless phone is connected to the network via a LAP (L1130) controlled by a WLC (4402-3).
I have not used any security for encryption/authentication (for simplicity). Also, only the 5 GHz radio (int d1) is configured. Here is what the Root Bridge (AAP1) configuration looks like.
hostname AAP1
!
dot11 ssid MGMT
 vlan 999
 authentication open
 infrastructure-ssid
!
interface Dot11Radio1
 ssid MGMT
 station-role root bridge
!
interface Dot11Radio1.1
 encapsulation dot1Q 1
 bridge-group 10
!
interface Dot11Radio1.6
 encapsulation dot1Q 6
 bridge-group 60
!
interface Dot11Radio1.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1
 bridge-group 10
!
interface GigabitEthernet0.6
 encapsulation dot1Q 6
 bridge-group 60
!
interface GigabitEthernet0.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.99.99 255.255.255.0
!
ip default-gateway 192.168.99.1
Here is the Non-Root Bridge (AAP2) configuration.
hostname AAP2
!
dot11 ssid MGMT
 vlan 999
 authentication open
 infrastructure-ssid
!
interface Dot11Radio1
 ssid MGMT
 station-role non-root bridge
!
interface Dot11Radio1.1
 encapsulation dot1Q 1
 bridge-group 10
!
interface Dot11Radio1.6
 encapsulation dot1Q 6
 bridge-group 60
!
interface Dot11Radio1.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface g0.1
 encapsulation dot1Q 1
 bridge-group 10
!
interface g0.6
 encapsulation dot1Q 6
 bridge-group 60
!
interface g0.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.99.100 255.255.255.0
!
ip default-gateway 192.168.99.1
Once you configure the bridges as above, you should see AAP2 associated to AAP1. Your PC & 7965 phone should get IP addresses from their respective vlans via DHCP configured on the 3750. You can verify the AAP2 association as below.
AAP1#sh dot11 ass
802.11 Client Stations on Dot11Radio1:
SSID [MGMT] :
MAC Address     IP address       Device      Name   Parent          State
64ae.0c91.9420  0.0.0.0          Br-client   -      64ae.0c93.7590  Assoc
64ae.0c93.7590  192.168.99.100   bridge      AAP2   self            Assoc

AAP1#show dot11 associations all-client
Address : 64ae.0c91.9420   Name : NONE
IP Address : 0.0.0.0   Interface : Dot11Radio 1
Device : Br-client   Software Version : NONE
CCX Version : NONE   Client MFP : Off
State : Assoc   Parent : 64ae.0c93.7590
SSID : MGMT   VLAN : 0
Hops to Infra : 0
Clients Associated: 0   Repeaters associated: 0

Address : 64ae.0c93.7590   Name : AAP2
IP Address : 192.168.99.100   Interface : Dot11Radio 1
Device : bridge   Software Version : 12.4
CCX Version : 5   Client MFP : Off
State : Assoc   Parent : self
SSID : MGMT   VLAN : 999
Hops to Infra : 1   Association Id : 1
Clients Associated: 1   Repeaters associated: 0
Tunnel Address : 0.0.0.0
Key Mgmt type : NONE   Encryption : Off
Current Rate : 54.0   Capability : WMM ShortHdr 11h
Supported Rates : 54.0
Voice Rates : disabled   Bandwidth : 20 MHz
Signal Strength : -50 dBm   Connected for : 137591 seconds
Signal to Noise : 42 dB   Activity Timeout : 29 seconds
Power-save : Off   Last Activity : 1 seconds ago
Apsd DE AC(s) : NONE
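The same "show dot11 associations all-client" output also records how each link is protected (the "Key Mgmt type" and "Encryption" fields). The following is an added example, not part of the original post, that parses that output and lists stations associated without key management or encryption; the function names are hypothetical, the sample is constructed from the AAP2 entry above, and it assumes the two columns are separated by at least two spaces.

```python
import re

# Constructed sample, trimmed from the output shown above (columns separated by 2+ spaces).
SAMPLE = """\
Address : 64ae.0c91.9420   Name : NONE
Device : Br-client   Software Version : NONE
State : Assoc   Parent : 64ae.0c93.7590

Address : 64ae.0c93.7590   Name : AAP2
Device : bridge   Software Version : 12.4
State : Assoc   Parent : self
SSID : MGMT   VLAN : 999
Key Mgmt type : NONE   Encryption : Off
Signal Strength : -50 dBm   Connected for : 137591 seconds
"""

# One "Key : value" cell; a value ends at a run of two or more spaces or at end of line.
FIELD = re.compile(r"([A-Za-z][A-Za-z ()-]*?)\s*:\s+(\S.*?)(?=\s{2,}|$)")

def parse_associations(text):
    """Split the output into one dict per associated station."""
    stations = []
    for line in text.splitlines():
        for key, value in FIELD.findall(line):
            if key == "Address":          # every station entry starts with its MAC
                stations.append({})
            if stations:
                stations[-1][key] = value
    return stations

def unprotected_links(text):
    """Return (name, address, ssid) for stations associated with no key management or encryption."""
    hits = []
    for s in parse_associations(text):
        # Entries without an Encryption field (the Br-client row) are not judged.
        if s.get("State") != "Assoc" or "Encryption" not in s:
            continue
        if s["Encryption"] == "Off" or s.get("Key Mgmt type") == "NONE":
            hits.append((s.get("Name"), s["Address"], s.get("SSID")))
    return hits

if __name__ == "__main__":
    for name, address, ssid in unprotected_links(SAMPLE):
        print(f"{name} ({address}) on SSID {ssid}: no key management / encryption")
```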
Now if you want to make sure QoS is configured end to end (VoIP phone to wireless phone) you can verify it like this. We will start from the 7965 end.
1. Since the phone is connected to a switchport where a voice vlan is configured, you have to trust CoS on R2960 G0/1. You have to ensure QoS is enabled on the switch and that the CoS-to-DSCP map has 5 -> 46 & 3 -> 26 for at least these two types of traffic (if you want any other DSCP values you can change this mapping table).
mls qos
mls qos map cos-dscp 0 10 18 26 34 46 48 56
!
interface GigabitEthernet0/1
 description VOIP+PC
 switchport access vlan 6
 switchport mode access
 switchport voice vlan 1
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 spanning-tree portfast
2. Then AAP2 is connected to R2960 via a trunk port. Traffic coming from the phone is already trusted at G0/1, so the QoS configuration on G0/8 won’t impact traffic originating from the 7965. But traffic going to the 7965 is impacted by the QoS config on G0/8. Since AAP2 translates the wireless frame UP value to a CoS value before sending it to R2960, you have to trust CoS on G0/8.
interface GigabitEthernet0/8
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,6,999
 switchport mode trunk
 priority-queue out
 mls qos trust cos
3. You need to make sure the 802.11e to AVVID mapping is happening at AAP2. This will ensure the Priority 6 value is converted to CoS 5 for RTP traffic & the Priority 4 value is converted to CoS 3 for SCCP signalling traffic (and vice versa). By default the radio interfaces trust the WMM UP values of wireless frames. If not, you have to enable it with the “dot11 qos mode wmm” CLI command under the radio interface.
AAP2# dot11 priority-map avvid
Similar concept applies to AAP1 where you have to enable 802.11e to AVVID mapping.
AAP1# dot11 priority-map avvid
4. For the switchport connected to AAP1, you have to trust CoS, as user traffic comes with an 802.1q header which includes the CoS value set by AAP1.
mls qos
mls qos map cos-dscp 0 10 18 26 34 46 48 56
!
interface FastEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,6,999
 switchport mode trunk
 priority-queue out
 mls qos trust cos
5. In the unified wireless section, on the port connected to the WLC, you have to trust CoS since the controller changes the 802.1p value according to the QoS configuration of the controller.
interface GigabitEthernet1/0/1
 description 4402-3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 140,998
 switchport mode trunk
 switchport nonegotiate
 priority-queue out
 mls qos trust cos
 channel-group 1 mode on
 spanning-tree portfast trunk
6. Finally, for the switchport connected to the L1130, you have to trust DSCP, as WLC to AP traffic is always CAPWAP & only the DSCP value is in the IP header.
interface FastEthernet1/0/3
 switchport access vlan 20
 switchport mode access
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast
7. Since SCCP signalling traffic is going between the CME & the phones (7965 & 7921), you have to trust the packet marking of the CME on port fa1/0/14 of the 3750. Since this is an access port, only the DSCP value exists on the packets coming from the CME. So trusting DSCP is the only choice.
interface FastEthernet1/0/14
 description CME - INTERNET
 no switchport
 ip address 192.168.128.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mls qos trust dscp
Once you configure it like this, you can make sure end-to-end traffic QoS is preserved across your network.
I have taken two packet captures, one from a SPAN port of G0/8 on the R2960 switch & the other one by sniffing wireless packets in 5 GHz to see what’s going on over the bridge.
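The trust rules in the steps above can be checked mechanically against a saved switch configuration. The following is an added example, not part of the original post: it checks that "mls qos" is enabled, that CoS 5 and 3 map to DSCP 46 and 26, and that 802.1Q-tagged ports (trunks and voice-vlan ports) trust CoS while all other ports trust DSCP. The function name audit_qos and the port FastEthernet1/0/99 are hypothetical, and the sample configuration is constructed.

```python
import re

# Constructed sample: two ports taken from the post plus a hypothetical untrusted trunk.
SAMPLE = """\
mls qos
mls qos map cos-dscp 0 10 18 26 34 46 48 56
!
interface GigabitEthernet0/1
 switchport mode access
 switchport voice vlan 1
 mls qos trust cos
!
interface FastEthernet1/0/3
 switchport mode access
 mls qos trust dscp
!
interface FastEthernet1/0/99
 switchport mode trunk
"""

def audit_qos(config, required=((5, 46), (3, 26))):
    """Return a list of findings; an empty list means every check passed."""
    findings, ports, current = [], {}, None
    qos_enabled = False
    cos_dscp = [0, 8, 16, 24, 32, 40, 48, 56]   # Catalyst default when no map is configured
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = ports.setdefault(line.split()[1], [])
        elif raw[:1].isspace() and current is not None:
            current.append(line)               # sub-command of the current interface
        else:
            current = None
            qos_enabled = qos_enabled or line == "mls qos"
            m = re.fullmatch(r"mls qos map cos-dscp((?: \d+){8})", line)
            if m:
                cos_dscp = [int(v) for v in m.group(1).split()]
    if not qos_enabled:
        findings.append("global: 'mls qos' is not enabled")
    for cos, dscp in required:
        if cos_dscp[cos] != dscp:
            findings.append(f"global: CoS {cos} maps to DSCP {cos_dscp[cos]}, expected {dscp}")
    for name, cmds in ports.items():
        # Only 802.1Q-tagged frames carry CoS: trunks and voice-VLAN access ports.
        tagged = "switchport mode trunk" in cmds or any(
            c.startswith("switchport voice vlan") for c in cmds)
        want = "cos" if tagged else "dscp"
        if f"mls qos trust {want}" not in cmds:
            findings.append(f"{name}: expected 'mls qos trust {want}'")
    return findings
```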
Here is the SCCP & RTP traffic coming from the 7965 VoIP phone. You can see SCCP traffic comes with CoS of 3 & voice traffic comes with CoS of 5.
If you look at the traffic going to the 7965 VoIP phone, it looks like this. You can see RTP traffic comes with CoS 5 & SCCP traffic comes with CoS 3. This proves end-to-end QoS is preserved from the wireless phone to the wired phone.
Now if you look at a wireless capture, it looks like this. Since traffic between AAP1 and AAP2 uses IAPP (Inter Access Point Protocol, 802.11f-2003), the Wireshark capture shows it as “Encapsulated Ethernet” in the data section.
But you can verify the wireless header information as below. You can verify the BSSIDs of AAP1 & AAP2, then determine the packet direction.
AAP1#sh dot11 bssid
Interface     BSSID           Guest  SSID
Dot11Radio1   a40c.c31a.ee60  No     MGMT

AAP2#sho dot11 bssid
Interface     BSSID           Guest  SSID
Dot11Radio1   64ae.0c93.7590  No     MGMT
Based on the above information you can see the frame below is from AAP2 to AAP1. Based on the User Priority of the wireless frame we can tell it is signalling traffic (SCCP) going from the 7965 to the CME. Since we configured “dot11 priority-map avvid” on AAP1, this priority value translates to a CoS of 3 when it goes to 3750 fa1/0/11.
Here is the return traffic coming from AAP1 to AAP2, as you can see it has the similar priority in wireless frames.
Here is the wireless capture of RTP traffic, where you can see the traffic comes with a priority value of 6 in the wireless frames.
Update @4th Aug:
I found the Wireshark version (1.6.1) I used for the above did not have the capability to decode IAPP messages. But when I installed the latest version of Wireshark (1.10.1) I was able to see full information even inside the IAPP.
Here is the packet capture of SCCP traffic going from the wired phone to the CME within the wireless bridge. You can clearly see the original dot1q packet that came from the phone (with Priority 3 & Vlan ID 1) converted into an 802.11 frame with priority 4.
Here is the wireless capture of RTP traffic going from the wired phone. As you can see, the original 802.1q (Priority 5 & Vlan ID 1) packet is going inside IAPP. In the wireless frame the priority will be 6.
1. Understanding Wireless QoS – Part 1
2. Understanding Wireless QoS – Part 2
3. Understanding Wireless QoS – Part 3
4. Understanding Wireless QoS – Part 4
5. Understanding Wireless QoS – Part 5
6. 3750/3560/2960 Wired QoS
7. Who do you trust ? (DSCP or CoS)
8. BYOD with QoS
9. QoS for H-REAP
10. VoIP Phone – Switchport Config
11. Autonomous AP – QoS
12. AAP QoS – A Closer Look
13. WMM & QoS Profile
Thanks for the information and very detailed includes! Question: Why root-bridge? Why not root WGB? Is there a limitation on QoS settings? No doubt I am going to try this lab setup.
BTW: I liked your idea of documenting your lab setups so much I decided to do the same. It keeps things organized and sharing is always good! parkerlab.com
Thank you for comment & sharing this post…
Regarding your question, on AAP1 you have the following options & I think the only option is to select “root bridge”
AAP1(config-if)#station-role root ?
access-point Access point
ap-only Bridge root in access point only mode
bridge Bridge root (without wireless client)
fallback Root AP action if Ethernet port fails
For AAP2, you can configure it as WGB, but then you have to change AAP1 config as well (make its role as root AP). Then it won’t be a standard wireless bridge configuration
Here is the WGB configuration with multiple vlans.
If you test it & find something else pls share it with us
by the way had a look on your blog… its nice.. keep it up & good luck for your wireless lab exam
Thanks Rasika for the great blog and detailed explanation.
I am hitting my lab again soon, and it will be my third attempt. I am digging more into QoS for wireless bridges and have the following in my mind:
1) If I have dot1q tags and VLANs passing between bridges and connected on a trunk from the switch side, then it is safe to trust CoS on the switch side and use dot11 priority map avvid only to do proper mapping between 802.11e and dot1p CoS tags.
Please correct me if I am mistaken.
2) If I am using only one single VLAN (no dot1q tags) and my bridge is connected to an access port, then there is no use of priority map avvid, right?
And I must catch traffic based on policy map based on dscp and make setting CoS to 4/6 on wireless output and 3/5 toward ethernet out.
And on switch trust dscp.
3) I am checking online and not able to find a resource explaining which takes precedence over the other; for example, if I do priority map avvid and at the same time I make tagging with policy map, would they conflict with each other….etc
Unfortunately I am not able to test this with live capture RTP/SCCP traffic as I am using rack rental….
Thanks in advance.
1. Yes you are correct
2. If it is an access port, then trusting DSCP or, if you want to re-classify, then a policy map is the way to go. I haven’t tested this scenario to see what happens with priority map avvid & without that.
3. I would suggest if you do a policy map, do it on the switch port where the AP is connected. In that way traffic coming from the AP can be re-classified the way wanted.
NB: Unless they ask to do such granular QoS on those configurations, I do not bother about it.. make sure you clarify with the proctor exactly what they want you to do in this regard. It would be a waste of time if you do such a thing in a situation where they are not expecting such configuration….
Anyway Good Luck this time & hope you get through
thanks for the reply Rasika, much appreciated…
Omar Hegazy said:
As I’m studying for CCIE wireless, I found your posts so useful to me.
Regarding this lab, I got confused about the concept of the AVVID mapping.
1- As far as I understand, AVVID should take place where 802.11e tags come in and enter the Cisco network via the AP, either from the wifi side “non-cisco wireless client” or from the wired side “any laptop could be connected to the bridge ethernet port”. In this case, there is a Cisco phone connected to the wired side of the bridge; this phone should be sending CoS tags that match the Cisco 802.11p classification. But since the AP will not know that info, it will do the AVVID conversion from the Cisco 802.11p “wired side” to the 802.11e “radio side”. Then, AAP1 will convert back from radio to wired. So, in this case, I could have disabled AVVID and the tags would have been preserved “since I don’t need the conversion/conversion-back that the AAP2/AAP1 will do”, am I right?
2- Regarding Talal’s 2nd question, if I just trusted the DSCP on the switch ports for AAP1&2, then nothing needs to be done on both APs and even no AVVID is needed, right? Why would I reclassify DSCP to CoS on AAP2? I think I can just depend on DSCP and that’s it. Am I right?