Limit available bandwidth for WIFI CAPWAP traffic on branch routers
(I am fairly new to QoS so please excuse any obvious errors/omissions etc)
I have been asked to look at implementing QoS policing or shaping on our branch routers to limit the amount of bandwidth that is used by wireless users. Each branch office has a Cisco 2951 router (running c2951-universalk9-mz.SPA.153-2.T2.bin) that has its own pipe (of varying capacity, ranging from 10 Mbps to 100 Mbps) that connects it to the hub (data centre). Each branch uses Cisco APs that connect back to the WLC5508 controller in the hub site using FlexConnect central switching, and all traffic between client and server is CAPWAP encapsulated. The APs reside on a dedicated VLAN with their own sub-interface on the 2951 router.
Each branch router already has the following service policies associated with it
WAN Interface (Policy applied OUTBOUND) - [This is where the controller resides]
policy-map CBWFQ-QOS
 class Voice+Routing
  priority percent 10
 class Video+Signalling
  bandwidth percent 20
 class Citrix+RDP
  bandwidth percent 40
 class Scavenger
  bandwidth percent 1
 class class-default
  bandwidth percent 29
!
policy-map QOS-100Mb
 class class-default
  shape average 100000000
  service-policy CBWFQ-QOS
!
interface GigabitEthernet0/0
 bandwidth 100000
 service-policy output QOS-100Mb
LAN Interface (Policy applied INBOUND) - [This is where the APs reside]
policy-map QoS-Classification
 class Mark_Voice-RTP
  set dscp ef
 class Mark_Voice-Control
  set dscp af31
 class Mark_Video-RTP
  set dscp af41
 class Mark_Video-Control
  set dscp af31
 class Mark_Citrix-RDP
  set dscp af11
 class Mark_Telnet-SNMP
  set dscp af12
 class Mark_SSH
  set dscp af13
 class class-default
  set ip dscp default
!
I know we can make use of the QoS feature on the controller, but we would then end up with separate SSIDs per site (since each site has a different uplink bandwidth), which is not very efficient for obvious reasons. I have done some research on a possible solution and would like to share the proposed config, so I would appreciate it if the experts out here could provide feedback and suggest any better way of achieving this.
# Create ACL to be used in class-map and match on CAPWAP control (5246) and data (5247)

ip access-list extended WIFI-CAPWAPP-ACL
 permit udp any host <controller IP> range 5246 5247
!

# Create Class-Map to match above ACL

class-map match-all WIFI-CAPWAPP-CM
 description Match CAPWAP traffic between Controller and AP
 match access-group name WIFI-CAPWAPP-ACL
!
# Since the AP sub-interface on the 2951 already has policy applied in the inbound direction, remove the existing policy and create new policy to include new class statements and the existing ones
policy-map WIFI-PM
 description Policing to limit CAPWAP WIFI traffic to 20% of Bandwidth
 class WIFI-CAPWAPP-CM
  police cir percent 20 conform-action transmit exceed-action drop
 class Mark_Voice-RTP
  set dscp ef
 class Mark_Voice-Control
  set dscp af31
 class Mark_Video-RTP
  set dscp af41
 class Mark_Video-Control
  set dscp af31
 class Mark_Citrix-RDP
  set dscp af11
 class Mark_Telnet-SNMP
  set dscp af12
 class Mark_SSH
  set dscp af13
 class class-default
  set ip dscp default
!
# Apply the new policy to the LAN interface (Wireless AP interface)
interface GigabitEthernet0/1.X
 service-policy input WIFI-PM
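To see what the WIFI-PM policer above actually does to a stream of CAPWAP packets, here is a small token-bucket model of a single-rate `police cir ... conform-action transmit exceed-action drop` policer, fed by the same classifier as the ACL (UDP to the controller on 5246-5247). This is an added example, not code from the thread or from Cisco; the controller address 10.0.0.10, the packet trace and the burst sizing (250 ms of CIR, floored at one MTU) are all constructed for illustration. One practical caveat it encodes: `police cir percent` is taken as a percentage of the bandwidth of the interface the policy is attached to, so on the LAN sub-interface it is relative to that Gigabit interface (or its configured `bandwidth`), not the site's WAN pipe; the example therefore computes an absolute CIR per site from the uplink speed and emits the corresponding `police cir <bps> bc <bytes>` line.

```python
"""Token-bucket model of the proposed CAPWAP policer (added example; not part of
the thread). Controller IP, rates, burst sizing and the packet trace are constructed."""

from dataclasses import dataclass

CONTROLLER_IP = "10.0.0.10"           # stands in for <controller IP> in the ACL
CAPWAP_PORTS = range(5246, 5248)      # UDP 5246 control, 5247 data


@dataclass
class Packet:
    t: float        # arrival time in seconds (trace must be time-ordered)
    proto: str      # "udp" / "tcp"
    dst_ip: str
    dst_port: int
    size: int       # bytes on the wire


def matches_capwap_acl(pkt: Packet, controller_ip: str = CONTROLLER_IP) -> bool:
    """Same match as: permit udp any host <controller IP> range 5246 5247."""
    return (pkt.proto == "udp" and pkt.dst_ip == controller_ip
            and pkt.dst_port in CAPWAP_PORTS)


def site_cir_bps(uplink_mbps: int, percent: int = 20) -> int:
    """CIR in bits/s for a site: the wanted share of the WAN uplink, computed
    explicitly because 'police cir percent' on the LAN sub-interface would be
    taken relative to that interface's own bandwidth, not the WAN pipe."""
    return uplink_mbps * 1_000_000 * percent // 100


def site_bc_bytes(cir_bps: int) -> int:
    """Conform burst: 250 ms of CIR (cir/32 bytes), floored at one MTU.
    A sizing choice made for this example, not a statement of IOS defaults."""
    return max(1500, cir_bps // 32)


class SingleRatePolicer:
    """Single bucket: refills at cir bits/s, holds at most bc bytes.
    Packets that fit are 'conform' (transmit); the rest 'exceed' (drop)."""

    def __init__(self, cir_bps: int, bc_bytes: int):
        self.cir = cir_bps
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)   # bucket starts full
        self.last_t = 0.0

    def offer(self, pkt: Packet) -> str:
        elapsed = max(0.0, pkt.t - self.last_t)
        self.last_t = pkt.t
        self.tokens = min(self.bc, self.tokens + elapsed * self.cir / 8)
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return "conform"
        return "exceed"


def run_policy(packets, uplink_mbps: int, percent: int = 20) -> dict:
    """Apply the WIFI-PM logic: police only ACL matches, pass everything else."""
    cir = site_cir_bps(uplink_mbps, percent)
    policer = SingleRatePolicer(cir, site_bc_bytes(cir))
    counts = {"capwap_conform": 0, "capwap_exceed": 0, "other": 0}
    for pkt in packets:
        if matches_capwap_acl(pkt):
            counts["capwap_" + policer.offer(pkt)] += 1
        else:
            counts["other"] += 1
    return counts


def build_sample_trace():
    """Constructed trace: two 100-packet CAPWAP data bursts one second apart,
    a paced CAPWAP stream well under the CIR, and a few wired TCP packets."""
    pkts = []
    for burst_start in (0.0, 1.0):
        pkts += [Packet(burst_start, "udp", CONTROLLER_IP, 5247, 1400)
                 for _ in range(100)]
    pkts += [Packet(2.0 + i * 0.01, "udp", CONTROLLER_IP, 5247, 1400)
             for i in range(50)]            # 1400 B every 10 ms = 1.12 Mbit/s
    pkts += [Packet(0.5 + i, "tcp", "10.0.0.50", 443, 1400) for i in range(5)]
    return sorted(pkts, key=lambda p: p.t)


def site_police_line(uplink_mbps: int, percent: int = 20) -> str:
    """The policer line to put under 'class WIFI-CAPWAPP-CM' for one site."""
    cir = site_cir_bps(uplink_mbps, percent)
    return (f"police cir {cir} bc {site_bc_bytes(cir)} "
            "conform-action transmit exceed-action drop")


if __name__ == "__main__":
    # 10 Mbps site: CIR 2 Mbit/s, Bc 62500 bytes, so each 140 kB burst gets
    # 44 packets through and drops 56, while the paced stream is untouched.
    print(run_policy(build_sample_trace(), uplink_mbps=10))
    print(site_police_line(10))
```

With a 10 Mbps uplink the model transmits 44 packets of each 100-packet burst and drops the rest, while the paced 1.12 Mbit/s stream and the wired TCP packets pass untouched; the same trace against `site_police_line(100)` would not drop anything, which is the behaviour you want the per-site CIR to give you.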
Each branch office has a Cisco 2951 router (running c2951-universalk9-mz.SPA.153-2.T2.bin) that has its own pipe (of varying capacity ranging from 10mbps-100mbps) that connects it to the hub (data centre).
Let me get this straight ... You've got sites with 100 Mbps and you're using a tiny 2951 router? And let me guess, these sites are experiencing slow connections?
If the answer to these two questions is "yes" then my answer is this: Your QoS config won't make any difference because the 2951 is NOT designed for 100 Mbps. A 2951 can do up to about 80 Mbps. If you want a 100 Mbps router then you're potentially looking at a 3925E, 3945 or the newly released 4331/4351 routers.
Yes, you could do something like what you've posted, but there may be other options and/or possible improvements.
The port your LWAP attaches to might allow a port specific policer and/or marker (BTW, your posted policy doesn't explicitly mark the traffic). Using such, would avoid forcing all your other ports through a shared policy trying to deal with the LWAP traffic.
You might use an egress policy, something like:
  priority percent 35
  bandwidth remaining percent 81
  bandwidth remaining percent 1
  bandwidth remaining percent 9
BTW, did you enable adjust TCP mss on your controller (to allow for LWAP tunneling overhead)?