QoS per SSID using anchor controller

MARK BAKER
Level 4

I have a customer with two SSIDs being tunneled to an anchor controller. One SSID is guest and the other is contractors. The customer would like to rate-limit traffic from the anchor controller to the foreign controllers only for the guest SSID. There are a handful of internal foreign controllers that would be receiving this traffic. My thought was to have the WLC tag the guest EoIP frames with 802.1p and rate-limit on a per foreign controller destination for packets that contained the 802.1p tag. That way we could rate-limit per site for only the guest traffic.

I haven't found any documentation talking about 802.1p tags over EoIP packets. Does anyone know if this is possible? So far, I have configured the QoS profile bronze on the anchor controller to add the 802.1p tag of 1 to the wired side and configured the switch to trust this tag. I did a packet capture and for one don't see an 802.1p tag on the outer EoIP header and the 802.1p tag on the inner packet is still at 0 (default).

Since the anchor controller doesn't have APs attached, does this QoS 802.1p tagging feature not work? What if I add an 802.1p tag from the connected switch to traffic in the guest IP range and pass that to the anchor controller? Would the anchor controller copy the 802.1p tag to the EoIP frame on its way to the foreign controller?

NOTE: If I only rate limit the EOIP tunnel, I would be rate-limiting both the guest and contractor SSIDs together.

Thank you,

Mark


MARK BAKER
Level 4

Just updating this discussion

I was able to set a service-policy inbound on the switch port connected to the internet firewall to mark any return traffic to the guest SSID IP range to DSCP CS1. I am now able to see CS1 on packets leaving the switch on the way to the anchor controller and see that same value on the inner packet of EoIP leaving the anchor controller destined for the foreign controller, but not in the outer EoIP header itself. Does the WLC not copy the inner DSCP value to the outer DSCP value? How can you configure QoS on traffic that is using an anchor controller if it doesn't copy the DSCP value?

I've seen documentation that states the DSCP value is copied from the inner packet to the outer for LWAPP. Why wouldn't this hold true with EoIP?

Thank you,

Mark

Leo Laohoo
Hall of Fame

The customer would like to rate-limit traffic from the anchor controller to the foreign controllers only for the guest SSID.

You haven't specified what model your WLC is nor the firmware your WLC is running. Is this possible? Heck yes! You can set a rate limit in two different ways: per SSID (up to version 7.0.X) or per user (current firmware).

I do not recommend setting the rate limit on the anchor controller because this means that traffic has to traverse the entire length of the network before the rate limit is applied. I'd recommend the rate limit be applied to all WLCs where the AP(s) are joined.

If you have a newer WLC, such as a 5508, WiSM-2 or newer, I'd recommend you enable AVC so management will be able to see what kind of traffic the Guest SSID is pushing. Don't enable all. Just the usual stuff such as FB, Twitter, iTunes. If you'd like you can even set to "DROP" non-corporate traffic such as bittorrent and such.

Leo,

Thank you for the reply.

The WLC is a 5508 with 7.4 software.

The traffic we are looking to rate-limit is the traffic in the internet - anchor controller - foreign controller - AP - client direction, so rate-limiting on the anchor controller would police the traffic prior to the traffic traversing the WAN links.

I had read that per-user rate-limiting was not supported with web auth passthrough, which I believe is when we just have an AUP continue button that has to be clicked to connect to the wireless. I also read that per SSID and per user rate-limiting was a per AP feature. That would mean we would have to set the rate-limit to the sum of all APs, which would be a low per AP limit. I could be wrong on these points, but that is what I got out of the docs I've read.

I had originally set the guest SSID rate-limit to 1Mbs on the foreign WLC at a site with 10 APs and a 3Mbs WAN link thinking this would rate-limit all guest traffic to 1Mbs for that site. After reading that the setting was per AP, it appears my setting would be an effective 10Mbs rate-limit. By setting the rate-limit on the foreign WLC, I am also counting on TCP back-off and light UDP traffic to keep the WAN traffic close to the rate-limit which is not ideal, but appeared to be the only option to achieve my goal.

If the anchor WLC would copy the inner DSCP value to the EoIP header, I could do exactly what I am wanting to do. I could rate-limit like below. I am marking the guest SSID traffic from the internet firewall with DSCP CS1 prior to passing it to the anchor controller. Contractor SSID traffic is the default DSCP 0. I see the correct DSCP values in the inner header, but it's not copied to the EoIP outer header for traffic going to the foreign controllers, so I can't match it in my QoS policy.

siteA
  foreign wlc = 10.1.1.1
  10Mbs link

siteB
  foreign wlc = 10.2.2.2
  3Mbs link

siteA
  match-all
    ip 10.1.1.1
    dscp = cs1
    rate-limit = 3Mbs

siteB
  match-all
    ip 10.2.2.2
    dscp = cs1
    rate-limit = 1Mbs

Thank you,

Mark

If you set the QoS on the SSID then you have a choice of per-user or per-SSID. It's not, as far as I'm aware, a per-AP QoS.

This is the paragraph that I read that led me to believe the per SSID rate-limit is at the AP level. At least the direction that I am concerned with (upstream - AP to client direction).

The bandwidth contract feature is enhanced so that rate limits can be defined on both upstream and downstream traffic. Rate limits can be defined per SSID and/or specified as a maximum rate limit for all clients. These rate limits can be individually configured. This feature is supported on AP1140, AP1040, AP3500, AP3600, AP1250, and AP1260. In centrally switched WLANs, the downstream traffic is rate limited by the controller and the upstream is rate limited by the APs. In locally switched WLANs, both upstream and downstream traffic are rate limited by the APs.

If the AP is controlling the rate-limit for upstream, wouldn't it be to the limit configured for the WLAN? If I set SSID limit to 1Mbs, wouldn't that be 1Mbs for that SSID on each AP for the upstream direction?

That paragraph came from http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn73.html

Thank you,

Mark

Interesting ...

Mark - I think what the documentation means is the AP enforces upstream shaping and the controller downstream.

We use per-user shaping on our Guest SSID at both the Foreign and Anchor. We found the Anchor controls downstream shaping and the Foreign controls upstream shaping with guest anchoring. Also keep in mind your AVC will only report on the Anchor for guest tunneling. We shape per-user guest at 800k across the enterprise and also use the pass-through AUP as well with no issues. The Anchor then connects to a dedicated port/zone on the firewall and an aggregate value of 40Mb shaping is applied there. So each user is shaped to 800K up/down and all users combined are capped at 40Mb. Hope this helps.

Darren,

Are you sure the Anchor controls the downstream shaping (internet toward wireless client)? If that is the case, it wouldn't work for us since there is a single WLAN at the Anchor that is found on 5+ Foreign controllers and we need to do per SSID shaping to keep the sum of all user traffic at each site to a certain limit which varies from site to site. With the Anchor doing the downstream shaping, wouldn't that limit all user traffic for all locations to the configured rate?

If I set upstream and downstream per SSID on the foreign controller, would that not limit the upstream at the AP and the downstream at the foreign controller (not optimal, since I would have to count on TCP backoff to maintain the limit because the traffic already would have crossed the WAN)? Did you set upstream only on the foreign and downstream only on the anchor to get your current functionality?

This document explains the bi-directional rate limiting, but doesn't include the anchor setup.

http://www.cisco.com/image/gif/paws/113682/bdr-limit-guide-00.pdf
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3900.shtml#topic2

Thank you,
Mark

Darren,

I had per-user rate-limiting set to 1Mbs up/down configured on the foreign controller with no rate-limiting configured on the anchor controller. I ran a simple speed test and found that my upstream was limited to exactly 1Mbs but downstream wasn't limited at all. Just as you said, the foreign controller or connected AP only controls the upstream, and I assume it to be true that the anchor controls the downstream. Unfortunately this isn't what is needed in our situation. I really don't see, with what I have to work with, how I will be able to satisfy the requirement of per site per SSID variable rate-limiting.

If per SSID rate-limiting in the upstream direction enforced by the AP isn't per SSID per AP, then each AP would need to know how much traffic is being sent upstream through every other AP connected to the WLC. Is this information passed to each AP from the WLC since it knows the total BW usage of the SSID?

Thank you,

Mark

Mark - I have not tested but would believe per SSID would limit all the users on that particular foreign controller to that value. So if you set it to 4Mb, then all the users on that SSID on that controller would aggregate to 4Mb upstream. Now apply the same to the anchor and you get 4Mb aggregate downstream to all your foreigns.

You could use "foreign maps" and use a single SSID on the anchor and foreigns, but then assign a different subnet to each SSID/foreign. Then upstream to your anchor you could police on the client src address per subnet and that might meet your requirements.

Darren - That is exactly the solution to my problem. I will need to rate-limit on the ASA firewall for the internet return traffic in this case. I would have assigned more stars to your rating if I could.

NOTE: If the anchor WLC would just copy the DSCP from the inner packet to the outer EoIP packet, I could satisfy my requirement without having to reconfigure the anchor controller and associated network devices.

Here is a good post on the feature you have suggested.

http://wifinigel.blogspot.com/2011/08/creating-per-site-guest-vlans-on-guest.html

Thank you,

Mark
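An added example (not from this thread or any Cisco document) of how the accepted "foreign maps" approach looks as IOS MQC configuration on the wired device between the firewall and the anchor controller: one guest SSID on the anchor, a different guest subnet per foreign controller, and policing keyed on that subnet rather than on DSCP, because the thread observed that the WLC does not copy the inner DSCP to the outer EoIP header. The guest subnets (10.1.100.0/24, 10.2.100.0/24) and the interface name are assumed placeholders; the 3Mbs and 1Mbs per-site rates are the ones given earlier in the thread.

```cisco
! Added example, not the thread's own configuration.
! Guest client subnets, one per foreign controller (assumed values).
! Contractor SSID traffic is not matched and falls into class-default.
ip access-list extended GUEST-SITEA-DOWN
 remark return traffic from the internet toward site A guest clients
 permit ip any 10.1.100.0 0.0.0.255
ip access-list extended GUEST-SITEB-DOWN
 remark return traffic from the internet toward site B guest clients
 permit ip any 10.2.100.0 0.0.0.255
ip access-list extended GUEST-SITEA-UP
 remark traffic sourced by site A guest clients
 permit ip 10.1.100.0 0.0.0.255 any
ip access-list extended GUEST-SITEB-UP
 remark traffic sourced by site B guest clients
 permit ip 10.2.100.0 0.0.0.255 any
!
class-map match-all SITEA-GUEST-DOWN
 match access-group name GUEST-SITEA-DOWN
class-map match-all SITEB-GUEST-DOWN
 match access-group name GUEST-SITEB-DOWN
class-map match-all SITEA-GUEST-UP
 match access-group name GUEST-SITEA-UP
class-map match-all SITEB-GUEST-UP
 match access-group name GUEST-SITEB-UP
!
! Downstream (internet -> anchor -> foreign): policed here, before the WAN,
! so the per-site cap does not rely on TCP backoff across the WAN link.
policy-map GUEST-TO-ANCHOR
 class SITEA-GUEST-DOWN
  police cir 3000000 conform-action transmit exceed-action drop
 class SITEB-GUEST-DOWN
  police cir 1000000 conform-action transmit exceed-action drop
 class class-default
!
! Upstream (foreign -> anchor -> internet): policed on client source subnet.
policy-map GUEST-FROM-ANCHOR
 class SITEA-GUEST-UP
  police cir 3000000 conform-action transmit exceed-action drop
 class SITEB-GUEST-UP
  police cir 1000000 conform-action transmit exceed-action drop
 class class-default
!
! Port facing the anchor controller (interface name assumed).
interface GigabitEthernet1/0/1
 service-policy output GUEST-TO-ANCHOR
 service-policy input GUEST-FROM-ANCHOR
```

Verify with `show policy-map interface GigabitEthernet1/0/1` that the conform and exceed counters increment only in the guest classes while contractor traffic stays in class-default.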

Excellent, glad that worked for you.  Have a good one.

*response removed* Sorry, I didn't read the full thread. My answer was already mentioned above.

"I also read that per SSID and per user rate-limiting was a per AP feature. That would mean we would have to set the rate-limit to the sum of all APs which would be a low per AP limit. I could be wrong on these points, but that is what I got out of the docs I've read."

// You're right.

A per-SSID rate limit applied to the QoS profile, or to the WLAN itself using override, is per AP >> per radio >> per SSID, and the clients connected to that radio share the bandwidth. It is not per WLC or per VLAN. If you need it per WLC, i.e. per VLAN, then use rate limiting on the wired-side infrastructure.

Download throttle limit x No. of APs x 2 (for the 2.4 and 5 GHz radios).
