CT5760 Controller Deployment Guide
QoS Configuration
Downloads: This chapterpdf (PDF - 821.0KB) The complete bookPDF (PDF - 4.18MB) | Feedback

Table of Contents

QoS Configuration

Enabling QoS

Managing QoS

Marking Models

Per-Port or Per-Client Marking

Policing Models

Wireless Queuing

Wireless MultiMedia Configuration

Configure ISE in order to Authenticate and Push QoS Policies

Cisco IOS® Tool Command Language Scripting

QoS Configuration

The introduction of Cisco IOS® software on the WLC5760 controller brings a wide-range of wired/wireless QoS supports and capabilities:

  • Consistent configuration CLI for both wired and wireless QoS through Modular QoS CLI
  • Granular QoS policies per AP, SSID, radio, and client
  • Fair bandwidth allocation across wireless clients on an AP
  • Leverages proven Cisco IOS® and ASIC technology to provide line rate performance

Enabling QoS

Based on the Modular QoS CLI model, QoS is enabled by default on the WLC5760. Explicit marking of traffic is required in order to modify Class of Service (CoS) or Differentiated Services Code Point (DSCP) values for traffic from and to wired ports. Traffic from wireless to wireless ports or wireless to wired ports is considered untrusted. Though QoS is globally enabled if traffic passes through an SSID, it must be marked or trusted specifically, or all QoS values (DSCP, CoS) will be set to default (0).

Managing QoS

QoS policies on the WLC5760 are provisioned in a couple of ways.

  • Via CLI
  • Via AAA

The configuration examples herein demonstrate attachment of policies via CLI. AAA configuration of policies is shown later in this specific section. The QoS policy name, not the actual QoS policy, is passed from the AAA server to the WLC5760 platform. Due to this fact, the QoS policy configuration must be local to the platform regardless of which method is used to manage QoS on the platform.

Marking Models

The WLC5760 supports several marking models:

  • Per-Port Marking (wired)
  • Per-Client Marking (wireless)
  • Per-SSID Marking (wireless)
  • Per-VLAN Marking (wired)

From a unified policy standpoint, the Per-Port and Per-Client marking policy can be synonymous but applied to a different target (wireless client, physical client port). Each model is discussed herein.

Per-Port or Per-Client Marking

Similar to the Catalyst 4500, the Per-Port or Per-Client marking model matches VoIP on UDP/RTP ports 16384-32767. The signaling traffic is matched on SCCP ports (TCP 2000-2002), as well as on SIP ports (TCP/UDP 5060-5061). Transactional data traffic are matched on various ports. Unlike the Catalyst 3750-E examples, no explicit default class is required, because the implicit class default performs policy actions (such as marking or policing) on the WLC3850/5760.

!ACL configuration

ip access-list extended VOIP

remark Voice

permit udp any any range 16384 32767

ip access-list extended SIGNALING

remark SCCP

permit tcp any any range 2000 2002

remark SIP

permit tcp any any range 5060 5061

permit udp any any range 5060 5061

ip access-list extended TRANSACTIONAL-DATA

remark HTTPS

permit tcp any any eq 443

remark ORACLE-SQL*NET

permit tcp any any eq 1521

permit udp any any eq 1521

remark ORACLE

permit tcp any any eq 1526

permit udp any any eq 1526

permit tcp any any eq 1575

permit udp any any eq 1575

permit tcp any any eq 1630

permit udp any any eq 14002

permit udp any any eq 14006

 

!Class-map configuration

class-map match-all VOIP

match access-group name VOIP

class-map match-all SIGNALING

match access-group name SIGNALING

class-map match-all TRANSACTIONAL-DATA

match access-group name TRANSACTIONAL-DATA

!Per-Port or Per-Client Ingress Marking Policy-map Configuration

policy-map PER-PORT-MARKING

class VOIP

set dscp ef

class SIGNALING

set dscp cs3

class TRANSACTIONAL-DATA

set dscp af21

class class-default

set dscp default

!Policy attachment to interfaces

!Wireless Clients associating to WLAN OPEN

wlan OPEN 2 OPEN

band-select

client vlan 3

ip dhcp server 10.17.1.9 load-balance

no security wpa

no security wpa akm dot1x

no security wpa wpa2

no security wpa wpa2 ciphers aes

service-policy client input PER-PORT-MARKING

session-timeout 1800

no shutdown

Policing Models

Several policing models are available on the WLC5760.

  • Per-Port Policing
  • Per-Client Policing
  • Per-SSID Policing

Policing is offered in a number of ways and can be used in a hierarchical fashion as will be shown in the instance of client-based policies. In this instance, a policer can be used bi-directionally to police a client's traffic as an aggregate, as well as specific traffic classes associated with the client, such as voice.

Here is an example of FLAT Per-Port or Per-Client Policing configuration:

!ACL configuration

ip access-list extended VOIP

remark Voice

permit udp any any range 16384 32767

ip access-list extended SIGNALING

remark SCCP

permit tcp any any range 2000 2002

remark SIP

permit tcp any any range 5060 5061

permit udp any any range 5060 5061

ip access-list extended TRANSACTIONAL-DATA

remark HTTPS

permit tcp any any eq 443

remark ORACLE-SQL*NET

permit tcp any any eq 1521

permit udp any any eq 1521

remark ORACLE

permit tcp any any eq 1526

permit udp any any eq 1526

permit tcp any any eq 1575

permit udp any any eq 1575

permit tcp any any eq 1630

permit udp any any eq 14002

permit udp any any eq 14006

!Class-map configuration

class-map match-all VOIP

match access-group name VOIP

class-map match-all SIGNALING

match access-group name SIGNALING

class-map match-all TRANSACTIONAL-DATA

match access-group name TRANSACTIONAL-DATA

!Per-Port or Per-Client Ingress Policing Policy-map Configuration

policy-map PER-PORT-POLICING

class VOIP

set dscp ef

police 128000 conform-action transmit exceed-action drop

class SIGNALING

set dscp cs3

police 32000 conform-action transmit exceed-action drop

class TRANSACTIONAL-DATA

set dscp af21

class class-default

set dscp default

!Policy attachment to interfaces

!Wireless Clients associating to WLAN OPEN Policed bi-directionally

wlan OPEN 2 OPEN

band-select

client vlan 3

ip dhcp server 10.17.1.9

load-balance

no security wpa

no security wpa akm dot1x

no security wpa wpa2

no security wpa wpa2 ciphers aes

service-policy client input PER-PORT-POLICING

service-policy client output PER-PORT-POLICING

session-timeout 1800

Here is an example of Hierarchical Per-Client Policing configuration:

!Wireless Client Policy-map Client Aggregate policed to 2Mbps, Voice as a subset to 128k, signaling 32k

policy-map AGG-POLICE

class class-default

police 2000000 conform-action transmit exceed-action drop

service-policy PER-PORT-POLICING

policy-map PER-PORT-POLICING

class VOIP

set dscp ef

police 128000 conform-action transmit exceed-action drop

class SIGNALING

set dscp cs3

police 32000 conform-action transmit exceed-action drop

class TRANSACTIONAL-DATA

set dscp af21

class class-default

set dscp default

Wireless Queuing

Wireless queuing by default provides a queuing policy. This policy is shown in the show run command and contains a static traffic class, which cannot be modified. This class is attached to multicast non-real-time traffic associated with the wireless port only. In order to enable the additional queues on egress of the wireless port, the static policy-map port_child_policy must be modified to include the three additional classes. Priority queuing is supported for two of the queues, while class-default makes up the rest of the queue.

Here is an example of egress wireless queuing policy:

policy-map port_child_policy

class non-client-nrt-class

bandwidth remaining ratio 7

class RT1

priority level 1

police 6400000 conform-action transmit exceed-action drop

class RT2

priority level 2

police 19200000 conform-action transmit exceed-action drop

class class-default

bandwidth remaining ratio 63

In this example, the policy limits as an aggregate the priority queues RT1 and RT2 to an aggregate policed rate as shown. The policy also provides the additional non-real-time classes with a bandwidth associated with the bandwidth remaining ratio command. This ratio of available bandwidth is provided to the non-client-nrt (or multicast and non-client non-real-time traffic queue) and class-default queues.

Wireless MultiMedia Configuration

Wireless MultiMedia (WMM) separates traffic types into four QoS access categories: background, best effort, video, and voice.

(config) wlan <your WLAN name> (config-wlan) shutdown

(config-wlan) broadcast

(config-wlan) radio all (to enable this WLAN configuration on both AP radios and all Wi-Fi protocols)

(config-wlan) wmm require

(config-wlan) no security <your Current security setting>

(config-wlan) no shutdown

WMM configuration options include:

  • WMM Required - only WMM enabled clients can join the WLAN
  • WMM Optional - both non-WMM clients and WMM enabled client can join the WLAN

WMM enabled clients transmit all packets with WMM QoS header.

Non-WMM clients transmit no packets with WMM QoS header.


Note Note that non-WMM cannot receive packets from the AP that have a WMM QoS header.


All packets from and to non-WMM clients are sent with best effort Wi-Fi channel access.

Configure ISE in order to Authenticate and Push QoS Policies

Complete these steps to authenticate and push QoS policies.

1. Specify a condition where the expression is of NAS-Port-Type Virtual.

2. Create authentication parameters.

3. Authorization - Define result and use same condition.

4. Go to Policy > Results.

5. Choose Cisco-AV-Pair at bottom shown in Step 6.

6. Modify Advanced Attribute Settings with the Cisco av-pair name, ip:sub-qos-policy-in, or ip:sub-qos-polify-out, plus name of QoS policy local to the WLC3850/5760. When clients are associated and authenticated, the policy name is pushed to the WLC3850/5760.

Cisco IOS® Tool Command Language Scripting

With the introduction of the Cisco IOS® software on the WLC5760 controller, users can now implement the Tool Command Language (TCL) scripting feature on the controller.