Controllerless Networks


SFB Heuristics Tagging

  • 1.  SFB Heuristics Tagging

    Posted Jan 31, 2018 12:45 PM

    I am looking to enable SFB Heuristics on some Instant clusters. The SFB Aruba VRD states that once enabled it tags VoIP traffic with the default values, meaning VOICE will be DSCP 48. I am looking to tag VoIP DSCP 46. If I change the default WMM values, does the SFB Heuristics tag accordingly? If anyone knows how this behaves or was able to effectively tag to a specified DSCP value, I would appreciate your input.

    Thanks



  • 2.  RE: SFB Heuristics Tagging

    Posted Feb 01, 2018 11:23 PM

    You have to create an ACL for the wireless SSID, for UCC.

    wlan access-rule example_s4b_test

    rule alias <domain_name_for_S4B_server> match tcp 443 443 permit log classify-media
    OR
    rule any any match tcp 443 443 permit log classify-media

    rule any any match tcp 5060 5060 permit log classify-media
    rule any any match tcp 5061 5061 permit log classify-media
    rule any any match tcp 5223 5223 permit log classify-media

    rule any any match udp 50000 50020 permit tos 46 (The RTP UDP port range should be found out by consulting the SfB admin. In this example it is 50000 – 50020. Check the tos value; it's non-default / custom.)

    rule any any match any any any permit
    end
    commit apply

    So this should do the job!

    Use the following commands to check:

    Home IAP# show datapath user

    Look for the M flag in the output.

    Home IAP# show datapath session | i V

    Look for the V flag in the output.



  • 3.  RE: SFB Heuristics Tagging

    Posted Feb 02, 2018 09:28 AM

    Thanks for the information! In your example will only the traffic matching the 50000 to 50020 range be marked 46? How will the traffic that is classified as Skype using classify-media be handled? Will it be tagged?

    Will only this be marked 46?

    rule any any match udp 50000 50020 permit tos 46

    What will this be marked?

    rule any any match tcp 443 443 permit log classify-media
    rule any any match tcp 5060 5060 permit log classify-media
    rule any any match tcp 5061 5061 permit log classify-media
    rule any any match tcp 5223 5223 permit log classify-media

     



  • 4.  RE: SFB Heuristics Tagging

    Posted Feb 02, 2018 10:36 AM

    The classify-media ACL is what tells the IAP to study / monitor the identified traffic for control packets before a voice call.

    Here is the user guide snippet explaining this:

    "
    Voice and video devices use a signaling protocol to establish, control, and terminate voice and video calls. These
    control or signaling sessions are usually permitted using predefined ACLs. If the control signaling packets are
    encrypted, the IAP cannot determine the dynamic ports that are used for voice or video traffic.

    In these cases, the IAP has to use an ACL with the classify-media option enabled to identify the voice or video flow based on a deep packet inspection and analysis of the actual traffic. Instant identifies and prioritizes voice and video traffic
    from applications such as Skype for Business, Apple Facetime, and Jabber.

    Skype for Business uses Session Initiation Protocol (SIP) over TLS or HTTPS to establish, control, and terminate
    voice and video calls. Apple Facetime uses Extensible Messaging and Presence Protocol (XMPP) over TLS or
    HTTPS for these functions.

    The following CLI example shows the media classification for VoIP calls:

    (Instant AP)(config)# wlan access-rule example_s4b_test
    (Instant AP)(example_s4b_test)# rule alias <domain_name_for_S4B_server> match tcp 443 443 permit log classify-media
    (Instant AP)(example_s4b_test)# rule any any match tcp 5060 5060 permit log classify-media
    (Instant AP)(example_s4b_test)# rule any any match tcp 5061 5061 permit log classify-media
    (Instant AP)(example_s4b_test)# rule any any match tcp 5223 5223 permit log classify-media
    (Instant AP)(example_s4b_test)# rule any any match any any any permit
    (Instant AP)(example_s4b_test)# end
    (Instant AP)# commit apply
    "

    The actual voice call happens on UDP ports and is automatically prioritized to a default value of 48. If you want to use a custom value instead, then an ACL with the specified ToS value as well is needed.



  • 5.  RE: SFB Heuristics Tagging

    Posted Feb 02, 2018 11:29 AM

    I see in the CRD they walk through an SFB call using heuristics where the initiating client is not tagging. Step 2 says the IAP in this case identifies the traffic as SFB and corrects the DSCP tag. You are saying this is done using an ACL, correct? If so, what would I be matching on, given the heuristics data is what I need to look at?

    1. In upstream direction (client to controller) the AP looks at L2 Priority (WMM-AC as BE) and allocates the DSCP
    24 according to the DSCP-WMM mapping in the controller.
    2. The controller identifies the SfB VO traffic type using heuristics and corrects the DSCP tag to 46 in the
    downstream direction (controller to client).
    3. AP assigns WMM-AC as VO as per DSCP-WMM mapping in the controller.



  • 6.  RE: SFB Heuristics Tagging

    Posted Feb 02, 2018 01:02 PM

    Please take a look at the attached picture and see if it answers your question as to how ALG (set up by the ACL I mentioned) changes the values.

    In the picture, the default value 48 is used; however, as shown previously, it can be made custom 46 too.



  • 7.  RE: SFB Heuristics Tagging

    Posted Feb 02, 2018 01:19 PM

    Yes, this all makes sense. My challenge, I guess, is the ACL you mentioned below regarding changing to the specified TOS value. What would I be matching on? Would you happen to have an example ACL? Would it match off the heuristic ALG data? Thanks again.

     


    wrote:

    "If you want to use a custom value instead, then an ACL with the specified ToS value as well is needed."






  • 8.  RE: SFB Heuristics Tagging

    Posted Feb 02, 2018 01:34 PM

    I recommend sticking to the default values in IAP UCC, which are voice 48, video 40. With this method you really do not have to find out the voice RTP stream's UDP port range!

    You can go with the following then:

    wlan access-rule example_s4b_test

    rule any any match tcp 443 443 permit log classify-media
    rule any any match tcp 5061 5061 permit log classify-media
    rule any any match any any any permit
    end

    commit apply

    Note:

    Skype ports for control messaging are TCP 5061 & 443, which need to be studied / monitored by the IAP via the classify-media flag. The resulting RTP UDP stream will be automatically prioritised with default values of video 40 and voice 48.

    If non-default values for ToS are a must, only then is the ACL for UDP ports, shown in the previous example, needed.

    How about the domain for the SfB server?

    If you do not know the domain name, then use the ACL above, where any traffic destined to port 443 is monitored via classify-media. Although not the best configuration, as now the IAP has to do way more work!

    Hence the recommendation is to find the domain name of the SfB server from the SfB admin and put that in the ACL destined to TCP port 443.

     



  • 9.  RE: SFB Heuristics Tagging

    Posted Feb 02, 2018 02:58 PM

    Great information, thank you. If I leave the default TOS marking, the traffic will arrive at the wired network with DSCP 48 per WMM default, correct? If so, that will not match our current WAN config of DSCP 46 for EF (VOIP).

    If the client was tagging properly, would this make everything far simpler? At that point I could simply change my WMM values on the SSID to VOICE DSCP 46, correct? The issue is we are doing Skype online and tags may be removed upon ingress from the internet.



  • 10.  RE: SFB Heuristics Tagging

    Posted Feb 02, 2018 03:00 PM

    If the client was tagging properly, then that should work, based on WMM values you set AFAIK. I have not tested that though.
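The exchange above (posts 2, 4, 5, 8 and 9) spells out a marking pipeline in prose: the client's WMM access category gives a first DSCP, the UCC heuristics armed by a classify-media rule rewrite identified media to the default (voice 48, video 40), and an explicit ACL "tos" overrides both; post 9 then asks whether the result agrees with a WAN that expects EF (46). The script below is an added example, not code from this thread or from Aruba, that models exactly that precedence so you can predict what a flow leaves the IAP with and verify it against a packet capture. It assumes: only the subset of the access-rule grammar the posts use; that the "tos" argument is a 6-bit DSCP value as the posts treat it; a BK mapping of 8 (not stated in the thread); and, for a DSCP the SSID's WMM table does not list, the common 802.11 fallback of UP = DSCP >> 3. The ACL texts are constructed from posts 2 and 8 with comments stripped.

```python
"""Added example, not Aruba code: a model of the Instant UCC marking pipeline
this thread describes, to predict the DSCP a flow leaves the IAP with and
whether it agrees with the WAN's EF class.
Assumptions (not from the thread): ACL grammar is only the subset the posts
use; BK maps to 8; DSCP-to-WMM fallback is the 802.11 'UP = DSCP >> 3' rule.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Upstream: WMM access category -> DSCP the AP writes (BE 24 from post 5,
# VI 40 / VO 48 from post 8; BK 8 is an assumption).
WMM_TO_DSCP = {"BK": 8, "BE": 24, "VI": 40, "VO": 48}
# DSCP the UCC heuristics apply to identified media when no ACL 'tos' applies.
UCC_DEFAULT_DSCP = {"voice": 48, "video": 40}
# Per-hop-behaviour names for the values seen in the thread (RFC 2474 / 3246).
PHB = {0: "BE", 8: "CS1", 24: "CS3", 40: "CS5", 46: "EF", 48: "CS6"}
_UP_TO_AC = ["BE", "BK", "BK", "BE", "VI", "VI", "VO", "VO"]  # 802.11 UP 0..7


@dataclass
class Rule:
    dest: str                 # "any", "alias <name>" or "<ip> <mask>"
    proto: str                # tcp / udp / any
    lo: Optional[int]         # None means 'any' port
    hi: Optional[int]
    action: str
    classify_media: bool
    tos: Optional[int]        # DSCP written by 'permit ... tos N'

    def matches(self, proto: str, port: int) -> bool:
        if self.proto not in ("any", proto):
            return False
        return self.lo is None or self.lo <= port <= self.hi


_RULE = re.compile(r"^rule\s+(\S+)\s+(\S+)\s+match\s+(\S+)\s+(\S+)\s+(\S+)\s+(permit|deny)(.*)$")


def parse_acl(text: str) -> list:
    """Parse the 'rule ...' lines of a 'wlan access-rule' block (subset grammar)."""
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line.strip())
        if not m:
            continue          # 'wlan access-rule', 'end', 'commit apply', blank lines
        d1, d2, proto, p1, p2, action, rest = m.groups()
        tos_m = re.search(r"\btos\s+(\d+)", rest)
        tos = int(tos_m.group(1)) if tos_m else None
        if tos is not None and not 0 <= tos <= 63:
            raise ValueError(f"tos {tos} is not a 6-bit DSCP value")
        rules.append(Rule("any" if d1 == "any" else f"{d1} {d2}", proto,
                          None if p1 == "any" else int(p1),
                          None if p2 == "any" else int(p2),
                          action, "classify-media" in rest, tos))
    return rules


def predict_dscp(rules, proto, port, wmm_ac="BE", media=None):
    """(DSCP, reason) for a client->IAP flow after processing, or None if no permit rule matches.

    media is None, or 'voice'/'video' once the heuristics (armed by a classify-media
    rule on the signalling session) have identified the stream. Precedence as posts
    2, 4 and 8 describe it: explicit ACL 'tos', then UCC default, then the WMM value.
    """
    rule = next((r for r in rules if r.matches(proto, port)), None)
    if rule is None or rule.action != "permit":
        return None
    if rule.tos is not None:
        return rule.tos, f"ACL tos {rule.tos}"
    if media in UCC_DEFAULT_DSCP and any(r.classify_media for r in rules):
        return UCC_DEFAULT_DSCP[media], f"UCC default for {media}"
    return WMM_TO_DSCP[wmm_ac], f"WMM {wmm_ac} mapping"


def dscp_to_wmm_ac(dscp, table=None):
    """Downstream AC for a DSCP from the wire: the configured WMM table first,
    else (assumption) the 802.11 'UP = DSCP >> 3' fallback."""
    for ac, value in (table or WMM_TO_DSCP).items():
        if value == dscp:
            return ac
    return _UP_TO_AC[dscp >> 3]


def dscp_to_tos_byte(dscp):
    """What a packet capture shows in the IP ToS byte (DSCP is the top 6 bits)."""
    return dscp << 2


def tos_byte_to_dscp(tos_byte):
    return tos_byte >> 2


# Constructed from the ACLs in posts 2 and 8 (inline comments stripped).
ACL_CUSTOM_46 = """
wlan access-rule example_s4b_test
rule alias <domain_name_for_S4B_server> match tcp 443 443 permit log classify-media
rule any any match tcp 5061 5061 permit log classify-media
rule any any match udp 50000 50020 permit tos 46
rule any any match any any any permit
end
"""
ACL_DEFAULTS = """
wlan access-rule example_s4b_test
rule any any match tcp 443 443 permit log classify-media
rule any any match tcp 5061 5061 permit log classify-media
rule any any match any any any permit
end
"""

if __name__ == "__main__":
    wan_voice = 46   # EF on the WAN, as in post 9
    for name, acl in (("defaults", ACL_DEFAULTS), ("custom tos 46", ACL_CUSTOM_46)):
        dscp, why = predict_dscp(parse_acl(acl), "udp", 50010, "BE", "voice")
        ok = "matches" if dscp == wan_voice else "DOES NOT match"
        print(f"{name}: SfB voice RTP -> DSCP {dscp} ({PHB[dscp]}, ToS byte "
              f"0x{dscp_to_tos_byte(dscp):02x}) via {why}; {ok} WAN EF {wan_voice}; "
              f"downstream AC {dscp_to_wmm_ac(dscp)}")
```

Run as-is and the "defaults" ACL reports the voice stream at DSCP 48 (CS6, ToS byte 0xC0), which is the mismatch post 9 describes, while the "custom tos 46" ACL reports 46 (EF, 0xB8). The ToS-byte helpers are there for the check that settles the question in post 11: capture the upstream packet on the wired side and compare its ToS byte with what the client sent; a value that differs from the client's marking is the IAP rewriting it, whatever the WMM-DSCP configuration suggests. The downstream lookup also shows why post 9's idea of setting the SSID's voice DSCP to 46 matters in this model: with the default table, 46 falls through to the UP fallback and lands in VI, and only a table that lists VO as 46 returns it to VO.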



  • 11.  RE: SFB Heuristics Tagging

    Posted Apr 04, 2019 06:33 PM

    Bringing back an old thread, but relevant to something I'm looking at now. The DSCP values used across their network are non-standard, and configuring the WMM-DSCP mapping values appears to have no effect. The IAPs are reconfiguring DSCP values upstream to the defaults.

    Is this a bug, or are there additional configuration steps needed? I'm hoping we don't have to configure ACLs matching these traffic types and setting DSCP values, and there is a way for the IAP to simply "trust" the DSCP and map it over from the client, which is correctly marking traffic.

    I understand that trusting client DSCP/QoS markings is insecure and not typically recommended, but the customer has this built already and wants to utilize the client markings and stick to their chosen DSCP values that are configured on their router links.