Occasional Contributor I
Posts: 6
Registered: ‎03-17-2013

ACL's and QOS...... WTF

Hi,

We have access points in our branches across a WAN link back to head office. We have a QOS design already in place, however.....

I have an issue where Aruba seems to be tagging packets as they are sent, causing them to end up in our queues instead of best effort.

This is causing issues with the limited bandwidth assigned to each queue.

 

I have confirmed WMM is not enabled on any SSID and no 802.1p settings are used in any firewall policies.

We do have specific policies marking "queue" high or low; however, I am under the impression this is for the wireless side and does not take effect after the AP.

 

The packets seem to be getting tagged at or before the AP and sending "prioritized" packets down the tunnel.

 

Am I missing a setting or do I need to add an ACL to prevent this???????

Any assistance would be great.

MVP
Posts: 4,124
Registered: ‎07-20-2011

Re: ACL's and QOS...... WTF

Are you by any chance tagging this traffic at the user-role or using an access-group in the interface going to the uplink?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: ACL's and QOS...... WTF

Send the output of the "show datapath session table" command when this is happening...that can help you understand what is getting prioritized and what isn't.  

 

If you have a ton of traffic, you can use filters like:

 

show datapath session table | include 192.168.1.111

 

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor I
Posts: 6
Registered: ‎03-17-2013

Re: ACL's and QOS...... WTF

Here is the result.....

As you can see, the packets are being identified "ToS" but nothing is showing as being prioritised.

I have confirmed our WAN carrier has disabled NBAR.

 

Are there any other possibilities within Aruba?

Can I disable ToS altogether?

MVP
Posts: 4,124
Registered: ‎07-20-2011

Re: ACL's and QOS...... WTF

 

Please verify the following

 

Under the user-role:

 

show rights <rolename> and see if there's any ACLs that have any ToS markings

 

CLI

vocera-badge-policy
-------------------
Priority  Source          Destination     Service              Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------          -----------     -------              ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         Brandeis-Voice  Brandeis-Voice  svc-vocera-data      permit                           High   46   5                                                 4
2         Brandeis-Voice  Brandeis-Voice  svc-vocera-data-tcp  permit                           High   46   5                                                 4
3         Brandeis-Voice  Brandeis-Voice  svc-vocera-control   permit                           High   46   5                                                 4
4         Brandeis-Voice  Brandeis-Voice  svc-vocera           permit                           High   46   5                                                 4

 GUI:Screen Shot 2013-08-06 at 8.51.19 PM.png

 

 

Under the interface that goes back to the uplink switch, make sure that there are no ip access-groups applied that may be marking that traffic:

 

show ip access-group

 

Port-Channel 0:
 session access list Trusted-Port-ACL is applied

 

You can also do the following: show acl hits. This will tell you if there are any ACLs applied to a particular interface.

 

Port Based Session ACL
----------------------
Policy            Src                       Dst                      Service      Action  Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
------            ---                       ---                      -------      ------  -----------  --------  ----------  -----  ---------

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
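
An added example, not part of the original thread: a short Python script that automates the "show rights" check described above by reading saved CLI output and listing every rule that sets a TOS or 802.1p value. The sample output is constructed (columns trimmed, extra rows and the second policy made up), the function names are this example's own, and the parser assumes each value lines up under its column's dash ruler.

```python
import re

# Constructed sample modelled on the "show rights" rows quoted in the post above.
SAMPLE = """\
vocera-badge-policy
-------------------
Priority  Source          Destination     Service              Action  Queue  TOS  8021P
--------  ------          -----------     -------              ------  -----  ---  -----
1         Brandeis-Voice  Brandeis-Voice  svc-vocera-data      permit  High   46   5
2         Brandeis-Voice  Brandeis-Voice  svc-vocera-control   permit  High
3         any             any             svc-dhcp             permit  Low         3

guest-policy
------------
Priority  Source  Destination  Service   Action  Queue  TOS  8021P
--------  ------  -----------  -------   ------  -----  ---  -----
1         user    any          svc-http  permit  Low
"""

RULER = re.compile(r"[- ]+")

def column_slices(ruler):
    """Turn each dash group in a ruler line into a slice ending at the next group."""
    starts = [m.start() for m in re.finditer(r"-+", ruler)]
    return [slice(s, e) for s, e in zip(starts, starts[1:] + [None])]

def marking_rules(text):
    """Return (policy, priority, tos, dot1p) for every rule that sets TOS or 802.1p."""
    findings, policy, cols, names = [], None, None, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.strip():
            cols = None                      # a blank line ends the current table
            continue
        if RULER.fullmatch(line):
            groups = column_slices(line)
            if len(groups) == 1:             # single ruler underlines the policy name
                policy = lines[i - 1].strip()
            else:                            # multi-group ruler underlines the header
                cols = groups
                names = [lines[i - 1][c].strip() for c in cols]
            continue
        next_is_ruler = i + 1 < len(lines) and RULER.fullmatch(lines[i + 1])
        if cols is None or next_is_ruler:
            continue                         # policy-name or header line, not a rule
        row = {n: line[c].strip() for n, c in zip(names, cols)}
        if row.get("TOS") or row.get("8021P"):
            findings.append((policy, row["Priority"], row["TOS"], row["8021P"]))
    return findings

if __name__ == "__main__":
    for hit in marking_rules(SAMPLE):
        print("policy=%s rule=%s TOS=%r 802.1p=%r" % hit)
```

An empty result only clears the session ACLs; as the thread goes on to show, markings can also come from elsewhere in the configuration.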
Occasional Contributor I
Posts: 6
Registered: ‎03-17-2013

Re: ACL's and QOS...... WTF

Thanks,

I have checked the ACL for all user roles and there is no reference to 802.1p or ToS anywhere.

Same with the Port channels

The only thing that I can see that comes close is the Queue.

 

From what is displayed, Aruba should not be marking packets ToS or otherwise.

Can I disable Aruba from auto marking packets with ToS?

 

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: ACL's and QOS...... WTF

Would it be possible to see the entire config?

Sent from my iPhone
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor I
Posts: 6
Registered: ‎03-17-2013

Re: ACL's and QOS...... WTF

Ahhhhh

Might not need to, I think I found it.

Attached to the SSID profiles are DSCP markings, as shown in the attachment.

 

I was under the impression this was not in use unless WMM was ticked.

 

Am I able to set these to "0", stopping all ToS?

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: ACL's and QOS...... WTF

Just blank out the lines and retest.

Also...unless you need client support for it, get rid of tkip and run aes encryption only.
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor I
Posts: 6
Registered: ‎03-17-2013

Re: ACL's and QOS...... WTF

Thanks
