Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ACL's and QOS...... WTF

  • 1.  ACL's and QOS...... WTF

    Posted Aug 06, 2013 04:10 AM

    Hi,

    We have access points in our branches across a WAN link back to head office. We have a QoS design already in place, however...

    I have an issue where Aruba seems to be tagging packets as they are sent, causing them to end up in our queues instead of best effort.

    This is causing issues with the limited bandwidth assigned to each queue.

    I have confirmed WMM is not enabled on any SSID and no 802.1p settings are used in any firewall policies.

    We do have specific policies marking "queue" high or low; however, I am under the impression this is for the wireless side and does not take effect after the AP.

    The packets seem to be getting tagged at or before the AP, sending "prioritized" packets down the tunnel.

    Am I missing a setting, or do I need to add an ACL to prevent this?

    Any assistance would be great.



  • 2.  RE: ACL's and QOS...... WTF

    Posted Aug 06, 2013 05:16 AM
    Are you by any chance tagging the traffic at the user-role, or using an access-group on the interface going to the uplink?


  • 3.  RE: ACL's and QOS...... WTF

    EMPLOYEE
    Posted Aug 06, 2013 09:45 AM

    Send the output of the "show datapath session table" command when this is happening; that can help you understand what is getting prioritized and what isn't.

    If you have a ton of traffic, you can use filters like:

    show datapath session table | include 192.168.1.111




  • 4.  RE: ACL's and QOS...... WTF

    Posted Aug 06, 2013 08:21 PM

    Here is the result.

    As you can see, the packets are being identified by "ToS", but nothing is showing as being prioritised.

    I have confirmed our WAN carrier has disabled NBAR.

    Are there any other possibilities within Aruba?

    Can I disable ToS altogether?



  • 5.  RE: ACL's and QOS...... WTF

    Posted Aug 06, 2013 08:56 PM

    Please verify the following.

    Under the user-role:

    Run show rights <rolename> and see if there are any ACLs that have ToS markings.

     

    CLI

    vocera-badge-policy
    -------------------
    Priority  Source          Destination     Service              Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------          -----------     -------              ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         Brandeis-Voice  Brandeis-Voice  svc-vocera-data      permit                           High   46   5                                                 4
    2         Brandeis-Voice  Brandeis-Voice  svc-vocera-data-tcp  permit                           High   46   5                                                 4
    3         Brandeis-Voice  Brandeis-Voice  svc-vocera-control   permit                           High   46   5                                                 4
    4         Brandeis-Voice  Brandeis-Voice  svc-vocera           permit                           High   46   5                                                 4

    GUI: screenshot attached (Screen Shot 2013-08-06 at 8.51.19 PM.png)


    Under the interface that goes back to the uplink switch, make sure there are no ip access-groups applied that may be marking that traffic:

     

    show ip access-group

     

    Port-Channel 0:
     session access list Trusted-Port-ACL is applied

     

    You can also run show acl hits; this will tell you if there are any ACLs applied to a particular interface.

     

    Port Based Session ACL
    ----------------------
    Policy            Src                       Dst                      Service      Action  Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
    ------            ---                       ---                      -------      ------  -----------  --------  ----------  -----  ---------

     



  • 6.  RE: ACL's and QOS...... WTF

    Posted Aug 06, 2013 09:45 PM

    Thanks,

    I have checked the ACLs for all user roles and there is no reference to 802.1p or ToS anywhere.

    Same with the port channels.

    The only thing I can see that comes close is the Queue.

    From what is displayed, Aruba should not be marking packets ToS or otherwise.

    Can I disable Aruba from auto-marking packets with ToS?




  • 7.  RE: ACL's and QOS...... WTF

    EMPLOYEE
    Posted Aug 06, 2013 09:57 PM
    Would it be possible to see the entire config?



  • 8.  RE: ACL's and QOS...... WTF

    Posted Aug 06, 2013 10:28 PM

    Ahhhhh

    Might not need to, I think I found it.

    Attached to the SSID profiles are DSCP markings, as shown in the attachment.

    I was under the impression this was not in use unless WMM was ticked.

    Am I able to set these to "0", stopping all ToS?



  • 9.  RE: ACL's and QOS...... WTF
    Best Answer

    EMPLOYEE
    Posted Aug 06, 2013 10:31 PM
    Just blank out the lines and retest.

    Also, unless you need client support for it, get rid of TKIP and run AES encryption only.

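    The checks in posts 4, 5, 8 and 9 come down to two things: spotting an ACL rule that carries a value in the TOS or 8021P column of show rights output, and knowing what a DSCP value such as the 46 in that table looks like on the WAN (DSCP is the top six bits of the IP TOS byte, so DSCP 46 shows up as 0xb8 in a capture, while a blank or 0 marking shows up as 0x00). The Python below is an added example, not code from this thread or from HPE Aruba: it parses a constructed show rights table (trimmed to the columns relevant here, with the rule values copied from the post above) by the column offsets of the dash ruler, lists the rules that re-mark traffic, and decodes the DSCP. The fifth rule (any/any with no marking) is constructed to show what a clean rule parses as; the DSCP name table is the standard RFC set, not something from the thread.

```python
"""Scan ArubaOS `show rights <role>` ACL output for rules that re-mark traffic
(TOS/DSCP or 802.1p) and decode a DSCP value into the TOS byte seen on the wire."""
import re

# Well-known DSCP code points (RFC 2474 / 2597 / 3246). The thread's rules use 46 (EF).
DSCP_NAMES = {0: "BE", 8: "CS1", 10: "AF11", 18: "AF21", 26: "AF31",
              34: "AF41", 46: "EF", 48: "CS6", 56: "CS7"}

# Constructed sample: the four rules from the post, trimmed to the relevant
# columns, plus a fifth unmarked rule (not in the post) as a negative case.
SAMPLE = """\
vocera-badge-policy
-------------------
Priority  Source          Destination     Service              Action  Queue  TOS  8021P  IPv4/6
--------  ------          -----------     -------              ------  -----  ---  -----  ------
1         Brandeis-Voice  Brandeis-Voice  svc-vocera-data      permit  High   46   5      4
2         Brandeis-Voice  Brandeis-Voice  svc-vocera-data-tcp  permit  High   46   5      4
3         Brandeis-Voice  Brandeis-Voice  svc-vocera-control   permit  High   46   5      4
4         Brandeis-Voice  Brandeis-Voice  svc-vocera           permit  High   46   5      4
5         any             any             any                  permit                     4
"""


def parse_aruba_table(text: str) -> list[dict[str, str]]:
    """Parse one fixed-width ArubaOS table into a list of {column: value}.

    ArubaOS prints a header row followed by a ruler row with one dash run per
    column, and every cell starts where its header starts. Slicing rows at
    those offsets is what lets empty cells (no TOS marking) come out as ''
    instead of shifting later columns, which whitespace-splitting would do.
    """
    lines = text.splitlines()
    for i in range(1, len(lines)):
        runs = list(re.finditer(r"-+", lines[i]))
        # The policy name is also underlined, but with a single dash run;
        # a real table ruler has one run per column, so require at least two.
        if len(runs) >= 2 and not lines[i].replace("-", "").strip():
            header, body = lines[i - 1], lines[i + 1:]
            break
    else:
        raise ValueError("no ArubaOS table found")
    starts = [m.start() for m in runs]
    bounds = list(zip(starts, starts[1:] + [None]))      # last column runs to end of line
    names = [header[s:e].strip() for s, e in bounds]
    rows = []
    for line in body:
        if not line.strip():
            continue
        rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, bounds)})
    return rows


def marking_rules(rows: list[dict[str, str]]) -> list[dict]:
    """Return the ACL rules that would rewrite DSCP (TOS column) or 802.1p.

    The Queue column (High/Low) is deliberately not treated as a marking;
    the thread treats it as separate from TOS/802.1p, and it is reported as-is.
    """
    hits = []
    for r in rows:
        if r.get("TOS") or r.get("8021P"):
            hits.append({
                "priority": int(r["Priority"]),
                "service": r["Service"],
                "queue": r.get("Queue", ""),
                "dscp": int(r["TOS"]) if r["TOS"] else None,
                "dot1p": int(r["8021P"]) if r["8021P"] else None,
            })
    return hits


def dscp_to_tos_byte(dscp: int) -> int:
    """DSCP is the top six bits of the IPv4 TOS / IPv6 Traffic Class byte
    (RFC 2474); the low two bits are ECN and are left at 0 here."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    return dscp << 2


def describe_dscp(dscp: int) -> str:
    """Human-readable form of a DSCP value as it would appear in a capture."""
    return f"DSCP {dscp} ({DSCP_NAMES.get(dscp, 'unnamed')}), TOS byte 0x{dscp_to_tos_byte(dscp):02x}"


def audit(text: str) -> list[str]:
    """One line per rule that re-marks traffic in the given show rights output."""
    return [
        f"rule {h['priority']} {h['service']}: queue {h['queue'] or '-'}, "
        f"{describe_dscp(h['dscp']) if h['dscp'] is not None else 'no DSCP'}, "
        f"802.1p {h['dot1p'] if h['dot1p'] is not None else '-'}"
        for h in marking_rules(parse_aruba_table(text))
    ]


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

    Paste real show rights output in place of SAMPLE. Because cells are sliced at header offsets, an unmarked rule parses with empty TOS and 8021P cells rather than having its IPv4/6 value land in the wrong column, which is the failure mode of a naive split on whitespace.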

  • 10.  RE: ACL's and QOS...... WTF

    Posted Aug 07, 2013 12:50 AM

    Thanks