Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Help Cluster High Value Traffic not replicating

  • 1.  Help Cluster High Value Traffic not replicating

    Posted Oct 12, 2019 01:01 PM

    Whitepapers and concepts are nice and all but I can't replicate the High-Value traffic session failover between Cluster nodes. If I reboot an A-UAC L2 cluster member the High-Value traffic drops...

    Shouldn't I see high value traffic on the second cluster member if I issued the "show datapath session high-value"?

    Also I'm failing at creating a custom "high-value" traffic test policy for icmp.

    Ex:

    !sync-apps-s-uac
    ----------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 any any svc-icmp permit High 46 7 4
    2 any any app icmp permit High 46 7 4

    Hopefully these logs don't get too distorted...

    (PDC-VMC2) [MDC] #show lc-cluster group-membership

    Cluster Enabled, Profile Name = "PDC-Cluster"
    Redundancy Mode On
    Active Client Rebalance Threshold = 50%
    Standby Client Rebalance Threshold = 75%
    Unbalance Threshold = 5%
    AP Load Balancing: Enabled
    Active AP Rebalance Threshold = 50%
    Active AP Unbalance Threshold = 5%
    Active AP Rebalance AP Count = 30
    Active AP Rebalance Timer = 1 minutes
    Cluster Info Table
    ------------------
    Type IPv4 Address Priority Connection-Type STATUS
    ---- --------------- -------- --------------- ------
    peer 10.60.11.2 128 L2-Connected CONNECTED (Member, last HBT_RSP 22ms ago, RTD = 1.587 ms)
    self 10.60.11.3 128 N/A CONNECTED (Leader)
    (PDC-VMC2) [MDC] #
    (PDC-VMC2) [MDC] #
    (PDC-VMC2) [MDC] #show user-table

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ---------
    10.60.10.205 e8:4e:06:6d:a7:c7 allow-all-aar 00:00:42 G1-AP Wireless ACMX-Q/70:3a:0e:fa:26:e0/g-HT ACMX-Q tunnel Win 10 WIRELESS

    User Entries: 1/1
    Curr/Cum Alloc:2/146 Free:1/144 Dyn:3 AllocErr:0 FreeErr:0
    (PDC-VMC2) [MDC] #
    (PDC-VMC2) [MDC] #
    (PDC-VMC2) [MDC] #
    (PDC-VMC2) [MDC] #show datapath session high-value


    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
    D - deny, R - redirect, Y - no syn
    H - high prio, P - set prio, T - set ToS
    C - client, M - mirror, V - VOIP
    Q - Real-Time Quality analysis
    u - Upstream Real-Time Quality analysis
    I - Deep inspect, U - Locally destined
    E - Media Deep Inspect, G - media signal
    r - Route Nexthop, h - High Value
    A - Application Firewall Inspect
    B - Permanent, O - Openflow
    L - Log


    Sync-Flags: S - SYNC sent to Standby, A - ACKed by Standby
    D - Marked for delayed delete
    Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes SIDX Flags Sync-Flags User-MAC CPU ID
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- -------- --------------- ------------ ----------------- -------
    10.60.10.205 90.130.70.73 6 54994 27370 0/0 0 0 0 tunnel 12 cf 94982 4109824 c6a Ch S E8:4E:06:6D:A7:C7 2
    (PDC-VMC2) [MDC] #exit

    (PDC-VMM1) [mynode] #show global-user-table list

    Global Users
    ------------
    IP MAC Name Current switch Role Auth AP name Roaming Essid Bssid Phy Profile Type
    ---------- ------------ ------ -------------- ---- ---- ------- ------- ----- ----- --- ------- ----
    10.60.10.205 e8:4e:06:6d:a7:c7 10.60.11.3 allow-all-aar G1-AP Wireless ACMX-Q 70:3a:0e:fa:26:e0 g-HT ACMX-Q Win 10

    Total entries = 1
    (PDC-VMM1) [mynode] #logon 10.60.11.2


    (PDC-VMC1) [MDC] #show datapath session high-value


    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
    D - deny, R - redirect, Y - no syn
    H - high prio, P - set prio, T - set ToS
    C - client, M - mirror, V - VOIP
    Q - Real-Time Quality analysis
    u - Upstream Real-Time Quality analysis
    I - Deep inspect, U - Locally destined
    E - Media Deep Inspect, G - media signal
    r - Route Nexthop, h - High Value
    A - Application Firewall Inspect
    B - Permanent, O - Openflow
    L - Log


    Sync-Flags: S - SYNC sent to Standby, A - ACKed by Standby
    D - Marked for delayed delete
    Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes SIDX Flags Sync-Flags User-MAC CPU ID
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- -------- --------------- ------------ ----------------- -------
    (PDC-VMC1) [MDC] #



  • 2.  RE: Help Cluster High Value Traffic not replicating

    EMPLOYEE
    Posted Oct 12, 2019 01:36 PM
    Is the cluster layer 2 for that vlan?

    "Show user-table standby" should show the users that are replicated from another controller.

    "Show datapath session table" should have the flag "h" for high value sessions


  • 3.  RE: Help Cluster High Value Traffic not replicating

    Posted Oct 12, 2019 01:45 PM

    L2 Connected cluster

    If I issued the show user-table standby on the S-UAC I see the user.

    show datapath session high-value on the S-UAC shows nothing.

    show datapath session high-value on the A-UAC shows the "h" session.

    The gateway for the client is a core switch.



  • 4.  RE: Help Cluster High Value Traffic not replicating

    EMPLOYEE
    Posted Oct 12, 2019 01:53 PM
    I would open a TAC case, to see if something specific is preventing it from working. Those should be the only requirements.


  • 5.  RE: Help Cluster High Value Traffic not replicating

    Posted Oct 12, 2019 01:56 PM

    Okay no worries.

    As for creating a custom service like SSH to be a high-value..

    Creating a session rule to make the APP as TOS 46, High Priority would trigger that being a "High-Value" as well?



  • 6.  RE: Help Cluster High Value Traffic not replicating

    EMPLOYEE
    Posted Oct 12, 2019 02:10 PM

    UCC (voice/video calls that are identified), SSH sessions and TCP sessions longer than 10 seconds should automatically be considered high value sessions.