Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

How to configure QOS on Aruba controller

  • 1.  How to configure QOS on Aruba controller

    Posted Oct 24, 2017 04:38 PM

    Hi, I'm trying to configure QOS on an Aruba controller to put specific traffic in the lowest priority queue possible (background).

    I've already got a working QOS setup with S4B but I'm looking into applying QOS for a specific bandwidth consuming application.

     

    I've read about traffic mgmt, QOS based on user roles, et cetera but not real life examples except for S4B QOS deployments.

    The source and destination IPs are known as well as the layer 4 port to configure the specific policy.

     

    I'm not looking into setting up bandwidth limitations. The application should be able to utilize the full bandwidth if it is available. The data generated by this application should be handled as background, not interfering with any other traffic.

     

    Anyone who has knowledge/experience with configuring QOS for a specific application?



  • 2.  RE: How to configure QOS on Aruba controller

    EMPLOYEE
    Posted Oct 24, 2017 05:01 PM

    Unfortunately, QOS typically is only effective at a contention boundary, like on a WAN link, or over a wireless link between an access point and a client.  It is only really effective if both the client and the infrastructure (access point) can tag the QOS for the application.  Typically the "background" queue will not slow down traffic much less than the default queue.

     

    What is this application and what problem are you trying to solve...?



  • 3.  RE: How to configure QOS on Aruba controller

    Posted Oct 25, 2017 02:56 AM

    Hi Colin,

     

    The problem that I'm trying to solve is that some WAN links are occasionally fully saturated by our SCCM systems, which are updates downloaded by our clients. Usually this isn't an issue but occasionally large updates are offered, causing slowness.

     

    I'm aware that QOS should be configured, at least, between the WAN endpoints. However, from my point of view, the WAN routers can only determine this type of traffic if the Aruba controller marks this traffic outside the GRE tunnel. That's why I would like to know how to accomplish this setup.

     

    On the SCCM systems themselves there is not much to control, or in any way to control exactly what we want. We can limit the amount of traffic based on the physical interface but then we don't want these updates to take a long time as these are also security related fixes.

    Deploying a local SCCM system on location is not an option, 1 due to the WLAN design (tunnel mode) and 2 because this is not in line with company policy.

     

    QOS would be the best way to go forward I think as it should avoid/mitigate the update system utilizing all bandwidth and also fully use bandwidth if it is available.

     

    Happy to know if there are other possible scenarios to avoid the issue.



  • 4.  RE: How to configure QOS on Aruba controller

    Posted Oct 25, 2017 05:36 AM

    hi Jer,

    You should be able to do this either with a dot1p or ToS marking session acl. Consider the following contrived example for ToS based on IP and not port (you could add tcp 12345 if you know the SCCM ports explicitly, but probably IP is enough)

    netdestination SCCM
      host 1.2.3.4
      host 5.6.7.8
    !
    ip access-list session sccm_tosmarker
      user alias SCCM any permit tos XX
      alias SCCM user any permit tos XX
    !

      Then shove that access-list somewhere into the user role as appropriate.

     

    Seems the values are hidden behind n/a these days, but you can find them in a doc like the Lync VRD (Link), essentially we get the following

          DSCP    dot1p
    BK    8       1,2
    BE    24      0,3
    VI    40      5
    VO    56      6
    
    

    as the default value the ssid profile uses. As usual with ToS vs. DSCP there is some overlap and variation in what the numbers mean and how to enter them, but I digress.

     

    The key thing to remember is that the ssid-profile dscp values are range based. Try very much to resist the urge to change them, often it results in unexpected results, instead set a value of XX above that falls into the range.

     

    Aruba's docs don't clearly imply the range nature of these, but you can search around online for "dscp to wmm ac mapping" (for example this) to see that it's pretty standard behaviour. As such, you don't have to pick the exact value to match a well known DSCP value, but it probably is best to do so.

     

    TL;DR; Thus, you should put a value of 8 in for XX above, or, use a dot1p marker with value=1

     

    Finally, once you think it's all set up and ready to go, kick off an update to a client and use 'show acl hit' to make sure it's getting pinged, and "show ap debug radio-stats ap-name <> radio <> advanced | include WMM" (naturally you will need to find the ap-name and radio (0=5ghz, 1=2.4ghz) depending on where your test client is at the time).

     

    you should see this stat going up rapidly due to your now BK prioritised traffic

     

    Tx WMM [BK] 125123  <<<<

    Tx WMM [BE] 125

    Tx WMM [VO] 55753

     

     

    then of course double check it with a quick pcap to make sure the outer IP header is really set as you need it to be.
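
An added example, not part of the original posts or Aruba's code: Python that performs the pcap check suggested above by reading the DSCP of the outer and inner IPv4 headers of a GRE packet and mapping each to a WMM access category. It assumes the common default where the top three DSCP bits select the 802.11 user priority (the "range based" behaviour described in the post); the sample packets are constructed plain IPv4-in-GRE, and all function names are hypothetical.

```python
import struct

# 802.11 user priority (0-7) -> WMM access category
UP_TO_AC = {1: "BK", 2: "BK", 0: "BE", 3: "BE", 4: "VI", 5: "VI", 6: "VO", 7: "VO"}

def dscp_to_ac(dscp):
    """Assumed default mapping: the top three DSCP bits pick the user
    priority, so every access category covers a range of DSCP values."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return UP_TO_AC[dscp >> 3]

def parse_ipv4(buf):
    """Return (dscp, protocol, payload) for one IPv4 packet."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header length")
    return buf[1] >> 2, buf[9], buf[ihl:]

def gre_markings(packet):
    """Return (outer_dscp, inner_dscp); inner is None unless the packet
    is GRE (IP protocol 47) carrying IPv4."""
    outer_dscp, proto, payload = parse_ipv4(packet)
    if proto != 47 or len(payload) < 4:
        return outer_dscp, None
    flags, ethertype = struct.unpack("!HH", payload[:4])
    # Optional checksum, key and sequence fields add 4 bytes each.
    offset = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    if ethertype != 0x0800:
        return outer_dscp, None
    return outer_dscp, parse_ipv4(payload[offset:])[0]

def ipv4(tos, proto, src, dst, payload=b""):
    """Build a constructed IPv4 packet (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes(src), bytes(dst)) + payload

# Constructed samples: inner packet from the thread's example host 1.2.3.4,
# ToS byte 0x20 (DSCP 8), wrapped in plain IPv4-in-GRE between made-up endpoints.
INNER = ipv4(0x20, 6, (1, 2, 3, 4), (10, 0, 0, 50))
GRE = b"\x00\x00\x08\x00"
MARKED = ipv4(0x20, 47, (192, 0, 2, 1), (192, 0, 2, 2), GRE + INNER)
UNMARKED = ipv4(0x00, 47, (192, 0, 2, 1), (192, 0, 2, 2), GRE + INNER)

if __name__ == "__main__":
    for name, pkt in (("marked", MARKED), ("unmarked", UNMARKED)):
        outer, inner = gre_markings(pkt)
        print(name, "outer", outer, dscp_to_ac(outer), "inner", inner, dscp_to_ac(inner))
```

The `UNMARKED` sample is the case the pcap check is meant to catch: the inner header carries DSCP 8 but the outer header is 0, so a WAN router classifying on the outer header would treat the flow as best effort.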

     

     



  • 5.  RE: How to configure QOS on Aruba controller

    EMPLOYEE
    Posted Oct 25, 2017 09:07 AM

    @Jer wrote:

    Hi Colin,

     

    The problem that I'm trying to solve is that some WAN links are occasionally fully saturated by our SCCM systems, which are updates downloaded by our clients. Usually this isn't an issue but occasionally large updates are offered, causing slowness.

     

    I'm aware that QOS should be configured, at least, between the WAN endpoints. However, from my point of view, the WAN routers can only determine this type of traffic if the Aruba controller marks this traffic outside the GRE tunnel. That's why I would like to know how to accomplish this setup.

     

    On the SCCM systems themselves there is not much to control, or in any way to control exactly what we want. We can limit the amount of traffic based on the physical interface but then we don't want these updates to take a long time as these are also security related fixes.

    Deploying a local SCCM system on location is not an option, 1 due to the WLAN design (tunnel mode) and 2 because this is not in line with company policy.

     

    QOS would be the best way to go forward I think as it should avoid/mitigate the update system utilizing all bandwidth and also fully use bandwidth if it is available.

     

    Happy to know if there are other possible scenarios to avoid the issue.


    I would hire a professional to design a way to do this within your system.  Marking QOS is one thing, but choosing where and how to enforce it so that all your applications still function can be complex.  In this day and age where missing a security update could be costly to your business, you want to make sure that you have all of your bases covered.

     

    From how it looks, you also have a wired network that you also need to consider, so that means it is not as simple as marking an ACL on a WLAN controller.

     

    The Lync documentation shows you how to prioritize a single application over everything else, which is not hard to do as long as the client is also doing prioritization in the other direction.  De-prioritizing an application requires more care.



  • 6.  RE: How to configure QOS on Aruba controller

    Posted Oct 27, 2017 12:18 PM

    Thanks for the suggestion.

     

    Will try the ACL recommendation in my test lab to see if the ACL is being hit once an SCCM update starts.

    The endpoint devices between the WAN are important as well to succeed in achieving my goal. As soon as the controller/AP flags the SCCM traffic in the range of background, I then can check using pcap to confirm and finally test if the QOS on the router (LAN) is able to interpret and mark the traffic as required.

     

    Dugem, do you have experience yourself with this scenario, or is it theory based?



  • 7.  RE: How to configure QOS on Aruba controller

    Posted Oct 27, 2017 12:54 PM

    Hi Jer, whilst I can't be sure to your exact use case, everything I wrote was based on my direct experience (not including aos 8)  :)



  • 8.  RE: How to configure QOS on Aruba controller

    Posted Nov 01, 2017 04:10 AM

    Alright, I appreciate you sharing this technical info with us and I will give it a try.

    It's good to know that you have experience with a setup in which you are able to prevent/reduce the risk of specific high bandwidth consuming traffic causing a bad experience for other applications.