Dual link, dual marking, bidirectional.

  • Question
  • Updated 5 years ago
  • Answered
We have a simple policy in some sites with either Juniper/Fortinet router/FW L3 and Aerohive/Meraki L2 edge(s). We let the APs categorise traffic and mark packets/frames normally with QoS classes, i.e. WMM/DSCP/CoS of either 2, 7, or none. 2 gets policy routed out the slower link, 7 gets forwarded or explicitly put in the EF queue (5, I know!) and sent out the faster/better link, and none just goes out the faster link with default attributes.

Now that we can finally use L7 Services to 'classify' for example Bittorrent w/ Aerohive and policy route out our secondary link, I am left confused as to how I need to explicitly 'classify' and then 'mark' traffic with the AP330/HMOL... will the classification be only local on the AP queues (yes, without a marker)? How would a default marker map treat it subsequently, or do we need a *custom* marker map to explicitly mark (or mutate if set previously by hosts)?

Note: We can trivially use DSCP values on the Juniper upstream or ToS (in hex ;) on the Fortinet.... but in this Aerohive/Fortinet case we wish to mark Bittorrent for example and recognise the thusly marked ToS on the Fortinet.

Maybe I am overthinking this, but as 802.1e maps to 802.1p and:

802.1p : 2 -> 802.1e : 2 -> CoS/IPP : 2 -> CS2 -> DSCP : 16 -> ToS : 64 -> ToS Hex 40 , Hex mask FF (for Fortinet PBR)

802.1p : 7 -> 802.1w : 7 -> CoS/IPP : 7 -> CS7 -> DSCP : 56 -> ToS : 224 -> ToS Hex E0 , Hex mask FF (for Fortinet PBR)

Do I just turn on the default marker map and set the classifier to 'Bittorrent' and QoS Class '2' ?
irldexter

Posted 5 years ago

irldexter
Correction: Above should say '802.1e' not '802.1w' in second last line.

Looking for examples of classification and subsequent marking over and above principles here: http://www.aerohive.com/pdfs/Aerohive... and http://www.aerohive.com/pdfs/Aerohive...

Do I need to edit the default marker map when created?
Tash Hepting
QoS isn't my strongest subject, but I'll take a stab at it...

If you classify an app (i.e. bittorrent) as QoS class 2, and the default marker map sets class 2 to the DSCP value you need for your wired network, I think you're done. You should only have to modify the marker map if you want to customize the values marked on each queue.

Cheers,
Tash
irldexter
Thanks Tash, appreciate your response... as that was my feeling too! As a long time network engineer and ex-Cisco kid... for some reason my mind goes to mush when trying to map all the standards together; sure there are charts, and in theory it should be straightforward, however it comes down to how vendors implement and name things, e.g. case in point http://revolutionwifi.blogspot.com.au...

Anyone else out there confirm 100% the thinking in the initial question?
irldexter
So I strained my brain with some bitmasks in hex and also moved traffic from QoS class 2 to QoS class 0 (scavenger) for the lower end stuff to go out the Fortinet secondary link. Default Aerohive QoS class 2 = DSCP 8 (which is ToS 20 in hex) and 'df' works as an explicit ToS hex mask as we only want to match the 4th of 6 bits (or the 6th in the full byte as we don't care about the last two ECN bits).

Fortinet is now policy routing based upon DSCP 8 traffic which is being decided upon by Aerohive application viz classifier and marker maps.... let's see what happens under load :)
irldexter
Oooops, I think the ToS bitmask is wrong and should be 'fc'...

0010 0000 = ToS 32 = ToS Hex 0x20 = DSCP 8 (6 bits)
1111 1100 = Match first 6 bits explicitly and don't care about the last 2 bits, thus -> 11111100 = Decimal 252 = 0xFC
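The CoS -> CS class -> DSCP -> ToS byte arithmetic from the opening post, and the ToS/mask question from the two posts above, carried through in Python as an added example (not code from the thread, Aerohive or Fortinet). It assumes a Fortinet-style policy-route match of the form `(packet_tos & mask) == (value & mask)`, which is the comparison the thread describes; `check_mask` exhaustively tries every DSCP and ECN combination so you can see why 0xDF misses DSCP 8, why 0xFF only matches when the ECN bits are zero, and why 0xFC is the mask that matches DSCP 8 regardless of ECN:

```python
# Added example: DSCP/ToS arithmetic and ToS-mask verification for the
# policy-based-routing case discussed in the thread. Not vendor code.

DSCP_ONLY_MASK = 0xFC  # 1111 1100: compare the 6 DSCP bits, ignore the 2 ECN bits


def cos_to_dscp(cos):
    """Class Selector code point for an 802.1p / IP Precedence value (CSn = n << 3)."""
    if not 0 <= cos <= 7:
        raise ValueError("CoS/IPP must be 0..7")
    return cos << 3


def dscp_to_tos(dscp, ecn=0):
    """Full ToS/DS byte: DSCP in the upper 6 bits, ECN in the lower 2 bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    if not 0 <= ecn <= 3:
        raise ValueError("ECN must be 0..3")
    return (dscp << 2) | ecn


def tos_to_dscp(tos):
    """Recover the DSCP from a ToS byte by discarding the two ECN bits."""
    return (tos & 0xFF) >> 2


def tos_matches(packet_tos, value, mask):
    """Assumed Fortinet-style ToS compare: both sides are ANDed with the mask."""
    return (packet_tos & mask) == (value & mask)


def mapping_row(cos):
    """One row of the thread's table: CoS -> CSn -> DSCP -> ToS decimal/hex -> mask."""
    dscp = cos_to_dscp(cos)
    tos = dscp_to_tos(dscp)
    return {
        "cos": cos,
        "class": f"CS{cos}",
        "dscp": dscp,
        "tos": tos,
        "tos_hex": f"0x{tos:02X}",
        "mask_hex": f"0x{DSCP_ONLY_MASK:02X}",
    }


def check_mask(dscp, mask):
    """True only if the (value, mask) pair selects exactly the packets carrying
    `dscp`: every ECN variant of that DSCP matches, every other DSCP does not."""
    value = dscp_to_tos(dscp)
    for other in range(64):
        for ecn in range(4):
            packet = dscp_to_tos(other, ecn)
            if tos_matches(packet, value, mask) != (other == dscp):
                return False
    return True


if __name__ == "__main__":
    for cos in (2, 7):
        print(mapping_row(cos))
    # DSCP 8 (Aerohive QoS class 2 in the thread) = ToS 0x20
    for mask in (0xDF, 0xFF, 0xFC):
        print(f"DSCP 8 with mask 0x{mask:02X}: {'ok' if check_mask(8, mask) else 'wrong'}")
```

Running it prints the CS2/DSCP 16/0x40 and CS7/DSCP 56/0xE0 rows, then reports 0xDF and 0xFF as wrong for DSCP 8 and 0xFC as correct. The 0xFF case matters in practice: a host or middlebox that sets ECN bits (ECT/CE) would silently fall out of the policy route under a full-byte mask, so matching on the DSCP bits only is the robust choice.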
irldexter
We still cannot rate limit explicit Application Services or QoS classes on the WAP, right? It's still up to the upstream L3 gateway?

Note: I understand the potential resource consumption however we can only classify, queue, mark, mutate and punt it on right/wrong?
Tash Hepting
You can now rate limit on the AP per user-profile per QoS class. I'm not exactly sure which version this went live with, but it's definitely in 6.0r2a. Check in the user profile configuration under the "QoS" section.

You can either throttle the user profile, or set up a Rate Control and Queuing Policy to get per-queue control over the throttling. Combine this with a classifier map and you can set up that user profile to throttle specific services or DPI-based applications.

When the application visibility and control came out I used this to mess around with Netflix video streams. Surprisingly, it could still play while rate-limited to 256kbps. It looked terrible though.

irldexter
Hiya, great stuff Tash, we do both already... however I guess it's per bucket that the app is in, so unless we broke out an app into a totally separate and unique class, we could only control an individual app that way.

Also: WMM/802.11e seems to pre-mark packets if signalled by the client, as we saw traffic outside of the 0 (non-marked) class in the user QoS counters on the APs even though we only application-classified 2 classes. So to explain, we used app viz to classify apps to either QoS Class 2 or 7 but still saw traffic outside of 0 on 3 and 5?
irldexter
Hi there everyone, so I've noticed something about this approach that seems to be a flaw in the thinking/technology for Policy Based Routing based upon application signatures/heuristics and FW session IDs / turbo CAM style cut-through switching: http://community.aerohive.com/aerohiv... would welcome your feedback...