
3850 – QoS – Part 1


This is the first post about Converged Access (applicable to 3850/3650/5760) QoS in detail. The primary difference is that these new platforms use MQC (Modular QoS Command Line) rather than the MLS (Multi Layer Switching) QoS of the legacy switch platforms (3750X, 3560, 2960, etc.) when provisioning. So QoS on the new CA platforms is aligned with the 4500/6500 QoS configuration mechanism.

In addition to this difference, the 3850 has 8 queues for wired & 4 queues for wireless traffic (legacy systems had 4 queues & no differentiation was possible between wired and wireless).

Due to inherent differences between wireless and wired technology, different touch points within the QoS architecture have been defined.

1. Wired to Wireless
2. Wireless to Wired

The diagram below shows the Wired to Wireless QoS touch points.

[Figure: 3850-QoS-P1-01]

As traffic travels out of a wireless port (any port directly attached to an AP), there are several QoS touch points to consider.
1. Client Level – Classified on egress using class maps & provides two strict priority queues for voice & video.
2. SSID Level – Classified on egress using class maps. In addition to classifying & marking, there is a shape command to limit the rate of traffic at the SSID per radio (BSSID). A bandwidth for the SSID can also be configured to provide a ratio limit between the SSIDs sharing the same radio.

3. Radio Level – Traffic is subject to 4 egress queues, two of which are strict priority (for Voice & Video). The non-real-time queue is effectively the default class and the multicast-non-real-time queue is used for all non-real-time multicast traffic. This is non-configurable & generated based on the radio level shaper negotiation. The queuing scheduler is Class Based Weighted Fair Queuing (CBWFQ) and bandwidth management is based on the Approximate Fair Drop (AFD) algorithm, which provides fairness between users.

The diagram below illustrates the Wireless to Wired QoS touch points.

[Figure: 3850-QoS-P1-02]

Marking or Policing policies can be applied to individual clients or at the SSID as an aggregate. If you do the classification or marking at the SSID level, it will have precedence over client level classification & marking.

As traffic leaves a wired port, classification is again done by class maps & policing policies can be configured on the physical port or on an SVI. The queuing mechanism is CBWFQ with dual Low Latency Queues (LLQ) & the dropping algorithm is Weighted Tail Drop (WTD).

Now let's see how the default QoS configuration in these platforms works. In MQC based products, QoS is enabled by default and any QoS markings sent through the platform are left untouched. There is one exception: if traffic passes from a wireless to a wired port or vice versa, the QoS values are re-marked to default (0).

[Figure: 3850-QoS-P1-03]

However this is not the case with Wired-to-Wired traffic. This restriction can be lifted by disabling the default untrust command in 3850 global config as shown below.

3850-2#sh run | in qos  
qos wireless-default-untrust
3850-2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
3850-2(config)#no qos wireless-default-untrust

Also, as described above, the Radio level policy is non-configurable & hence it should be there in the default config. You can verify that using the “show policy-map interface wireless x” command. You need a registered AP to check these.

3850-2#show ap summary 
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
AP3702I-1                         3702I     7cad.74ff.2bc6  08cc.68b4.0370  Registered 

3850-2#show policy-map interface wireless ?
  ap      Wireless AP
  client  Wireless Client
  radio   Wireless Radio
  ssid    Wireless SSID

3850-2#show policy-map interface wireless ap ?
  iifid  Wireless target iifid
  name   Wireless target identifier name
  |      Output modifiers
  <cr>

3850-2#show policy-map interface wireless ap 
AP AP3702I-1 iifid: 0x010605C000000008
  Service-policy output: defportac
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      Queueing  
      (total drops) 0
      (bytes output) 18512197
      shape (average) cir 1000000000, bc 4000000, be 4000000
      target shape rate 1000000000

      Service-policy : port_child_policy
        Class-map: non-client-nrt-class (match-any)
          Match: non-client-nrt 
            0 packets, 0 bytes
            30 second rate 0 bps
          Queueing  
          (total drops) 0
          (bytes output) 18512197
          bandwidth remaining ratio 10 

        Class-map: class-default (match-any)
          Match: any 
            0 packets, 0 bytes
            30 second rate 0 bps         
          (total drops) 0
          (bytes output) 0

3850-2#show policy-map interface wireless radio 
Radio dot11b iifid: 0x010605C000000008.0x00CC838000000004
  Service-policy output: def-11gn
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      shape (average) cir 200000000, bc 800000, be 800000
      target shape rate 200000000

Radio dot11a iifid: 0x010605C000000008.0x00CCB74000000005
  Service-policy output: def-11ac
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      shape (average) cir 1000000000, bc 4000000, be 4000000
      target shape rate 1000000000

As you can see, client & SSID level QoS is user defined & hence nothing is there by default.

3850-2#show policy-map interface wireless ssid ?
  iifid  Wireless target iifid
  name   Wireless SSID name
  |      Output modifiers
  <cr>

3850-2#show policy-map interface wireless ssid 
***** NO OUTPUT ******

3850-2#show policy-map interface wireless client ?
  iifid  Wireless target iifid
  mac    Wireless target identifier name
  |      Output modifiers
  <cr>

3850-2#show policy-map interface wireless client 
**** NO OUTPUT *****

The diagram below illustrates the port specific QoS role of a converged access campus access switch like the 3850/3650.

[Figure: 3850-QoS-P1-04]

In the next post we will see how to configure QoS depending on the role the switchport plays, as shown above.

References
1. End to End QoS Design- Quality of Service for Rich-Media & Cloud Networks (2nd Edition)
2. BRKCRS-2890 Converged Access QoS
3. BRKCRS-2501: Campus QoS Design—Simplified

Related Posts

1. 3850 QoS – Part 2
2. 3850 QoS – Part 3
3. 3850 QoS – Part 4
4. 3850 QoS – Part 5



3850 QoS – Part 2 (Queuing Models)


In this post we will see the queuing models available on the 3850 switch platform. Due to the nature of Converged Access, there are separate queuing models for wired & wireless ports (any port directly attached to an AP).

A wireless port provides 4 independent queues & in contrast a wired port provides up to 8 queues. This 8-queue model closely aligns with the 4500/6500 queuing architecture & therefore it is much easier to align QoS policies.

The basic architecture of this platform provides 24x1G access ports & 2x10G uplinks per ASIC (Application Specific Integrated Circuit) to a 120G stack connection (a 48-port switch has 2 ASICs). This also provides two separate internal queues over the stack ring, giving access to priority traffic & non-priority traffic. Ingress queuing is not configurable. The diagram below shows the basic stack architecture of this platform.

[Figure: 3850-QoS-P2-01]

For Egress Queuing, we can discuss Wired Egress & Wireless Egress queuing separately as the queuing model is different in each scenario.

1. Wired Queuing
Egress wired queuing on the 3850 can be configured as 8Q3T, 1P7Q3T or 2P6Q3T. Since the first one does not have a priority queue it is not recommended. If your core/distribution has 4500/6500 platforms, both share the 1P7Q3T model, so if you are using the 3850 you can easily align policies with your core/distribution.

  • 1P7Q3T : The diagram below illustrates the 1P7Q3T egress queue mappings for a 3850 using the 8-class model. The recommended buffer allocations for wired interface queues 7 through 1 are 10%, 10%, 10%, 10%, 10%, 10%, 25%. You configure this with the “queue-buffers ratio” command.

[Figure: 3850-QoS-P2-02]

Below is the corresponding configuration for 8-class 1P7Q3T egress queuing on a 3850.

C3850(config-pmap-c)# policy-map 1P7Q3T
C3850(config-pmap)# class VOICE
C3850(config-pmap-c)# priority level 1
C3850(config-pmap-c)# police rate percent 10
!
C3850(config-pmap-c-police)# class NW-CONTROL
C3850(config-pmap-c)# bandwidth remaining percent 5
C3850(config-pmap-c)# queue-buffers ratio 10
!
C3850(config-pmap-c)# class INT-VIDEO
C3850(config-pmap-c)# bandwidth remaining percent 23
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af43 percent 80
C3850(config-pmap-c)# queue-limit dscp af42 percent 90
C3850(config-pmap-c)# queue-limit dscp af41 percent 100
!
C3850(config-pmap)# class SIGNALING
C3850(config-pmap-c)# bandwidth remaining percent 2
!
C3850(config-pmap-c)# class STREAMING-VIDEO
C3850(config-pmap-c)# bandwidth remaining percent 10
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af33 percent 80
C3850(config-pmap-c)# queue-limit dscp af32 percent 90
C3850(config-pmap-c)# queue-limit dscp af31 percent 100
!
C3850(config-pmap-c)# class CRITICAL-DATA
C3850(config-pmap-c)# bandwidth remaining percent 24
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af23 percent 80
C3850(config-pmap-c)# queue-limit dscp af22 percent 90
C3850(config-pmap-c)# queue-limit dscp af21 percent 100
!
C3850(config-pmap-c)# class SCAVENGER
C3850(config-pmap-c)# bandwidth remaining percent 1
C3850(config-pmap-c)# queue-buffers ratio 10
!
C3850(config-pmap-c)# class class-default
C3850(config-pmap-c)# bandwidth remaining percent 25
C3850(config-pmap-c)# queue-buffers ratio 25
!
C3850(config)# interface gigabitethernet 1/0/x
C3850(config-if)# service-policy out 1P7Q3T
  • 2P6Q3T : This model differs only slightly from the previous one: it has been extended to cover the 12-class model & adds a second priority queue to separate voice & video. The diagram below shows the 2P6Q3T egress queue mapping for the Catalyst 3850.

[Figure: 3850-QoS-P2-03]

Below is the corresponding configuration for 12-class 2P6Q3T egress queuing on a 3850.

C3850(config-pmap-c)# policy-map 2P6Q3T
C3850(config-pmap)# class VOICE
C3850(config-pmap-c)# priority level 1
C3850(config-pmap-c)# police rate percent 10
!
C3850(config-pmap-c)# class RT-VIDEO
C3850(config-pmap-c)# priority level 2
C3850(config-pmap-c)# police rate percent 20
!
C3850(config-pmap-c-police)# class MGT-CONTROL
C3850(config-pmap-c)# bandwidth remaining percent 10
C3850(config-pmap-c)# queue-buffers ratio 10
!
C3850(config-pmap-c)# class MULTIMEDIA-CONFERENCE
C3850(config-pmap-c)# bandwidth remaining percent 10
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af43 percent 80
C3850(config-pmap-c)# queue-limit dscp af42 percent 90
C3850(config-pmap-c)# queue-limit dscp af41 percent 100
!
C3850(config-pmap-c)# class MULTIMEDIA-STREAMING
C3850(config-pmap-c)# bandwidth remaining percent 10
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af33 percent 80
C3850(config-pmap-c)# queue-limit dscp af32 percent 90
C3850(config-pmap-c)# queue-limit dscp af31 percent 100
!
C3850(config-pmap-c)# class TRANSACTIONAL-DATA
C3850(config-pmap-c)# bandwidth remaining percent 10
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af23 percent 80
C3850(config-pmap-c)# queue-limit dscp af22 percent 90
C3850(config-pmap-c)# queue-limit dscp af21 percent 100
!
C3850(config-pmap-c)# class BULK-SCAVENGER
C3850(config-pmap-c)# bandwidth remaining percent 5
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af13 percent 80
C3850(config-pmap-c)# queue-limit dscp af12 percent 90
C3850(config-pmap-c)# queue-limit dscp af11 percent 100
!
C3850(config-pmap-c)# class class-default
C3850(config-pmap-c)# bandwidth remaining percent 25
C3850(config-pmap-c)# queue-buffers ratio 25
!
C3850(config)# interface gigabitethernet 1/0/x
C3850(config-if)# service-policy out 2P6Q3T
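The “queue-limit dscp afX3/afX2/afX1 percent 80/90/100” lines in both policies above are Weighted Tail Drop thresholds: as a queue fills, the higher drop-precedence marking of each AF class is refused first. The Python below is an added example (not code from the post) that models one such queue under sustained congestion; the 100-packet buffer size is a constructed value, not something the post states.

```python
"""Weighted Tail Drop (WTD) for one 3850 egress queue (added example).

Models the INT-VIDEO class of the 1P7Q3T policy above: three thresholds,
af43 at 80 %, af42 at 90 % and af41 at 100 % of the queue's buffer.
Queue depth is counted in packets; the buffer size is a constructed value.
"""
from collections import deque

# DSCP decimal values (RFC 2597 assured forwarding) for the page's class maps
DSCP = {"af41": 34, "af42": 36, "af43": 38,
        "af31": 26, "af32": 28, "af33": 30,
        "af21": 18, "af22": 20, "af23": 22}

# queue-limit dscp <name> percent <n>, exactly as in the 1P7Q3T policy above
INT_VIDEO_LIMITS = {"af43": 80, "af42": 90, "af41": 100}


class WtdQueue:
    def __init__(self, limits_percent: dict, buffer_packets: int = 100):
        self.buffer = buffer_packets
        # absolute threshold per DSCP name; unlisted markings may use the full buffer
        self.threshold = {name: buffer_packets * pct // 100
                          for name, pct in limits_percent.items()}
        self.q = deque()
        self.drops = {name: 0 for name in limits_percent}
        self.drops["other"] = 0

    def enqueue(self, dscp_name: str) -> bool:
        """Tail-drop when the current depth has reached this DSCP's threshold."""
        limit = self.threshold.get(dscp_name, self.buffer)
        if len(self.q) >= limit:
            self.drops[dscp_name if dscp_name in self.drops else "other"] += 1
            return False
        self.q.append(dscp_name)
        return True

    def dequeue(self):
        """Scheduler takes the head of the queue (None when empty)."""
        return self.q.popleft() if self.q else None

    def depth(self) -> int:
        return len(self.q)


def congest(queue: WtdQueue, arrivals: list) -> dict:
    """Offer `arrivals` (DSCP names) to a queue that is not being drained,
    i.e. a link under sustained congestion, and return drop counts per marking."""
    for name in arrivals:
        queue.enqueue(name)
    return dict(queue.drops)
```

With a round-robin mix of af41/af42/af43 packets, af43 starts dropping at depth 80 and af42 at depth 90 while af41 is still accepted, which is the drop-precedence behaviour the thresholds encode.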

2. Wireless Queuing

  • 2P2Q : The wireless queuing model is a 4 queue structure of which two are strict priority queues used for Voice & Video. The other queues are “class-default” or NRT (Non-Real-Time) & the Multicast Queue (non-client-nrt-class). If your multicast traffic is marked as CS5, then it will go to the priority queue, so only multicast traffic marked as non-real time goes into this queue.

When scheduling, strict priority queues are fully serviced ahead of all other queues. When configuring more than one priority queue, the scheduler moves to the 2nd priority queue only when the first priority queue has been fully serviced. A strict priority queue is enabled with the “priority level x” command in policy-map configuration.

For the other two queues (class-default & non-client-nrt-class) scheduling is based on CBWFQ (Class Based Weighted Fair Queuing). The diagram below illustrates this.

[Figure: 3850-QoS-P2-04]

Approximate Fair Drop (AFD) is the bandwidth control algorithm used to control bandwidth allocation among clients that share the class-default queue of a wireless interface. AFD provides fairness between clients by calculating virtual queue lengths at the radio, SSID & client levels. These virtual queue lengths trigger probabilistic drops at the client level for clients that are consuming more than their fair share of bandwidth. The diagram below illustrates the AFD concept.
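The Python below is an added example, not code from the post and not Cisco's implementation: it is a deliberately simplified model of the AFD idea just described, measuring each client's offered rate over one interval, deriving the fair share of the non-priority bandwidth, and dropping probabilistically only for clients above that share. The real AFD's hierarchy of virtual queues (radio, SSID, client) is collapsed to one level, and the client rates and radio capacity are constructed numbers.

```python
"""Simplified Approximate Fair Drop (AFD) among clients sharing the
class-default queue of a wireless interface (added example; not Cisco's code).

Model: per interval, each client's offered bytes stand in for its virtual
queue length; the fair share is the max-min share of the interval's
capacity; a client above the share is dropped with probability
1 - fair_share / offered, a client below it is never dropped.
"""
import random


def fair_share(offered: dict, capacity: float) -> float:
    """Max-min fair share: the largest s such that sum(min(r, s)) <= capacity.
    Clients offering less than s keep everything; the rest are capped at s."""
    remaining = capacity
    rates = sorted(offered.values())
    for i, r in enumerate(rates):
        share = remaining / (len(rates) - i)   # equal split of what is left
        if r <= share:
            remaining -= r                     # this client is fully served
        else:
            return share
    return rates[-1] if rates else capacity   # nobody exceeds the link


def drop_probabilities(offered: dict, capacity: float) -> dict:
    """AFD-style drop probability per client: 1 - fair/offered above the
    fair share, 0 otherwise (only the over-consuming client sees drops)."""
    s = fair_share(offered, capacity)
    return {c: (0.0 if r <= s else 1.0 - s / r) for c, r in offered.items()}


def simulate_interval(offered_bytes: dict, capacity_bytes: float,
                      seed: int = 1, pkt: int = 1500) -> dict:
    """Apply the drop probabilities packet by packet for one interval and
    return bytes actually forwarded per client (seeded, so reproducible).
    Constructed inputs: bytes offered per client and the radio's capacity."""
    rng = random.Random(seed)
    probs = drop_probabilities(offered_bytes, capacity_bytes)
    forwarded = {}
    for client, nbytes in offered_bytes.items():
        sent = 0
        for _ in range(int(nbytes // pkt)):
            if rng.random() >= probs[client]:   # drop with probability probs[client]
                sent += pkt
        forwarded[client] = sent
    return forwarded
```

With three clients offering 80, 30 and 10 Mb/s on a 100 Mb/s share, the fair share is 60 Mb/s: only the 80 Mb/s client is dropped (25 % of its packets), the other two are untouched.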

[Figure: 3850-QoS-P2-05]

The diagram below shows the 2P2Q wireless egress queuing model.

[Figure: 3850-QoS-P2-06]

You can verify the policy-map configurations available on your 3850 switch using the “show policy-map” command. As you can see, the “port_child_policy” policy-map is there with a 10% bandwidth allocation to the “non-client-nrt-class” class.

3850-2#show policy-map
  Policy Map port_child_policy
    Class non-client-nrt-class
      bandwidth remaining ratio 10

Let’s define two class maps named “VOICE” & “VIDEO” which match DSCP “ef” & “af41” respectively. Then we will allocate 10% & 20% for that traffic & make it go via the priority queues as shown in the 2P2Q model above. Also allocate 60% of the bandwidth to the “class-default” class.

3850-2(config)#class-map VOICE
3850-2(config-cmap)#match dscp ef
!
3850-2(config-pmap)#class-map VIDEO
3850-2(config-cmap)#match dscp af41
!
3850-2(config-cmap)#policy-map port_child_policy 
3850-2(config-pmap)#class VOICE                  
3850-2(config-pmap-c)#?
Policy-map class configuration commands:
  admit            Admit the request for 
  bandwidth        Bandwidth
  exit             Exit from QoS class action configuration mode
  netflow-sampler  NetFlow action
  no               Negate or set default values of a command
  police           Police
  priority         Strict Scheduling Priority for this Class
  queue-buffers    queue buffer
  queue-limit      Queue Max Threshold for Tail Drop
  service-policy   Configure QoS Service Policy
  set              Set QoS values
  shape            Traffic Shaping
  <cr>

3850-2(config-pmap-c)#priority ? 
  <8-10000000>  Kilo Bits per second
  level         Multi-Level Priority Queue
  percent       % of total bandwidth
  <cr>

3850-2(config-pmap-c)#priority level 1

3850-2(config-pmap-c)#police ?
  <8000-10000000000>  Target Bit Rate (bits per second) (postfix k, m, g optional; decimal point allo
  cir                 Committed information rate
  rate                Specify police rate, PCR for hierarchical policies or SCR for single-level ATM 4.0 policer policies

3850-2(config-pmap-c)#police rate percent 10 conform-action transmit exceed-action drop 

3850-2(config-pmap)#class VIDEO                     
3850-2(config-pmap-c)#priority level 2
3850-2(config-pmap-c)#police rate percent 20 conform-action transmit exceed-action drop 

3850-2(config-pmap)#class class-default
3850-2(config-pmap-c)#bandwidth remaining ratio ?
  <1-100>  Ratio
3850-2(config-pmap-c)#bandwidth remaining ratio 60

This policy map is applied automatically by the WCM (Wireless Control Module) to all wireless ports (a port where an AP is directly attached). You can verify the policy configuration using the “show policy-map” command.

3850-2#sh policy-map  port_child_policy
  Policy Map port_child_policy
    Class non-client-nrt-class
      bandwidth remaining ratio 10
    Class VOICE
      priority level 1
     police rate percent 10
       conform-action transmit 
       exceed-action drop 
    Class VIDEO
      priority level 2
     police rate percent 20
       conform-action transmit 
       exceed-action drop 
    Class class-default
      bandwidth remaining ratio 60

You can verify this policy is applied to wireless ports automatically. In my case I have two APs connected to G1/0/1 & G1/0/2 (so those are wireless ports). You can see the Radio & AP level QoS as shown below (since they are automatically applied).

3850-2#sh ap summary 
Number of APs: 2
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
L3702-1                           3702I     7cad.74ff.2bc6  08cc.68b4.0370  Registered    
L3602-1                           3602I     4c00.82df.a4c1  f84f.57e3.1460  Registered    

3850-2#sh cdp nei
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
L3602-1          Gig 1/0/2         125              R T   AIR-CAP36 Gig 0.1
L3702-1          Gig 1/0/1         142              R T   AIR-CAP37 Gig 0.1

3850-2#show policy-map interface wireless ap name L3602-1
AP L3602-1 iifid: 0x0105EE400000000A
  Service-policy output: defportangn
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      Queueing
      (total drops) 0
      (bytes output) 4165972
      shape (average) cir 600000000, bc 2400000, be 2400000
      target shape rate 600000000

      Service-policy : port_child_policy
        queue stats for all priority classes:
          Queueing
          priority level 1
          (total drops) 0
          (bytes output) 1376223

        queue stats for all priority classes:
          Queueing
          priority level 2
          (total drops) 0
          (bytes output) 4078

        Class-map: non-client-nrt-class (match-any)
          Match: non-client-nrt 
            0 packets, 0 bytes
            30 second rate 0 bps
          Queueing
          (total drops) 0
          (bytes output) 2845227
          bandwidth remaining ratio 10 

        Class-map: VOICE (match-any)
          Match:  dscp ef (46)
            0 packets, 0 bytes
            30 second rate 0 bps
          Priority: Strict, 
          Priority Level: 1 
          police:
             rate 10 %
             rate 60000000 bps, burst 1875000 bytes
              conformed 188116 bytes; actions:
                transmit 
              exceeded 0 bytes; actions:
                drop 
              conformed 0 bps, exceeded 0 bps

        Class-map: VIDEO (match-any)
          Match:  dscp af41 (34)
            0 packets, 0 bytes
            30 second rate 0 bps
          Priority: Strict, 
          Priority Level: 2 
          police:
             rate 20 %
             rate 120000000 bps, burst 3750000 bytes
              conformed 0 bytes; actions:
                transmit 
              exceeded 0 bytes; actions:
                drop 
              conformed 0 bps, exceeded 0 bps

        Class-map: class-default (match-any)
          Match: any 
            0 packets, 0 bytes
            30 second rate 0 bps
          Queueing
          (total drops) 0
          (bytes output) 128304
          bandwidth remaining ratio 60 
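
The “rate 60000000 bps, burst 1875000 bytes” and “rate 120000000 bps, burst 3750000 bytes” lines above are what the percent-based priority policers resolve to under the AP port's 600 Mbps shaper. The Python below is an added example, not code from the post: it reproduces those numbers and simulates the conform/exceed decision of such a single-rate policer. It assumes the burst equals 250 ms of the rate (cir/32 bytes), which is what the printed values work out to, and that the token bucket starts full.

```python
"""Percent-based priority policer on a 3850 wireless (AP) port (added example).

Reproduces the absolute rate/burst the switch derived for VOICE (10 %) and
VIDEO (20 %) under the AP port's 600 Mb/s shaper, then meters packets with
a single-rate, two-colour token bucket: conform-action transmit,
exceed-action drop.  Assumptions: burst = cir/32 bytes (250 ms of the rate),
bucket initially full, continuous refill.
"""

AP_SHAPE_BPS = 600_000_000  # "target shape rate 600000000" on the AP port above


def police_params(percent: int, parent_bps: int = AP_SHAPE_BPS):
    """(rate_bps, burst_bytes) for 'police rate percent <percent>' under a
    parent shaper of parent_bps; burst is 250 ms of the rate (assumption)."""
    rate_bps = parent_bps * percent // 100
    burst_bytes = rate_bps // 32          # rate/8 bytes per second * 0.25 s
    return rate_bps, burst_bytes


class SingleRatePolicer:
    """Token bucket for 'police rate ... conform-action transmit exceed-action drop'.
    Tokens are bytes; the bucket refills at the policed rate up to the burst."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bytes_per_s = rate_bps / 8
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)   # assumption: bucket starts full
        self.last_t = 0.0
        self.conformed = 0                 # bytes transmitted
        self.exceeded = 0                  # bytes dropped

    def meter(self, t: float, size: int) -> str:
        """Meter one packet of `size` bytes arriving at time t (seconds);
        returns the action taken, 'transmit' or 'drop'."""
        elapsed = t - self.last_t
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        self.last_t = t
        if self.tokens >= size:
            self.tokens -= size
            self.conformed += size
            return "transmit"
        self.exceeded += size
        return "drop"


def run_voice_burst(percent: int = 10, packets: int = 2000,
                    size: int = 1000, gap_s: float = 0.0):
    """Offer `packets` packets of `size` bytes, `gap_s` seconds apart, to a
    VOICE-style policer; return (conformed_bytes, exceeded_bytes).
    The packet stream is constructed, not captured traffic."""
    rate, burst = police_params(percent)
    policer = SingleRatePolicer(rate, burst)
    for i in range(packets):
        policer.meter(i * gap_s, size)
    return policer.conformed, policer.exceeded
```

A 2 MB burst arriving all at once is cut at the 1,875,000-byte burst size, while the same bytes spread over 2 s (8 Mb/s, well under 60 Mb/s) all conform.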

3850-2#show policy-map interface wireless radio 
Radio dot11b iifid: 0x0105EE400000000A.0x00D003000000000B
  Service-policy output: def-11gn
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      shape (average) cir 200000000, bc 800000, be 800000
      target shape rate 200000000

Radio dot11a iifid: 0x0105EE400000000A.0x00CD6AC00000000C
  Service-policy output: def-11an
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      shape (average) cir 400000000, bc 1600000, be 1600000
      target shape rate 400000000

Radio dot11b iifid: 0x010605C000000008.0x00CC838000000004
  Service-policy output: def-11gn
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      shape (average) cir 200000000, bc 800000, be 800000
      target shape rate 200000000

Radio dot11a iifid: 0x010605C000000008.0x00CCB74000000005
  Service-policy output: def-11ac
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      shape (average) cir 1000000000, bc 4000000, be 4000000
      target shape rate 1000000000

In the next post we will see how to configure QoS on switchports where they play different roles & how to verify those configurations.

References
1. End to End QoS Design- Quality of Service for Rich-Media & Cloud Networks (2nd Edition)
2. BRKCRS-2890 Converged Access QoS
3. BRKCRS-2501: Campus QoS Design—Simplified

Related Posts

1. 3850 QoS – Part 1 (QoS Touch Points)
2. 3850 QoS – Part 3
3. 3850 QoS – Part 4
4. 3850 QoS – Part 5


My Study Plans for 2014 …


The time has come to decide what to do in 2014. After clearing my CCIE wireless lab exam in Aug 2013, I was wondering what’s next for me. I know I will be busy migrating my campus network to Converged Access (from CUWN) & enabling 802.11ac (deployment of 3700), which will be two key tasks in the wireless space.

From study perspective, I have decided to go after CWNE (Certified Wireless Network Expert) certification within 2014.

I have already purchased the official study guides for this & all arrived today. (Thanks Tuhin for posting these to me & becoming my study partner on this journey.)

[Figure: CWNE-1]

[Figure: CWNE-2]

Happy Holidays everyone & merry X’mas


Wireless & Wired Clients behind WGB


Is it possible to have wireless & wired clients behind a WGB? This is a query posted on the CSC forum, given below.

https://supportforums.cisco.com/message/4128630#4128630

I also thought this was not possible, but when I tried it, as shown below, it proved my assumption wrong.

So here is the testing topology, where the WGB (3502-BR2) connects to the root AP using the 5GHz band. Wired clients connect to the R3750 switch connected to G0 of the WGB, whereas wireless clients connect to the 2.4GHz radio of the WGB (MRN-DATA SSID).

[Figure: Wired-Wireless-WGB-01]

Here is the config of the C3750 where the SVI is defined for vlan 143.

hostname C3750-1
!
ip dhcp excluded-address 192.168.143.1 192.168.143.50
ip dhcp pool VLAN143
 network 192.168.143.0 255.255.255.0
 default-router 192.168.143.1 
 dns-server 192.231.203.132 192.231.203.3 
 domain-name mrn.com
!
interface Vlan143
 ip address 192.168.143.1 255.255.255.0
!
interface GigabitEthernet1/0/11
 description 1142-BR1
 switchport access vlan 143
 switchport mode access
end

Here is the 1142-BR1 config where the MRN-WGB SSID is defined for the WGB to associate to.

hostname 1140-BR1
!
dot11 ssid MRN-WGB
   authentication open 
   authentication key-management wpa version 2
   wpa-psk ascii Cisco123
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm 
 ssid MRN-WGB
 station-role root
 infrastructure-client
 bridge-group 1
!
interface BVI1
 ip address 192.168.143.10 255.255.255.0
 !
ip default-gateway 192.168.143.1

Here is the WGB (3502-BR2) configuration where I have defined two SSIDs: one with the same name as the Root AP to associate to it on 5GHz & MRN-DATA for user association on 2.4GHz.

hostname 3502-BR2
!
dot11 ssid MRN-DATA
   authentication open 
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii Cisco12345
!
dot11 ssid MRN-WGB
   authentication open 
   authentication key-management wpa version 2
   wpa-psk ascii Cisco123
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm 
 ssid MRN-DATA
 station-role root
 bridge-group 1
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm 
 ssid MRN-WGB
 station-role workgroup-bridge
 bridge-group 1
!
interface BVI1
 ip address dhcp

Here is the R3750 switch configuration.

hostname R3750
!
interface FastEthernet1/0/10
 description PC1
 switchport access vlan 143
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/11
 description 3502-BR2
 switchport access vlan 143
 switchport mode access
 spanning-tree portfast

Once you do this configuration & connect a wired PC to the R3750 switch on a vlan 143 switchport, you should see clients getting DHCP from the C3750. You should also see the MRN-DATA wireless SSID is visible & you can connect a client using the pre-shared key defined.

Here are the client association details on the WGB where my iPhone is connected to the MRN-DATA SSID. You can see the WGB itself has taken an IP from DHCP on vlan 143.

3502-BR2#sh ip int bri | ex un
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       192.168.143.54  YES DHCP   up                    up     
!
3502-BR2#sho dot11 associations 
802.11 Client Stations on Dot11Radio1: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
a40c.c31a.ee60 192.168.143.10  ap1140-Parent 1140-BR1        -              Assoc    

802.11 Client Stations on Dot11Radio0: 
SSID [MRN-DATA] : 
MAC Address    IP address      Device        Name            Parent         State     
04f7.e4ea.5b66 192.168.143.56  unknown       -               self           Assoc

On the Root AP (1142-BR1) you can see all clients behind the WGB.

1140-BR1#sh dot11 associations 
802.11 Client Stations on Dot11Radio1: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
001f.1618.dfec 192.168.143.57  WGB-client    -               44d3.caaf.4343 Assoc    
04f7.e4ea.5b66 192.168.143.56  WGB-client    -               44d3.caaf.4343 Assoc    
44d3.caaf.4343 192.168.143.54  WGB           3502-BR2        self           Assoc 

Here is the C3750 client information on vlan 143.

C3750-1#sh arp | in Vlan143
Internet  192.168.143.1           -   0000.0c07.ac0a  ARPA   Vlan143 <- Gateway
Internet  192.168.143.10         62   5475.d0f5.2ee7  ARPA   Vlan143 <- 1142-BR1
Internet  192.168.143.54         60   44d3.caaf.4343  ARPA   Vlan143 <- 3502-BVI1
Internet  192.168.143.56          0   04f7.e4ea.5b66  ARPA   Vlan143 <- iPhone5
Internet  192.168.143.57          3   001f.1618.dfec  ARPA   Vlan143 <- Wired PC
!
C3750-1#ping 192.168.143.57
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.143.57, timeout is 2 seconds:
!!!!!

You can verify wired device connectivity on the R3750 like below.

R3750#sh mac address-table interface f1/0/11
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 143    0000.0c07.ac0a    DYNAMIC     Fa1/0/11
 143    001f.6d21.37cc    DYNAMIC     Fa1/0/11
 143    04f7.e4ea.5b66    DYNAMIC     Fa1/0/11
 143    44d3.caaf.4343    DYNAMIC     Fa1/0/11
Total Mac Addresses for this criterion: 4

R3750#sh mac address-table interface f1/0/10
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 143    001f.1618.dfec    DYNAMIC     Fa1/0/10 <-Wired PC

I have not tried configuring multiple vlans to see whether it works. You can try it yourself & see.

Related Posts

1. WGB-CAPWAP with Multiple VLAN
2. WGB-IOS AP with Multiple VLAN
3. WGB Config Example


3850 QoS – Part 4 (Wireless QoS Mapping)


In this post we will see how QoS mapping works on the Converged Access switch platform (3850/3650). I have used the IOS-XE 3.3.01SE image for this post (this is important since the behaviour keeps evolving in this CA software product suite).

Switch Ports Model              SW Version        SW Image              Mode   
------ ----- -----              ----------        ----------            ----   
*    1 56    WS-C3850-48P       03.03.01SE        cat3k_caa-universalk9 INSTALL

To test this out we will use the topology below, where the 3850-1 switch stack acts as MC/MA (WLC integrated switch).

[Figure: 3850-QoS-P4-03]

Here is the basic config of 3850-1 where it acts as MC/MA.

vlan 1410
 name WLN-STD-6
!
vlan 1610
 name NET-WAP-1
!
interface Vlan1410
 ip address 10.141.103.241 255.255.248.0
!
interface Vlan1610
 ip address 10.161.33.21 255.255.254.0
!
wireless mobility controller
wireless management interface Vlan1610
!
interface GigabitEthernet1/0/2
 description L1142-1
 switchport access vlan 1610
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 description VOIP-1
 switchport access vlan 13
 switchport mode access
 switchport voice vlan 989
 spanning-tree portfast
!
wlan 3850 17 3850
 no broadcast-ssid
 client vlan WLN-STD-6
 radio dot11a
 no security wpa
 no shutdown
!
ap group 3850
  wlan 3850
  vlan WLN-STD-6

Here is a wireless sniff capturing Signaling & RTP media traffic coming from the 7925G. As expected, signalling traffic has CS3 as DSCP with priority 4 as WMM-UP (or 802.11e) & RTP media traffic has EF as DSCP with priority 6 as UP.

[Figure: 3850-QoS-P4-04]

[Figure: 3850-QoS-P4-05]

Now let's see a packet capture at G1/0/2 (wireless port connected to L1142-1). Here is an RTP packet coming from the phone. As you can see, the AP has encapsulated the original packet into CAPWAP with src as the AP IP & dst as the 3850 wireless mgt IP. Interestingly, the outer DSCP is set to default (0x00). Even the signalling packet's outer DSCP is set to default (capture not shown here).

[Figure: 3850-QoS-P4-06]

Why are these set to Default? If you remember the QoS Touch Point post, when traffic goes from wireless to wired, the default behavior is UNTRUST. So you have to remove that from your switch config as shown below.

3850-1#sh run | in qos
qos wireless-default-untrust

3850-1#conf  t
Enter configuration commands, one per line.  End with CNTL/Z.
3850-1(config)#no qos wireless-default-untrust

Once you remove this default behavior you can see the outer CAPWAP DSCP is the same as the original packet DSCP (in the RTP packet it is EF). Here is the packet capture, this time on G1/0/2.

[Figure: 3850-QoS-P4-07]

Now let’s get a capture at G1/0/11 where the VoIP phone is connected to see what QoS values go there. You can see that the outer CAPWAP DSCP has the equivalent CoS (i.e. 5) in the 802.1q header (as the phone switch port is configured for both voice & data vlans).

[Figure: 3850-QoS-P4-08]

The diagram below summarizes these QoS mapping changes when traffic goes from a wireless port to a wired port. When mapping the wireless frame to outer CAPWAP, the DSCP value is derived from the wireless frame UP (802.11e) value. The diagram below does not reflect that accurately.

[Figure: 3850-QoS-P4-01]

In the reverse direction (Wired Phone to wireless phone) you can see the QoS is preserved as long as you removed this default UNTRUST behavior between Wireless & Wired. (Between Wired and Wired it is TRUSTED by default.) Here is the VoIP-1 to 7925G RTP traffic at G1/0/11 (Wired Port).

[Figure: 3850-QoS-P4-09]

Here is the capture at G1/0/2 (Wireless port).

[Figure: 3850-QoS-P4-10]

Here is the downstream wireless traffic to the 7925G. You can see the outer CAPWAP DSCP is mapped to the WMM UP value (Priority 6).
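
The Python below is an added example, not code from the post, that encodes what the captures in this post and the Touch Points post show: the outer CAPWAP DSCP copies the inner DSCP only once “no qos wireless-default-untrust” is configured (otherwise it is reset to 0), the wired phone port carries the DSCP as CoS = DSCP >> 3 (EF 46 becomes CoS 5), and the downstream wireless frame carries a WMM UP (EF becomes UP 6, CS3 becomes UP 4). The full CoS-to-UP table is the commonly documented Cisco 802.1p/802.11e mapping and is an assumption beyond the two points the captures verify.

```python
"""QoS value mapping across a 3850 wireless port (added example; not the
switch's own tables, only what this post's captures show plus one labelled
assumption for the rest of the CoS -> UP table)."""

EF, CS3, AF41, CS5 = 46, 24, 34, 40   # DSCP decimal values used in this series

# Assumed Cisco 802.1p CoS -> 802.11e/WMM UP mapping.
# The post confirms only CoS 5 -> UP 6 (EF) and CoS 3 -> UP 4 (CS3).
COS_TO_UP = {0: 0, 1: 1, 2: 2, 3: 4, 4: 5, 5: 6, 6: 7, 7: 7}


def dscp_to_cos(dscp: int) -> int:
    """The top three DSCP bits become the 802.1Q priority (CoS)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return dscp >> 3


def dscp_to_up(dscp: int) -> int:
    """DSCP -> CoS -> WMM user priority, via the assumed table above."""
    return COS_TO_UP[dscp_to_cos(dscp)]


def capwap_outer_dscp(inner_dscp: int, wireless_default_untrust: bool) -> int:
    """Upstream (AP -> switch): DSCP the switch forwards in the outer CAPWAP
    header.  With the default 'qos wireless-default-untrust' it is reset to 0."""
    return 0 if wireless_default_untrust else inner_dscp


def upstream_path(inner_dscp: int, untrust: bool) -> dict:
    """RTP from the 7925G towards the wired phone: the value seen at G1/0/2
    (outer CAPWAP DSCP) and at G1/0/11 (802.1Q CoS on the voice VLAN)."""
    outer = capwap_outer_dscp(inner_dscp, untrust)
    return {"outer_dscp": outer, "wired_cos": dscp_to_cos(outer)}


def downstream_path(wired_dscp: int, untrust: bool) -> dict:
    """Wired phone towards the 7925G: the DSCP the switch keeps towards the
    wireless port and the UP the wireless frame is sent with.  Wired-to-wired
    is trusted by default; wired-to-wireless needs the untrust removed."""
    kept = 0 if untrust else wired_dscp
    return {"outer_dscp": kept, "wmm_up": dscp_to_up(kept)}
```

Running upstream_path(EF, True) gives outer DSCP 0 and CoS 0, the symptom seen in the first capture; with the untrust removed the same call yields DSCP 46 and CoS 5 as in the later captures.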

[Figure: 3850-QoS-P4-11]

The diagram below summarizes this QoS mapping when traffic goes from a wired port to a wireless port.

[Figure: 3850-QoS-P4-02]

Reference
1. BRKCRS-2890 – Converged Access Quality of Service

Related Posts

1. 3850 QoS – Part 1 (QoS Touch Points)
2. 3850 QoS – Part 2 (Queuing Models)
3. 3850 QoS – Part 3 (Port specific QoS Roles)
4. 3850 QoS – Part 5


3850 QoS – Part 3 (Port Specific QoS Role)


In this post we will see how to configure QoS for wired & wireless ports based on their role. I have taken two examples: a VoIP phone connected switchport (wired port) & an AP connected switchport (wireless port).

Here is our CA topology & I will focus on the 3850-2 switch for this QoS configuration. IOS-XE 3.3.1 is used for this post & the behavior may be different if you are using an earlier software version.

[3850-QoS-P3-01]
I have configured two switch-ports (G1/0/11 & 12) on the 3850-2 switch for VoIP phones as shown below.

interface GigabitEthernet1/0/11
 description VOIP-1
 switchport access vlan 13
 switchport mode access
 switchport voice vlan 989
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 description VOIP-2
 switchport access vlan 13
 switchport mode access
 switchport voice vlan 989
 spanning-tree portfast

Now let's make a call between these two phones & see how the QoS parameters change. I have configured the SPAN session below & my monitoring PC (BackTrack) is connected to G1/0/27 of this switch.

3850-2#sh run | in session
monitor session 1 source interface Gi1/0/11
monitor session 1 destination interface Gi1/0/47 encapsulation replicate
!
3850-2#sh run int g1/0/47
interface GigabitEthernet1/0/47
end

Here are the packet captures of signalling & RTP media packets coming from the VoIP-1 phone connected to G1/0/11. Similarly, packets coming from VoIP-2 should have the same classification when they arrive on G1/0/12.

[3850-QoS-P3-02]
[3850-QoS-P3-03]
Now let's look at packets going to VoIP-1 (only RTP traffic, since signalling goes back to CUCM). As you can see, traffic going to VoIP-1 has EF (or Priority 5 in the dot1q header), which is the same as the incoming values from VoIP-2. This is a very important thing to remember on the 3850 platform: by default, QoS values (DSCP or CoS) received by a wired switchport are trusted & passed through to another wired switchport without change.

[3850-QoS-P3-04]
Now let's see how this works when making a call between a wireless phone and a wired phone. To do this we will create an open-authentication WLAN called "3850" & map it to VLAN 1410 under the AP group that L3602-1 is configured for. (I used no broadcast-ssid since I am doing this in an office environment & do not want it visible to normal users.) I will also use an iPhone5 to illustrate the QoS mapping changes.

3850-2(config)#wlan 3850 17 3850
3850-2(config-wlan)# no broadcast-ssid
3850-2(config-wlan)# client vlan WLN-STD-6
3850-2(config-wlan)# radio dot11a
3850-2(config-wlan)# no security wpa
3850-2(config-wlan)# no shutdown

3850-2#show ap groups 
Site Name: default-group
Site Description: 
WLAN ID   WLAN Name                        Interface
----------------------------------------------------
AP Name                         Ethernet MAC      Location
-----------------------------------------------------------
Site Name: SPG1-PW00
Site Description: 
WLAN ID   WLAN Name                        Interface
-----------------------------------------------------
21        LTUWireless                      WLN-STD-6               

AP Name                         Ethernet MAC      Location
-----------------------------------------------------------
L3702-1                          7cad.74ff.2bc6 default location
L3602-1                          4c00.82df.a4c1 default location

3850-2(config)#ap group SPG1-PW00
3850-2(config-apgroup)#wlan 3850
3850-2(config-wlan-apgroup)#vlan 1410

You can verify the wireless client connectivity details as below. The iPhone5 details are highlighted in purple.

3850-2#show wireless client summary 
Number of Local Clients : 1
MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
04f7.e4ea.5b66 L3602-1                          17   UP                 11n(5)   
2c54.2dea.f4ea L3602-1                          17   UP                 11a        

3850-2#show wireless client mac-address 04f7.e4ea.5b66 detail 
Client MAC Address : 04f7.e4ea.5b66
Client Username: N/A
AP MAC Address : f84f.57e3.1460
AP Name: L3602-1
AP slot : 1
Client State : Associated
Wireless LAN Id : 17
Wireless LAN Name: 3850
BSSID : f84f.57e3.146e
Connected For : 2851 secs 
Protocol : 802.11n - 5 GHz
Channel : 36
Client IIF-ID : 0xf2a50000000025
ASIC : 0
IPv4 Address : 10.141.96.9
IPv6 Address : Unknown
Association Id : 2
Authentication Algorithm : Open System
Status Code : 0
Session Timeout : 0
Client CCX version : No CCX support
Input Policy Name  : unknown
Input Policy State : None
Output Policy Name  : unknown
Output Policy State : None
802.1P Priority Tag : Not supported
WMM Support : Enabled
U-APSD Support : Disabled
Power Save : ON
Current Rate : m7

If you do a wireless packet capture you will see the wireless frames coming from this iPhone5. I am using Jabber Voice (v9.1.6.21640) as the voice client. Here is an RTP packet coming from the iPhone5. As you can see, the WMM-UP value is 5 even though the actual IP packet DSCP is EF. In fact this should be marked as priority 6 as per the 802.11e standard, but most of these devices do not mark the UP value correctly. (A 7925G marks UP as 6 :))

[3850-QoS-P3-02]
Now let's take a look at the packet capture at the G1/0/2 wireless port while making a call between the iPhone5 and VoIP-2.

interface GigabitEthernet1/0/2
 description L3602-1
 switchport access vlan 1610
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/47
end
!
monitor session 1 source interface Gi1/0/2
monitor session 1 destination interface Gi1/0/47

Here is the capture output of a signalling packet & RTP media traffic coming from the iPhone5 to the 7965 wired phone. As you can see, the outer CAPWAP DSCP value is AF41 (which corresponds to a WMM-UP value of 5). Note that the original packet DSCP is still EF.

Also note that I have removed the default "untrust" behavior of this switch platform for traffic traversing from wireless to wired or vice versa. If you do not do this, the outer CAPWAP DSCP will be re-written to BE (0x00) at this point.

3850-2(config)#no qos wireless-default-untrust

[3850-QoS-P3-03]
Now if you look at the G1/0/12 packet capture you will see what QoS values the VoIP phone receives. As you can see, based on the outer CAPWAP header DSCP value, the switch has re-written the 802.1q header CoS value & the original packet DSCP. So the VoIP phone gets the packet with DSCP AF41 (instead of EF).

[3850-QoS-P3-04]
So it is important to classify your traffic based on a corporate QoS policy rather than trusting DSCP (or the WMM-UP value for wireless frames), since there is no consistency across these different clients.

In a future post we will see how to classify traffic in order to get same treatment for wired & wireless traffic across the network.

Related Posts

1. 3850 QoS – Part 1 (QoS Touch Points)
2. 3850 QoS – Part 2 (Queuing Models)
3. 3850 QoS – Part 4 (Wireless QoS Mapping)
4. 3850 QoS – Part 5


AVC Protocol Pack Update


Starting from the WLC 7.5.x release, you can update NBAR2 protocol packs independently of the controller software. Protocol packs are software packages that allow updating signature support without replacing the image on the controller. You have the option to load protocol packs dynamically when new protocol support is added. There are two kinds of protocol packs, Major and Minor:

• Major protocol packs include support for new protocols, updates and bug fixes.
• Minor protocol packs typically do not include support for new protocols.
• Protocol packs are targeted to specific platform types, software versions and releases separately.

Protocol packs can be downloaded from CCO using the software type "NBAR2 Protocol Pack".

The link below provides information about the available NBAR2 protocol packs for supported platforms.
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html

This link provides the protocol pack 4.1.1 specific information.
http://www.cisco.com/en/US/docs/wireless/controller/nbar2_prot_pack/4.1.1/b_nbar2_prot_pack_411_chapter_01.html

NBAR2 Protocol Pack 4.1.1 is supported on the following Cisco Wireless LAN Controller platforms:
1. Cisco 5508 Wireless Controller
2. Cisco Flex 7500 Series Wireless Controllers
3. Cisco 8510 Wireless Controller
4. Cisco Wireless Services Module 2 (WiSM2)

**** The Cisco 2504 Wireless Controller supports Application Visibility and Control, but does not support protocol packs ****

Protocol packs are released for specific NBAR engine versions. For example, WLC 7.5 has NBAR engine 13. The protocol pack file "pp-AIR-7.5-13-4.1.1.pack" (format: pp-AIR-{release}-{engine version}-M.m.r.pack) is located in the same download location as controller code version 7.5.

You can verify the AVC engine version & the protocol pack version of your controller as shown below.

(BUN-PW00-WC01) >show avc engine version 
 AVC Engine Version: 13

(BUN-PW00-WC01) >show avc ?
profile        protocol-pack  

(BUN-PW00-WC01) >show avc protocol-pack ?            
version        Display AVC Protocol-Pack Version information.

(BUN-PW00-WC01) >show avc protocol-pack version 
 AVC Protocol Pack Name: Advanced Protocol Pack
 AVC Protocol Pack Version: 1.0

You can download a protocol pack to the WLC like a normal file transfer via FTP or TFTP. I have used the TFTP method here. The datatype must be selected as "avc-protocol-pack" as shown below.

(BUN-PW00-WC01) >transfer download mode tftp   
(BUN-PW00-WC01) >transfer download datatype avc-protocol-pack 
(BUN-PW00-WC01) >transfer download path .
(BUN-PW00-WC01) >transfer download serverip x.x.13.2
(BUN-PW00-WC01) >transfer download filename pp-AIR-7.5-13-4.1.1.pack
(BUN-PW00-WC01) >transfer download start 

Mode............................................. TFTP  
Data Type........................................ AVC Protocol Pack
TFTP Server IP................................... 131.172.13.2
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... pp-AIR-7.5-13-4.1.1.pack

Starting tranfer of AVC Protocol Pack
This may take some time.
Are you sure you want to start? (y/N) y
TFTP AVC Protocol Pack transfer starting.
TFTP receive complete... Loading Protocol Pack.
AVC Protocol Pack installed.

Once the installation completes, you can verify the AVC protocol pack status using the same two commands as shown below.

(BUN-PW00-WC01) >show avc protocol-pack version 
 AVC Protocol Pack Name: Advanced Protocol Pack
 AVC Protocol Pack Version: 4.10001

(BUN-PW00-WC01) >show avc engine version 
 AVC Engine Version: 13

**** If you are using WLC 7.6.x code, then the latest AVC protocol pack is "pp-AIR-7.6-13-6.3.0.pack". You need to use this if your WLC is running the 7.6.x software release ****

When configuring AVC (specifically to re-classify traffic), it is important to understand the interaction with QoS for the given WLAN. The NBAR2 functionality is based on the DSCP setting. The following happens to packets in the upstream and downstream directions if AVC and QoS are configured on the same WLAN:

Upstream
1. Packet comes with or without inner DSCP from the wireless side (wireless client).
2. AP adds the DSCP configured on the WLAN (QoS-based config) to the CAPWAP header.
3. WLC removes the CAPWAP header.
4. The AVC module on the controller overwrites the DSCP with the marked value configured in the AVC profile and sends it out.

Downstream
1. Packet comes from the switch with or without an inner DSCP value from the wired side.
2. The AVC module overwrites the inner DSCP value.
3. The controller compares the WLAN QoS configuration (as per the 802.1p value, which is actually 802.11e) with the inner DSCP value that NBAR has overwritten. The WLC chooses the lesser value and puts it into the CAPWAP header as DSCP.
4. WLC sends the packet out to the AP with the QoS WLAN setting on the outer CAPWAP header and the AVC inner DSCP setting.
5. The AP strips the CAPWAP header and sends the packet on air with the AVC DSCP setting; if AVC was not applied to an application then that application adopts the QoS setting of the WLAN.

Here is the link to the protocol list supported by NBAR2 for your reference.
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

[AVC-PP-01]

Reference
1. AVC Feature Deployment Guide (Phase-2), Software Release 7.5
2. BRKNMS-1040 : Managing AVC with Cisco Prime Infrastructure 2.0

Related Posts

1. Configuring AVC on WLC 7.4


3850 QoS – Part 5 (Traffic Classification)


In this post we will see how to classify traffic on this switch platform. The real advantage of the 3850 (or any other CA switch platform) is that you can classify both wired & wireless traffic using the same classification rules at your access layer. In CUWN you cannot do this, as all wireless traffic is CAPWAP tunneled back to your WLC.

Here is our CA topology, where two PCs (PC-1 & PC-2) with Jabber clients are connected to two VoIP phones. An iPhone5 with Jabber client (v9.5.0.153580) is used as the wireless client for testing. We will see how we can use a classification policy to mark this traffic consistently whether it comes via wired or wireless.

[3850-QoS-P5-01]
Jabber uses SIP (Session Initiation Protocol) on TCP/UDP 5060 & 5061 for voice signalling & RTP (Real Time Protocol) on UDP 16384-32767 as the destination port range. There may be additional TCP ports used for directory services and file transfers between CUCM & Jabber clients, but those protocols may not require any specific prioritization.

If you sniff wireless packets when the iPhone5 is making a Jabber video call you can see the QoS settings of these frames. Here are two wireless frames, one for SIP signalling & one for RTP media.

[3850-QoS-P5-02]
[3850-QoS-P5-03]
When these wireless frames hit the AP it will map the original packet DSCP to the outer CAPWAP header DSCP (unless you do WMM_UP to DSCP mapping). So the signalling packet goes as CS3 & the media packet goes as AF41. Here is the packet capture at G1/0/2 proving the inner DSCP value is copied across to the outer CAPWAP DSCP.

[3850-QoS-P5-041]
[3850-QoS-P5-04]
If you are using a Windows 7 laptop as the wireless client with Jabber (v9.2.2 Build 3271), you will see the DSCP value is 0 (or BE) for both signalling & media traffic (unless you classify at group policy level). So when it goes to the wired network both video & signalling traffic go as Best Effort in this scenario.

Let's create a service policy to classify this traffic. Here is our interesting traffic classification in this scenario. This is a fairly generic classification ACL & if you want you can be more restrictive instead of using the any keyword.

3850-2(config)#ip access-list extended VOIP
3850-2(config-ext-nacl)#permit udp any any range 16384 32767

3850-2(config)#ip access-list extended SIP
3850-2(config-ext-nacl)#permit udp any any range 5060 5061       
3850-2(config-ext-nacl)#permit tcp any any range 5060 5061

Now let's define a class-map for each type of traffic. I have used the "match-any" keyword, so you can add multiple classification ACLs later while still using the same class-map.

3850-2(config)#class-map match-any VOIP-TRAFFIC
3850-2(config-cmap)#match access-group name VOIP

3850-2(config-cmap)#class-map match-any SIGNALLING  
3850-2(config-cmap)#match access-group name SIP 

Finally, define a policy-map to re-classify the traffic.

3850-2(config)#policy-map LTU-INGRESS-POLICY
3850-2(config-pmap)#class VOIP-TRAFFIC
3850-2(config-pmap-c)#set dscp ef
3850-2(config-pmap-c)#class SIGNALLING
3850-2(config-pmap-c)#set dscp CS3

Now you can apply this policy on your WLAN as shown below. I have used the "client" keyword, so the policy is applied to each wireless client authorized onto the SSID and is applied independently to each client. When using a service policy without the client keyword, the policy applies to the SSID and treats all clients as an aggregate (this is important to remember, especially if your ingress service policy includes a policing element). Also note that the WLAN has to be disabled prior to applying the service policy via CLI.

3850-2(config-wlan)#service-policy ?
  client  Assign policy-map to all clients in WLAN
  input   Assign policy-map to WLAN input
  output  Assign policy-map to WLAN output

3850-2(config-wlan)#service-policy client ?
  input   Assign policy-map to all clients in WLAN
  output  Assign policy-map to all clients in WLAN

3850-2(config-wlan)#service-policy client input ?
  WORD  policy-map name

3850-2(config-wlan)#service-policy client input LTU-INGRESS-POLICY
% switch-1:wcm:Please disable WLAN before config client policies
3850-2(config-wlan)#shut
3850-2(config-wlan)#service-policy client input LTU-INGRESS-POLICY
3850-2(config-wlan)#no shut

You can verify your policy map configuration using the "show policy-map <NAME>" command. Here is how our policy-map config looks.

3850-2#show policy-map LTU-INGRESS-POLICY
  Policy Map LTU-INGRESS-POLICY
    Class VOIP-TRAFFIC
      set dscp ef
    Class SIGNALLING
      set dscp cs3

3850-2#sh run | sec wlan 3850
wlan 3850 17 3850
 no broadcast-ssid
 client vlan WLN-STD-6
 radio dot11a
 no security wpa
 service-policy client input LTU-INGRESS-POLICY
 no shutdown

Now here is the traffic going out of the trunk port (G1/0/48) of the 3850-2 switch. As you can see, traffic is now classified according to your policy, with signalling marked as DSCP CS3 & VoIP marked as EF.

[3850-QoS-P5-05]
[3850-QoS-P5-06]
Now if you look at the wired port traffic on G1/0/11 when you make a Jabber call between PC-1 & VoIP-2, you will see a DSCP value of 0 for both media & signalling as shown below.

[3850-QoS-P5-07]
You can apply the same classification policy-map you created to these wired ports as well.

3850-2(config)#int range g1/0/11-12
3850-2(config-if-range)#service-policy input LTU-INGRESS-POLICY

Now if you look at G1/0/12 (traffic going to VoIP-2) this time you will see the media traffic go as EF. (If you take a packet capture on G1/0/48 you will see the signalling traffic going as CS3 as well.)

[3850-QoS-P5-08]
This is the real beauty of Converged Access: you can apply the same classification, marking and policing rules at your access layer to both wireless & wired traffic without any inconsistency. In CUWN you cannot do this, as the access layer switch does not have visibility of the inner IP packet (it only sees the CAPWAP traffic from AP to WLC).
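To tie Parts 3, 4 and 5 together, here is a small Python model (added here, not the author's or Cisco's code) of what the captures showed: the AP maps the frame's WMM UP to the outer CAPWAP DSCP, the switch zeroes or trusts that value depending on qos wireless-default-untrust, the wired side rewrites inner DSCP and 802.1q CoS from it, and the VOIP/SIP ACL policy re-marks RTP to EF and SIP to CS3 for wired and wireless clients alike. The full UP-to-DSCP table is the usual Cisco default and is an assumption beyond the two values (UP 5 -> AF41, UP 6 <-> EF) the captures confirm.

```python
"""Model of the 3850 wireless/wired QoS behaviour described in this series.
Added example; the UP->DSCP table beyond UP 5/6 is an assumed default."""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

# DSCP code points used in the posts.
BE, CS3, AF41, EF = 0, 24, 34, 46

# WMM UP (802.11e) -> DSCP mapping the AP applies to the outer CAPWAP header.
# Assumed standard Cisco table; the captures show UP 5 -> AF41 and UP 6 <-> EF.
UP_TO_DSCP = {0: 0, 1: 8, 2: 16, 3: 24, 4: 32, 5: 34, 6: 46, 7: 56}


@dataclass(frozen=True)
class Packet:
    proto: str                    # "udp" or "tcp"
    dst_port: int
    dscp: int                     # inner IP DSCP as set by the client
    wmm_up: Optional[int] = None  # 802.11 UP; None for a wired client
    cos: Optional[int] = None     # 802.1q CoS seen on a tagged wired port


# --- classification: ip access-list extended VOIP / SIP -------------------
def acl_voip(p: Packet) -> bool:
    """permit udp any any range 16384 32767"""
    return p.proto == "udp" and 16384 <= p.dst_port <= 32767


def acl_sip(p: Packet) -> bool:
    """permit udp any any range 5060 5061 / permit tcp any any range 5060 5061"""
    return p.proto in ("udp", "tcp") and 5060 <= p.dst_port <= 5061


# class-map match-any: a class matches if any of its ACLs match, so more ACLs
# can be appended later without touching the policy-map.
CLASS_MAPS = {
    "VOIP-TRAFFIC": [acl_voip],
    "SIGNALLING": [acl_sip],
}

# policy-map LTU-INGRESS-POLICY: first matching class wins, as on the switch.
POLICY_MAP: List[Tuple[str, int]] = [("VOIP-TRAFFIC", EF), ("SIGNALLING", CS3)]


def ltu_ingress_policy(p: Packet) -> Packet:
    """Apply LTU-INGRESS-POLICY: set dscp on the first matching class."""
    for class_name, dscp in POLICY_MAP:
        if any(acl(p) for acl in CLASS_MAPS[class_name]):
            return replace(p, dscp=dscp)
    return p  # class-default: left unchanged


# --- forwarding model ------------------------------------------------------
def cos_from_dscp(dscp: int) -> int:
    """CoS written into the 802.1q header is the DSCP's 3-bit class selector."""
    return dscp >> 3


def wireless_to_wired(p: Packet, wireless_default_untrust: bool,
                      client_policy: Optional[Callable[[Packet], Packet]] = None) -> Packet:
    """Wireless client -> AP -> 3850 wireless port -> tagged wired port.

    1. AP derives the outer CAPWAP DSCP from the frame's WMM UP (Part 4).
    2. With the default 'qos wireless-default-untrust' the switch rewrites the
       outer DSCP to BE; 'no qos wireless-default-untrust' keeps the AP's value.
    3. Without a policy the wired egress carries the outer DSCP as the inner
       DSCP and CoS (Part 3: the phone received AF41 instead of EF).
    4. A 'service-policy client input' re-marks the inner packet (Part 5).
    """
    outer_dscp = UP_TO_DSCP[p.wmm_up] if p.wmm_up is not None else p.dscp
    if wireless_default_untrust:
        outer_dscp = BE
    inner = replace(p, dscp=outer_dscp)
    if client_policy is not None:
        inner = client_policy(inner)
    return replace(inner, cos=cos_from_dscp(inner.dscp))


def wired_to_wired(p: Packet,
                   ingress_policy: Optional[Callable[[Packet], Packet]] = None) -> Packet:
    """Wired port -> wired port: DSCP/CoS are trusted by default (Part 3),
    optionally re-marked by 'service-policy input' on the ingress port."""
    out = ingress_policy(p) if ingress_policy is not None else p
    return replace(out, cos=cos_from_dscp(out.dscp))


if __name__ == "__main__":
    # Constructed sample: iPhone5 Jabber RTP marked EF inside but sent at UP 5.
    iphone_rtp = Packet("udp", 20000, EF, wmm_up=5)
    print(wireless_to_wired(iphone_rtp, wireless_default_untrust=True))
    print(wireless_to_wired(iphone_rtp, wireless_default_untrust=False))
    print(wireless_to_wired(iphone_rtp, False, ltu_ingress_policy))
    # Constructed sample: PC-1 Jabber media leaves the laptop as BE.
    print(wired_to_wired(Packet("udp", 17000, BE), ltu_ingress_policy))
```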

In this example we have only used two traffic classes to illustrate the concept, but in the real world you can use an 8 class-map model to fit all other types of traffic as well. In a future post we will see how to define a comprehensive service policy including policing.

Related Posts

1. 3850 QoS – Part 1 (QoS Touch Points)
2. 3850 QoS – Part 2 (Queuing Models)
3. 3850 QoS – Part 3 (Port specific QoS Roles)
4. 3850 QoS – Part 4 (Wireless QoS Mapping)



802.11ac with Cisco 3700 AP


Cisco has released WLC 7.6.100.0 code (on 18th Dec 2013) to support the new 3700 series AP, which supports 802.11ac. The Cisco 3700 AP supports a 1.3Gbps data rate (wave 1 of 802.11ac) with 4x4 MIMO & 3SS (spatial streams). Even though the AP supports 1.3 Gbps, the limiting factor would be the 1G Ethernet port (at both the switch end & the AP end).

To get first-hand experience, we decided to upgrade one of our 5508 WLCs to the 7.6.100.0 release & swap a couple of existing 3600 APs with 3700s. Like any other software release, this code comes with loads of unresolved bugs. So carefully review the full release notes prior to upgrading your controller to this.

Below is the simple testing scenario we used to measure the performance of 802.11ac capable clients. We had 3 different products which support 802.11ac: Google Nexus 5 (1SS), Samsung Galaxy S4 (1SS) & MacBook Air (2SS). I have also used an iPhone5 (802.11n only).

[802.11ac-01]
802.11ac is only supported in 5GHz & you have to set 80MHz channel width, as 802.11ac bonds 4 channels together to give higher throughput. So here are my WLC 802.11a/n/ac band DCA settings.

[802.11ac-02]
I have let RRM determine the channel allocation & power levels based on the environment. Here is what my 3702 AP settled on.

[802.11ac-03]
Here is what I see a few minutes later in the client associations on this AP. As you can see, there are 3 clients connected in 802.11ac mode & others with 802.11n in the 5GHz band. (Note that I have disabled the 2.4GHz band on this AP.)

[802.11ac-04]
Then, to measure the throughput, we measured the upload & download speed with the iperf application. I measured data at 1s intervals for a 5 min duration.

Here is the result with the MacBook Air. Once connected to the SSID, you will see the data rate as 867Mbps (this is the max data rate this client supports & not the actual throughput).

[802.11ac-05]
Here is the actual download throughput of the MBA over a 5 min period. We got around 236Mbps on average.
[802.11ac-06]
Here is the actual upload throughput of the MBA over a 5 min period. The average upload throughput is 290Mbps.
[802.11ac-07]
If you connect 1SS devices like the Nexus 5 or Samsung S4, you will see the data rate as 433Mbps. Again this is not the real throughput & here are the throughput results we got for the Nexus 5.

[802.11ac-08]
[802.11ac-09]
Here is what we got for the Samsung S4.

[802.11ac-10]
[802.11ac-11]
For comparison I have taken the iPhone5 download throughput. We got around 88Mbps on average.
[802.11ac-12]
As you can see, the overall performance is very good & clients are getting very high throughput. But I still feel 802.11ac performance fluctuates drastically compared to the 802.11n result.

We have to wait & see when more & more devices come with 802.11ac to benchmark 802.11ac performance.


Cisco Designated VIP (Wireless)


You may have already noticed that I have actively participated in the Cisco Support Community (CSC) forum after clearing my CCIE Wireless lab exam. I found it a great way to keep learning & give something back to the community.

Based on that contribution, Cisco has recognized it by inducting me as a Cisco Designated VIP (Wireless) for the year 2014. Here is the full list of VIPs for 2014 in all tracks. There are 5 in the wireless track including myself.

[Cisco-VIP]
Anyone can contribute to the CSC forums based on their skills & one day you can become a VIP. Here is what you need to do to become a VIP.

As a VIP member, I will get free entry to a CiscoLive event & I have chosen Melbourne as the location to go to. It is from 18th to 21st of March 2014. If you are coming, drop me a line so we can catch up (I know I have connected with people around the world, but would like to meet in person if the opportunity comes).

Finally, thanks Cisco for this recognition & I would like to support the community in this way & hope to keep my VIP status in 2015 as well.
[Cisco-Designated-VIP-PROGRAM-Logo-Main-200x105px]

Related Posts

1. Words of Appreciation
2. Another Moment of Joy


Upgrade Prime using CLI


In this post we will see how to upgrade Prime using its command line interface (CLI). You can use the GUI as well, but it is much quicker if you upload the patch/upgrade files onto Prime's local FTP server & then apply them. You can use the "show version" CLI command to verify the current Prime version.

primedev/admin# show version 
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.1.038
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2010 by Cisco Systems, Inc.
All rights reserved.
Hostname: primedev
Version information of installed applications
---------------------------------------------
Cisco Prime Network Control System
------------------------------------------
Version : 1.4.0.45
Patch: Cisco Prime Network Control System Version: Update-1_16_for_version_1_4_0_45

We will use this to upgrade to PI 1.4.1 (patch PI_1.4_0_45_Update_1-39.tar.gz) to support the new 3700 series AP. You can download these patches from the software section of PI on the CCO page as shown below. You also need to check the release notes (here are the 1.4.1 release notes) to make sure your upgrade path is correct & its compatibility with other products.

[PI-Patch-01]
You can upload these patches or upgrade images to a repository on your Prime. There is a default repository called "defaultRepo". I have created a separate repository called "localftp" & created a username/password of "admin/Cisco123".

primedev/admin(config)# repository ?
  <WORD>  Repository name (Max Size - 80)

primedev/admin(config)# repository localftp
primedev/admin(config-Repository)# ?
Configure Repository:
  do    EXEC command
  end   Exit from configure mode
  exit  Exit from this submode
  no    Negate a command or set its defaults
  url   Configure Repository URL
  user  Configure repository username and password for access

primedev/admin(config-Repository)# url disk:/ftp
primedev/admin(config-Repository)# user ?
  <WORD>  Username for repository access (Max Size - 30)

primedev/admin(config-Repository)# user admin ?
  password  Configure repository password for access

primedev/admin(config-Repository)# user admin password ?
  hash   Specifies an ENCRYPTED (hashed) password will follow
  plain  Specifies an UNENCRYPTED plain text password will follow

primedev/admin(config-Repository)# user admin password plain ?
  <WORD>  Plain text password for repository access (Max Size - 40)

primedev/admin(config-Repository)# user admin password plain Cisco123
primedev/admin(config-Repository)# exit
primedev/admin(config)# exit
primedev/admin# write memory 
Generating configuration...

You can create a username & password for FTP access using the command below. There is also a default FTP user called "ftp-user" if you like to use it.

primedev/admin# ncs password ?
  ftpuser  Modifies ftp username and password
  root     Modifies root user login password
primedev/admin# ncs password ftpuser ?
  <WORD>  Type in the username (Max Size - 80)
primedev/admin# ncs password ftpuser admin ?
  password  Modifies ftp password
primedev/admin# ncs password ftpuser admin password ?
  <WORD>  Type in the ftp password (Max Size - 80)

primedev/admin# ncs password ftpuser admin password Cisco123 
Initializing...
Updating FTP password.
This may take a few minutes...
Successfully updated location ftp user

Now using any FTP client you can connect to this FTP server to upload the patch file. I have used the FileZilla client, which is freely available from here. You can use the "admin/Cisco123" credentials to connect to the Prime FTP server as shown below.

[PI-Patch-02]
Then you can drag & drop the required patch file onto the PI repository you created, as shown below.
[PI-Patch-03]
Once copied, you can verify using the "show repository <Repository_Name>" command as shown below.

primedev/admin# show repository localftp
PI_1.4_0_45_Update_1-16.tar.gz
PI_1.4_0_45_Update_1-39.gz

Then you can install the patch using the "patch install <filename> <repository_name>" CLI command as shown below. It may take a few minutes (depending on the upgrade) & you should see the successful patch installation message at the end.

primedev/admin# patch install ?
  <WORD>  Patch bundle file name (Max Size - 255)
primedev/admin# patch ?
  install  Install a Patch Bundle
  remove   Uninstall An Application Patch
primedev/admin# patch install ?
  <WORD>  Patch bundle file name (Max Size - 255)
primedev/admin# patch install PI_1.4_0_45_Update_1-39.gz ?
  <WORD>  Name of the configured remote repository (Max Size - 255)

primedev/admin# patch install PI_1.4_0_45_Update_1-39.gz localftp
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Initiating Application Patch installation...

Patch successfully installed

If it is a software upgrade with an upgrade bundle, then you have to use the "application upgrade <upgradebundle_filename> <repository_name>" command.

primedev/admin# application ?
  install       Install An Application Bundle
  remove        Uninstall An Application
  reset-config  Reset application configuration to factory defaults
  start         Start an Application
  stop          Stop an Application
  upgrade       Upgrade An Application Bundle

primedev/admin# application upgrade ?
  <WORD>  Application bundle file name (Max Size - 255)

primedev/admin# application upgrade <PI_Upgrade_bundle> ?
  <WORD>  Name of the configured remote repository (Max Size - 255)

primedev/admin# application upgrade <PI_Upgrade_bundle> <repository_name>

You can verify the version with the "show version" or "show application version NCS" command.

primedev/admin# sh version 
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.1.038
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2010 by Cisco Systems, Inc.
All rights reserved.
Hostname: primedev
Version information of installed applications
---------------------------------------------
Cisco Prime Network Control System
------------------------------------------
Version : 1.4.0.45
Patch: Cisco Prime Network Control System Version: Update-1_39_for_version_1_4_0_45
Patch: Cisco Prime Network Control System Version: Update-1_16_for_version_1_4_0_45

        ****    OR   ****

primedev/admin# show application ?
  >        Output Redirection.
  status   Show Application status Information
  version  Show Application Version Information
  |        Output modifiers.
  <cr>     Carriage return.

primedev/admin# show application version ?
  <WORD>  Application name for version (Max Size - 255)

primedev/admin# show application version ncs <- lowercase not working
% Error finding version information for the application: ncs
primedev/admin# show application version NCS
Cisco Prime Network Control System
------------------------------------------
Version : 1.4.0.45
Patch: Cisco Prime Network Control System Version: Update-1_39_for_version_1_4_0_45
Patch: Cisco Prime Network Control System Version: Update-1_16_for_version_1_4_0_45

Here are some other useful CLI commands you can use with this product.

primedev/admin# show application status NCS
Health Monitor Server is running.
Reporting Server is running
Ftp Server is running
Database server is running
Tftp Server is running
Matlab Server is running
NMS Server is running.
SAM Daemon is running ...
DA Daemon is running ...
Syslog Daemon is running ...
status

primedev/admin# show logins cli
admin    pts/0        131.172.70.180   Sun Jan 12 12:25   still logged in   
admin    pts/0        131.172.70.180   Sun Jan 12 10:43 - 12:15  (01:32)    
admin    pts/0        131.172.70.180   Sat Jan 11 10:35 - 11:05  (00:30)    
wtmp begins Sat Jan 11 10:35:13 2014

primedev/admin# show running-config 
Generating configuration...   
hostname primedev     
ip domain-name latrobe.edu.au
!        
interface GigabitEthernet 0
  ip address 10.129.0.6 255.255.254.0
  ipv6 address autoconfig
!        
ip name-server x.x.x.2 x.x.x.1     
ip default-gateway 10.129.1.250       
clock timezone Australia/Melbourne       
ntp server x.x.x.x
!
username admin password hash $1$l3Q9q2Zv$g7QRjguS.VJ8TuBlpSRww1 role admin 
service sshd
!
repository defaultRepo
  url disk:/defaultRepo
repository localftp
  url disk:/ftp
  user admin password hash 74a43cee8d45b06fab03e0c57149222938d8f3a9
!
password-policy
  lower-case-required
  digit-required
  no-username
!
logging x.x.34.118:50003
logging loglevel 6
!
cdp timer 60
cdp holdtime 180
cdp run GigabitEthernet 0
icmp echo on

primedev/admin# show udi 
SPID: Cisco-VM-SPID
VPID: V01
Serial: PDEBFHIEJAG

primedev/admin# show ports
Process : portmap (3504)
     tcp: 0.0.0.0:111
     udp: 0.0.0.0:111
Process : Decap_main (28033)
     tcp: 127.0.0.1:2000
     udp: 0.0.0.0:514, 0.0.0.0:162
Process : Xvfb (27791)
     tcp: 0.0.0.0:6100, :::6100
Process : rpc.statd (3549)
     tcp: 0.0.0.0:763
     udp: 0.0.0.0:757, 0.0.0.0:760
Process : sam_daemon (28493)
     tcp: 0.0.0.0:2012
     udp: 127.0.0.1:24336
Process : java (28690)
     tcp: :::8009, :::48238, :::8080, :::16113, :::2001, ::ffff:10.129.0.6:61617, :::61237, :::8090, :::443
     udp: :::9991, :::14221, :::48909, :::52322
Process : java (27061)
     tcp: :::5001, :::8082
Process : java (27793)
     tcp: :::20555
Process : java (27360)
     tcp: :::20556, :::1199, :::9745, :::1299
     udp: :::18773
Process : java (27491)
     tcp: :::20558, :::21
Process : java (27674)
     tcp: :::20559
     udp: :::69, :::29001, :::29002, :::29003, :::29004, :::29005
Process : tnslsnr (27101)
     tcp: :::1522
Process : sshd (3929)
     tcp: :::22
Process : rsyslogd (28391)
     udp: 0.0.0.0:514, :::514
Process : ntpd (3910)
     udp: 10.129.0.6:123, 127.0.0.1:123, 0.0.0.0:123, fe80::250:56ff:feb9:123, ::1:123, :::123
Process : ora_pmon_wcs (27199)
     udp: ::1:11838
Process : ora_mmon_wcs (27228)
     udp: :::17770

You can find the full PI v1.4.1 command reference here.

References
1. Tips for Upgrading Prime Infrastructure (DOC-26972)
2. Steps to Install Update Patch for Prime Infrastructure (DOC-38649)
3. Cisco PI Classic View Configuration Guide, Release 1.4


WLC Config Backup using Prime


In this post we will see how to take a configuration backup of WLCs using Prime Infrastructure. If you have multiple controllers, then Prime Infrastructure would be the easiest way to automate the WLC configuration backup at regular intervals. I have used Prime Infrastructure Release 1.4.1 to illustrate this.

You can use the FTP, TFTP or SFTP method to take the configuration backup. First we will see how to back up the WLC configuration to the local FTP server of PI. You can enable this (by default it is disabled) under “Administration -> Background Tasks -> Controller Configuration Backup” as shown below.

WLC-Backup-PI-01
Once you schedule the backup, you will see the WLC configuration backed up in the default FTP folder of your Prime Infrastructure (disk:/ftp).

primedev/admin# dir disk:/ftp
Directory of disk:/ftp
       9767 Jan 12 2014 15:00:06  10_129_0_7_140112_1500.cfg
   17367740 Nov 26 2013 15:40:01  PI_1.4_0_45_Update_1-16.tar.gz
   52501585 Jan 12 2014 12:06:33  PI_1.4_0_45_Update_1-39.gz

           Usage for disk: filesystem 
                 1098838016 bytes total used
                27784806400 bytes free
                30455668736 bytes available

Now you can use any FTP client software to export it wherever you like. I have used the FileZilla FTP client to export it to my PC.

WLC-Backup-PI-02
If you need to see the WLC configuration, you can open it in a text editor & review the configuration.

WLC-Backup-PI-03
Now let’s see how you can back up directly to an external FTP server. To do this you first need to add the external FTP server to your Prime. You can do this under “Configure -> FTP/TFTP/SFTP” as shown below.

WLC-Backup-PI-04
WLC-Backup-PI-05
Now if you go to “Administration -> Background Tasks -> Controller Configuration Backup” you can modify the settings to point to the newly created FTP server. You need to update the FTP username/password according to your FTP server settings.

WLC-Backup-PI-06
Now you can see the controller backup is saved on your external FTP server.
WLC-Backup-PI-07
Here is my external FTP server root folder after the configuration backup is saved.

WLC-Backup-PI-08
If you would like, you can use TFTP as well. Below shows a configuration backup saved to a TFTP server on my PC.
WLC-Backup-PI-09

WLC-Backup-PI-10
Now you can modify the Controller Configuration Backup settings under Background Tasks to point to your TFTP server.

WLC-Backup-PI-11
Now you can see your WLC configuration backed up to the location specified on your TFTP server & verify the successful backup entry on Prime itself.

WLC-Backup-PI-12
WLC-Backup-PI-13
This is really useful if you have multiple controllers which need to be backed up regularly. It is always better to keep the configuration backup external to Prime itself, in case of an issue with the Prime Infrastructure.

Reference
1. Cisco Prime Infrastructure  Configuration Guide, Release 1.4

Related Posts

1. Upgrade Prime using CLI


Cisco RToWLAN Design Guide

Are you on Right WLC Software version ?


What version of software are you running on your WLC? 7.0.x, 7.4.x or 7.6.x? Recently Cisco published this document (Cisco DOC 40178) stating that they are going to defer the releases shown below (i.e. no support will be available and you cannot download those software versions any more).

WLC-OS-Deffer-01
So all releases made prior to Dec 2013 are going to be deferred. Here are the details of bug CSCul68057, which caused this. WLCs will experience unexpected reloads due to this bug.

WLC-OS-Deffer-02
Effectively you now have 3 choices. Even though 7.6.100.0 is listed above, due to some critical bugs in that version Cisco is working on releasing 7.6MR1 in the coming weeks, so you should not run the 7.6.100.0 code unless you want to experience those issues :shock: .

1. 7.0MR5 (7.0.250.0- available in CCO)
2. 7.4MR2 (7.4.121.0- available in CCO)
3. 7.6MR1 (7.6.101.x- Pre Release Available)

It is also mentioned: “for complete fix, upgrade to FUS (Field Upgrade Software) 1.9.0.0 as well“. It is very important to make sure you adhere to this. Here are the release notes for it.

Release Notes for WLC Field Upgrade Software(FUS) for Release 1.9.0.0

So what is the best option? Depending on what version you are running today, you can determine where to go. My preferred choice would be 7.4MR2. But if you are already running 802.11ac (3700 AP or 3600 with the ac module) then 7.6MR1. If you are still with 4400/WiSM1/2106 then 7.0MR5.

Cisco is also recommending 7.4MR2 as that code went through the “AssureWave” program & was tested thoroughly (see the blue star below). You can also refer to this report for what features were tested by Cisco under the AssureWave program for the 7.4.121.0 code.

WLC-OS-Deffer-03
Be on a safe code version !!!!

Update @ 5th March 2014.
I noticed this vulnerability notice on Cisco WLCs published today. I think that is the main reason for the above software code deferrals. Here is the summary of it & as you can see it leads to the 3 software codes listed above.
WLC-OS-Deffer-04
If you are using IOS-XE products (5760/3850/3650) then those are not impacted by this vulnerability :smile:

WLC-OS-Deffer-05



CiscoLive 2014 – Melbourne


I had another great time at CiscoLive 2014 here in Melbourne. Thanks to the Cisco Support Forum (due to being awarded VIP status), this time I got a free conference pass. Similar to other CiscoLive events in 2014, IoE (Internet of Everything) was the focus of the opening keynote.

For me, I utilized most of my time in Breakout Sessions, specifically focusing on Mobility & Converged Access topics. I also went to a session talking about the CCDE (Cisco Certified Design Expert) certification. It was also a great opportunity to meet colleagues, peers, Cisco specialists & vendors during this once a year event.

Here are some of the highlights of my time over there.

On Wednesday morning I went to “Managing the BYOD Evolution”, which mainly talks about how to use ISE with BYOD. Here is the presentation of this session.

BRKEWN-2020 Managing the BYOD Evolution

From Wednesday to Friday, Sujith Ghosh – Sr Mgr Technical Marketing – presented 3 sessions about all the deployment models (FlexConnect, CUWN & CA). This gave some idea of what’s coming in WLC 8.0 & IOS-XE 3.6, the next major versions of AireOS & IOS for these WLC platforms. I only got the opportunity to go for the FlexConnect & CA sessions.

Here are the PDFs of all 3 presentations.

1. BRKEWN-2016 Branch Office Wireless LAN Design
2. BRKEWN-2010 Design and Deployment of Enterprise WLANs
3. BRKEWN-2022 Converged Access Mobility Design & Architecture

Here is a moment with Sujith after one of his presentations.

DSC02567
Here is another great presentation by Dave Zack about “Converged Access Architecture”. If you want to know about CA in detail, this is the presentation you should go for.

BRKARC-2665 Converged Access Architecture, Design and Deployment

On Thursday I went for a 4 hr session about CCDE & it was great. Even though it is not on my radar for 2014, it may be for 2015-2016, as becoming a Design Expert or Solution Architect is one of my career goals.

Here are a few things I learned about the CCDE certification.

1. The practical exam (8hr) is conducted once a quarter. Here is the schedule for 2014
2. Available only at Pearson Professional Centres (PPC) around the world
3. It is an 8 hour computer based exam & results will be available immediately after the exam.
4. No prerequisite is required for CCDE (only design experience is required)

Here is the presentation of this session
BRKCRT-8001 CCDE The Cisco Certified Design Expert

In the last Breakout Session on Friday afternoon, Surendra – Senior TAC Engineer – did a great presentation about “Troubleshooting Converged Access”. Here is the pdf of that presentation. If you are deploying CA, you must go through this many times.

BRKEWN-3021 Troubleshooting Converged Access Wireless Deployments

Here are Surendra & Leo Laohoo (Cisco Designated VIP for LAN & Wireless in the CSC forum) with me before Surendra’s presentation.

DSC02571
Here are some other moments of the event while networking with others.

This is with two Cisco Press authors (Ron Fuller @ccie5851 & David Jansen @ccie5952) & I was lucky to get a free signed copy of their NX-OS & Cisco Nexus Switching book.

DSC02551 @ CCIE cocktail reception

DSC02540

@ World of Solutions
DSC02555 DSC02557 DSC02569 DSC02559
Looking forward to the 2015 event as well….



Cisco Wireless Product Comparison


When it comes to comparing different Cisco wireless products, here is the best place to go.

It lists all the supported features of each product in a manner that lets you compare related products easily. Certain features like client count per AP are documented here, which is rare to find even within a datasheet. If you want to see which Cisco AP models support 802.11ac, you can easily find that it is the 3600, 2700 & 3700 series.

Here are snapshots of the Indoor Access Point, Outdoor AP & WLC comparison tables available at the above link.

Cisco-Compare-01

Cisco-Compare-02

Cisco-Compare-03


Did you notice slow TFTP in 3850 ?


If you have done an IOS upgrade of the latest Cisco 3850 switch, you may have noticed that a TFTP file transfer takes a long time.

I have come across this issue multiple times & it took more than 20 min to copy a ~250MB image to the switch flash when using TFTP. As shown below, it took 1548s (~26min) to copy the image via TFTP & my transfer speed was ~1.3Mbps (166150 bytes/sec).

3850-Slow TFTP-01

3850-2#copy tftp://10.128.13.2/cat3k_caa-universalk9.SPA.03.03.02.SE.150-1.EZ2.bin flash:
Destination filename [cat3k_caa-universalk9.SPA.03.03.02.SE.150-1.EZ2.bin]? 
Accessing tftp://10.128.13.2/cat3k_caa-universalk9.SPA.03.03.02.SE.150-1.EZ2.bin...
Loading cat3k_caa-universalk9.SPA.03.03.02.SE.150-1.EZ2.bin from 10.128.13.2 (via Vlan1600): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 257243236 bytes]

257243236 bytes copied in 1548.260 secs (166150 bytes/sec)

I tried with different TFTP servers and different operating systems (Windows, Mac OS X, etc.) & every time it took more than 25 mins.

Then I did the same file transfer via FTP. This time it took only around 261s (4.3 min) & the transfer rate was ~7.5 Mbps (984249 bytes/sec), which is much better than the TFTP transfer speed of ~1.3 Mbps.

3850-2#copy ftp://10.128.8.214/firmware/cat3k_caa-universalk9.SPA.03.03.02.SE.150-1.EZ2.bin flash:
Destination filename [cat3k_caa-universalk9.SPA.03.03.02.SE.150-1.EZ2.bin]? 
Accessing ftp://10.128.8.214/firmware/cat3k_caa-universalk9.SPA.03.03.02.SE.150-1.EZ2.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 257243236/4096 bytes]

257243236 bytes copied in 261.360 secs (984249 bytes/sec)

Here is the file transfer rate if I do it via a USB stick directly attached to the switch. As you can see, the file transferred within 60s & I got around 32.8Mbps (4295262 bytes/sec) transfer rate. If it is a new installation, you can use this method, but for an IOS upgrade in an existing network it is practically difficult to use this method as you have to physically attach the USB stick to the switches.

3850-2#copy usbflash0:cat3k_caa-universalk9.SPA.03.03.02.SE.150-1.EZ2.bin flash:
Destination filename [cat3k_caa-universalk9.SPA.03.03.02.SE.150-1.EZ2.bin]? 
Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
257243236 bytes copied in 59.890 secs (4295262 bytes/sec)

Based on the above, I did not have a clear understanding of why TFTP is that slow in this latest & greatest 3850 switch. But I stopped using TFTP for IOS image upgrades and instead got used to the FTP method. I posted this thread on 30th September 2013 in the CSC forum to find an answer. There was no direct answer to this for the past 6 months. It all changed yesterday when I noticed Luke Primm from Cisco gave me the clear reason for these slow TFTP speeds & how to overcome that. Here are Luke’s words in response to my query.

Hello Rasika,
By default, the Catalyst 3850 uses a tftp block size value of 512, which is the lowest possible value.  The reasoning behind this default value is to ensure interoperability with legacy tftp servers.

For IOS-XE version 3.3.2 and below, you will have to manually change the block size in the global configuration to speed up the transfer process.  The example below is a transfer comparison when using the default block size of 512K versus a transfer using the maximum block size value of 8192K.

Hope that helps
Luke

So here is how I fixed the slow TFTP transfer rate of this 3850 switch. You have to increase the TFTP blocksize from 512 bytes (the minimum) to 8192 bytes (the maximum).

3850-2(config)#ip tftp ?         
  blocksize         Specify TFTP client blocksize
  boot-interface    Force interface to use for TFTP booting
  min-timeout       Set minimum timeout period for retransmission
  source-interface  Specify interface for source address in TFTP connections

3850-2(config)#ip tftp blocksize ?
  <512-8192>  blocksize value

3850-2(config)#ip tftp blocksize 8192

Before going ahead with the file transfer test & comparing the result, let’s look at how this increased TFTP blocksize works. RFC2348 (TFTP Blocksize Option) describes what options you can have. When you configure an increased blocksize, the TFTP client (if you copy a file to the TFTP client) will initiate the request with the blocksize option set to that increased value. Here in my example you can see the 3850-2 switch send a TFTP Read Request with blocksize 8192 as an option.

3850-Slow TFTP-03

If the server is willing to accept the blocksize option, it sends an Option Acknowledgment (OACK) to the client. The specified value must be less than or equal to the value specified by the client. The client must then either use the size specified in the OACK, or send an ERROR packet, with error code 8, to terminate the transfer. In my case the TFTP server accepted this block size and sent an OACK.

3850-Slow TFTP-04
So the client confirms usage of the increased block size & informs the server that it is ready to accept data block 1.

3850-Slow TFTP-05
Then the data transfer starts with 8192 octet block sizes & here is block 1.

3850-Slow TFTP-06
So here is the final result with a blocksize of 8192. As you can see below, the same file copied in less than 2 mins.

3850-2#copy tftp://10.128.13.2/cat3k_caa-universalk9.SPA.03.03.02.SE.150-1.EZ2.bin flash:
Destination filename [cat3k_caa-universalk9.SPA.03.03.02.SE.150-1.EZ2.bin]? 
Accessing tftp://10.128.13.2/cat3k_caa-universalk9.SPA.03.03.02.SE.150-1.EZ2.bin...
Loading cat3k_caa-universalk9.SPA.03.03.02.SE.150-1.EZ2.bin from 10.128.13.2 (via Vlan1600): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 257243236 bytes]

257243236 bytes copied in 118.770 secs (2165894 bytes/sec)

As you can see, the ~250MB file transfers in less than 120s (2 min) & the speed I was getting was ~16.5Mbps (2165894 bytes/sec). This is really great & TFTP file transfer rates won’t slow you down any more.
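Here is the blocksize negotiation described above worked through in code, as an added example that is not code from the original post, from Cisco, or from any TFTP server: the client's Read Request with the blksize option, the server's OACK (capped at what the server supports and never above what the client asked), the client's ACK of block 0 or ERROR code 8, and the packet-count arithmetic that explains the speed-up. The 8192 server cap, the file name and the choice to ignore an out-of-range blksize are assumptions; all packets are constructed in memory, nothing is sent on the network.

```python
import struct

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR, OP_OACK = 1, 3, 4, 5, 6
ERR_OPTION_NEG = 8           # RFC 2348 error code the client uses to refuse an OACK
RFC_MIN, RFC_MAX = 8, 65464  # valid blksize range in RFC 2348 (IOS exposes 512-8192)
DEFAULT_BLKSIZE = 512        # what the 3850 uses when no blksize is configured
IMAGE_SIZE = 257243236       # bytes, taken from the copy output above


def _fields(payload):
    """Split NUL-terminated strings; drop the empty piece after the final NUL."""
    parts = payload.split(b"\0")
    if parts and parts[-1] == b"":
        parts.pop()
    return parts


def _options(parts):
    """Turn [name, value, name, value, ...] into a dict (names are case-insensitive)."""
    return {parts[i].decode().lower(): parts[i + 1].decode()
            for i in range(0, len(parts) - 1, 2)}


def build_rrq(filename, blksize, mode="octet"):
    """Client -> server: Read Request carrying the blksize option."""
    return (struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode()
            + b"\0" + b"blksize\0" + str(blksize).encode() + b"\0")


def parse_rrq(pkt):
    """Return (filename, mode, options) from an RRQ packet."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op != OP_RRQ:
        raise ValueError("not an RRQ")
    parts = _fields(pkt[2:])
    return parts[0].decode(), parts[1].decode(), _options(parts[2:])


def server_reply(rrq, server_max=8192):
    """Server side. Returns (packet, blksize): an OACK when the client asked for a
    usable blksize (capped at server_max, never above the client's value), or
    (None, 512) meaning 'no OACK, start sending 512-byte DATA blocks as before'.
    Assumption: an out-of-range blksize is ignored rather than answered with ERROR."""
    _, _, options = parse_rrq(rrq)
    if "blksize" not in options:
        return None, DEFAULT_BLKSIZE
    requested = int(options["blksize"])
    if not RFC_MIN <= requested <= RFC_MAX:
        return None, DEFAULT_BLKSIZE
    chosen = min(requested, server_max)
    oack = struct.pack("!H", OP_OACK) + b"blksize\0" + str(chosen).encode() + b"\0"
    return oack, chosen


def client_handle_oack(oack, requested):
    """Client side. A valid OACK is answered with ACK block 0 ('ready for block 1');
    a blksize larger than requested is refused with ERROR code 8. Returns (packet, size)."""
    (op,) = struct.unpack("!H", oack[:2])
    if op != OP_OACK:
        raise ValueError("not an OACK")
    chosen = int(_options(_fields(oack[2:])).get("blksize", DEFAULT_BLKSIZE))
    if chosen > requested or not RFC_MIN <= chosen <= RFC_MAX:
        return struct.pack("!HH", OP_ERROR, ERR_OPTION_NEG) + b"bad blksize\0", None
    return struct.pack("!HH", OP_ACK, 0), chosen


def blocks_needed(file_size, blksize):
    """DATA packets (each waiting for its own ACK) in a transfer; the final short
    block, possibly zero-length, is what signals end of file."""
    return file_size // blksize + 1


if __name__ == "__main__":
    rrq = build_rrq("cat3k_caa-universalk9.SPA.03.03.02.SE.150-1.EZ2.bin", 8192)
    oack, _ = server_reply(rrq)
    ack, agreed = client_handle_oack(oack, 8192)
    print(f"blksize {agreed}: {blocks_needed(IMAGE_SIZE, 512)} packets at 512 bytes "
          f"vs {blocks_needed(IMAGE_SIZE, agreed)} at {agreed}")
```

Each DATA packet is acknowledged before the next is sent, so the packet count is also the number of round trips; the 502429 vs 31402 figures for this image are where the 16x difference in lock-step transfer time comes from.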

3850-Slow TFTP-02
So the bottom line is to configure the “ip tftp blocksize 8192” command on your 3850 switches as a template command, as long as that is supported by your TFTP server.

This is important as IOS-XE images are 250-300MB in size. On legacy switches, even with a 512 byte block size, slow file transfer rates may not affect you as image sizes are less than 32MB in most cases. But I doubt you would want to waste 20min copying an image across for a switch upgrade.

Thanks Luke :smile:


Well done SL – 2014 ICC T20 Champs


After an 18 year wait, there was a moment of joy when Sri Lanka won the ICC World T20. That marks the end of the T20 careers of two legends of SL cricket, Kumar Sangakkara & Mahela Jayawardana. Well done guys….

Here are some of the video highlights of the evening.

I am proud to be a Sri Lankan & witnessing two great victories (1996 & 2014) in world cricket.


Thisara Perera
Presentation Ceremony

My Blog – 2nd Anniversary !


Exactly two years ago I started this blog & that journey has come a long way. I got the below greeting from WordPress & thought about taking a few minutes to talk about this journey so far.

Year2-01
Here are the blog stats as of today. Over 250k hits during the past 24 months & as you can see it is becoming more popular day by day.

Year2-02Here are few of popular posts in my blog. In the past QoS & Multicast related topics were among the top x list. As a emerging trend I can see 3850/5760 (Cisco Converged Access) related posts getting popularity recent days.

Year2-03
Here are stats about where my readers are coming from. USA, India, Australia, Germany & UK are leading the way.

Year2-04
I enjoyed this journey very much & this blog gave me an enormous opportunity to connect with the entire world (if this blog was not there I may not even know you at all). Lots of you have been in touch with me & encouraging me all the time & that helped a lot. On the other hand I have faced tough situations due to my blog posts as well. I just want to emphasise that this is my personal blog & the posts only reflect my understanding or opinion about a particular product or technology. They do not reflect the opinions of my employer or any other vendor (eg Cisco).

Thank you very much for supporting & encouraging me during this journey. I would like to continue this blog & have another re-cap in one year’s time.

Related Posts

1. 100k Hits for My Blog !



CCIE Policy Update 2014


I recently attended this CCIE Community Webcast held on 14th April 2014. You may need to register to view the recorded session. The following were the speakers at this event:

  • Jeanne Beliveau-Dunn, Vice President and General Manager of Learning@Cisco
  • Dave Mallory, Chief Technology Officer, Learning@Cisco, CCIE
  • Yusuf Bhaiji, Senior Manager, Global Certifications, CCIE
  • Bruno van de Werve, CCIE Routing and Switching Exam Program Manager, CCIE

One of the items on the agenda was the upcoming CCIE Written & Lab exam policy update, which I think is good to know for every CCIE candidate. As per that, a few policy changes will take place starting in Cisco’s next financial year (ie Aug 2014 onwards). Here are some of the key highlights of those policy changes.

1. CCIE/CCDE Written Exam
At the moment candidates who fail their written exam must wait 5 calendar days before they can take the written exam again. According to the revised policy, a candidate must wait 15 calendar days before re-taking the exam.

Also, currently there is no maximum number of re-takes for a written exam. But according to the new policy the maximum number of attempts for the written exam is limited to 4 attempts per year.

2. CCIE Lab Exam
As per the current policy, a candidate must wait 30 days before re-taking the CCIE Lab exam & it does not vary depending on which attempt you are taking. According to the new policy this waiting time varies depending on the number of failed attempts.

30 days wait time policy for the first two lab attempts only
90 days wait time policy for greater than 2 failed attempts & less than 6 failed attempts
180 days wait time policy for greater than 5 failed attempts

This means if you fail the CCIE lab the first time, then you can go for the 2nd attempt after a 30 day wait. But for the 3rd attempt you need to wait 90 days from your 2nd lab date. If you are going for the 6th time, then you need to wait 180 days from your 5th lab attempt date.

3. Re-evaluation of Lab exam result
Currently a reread can be requested only for the Routing & Switching lab exam or the Service Provider lab exam. This involves another proctor loading your configuration & completely re-marking it, & if they find any discrepancy & you have earned a passing mark you will get a successful outcome. For any other tracks there is no option for a re-evaluation.

According to the new policy, Cisco will introduce a “Review Policy” for the other tracks. You can request a review of your exam result through the CCIE Online Portal. It will involve a 2nd proctor verifying your answers along with any applicable system generated debug data saved from your exam.

4. Rescheduling Lab exam.
As per the current policy, you cannot re-schedule a CCIE lab exam if you are within 90 days of your scheduled exam date. According to the new policy you can reschedule the exam even within the 90 day period, but for a fee.

5. CCIE Emeritus Exception
If you are a CCIE of 10 years & your CCIE status becomes inactive (due to not fulfilling the requirement of re-taking a CCIE written exam every 2 years), Cisco will give you a one time opportunity to make your CCIE status active & move onto Emeritus Status, where you do not need to re-certify every 2 years. To do that you have to obtain the “Cisco Business Transformation Certification”. Yes, it is a new certification.

CCIE-Policy Update
I know you may have many questions or need clarification around these points. Cisco will publish all this information on their website & you can contact them if any clarification is required.

