Wednesday, July 17, 2019

Need some help with QoS

Guys, Gals, I feel like I'm missing something that should be really basic--but I'm just not seeing it, so I've gotta ask for some help. Diagram is here: https://imgur.com/a/ww23rxq

My environment consists of Cisco 2960-X switches at the access, and 9500-48Y4C at the core. I've rolled out a marking policy to the access switches that very closely mimics the End-to-End QoS book. The core is simply trusting DSCP markings. Here's a snippet of the code I'm using for marking. Repeat this code for 7 other classes of traffic.

ip access-list extended VOIP-DATA
 remark RTP
 permit udp any any range 16384 32767
!
class-map match-any VOIP-DATA-CLASS
 match access-group name VOIP-DATA
!
policy-map MARKING-POLICY
 class VOIP-DATA-CLASS
  set dscp ef

I can see traffic being categorized and tagged correctly according to my policy when doing packet captures. However, I'm not getting any DSCP-tagged packets on the return traffic. Initially, this led me to think "Ah, I need to put this marking policy at my first network device at the WAN edge to mark packets on the ingress." I did this at the switch marked "Edge" on the diagram. (This switch provides WAN connectivity to our HA ASAs.) The same policy was configured and a "service-policy input MARKING-POLICY" command was applied to the interfaces connecting to the ISP equipment.

After some more packet captures though, I saw what might be the problem. The originating traffic has a random source port but a static destination port. So an HTTPS connection will have a destination port of 443. The return traffic uses 443 as the source port. According to the access-lists I created, it's only looking at the destination ports, thus not marking the return traffic--regardless of where that marking policy exists on the network.

So my question: How should I tag this return traffic on the way back into the network? I want it to be tagged the entire time it is on the network, so I would think it should be tagged at the "Edge" switch. In the End-to-End QoS guide, I couldn't find anything that addresses this scenario. If it were as simple as creating another line on the access list with the source port specified, wouldn't it have been documented? This leads me to believe that I've just screwed something up. That's entirely possible. So tell me, what am I not getting here?
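Added illustration of the direction problem described above (not configuration from the original post): the destination-only ACL beside a version that also matches the server-to-client direction by source port. The interface name and the af21 value for HTTPS are assumptions.

```cisco
! Added example, not the post's own config. Interface name and af21 are assumed.
! Destination-only ACL as in the post: the return direction never matches,
! because the reply carries 443 (or the RTP range) as its SOURCE port.
ip access-list extended HTTPS-DATA
 remark HTTPS, client -> server only (destination port)
 permit tcp any any eq 443
!
! Match both directions so the reply is classified and marked as well.
ip access-list extended HTTPS-DATA-BIDIR
 remark HTTPS, client -> server (destination port 443)
 permit tcp any any eq 443
 remark HTTPS, server -> client (source port 443)
 permit tcp any eq 443 any
!
ip access-list extended VOIP-DATA-BIDIR
 remark RTP, either endpoint's port in the range
 permit udp any any range 16384 32767
 permit udp any range 16384 32767 any
!
class-map match-any HTTPS-CLASS
 match access-group name HTTPS-DATA-BIDIR
class-map match-any VOIP-DATA-CLASS
 match access-group name VOIP-DATA-BIDIR
!
policy-map MARKING-POLICY
 class VOIP-DATA-CLASS
  set dscp ef
 class HTTPS-CLASS
  set dscp af21
!
! Apply inbound on the ISP-facing interface of the Edge switch (assumed
! name), so return traffic is marked before the DSCP-trusting core sees it.
interface GigabitEthernet1/0/1
 service-policy input MARKING-POLICY
!
! Verification: both directions should now increment the class counters.
! show policy-map interface GigabitEthernet1/0/1 input
! show access-lists HTTPS-DATA-BIDIR
```

Matching on source port widens each class (any flow sourced from 443 or the RTP range is caught), so keep this policy at the ingress points where the DSCP is being set rather than trusted, and confirm the counters with the show commands above.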
