Calling DSCP or IP Precedence on traffic Policing

Hi Guys,
I have a good question and I can say it's a challenging question. We have some policy-maps on some interfaces, but because these interfaces are dedicated to some customers that they are using just for voice and video. I put some detail for better understanding:
router#sh policy-map QOS:POLICE:100M:pm-q
  Policy Map QOS:POLICE:100M:pm-q
    Class class-default
     police cir 100000000 bc 3125000
       conform-action transmit
       exceed-action drop
     service-policy QOS:RATE:30-x:pm-q
router#sh policy-map QOS:RATE:30-x:pm-q
  Policy Map QOS:RATE:30-x:pm-q
    Class QOS:REALTIME:cm-q
      set qos-group 5
     police cir percent 30
       conform-action transmit
       exceed-action drop
    Class QOS:INTERACTIVE:cm-q
      set qos-group 3
    Class QOS:CONTROL:cm-q
      set qos-group 6
     police cir percent 10
       conform-action transmit
       exceed-action drop
    Class QOS:BUSINESSDATA:cm-q
      set qos-group 1
    Class class-default
      set qos-group 0
We put this because we expected to guarantee 30% of that bandwidth. It means we expected to guarantee 30mbps, but now the guys are saying this type of configuration is not working because calling dscp on policing is not working.
Now we have to change it to the below:
router#Policy Map QOS:POLV2:GWS:100M:pm-q
    Class QOS:INT:MPLS:cm-q
     police cir 120000000 bc 21000000 be 42000000
       conform-action transmit
       exceed-action drop
       violate-action drop
Now the question is: is this change right?
Thanks
Majid

Sarah
1) L2 switches can trust the dscp marking as well. The 2960 is a layer 2 only switch and the default is untrusted, but if you then enter "mls qos trust" you have a choice of 'cos|dscp|ip-precedence'. The default if no choice is entered is DSCP.
2) If "mls qos trust dscp" is entered then the switch will use the DSCP marking found in the packet. This will then be used as the internal DSCP marking that all switches use. Unless you have a DSCP-DSCP mutation map the value used will be the value received in the packet.
Jon

Similar Messages

  • Traffic policing question on Cisco ASR 1001

    Hi Experts,
    I have a request to setup aggregated traffic policing on a Cisco ASR 1001 router for multiple networks within a router.
    Let's say I have a router with several subinterfaces:
    interface GigabitEthernet0/2
     description WAN
     ip address x.x.x.x x.x.x.x
    interface GigabitEthernet0/1.70
     description Lan_1
     encapsulation dot1Q 70
     ip address 192.168.55.1 255.255.255.0
    interface GigabitEthernet0/1.80
     description LAN_2
     encapsulation dot1Q 80
     ip address 192.168.56.1 255.255.255.0
    interface GigabitEthernet0/1.90
     description Servers
     encapsulation dot1Q 90
     ip address 172.16.10.1 255.255.255.0
    I have a WAN link of 100Mbit/s and I need to police traffic, so that I have 30Mbit/s for servers (GigabitEthernet0/1.90) and the remaining 70Mbit I want to share between interfaces Lan_1 and LAN_2. The idea is that I need 70Mbit/s equally shared between the two interfaces, so that I have fair policing on both interfaces. What is the best way to achieve this?
    Many Thanks

    Hello
    The below configuration is a possible option. It provides policing inbound from the client interfaces and LLQ priority queuing on the WAN interface for the servers, and the shaping value for LAN1 & 2 traffic is set to 35MB each.
    Notice nothing is defined for the default class; however, I am of the understanding this is given by default 1% of HQoS implementations.
    Maybe others on here could review to verify any problems with this post and share their thoughts?
    ip access-list extended SRVS_acl
     permit ip 172.16.10.0 0.0.0.255 any
    ip access-list extended LAN1_acl
     permit ip 192.168.55.0 0.0.0.255 any
    ip access-list extended LAN2_acl
     permit ip 192.168.56.0 0.0.0.255 any
    class-map match-all SRVS_CM
     match access-group name SRVS_acl
    class-map match-all LAN_1_CM
     match access-group name  LAN1_acl
    class-map match-all LAN_2_CM
     match access-group name LAN2_acl
    policy-map SRVS_PM
     class SRVS_CM
        police 30720000 conform-action transmit exceed-action drop
    policy-map LAN_2_PM
     class LAN_2_CM
        police 35840000 conform-action transmit 
    policy-map LAN_1_PM
     class LAN_1_CM
        police 35840000 conform-action transmit 
    interface GigabitEthernet0/1.70
    service-policy input LAN_1_PM
    interface GigabitEthernet0/1.90
     service-policy input SRVS_PM
    interface GigabitEthernet0/1.80
     service-policy input LAN_2_PM
    policy-map WAN_CHILD
     class SRVS_CM
      priority 30720
     class LAN_1_CM
      shape average 35840000
     class LAN_2_CM
      shape average 35840000
     class class-default
      fair-queue
    policy-map WAN_PARENT
     class class-default
      shape average 102400000
      service-policy WAN_CHILD
    int  GigabitEthernet0/2
    bandwidth 102400
    service-policy output WAN_PARENT
    res
    Paul

  • Traffic Policies IN NAC

    Hello friends,
    For host remediation, should we allow access to a particular destination, or is it accessible by default?
    OR
    traffic policies are applied after a host passes posture assessment and remediation, to limit network access?
    Thanks

    Hello Faisal,
    Thanks for the response.
    My setup is IN-band virtual mode.
    From your mail, what I understand is that if the host wants to succeed at posture assessment, it has to be permitted to the particular destination.
    For example: if the host is not updated with the full AV, then it has to be permitted access to the AV server for the updates in the temporary role.
    The access-list will be like: permit tcp any host 10.10.10.10 (AV Server) eq (port)
    Correct me if I am wrong?
    2) After the host succeeds in host posture assessment, we can also limit the host to a particular destination.
    Where is the option where we can specify such an access-list?
    Thanks

  • ISG: Service with traffic policing counts dropped packets.

    Hello,
    Our company has a Cisco 7304 NPEG100 router ("show version" is at the bottom of this message). We are planning to start ISG services on this router, but there is a bug CSCei4190. When I set traffic policing in a service, accounting in this service counts packets that have been dropped by traffic policing.
    Here is an example of my definition of the service in RADIUS:
    User-Name = 'Internet-Service'
    Cisco-AVPair += "ip:traffic-class=in access-group 2000 priority 10"
    Cisco-AVPair += "ip:traffic-class=out access-group 2001 priority 10"
    Cisco-AVPair += "ip:traffic-class=in default drop"
    Cisco-AVPair += "ip:traffic-class=out default drop"
    Cisco-AVPair += "prepaid-config=TRAFFIC_PREPAID"
    Cisco-AVPair += "accounting-list=ISG_ACCT"
    Cisco-Service-Info += "QU;256000;D;512000"
    Acct-Interim-Interval += '60'
    When I remove Cisco-Service-Info += "QU;256000;D;512000" from the service definition, all traffic is counted correctly.
    I did not find in the Bug Details which version of IOS I should use in my 7304 router where this bug is fixed.
    Cisco IOS Software, 7300 Software (C7300-A3JK91S-M), Version 12.2(31)SB17,  RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Fri 30-Oct-09 12:35 by vpernank
    ROM: System Bootstrap, Version 12.2(22r)S, RELEASE SOFTWARE (fc1)
    BOOTLDR: 7300 Software (C7300-BOOT-M), Version 12.2(20)S6, RELEASE SOFTWARE (fc4)
    7304 uptime is 17 hours, 24 minutes
    Uptime for this control processor is 17 hours, 24 minutes
    System returned to ROM by reload at 06:22:24 TSK Wed Feb 23 2005
    System restarted at 18:46:54 TSK Mon Mar 22 2010
    System image file is "disk0:c7300-a3jk91s-mz.122-31.SB17.bin"
    cisco 7300 (NPEG100) processor (revision B) with 983040K/65536K bytes of  memory.
    SB-1 CPU at 800Mhz, Implementation 0x401, Rev 0.2, 512KB L2 Cache
    4 slot midplane, Version 67.49
    Last reset from software reset or reload
    4 FastEthernet interfaces
    3 Gigabit Ethernet interfaces
    1021K bytes of non-volatile configuration memory.
    62592K bytes of ATA compact flash in bootdisk (Sector size 512 bytes).
    125952K bytes of ATA compact flash in disk0 (Sector size 512 bytes).
    Configuration register is 0x2102

    I am getting other logs sent to the syslog server, yes, just not the firewall-related "dropped packet" logs.  Here's an example of one that does make it through:
    5790: *Apr 30 15:05:27.039 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-647534746 1500 bytes is out-of-order; expectedseq:3647406270. Reason: TCP reassembly queue overflow - session 192.168.1.179:3895 to 54.240.160.142:80 on zone-pair inside-to-Transitclass WB-Browsing
    I am not allowing all the traffic across the box.  The "self-to-inside" zone-pair just allows the *firewall itself* to initiate any traffic to the inside zone.  That's temporary until I get all the management traffic to and from the firewall defined, then I will lock it down further.
    And I added the "ip inspect log drop-pkt" and it did not appear to make any difference.
    Any other suggestions?
    -Mat

  • 2950 Traffic Policing

    Hi,
    I'm trying to configure traffic policing on a Catalyst 2950. The config is pretty straight-forward, or so I thought. I need to set up several policy-maps, each one policing traffic at different levels (5meg, 10meg, 20meg, etc.). My problem is, anything above 1Meg just doesn't seem to work as expected. Here's my config for a 10Meg policer:
    class-map match-all ALL-TRAFFIC
    match access-group 1
    policy-map 10mbs
    class ALL-TRAFFIC
    police 10000000 65536 exceed-action drop
    access-list 1 permit any
    Here's the interface config:
    interface FastEthernet0/24
    switchport access vlan 53
    load-interval 30
    service-policy input 10mbs
    spanning-tree portfast
    spanning-tree bpdufilter enable
    spanning-tree link-type point-to-point
    What happens is, when uploading files from the server attached to this port (ingress to the switch), my throughput is nowhere near 10Mb/s. I only end up getting about 2Mb/s consistently, with a large 600MB ISO file transfer.
    I've configured policers before in routers and other types of switches and I would at least get around 7 to 8Mb/s, if not immediately, after some time, due to TCP's native congestion avoidance. I may be missing something blatantly obvious, though, as I've been wrestling with this the past few hours.

    Although the page is about the 3550, I think most of the information is relevant to the 2950 as well (although the 2950 doesn't support the granularity of the 3550).
    http://www.cisco.com/en/US/partner/products/hw/switches/ps646/products_tech_note09186a00800feff5.shtml
    Have you tried using non connection-oriented traffic (UDP) to see what rates you achieve? I suspect TCP is probably suffering due to the policer dropping the packets.
    HTH
    Andy

  • Traffic Policing on Service Provider Edge router.

    Hi,
    I'm confused about traffic policing on a service provider edge router. Suppose I have taken internet bandwidth from my ISP and they say that they will give me 100 Mbps bandwidth burstable up to 1Gbps. What does that mean? What is burstable here?
    I would appreciate it if anyone from a service provider organization could give an output of their edge router's running config. I just have to understand how they police our traffic. Here I'm talking about Internet leased lines.

    This is probably something you will have to get your service provider to answer. Different service providers use the term burst in a different context. Some SPs are "NICE" and will set up no policer or shaper and will purely monitor the link for fair use, allowing you to exceed what you have purchased as long as you don’t abuse the privilege. Other service providers may set up a dual-rate policer with a CIR and a PIR to achieve the same. A 3rd scenario is as explained above, where the SP will set up a policer for 100Mb/s and then calculate the burst value at 1/8 of a second (or less in some cases), which allows your traffic to burst to full line rate for that time slice.
    There are other scenarios but the point I’m trying to make is that service providers don’t all do this the same way which is why you should ask them what they mean and how long your traffic would be allowed to burst to line rate.
    PJ

  • Cisco ASA QoS traffic policing - how to count conform burst

    hi,
    I have cisco ASA 8.4(5). I will do configuration for QoS traffic policing. Maximum output/input rate will be 850 Mbits/s.
    I am not sure if I need to do configuration also for conform burst. If yes, can I calculate a suitable value for it? I must admit that I don't understand the difference between conform rate and conform burst.
    access-list acl_qos_policing_admin extended permit ip any any
    class-map class_qos_policing_admin
     match access-list acl_qos_policing_admin
    policy-map policy_qos_policing_admin
     class  class_qos_policing_admin
     police output 850000000 xxxxxxx
     police input 850000000 xxxxxxx
    service-policy policy_qos_policing_admin interface inside_ADM

    Hi, I have already done the configuration on the production firewall. The bandwidth test worked very well for 200Mbps or 300 Mbps. But I got slightly strange results for bigger rate limits such as 600Mbps or 850 Mbps. I could not see any dropped packets. I did the test via http://www.speedtest.net. Maybe because I need to set conform-burst? There is now only the default value (if you set a bigger conform-rate then you get a bigger conform-burst with the default value).
    Interface inside_EDU:
      Service-policy: policy_qos_policing_edu
        Class-map: class_qos_policing_edu
          Output police Interface inside_EDU:
            cir 200000000 bps, bc 6250000 bytes
          Input police Interface inside_EDU:
            cir 200000000 bps, bc 6250000 bytes
    Interface inside_EDU:
      Service-policy: policy_qos_policing_edu
        Class-map: class_qos_policing_edu
          Output police Interface inside_EDU:
            cir 600000000 bps, bc 18750000 bytes
          Input police Interface inside_EDU:
            cir 600000000 bps, bc 18750000 bytes
    Interface inside_ADM:
      Service-policy: policy_qos_policing_admin
        Class-map: class_qos_policing_admin
          Output police Interface inside_ADM:
            cir 300000000 bps, bc 9375000 bytes
          Input police Interface inside_ADM:
            cir 300000000 bps, bc 9375000 bytes
    Interface inside_ADM:
      Service-policy: policy_qos_policing_admin
        Class-map: class_qos_policing_admin
          Output police Interface inside_ADM:
            cir 850000000 bps, bc 26562500 bytes
          Input police Interface inside_ADM:
            cir 850000000 bps, bc 26562500 bytes
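
The relationship between conform rate and conform burst asked about in this thread, as an added example that is not part of the original posts: a single-rate token-bucket model in Python, fed with the cir/bc pairs from the ASA output above and the 2950 `police 10000000 65536` line. The constant-bit-rate sender, 1500-byte packets and the 1 Gbps / 100 Mbps offered rates are assumptions, and this is a generic policer model, not Cisco's implementation.

```python
"""Single-rate, two-colour token-bucket policer (conform = transmit, exceed = drop).

Generic model for illustration; not Cisco's implementation.
"""

MICRO = 1_000_000  # time is kept in integer microseconds so the arithmetic is exact


class Policer:
    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps = cir_bps
        self.capacity = bc_bytes * 8 * MICRO  # bucket depth, in micro-bits
        self.tokens = self.capacity           # bucket starts full
        self.last_us = 0
        self.conformed_bytes = 0
        self.exceeded_bytes = 0

    def offer(self, now_us, size_bytes):
        """Offer one packet at time now_us; return True if it conforms."""
        # cir bits/s over dt microseconds adds exactly cir * dt micro-bits.
        earned = self.cir_bps * (now_us - self.last_us)
        self.tokens = min(self.capacity, self.tokens + earned)
        self.last_us = now_us
        cost = size_bytes * 8 * MICRO
        if cost <= self.tokens:
            self.tokens -= cost
            self.conformed_bytes += size_bytes
            return True
        self.exceeded_bytes += size_bytes  # exceed-action drop
        return False


def refill_time_s(cir_bps, bc_bytes):
    """Time the CIR needs to refill an empty bucket: bc * 8 / cir."""
    return bc_bytes * 8 / cir_bps


def time_to_first_drop_s(cir_bps, bc_bytes, offered_bps):
    """How long a constant stream above CIR runs on a full bucket before drops."""
    if offered_bps <= cir_bps:
        return float("inf")  # never exceeds
    return bc_bytes * 8 / (offered_bps - cir_bps)


def run_cbr(cir_bps, bc_bytes, offered_bps, seconds, size_bytes=1500):
    """Feed fixed-size packets at a constant bit rate; return the Policer."""
    gap_us = max(1, size_bytes * 8 * MICRO // offered_bps)  # inter-packet gap
    policer = Policer(cir_bps, bc_bytes)
    for now_us in range(0, seconds * MICRO, gap_us):
        policer.offer(now_us, size_bytes)
    return policer


# cir/bc pairs copied from the outputs and configs on this page
PAGE_POLICERS = {
    "ASA 200M": (200_000_000, 6_250_000),
    "ASA 300M": (300_000_000, 9_375_000),
    "ASA 600M": (600_000_000, 18_750_000),
    "ASA 850M": (850_000_000, 26_562_500),
    "2950 10M": (10_000_000, 65_536),
}

if __name__ == "__main__":
    for name, (cir, bc) in PAGE_POLICERS.items():
        print("%-9s bucket refills in %.4f s" % (name, refill_time_s(cir, bc)))

    # Assumed offered load: 1 Gbps into the 850M policer, 100 Mbps into the 10M one.
    cir, bc = PAGE_POLICERS["ASA 850M"]
    print("850M policer, 1 Gbps offered: first drop after %.2f s"
          % time_to_first_drop_s(cir, bc, 1_000_000_000))
    for secs in (1, 2):
        p = run_cbr(cir, bc, 1_000_000_000, secs)
        print("  %d s test: %d bytes dropped" % (secs, p.exceeded_bytes))

    cir, bc = PAGE_POLICERS["2950 10M"]
    p = run_cbr(cir, bc, 100_000_000, 1)
    print("10M policer, 100 Mbps offered for 1 s: %.2f Mbps conformed"
          % (p.conformed_bytes * 8 / 1e6))
```

The model only covers a sender that does not react to loss; it says nothing about how TCP backs off when the policer drops.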

  • DSCP to CoS mapping: Avaya traffic

    It appears that Avaya marks its voice traffic as follows:
    L2 signaling cos 6 L3 signaling dscp 34
    L2 audio cos 6 L3 audio dscp 46
    Has anyone interacted with these settings and what are the right mappings for 6500 series Modules?
    I am about to use the following:
    #mls qos map dscp-cos 34 46 to 6
    #mls qos map dscp-cos 48 to 5 (move IP control to cos 5)
    #mls qos map cos-dscp 0 8 16 24 32 46 48 56 leave cos to dscp unchanged.
    Finally use: #mls qos trust dscp on input interfaces.
    Can anyone clarify?
    Thanks.

    The 6608 and 6624 internal port is treated as trust-cos to the Catalyst 6000. So the default COS-to-DSCP mapping of the cards will determine the DSCP values with which the IP packets are marked unless they are changed in the switch.
    The 6608 and 6624 will tag packets as follows:
    COS = 5 for rtp traffic
    COS = 3 for signalling traffic
    By default on the Catalyst 6000, these COS values map in IP packets to DSCP 24 (COS = 3) and 40 (COS = 5) as shown in the table below.
    Generally, the recommended DSCP values to use in a VoIP network differ slightly. They are:
    DSCP = 46 for rtp traffic (Recommended Expedited Forwarding (EF) value)
    COS = 26 for signalling traffic (AF31)
    It may be necessary to change the default COS-DSCP mapping on the Catalyst 6000 so that the DSCP markings in packets generated by the 6608 and 6624 cards conform to the network policy. For example, if other devices in the network are marking packets with the recommended values.
    Information on how to change the default COS-DSCP mapping is provided in the Mapping Received CoS Values to Internal DSCP Values section of Catalyst 6000 Family Software Configuration Guide.

  • Application Traffic Policies

    Hi,
    Thanks for your previous helpful responses.
    I will be doing a POC at a customer site. I have the following applications listed that I will be optimizing:
    Oracle
    MS windows (CIFS)
    MS Exchange
    EFAX- oracle
    RTGS- Real Traffic Gross settlements
    T24
    internet thru proxy server.
    Banknet - Intranet Service.
    DNS.
    Mcafee antivirus updates service.
    I guess one way to capture the traffic types is to run a sniffer on the network. How do I know exactly how the application works, so as to know what kind of ATP to create for some of these applications mentioned and what kind of optimization to apply, since not all have an ATP defined in the default Cisco ATP?
    Thanks

    Obiora,
    There are several apps you list that are in the default application policies (CIFS, Oracle, Proxy server, etc.). I would recommend that you create a policy for Exchange via destination IP with full optimization as long as it's not encrypted by the Outlook clients.
    For the other apps, you are correct, you may have to run a sniffer to look at them as they may be customer apps. After you have found out what ports and/or IP addresses they will use, you can create customer policies if they don't fit into the default set.
    Hope that helps,
    Dan

  • Need help understanding IP Precedence traffic types

    I was reading through the different IP Precedence values and most seemed to be fairly straightforward, but I'd like to make sure I have my facts correct. According to the list below, IP Precedence treats traffic lowest to highest priority with numbers 0-7, respectively, is that correct?
    Is it a matter of drop rates increase with the IP precedence value then as well?
    What type of traffic would fall under 4? I've never heard of Flash, or Flash Override type traffic, a little clarity would be much appreciated.

    Interface fair-queue treats IP Prec marked traffic differently.  As interface FQ was the default on serial interfaces E1 or slower, you might consider it as "automatic".  (NB: FQ within pre-HQF class default, works the the later interface WFQ.)
    Explicitly configured QoS WRED (on interface or within CBWFQ), with defaults, treats IP Prec marked traffic differently.

  • CUCM - DSCP for TelePresence Calls Enterprise Parameter

    Hi All,
    There is an enterprise parameter in newer versions of CUCM called "DSCP for TelePresence Calls" that is separate from "DSCP for Video Calls".
    Does anyone know what endpoints the former applies to? Is it just the traditional CTS endpoints (e.g CTS-3000), or is it all devices that include TelePresence in the name in CUCM for example Cisco TelePresence EX60?
    Cheers,
    Giles

    It's only for immersive room endpoints (e.g. CTS1300, 3000, TX9000, and the like).
    Sorry for the delayed response, I just spotted this as part of an unrelated Google search and am answering in case someone else finds this in their search results.

  • Qos for H323 Video tele conference traffic

    Hi All,
    I am using Tandberg video equipment(bridge MPS200, endpoint MPX2000, MPX6000). My WAN routers are Cisco 2800/3800 connecting to MPLS network.
    Jitters are between 4ms - 20ms. Picture quality is not very good when I use the bridge calls out to 8 endpoints at 384Kbps.
    Would you put audio and video traffic into the same class and mark it as EF, or separate them, marking RTP audio as EF and RTP video = IP precedence 4?
    thanks
    PH

    Just for the record
    The Cisco Enterprise QoS SRND recommends putting Video AF41 in the PQ.
    1st ref 3-12
    policy-map WAN-EDGE
    class Voice
    priority percent 18 ! Voice gets 552 kbps of LLQ
    class Interactive Video
    priority percent 15 ! 384 kbps IP/VC needs 460 kbps of LLQ
    class Call Signaling
    bandwidth percent 5 ! BW guarantee for Call-Signaling
    class Network Control
    bandwidth percent 5 ! Routing and Network Management get min 5% BW
    class Critical Data
    bandwidth percent 27 ! Critical Data gets min 27% BW
    random-detect dscp-based ! Enables DSCP-WRED for Critical-Data class
    class Bulk Data
    bandwidth percent 4 ! Bulk Data gets min 4% BW guarantee
    www.cisco.com/go/srnd
    When provisioning for Interactive Video (IP Videoconferencing) traffic, the following guidelines are recommended:
    - Interactive Video traffic should be marked to DSCP AF41; excess Interactive-Video traffic can be marked down by a policer to AF42 or AF43.
    - Loss should be no more than 1 %.
    - One-way Latency should be no more than 150 ms.
    - Jitter should be no more than 30 ms.
    - Overprovision Interactive Video queues by 20% to accommodate bursts
    Because IP Videoconferencing (IP/VC) includes a G.711 audio codec for voice, it has the same loss, delay, and delay variation requirements as voice, but the traffic patterns of videoconferencing are radically different from voice.

  • URGENT! Setting QoS DSCP value on switches

    Hi,
    I desperately need replies to my problem below.
    I tried to set DSCP values to 2 applications, video and video conference, on cisco 3560 and cisco 2950 switches based on the source ip address of the servers.
    So on the switches, I created an access-list to identify the servers' ip addresses.
    Then I use "class-map match-any video" followed by "match access-group" for the access-list.
    Then I use "policy-map policy1", then "class video" then "set dscp ef".
    Finally I apply the policy to the INPUTS of all ports "service-policy input policy1"
    But when I use a sniffer to sniff the ports, I see that the DSCP value is not "EF", instead it is "0x20, class 4".
    Why is this so?
    Where have I done wrongly?
    Finally, on routers, where do I apply QOS policy? On input ports or output ports of routers?
    I urgently need help.
    Thank you.
    Regards,
    Rachel

    Rachel,
    Without seeing what you have in place so far, I'll see if I can answer some of those questions. If the switch connects to a router, then the outbound (egress) interface would in fact be that interface on the switch that connects to a router. Best practices dictate that the classification and marking should be done on the inbound (ingress) interface which connects the switch to the network where the host resides.
    If you wanted to implement an end-to-end QoS solution, then you should configure QoS on every interface between the source and destination. This is because even FastE/GigE ports can become congested due to worm outbreak or DOS attack. But if all you want to do right now is guarantee bandwidth to the video traffic across the WAN, that can be accomplished by a) classifying and marking the video traffic as close to the source as possible, and b) configuring queuing/scheduling on the outbound WAN interface based on those markings.
    Once the switch has marked the traffic with a DSCP value per (a), that DSCP value should remain intact until it reaches the WAN router per (b), and all the way until it reaches its destination. That is, unless there is a device somewhere in between that is remarking traffic. If the switch you reference is not directly connected to the router you reference, there could be another switch or router in between marking everything back to DSCP 0, meaning that all traffic is untrusted.
    I don't have a 2950 here with me, but without checking syntax this is basically what you should have, if you just want to mark video traffic EF and then guarantee bandwidth on the wan:
    2950:
    access-list permit
    class-map match-any VIDEO
    match access-group
    policy-map POLICY1
    class VIDEO
    set ip dscp 46 !
    interface
    service-policy input POLICY1
    Router:
    class-map match-any EF_VIDEO
    match ip dscp 46
    policy-map VIDEO_OUT
    class EF_VIDEO
    priority 1600
    interface
    service-policy output VIDEO_OUT
    If you are sniffing traffic on that switch to ensure that video traffic is being marked, make sure that you are sniffing the outbound interface toward the router, not the inbound interface from the host. That will ensure that your sniffer trace picks up the traffic after it has been marked DSCP 46.
    Just in case this post is related to your post where you want to lock the router WAN interface so that the 1.6 megs of video gets through but other traffic is dropped when the video takes the full 1.6 megs of bandwidth...
    QoS queuing/scheduling only kicks in when the interface experiences congestion. If there is no congestion on the interface, traffic will still be marked and policed per the service policy, but not queued/scheduled - it will just fly right through the interface with the new markings. The only way to force such congestion at 1.6 megs is to use traffic shaping. You would need to shape the entire interface down to 1.6 megs, and THEN apply the priority bandwidth. This can be accomplished with a hierarchical policy-map as follows:
    Router:
    class-map match-any EF_VIDEO
    match ip dscp 46
    policy-map VIDEO_OUT
    class EF_VIDEO
    priority 1600
    policy-map SHAPE_OUT
    class class-default
    shape average 1600000
    service-policy VIDEO_OUT
    interface
    service-policy output SHAPE_OUT
    I really hope I am helping you out here, please let me know how this works out. Good luck!
    Best Regards
    Robert

  • Wireless QoS - CAPWAP getting tagged DSCP 26 while inner packet is DSCP 24.

    Hello,
    I'm facing an issue regarding QoS and wireless. I've attached a drawing of my set up as well. 
    My set up consists of a Cisco wireless 7925 phone, a 3702i access point, and a WISM2 controller (running newest 7.6 code). 
    My access point is connected to a 3750 switch, the switchport is in access mode, and is trusting the dscp values from the access point (mls qos trust dscp). QoS is also enabled on the switch (mls qos). 
    Please see my attached picture of a visual representation to what I'm going to describe. 
    In my particular scenario I'm looking at SKINNY traffic between the phone and the call manager. Per our Wired QoS design SKINNY traffic is tagged with DSCP 24 or CS3.  Traffic from the call manager to the phone is being tagged correctly all the way through (from the wired segment, to the controller and from the controller to the access point) the inner packet and the CAPWAP header is tagged correctly with DSCP 24. 
    Return traffic from the phone to the call manager is a different story. The phone is clearly tagging the SKINNY traffic with DSCP 24 as well, this is evident by looking at the inner packet in captures. However, the CAPWAP header is being tagged DSCP 26 for some reason. Basically it looks like the access point is building the CAPWAP header with the value of 26 despite the fact that the original packet is marked 24. 
    I'd like to further understand why this is happening in only one direction (from AP to the controller) and if there is any way to change the behavior. 
    One thing I might have stumbled on is how the 802.11e values map to DSCP values. Looking at the binary representations of 24 and 26, they both end up mapping back to the 802.11e value 3. My current thinking is the access point just sees this 802.11e value #3 and then tags it to 26 automatically instead of 24. I'm not sure why the access point can't read the correct DSCP value of the inner packet (being tagged by the phone) and simply map that same value to the CAPWAP header. 
    Any help or further insight into this would be greatly appreciated. 
    Thanks! 

    Return traffic from the phone to the call manager is a different story. The phone is clearly tagging the SKINNY traffic with DSCP 24 as well, this is evident by looking at the inner packet in captures. However, the CAPWAP header is being tagged DSCP 26 for some reason. Basically it looks like the access point is building the CAPWAP header with the value of 26 despite the fact that the original packet is marked 24.
    Note that when the AP receives a packet, it will only see the wireless header UP (user priority) value & not the inner IP packet DSCP header. So all mapping of outer CAPWAP DSCP is based on the UP value.  Refer to this table & UP3 will map to AF31 (DSCP value 26)
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch5_QoS.html#_Ref167257742
    I'd like to further understand why this is happening in only one direction (from AP to the controller) and if there is any way to change the behavior.
    When it comes from UCCM side, signaling traffic already marked with CS3. So when WLC map that to CAPWAP, it will simply use that IP packet DSCP value to derive the outer CAPWAP DSCP. So packet goes as CS3 in that direction.
    If you want to change this behavior (client to AP-> WLC), you can apply a qos service policy to re-write DSCP26 to CS3 on your 3750 switch where AP connects.
    http://mrncciew.com/2012/11/30/understanding-wireless-qos-part-2/
    Refer this post from Jerome to see background of this AF31 or CS3 debate when classifying voice control traffic.
    http://wirelessccie.blogspot.com.au/2011/02/wired-qos-for-voice-control-af31-dscp.html
    HTH
    Rasika
    **** Pls rate all useful responses ****
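
The 24-versus-26 behaviour discussed in this thread, and the CoS 5 to DSCP 40 default mentioned in the Avaya thread further up, as an added example that is not part of the original posts: a Python decoder for the ToS/DS byte, plus a round trip of a DSCP through a 3-bit marking. The top-three-bits downward mapping is an assumption taken from the poster's own description, the UP table holds only the one entry the answer states (UP3 to 26), and the CoS list is the cos x 8 default of which the page states the CoS 3 and CoS 5 entries.

```python
"""Decode the IPv4 ToS / DS byte and show why 3-bit markings lose DSCP detail."""


def phb_name(dscp):
    """Standard per-hop-behaviour name for a 6-bit DSCP (RFC 2474/2597/3246)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return "CS%d" % cls                 # class selectors: 0, 8, 16, ... 56
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return "AF%d%d" % (cls, low >> 1)   # AFxy: x = class, y = drop precedence
    return "unassigned(%d)" % dscp


def decode_tos(tos_byte):
    """Split a raw ToS/DS byte, as seen in a capture, into its fields."""
    if not 0 <= tos_byte <= 255:
        raise ValueError("ToS is one byte")
    dscp = tos_byte >> 2
    return {
        "dscp": dscp,
        "ecn": tos_byte & 0b11,
        "precedence": dscp >> 3,  # top three bits: IP precedence
        "phb": phb_name(dscp),
    }


def remark_via_3bit(dscp, three_bit_to_dscp):
    """Carry a DSCP through a 3-bit field (CoS, 802.11e UP, IP precedence) and back.

    Going down keeps only the top three bits (assumed simple mapping); coming
    back up, the device can only pick one DSCP per 3-bit value from its table.
    """
    return three_bit_to_dscp[dscp >> 3]


# Only the entry stated in the answer above: UP 3 -> AF31 (DSCP 26).
AP_UP_TO_DSCP = {3: 26}

# cos x 8 default; the page states the CoS 3 -> 24 and CoS 5 -> 40 entries.
DEFAULT_COS_TO_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]

if __name__ == "__main__":
    for dscp in (24, 26, 34, 46, 0x20):
        print("DSCP %2d = %s  %-5s top3=%d"
              % (dscp, format(dscp, "06b"), phb_name(dscp), dscp >> 3))

    # Phone marks Skinny as CS3 (24); the outer header is rebuilt from UP 3.
    inner = 24
    outer = remark_via_3bit(inner, AP_UP_TO_DSCP)
    print("inner %s -> outer %s" % (phb_name(inner), phb_name(outer)))

    # EF rebuilt from CoS 5 with the default map comes back as CS5 (40).
    print("EF via CoS ->", phb_name(remark_via_3bit(46, DEFAULT_COS_TO_DSCP)))

    # Constructed sample: ToS byte 0xB8 as a sniffer would show it for EF.
    print(decode_tos(0xB8))
```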

  • "mls qos trust dscp" vs. "mls qos trust cos"

    Are these statements correct ?
    1. If using QoS profile without setting "wired qos protocol", always use "mls qos trust dscp" on the WLC trunk port
    - downstream wmm traffic will be policed down to "?" (this one I'm not sure, is it "not policed" or "policed down to cos 6 for platinum, etc")
    2. If using QoS profile with setting "wired qos protocol",
    - use "mls qos trust cos" on the WLC trunk port if you want outgoing LWAPP traffic COS/DSCP to reflect QoS profile setting and if you want to rewrite DSCP in the outgoing upstream traffic to QoS profile setting
    - use "mls qos trust dscp" on the WLC trunk port if you want LWAPP traffic COS/DSCP to reflect original DSCP setting and if you want to leave DSCP alone in the outgoing upstream traffic
    3. With either "mls qos trust cos" or "mls qos trust dscp" on WLC trunk port, downstream wmm traffic will be policed down to "wired qos protocol" setting (What if "wired qos protocol" is not set, will it be policed down to, for example, cos 6 for Platinum?)
    4. Always use "mls qos trust dscp" on non-HREAP AP ports
    Use "mls qos trust dscp" on HREAP AP ports, if you want to preserve upstream DSCP for locally switched WLANs
    Use "mls qos trust cos" on HREAP AP ports, if you want QoS profile 802.1p to override upstream DSCP for locally switched WLANs
    5. Use either "mls qos trust dscp" or "mls qos trust cos" on switch-to-switch trunks

    Are these statements correct ?
    1. If using QoS profile without setting "wired qos protocol", always use "mls qos trust dscp" on the WLC trunk port
      - downstream wmm traffic will be policed down to "?" (this one I'm not sure, is it "not policed" or "policed down to cos 6 for platinum, etc")
    Ans: Not sure about always. You can use both 'mls qos trust dscp' and 'mls qos trust cos'. Since it is a trunk port, the packets will have a CoS value (802.1p tag), and hence you can trust CoS. Downstream and upstream traffic are both capped to the WLAN max QoS value. For example, if the WLAN is set to silver and a packet comes in at platinum QoS, the AP will cap it to silver in the upstream direction. The same holds true for a cos 5 / dscp 46 packet coming in from the wired side.
    2. If using QoS profile with setting "wired qos protocol",
      - use "mls qos trust cos" on the WLC trunk port if you want outgoing LWAPP traffic COS/DSCP to reflect QoS profile setting and if you want to rewrite DSCP in the outgoing upstream traffic to QoS profile setting
      - use "mls qos trust dscp" on the WLC trunk port if you want LWAPP traffic COS/DSCP to reflect original DSCP setting and if you want to leave DSCP alone in the outgoing upstream traffic
    Ans:
    3. With either "mls qos trust cos" or "mls qos trust dscp" on WLC trunk port, downstream wmm traffic will be policed down to "wired qos protocol" setting (What if "wired qos protocol" is not set, will it be policed down to, for example, cos 6 for Platinum?)
    Ans: Traffic in both directions will always get capped to the WLAN max QoS. Untagged (802.1p = 0) traffic will be treated as best effort.
    4. Always use "mls qos trust dscp" on non-HREAP AP ports
       Use "mls qos trust dscp" on HREAP AP ports, if you want to preserve upstream DSCP for locally switched WLANs
       Use "mls qos trust cos" on HREAP AP ports, if you want QoS profile 802.1p to override upstream DSCP for locally switched WLANs
    Ans:
    5. Use either "mls qos trust dscp" or "mls qos trust cos" on switch-to-switch trunks
    Ans: I think on purely layer 2 switches you can trust dscp, but am not 100% sure.
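
The trust choice debated in this thread, and the AF31-to-CS3 rewrite suggested in the earlier reply, as an added Python model that is not part of any poster's reply and is not Cisco code. It assumes the default CoS-to-DSCP map (CoS n to DSCP n×8), a port default CoS of 0, and that an untrusted port resets traffic to the port default; all function names are hypothetical, and WLAN profile capping is not modelled.

```python
"""Simplified model of switch ingress QoS classification (added example)."""

# DSCP code points named in the thread (standard values).
DSCP = {"default": 0, "cs3": 24, "af31": 26, "ef": 46}

# Assumption: default CoS-to-DSCP map, CoS n -> DSCP n*8.
COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}


def ip_precedence(dscp):
    """IP Precedence is the top three bits of the six-bit DSCP field."""
    return dscp >> 3


def internal_dscp(trust, dscp, cos=None, port_default_cos=0):
    """Return the DSCP the switch uses internally for one ingress packet.

    trust: "dscp", "cos" or None (untrusted port).
    cos:   802.1p value from the VLAN tag, or None for an untagged frame.
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if cos is not None and not 0 <= cos <= 7:
        raise ValueError("CoS is a 3-bit field")
    if trust == "dscp":
        return dscp
    if trust == "cos":
        # Untagged frames carry no 802.1p bits, so the port default applies.
        return COS_TO_DSCP[port_default_cos if cos is None else cos]
    if trust is None:
        return COS_TO_DSCP[port_default_cos]
    raise ValueError(f"unknown trust mode: {trust!r}")


def remark(dscp, policy):
    """Apply an ingress re-marking policy such as {AF31: CS3}."""
    return policy.get(dscp, dscp)


def classify(trust, dscp, cos=None, policy=None):
    """Trust decision followed by the optional re-marking policy."""
    return remark(internal_dscp(trust, dscp, cos), policy or {})


# The rewrite suggested for the AP-facing port: DSCP 26 (AF31) -> CS3.
AF31_TO_CS3 = {DSCP["af31"]: DSCP["cs3"]}
```

AF31 and CS3 share IP Precedence 3, so a device that classifies on precedence alone treats them the same, while a device that matches the full DSCP value does not.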
