MX QOS Wireshark Traffic Analysis

Solved
JonasResende
Here to help

MX QOS Wireshark Traffic Analysis

Hey community,

 

I have a doubt regarding the traffic capture performed in the MX.

 

I have created a SDWAN traffic shaping rules in the MX like below.

JonasResende_0-1630097135536.png

 

In order to confirm that the traffic was being tagged as per DSCP configured in the rule, I have performed a pcap.

 

In the wireshark, it's possible to see see that the traffic is really reaching the correct DSCP, however it's only happen in the traffic coming from public IP to private IP.

 

JonasResende_1-1630097576290.png

 

 

From private to public all the traffic is marked as CS0, even having the rule created.

 

JonasResende_2-1630097652603.png

 

Shouldn't it be opposite? 

 

Why traffic coming from private is not marked with EF, instead traffic coming from public?

1 Accepted Solution
ww
Kind of a big deal
Kind of a big deal

Your capture is from the lan before it hits the mx. For lan to wan you have to look in a capture from the wan port

View solution in original post

5 Replies 5
ww
Kind of a big deal
Kind of a big deal

Your capture is from the lan before it hits the mx. For lan to wan you have to look in a capture from the wan port

Bruce
Kind of a big deal

@JonasResende, as @ww stated if you’re capturing on the LAN interface then you won’t see the DSCP on the packet for outbound traffic (i.e. private to public) since the capture is performed before the MX processes the packet. For the inbound traffic (i.e. public to private) the packet has already been processed and so has the DSCP marking applied - I’ve noted before that the shaping and markings get applied in both directions (which makes sense since you can specify different upstream and downstream throughput limits).

 

If you capture on the WAN interface you just need o be aware that if the traffic is going into an SD-WAN/AutoVPN tunnel then you’ll lose visibility of the source and destination IP addresses as the IPSec header obscures this. However you should still be able to see the DSCP markings on packets as they are copied from the inside to outside header - I know there has been plenty of debate in the community as to whether this actually happens or not, but my own testing has shown that it does.

 

Final point to remember is that although you can DSCP mark traffic going towards the internet nothing is going to act on it, and somethings may well reset the DSCP markings. It’s really only useful for traffic within your own network where devices (e.g. switches) are configured to prioritise and queue traffic based on those markings.

JonasResende
Here to help

@Bruce and @ww thanks for the explanation.

 

@Bruce , I am a bit confused with your final point. If I created the rules to have this prioritization, on the traffic coming from LAN to Internet, does it mean that the packet can suffer DSCP change? Or will it really reach the rule created ? Or should be better I create the rules in MR or MS?

 

All the rest, is very clear for me.

Bruce
Kind of a big deal

@JonasResende, the final point is just that when traffic is on the internet you have no control over it. So any DSCP markings you apply are ignored (so the traffic will not be prioritised in any way on the internet), and in some cases DSCP markings may get set back to Best Effort (0) by devices on the internet. The priority setting on the MX is only locally significant (it puts traffic into the high priority queue), it only applies to the traffic as it leaves the MX, after that it means nothing.

 

As your MX will mark traffic in both directions your traffic will always be marked and processed correctly by the MX (even if it’s marked as Best Effort on the internet the MX will remark it), but to make any use of those markings you’ll need to make sure that QoS is configured correctly on the device inside your network (i.e. the DSCP markings are trusted and the traffic queued based on these).

 

Hope that makes it a little clearer.

JonasResende
Here to help

Perfectly @Bruce . That's very clear for me.

 

Regards.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels