Trying to wrap my head around the best way to apply traffic shaping rules to tag/enforce DSCP ZOOM traffic via MR access points. We are applying DSCP tags from ZOOM so my assumption is that I need to enforce those on the SSIDs which we have done below. But because zoom uses 443/80 and I choose the ports as definitions it tags all 443/80 with DSCP7 which I am not sure I want.
On the edge we are prioritizing traffic based on those tags and destination IPs (long list of ZOOM/Teans CIDRS) so this works because all wireless traffic over the ports below are prioritized through the network to the FW. FW then decides what to prioritize based on our QOS policies.
Teams seems easier as we are using specific UDP ranges whereas ZOOM uses http/https ports which can turn into a problem. Is there a better way to do this to only tag ZOOM specific traffic using definitions?
Yeah man, we have done all that. I am more focused on the Meraki side as to what is the best way to enforce/apply those tags on the AP/wireless side.
I am NOT specifying destination ZOOM CIDRs in the shaping rules in Meraki. Are you saying don't specify 443/80 on the traffic shaping rules? The only place I am specifying them on the firewall and I have to in order to be sure the FW is only prioritizing traffic to and from those specific IPs.
On my PAN FW We are matching ports/destination IPs and DSCP tags to prioritize traffic so what I am trying to accomplish is to ensure the tags we are prioritizing are being sent from ZOOM, honored/applied if not already by Meraki and then prioritized accordingly.
Good point, so to be clear, we have ZOOM configured to push DSCP tags but our windows clients aren't honoring them along with some OSX clients in the office.
So to get around that we are trying to enforce them via Meraki as well as no bandwidth limits for traffic matching those DSCP markings. But what does it matter if ZOOM is enforcing them and as well as Meraki? I mean if the tag is there no harm no foul, if it isn't then Meraki should apply it right?
if I'm not mistaken, this is egress from the user device/client, inbound from the SaaS/provider is untagged and so there may be some benefit* to tagging the traffic inbound.
Apologies as I haven't read the support article on this topic. Also if I'm not mistaken per the QoS/design guide on WiFi, by the time the return traffic hits the AP, it is already considered 'too late' and flagging UP or DSCP/fastlane or other priority mechanism at that point is in fact too late. Anyways I love this topic and hope I am not spewing mis-information. 😄
A few key points to consider:
1) If the downstream traffic (flowing from the MX down to the access point) already has the correct DSCP tag (should be DSCP 46 (EF), not CS7 which is reserved for network protocols the AP will tag it at layer 2 with the correct 802.11 UP marking of 6 which translates to the voice queue. However that is also contested since zoom does not use a separate stream for their audio and thus should actually be put into DSCP 34 (AF41) with a layer 2 tagging of 5 (video queue).
2) Upstream traffic is dependent on the tagging the endpoint gives to the traffic so the network can't even influence how fast those packets reach the air.
3) Meraki needs a way to just match on existing DSCP value to modify or add layer 2 marking manually.
I have no MX, I have PAN firewalls at the office.
At home, outside of my network and sans Meraki I get the correct tags via my ZOOM client installed via the MSI file. I want the same behavior in the office but again something is not translating. Sometimes clients get all CS7 (56) and sometimes they get none at all. All of them share the same wireless/core/firewall which is prioritizing traffic, but why some get tagged with 1 tag and others get no tags is the problem I am having. And since this is only deployed on our wireless I am looking at the APs as part of the problem.
But traffic that is tagged is being influenced and given priority, I can see that.
ZOOM admin console:
Packet capture from my home office, so the only influence here is ZOOM sending DSCP tags 56 and 40 to my client and vice versa so I know ZOOM can tag its traffic correctly on both windows and OSX.
What I don't fully understand is the correlation of ZOOM sending tags and Meraki honoring them if seen, adding them if not seen and or stripping them?
I see CS5 and CS7 in your capture so I assume you captured while having all those rules in place. If your endpoints AND the downstream traffic is already tagged by your zoom installation you should not include them in your rules, then it will keep the original tagging. That was the whole point of my post: if your traffic is DSCP tagged it will add the correct WMM UP tagging but to see those tags you must do an OTA capture since those tags will or stripped by your OS or re translated to COS tags but that depends too much on the behavior of your OS.
Yeah so that is from my house, so the only rules applying there are ZOOM marking them which it is doing. In the office doing a packet capture from the firewall for wireless clients I don't see any tags or I see all (CS7) 56 which is just odd. So I figured Meraki must be doing something nefarious because on the backbone we are just trusting the tags and prioritizing traffic based on them.
Below is from the firewall for a wireless client at the office and all their traffic towards the internet. You can see all this users traffic is tagged as CS7 and we see the complete opposite from other users with 0 tags whatsoever.
I wanted to be sure that if Meraki does see those tags it doesn't limit bandwidth to them. So that is where the traffic shaping rules came into play and how to best ensure we had them configured correctly. When checking all the moving parts we are seeing odd behavior and not sure what is causing it.
Make a long story short we are tagging traffic from ZOOM and we aren't seeing those tags applied correctly to wireless clients. We know those clients can send/receive those tags because we see them outside the office, why inside the office we don't see the same behavior is the unknown.
Do you know if I specify a localsubnet on a rule will Meraki tag all packets on that subnet that match the ports I have defined on that same rule? Its just not clear on what exactly those definitions are doing.
Let me see if I can decipher what wired office clients are doing.
Once again, Meraki will not change tags if you don't configure it to. I sane person would never tag CS7 on user traffic. But it clearly shows in your first screenshot you configured Meraki to do so.
So downstream you won't see the tags coming in to the wired interface of the AP but you will see the tags your Zoom config has. Upstream traffic will first be tagged by your client and then be sent over the air. When it reaches the AP will keep the current tag if no matching rule has found OR if you did put a rule that matches or put the use default QoS rules it will apply those to the packets leaving the wired interface of the AP.
The reason I did is because 56/CS7 is what Cisco recommended and ZOOM defaults to.
These are the default rules you are referring to? If so have you had good results using them? I can set ZOOM to use whatever I want and can go as far as to match those default rules.
Update to all this, it seems OSX clients won't tag ZOOM traffic over a Meraki SSID, but the AP will tag that traffic once it sees it. I assume this is due to fast lane on OSX but I really don't have any way to confirm that. Can you disable fast lane via Meraki?
At the end of the day we have it working mostly for what we want and these are the traffic shaping rules we ended up with. We see the tags from the client or the wired side of the AP if the client isn't tagging it.