Zoom app on iPhone not marking QoS on Meraki APs

DanZ
Getting noticed

I have a strange issue. We have the Zoom app deployed on our corporate iPhones. We have a mix of Meraki APs and Cisco APs. We are trying to verify that QoS is set for all Zoom traffic. We found doing packet captures that we were seeing iPhones with Zoom mark QoS appropriately on Traditional Cisco Controller managed APs. Video is AF41 and voice is EF. When those clients were on Meraki APs, we did not see the traffic marked. All Zoom traffic was CS0. It was almost as though the iPhone detected the access point it was on and stopped marking QoS (both DSCP and 802.11e).

We thought it might be Fastlane related as Fastlane is on by default on Meraki and we had it off on our Cisco controllers. Sure enough, when we enabled Fastlane on the Cisco controller SSID, the Zoom iOS app stopped marking traffic via DSCP or 802.11e.

Anyone seen anything like this? Other iOS apps such as Facetime seem to mark QoS no matter what. Also Zoom on Android marked QoS no matter what.

Can you turn Fastlane off on Meraki?

[Image: QoS working - no Fastlane]
[Image: QoS not working - Fastlane enabled]
[Image: QoS not working - Meraki]
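The capture check described in the post above can be scripted. The following is an added example, not part of the original post: it reads the DSCP field from raw Ethernet frames (IPv4 and IPv6, with or without an 802.1Q tag) and counts frames per marking. The frames are constructed sample data, and the helper names are hypothetical.

```python
import struct
from collections import Counter

# Code points named in the thread: CS0 (unmarked), AF41 (video), EF (voice).
DSCP_NAMES = {0: "CS0", 34: "AF41", 46: "EF"}

def dscp_of(frame: bytes):
    """Return the DSCP of an Ethernet frame carrying IPv4 or IPv6, else None."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:   # 802.1Q tag adds 4 bytes
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    ip = frame[off:]
    if ethertype == 0x0800 and len(ip) >= 20:      # IPv4: byte 1 = DSCP(6) + ECN(2)
        return ip[1] >> 2
    if ethertype == 0x86DD and len(ip) >= 40:      # IPv6: traffic class straddles bytes 0-1
        return (((ip[0] & 0x0F) << 4) | (ip[1] >> 4)) >> 2
    return None

def tally(frames):
    """Count frames per DSCP name; non-IP frames are ignored."""
    counts = Counter()
    for frame in frames:
        dscp = dscp_of(frame)
        if dscp is not None:
            counts[DSCP_NAMES.get(dscp, f"DSCP{dscp}")] += 1
    return dict(counts)

# Constructed sample data below (addresses and MACs are made up).
MACS = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"

def ipv4_frame(dscp, ecn=0):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 28, 0, 0, 64, 17, 0,
                      bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    return MACS + b"\x08\x00" + hdr + bytes(8)

def ipv6_frame(dscp):
    hdr = struct.pack("!IHBB", (6 << 28) | (dscp << 22), 8, 17, 64) + bytes(32)
    return MACS + b"\x86\xdd" + hdr + bytes(8)

def sample_frames():
    arp = MACS + b"\x08\x06" + bytes(28)           # non-IP frame, must be skipped
    return [ipv4_frame(46), ipv4_frame(34, ecn=1), ipv6_frame(46),
            ipv4_frame(0), ipv4_frame(0), arp]

if __name__ == "__main__":
    print(tally(sample_frames()))
```

This covers DSCP only; the 802.11e user priority lives in the 802.11 QoS Control field and is visible only in an over-the-air capture.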

11 REPLIES
PhilipDAth
Kind of a big deal

To use FastLane on an Apple device you pretty much have to have an MDM. That MDM then has to authorise apps that are allowed to use FastLane.

An example of an MDM that can do this is Meraki Systems Manager.

https://documentation.meraki.com/SM/Other_Topics/Using_Fast_Lane_with_Systems_Manager 

That does make sense. But our MDM is Microsoft Intune and it doesn't support pushing Fastlane QoS profiles like other MDMs do.

But even without an MDM, how do apps like FaceTime set QoS?

And when we have Fastlane disabled on the wireless network, we do see the Zoom app setting QoS.

GIdenJoe
Kind of a big deal

I've seen feedback since May that Intune still does not support the pushing of Fastlane, which is odd.

About the apps:
The apps, if programmed correctly (and big apps like Teams, FaceTime etc. are programmed correctly), always tag the appropriate traffic with the appropriate DSCP/CoS and 802.11e UP tagging. However, the OS rewrites the tags to 0 by default unless allowed by the profile.

So in the MDM application you can choose to allow all apps to retain their correct tagging or whitelist certain apps, and in this case the non-whitelisted apps will have their traffic rewritten to 0 before leaving the device.

I believe if you would use Apple Configurator on a single Apple device you can only have all apps retain their markings.

DanZ
Getting noticed

You may be right about needing the MDM to allow apps to set QoS. But I still don't get why some apps (Facetime) can set QoS without the MDM setting and others (Zoom) cannot. This app also sets QoS just fine without an MDM: https://apps.apple.com/us/app/fast-lane-qos/id1217974755

PhilipDAth
Kind of a big deal

Facetime - Made by Apple, built into the OS, ships with phone, you can't even remove it.

Zoom - None of the above.

https://apps.apple.com/us/app/fast-lane-qos/id1217974755 this Cisco app also can set QoS with no issue

GIdenJoe
Kind of a big deal

I just checked in my test dashboard and see that there is a separate section for Apple video/audio.

So there is a differentiation between native Apple apps and other App Store apps.

GIdenJoe_0-1605553825838.png

DanZ
Getting noticed

Interesting. So by default, without an MDM that can set QoS (which Microsoft cannot), iOS apps cannot mark QoS on a Fastlane network.

Native Apple apps are an exception. And the Cisco Fastlane test app also seems to be an exception.

Another thing not totally clear is how the SSID signals that it is a Fastlane network. On Cisco there is a dropdown option. Enabling this option:

2020-11-16_16-33-27-fastlane-cisco.png

Will do a bunch of stuff on the controller. Enables WMM, DSCP to 802.11e maps, an AVC profile, etc. On Meraki I think it is just on by default.

But some part of enabling it "tells" the clients that this is a Fastlane network I am assuming.

Bruce
Kind of a big deal

The management frames pass a piece of information that indicates that the network is Fastlane capable to the clients, and the clients make a similar indication to the AP - hence why the Dashboard can tell you if your client is Fastlane capable. So far as I know there is no way to turn off Fastlane on the Meraki wireless.

I just did some brief reading and it appears that when you enable Fastlane on an SSID on the Cisco controller it does a number of things, as you state, and one of these things is that it pushes a whitelist of applications to the Apple device that are authorised to apply upstream QoS markings - this potentially explains the change in the behaviour on the Cisco 1142 AP - without Fastlane enabled standard Wifi QoS is being used, when Fastlane is enabled the Apple device is restricting what applications can use upstream QoS marking.

I'm guessing this then extends to the Meraki world in that since Fastlane is always enabled the Apple device will always restrict the upstream QoS marking unless you use an MDM to provide the whitelist of which applications can be marked.

Reference: https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-3/Optimizing_WiFi_Connecti... (Page 11)

DanZ
Getting noticed

Just to close the loop on this.  It appears Microsoft Intune still does not support Fastlane whitelisting for Apps.  We had to open a case with Meraki to disable Fastlane on our network.  That was a change that support could make but we could not.

GIdenJoe
Kind of a big deal

In these times you are supposed to ENABLE Fastlane.
But in turn you need to add the wireless profile to your Apple devices via MDM or Apple Configurator.
Because now you have control over which apps may mark their traffic.

This is just the same on domain-joined Windows PCs: they need to be allowed to mark certain apps' traffic.
