C9800 QoS Configuration: Auto QoS, DSCP Mapping, and Wireless Profiles
Quality of Service (QoS) on the Catalyst 9800 wireless controller represents one of the most critical yet misunderstood operational domains for enterprise networks. You're operating in an environment where voice calls drop, video streams buffer, and background file transfers consume bandwidth that should be reserved for mission-critical applications. Without proper QoS configuration, your wireless network becomes a best-effort delivery system—fine for casual browsing, inadequate for business operations. This article walks you through the C9800's QoS architecture, DSCP mapping mechanisms, and the Auto QoS profiles that accelerate deployment while avoiding common configuration pitfalls.
Understanding 802.11e Wireless QoS Architecture
Before diving into C9800 configuration, you need to understand the foundation: IEEE 802.11e and Wi-Fi Multimedia (WMM). The wireless world doesn't use IP precedence or standard DSCP-to-queue mappings directly. Instead, 802.11e defines four Access Categories (ACs), each with distinct transmission priorities and channel access parameters:
- Voice (AC3): Highest priority, lowest latency. Used for VoIP, real-time protocols, and interactive applications. Typical DSCP values: EF (46), CS5 (40).
- Video (AC2): High priority, moderate latency tolerance. Used for video streaming, video conferencing. Typical DSCP values: AF41 (34), AF42 (36), AF43 (38).
- Best Effort (AC1): Normal priority. Standard data traffic, web browsing, email. DSCP 0-9.
- Background (AC0): Lowest priority. File backups, bulk transfers, non-critical traffic. DSCP 0-9.
The C9800 receives packets with DSCP markings (from applications, upstream network devices, or policy maps you configure) and must translate those DSCP values into 802.11e User Priority (UP) values, which then map to Access Categories. This translation layer is critical: misconfigure it, and voice traffic arrives marked as Background, losing all QoS benefits.
DSCP-to-User Priority Mapping on the C9800
The C9800 uses a fixed, hard-coded DSCP-to-UP mapping model called the Trust DSCP approach. This model operates in both directions: downstream (wired-to-wireless, traffic to clients) and upstream (wireless-to-wired, traffic from clients). When you configure QoS on the C9800, you're primarily defining how to classify, police, and set DSCP markings on traffic entering the wireless network. The device then automatically applies the Trust DSCP model to translate those DSCP values into 802.11e User Priority for transmission.
The RFC 8325 mapping (which the C9800 implements) assigns UP values based on DSCP codepoints:
| DSCP Value | DSCP Name | User Priority (UP) | Access Category |
|---|---|---|---|
| 46 | EF (Expedited Forwarding) | 5 | Voice (AC3) |
| 40, 32 | CS5, CS4 | 5, 4 | Voice, Video |
| 34, 36, 38 | AF41, AF42, AF43 | 4 | Video (AC2) |
| 26, 28, 30 | AF31, AF32, AF33 | 3 | Video (AC2) |
| 18, 20, 22 | AF21, AF22, AF23 | 2 | Best Effort (AC1) |
| 10, 12, 14 | AF11, AF12, AF13 | 1 | Best Effort (AC1) |
| 0-9, 11, 13, 15 | Default, CS0 | 0 | Background (AC0) |
Understanding this table is essential. If you want to guarantee voice quality, your voice packets must arrive at the C9800 with DSCP EF (46) or CS5 (40). If they arrive with no DSCP marking (0), they land in Background and compete with torrent downloads. This creates a dependency on upstream marking: applications must mark, or your border router must mark, or the C9800 must mark on ingress. The C9800 provides all three mechanisms via policy maps.
QoS Policy Architecture: Modular QoS CLI (MQC)
The C9800 uses Modular QoS CLI (MQC), the same architecture you use on ISR routers and Nexus switches. MQC consists of three building blocks:
- Class-maps: Define traffic classification rules (match DSCP, match protocols, match application names via NBAR2).
- Policy-maps: Define actions on matched traffic (set DSCP, police rate, drop, guarantee bandwidth).
- Service-policies: Apply policy-maps to specific targets (SSID ingress, SSID egress, per-client, per-radio).
On the C9800, you define QoS targets—the ingress and egress points where policies attach. For wireless, the primary targets are:
- SSID Ingress: Traffic arriving at the controller destined for clients on a specific SSID. Apply policies here to classify and mark traffic before it hits the radio.
- SSID Egress: Traffic generated by clients on a specific SSID, traveling upstream to the network. Apply policies here to police client-generated traffic.
- Client Ingress/Egress: Per-client policies (advanced, used for specific high-value applications or SLAs).
The C9800's QoS feature set differs from wired switches. You cannot apply ingress DSCP policing on wireless targets (you can only police on egress). You can set, drop, or shape traffic, but not all actions are available in all modes. Local mode supports set and police; FlexConnect mode supports set only (policing happens at the AP). Understanding this constraint shapes your deployment strategy.
Metal QoS Profiles: Platinum, Gold, Silver, Bronze
Cisco provides four predefined Metal QoS profiles—visual metaphors for application priority tiers. Each profile comes with a ceiling DSCP value, meaning the C9800 will not promote traffic above that DSCP level, even if applications or upstream devices set higher values. The ceiling prevents a misbehaving application from consuming Voice-priority bandwidth.
| Metal Profile | Ceiling DSCP | Use Case | Access Categories |
|---|---|---|---|
| Platinum | 46 (EF) | Voice, real-time, interactive | Voice (AC3), Video (AC2) |
| Gold | 34 (AF41) | Video, critical data | Video (AC2) |
| Silver | 22 (AF22) | Standard data, web, email | Best Effort (AC1) |
| Bronze | 8 (AF11) | Background, non-critical | Background (AC0) |
When you configure a Metal profile for an SSID or client, the C9800 applies a policy-map that sets the ceiling DSCP. If a client on a Silver SSID generates traffic marked DSCP 46 (EF, Voice), the C9800 will police it down to DSCP 22 (AF22, Video) because Silver's ceiling is 34 (AF41). This prevents executive assistants from accidentally claiming Voice priority and degrading actual voice calls. The profile acts as a guardrail against misconfiguration and misuse.
Auto QoS Profiles: Voice, Guest, Enterprise, Fastlane
Manually building class-maps, policy-maps, and service-policies for every SSID is labor-intensive and error-prone. Cisco's Auto QoS feature eliminates this by providing four predefined profiles, each with built-in ingress and egress policies. You select a profile, apply it to an SSID, and the C9800 handles the rest.
| Auto QoS Profile | SSID Ingress | SSID Egress | Port Egress | Radio Config |
|---|---|---|---|---|
| Voice | Platinum ceiling, ingress mark EF (46) | Platinum ceiling, police to guarantee bandwidth | Set DSCP EF, police egress | WMM enabled, EDCA Voice optimized |
| Guest | Bronze ceiling, ingress mark AF11 (8) | Bronze ceiling, no policing | No specific mark | WMM enabled, basic QoS |
| Enterprise | Silver ceiling, ingress classification by NBAR2 | Silver ceiling, police to rate-limit | No specific mark | WMM enabled, standard EDCA |
| Fastlane | Platinum ceiling, ingress recognition of Apple video calls | Platinum ceiling, egress guarantee | Set DSCP AF41 (34), guarantee bandwidth | WMM enabled, Fastlane+ Apple-optimized |
Voice profile suits dedicated VoIP SSIDs; Guest suits open networks where you allow connectivity but don't guarantee performance; Enterprise provides balanced QoS with NBAR2 application awareness; Fastlane optimizes specifically for Apple devices running Teams, Zoom, and FaceTime. You can also mix Auto QoS profiles across your controller, applying Voice to one SSID and Enterprise to another, since the profiles are configured at the SSID level and don't interfere with each other.
Fastlane and Fastlane+ for Apple Devices
Apple devices (iPhones, iPads, Macs) present a unique challenge: their built-in video calls (FaceTime, Teams) generate variable-rate streams that can starve on congested networks. Cisco's Fastlane (and the newer Fastlane+) profiles address this by recognizing Apple traffic and guaranteeing it Platinum priority.
Fastlane+ goes further. It leverages 802.11ax Buffer Status Report (BSR) to allow Apple devices to signal their buffer state to the access point. The AP then adjusts transmission timing to avoid excessive retransmissions, reducing latency and improving call quality. Fastlane+ requires both the C9800 and the AP to support 802.11ax (Wi-Fi 6); older 802.11ac hardware falls back to standard Fastlane.
Enabling Fastlane+ is straightforward: create an SSID, apply the Fastlane Auto QoS profile, and the C9800 automatically configures ingress recognition of Apple traffic (via NBAR2), sets DSCP to AF41 (Gold priority), and configures the radio for Fastlane+ parameters. No manual EDCA tuning required. This is a significant operational win for organizations heavily dependent on Apple devices.
EDCA Parameters and Radio-Level QoS Configuration
The Access Point (AP) enforces the actual Access Category priorities using Enhanced Distributed Channel Access (EDCA) parameters. These parameters define contention windows, transmission opportunities (TXOP), and inter-frame spacing for each Access Category. The C9800 pushes EDCA configurations to APs via the control plane.
Viewing current EDCA parameters on an AP requires the show controllers dotlRadio command (executed from the AP's CLI, not the controller). A typical output shows:
AP# show controllers dot11Radio 1 virtual
Dot11Radio1 EDCA Configuration:
AC_VO (Voice):
CWmin: 3 (2^3 - 1 = 7 slots)
CWmax: 7 (2^7 - 1 = 127 slots)
AIFSN: 2
TXOP: 3008 microseconds
AC_VI (Video):
CWmin: 7 (2^7 - 1 = 127 slots)
CWmax: 15 (2^15 - 1 = 32767 slots)
AIFSN: 2
TXOP: 6016 microseconds
AC_BE (Best Effort):
CWmin: 15 (2^15 - 1 = 32767 slots)
CWmax: 1023 (2^10 - 1 = 1023 slots)
AIFSN: 3
TXOP: 0 microseconds
AC_BK (Background):
CWmin: 15 (2^15 - 1 = 32767 slots)
CWmax: 1023 (2^10 - 1 = 1023 slots)
AIFSN: 7
TXOP: 0 microseconds
Voice has the smallest contention window (CWmin=3, meaning 7 random slots to defer), the shortest deferral time (AIFSN=2), and the highest transmission opportunity (TXOP=3008 microseconds). Background has the largest contention window (CWmin=15, 32767 slots) and longest deferral (AIFSN=7), losing almost every contention on the channel. These parameters are set by the C9800 when you apply Auto QoS profiles or manually configure EDCA. Unless you have highly specific use cases, the defaults work well.
Configuring QoS on an SSID: Step-by-Step Walkthrough
Here's a practical configuration example. Assume you're deploying an Enterprise SSID called "Corporate" and you want to apply Auto QoS with standard policing.
Step 1: Create the SSID and apply Auto QoS
C9800(config)# wireless tag policy my-policy
C9800(config-wireless-tag-policy)# service-policy input enterprise-policy
C9800(config-wireless-tag-policy)# service-policy output enterprise-policy
C9800(config-wireless-tag-policy)# exit
C9800(config)# wlan Corporate 1
C9800(config-wlan)# ssid Corporate
C9800(config-wlan)# security wpa2 psk ascii MyPassword123
C9800(config-wlan)# qos-profile silver
C9800(config-wlan)# no shutdown
C9800(config-wlan)# exit
The qos-profile command applies the Metal profile (silver, in this case, meaning AF22 ceiling). If you want Auto QoS instead, replace it with auto-qos-profile enterprise.
Step 2: Verify QoS Policy Application
C9800# show wlan id 1 summary
WLAN ID: 1
Profile Name: Corporate
Status: Enabled
Security: WPA2-PSK
QoS Policy Applied: Silver (Ceiling DSCP 22)
C9800# show policy-map interface Wlan-Vlan100 input
Service-policy input: silver-policy
Class-map: voice-traffic (match-any)
Match: dscp 46
Set: dscp 22 (down-mark to Silver ceiling)
Packets: 1234, Bytes: 567890
Class-map: class-default (match-any)
Set: dscp 22
Packets: 5678, Bytes: 9876543
This output confirms the SSID has Silver QoS applied and the policy-map is translating incoming traffic to the Silver ceiling.
Step 3: Monitor Traffic and Verify Mapping
C9800# show queuing interface Wlan-Vlan100
Interface Wlan-Vlan100 (SSID: Corporate)
Output Queue Statistics:
Voice (AC3): 45 packets, 12340 bytes, 0 drops
Video (AC2): 234 packets, 567890 bytes, 12 drops
Best Effort (AC1): 1234 packets, 9876543 bytes, 45 drops
Background (AC0): 567 packets, 234567 bytes, 123 drops
Monitor this output regularly. If Video is showing drops while Background is not, your policy is working—high-priority traffic gets queued preferentially. If all queues show equal drops, your QoS isn't having effect, indicating a configuration issue.
Advanced QoS with Application Visibility and Control (AVC)
The Cisco Network-Based Application Recognition (NBAR2) engine in the C9800 enables Application Visibility and Control (AVC). Instead of classifying by DSCP alone, you can classify by application signature (Zoom, Microsoft Teams, Facebook, BitTorrent, etc.). This is powerful for organizations that want fine-grained control without relying on applications or upstream devices to mark traffic.
Example: Restrict all BitTorrent to Bronze QoS, even if the application claims Voice priority.
C9800(config)# class-map match-any file-sharing
C9800(config-cmap)# match application bittorrent
C9800(config-cmap)# match application direct-connect
C9800(config-cmap)# exit
C9800(config)# policy-map enforce-bronze
C9800(config-pmap)# class file-sharing
C9800(config-pmap-c)# set dscp 8
C9800(config-pmap-c)# police 1000000 bps
C9800(config-pmap-c)# exit
C9800(config-pmap)# class class-default
C9800(config-pmap-c)# set dscp 0
C9800(config-pmap-c)# exit
C9800(config-pmap)# exit
C9800(config)# wlan OpenNet 5
C9800(config-wlan)# ssid OpenNet
C9800(config-wlan)# service-policy input enforce-bronze
C9800(config-wlan)# exit
Now any BitTorrent traffic on the OpenNet SSID is marked DSCP 8 (Bronze ceiling) and policed to 1 Mbps, preventing it from consuming bandwidth. All other traffic on the SSID gets DSCP 0 (Background). This approach scales well when you want application-aware policies without deploying a full DPI/SSL-inspection system.
Voice and Video Best Practices: Deployment Patterns
Real-world QoS deployments follow patterns that balance configuration complexity with operational reality. Here are three common scenarios:
Scenario 1: Dedicated Voice SSID
Organizations with 50+ active voice users often deploy a dedicated VoIP SSID ("VoIPNet") with Voice Auto QoS profile, separate from the general data SSID. This provides absolute isolation: only registered VoIP phones connect to VoIPNet, and the C9800 guarantees Platinum priority to all traffic on that SSID. Downside: requires VoIP phones to support multiple SSIDs or you need a guest password shared with the VoIP team. Benefit: voice quality is predictable and not affected by guest browsing or corporate updates.
C9800(config)# wlan VoIPNet 10
C9800(config-wlan)# ssid VoIPNet
C9800(config-wlan)# auto-qos-profile voice
C9800(config-wlan)# exit
Scenario 2: Single SSID with Metal Profiles
Many organizations use one SSID for all traffic and apply a Silver or Gold metal profile, relying on upstream marking (border router, user device OS) to set DSCP. Clients send packets, the border router or firewall marks them based on application or user identity, and the C9800 honors the marking (up to the ceiling). This requires upstream QoS discipline but avoids multiple SSIDs and associated management overhead.
C9800(config)# wlan Corporate 2
C9800(config-wlan)# ssid Corporate
C9800(config-wlan)# qos-profile gold
C9800(config-wlan)# exit
Scenario 3: Hybrid with NBAR2 Classification
Modern deployments combine upstream DSCP marking with NBAR2 application recognition on the C9800. Legitimate business applications (Office 365, Salesforce, Teams) are prioritized via NBAR2 matches; unknown applications default to Best Effort or Background. This catches both marked traffic (from upstream) and unmarked traffic (from new apps or misconfigured clients).
C9800(config)# class-map match-any critical-apps
C9800(config-cmap)# match application office-365
C9800(config-cmap)# match application salesforce
C9800(config-cmap)# match application microsoft-teams
C9800(config-cmap)# exit
C9800(config)# policy-map hybrid-qos
C9800(config-pmap)# class critical-apps
C9800(config-pmap-c)# set dscp 34
C9800(config-pmap-c)# exit
C9800(config-pmap)# class class-default
C9800(config-pmap-c)# trust dscp
C9800(config-pmap-c)# exit
C9800(config-pmap)# exit
C9800(config)# wlan Enterprise 3
C9800(config-wlan)# ssid Enterprise
C9800(config-wlan)# service-policy input hybrid-qos
C9800(config-wlan)# qos-profile silver
C9800(config-wlan)# exit
In this setup, Teams traffic gets DSCP 34 (Video/Gold) from the class-map match, upstream-marked traffic is trusted as-is (but capped at Silver ceiling), and everything else defaults to Background.
Verification and Troubleshooting: Key Commands
When QoS isn't performing, use these commands to diagnose:
! View SSID QoS configuration
C9800# show wlan id WLAN-ID summary
! View current policy-map attached to an SSID
C9800# show policy-map interface Wlan-VlanX input
C9800# show policy-map interface Wlan-VlanX output
! View queuing statistics (packets and drops per Access Category)
C9800# show queuing interface Wlan-VlanX
C9800# show queuing interface Wlan-VlanX | include Voice|Video|drops
! View client QoS statistics (per-device)
C9800# show wireless client {mac-address} detail | include QoS|DSCP
! View EDCA parameters on the AP (execute from AP CLI)
AP# show controllers dot11Radio 1 virtual | include EDCA|CWmin|AIFSN
! View DSCP markings on egress traffic
C9800# show policy-map interface Wlan-VlanX output
! View dropped packets and mark translations
C9800# show policy-map interface Wlan-VlanX input detail
! Verify auto-qos profile application
C9800# show running-config | include auto-qos-profile|qos-profile
A systematic troubleshooting approach: First, confirm the SSID has QoS enabled (show wlan id). Next, verify the policy-map is attached and showing statistics (show policy-map interface). Then check for excessive drops in low-priority queues (show queuing), which indicates congestion but correct prioritization. Finally, if voice is still poor, verify EDCA parameters on the AP match the QoS profile (show controllers dotlRadio). If EDCA is default and you applied Voice QoS, the configuration didn't push to the AP—check AP registration and controller-AP connectivity.
Key Takeaways: Design and Implementation Guidelines
Quality of Service on the Catalyst 9800 is achievable but requires understanding the full stack: 802.11e Access Categories, DSCP-to-UP mapping, MQC policy architecture, and radio-level EDCA configuration. Here are the critical points to retain:
- Wireless QoS depends on DSCP marking. If packets arrive with DSCP 0, they land in Background regardless of policy. Mark upstream, or mark at ingress on the C9800.
- Metal profiles are guardrails. Apply Silver or Gold to general SSIDs to prevent misbehaving applications from claiming Voice priority and degrading actual voice calls.
- Auto QoS profiles accelerate deployment. Voice, Guest, Enterprise, and Fastlane profiles eliminate manual class-map and policy-map configuration. Use them whenever they match your use case.
- NBAR2 classification scales. For hybrid DSCP + application-aware QoS, use NBAR2 to match critical applications and set their DSCP, then trust upstream marking for everything else (capped by metal ceiling).
- Monitor drops, not just packets. Drops in high-priority queues indicate misconfiguration or insufficient capacity. Drops in low-priority queues indicate working QoS.
- EDCA parameters cascade from controller to AP. When you apply QoS profiles on the C9800, the controller pushes EDCA to APs. Verify via show controllers dotlRadio on the AP; if EDCA doesn't change, check AP registration status.
- Fastlane+ for Apple is hands-off. If your organization relies on Apple FaceTime or Teams, apply the Fastlane profile to an SSID and let the C9800 handle recognition and prioritization. No manual tuning needed.
- Test with real traffic. Configure QoS in a test WLAN first, run voice calls and video streams, and verify via show queuing and show policy-map. Only then roll to production.
The C9800's QoS architecture is comprehensive, but the complexity lies not in the commands—they're straightforward—but in understanding the flow of DSCP values, Access Categories, and policy interactions. By mapping your application requirements to Metal profiles, leveraging Auto QoS where applicable, and validating with show commands, you'll deploy wireless QoS that actually delivers performance guarantees your business depends on.