Quality of Service (QoS) is one of those topics that can sound simple on paper but becomes tricky when you test it on real gear. In this post, we’ll walk step-by-step through setting up a small QoS lab using a router, a firewall, and two endpoint hosts — then validating the policy using iperf3.
The goal is to simulate prioritized application traffic (like voice), apply QoS policies on a router, enforce security boundaries on a firewall, and prove that marking, queuing, and shaping behave the way we expect.
1. Installing iperf3 on Linux (Ubuntu/Kali/Debian)
iperf3 is an excellent tool for generating test traffic such as:
- UDP voice-like flows (EF/DSCP 46)
- AF21/SSH-class traffic
- Bulk TCP throughput for congestion testing
sudo apt update
sudo apt install iperf3
2. Setting Up iperf3 on Two Hosts (Server + Client)
Place the two hosts at different ends of your test network — one behind the router and the other behind the firewall. This forces traffic to traverse both devices and allows you to see QoS classifications, drops, and shaping on the router.
iperf3 -s -p 16384
iperf3 -c <Server-IP> -p 16384 -u -b 200k --tos 0xb8 -t 20 -V
-c <Server-IP> points the client at the host running iperf3 -s
-u runs a UDP test (the control connection that sets the test up is still TCP, on the same port)
-b 200k holds the stream at 200 kbit/s, a voice-codec-scale rate
--tos 0xb8 sets the TOS byte to 0xb8, which is DSCP 46 (EF) in its top six bits (46 << 2 = 184 = 0xb8); passing --tos 46 by mistake would mark DSCP 11, and newer iperf3 releases also accept --dscp 46
-t 20 runs the stream for 20 seconds; -V prints verbose per-interval detail
-p uses a custom port that we will allow through the firewall; the server must listen on the same port
3. Opening Firewall Ports (Hardware Firewall + Linux UFW)
On the hardware firewall:
Allow these in both directions:
TCP port 16384
UDP port 16384
sudo ufw allow 16384/tcp
sudo ufw allow 16384/udp
iperf3 always opens a TCP control connection first, even for a UDP test, so TCP 16384 must pass or the client fails to connect outright. If only UDP is blocked, the control handshake succeeds but the datagrams never reach the server, and the run shows up as lost traffic rather than a clean connection error. On a stateful firewall a single rule permitting the client-to-server direction is enough, since return traffic is matched by state.
4. Configuring QoS on a Cisco Router
QoS is configured in two places:
- Ingress — where you classify and optionally re-mark packets
- Egress — where you queue and shape traffic
In a lab, apply the QoS policies on the LAN-side interfaces rather than the WAN link.
A gigabit LAN interface never congests on its own, so the egress shaper below is what creates the bottleneck; that gives predictable, repeatable congestion without an ISP in the path.
4.1 Ingress: Marking or Normalizing Traffic
To prevent users (or test hosts) from spoofing DSCP values, you can reset DSCP markings on ingress, except for trusted testing hosts. Note that trust here is decided by source IP address in an ACL, which an untrusted host on the same segment can forge; treat it as a lab convenience and pair it with anti-spoofing filters in production.
Example: Classify trusted vs untrusted hosts
ip access-list extended ACL_TRUSTED
permit ip host <Trusted-Host-1> any
permit ip host <Trusted-Host-2> any
class-map match-any TRUSTED-HOSTS
match access-group name ACL_TRUSTED
Policy: preserve DSCP for trusted hosts, reset everyone else
policy-map MARKING-CONTROL
class TRUSTED-HOSTS
! No set command, so DSCP is preserved
class class-default
! Strip unwanted markings from everyone else
set dscp default
interface GigabitEthernet0/0
service-policy input MARKING-CONTROL
4.2 Egress: Priority Queuing + Shaping
This is where Cisco QoS actually enforces:
- Priority (LLQ) for voice
- Bandwidth guarantees
- Shaping
Classify EF (voice), AF21 (SSH), etc.
class-map match-any VOICE
match dscp ef
class-map match-any SSH
match dscp af21
policy-map QOS-LAB
class VOICE
priority percent 10
class SSH
bandwidth percent 20
class class-default
fair-queue
policy-map OUT-SHAPER
class class-default
shape average 2000000 20000 20000
service-policy QOS-LAB
interface GigabitEthernet0/1
service-policy output OUT-SHAPER
OUT-SHAPER is a parent policy that shapes all egress traffic on Gi0/1 to 2 Mbit/s (CIR 2,000,000 bit/s, Bc and Be of 20,000 bits) and hands the shaped queue to QOS-LAB as a child policy, so the child's percentages are taken from 2 Mbit/s, not from the gigabit line rate. That makes the VOICE allocation 10% of 2 Mbit/s = 200 kbit/s, the same figure as the test stream's -b 200k, and iperf3 counts payload only, so IP/UDP headers push the on-wire rate above it. LLQ polices the priority class to its allocation once the interface is congested, so leave headroom (for example priority percent 20, or a lower -b) before reading drops in VOICE as a policy bug.
5. Testing and Validating QoS
This is where the magic happens.
Use iperf3 to generate a known, marked stream and watch the egress counters on the router:
iperf3 -c <Server-IP> -p 16384 -u -b 200k --tos 0xb8 -t 20 -V
show policy-map interface GigabitEthernet0/1
Before the test starts you'll see:
- Zero packets in the VOICE class
- No drops
- No queueing
While the test is running the VOICE class should increment, and its packet count should track what iperf3 reports sending. If it stays at zero, the marking was stripped upstream (check the ingress policy and the trusted-host ACL) or the client is not sending the right TOS byte.
A lone 200 kbit/s stream will not fill the 2 Mbit/s shaper, so to see the policy under load also run an unmarked bulk TCP iperf3 test at the same time; it lands in class-default and creates the congestion.
VOICE should then remain clean (no queue drops, "b/w exceed drops: 0") while lower-priority classes see:
- Increased queue depth
- Drops in class-default
- Shaping in effect (the parent class's output rate held at the 2 Mbit/s target)
This is your confirmation that QoS is working end-to-end.
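To make the validation repeatable, here is an added shell example (not code from the original post) that computes the TOS byte for a DSCP value, prints the client commands for one test run including the competing bulk TCP flow, and parses a saved copy of show policy-map interface output for per-class drops. The server address, the second port, the function names and the sample router output are all constructed for this example; the sample only approximates the IOS layout, so check the field names against your own router before trusting the parser on it.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed/constructed: the server
# address and ports passed in, the function names, and the sample router
# output below (an approximation of IOS "show policy-map interface" text).

# DSCP occupies the top six bits of the TOS byte, so TOS = DSCP << 2.
# 46 (EF) -> 0xb8, 18 (AF21) -> 0x48. Passing "--tos 46" by mistake would
# mark DSCP 11, which matches neither class on the router.
dscp_to_tos() {
    printf '0x%02x' $(( $1 << 2 ))
}

# Client commands for one run: the marked UDP "voice" stream and an unmarked
# bulk TCP flow that lands in class-default and fills the 2 Mbit/s shaper.
# An iperf3 server runs one test at a time, so the bulk flow needs a second
# "iperf3 -s -p <bulk_port>" and that port opened on the firewall as well.
iperf_client_cmds() {
    server="$1"; voice_port="$2"; bulk_port="$3"
    printf 'iperf3 -c %s -p %s -u -b 200k --tos %s -t 20 -V\n' \
        "$server" "$voice_port" "$(dscp_to_tos 46)"
    printf 'iperf3 -c %s -p %s -P 4 -t 20\n' "$server" "$bulk_port"
}

# Reads "show policy-map interface" text on stdin and prints one line per
# class: POLICY/CLASS total_queue_drops llq_exceed_drops. Keying by policy
# keeps the parent shaper's class-default apart from the child's.
policy_drop_summary() {
    awk '
        /Service-policy/     { policy = $NF }
        /Class-map:/         { key = policy "/" $2; order[++n] = key; qd[key] = 0; ex[key] = 0 }
        /total drops/        { split($NF, f, "/"); qd[key] += f[2] }
        /b\/w exceed drops:/ { ex[key] += $NF + 0 }
        END { for (i = 1; i <= n; i++) printf "%s %d %d\n", order[i], qd[order[i]], ex[order[i]] }
    '
}

# Exit 0 when the VOICE class shows neither queue drops nor LLQ policer drops.
voice_class_clean() {
    policy_drop_summary | awk '
        BEGIN { bad = 0 }
        $1 ~ /\/VOICE$/ && ($2 + $3) > 0 { bad = 1 }
        END { exit bad }
    '
}

# Constructed sample: VOICE clean, child class-default dropping under the shaper.
sample_policy_output() {
cat <<'EOF'
GigabitEthernet0/1

  Service-policy output: OUT-SHAPER

    Class-map: class-default (match-any)
      31890 packets, 40250120 bytes
      5 minute offered rate 9000000 bps, drop rate 4000000 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 31890/40250120
      shape (average) cir 2000000, bc 20000, be 20000
      target shape rate 2000000

      Service-policy : QOS-LAB

        Class-map: VOICE (match-any)
          1010 packets, 121200 bytes
          5 minute offered rate 200000 bps, drop rate 0000 bps
          Match:  dscp ef (46)
          Priority: 10% (200 kbps), burst bytes 5000, b/w exceed drops: 0

        Class-map: SSH (match-any)
          0 packets, 0 bytes
          Match:  dscp af21 (18)
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          bandwidth 20% (400 kbps)

        Class-map: class-default (match-any)
          30880 packets, 40128920 bytes
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 41/120/0
          (pkts output/bytes output) 30760/39972000
EOF
}

iperf_client_cmds 10.0.2.10 16384 16385
sample_policy_output | policy_drop_summary
if sample_policy_output | voice_class_clean; then
    echo "VOICE class clean"
else
    echo "VOICE class saw drops: compare priority percent with the stream rate"
fi
```

On a real router, replace sample_policy_output with the saved output of show policy-map interface GigabitEthernet0/1 (for example via ssh and a redirect to a file) and run the file through policy_drop_summary before and after the test; the difference in the QOS-LAB/class-default drop column is the congestion the bulk flow produced, and the VOICE row should stay at 0 0.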
Conclusion
This small lab demonstrates everything a network engineer needs to validate QoS:
- Installing and using iperf3
- Allowing both TCP and UDP through firewalls
- Configuring marking and de-marking policies
- Building priority and shaping policies
- Applying QoS at the correct interfaces
- Verifying behavior with real traffic and router counters
QoS becomes significantly easier to understand when you can watch it classify and prioritize real flows. With two hosts, a router, and a firewall, you can reproduce most WAN QoS behaviors without touching your live network.
(Grammar edited by AI)
