Wireless rate limit

Hi,
My network infrastructure as simple as following:
LAN(edge switches 3560).......>Aggregator switch(3750)........>Firewall(ASA 5510)........>Router.......>Internet
I define 3 wireless VLANs with 3 SSIDs on the Aggregator switch(3750):
1. one SSID for company employees.
2. one SSID for wireless IP phones.
3. one SSID for company guest which access only internet.
And the wireless APs connected to the LAN(edge switches) direct with trunks.
My question is how to apply a rate limit for SSID for company guest to access internet with B.W. of 128kbps only.
I tried policy map to be applied on the aggregator switch(3750) on the VLAN interface, but, it is not working.
So, any suggested help, please.

Hi Ahmed:
With autonomous APs, rate limiting isn't possible.  All the autonomous APs support is QoS and that's pretty iffy.  At the core of the issue, you're dealing with radio waves and which ones arrive at the radio first, and who was prevented from talking because someone else was talking.  Dealing with these QoS and traffic shaping/policing issues are really tough with wireless because the transmission medium itself is unreliable.
The "Configuring QoS" chapter of the autonomous AP configuration guide
  http://tools.cisco.com/squish/5aCf1
will show you how you can map priority tagging to an SSID so that in that path from radio receiver to outbound on the fastethernet interface toward the rest of the network, you can control which SSID's packets get up into the network first, but the reverse path is a different story.  Because the wireless medium is half-duplex acknowledged, you can have a high priority packet out there on the radio interface trying to be beamed out to the client, and if the client isn't sending their ACK or what have you, it's going to sit and retry until its 63 retries are done before it gets out of the way to let the next high priority packet have a turn at getting transmitted out.
Once the traffic gets past the edge switch, the fact that it was at one time wireless is irrelevant.  You should look at it as a general "rate limiting one VLAN's traffic over another" and check with the routing protocols or traffic shaping folks.
Sincerely,
Rollin Kibbe
Network Management Systems Team

Similar Messages

  • Per user bandwidth rate limit.

                       How to configure per user bandwidth rate limit for wireless guest client, authentication server is ISE 1.2 & wireless controller is 5760.

    The Cisco 5760 WLC supports better QoS than other c
    ontrollers, allowing prioritization of mission-crit
    ical
    applications:

    The Cisco 5760 WLC supports four wireless hardware
    queues and priority-based queuing compared to
    software-based queuing in existing controllers.

    The Cisco 5760 WLC follows MQC based commands, allo
    wing usage of exact commands for configuring
    QoS on different types of network devices.

    The Cisco 5760 WLC supports QoS policies to be appl
    ied in a hierarchical fashion with more granularity
    per SSID per radio, while on the current controller
    s granularity is per WLAN.

    The Cisco 5760 WLC supports approximate fair bandwi
    dth to make sure of fairness at client, SSID, and
    radio levels for Non-Real Time (NRT) traffic. There
    fore, if one user consumes excessive bandwidth, we
    can
    limit the amount of bandwidth that user receives an
    d thereby not deprive other users.

  • WLC 5508 and Anchor/GuestNet rate limit traffic?

    Running WLCs 5508s 7.0.116.0 with GuestNet and Anchor setup, how can I limit the bandwidth on the GuestNet SSDI to 2 Mbps, etc?
    The DMZ WLC (Anchor) runs thru a ASA 5508 7x, can I rate limit traffic via ASA?

    That's really a matter of preference.  This document describes things to keep in mind when altering these QoS profile configurations, FYI.
    http://www.cisco.com/en/US/partner/docs/wireless/controller/7.0MR1/configuration/guide/cg_controller_setting.html#wp1254532
    It really depends on how many guests, what type of traffic, etc, to make a judgement call as to where you should set these.  I'm sorry but I don't have any examples from existing configurations, but hopefully the document explains how to best alter these settings.

  • WLC user rate limit on guest ssid anchor controller

    Hi,
    I have been looking through the forums & some cisco documents but not found a good example similar to what I am seeking to do so now I am turning to the expertise of my peers.
    We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ.
    Both the foreign and anchor controller are here at my location.
    I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid.
    As you know this traffic is encapsulated in capwap between the AP and the controller so I cant use a standard ACL on the switch or router.
    We are trying to keep the guest internet access usage in check on the T1 at any given site so the other ssid's & local lan traffic is not overly competing for the bandwidth.
    I found the place to edit the default profiles in the controller but the documentation really isnt clear on best practices.
    So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
    Thanks guys!           
    Oh and here is my hardware & software levels.
    5508wlc - forgeign
    4402wlc - anchor
    Software Version
    7.0.230.0

    Amjad,
    Thank you for taking the time to respond as well as the document link.
    It was pretty clear on the steps and what it would impact.
    Two things that push me for a different solution (assuming their is one).
    Note The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).
    As you can see from the above note taken out of the linked document the roll based rate limit doesnt really rate limit the T1 traffic any guest user consumes it only limits usage from the AP down to the client.
    #1 I am looking for a solution that limits the users up & down streams (if possible) & also before it leaves the AP for the T1.
    The idea is to limit WAN utilization.
    #2 I read in the forums here others asking about the "user role" and saw some comments saying it is not considered "best practice" to use user roles.
    Let me clarify that our guest ssid's are using the http webpage pass through for authentication and it is really only the tic mark to indicate they understand the terms and conditions of using our internet as a guest service. No actual user accounts are used on the guest ssid's.
    ***One last question about this and any other changes***
    Will any change I make be on the "Foreign, Anchor" or both Controllers?

  • Service-Policy Or Bandwidth Rate Limit for IP

    Hii Netpros,
    Is this possible to configure the Service Policy(for Bandwidth) or Bandwidth Rate Limit for Single IP. For eg: If we want to configure the Service Policy(for Bandwidth) or Bandwidth Rate Limit of 2Mb for only IP " 10.10.10.3" on network  i.e the Host or device which is configured with this IP can access upto 2Mb only.
    Actual Network :-   We need this to configure this for wireless customers, Actually we have created one Vlan 2 (IP:- 10.10.10.1/29 @ our end router) , 10.10.10.2 on Basestation wiresss device (Vlan 2 allowed on this wireless device) and this wireless device is working as point to multipoint wireless. i.e 2 or more then 2 wireless customers or last mile will connect to this basestation wireless.  Wireless customer-1 is 10.10.10.3 (2Mb bandwidth)  and Wireless Customer-2  10.10.10.4 (512Kb).
    Hence we require to limit the bandwidth for this 2 wireless customers having different bandwidth. how to acheive & control bandwidth @ our end router for them. please suggest.
    Thanks

    This topic is probably better suited in another Infrastructure forum, but I suppose it depends on which features are supported by your Cisco hardware and software. This doc discusses a variety of options:
    http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpolsh.html
    For example, with the older CAR (committed access rate) approach:
    interface FastEthernet5/0
         rate-limit input access-group 101 20000000 [normal burst size] [excess burst size] conform-action transmit exceed-action drop
         rate-limit input access-group 102 5120000 [normal burst size] [excess burst size] conform-action transmit exceed-action drop
    access-list 101 permit ip 10.10.10.3 0.0.0.0
    access-list 102 permit ip 10.10.10.4 0.0.0.0
    You can observe CAR in action with "show interfaces fa5/0 rate-limit" for example.

  • Rate-limit for some MAC on aironet 1231

    Hello!
    I need to set rate-limit for some mac addresses on access point aironet 1231.Is it possible?
    If no, what ios or devices can do it?
    Thanks.

    No there is no option for rate-limit in Aironet but in controller, Rate-limiting is applicable to all traffic destined to the CPU from either direction (wireless or wired). Cisco recommends that you always run the controller with the default config advanced rate enable command in effect in order to rate-limit traffic to the controller and protect against denial-of-service (DoS) attacks. You can use the config advanced rate disable command to stop rate-limiting of Internet Control Message Protocol (ICMP) echo responses for testing purposes.

  • Possible to rate limit console input?

    I built a tool that allows us to input device information such as IP, VLAN, etc, etc and this tool builds the entire config file that can be pasted into a switch/router.  The problem is that when I start getting down near the banner and motd sections, the console cannot keep up with the input and it drops lines of input.
    Is there a way to rate limit the input when large configs are pasted into con 0?

    I built a tool that allows us to input device information such as IP, VLAN, etc, etc and this tool builds the entire config file that can be pasted into a switch/router.  The problem is that when I start getting down near the banner and motd sections, the console cannot keep up with the input and it drops lines of input.
    Is there a way to rate limit the input when large configs are pasted into con 0?

  • Bandwidth Rate-Limit -w- WWR-Queue

    How would one convert a layer-2 port's "switchport rate-limit" bandwidth statement, on a 6509 -w- WS-X6748-SFP ports, to a routed/layer-3 "wrr-queue" bandwidth statement policy? Basically trying to hard-core the port's speed to 20MB.  Current/tested layer-2 port bandwidth setting:
    rate-limit input 20000000 5000 5000 conform-action transmit exceed-action drop
    rate-limit output 20000000 5000 5000 conform-action transmit exceed-action drop
    Got lost in how to use/configure all WRR's four queues... just need to limit the port's bandwidth to 20MB.  Any suggestions would be appreciated.
    Thanks, Kevin

    1) Enabled QoS globally...
    2960(config)#mls qos
    2) Configure an ACL to define the matched traffic...
    2960(config)#access-list 111 permit ip any any
    3) Configure a class map for the matched traffic...
    2960(config)#class-map traffic
    2960(config-cmap)#match access 111
    4) Configure a policy-map to define action...
    2960(config)#policy-map Control
    2960(config-pmap)#class traffic
    2960(config-pmap-c)#police 10000000 8000 exceed-action drop
    5) Attached the policy-map to the interface.
    a) Example
    -In this case, I'll attach the policy map to port_1....
    2960(config)#int fa0/1
    2960(config-if)#service-policy input Control
    >>>>>> This will rate-limit traffic coming from the PC

  • How to rate-limit different IP's entering/leaving an Interface?

    Hi There,
    We are an ISP and have an interconnect with say Provider A. Customers of ours use Provider A for layer 2 and us for Layer 3 (IP/Internet).
    Customer #1 to #100 --- (10Mb) --> Provider A ---> ISP ---> Internet
    We'd like to rate limit some customers to 2mb/sec (in/out) on our end because at present they have a 10mb/sec connection coming from Provider A.
    The config we use to peer with Provider A is this:
    interface GigabitEthernet0/1.120
    description Interconnect with Provider A
    bandwidth 400000
    encapsulation dot1Q 120
    ip address A.B.C.1 255.255.255.252
    Customers of ours are simply routed out through this interface like so:
    Customer #1:
    ip route W.X.Y.Z. 255.255.255.255 A.B.C.2
    Customer #2:
    ip route J.K.L.M 255.255.255.255 A.B.C.2
    Is there a way to rate limit both these customers without needing to create a separate class map for each like so:
    class-map match-all CUSTOMER-1-2MB
    match access-group name ACL-CUSTOMER-1
    class-map match-all CUSTOMER-2-2MB
    match access-group name ACL-CUSTOMER-2
    policy-map POLICY-RATE-LIMIT
    class CUSTOMER-1-2MB
    police 2000000 375000 750000
    class CUSTOMER-2-2MB
    police 2000000 375000 750000
    interface GigabitEthernet0/1.120
    service-policy input POLICY-RATE-LIMIT
    service-policy output POLICY-RATE-LIMIT
    I've done this in the lab and I know it works, so Customer #1 ends up with 2mb/sec and Customer #2 gets 2mb/sec too.
    But in production, I'm talking about 100's of customers which we simply route out of this interface. I can't imagine having to configure 100's of class maps and policy maps for each customer to rate limit them to 2mb/sec like in the config above.
    Is there a better way to do this on the router???
    Thanks.
    Andy

    Hi All,
    Doing what Laurent suggested works great. We are able to rate-limit the desired customers by having a separate class-map for each customer that needs to be rate limited under the single policy-map.
    But now we're finding that the CPU utilization has increased by 20% because of this.
    We're pushing about 400M through this interface and rate limiting 7 customers on it.
    Given the large traffic flow through this interface (400M), is it common to see an increase in CPU utilisation by 20%???
    When we take the service-policy off the interface, sure enough the CPU drops by 20%.
    Here's the MQC applied:
    interface GigabitEthernet0/1.120
    bandwidth 400000
    encapsulation dot1Q 120
    ip address 203.17.x.x 255.255.255.252
    ip flow ingress
    service-policy input RATE-LIMIT
    service-policy output RATE-LIMIT
    class-map match-all CLASS-TCS-200338
    description Customer #1 rate limited to 4mb/sec
    match access-group name ACL-TCS-200338
    class-map match-all CLASS-TCS-200208
    description Customer #2 rate limited to 2mb/sec
    match access-group name ACL-TCS-200208
    class-map match-all CLASS-TCS-205593
    description Customer #3 rate limited to 3mb/sec
    match access-group name ACL-TCS-205593
    class-map match-all CLASS-TCS-205679
    description Customer #4 rate limited to 4mb/sec
    match access-group name ACL-TCS-205679
    class-map match-all CLASS-TCS-200441
    description Customer #5 rate limited to 4mb/sec
    match access-group name ACL-TCS-200441
    class-map match-all CLASS-TCS-200005
    description Customer #6 rate limited to 2mb/sec
    match access-group name ACL-TCS-200005
    class-map match-all CLASS-TCS-205560
    description Customer #7 rate limited to 4mb/sec
    match access-group name ACL-TCS-205560
    policy-map RATE-LIMIT
    class CLASS-TCS-200005
    police 2000000 375000 750000 conform-action transmit exceed-action transmit violate-action drop
    class CLASS-TCS-200208
    police 2000000 375000 750000 conform-action transmit exceed-action transmit violate-action drop
    class CLASS-TCS-200441
    police 4000000 750000 1500000 conform-action transmit exceed-action transmit violate-action drop
    class CLASS-TCS-200338
    police 4000000 750000 1500000 conform-action transmit exceed-action transmit violate-action drop
    class CLASS-TCS-205679
    police 4000000 750000 1500000 conform-action transmit exceed-action transmit violate-action drop
    class CLASS-TCS-205560
    police 4000000 750000 1500000 conform-action transmit exceed-action transmit violate-action drop
    class CLASS-TCS-205593
    police 3000000 562500 1125000 conform-action transmit exceed-action transmit violate-action drop
    Is this the correct behaviour of applying the service-policy to the interface whereby the CPU increases by 20% or can the MQC be fine tuned to have less of an impact on the CPU?
    Is the router just overloaded, taking into account it's only pushing about 400M? Should it be able to do more than this??
    Thanks.
    Andy

  • Rate-limit command 3560 does it exist?

    I have just come across a command in my router IOS which might be useful too me. I was wondering if the following command is available on a 3560 Switch. I don't see it on my 3550 but the IOS is quite old. I don't have a 3560 avaiable currently to check.
    Config t > int vlan x > rate-limit input/output
    does this exist on the 3560? I am also interest if it does in the Bits per second range and if available input/output.
    Thanks for any help

    Hello,
    what kind of feature are you looking for?
    CAR?
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a0080087f26.html#wp1037428
    For command list check the following link:
    Catalyst 3560 Switch Command Reference, Rel. 12.2(25)SEE
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/cr/index.htm
    For QOS configs:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swqos.htm
    If you need to rate limit traffic on an interface check:
    Limiting the Bandwidth on an Egress Interface
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swqos.htm#wp1253412
    Hope this help a bit,
    if it does, please rate this post.
    Vlad

  • Setting dynamic rate limit

    I would like to know how to set the dynamic rate limit on the wan and the lan on the spa2102 voip adapter. can anyone help?

    There is no such function on any of the SPA2xxx or SPA3xxx series voice router.

  • Can I rate-limit on the sub-interface in cisco asr 1013?

    Hi,
    I am looking for the command of rate-limit on a sub-interface in cisco asr 1013.
    Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S, RELEASE SOFTWARE (fc1)
    IOS XE Version: 03.06.00.S
    Please let me know if it is possible in cisco asr 1013. If yes then what are the commands.
    Zobair

    The ASR no longer supports the rate-limit command, but it does support the same functionality in a QoS policy.
    Please find a sample configuration -
    ASR1004(config)#policy-map test
    ASR1004(config-pmap)#class class-default
    ASR1004(config-pmap-c)#shape average 10000
    Applying for both ingress and egress : -
    ASR1004(config)#int gig1/1/0
    ASR1004(config-if)#service-policy output test   
    or
    ASR1004(config-if)#service-policy input test

  • Bandwidth Management(Rate Limit) Using QoS Policies

    Hello,
    I need some advice. We have an ASA 5525 running version 8.6(1)2 and a 10 MG pipe. I have execs that want to limit bandwidth on users for stuff like youtube, stream media, and downloads. I found the article on ‘Bandwidth Management(Rate Limit) Using QoS Policies’ so it appears our firewall can do what we want. I’m not a cisco person. My knowledge is limited when it comes to configuration – that’s why we have SmartNet :). The advice I need is what to ask for, so to speak, when I put a case in. Can bandwidth be limited on end users and/or can they limit the ‘bandwidth rate limit’ to just youtube, steaming media, and downloads? If so, what should the limit be? and I’m assume this would be for ‘incoming’ traffic only? we’re running into some bandwidth hogs – usually youtube and/or streaming media. We have a Barracuda web filter which we’ve used to block and monitor activity but I simply do not have time to babysit this all day. I should also mention we do have critical data running up and down the pipe; such as credit card processing, DB replication between in house DB and hosted website, TPCx and EDI, FTP, and such that we don’t want restricted.
    Need input please,
    Thanks,
    D

    Hello,
    That's a question that you as the network admin of that organization could answer.
    How much traffic for business purposes must travel via HTTP/HTTPS?
    How much bandwith are you willing to provide to this 2 protocols?
    Those are the kind of answers you need to answer before setting the number
    Regards
    Remember to rate all of the helpful posts, Just click the 5 stars at the left of each post
    Julio

  • Prime Infrastructure 2 - API rate limit change?

    Good day -
    The Prime API is pretty sweet, and can give you JSON data back easily with a call like this:
    https://prime/webacs/api/v1/data/Clients.json?.full=true
    It is, however, limited to 100 results. We'd like to see more than that.
    How do I change this rate limit for the API?

    I have found that this command does work, but still limits to 1000. 
    https://prime/webacs/api/v1/data/Clients.json?.maxResults=9999&.full=true
    Now I get Tomcat a HTTP Status 503 error.  There's another setting I've not found yet.
    My json results say "@count":"6980", suggesting I have that many clients in the database.

  • Rate-limit on eompls VCs

    hello guys,
    is it possible to rate limit an eompls circuit between to PE (rate-limit per VC) ?

    Yes you can try with MQC. Have a class-map which matches any traffic and police the bandwidth
    policy-map l2test
    class l2test
    police 2048000 c t e d
    class l2test
    match any
    Let me know if it works

Maybe you are looking for

  • What's the transaction code for the acronym explainer?

    I found this once but for the life of me can't find it again. There's a transaction code for a utility that tells you what  SAP acronyms/abbreviations stand for.  Anyone care to enlighten me?

  • Android SDK Installer

    I am interested in doing some game development using Basic4Android. To do so, I need to install Java and the Android SDK. I have installed Java 7. The following software is installed on my laptop: Java 7 Update 7 (64-bit) Version 7.0.70 Java SE Devel

  • Error : Validity of certificate (...) PSE SSL ends in 1 day

    Dear all, I have a certificate problem with my WAS system. <u>"Validity of certificate from list with PSE type >SSL Client (Standard)< ends in 1 day, for more information, see the SAP System Log (transaction SM21)" </u> ==> I have a BSP website https

  • Default colors displayed in Mail

    I would like to know how to change this damned pink color of the sidebar of Mail. Are Others sidebars colors also customizable ?? (iPhoto is light blue, Finder is light green,...) Do you experienced this ??

  • Cloud Trial - Muse & Air install problems

    System: Windows 7 Pro. CS 5.5 Production Suite. After signing up for the cloud trial, Muse will not install. Also problems with Air. I uninstalled and removed all traces of both and tried reinstalling. No go. There may be some issue with Air because