02-05-2014 10:55 AM - edited 03-04-2019 10:15 PM
I have a facility with multiple VLANs and one internet connection (10Mbps). I want the guest wireless VLAN to be limited to 2Mbps of the internet connection. Is there a way to limit the guest wireless VLAN traffic in such a way that it doesn't ever take up more than 2Mbps of the internet connection?
I've tried rate-limit on the VLAN interface:
interface GigabitEthernet0/0.20
 description Residents
 encapsulation dot1Q 20
 ip address 172.20.108.1 255.255.255.0
 ip access-group Residents_restriction-ACL in
 ip nat inside
 ip virtual-reassembly in
 rate-limit input 2048000 384000 768000 conform-action transmit exceed-action drop
 rate-limit output 2048000 384000 768000 conform-action transmit exceed-action drop
The problem with that is when the guest download rate is above 2Mbps it utilizes more than 2Mbps of the internet connection before the router trims the output to the VLAN down to 2Mbps. In other words, if the guest VLAN is downloading 5Mbps, it only receives 2Mbps but has utilized 5Mbps of the internet connection.
I've tried putting a rate-limit input on the WAN interface for traffic matching the VLAN but it doesn't work. Incoming traffic is not destined for the private IPs on the VLAN and NAT rules don't kick in until after rate-limit.
The ultimate goal is to always have 8Mbps download rate available to all non-guest VLANs.
02-05-2014 02:24 PM
Hi,
This is a common misconception as what you are actually doing is dropping traffic after it has consumed your WAN bandwidth. So traffic is being transmitted from the ISP at 10Mbps and is then being dropped on your router to result in a rate of 2Mbps to the guest network.
Assuming that the majority of traffic is TCP, after some packets have been dropped on your interface, TCP will drop its transmit rate and then steadily increase again until it's over 2Mbps and then drops again. With lots of clients downloading traffic you will probably only see a slight reduction in WAN utilization.
A possible workaround is to police inbound traffic a lot lower than 2Mbps to force TCP to reduce its rate more aggressively. Alternatively you could also try to shape outbound TCP acknowledgements to try and regulate the inbound bandwidth consumption. Unfortunately neither of these solutions can guarantee behaviour and they won't help much with UDP traffic but they are worth investigating.
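The behaviour described in the answer above, as an added simulation that is not part of the original thread: a simplified single-rate token bucket stands in for the `rate-limit ... 2048000 384000 768000` policer (extended burst ignored), and compares a constant-rate flow with one idealised loss-responsive flow. The RTT, the step sizes and the sender models are assumptions, and many concurrent flows are not modelled.

```python
# Added illustration (not from the thread). Simplified single-rate token
# bucket; the 768000-byte extended burst of the real command is ignored.
RTT = 0.05  # seconds per simulation step (assumed)

def simulate(sender, cir_bps=2_048_000, burst_bytes=384_000, seconds=60):
    """Return (wan_bps, delivered_bps) for a flow that crosses the WAN link
    first and only then meets the policer on the router's LAN side."""
    tokens = float(burst_bytes)            # bucket starts full
    rate = sender["start_bps"]
    wan = delivered = 0.0
    for _ in range(int(round(seconds / RTT))):
        tokens = min(burst_bytes, tokens + cir_bps / 8 * RTT)
        sent = rate / 8 * RTT              # bytes that already used the WAN
        passed = min(sent, tokens)         # policer forwards what tokens allow
        tokens -= passed
        wan += sent
        delivered += passed
        if sender["aimd"]:                 # TCP-like reaction to loss
            if passed < sent:
                rate = max(rate / 2, 100_000)   # halve on any drop
            else:
                rate += 100_000            # additive increase per RTT (assumed)
    return wan * 8 / seconds, delivered * 8 / seconds

# Constructed sender models (assumptions, not measurements).
UDP_5M = {"start_bps": 5_000_000, "aimd": False}    # never backs off
TCP_LIKE = {"start_bps": 5_000_000, "aimd": True}   # backs off on drops

if __name__ == "__main__":
    cases = [("constant 5 Mbps, policed at 2048000", UDP_5M, 2_048_000),
             ("TCP-like, policed at 2048000", TCP_LIKE, 2_048_000),
             ("TCP-like, policed at 1024000", TCP_LIKE, 1_024_000)]
    for name, sender, cir in cases:
        wan, got = simulate(sender, cir_bps=cir)
        print(f"{name:38s} WAN used {wan / 1e6:5.2f} Mbps, "
              f"guest got {got / 1e6:5.2f} Mbps")
```

The constant-rate case is the situation from the question: the guest VLAN receives about 2 Mbps while the full 5 Mbps has already crossed the internet link.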
02-06-2014 09:06 AM
I was afraid that would be the answer. Thanks.