We have a centralized guest SSID deployment for visitors. The customer asked us to throttle the guest users' bandwidth on a per-site basis. I think we can only implement per-SSID and per-user throttling for the centralized guest SSID. Is there any way to do it on a per-site basis?
This requirement popped up due to the varying bandwidths at different sites, such as 4, 8, 10 Mbps.
The only way I can think of off the top of my head is to create a different WLAN profile with the same SSID name. You can have one site with WLAN ID 1, but all the others have to have WLAN ID 17 or higher to do this. This would allow you to then set separate limits on a per-WLAN basis, and since each WLAN is tied to a different site, that should work. Now if you have like 10+ sites, then I wouldn't do this, because it just becomes a nightmare. You might be able to use foreign maps, if you have a WLC at each site and the guest anchors centralized, and place guest traffic from a site into a DMZ VLAN and police the VLAN. There is no straight configuration to do what you want, but more of various workarounds.
One more doubt. Our APs are in FlexConnect mode. If I am enforcing per-SSID rate limiting of 10 Mbps for the guests, will it be applied on the AP? Will each AP allow a consolidated bandwidth of 10 Mbps under the guest SSID, instead of the guest SSID being limited globally to 10 Mbps? The following spreadsheet is confusing.
| | Local Mode | FlexConnect Central Switching | FlexConnect Local Switching | FlexConnect Standalone |
|---|---|---|---|---|
| Per client Downstream | WLC | WLC | AP | AP |
| Per SSID Downstream | AP | AP | AP | AP |
| Per client Upstream | AP | AP | AP | AP |
| Per SSID Upstream | AP | AP | AP | AP |
If the AP is doing the policing, then it's on each AP, since the APs don't communicate. If the traffic goes to the WLC, then the WLC can police the traffic, since everything comes into it. That is why you need to really understand what you are getting. This whole limit bandwidth, etc., works, but does it work how you want it to work? In FlexConnect local switching, for example, that means traffic egresses the AP and gets put onto the wired network. So on the wired side, you can set a policy on the layer 3 SVI to limit that traffic. But in case you are dumping guest onto another subnet with other traffic and using ACLs on the WLC to secure the guest traffic, well, you really can't police the traffic on the SVI, because you will limit all the traffic. Best thing to do is think it out and draw it out and see if it's possible to accomplish or not. Bandwidth limiting has been removed from many of my customers, due to user complaints and/or limiting it to a point that it's useless. There are also guests that might need to present and might have a video and need to download a presentation or files; well, do you want to limit that, especially if they are a guest of one of the executives or higher-ups... not really.
If I apply a QoS policy on the local CE for port number 5247 (CAPWAP data channel), will it limit the bandwidth on a per-site basis for the guest SSID?
We are using local switching for the corporate SSID; I don't think corporate SSID traffic will be going via the CAPWAP data channel.
I really don't think that will work. You might end up breaking the join. If you are trying to limit so that traffic is limited before it is sent over the WAN, you would have to figure out something different. You would have to use local switching and place that guest traffic in a GRE/VRF to the DMZ and police it at the site. This will not use the guest anchors, however. You will have to figure out some other workaround than what the WLC can provide you.
You can use QoS to do this. When you configure QoS on the access point, you can select specific network traffic, prioritize it, and use congestion-management and congestion-avoidance techniques to provide preferential treatment. Implementing QoS in your wireless LAN makes network performance more predictable and bandwidth utilization more effective.
For more information please refer to the link :