Application Visibility and Control - 8540 WLC

Steve1983v
Level 1

Hi All,

Just a question around the configuration of AVC on an 8540 WLC.
I have a centrally switched network consisting of a few thousand iPad devices connected to 2802i WAPs.
Every so often, when an Apple update comes out, they flood the WAN link of the WLC and strangle the network.

Using AVC I was hoping to rate-limit Apple updates specifically.
Can someone explain if this is the best way to go about this? (Unable to set up an MDM at this time.)
If I set a limit of 500 Mbps, does that apply to each AP or is that for the entire WLAN?
Ideally, I want to have a hard-set limit of 500 Mbps for that traffic so it just takes longer for the update to complete, but any other traffic is not hindered.

The documentation that I've looked at doesn't really explain how it "rate-limits" the traffic.
I was looking at the following doco:
Cisco Wireless Controller Configuration Guide, Release 8.10 - Wireless Quality of Service [Cisco Wireless LAN Controller Software] - Cisco

Thanks

7 Replies

@Steve1983v 

I believe you can do this using a QoS profile:

config qos average-data-rate {bronze | silver | gold | platinum} {per-ssid | per-client} {downstream | upstream} rate

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810.pdf

Hi Flavio,

Thank you for your response.
I was originally looking at using a QoS profile; however, when looking at the documentation
Wireless Bi-Directional Rate Limiting Deployment Guide - Cisco
it states the following:

  • When the controller is connected and central switching is used, the controller will handle the downstream enforcement of the per-client rate limit only.
  • The AP will always handle the enforcement of the upstream traffic and the per-SSID rate limit for downstream traffic.

This is not what I'm after. I do not want the enforcement to happen at the AP level, and I don't want to enforce per-client either. I only have an issue when the devices attempt an iOS update, hence why I wanted a global rate limit, not a per-client limit.

The document also states:

  • Using an AVC rule, you can limit the bandwidth of a particular application for all the clients joined on the WLAN. These bandwidth contracts coexist with per-client downstream rate limiting. The per-client downstream rate limits take precedence over the per-application rate limits.

This would perfectly suit me, as I really only want to rate-limit the traffic of one application.
I would just like some clarification of how it works (per SSID or per client; is it global or at the AP level?).
This would determine what my rate limit would be set to.

Thanks
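Worked configuration, added here and not taken from the thread or from Cisco's documentation: the per-application AVC rate limit described in the deployment guide quote above, written as AireOS-style WLC CLI. The profile name, WLAN id and application name are placeholders, the command syntax is reproduced from memory and should be checked against the 8.10 configuration guide linked above, and the "!" lines are annotations, not WLC commands.

```cisco
! Create the AVC profile that will hold the per-application rule
config avc profile APPLE-UPDATE-LIMIT create

! List the NBAR2 application names to find the Apple software-update entry;
! <apple-update-app> below is a placeholder for the name shown in that list
show avc applications

! Rate-limit that one application for all clients joined on the WLAN.
! Arguments are <average-rate> <burst-rate>; the unit is assumed here to be kbps,
! so 500000 would correspond to the 500 Mbps aggregate limit asked about in the thread.
! This is a bandwidth contract for the application across the WLAN, not a per-client
! limit, so traffic of other applications is left untouched.
config avc profile APPLE-UPDATE-LIMIT rule add application <apple-update-app> rate-limit 500000 500000

! Bind the profile to the centrally switched WLAN (WLAN id 1 is a placeholder);
! the WLAN is disabled while the AVC settings are changed
config wlan disable 1
config wlan avc 1 visibility enable
config wlan avc 1 profile APPLE-UPDATE-LIMIT
config wlan enable 1

! Verify the rule and the binding
show avc profile detailed APPLE-UPDATE-LIMIT
show wlan 1

! Precedence caveat from the deployment guide quoted above: a per-client downstream
! QoS rate limit overrides this per-application limit, so leave the per-client
! values in the WLAN's QoS profile at 0 (no limit) if only this application should be limited.
```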

I understand that you don't want to rate-limit the client but one application, but actually, taking control at the access point level is the best approach in my opinion. Why carry the traffic to the WLC to be dropped? It makes all sense to me for the upstream to take place on the AP.

About the AVC profile, keep in mind this restriction:

Restrictions for Application Visibility and Control

  • NBAR2 engine fails to recognize the HTTPS traffic, hence fails to block this traffic when configured to drop in a Flex AVC profile.

Most probably these updates use HTTPS traffic.

I saw that restriction that you listed, however I thought Flex AVC profiles only apply to locally switched WLANs? I would be using a standard AVC profile for a centrally switched WLAN where that restriction does not apply.

Thanks

Well, you probably will figure this out. But this "NBAR2 engine fails to recognize the HTTPS traffic" sounds more like an affirmative statement to me.

You might find that QoS on the wired side is the best way to handle it as well.

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Rich R
VIP

As Flavio says, your QoS enforcement for this should be as far upstream as possible, not on the controller.

At least it should be ingress on your internet router, but better still if you can get it policed outbound from the ISP router so that it never reaches your internet router.

The main problem you're going to have, though, is recognising, classifying, marking and policing the correct traffic. MDM policy to regulate the problem at source is really the only way to deal with this effectively.
