10-23-2024 11:42 PM - last edited on 10-24-2024 01:26 AM by rupeshah
Hi All,
Just a question around configuration of AVC on an 8540 WLC.
I have a centrally switched network consisting of a few thousand iPad devices connected to 2802i WAPs.
Every so often when an Apple update comes out they flood the WAN link of the WLC and strangle the network.
Using AVC I was hoping to rate-limit specifically apple updates.
Can someone explain if this is the best way to go about this? (unable to set up an MDM at this time)
If I set a limit of 500 Mbps does that apply to each AP or is that for the entire WLAN?
Ideally, I want to have a hard-set limit of 500 Mbps for that traffic so it just takes longer for the update to complete but any other traffic is not hindered.
The documentation that I've looked at doesn't really explain how it "rate-limits" the traffic
I was looking at the following doco
Cisco Wireless Controller Configuration Guide, Release 8.10 - Wireless Quality of Service [Cisco Wireless LAN Controller Software] - Cisco
Thanks
10-24-2024 03:18 AM
I believe you can do this using QoS profile
config qos average-data-rate {bronze | silver | gold | platinum} {per-ssid | per-client} {downstream | upstream} rate
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810.pdf
10-24-2024 04:46 PM
Hi Flavio
Thank you for your response.
I was originally looking at using a QoS profile, however when looking at the documentation
Wireless Bi-Directional Rate Limiting Deployment Guide - Cisco
According to this document it states the following:
This is not what I'm after. I do not want the enforcement to happen at the AP level, and I don't want to enforce per-client either. I only have an issue when the devices attempt an iOS update. Hence I wanted a global rate limit, not a per-client limit.
The document also states
10-24-2024 05:18 PM
I understand that you don't want to rate limit the client but one application, but, actually, taking control at the access point level is the best approach in my opinion. Why carry the traffic to the WLC to be dropped? It makes all sense to me for the upstream to take place on the AP.
About the AVC profile, keep in mind this restriction:
NBAR2 engine fails to recognize the HTTPS traffic, hence fails to block this traffic when configured to drop in a Flex AVC profile.
Most probably these updates use HTTPS traffic.
10-24-2024 05:25 PM
I saw that restriction that you listed, however I thought Flex AVC profiles only apply to locally switched WLANs? I would be using a standard AVC profile for a centrally switched WLAN where that restriction does not apply.
Thanks
10-24-2024 05:28 PM - edited 10-24-2024 05:31 PM
Well, you probably will figure this out. But this "NBAR2 engine fails to recognize the HTTPS traffic" sounds more like an affirmative statement to me.
10-24-2024 04:37 PM
You might find QoS on the wired side might be best to handle it as well.
11-02-2024 10:15 AM
As Flavio says, your QoS enforcement for this should be as far upstream as possible, not on the controller.
At least it should be ingress on your internet router but better still if you can get it policed outbound from the ISP router so that it never reaches your internet router.
The main problem you're going to have though is recognising, classifying, marking and policing the correct traffic. MDM policy to regulate the problem at source is really the only way to deal with this effectively.