Controller Based WLANs

How do I prioritize traffic from a particular WiFi client on an SSID?

by on ‎07-08-2014 02:21 PM

Introduction : Many times, wlan administrators are informed to prioritize traffic from a particular wi-fi client, which is generally owned by an individual in a higher authority.

 

Environment: This article applies to Aruba Mobility Controllers running ArubaOS.

 

Network Topology :

 

  • Router) - Switch - Controller - Switch - Access Point ))))))   Clients
  • (Router) - Switch - Instant Access Points )))))

 

Configuration Steps :

 

Prioritizing all the traffic from a particular client on air (between client and access points) is not possible. You can enable WMM (Wi-Fi Multimedia) on a wireless network that can prioritize overall traffic in air by four categories, i, e  Voice, Video, Best Effort and Background.

Once the client traffic reaches the controller, it can be prioritized by
irrespective of voice, video or data.

To prioritize traffic from a individual client, you need to first separate the client from the others clients connecting to the SSID. We do this using UDR (User Derivative Rules). A UDR is configured with a condition that, when a client with certain MAC address connects to an SSID, it would be assigned a different role.

Thereby, lets configure a role first that prioritize the client traffic for any service and from any source to any destination:


(Aruba) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba) (config) #ip access-list session prioritize-traffic
(Aruba) (config-sess-prioritize-traffic)#any any any permit queue high
(Aruba) (config-sess-prioritize-traffic)#end
(Aruba) #
(Aruba) #show ip access-list prioritize-traffic

ip access-list session prioritize-traffic
prioritize-traffic
------------------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           High                                                                           4

(Aruba) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba) (config) #user-role client-traffic-priority
(Aruba) (config-role) #access-list session prioritize-traffic
(Aruba) (config-role) #end
(Aruba) #
(Aruba) #write memory
Saving Configuration...

Configuration Saved.

(Aruba) #
(Aruba) #
(Aruba) #show rights client-traffic-priority

Derived Role = 'client-traffic-priority'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 106/0
 Max Sessions = 65535


access-list List
----------------
Position  Name                Type     Location
--------  ----                ----     --------
1         prioritize-traffic  session

prioritize-traffic
------------------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           High                                                                          4

Expired Policies (due to time constraints) = 0



Note:  Mentioned in blue are the name of the profiles.


Now, as the role "client-traffic-priority" is ready, we need to make sure this gets assigned to wi-fi client when its gets connected to an SSID. We do this by using UDR, as shown below:


(Aruba) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba) (config) #aaa derivation-rules user priority-client
(Aruba) (user-rule) #set role condition macaddr equals 7c:e9:d3:2d:3c:55 set-value client-traffic-priority
(Aruba) (user-rule) #end
(Aruba) #
(Aruba) #show aaa derivation-rules user priority-client

User Rule Table
---------------
Priority  Attribute  Operation  Operand/Group      Action    Value                    Total Hits  New Hits  Description
--------  ---------  ---------  -------------      ------    -----                    ----------  --------  -----------
1         macaddr    equals     7c:e9:d3:2d:3c:55  set role  client-traffic-priority  0           0

Rule Entries: 1



Now, as the UDR is configured, lets map it to the aaa profile, that is being used for the virtual-ap:


(Aruba) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba) (config) #aaa profile default
(Aruba) (AAA Profile "default") #user-derivation-rules priority-client
(Aruba) (AAA Profile "default") #end
(Aruba) #

(Aruba) #show aaa profile default

AAA Profile "default"
---------------------
Parameter                           Value
---------                           -----
Initial role                        logon
MAC Authentication Profile          N/A
MAC Authentication Default Role     guest
MAC Authentication Server Group     default
802.1X Authentication Profile       N/A
802.1X Authentication Default Role  guest
802.1X Authentication Server Group  N/A
L2 Authentication Fail Through      Disabled
RADIUS Accounting Server Group      N/A
RADIUS Interim Accounting           Disabled
XML API server                      N/A
RFC 3576 server                     N/A
User derivation rules               priority-client
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A
Device Type Classification          Enabled
Enforce DHCP                        Disabled



Therefore, once the client connects to an SSID, hits the UDR rule, and as per the condition, it would fall into the configured role, which prioritizes the all the traffic to high queue.

 

 

Verification :

 

Now, its time to verify if the traffic is being prioritize.


(Aruba) #show user-table

Users
-----
    IP              MAC            Name     Role                     Age(d:h:m)  Auth  VPN link  AP name            Roaming   Essid/Bssid/Phy                              Profile  Forward mode  Type
----------     ------------       ------    ----                     ----------  ----  --------  -------            -------   ---------------                              -------  ------------  ----
172.16.30.101  7c:e9:d3:2d:3c:55            client-traffic-priority  00:00:06                    d8:c7:c8:cc:43:24  Wireless  SSID-client-priority/d8:c7:c8:44:32:40/g-HT  default  tunnel        Win 7

User Entries: 1/1

(Aruba) #
(Aruba) #
(Aruba) #show datapath session table | include 172.16.30.101

172.16.30.101   239.255.255.250 17   61926 1900   0/0     0 24  0   tunnel 27   2    1         161        FHTC
172.16.30.101   10.30.15.110    6    3762  443    0/0     0 24  0   tunnel 27   11   1         48         YHTC
172.16.30.101   10.9.15.43      6    3763  443    0/0     0 24  0   tunnel 27   8    2         104        YHTC
172.16.30.255   172.16.30.101   17   137   137    0/0     0 24  8   tunnel 27   83   0         0          FYH
172.16.30.101   172.16.30.255   17   137   137    0/0     0 24  1   tunnel 27   83   33        2574       FHTC
10.9.15.43      172.16.30.101   6    443   3763   0/0     0 24  1   tunnel 27   8    0         0          YH
10.30.15.110    172.16.30.101   6    443   3762   0/0     0 24  1   tunnel 27   11   0         0          YH
172.16.30.101   224.0.0.252     17   56863 5355   0/0     0 24  0   tunnel 27   b    2         116        FHTC



NOTE:          H denotes High-Queue
 

 

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.