How to restrict user or SSID bandwidth on Instant APs (IAP) - Apr 2014
Tutorial by: Brendon
On an Aruba Instant AP you can restrict bandwidth per user-role or per SSID.
So lets say you have a guest SSID account and you don’t want any one particular guest saturating the uploads or downloading or you don’t want your guest SSID to use more the 50kbps up in total; you can set both the upstream and downstream traffic to alleviate this problem (among many other scenarios).
Firstly you will need a pre-existing SSID or are creating a new SSID on an Instant AP, my example SSID here is called Limited.
Log into the web interface of the Instant Virtual Controller (default logon: admin/admin). Now in the top left-hand corner there will be a “Networks” box. In this box will be where your SSIDs are displayed. If you have already created your SSID click on its name and then the edit button that will appear to the right of it; Otherwise click on NEW.
You should now be faced with the WLAN Settings Tab. In the bottom left-hand corner of this window is a label “Show advanced options”, click on this to reveal the more options. This will reveal the “Bandwidth Limits” settings.
If you want to set the max bandwidth capacity for the SSID fill in the kbps amounts for the downstream and/or upstream and continue to the end like normal. EG: 500kbps total up and down traffic.
If you want to limit the bandwidth for each individual user fill in the kbps amounts for the downstream and/or upstream and also check the “Per user” checkbox. This can be useful couple with the “Max client threshold” option just below the Bandwidth Limits options. EG: 500kbps per user up and down.
Now when you limit the upstream or downstream bandwidth limits you will find it will show in the role assignment. If I limit the up and down to 500kbps per user I get this:
Now as you can see here, the bandwidth contract is an access rule of the Limited Role. If you want to get more specific with your bandwidth limits you can create different roles with different bandwidth limits. Then use “Role Assignment Rules” to assign users into different role.
The example below assigns any device with a mac address of dc:86:d8:20:74:a6 to the Limit50 role and the rest to the Limit role.
The Limit50 role has a bandwidth contract of 50kbps per user while the Limit role has a bandwidth contract of 500kbps.
Limit 50 bandwidth contract access rule:
The finish result:
You can get quite creative with how you use this, perhaps limit devices connecting to a particular AP or limit all devices except devices using a particular dot1x username.
Note: I performed this tut from firmware version 18.104.22.168-22.214.171.124_42384.
Happy hunting everyone! If you found this interesting or useful please kudo.