How to restrict user or SSID bandwidth on Instant APs (IAP) - Apr 2014

MVP Expert
MVP Expert

Tutorial by: Brendon

On an Aruba Instant AP you can restrict bandwidth per user-role or per SSID. 


So lets say you have a guest SSID account and you don’t want any one particular guest saturating the uploads or downloading or you don’t want your guest SSID to use more the 50kbps up in total; you can set both the upstream and downstream traffic to alleviate this problem (among many other scenarios).


Firstly you will need a pre-existing SSID or are creating a new SSID on an Instant AP, my example SSID here is called Limited.


Log into the web interface of the Instant Virtual Controller (default logon: admin/admin). Now in the top left-hand corner there will be a “Networks” box. In this box will be where your SSIDs are displayed. If you have already created your SSID click on its name and then the edit button that will appear to the right of it; Otherwise click on NEW.


Screen Shot 2014-04-15 at 13.36.28.png


You should now be faced with the WLAN Settings Tab. In the bottom left-hand corner of this window is a label “Show advanced options”, click on this to reveal the more options. This will reveal the “Bandwidth Limits” settings.


Screen Shot 2014-04-15 at 14.25.53.png


 Screen Shot 2014-04-15 at 14.28.01.png


If you want to set the max bandwidth capacity for the SSID fill in the kbps amounts for the downstream and/or upstream and continue to the end like normal. EG: 500kbps total up and down traffic.


Screen Shot 2014-04-15 at 14.30.14.png


If you want to limit the bandwidth for each individual user fill in the kbps amounts for the downstream and/or upstream and also check the “Per user” checkbox. This can be useful couple with the “Max client threshold” option just below the Bandwidth Limits options. EG: 500kbps per user up and down.


Screen Shot 2014-04-15 at 14.17.56.png


Now when you limit the upstream or downstream bandwidth limits you will find it will show in the role assignment. If I limit the up and down to 500kbps per user I get this:



Screen Shot 2014-04-15 at 15.20.52.png


Now as you can see here, the bandwidth contract is an access rule of the Limited Role. If you want to get more specific with your bandwidth limits you can create different roles with different bandwidth limits. Then use “Role Assignment Rules” to assign users into different role.


The example below assigns any device with a mac address of dc:86:d8:20:74:a6 to the Limit50 role and the rest to the Limit role.


The Limit50 role has a bandwidth contract of 50kbps per user while the Limit role has a bandwidth contract of 500kbps.


Limit 50 bandwidth contract access rule:

 Screen Shot 2014-04-15 at 15.55.36.png


The finish result:

Screen Shot 2014-04-15 at 15.37.22 1.png


You can get quite creative with how you use this, perhaps limit devices connecting to a particular AP or limit all devices except devices using a particular dot1x username. 


Note: I performed this tut from firmware version 


Happy hunting everyone! If you found this interesting or useful please kudo.


Thanks all,



Any questions?

Version history
Revision #:
2 of 2
Last update:
‎05-05-2014 12:34 PM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: