MAC Based Bandwidth Limit

  • Question
  • Updated 4 years ago
I want to make an internet access policy (including bandwidth limitation). I cannot depend on username and password since they are too easy to share. I cannot use IP addresses either, since we implement DHCP for all clients. So the only option is MAC based. Our BD8000 is doing the routing for the LAN. So, I think the best place for making it is on the uplink router facing the Internet. But the problem is how to do a MAC-based policy on the uplink router when the LAN is routed by the BD8000. The clients are connected to the LAN via access switches which have VLAN trunk lines to the BD8000. Any idea?
Mrxlazuardin

Posted 4 years ago

Alexandr P, Embassador

For ingress limiting you can use metering:
create meter <metername>

configure meter <metername> {committed-rate <cir> [Gbps | Mbps | Kbps]} {max-burst-size <burst-size> [Kb | Mb]} {out-actions [drop | set-drop-precedence {dscp [none | <dscp-value>]}]}

entry <ACLrulename> {
    if {
        <match-conditions>;
    } then {
        meter <metername>;
    }
}

configure access-list <aclname> [any | ports <portlist> | vlan <vlanname>] {ingress | egress}

For egress limiting - rate limiting:

configure ports <port_list> rate-limit egress [no-limit | <cir-rate> [Kbps | Mbps | Gbps] {max-burst-size <burst-size> [Kb | Mb]}]

Thank you!

Mrxlazuardin

Hi Alexandr,

It seems that this solution is to do the access limitation on our BD8000, right? Actually I'm still looking for a solution for how to "notify" the IP-MAC address pair to the uplink router so I can do the limitation there. Anyway, is it possible to do the limitation only for Internet traffic and do no limitation for layer 3 LAN traffic? Is it possible to have a RADIUS-based value?

Best regards,
Alexandr P, Embassador

Hi!

You can do egress limitation per uplink port.
And you can do ingress limitation per port, but with whichever condition you want in the ACL:
entry <ACLrulename> {
    if {
        <match-conditions>;
    } then {
        meter <name>;
    }
}
where <match-conditions> is the IP-MAC address pair.

All possible match conditions you can take from Concept Guide.

Thank you!
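
Added example, not part of the thread and not Extreme's own code: a small generator that turns a client inventory into one meter and one ACL entry per MAC address, following the `create meter` / `entry ... meter` / `configure access-list` templates quoted above. Assumptions: the `ethernet-source-address` match condition from the Concept Guide, the hypothetical names `maclimit` (policy) and `clients` (VLAN), and the constructed sample MACs and rates.

```python
import re

def normalize_mac(mac):
    """Return aa:bb:cc:dd:ee:ff, accepting '-', ':' or '.' separated input."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_config(clients, vlan, acl_name="maclimit"):
    """clients: iterable of (mac, kbps). Returns (cli_lines, policy_text)."""
    limits = {}
    for mac, kbps in clients:
        mac = normalize_mac(mac)
        # Two spellings of one MAC would otherwise yield two conflicting entries.
        if mac in limits:
            raise ValueError(f"duplicate MAC address: {mac}")
        if not isinstance(kbps, int) or kbps <= 0:
            raise ValueError(f"bad rate for {mac}: {kbps!r}")
        limits[mac] = kbps
    cli, entries = [], []
    for mac, kbps in limits.items():
        tag = mac.replace(":", "")
        # One meter per client so each MAC gets its own committed rate.
        cli += [f"create meter m_{tag}",
                f"configure meter m_{tag} committed-rate {kbps} Kbps out-actions drop"]
        entries.append(
            f"entry lim_{tag} {{\n"
            f"    if {{\n        ethernet-source-address {mac};\n    }} then {{\n"
            f"        meter m_{tag};\n    }}\n}}\n")
    # Meters are created first; the policy is bound to the client VLAN last.
    cli.append(f"configure access-list {acl_name} vlan {vlan} ingress")
    return cli, "".join(entries)

# Constructed inventory: (MAC as exported by different tools, rate in Kbps).
CLIENTS = [("00-11-22-AA-BB-01", 2048), ("0011.22aa.bb02", 512)]

if __name__ == "__main__":
    cli, policy = build_config(CLIENTS, vlan="clients")
    print(policy)
    print("\n".join(cli))
```

The policy text is what goes into the policy file named by `acl_name`; the CLI lines are entered after that file is on the switch.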