Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE 16.11.x

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents

Find Matches in This Book

Results

Updated:: May 31, 2019

Chapter: Configuring Bi-Directional Rate Limiting Support with AAA Override

Configuring Bi-Directional Rate Limiting Support with AAA Override
Information About Bi-Directional Rate Limiting with AAA Override
Configuring Time of Day
Verifying Time of Day Configuration

Configuring Bi-Directional Rate Limiting Support with AAA Override

Information About Bi-Directional Rate Limiting with AAA Override

When a wireless client joins an access point, certain QoS policies get enforced on the access point. One such feature is the rate limiting for both upstream and downstream traffic at AP. The rate limiting feature when clubbed with AAA override supports specific set of policies based on the time of day and day of week. The AAA override then applies these policies coming from a RADIUS server to the access point.

Let’s consider a use case of time of the day in conjunction with user role. Usually, the user role is used as an extra matching criteria along with the time of day. You can club the time of day usage with any matching criteria to get the desired result. The matching will be performed when the client joins the controller.

You can configure policies as two separate components:

Defining policy attributes as service templates that are specific to clients joining the network and applying policy match criteria.
Applying match criteria to the policy.

To configure Bi-Directional rate limiting, perform the following:

Create a class map.

Note

You can apply a service template using either a class map or parameter map.

Create a policy map.

Create a service template.

Note

If class-map has to be used, associate the class-map to the policy-map and associate the service-template to the class-map.

Associate the policy-map to the policy profile.

Configuring Time of Day

Creating a Class Map

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 2	class-map type control subscriber match-all `class-map-name` Example: `Device(config)# class-map type control subscriber match-all match_tod`	Specifies the class map type and name.
Step 3	match join-time-of-day `start-time end-time` Example: `Device(config-filter-control-classmap)# match join-time-of-day 10:30 12:30`	Specifies a match to the time of day. Here, join time is considered for matching. For example, if the match filter is set from 11:00 am to 2:00 pm, a device joining at 10:59 am is not considered, even if it acquires credentials after 11:00 am. You should also disable AAA override for this command to work. Here, start-time and end-time specifies the 24-hour format.
Step 4	match day `day-of-week` Example: `Device(config-filter-control-classmap)# match day Mon`	Specifies a match to the day of week.
Step 5	end Example: `Device(config-filter-control-classmap)# end`	Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating a Policy Map

Procedure

Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

policy-map type control subscriber policy-map-name

Example:

Device(config)# policy-map type control subscriber match_tod

Specifies the policy map type.

Step 3

event identity-update match-all

Example:

Device(config-event-control-policymap)# event identity-update match-all

Specifies the match criteria to the policy map.

Step 4

class-num class class-map-name

Example:

Device(config-class-control-policymap)# 1 class match_tod do-until-failure

Example:

Device(config-action-control-policymap)# 1 activate service-template match_tod

Example:

Device(config-action-control-policymap)# map attribute-to-service table param

Configures the local profiling policy class map number and specifies how to perform the action or activates the service template or maps an identity-update attribute to an auto-configured template.

action-index activate service-template service-template-name

The following example shows how a parameter map has to be applied (service template is already associated with the parameter map param while creating it):

Step 5

end

Example:

Device(config-action-control-policymap)# end

Returns to privileged EXEC mode.

Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 6

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 7

wireless profile policy profile-policy

Example:

Device(config)# wireless profile policy default-policy-profile

Configures a wireless policy profile.

Caution

Do not configure aaa-override for native profiling under a named wireless profile policy.

Step 8

description profile-policy-description

Example:

Device(config-wireless-policy)# description "default policy profile"

Adds a description for the policy profile.

Step 9

subscriber-policy-name policy-name

Example:

Device(config-wireless-policy)# subscriber-policy-name match_tod

Configures the subscriber policy name.

Step 10

vlan vlan-id

Example:

Device(config-wireless-policy)# vlan 59

Configures a VLAN name or VLAN ID.

Step 11

end

Example:

Device(config-wireless-policy)# end

Returns to privileged EXEC mode.

Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating a Service Template

Procedure

Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

service-template service-template-name

Example:

Device(config)# service-template match_tod

Enters service template configuration mode.

Step 3

sgt sgt_value

Example:

Device(config-service-template)# sgt 100

Configures SGT.

Step 4

end

Example:

Device(config-service-template)# end

Returns to privileged EXEC mode.

Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Note

This way when a wireless client joins an access point on Monday (day of week), the client gets an SGT of 100 along with a VLAN.

Verifying Time of Day Configuration

To view class map details for a class map name, use the following command:

Device# show class-map type control subscriber name test
Class-map               Action                       Exec  Hit  Miss  Comp
---------                ------                      ----  ---  ----   ---
match-any test     match day Monday                    0     0    0     0    
match-any test     match join-time-of-day 8:00 18:00   0     0    0     0    
Key:
  "Exec" - The number of times this line was executed
  "Hit"  - The number of times this line evaluated to TRUE
  "Miss" - The number of times this line evaluated to FALSE
  "Comp" - The number of times this line completed the execution of its
       condition without a need to continue on to the end

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)