I currently have a 10Gb fiber connection into a Cisco 6500. I then have two fiber cables from the Cisco 6500 to each of the Edge Core Cumulus Switches for redundancy and load balancing.
Each has a connection to a Radius/DHCP server.
Each also has a connection to an Ubiquiti Power Beam acting as a host antenna. It is then wirelessly linked to a client Antenna to provide them internet access.
This is the most simple form of the setup I require.
The Cisco 6500 is a temporary device used to do the BGP until such time as this has been configured on the Edge Cores to replace this. It is transparent and simply passes the traffic through.
Bandwidth/Rate Limiting is currently something I am struggling to grasp. From the following :
I understand I can use Layer 2 to limit the rate of the connection; I presume from this that I can, using the MAC address, specify a specific rate. From the link above, however, as far as I understand, this can only be achieved using Netfilter and is only applicable to ingress traffic (I presume this would be the customer upload).
I cannot see any way that limiting the egress traffic is currently possible (I presume, again, that this would effectively be the client download speed).
Looking at the following link:
Particularly the last comment by hunterthomson, it appears it may be possible to limit egress traffic on Layer 3 using iptables and traffic control. If I understand correctly, I can set some static rules in the firewall (based on the client IP) to limit the egress rate. Provided I give the same IP to the same client, this should work.
My Radius/DHCP server will be configured to provide static IPs.
So, to wrap it all together: potentially I can limit ingress traffic using Layer 2 and Netfilter by referencing the user's MAC. I can then, on Layer 3, tag traffic using iptables and traffic control so that when the request is fulfilled and sent back to the Edge Core it limits the rate at which this traffic is allowed to pass through to the client.
If this is the case, I assume I could create a quick script and cron job to run every few minutes and collect all the DHCP leases from my Radius/DHCP server, including the necessary speed. Using this information I could then dynamically create both Netfilter and iptables rules, which would achieve dynamic filtering of both ingress and egress traffic.
My question really boils down to whether this is a feasible solution, whether anyone has tried this, or whether I have the wrong end of the stick completely.
Any other information or discussion about the possibility of this is greatly appreciated.
Just for my info, I found the following, which may help:
root@leaf2:/home/cumulus# cat /etc/cumulus/acl/policy.d/customer1.rules
# Variables expanded into the rule below: the ingress interface and the chain
INGRESS_INTF = br-100
INGRESS_CHAIN = FORWARD
# Rules in a policy.d file belong under a section header; [iptables] is the IPv4 section
[iptables]
# Police everything entering br-100 to 100 KB/s with a 100 KB burst (ingress only)
-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j police --set-mode KB --set-rate 100 --set-burst 100
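As an added example (not code from the post or from Cumulus), here is the shape the cron-driven generator described above could take: it turns a list of DHCP leases into a policy.d rules file with one police rule per client for upload (matched by source IP on the customer bridge) and one per uplink for download (matched by destination IP where the traffic from the Cisco enters). It assumes the customer bridge is br-100 as in the post, that the uplinks are named swp1 and swp2 (hypothetical), that the lease records are fetched by some other step, and that policing download traffic at ingress on the uplink port is an acceptable stand-in for egress shaping; every lease field is validated so that a malformed DHCP record cannot inject extra options into the generated rules.

```python
import ipaddress
import re

# Constructed sample leases, standing in for what the cron job would pull from the
# Radius/DHCP server. Rates are KB/s to match the police target's --set-mode KB.
LEASES = [
    {"ip": "10.10.0.11", "mac": "00:11:22:33:44:55", "up_kb": 100, "down_kb": 500},
    {"ip": "10.10.0.12", "mac": "66:77:88:99:aa:bb", "up_kb": 250, "down_kb": 1000},
]

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def validate_lease(lease):
    """Accept only a clean IPv4 address, MAC and positive integer rates.
    Anything else raises ValueError, so untrusted lease data never reaches the rules file."""
    ip = ipaddress.ip_address(lease["ip"])  # ValueError if not a bare address
    if ip.version != 4:
        raise ValueError("IPv4 only: %s" % lease["ip"])
    if not MAC_RE.match(lease["mac"].lower()):
        raise ValueError("bad MAC: %s" % lease["mac"])
    up, down = int(lease["up_kb"]), int(lease["down_kb"])
    if up <= 0 or down <= 0:
        raise ValueError("rates must be positive")
    return str(ip), up, down


def render_policy(leases, customer_intf="br-100", uplink_intfs=("swp1", "swp2")):
    """Return the text of a Cumulus policy.d file with police rules for every lease."""
    lines = ["# generated from DHCP leases - do not edit by hand", "[iptables]"]
    for lease in leases:
        ip, up, down = validate_lease(lease)
        # Upload: the client's packets enter on the customer bridge; match on source IP.
        lines.append(
            "-A FORWARD --in-interface %s -s %s -j police --set-mode KB --set-rate %d --set-burst %d"
            % (customer_intf, ip, up, up))
        # Download: packets for the client enter on an uplink; police there by destination IP
        # (assumption: ingress policing on the uplink stands in for egress shaping).
        for intf in uplink_intfs:
            lines.append(
                "-A FORWARD --in-interface %s -d %s -j police --set-mode KB --set-rate %d --set-burst %d"
                % (intf, ip, down, down))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write the output to /etc/cumulus/acl/policy.d/<name>.rules, then run cl-acltool -i
    print(render_policy(LEASES))
```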