Skip to main content

2 Messages


110 Points

Wed, Sep 27, 2017 3:48 PM


Single WLAN with dynamic VLAN rate limiting

We have an SSID setup with 802.1x authentication. The Virtual Smart Zone places you in the correct VLAN (Dynamic vlan) depending on your group membership. We want to rate limit one of the VLANs. What is the best solution and is this possible?


34 Messages


920 Points

3 years ago

The best way to accomplish this is to use SmartZone role-based policy. When you get group membership (group attribute) from RADIUS, you can use that attribute to assign the user/device to a role, which has a User Traffic Profile (UTP) assigned to it. That UTP can contain L3-7 policies as well as rate limiting. Configuration steps are as follows:
  1. create a UTP with the rate limit policy (you can also do this from the role context, so it's an easier UI flow)
  2. create a role and tie that UTP to it
  3. configure your attribute-to-role mapping within the AAA server profile 

388 Messages


5.9K Points

3 years ago

Marcus is perfectly conrrect.

And You must prepare ruckus VSA on ruckus server.

 It must also send VSA with auth-accept-packet on Radius server.

Then STRING into Ruckus-vsa and Role including UTF and VLAN is bound on vSZ.


3 Messages


90 Points

3 years ago

Hi guys. I have similar issue. One SSID, dynamic vlan with 10 vlans. In each vlan I will have max 5 users. I want to apply rate limit for vlan: 10 Mbps for vlan1, 20 Mbps for vlan2, 30 Mbps for vlan3 and so on. Rate limit I want is for entire vlan, not for single user. I followed Marcus's suggest and I think in point 3 he indicates to create many User Traffic Profile mapping. Group attribute has the same name of group greated on radius server.

After that, do I need to add some configurations on radius server or ruckus SZ? I cannot undestand the indications of Jeronimo. 

Thank you!