Rate limit individual users across WAN

Unanswered Question
Jul 15th, 2008

We have a client that is finding a need to limit the users at a remote location from pulling too much bandwidth across their WAN link. The remote site has about 120 users, all DHCP. They want to be able to limit a user from using more than, for example, 25% of the WAN link. Would we need to rate-limit each IP address in the DHCP scope or just list each IP address in an access-list and apply one rate limit?

Paolo Bevilacqua Tue, 07/15/2008 - 10:39

You would need to limit each IP address individually.

But before you do that, consider the following:

1. rate-limit is very destructive for TCP. You should use shaping instead.

2. Normally on the WAN link, you have a mechanism called fair sharing that prevents any single flow from monopolizing the circuit. So for example if you have a 2 Mbps link and 100 active users, each one would take 20 kbps of BW. Consequently, it is not necessary to do anything, because the router does that automatically. The reciprocal advantage is that when the circuit is free, the bandwidth can be used in full.

Please rate post if it helps!

ereinoehl Wed, 07/16/2008 - 04:51

When you said fair sharing, did you mean using Weighted Fair Queueing?

Paolo Bevilacqua Wed, 07/16/2008 - 04:53

Yes. Weighted means that if one flow has some precedence set in the IP header, it should be treated accordingly.

As an appreciation to those providing answers, please rate useful posts with the scrollbox below!

ereinoehl Wed, 07/16/2008 - 06:51

They want to limit general network traffic for the users, not just a specific type of traffic. They had a user from one office log in at another office and fill the WAN link while his profile transferred. Also the WAN link is a PPP Multilink with 2 T1s running about 1MB for data and another full T1, 1.5MB, 3825 router.

Paolo Bevilacqua Wed, 07/16/2008 - 07:04


WFQ works for general traffic and not for a specific type only.

If you configure "fair-queue" under the multilink interface, the situation you described will not happen any more.

A further step would be configuring QoS with priorities and BW limitations for classes, etc., but that is not always needed.

