Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Rate Limit Wireless Guest Traffic


I am looking for help on a requirement a customer has with Wireless Guest traffic

We have several large offices enabled with WiFi and at each office there are Cisco 2602 APs. These register to foreign WLAN Controllers in a Data Centre over WAN circuits. The Guest traffic is tunnelled back to Anchor Controllers also in the Data Centre and then switched out onto the Internet. 

What I am hoping to achieve is to limit Guest SSID traffic on a per site basis, both inbound and outbound, to 10% of the WAN bandwidth. This is to stop guest users taking all available bandwidth.

I can add a QoS policy to the WAN circuits at each site to restrict the Guest traffic outbound but cant find a way to restrict the traffic inbound protecting the bandwidth for corporate users. 

I am not allowed to amend the QoS policies on the Data Centre WAN circuits as this would mean adding a QoS policy for each remote WiFi enabled office. 

I have seen the URL,, but this does not fit the requirements we have.

Has anyone else come across this type of issue and if so what was done to protect the WAN circuit from guest WiFi traffic inbound


Thanks Martyn Taylor


Hall of Fame Super Gold

Another way of doing things

Another way of doing things is apply a policy shaping rule on the VLAN (or the default gateway) of the guest SSID is attached to.  

New Member

Thanks but I cant see how

Thanks but I cant see how that will restrict the traffic per site to 10% of each remotes sites WAN bandwidth. Adding a shaping policy will shape the traffic for all guests as the guest subnet is derived from the Anchor WLC.

New Member

I to have a similar issue

I to have a similar issue with rate limiting the Guest Services Protocol97 (EoIP) Tunnel to 500K of a T1 at each site.  My variation is I have access to both DC and Site routers for configuration, but have never rate limited a pass-through layer 2 tunnel.  Any help would be much appreciated and it may give martaylor some additional ideas.


martaylor, being you don't have access to the DC router, have you thought of using the QOS rate limiting on the anchor controller to limit inbound (internet) traffic at the anchor?  It's not idea, but you can limit by average bandwidth and still allow them a burst rate if you chose. 

New Member

Hi Martyn, I have the same

Hi Martyn,


I have the same issue now but our APs in the offices are working in FlexConnect mode.

Do you have found solution?





Hi,I haven't come across this


I haven't come across this type of issue

But information is provided on below link is complete, so where you are stucking ?.