Controlling bandwidth for guest users

Q: How can you control bandwidth utilization for your guest users vs. your internal users? We wouldn’t want guests using up all of my Internet bandwidth. Also, if guests and internal users use the same access points, what’s involved to keep the guests from seeing/accessing your internal servers? – Andrew F.

The Wizards gaze deeply into their crystal ball and respond:

Rohit Mehra, Bluesocket

There are two parts to this question, starting with bandwidth optimization, an important requirement for enterprise WLAN deployments. 802.11 is a shared bandwidth technology, so network contention becomes an issue as the number of users and network traffic increase. In some cases, certain users or applications could ‘hog’ all available bandwidth, bringing the network to a crawl. The best way to manage bandwidth is to use a central wireless infrastructure device such as a controller or a gateway (aggregating traffic from your access points), which will provide tools for traffic prioritization and QoS, besides bandwidth management. Depending on what you use, you could control bandwidth on incoming and outgoing traffic – by individual user, group (role), or even by service or application. For example, you could ensure that specific guests get a maximum bandwidth (e.g. 256K bit/sec), or all guests in your network are allocated an aggregate bandwidth (e.g. 2M bit/sec), thus allowing bandwidth to be available for internal employees and mission critical applications.

Your other question pertains to separating or securing your internal network from visitors or guests. The first step to achieve this is to use multiple Service Set Identifiers (SSID) and virtual LANs – a guest VLAN can be set up in a way that all users on that VLAN are only provided with Internet access, but have no access to internal network resources. A more robust and recommended approach is the same as mentioned earlier – to use any of the policy enabled wireless infrastructure appliances (gateways, controllers) that are now quite popular. These let you provide for granular access control mechanisms, which provide convenient management of privileges for different categories of users – based on type of user, destination, applications, user locations and time/date schedules.

Dan Simone, Trapeze Networks

You can control bandwidth characteristics of guests vs. your internal users by utilizing a system that ascribes a class of service over wireless based on the user’s identity. The access point should put the guests vs. your internal user’s traffic into different user queues. To keep the traffic isolated while using the same access points, you must first establish the identity of guests vs. internal users using strong authentication such as 802.1x and then utilize adequate encryption such as Temporal Key Integrity Protocol (TKIP) and AES. The identity of the internal user or guest will then determine which subnet the user is authorized to join. The access point will then utilize different unicast and multicast encryption keys based on which subnet a user joins. In this way, users are identified, placed on the right subnet and their traffic encrypted differently from other subnets for isolation.

Internal users and guests could use the same or separate SSIDs, but using multiple SSIDs is not an isolation mechanism, because any user can configure their device for which SSID to use. It is most important to use strong authentication and encryption for your internal users, while guests could be relegated to lesser authentication and encryption depending on your needs.

Joel Vincent, Meru Networks

You need a WLAN system that is can support dynamic QoS. The infrastructure (i.e. the access points) must be able to recognize on the fly whether a user is internal or external. This will let you set up priority for internal traffic over external traffic. The QoS capability gives you the advantage of allowing better service for guests when there is no internal traffic running on the network and yet guarantees that internal traffic gets the bandwidth when it is needed.

If you want to place static limits on external traffic for whatever reason (say, you don’t mind public access on your network but you don’t want it to be better than Starbucks), you should be able to establish bandwidth limits that are based on a user’s login.

If your WLAN system is incapable of advanced wireless control, such as being able to control air-link quality, then it is possible to establish a bandwidth limit using the routers and switches on the wired network. This is a bit more work and would require reconfiguration of wired LAN elements, but it is a possibility.

As for the separation of guest and internal traffic, you should have a WLAN system capable of supporting multiple Extended Service Set Identifiers (ESSID). In addition, you should be able to have ESSIDs that can exist with other ESSIDs without beaconing. Some systems don’t allow flexible beaconing, and force all ESSIDs to be advertised or none at all – which doesn’t meet the functionality you are looking for.

Bob O’Hara, Airespace

The first question is a quality of service question. There are several ways to control bandwidth utilization for different classes of users. Unfortunately, there is nothing available as part of the 802.11 standard, yet. To control bandwidth utilization today, your WLAN provider needs to measure and police the WLAN usage for every user on your WLAN. Then the access points must be able to queue data independently for each user, in order to dole out the packets and keep within the allocation for the user. Another way to do this would be to use a “packet shaper” device at your Internet gateway.

The second question is a security question. But it also bears on the first question, as well. What is required here is differential security being applied to different user classes. The first step is to be able to identify the different user classes, your guest users and internal users. This can be done by using access points that can support more than one WLAN at the same time, called virtual APs. Virtual APs look like normal access points to the users’ devices, just that there appear to be more access points than are physically present. Each WLAN can have its own SSID and security policy. The security policy might involve assigning different VLAN tags or access control lists (ACL) to the users of each WLAN. This would allow logical segregation of the users of each WLAN. Some equipment available today can also provide physical segregation of users on different WLANs also.