DISCLAIMER - I am not a switch/router guy, and I'm new to Adtran. I know enough to be incompetent, flame on.... These are not my actual IPs, but close enough to represent them.
I have a 3448. I bought this because I thought I could use it to limit upload/download bandwidth per port, but an Adtran support person told me it won't really do that at a per-switch-port level. However, reading some of the documents, it seems I could implement some class weighted fair queuing which might accomplish this. My main goal is to prevent my 15 year old from consuming all the ISP bandwidth downloading game updates, uploading YouTube files, and streaming HD media. My current wifi router doesn't give me that capability.
I have the wifi router IP at 10.218.9.2; it provides DHCP service for 10.218.9.1 - 200.
I have eth 0/1 on 3448 at 10.218.10.2
I have 3448 default gw pointing to 10.218.9.2
-------------------------------------------------------------------
If I can't grab DHCP off the wifi router, that's okay, I just need to understand the limitations.
-------------------------------------------------------------------
I have DHCP pool set to 10.218.9.0 on 3448
I have DHCP pool exclude set to 10.218.9.1 to 10.218.9.200 on 3448
I have vlan 1 (default) set to switchport 1, set to access mode, ip 10.218.15.2 <--- Full bandwidth
I have vlan 2 set to switchport 2, set to access mode, ip 10.218.16.2 <-- Want to limit bandwidth to 3 mb down/up on this link - web, video, files, voip, want to provide 10.219.9.X DHCP to computers, from 10.218.9.2
I have vlan 3 set to switchport 3, set to access mode, ip 10.218.17.2 <-- Want to limit bandwidth to 5 mb down/up on this link - web, video, files, want to provide 10.218.9.X DHCP to computers, from 10.218.9.2
I have vlan 4 set to switchport 4, set to access mode, ip 10.218.18.2 <-- No bandwidth limits, want to provide 10.218.9.X DHCP to computers, from 10.218.9.2
I have vlan 5 set to switchport 5, set to access mode, ip 10.218.19.2 <-- No bandwidth limits, want to provide 10.218.9.X DHCP to computers, from 10.218.9.2
I have vlan 5 set to switchport 6, set to access mode, ip 10.218.19.2 <-- No bandwidth limits, want to provide 10.218.9.X DHCP to computers, from 10.218.9.2
I have vlan 5 set to switchport 7, set to access mode, ip 10.218.19.2 <-- No bandwidth limits, want to provide 10.218.9.X DHCP to computers, from 10.218.9.2
I have vlan 5 set to switchport 8, set to access mode, ip 10.218.19.2 <-- No bandwidth limits, want to provide 10.218.9.X DHCP to computers, from 10.218.9.2
I have ip route 10.218.9.0 255.255.255.0 10.218.10.2, but I am not sure if I need more or if this is correct.
I believe I have the firewall configured to allow any traffic in and out, but I could be wrong. I don't understand the policies and access control lists well. I did the above with the help of one of the Adtran training power packs. Based on the above - entire config attached - I can plug a client PC into switch port 1, and ping from a client IP (call it 10.218.15.50) to 10.218.15.2 (eth 0/1), and to all the VLAN IPs listed above. What I can't do is ping 10.218.9.2, the wifi router (and the gateway to the internet), from the client PC on switch port 1, nor can I ping any of the VLANs from outside eth 0/1.
I have read that an ip helper address is needed to get the VLANs to use the DHCP from the 3448, and I have tried that over the last few days without much luck.
I have been able to do a simple basic configuration, where all the switch ports (1-8) are on 10.10.10.1 getting DHCP and going out to the internet over 10.218.9.2. This doesn't allow the other computers to ping or connect in to the 10.10.10.1 addresses though, which I assume to be a firewall or routing issue. What I posted above, if I can get it to work, is the best case scenario, but it's more complex than my abilities, I think.
Any assistance or guidance would be greatly appreciated, thanks in advance.
Your best bet will probably be to control your traffic patterns per IP address through QOS policies. You are not going to be able to use the same IP on multiple VLAN interfaces on your router.
First, you will want to make sure whatever devices you are trying to limit have static IPs. If you don't want to fully bother with setting up static IPs on devices (such as phones, game consoles, etc...) you can set up a static DHCP assignment by hardware/MAC address through AOS (assuming you are using the 3400 for DHCP). See Configuring DHCP in AOS - the configuration example begins on page 7.
From there, you can apply policies based on IP address. I've done something similar for one of my company's executives, where we handle the dedicated access at his house.
Sample Config:
First, set up an ACL to match the host traffic. You should set up 2 ACLs, one for each direction.
ip access-list extended kids_net_upload
remark Traffic from Kids Network
permit ip host 10.218.9.10 any
!
ip access-list extended kids_net_download
remark Traffic to Kids Network
permit ip any host 10.218.9.10
Then set up 2 QOS policies, one for your WAN and one for the LAN.
qos map UPLOAD 5
match ip list kids_net_upload
shape average 3000000
qos map UPLOAD 10
match any
!
qos map DOWNLOAD 5
match ip list kids_net_download
shape average 3000000
qos map DOWNLOAD 10
match any
And apply to interfaces. Remember, you can only control bandwidth from the interface sending it, not the interface receiving it. So you basically have to slow down traffic being sent out the WAN and LAN, respectively. While this isn't the best QOS option, it is normally pretty effective.
interface WAN
qos-policy out UPLOAD
interface LAN_VLAN
qos-policy out DOWNLOAD
This should give you some granular control for traffic control on your router. Doing it port based would leave the potential for someone to move a cable to a port without control and take advantage of the bandwidth. By binding the same IP to the host in the router and then applying traffic control per IP, you guarantee that device will always get that IP and have its bandwidth limited. You can also put multiple host IPs in an ACL, although I think if the same QOS policy is applied to an ACL, all hosts will share that bandwidth, so you could end up jamming 20 hosts into a 3mb limiter. You can also build multiple ACLs and multiple QOS matchers. There are multiple ways to skin this cat, so to speak, but this is one of the most direct and simplest approaches.
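The answer above relies on two ideas: an ACL per direction (source host for upload, destination host for download) and a shaper applied as an `out` policy on the interface that is sending the traffic. The following Python simulation is an added example, not part of the original post and not Adtran code. It models the two ACLs, the two QOS maps (a 3 Mbps shaper at sequence 5, match-any at sequence 10) and a virtual-clock shaper on WAN and LAN egress, then measures the rate each host actually gets. The host addresses 10.218.9.10 and 10.218.9.20, the internet address 203.0.113.5 and the offered traffic pattern are constructed for the demo. It also reproduces the caveat at the end of the answer: two hosts listed in one ACL under one shaper share the single 3 Mbps limit between them.

```python
# Simulation of per-host QoS: direction-specific ACLs plus an egress shaper.
# Added example, not Adtran AOS code. All hosts, rates and traffic are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    size: int        # bytes
    arrival: float   # seconds


class Acl:
    """Minimal extended ACL: a list of (src_net, dst_net) permit entries."""
    def __init__(self, name, entries):
        self.name = name
        self.entries = [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in entries]

    def matches(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(src in s and dst in d for s, d in self.entries)


class Shaper:
    """Rate shaper as a virtual clock: packets are delayed (queued), never dropped."""
    def __init__(self, rate_bps):
        self.bytes_per_sec = rate_bps / 8.0
        self.next_free = 0.0     # time the link becomes free for the next packet

    def depart(self, pkt):
        start = max(pkt.arrival, self.next_free)
        self.next_free = start + pkt.size / self.bytes_per_sec
        return self.next_free    # departure time of this packet


@dataclass
class QosEntry:
    seq: int
    acl: Optional[Acl]          # None means "match any"
    shaper: Optional[Shaper]    # None means forward at line rate


class QosMap:
    """Ordered qos-map entries; first match wins, like the router's sequence numbers."""
    def __init__(self, name, entries):
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.seq)

    def classify(self, pkt):
        for e in self.entries:
            if e.acl is None or e.acl.matches(pkt):
                return e
        return None


def run_egress(qos_map, packets):
    """Apply a map 'out' on one interface. Returns {seq: (bytes, first_arrival, last_departure)}."""
    stats = {}
    for pkt in packets:
        e = qos_map.classify(pkt)
        if e is None:
            continue  # no entry matched: the packet gets no forwarding class here
        dep = e.shaper.depart(pkt) if e.shaper else pkt.arrival
        b, first, last = stats.get(e.seq, (0, pkt.arrival, 0.0))
        stats[e.seq] = (b + pkt.size, first, max(last, dep))
    return stats


def achieved_bps(stats, seq):
    """Throughput actually delivered for one map entry, in bits per second."""
    b, first, last = stats[seq]
    return 8.0 * b / (last - first) if last > first else float("inf")


def flow(src, dst, size, count, rate_bps, start=0.0):
    """Constructed traffic: `count` packets of `size` bytes offered at `rate_bps`."""
    gap = size * 8.0 / rate_bps
    return [Packet(src, dst, size, start + i * gap) for i in range(count)]


KID = "10.218.9.10"        # host pinned by a static DHCP binding, as the answer suggests
OTHER = "10.218.9.20"      # an unlimited host on the same LAN
INTERNET = "203.0.113.5"   # constructed remote address
LIMIT = 3_000_000          # the answer's "shape average 3000000" (3 Mbps)


def build_maps():
    up_acl = Acl("kids_net_upload", [(KID + "/32", "0.0.0.0/0")])        # permit ip host KID any
    down_acl = Acl("kids_net_download", [("0.0.0.0/0", KID + "/32")])    # permit ip any host KID
    upload = QosMap("UPLOAD", [QosEntry(5, up_acl, Shaper(LIMIT)), QosEntry(10, None, None)])
    download = QosMap("DOWNLOAD", [QosEntry(5, down_acl, Shaper(LIMIT)), QosEntry(10, None, None)])
    return upload, download


def demo():
    """Both hosts offer 12 Mbps in each direction for 2 s; only KID should be held to 3 Mbps."""
    upload, download = build_maps()
    wan_out = sorted(flow(KID, INTERNET, 1500, 2000, 12_000_000)
                     + flow(OTHER, INTERNET, 1500, 2000, 12_000_000), key=lambda p: p.arrival)
    lan_out = sorted(flow(INTERNET, KID, 1500, 2000, 12_000_000)
                     + flow(INTERNET, OTHER, 1500, 2000, 12_000_000), key=lambda p: p.arrival)
    wan, lan = run_egress(upload, wan_out), run_egress(download, lan_out)
    return {"wan_kid_bps": achieved_bps(wan, 5), "wan_other_bps": achieved_bps(wan, 10),
            "lan_kid_bps": achieved_bps(lan, 5), "lan_other_bps": achieved_bps(lan, 10)}


def shared_limiter_demo():
    """Two hosts in one ACL under one shaper: they split the 3 Mbps, as the answer warns."""
    shared = Acl("kids_shared", [(KID + "/32", "0.0.0.0/0"), (OTHER + "/32", "0.0.0.0/0")])
    qmap = QosMap("UPLOAD_SHARED", [QosEntry(5, shared, Shaper(LIMIT)), QosEntry(10, None, None)])
    pkts = sorted(flow(KID, INTERNET, 1500, 2000, 12_000_000)
                  + flow(OTHER, INTERNET, 1500, 2000, 12_000_000), key=lambda p: p.arrival)
    return achieved_bps(run_egress(qmap, pkts), 5)   # combined rate of both hosts


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v / 1e6:.2f} Mbps")
    print(f"shared limiter, both hosts together: {shared_limiter_demo() / 1e6:.2f} Mbps")
```

The direction check is the part worth noticing: a packet from the kid's host to the internet hits sequence 5 of UPLOAD on the WAN but only the match-any entry of DOWNLOAD, so applying DOWNLOAD on the LAN never touches upstream traffic, and vice versa. That is why each interface needs its own ACL and map, and why a single host that can reach 12 Mbps unshaped is delivered at 3 Mbps once the shaper is in the sending path.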
I'll give that a shot and send an update. Thanks for the advice in advance.