Guaranteed traffic for leadership?
Posted: Tue Sep 25, 2018 2:10 pm
I'm serving as Stake Technology Specialist. I received a request from my stake president asking if there is any possible way that I could configure the system in the stake center such that there is guaranteed bandwidth available to the leadership. Basically, since he is at the building for several hours every Sunday beyond his sacrament meeting, he would like to have reliable access to Internet sites related to his calling in spite of however many other church members in other wards are saturating the LDSAccess wifi at the moment, and without having to tether his equipment to a cell phone data plan.
I am aware that I can use tm.lds.org to dynamically tighten the firewall filters on Sunday from normal to strict, so that members aren't able to access bandwidth-hogging services like video downloads, in the hope that it makes the overall bandwidth usage nicer for everyone (including the stake president), but that's not the same as actually guaranteeing bandwidth to any particular client.
The stake president even offered to provide a separate Access Point box in order to allow me to set up a second SSID/password (leadership would be told to use that network to get guaranteed bandwidth, while the general membership continues to use the LDSAccess SSID for whatever bandwidth is left over). If I were to install that AP in between the ISP modem and the firewall box, then I've trivially met the bandwidth guarantees (the AP gets traffic first, and the firewall gets whatever is left over) - but bypassing the firewall filters is not wise. Conversely, if I put the AP downstream from the firewall, then it is competing with everything else the firewall is servicing (so filtering works, but not only did I not solve bandwidth, it might actually be worse for the leadership SSID depending on whether the firewall treats the AP as a single client rather than as a passthrough device to multiple clients). Then, regardless of whether I were to stick an AP before or after the firewall, there's the even bigger issue that church policy recommends against installing any rogue equipment (inserting our own equipment instead of using what the FM group provides is NOT the way technology is supposed to be run).
I know that it is a common thing in enterprise-grade networking equipment to be able to set up separate subnets and/or SSIDs, where you can configure priority levels of service based on which subnet a client is connected to, or even based on client MAC addresses. However, in browsing through tm.lds.org, while the firewall equipment itself may be capable of such a network setup, the interface exposed to the STS does NOT let me tweak anything along those lines (I can see that my firewall has three zones: USER serving 192.168.108.2 - 192.168.111.254, with all the Meraki APs tied to that zone; then FAC serving 10.173.33.2 - 10.173.33.14 and SP serving 10.156.171.2 - 10.156.171.254) - but there is no way to add a new zone, or to switch an AP over to a different zone, or anything else that would let me set up priority traffic for leadership.
Does anyone have ideas or solutions they have used for giving guaranteed bandwidth to leadership while still remaining compliant with policy? Or is this something where I will gently have to inform my stake president that, as important as his calling is, I still can't bend the rules to give him better Internet access than anyone else in the building?