Common Use Cases > Quota Enforcement

Quota Enforcement Scenarios

Quotas are an effective way to enforce fair sharing of the network or to ensure customers receive only the amount of access to the network for which they have paid. Quotas can enforce caps based on a data transfer amount or based on the amount of time on the network. After the quota has been reached, a variety of actions could take place, such as throttling or blocking all data, or throttling only particular types of traffic, or redirecting the user to a particular webpage.

To support quota enforcement scenarios, you need to configure the following:

  1. Create an adaptive response limit object to define how the quota is measured and to identify the users that have exceeded their quota by using a named network object.

    The adaptive response object can specify whether to set a network-traffic data-volume limit or a time limit. The adaptive response object identifies the traffic that is monitored against the specified quota as a network object. The network object can either be based on IP addresses, or based on Active Directory users or user groups. The adaptive response object tracks those that have exceeded their quota by dynamically adding them to a named network object.

  2. Add a policy (or policies) to the Optimizer policy tree for those who are over their limit.

    The policy that addresses those that have exceeded their quota is defined according to your business needs. You can choose to throttle their traffic or block it entirely. When they have HTTP traffic, you can also choose to redirect them to a webpage that you host or respond with a webpage that the Exinda Appliance hosts.

    If needed you can combine these, such that the first policy filters for HTTP traffic and then shows a webpage, but then other types of traffic are caught by a second policy that blocks the remaining traffic.

  3. Add policies to the Optimizer policy tree for those under the limit.

    The remaining policies define how to deal with the traffic of the users who have not yet exceeded their quota.

    Note

    Since the Exinda Appliance attempts to match the traffic to the filters in the policies (and virtual circuits) in the top-down order defined in the Optimizer policy tree, you need to set up the series of policies with the most specific filter criteria appearing first in the policy tree, which means the policies should appear in the following generalized order.

    • Those who have exceeded their quota and have HTTP traffic
    • Those who have exceeded their quota and have other types of traffic
    • Remaining traffic (that is, those who have not exceeded their quota)

To learn more about the individual components needed for quota enforcement, see Configure Adaptive Response Limit, Configure Network Objects, Configure Network User Groups, Configure HTML Response Object, Policy Tree, and Policies.

ClosedExample: Users each have a 10GB capped data quota

Consider an educational institution that has a group of students who have IP addresses in the subnet 192.168.0.0/16. Each student is allowed 10GB data transfer (uploads and downloads) per month. After the limit is reached, they are allowed no more data.

  1. Create a network object to represent the students.

    OPTION 1: Create a static network object using the Configuration > Objects > Network > Network Objects page.

    OPTION 2: Create a network user group object using the Configuration > Objects > Users & Groups > Network Groups page.

  2. Create an adaptive response limit object that defines the 10GB limit as well as the destination dynamic network object that will contain the students who exceeded their quota using the Configuration > Objects > Adaptive Response page.

  3. Configure the policy tree such that the students over quota are blocked from further data.

    In the virtual circuit that will process the student data, create a policy that will block the students who have exceeded their quota and ensure that it is first in the virtual circuit. The rest of the policies can manage the traffic however you like, perhaps choking P2P and throttling streaming.

ClosedExample: Users each have a 10GB data quota after which recreational traffic is severely throttled

Consider an educational institution that has a group of students who have IP addresses in the subnet 192.168.0.0/16. Each student is allowed 10GB data transfer (uploads and downloads) per month. After the limit is reached, they are allowed access to education resources, but recreational traffic is throttled.

  1. Similar to the example above, create a network object to represent the students.

  2. Similar to the example above, create an adaptive response limit object that defines the 10GB limit as well as the destination dynamic network object that will contain the students who exceeded their quota.

  3. Configure the policy tree such that the students over quota have different policy than those that are within their quota.

    Create two virtual circuits - one that maps to the Students-Over-Quota network object and one that maps to the Students network object. Ensure the Students Over Quota virtual circuit appears first. In this example, the students that have exceeded their monthly limit get placed in a 512 kbps virtual circuit, whereas all other students (the ones who have not exceeded their monthly limit) are placed in a 10Mbps Virtual Circuit.

    Note the policies within the two virtual circuits can be different so that what is throttled can be different for those over quota. For instance, perhaps you want to throttle recreational traffic more severely for those students who are over quota.

ClosedExample: Users have a 10GB capped data quota after which they are redirected to a page on your website that explains the quota

Consider an educational institution that has a group of students who have IP addresses in the subnet 192.168.0.0/16. Each student is allowed 10GB data transfer (uploads and downloads) per month. After the limit is reached, they are redirected to a website that explains the quota limit.

  1. Similar to the example above, create a network object to represent the students.

  2. Similar to the example above, create an adaptive response limit object that defines the 10 GB limit as well as the destination dynamic network object that will contain the students who exceeded their quota.

    To create the policy that redirects the traffic:

    1. Select HTTP Redirect as the policy action.
    2. Specify the URL that you would like the unauthenticated user to be redirected to in the Redirect URLfield.

      Traffic matching this policy will be forwarded to the specified URL, which will cause the specified URL to be presented to the client.

    3. Type the Filter Rules.

      The only allowable applications are HTTP, HTTP-ALT, and HTTPS. It is recommended to add three filter rules - one for each of these applications.

      For each of the filter rules specify the Filter traffic Source to be the destination network object that was created as part of the adaptive response limit object and specify the Filter traffic Direction to be Both.

    To create a policy that blocks remaining unauthenticated traffic:

    1. Select Discard as the policy action.
    2. If you want to block all unauthenticated traffic, then do not check the Discard only the first packet of the connection checkbox.

    3. Type the Filter Rules specifying the students over quota network object.

      Specify the Filter traffic Source to be the destination network object that was created as part of the adaptive response limit object and specify the Filter traffic Direction to be Both.

  3. Configure the policy tree such that the students over quota are redirected to a particular website when accessing web traffic and all other data access for those students is blocked, followed by policy for students who have not exceeded quota.
ClosedExample: Users have a two hour web usage quota after which they are presented with a webpage that indicates their time is up

Consider a public space with complimentary wifi access such as a shopping mall. Shoppers are allowed wifi access for 2 hours after which they are presented with a page that indicates that their time is up and thanking them for their patronage. In this scenario, the webpage can be "hosted" by the Exinda appliance.

  1. Similar to the example above, create a network object to represent the students.

  2. Create an adaptive response limit object that defines a 120 minute limit, as well as the destination dynamic network object that will contain the shoppers who exceeded their quota.

  3. Create an HTML Response object that defines what the webpage will look like once the shoppers have exceeded 2 hours of usage. See the Configuration > Objects > HTML Response page.

    In this example, when users exceed the two hour limit, they will see the following webpage:

  4. Configure the policy tree such that the shoppers over quota are presented with a HTML response web page when accessing web traffic and all other data access for those shoppers is blocked, followed by policy for shoppers who have had access for less than 2 hours.

    To create the policy that presents the HTML response web page:

    1. Select Return HTML Response as the policy action.
    2. Select the HTML Response Object that you created in step 3.

      Web traffic matching this policy will be sent back an HTML response with the contents of the HTML Response object, which will cause the a web page to be presented to the client.

    3. Type the Filter Rules.

      The only allowable applications are HTTP, HTTP-ALT, and HTTPS. It is recommended to add three filter rules - one for each of these applications.

      For each of the filter rules specify the Filter traffic Source to be the destination network object that was created as part of the adaptive response limit object and specify the Filter traffic Direction to be Both.

    To create a policy that blocks remaining traffic for the shoppers who are over quota:

    1. Select Discard as the policy action.
    2. If you want to block all traffic, then do not check the Discard only the first packet of the connection checkbox.

    3. Type the Filter Rules specifying the shoppers over quota network object.

      Specify the Filter traffic Source to be the destination network object that was created as part of the adaptive response limit object and specify the Filter traffic Direction to be Both.

| Exinda.com

Using the help

Last Updated: Monday, February 1, 2016 at 12:25 PM

Exinda Management Center 2.0 ExOS 7.4.1 | Copyright © 2016 Exinda Networks, Inc.