Setting and enforcing quotas
Quotas are an effective way to enforce fair sharing of the network or to ensure customers receive only the amount of access to the network for which they have paid. Quotas can enforce caps based on a data transfer amount or based on the amount of time on the network. After the quota has been reached, a variety of actions could take place, such as throttling or blocking all data, or throttling only particular types of traffic, or redirecting the user to a particular webpage.
To support quota enforcement scenarios, you need to configure the following:
- Create an adaptive response limit object to define how the quota is measured and to identify the users that have exceeded their quota by using a named network objecta logical definition created and stored in the Exinda lilbrary, can represent any network component. The adaptive response object can specify whether to set a network-traffic data-volume limit or a time limit. The adaptive response object identifies the traffic that is monitored against the specified quota as a network object. The network object can either be based on IPInternet protocol addresses, or based on Active Directory users or user groups. The adaptive response object tracks those that have exceeded their quota by dynamically adding them to a named network object.
- Add a policy (or policies) to the Optimizer policy tree for those who are over their limit. The policy that addresses those that have exceeded their quota is defined according to your business needs. You can choose to throttle their traffic or block it entirely. When they have HTTP traffic, you can also choose to redirect them to a webpage that you host or respond with a webpage that the Exinda Appliance hosts. If needed you can combine these, such that the first policy filters for HTTP traffic and then shows a webpage, but then other types of traffic are caught by a second policy that blocks the remaining traffic.
- Add policies to the Optimizer policy tree for those under the limit. The remaining policies define how to deal with the traffic of the users who have not yet exceeded their quota.
Since the Exinda Appliance attempts to match the traffic to the filters in the policies (and virtual circuits) in the top-down order defined in the Optimizer policy tree, you need to set up the series of policies with the most specific filter criteria appearing first in the policy tree, which means the policies should appear in the following generalized order.
- Those who have exceeded their quota and have HTTP traffic
- Those who have exceeded their quota and have other types of traffic
- Remaining traffic (that is, those who have not exceeded their quota)
To learn more about the individual components needed for quota enforcement, see Configure Adaptive Response Limit, Configure Network Objects, Configure Network User Groups, Configure HTML Response Object, Policy Tree, and Policies.
Example: Each user has a 10GB capped data quota
Consider an educational institution that has a group of students who have IP addresses in the subnet 192.168.0.0/16. Each student is allowed 10GB data transfer (uploads and downloads) per month. After the limit is reached, they are allowed no more data.
- Create a network object to represent the students.
OPTION 1: Create a static network object using the Configuration > Objects > Network > Network Objects page.
OPTION 2: Create a network user group object using the Configuration > Objects > Users & Groups > Network Groups page.
- Create an adaptive response limit object that defines the 10GB limit as well as the destination dynamic network objectnetwork objects automatically updated and maintained by the Exinda appliance that will contain the students who exceeded their quota using the Configuration > Objects > Adaptive Response page.
- Configure the policy tree such that the students over quota are blocked from further data. In the virtual circuitlogical definitions that partition a a physical network circuit and used to determine what traffic passes through it and how much that will process the student data, create a policy that will block the students who have exceeded their quota and ensure that it is first in the virtual circuit. The rest of the policies can manage the traffic however you like, perhaps choking P2P and throttling streaming.
- Create an HTML Response object that defines what the webpage will look like once the shoppers have exceeded 2 hours of usage. See the Configuration > Objects > HTML Response page.
- Configure the policy tree such that the shoppers over quota are presented with a HTML response web page when accessing web traffic and all other data access for those shoppers is blocked, followed by policy for shoppers who have had access for less than 2 hours.
To create the policy that presents the HTML response web page:
- Select Return HTML Response as the policy action.
- Select the HTML Response Object that you created in step 3.
Web traffic matching this policy will be sent back an HTML response with the contents of the HTML Response object, which will cause the a web page to be presented to the client.
- Type the Filter Rules.
The only allowable applications are HTTP, HTTP-ALT, and HTTPS. It is recommended to add three filter rules - one for each of these applications.
For each of the filter rules specify the Filter traffic Source to be the destination network object that was created as part of the adaptive response limit object and specify the Filter traffic Direction to be Both.
To create a policy that blocks remaining traffic for the shoppers who are over quota:
- Select Discard as the policy action.
- If you want to block all traffic, then do not check the Discard only the first packet of the connection checkbox.
- Type the Filter Rules specifying the shoppers over quota network object.
Specify the Filter traffic Source to be the destination network object that was created as part of the adaptive response limit object and specify the Filter traffic Direction to be Both.