Configures upstream/downstream rate limits and the VLAN ID. Clients matching this user-defined role's filters are associated with the specified VLAN and assigned the specified data rates.

Supported on the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000


assign [rate-limit|vlan]
assign rate-limit [from-client|to-client] <1-65536>
assign vlan <1-4094>


assign rate-limit [from-client|to-client] <1-65536>

Assigns an upstream and downstream traffic rate limit.
  • from-client – Assigns a rate limit, in Kbps, for the upstream (from client) traffic

  • to-client – Assigns a rate limit, in Kbps, for the downstream (to client) traffic

  • <1-65536> – Specify upstream and/or downstream rate limits from 1 - 65536 Kbps.

Note: Wireless clients matching this user-defined role are assigned the configured rate limits.

assign vlan <1-4094>

Assigns a VLAN (identified by the VLAN's ID). Clients matching this user-defined role are associated with the specified VLAN. The VLAN ID represents the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server).

This feature is disabled by default.

  • <1-4094> – Specify the VLAN ID from 1 - 4094.

Note: A wireless client that fails to match any user-defined role is assigned to the default role (configured as a role policy setting) and is mapped to the default VLAN under the WLAN.

User Guidelines

ACLs can only be used with tunnel or isolated-tunnel modes. They do not work with the local and automatic modes.

For a bridge VLAN, the default bridging mode is 'auto'. Change the bridging mode to 'tunnel'. This extends the controller's existing VLAN onto the AP and ensures that wireless clients are served IP addresses.

The VLAN configured under the user-defined role need not exist under the WLAN. However, when using tunneled VLAN bridges, configure an additional bridge VLAN. If the VLAN bridging mode is 'local', no additional VLAN configuration is required.


rfs4000-229D58(config-role-policy-test-user-role-test)#assign rate-limit to-client 200
rfs4000-229D58(config-role-policy-test-user-role-test)#show context
 user-role test precedence 1
  assign vlan 1
  assign rate-limit to-client 200

The following example defines a role used to forward the IP traffic from all engineers in Test_Company, Santa Clara, USA onto VLAN 2.
  1. Create a new role policy with name 'test-policy'.
    <DEVICE>(config)#role-policy test-policy
  2. Specify the LDAP server used for this role policy.
    <DEVICE>(config-role-policy-test-policy)#ldap-query self
    <DEVICE>(config-role-policy-test-policy)#ldap-server 1 host bind-dn 
    CN=Administrator,CN=Users,DC=testtest,DC=com base-dn CN=Administrator,CN=Users,
    DC=com bind-password 0 test port 389
    <DEVICE>(config-role-policy-test-policy)#ldap-timeout 2
  3. Create a user-defined role.
    <DEVICE>(config-role-policy-test-policy)#user-role SCEngineer precedence 100
  4. Define the role by adding appropriate values and match operators.
    <DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#city exact santa-clara
    <DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#company exact ExampleCompany
    <DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#country exact usa
    <DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#title contains engineer
    <DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#assign vlan 2
  5. Apply role policy to an access point.
    ap7161-99BFA8(config-device-ap7161)# use role-policy test-policy
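
An added example (not from the vendor documentation): a Python check that reads a saved configuration and flags `assign` lines falling outside the syntax and ranges documented above, plus role VLANs whose bridge VLAN is still in 'auto' mode. The sample configuration is constructed, the function name `audit` is hypothetical, and the `bridge vlan <id>` / `bridging-mode <mode>` stanza layout is an assumption not shown on this page.

```python
import re

# Constructed sample in the indented style of `show context`; not from a real device.
SAMPLE = """\
role-policy test-policy
 user-role SCEngineer precedence 100
  assign vlan 2
  assign rate-limit to-client 200
 user-role Guest precedence 200
  assign vlan 4095
  assign rate-limit from-client 70000
  assign vlan-id 3
bridge vlan 2
 bridging-mode auto
"""

# Only the two forms documented on this page: assign vlan / assign rate-limit.
ASSIGN = re.compile(
    r"assign\s+(?:vlan\s+(?P<vlan>\d+)"
    r"|rate-limit\s+(?P<dir>from-client|to-client)\s+(?P<kbps>\d+))$")

def audit(config):
    """Return (role, message) findings for user-role assign lines."""
    findings, role, bridge, role_vlans, bridge_modes = [], None, None, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"user-role\s+(\S+)", line):
            role, bridge = m.group(1), None
        elif m := re.match(r"bridge vlan\s+(\d+)$", line):  # assumed stanza layout
            role, bridge = None, int(m.group(1))
            bridge_modes[bridge] = "auto"  # default mode per the guidelines
        elif bridge is not None and (m := re.match(r"bridging-mode\s+(\S+)", line)):
            bridge_modes[bridge] = m.group(1)
        elif role and line.startswith("assign"):
            m = ASSIGN.match(line)
            if not m:
                findings.append((role, f"unrecognized assign syntax: {line!r}"))
            elif m.group("vlan"):
                vid = int(m.group("vlan"))
                if 1 <= vid <= 4094:
                    role_vlans[role] = vid
                else:
                    findings.append((role, f"VLAN {vid} outside 1-4094"))
            elif not 1 <= int(m.group("kbps")) <= 65536:
                findings.append((role, f"{m.group('dir')} rate {m.group('kbps')} outside 1-65536 Kbps"))
    for r, vid in role_vlans.items():  # cross-check role VLANs against bridge modes
        if bridge_modes.get(vid) == "auto":
            findings.append((r, f"bridge VLAN {vid} is in 'auto' mode; the guidelines call for 'tunnel'"))
    return findings
```

A role whose `assign vlan` line is rejected falls back to whatever VLAN the client would otherwise get, so an unrecognized or out-of-range line is worth catching before the policy is applied to an access point.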

Related Commands


Removes the upstream and/or downstream rate limits applied to this user-defined role. Also removes the VLAN ID.