[27597] in resnet

Re: SOHO WiFi routers and residential networking

daemon@ATHENA.MIT.EDU (Hall, Rand)
Mon Apr 30 12:52:03 2012

Message-ID:  <CANajV=PfQjDV9Lz3DT_EpFUqMDUHo7RV9UoBwvNAxecwtsfTeg@mail.gmail.com>
Date:         Mon, 30 Apr 2012 12:39:16 -0400
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Hall, Rand" <hallr@MERRIMACK.EDU>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  <D0A43E8CC19B144398DFEC438095CB180E39ACCF8E@EXCMS.msu.montana.edu>

Sheila,

Good luck blocking rogues. :-) Your best bet is to hold to your commitment
to providing service to the jack. To that you can add some basic best
practice suggestions to people who want to try using a wireless router or
bridge (enable encryption, negotiate channel selection with neighbors, etc.).

Your network folks will want to turn on DHCP Snooping. Sometimes a resident
will plug a router in "backwards" and offer up DHCP leases to their
neighbors--not a pretty sight. If they are new to Cisco they might
appreciate a sample interface config for some ideas. Feel free to share:

 switchport access vlan xx
 switchport mode access
 switchport protected
 switchport port-security maximum 6
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection limit rate 15 burst interval 10
 storm-control broadcast level pps 50 10
 storm-control multicast level pps 50 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 10


Rand

Rand P. Hall
Director, Network Services                 askIT!
Merrimack College
978-837-3532
rand.hall@merrimack.edu

If I had an hour to save the world, I would spend 59 minutes defining the
problem and one minute finding solutions. – Einstein



On Fri, Apr 27, 2012 at 1:48 PM, Crowe, Sheila <sheila@montana.edu> wrote:

> In early March, I participated in a thread started by Jeannie Abney about
> what other schools’ policies are for residents bringing personal wireless
> routers onto your network.  I added some questions pertaining to single
> family apartments (vs. residence halls) and got some great feedback.  I
> would like to take it a step further and ask some more questions based on
> the type of network that we have.
>
> We have a Cisco network, a core at the origin of the commodity internet
> pipe, and a subnet for each of our buildings (really areas).  In the
> residence halls we have a large Aruba wireless network installed so that
> every building is blanketed for secure wireless internet access.   In the
> residence halls, ResNet is charged out to every resident regardless of
> whether they use it or not.
>
> We do not provide ubiquitous wireless coverage in family housing because
> ResNet is an opt-in service. Additionally, our family housing area was
> wired about 13 years ago and only provided one wired jack per apartment. As
> I’m sure you can imagine, virtually every customer in family housing has a
> soho wireless router.  When we upgraded this section of our network (from
> 3Com switches to Cisco), we immediately had a BIG problem with our network
> dropping constantly.  It was ultimately decided that it was the SOHO
> wireless routers causing the problem; namely, unicast packet floods through
> our Cisco switch ports. Only recently it was discovered that Cisco switches
> have a feature that will block unicast and multicast floods.  We are
> deploying this slowly.
>
> Now for the questions. For those of you who have a similar network, do you
> employ this Cisco feature or do you simply block all “rogue” wireless
> connections?  Or do you have another measure in place to deal with the
> unicast packet floods?  Also, do your network engineers consider this a
> stopgap measure (“band-aid”) to deal with residences where you do not offer
> WiFi?
>
> Please do share all of the details about this issue (or non-issue) on your
> network as you know them.  And thanks a million!
>
> Sheila Crowe
> Montana State University ResNet
> 406.994.4230
> 406.209.7243
>
> P.S. I’m hoping to see all of you at the 2012 Student Technology
> Conference at Claremont Colleges!
>
> ___________________________________________________
> You are subscribed to the ResNet-L mailing list.
>
> To subscribe, unsubscribe or search the archives, go to
> http://LISTSERV.ND.EDU/archives/resnet-l.html
> ___________________________________________________
>
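
An added example, not part of Rand's message or the list archive: a Python check that scans IOS-style configuration text and reports access ports lacking the per-port controls from the sample interface config above. The names `REQUIRED`, `parse_interfaces`, `audit` and the sample text are assumptions made for illustration; the global `ip dhcp snooping` check is included because IP Source Guard and the snooping rate limit rely on snooping being enabled.

```python
import re

# Per-port controls from the sample interface config in the message above.
REQUIRED = {
    "port-security": r"^switchport port-security$",  # "maximum 6" alone does not enable it
    "bpduguard": r"^spanning-tree bpduguard enable$",
    "source-guard": r"^ip verify source\b",
    "dhcp-rate-limit": r"^ip dhcp snooping limit rate \d+$",
    "arp-rate-limit": r"^ip arp inspection limit rate \d+",
    "broadcast-storm": r"^storm-control broadcast level ",
}

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from IOS-style config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def audit(config):
    """Map each access port to the controls it lacks; "(global)" holds global gaps."""
    findings = {}
    if not re.search(r"^ip dhcp snooping$", config, re.M):
        findings["(global)"] = ["ip dhcp snooping"]
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are outside this baseline
        missing = [k for k, p in REQUIRED.items() if not any(re.search(p, l) for l in lines)]
        if missing:
            findings[name] = missing
    return findings

# Constructed sample config (not from the page): Gi0/1 sets a MAC limit but never enables port security.
SAMPLE = """\
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security maximum 6
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 10
interface GigabitEthernet0/24
 switchport mode trunk
"""
```

Calling `audit(SAMPLE)` flags the missing global command and lists `port-security`, `arp-rate-limit` and `broadcast-storm` for GigabitEthernet0/1, while the trunk port is skipped.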
