[27604] in resnet
Re: SOHO WiFi routers and residential networking
daemon@ATHENA.MIT.EDU (Osborne, Bruce W)
Tue May 1 07:52:33 2012
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_7F8CAE21F9C1C94A90F11320EF3974CE327E2E82LUEMSMAIL01Univ_"
MIME-Version: 1.0
Message-ID: <7F8CAE21F9C1C94A90F11320EF3974CE327E2E82@LUEMSMAIL01.University.liberty.edu>
Date: Tue, 1 May 2012 11:48:07 +0000
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Osborne, Bruce W" <bosborne@liberty.edu>
To: RESNET-L@listserv.nd.edu
That is only the port part of the configuration. There are some global settings too.
Also, your switch uplink or the switch port with the DHCP server needs to be trusted for this to function correctly. The three processes used here are "ARP inspection", "DHCP snooping", and "IP source guard". The features can vary, depending on your model of switch.
Here is one example of Cisco's documentation. This one is for 3550 switches. http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html
Bruce Osborne
Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
From: Hall, Rand [mailto:hallr@MERRIMACK.EDU]
Sent: Monday, April 30, 2012 12:39 PM
Subject: Re: SOHO WiFi routers and residential networking
Sheila,
Good luck blocking rogues. :-) Your best bet is to hold to your commitment to providing service to the jack. To that you can add some basic best practice suggestions to people who want to try using a wireless router or bridge (enable encryption, negotiate channel selection with neighbors, etc).
Your network folks will want to turn on DHCP Snooping. Sometimes a resident will plug a router in "backwards" and offer up DHCP leases to their neighbors--not a pretty sight. If they are new to Cisco they might appreciate a sample interface config for some ideas. Feel free to share:
! Access port for a resident jack; "xx" is the residential VLAN number
switchport access vlan xx
switchport mode access
! Protected ports cannot forward to each other through this switch
switchport protected
! At most 6 MAC addresses per jack; frames from extra sources are dropped
! and counted (restrict) instead of err-disabling the port; idle entries
! age out after 1 minute
switchport port-security maximum 6
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
! Dynamic ARP Inspection rate limit: 15 ARP packets/s over a 10 s burst interval
ip arp inspection limit rate 15 burst interval 10
! Suppress broadcast/multicast above 50 pps, resume forwarding below 10 pps
storm-control broadcast level pps 50 10
storm-control multicast level pps 50 10
! Edge port; err-disable it if a BPDU arrives (a router or switch plugged in as a bridge)
spanning-tree portfast
spanning-tree bpduguard enable
! IP Source Guard: only source IPs present in the DHCP snooping binding table may send
ip verify source
! Untrusted port: at most 10 DHCP packets/s
ip dhcp snooping limit rate 10
Rand
Rand P. Hall
Director, Network Services askIT!
Merrimack College
978-837-3532
rand.hall@merrimack.edu
If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. - Einstein
On Fri, Apr 27, 2012 at 1:48 PM, Crowe, Sheila <sheila@montana.edu> wrote:
In early March, I participated in a thread started by Jeannie Abney about what other schools' policies are for residents bringing personal wireless routers onto your network. I added some questions pertaining to single family apartments (vs. residence halls) and got some great feedback. I would like to take it a step further and ask some more questions based on the type of network that we have.
We have a Cisco network, a core at the origin of the commodity internet pipe, and a subnet for each of our buildings (really areas). In the residence halls we have a large Aruba wireless network installed so that every building is blanketed for secure wireless internet access. In the residence halls, ResNet is charged out to every resident regardless of whether they use it or not.
We do not provide ubiquitous wireless coverage in family housing because ResNet is an opt-in service. Additionally, our family housing area was wired about 13 years ago and only provided one wired jack per apartment. As I'm sure you can imagine, virtually every customer in family housing has a SOHO wireless router. When we upgraded this section of our network (from 3Com switches to Cisco), we immediately had a BIG problem with our network dropping constantly. It was ultimately decided that it was the SOHO wireless routers causing the problem; namely, unicast packet floods through our Cisco switch ports. Only recently it was discovered that Cisco switches have a feature that will block unicast and multicast floods. We are deploying this slowly.
Now for the questions. For those of you who have a similar network, do you employ this Cisco feature or do you simply block all "rogue" wireless connections? Or do you have another measure in place to deal with the unicast packet floods? Also, do your network engineers consider this a stopgap measure ("band-aid") to deal with residences where you do not offer WiFi?
Please do share all of the details about this issue (or non-issue) on your network as you know them. And thanks a million!
Sheila Crowe
Montana State University ResNet
406.994.4230
406.209.7243
P.S. I'm hoping to see all of you at the 2012 Student Technology Conference at Claremont Colleges!
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
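The global settings and the trusted uplink that Bruce says Rand's per-port sample depends on, as an added example for this page: it is not from either poster or from Cisco's documentation. VLAN 10, the interface names and the binding-database file name are assumptions; the apartment-jack interface repeats Rand's sample so the global and port halves can be read together.

```cisco
! Added example (assumed VLAN 10 and interface names; substitute your
! residential access VLAN, the "xx" in Rand's sample).
!
! --- Global: enable the three features for the residential VLAN ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default. If the upstream relay or DHCP
! server rejects option-82 packets that carry a zero giaddr, leases
! silently fail; disable insertion unless the server handles option 82.
no ip dhcp snooping information option
! Keep the binding table across reloads; without it IP Source Guard
! drops traffic from existing hosts until they renew their leases.
ip dhcp snooping database flash:dhcp-snooping.db
!
! DAI checks ARP packets on VLAN 10 against the snooping bindings and
! also validates the MAC and IP fields inside each ARP packet.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Ports that exceed the DAI or DHCP rate limits, or receive a BPDU,
! are err-disabled; recover them automatically after 5 minutes.
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Uplink toward the DHCP server: must be trusted, otherwise every
! DHCPOFFER from the real server is dropped as if it were rogue ---
interface GigabitEthernet0/1
 description Uplink to distribution (path to DHCP server)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Apartment jack: Rand's port config, deliberately left untrusted ---
interface GigabitEthernet0/5
 description Family housing apartment jack
 switchport access vlan 10
 switchport mode access
 switchport protected
 switchport port-security maximum 6
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection limit rate 15 burst interval 10
 storm-control broadcast level pps 50 10
 storm-control multicast level pps 50 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 10
!
! Verify once a client has renewed its lease:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip arp inspection interfaces
!   show ip verify source
```

Apply the global half and let the binding table populate before adding `ip verify source` to the access ports; IP Source Guard blocks any host that is not yet in the table until it renews its lease.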