[27607] in resnet
Re: SOHO WiFi routers and residential networking
daemon@ATHENA.MIT.EDU (Crowe, Sheila)
Tue May 1 17:16:28 2012
Message-ID: <D0A43E8CC19B144398DFEC438095CB180E39ACD51B@EXCMS.msu.montana.edu>
Date: Tue, 1 May 2012 15:14:34 -0600
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Crowe, Sheila" <sheila@montana.edu>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <7F8CAE21F9C1C94A90F11320EF3974CE327E2E82@LUEMSMAIL01.University.liberty.edu>
Thank you to Rand, Bruce and my hero, Adam Brock.
A bit more detailed information to help all the Cisco network guru types help me. To recap...
We have 2 housing areas: residence halls and family and graduate apartments. Both areas have Cisco 2960 layer 2 switches and Cisco 3750 fiber switches. In the residence halls we have one wired port per pillow and almost ubiquitous wireless coverage via Aruba APs and a single controller. ResNet is charged as part of the room and board in the residence halls.
We don't provide wireless coverage in family and graduate housing. Our family housing area was wired about 13 years ago and provided only one wired jack per apartment; because of that, virtually every customer in family housing uses a soho wireless router. Prior to our upgrade in June, we were using 3Com fiber switches and Cisco 2960 layer 2 switches. When we upgraded this section of our network (from 3Com fiber switches to Cisco 3750s), we immediately had a BIG problem with our network dropping in family housing; no problems in the res halls. Backwards soho routers were not the problem because we use DHCP snooping. Prior to the upgrade, our network ran like a scalded cat in FGH. It was ultimately decided that the problem was caused by the larger concentration of SOHO wireless routers in that area producing unicast packet floods. Our team has discovered that Cisco switches have a feature called flood blocking that will block unicast and multicast floods at the switchport level. We are deploying this slowly. I am told that it is NOT Cisco's Storm Control.
My questions, slightly re-phrased:
1. For those of you who have a similar network, do you utilize either Storm Control or flood blocking? Why do you use one rather than the other?
2. Do you use some other measure to deal with unicast packet floods?
3. Considering the physical environment (single wired jacks), what do you feel is best practice when it comes to stopping unicast packet floods?
If you need more detail from me, please ask. Any information or feedback is appreciated. If you prefer, please feel free to contact me off-list.
Thank you!
Sheila Crowe
MSU ResNet
sheila@montana.edu
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Osborne, Bruce W
Sent: Tuesday, May 01, 2012 5:48 AM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: SOHO WiFi routers and residential networking
That is only the port part of the configuration. There are some global settings too.
Also, your switch uplink or the switch port with the DHCP server needs to be trusted for this to function correctly. The three processes used here are "ARP inspection", "DHCP snooping", and "IP source guard". The features can vary, depending on your model of switch.
Here is one example of Cisco's documentation. This one is for 3550 switches. http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html
Bruce Osborne
Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
From: Hall, Rand [mailto:hallr@MERRIMACK.EDU]
Sent: Monday, April 30, 2012 12:39 PM
Subject: Re: SOHO WiFi routers and residential networking
Sheila,
Good luck blocking rogues. :-) Your best bet is to hold to your commitment to providing service to the jack. To that you can add some basic best practice suggestions to people who want to try using a wireless router or bridge (enable encryption, negotiate channel selection with neighbors, etc).
Your network folks will want to turn on DHCP Snooping. Sometimes a resident will plug a router in "backwards" and offer up DHCP leases to their neighbors--not a pretty sight. If they are new to Cisco they might appreciate a sample interface config for some ideas. Feel free to share:
switchport access vlan xx
switchport mode access
switchport protected
switchport port-security maximum 6
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 15 burst interval 10
storm-control broadcast level pps 50 10
storm-control multicast level pps 50 10
spanning-tree portfast
spanning-tree bpduguard enable
ip verify source
ip dhcp snooping limit rate 10
Rand
Rand P. Hall
Director, Network Services askIT!
Merrimack College
978-837-3532
rand.hall@merrimack.edu
If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. - Einstein
On Fri, Apr 27, 2012 at 1:48 PM, Crowe, Sheila <sheila@montana.edu> wrote:
In early March, I participated in a thread started by Jeannie Abney about what other schools' policies are for residents bringing personal wireless routers onto your network. I added some questions pertaining to single family apartments (vs. residence halls) and got some great feedback. I would like to take it a step further and ask some more questions based on the type of network that we have.
We have a Cisco network, a core at the origin of the commodity internet pipe, and a subnet for each of our buildings (really areas). In the residence halls we have a large Aruba wireless network installed so that every building is blanketed for secure wireless internet access. In the residence halls, ResNet is charged out to every resident regardless of whether they use it or not.
We do not provide ubiquitous wireless coverage in family housing because ResNet is an opt-in service. Additionally, our family housing area was wired about 13 years ago and only provided one wired jack per apartment. As I'm sure you can imagine, virtually every customer in family housing has a soho wireless router. When we upgraded this section of our network (from 3Com switches to Cisco), we immediately had a BIG problem with our network dropping constantly. It was ultimately decided that it was the SOHO wireless routers causing the problem; namely, unicast packet floods through our Cisco switch ports. Only recently it was discovered that Cisco switches have a feature that will block unicast and multicast floods. We are deploying this slowly.
Now for the questions. For those of you who have a similar network, do you employ this Cisco feature or do you simply block all "rogue" wireless connections? Or do you have another measure in place to deal with the unicast packet floods? Also, do your network engineers consider this a stopgap measure ("band-aid") to deal with residences where you do not offer WiFi?
Please do share all of the details about this issue (or non-issue) on your network as you know them. And thanks a million!
Sheila Crowe
Montana State University ResNet
406.994.4230
406.209.7243
P.S. I'm hoping to see all of you at the 2012 Student Technology Conference at Claremont Colleges!
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
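An added example, not part of any message in this thread: a small Python audit that checks a switch configuration for the points Rand and Bruce raise (the per-port lines from the sample config, DHCP snooping and ARP inspection enabled for the port's access VLAN, and at least one trusted port). The configuration text, interface names and VLAN numbers are constructed, and the `ip dhcp snooping vlan`, `ip arp inspection vlan` and `ip dhcp snooping trust` lines are assumed as the usual Catalyst IOS forms of the global and trust settings Bruce mentions; they are not quoted from the thread.

```python
import re

# Per-port protections, taken from the sample interface config in the thread.
REQUIRED = {
    "port-security": r"switchport port-security",
    "BPDU guard": r"spanning-tree bpduguard enable",
    "IP source guard": r"ip verify source( .*)?",
    "DHCP snooping rate limit": r"ip dhcp snooping limit rate \d+",
    "ARP inspection rate limit": r"ip arp inspection limit rate \d+.*",
    "broadcast storm-control": r"storm-control broadcast level .+",
}

def parse_config(text):
    """Split IOS-style config text into global lines and interface stanzas."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue                      # blank line or IOS comment/separator
        if raw[0].isspace():              # indented: belongs to current stanza
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        current = None
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            globals_.append(raw.strip())
    return globals_, interfaces

def vlan_set(globals_, prefix):
    """Expand 'prefix 10,20-22' global lines into a set of VLAN ids."""
    vlans = set()
    for line in globals_:
        m = re.fullmatch(re.escape(prefix) + r" ([\d,-]+)", line)
        if m:
            for part in filter(None, m.group(1).split(",")):
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(text):
    """Return (scope, message) findings for a switch configuration."""
    globals_, interfaces = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in globals_:
        findings.append(("global", "DHCP snooping is not enabled globally"))
    snoop = vlan_set(globals_, "ip dhcp snooping vlan")
    dai = vlan_set(globals_, "ip arp inspection vlan")
    if not any("ip dhcp snooping trust" in l for l in interfaces.values()):
        findings.append(("global", "no port has 'ip dhcp snooping trust'; "
                         "the uplink or DHCP server port must be trusted"))
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue                      # trunks and uplinks are not audited
        if "ip dhcp snooping trust" in lines:
            continue                      # e.g. the DHCP server's own port
        m = next((re.fullmatch(r"switchport access vlan (\d+)", l)
                  for l in lines if l.startswith("switchport access vlan")), None)
        vlan = int(m.group(1)) if m else 1    # IOS default access VLAN is 1
        if vlan not in snoop:
            findings.append((name, f"VLAN {vlan} not covered by DHCP snooping"))
        if vlan not in dai:
            findings.append((name, f"VLAN {vlan} not covered by ARP inspection"))
        for label, pattern in REQUIRED.items():
            if not any(re.fullmatch(pattern, l) for l in lines):
                findings.append((name, f"missing {label}"))
    return findings

# Constructed sample: one hardened jack, one bare jack, an untrusted uplink.
SAMPLE = """\
ip dhcp snooping
ip dhcp snooping vlan 20
ip arp inspection vlan 20
!
interface GigabitEthernet0/1
 switchport access vlan 20
 switchport mode access
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip arp inspection limit rate 15 burst interval 10
 storm-control broadcast level pps 50 10
 ip verify source
 ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/2
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

if __name__ == "__main__":
    for scope, message in audit(SAMPLE):
        print(f"{scope}: {message}")
```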