[27608] in resnet
Re: SOHO WiFi routers and residential networking
daemon@ATHENA.MIT.EDU (Osborne, Bruce W)
Wed May 2 08:00:57 2012
Message-ID: <7F8CAE21F9C1C94A90F11320EF3974CE327E3660@LUEMSMAIL01.University.liberty.edu>
Date: Wed, 2 May 2012 11:58:12 +0000
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Osborne, Bruce W" <bosborne@liberty.edu>
To: RESNET-L@listserv.nd.edu
Sheila,
I am not on our routing & switching team, but I try & keep up with what they are doing.
Here are some configuration pieces from one of our 3750 dorm switches. I hope some of this information will help your Cisco engineers.
Global:
udld enable
no ip source-route
ip dhcp snooping vlan 1-4094
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-db
ip dhcp snooping
ip arp inspection vlan 2-71,73-253,255-999,1066,2000,2002-3999
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause small-frame
errdisable recovery interval 30
!
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree uplinkfast
Sample data port:
interface GigabitEthernet1/0/1
switchport access vlan 3001
switchport mode access
switchport nonegotiate
switchport voice vlan 2101
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 50
srr-queue bandwidth share 1 45 10 45
srr-queue bandwidth shape 5 0 0 0
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
storm-control broadcast level bps 1m 999k
storm-control action shutdown
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard loop
end
Sample uplink Port:
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1200,1223,1224,1249,1611,1900,1911,2001,2101
switchport trunk allowed vlan add 3001,3101
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
!
interface GigabitEthernet1/0/49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1200,1223,1224,1249,1611,1900,1911,2001,2101
switchport trunk allowed vlan add 3001,3101
switchport mode trunk
ip arp inspection trust
srr-queue bandwidth share 1 45 10 45
srr-queue bandwidth shape 5 0 0 0
priority-queue out
udld port
mls qos trust dscp
channel-group 1 mode active
ip dhcp snooping trust
!
We do not enforce IP source guard on some VLANs, hence there are exclusions in the global ip arp inspection line.
Bruce Osborne
Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
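An added example, not part of the message above or of any code from the thread's participants: a small Python audit that reads an IOS configuration like the one Bruce posted and reports access ports whose VLAN falls outside the `ip dhcp snooping vlan` or `ip arp inspection vlan` lists, access ports that carry a trust command, and trunks that lack one. The sample configuration is constructed (abridged from the settings above, with three deliberate mistakes), the function names are hypothetical, and the script assumes every trunk is an uplink toward the DHCP server.

```python
import re

# Constructed sample, abridged from the settings quoted above; ports 2, 3 and 50
# are deliberately misconfigured to show what the audit reports.
SAMPLE_CONFIG = """
ip dhcp snooping vlan 1-4094
ip dhcp snooping
ip arp inspection vlan 2-71,73-253,255-999,1066,2000,2002-3999
!
interface GigabitEthernet1/0/1
 switchport access vlan 3001
 switchport mode access
 switchport voice vlan 2101
!
interface GigabitEthernet1/0/2
 switchport access vlan 72
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport access vlan 3001
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/49
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/50
 switchport mode trunk
 ip arp inspection trust
!
"""

# Per-interface trust commands and the keys they set in the parsed port record.
TRUST = (("ip dhcp snooping trust", "snoop_trust"),
         ("ip arp inspection trust", "dai_trust"))


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '2-71,73-253,1066' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text):
    """Return (global settings, {interface: settings}) for the audited commands."""
    glob = {"snooping": False, "snoop_vlans": set(), "dai_vlans": set()}
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "!", "end"):          # end of an interface block
            cur = None
        elif line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], {
                "mode": None, "vlans": set(),
                "snoop_trust": False, "dai_trust": False})
        elif cur is None:                     # global configuration
            if line == "ip dhcp snooping":
                glob["snooping"] = True
            elif m := re.fullmatch(r"ip dhcp snooping vlan (\S+)", line):
                glob["snoop_vlans"] |= expand_vlans(m.group(1))
            elif m := re.fullmatch(r"ip arp inspection vlan (\S+)", line):
                glob["dai_vlans"] |= expand_vlans(m.group(1))
        else:                                 # inside an interface block
            if m := re.fullmatch(r"switchport mode (access|trunk)", line):
                cur["mode"] = m.group(1)
            elif m := re.fullmatch(r"switchport (?:access|voice) vlan (\d+)", line):
                cur["vlans"].add(int(m.group(1)))
            for cmd, key in TRUST:
                if line == cmd:
                    cur[key] = True
    return glob, ifaces


def audit(text):
    """Return (interface, problem) pairs. Assumption: every trunk is an uplink
    toward the DHCP server, so it should carry both trust commands."""
    glob, ifaces = parse_config(text)
    findings = []
    if not glob["snooping"]:
        findings.append(("global", "'ip dhcp snooping' is not enabled"))
    for name, port in ifaces.items():
        for cmd, key in TRUST:
            if port["mode"] == "trunk" and not port[key]:
                findings.append((name, f"trunk lacks '{cmd}'"))
            if port["mode"] == "access" and port[key]:
                findings.append((name, f"access port has '{cmd}'"))
        if port["mode"] == "access":
            for vlan in sorted(port["vlans"]):
                if vlan not in glob["snoop_vlans"]:
                    findings.append((name, f"VLAN {vlan} is not in 'ip dhcp snooping vlan'"))
                if vlan not in glob["dai_vlans"]:
                    findings.append((name, f"VLAN {vlan} is not in 'ip arp inspection vlan'"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(SAMPLE_CONFIG):
        print(f"{name}: {problem}")
```

A port reported as outside the `ip arp inspection vlan` list is not necessarily a mistake; the report simply makes exclusions like the ones Bruce describes visible for review.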
From: Crowe, Sheila [mailto:sheila@montana.edu]
Sent: Tuesday, May 01, 2012 5:15 PM
Subject: Re: SOHO WiFi routers and residential networking
Thank you to Rand, Bruce and my hero, Adam Brock.
A bit more detailed information to help all the Cisco network guru types help me. To recap...
We have 2 housing areas: residence halls and family and graduate apartments. Both areas have Cisco 2960 layer 2 switches and Cisco 3750 fiber switches. In the residence halls we have one wired port per pillow and almost ubiquitous wireless coverage via Aruba APs and a single controller. ResNet is charged as part of the room and board in the residence halls.
We don't provide wireless coverage in family and graduate housing. Our family housing area was wired about 13 years ago and provided only one wired jack per apartment; because of that, virtually every customer in family housing uses a soho wireless router. Prior to our upgrade in June, we were using 3Com fiber switches and Cisco 2960 layer 2 switches. When we upgraded this section of our network (from 3Com fiber switches to Cisco 3750s), we immediately had a BIG problem with our network dropping in family housing; no problems in the res halls. Backwards soho routers were not the problem because we use DHCP snooping. Prior to the upgrade, our network ran like a scalded cat in FGH. It was ultimately decided that the problem was caused by the larger concentration of SOHO wireless routers in that area producing unicast packet floods. Our team has discovered that Cisco switches have a feature called flood blocking that will block unicast and multicast floods at the switchport level. We are deploying this slowly. I am told that it is NOT Cisco's Storm Control.
My questions, slightly re-phrased:
1. For those of you who have a similar network, do you utilize either Storm Control or flood blocking? Why do you use one rather than the other?
2. Do you use some other measure to deal with unicast packet floods?
3. Considering the physical environment (single wired jacks), what do you feel is best practice when it comes to stopping unicast packet floods?
If you need more detail from me, please ask. Any information or feedback is appreciated. If you prefer, please feel free to contact me off-list.
Thank you!
Sheila Crowe
MSU ResNet
sheila@montana.edu
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Osborne, Bruce W
Sent: Tuesday, May 01, 2012 5:48 AM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: SOHO WiFi routers and residential networking
That is only the port part of the configuration. There are some global settings too.
Also, your switch uplink or the switch port with the DHCP server needs to be trusted for this to function correctly. The three processes used here are "ARP inspection", "DHCP snooping", and "IP source guard". The features can vary, depending on your model of switch.
Here is one example of Cisco's documentation. This one is for 3550 switches. http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html
Bruce Osborne
Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
From: Hall, Rand [mailto:hallr@MERRIMACK.EDU]
Sent: Monday, April 30, 2012 12:39 PM
Subject: Re: SOHO WiFi routers and residential networking
Sheila,
Good luck blocking rogues. :-) Your best bet is to hold to your commitment to providing service to the jack. To that you can add some basic best practice suggestions to people who want to try using a wireless router or bridge (enable encryption, negotiate channel selection with neighbors, etc).
Your network folks will want to turn on DHCP Snooping. Sometimes a resident will plug a router in "backwards" and offer up DHCP leases to their neighbors--not a pretty sight. If they are new to Cisco they might appreciate a sample interface config for some ideas. Feel free to share:
switchport access vlan xx
switchport mode access
switchport protected
switchport port-security maximum 6
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 15 burst interval 10
storm-control broadcast level pps 50 10
storm-control multicast level pps 50 10
spanning-tree portfast
spanning-tree bpduguard enable
ip verify source
ip dhcp snooping limit rate 10
Rand
Rand P. Hall
Director, Network Services askIT!
Merrimack College
978-837-3532
rand.hall@merrimack.edu
If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. - Einstein
On Fri, Apr 27, 2012 at 1:48 PM, Crowe, Sheila <sheila@montana.edu> wrote:
In early March, I participated in a thread started by Jeannie Abney about what other schools' policies are for residents bringing personal wireless routers onto your network. I added some questions pertaining to single family apartments (vs. residence halls) and got some great feedback. I would like to take it a step further and ask some more questions based on the type of network that we have.
We have a Cisco network, a core at the origin of the commodity internet pipe, and a subnet for each of our buildings (really areas). In the residence halls we have a large Aruba wireless network installed so that every building is blanketed for secure wireless internet access. In the residence halls, ResNet is charged out to every resident regardless of whether they use it or not.
We do not provide ubiquitous wireless coverage in family housing because ResNet is an opt-in service. Additionally, our family housing area was wired about 13 years ago and only provided one wired jack per apartment. As I'm sure you can imagine, virtually every customer in family housing has a soho wireless router. When we upgraded this section of our network (from 3Com switches to Cisco), we immediately had a BIG problem with our network dropping constantly. It was ultimately decided that it was the SOHO wireless routers causing the problem; namely, unicast packet floods through our Cisco switch ports. Only recently it was discovered that Cisco switches have a feature that will block unicast and multicast floods. We are deploying this slowly.
Now for the questions. For those of you who have a similar network, do you employ this Cisco feature or do you simply block all "rogue" wireless connections? Or do you have another measure in place to deal with the unicast packet floods? Also, do your network engineers consider this a stopgap measure ("band-aid") to deal with residences where you do not offer WiFi?
Please do share all of the details about this issue (or non-issue) on your network as you know them. And thanks a million!
Sheila Crowe
Montana State University ResNet
406.994.4230
406.209.7243
P.S. I'm hoping to see all of you at the 2012 Student Technology Conference at Claremont Colleges!
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><i><=
span style=3D"font-size:11.0pt;font-family:Times-Roman;color:#AA0000">Training Champions for Christ since 1971<o:p></o:p></span></i></p>
</div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<div>
<div style=3D"border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:"=
;Tahoma","sans-serif"">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:"Tahoma","sans-serif""> Crowe, Sheila [mailto:sheila@montana.edu]
<br>
<b>Sent:</b> Tuesday, May 01, 2012 5:15 PM<br>
<b>Subject:</b> Re: SOHO WiFi routers and residential networking<o:p></o:p>=
</span></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">Thank you to Rand, Bruce and my hero, Adam Brock.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">A bit more detailed information to help all the Cisco network guru types help me. To recap…<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">We have 2 housing areas: residence halls and family and graduate apartments. Both areas have Cisco 2960 layer 2 switches and Cisco 3750 fiber switches. In the residence halls we have one wired port per pillow and almost ubiquitous wireless coverage via Aruba APs and a single controller. ResNet is charged as part of the room and board in the residence halls.
<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">We don’t provide wireless coverage in family and graduate housing. Our family housing area was wired about 13 years ago and provided only one wired jack per apartment; because of that, virtually every customer in family housing uses a soho wireless router. Prior to our upgrade in June, we were using 3Com fiber switches and Cisco 2960 layer 2 switches. When we upgraded this section of our network (from 3Com fiber switches to Cisco 3750s), we immediately had a BIG problem with our network dropping in family housing; no problems in the res halls. Backwards soho routers were not the problem because we use DHCP snooping. Prior to the upgrade, our network ran like a scalded cat in FGH. It was ultimately decided that the problem was caused by the larger concentration of SOHO wireless routers in that area producing unicast packet floods. Our team has discovered that Cisco switches have a feature called flood blocking that will block unicast and multicast floods at the switchport level. We are deploying this slowly. I am told that it is NOT Cisco’s Storm Control.</span><span style=3D"font-size:11.0pt;font-family:"Calibri"=
;,"sans-serif"">
<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif""><o:p> </o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">My questions, slightly re-phrased:
<o:p></o:p></span></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l0 level=
1 lfo2"><![if !supportLists]><span style=3D"color:#1F497D"><span style=3D"m=
so-list:Ignore">1.<span style=3D"font:7.0pt "Times New Roman"">&n=
bsp;
</span></span></span><![endif]><span style=3D"color:#1F497D">For those of you who have a similar network, do you utilize either Storm Control or flood blocking? Why do you use one rather than the other?
<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D"><o:p> </o:p></spa=
n></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l0 level=
1 lfo2"><![if !supportLists]><span style=3D"color:#1F497D"><span style=3D"m=
so-list:Ignore">2.<span style=3D"font:7.0pt "Times New Roman"">&n=
bsp;
</span></span></span><![endif]><span style=3D"color:#1F497D">Do you use some other measure to deal with unicast packet floods?
<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D"><o:p> </o:p></spa=
n></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l0 level=
1 lfo2"><![if !supportLists]><span style=3D"color:#1F497D"><span style=3D"m=
so-list:Ignore">3.<span style=3D"font:7.0pt "Times New Roman"">&n=
bsp;
</span></span></span><![endif]><span style=3D"color:#1F497D">Considering the physical environment (single wired jacks), what do you feel is best practice when it comes to stopping unicast packet floods?
<o:p></o:p></span></p>
<p class=3D"MsoListParagraph"><o:p> </o:p></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">If you need more detail from me, please ask. Any information or feedback is appreciated. If you prefer, please feel free to contact me off-list.
<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">Thank you!
<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">Sheila Crowe<o:p></o:p></=
span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">MSU ResNet<o:p></o:p></sp=
an></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><a href=3D"mailto:sheila@montana.edu">sheila@montana.edu</a><o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif""><o:p> </o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<div>
<div style=3D"border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:"=
;Tahoma","sans-serif"">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:"Tahoma","sans-serif""> Resnet Forum
<a href=3D"mailto:[mailto:RESNET-L@LISTSERV.ND.EDU]">[mailto:RESNET-L@LISTSERV.ND.EDU]</a>
<b>On Behalf Of </b>Osborne, Bruce W<br>
<b>Sent:</b> Tuesday, May 01, 2012 5:48 AM<br>
<b>To:</b> <a href=3D"mailto:RESNET-L@LISTSERV.ND.EDU">RESNET-L@LISTSERV.ND.EDU</a><br>
<b>Subject:</b> Re: SOHO WiFi routers and residential networking<o:p></o:p>=
</span></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">That is only the port part of the configuration. There are some global settings too.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">Also, your switch uplink or the switch port with the DHCP server needs to be trusted for this to function correctly. The three processes used here are “ARP inspection”, “DHCP snooping”, and “IP source guard”. The features can vary, depending on your model of switch.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">Here is one example of Cisco’s documentation. This one is for 3550 switches.
<a href=3D"http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html">
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html</a><o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><b><=
span style=3D"font-size:10.0pt;font-family:"Verdana","sans-s=
erif";color:#001B3E">Bruce Osborne</span></b><span style=3D"font-size:=
10.0pt;font-family:"Verdana","sans-serif";color:#001B3E=
"><o:p></o:p></span></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><i><=
span style=3D"font-size:10.0pt;font-family:"Verdana","sans-s=
erif";color:#001B3E">Network Engineer</span></i><span style=3D"font-si=
ze:10.0pt;font-family:"Cambria","serif";color:#1F497D">=
<o:p></o:p></span></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><b><=
span style=3D"font-size:10.0pt;font-family:"Verdana","sans-s=
erif";color:#001B3E">IT Network Services</span></b><span style=3D"font=
-size:10.0pt;font-family:"Cambria","serif";color:#1F497=
D"><o:p></o:p></span></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><spa=
n style=3D"font-size:10.0pt;font-family:"Verdana","sans-seri=
f";color:#001B3E"> </span><span style=3D"font-size:10.0pt;font-fa=
mily:"Cambria","serif";color:#1F497D"><o:p></o:p></span=
></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><b><=
span style=3D"font-size:10.0pt;font-family:"Verdana","sans-s=
erif";color:#001B3E">(434) 592-4229</span></b><span style=3D"font-size=
:10.0pt;font-family:"Cambria","serif";color:#1F497D"><o=
:p></o:p></span></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><spa=
n style=3D"font-size:10.0pt;font-family:"Verdana","sans-seri=
f";color:#001B3E"> </span><span style=3D"font-size:10.0pt;font-fa=
mily:"Cambria","serif";color:#1F497D"><o:p></o:p></span=
></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><b><=
span style=3D"font-size:10.0pt;font-family:"Verdana","sans-s=
erif";color:#AA0000">LIBERTY UNIVERSITY<o:p></o:p></span></b></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><i><=
span style=3D"font-size:11.0pt;font-family:Times-Roman;color:#AA0000">Training Champions for Christ since 1971<o:p></o:p></span></i></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:"=
;Tahoma","sans-serif"">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:"Tahoma","sans-serif""> Hall, Rand
<a href=3D"mailto:[mailto:hallr@MERRIMACK.EDU]">[mailto:hallr@MERRIMACK.EDU]</a> <br>
<b>Sent:</b> Monday, April 30, 2012 12:39 PM<br>
<b>Subject:</b> Re: SOHO WiFi routers and residential networking<o:p></o:p>=
</span></p>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal">Sheila,<o:p></o:p></p>
<div>
<p class=3D"MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class=3D"MsoNormal">Good luck blocking rogues. :-) Your best bet is to hold to your commitment to providing service to the jack. To that you can add some basic best practice suggestions to people who want to try using a wireless router or bridge (enable encryption, negotiate channel selection with neighbors, etc).<o:p></o:p></p>
<div>
<p class=3D"MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class=3D"MsoNormal">Your network folks will want to turn on DHCP Snooping. Sometimes a resident will plug a router in "backwards" and offer up DHCP leases to their neighbors--not a pretty sight. If they are new to Cisco they might appreciate a sample interface config for some ideas. Feel free to share:<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal"> switchport access vlan xx<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"> switchport mode access<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"> switchport protected<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"> switchport port-security maximum 6<o:p></o:p><=
/p>
</div>
<div>
<p class=3D"MsoNormal"> switchport port-security<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"> switchport port-security aging time 1<o:p></o:=
p></p>
</div>
<div>
<p class=3D"MsoNormal"> switchport port-security violation restrict<o:=
p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"> switchport port-security aging type inactivity=
<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"> ip arp inspection limit rate 15 burst interval 10<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"> storm-control broadcast level pps 50 10<o:p></=
o:p></p>
</div>
<div>
<p class=3D"MsoNormal"> storm-control multicast level pps 50 10<o:p></=
o:p></p>
</div>
<div>
<p class=3D"MsoNormal"> spanning-tree portfast<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"> spanning-tree bpduguard enable<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"> ip verify source<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"> ip dhcp snooping limit rate 10<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class=3D"MsoNormal"> <o:p></o:p>=
</p>
</div>
<div>
<p class=3D"MsoNormal">Rand<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal">Rand P. Hall<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal">Director, Network Services  askIT!<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal">Merrimack College<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><a href=3D"tel:978-837-3532" target=3D"_blank">978-837-3532</a><o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><a href=3D"mailto:rand.hall@merrimack.edu" target=3D=
"_blank">rand.hall@merrimack.edu</a><o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:"Ver=
dana","sans-serif";color:#555555">If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. – Einstein</span>
<o:p></o:p></p>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class=3D"MsoNormal">On Fri, Apr 27, 2012 at 1:48 PM, Crowe, Sheila &lt;<a href=3D"mailto:sheila@montana.edu" target=3D"_blank">sheila@montana.edu</a>&gt; wrote:<o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">In early March, I participated in a thread started by Jeannie Abney about what other schools’ policies are for residents bringing personal wireless routers onto your network. I added some questions pertaining to single family apartments (vs. residence halls) and got some great feedback. I would like to take it a step further and ask some more questions based on the type of network that we have.<o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"> <o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">We have a Cisco network, a core at the origin of the commodity internet pipe, and a subnet for each of our buildings (really areas). In the residence halls we have a large Aruba wireless network installed so that every building is blanketed for secure wireless internet access. In the residence halls, ResNet is charged out to every resident regardless of whether they use it or not.
<o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"> <o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">We do not provide ubiquitous wireless coverage in family housing because ResNet is an opt-in service. Additionally, our family housing area was wired about 13 years ago and only provided one wired jack per apartment. As I’m sure you can imagine, virtually every customer in family housing has a soho wireless router. When we upgraded this section of our network (from 3Com switches to Cisco), we immediately had a BIG problem with our network dropping constantly. It was ultimately decided that it was the SOHO wireless routers causing the problem; namely, unicast packet floods through our Cisco switch ports. Only recently it was discovered that Cisco switches have a feature that will block unicast and multicast floods. We are deploying this slowly.<o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"> <o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">Now for the questions. For those of you who have a similar network, do you employ this Cisco feature or do you simply block all “rogue” wireless connections? Or do you have another measure in place to deal with the unicast packet floods? Also, do your network engineers consider this a stopgap measure (“band-aid”) to deal with residences where you do not offer WiFi?
<o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"> <o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">Please do share all of the details about this issue (or non-issue) on your network as you know them. And thanks a million!
<o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"> <o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">Sheila Crowe<o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">Montana State University ResNet<o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"><a href=3D"tel:406.994.4230" target=3D"_blank">406.994.4230</a><o:=
p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"><a href=3D"tel:406.209.7243" target=3D"_blank">406.209.7243</a><o:=
p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"> <o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">P.S. I’m hoping to see all of you at the 2012 Student Technology Conference at Claremont Colleges!
<o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"> <o:p></o:p></p>
</div>
</div>
<p class=3D"MsoNormal">___________________________________________________ =
You are subscribed to the ResNet-L mailing list.
<o:p></o:p></p>
<p>To subscribe, unsubscribe or search the archives, go to <a href=3D"http:=
//LISTSERV.ND.EDU/archives/resnet-l.html" target=3D"_blank">
http://LISTSERV.ND.EDU/archives/resnet-l.html</a> _________________________=
__________________________
<o:p></o:p></p>
</div>
<p class=3D"MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>
--_000_7F8CAE21F9C1C94A90F11320EF3974CE327E3660LUEMSMAIL01Univ_--
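The checks discussed in this thread (trusted uplinks, per-port DHCP snooping and source-guard settings, and VLANs left out of ARP inspection) can be audited from a saved configuration. The script below is an added example, not code from any poster in the thread; the sample configuration, interface names, VLAN assignments and the list of required edge-port commands are assumptions made for the example.

```python
import re

# Constructed sample: directives come from the thread; interfaces and VLANs are invented.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 1-4094
ip arp inspection vlan 2-71,73-253,255-999,1066,2000,2002-3999
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/2
 switchport access vlan 72
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/49
 switchport mode trunk
 ip arp inspection trust
"""

# Edge-port protections to require; this policy is an assumption of the example.
REQUIRED_ON_ACCESS = {
    "port-security": r"switchport port-security",
    "bpduguard": r"spanning-tree bpduguard enable",
    "ip source guard": r"ip verify source( .*)?",
    "dhcp rate limit": r"ip dhcp snooping limit rate \d+",
}

def parse_vlans(spec):
    """Expand an IOS VLAN list such as '2-71,73-253,1066' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text):
    """Return (global_lines, {interface_name: [sub-command lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif raw[:1].isspace() and current is not None:
            current.append(line)
        else:
            current = None  # "!" or a global command ends the interface block
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces

def audit(text):
    """Return (interface, finding) tuples for the checks discussed in the thread."""
    global_lines, interfaces = parse_config(text)
    vlans_for = lambda p: set().union(*(parse_vlans(g[len(p):]) for g in global_lines if g.startswith(p)))
    # VLANs with DHCP snooping that were left out of dynamic ARP inspection.
    gap = vlans_for("ip dhcp snooping vlan ") - vlans_for("ip arp inspection vlan ")
    findings = []
    for name, cmds in interfaces.items():
        has = lambda pattern: any(re.fullmatch(pattern, c) for c in cmds)
        if has("switchport mode trunk"):
            for trust in ("ip dhcp snooping trust", "ip arp inspection trust"):
                if not has(trust):
                    findings.append((name, f"uplink missing '{trust}'"))
        elif has("switchport mode access"):
            if has("ip dhcp snooping trust"):
                findings.append((name, "access port is trusted for DHCP snooping"))
            findings += [(name, f"missing {k}") for k, p in REQUIRED_ON_ACCESS.items() if not has(p)]
            for c in cmds:
                if (m := re.fullmatch(r"switchport access vlan (\d+)", c)) and int(m[1]) in gap:
                    findings.append((name, f"VLAN {m[1]} excluded from ARP inspection"))
    return findings
```

Trusted access ports and VLAN exclusions are review items rather than errors: the thread notes that a DHCP server port must be trusted and that some VLANs are excluded from ARP inspection on purpose.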