[27612] in resnet


Re: SOHO WiFi routers and residential networking

daemon@ATHENA.MIT.EDU (Brock, Adam)
Wed May 2 23:25:30 2012

Message-ID:  <1298635790.2684613.1336015426163.JavaMail.rim@b12.c4.bise6.blackberry>
Date:         Wed, 2 May 2012 22:23:44 -0500
Reply-To: "Brock, Adam" <Adam_Brock@BAYLOR.EDU>
From: "Brock, Adam" <Adam_Brock@BAYLOR.EDU>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  <D9D0C3D6A031FD41B81047D41FDC129D0BCD6FDAB5@DCEX07.bbbb.net>

Also, did anyone try getting a packet capture of the unicast traffic, or was that just a theory?
Sent from my Brockberry.
________________________________
From: Ryan Dorman <Ryan.Dorman@blackboard.com>
Sender: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
Date: Wed, 2 May 2012 21:33:01 -0500
To: RESNET-L@LISTSERV.ND.EDU
Reply-To: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
Subject: Re: [RESNET-L] SOHO WiFi routers and residential networking

My questions, slightly re-phrased:

1. For those of you who have a similar network, do you utilize either Storm Control or flood blocking?  Why do you use one rather than the other?

   a. We used storm control in the dorms back in my day (ha ha ha)… it was one of our band-aid procedures for Sasser/Blaster (hence why I did not describe it as the good old days).  It has the advantage of dealing with multiple types of traffic, not just unicast.

   b. This is a good article explaining the differences: http://ericleahy.com/?p=611

2. Do you use some other measure to deal with unicast packet floods?

   a. No

3. Considering the physical environment (single wired jacks), what do you feel is best practice when it comes to stopping unicast packet floods?

   a. There are a couple of things I would look at here, more from a design perspective than a flood protection angle:

      i. How big are your subnets?  If they are huge (bigger than /24) you're going to start running up against broadcast issues.

      ii. Have you considered Private VLANs?  Might help limit outages to a smaller group of people.

      iii. Do you limit the number of MAC addresses on a single port?


It surprises me that you are seeing unicast flooding like this.. in campus environments, and even in datacenters, I have found that that is relatively rare.  Granted, I don't work in reshalls anymore and the nature of that traffic is different than here in sell-out world :) but I'd be interested to see traces of who is flooding who and from what process etc etc…

Ryan Dorman
Director, Enterprise Technology Strategy
Blackboard Inc.

O: 202.463.4860 x2618
M: 202.370.7889

From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Crowe, Sheila
Sent: Tuesday, May 01, 2012 2:15 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: SOHO WiFi routers and residential networking

Thank you to Rand, Bruce and my hero, Adam Brock.

A bit more detailed information to help all the Cisco network guru types help me.  To recap…

We have 2 housing areas:  residence halls and family and graduate apartments.  Both areas have Cisco 2960 layer 2 switches and Cisco 3750 fiber switches.  In the residence halls we have one wired port per pillow and almost ubiquitous wireless coverage via Aruba APs and a single controller.  ResNet is charged as part of the room and board in the residence halls.

We don't provide wireless coverage in family and graduate housing.  Our family housing area was wired about 13 years ago and provided only one wired jack per apartment; because of that, virtually every customer in family housing uses a SOHO wireless router.  Prior to our upgrade in June, we were using 3Com fiber switches and Cisco 2960 layer 2 switches.  When we upgraded this section of our network (from 3Com fiber switches to Cisco 3750s), we immediately had a BIG problem with our network dropping in family housing; no problems in the res halls.  Backwards SOHO routers were not the problem because we use DHCP snooping.  Prior to the upgrade, our network ran like a scalded cat in FGH.  It was ultimately decided that the problem was caused by the larger concentration of SOHO wireless routers in that area producing unicast packet floods.  Our team has discovered that Cisco switches have a feature called flood blocking that will block unicast and multicast floods at the switchport level.  We are deploying this slowly.  I am told that it is NOT Cisco's Storm Control.

My questions, slightly re-phrased:

1.       For those of you who have a similar network, do you utilize either Storm Control or flood blocking?  Why do you use one rather than the other?


2.       Do you use some other measure to deal with unicast packet floods?


3.       Considering the physical environment (single wired jacks), what do you feel is best practice when it comes to stopping unicast packet floods?


If you need more detail from me, please ask.  Any information or feedback is appreciated.  If you prefer, please feel free to contact me off-list.

Thank you!
Sheila Crowe
MSU ResNet
sheila@montana.edu


From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Osborne, Bruce W
Sent: Tuesday, May 01, 2012 5:48 AM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: SOHO WiFi routers and residential networking

That is only the port part of the configuration. There are some global settings too.

Also, your switch uplink or the switch port with the DHCP server needs to be trusted for this to function correctly. The three processes used here are "ARP inspection", "DHCP snooping", and "IP source guard". The features can vary, depending on your model of switch.

Here is one example of Cisco’s documentation. This one is for 3550 switches. http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html


Bruce Osborne
Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Hall, Rand [mailto:hallr@MERRIMACK.EDU]
Sent: Monday, April 30, 2012 12:39 PM
Subject: Re: SOHO WiFi routers and residential networking

Sheila,

Good luck blocking rogues. :-) Your best bet is to hold to your commitment to providing service to the jack. To that you can add some basic best practice suggestions to people who want to try using a wireless router or bridge (enable encryption, negotiate channel selection with neighbors, etc).

Your network folks will want to turn on DHCP Snooping. Sometimes a resident will plug a router in "backwards" and offer up DHCP leases to their neighbors--not a pretty sight. If they are new to Cisco they might appreciate a sample interface config for some ideas. Feel free to share:

 ! access port in the resident VLAN; "protected" keeps ports on this switch from talking to each other
 switchport access vlan xx
 switchport mode access
 switchport protected
 ! port security: at most 6 MACs per jack, stale entries age out after 1 minute of inactivity
 switchport port-security maximum 6
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ! rate-limit ARP, broadcast and multicast from the jack (pps = packets per second)
 ip arp inspection limit rate 15 burst interval 10
 storm-control broadcast level pps 50 10
 storm-control multicast level pps 50 10
 ! edge port: no STP convergence wait, and shut the port if a BPDU (i.e. another switch) shows up
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! IP source guard and DHCP snooping rate limit; both require "ip dhcp snooping" globally
 ip verify source
 ip dhcp snooping limit rate 10


Rand

Rand P. Hall
Director, Network Services                 askIT!
Merrimack College
978-837-3532
rand.hall@merrimack.edu

If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. – Einstein
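As an added example (not code from anyone in this thread), a small Python audit that checks a running-config excerpt for the interface hardening in Rand's sample and for the global prerequisites Bruce raises: DHCP snooping enabled globally and for the access VLAN, and a trusted uplink or DHCP-server port, without which IP source guard and ARP inspection have nothing to work from. The config text inside is constructed for the example and the interface names are placeholders.

```python
# Interface lines (taken from Rand's sample config) that every access port should carry.
REQUIRED = ("switchport port-security", "storm-control broadcast level",
            "spanning-tree bpduguard enable", "ip verify source", "ip dhcp snooping limit rate")

# Constructed running-config excerpt: one hardened access port, one bare one, and no trusted uplink.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 20
interface GigabitEthernet1/0/2
 switchport access vlan 20
 switchport mode access
 switchport port-security
 storm-control broadcast level pps 50 10
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 10
interface GigabitEthernet1/0/3
 switchport access vlan 30
 switchport mode access
"""
def parse_config(text):
    """Split an IOS config into (global lines, {interface name: [sub-mode lines]})."""
    glob, ifaces, cur = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        else:
            cur = None
            glob.append(line.strip())
    return glob, ifaces
def audit(text=SAMPLE_CONFIG):
    """Return findings (empty list = pass) for port hardening and its global prerequisites."""
    glob, ifaces = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in glob:  # ip verify source and ARP inspection depend on the binding table
        findings.append("global: 'ip dhcp snooping' is not enabled")
    snoop_vlans = {g.split()[-1] for g in glob if g.startswith("ip dhcp snooping vlan ")}
    if not any("ip dhcp snooping trust" in ls for ls in ifaces.values()):
        findings.append("global: no port is 'ip dhcp snooping trust' (uplink or DHCP server port)")
    for name, lines in ifaces.items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are out of scope for access-port hardening
        vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), None)
        if vlan and vlan not in snoop_vlans:
            findings.append(f"{name}: DHCP snooping is not enabled for vlan {vlan}")
        findings += [f"{name}: missing '{r}'" for r in REQUIRED if not any(l.startswith(r) for l in lines)]
    return findings
```

Run against a real `show running-config` dump, the output lists the jacks that lack one of the lines and the global settings that would silently make IP source guard a no-op.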

On Fri, Apr 27, 2012 at 1:48 PM, Crowe, Sheila <sheila@montana.edu> wrote:
In early March, I participated in a thread started by Jeannie Abney about what other schools' policies are for residents bringing personal wireless routers onto your network.  I added some questions pertaining to single family apartments (vs. residence halls) and got some great feedback.  I would like to take it a step further and ask some more questions based on the type of network that we have.

We have a Cisco network, a core at the origin of the commodity internet pipe, and a subnet for each of our buildings (really areas).  In the residence halls we have a large Aruba wireless network installed so that every building is blanketed for secure wireless internet access.   In the residence halls, ResNet is charged out to every resident regardless of whether they use it or not.

We do not provide ubiquitous wireless coverage in family housing because ResNet is an opt-in service. Additionally, our family housing area was wired about 13 years ago and only provided one wired jack per apartment. As I’m sure you can imagine, virtually every customer in family housing has a soho wireless router.  When we upgraded this section of our network (from 3Com switches to Cisco), we immediately had a BIG problem with our network dropping constantly.  It was ultimately decided that it was the SOHO wireless routers causing the problem; namely, unicast packet floods through our Cisco switch ports. Only recently it was discovered that Cisco switches have a feature that will block unicast and multicast floods.  We are deploying this slowly.

Now for the questions. For those of you who have a similar network, do you employ this Cisco feature or do you simply block all “rogue” wireless connections?  Or do you have another measure in place to deal with the unicast packet floods?  Also, do your network engineers consider this a stopgap measure (“band-aid”) to deal with residences where you do not offer WiFi?

Please do share all of the details about this issue (or non-issue) on your network as you know them.  And thanks a million!

Sheila Crowe
Montana State University ResNet
406.994.4230
406.209.7243

P.S. I’m hoping to see all of you at the 2012 Student Technology Conference at Claremont Colleges!

___________________________________________________ You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.EDU/archives/resnet-l.html ___________________________________________________

