[27616] in resnet
Re: SOHO WiFi routers and residential networking
daemon@ATHENA.MIT.EDU (Brock, Adam)
Thu May 3 14:19:00 2012
Content-Language: en-US
Content-Type: text/plain; charset="Windows-1252"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID: <1247857828.2729698.1336069128788.JavaMail.rim@b12.c4.bise6.blackberry>
Date: Thu, 3 May 2012 13:18:45 -0500
Reply-To: "Brock, Adam" <Adam_Brock@baylor.edu>
From: "Brock, Adam" <Adam_Brock@baylor.edu>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <CAL_ebD=KRuawWbNN05A7nZgLj_tU55MBKpRPyo-e01BeYaWGuA@mail.gmail.com>
I'd say the problem isn't so much that a flood of unicast packets crippled your network, but more that there was a flood of unicast packets unexpectedly. I'd think you'd want to look at the packets and try and determine the cause of the packets, in addition to what you've proposed.
Sent from my Brockberry.
________________________________
From: Chris Webster <chris.webster@NCSU.EDU>
Sender: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
Date: Thu, 3 May 2012 13:03:56 -0500
To: RESNET-L@LISTSERV.ND.EDU
ReplyTo: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
Subject: Re: [RESNET-L] SOHO WiFi routers and residential networking
Packet captures are almost always useful in identifying problems that can't be explained simply based on the symptoms (which is why it's one of the first things network people look for). I'm happy to take a look at any captures you have, with the caveat that the problem might be totally over my head.
/24 is CIDR notation meaning a block of 256 IP addresses. Wikipedia link is the best I can do right now... I'll see if I can come up with a better explanatory article later: http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks
-Chris
On Thu, May 3, 2012 at 1:49 PM, Crowe, Sheila <sheila@montana.edu> wrote:
I'm sure that we have done packet captures, Adam...would it help to see those?
Ryan, I'm not sure what you mean by subnets bigger than "/24." (I'm gonna read the Eric Leahy paper at lunch). I'm learning a little about networking along the way, aren't I?
My plan for the responses from the RESNET-L is to combine the suggestions and questions and present them to the network guy for analysis and answers.
Keep them coming! And thank you very much for sharing your expertise with me.
Sheila Crowe
Montana State University
-----Original Message-----
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Brock, Adam
Sent: Wednesday, May 02, 2012 9:24 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: SOHO WiFi routers and residential networking
Also, did anyone try getting a packet capture of the unicast traffic, or was that just a theory?
Sent from my Brockberry.
________________________________
From: Ryan Dorman <Ryan.Dorman@blackboard.com>
Sender: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
Date: Wed, 2 May 2012 21:33:01 -0500
To: RESNET-L@LISTSERV.ND.EDU
ReplyTo: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
Subject: Re: [RESNET-L] SOHO WiFi routers and residential networking
My questions, slightly re-phrased:
1. For those of you who have a similar network, do you utilize either Storm Control or flood blocking? Why do you use one rather than the other?
a. We used storm control in the dorms back in my day (ha ha ha)... it was one of our bandaid procedures for sasser/blaster (hence why I did not describe it as the good old days). It has advantage of dealing with multiple types of traffic, not just Unicast.
b. This is a good article explaining the differences http://ericleahy.com/?p=611
2. Do you use some other measure to deal with unicast packet floods?
a. No
3. Considering the physical environment (single wired jacks), what do you feel is best practice when it comes to stopping unicast packet floods?
a. There are a couple things I would look at here more from a design perspective than a flood protection angle
i. How big are your subnets? If they are huge (bigger than /24) you're going to start running up against broadcast issues.
ii. Have you considered Private VLANs? Might help limit outages to a smaller group of people
iii. Do you limit the number of MAC addresses on a single port?
It surprises me that you are seeing unicast flooding like this... in campus environments, and even in datacenters, I have found that it is relatively rare. Granted, I don't work in reshalls anymore and the nature of that traffic is different than here in sell-out world :) but I'd be interested to see traces of who is flooding who and from what process etc etc...
Ryan Dorman
Director, Enterprise Technology Strategy Blackboard Inc.
O: 202.463.4860 x2618
M: 202.370.7889
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Crowe, Sheila
Sent: Tuesday, May 01, 2012 2:15 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: SOHO WiFi routers and residential networking
Thank you to Rand, Bruce and my hero, Adam Brock.
A bit more detailed information to help all the Cisco network guru types help me. To recap...
We have 2 housing areas: residence halls and family and graduate apartments. Both areas have Cisco 2960 layer 2 switches and Cisco 3750 fiber switches. In the residence halls we have one wired port per pillow and almost ubiquitous wireless coverage via Aruba APs and a single controller. ResNet is charged as part of the room and board in the residence halls.
We don't provide wireless coverage in family and graduate housing. Our family housing area was wired about 13 years ago and provided only one wired jack per apartment; because of that, virtually every customer in family housing uses a soho wireless router. Prior to our upgrade in June, we were using 3Com fiber switches and Cisco 2960 layer 2 switches. When we upgraded this section of our network (from 3Com fiber switches to Cisco 3750s), we immediately had a BIG problem with our network dropping in family housing; no problems in the res halls. Backwards soho routers were not the problem because we use DHCP snooping. Prior to the upgrade, our network ran like a scalded cat in FGH. It was ultimately decided that the problem was caused by the larger concentration of SOHO wireless routers in that area producing unicast packet floods. Our team has discovered that Cisco switches have a feature called flood blocking that will block unicast and multicast floods at the switchport level. We are deploying this slowly. I am told that it is NOT Cisco's Storm Control.
My questions, slightly re-phrased:
1. For those of you who have a similar network, do you utilize either Storm Control or flood blocking? Why do you use one rather than the other?
2. Do you use some other measure to deal with unicast packet floods?
3. Considering the physical environment (single wired jacks), what do you feel is best practice when it comes to stopping unicast packet floods?
If you need more detail from me, please ask. Any information or feedback is appreciated. If you prefer, please feel free to contact me off-list.
Thank you!
Sheila Crowe
MSU ResNet
sheila@montana.edu
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Osborne, Bruce W
Sent: Tuesday, May 01, 2012 5:48 AM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: SOHO WiFi routers and residential networking
That is only the port part of the configuration. There are some global settings too.
Also, your switch uplink or the switch port with the DHCP server needs to be trusted for this to function correctly. The three processes used here are "ARP inspection", "DHCP snooping", and "IP source guard". The features can vary, depending on your model of switch.
Here is one example of Cisco's documentation. This one is for 3550 switches. http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html
Bruce Osborne
Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
From: Hall, Rand [mailto:hallr@MERRIMACK.EDU]
Sent: Monday, April 30, 2012 12:39 PM
Subject: Re: SOHO WiFi routers and residential networking
Sheila,
Good luck blocking rogues. :-) Your best bet is to hold to your commitment to providing service to the jack. To that you can add some basic best practice suggestions to people who want to try using a wireless router or bridge (enable encryption, negotiate channel selection with neighbors, etc).
Your network folks will want to turn on DHCP Snooping. Sometimes a resident will plug a router in "backwards" and offer up DHCP leases to their neighbors--not a pretty sight. If they are new to Cisco they might appreciate a sample interface config for some ideas. Feel free to share:
switchport access vlan xx
switchport mode access
! protected ports cannot exchange traffic with each other at layer 2 on this switch
switchport protected
! port security: at most 6 MACs; frames from extra MACs are dropped and logged, port stays up;
! secure MACs age out after 1 minute of inactivity
switchport port-security maximum 6
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
! dynamic ARP inspection: 15 ARP packets per second, averaged over a 10-second burst interval
ip arp inspection limit rate 15 burst interval 10
! storm control: rising / falling thresholds in packets per second
storm-control broadcast level pps 50 10
storm-control multicast level pps 50 10
! edge port; err-disable it if a BPDU (another switch) shows up
spanning-tree portfast
spanning-tree bpduguard enable
! IP source guard and a DHCP rate limit; both depend on DHCP snooping being enabled globally
ip verify source
ip dhcp snooping limit rate 10
Rand
Rand P. Hall
Director, Network Services askIT!
Merrimack College
978-837-3532
rand.hall@merrimack.edu
If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. - Einstein
On Fri, Apr 27, 2012 at 1:48 PM, Crowe, Sheila <sheila@montana.edu> wrote:
In early March, I participated in a thread started by Jeannie Abney about what other schools' polices are for residents bringing personal wireless routers onto your network. I added some questions pertaining to single family apartments (vs. residence halls) and got some great feedback. I would like to take it a step further and ask some more questions based on the type of network that we have.
We have a Cisco network, a core at the origin of the commodity internet pipe, and a subnet for each of our buildings (really areas). In the residence halls we have a large Aruba wireless network installed so that every building is blanketed for secure wireless internet access. In the residence halls, ResNet is charged out to every resident regardless of whether they use it or not.
We do not provide ubiquitous wireless coverage in family housing because ResNet is an opt-in service. Additionally, our family housing area was wired about 13 years ago and only provided one wired jack per apartment. As I'm sure you can imagine, virtually every customer in family housing has a soho wireless router. When we upgraded this section of our network (from 3Com switches to Cisco), we immediately had a BIG problem with our network dropping constantly. It was ultimately decided that it was the SOHO wireless routers causing the problem; namely, unicast packet floods through our Cisco switch ports. Only recently it was discovered that Cisco switches have a feature that will block unicast and multicast floods. We are deploying this slowly.
Now for the questions. For those of you who have a similar network, do you employ this Cisco feature or do you simply block all "rogue" wireless connections? Or do you have another measure in place to deal with the unicast packet floods? Also, do your network engineers consider this a stopgap measure ("band-aid") to deal with residences where you do not offer WiFi?
Please do share all of the details about this issue (or non-issue) on your network as you know them. And thanks a million!
Sheila Crowe
Montana State University ResNet
406.994.4230
406.209.7243
P.S. I'm hoping to see all of you at the 2012 Student Technology Conference at Claremont Colleges!
___________________________________________________ You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.EDU/archives/resnet-l.html ___________________________________________________
--
Chris Webster
Senior Technician
OIT Walk-in Center
North Carolina State University
Ph: 919.513.2676
Fax: 919.513.2945
Email: chris.webster@ncsu.edu
Web: http://go.ncsu.edu/wic/
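The thread names the switch features but only shows Rand's per-port commands. Below, as an added example that is not from any of the messages above, is the global and uplink side of DHCP snooping and ARP inspection that Bruce says a port-only config is missing, together with a resident port that carries both flood blocking (`switchport block`) and storm control, so the difference Sheila asks about is visible in one place. VLAN 10, the interface names and the packets-per-second thresholds are assumptions chosen for illustration; the command syntax is Catalyst 2960/3750 IOS 12.2.

```cisco
! Added example, not from the thread. VLAN 10, the interface names and the
! thresholds are assumptions; syntax is Catalyst 2960/3750 IOS 12.2.
!
! --- Global: the part a port-only config leaves out ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default and some DHCP servers drop such
! requests; turn it off unless the server is set up to accept it.
no ip dhcp snooping information option
! DAI validates ARP against the snooping binding table; the per-port
! "ip arp inspection limit rate" does nothing until DAI is on for the VLAN.
ip arp inspection vlan 10
!
! --- Uplink toward the DHCP server / core: must be trusted, otherwise
! every lease offer and every ARP reply coming from the core is dropped ---
interface GigabitEthernet1/0/1
 description uplink to 3750 core
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Resident port: the two mechanisms the thread is asking about ---
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 ! Flood blocking ("port blocking"): unknown-unicast and unregistered
 ! multicast that the switch would otherwise flood is not sent OUT this
 ! port. It shields the resident from other people's floods; it does not
 ! police what the resident's router sends IN.
 switchport block unicast
 switchport block multicast
 ! Storm control: rate-limits traffic coming IN on this port, per class.
 ! Rising / falling thresholds in packets per second; "trap" logs the
 ! event instead of err-disabling the port.
 storm-control unicast level pps 100 50
 storm-control broadcast level pps 50 10
 storm-control multicast level pps 50 10
 storm-control action trap
!
! Checks after deployment:
!   show ip dhcp snooping                               (trusted ports, enabled VLANs)
!   show ip dhcp snooping binding                       (leases the snooping table knows)
!   show ip arp inspection vlan 10
!   show interfaces FastEthernet0/1 switchport | include blocked
!   show storm-control FastEthernet0/1
!   show mac address-table dynamic vlan 10              (who is actually on the wire)
```

The two mechanisms are not substitutes. `switchport block unicast` only suppresses what the switch floods out of that port, so it protects the resident behind it and does nothing to throttle a router that is itself the source of the flood; `storm-control unicast` polices what arrives on the port and is the one to use against a misbehaving device. One caveat with blocking: a device that only listens on a blocked port stays unreachable until it transmits, because the switch learns MAC addresses only from frames a port sources. During an incident, `show mac address-table dynamic` shows whether the destination MACs being flooded are simply absent from the table, which is the usual reason a switch floods unicast in the first place, and is a cheaper first check than a full packet capture.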