[27617] in resnet


Re: SOHO WiFi routers and residential networking

daemon@ATHENA.MIT.EDU (Ryan Dorman)
Thu May 3 14:22:52 2012

Message-ID:  <D9D0C3D6A031FD41B81047D41FDC129D0BCD6FDD89@DCEX07.bbbb.net>
Date:         Thu, 3 May 2012 14:20:28 -0400
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Ryan Dorman <Ryan.Dorman@blackboard.com>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  <CAL_ebD=KRuawWbNN05A7nZgLj_tU55MBKpRPyo-e01BeYaWGuA@mail.gmail.com>


Yep, happy to help with staring at captures.. it's far more interesting than "Strategy" whatever that means :)

As a general rule (I say general, I know there are exceptions, styles and other such that engineers use for IPAM) a /24 is the largest size network you should put end user PCs on.  Especially given the chatty nature of Mac multicast/rendezvous traffic, MS broadcast traffic etc etc it can result in a single packet being responded to by 100s of machines that it was not ultimately destined for....


-rd
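
To make "staring at captures" concrete, here is an added example (not part of the original post) that sorts the frames seen on one access port into broadcast, multicast, the host's own unicast and flooded unicast, and totals the flooded bytes per source/destination pair. The host MAC, the other addresses and the `tcpdump -e -n` lines are constructed sample input.

```python
import re
from collections import Counter

# Constructed sample: `tcpdump -e -n` output captured on one resident's wired jack.
HOST_MAC = "00:1b:63:aa:bb:01"  # MAC of the capturing PC (assumed)
SAMPLE = """\
14:20:28.000100 00:1b:63:aa:bb:01 > 00:00:0c:07:ac:01, ethertype IPv4 (0x0800), length 74: 10.10.4.23.51234 > 192.0.2.10.443: Flags [S], length 0
14:20:28.000900 00:00:0c:07:ac:01 > 00:1b:63:aa:bb:01, ethertype IPv4 (0x0800), length 1514: 192.0.2.10.443 > 10.10.4.23.51234: Flags [.], length 1448
14:20:28.001200 00:23:12:cc:dd:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.10.4.1 tell 10.10.4.40, length 46
14:20:28.001900 00:23:12:cc:dd:03 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 105: 10.10.4.41.5353 > 224.0.0.251.5353: 0 PTR (QM)? _airplay._tcp.local. (63)
14:20:28.002400 00:23:12:cc:dd:04 > 33:33:00:00:00:fb, ethertype IPv6 (0x86dd), length 125: fe80::1.5353 > ff02::fb.5353: 0 PTR (QM)? _airplay._tcp.local. (63)
14:20:28.003000 00:00:0c:07:ac:01 > 00:24:01:ee:ff:09, ethertype IPv4 (0x0800), length 1514: 198.51.100.7.80 > 10.10.4.77.50111: Flags [.], length 1448
14:20:28.003100 00:00:0c:07:ac:01 > 00:24:01:ee:ff:09, ethertype IPv4 (0x0800), length 1514: 198.51.100.7.80 > 10.10.4.77.50111: Flags [.], length 1448
14:20:28.003500 00:00:0c:07:ac:01 > 00:24:01:ee:ff:0a, ethertype IPv4 (0x0800), length 590: 203.0.113.9.443 > 10.10.4.78.50222: Flags [.], length 524
14:20:28.004000 00:23:12:cc:dd:02 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300
9 packets captured
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME = re.compile(
    rf"^\S+ (?P<src>{MAC}) > (?P<dst>{MAC}), "
    r"ethertype \S+ \(0x[0-9a-f]+\), length (?P<len>\d+):",
    re.IGNORECASE,
)


def classify(src, dst, host_mac):
    """Return the delivery class of one frame as seen from the capturing host."""
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(dst[:2], 16) & 1:          # group bit set in the first octet
        return "multicast"
    if host_mac in (src, dst):
        return "own-unicast"
    # Unicast between two other stations: the switch had no forwarding-table
    # entry for dst and flooded the frame out of this port as well.
    return "flooded-unicast"


def triage(capture_text, host_mac):
    """Count frames per class and sum flooded bytes per (src, dst) pair."""
    host_mac = host_mac.lower()
    classes, flooded_bytes = Counter(), Counter()
    for line in capture_text.splitlines():
        m = FRAME.match(line)
        if not m:                     # summary lines, truncated lines, etc.
            continue
        src, dst, size = m["src"].lower(), m["dst"].lower(), int(m["len"])
        kind = classify(src, dst, host_mac)
        classes[kind] += 1
        if kind == "flooded-unicast":
            flooded_bytes[(src, dst)] += size
    return classes, flooded_bytes


def report(classes, flooded_bytes, top=5):
    """Format the triage result as text lines, largest flooded pairs first."""
    total = sum(classes.values())
    lines = [f"{kind:16} {n:4d} of {total}" for kind, n in classes.most_common()]
    for (src, dst), size in flooded_bytes.most_common(top):
        lines.append(f"flooded {src} -> {dst}: {size} bytes")
    return lines


if __name__ == "__main__":
    print("\n".join(report(*triage(SAMPLE, HOST_MAC))))
```

The flooded pairs at the bottom of the report are the "who is flooding who" list; the broadcast and multicast counts show how much of the port's traffic is the chatter that grows with subnet size.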

From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Chris Webster
Sent: Thursday, May 03, 2012 11:04 AM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: SOHO WiFi routers and residential networking

Packet captures are almost always useful in identifying problems that can't be explained simply based on the symptoms (which is why it's one of the first things network people look for). I'm happy to take a look at any captures you have, with the caveat that the problem might be totally over my head.

/24 is CIDR notation meaning a block of 256 IP addresses. Wikipedia link is the best I can do right now... I'll see if I can come up with a better explanatory article later: http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks

-Chris

On Thu, May 3, 2012 at 1:49 PM, Crowe, Sheila <sheila@montana.edu> wrote:
I'm sure that we have done packet captures, Adam...would it help to see those?

Ryan, I'm not sure what you mean by subnets bigger than "/24."  (I'm gonna read the Eric Leahy paper at lunch).  I'm learning a little about networking along the way, aren't I?

My plan for the responses from the RESNET-L is to combine the suggestions and questions and present them to the network guy for analysis and answers.

Keep them coming!  And thank you very much for sharing your expertise with me.

Sheila Crowe
Montana State University
-----Original Message-----
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Brock, Adam
Sent: Wednesday, May 02, 2012 9:24 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: SOHO WiFi routers and residential networking

Also, did anyone try getting a packet capture of the unicast traffic, or was that just a theory?
Sent from my Brockberry.
________________________________
From: Ryan Dorman <Ryan.Dorman@blackboard.com>
Sender: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
Date: Wed, 2 May 2012 21:33:01 -0500
To: RESNET-L@LISTSERV.ND.EDU
ReplyTo: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
Subject: Re: [RESNET-L] SOHO WiFi routers and residential networking

My questions, slightly re-phrased:

1. For those of you who have a similar network, do you utilize either Storm Control or flood blocking?  Why do you use one rather than the other?

   a. We used storm control in the dorms back in my day (ha ha ha)... it was one of our bandaid procedures for sasser/blaster (hence why I did not describe it as the good old days).  It has the advantage of dealing with multiple types of traffic, not just Unicast.

   b. This is a good article explaining the differences: http://ericleahy.com/?p=611

2. Do you use some other measure to deal with unicast packet floods?

   a. No

3. Considering the physical environment (single wired jacks), what do you feel is best practice when it comes to stopping unicast packet floods?

   a. There are a couple things I would look at here more from a design perspective than a flood protection angle

      i. How big are your subnets?  If they are huge (bigger than /24) you're going to start running up against broadcast issues.

      ii. Have you considered Private VLANs?  Might help limit outages to a smaller group of people

      iii. Do you limit the number of MAC addresses on a single port?

It surprises me that you are seeing unicast flooding like this.. in campus environments, and even in datacenters I have found that that is relatively rare.  Granted, I don't work in reshalls anymore and the nature of that traffic is different than here in sell-out world :) but I'd be interested to see traces of who is flooding who and from what process etc etc...

Ryan Dorman
Director, Enterprise Technology Strategy Blackboard Inc.

O: 202.463.4860 x2618
M: 202.370.7889

From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Crowe, Sheila
Sent: Tuesday, May 01, 2012 2:15 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: SOHO WiFi routers and residential networking

Thank you to Rand, Bruce and my hero, Adam Brock.
A bit more detailed information to help all the Cisco network guru types help me.  To recap...

We have 2 housing areas:  residence halls and family and graduate apartments.  Both areas have Cisco 2960 layer 2 switches and Cisco 3750 fiber switches.  In the residence halls we have one wired port per pillow and almost ubiquitous wireless coverage via Aruba APs and a single controller.  ResNet is charged as part of the room and board in the residence halls.

We don't provide wireless coverage in family and graduate housing.  Our family housing area was wired about 13 years ago and provided only one wired jack per apartment; because of that, virtually every customer in family housing uses a soho wireless router.  Prior to our upgrade in June, we were using 3Com fiber switches and Cisco 2960 layer 2 switches. When we upgraded this section of our network (from 3Com fiber switches to Cisco 3750s), we immediately had a BIG problem with our network dropping in family housing; no problems in the res halls.  Backwards soho routers were not the problem because we use DHCP snooping. Prior to the upgrade, our network ran like a scalded cat in FGH.  It was ultimately decided that the problem was caused by the larger concentration of SOHO wireless routers in that area producing unicast packet floods.  Our team has discovered that Cisco switches have a feature called flood blocking that will block unicast and multicast floods at the switchport level.  We are deploying this slowly.  I am told that it is NOT Cisco's Storm Control.

My questions, slightly re-phrased:

1. For those of you who have a similar network, do you utilize either Storm Control or flood blocking?  Why do you use one rather than the other?

2. Do you use some other measure to deal with unicast packet floods?

3. Considering the physical environment (single wired jacks), what do you feel is best practice when it comes to stopping unicast packet floods?

If you need more detail from me, please ask.  Any information or feedback is appreciated.  If you prefer, please feel free to contact me off-list.

Thank you!
Sheila Crowe
MSU ResNet
sheila@montana.edu


From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Osborne, Bruce W
Sent: Tuesday, May 01, 2012 5:48 AM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: SOHO WiFi routers and residential networking

That is only the port part of the configuration. There are some global settings too.

Also, your switch uplink or the switch port with the DHCP server needs to be trusted for this to function correctly. The three processes used here are "ARP inspection", "DHCP snooping", and "IP source guard". The features can vary, depending on your model of switch.

Here is one example of Cisco's documentation. This one is for 3550 switches. http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html


Bruce Osborne
Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Hall, Rand [mailto:hallr@MERRIMACK.EDU]
Sent: Monday, April 30, 2012 12:39 PM
Subject: Re: SOHO WiFi routers and residential networking

Sheila,

Good luck blocking rogues. :-) Your best bet is to hold to your commitment to providing service to the jack. To that you can add some basic best practice suggestions to people who want to try using a wireless router or bridge (enable encryption, negotiate channel selection with neighbors, etc).

Your network folks will want to turn on DHCP Snooping. Sometimes a resident will plug a router in "backwards" and offer up DHCP leases to their neighbors--not a pretty sight. If they are new to Cisco they might appreciate a sample interface config for some ideas. Feel free to share:

 switchport access vlan xx
 switchport mode access
 switchport protected
 switchport port-security maximum 6
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection limit rate 15 burst interval 10
 storm-control broadcast level pps 50 10
 storm-control multicast level pps 50 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 10


Rand

Rand P. Hall
Director, Network Services                 askIT!
Merrimack College
978-837-3532
rand.hall@merrimack.edu

If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. - Einstein

On Fri, Apr 27, 2012 at 1:48 PM, Crowe, Sheila <sheila@montana.edu> wrote:
In early March, I participated in a thread started by Jeannie Abney about what other schools' policies are for residents bringing personal wireless routers onto your network.  I added some questions pertaining to single family apartments (vs. residence halls) and got some great feedback.  I would like to take it a step further and ask some more questions based on the type of network that we have.

We have a Cisco network, a core at the origin of the commodity internet pipe, and a subnet for each of our buildings (really areas).  In the residence halls we have a large Aruba wireless network installed so that every building is blanketed for secure wireless internet access.  In the residence halls, ResNet is charged out to every resident regardless of whether they use it or not.

We do not provide ubiquitous wireless coverage in family housing because ResNet is an opt-in service. Additionally, our family housing area was wired about 13 years ago and only provided one wired jack per apartment. As I'm sure you can imagine, virtually every customer in family housing has a soho wireless router.  When we upgraded this section of our network (from 3Com switches to Cisco), we immediately had a BIG problem with our network dropping constantly.  It was ultimately decided that it was the SOHO wireless routers causing the problem; namely, unicast packet floods through our Cisco switch ports. Only recently it was discovered that Cisco switches have a feature that will block unicast and multicast floods.  We are deploying this slowly.

Now for the questions. For those of you who have a similar network, do you employ this Cisco feature or do you simply block all "rogue" wireless connections?  Or do you have another measure in place to deal with the unicast packet floods?  Also, do your network engineers consider this a stopgap measure ("band-aid") to deal with residences where you do not offer WiFi?

Please do share all of the details about this issue (or non-issue) on your network as you know them.  And thanks a million!

Sheila Crowe
Montana State University ResNet
406.994.4230
406.209.7243

P.S. I'm hoping to see all of you at the 2012 Student Technology Conference at Claremont Colleges!

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________


This email and any attachments may contain confidential and proprietary information of Blackboard that is for the sole use of the intended recipient. If you are not the intended recipient, disclosure, copying, re-distribution or other use of any of this information is strictly prohibited. Please immediately notify the sender and delete this transmission if you received this email in error.



--
Chris Webster
Senior Technician
OIT Walk-in Center
North Carolina State University

Ph: 919.513.2676
Fax: 919.513.2945
Email: chris.webster@ncsu.edu
Web: http://go.ncsu.edu/wic/
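
Bruce's point that the port lines need matching global settings and a trusted uplink can be checked mechanically. This added example (not code from the thread or from Cisco) audits an IOS-style configuration against the commands in Rand's sample; the configuration text, interface names and VLAN numbers are constructed.

```python
import re

# Per-port controls taken from the sample interface config in the thread,
# written as regexes matched against each sub-command of an access port.
REQUIRED_ON_ACCESS = {
    "port-security enabled": r"switchport port-security$",
    "ARP inspection rate limit": r"ip arp inspection limit rate \d+",
    "broadcast storm-control": r"storm-control broadcast level ",
    "BPDU guard": r"spanning-tree bpduguard enable$",
    "IP source guard": r"ip verify source\b",
    "DHCP snooping rate limit": r"ip dhcp snooping limit rate \d+",
}

# Constructed configuration: one hardened port, one bare port, an untrusted uplink.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20-22
ip arp inspection vlan 10
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport protected
 switchport port-security maximum 6
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection limit rate 15 burst interval 10
 storm-control broadcast level pps 50 10
 storm-control multicast level pps 50 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/2
 switchport access vlan 30
 switchport mode access
 switchport port-security maximum 6
 spanning-tree portfast
!
interface GigabitEthernet0/24
 description uplink, trust statements missing
 switchport mode trunk
!
"""


def parse_config(text):
    """Split a config into global lines and {interface: [sub-commands]}."""
    globals_, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif raw[0].isspace() and current:
            ifaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line)
    return globals_, ifaces


def parse_vlans(spec):
    """Expand a VLAN list such as '10,20-22' into a set of integers."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo:
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def vlans_for(globals_, prefix):
    """Collect the VLANs named by every global line starting with prefix."""
    found = set()
    for line in globals_:
        if line.startswith(prefix):
            found |= parse_vlans(line[len(prefix):].split()[0])
    return found


def audit(text):
    """Return findings: missing global settings and under-protected access ports."""
    globals_, ifaces = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in globals_:
        findings.append("global: 'ip dhcp snooping' is not enabled")
    if not any("ip dhcp snooping trust" in cmds for cmds in ifaces.values()):
        findings.append("global: no port carries 'ip dhcp snooping trust'")
    snoop = vlans_for(globals_, "ip dhcp snooping vlan ")
    dai = vlans_for(globals_, "ip arp inspection vlan ")
    for name, cmds in ifaces.items():
        if "switchport mode access" not in cmds:
            continue
        m = next((re.match(r"switchport access vlan (\d+)$", c) for c in cmds
                  if c.startswith("switchport access vlan")), None)
        vlan = int(m.group(1)) if m else 1      # IOS default access VLAN
        if vlan not in snoop:
            findings.append(f"{name}: VLAN {vlan} is not in 'ip dhcp snooping vlan'")
        if vlan not in dai:
            findings.append(f"{name}: VLAN {vlan} is not in 'ip arp inspection vlan'")
        for label, pattern in REQUIRED_ON_ACCESS.items():
            if not any(re.match(pattern, c) for c in cmds):
                findings.append(f"{name}: missing {label}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The second port shows the easy mistake: `switchport port-security maximum 6` is present, but without the bare `switchport port-security` line the feature is not enabled on that port.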

--_000_D9D0C3D6A031FD41B81047D41FDC129D0BCD6FDD89DCEX07bbbbnet_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
p
	{mso-style-priority:99;
	mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
	{mso-style-priority:99;
	mso-style-link:"Balloon Text Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:8.0pt;
	font-family:"Tahoma","sans-serif";}
span.EmailStyle18
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
span.BalloonTextChar
	{mso-style-name:"Balloon Text Char";
	mso-style-priority:99;
	mso-style-link:"Balloon Text";
	font-family:"Tahoma","sans-serif";}
.MsoChpDefault
	{mso-style-type:export-only;
	font-family:"Calibri","sans-serif";}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><a name=3D"_MailEndCompose"><span style=3D"font-size=
:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497=
D">Yep, happy to help with staring at captures.. its far more interesting t=
han &#8220;Strategy&#8221; whatever that means</span></a><span style=3D"fon=
t-size:11.0pt;font-family:Wingdings;color:#1F497D">J</span><span style=3D"f=
ont-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;colo=
r:#1F497D"><o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">As a general rule ( I say
<b>general</b> I know there are exceptions, styles and other such that engi=
neers use for IPAM) a /24 is the largest size network you should put end us=
er PC&#8217;s on.&nbsp; Especially given the chatty nature of Mac multicast=
/rendezvoux traffic, MS broadcast traffic etc
 etc it can result in a single packet being responded to by 100&#8217;s of =
machines that it was not ultimately destined for&#8230;.
<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">-rd<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span><=
/p>
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:&quot=
;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> Resnet F=
orum [mailto:RESNET-L@LISTSERV.ND.EDU]
<b>On Behalf Of </b>Chris Webster<br>
<b>Sent:</b> Thursday, May 03, 2012 11:04 AM<br>
<b>To:</b> RESNET-L@LISTSERV.ND.EDU<br>
<b>Subject:</b> Re: SOHO WiFi routers and residential networking<o:p></o:p>=
</span></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<p class=3D"MsoNormal">Packet captures are almost always useful in identify=
ing problems that can't be explained simply based on the symptoms (which it=
's why it's one of the first things network people look for). I'm happy to =
take a look at any captures you have,
 with the caveat that the problem might be totally over my head.<o:p></o:p>=
</p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<p class=3D"MsoNormal">/24 is CIDR notation meaning a block of 256 IP addre=
sses.&nbsp;Wikipedia link is the best I can do right now... I'll see if I c=
an come up with a better explanatory article later:&nbsp;<a href=3D"http://=
en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks">http=
://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks</a=
><o:p></o:p></p>
<div>
<p class=3D"MsoNormal"><br>
-Chris&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<p class=3D"MsoNormal">On Thu, May 3, 2012 at 1:49 PM, Crowe, Sheila &lt;<a=
 href=3D"mailto:sheila@montana.edu" target=3D"_blank">sheila@montana.edu</a=
>&gt; wrote:<o:p></o:p></p>
<p class=3D"MsoNormal">I'm sure that we have done packet captures, Adam...w=
ould it help to see those?<br>
<br>
Ryan, I'm not sure what you mean by subnets bigger than &quot;/24.&quot; &n=
bsp;(I'm gonna read the Eric Leahy paper at lunch). &nbsp;I'm learning a li=
ttle about networking along the way, aren't I?<br>
<br>
My plan for the responses from the RESNET-L is to combine the suggestions a=
nd questions and present them to the network guy for analysis and answers.<=
br>
<br>
Keep them coming! &nbsp;And thank you very much for sharing your expertise =
with me.<o:p></o:p></p>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><br>
Sheila Crowe<br>
Montana State University<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt">-----Original Message=
-----<br>
From: Resnet Forum [mailto:<a href=3D"mailto:RESNET-L@LISTSERV.ND.EDU">RESN=
ET-L@LISTSERV.ND.EDU</a>] On Behalf Of Brock, Adam<br>
Sent: Wednesday, May 02, 2012 9:24 PM<br>
To: <a href=3D"mailto:RESNET-L@LISTSERV.ND.EDU">RESNET-L@LISTSERV.ND.EDU</a=
><br>
Subject: Re: SOHO WiFi routers and residential networking<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt">Also, did anyone try =
getting a packet capture of the unicast traffic, or was that just a theory?=
<br>
Sent from my Brockberry.<br>
________________________________<br>
From: Ryan Dorman &lt;<a href=3D"mailto:Ryan.Dorman@blackboard.com">Ryan.Do=
rman@blackboard.com</a>&gt;<br>
Sender: Resnet Forum &lt;<a href=3D"mailto:RESNET-L@LISTSERV.ND.EDU">RESNET=
-L@LISTSERV.ND.EDU</a>&gt;<br>
Date: Wed, 2 May 2012 21:33:01 -0500<br>
To: <a href=3D"mailto:RESNET-L@LISTSERV.ND.EDU">RESNET-L@LISTSERV.ND.EDU</a=
>&lt;<a href=3D"mailto:RESNET-L@LISTSERV.ND.EDU">RESNET-L@LISTSERV.ND.EDU</=
a>&gt;<br>
ReplyTo: Resnet Forum &lt;<a href=3D"mailto:RESNET-L@LISTSERV.ND.EDU">RESNE=
T-L@LISTSERV.ND.EDU</a>&gt;<br>
Subject: Re: [RESNET-L] SOHO WiFi routers and residential networking<br>
<br>
My questions, slightly re-phrased:<br>
<br>
1. &nbsp; &nbsp; &nbsp; For those of you who have a similar network, do you=
 utilize either Storm Control or flood blocking? &nbsp;Why do you use one r=
ather than the other?<o:p></o:p></p>
</div>
<p class=3D"MsoNormal">a. &nbsp; &nbsp; &nbsp; We used storm control in the=
 dorms back in my day (ha ha ha)... it was one of our bandaid procedures fo=
r sasser/blaster (hence why I did not describe it as the good old days). &n=
bsp;It has advantage of dealing with multiple types of
 traffic, not just Unicast.<o:p></o:p></p>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><br>
b. &nbsp; &nbsp; &nbsp;This is a good article explaining the differences <a=
 href=3D"http://ericleahy.com/?p=3D611" target=3D"_blank">
http://ericleahy.com/?p=3D611</a><br>
<br>
<br>
<br>
2. &nbsp; &nbsp; &nbsp; Do you use some other measure to deal with unicast =
packet floods?<br>
<br>
a. &nbsp; &nbsp; &nbsp; No<br>
<br>
<br>
3. &nbsp; &nbsp; &nbsp; Considering the physical environment (single wired =
jacks), what do you feel is best practice when it comes to stopping unicast=
 packet floods?<br>
<br>
a. &nbsp; &nbsp; &nbsp; There are a couple things I would look at here more=
 from a design perspective then a flood protection angle<br>
<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp=
; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nb=
sp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; i. &nbsp=
; &nbsp; &nbsp;How big are your subnets? &nbsp;If they are huge (bigger the=
n /24) you're going to start running up against broadcast issues.<br>
<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp=
; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nb=
sp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ii. &nbsp; &nbs=
p; &nbsp;Have you considered Private VLAN's? &nbsp;Might help limit outages=
 to a smaller group of people<br>
<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp=
; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nb=
sp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;iii. &nbsp; &nbs=
p; &nbsp;Do you limit the number of MAC addresses on a single port?<br>
<br>
<o:p></o:p></p>
</div>
<p class=3D"MsoNormal">It surprises me that you are seeing unicast flooding=
 like this.. in campus environments, and even in datacenters I have found t=
hat that is relatively rare. &nbsp;Granted, I don't work in in reshalls any=
more and the nature of that traffic is
 different then here in sell-out world :) but I'd be interested to see trac=
es of who is flooding who and from what process etc etc...<o:p></o:p></p>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><br>
Ryan Dorman<br>
Director, Enterprise Technology Strategy Blackboard Inc.<br>
<br>
O: <a href=3D"tel:202.463.4860%20x2618">202.463.4860 x2618</a><br>
M: <a href=3D"tel:202.370.7889">202.370.7889</a><br>
<br>
From: Resnet Forum [mailto:<a href=3D"mailto:RESNET-L@LISTSERV.ND.EDU">RESN=
ET-L@LISTSERV.ND.EDU</a>] On Behalf Of Crowe, Sheila<br>
Sent: Tuesday, May 01, 2012 2:15 PM<br>
To: <a href=3D"mailto:RESNET-L@LISTSERV.ND.EDU">RESNET-L@LISTSERV.ND.EDU</a=
><br>
Subject: Re: SOHO WiFi routers and residential networking<br>
<br>
Thank you to Rand, Bruce and my hero, Adam Brock.<o:p></o:p></p>
</div>
<p class=3D"MsoNormal">A bit more detailed information to help all the Cisc=
o network guru types help me. &nbsp;To recap...<o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal"><br>
We have 2 housing areas: &nbsp;residence halls and family and graduate apar=
tments. &nbsp;Both areas have Cisco 2960 layer 2 switches and Cisco 3750 fi=
ber switches. &nbsp;In the residence halls we have one wired port per pillo=
w and almost ubiquitous wireless coverage via Aruba
 APs and a single controller. &nbsp;ResNet is charged as part of the room a=
nd board in the residence halls.<br>
<br>
We don't provide wireless coverage in family and graduate housing. &nbsp;Ou=
r family housing area was wired about 13 years ago and provided only one wi=
red jack per apartment; because of that, virtually every customer in family=
 housing uses a soho wireless router.
 &nbsp;Prior to our upgrade in June, we were using 3Com fiber switches and =
Cisco 2960 layer 2 switches, When we upgraded this section of our network (=
from 3Com fiber switches to Cisco 3750s), we immediately had a BIG problem =
with our network dropping in family housing;
 no problems in the res halls. &nbsp;Backwards soho routers were not the pr=
oblem because we use DHCP snooping. Prior to the upgrade, our network ran l=
ike a scalded cat in FGH. &nbsp;It was ultimately decided that the problem =
was caused by the larger concentration of
 SOHO wireless routers in that area producing unicast packet floods. &nbsp;=
Our team has discovered that Cisco switches have a feature called flood blo=
cking that will block unicast and multicast floods at the switchpor!<br>
&nbsp;t level. &nbsp;We are deploying this slowly. &nbsp;I am told that it =
is NOT Cisco's Storm Control.<br>
<br>
My questions, slightly re-phrased:<br>
<br>
1. &nbsp; &nbsp; &nbsp; For those of you who have a similar network, do you=
 utilize either Storm Control or flood blocking? &nbsp;Why do you use one r=
ather than the other?<br>
<br>
<br>
2. &nbsp; &nbsp; &nbsp; Do you use some other measure to deal with unicast =
packet floods?<br>
<br>
<br>
3. &nbsp; &nbsp; &nbsp; Considering the physical environment (single wired =
jacks), what do you feel is best practice when it comes to stopping unicast=
 packet floods?<br>
<br>
<br>
If you need more detail from me, please ask. &nbsp;Any information or feedb=
ack is appreciated. &nbsp;If you prefer, please feel free to contact me off=
-list.<br>
<br>
Thank you!<br>
Sheila Crowe<br>
MSU ResNet<br>
<a href=3D"mailto:sheila@montana.edu">sheila@montana.edu</a>&lt;mailto:<a h=
ref=3D"mailto:sheila@montana.edu">sheila@montana.edu</a>&gt;<br>
<br>
<br>
From: Resnet Forum [mailto:<a href=3D"mailto:RESNET-L@LISTSERV.ND.EDU">RESN=
ET-L@LISTSERV.ND.EDU</a>]&lt;mailto:[mailto:<a href=3D"mailto:RESNET-L@LIST=
SERV.ND.EDU">RESNET-L@LISTSERV.ND.EDU</a>]&gt; On Behalf Of Osborne, Bruce =
W<br>
Sent: Tuesday, May 01, 2012 5:48 AM<br>
To: <a href=3D"mailto:RESNET-L@LISTSERV.ND.EDU">RESNET-L@LISTSERV.ND.EDU</a=
>&lt;mailto:<a href=3D"mailto:RESNET-L@LISTSERV.ND.EDU">RESNET-L@LISTSERV.N=
D.EDU</a>&gt;<br>
Subject: Re: SOHO WiFi routers and residential networking<br>
<br>
That is only the port part of the configuration. There are some global sett=
ings too.<br>
<br>
Also, your switch uplink or the switch port with the DHCP server needs to b=
e trusted for this to function correctly. The three processes used here are=
 &quot;ARP inspection&quot;, &quot;DHCO snooping&quot;, and &quot;IP source=
 guard&quot;. The features can vary, depending on your model of
 switch.<br>
<br>
Here is one example of Cisco's documentation. This one is for 3550 switches. <a href="http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html" target="_blank">http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html</a><br>
<br>
<br>
Bruce Osborne<br>
Network Engineer<br>
IT Network Services<br>
<br>
<a href=3D"tel:%28434%29%20592-4229">(434) 592-4229</a><br>
<br>
LIBERTY UNIVERSITY<br>
Training Champions for Christ since 1971<br>
<br>
From: Hall, Rand [mailto:<a href="mailto:hallr@MERRIMACK.EDU">hallr@MERRIMACK.EDU</a>]<br>
Sent: Monday, April 30, 2012 12:39 PM<br>
Subject: Re: SOHO WiFi routers and residential networking<br>
<br>
Sheila,<br>
<br>
Good luck blocking rogues. :-) Your best bet is to hold to your commitment to providing service to the jack. To that you can add some basic best practice suggestions to people who want to try using a wireless router or bridge (enable encryption, negotiate channel selection with neighbors, etc).<br>
<br>
Your network folks will want to turn on DHCP Snooping. Sometimes a resident will plug a router in &quot;backwards&quot; and offer up DHCP leases to their neighbors--not a pretty sight. If they are new to Cisco they might appreciate a sample interface config for some ideas. Feel free to share:<br>
<br>
&nbsp;switchport access vlan xx<br>
&nbsp;switchport mode access<br>
&nbsp;switchport protected<br>
&nbsp;switchport port-security maximum 6<br>
&nbsp;switchport port-security<br>
&nbsp;switchport port-security aging time 1<br>
&nbsp;switchport port-security violation restrict<br>
&nbsp;switchport port-security aging type inactivity<br>
&nbsp;ip arp inspection limit rate 15 burst interval 10<br>
&nbsp;storm-control broadcast level pps 50 10<br>
&nbsp;storm-control multicast level pps 50 10<br>
&nbsp;spanning-tree portfast<br>
&nbsp;spanning-tree bpduguard enable<br>
&nbsp;ip verify source<br>
&nbsp;ip dhcp snooping limit rate 10<br>
<br>
<br>
Rand<br>
<br>
Rand P. Hall<br>
Director, Network Services &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;=
 &nbsp; askIT!<br>
Merrimack College<br>
<a href="tel:978-837-3532">978-837-3532</a><br>
<a href="mailto:rand.hall@merrimack.edu">rand.hall@merrimack.edu</a><br>
<br>
If I had an hour to save the world, I would spend 59 minutes defining the p=
roblem and one minute finding solutions. - Einstein<br>
<br>
On Fri, Apr 27, 2012 at 1:48 PM, Crowe, Sheila &lt;<a href="mailto:sheila@montana.edu">sheila@montana.edu</a>&gt; wrote:<br>
In early March, I participated in a thread started by Jeannie Abney about what other schools' policies are for residents bringing personal wireless routers onto your network. &nbsp;I added some questions pertaining to single family apartments (vs. residence halls) and got some great feedback. &nbsp;I would like to take it a step further and ask some more questions based on the type of network that we have.<br>
<br>
We have a Cisco network, a core at the origin of the commodity internet pipe, and a subnet for each of our buildings (really areas). &nbsp;In the residence halls we have a large Aruba wireless network installed so that every building is blanketed for secure wireless internet access. &nbsp; In the residence halls, ResNet is charged out to every resident regardless of whether they use it or not.<br>
<br>
We do not provide ubiquitous wireless coverage in family housing because ResNet is an opt-in service. Additionally, our family housing area was wired about 13 years ago and only provided one wired jack per apartment. As I'm sure you can imagine, virtually every customer in family housing has a soho wireless router. &nbsp;When we upgraded this section of our network (from 3Com switches to Cisco), we immediately had a BIG problem with our network dropping constantly. &nbsp;It was ultimately decided that it was the SOHO wireless routers causing the problem; namely, unicast packet floods through our Cisco switch ports. Only recently it was discovered that Cisco switches have a feature that will block unicast and multicast floods. &nbsp;We are deploying this slowly.<br>
<br>
Now for the questions. For those of you who have a similar network, do you employ this Cisco feature or do you simply block all &quot;rogue&quot; wireless connections? &nbsp;Or do you have another measure in place to deal with the unicast packet floods? &nbsp;Also, do your network engineers consider this a stopgap measure (&quot;band-aid&quot;) to deal with residences where you do not offer WiFi?<br>
<br>
Please do share all of the details about this issue (or non-issue) on your network as you know them. &nbsp;And thanks a million!<br>
<br>
Sheila Crowe<br>
Montana State University ResNet<br>
<a href="tel:406.994.4230">406.994.4230</a><br>
<a href="tel:406.209.7243">406.209.7243</a><br>
<br>
P.S. I'm hoping to see all of you at the 2012 Student Technology Conference at Claremont Colleges!<br>
<br>
___________________________________________________ You are subscribed to t=
he ResNet-L mailing list.<br>
<br>
To subscribe, unsubscribe or search the archives, go to <a href=3D"http://L=
ISTSERV.ND.EDU/archives/resnet-l.html" target=3D"_blank">
http://LISTSERV.ND.EDU/archives/resnet-l.html</a> _________________________=
__________________________<br>
<br>
<br>
This email and any attachments may contain confidential and proprietary inf=
ormation of Blackboard that is for the sole use of the intended recipient. =
If you are not the intended recipient, disclosure, copying, re-distribution=
 or other use of any of this information
 is strictly prohibited. Please immediately notify the sender and delete th=
is transmission if you received this email in error.<br>
<o:p></o:p></p>
</div>
</div>
</div>
<p class=3D"MsoNormal">-- <br>
Chris Webster<br>
Senior Technician<br>
OIT Walk-in Center<br>
North Carolina State University<br>
<br>
Ph: 919.513.2676<br>
Fax: 919.513.2945<br>
Email: <a href="mailto:chris.webster@ncsu.edu" target="_blank">chris.webster@ncsu.edu</a><br>
Web: <a href="http://go.ncsu.edu/wic/" target="_blank">http://go.ncsu.edu/wic/</a><o:p></o:p></p>
</div>
</div>
<br>
</body>
</html>

--_000_D9D0C3D6A031FD41B81047D41FDC129D0BCD6FDD89DCEX07bbbbnet_--
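The quoted thread notes that the shared port-level commands only work when the global settings exist and the uplink (or DHCP server port) is trusted. The following is an added example, not code from any poster: a small audit that checks an IOS-style config for those prerequisites. The sample config, VLAN ids, interface names and function names are constructed assumptions.

```python
import re
# Constructed sample (not from the thread); VLAN ids and port names are assumptions.
BROKEN = """\
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
interface GigabitEthernet0/1
 switchport access vlan 10
 ip verify source
interface GigabitEthernet0/2
 switchport access vlan 20
 ip verify source
interface GigabitEthernet0/24
 switchport mode trunk
"""
FIXED = BROKEN + " ip dhcp snooping trust\n ip arp inspection trust\n"  # uplink trusted

def parse(config):
    """Return (global lines, {interface: [commands]}) from IOS-style text."""
    glob, ifaces = [], {}
    cur = glob
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = ifaces.setdefault(raw.split()[1], [])
        elif raw.strip(" !"):  # skip blank lines and '!' separators
            cur = cur if raw.startswith(" ") else glob
            cur.append(raw.strip())
    return glob, ifaces

def vlans(glob, prefix):
    """Expand e.g. 'ip dhcp snooping vlan 10,20-22' into {10, 20, 21, 22}."""
    spans = re.findall(r"(\d+)(?:-(\d+))?", ",".join(
        l[len(prefix):] for l in glob if re.fullmatch(re.escape(prefix) + r" [\d,-]+", l)))
    return {v for lo, hi in spans for v in range(int(lo), int(hi or lo) + 1)}

def audit(config):
    """Flag port protections whose global or trust prerequisites are missing."""
    glob, ifaces = parse(config)
    snoop = vlans(glob, "ip dhcp snooping vlan") if "ip dhcp snooping" in glob else set()
    dai = vlans(glob, "ip arp inspection vlan")
    out = [f"VLAN {v}: ARP inspection without DHCP snooping" for v in sorted(dai - snoop)]
    for feature, active in (("ip dhcp snooping", snoop), ("ip arp inspection", dai)):
        if active and not any(f"{feature} trust" in cmds for cmds in ifaces.values()):
            out.append(f"no port is configured with '{feature} trust'")
    for name, cmds in ifaces.items():
        hit = re.search(r"^switchport access vlan (\d+)$", "\n".join(cmds), re.M)
        vlan = int(hit[1]) if hit else 1  # IOS access ports default to VLAN 1
        if any(c.startswith("ip verify source") for c in cmds) and vlan not in snoop:
            out.append(f"{name}: ip verify source but no DHCP snooping on VLAN {vlan}")
    return out
```

`audit(BROKEN)` reports the missing trust on both features plus the VLAN 20 port; `audit(FIXED)` still reports the VLAN 20 port, because IP source guard has no snooping bindings to match there.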
