[27623] in resnet


Re: SOHO WiFi routers and residential networking

daemon@ATHENA.MIT.EDU (Joe Roth)
Fri May 4 09:15:10 2012

Message-ID:  <CAOjAW60vktKMeWetv-z0QH7G7e04uVyHn16vaXXMp=7Z=G_Pbw@mail.gmail.com>
Date:         Fri, 4 May 2012 09:12:51 -0400
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Joe Roth <jroth@binghamton.edu>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  <D0A43E8CC19B144398DFEC438095CB180E39DE0E82@EXCMS.msu.montana.edu>


Sheila,

I am sure that we are probably running some of the same model Cisco
switches as you - we have used the 3750G-12S fiber switch for years and
just replaced some of them with 3560E-12D's, however we have never used the
flood block feature, but we have seen issues with unicast floods caused by
network configuration. Have them take a look at the ARP timeout on the
router(s) and the aging time on the mac address tables on the switches. I
am not sure about the size of your network, but are any of the mac address
tables on the switches filling up? This can cause erratic behavior. I am
not sure if they have ever looked at changing the SDM templates on any of
the switches, but here is a guide on that
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00801e7bb9.shtml,
it can help optimize the switches depending on how they are using them.

HTH, these erratic types of problems are usually the hardest to solve
IMO.....

On Thu, May 3, 2012 at 1:49 PM, Crowe, Sheila <sheila@montana.edu> wrote:

> I'm sure that we have done packet captures, Adam...would it help to see
> those?
>
> Ryan, I'm not sure what you mean by subnets bigger than "/24."  (I'm gonna
> read the Eric Leahy paper at lunch).  I'm learning a little about
> networking along the way, aren't I?
>
> My plan for the responses from the RESNET-L is to combine the suggestions
> and questions and present them to the network guy for analysis and answers.
>
> Keep them coming!  And thank you very much for sharing your expertise with
> me.
>
> Sheila Crowe
> Montana State University
>
> -----Original Message-----
> From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Brock,
> Adam
> Sent: Wednesday, May 02, 2012 9:24 PM
> To: RESNET-L@LISTSERV.ND.EDU
> Subject: Re: SOHO WiFi routers and residential networking
>
> Also, did anyone try getting a packet capture of the unicast traffic, or
> was that just a theory?
> Sent from my Brockberry.
> ________________________________
> From: Ryan Dorman <Ryan.Dorman@blackboard.com>
> Sender: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
> Date: Wed, 2 May 2012 21:33:01 -0500
> To: RESNET-L@LISTSERV.ND.EDU
> ReplyTo: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
> Subject: Re: [RESNET-L] SOHO WiFi routers and residential networking
>
> My questions, slightly re-phrased:
>
> 1.       For those of you who have a similar network, do you utilize
> either Storm Control or flood blocking?  Why do you use one rather than the
> other?
>
> a.       We used storm control in the dorms back in my day (ha ha ha)...
> it was one of our band-aid procedures for sasser/blaster (hence why I did
> not describe it as the good old days).  It has the advantage of dealing with
> multiple types of traffic, not just unicast.
>
> b.      This is a good article explaining the differences
> http://ericleahy.com/?p=611
>
>
>
> 2.       Do you use some other measure to deal with unicast packet floods?
>
> a.       No
>
>
> 3.       Considering the physical environment (single wired jacks), what
> do you feel is best practice when it comes to stopping unicast packet
> floods?
>
> a.       There are a couple things I would look at here more from a design
> perspective than a flood protection angle
>
>          i.      How big are your subnets?  If they are huge (bigger than
>                  /24) you're going to start running up against broadcast
>                  issues.
>
>          ii.     Have you considered Private VLANs?  Might help limit
>                  outages to a smaller group of people
>
>          iii.    Do you limit the number of MAC addresses on a single port?
>
>
> It surprises me that you are seeing unicast flooding like this.. in campus
> environments, and even in datacenters I have found that that is relatively
> rare.  Granted, I don't work in reshalls anymore and the nature of that
> traffic is different than here in sell-out world :) but I'd be interested
> to see traces of who is flooding who and from what process etc etc...
>
> Ryan Dorman
> Director, Enterprise Technology Strategy Blackboard Inc.
>
> O: 202.463.4860 x2618
> M: 202.370.7889
>
> From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Crowe,
> Sheila
> Sent: Tuesday, May 01, 2012 2:15 PM
> To: RESNET-L@LISTSERV.ND.EDU
> Subject: Re: SOHO WiFi routers and residential networking
>
> Thank you to Rand, Bruce and my hero, Adam Brock.
>
> A bit more detailed information to help all the Cisco network guru types
> help me.  To recap...
>
> We have 2 housing areas:  residence halls and family and graduate
> apartments.  Both areas have Cisco 2960 layer 2 switches and Cisco 3750
> fiber switches.  In the residence halls we have one wired port per pillow
> and almost ubiquitous wireless coverage via Aruba APs and a single
> controller.  ResNet is charged as part of the room and board in the
> residence halls.
>
> We don't provide wireless coverage in family and graduate housing.  Our
> family housing area was wired about 13 years ago and provided only one
> wired jack per apartment; because of that, virtually every customer in
> family housing uses a soho wireless router.  Prior to our upgrade in June,
> we were using 3Com fiber switches and Cisco 2960 layer 2 switches. When we
> upgraded this section of our network (from 3Com fiber switches to Cisco
> 3750s), we immediately had a BIG problem with our network dropping in
> family housing; no problems in the res halls.  Backwards soho routers were
> not the problem because we use DHCP snooping. Prior to the upgrade, our
> network ran like a scalded cat in FGH.  It was ultimately decided that the
> problem was caused by the larger concentration of SOHO wireless routers in
> that area producing unicast packet floods.  Our team has discovered that
> Cisco switches have a feature called flood blocking that will block unicast
> and multicast floods at the switchport level.  We are deploying this slowly.
> I am told that it is NOT Cisco's Storm Control.
>
> My questions, slightly re-phrased:
>
> 1.       For those of you who have a similar network, do you utilize
> either Storm Control or flood blocking?  Why do you use one rather than the
> other?
>
>
> 2.       Do you use some other measure to deal with unicast packet floods?
>
>
> 3.       Considering the physical environment (single wired jacks), what
> do you feel is best practice when it comes to stopping unicast packet
> floods?
>
>
> If you need more detail from me, please ask.  Any information or feedback
> is appreciated.  If you prefer, please feel free to contact me off-list.
>
> Thank you!
> Sheila Crowe
> MSU ResNet
> sheila@montana.edu
>
>
> From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Osborne, Bruce W
> Sent: Tuesday, May 01, 2012 5:48 AM
> To: RESNET-L@LISTSERV.ND.EDU
> Subject: Re: SOHO WiFi routers and residential networking
>
> That is only the port part of the configuration. There are some global
> settings too.
>
> Also, your switch uplink or the switch port with the DHCP server needs to
> be trusted for this to function correctly. The three processes used here
> are "ARP inspection", "DHCP snooping", and "IP source guard". The features
> can vary, depending on your model of switch.
>
> Here is one example of Cisco's documentation. This one is for 3550
> switches.
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html
>
>
> Bruce Osborne
> Network Engineer
> IT Network Services
>
> (434) 592-4229
>
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>
> From: Hall, Rand [mailto:hallr@MERRIMACK.EDU]
> Sent: Monday, April 30, 2012 12:39 PM
> Subject: Re: SOHO WiFi routers and residential networking
>
> Sheila,
>
> Good luck blocking rogues. :-) Your best bet is to hold to your commitment
> to providing service to the jack. To that you can add some basic best
> practice suggestions to people who want to try using a wireless router or
> bridge (enable encryption, negotiate channel selection with neighbors, etc).
>
> Your network folks will want to turn on DHCP Snooping. Sometimes a
> resident will plug a router in "backwards" and offer up DHCP leases to
> their neighbors--not a pretty sight. If they are new to Cisco they might
> appreciate a sample interface config for some ideas. Feel free to share:
>
>  switchport access vlan xx
>  switchport mode access
>  switchport protected
>  switchport port-security maximum 6
>  switchport port-security
>  switchport port-security aging time 1
>  switchport port-security violation restrict
>  switchport port-security aging type inactivity
>  ip arp inspection limit rate 15 burst interval 10
>  storm-control broadcast level pps 50 10
>  storm-control multicast level pps 50 10
>  spanning-tree portfast
>  spanning-tree bpduguard enable
>  ip verify source
>  ip dhcp snooping limit rate 10
>
>
> Rand
>
> Rand P. Hall
> Director, Network Services                 askIT!
> Merrimack College
> 978-837-3532
> rand.hall@merrimack.edu
>
> If I had an hour to save the world, I would spend 59 minutes defining the
> problem and one minute finding solutions. - Einstein
>
> On Fri, Apr 27, 2012 at 1:48 PM, Crowe, Sheila <sheila@montana.edu> wrote:
> In early March, I participated in a thread started by Jeannie Abney about
> what other schools' policies are for residents bringing personal wireless
> routers onto your network.  I added some questions pertaining to single
> family apartments (vs. residence halls) and got some great feedback.  I
> would like to take it a step further and ask some more questions based on
> the type of network that we have.
>
> We have a Cisco network, a core at the origin of the commodity internet
> pipe, and a subnet for each of our buildings (really areas).  In the
> residence halls we have a large Aruba wireless network installed so that
> every building is blanketed for secure wireless internet access.   In the
> residence halls, ResNet is charged out to every resident regardless of
> whether they use it or not.
>
> We do not provide ubiquitous wireless coverage in family housing because
> ResNet is an opt-in service. Additionally, our family housing area was
> wired about 13 years ago and only provided one wired jack per apartment. As
> I'm sure you can imagine, virtually every customer in family housing has a
> soho wireless router.  When we upgraded this section of our network (from
> 3Com switches to Cisco), we immediately had a BIG problem with our network
> dropping constantly.  It was ultimately decided that it was the SOHO
> wireless routers causing the problem; namely, unicast packet floods through
> our Cisco switch ports. Only recently it was discovered that Cisco switches
> have a feature that will block unicast and multicast floods.  We are
> deploying this slowly.
>
> Now for the questions. For those of you who have a similar network, do you
> employ this Cisco feature or do you simply block all "rogue" wireless
> connections?  Or do you have another measure in place to deal with the
> unicast packet floods?  Also, do your network engineers consider this a
> stopgap measure ("band-aid") to deal with residences where you do not offer
> WiFi?
>
> Please do share all of the details about this issue (or non-issue) on your
> network as you know them.  And thanks a million!
>
> Sheila Crowe
> Montana State University ResNet
> 406.994.4230
> 406.209.7243
>
> P.S. I'm hoping to see all of you at the 2012 Student Technology
> Conference at Claremont Colleges!
>
> ___________________________________________________
> You are subscribed to the ResNet-L mailing list.
>
> To subscribe, unsubscribe or search the archives, go to
> http://LISTSERV.ND.EDU/archives/resnet-l.html
> ___________________________________________________
> This email and any attachments may contain confidential and proprietary
> information of Blackboard that is for the sole use of the intended
> recipient. If you are not the intended recipient, disclosure, copying,
> re-distribution or other use of any of this information is strictly
> prohibited. Please immediately notify the sender and delete this
> transmission if you received this email in error.


-- 
Joe Roth
Networking Group
Binghamton University
Ph. 607-777-7528
Fax 607-777-4009
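
An added example, not code from any poster in this thread: a small Python audit that runs the checks suggested above (ARP timeout versus MAC address-table aging time, the global DHCP snooping / ARP inspection settings, trusted uplinks, and a subset of the per-port commands from the quoted sample interface config) over IOS-style configuration text. It assumes the Cisco IOS defaults of 14400 s for the ARP timeout and 300 s for MAC aging when nothing is configured, treats trunk ports as uplinks, and uses constructed sample configs.

```python
import re

# Cisco IOS defaults (seconds), assumed when a config sets no explicit value.
DEFAULT_ARP_TIMEOUT = 14400
DEFAULT_MAC_AGING = 300

# Subset of the per-port commands from the sample interface config in this thread.
PORT_BASELINE = [
    "switchport port-security maximum",
    "ip arp inspection limit rate",
    "storm-control broadcast level",
    "storm-control multicast level",
    "spanning-tree bpduguard enable",
    "ip verify source",
    "ip dhcp snooping limit rate",
]
# Global settings the per-port commands depend on.
GLOBAL_BASELINE = ["ip dhcp snooping vlan", "ip arp inspection vlan"]

# Constructed sample input (not taken from any network discussed in the thread).
SAMPLE_ROUTER_CFG = """
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
"""
SAMPLE_SWITCH_CFG = """
ip dhcp snooping
ip dhcp snooping vlan 20
!
interface GigabitEthernet1/0/1
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 6
 switchport port-security
 ip arp inspection limit rate 15 burst interval 10
 storm-control broadcast level pps 50 10
 storm-control multicast level pps 50 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/2
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/25
 switchport mode trunk
"""


def parse_config(text):
    """Return (global_lines, {interface_name: [stanza lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def _seconds(lines, pattern, default):
    """First integer captured by pattern in lines, else the default."""
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            return int(m.group(1))
    return default


def _missing(lines, baseline):
    return [cmd for cmd in baseline if not any(l.startswith(cmd) for l in lines)]


def audit(router_cfg, switch_cfg):
    """Audit a router config and a switch config; return a dict of findings."""
    _, l3_ifs = parse_config(router_cfg)
    sw_global, sw_ifs = parse_config(switch_cfg)
    # Per-VLAN aging overrides are ignored; only the global timer is read.
    mac_aging = _seconds(sw_global, r"mac[ -]address-table aging-time (\d+)",
                         DEFAULT_MAC_AGING)
    report = {"timers": [], "global": _missing(sw_global, GLOBAL_BASELINE),
              "ports": {}, "untrusted_uplinks": []}
    # An ARP entry that outlives the switch's MAC entry lets the router keep
    # sending to a MAC the switch has forgotten; the switch floods those frames.
    for name, lines in l3_ifs.items():
        if not any(l.startswith("ip address ") for l in lines):
            continue
        arp = _seconds(lines, r"arp timeout (\d+)", DEFAULT_ARP_TIMEOUT)
        if mac_aging and arp > mac_aging:  # aging-time 0 disables aging
            report["timers"].append((name, arp, mac_aging))
    for name, lines in sw_ifs.items():
        if "switchport mode access" in lines:
            missing = _missing(lines, PORT_BASELINE)
            if "switchport port-security" not in lines:  # bare enable command
                missing.insert(0, "switchport port-security")
            if missing:
                report["ports"][name] = missing
        elif "switchport mode trunk" in lines and "ip dhcp snooping trust" not in lines:
            report["untrusted_uplinks"].append(name)
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ROUTER_CFG, SAMPLE_SWITCH_CFG).items():
        print(key, value)
```

A non-empty `timers` entry is the configuration-caused unicast flooding case: either lower the ARP timeout on the listed interface or raise the MAC aging time so the two agree.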
