RE: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread David Gillett
  I actually use a handful of NetGear 614v6's in this fashion as
cheap temporary APs for special events.  At $40 apiece, it's not 
a huge tragedy if one gets lost.
  I have a similar unit from "AirLink 101", which I cannot use
in the same way, precisely because turning off the built-in DHCP
server doesn't work.  On the NetGears, it works fine.  (I only
ever put these on the VLAN screened by our BlueSocket captive
portal.)

  The NetGears *do* try to get the current time via NTP back to a
server run by NetGear, so it's easy to watch for *that* traffic and 
so detect any others that show up unexpectedly.

David Gillett


> -----Original Message-----
> From: Frank Bulk [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 12, 2007 2:10 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [WIRELESS-LAN] Rogue AP's
> 
> Right, but if they do that the AP will be responding to DHCP 
> requests, and
> *that* will be something that can be found.
> 
> Frank
> 
> -----Original Message-----
> From: Bruce Curtis [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 12, 2007 2:55 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [WIRELESS-LAN] Rogue AP's
> 
> On Apr 12, 2007, at 1:21 PM, Frank Bulk wrote:
> 
> >
> >
> > FB> Bridge APs, as mentioned earlier, can be nearly invisible.   
> > Fortunately, they aren't very popular in retail stores.
> 
> 
>It's usually easy to use the NAT-box/AP combos as a Bridge 
> AP.  If students understand how they work and don't simply 
> follow the instructions that come with the units they can use 
> a NAT-box/AP as a Bridge AP.
> 
> ---
> Bruce Curtis [EMAIL PROTECTED]
> Certified NetAnalyst II    701-231-8527
> North Dakota State University
> 
> **
> Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> 
> 
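
The two wired-side checks raised in this message (a consumer AP answering DHCP requests, and a consumer AP's NTP queries to its vendor's time server) can be run over sensor captures as in the following added example, which is not part of any poster's message. All addresses, MACs and the watched NTP address are constructed placeholders, and the tuple formats for frames and flows are assumptions.

```python
import socket
import struct

AUTHORIZED_DHCP = {"10.20.0.2"}            # assumption: the campus DHCP server
WATCHED_NTP = {"192.0.2.123"}              # placeholder for a vendor-run NTP server
KNOWN_EVENT_APS = {"02:00:00:aa:00:01"}    # units deliberately deployed by staff
DHCP_MAGIC = b"\x63\x82\x53\x63"
SERVER_REPLIES = {2: "OFFER", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload):
    """Parse a BOOTP/DHCP UDP payload; return None if malformed or truncated."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                               # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:                     # option runs past the packet
            return None
        opts[code] = data
        i += 2 + length
    msg_type = opts[53][0] if len(opts.get(53, b"")) == 1 else None
    server_id = socket.inet_ntoa(opts[54]) if len(opts.get(54, b"")) == 4 else None
    return {"op": payload[0], "type": msg_type, "server_id": server_id,
            "yiaddr": socket.inet_ntoa(payload[16:20])}


def find_rogue_dhcp(frames):
    """frames: (src_mac, src_ip, udp_payload). Map MAC -> replies it sent as an
    unauthorized DHCP server."""
    rogues = {}
    for src_mac, src_ip, payload in frames:
        msg = parse_dhcp(payload)
        if not msg or msg["op"] != 2 or msg["type"] not in SERVER_REPLIES:
            continue                                # not a server-to-client reply
        server = msg["server_id"] or src_ip
        if server not in AUTHORIZED_DHCP:
            rogues.setdefault(src_mac, set()).add(
                (server, SERVER_REPLIES[msg["type"]], msg["yiaddr"]))
    return rogues


def find_unexpected_ntp(flows):
    """flows: (src_mac, dst_ip, dst_port). MACs that query a watched vendor NTP
    server and are not in the inventory of deliberately deployed units."""
    return sorted({mac for mac, dst_ip, dst_port in flows
                   if dst_port == 123 and dst_ip in WATCHED_NTP
                   and mac not in KNOWN_EVENT_APS})


def build_reply(msg_type, server_ip, yiaddr):
    """Construct a minimal DHCP server reply for the sample data below."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234ABCD, 0, 0,
                        bytes(4), socket.inet_aton(yiaddr),
                        socket.inet_aton(server_ip), bytes(4), bytes(16), b"", b"")
    options = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
    return fixed + DHCP_MAGIC + options


# Constructed sample captures (not real traffic).
TRUNCATED = build_reply(2, "192.168.1.1", "192.168.1.3")[:-3]
SAMPLE_FRAMES = [
    ("02:00:00:00:10:02", "10.20.0.2", build_reply(2, "10.20.0.2", "10.20.5.17")),
    ("02:00:00:bb:00:07", "192.168.1.1", build_reply(2, "192.168.1.1", "192.168.1.2")),
    ("02:00:00:bb:00:07", "192.168.1.1", build_reply(5, "192.168.1.1", "192.168.1.2")),
    ("02:00:00:cc:00:09", "192.168.1.1", TRUNCATED),   # damaged capture, ignored
]
SAMPLE_FLOWS = [
    ("02:00:00:aa:00:01", "192.0.2.123", 123),   # known event AP, expected
    ("02:00:00:bb:00:07", "192.0.2.123", 123),   # same vendor behaviour, not in inventory
    ("02:00:00:dd:00:03", "10.20.0.5", 123),     # client using the campus NTP server
    ("02:00:00:bb:00:07", "192.0.2.123", 80),    # not NTP
]

if __name__ == "__main__":
    for mac, replies in find_rogue_dhcp(SAMPLE_FRAMES).items():
        print("unauthorized DHCP server", mac, sorted(replies))
    print("unexpected vendor NTP clients", find_unexpected_ntp(SAMPLE_FLOWS))
```

A sensor only sees DHCP replies that reach its VLAN, so the check has to run in every VLAN where a rogue could be plugged in.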



RE: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread Emerson Parker
Couple of comments / questions..
 
If you have a valid AP that is capable of scanning other channels for
rogues, it can take 5-7 minutes to find the rogue if there is minimal
traffic on the device.  This is a simple factor of the scan interval and
channel dwell time.  
 
FB> It would frighten me if it actually took a WLAN infrastructure
vendor 5-7 minutes to find a rogue AP, even if their 'sensor' was an AP
acting in both modes.  Most of the WIDPS vendors identified rogues in
seconds, with Network Chemistry and AirTight generally being the
fastest.  AirMagnet can have a several-minute delay depending on when
the sensor submits its batch to the server.
 
>>> If there is no traffic on the AP, you can't guarantee that the AP is
on the LAN.  You will see the AP "immediately" but you cannot make a
positive determination that it's connected until there is traffic.
That's all I'm saying.  In mixed mode, you can only stay off channel for
a brief amount of time.
 
 
 These scanning intervals are generally configurable. For instance, you
can configure scanning to occur every x seconds and for x amount of
milliseconds.  Vendors should have the ability to not go off-channel and
stop scanning if there are certain types of traffic present on the AP's
set channel (extended ACL, VoIP, gold queue, etc).
 
FB> It would be ideal if WLAN customers didn't have to worry about it.
Most of the time defaults are OK.  It's true that time-sensitive
wireless traffic can be affected by the scan settings, and WLAN vendors
are doing a better job of mitigating and working around that, but it's
still not perfect.
 
>>>Defaults are usually good but I do like control..
 
Finding a rogue:
 
So let's say an AP that is serving clients is on channel 1 and during the
scan interval, they found a rogue on channel 13 (people try to hide
rogues on international channels).
 
What do you want the AP to do?  If you disassociate clients attached to
the rogue over the air, this takes time away from the users being served
on channel 1.  A rogue AP can act as a DoS attack on valid APs.  The
valid AP is spending all of its time deauthing and not serving clients.
 
This too should be a configurable option.  Killing rogues at the expense
of valid clients, or kill the rogues during your scan interval.  If a
rogue comes up on channel 1, the AP can easily kill the rogue and
continue serving its clients but that is rarely the case!
 
Dedicated rogue killers:
 
If you have a few dedicated APs acting as rogue killers, then you can
happily kill rogues all day and do all kinds of other kool stuff.  A
rogue killer AP only needs to hear and txmit at the 1-2mbps range to
kill rogues over vast distances so you can spread them out thin. 
 
FB> At the end of the day, if you want best in class capabilities you
need to set aside units to act solely as sensors or air monitors.
 
LAN based rogue killing:
 
Some Wireless infrastructure can kill rogues from the LAN by looking at
MAC forwarding tables and shutting down ports on a switch.  Some vendors
will do an ARP-poison attack  in conjunction with what is going on out
in the air.. 
 
FB> Bridge APs, as mentioned earlier, can be nearly invisible.
Fortunately, they aren't very popular in retail stores.  
 
 What do you mean by bridge APs?  Something that is NATting?  (Those
can be detected pretty easily actually... )
 
Conclusion:  If you have some dedicated resources (APs) to kill rogues,
do it.



From: ktaillon [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:54 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's


Will you be using the Containment option in the WCS? Or hunting down the
units and removing them from the Network. Could someone point out some
of the pros and cons to using containment..
 



From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:40 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's


With wireless rolling out on a much larger scale on our campus, we are
revising our policy and attitude to be a bit more restrictive in both
philosophy and practice when it comes to UNCOORDINATED rogues... We are
also taking a stab at coordinating not just APs, but also ANY wireless
system- classroom response systems, wireless AV, etc.- trying to keep
the environment somewhat under control as more wireless technologies
hit. Not always restrictive per se, but more coordinated.
 
Lee H. Badman
Wireless/Network Engineer
KC2IYK, CWNA/CWSP
Information Technology and Services
Syracuse University
315 443-3003


From: M. Sjulstad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's
 
We too have the policy of no rogues, but I admit I don't go looking for
them.  I know we have them, probably a lot more than I know of, but as
long as they aren't causing problems, I don't really care.   Worst
thin

RE: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread David Gillett
  Our AUP revolves around a core principle that users are prohibited from
interfering with the intended purpose of resources.  So we tend to assume
that unauthorized use of wi-fi spectrum is, sooner or later, going to
conflict with authorized use.
 
  Backing that up are two lesser elements:  We do not yet have 802.1X
deployed, so (unsecured) rogues are often jacked into ports on trusted
VLANs, and we generally don't allow people to plug "network equipment" into
our network without clearing it with the Networks team first.
 
  The upshot is that if we find a rogue, it's cut off from the network.  And
if it's not in a private office, it can be retrieved from the campus police
lost-and-found (first offence; we will have recorded the serial number and
MAC address, and have asked the police to record the identity of anyone so
retrieving a device).
 
David Gillett
 


  _  

From: Brian J David [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 7:34 AM
To: [EMAIL PROTECTED]
Subject: [WIRELESS-LAN] Rogue AP's



I just wanted to hear from other schools on what they are doing about
Rogues. Is your policy not to allow them but don't do too much to prevent
them. 

Do you let the dorms be the wild wild west? Or are you actively finding them
and removing them through one means or another. We are an Aruba networks
shop

and have some great capabilities for Rogue detection and prevention and
wanted to get a feel what other schools process is concerning them. Also any
horror stories that you would like to share?

 

Brian J David

Network Systems Engineer

Boston College

 



RE: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread Frank Bulk
Right, but if they do that the AP will be responding to DHCP requests, and
*that* will be something that can be found.

Frank

-----Original Message-----
From: Bruce Curtis [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 2:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's

On Apr 12, 2007, at 1:21 PM, Frank Bulk wrote:

>
>
> FB> Bridge APs, as mentioned earlier, can be nearly invisible.   
> Fortunately, they aren't very popular in retail stores.


   It's usually easy to use the NAT-box/AP combos as a Bridge AP.  If  
students understand how they work and don't simply follow the  
instructions that come with the units they can use a NAT-box/AP as a  
Bridge AP.

---
Bruce Curtis [EMAIL PROTECTED]
Certified NetAnalyst II    701-231-8527
North Dakota State University



Re: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread Bruce Curtis

On Apr 12, 2007, at 1:21 PM, Frank Bulk wrote:




FB> Bridge APs, as mentioned earlier, can be nearly invisible.   
Fortunately, they aren't very popular in retail stores.



  It's usually easy to use the NAT-box/AP combos as a Bridge AP.  If  
students understand how they work and don't simply follow the  
instructions that come with the units they can use a NAT-box/AP as a  
Bridge AP.


---
Bruce Curtis [EMAIL PROTECTED]
Certified NetAnalyst II    701-231-8527
North Dakota State University



RE: [WIRELESS-LAN] Re : microcell vs virtual cell

2007-04-12 Thread Frank Bulk
Thanks for your posting.
 
The packet traces of both Cisco and Meru are downloadable here:
http://i.cmpnet.com/NetworkComputing/design06/downloads/mobile/captures.zip
 
A couple of months ago I exported the traces into a text file, extracted the
duration value, and built histograms of them and compared them between Cisco
and Meru.  While there were differences, nothing really jumped out at me.  I
also spent some time reading the 802.11-1999 specification and dug in to the
duration value descriptions.  There's not a static calculation to derive the
duration value -- there are dynamic things going on in the air that will
feed into the AP assigning it a certain value.  I don't think it's possible
to take the trace file and say that the values should have been definitively
this, that, or another.  The Meru values didn't seem grossly off-base.
 
Russ' example test case about co-locating three microcell APs on different,
non-overlapping channels and comparing that to three virtual cell APs on the
same channel will likely prove that the microcells will win in that
scenario.  What Meru and Extricom are saying (and even Xirrus) is that
performance drop due to co-channel interference of neighboring APs in a
microcell configuration is bad enough that you're almost reducing it to a
single-channel configuration, but with all the additional backoffs and
retries.  I don't think we should under-estimate the negative effect of
co-channel interference in micro-cell architectures where there are high
throughput and wireless QoS demands.  Again, it won't be an issue in
low-volume wireless networks, but I think it will be exacerbated as your
students drive the traffic volumes up.
 
Frank

  _  

From: Russ Leathe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 9:54 AM
To: [EMAIL PROTECTED]
Subject: [WIRELESS-LAN] Re : microcell vs virtual cell


Hi Everyone,
 
Just wanted to weigh in on this conversation.
 
We went through this same process at Gordon College about 4 years ago.  We
looked at Meru, Trapeze, AirSpace and Aruba.  During this process, there
were no independent studies or analysis of anyone's product.
 
Gordon College pilots any new technology.  Our pilots run between 30-60
days.  
 
We also rely on analysis by Network Computing, Gartner and Tolly.
Typically, they do a very good, unbiased review of products and technology.
 
Next we look at the company and the amount of $$ they spend on R&D, patent
ownership and whether or not they have engineers or a presence on standards
committees. It's the standards that really catch my eye.  Hopefully, if
they conform, then I have positioned myself and the institution for the
future.  If not, then the trouble begins.
 
Needless to say, we chose Alcatel/Aruba.  They conform to standards.  So
far, we have rolled out WifiVOIP, Multicast (video/audio), wifi VPN,
seamless roaming.  It all works.  
 
I read the article regarding Network Computing analysis of CISCO vs. Meru.
Honestly, they did a very thorough job.   What I got out of the article was
that indeed Meru was/is tweaking the 802.11 duration value.  To me, this is
a red flag.  This means they are not conforming to standards.  Has Meru
responded to Network World or their customers?  Seems to me if this wasn't
true, there would be lawsuits or at least a rebuttal.  Here's one of the
engineers' e-mail address, [EMAIL PROTECTED]  I would contact him and ask the
question.
 
Anyway, let's get back to testing or piloting technology.
 
By virtual cell vs traditional micro-cell WiFi I assume you are talking
about having multiple access points advertise the same BSSID on the same
channel. Virtual cell appears to clients as a single access point. In this
definition virtual cell would result in more clients contending for the
given channel within a larger coverage area.

Contention in WiFi is generally managed by CSMA/CA (collision avoidance). CA
is used instead of CD (collision detection) because clients are sometimes
not within range of other clients. You can create virtual-contention to go
with the virtual-cells by tweaking access point timers to be shorter than
client timers, but the single channel or access point bandwidth is fixed. 

You raise a very good question about the data/analysis since the number of
vendors promoting such concepts is very limited. 

Place 3 micro-cell access points on 3 different channels in a coverage area.
Associate 3 clients 1 per access point. Measure. Place 3 virtual-cell access
points on same channel in same coverage area.

Associate 3 clients. Measure. 

Be sure to take bi-directional measurements with simultaneous TX/RX to
experience the half-duplex nature of WiFi radio. I am confident you will
push more packets over 3 channels than 1. Be sure to power-off the system
you are not testing. Shorting timers or counters by one system can adversely
impact other client and access point devices even with only background
traffic.

There is 3rd party vendor/bake-off documenting the result

RE: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread Frank Bulk
Comments in-line.
 
Frank

  _  

From: Emerson Parker [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's


Rogue containment does have some drawbacks in performance under certain
scenarios..
 
Rogue scanning:
 
If you have a valid AP that is capable of scanning other channels for
rogues, it can take 5-7 minutes to find the rogue if there is minimal
traffic on the device.  This is a simple factor of the scan interval and
channel dwell time.  
 
FB> It would frighten me if it actually took a WLAN infrastructure vendor
5-7 minutes to find a rogue AP, even if their 'sensor' was an AP acting in
both modes.  Most of the WIDPS vendors identified rogues in seconds, with
Network Chemistry and AirTight generally being the fastest.  AirMagnet can
have a several-minute delay depending on when the sensor submits its batch
to the server.
 
 These scanning intervals are generally configurable. For instance, you can
configure scanning to occur every x seconds and for x amount of
milliseconds.  Vendors should have the ability to not go off-channel and
stop scanning if there are certain types of traffic present on the AP's set
channel (extended ACL, VoIP, gold queue, etc). 
 
FB> It would be ideal if WLAN customers didn't have to worry about it.  Most
of the time defaults are OK.  It's true that time-sensitive wireless traffic
can be affected by the scan settings, and WLAN vendors are doing a better
job of mitigating and working around that, but it's still not perfect.
 
Finding a rogue:
 
So let's say an AP that is serving clients is on channel 1 and during the
scan interval, they found a rogue on channel 13 (people try to hide rogues
on international channels).
 
What do you want the AP to do?  If you disassociate clients attached to the
rogue over the air, this takes time away from the users being served on
channel 1.  A rogue AP can act as a DoS attack on valid APs.  The valid AP
is spending all of its time deauthing and not serving clients.
 
This too should be a configurable option.  Killing rogues at the expense of
valid clients, or kill the rogues during your scan interval.  If a rogue
comes up on channel 1, the AP can easily kill the rogue and continue serving
its clients but that is rarely the case!
 
Dedicated rogue killers:
 
If you have a few dedicated APs acting as rogue killers, then you can happily
kill rogues all day and do all kinds of other kool stuff.  A rogue killer AP
only needs to hear and txmit at the 1-2mbps range to kill rogues over vast
distances so you can spread them out thin. 
 
FB> At the end of the day, if you want best in class capabilities you need
to set aside units to act solely as sensors or air monitors.
 
LAN based rogue killing:
 
Some Wireless infrastructure can kill rogues from the LAN by looking at MAC
forwarding tables and shutting down ports on a switch.  Some vendors will do
an ARP-poison attack  in conjunction with what is going on out in the air.. 
 
FB> Bridge APs, as mentioned earlier, can be nearly invisible.  Fortunately,
they aren't very popular in retail stores. 
 
Conclusion:  If you have some dedicated resources (APs) to kill rogues, do
it.

  _  

From: ktaillon [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:54 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's


Will you be using the Containment option in the WCS? Or hunting down the
units and removing them from the Network. Could someone point out some of
the pros and cons to using containment..
 

  _  

From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:40 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's


With wireless rolling out on a much larger scale on our campus, we are
revising our policy and attitude to be a bit more restrictive in both
philosophy and practice when it comes to UNCOORDINATED rogues. We are also
taking a stab at coordinating not just APs, but also ANY wireless system-
classroom response systems, wireless AV, etc.- trying to keep the
environment somewhat under control as more wireless technologies hit. Not
always restrictive per se, but more coordinated.
 
Lee H. Badman
Wireless/Network Engineer
KC2IYK, CWNA/CWSP
Information Technology and Services
Syracuse University
315 443-3003
  _  

From: M. Sjulstad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's
 
We too have the policy of no rogues, but I admit I don't go looking for
them.  I know we have them, probably a lot more than I know of, but as long
as they aren't causing problems, I don't really care.   Worst things I've
seen are mis-configured APs that want to be a DHCP server and try handing
out IPs on the wired side.
 
Mike
 
 
_
M. Sjulstad
Network/Electronics Engineer - IIT Dept.
St. Olaf College
Northfield, MN  55057
_
1-507-786-3835
[EMAIL PROTECTED]
w

RE: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread Frank Bulk
Not all rogues are created equal.  There are those on your network that
are communicating with clients, those that are on your network but not
communicating with clients (passive), those that are disconnected from the
network, and neighbors.  I discuss this more here:
http://www.networkcomputing.com/channels/wireless/showArticle.jhtml?articleID=189400826&pgno=6
 
I wish I could give a blanket statement and say that all the WIDPS vendors
are grading them on this type of scale, but they're not.  But they are
becoming more sophisticated (and careful) in how they classify and
categorize them.
 
Regards,
 
Frank

  _  

From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:08 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's


For us, containment is a bit risky- we are surrounded by hospitals,
residences, etc- their devices can show up as rogues. Would be bad to
contain these. We're relying on a lot of communication/cooperation and
growing a new culture as we go- which is actually gaining traction. For
students, we ask them to remove, if they don't- ports can get shut down. But
where we have 100% wireless, we are seeing far fewer rogues. And anything we
do has CIO sponsorship, and is being well-communicated to all.
 
Lee
  _  

From: ktaillon [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:54 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's
 
Will you be using the Containment option in the WCS? Or hunting down the
units and removing them from the Network. Could someone point out some of
the pros and cons to using containment..
 
 
  _  

From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:40 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's
With wireless rolling out on a much larger scale on our campus, we are
revising our policy and attitude to be a bit more restrictive in both
philosophy and practice when it comes to UNCOORDINATED rogues. We are also
taking a stab at coordinating not just APs, but also ANY wireless system-
classroom response systems, wireless AV, etc.- trying to keep the
environment somewhat under control as more wireless technologies hit. Not
always restrictive per se, but more coordinated.
 
Lee H. Badman
Wireless/Network Engineer
KC2IYK, CWNA/CWSP
Information Technology and Services
Syracuse University
315 443-3003
  _  

From: M. Sjulstad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's
 
We too have the policy of no rogues, but I admit I don't go looking for
them.  I know we have them, probably a lot more than I know of, but as long
as they aren't causing problems, I don't really care.   Worst things I've
seen are mis-configured APs that want to be a DHCP server and try handing
out IPs on the wired side.
 
Mike
 
 
_
M. Sjulstad
Network/Electronics Engineer - IIT Dept.
St. Olaf College
Northfield, MN  55057
_
1-507-786-3835
[EMAIL PROTECTED]
www.stolaf.edu/people/sjulstad



 
On Apr 12, 2007, at 9:33 AM, Brian J David wrote:



I just wanted to hear from other schools on what they are doing about
Rogues. Is your policy not to allow them but don't do too much to prevent
them.
Do you let the dorms be the wild wild west? Or are you actively finding them
and removing them through one means or another. We are an Aruba networks
shop
and have some great capabilities for Rogue detection and prevention and
wanted to get a feel what other schools process is concerning them. Also any
horror stories that you would like to share?
 
Brian J David
Network Systems Engineer
Boston College
 


Re: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread Chris Gauthier
At this point, PCC doesn't have a "policy" but we do try to shut down 
wireless and educate the users.  Being a community college, we do not 
have dorms or residence facilities for students.  This means our APs 
come from staff and faculty members.  We are on a districtwide wireless 
rollout plan (contingent, as always, on funding) and most of the rogue 
APs we find are in areas not yet served by wireless.


My personal philosophy is to shut them down immediately so we can 
protect the network and then engage in a dialogue with the "offending" 
user(s) to determine what their needs are and see how PCC's Technology 
Solution Services department (which I am a part of) can meet their needs 
through the currently available means.  The management does not sanction 
non-approved network devices (aka consumer devices) to enhance network 
connectivity.


This is a great topic that I was just thinking of last night as I shut 
down an AP.  Another question to add is how people handle printers with 
both wired and wireless connectivity that seem to always have their 
wireless turned on on Ch. 11 with that pesky SSID "hpsetup".  We disable 
them and educate the users because they've caused interference problems 
in the past.  What do you do?


Chris Gauthier, CCNA
Network Administration Team
Portland Community College
Portland, Oregon

"For once you have tasted flight you will walk the earth with your eyes turned 
skywards, for there you have been and there you will long to return."
--Leonardo da Vinci



Brian J David wrote:


I just wanted to hear from other schools on what they are doing about 
Rogues. Is your policy not to allow them but don't do too much to 
prevent them.


Do you let the dorms be the wild wild west? Or are you actively 
finding them and removing them through one means or another. We are an 
Aruba networks shop


and have some great capabilities for Rogue detection and prevention 
and wanted to get a feel what other schools process is concerning 
them. Also any horror stories that you would like to share?


 


Brian J David

Network Systems Engineer

Boston College

 



RE: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread Emerson Parker
This is a big point.  In order to be certain about rogues, you need to
be able to see traffic on the LAN as well as over the AIR (mac
addresses).   Rogue sensors / detectors need to be in all of the public
facing VLANs (either trunked or sitting in them natively).  That way
rogues are APs that are actually plugged into your LAN and not the
neighbor next door.
 
 
-Emerson



From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 12:08 PM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's


For us, containment is a bit risky- we are surrounded by hospitals,
residences, etc- their devices can show up as rogues. Would be bad to
contain these. We're relying on a lot of communication/cooperation and
growing a new culture as we go- which is actually gaining traction. For
students, we ask them to remove, if they don't- ports can get shut down.
But where we have 100% wireless, we are seeing far fewer rogues. And
anything we do has CIO sponsorship, and is being well-communicated to
all.
 
Lee


From: ktaillon [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:54 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's
 
Will you be using the Containment option in the WCS? Or hunting down the
units and removing them from the Network. Could someone point out some
of the pros and cons to using containment..
 
 


From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:40 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's
With wireless rolling out on a much larger scale on our campus, we are
revising our policy and attitude to be a bit more restrictive in both
philosophy and practice when it comes to UNCOORDINATED rogues... We are
also taking a stab at coordinating not just APs, but also ANY wireless
system- classroom response systems, wireless AV, etc.- trying to keep
the environment somewhat under control as more wireless technologies
hit. Not always restrictive per se, but more coordinated.
 
Lee H. Badman
Wireless/Network Engineer
KC2IYK, CWNA/CWSP
Information Technology and Services
Syracuse University
315 443-3003


From: M. Sjulstad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's
 
We too have the policy of no rogues, but I admit I don't go looking for
them.  I know we have them, probably a lot more than I know of, but as
long as they aren't causing problems, I don't really care.   Worst
things I've seen are mis-configured APs that want to be a DHCP server
and try handing out IPs on the wired side.
 
Mike
 
 
_
M. Sjulstad
Network/Electronics Engineer - IIT Dept.
St. Olaf College
Northfield, MN  55057
_
1-507-786-3835
[EMAIL PROTECTED]
www.stolaf.edu/people/sjulstad



 
On Apr 12, 2007, at 9:33 AM, Brian J David wrote:



I just wanted to hear from other schools on what they are doing about
Rogues. Is your policy not to allow them but don't do too much to
prevent them.
Do you let the dorms be the wild wild west? Or are you actively finding
them and removing them through one means or another. We are an Aruba
networks shop
and have some great capabilities for Rogue detection and prevention and
wanted to get a feel what other schools process is concerning them. Also
any horror stories that you would like to share?
 
Brian J David
Network Systems Engineer
Boston College
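
The LAN-plus-air correlation described at the top of this message can be sketched as follows; this is an added example, not part of any poster's message and not any vendor's algorithm. It joins a switch MAC forwarding table with an over-the-air scan so that only rogues with wired-side evidence become containment candidates, while a neighbor's AP does not. The two matching heuristics (a client MAC seen on both sides for a bridge AP, and a wired MAC numerically adjacent to the BSSID for a NAT box), the status names, and all MACs, switch names and ports are constructed assumptions.

```python
AUTHORIZED_BSSIDS = {"02:00:00:10:00:10"}

# Constructed switch MAC forwarding table: MAC -> (switch, port).
CAM_TABLE = {
    "02:00:00:bb:00:06": ("sw-dorm-3", "Gi1/0/14"),  # WAN side of a NAT box
    "02:00:00:ee:00:21": ("sw-lib-1", "Gi1/0/3"),    # laptop bridged through an AP
    "02:00:00:10:00:0f": ("sw-core", "Gi1/0/1"),     # wired MAC of an authorized AP
}

# Constructed over-the-air scan results from sensors.
AIR_SCAN = [
    {"bssid": "02:00:00:10:00:10", "channel": 1, "clients": ["02:00:00:ee:00:30"]},
    {"bssid": "02:00:00:BB:00:07", "channel": 13, "clients": []},
    {"bssid": "02:00:00:cc:00:50", "channel": 6, "clients": ["02:00:00:ee:00:21"]},
    {"bssid": "02:00:00:dd:00:90", "channel": 11, "clients": ["02:00:00:ee:00:44"]},
]


def mac_to_int(mac):
    """Convert aa:bb:cc:dd:ee:ff (or dash-separated) to an integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def classify_rogues(air_scan, cam_table, authorized, max_offset=2):
    """Return {bssid: {status, ports, evidence}} for every unauthorized BSSID.

    status is 'on-lan-active', 'on-lan-passive' or 'not-seen-on-lan'. The last
    one covers both a neighbor's AP and an unplugged unit; the air alone cannot
    tell them apart, and an idle rogue may not be in the table yet.
    """
    cam = {mac.lower(): loc for mac, loc in cam_table.items()}
    cam_by_value = {mac_to_int(mac): mac for mac in cam}
    report = {}
    for ap in air_scan:
        bssid = ap["bssid"].lower()
        if bssid in authorized:
            continue
        evidence = []
        # Bridge AP: the wireless client's own MAC shows up on a switch port.
        for client in (c.lower() for c in ap["clients"]):
            if client in cam:
                evidence.append(("client-on-wire", client, cam[client]))
        # NAT box: client MACs are hidden, but the wired-side MAC is often
        # within a few addresses of the radio's BSSID.
        base = mac_to_int(bssid)
        for delta in range(-max_offset, max_offset + 1):
            wired = cam_by_value.get(base + delta)
            if wired:
                evidence.append(("adjacent-mac", wired, cam[wired]))
        if not evidence:
            status = "not-seen-on-lan"
        elif ap["clients"]:
            status = "on-lan-active"
        else:
            status = "on-lan-passive"
        ports = sorted({loc for _, _, loc in evidence})
        report[bssid] = {"status": status, "ports": ports, "evidence": evidence}
    return report


def containment_candidates(report):
    """Only BSSIDs with wired-side evidence; neighbors are never listed."""
    return sorted(b for b, r in report.items() if r["status"].startswith("on-lan"))


if __name__ == "__main__":
    result = classify_rogues(AIR_SCAN, CAM_TABLE, AUTHORIZED_BSSIDS)
    for bssid, info in result.items():
        print(bssid, info["status"], info["ports"])
    print("candidates:", containment_candidates(result))
```

A client MAC that reaches the wire through an authorized AP would also match the first heuristic, so in practice the forwarding table should exclude the uplink ports of the managed wireless infrastructure.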
 


RE: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread Emerson Parker
Rogue containment does have some drawbacks in performance under certain
scenarios.
 
Rogue scanning:
 
If you have a valid AP that is capable of scanning other channels for
rogues, it can take 5-7 minutes to find the rogue if there is minimal
traffic on the device.  This is a simple factor of the scan interval and
channel dwell time. 
 
These scanning intervals are generally configurable. For instance, you
can configure scanning to occur every x seconds and for x amount of
milliseconds.  Vendors should have the ability to not go off-channel and
stop scanning if there are certain types of traffic present on the AP's
set channel (extended ACL, VoIP, gold queue, etc).
 
Finding a rogue:
 
So let's say an AP that is serving clients is on channel 1 and during the
scan interval, they found a rogue on channel 13 (people try to hide
rogues on international channels).
 
What do you want the AP to do?  If you disassociate clients attached to
the rogue over the air, this takes time away from the users being served
on channel 1.  A rogue AP can act as a DoS attack on valid APs.  The
valid AP is spending all of its time deauthing and not serving clients.
 
This too should be a configurable option: killing rogues at the expense
of valid clients, or killing the rogues during your scan interval.  If a
rogue comes up on channel 1, the AP can easily kill the rogue and
continue serving its clients but that is rarely the case!
 
Dedicated rogue killers:
 
If you have a few dedicated APs acting as rogue killers, then you can
happily kill rogues all day and do all kinds of other kool stuff.  A
rogue killer AP only needs to hear and txmit at the 1-2 Mbps range to
kill rogues over vast distances so you can spread them out thin.
 
LAN based rogue killing:
 
Some wireless infrastructure can kill rogues from the LAN by looking at
MAC forwarding tables and shutting down ports on a switch.  Some vendors
will do an ARP-poison attack in conjunction with what is going on out
in the air.
 
Conclusion:  If you have some dedicated resources (APs) to kill rogues,
do it.



From: ktaillon [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:54 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's


Will you be using the Containment option in the WCS? Or hunting down the
units and removing them from the Network. Could someone point out some
of the pros and cons to using containment.
 



From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:40 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's


With wireless rolling out on a much larger scale on our campus, we are
revising our policy and attitude to be a bit more restrictive in both
philosophy and practice when it comes to UNCOORDINATED rogues... We are
also taking a stab at coordinating not just APs, but also ANY wireless
system- classroom response systems, wireless AV, etc.- trying to keep
the environment somewhat under control as more wireless technologies
hit. Not always restrictive per se, but more coordinated.
 
Lee H. Badman
Wireless/Network Engineer
KC2IYK, CWNA/CWSP
Information Technology and Services
Syracuse University
315 443-3003


From: M. Sjulstad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's
 
We too have the policy of no rogues, but I admit I don't go looking for
them.  I know we have them, probably a lot more than I know of, but as
long as they aren't causing problems, I don't really care.   Worst
things I've seen are mis-configured APs that want to be a DHCP server
and try handing out IPs on the wired side.
 
Mike
 
 
_
M. Sjulstad
Network/Electronics Engineer - IIT Dept.
St. Olaf College
Northfield, MN  55057
_
1-507-786-3835
[EMAIL PROTECTED]
www.stolaf.edu/people/sjulstad



 
On Apr 12, 2007, at 9:33 AM, Brian J David wrote:



I just wanted to hear from other schools on what they are doing about
Rogues. Is your policy not to allow them but don't do too much to
prevent them.
Do you let the dorms be the wild wild west? Or are you actively finding
them and removing them through one means or another. We are an Aruba
networks shop and have some great capabilities for Rogue detection and
prevention and wanted to get a feel what other schools process is
concerning them. Also any horror stories that you would like to share?
 
Brian J David
Network Systems Engineer
Boston College
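
Emerson Parker's point in the message above, that time-to-detect is a factor of the scan interval and channel dwell time, can be worked through with a small model. This is an added example, not part of the thread and not any vendor's algorithm; the channel list, the 10 s scan interval, the dwell times and the 102.4 ms beacon interval are all assumptions.

```python
"""Model of off-channel rogue scanning latency (added example, assumed values)."""
from statistics import mean

BEACON_INTERVAL_US = 102_400  # assumed beacon interval of the idle rogue (100 TU)


def first_detection_us(channels, rogue_channel, scan_interval_us, dwell_us,
                       beacon_offset_us=0, beacon_interval_us=BEACON_INTERVAL_US,
                       max_time_us=86_400_000_000):
    """Microseconds until a dwell window on rogue_channel contains a beacon.

    The serving AP leaves its home channel once per scan interval, visits the
    next entry of `channels` round-robin and listens for `dwell_us`. The rogue
    carries minimal traffic, so the only frames to hear are its beacons at
    beacon_offset_us + k * beacon_interval_us. Returns None if never heard.
    """
    if rogue_channel not in channels:
        return None  # a channel left out of the scan list is never detected
    visit = 0
    while True:
        start = (visit + 1) * scan_interval_us
        if start > max_time_us:
            return None
        if channels[visit % len(channels)] == rogue_channel:
            # Integer ceiling: index of the first beacon at or after `start`.
            k = max(0, -(-(start - beacon_offset_us) // beacon_interval_us))
            beacon = beacon_offset_us + k * beacon_interval_us
            if beacon < start + dwell_us:
                return beacon
        visit += 1


def detection_stats(channels, rogue_channel, scan_interval_s, dwell_ms, phases=64):
    """(mean, worst) detection time in seconds over evenly spaced beacon phases."""
    times = []
    for p in range(phases):
        t = first_detection_us(channels, rogue_channel,
                               round(scan_interval_s * 1_000_000),
                               round(dwell_ms * 1000),
                               beacon_offset_us=p * BEACON_INTERVAL_US // phases)
        if t is None:
            return None
        times.append(t / 1_000_000)
    return mean(times), max(times)


if __name__ == "__main__":
    all_channels = list(range(1, 14))          # 2.4 GHz channels 1-13
    for dwell_ms in (110, 20):
        avg, worst = detection_stats(all_channels, 13, 10, dwell_ms)
        print(f"dwell {dwell_ms:>3} ms: mean {avg / 60:.1f} min, worst {worst / 60:.1f} min")
    # A scan list limited to 1/6/11 never visits channel 13 at all.
    print("scan list 1/6/11:", detection_stats([1, 6, 11], 13, 10, 110))
```

A dwell at least as long as the beacon interval catches the rogue on the first visit to its channel; a shorter dwell needs several full passes through the channel list, which is where the minutes come from.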
 

RE: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread Lee H Badman
For us, containment is a bit risky- we are surrounded by hospitals,
residences, etc- their devices can show up as rogues. Would be bad to
contain these. We're relying on a lot of communication/cooperation and
growing a new culture as we go- which is actually gaining traction. For
students, we ask them to remove, if they don't- ports can get shut down.
But where we have 100% wireless, we are seeing far fewer rogues. And
anything we do has CIO sponsorship, and is being well-communicated to
all.
 
Lee


From: ktaillon [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:54 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's
 
Will you be using the Containment option in the WCS? Or hunting down the
units and removing them from the Network. Could someone point out some
of the pros and cons to using containment.
 
 


From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:40 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's
With wireless rolling out on a much larger scale on our campus, we are
revising our policy and attitude to be a bit more restrictive in both
philosophy and practice when it comes to UNCOORDINATED rogues... We are
also taking a stab at coordinating not just APs, but also ANY wireless
system- classroom response systems, wireless AV, etc.- trying to keep
the environment somewhat under control as more wireless technologies
hit. Not always restrictive per se, but more coordinated.
 
Lee H. Badman
Wireless/Network Engineer
KC2IYK, CWNA/CWSP
Information Technology and Services
Syracuse University
315 443-3003


From: M. Sjulstad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's
 
We too have the policy of no rogues, but I admit I don't go looking for
them.  I know we have them, probably a lot more than I know of, but as
long as they aren't causing problems, I don't really care.   Worst
things I've seen are mis-configured APs that want to be a DHCP server
and try handing out IPs on the wired side.
 
Mike
 
 
_
M. Sjulstad
Network/Electronics Engineer - IIT Dept.
St. Olaf College
Northfield, MN  55057
_
1-507-786-3835
[EMAIL PROTECTED]
www.stolaf.edu/people/sjulstad



 
On Apr 12, 2007, at 9:33 AM, Brian J David wrote:



I just wanted to hear from other schools on what they are doing about
Rogues. Is your policy not to allow them but don't do too much to
prevent them.
Do you let the dorms be the wild wild west? Or are you actively finding
them and removing them through one means or another. We are an Aruba
networks shop and have some great capabilities for Rogue detection and
prevention and wanted to get a feel what other schools process is
concerning them. Also any horror stories that you would like to share?
 
Brian J David
Network Systems Engineer
Boston College
 


RE: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread ktaillon
Will you be using the Containment option in the WCS? Or hunting down the
units and removing them from the Network. Could someone point out some of
the pros and cons to using containment.
 

  _  

From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:40 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's


With wireless rolling out on a much larger scale on our campus, we are
revising our policy and attitude to be a bit more restrictive in both
philosophy and practice when it comes to UNCOORDINATED rogues. We are also
taking a stab at coordinating not just APs, but also ANY wireless system-
classroom response systems, wireless AV, etc.- trying to keep the
environment somewhat under control as more wireless technologies hit. Not
always restrictive per se, but more coordinated.
 
Lee H. Badman
Wireless/Network Engineer
KC2IYK, CWNA/CWSP
Information Technology and Services
Syracuse University
315 443-3003
  _  

From: M. Sjulstad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's
 
We too have the policy of no rogues, but I admit I don't go looking for
them.  I know we have them, probably a lot more than I know of, but as long
as they aren't causing problems, I don't really care.   Worst things I've
seen are mis-configured APs that want to be a DHCP server and try handing
out IPs on the wired side.
 
Mike
 
 
_
M. Sjulstad
Network/Electronics Engineer - IIT Dept.
St. Olaf College
Northfield, MN  55057
_
1-507-786-3835
[EMAIL PROTECTED]
www.stolaf.edu/people/sjulstad



 
On Apr 12, 2007, at 9:33 AM, Brian J David wrote:



I just wanted to hear from other schools on what they are doing about
Rogues. Is your policy not to allow them but don't do too much to prevent
them.
Do you let the dorms be the wild wild west? Or are you actively finding them
and removing them through one means or another. We are an Aruba networks
shop and have some great capabilities for Rogue detection and prevention and
wanted to get a feel what other schools process is concerning them. Also any
horror stories that you would like to share?
 
Brian J David
Network Systems Engineer
Boston College
 


RE: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread Scholz, Greg
We do not look for rogues but we have CCA in place in the dorms.  CCA
has a feature where it is aware of any L3 device between the client and
the server so if they have a "broadband wireless router" (the most
common since they are <$50 at Best Buy) CCA can find and fail their
login.  If they have a true "AP" (e.g. wireless bridge - seem to be much
less common) then it is not detectable and would function.  But even in
that case anyone using that "rogue wireless" would look to the network
like any other client, run up against CCA and have to be authenticated
and scanned anyway.

So in short...any rogue wireless in our dorms will either not function,
be found, or is not a security issue.

 _
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070

--Lead, follow, or get out of the way.
  (author unknown)



From: M. Sjulstad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's

 

We too have the policy of no rogues, but I admit I don't go looking for
them.  I know we have them, probably a lot more than I know of, but as
long as they aren't causing problems, I don't really care.   Worst
things I've seen are mis-configured APs that want to be a DHCP server
and try handing out IPs on the wired side.

 

Mike

 

 

_
M. Sjulstad
Network/Electronics Engineer - IIT Dept.
St. Olaf College
Northfield, MN  55057
_
1-507-786-3835
[EMAIL PROTECTED]
www.stolaf.edu/people/sjulstad





 

On Apr 12, 2007, at 9:33 AM, Brian J David wrote:





I just wanted to hear from other schools on what they are doing about
Rogues. Is your policy not to allow them but don't do too much to
prevent them.
Do you let the dorms be the wild wild west? Or are you actively finding
them and removing them through one means or another. We are an Aruba
networks shop and have some great capabilities for Rogue detection and
prevention and wanted to get a feel what other schools process is
concerning them. Also any horror stories that you would like to share?

Brian J David
Network Systems Engineer
Boston College

 



RE: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread Lee H Badman
With wireless rolling out on a much larger scale on our campus, we are
revising our policy and attitude to be a bit more restrictive in both
philosophy and practice when it comes to UNCOORDINATED rogues... We are
also taking a stab at coordinating not just APs, but also ANY wireless
system- classroom response systems, wireless AV, etc.- trying to keep
the environment somewhat under control as more wireless technologies
hit. Not always restrictive per se, but more coordinated.
 
Lee H. Badman
Wireless/Network Engineer
KC2IYK, CWNA/CWSP
Information Technology and Services
Syracuse University
315 443-3003


From: M. Sjulstad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 12, 2007 11:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Rogue AP's
 
We too have the policy of no rogues, but I admit I don't go looking for
them.  I know we have them, probably a lot more than I know of, but as
long as they aren't causing problems, I don't really care.   Worst
things I've seen are mis-configured APs that want to be a DHCP server
and try handing out IPs on the wired side.
 
Mike
 
 
_
M. Sjulstad
Network/Electronics Engineer - IIT Dept.
St. Olaf College
Northfield, MN  55057
_
1-507-786-3835
[EMAIL PROTECTED]
www.stolaf.edu/people/sjulstad



 
On Apr 12, 2007, at 9:33 AM, Brian J David wrote:



I just wanted to hear from other schools on what they are doing about
Rogues. Is your policy not to allow them but don't do too much to
prevent them.
Do you let the dorms be the wild wild west? Or are you actively finding
them and removing them through one means or another. We are an Aruba
networks shop and have some great capabilities for Rogue detection and
prevention and wanted to get a feel what other schools process is
concerning them. Also any horror stories that you would like to share?
 
Brian J David
Network Systems Engineer
Boston College
 


Re: [WIRELESS-LAN] Re : microcell vs virtual cell

2007-04-12 Thread Steve Fletty

Russ Leathe wrote:
 
Needless to say, we chose Alcatel/Aruba.  They conform to standards.  So 
far, we have rolled out WifiVOIP, Multicast (video/audio), wifi VPN, 
seamless roaming.  It all works. 


Thanks for your comments.

How large a deployment do you have? Also, what density, APs per square 
foot, do you have for VOIP?


There is 3rd party vendor/bake-off documenting the results but you have 
indicated that you do not consider it.


Is this the Network Computing Meru/Cisco bakeoff article you're 
referring to?




Re: [WIRELESS-LAN] Rogue AP's

2007-04-12 Thread M. Sjulstad
We too have the policy of no rogues, but I admit I don't go looking  
for them.  I know we have them, probably a lot more than I know of,  
but as long as they aren't causing problems, I don't really care.
Worst things I've seen are mis-configured APs that want to be a DHCP  
server and try handing out IPs on the wired side.


Mike


_
M. Sjulstad
Network/Electronics Engineer - IIT Dept.
St. Olaf College
Northfield, MN  55057
_
1-507-786-3835
[EMAIL PROTECTED]
www.stolaf.edu/people/sjulstad


On Apr 12, 2007, at 9:33 AM, Brian J David wrote:

I just wanted to hear from other schools on what they are doing
about Rogues. Is your policy not to allow them but don't do too
much to prevent them.

Do you let the dorms be the wild wild west? Or are you actively
finding them and removing them through one means or another. We are
an Aruba networks shop and have some great capabilities for Rogue
detection and prevention and wanted to get a feel what other schools
process is concerning them. Also any horror stories that you would
like to share?




Brian J David

Network Systems Engineer

Boston College
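
The failure Mike describes above, a misconfigured AP handing out IPs on the wired side, is visible on the wire as DHCP server replies arriving on a port where no DHCP server belongs. The following is an added example, not part of the thread: a parser for the DHCP payload plus a check against trusted (switch port, server) pairs. The port names, MAC addresses and IP addresses are constructed, and how the frames are captured is left as an assumption.

```python
"""Flag DHCP server replies seen on ports where no DHCP server should be.

Added example; every port name, MAC and address below is constructed.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # start of the DHCP options area (RFC 2131)
BOOTP_FIXED_LEN = 236                # fixed BOOTP header that precedes the cookie
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only servers send


def parse_dhcp(payload):
    """Return (op, yiaddr, options) for a DHCP UDP payload, or None if malformed."""
    if len(payload) < BOOTP_FIXED_LEN + 4:
        return None
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        return None
    op = payload[0]
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    options = {}
    i = BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 255:              # end option
            break
        if code == 0:                # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None              # truncated before the length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None              # truncated option value
        options.setdefault(code, value)
        i += 2 + length
    return op, yiaddr, options


def find_rogue_dhcp_servers(frames, trusted):
    """frames: (switch_port, source_mac, udp_payload); trusted: {(port, server_ip)}."""
    findings = {}
    for port, src_mac, payload in frames:
        parsed = parse_dhcp(payload)
        if parsed is None:
            continue
        op, yiaddr, options = parsed
        msg_type = options.get(53, b"")
        if op != 2 or len(msg_type) != 1 or msg_type[0] not in SERVER_MSG_TYPES:
            continue                 # client DISCOVER/REQUEST is expected on any port
        sid = options.get(54, b"")
        server = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "unknown"
        if (port, server) in trusted:
            continue                 # known server answering on its own uplink
        entry = findings.setdefault(
            (port, src_mac), {"server_id": server, "offered": set(), "types": set()})
        entry["offered"].add(yiaddr)
        entry["types"].add(SERVER_MSG_TYPES[msg_type[0]])
    return findings


def build_message(op, msg_type, yiaddr, server_id=None):
    """Build a minimal DHCP payload for the constructed samples below."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234ABCD, 0, 0,
                         bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4),
                         bytes(4), bytes.fromhex("020000000001"), b"", b"")
    options = bytes([53, 1, msg_type])
    if server_id:
        options += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    return header + MAGIC_COOKIE + options + b"\xff"


TRUSTED = {("Gi1/0/48", "10.20.0.2")}   # constructed: campus server behind the uplink
SAMPLE_FRAMES = [                       # constructed capture
    ("Gi1/0/48", "00:00:5e:00:53:01", build_message(2, 2, "10.20.5.17", "10.20.0.2")),
    ("Gi1/0/7", "00:00:5e:00:53:aa", build_message(1, 1, "0.0.0.0")),
    ("Gi1/0/7", "00:00:5e:00:53:99", build_message(2, 2, "192.168.1.100", "192.168.1.1")),
    ("Gi1/0/7", "00:00:5e:00:53:99", build_message(2, 5, "192.168.1.100", "192.168.1.1")),
    ("Gi1/0/9", "00:00:5e:00:53:bb", build_message(2, 2, "10.20.5.18", "10.20.0.2")),
    ("Gi1/0/9", "00:00:5e:00:53:bb", build_message(2, 2, "10.20.5.18", "10.20.0.2")[:247]),
]

if __name__ == "__main__":
    for (port, mac), info in find_rogue_dhcp_servers(SAMPLE_FRAMES, TRUSTED).items():
        print(port, mac, info["server_id"], sorted(info["types"]), sorted(info["offered"]))
```

Matching on the port as well as the server identifier means a reply that claims the campus server's address but arrives on an access port is still flagged.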





RE: [WIRELESS-LAN] microcell vs virtual cell

2007-04-12 Thread Frank Bulk
TDMA will not be happening with 802.11 anything, I'm sorry to say.  WMM-SA
was the closest to that and was canned.

Although I don't believe the 802.11n draft precludes it, the reality is we
won't see much if any 2.4 GHz channel bonding in enterprise products.  I
believe 802.11n will drive the use of the 5 GHz range, a good thing as it
tends to have a slightly shorter propagation pattern than 2.4 GHz (good for
minimizing co-channel interference) and there's a lot more of it available.

Frank

-Original Message-
From: Philippe Hanset [mailto:[EMAIL PROTECTED] 
Sent: Sunday, April 08, 2007 9:41 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] microcell vs virtual cell

One interesting aspect of the virtual cell may come with
802.11n. To get the throughput intended, 802.11n might do channel binding.
So, in ISM 2.4 GHz, with fewer channels to play, some sort of TDMA will
come in handy!

--
Philippe Hanset
University of Tennessee, Knoxville
--

On Fri, 6 Apr 2007, Michael Griego wrote:

> Where virtual cell deployments really shine is in a couple of ways:
>
> 1. By timing the transmissions of both the APs and the clients, they
> cut *way* down on the number of collisions and retransmits.  This
> alone is what causes the throughput of a normal AP to completely tank
> after 20-30 users.  So, by cutting down on the amount of wasted air
> created by the random backoffs and the collisions themselves, you
> gain quite a bit of usable throughput and the ability to reliably
> support more than 20 users (since the available spectrum can be
> equally divided without the clients fighting like a bunch of siblings).
>
> 2. By moving to an almost TDMA approach, 802.11g clients get better
> performance when 802.11b clients are sharing the cell than they would
> with traditional APs (at least this is true for Meru).  This is
> because the AP will give each client the same amount of air*time*
> instead of the same number of frames, allowing the 802.11g client to
> transmit more data before again having to wait on another client.
>
> 3. Most people don't realize (or it just doesn't dawn on them) that
> you *can* run all 3 channels in a virtual cell deployment.  You do
> have to install more APs to support this configuration, but, by doing
> this, you get 3 virtual cells spanning your campus and all of the
> available bandwidth that goes along with it (which, for the reasons
> listed above, is more than you would get using a traditional 3
> channel deployment, making your actual aggregate available throughput
> much closer to the 162Mbps theoretical max for 2.4GHz usage).
>
> One of the other nice benefits of virtual cell deployments is the
> lack of client-initiated roaming.  This is especially useful for
> cutting down roam times when the WLAN is 802.1x authenticated (and it
> doesn't require PMK).  Since, even though the client has moved his
> association to a new physical AP, he's still talking on the same
> channel and to the same BSSID, he has no clue that he has roamed and
> his session state has been seamlessly moved by the controller.
>
> I'd be happy to discuss (offline) our Meru system with anyone who'd
> like to ask questions.
>
> --Mike
>
> On Apr 6, 2007, at 3:30 PM, Ringgold, Clint wrote:
>
> > I am interested in the findings as well.  My concern is the actual
> > throughput.  It would seem to me that a virtual 3 ap setup would be
> > 54MB while in a microcell it would be 162MB potential.
> >
> > I hope I'm wrong and or can get clarification.
> >
> >
> >
> > -Original Message-
> > From: Scholz, Greg [mailto:[EMAIL PROTECTED]
> > Sent: Friday, April 06, 2007 3:59 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [WIRELESS-LAN] microcell vs virtual cell
> >
> > I am also interested in anything you find.
> >
> >
> > -Original Message-
> > From: Steve Fletty [mailto:[EMAIL PROTECTED]
> > Sent: Friday, April 06, 2007 3:33 PM
> > To: [EMAIL PROTECTED]
> > Subject: [WIRELESS-LAN] microcell vs virtual cell
> >
> > Is there any scholarly or technical data/analysis of the single-channel
> > virtual cell architecture vs the traditional micro-cell WIFI
> > architecture?
> >
> > I don't want to hear from vendors. I don't want bake-off results or
> > vendor white papers. I'd like to know if there's any hard science
> > comparing the two contrasting schemes.
> >
> > --
> > Steve Fletty
> > Network Design Engineer
> > University of Minnesota
> >

Re : microcell vs virtual cell

2007-04-12 Thread Russ Leathe
Hi Everyone,
 
Just wanted to weigh in on this conversation.
 
We went through this same process at Gordon College about 4 years ago.
We looked at Meru, Trapeze, AirSpace and Aruba.  During this process,
there were no independent studies or analysis of anyone's product.
 
Gordon College pilots any new technology.  Our pilots run between 30-60
days.  
 
We also rely on analysis by Network Computing, Gartner and Tolly.
Typically, they do a very good, unbiased review of products and
technology.
 
Next we look at the company and the amount of $$ they spend on R&D,
patent ownership and whether or not they have engineers or a presence on
standards committees. It's the standards that really catch my eye.
Hopefully, if they conform, then I have positioned myself and the
institution for the future.  If not, then the trouble begins.
 
Needless to say, we chose Alcatel/Aruba.  They conform to standards.  So
far, we have rolled out WifiVOIP, Multicast (video/audio), wifi VPN,
seamless roaming.  It all works.  
 
I read the article regarding Network Computing analysis of CISCO vs.
Meru.  Honestly, they did a very thorough job.   What I got out of the
article was that indeed Meru was/is tweaking the 802.11 duration value.
To me, this is a red flag.  This means they are not conforming to
standards.  Has Meru responded to Network World or their customers?
Seems to me if this wasn't true, there would be lawsuits or at least a
rebuttal.  Here's one of the engineers' e-mail address, [EMAIL PROTECTED]
I would contact him and ask the question.
 
Anyway, let's get back to testing or piloting technology.
 
By virtual cell vs traditional micro-cell WiFi I assume you are talking
about having multiple access points advertise the same BSSID on the same
channel. Virtual cell appears to clients as a single access point. In
this definition virtual cell would result in more clients contending for
the given channel within a larger coverage area.

Contention in WiFi is generally managed by CSMA/CA (collision
avoidance). CA is used instead of CD (collision detection) because
clients are sometimes not within range of other clients. You can create
virtual-contention to go with the virtual-cells by tweaking access point
timers to be shorter than client timers, but the single channel or
access point bandwidth is fixed. 

You raise a very good question about the data/analysis since the number
of vendors promoting such concepts is very limited. 

Place 3 micro-cell access points on 3 different channels in a coverage
area. Associate 3 clients, 1 per access point. Measure. Place 3
virtual-cell access points on same channel in same coverage area.
Associate 3 clients. Measure. 

Be sure to take bi-directional measurements with simultaneous TX/RX to
experience the half-duplex nature of WiFi radio. I am confident you will
push more packets over 3 channels than 1. Be sure to power-off the
system you are not testing. Shortening timers or counters by one system
can adversely impact other client and access point devices even with
only background traffic.

There is 3rd party vendor/bake-off documenting the results but you have
indicated that you do not consider it. 

All the best

 

Russ Leathe
Director of Networking
Gordon College
Wenham, MA
 
 ~ Russ


Rogue AP's

2007-04-12 Thread Brian J David
I just wanted to hear from other schools on what they are doing about
Rogues. Is your policy not to allow them but don't do too much to prevent
them. 

Do you let the dorms be the wild wild west? Or are you actively finding them
and removing them through one means or another. We are an Aruba networks
shop and have some great capabilities for Rogue detection and prevention and
wanted to get a feel what other schools process is concerning them. Also any
horror stories that you would like to share?

Brian J David
Network Systems Engineer
Boston College

 

