Re: [WIRELESS-LAN] Mysterious Missing ARP Entry
Is the particular SSID being broadcast? Try a different wireless driver on the tablets. Are the tablets showing the issue across all APs or just a specific model?

~Patrick

On Sep 27, 2010, at 4:40 PM, Watters, John <john.watt...@ua.edu> wrote:

I need some help with a strange new problem – a persistent missing ARP entry. We are a Cisco shop running WiSMs (6.0.199.4) with a mix of 1142s, 1131s and a few older 1242 APs. This past Friday we got a report of 5 XP tablets that could not use the wireless network. These are 5 out of a group of 50 handheld tablets used in our hospital by the doctors for charting, etc. All of these are imaged and should be using the same image (and later reimaged to be sure). It turns out that these five machines can use every SSID on campus except for one – their special one which uses WEP (no flames about WPA; we have tried to get them to move, but they are doctors and know more than anyone else).

Further investigation has shown that these five machines never get an ARP entry built for their default gateway. They can talk to other machines on their subnet, but nothing outside. When a manual ARP entry is built for them, they are fine. This problem has persisted across reboots and reimaging of these five machines.

Today we have received reports of other machines on campus with similar symptoms (we have yet to actually see one of them). They lose connectivity on one SSID but are OK on all others. Has anyone else seen this? Can you give me a clue what to look for? Along with the MAC address strangeness, which we are seeing, this problem has made for a very interesting few days. Thanks for any help you can offer.

-jcw

John Watters
The University of Alabama: OIT
205-348-3992

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Mysterious Missing ARP Entry
Does the WEP SSID that is not working happen to be the radio's base BSSID? We have a similar issue with a different vendor and different device. I would say that you may need to end up performing a packet capture to see where the traffic is dropped.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland@osu.edu

On Sep 27, 2010, at 5:40 PM, Watters, John wrote:

[...]
RE: [WIRELESS-LAN] Mysterious Missing ARP Entry
The SSID that fails is being broadcast. The issue persists across all APs and across WiSMs and even across 6506 switches (the ones with the WiSMs). Will look for a different NIC driver -- pretty sure they are running the latest version, will try for a level or two back. All tablets have the same drivers -- the 45 that are good and the 5 that are bad.

-jcw

John Watters
UA: OIT
205-348-3992

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Patrick Goggins
Sent: Tuesday, September 28, 2010 6:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Mysterious Missing ARP Entry

[...]
RE: [WIRELESS-LAN] Mysterious Missing ARP Entry
No, it is not the base SSID. No ARP is being sent from the WiSM. Should the PC request the ARP or should it come unsolicited? The PC does not show any request for one.

-jcw

John Watters
UA: OIT
205-348-3992

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Holland, Ryan C.
Sent: Tuesday, September 28, 2010 8:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Mysterious Missing ARP Entry

[...]
Re: [WIRELESS-LAN] Mysterious Missing ARP Entry
The PC should request an ARP for the gateway. Do you have any ARP filtering along the path? We had a case where some wireless array would drop ARP requests from Windows Vista computers. Disabling the ARP filtering or ARP broadcast restriction fixed the issue we had.

Schilling

On Tue, Sep 28, 2010 at 9:15 AM, Watters, John <john.watt...@ua.edu> wrote:

[...]
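The three replies above amount to a capture-driven triage: the client should broadcast an ARP request for the gateway, a reply should come back, and a capture shows which half is missing. The script below is an added example for this thread (not code from any poster or from Cisco); it parses raw Ethernet II frames as a wired-side capture would supply them and classifies a client's gateway ARP exchange. All MAC and IP addresses and the frames themselves are constructed for the example.

```python
"""Locate where a client's ARP resolution of its gateway breaks down.

Added example for this thread, not code from any poster. It parses raw
Ethernet II frames (as a capture on the controller's wired side would
provide) and reports whether a given client ever asked for the gateway's
MAC and whether anything answered. All addresses and frames below are
constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


@dataclass(frozen=True)
class ArpFrame:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet II + ARP (IPv4 over Ethernet) frame."""
    dst = BROADCAST if opcode == ARP_REQUEST else target_mac
    ethernet = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, op
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return ethernet + arp


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None

    def fmt_mac(b: bytes) -> str:
        return ":".join(f"{x:02x}" for x in b)

    return ArpFrame(opcode,
                    fmt_mac(frame[22:28]), ".".join(map(str, frame[28:32])),
                    fmt_mac(frame[32:38]), ".".join(map(str, frame[38:42])))


def diagnose_gateway_arp(frames: Iterable[bytes], client_mac: str, gateway_ip: str) -> str:
    """Classify the client's ARP exchange with the gateway.

    "resolved"   - the client asked and the gateway answered it
    "no-reply"   - the client asked but nothing answered (look at the path, e.g. ARP filtering)
    "no-request" - the client never asked (look at the client stack / driver)
    """
    asked = answered = False
    for raw in frames:
        arp = parse_arp(raw)
        if arp is None:
            continue
        if (arp.opcode == ARP_REQUEST and arp.sender_mac == client_mac
                and arp.target_ip == gateway_ip):
            asked = True
        elif (arp.opcode == ARP_REPLY and arp.sender_ip == gateway_ip
                and arp.target_mac == client_mac):
            answered = True
    if asked and answered:
        return "resolved"
    return "no-reply" if asked else "no-request"


# Constructed capture: a healthy tablet and one that never asks for the gateway.
GATEWAY_IP, GATEWAY_MAC = "10.20.30.1", "00:00:0c:07:ac:01"
GOOD_MAC, GOOD_IP = "00:1b:77:11:22:33", "10.20.30.40"
BAD_MAC, BAD_IP = "00:1b:77:44:55:66", "10.20.30.41"

CAPTURE = [
    build_arp(ARP_REQUEST, GOOD_MAC, GOOD_IP, ZERO_MAC, GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, GOOD_MAC, GOOD_IP),
    # the bad tablet only resolves a peer on its own subnet, never the gateway
    build_arp(ARP_REQUEST, BAD_MAC, BAD_IP, ZERO_MAC, "10.20.30.50"),
    b"\x00" * 20,  # unrelated truncated frame, ignored by the parser
]

if __name__ == "__main__":
    for mac in (GOOD_MAC, BAD_MAC):
        print(mac, diagnose_gateway_arp(CAPTURE, mac, GATEWAY_IP))
```

The "no-request" result is the situation John describes (the PC shows no request), which points at the client side; "no-reply" is the case Schilling hit, where a request leaves the client and something on the path drops it. With a real capture, feed the raw frame bytes of each packet in place of CAPTURE.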
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
I'm seeing them here at the University of Minnesota as well. Thanks for the heads-up! I'll see what I can discover once I can get a hold of one of these clients.

--
Andrew D. Clark
Network Operations Engineer
University of Minnesota, Networking/Telecom Services
2218 University Ave SE
Minneapolis, MN 55414-3029
Phone: 612-626-4880
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
We tracked one down yesterday and it turned out to be a Windows Mobile phone running Android. Decidedly not a MAC.. :)

-Jeff

On 9/28/10 10:44 AM, Andrew Clark wrote:

[...]
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
You can also run Android on a jailbroken iPhone, though I'd wonder why.

/john

On 9/28/10 9:11 AM, Jeff Wolfe <wo...@ems.psu.edu> apparently wrote:

[...]

--
John L Clarke III
Sr Network Administrator
Central New Mexico Community College
505 224 3012
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
One more piece of info on the 00:11:22:33:44:55 weirdness: we have a user registered in NetReg with MAC address 00:11:22:33:44:55. It is an iMac and was registered on our network in Parallels (browser reference is Windows NT 6.1). I wonder how many of these strange MAC addresses are generated by virtual environments?

On Sep 28, 2010, at 11:11 AM, Jeff Wolfe wrote:

[...]
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
I've read anecdotal accounts that some NIC drivers default to 00:11:22:33:44:55 when an error occurs or when they are unable to determine/set the true MAC address. I didn't think that Parallels would generate a fake NIC though..

---
Justin Hao

On Sep 28, 2010, at 2:39 PM, Hanset, Philippe C <phan...@utk.edu> wrote:

[...]
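Whatever produces 00:11:22:33:44:55 (a driver fallback or a virtual adapter), the operational problem is the same: a registration system keyed on MAC address now has one identifier shared by several unrelated devices. The script below is an added example for this thread, not NetReg code or any poster's script; it audits a constructed registration export for placeholder values, addresses with the multicast or locally-administered bit set (the latter is what virtual and randomised adapters normally use), and MACs registered to more than one user. The only value taken from the thread is the 00:11:22:33:44:55 placeholder; every export line is constructed.

```python
"""Audit a device-registration export for MAC addresses that cannot be real
burned-in identifiers. Added example for this thread (not NetReg code or any
poster's script). The export lines below are constructed; the only value taken
from the thread is the 00:11:22:33:44:55 placeholder.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Values seen as driver/firmware placeholders; 00:11:22:33:44:55 is the one
# discussed on the list, the other two are the obvious degenerate cases.
PLACEHOLDER_MACS = {"00:11:22:33:44:55", "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., aabb.ccdd.eeff or bare hex; return colon form."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_mac(mac: str) -> List[str]:
    """Return the reasons a MAC looks suspect; an empty list means it looks like a
    normal burned-in unicast address."""
    mac = normalize_mac(mac)
    reasons = []
    if mac in PLACEHOLDER_MACS:
        reasons.append("placeholder")
    first = int(mac[:2], 16)
    if first & 0x01:   # I/G bit: group (multicast) address, never a station
        reasons.append("multicast-bit")
    if first & 0x02:   # U/L bit: locally administered (VMs, randomised addresses)
        reasons.append("locally-administered")
    return reasons


def audit_export(lines: List[str]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Parse 'user,mac,user-agent' lines; return {mac: (reasons, users)} for every
    MAC that is suspect or registered to more than one user."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, mac, _agent = (field.strip() for field in line.split(",", 2))
        owners[normalize_mac(mac)].append(user)
    findings = {}
    for mac, users in owners.items():
        reasons = classify_mac(mac)
        if len(users) > 1:
            reasons.append("shared-by-multiple-users")
        if reasons:
            findings[mac] = (reasons, users)
    return findings


# Constructed NetReg-style export: user,mac,user-agent
EXPORT = [
    "# user,mac,agent",
    "asmith,00:1e:c2:aa:bb:cc,Mac OS X 10.6",
    "jdoe,00:11:22:33:44:55,Windows NT 6.1",
    "rroe,0011.2233.4455,Windows NT 6.1",
    "vmlab,02:aa:bb:cc:dd:ee,Windows NT 6.1",
    "badnic,01:00:5e:00:00:fb,Linux",
]

if __name__ == "__main__":
    for mac, (reasons, users) in audit_export(EXPORT).items():
        print(mac, reasons, users)
```

Normalising first matters because different clients and switches write the same address in different forms, so a duplicate hidden behind Cisco dotted notation would otherwise slip past the shared-MAC check.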
Windows 7 64-bit WPA2 Connectivity Issues
Anyone experiencing any issues with Windows 7 64-bit machines staying connected to a WPA2-AES enabled WLAN? Specifically, the client associates and authenticates properly and is assigned an IP. Shortly afterwards the client is repeatedly prompted to enter their credentials. Disabling the client WLAN interface seems to mitigate this for some time, but symptoms return and interrupt the client while connected to the wireless network.

Running Cisco lightweight APs on WiSMs, and stand-alone controllers etc. Running 7.0.98.0 code. Not seeing issues with XP or Vista machines. Only common denominator so far has been the 64-bit Windows 7 OS. Doesn't seem to matter if it's Enterprise or Home version.

Thanks in advance.

David Wallace
Network Design Engineer
Kent State University
Phone: 330-672-0379
dwall...@kent.edu
/20 or /21 flat campus wide L2 vlan for 802.1x/Mobility feasible?
I posted with a gmail account before, but there was no response. Now I am reposting with my edu account, and would really appreciate your opinion on this.

Hi All,

We are thinking of migrating our captive portal wireless network to a dot1x mobility wireless network. Given that we will need one or two years to totally migrate to an Aruba controller based wireless network, we have enough Aruba controllers, but not enough Aruba APs to replace all of the fat APs/arrays.

We are thinking of having a /20 or /21 flat campus wide layer 2 VLAN for the dot1x SSID supporting mobility. For legacy fat APs/arrays, we will just use the dot1x provided by the fat AP/array. For new thin Aruba APs with GRE back to the controllers, we will use the controller based Aruba dot1x authentication.

A big flat layer 2 VLAN is an attractive option. Roaming between Aruba APs will be handled as L2 mobility. Roaming between an Aruba AP and a fat AP/array will just need to reauthenticate with dot1x. This way, the user does not need to type in username/password as in captive portal while roaming around. The session may still break while roaming between a thin AP and a fat AP/array even though the user might get the same DHCP address.

Since we have to trunk the layer 2 VLAN to everywhere there is a fat AP/array, this basically turns our routed core into a bridged core for that VLAN. If there is a network storm in this VLAN, then all core routers and thus all campus units will be affected. It would be a nightmare and disaster.

Would you do a campus wide /20 or /21 layer 2 user VLAN on your campus? If you did it before, what are the lessons you learned from this approach? Could you think of any scenario in which we might have a network loop causing a network storm, given that we are using different wireless and wired VLANs? Since a wireless client can only associate with one AP, can we safely assume that a loop from one AP to another AP through a wireless client is not possible?

Thanks,
Shiling

Shiling Ding
(850)645-6810
sd...@fsu.edu
Network Specialist
Information Technology Services
Florida State University
RE: [WIRELESS-LAN] Windows 7 64-bit WPA2 Connectivity Issues
Many of our Windows 7 clients have this problem. We found a solution: in the Network Properties, go to the Security tab; there is a button named Advanced settings. Play with the check box of "Specify authentication mode": some clients should check it, and others should uncheck it.

Good luck!

Yours,
Linchuan Yang (Antony)
Wireless Networking Analyst
Network Assessment and Integration, IITS-Concordia University
Tel: (514)848-2424 ext. 7664

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of WALLACE, DAVID
Sent: September 28, 2010 4:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Windows 7 64-bit WPA2 Connectivity Issues

[...]
RE: [WIRELESS-LAN] /20 or /21 flat campus wide L2 vlan for 802.1x/Mobility feasible?
We use several /20 and /21 VLANs across each campus, with traffic generally routed only if it needs to reach another VLAN (or campus). We DON'T, at Aruba's recommendation, do that for our wireless services, instead deploying them in multiple /24s (several assigned to each SSID). If I recall correctly, the thinking was that broadcasting every DHCP and ARP request to every wireless client would leave little bandwidth for useful content. Breaking our wireless users up into /24 broadcast domains has apparently kept this from becoming an issue.

We've had four broadcast storm issues with this architecture, none relating specifically to wireless:

1. A component failed inside one of our switches creating a network loop. Spanning tree is supposed to detect and block that, but our equipment vendor had recommended we turn it off on the theory that it was causing performance issues we had been experiencing. This was the classic loop = storm scenario that one rarely actually sees, thanks to spanning tree, except that the looping connection was a chip-level failure and not a mis-installed cable.

2. Lab staff discovered that re-imaging a lab full of computers with Ghost took half as long if they turned on the multicast option. Unfortunately, without multicast routing, the network was delivering that imaging traffic as a broadcast flood across the entire campus, taking out that VLAN.

3. Someone tried to use the Ettercap tool to sniff our switched network. It uses local broadcast (first octet of destination IP address = 0) to deliver intercepted packets to their original destination, and that flood took out the whole VLAN all across campus.

4. We had a NIC fail in a Mac, such that it could no longer cache ARP responses. Someone tried to print a document to a printer just across the room, and the broadcast ARP for every packet flooded that VLAN.

We plan our next generation network deployment to use more routed granularity and not to extend user device VLANs further than a building or three.

David Gillett, CISSP CCNP
Sr. Security Engineer, Foothill-De Anza Community College District

-----Original Message-----
From: Ding, Shiling [mailto:sd...@fsu.edu]
Sent: Tuesday, September 28, 2010 13:35
To: WIRELESS-LAN@listserv.educause.edu
Subject: [WIRELESS-LAN] /20 or /21 flat campus wide L2 vlan for 802.1x/Mobility feasible?

[...]
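Three of the four storms David describes have a per-source signature that a mirror-port capture exposes before the VLAN goes down: one station broadcasting far above a normal ARP rate (case 4), one station pumping multicast into a VLAN with no multicast routing (case 2), and IPv4 packets addressed into 0.0.0.0/8 (case 3). The detector below is an added example for this thread, not the district's tooling; it works on constructed one-line frame summaries of the kind a capture tool exports, and the rate threshold is an assumption for the example, not a recommended setting. The switch-internal loop of case 1 is a topology fault rather than a per-source pattern and is not modelled.

```python
"""Flag broadcast-storm sources of the kinds listed in the thread from a frame log.

Added example for this thread, not any district's tooling. Input records are
constructed one-line summaries of a mirror-port capture:
(timestamp_seconds, src_mac, dst_mac, ethertype, dst_ip_or_None).
The rate threshold is an assumption for the example, not a recommended setting.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

Record = Tuple[float, str, str, int, Optional[str]]
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
FLOOD_THRESHOLD = 50   # frames per source per one-second window (assumed)


def destination_kind(dst_mac: str) -> Optional[str]:
    """'broadcast', 'multicast' (I/G bit set) or None for unicast."""
    if dst_mac == BROADCAST:
        return "broadcast"
    if int(dst_mac[:2], 16) & 0x01:
        return "multicast"
    return None


def analyze(records: Iterable[Record], threshold: int = FLOOD_THRESHOLD,
            window: float = 1.0) -> Dict[str, Set[str]]:
    """Return {finding: {src_mac, ...}} for the storm patterns described above."""
    counts: Dict[Tuple[str, str, int], int] = defaultdict(int)
    findings: Dict[str, Set[str]] = {
        "broadcast-flood": set(),   # case 4: a host that cannot cache ARP asks for every packet
        "multicast-flood": set(),   # case 2: multicast imaging with no multicast routing
        "net0-destination": set(),  # case 3: IPv4 destination in 0.0.0.0/8 (local broadcast)
    }
    for t, src, dst, ethertype, dst_ip in records:
        kind = destination_kind(dst)
        if kind:
            counts[(src, kind, int(t // window))] += 1
        if ethertype == ETHERTYPE_IPV4 and dst_ip and dst_ip.split(".")[0] == "0":
            findings["net0-destination"].add(src)
    for (src, kind, _bucket), n in counts.items():
        if n > threshold:
            findings[f"{kind}-flood"].add(src)
    return findings


def constructed_records() -> List[Record]:
    """Constructed sample log: one healthy host and one host per storm pattern."""
    recs: List[Record] = []
    # healthy host: a handful of ARP broadcasts per second
    recs += [(i * 0.2, "00:1b:77:00:00:01", BROADCAST, ETHERTYPE_ARP, None) for i in range(5)]
    # failed NIC that ARPs for every packet it sends (300 broadcasts in under a second)
    recs += [(i * 0.003, "00:1b:77:00:00:02", BROADCAST, ETHERTYPE_ARP, None) for i in range(300)]
    # host addressing IPv4 packets to 0.x.x.x
    recs += [(0.5, "00:1b:77:00:00:03", BROADCAST, ETHERTYPE_IPV4, "0.0.0.0")]
    # multicast imaging stream without multicast routing
    recs += [(i * 0.005, "00:1b:77:00:00:04", "01:00:5e:01:01:01", ETHERTYPE_IPV4, "239.1.1.1")
             for i in range(120)]
    return recs


if __name__ == "__main__":
    for finding, sources in analyze(constructed_records()).items():
        print(finding, sorted(sources))
```

Per-source counting is what makes this actionable: a storm seen only as an aggregate broadcast rate tells you the VLAN is in trouble, while the source MAC tells you which edge port to shut. The same counter also lights up under a loop, since the looping frames carry the original sender's address, but it cannot tell you where the loop is.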
Re: [WIRELESS-LAN] /20 or /21 flat campus wide L2 vlan for 802.1x/Mobility feasible?
We have several wireless VLANs using /21s for each building, no issues so far.

On 9/28/2010 4:21 PM, David Gillett wrote:

[...]

--
Heath Barnhart, CCNA
Network Administrator
Information
Re: [WIRELESS-LAN] /20 or /21 flat campus wide L2 vlan for 802.1x/Mobility feasible?
Ding,

A big flat network is only attractive until you have many users on it that destroy the quality of service. We ran a big flat network with over 4000 users and eventually moved away from it. You can live with the big flat network, but you have to constantly filter new broadcasting protocols (mDNS etc.).

Aruba has many elegant solutions to transition from fat APs to a controller-based architecture. (There is a white paper somewhere about that. Any Aruba person on this list who could point to that doc?)

I would point my old APs to RADIUS servers for 802.1x, and point the Aruba 802.1x profiles to the same RADIUS servers (for the sake of certificate consistency). Users will have a tendency to save a profile with stored login/password, so roaming should be fine.

On the IP side, you could terminate the VLAN that is carried by your old APs on the Aruba controller and turn IP Mobility on between that VLAN and the new VLANs that you assign to your new Aruba-based wireless networks. We don't use IP Mobility these days, but we use VLAN Pooling extensively. Once your migration is completely done, you could move from IP Mobility to VLAN Pooling (if you still like that layer 2 roaming!).

Also, don't forget to add one SSID for eduroam ;-)

As I wrote above, contact your local Aruba team; they have more than one solution for this type of design.

Best,

Philippe Hanset
Univ. of TN

On Sep 28, 2010, at 4:34 PM, Ding, Shiling wrote:

I posted with a gmail account before, but there was no response. Now I am reposting with my edu account, and would really appreciate your opinion on this.

Hi All,

We are thinking of migrating our captive portal wireless network to a dot1x mobility wireless network. We will need one or two years to totally migrate to an Aruba controller-based wireless network: we have enough Aruba controllers, but not enough Aruba APs to replace all of the fat APs/arrays.

We are thinking of having a /20 or /21 flat campus-wide layer 2 VLAN for the dot1x SSID supporting mobility. For legacy fat APs/arrays, we will just use the dot1x provided by the fat AP/array. For the new thin Aruba APs with GRE back to the controllers, we will use the controller-based Aruba dot1x authentication.

A big flat layer 2 VLAN is an attractive option. Roaming between Aruba APs will be handled as L2 mobility. Roaming between an Aruba AP and a fat AP/array will just need to reauthenticate with dot1x. This way, the user does not need to type in a username/password as in the captive portal while roaming around. The session may still break up while roaming between a thin AP and a fat AP/array, even though the user might get the same DHCP address.

Since we have to trunk the layer 2 VLAN to everywhere there is a fat AP/array, this basically turns our routed core into a bridged core for that VLAN. If there is a network storm in this VLAN, then all core routers, and thus all campus units, will be affected. It would be a nightmare and a disaster.

Would you do a campus-wide /20 or /21 layer 2 user VLAN on your campus? If you did it before, what are the lessons you learned from this approach? Could you think of any scenario in which we might have a network loop causing a network storm, given that we are using different wireless and wired VLANs? Since a wireless client can only associate with one AP, can we safely assume that a loop from one AP to another AP through a wireless client is not possible?

Thanks,
Shiling

Shiling Ding
(850)645-6810
sd...@fsu.edu
Network Specialist
Information Technology Services
Florida State University
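Two points in this thread are concrete enough to put on the wire: Philippe's note that a big flat VLAN means constantly filtering new broadcasting protocols (mDNS and friends), and Shiling's question about a loop causing a storm across the bridged core. The script below is an added example, not code from any poster or from Aruba. It parses raw Ethernet/IPv4/UDP frames (standard header layouts, no library), tallies only the frames that get flooded to every port in the VLAN, and flags a source MAC that keeps moving between ingress ports within a short window, which is the classic loop signature on a switch. The frames, MAC addresses, IP addresses and port names are constructed for the demo; in practice you would feed it frames from a mirror port or a pcap.

```python
"""Classify flooded frames on a VLAN and flag MAC flapping (added example;
not code from any poster or from Aruba). Sample frames below are constructed."""
import struct
from collections import Counter, defaultdict

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4, ETHERTYPE_ARP, IPPROTO_UDP = 0x0800, 0x0806, 17
# UDP ports of discovery protocols every host on a flat VLAN must receive
NOISY_UDP_PORTS = {5353: "mDNS", 1900: "SSDP", 137: "NetBIOS-NS",
                   138: "NetBIOS-DGM", 67: "DHCP", 68: "DHCP"}


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def classify_frame(frame):
    """Label a broadcast/multicast frame by protocol; None for unicast,
    which is switched to one port and so never loads the whole VLAN."""
    if len(frame) < 14 or not (frame[0] & 0x01):   # group bit clear: unicast
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:
        return "ARP"
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[14 + 9]
        if proto == IPPROTO_UDP and len(frame) >= 14 + ihl + 8:
            dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
            return NOISY_UDP_PORTS.get(dport, f"UDP/{dport}")
        return f"IP proto {proto}"
    return f"ethertype 0x{ethertype:04x}"


def analyse(samples, window_s=0.5, flap_threshold=3):
    """samples: list of (timestamp_s, ingress_port, frame). Tallies flooded
    frames per protocol and flags a source MAC that changes ingress port
    flap_threshold times within window_s: one move is a client roaming,
    repeated moves in a fraction of a second are a layer 2 loop."""
    counts, last_port, moves, flapping = Counter(), {}, defaultdict(list), set()
    for ts, port, frame in samples:
        label = classify_frame(frame)
        if label:
            counts[label] += 1
        src = frame[6:12]
        if src in last_port and last_port[src] != port:
            moves[src] = [t for t in moves[src] if ts - t <= window_s] + [ts]
            if len(moves[src]) >= flap_threshold:
                flapping.add(mac_str(src))
        last_port[src] = port
    span = (samples[-1][0] - samples[0][0]) or 1.0
    return {"flooded": dict(counts),
            "flooded_pps": round(sum(counts.values()) / span, 1),
            "flapping": sorted(flapping)}


# --- constructed frames for the demo (no real capture) ----------------------
def ipv4_udp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload=b""):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def arp_request(sender_mac, sender_ip="10.1.0.5", target_ip="10.1.0.1"):
    arp = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + sender_mac
           + bytes(map(int, sender_ip.split("."))) + b"\x00" * 6
           + bytes(map(int, target_ip.split("."))))
    return BROADCAST_MAC + sender_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


H1, H2, H3 = mac("00:11:22:33:44:01"), mac("00:11:22:33:44:02"), mac("00:11:22:33:44:03")
MDNS_MAC, SSDP_MAC = mac("01:00:5e:00:00:fb"), mac("01:00:5e:7f:ff:fa")
SAMPLE = [
    (0.00, "Gi1/0/1", arp_request(H1)),
    (0.05, "Gi1/0/1", ipv4_udp_frame(MDNS_MAC, H1, "10.1.0.5", "224.0.0.251", 5353, 5353)),
    (0.10, "Gi1/0/2", ipv4_udp_frame(MDNS_MAC, H2, "10.1.0.6", "224.0.0.251", 5353, 5353)),
    (0.15, "Gi1/0/2", ipv4_udp_frame(SSDP_MAC, H2, "10.1.0.6", "239.255.255.250", 1900, 1900)),
    (0.20, "Gi1/0/3", ipv4_udp_frame(BROADCAST_MAC, H3, "10.1.0.7", "10.1.15.255", 137, 137)),
    (0.25, "Gi1/0/3", ipv4_udp_frame(H1, H3, "10.1.0.7", "10.1.0.5", 40000, 53)),  # unicast
    # H1's MAC bouncing between two ports four times in 150 ms: a loop, not roaming
    (0.30, "Gi1/0/4", arp_request(H1)),
    (0.35, "Gi1/0/5", arp_request(H1)),
    (0.40, "Gi1/0/4", arp_request(H1)),
    (0.45, "Gi1/0/5", arp_request(H1)),
]

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The per-protocol tally is what tells you which protocols to filter on the user VLAN, and the flapping check is the same heuristic a switch applies before logging a MAC-move or shutting a port under storm control. Note that the threshold and window are tuning knobs: on a wireless VLAN a single move per client per roam is normal, so only rapid repeated moves should page anyone.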
Re: [WIRELESS-LAN] Windows 7 64-bit WPA2 Connectivity Issues
I have been running 64-bit Windows 7 for months with no issues using WPA2-AES with PSKs.

~Patrick

On Sep 28, 2010, at 3:48 PM, Linchuan Yang lichu...@alcor.concordia.ca wrote:

Many of our Windows 7 clients have this problem. We found a solution: in the “Network Properties”, go to the “Security” tab; there is a button named “Advanced settings”. Play with the check box “Specify authentication mode”: some clients should check it, and others should uncheck it.

Good luck!

Yours,
Linchuan Yang (Antony)
Wireless Networking Analyst
Network Assessment and Integration, IITS-Concordia University
Tel: (514)848-2424 ext. 7664

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of WALLACE, DAVID
Sent: September 28, 2010 4:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Windows 7 64-bit WPA2 Connectivity Issues

Is anyone experiencing any issues with Windows 7 64-bit machines staying connected to a WPA2-AES enabled WLAN? Specifically, the client associates and authenticates properly and is assigned an IP. Shortly afterwards the client is repeatedly prompted to enter their credentials. Disabling the client WLAN interface seems to mitigate this for some time, but the symptoms return and interrupt the client while connected to the wireless network. Running Cisco lightweight APs on WiSMs, and stand-alone controllers etc. Running 7.0.98.0 code. Not seeing issues with XP or Vista machines. The only common denominator so far has been the 64-bit Windows 7 OS. It doesn't seem to matter if it's the Enterprise or Home version.

Thanks in advance.

David Wallace
Network Design Engineer
Kent State University
Phone: 330-672-0379
dwall...@kent.edu
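Linchuan's fix is a checkbox in the 802.1X advanced settings, which only matters for WPA2-Enterprise profiles (it has no effect on the PSK profiles Patrick describes). When you have fifty clients to check, the exported profile is easier to work with than the GUI. The script below is an added example, not code from the posters or from Microsoft: it reads a profile exported with `netsh wlan export profile name="<SSID>" folder="C:\tmp"`, reports the effective authentication mode, and sets or clears the `<authMode>` element, which is what the "Specify authentication mode" checkbox writes. The namespace URIs, the element name and its default of `machineOrUser` follow Microsoft's published WLAN/OneX profile schema; treat them as an assumption to verify against a profile exported from your own build. The two profile documents are constructed stand-ins, with a placeholder in place of the real EAP method XML.

```python
"""Inspect or toggle the 802.1X "Specify authentication mode" setting in an
exported Windows WLAN profile.  Added example, not code from the posters or
from Microsoft.  Namespace URIs, the OneX/authMode element and its default
are taken from the published WLAN profile schema (assumption: your build
matches it).  Export a profile with:
    netsh wlan export profile name="<SSID>" folder="C:\\tmp"
"""
import xml.etree.ElementTree as ET

WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
VALID_MODES = ("machineOrUser", "machine", "user", "guest")
AUTH_MODE = f"{{{ONEX_NS}}}authMode"

# Keep the serialised output readable: default namespace for WLANProfile,
# an explicit prefix for the OneX block (namespace-equivalent to netsh's own).
ET.register_namespace("", WLAN_NS)
ET.register_namespace("onex", ONEX_NS)


def _onex(root):
    """The OneX (802.1X) block lives under MSM/security; absent for PSK profiles."""
    return root.find(f".//{{{WLAN_NS}}}security/{{{ONEX_NS}}}OneX")


def effective_auth_mode(profile_xml):
    """Return the mode Windows applies: the explicit <authMode> when the box
    is ticked, the schema default 'machineOrUser' when it is absent (box
    cleared), or None for a profile with no 802.1X block at all (WPA2-PSK)."""
    onex = _onex(ET.fromstring(profile_xml))
    if onex is None:
        return None
    node = onex.find(AUTH_MODE)
    if node is not None and node.text and node.text.strip() in VALID_MODES:
        return node.text.strip()
    return "machineOrUser"


def set_auth_mode(profile_xml, mode):
    """Return the profile with <authMode> set to `mode` (ticking the box), or
    removed when `mode` is None (clearing it).  The element is inserted before
    <EAPConfig> because the OneX schema is order-sensitive."""
    if mode is not None and mode not in VALID_MODES:
        raise ValueError(f"unknown authMode {mode!r}")
    root = ET.fromstring(profile_xml)
    onex = _onex(root)
    if onex is None:
        raise ValueError("profile has no OneX block; it is not an 802.1X profile")
    for old in onex.findall(AUTH_MODE):
        onex.remove(old)
    if mode is not None:
        node = ET.Element(AUTH_MODE)
        node.text = mode
        eap = onex.find(f"{{{ONEX_NS}}}EAPConfig")
        onex.insert(list(onex).index(eap) if eap is not None else len(onex), node)
    return ET.tostring(root, encoding="unicode")


# --- constructed sample profiles (not exported from a real machine) ----------
SAMPLE_DOT1X_PROFILE = f"""<WLANProfile xmlns="{WLAN_NS}">
  <name>campus-dot1x</name>
  <SSIDConfig><SSID><name>campus-dot1x</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="{ONEX_NS}">
      <authMode>user</authMode>
      <EAPConfig>placeholder: a real profile carries the EAP method XML here</EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

SAMPLE_PSK_PROFILE = f"""<WLANProfile xmlns="{WLAN_NS}">
  <name>home</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
  </security></MSM>
</WLANProfile>"""

if __name__ == "__main__":
    print("dot1x profile:", effective_auth_mode(SAMPLE_DOT1X_PROFILE))
    print("psk profile:", effective_auth_mode(SAMPLE_PSK_PROFILE))
    print(set_auth_mode(SAMPLE_DOT1X_PROFILE, None))
```

Re-import a modified profile with `netsh wlan add profile filename="<file>"`. Comparing the output of `effective_auth_mode` across the machines that prompt for credentials and the ones that do not is a quicker way to find the pattern than toggling the checkbox by hand on each client.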