RE: Wireless in Dorms
That will not work with the gateway providing the address NATing it. On Cisco, bpdu-guard will block this, though. Bruce Osborne Network Engineer – Wireless Team IT Network Services (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Ian McDonald [mailto:i...@st-andrews.ac.uk] Sent: Thursday, October 16, 2014 12:00 PM Subject: Re: Wireless in Dorms Dhcp snooping? From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Benedick, Jason Sent: 16 October 2014 16:45 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless in Dorms That would work if the student plugs into one of the LAN switch ports on the wireless router (when they do a lot of times that causes problems with rogue DHCP servers), but we more often see them plugging it into the internet port so we only see 1 MAC/IP address. This also wouldn’t solve the slew of broadcasting WiFi devices we’re seeing this year such as Rokus, Chromecasts, printers, gaming headsets, etc. Thanks, Jason R. Benedick IT Generalist Thaddeus Stevens College of Technology Office: (717) 391-6957 Cell: (717) 587-9065 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Justin Pederson Sent: Thursday, October 16, 2014 11:27 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless in Dorms From a technical standpoint, why not just use port security on you wired networks to only allow 1 MAC address at a time. There should be no rouge APs and the students could still use the wireless and wired networks. I have been rolling this around in my head for a little while now. The only thing you should have to cover is cellular tethering, but from my experience, most of these devices don't have much power behind the radio. On Thu, Oct 16, 2014 at 9:13 AM, Ian McDonald i...@st-andrews.ac.ukmailto:i...@st-andrews.ac.uk wrote: Breach of your written policy prohibiting such things isn’t a disciplinary matter? And can’t be fixed with your disciplinary system? From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of T. Shayne Ghere Sent: 16 October 2014 16:11 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Wireless in Dorms Good morning. Let me say first off, we’re nearly a complete Cisco shop other than our Firewalls right now. We are running 3 – Cisco 5508 Wireless Lan Controllers and Cisco WCS. The AP’s in the Dorm’s and Greek houses are all 1142N AP’s and have been spaced accordingly by Cisco and by us during the introduction of wireless in the Dorms, Greeks and Single housing. We are having a heck of a time with all the interference that the students bring with them making our wireless nearly unusable. I know this topic has come up in the past, but this year is one of the worst we’ve seen, and the students are getting restless. We have the ability to quarantine rogue Wireless clients, however according to a recent Court case against a large Hotel Chain, it was decided that on an open free wireless spectrum, we would be breaking the law in jamming it. How have you addressed this issue? I’m about ready to ask upper management to remove the AP’s in all the Dorm buildings and let the students bring their own AP’s if they want wireless. Has anyone resorted to this? Thanks for your input Shayne ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. -- Thanks, Justin Pederson IT Network Coordinator Casper College (307)268-2481 [http://i47.photobucket.com/albums/f181/wrenchp/CCNP_med.jpg?t=1402930230] ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. *This electronic communication from TSCT is confidential and intended solely for use by the individual to whom it is addressed. If you are not the named recipient do not forward, propagate or replicate this e-mail. Please notify the sender immediately by e-mail if you have received this message by mistake and remove from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action dependent upon the contents of this email or attachment is strictly prohibited.*
Re: [WIRELESS-LAN] Wireless in Dorms
I've never known a NAT gateway to send BPDUs out of its WAN port, and so I've never seen BPDU guard work in this scenario. When these home gateways first came out, the cable ISPs only allowed one computer to be used on their service. So, the gateways are very good at emulating a single computer. The detection is going to be very iffy, and require a lot of human interaction. Largely speaking, the devices don't look any different than some Linux box... if you can even tell the OS. Such is my experience, anyhow. -- Hunter Fuller Network Engineer VBRH M-9B +1 256 824 5331 Office of Information Technology The University of Alabama in Huntsville Systems and Infrastructure I am part of the UAH Safe Zone LGBTQIA support network: http://www.uah.edu/student-affairs/safe-zone On Mon, Oct 20, 2014 at 6:52 AM, Osborne, Bruce W (Network Services) bosbo...@liberty.edu wrote: That will not work with the gateway providing the address NATing it. On Cisco, bpdu-guard will block this, though. *Bruce Osborne* *Network Engineer – Wireless Team* *IT Network Services* *(434) 592-4229 %28434%29%20592-4229* *LIBERTY UNIVERSITY* *Training Champions for Christ since 1971* *From:* Ian McDonald [mailto:i...@st-andrews.ac.uk] *Sent:* Thursday, October 16, 2014 12:00 PM *Subject:* Re: Wireless in Dorms Dhcp snooping? *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Benedick, Jason *Sent:* 16 October 2014 16:45 *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Wireless in Dorms That would work if the student plugs into one of the LAN switch ports on the wireless router (when they do a lot of times that causes problems with rogue DHCP servers), but we more often see them plugging it into the internet port so we only see 1 MAC/IP address. This also wouldn’t solve the slew of broadcasting WiFi devices we’re seeing this year such as Rokus, Chromecasts, printers, gaming headsets, etc. Thanks, Jason R. Benedick IT Generalist Thaddeus Stevens College of Technology Office: (717) 391-6957 Cell: (717) 587-9065 *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Justin Pederson *Sent:* Thursday, October 16, 2014 11:27 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Wireless in Dorms From a technical standpoint, why not just use port security on you wired networks to only allow 1 MAC address at a time. There should be no rouge APs and the students could still use the wireless and wired networks. I have been rolling this around in my head for a little while now. The only thing you should have to cover is cellular tethering, but from my experience, most of these devices don't have much power behind the radio. On Thu, Oct 16, 2014 at 9:13 AM, Ian McDonald i...@st-andrews.ac.uk wrote: Breach of your written policy prohibiting such things isn’t a disciplinary matter? And can’t be fixed with your disciplinary system? *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *T. Shayne Ghere *Sent:* 16 October 2014 16:11 *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Wireless in Dorms Good morning. Let me say first off, we’re nearly a complete Cisco shop other than our Firewalls right now. We are running 3 – Cisco 5508 Wireless Lan Controllers and Cisco WCS. The AP’s in the Dorm’s and Greek houses are all 1142N AP’s and have been spaced accordingly by Cisco and by us during the introduction of wireless in the Dorms, Greeks and Single housing. We are having a heck of a time with all the interference that the students bring with them making our wireless nearly unusable. I know this topic has come up in the past, but this year is one of the worst we’ve seen, and the students are getting restless. We have the ability to quarantine rogue Wireless clients, however according to a recent Court case against a large Hotel Chain, it was decided that on an open free wireless spectrum, we would be breaking the law in jamming it. How have you addressed this issue? I’m about ready to ask upper management to remove the AP’s in all the Dorm buildings and let the students bring their own AP’s if they want wireless. Has anyone resorted to this? Thanks for your input Shayne ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. -- Thanks, Justin Pederson IT Network Coordinator Casper College (307)268-2481 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at
RE: [WIRELESS-LAN] Wireless in Dorms
I posted something very similar a month or so ago. I feel your pain – as a small school with limited manpower, we have the same issue. So far I haven’t seen a good answer – we quickly got rid of all of the wireless routers, but there are so many devices that do not plug into the network that interfere. Trying to locate all of them is more time than we have. Pushing things into 5GHz seems like a temporary solution as, has already been mentioned, things will being utilizing that spectrum as well. 802.11ad will introduce new spectrum, but I feel like the fox constantly on the run from the hounds. Thomas Carter Network and Operations Manager Austin College 903-813-2564 [cid:image001.gif@01CFEC40.905A1AC0] From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of T. Shayne Ghere Sent: Thursday, October 16, 2014 10:29 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless in Dorms Our policy states if a device interferes with our network, then we reserve the right to have that device removed. The problem is that the WCS and Controllers are seeing over 712 devices. We can triangulate the “area” the device might be, but that would be going door to door. We don’t have the man power to spend that much time searching for them. Quite a few are wireless printers and mobile hotspots, but they usually get turned off when they aren’t in use. By sending a DoS attack to the device doesn’t solve the wireless interference that it’s causing, but only degrades the service the 2-3 AP’s are providing to other students. We have a Dorm/Greek/Singles living area of around 3,000 students and covers acres of land. I’ve seen some schools putting an AP in each room, some removing all wireless out of the dorms and others fighting the same battle I am. At what point to you just deal with it and say “yeah our wireless sucks because the students didn’t listen when they went through orientation.” On the Academic side we have very very few rogues and the Wireless is rock solid. Upper administration just doesn’t get it, I think, but we’re left to deal with it. There are two of us that maintain everything network related and no student help. It’s becoming a 24/7/365 work schedule, and we’re getting burned out fast. From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ian McDonald Sent: Thursday, October 16, 2014 10:13 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless in Dorms Breach of your written policy prohibiting such things isn’t a disciplinary matter? And can’t be fixed with your disciplinary system? From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of T. Shayne Ghere Sent: 16 October 2014 16:11 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Wireless in Dorms Good morning. Let me say first off, we’re nearly a complete Cisco shop other than our Firewalls right now. We are running 3 – Cisco 5508 Wireless Lan Controllers and Cisco WCS. The AP’s in the Dorm’s and Greek houses are all 1142N AP’s and have been spaced accordingly by Cisco and by us during the introduction of wireless in the Dorms, Greeks and Single housing. We are having a heck of a time with all the interference that the students bring with them making our wireless nearly unusable. I know this topic has come up in the past, but this year is one of the worst we’ve seen, and the students are getting restless. We have the ability to quarantine rogue Wireless clients, however according to a recent Court case against a large Hotel Chain, it was decided that on an open free wireless spectrum, we would be breaking the law in jamming it. How have you addressed this issue? I’m about ready to ask upper management to remove the AP’s in all the Dorm buildings and let the students bring their own AP’s if they want wireless. Has anyone resorted to this? Thanks for your input Shayne ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Wireless in Dorms
To me, wireless printers are absolutely the worst offenders. If they could be eliminated, the rest may be manageable. In one version of the dorm world I envision, I’d do something like this: 1. Develop a per dorm central printing solution that was free (as long as it wasn’t abused), effective, and easy. Then, I’d pass a “no printers allowed” policy but sell it hard as “no printers needed” 2. Per dorm, create a consumer-gadget friendly PSK network that only has Internet access. There’d be MAC registration, and this WLAN would be shared with the per-dorm wired network that students also have access to. We’d campaign the heck out of how hard we’re trying to “be like home” and emphasize the need for good citizenship (with a reminder that bad behavior is trackable) 3. The secure WLAN would also be available, and would be required for access to campus resources Or put another way- try to identify all of the reasons the offending devices are there to begin with, and flex the standard “secure campus WLAN model” to accommodate/eliminate as many of the offending devices as possible with friendlier networking. Patrolling and removal isn’t cost effective, and leads to mutual bad feelings. Not sure how this would all work in the real world, but I contemplate more each semester. -Lee Lee Badman Wireless/Network Architect ITS, Syracuse University 315.443.3003 (Blog: http://wirednot.wordpress.com) From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Thomas Carter Sent: Monday, October 20, 2014 9:37 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless in Dorms I posted something very similar a month or so ago. I feel your pain – as a small school with limited manpower, we have the same issue. So far I haven’t seen a good answer – we quickly got rid of all of the wireless routers, but there are so many devices that do not plug into the network that interfere. Trying to locate all of them is more time than we have. Pushing things into 5GHz seems like a temporary solution as, has already been mentioned, things will being utilizing that spectrum as well. 802.11ad will introduce new spectrum, but I feel like the fox constantly on the run from the hounds. Thomas Carter Network and Operations Manager Austin College 903-813-2564 [AusColl_Logo_Email] From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of T. Shayne Ghere Sent: Thursday, October 16, 2014 10:29 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless in Dorms Our policy states if a device interferes with our network, then we reserve the right to have that device removed. The problem is that the WCS and Controllers are seeing over 712 devices. We can triangulate the “area” the device might be, but that would be going door to door. We don’t have the man power to spend that much time searching for them. Quite a few are wireless printers and mobile hotspots, but they usually get turned off when they aren’t in use. By sending a DoS attack to the device doesn’t solve the wireless interference that it’s causing, but only degrades the service the 2-3 AP’s are providing to other students. We have a Dorm/Greek/Singles living area of around 3,000 students and covers acres of land. I’ve seen some schools putting an AP in each room, some removing all wireless out of the dorms and others fighting the same battle I am. At what point to you just deal with it and say “yeah our wireless sucks because the students didn’t listen when they went through orientation.” On the Academic side we have very very few rogues and the Wireless is rock solid. Upper administration just doesn’t get it, I think, but we’re left to deal with it. There are two of us that maintain everything network related and no student help. It’s becoming a 24/7/365 work schedule, and we’re getting burned out fast. From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ian McDonald Sent: Thursday, October 16, 2014 10:13 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless in Dorms Breach of your written policy prohibiting such things isn’t a disciplinary matter? And can’t be fixed with your disciplinary system? From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of T. Shayne Ghere Sent: 16 October 2014 16:11 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Wireless in Dorms Good morning. Let me say first off, we’re nearly a complete Cisco shop other than our Firewalls right now. We are running 3 – Cisco 5508 Wireless Lan
RE: [WIRELESS-LAN] Wireless in Dorms
1) We have this. We have printers in labs on every other floor of residence halls. We even have a web-based solution where students can print directly to the printer from their personal PCs without messing with drivers, etc. We discourage personal printers, yet students (or their parents) still think they “need” their own printer. 2) I’d extend this by trying to encourage stationary devices off of wireless and on to wired. This is something I’m trying to work on; every dorm room has 2 wired ports. I’m beginning to encourage students to move gaming devices, Apple TVs, Rokus, etc to use the wired ports as they will give the best performance / viewing / gaming experience. My frustration stems from the importance now placed on wireless and our relatively (relative to the wired world) limited amount of control over the clients, spectrum, and environment. We’ve had complaints about academics being affected because a student couldn’t get good wireless signal in their favorite study spot in the library. Thomas Carter Network and Operations Manager Austin College 903-813-2564 [cid:image001.gif@01CFEC56.F5EEBC40] From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman Sent: Monday, October 20, 2014 10:11 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless in Dorms To me, wireless printers are absolutely the worst offenders. If they could be eliminated, the rest may be manageable. In one version of the dorm world I envision, I’d do something like this: 1. Develop a per dorm central printing solution that was free (as long as it wasn’t abused), effective, and easy. Then, I’d pass a “no printers allowed” policy but sell it hard as “no printers needed” 2. Per dorm, create a consumer-gadget friendly PSK network that only has Internet access. There’d be MAC registration, and this WLAN would be shared with the per-dorm wired network that students also have access to. We’d campaign the heck out of how hard we’re trying to “be like home” and emphasize the need for good citizenship (with a reminder that bad behavior is trackable) 3. The secure WLAN would also be available, and would be required for access to campus resources Or put another way- try to identify all of the reasons the offending devices are there to begin with, and flex the standard “secure campus WLAN model” to accommodate/eliminate as many of the offending devices as possible with friendlier networking. Patrolling and removal isn’t cost effective, and leads to mutual bad feelings. Not sure how this would all work in the real world, but I contemplate more each semester. -Lee Lee Badman Wireless/Network Architect ITS, Syracuse University 315.443.3003 (Blog: http://wirednot.wordpress.com) From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Thomas Carter Sent: Monday, October 20, 2014 9:37 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless in Dorms I posted something very similar a month or so ago. I feel your pain – as a small school with limited manpower, we have the same issue. So far I haven’t seen a good answer – we quickly got rid of all of the wireless routers, but there are so many devices that do not plug into the network that interfere. Trying to locate all of them is more time than we have. Pushing things into 5GHz seems like a temporary solution as, has already been mentioned, things will being utilizing that spectrum as well. 802.11ad will introduce new spectrum, but I feel like the fox constantly on the run from the hounds. Thomas Carter Network and Operations Manager Austin College 903-813-2564 [cid:image001.gif@01CFEC56.F5EEBC40] From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of T. Shayne Ghere Sent: Thursday, October 16, 2014 10:29 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless in Dorms Our policy states if a device interferes with our network, then we reserve the right to have that device removed. The problem is that the WCS and Controllers are seeing over 712 devices. We can triangulate the “area” the device might be, but that would be going door to door. We don’t have the man power to spend that much time searching for them. Quite a few are wireless printers and mobile hotspots, but they usually get turned off when they aren’t in use. By sending a DoS attack to the device doesn’t solve the wireless interference that it’s causing, but only degrades the service the 2-3 AP’s are providing to other students. We have a Dorm/Greek/Singles living area of around 3,000 students and covers acres of land. I’ve seen some schools putting an AP in each room, some removing all
