Re: [WIRELESS-LAN] AppleTV/ Campus WLAN

2010-10-07 Thread Patrick Goggins
The only real issue will be the HD content streaming depending upon the 
available bandwidth for students. They will also need to be whitelisted in 
most NAC/NPS environments.

~Patrick


On Oct 7, 2010, at 8:18 AM, Lee H Badman <lhbad...@syr.edu> wrote:

Apple has dropped prices on their AppleTV, and we’re wondering if it will end 
up meaning anything in the grand scheme from the WLAN support perspective. The 
unit itself can get network connectivity via Ethernet or wireless (probably not 
Enterprise security, but I don’t know that), and users can control it from 
their network-connected iPhone or iPad.

Has anyone found these devices to be of concern?

-Lee Badman




** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] Apple and wireless connectivity issues?

2010-10-07 Thread Patrick Goggins
Ditto.

~Patrick


On Oct 7, 2010, at 10:00 AM, Reynolds, Walter <wa...@umich.edu> wrote:

 We have found that many of these are fixed by disabling IPv6 on the Airport 
 interface for the client.
 
 ---
 Walter Reynolds
 Principal Systems Security Development Engineer
 ITS Communications Systems and Data Centers 
 University of Michigan
 (734) 615-9438
 
 
 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson,
 Neil M
 Sent: Thursday, October 07, 2010 10:33 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Apple and wireless connectivity issues?
 
 We also see lots of problems with Macs being unable to obtain DHCP addresses
 properly eventually ending up with a self-assigned IP address.
 
 Attempts to engage Apple have not been helpful.
 
 
 
 -Neil
 
 --
 Neil Johnson
 Network Engineer
 Information Technology Services
 The University of Iowa
 Work: 319 384-0938
 Mobile: 319 540-2081
 Fax: 319 355-2618
 E-mail: neil-john...@uiowa.edu
 
 
 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of Chris
 Brezil
 Sent: Thursday, October 07, 2010 8:28 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Apple and wireless connectivity issues?
 
 Over the summer we upgraded our wireless infrastructure from all
 autonomous Cisco access points to a managed Aruba wireless environment.
 Since the start of the semester we have had issues come up that we have
 been addressing, but we are now encountering something that we never
 faced before - it seems more and more that the majority of new issues
 we are dealing with come from Apple laptops and mobile devices. We have
 heard of some of the larger reported issues about Apple, such as the
 DHCP issues with the original iPad iOS. We have also done some of our
 own research on this and see Apple mentioned numerous times in regards
 to wireless connectivity issues, but we don't know if we are seeing
 this because this is what we are looking for or if because it is the
 reality of the situation.
 
 An example of this type of issue is that a student applied Apple
 updates to her computer last Friday and then could not get an IP
 address afterwards on our wireless network, though she could still use
 her wireless router at home. Calling Apple about this resulted in them
 telling us that if the computer can connect in one place but not
 another that it is our problem and not an issue with the laptop, even
 though many other Apple computers with the same version of the OS could
 connect to our network.
 
 We continue to troubleshoot and look to see if there is something that
 is about our wireless network configuration that is causing problems.
 However, we would like to see if others have experienced similar types
 of issues on their campuses. Do you see a preponderance of wireless
 issues over time relating to Apple products? If this has been the case
 for you, were you successfully able to address issues with Apple? Did
 you have to go back to your wireless vendor to fix these issues? Does
 this sound like something unique to our experience here? We look
 forward to hearing what others have experienced.
 
 Regards,
 Chris Brezil
 Assistant Vice President/IT
 The New School
 


Re: [WIRELESS-LAN] Wireless Bakeoff

2010-10-04 Thread Patrick Goggins
Did you end up using Xirrus in your low density locations as well?

~Patrick


On Oct 4, 2010, at 12:03 PM, Clark, Joseph K <clar...@cofc.edu> wrote:

We recently, within 2 years, went through a similar test. We included AeroHive 
and Xirrus in our list along with Meru, Cisco and Aruba. We ended up choosing 
Xirrus and we have been happy with the decision. If you would like more 
information let me know.

Thanks,
Joseph Clark
Senior Network Engineer
Department of IT
College of Charleston
Charleston, SC 29424-0001
o:843.953.3846
c:843.425.4291
e:clar...@cofc.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Huels, Chris
Sent: Monday, October 04, 2010 12:35 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Bakeoff


All,



Currently Washington University uses Meru for wireless. In order to migrate to 
802.11n, we will have to replace all of the access points and look at replacing 
the controllers to accommodate the throughput. This has given us the 
opportunity to go back and assess other vendors that offer enterprise wireless 
solutions. The vendors that we are looking into are Meru, Aruba, and Cisco. I 
would like to get input from this group on some pros and cons of each, or are 
there other vendors that have been working well? Any input would be helpful.



Thanks

Chris


Re: [WIRELESS-LAN] Mysterious Missing ARP Entry

2010-09-28 Thread Patrick Goggins
Is the particular ssid being broadcast? Try a different wireless driver on the 
tablets. Are the tablets showing the issue across all ap's or just a specific 
model?

~Patrick


On Sep 27, 2010, at 4:40 PM, Watters, John <john.watt...@ua.edu> wrote:


I need some help with a strange new problem – a persistent missing ARP entry.

We are a Cisco shop running WiSMs (6.0.199.4) with a mix of 1142s, 1131’s and a 
few older 1242 APs.

This past Friday we got a report of 5 XP tablets that could not use the 
wireless network. These are 5 out of a group of 50 handheld tablets used in our 
hospital by the doctors for charting, etc. All of these are imaged and should 
be using the same image (and later reimaged to be sure). It turns out that 
these five machines can use every SSID on campus except for one – their special 
one which uses WEP (no flames about WPA; we have tried to get them to move, but 
they are doctors and know more than anyone else). Further investigation has 
shown that these five machines never get an ARP entry built for their default 
gateway. They can talk to other machines on their subnet, but nothing outside. 
When a manual ARP entry is built for them, they are fine. This problem has 
persisted across reboots and reimaging of these five machines.

Today we have received reports of other machines on campus who have similar 
symptoms (we have yet to actually see one of them). They lose connectivity on 
one SSID but are OK on all others.

Has anyone else seen this? Can you give me a clue what to look for?


Along with the MAC address strangeness, which we are seeing, this problem has 
made for a very interesting few days.

Thanks for any help you can offer.


-jcw


John Watters
The University of Alabama: OIT  205-348-3992



Re: [WIRELESS-LAN] Windows 7 64-bit WPA2 Connectivity Issues

2010-09-28 Thread Patrick Goggins
Have been running 64-bit 7 for months with no issues using WPA2-AES with PSKs.

~Patrick


On Sep 28, 2010, at 3:48 PM, Linchuan Yang <lichu...@alcor.concordia.ca> wrote:

Many of our windows 7 clients have this problem. We found a solution: in the 
“Network Properties”, go to the “Security” tab, there is a button named 
“Advanced settings”.  Play with the check box of “Specify authentication mode”: 
some clients should check it, and others should uncheck it.

Good luck!

Yours,
Linchuan Yang (Antony)
Wireless Networking Analyst
Network Assessment and Integration,
IITS-Concordia University
Tel: (514)848-2424 ext. 7664

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of WALLACE, DAVID
Sent: September 28, 2010 4:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Windows 7 64-bit WPA2 Connectivity Issues

Anyone experiencing any issues with Windows 7 64 bit machines staying connected 
to WPA2-AES enabled WLAN?  Specifically the client associates and authenticates 
properly, is assigned an IP.  Shortly afterwards client is repeatedly prompted 
to enter their credentials. Disabling the client wlan interface seems to 
mitigate this for some time, but symptoms return, and interrupt client while 
connected to wireless network.

Running Cisco lightweight APs on WiSMs, and standalone controllers etc.  
Running 7.0.98.0 code.  Not seeing issues with XP or Vista machines.  Only 
common denominator so far has been 64 bit Windows 7 OS.  Doesn’t seem to matter 
if it’s Enterprise or Home version.

Thanks in advance.

David Wallace
Network Design Engineer
Kent State University
Phone:330-672-0379
dwall...@kent.edu



RE: [WIRELESS-LAN] List Guidelines reminder

2010-08-12 Thread Patrick Goggins
Agreed, most are one-time communications but every once in a while there will 
be repeated additions to their spam lists which require some further 
remediation.

~Patrick


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[wireless-...@listserv.educause.edu] On Behalf Of Jeffrey Sessler 
[j...@scrippscollege.edu]
Sent: Thursday, August 12, 2010 6:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] List Guidelines reminder

What I'm tired of is being subscribed to vendor communications shortly after 
I post here. I'll unsubscribe, and then after a new post/reply, I'm suddenly 
added to their marketing lists again. It tells me that while vendors may not be 
posting here, they are mining the lists for email contacts.


Jeff

 Peter P Morrissey  08/12/10 9:57 AM 
Thank you Philippe!
I'm surprised we even let vendors on the list.
Have we ever considered limiting it to .edu's?
Pete M.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Philippe Hanset
Sent: Thursday, August 12, 2010 12:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] List Guidelines reminder

All,

Having education affiliated people asking questions about vendors on the list
is part of the purpose of this medium. Having vendors doing the same is not.

please read the guidelines of the listserv at:

http://www.educause.edu/Community/ConstituentandDiscussionGroups/ConstituentandDiscussionGroupP/892

Thank you for your understanding.

Regards,

Philippe Hanset
Wireless-LAN Constituent Group leader



RE: [WIRELESS-LAN] Meraki?

2010-08-11 Thread Patrick Goggins
While we didn't have the chance to do as in-depth testing, we also looked at 
Meraki but ended up going with Aruba. The Aruba solution for us was cheaper, 
offers more features (the vlan tunneling and bridging options), and ended up 
being more secure with regards to packet captures.



Patrick Goggins
Network Administrator
Carroll University



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Ethan Sommer
Sent: Wednesday, August 11, 2010 2:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Meraki?

We tried out Meraki, and wound up going with Aruba.

Meraki Pros:
* MUCH easier to use.
* Possibly better coverage?
* The Aruba 105 ceiling mount design is really annoying. With meraki you 
can just hang them on the wall with screws.
* Their techs (once you convince them you actually have a problem) can 
go into your system and diagnose and fix the problem for you.
* There is no controller to purchase, so the cost scales linearly with 
the number of APs. (the 65th ap isn't $10k)

Meraki Cons:
* We saw about a 40-50% increase in throughput using Aruba close to the 
access points. (I could transfer about 11MBytes/second over 5Ghz N with 
Meraki vs 19MBytes/second with Aruba.)
* We found it a bit creepy that their techs could do packet captures of 
our network.
* The user interface is so simple it often hides parameters we'd like to 
be able to tweak (or at least try tweaking.) For example, their sales 
people said it only did 802.11G on the 2.4ghz band, but it actually did 
802.11N. We wanted to try turning it to 802.11G only and see if what the 
sales guy said about 802.11G and 802.11N interoperating was true, but 
there isn't a way to do that. I suspect that having N turned on was the 
better setting, but being who I am, I wanted to test it.
* Each AP is more expensive than an Aruba AP-105. Depending on how your 
budgets work, it might actually be easier to have a big up front cost 
and lower incremental costs.
* The ability to tunnel the traffic back to our server room and deal 
with the VLANs there was a handy Aruba feature. With Meraki, you have to 
tag the VLANs all the way out to the AP.

Ethan




On 08/11/2010 11:19 AM, Marcelo Lew wrote:
 I was wondering if somebody on the list is using (or considered) using the 
 Meraki System?

 Marcelo Lew
 Wireless Enterprise Administrator
 University Technology Services
 University of Denver
 Desk: (303) 871-6523
 Cell: (303) 669-4217
 Fax:  (303) 871-5900
 Email: m...@du.edu




-- 
Ethan Sommer
Associate Director of Core Services
Gustavus Technology Services
somm...@gustavus.edu
507-933-7042



Re: [WIRELESS-LAN] blocking broadcast/multicast?

2010-07-03 Thread Patrick Goggins
From what we've seen the large amount of connections from a small number of 
users have either been virus/bot or p2p in nature with one case being a 
legitimate download manager.

~Patrick

On Jul 2, 2010, at 12:35 PM, Holland, Stephen <s.holl...@neu.edu> wrote:

Ryan,

You are correct that we are running M3's today. However, when we originally 
used the filter it was with the Sup2 cards. We were getting unexplained CPU 
spikes and we could not determine why.  One of the recommendations by Aruba was 
to create the following filter and apply to our secure and non-secure roles:

ip access-list eth DenyIPv6
  deny 0x86dd
  permit any


If anybody is following this thread and wants to try this APPLY THE FILTER TO 
THE LOCAL CONTROLLERS AND MASTER FIRST….Then apply filter to the appropriate 
roles.  If you don't do it in this order the controller will not associate the 
role with the filter correctly and it will not work. When we applied we saw CPU 
go down and not up but that was our experience.

In regards to the CPU spikes we found users in the initial captive portal role 
who had 300 - 400 sessions open with the controller. When we blacklisted the 
user the CPU went back down.  We never found out who the users were so we could 
not determine why they created so many sessions. We did however limit the 
number of sessions on the initial role to 50 (need enough sessions for DHCP, 
Portal and other things required to make the portal page operate) and the 
problem went away.

Stephen Holland
Network Engineer
Northeastern University




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Ryan Holland
Sent: Wednesday, June 30, 2010 5:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] blocking broadcast/multicast?

Stephen,

Ha!

I'm assuming you're running the M3 supervisor cards.  We're using SUP-IIs, and 
they get taxed easily.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906   holland@osu.edu

On Jun 30, 2010, at 4:31 PM, Holland, Stephen wrote:


Ryan,

Believe it or not the filter does not dent the controller CPU in the least. 
Aruba was the one who recommended the filter to cut down CPU usage.  All of our 
controllers running under 1% on all CPU's.

BTW: I like the last name! We could be brothers………..

Thanks

Stephen Holland
Network Engineer
Northeastern University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Ryan Holland
Sent: Wednesday, June 30, 2010 2:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] blocking broadcast/multicast?

Stephen,

Blocking IPv6 via the policy enforcement firewall can add an incredible amount 
of processing on the controller, as each and every frame must be inspected. If 
you do not support v6 on wireless, it is much more efficient to just turn it 
off. You said vlan pooling, so I assume you have Aruba. Issue the following: 
no ipv6 enable

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906   holland@osu.edu

On Jun 30, 2010, at 1:59 PM, Holland, Stephen wrote:



We found that IPv6 broadcast traffic contributed significantly to our wireless 
broadcast traffic. Since we don't support IPv6 on the wireless network we 
blocked the ethertype for IPv6 on our wireless controllers.  Also, running vlan 
pooling with /23's.

On a different topic related to bcast/mcast.   Our wireless controllers connect 
to a pair of 4948 switches which then connect to Cisco routers which provide 
the vlans for wireless users.  We use HSRP for redundancy. We realized there is 
no need to send the mcast traffic for HSRP out to the vlans which support our 
wireless users. As long as the routers see each other's HSRP updates it does 
not make sense to forward them to the wireless network. We created a filter to 
block the HSRP updates on the 4948 switches and applied it in the outbound 
direction toward the wireless controllers. For some reason the filter did not 
work. Doing some testing we found the filter is working because it drops 
updates if we apply it in the inbound direction. Does anybody know why the 
filter would not work in the outbound direction?

Thanks

Stephen Holland
Network Engineer
Northeastern University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Marcelo Lew
Sent: Wednesday, June 30, 2010 10:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
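
Added example, not part of the thread and not Aruba's code: a small Python model of the two-rule ethertype filter quoted above (`deny 0x86dd`, `permit any`) evaluated first-match against constructed Ethernet frames. It also compares a tag-aware match with one that reads only the outer type field, since an 802.1Q-tagged frame carries 0x8100 there; the function names and frame builder are illustrative assumptions, and how a given controller treats tagged frames has to be checked on the device.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers

# The two rules from the thread as (action, ethertype); None means "any".
DENY_IPV6_ACL = [("deny", ETHERTYPE_IPV6), ("permit", None)]


def build_frame(ethertype, vlan=None, payload=b"\x00" * 46):
    """Build a constructed Ethernet frame, optionally with one 802.1Q tag."""
    dst = bytes.fromhex("ffffffffffff")   # broadcast destination
    src = bytes.fromhex("020000000001")   # locally administered, made up
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def effective_ethertype(frame):
    """Return (ethertype, vlan_ids), skipping any stacked VLAN tags."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12
    vlans = []
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype in VLAN_TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)        # low 12 bits of the TCI are the VLAN ID
        offset += 4
        (etype,) = struct.unpack_from("!H", frame, offset)
    return etype, vlans


def evaluate(acl, frame, tag_aware=True):
    """First-match evaluation of an ethertype ACL against one frame."""
    if tag_aware:
        etype, _ = effective_ethertype(frame)
    else:
        # Outer type field only: a tagged frame shows up as 0x8100 here.
        (etype,) = struct.unpack_from("!H", frame, 12)
    for action, match in acl:
        if match is None or match == etype:
            return action
    return "deny"  # implicit deny when nothing matches (assumption of this model)


# Constructed sample traffic, labelled for the report below.
SAMPLE_FRAMES = [
    ("ipv4 untagged", build_frame(ETHERTYPE_IPV4)),
    ("arp untagged", build_frame(ETHERTYPE_ARP)),
    ("ipv6 untagged", build_frame(ETHERTYPE_IPV6)),
    ("ipv6 vlan 20", build_frame(ETHERTYPE_IPV6, vlan=20)),
    ("ipv4 vlan 20", build_frame(ETHERTYPE_IPV4, vlan=20)),
]


def compare(acl, frames):
    """Return (label, tag-aware verdict, outer-field-only verdict) per frame."""
    return [
        (label, evaluate(acl, f, tag_aware=True), evaluate(acl, f, tag_aware=False))
        for label, f in frames
    ]


def missed_by_outer_match(acl, frames):
    """Labels of frames the tag-aware filter denies but the outer-only one permits."""
    return [
        label
        for label, aware, outer in compare(acl, frames)
        if aware == "deny" and outer == "permit"
    ]


if __name__ == "__main__":
    for label, aware, outer in compare(DENY_IPV6_ACL, SAMPLE_FRAMES):
        print(f"{label:15s} tag-aware={aware:6s} outer-only={outer}")
    print("missed when matching the outer field only:",
          missed_by_outer_match(DENY_IPV6_ACL, SAMPLE_FRAMES))
```
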

RE: [WIRELESS-LAN] NAC -Posture Assessment

2010-04-12 Thread Patrick Goggins
See below

Patrick Goggins
Network Administrator
Carroll University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Manoj Abeysekera
Sent: Friday, April 09, 2010 9:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] NAC -Posture Assessment

Hello Everyone,

I think we may have discussed this before but I want to do a quick poll and see 
where is everyone with their NAC implementation and specifically Posture 
Assessment in your university. So, my questions are;

1. Have you implemented the Posture Assessment in your campus including all 
Dorms and Administrative buildings?

All dorms, wireless campus-wide, and communal wired ports in academic buildings


2. Do you think the investment is worthy and provide enough value for your 
investment?

Yes, at least for students otherwise a large enough portion will run un-patched 
and with the same 90-day trial antivirus from years ago.


3. Do you think complications involved with Posture Assessment and collateral 
risk it brings (as a campus wide outage thanks to NAC hardware) outweigh the 
individual virus or malware problems that your support staff have to deal with?

Yes. It depends on implementation if an outage to the system will cause service 
disruption to users (Inline vs 802.1x vs DHCP enforcement methods).

Thanks again for your help.




Manoj


--

P. Manoj Abeysekera, CWNA, ACMA
Network Engineer
American University
4200 Wisconsin Ave, NW
Washington DC. 20016
202-885-2702



RE: HP MSM317

2010-04-12 Thread Patrick Goggins
We looked at deploying these in some of the cement-block style dorms to 
increase the port count per room and add wireless to the dorms but opted not to.


1)  The devices are 10/100 and 802.11b/g only, long-term we are looking to 
move to gigabit or faster campus-wide and the migration to 802.11n

2)  Being POE for our purposes requires purchasing all new switches in the 
dorms to support them

3)  During testing we noticed these devices reboot if there is disruption 
on the management vlan between the device and controller... Firmware upgrading 
a building uplink switch would result in the devices causing an extended outage as 
they would reboot and reload their configuration after the building uplink 
switch was already back up.

4)  These are surface-mount devices... they will stick out of the wall 
around 1" which for in the dorms gives that much extra room for furniture (at 
least what is here) to easily hit the devices.

5)  Scaling up after looking at implementing a couple hundred of these 
devices you need to factor in licensing on the controller and potentially 
multiple controllers.

6)  The MSM back-end works well as a basic NAC but provides no posture 
assessment/enforcement.



Patrick Goggins
Network Administrator
Carroll University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of William Emmel
Sent: Friday, April 09, 2010 8:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] HP MSM317

Just curious if anyone has any experience with the HP ProCurve MSM317 Access 
device that they could share.  Apparently they are being deployed by Marriott 
hotels and could be a good fit for student residence halls.  Thanks.

Bill

William F. Emmel
Director of Network and Communications Services
St. John's University, Queens, New York
Office 1-718-990-2007
Mobile 1-516-647-7624



RE: [WIRELESS-LAN] Aruba vs HP vs Meraki

2010-04-12 Thread Patrick Goggins
I believe this would fall under the built-in theft deterrent feature.


Patrick Goggins
Network Administrator
Carroll University

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce T.
Sent: Monday, April 12, 2010 8:04 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba vs HP vs Meraki

I'd bring the 1250 to a bar fight.  It's more Medieval.



Bruce T. Johnson | Partners Healthcare | Network Engineering  
617.726.9662 | Pager: 31633 | bjohns...@partners.org

-Original Message-
From: Jeffrey Sessler [j...@scrippscollege.edu]
Received: 4/11/10 10:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [wireless-...@listserv.educause.edu]
Subject: Re: [WIRELESS-LAN] Aruba vs HP vs Meraki



And as Lee is swinging the 1142s, the song Eye of the Tiger would be playing, 
along with a slow-motion montage of various IT highlights from his career. :)

Jeff

 Mike King m...@mpking.com 4/11/2010 5:46 PM 


On Sun, Apr 11, 2010 at 8:30 PM, Lee H Badman <lhbad...@syr.edu> wrote:


If I have to take an AP to a bar fight, I'd want a Cisco to swing around, 
simply based on heft.



Based on that line, I had two images pop in my mind:

The first one was Lee Swinging two 1142n (one in each hand) like a ninja.

Two was Cisco new Marketing campaign. If I have to take an AP to a bar fight, 
I'd want a Cisco


RE: Aruba vs HP vs Meraki

2010-04-02 Thread Patrick Goggins
HP can be decentralized (depending on the model) or controller-based but 
requires a large number of controllers to scale well. While Aruba does have 
extra licensing fees some of them can be skipped with the newer licensing model 
and others passed on if you have an existing NAC/NPS solution which works well 
for your environment. How is your organization with regards to cloud services in 
general? If per policy other services were turned down by the organization 
Meraki might not be an option as wireless configuration is in the cloud. What 
features are you looking to implement on the access points? For example, we are 
using ethertype filters at the AP level to block IPv6 which during tests 
earlier this year HP would not offer but Cisco and 3Com did. When running 
encryption on your network if certain encrypted SSID's are available 
campus-wide is this installation a forklift replacement? If not, the new equipment 
may need to support whatever the existing encryption settings are as different 
vendors have slight variation on implementation of the standards. If using 
802.1x and it is a mixed vendor environment thoroughly test the functionality, 
we have seen some limitation when running cross-vendor with multiple MAC 
addresses on a single switch port or access points tying in correctly with 
different NAC solutions.


~Patrick


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[wireless-...@listserv.educause.edu] On Behalf Of Mike Hydra 
[mhy...@2fast4wireless.com]
Sent: Friday, April 02, 2010 4:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba vs HP vs Meraki

What I personally find interesting is the wide choice not from a manufacturing 
point of view but more from a Wi-Fi technology point of view.

Aruba – Controller based (aka controller based)
All data goes through the controller, centralized architecture.

HP – decentralized (Controller is not directly essential)
Data path is separated from the management path.

Meraki – Cloud computing
Centralized Cloud, not having to own controller hardware inside your own 
network.

All three very different solutions.

I’m looking forward to follow this email thread with the comments, thanks for 
sharing.
I would recommend writing down a proof of concept and invite the vendors of 
your choice.
In this way you’ve tested your requirement (out of your proof of concept) 
therefore convinced around the solution you buy is the right one.
Good luck...


Mike  Hydra

Cell: +31 6 29 07 18 96
Tel:  +31 252 62 61 20
Fax: +31 252 68 88  37
E-mail:  mhy...@2fast4wireless.com
Skype:  Flying-Wireless-Dutchman
Web:  www.2fast4wireless.com




From: Peter P Morrissey <ppmor...@syr.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Fri, 2 Apr 2010 22:47:26 +0200
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: Aruba vs HP vs Meraki

OK, so I'll ask. Why did you eliminate Cisco already?
Pete M.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Ethan Sommer
Sent: Friday, April 02, 2010 2:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba vs HP vs Meraki

We are considering replacing our 200+ AP wireless infrastructure with a
controller based 802.11n system.

I believe we have narrowed it down to Aruba, HP Procurve (we use HP
switch gear), and Meraki.

I have two questions:

1. Are there any hidden costs we should watch out for with any of these
(particularly Aruba.) Will we hit major costs other than the up front
cost for the APs and the controllers?

2. I know a lot of schools are very happily using Aruba, but I haven't
heard of any schools using HP and very few using Meraki.

Are there any schools who have gone with Aruba and regretted it? If so, why?

Are there any schools out there using HP Procurve (formerly Colubris)
or Meraki? What do you think of them? Did you have any surprises after
you deployed?


Ethan

--
Ethan Sommer
Associate Director of Core Services
507-933-7042
somm...@gustavus.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.





Cisco Bridging Issue

2010-03-04 Thread Patrick Goggins
We have a pair of Cisco 1242AG's that we're trying to bridge together.  Our 
layout would be as follows:  The root building has a switch connected to the 
first 1242, which would be bridged to the second 1242 using the A radio.  At the 
remote building (about 300 feet away, but no way to run wire to it), the second 
1242AG would be installed with the b/g radio set up for client access.  Ideally 
we would like to do this and support multiple tagged VLANs (Management, and two 
other VLANs for a pair of SSIDs), but will settle for a single VLAN if 
need be.

We've been able to find documents to create bridges with 1300's and 1400's, but 
haven't found anything to help us when trying to do it using two 1242's.  I 
tried following the closest document from Cisco that I can find 
(http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058f53e.shtml)
 and it sort of works, but the client-bridge AP continuously says "Warning: 
INterface Dot1Radio1, cannot associate: EAP authenticating", while the 
root-bridge keeps flipping between "RADIUS Server xx.xx.xx.xx is not 
responding" and then "RADIUS Server xx.xx.xx.xx has returned".  Both access 
points show the other end of the bridge link if we look at the Associations, 
but the state is reporting "Association processing".

We welcome any ideas.  Both access points are identical and were started 
with a reset to factory defaults.
Model: Air-AP1242AG-A-K9
System Software: 12.3(8)JA
Bootloader: 12.3(7)JA


Patrick Goggins
Network Administrator
Carroll University

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



RE: Cisco Bridging Issue

2010-03-04 Thread Patrick Goggins
Reconfigured it again and the bridge link is stable, still working on the 
client access issue.

Patrick Goggins
Network Administrator
Carroll University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Thursday, March 04, 2010 10:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Bridging Issue

Have you tried to accomplish simple bridging first- no client access? We have a 
number of 1240s running as bridges reliably and with no issues. But we don't do 
client access at the same time on the same hardware. That's not saying that it 
can't be done, but a good first step might be to just get the bridges to the 
point where simple reliable point-to-point bridging is happening, and then 
bring in the client access piece (or just add a different AP at the end for 
client access).

We do push multiple VLANs across our P=P bridge links.

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Patrick Goggins
Sent: Thursday, March 04, 2010 11:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco Bridging Issue

We have a pair of Cisco 1242AG's that we're trying to bridge together.  Our 
layout would be as follows:  The root building has a switch connected to the 
first 1242, which would be bridged to the second 1242 using the A radio.  At the 
remote building (about 300 feet away, but no way to run wire to it), the second 
1242AG would be installed with the b/g radio set up for client access.  Ideally 
we would like to do this and support multiple tagged VLANs (Management, and two 
other VLANs for a pair of SSIDs), but will settle for a single VLAN if 
need be.

We've been able to find documents to create bridges with 1300's and 1400's, but 
haven't found anything to help us when trying to do it using two 1242's.  I 
tried following the closest document from Cisco that I can find 
(http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058f53e.shtml)
 and it sort of works, but the client-bridge AP continuously says "Warning: 
INterface Dot1Radio1, cannot associate: EAP authenticating", while the 
root-bridge keeps flipping between "RADIUS Server xx.xx.xx.xx is not 
responding" and then "RADIUS Server xx.xx.xx.xx has returned".  Both access 
points show the other end of the bridge link if we look at the Associations, 
but the state is reporting "Association processing".

We welcome any ideas.  Both access points are identical and were started 
with a reset to factory defaults.
Model: Air-AP1242AG-A-K9
System Software: 12.3(8)JA
Bootloader: 12.3(7)JA


Patrick Goggins
Network Administrator
Carroll University
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.




RE: [WIRELESS-LAN] Private IP space for wireless users- anyone?

2010-03-01 Thread Patrick Goggins
We've been using /21's for a couple of years on the wireless and /20's on the 
wired side for a couple of years now without any real problems. The only 
feature we've been using on the access points to prevent some of the 
non-required traffic has been applying ether-type filters to block IPv6, 
Appletalk, and IPX when we can. We looked at using /22's on the wired side for 
the residence halls a couple years ago but found a number of games required all 
clients to be in the same broadcast domain.

Patrick Goggins
Network Administrator
Carroll University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jim Glassford
Sent: Monday, March 01, 2010 3:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Private IP space for wireless users- anyone?

Hi Aaron,

I asked about this in April 2008 right before we did our first /21 and had 
replies of sites using /20s without problems. As David said, if using cisco 
wlc, the default behaviour is to block broadcast and multicast traffic from 
being sent out the WLAN to other wireless client devices. Other vendors may 
have similar, we have had no problem with /21 on wireless. We do not do this on 
any wired LAN, just the controller based lwap and now capwap wireless.

thanks!
jim



On 3/1/2010 3:58 PM, Aaron S. Thompson wrote:
I'm surprised at the use of such large broadcast domains, 4094 or even 2046 
available hosts?  We have found domains that large could bring necessary 
broadcast load on your network gear and client load of having to respond to all 
the broadcast traffic.  Once we identified these potential problems we began 
deploying /24's.

We are using the private address space allocation with PAT.

Any other thoughts on broadcast domains?  Do others treat the wireless 
different from the LAN?


-
Aaron Thompson
Network Services Manager
Network and Telecommunications

Berklee College of Music
1140 Boylston Street, MS-186 NETT
Boston, MA 02215-3693
617.747.8656  athomp...@berklee.edu  www.berklee.edu

On Mar 1, 2010, at 3:15 PM, David Wang wrote:


James, if you are using cisco wlc, the default behaviour is to block broadcast and 
multicast traffic from being sent out the WLAN to other wireless client 
devices. We are using multiple /21 private IPs with NAT.

David Wang
Networking and Security Services, CCS
University of Guelph  519-824-4120 ext 52046

On 2009-12-16, at 10:04 AM, Jamie Savage wrote:

Ken,
  /20 subnets? I've always been concerned about such a large 
broadcast domain, i.e. we've not gone larger than /22.  Have you done any 
special tweaking to facilitate the /20s or have they just worked fine as is?

.thx...J

James Savage                     York University
Senior Communications Tech.      108 Steacie Building
jsav...@yorku.ca                 4700 Keele Street
ph: 416-736-2100 ext. 22605      Toronto, Ontario
fax: 416-736-5830                M3J 1P3, CANADA



From: Ken LeCompte lecom...@nbcs.rutgers.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: 12/16/2009 08:11 AM
Subject: Re: [WIRELESS-LAN] Private IP space for wireless users- anyone?
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU




We are doing NAT/PAT at the edge with a firewall module in a 6500 for
our 5000 peak logged in users. We use four /20's to break up those
users across our wireless controllers. The wireless users are also not
the only ones being NATed at that firewall module. All of the dorm
wired users are NATed there too.

Thanks.

Ken

--
Ken LeCompte - Telecommunications Analyst
Rutgers University Office of Information Technology
Campus Computing Services - Central Systems and Services
Office ~ (732) 445-4823

On Dec 15, 2009, at 6:36 AM, Lee H Badman wrote:

 Thanks for all of the responses- I wonder if anyone with a peak
 usage like ours is doing NAT- almost 6500 clients?

 -Lee
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [wireless-...@listserv.educause.edu] On Behalf Of Jason Appah 
 [jason.ap...@oit.edu]
 Sent: Monday, December 14, 2009 11:03 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Private IP space for wireless users-
 anyone?

 Yes, that is what we do. I just wondered how big of a bear it would be
 to track PAT in a university wireless environment.

 In a second related note, we recently changed our NAT timeout from 3
 to 2 hours as we were beginning to run out of 1 to 1 NAT ranges

 Sent from

Re: [WIRELESS-LAN] Private IP space for wireless users- anyone?

2009-12-15 Thread Patrick Goggins
The only problem we ran into were a couple of websites blocking us  
because to them it would look like a DoS attack. After contacting the  
sites and notifying them that the single ip they were seeing was just  
the public ip for the NAT network.

~Patrick

Sent from my iPhone

On Dec 15, 2009, at 5:36 AM, Lee H Badman lhbad...@syr.edu wrote:

 Thanks for all of the responses- I wonder if anyone with a peak  
 usage like ours is doing NAT- almost 6500 clients?

 -Lee
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv  
 [wireless-...@listserv.educause.edu] On Behalf Of Jason Appah  
 [jason.ap...@oit.edu]
 Sent: Monday, December 14, 2009 11:03 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Private IP space for wireless users-  
 anyone?

 Yes, that is what we do. I just wondered how big of a bear it would be
 to track PAT in a university wireless environment.

 In a second related note, we recently changed our NAT timeout from 3
 to 2 hours as we were beginning to run out of 1 to 1 NAT ranges

 Sent from my iPhone

 Jason Appah
 Systems Administrator
 Oregon Tech

 On Dec 14, 2009, at 6:33 PM, Phil Trivilino p...@stlawu.edu wrote:

 We do 1to1 dynamic NAT on the ASA firewall and log all the
 translations to a syslog server.  Easy to get the private ip from
 the log given the time and global ip.  It is all we've seen the need
 for to this point.
 Phil

 On Dec 14, 2009, at 8:55 PM, Lee H Badman wrote:

 Wondering how many other schools are using private IP space for
 wireless users, how you accomplish the NAT, and what mechanisms you
 use for user tracking for the private-public mappings for forensic/
 investigatory purposes.

 Thanks-

 Lee

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
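
Added example, not from any list participant: the lookup Phil Trivilino describes in the thread above (recovering the private IP from logged 1-to-1 NAT translations, given a time and a global IP), sketched in Python. The log lines are constructed, modelled on the ASA 305009/305010 translation messages with an assumed ISO timestamp and hostname prefix; all addresses and names are placeholders.

```python
import re
from datetime import datetime

# Constructed sample lines (assumption: ISO timestamp + hostname prefix).
SAMPLE_LOG = """\
2009-12-14T20:01:10 fw1 %ASA-6-305009: Built dynamic translation from inside:10.20.4.17 to outside:192.0.2.40
2009-12-14T20:05:42 fw1 %ASA-6-305009: Built dynamic translation from inside:10.20.9.88 to outside:192.0.2.41
2009-12-14T22:01:10 fw1 %ASA-6-305010: Teardown dynamic translation from inside:10.20.4.17 to outside:192.0.2.40 duration 2:00:00
2009-12-14T22:30:00 fw1 %ASA-6-305009: Built dynamic translation from inside:10.20.7.3 to outside:192.0.2.40
"""

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-6-(?P<id>305009|305010): (?:Built|Teardown) dynamic "
    r"translation from \S+?:(?P<priv>[\d.]+) to \S+?:(?P<glob>[\d.]+)"
)

def build_leases(log_text):
    """Return {global_ip: [[start, end_or_None, private_ip], ...]} in log order."""
    leases = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a translation event
        ts = datetime.fromisoformat(m["ts"])
        spans = leases.setdefault(m["glob"], [])
        if m["id"] == "305009":
            # A Build on a global IP that still looks open means a teardown
            # was lost; close the stale lease here rather than overlap it.
            if spans and spans[-1][1] is None:
                spans[-1][1] = ts
            spans.append([ts, None, m["priv"]])
        elif spans and spans[-1][1] is None and spans[-1][2] == m["priv"]:
            spans[-1][1] = ts  # Teardown closes the matching open lease
    return leases

def who_had(leases, global_ip, when):
    """Private IP holding global_ip at `when`, or None if no lease covers it."""
    for start, end, priv in leases.get(global_ip, []):
        if start <= when and (end is None or when < end):
            return priv
    return None

if __name__ == "__main__":
    leases = build_leases(SAMPLE_LOG)
    print(who_had(leases, "192.0.2.40", datetime(2009, 12, 14, 21, 0)))
```

The same global address maps to two different private hosts in the sample, which is why the timestamp on the complaint and synchronized clocks on the firewall and syslog server matter for the lookup.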