Check out http://www.miragenetworks.com. We use their CounterPoint appliance to safeguard our wireless subnets (it works for wired too). THERE IS NO P2P ON WIRELESS ANYMORE. :) When you see one source hit 400+ targets trying P2P, it feels good to know that they have been stopped before you even notice it.
This box essentially looks at all the traffic, checks it for rule violations as you define (source or target IPs, packet count, port ranges, even custom rules for packet matching down to the bit level of each packet), and if the violations exceed the threshold you define, an action of your choice is taken. For us, if the user sends 10 packets of P2P traffic in 60 second, the user is removed from the network (cloaked) until the offending activity ceases and remains stopped for a period of 10 minutes. (We trap for Gnutella, BitTorrent, iTunes/MyTunes, and Blubster.) By the way, this is an OUT OF BAND solution. In essence, the box uses sneaky trickery to electronically prevent the user from communicating; they are not disconnected from the network, but they are slowed to virtually no bandwidth, and the only node they can talk to is the CP appliance, which then ignores them. :) It does much more, but let me say that we have been very happy with the product, and extremely happy with the vendor. We had some implementation issues (Cisco bug!) and we had more support from them during that time than you usually find, including 1 or 2 days a week with two people on site working on the problem, and the design engineers on the phone. VERY IMPORTANT: You need to inform the user community that wireless cannot be used for certain types of activities. We have a web page that lists known applications we do not allow over wireless that will get you cloaked. And I mean the whole user community; our faculty and staff are the worst offenders sometimes. Feel free to ask me questions, I'll also share our rep's name and contact info if you'd like. Michael Landry Quinnipiac University -----Original Message----- From: Flagg, Martin D. [mailto:[EMAIL PROTECTED] Sent: Friday, November 11, 2005 9:20 AM Subject: Wireless in dorms, a seat of the pants approach? I have been a little embarrassed to express our wireless deployment strategies because I took an approach many will disagree with. We had very limited budget and have even less personal. We started about three years ago and initially were able to buy a limited amount of access points. I deployed Cisco 1200b's , Cisco ACS, LEAP and required Cisco NICs. I placed the AP's manly in academic buildings trying to get the best coverage we could. We are a small school of less then 1500 total students, so I was not worried about home many users per AP (usually it was one or two). Amazingly, by using external directional antenna's, I was able to provide coverage to about 70% of the Academic and staff buildings. The next year we deployed more Access points, Cisco 1200 G's this time. We started filling in the gaps not worrying about dorms. We added support for PEAP. This year we added the dorms, my stated plan was to cover the Dorm common areas but I was fairly sure I could cover most (80-90%) of the dorm rooms. All our dorms have one 100 MB /bed anyways. My survey techniques involved my best guess as where to put access points and was highly influenced by where I could steal a 100 MB connection for the AP. Our staff (being only me when it comes to the network) did not have time to do a survey or any in-depth testing. It was seat of the pants all the way. A professional survey would have been great but I figured for the cost of one, I could buy allot more access points. We also have started upgrading our old 1200b's to 1200G's. We also moved wireless to CCA. I am using less directional antennas now and realize I will soon have to worry more about channel over lap and power. Next year I am planning on buying a central management solution to help me to deal with power and channel overlap issues. Any Suggestions? We did it on the cheap both in time and $$ commitment, and it works using no real frequency planning. However, I would never consider using it as the only method for dorms. The kids now expect wireless but I draw the line at expecting wireless to work with P2P downloading. If I have problems with P2P wireless, I plan on using CCA to block P2P. My next big fear is XBOX 360 and what it will do to wireless? Martin D. Flagg Network Engineer/Administrator Hiram College - If you lend someone $20, and never see that person again, it was probably worth it. -----Original Message----- From: Dave Molta [mailto:[EMAIL PROTECTED] Sent: Thursday, November 10, 2005 4:35 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless-only Dorms? It's fairly easy to understand how the scheduling capabilities of Meru allow it to maximize throughput and minimize latency using a single channel throughout a building, but I still wonder about the aggregate capacity when compared to a more traditional and well-implemented overlapping cell design that leverages all available spectrum. As long as your primary goal is coverage rather than capacity, this is an excellent solution, but the whole discussion of resnet wireless is more of a capacity issue and I'm guessing that low-latency roaming won't be a big issue in the short term since resnet users are more nomadic than mobile. Meru has been doing some interesting work with multi-radio AP's that should allow them to enhance overall system capacity but I don't think any of those products are available today. dm > -----Original Message----- > From: Phil Raymond [mailto:[EMAIL PROTECTED] > Sent: Thursday, November 10, 2005 10:41 AM > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > Subject: Re: [WIRELESS-LAN] Wireless-only Dorms? > > Interesting discussion ongoing... > > I work to remain agnostic in regards to WLAN vendors, but I do > consider Meru a leader in developing/enabling 802.11 technologies. > Frank is correct in that they use the NAV to holdoff data clients > while voice handsets gain airtime access (even tho they don't know > it). This combined with their holistic view of the network and flat > channel architecture (enables very fast roaming) certainly has its > advantages. > Until 802.11e/r becomes prevalent in handsets these mechanisms will > serve its purpose because don't forget - > 802.11 was never made to handle voice clients. But that will change > over the next 2-3 years as cellular mechanisms are adopted into the > WLAN via IEEE 802.11k/v, etc. > > -----Original Message----- > From: Frank Bulk [mailto:[EMAIL PROTECTED] > Sent: Thursday, November 10, 2005 9:18 AM > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > Subject: Re: [WIRELESS-LAN] Wireless-only Dorms? > > Meru does not use PCF, but does use virtual carrier sense as their > main mechanism to control access to the medium. > > Frank > > -----Original Message----- > From: Michael Griego [mailto:[EMAIL PROTECTED] > Sent: Wednesday, November 09, 2005 11:47 AM > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > Subject: Re: [WIRELESS-LAN] Wireless-only Dorms? > > All of the issues listed here are great examples of the complex nature > of designing an 802.11 environment with such stringent requirements. > With only 3 channels, even if you plan very carefully and precisely > control the output power of your APs, you're going to get channel > overlap. This will further reduce your capacity due to the inherent > collisions/retransmissions. > Especially when you factor in the client devices. A client device > transmitting on a channel will force any other device operating on the > same channel that can hear it (APs included if > course) to wait on it to complete its transmission before it can > commence. > So, you have to realize that, even though 2 APs may not be able to > hear each other, a client card between them that can hear both of them > will tie up available bandwidth on BOTH APs while it is transmitting. > Further complicating matters is a situation where two clients > connected to two different APs on the same channel can hear each other > but not both APs. > In > such a circumstance, client 1 and the AP 2 (the AP client 2 is > connected) > may transmit simultaneously. When this happens the signals will > interfere with each other upon reaching client 2, causing client 2 to > be unable to decode the packet, forcing AP 2 to retransmit the packet. > > Complicated indeed! Guaranteeing signal strengh and bandwidth > alotments is extremely difficult. And, this totally ignores the > problems inherent with outside interference or the fact that the > environment (bookshelves, > etc) change on a regular basis, possibly forcing you to revisit your > ever-so-finely-tuned RF plan. Interestingly enough, all these issues > are also extremely relevant if you're interested in looking to deploy > any sort of VoIP/WiFi (VoFi). > > I'd suggest that, if you're truly interested in providing > coverage/bandwidth that takes a lot of these issues into account, you > might want to take a look at the Meru Virtual AP architecture. The > controllers in these systems keep track of every 802.11 device each AP > can here and employ a pretty darn impressive scheduling algorithm for > getting the most out of the available channel capacity. Not only > that, but they actually control when clients are allowed to transmit, > further removing unknowns from the RF use equations and improving > channel usage and capacity. I believe they do this using the PCF, or > Point Coordination Function, in the 802.11 spec... I've not seen any > other wireless switch system that makes use of it near to the level > that the Meru system does. > It's pretty cool. We're in the process of deploying Meru as our > second generation wireless overlay here at UTD, mainly to decrease the > need for complex channel planning, individual AP configuration, and to > support a future VoFi implementation. > > --Mike > > > Phil Raymond wrote: > > If someone forced me to assign a rule of thumb at this high > level, I > > would assign a conservative data rate of 1 Mbps to each > student as a > > requirement. For an 802.11g ONLY network running at the > highest data > > rate (aka strongest signal) using enterprise class AP's > (data thruput > > does vary between AP vendors, be careful here), you should > expect to > > get 15-20 Mbps of upper layer thruput per AP. That would > yield 15-20 > > students per AP. For 802.11a, this will probably hold. For 802.11g, > > due to the limit of 3 channels, you will get an overall > reduction in > > capacity due to shared bandwidth between AP's in a densely > deployed AP > > > environment. > > > > Also, this assumes that you design the network for the > highest signal > > strength - a very important point. In most instances this won't be > > possible due to the environment. Thus I would reduce the available > > bandwidth by 33% and say that 10Mbps is available. > > > > Hence I would go with the low end of 10Mbps available per AP. > > > > To take this to a lower level of analysis, I would want to > know what > > applications the students would be running. Perhaps you use the > > analogy of a low end DSL connection that provides 768Kbps > downlink and > > > 128kbps uplink. Then you stick with the 1 Mbps/student and > assume it > > supports most if not all applications they will use. You might also > > consider a swag at peak operating times (evenings) and > assume ~50% of > > the available students are online (simple queuing theory > assumption). > > Then you could say that a single AP would cover minimally > 20 students. > > > There is my rule of thumb at this high level. I would consider it > > conservative if you design the network properly. > > > > In a typical dorm with a lot of walls (and bookcases...), you will > > probably find that your coverage requirements and capacity > > requirements will be in alignment (and thus balanced). What > I mean by > > that is that you will find that in order to provide a good > signal in a > > > dorm environment you will need to place a denser AP > deployment (due to > > > the thick walls, etc.). This means that as a consequence > your capacity > > > will also be increased due to the denser deployment. > > > > Other factors not considered here are the use of client cards. > > Performance between different manufacturers (you get what > you pay for) > > > will vary. Some cards will be noisy and interfere, others will have > > higher SNR requirements, etc. > > > > Hope this helps and not confuses - as I said, it is not a trivial > > subject. > > > > -----Original Message----- > > From: Larry Press [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, November 09, 2005 9:51 AM > > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > > Subject: Re: [WIRELESS-LAN] Wireless-only Dorms? > > > > Phil Raymond wrote: > > > > > >> The initial design needs to consider coverage AND capacity. > >> > > > > Phil (and others), > > > > Have you got a rule of thumb for the number of students per > G access > > point in a college dorm? > > > > Larry Press > > > > ********** > > Participation and subscription information for this EDUCAUSE > > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > > > ********** > > Participation and subscription information for this EDUCAUSE > Constituent > Group discussion list can be found at http://www.educause.edu/groups/. > > > > ********** > Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > ********** > Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > ********** > Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
