We have several wireless VLANs using /21s for each building; no issues so far.

On 9/28/2010 4:21 PM, David Gillett wrote:
   We use several /20 and /21 VLANs across each campus, with traffic
generally routed only if it needs to reach another VLAN (or campus).

   We DON'T, at Aruba's recommendation, do that for our wireless services,
instead deploying them in multiple /24s (several assigned to each SSID).  If
I recall correctly, the thinking was that broadcasting every DHCP and ARP
request to every wireless client would leave little bandwidth for useful
content.  Breaking our wireless users up into /24 broadcast domains has
apparently kept this from becoming an issue.

   We've had four "broadcast storm" issues with this architecture, none
relating specifically to wireless:

1.  A component failed inside one of our switches, creating a network loop.
Spanning tree is supposed to detect and block that, but our equipment vendor
had recommended we turn it off on the theory that it was causing performance
issues we had been experiencing.  This was the classic loop =>  storm
scenario that one rarely actually sees, thanks to spanning tree, except that
the looping connection was a chip-level failure and not a mis-installed
cable.

2.  Lab staff discovered that re-imaging a lab full of computers with Ghost
took half as long if they turned on the "multicast" option.  Unfortunately,
without multicast routing, the network was delivering that imaging traffic
as a broadcast flood across the entire campus, taking out that VLAN.

3.  Someone tried to use the "Ettercap" tool to sniff our switched network.
It uses "local broadcast" (first octet of destination IP address = 0) to
deliver intercepted packets to their original destination, and that flood
took out the whole VLAN all across campus.

4.  We had a NIC fail in a Mac, such that it could no longer cache ARP
responses.  Someone tried to print a document to a printer just across the
room, and the broadcast ARP for every packet flooded that VLAN.

   We plan our next generation network deployment to use more routed
granularity and not to extend user device VLANs further than a building or
three.

David Gillett, CISSP CCNP
Sr. Security Engineer, Foothill-De Anza Community College District
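
A per-source triage script for the three non-loop storms in David's list, added here as an illustration and not code from any message in this thread. It runs over a constructed frame sample (not a real capture) and flags, per source MAC, a multicast flood like the Ghost imaging case, IP frames addressed to 0.x.x.x as in the Ettercap case, and a host that re-ARPs for every packet as in the failed-NIC case. The thresholds, MAC addresses, IP addresses and the frame-dict layout are assumptions made for the example.

```python
"""Per-source storm triage over a constructed frame sample.

Added example, not code from any message in this thread. Each frame is a
dict with t (seconds), src_mac, dst_mac and optionally dst_ip (IP frames)
or arp_target (ARP requests). Thresholds are assumptions for illustration.
"""
from collections import defaultdict
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_NET = ipaddress.ip_network("0.0.0.0/8")   # "local broadcast" destinations

# Assumed per-source, per-second thresholds; tune to your own baseline.
THRESHOLDS = {
    "broadcast": 200,          # L2 broadcast frames/s from one source
    "multicast": 200,          # L2 multicast frames/s from one source
    "local_broadcast_ip": 1,   # any IP frame to 0.x.x.x is abnormal
    "arp_same_target": 50,     # ARP requests/s from one source for one target
}


def is_multicast_mac(mac):
    """Group bit (LSB of the first octet) set, and not the all-ones broadcast."""
    return mac != BROADCAST_MAC and int(mac.split(":")[0], 16) & 1 == 1


def classify(frame):
    """Return the (category, target) pairs a single frame contributes to."""
    cats = []
    if frame["dst_mac"] == BROADCAST_MAC:
        cats.append(("broadcast", None))
    elif is_multicast_mac(frame["dst_mac"]):
        cats.append(("multicast", None))
    dst_ip = frame.get("dst_ip")
    if dst_ip and ipaddress.ip_address(dst_ip) in ZERO_NET:
        cats.append(("local_broadcast_ip", None))
    if frame.get("arp_target"):
        cats.append(("arp_same_target", frame["arp_target"]))
    return cats


def triage(frames, thresholds=THRESHOLDS):
    """Peak per-second count per (source MAC, category, target); return the
    ones at or above threshold, worst first."""
    buckets = defaultdict(int)
    for f in frames:
        for cat, target in classify(f):
            buckets[(f["src_mac"], cat, target, int(f["t"]))] += 1
    peak = {}
    for (src, cat, target, _sec), n in buckets.items():
        key = (src, cat, target)
        peak[key] = max(peak.get(key, 0), n)
    findings = [
        {"src_mac": src, "kind": cat, "target": target, "peak_pps": n}
        for (src, cat, target), n in peak.items()
        if n >= thresholds[cat]
    ]
    return sorted(findings, key=lambda x: -x["peak_pps"])


def sample_frames():
    """Constructed traffic, not a real capture: one quiet host plus the three
    non-loop offenders from the thread (imaging multicast, 0.x.x.x injection,
    per-packet ARP)."""
    frames = []
    for i in range(5):                       # quiet host: a few ARPs, unicast IP
        frames.append({"t": i * 0.4, "src_mac": "00:11:22:33:44:01",
                       "dst_mac": BROADCAST_MAC, "arp_target": "10.1.0.1"})
        frames.append({"t": i * 0.4 + 0.1, "src_mac": "00:11:22:33:44:01",
                       "dst_mac": "00:11:22:33:44:f1", "dst_ip": "10.1.0.1"})
    for i in range(1500):                    # imaging server, no multicast routing
        frames.append({"t": 1 + i / 1500, "src_mac": "00:11:22:33:44:02",
                       "dst_mac": "01:00:5e:01:02:03", "dst_ip": "239.1.2.3"})
    for i in range(300):                     # sniffer re-injecting to 0.x.x.x
        frames.append({"t": 1 + i / 300, "src_mac": "00:11:22:33:44:03",
                       "dst_mac": BROADCAST_MAC, "dst_ip": "0.1.0.25"})
    for i in range(400):                     # NIC that never caches ARP
        frames.append({"t": 2 + i / 400, "src_mac": "00:11:22:33:44:04",
                       "dst_mac": BROADCAST_MAC, "arp_target": "10.1.0.9"})
    return frames


if __name__ == "__main__":
    for finding in triage(sample_frames()):
        print(finding)
```

The per-source, per-second peak is the view worth keeping from this: a single misbehaving host shows up as one source MAC far above everyone else, whereas a loop of the kind in case 1 raises every source's broadcast count together, because the same frames keep circulating. In a real deployment the frame metadata would come from a SPAN session or flow samples on the core rather than the constructed list here.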


-----Original Message-----
From: Ding, Shiling [mailto:sd...@fsu.edu]
Sent: Tuesday, September 28, 2010 13:35
To: WIRELESS-LAN@listserv.educause.edu
Subject: [WIRELESS-LAN] /20 or /21 flat campus wide L2 vlan for 802.1x/Mobility feasible?


I posted with a gmail account before, but there is no response. Now I am
reposting w/ my edu account, and would really appreciate your opinion on
this.


Hi All,

We are thinking of migrating our captive portal wireless network to a dot1x
mobility wireless network.

Since we will need one or two years to totally migrate to an Aruba
controller-based wireless network (we have enough Aruba controllers, but not
enough Aruba APs to replace all of the fat APs/arrays), we are thinking of
having a /20 or /21 flat campus-wide layer 2 VLAN for the dot1x SSID supporting
mobility. For legacy fat APs/arrays, we will just use the dot1x provided by
the fat AP/array. For new thin Aruba APs with GRE back to the controllers, we
will use the controller-based Aruba dot1x authentication.

A big flat layer 2 VLAN is an attractive option. Roaming between Aruba APs will
be handled as L2 mobility. Roaming between an Aruba AP and a fat AP/array will
just need a reauthentication with dot1x.  This way, the user does not need to
type in a username/password, as with the captive portal, while roaming around.
The session may still break while roaming between a thin AP and a fat AP/array,
even though the user might get the same DHCP address.

Since we have to trunk the layer 2 VLAN to everywhere there is a fat
AP/array, this basically turns our routed core into a bridged core for that
VLAN. If there is a network storm in this VLAN, then all core routers, and thus
all campus units, will be affected. It would be a nightmare and a disaster.

Would you do a campus-wide /20 or /21 layer 2 user VLAN on your campus?

If you did it before, what are the lessons you learned from this approach?

Could you think of any scenario in which we might have a network loop causing
a network storm, given that we are using different wireless and wired
VLANs?

Since a wireless client can only associate with one AP, can we safely assume
that a loop from one AP to another AP through a wireless client is not possible?


Thanks,

Shiling


********************************
Shiling Ding
(850)645-6810
sd...@fsu.edu
Network Specialist
Information Technology Services
Florida State University
********************************



**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.



--
Heath Barnhart, CCNA
Network Administrator
Information Systems and Services
Washburn University
Topeka, KS 66621
