We keep our APs on separate vlan/ip space and users on subnets that are 
"wireless traffic" only. 
If there are issues with a particular user I know from ip address right away if 
they are wired or wireless. 
Plus having the wired and wireless users share the same IP space allows them to 
"poke around" and cause havoc on each other. 
  

Many of our wired user vlans are behind firewalls and VRFs which can be 
troublesome to troubleshoot if APs are down or can't tunnel back to the 
controller, and since I don't have access to the firewalls (diff team) I'd 
rather not have to traverse them. 



   
Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709


-----Original Message-----
From: Craig Simons <craigsim...@sfu.ca>
Sender: The EDUCAUSE Wireless Issues Constituent Group Listserv
 <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thu, 09 Jun 2011 14:30:50 
To: <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Reply-to: Craig Simons <craigsim...@sfu.ca>
Subject: Re: [WIRELESS-LAN] Wireless design

Bruce, 

For administrative reasons, we find it very helpful to have all our wireless 
users contained to "wireless only" IP ranges. This way, we can configure our 
IPS/IDS sensors, packet inspectors, etc. to keep a more suspicious eye on 
wireless users (i.e. unmanaged, potentially dirty laptops). We also don't have 
to worry about ensuring there are enough free IP addresses in each particular 
location to handle any potential transient surges (like during a large 
conference for example). 

Regards, 
Craig 



SFU SIMON FRASER UNIVERSITY 
Network Services 

Craig Simons 
Network and Systems Administrator 

Phone: 778-782-8036 
Cell: 604-649-7977 
Email: craigsim...@sfu.ca 
Twitter: simonscraig 


----- Original Message -----
From: "Mike King" <m...@mpking.com> 
To: WIRELESS-LAN@listserv.educause.edu 
Sent: Wednesday, 8 June, 2011 18:15:06 
Subject: Re: [WIRELESS-LAN] Wireless design 

The real short answer is that it does not matter what the IP address of the AP 
is, as long as it has good stable communications with the controller. 


What I personally try to do is what you are proposing, put the APs for each 
building/floor in its own subnet. 


Good luck 


Mike 


On Wed, Jun 8, 2011 at 6:54 PM, Entwistle, Bruce <bruce_entwis...@redlands.edu> wrote: 






We will soon be migrating our wireless network from Cisco autonomous 1231 APs 
to a combination of Cisco 3502i along with some of the existing 1231 APs 
converted to lightweight. As we prepare for this we are looking at how to best 
architect the new network. The new network will cover the entire campus which 
consists of approx 50 buildings, with each building having its own VLAN. 



The initial idea was to install the APs so the IP address of the AP would be a 
part of the local building VLAN. This is the IP the AP would use to talk back 
to the controller. For user connections there would be two VLANs created which 
would be accessed through a single SSID. The users would then be dynamically 
assigned to one of the two VLANs based on their logon credentials. Currently 
all users are placed on the same VLAN after authentication, as our current 
installation is not capable of dynamic VLAN assignment. There is currently only 
a single SSID in place. 



I would be interested to know what others have done and how successful it was. 





Thank you 

Bruce Entwistle 

Network Manager 

University of Redlands 



********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/ . 



