Good morning - We do not have this problem. We use RFC 1918 private address space, and NAT (PAT). Traffic is logged through our firewall, so we can account for any nefarious activity (Ya know, DMCA.)
I'm not sure I'm trying to start a big discussion as to the pros and cons of PAT, but I'm just suggesting that it's a solution that should not be overlooked. Our larger problem in this area had to do with our NAC. Bradford licenses their system based on number of registered users. And the skyrocketing of devices meant that we had to expand our license. And this translated into real dollars. Time to look hard at 802.1x once again! - Pete Hoffswell - Network Manager pete.hoffsw...@davenport.edu http://www.davenport.edu 616-732-1101 On Thu, Mar 8, 2012 at 9:09 AM, Street, Chad A <cstr...@emory.edu> wrote: > We do not use Aruba for DHCP. In general we use the wireless gear to > provide wireless -- all other services are offloaded to more robust > enterprise systems. > > The aruba system looks at dhcp and html to figure out what kind of device > it is, so it can tell the difference between an ipod and an iphone as they > have different 'html' signatures -- even if they are both running IOS5. > Trying to do this in dhcp without the aid of the aruba gear would be ... > very time consuming. > > > The aruba gear can leverage the 'fingerprinting' information and allow you > to assign device types to a particular vlan. Then you can modify that > vlan's dhcp settings to provide a lower lease time. You can take this a > step further and assign the smartphones to a unique role which can give > you flexibility on ACLs and bandwidth contracts. > > > > > On 3/7/12 2:14 PM, "Ken Connell" <kconn...@ryerson.ca> wrote: > > >Chad.... > > > >Who is your DHCP server ? Aruba ? > >I was wondering how you push them to a diff scope ? > > > > > >Ken Connell > >Intermediate Network Engineer > >Computer & Communication Services > >Ryerson University > >350 Victoria St > >RM AB50 > >Toronto, Ont > >M5B 2K3 > >416-979-5000 x6709 > > > >----- Original Message ----- > >From: "Street, Chad A" <cstr...@emory.edu> > >Date: Wednesday, March 7, 2012 1:24 pm > >Subject: Re: [WIRELESS-LAN] School blocks Wi-Fi access to smartphones to > >address IP usage issues > >To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > > > > > >> You do not have to pay extra for the device type identification; > >>however, > >> you do need to be on the 6.x code levels. With the device > >>fingerprinting, > >> you can easily push all the smartphones to a unique dhcp scope with > >>very > >> low lease times. > >> > >> Chad Street - Emory > >> > >> > >> On 3/7/12 12:57 PM, "Pham, Loc" <loc.p...@ucsfmedctr.org> wrote: > >> > >> > Marcelo, > >> > The Aruba feature that allow fingerprint on the devices, do you > >> have to > >> >pay extra for it to be functional ? > >> > > >> > I hope our Cisco BU is listening ;-))) > >> > > >> >Regards, > >> > > >> >Loc Pham, CCIE > >> >office 415-353-4492 > >> >IT Enterprise Security & Services > >> >UCSF Medical Center > >> > > >> >-----Original Message----- > >> >From: The EDUCAUSE Wireless Issues Constituent Group Listserv > >> >[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Marcelo Lew > >> >Sent: Thursday, February 02, 2012 10:17 AM > >> >To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > >> >Subject: Re: [WIRELESS-LAN] School blocks Wi-Fi access to > >> smartphones to > >> >address IP usage issues > >> > > >> >Smartphones were killing us this quarter. While we only have > >>3500-3800 > >> >concurrent daily users, we have about 6500 devices connected. Most > >> of > >> >these extra 3000 devices were smartphones that come online for less > >> than > >> >a minute, and then go idle again. With our 30m DHCP renew times, we > >> were > >> >exhausting our 5500 public IP pool for our main SSID. Instead of > >>moving > >> >to private space (which most likely we will in the near future), we > >> added > >> >6 more class c subnets. We are now NOT running out of IPs, at least > >> for > >> >a short while. We also thought of making the DHCP lease times very > >> short > >> >(like 5 minutes), but our DHCP admin is uncertain what issues might > >> arise > >> >from this. Another option we are thinking about, the new Aruba code > >> >allows fingerprinting devices before they are placed on a subnet, so > >> we > >> >could put all smartphones in specific subnets with short lease > >> times, and > >> >leave the rest of the devices (pads, netbook, notebooks, etc) on > >>regular > >> >subnets with average DHCP lease times. > >> > > >> >Marcelo Lew > >> >Wireless Enterprise Administrator > >> >University Technology Services > >> >University of Denver > >> >Desk: (303) 871-6523 > >> >Cell: (303) 669-4217 > >> >Fax: (303) 871-5900 > >> >Email: m...@du.edu > >> > > >> > > >> > > >> >-----Original Message----- > >> >From: The EDUCAUSE Wireless Issues Constituent Group Listserv > >> >[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jonn Martell > >> >Sent: Thursday, February 02, 2012 9:22 AM > >> >To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > >> >Subject: Re: [WIRELESS-LAN] School blocks Wi-Fi access to > >> smartphones to > >> >address IP usage issues > >> > > >> >I agree, the school newspaper only shows it from a user's perspective. > >> > "The smartphones are shutting down the network" while it's more "the > >> >network has run out of public address space and the use of private > >> >address space on this network is _______ " > >> > > >> >We all know the major flaw in using private address space is logging > >> and > >> >tracking but there are solutions to this. Shutting down access (by > >> MAC > >> >block ID?) would not be one of mine. > >> > > >> >Jonn Martell, speaking as a network instructor and Director but not > >> on > >> >behalf of the Universities I work at.... > >> > > >> >On Thu, Feb 2, 2012 at 8:00 AM, Frank Bulk <frnk...@iname.com> wrote: > >> >> http://www.vsuspectator.com/2012/02/02/outage-linked-to-usage/ > >> >> > >> >> Looks like VSU had to make some hard choices and is blocking Wi-Fi > >> >> access by smartphones. Not sure why they couldn't add another RFC > >> >> 1918 block, but I'm sure there's more going on than the school paper > >> >>shared. > >> >> > >> >> Frank > >> >> > >> >> ********** > >> >> Participation and subscription information for this EDUCAUSE > >> >>Constituent Group discussion list can be found at > >> >>http://www.educause.edu/groups/. > >> > > >> > > >> > > >> >-- > >> >-- > >> > > >> >********** > >> >Participation and subscription information for this EDUCAUSE > >>Constituent > >> >Group discussion list can be found at http://www.educause.edu/groups/ > . > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> >. > >> >********** > >> >Participation and subscription information for this EDUCAUSE > >>Constituent > >> >Group discussion list can be found at http://www.educause.edu/groups/ > . > >> > > >> >********** > >> >Participation and subscription information for this EDUCAUSE > >>Constituent > >> >Group discussion list can be found at http://www.educause.edu/groups/ > . > >> > >> > >> ________________________________ > >> > >> This e-mail message (including any attachments) is for the sole use of > >> the intended recipient(s) and may contain confidential and privileged > >> information. If the reader of this message is not the intended > >> recipient, you are hereby notified that any dissemination, distribution > >> or copying of this message (including any attachments) is strictly > >> prohibited. > >> > >> If you have received this message in error, please contact > >> the sender by reply e-mail message and destroy all copies of the > >> original message (including attachments). > >> > >> ********** > >> Participation and subscription information for this EDUCAUSE > >> Constituent Group discussion list can be found at > >>http://www.educause.edu/groups/. > >> > > > >********** > >Participation and subscription information for this EDUCAUSE Constituent > >Group discussion list can be found at http://www.educause.edu/groups/. > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/groups/. > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
