I guess I'll register as the odd man out in terms of our IP setup.

We've got a single /24 block of external addresses with our ISP. We probably 
use about half of them as 1:1 NAT for websites, Exchange, etc. All campus 
traffic is NAT'ted and PAT'ted out a single public IP. Our internal space is a 
"one VLAN per building" setup with a /19 or so of internal addresses set up on 
the DHCP server scope options for each VLAN. Our lease times are set at eight 
days (because why not?).

We have a firewall/UTM from $LargeVendor that does DPI and App-control to 
shut down P2P and other associated evils. Ever since we did that, the abuse 
letters have literally gone to zero.

Our buildings are not spaced in such a way that inter-VLAN roaming would be 
possible anyway.

Sent from a grassfire using smoke signals
________________________________
From: Coehoorn, Joel<mailto:jcoeho...@york.edu>
Sent: 5/5/2015 5:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Roaming

Do y’all have one vlan per building?

We have four wireless vlan zones (North, South, East, West).

Do you allow roaming over entire campus, per building or what?

The buildings in each zone are strategically chosen to avoid roaming 
problems... we don't have much outdoor coverage, so it would be hard to roam 
between the zones anyway. North and South are academic/administrative 
buildings, East and West are residential.

How large are your DHCP pools? What is the pool expiration time?

We use /21s with 8 day leases. However, it works out such that the vlans in 
each zone rarely have more active devices than you would with a /24. The larger 
address space and longer leases are so that clients generally have persistent 
IP addresses in each zone over time, even if they aren't actively using a 
lease. We do NAT everything, so maintaining address space for 4x our regular 
population isn't a problem.

How do y’all find these abusers?

We don't require any authentication to the wireless network. We want to be as 
welcoming to guests (especially alumni and admissions candidates) as possible. 
However, we do still track use based on IP only (hence the need for longer, 
persistent leases). This is a kind of double-blind strategy to avoid charges of 
favoritism in enforcement. Abuse is monitored at the internet gateway, using a 
product called Untangle NGFW. I can't say enough good things about that 
product, though we're a very small institution and it might not scale up for 
many others on this list. If/when abuse is detected, an enforcement 
determination is then made by the student development office... not by IT.

Only after the enforcement determination is made will we cross reference the 
IP/mac across all four zones, and force all four IPs to a captive portal page 
on the NGFW that requires authentication. We also convert the leases to 
reservations, and move the macs to a policy group in the policy trees such that 
internet service is highly degraded if the user chooses to attempt something 
like setting a static IP, but will operate normally if we have a username 
associated with it. This process isn't as much work as it sounds like.

The whole scheme was created initially because we haven't long had the ability 
to do vlan pools. We had to use zones to avoid everyone being in one big vlan, 
and each zone had exactly one vlan. We keep the scheme because it allows some 
natural isolation of residential traffic from the rest of the network.




Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu<mailto:jcoeho...@york.edu>




The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Tue, May 5, 2015 at 10:19 AM, Legge, Jeffry 
<jgle...@radford.edu<mailto:jgle...@radford.edu>> wrote:
Currently we allow roaming over our entire campus. Some buildings have their 
own vlan while others do not. Each year we have more devices and thus our DHCP 
pools are stressed. We are looking at changing our network design and giving 
each building their own vlan and larger DHCP pools. We currently have a class B 
of IPv4 internet addresses and will move to NAT. When students are abusing 
copyright etc. we are given an IP address and asked to determine who is doing 
the abusing. As students roam they could end up with multiple IP addresses and 
NATting will complicate the ability to find these abusers. I am curious about 
the following.

Do y’all have one vlan per building?

How large are your DHCP pools?

What is the pool expiration time?

Do you allow roaming over entire campus, per building or what?

How do y’all find these abusers?

Any thoughts will be appreciated.

-Jeff Legge
Radford University
540-250-5224
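The lookup chain the thread is discussing (abuse notice with public IP, port and time, through the PAT gateway's translation log to an internal IP, through the DHCP lease to a MAC, and then to every zone where that MAC currently holds a lease) as an added example; this is not code from either poster, from Untangle, or from the $LargeVendor UTM. The NAT log, the lease table, the zone names and the 8-day lease window are constructed sample data, and all timestamps are assumed to be in one time zone.

```python
from datetime import datetime, timedelta

LEASE_DAYS = timedelta(days=8)  # 8-day leases, as both posters describe
FMT = "%Y-%m-%d %H:%M:%S"


def ts(s):
    return datetime.strptime(s, FMT)

# Constructed sample logs (not from the thread). Campus traffic PATs out one public IP.
NAT_LOG = [  # (translation time, internal ip, internal port, public ip, public port)
    ("2015-05-05 10:02:11", "10.16.4.27",  51022, "203.0.113.10", 40001),
    ("2015-05-05 10:02:13", "10.16.9.140", 53311, "203.0.113.10", 40002),
    ("2015-05-05 10:02:20", "10.24.1.8",   61000, "203.0.113.10", 40001),  # port reused
]
LEASES = [  # (zone, ip, mac, lease start); a lease runs LEASE_DAYS from its start
    ("North", "10.16.4.27",  "aa:bb:cc:00:11:22", "2015-05-01 08:00:00"),
    ("North", "10.16.9.140", "aa:bb:cc:00:99:99", "2015-05-02 09:30:00"),
    ("East",  "10.24.1.8",   "aa:bb:cc:00:11:22", "2015-04-30 21:00:00"),
    ("West",  "10.28.7.77",  "aa:bb:cc:00:11:22", "2015-04-20 19:15:00"),  # expired
]


def internal_ip_for(public_ip, public_port, when):
    """Latest translation of this public ip:port at or before the notice time.
    PAT reuses source ports, so the most recent entry wins, not the first match."""
    candidates = [(ts(t), ip) for t, ip, _, pub, port in NAT_LOG
                  if pub == public_ip and port == public_port and ts(t) <= when]
    return max(candidates)[1] if candidates else None


def active_leases(when):
    """Leases whose window covers `when`, as (zone, ip, mac) tuples."""
    return [(z, ip, mac) for z, ip, mac, start in LEASES
            if ts(start) <= when < ts(start) + LEASE_DAYS]


def mac_for(ip, when):
    return next((mac for _, lip, mac in active_leases(when) if lip == ip), None)


def addresses_for(mac, when):
    """Every zone/IP the device holds right now: the set to redirect to the captive portal."""
    return sorted((z, ip) for z, ip, m in active_leases(when) if m == mac)


def trace(public_ip, public_port, notice_time):
    when = ts(notice_time)
    internal = internal_ip_for(public_ip, public_port, when)
    mac = mac_for(internal, when) if internal else None
    return {"internal_ip": internal, "mac": mac,
            "leases": addresses_for(mac, when) if mac else []}
```

The expired West lease drops out of the result, and a notice timed after the port was reused resolves to the second device, which is why the notice time must be matched against the translation log rather than the port alone.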


********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
