Re: [WISPA] l2tp tunnels for AP mobility
On Sat, 20 Sep 2008, Rogelio wrote:

> I would encourage you to seriously test one out before you balk at the price. Hit me offline, and I'll give you my cell phone. I can tell you more about these little doodads than you'll ever care to know!

What about standards compliance? Are they compatible with 802.11x?

--
* Butch Evans                   * Professional Network Consultation *
* Network Engineering           * MikroTik RouterOS                 *
* 573-276-2879                  * ImageStream                       *
* http://www.butchevans.com/    * StarOS and MORE                   *
* http://blog.butchevans.com/   * Wired or wireless Networks        *
* Mikrotik Certified Consultant * Professional Technical Trainer    *

WISPA Wants You! Join today!
http://signup.wispa.org/

WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] l2tp tunnels for AP mobility
Butch Evans wrote:

> What about standards compliance? Are they compatible with 802.11x?

Neither 802.1x nor 802.11 compliance is a problem on BelAir gear (not completely sure which one you meant).

http://www.belairnetworks.com/resources/

I've got access to manuals (that aren't available publicly), if you'd like for me to shoot you those offline.
Re: [WISPA] l2tp tunnels for AP mobility
It's easy if your APs support multiple SSID and VLAN tagging per SSID. We have 10 VLAN/SSID combinations for various agencies such as Fire, Sheriff, local PD, nearby city PD, city inspectors, etc. These VLANs run over our Canopy network to our headend and show up on individual ports on our core switch. Works very well.

__
Jerry Richardson
airCloud Communications

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogelio
Sent: Friday, September 19, 2008 9:03 PM
To: WISPA General List
Subject: [WISPA] l2tp tunnels for AP mobility

I'm planning out a very large wifi rollout for a cable company, and I'm looking to use L2TP tunnels in order to flatten the entire network so that there are mobility options with some mission critical stuff that runs on one SSID. Anyone else have any advice when doing this? I've got Cisco routers and switches in between my remote access points and local DHCP / RADIUS boxes that (in theory) allow for this to happen seamlessly, but am looking for any gotchas that others may have had.
Re: [WISPA] l2tp tunnels for AP mobility
On Fri, 19 Sep 2008, Rogelio wrote:

> So, I have about 50 access points in various remote places, and when people connect to one SSID at each of those, they will be L2TP tunneled back to my local network where I can authenticate them via RADIUS and give them an address via DHCP.

I understand now. What kind of AP is it?

> When the workers leave one site and cruise on over to another site, they will connect to the same SSID (different access point, of course) and L2TP tunnel back to the same RADIUS / DHCP server that they did at the previous site.

Do the end users do the L2TP tunnel or are you wanting the AP/router to do this? There are several ways to accomplish this, depending on the capabilities of the clients, APs or routers in the middle.

--
Butch Evans
Re: [WISPA] l2tp tunnels for AP mobility
Jerry Richardson wrote:

> It's easy if your APs support multiple SSID and VLAN tagging per SSID. We have 10 VLAN/SSID combinations for various agencies such as Fire, Sheriff, local PD, nearby city PD, city inspectors, etc. These VLANs run over our Canopy network to our headend and show up on individual ports on our core switch. Works very well.

Yeah, I can support up to 16 SSIDs and way more VLANs than I'll ever need.

Someone else suggested putting all the unauthorized SSID traffic on one VLAN, and then when they authenticate to RADIUS, switching them over to another VLAN. You do anything like this?
Re: [WISPA] l2tp tunnels for AP mobility
Butch Evans wrote:

> I understand now. What kind of AP is it?

BelAir BA100s (dual radios) and BA200s (quad radios), some of which are meshed together. Many of the BA200 units will have ethernet or fiber egress.

> Do the end users do the L2TP tunnel or are you wanting the AP/router to do this? There are several ways to accomplish this, depending on the capabilities of the clients, APs or routers in the middle.

The AP/routers will take care of everything in a manner that is completely transparent to the users.

I'm concerned less about how to do it (I could go through the motions with the Cisco gear in between) and am more interested in hearing others' experiences, tips, and best practices. What I do here on this project, I would ideally like to replicate for a project I'm working on in Africa.
Re: [WISPA] l2tp tunnels for AP mobility
On Sat, 20 Sep 2008, Rogelio wrote:

> BelAir BA100s (dual radios) and BA200s (quad radios), some of which are meshed together. Many of the BA200 units will have ethernet or fiber egress.

Ok. No specific experience with those, but of the type of network you are building, I do have experience.

> The AP/routers will take care of everything in a manner that is completely transparent to the users.

This is most certainly the easiest method.

> I'm concerned less about how to do it (I could go through the motions with the Cisco gear in between) and am more interested in hearing others' experiences, tips, and best practices.

Well, without knowing more about the network, it's hard to give any real advice, but you are familiar with the design parameters that make a good network. You may think about DHCP Relay, too. This would make it so the network does not have to be flat, unless there are other factors that require it.

In the deployments I've done with similar designs, most are running fine, still. There is one instance where the original design needs to be redone because the parameters I was given were WAY under what they ended up with. I was given a total number of hosts to be 50 and they now are running with 360+ hosts. YIKES! Either way, I have used VLAN for this type of thing, L2TP and even (only once) EoIP. All 3 do what we needed to do, so the design choice you mention should hold up well. My only advice is to watch the number of hosts that will sit on a bridged segment, ESPECIALLY the wireless portion of that segment. Wireless is not always as forgiving of bad network design choices as hard wired ethernet. :-)

--
Butch Evans
Re: [WISPA] l2tp tunnels for AP mobility
Butch Evans wrote:

> In the deployments I've done with similar designs, most are running fine, still. There is one instance where the original design needs to be redone because the parameters I was given were WAY under what they ended up with. I was given a total number of hosts to be 50 and they now are running with 360+ hosts. YIKES! Either way, I have used VLAN for this type of thing, L2TP and even (only once) EoIP. All 3 do what we needed to do, so the design choice you mention should hold up well.

Not a problem on the BelAir units. There are two cool features on the BelAir units that I use to filter out crap traffic at the layer two level.

(a) secure port mode: once enabled, prevents wireless clients associated with different APs from communicating with each other

(b) wireless bridging: once disabled, wireless clients on an AP cannot talk to other wireless clients on that same AP (they can only go OUT to the Internet).

When I want everything on a big flat network and don't want to properly VLAN everything, then I just (a) enable secure port mode and (b) disable wireless bridging. The commands for each are as follows:

(a) /interface/wifi-n-1/setssidssid_index secure-port enabled
(b) /interface/wifi-n-1/setssidssid_index wireless-bridge disabled

I know BelAir admins who have *giant* flat networks out there (seriously, like 10x bigger than any of my networks) with just these two settings, and they can take enormous layer 2 traffic pounding in broadcast traffic without missing a beat.

If, however, I'm just itching to VLAN tag everything I might consider doing something like the following:

(1) on my router, associate IP addresses with these VLAN tags. These, of course, will be separate broadcast domains:

e.g.
VLAN 1: 192.168.1.0/24
VLAN 2: 192.168.2.0/24
VLAN 3: 192.168.3.0/24

(2) assign two SSID to every BelAir AP, one hidden and one visible

(3) on whatever arbitrary groups of hidden SSID tags for each BelAir access point, I assign a VLAN ID tag

e.g.
AP1-AP5: CityWifi (hidden) - VLAN 1
AP6-AP10: CityWifi (hidden) - VLAN 2
Etc, etc

(4) And on *all* the visible roaming ones, I assign ONE VLAN tag.

AP1-AP10: CityWifi-roaming (shown) - VLAN 3

Step (3) ensures that broadcast traffic (say those who are connected via Ruckus) only affects the VLAN assigned to that group of APs; step (4) assures that people running around the neighborhood don't lose connectivity (i.e. their IP address doesn't change, even when they switch from AP to AP, they keep their same 192.168.3.0/24 address).

Planning out these steps is more time intensive than just writing those other two commands on the BelAir units. However, they really give you a lot more flexibility and control on your network, which you may want at a later time...

> My only advice is to watch the number of hosts that will sit on a bridged segment, ESPECIALLY the wireless portion of that segment. Wireless is not always as forgiving of bad network design choices as hard wired ethernet. :-)

Do you have these features on other wireless solutions that you deal with?
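The SSID/VLAN plan in steps (1) to (4) above can be checked before it is pushed to the APs. This is an added example, not part of the original post and not BelAir tooling: `build_plan`, `check_plan` and `ROAMING_SSID` are hypothetical names, the plan rows are constructed from the post's numbering, and the host counts are constructed, using the 50-versus-360+ figure from earlier in the thread as a growth test.

```python
import ipaddress
from collections import defaultdict

# Constructed data mirroring the post's example numbering.
VLAN_SUBNETS = {1: "192.168.1.0/24", 2: "192.168.2.0/24", 3: "192.168.3.0/24"}
ROAMING_SSID = "CityWifi-roaming"  # visible SSID, step (4)

def build_plan(n_aps=10, group_size=5, roaming_vlan=3):
    """Rows of (ap, ssid, hidden, vlan): hidden SSID per AP group, one roaming SSID."""
    plan = []
    for i in range(1, n_aps + 1):
        plan.append((f"AP{i}", "CityWifi", True, (i - 1) // group_size + 1))
        plan.append((f"AP{i}", ROAMING_SSID, False, roaming_vlan))
    return plan

def check_plan(plan, subnets, expected_hosts):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {vid: ipaddress.ip_network(cidr) for vid, cidr in subnets.items()}
    vids = sorted(nets)
    # Step (1): each VLAN is a separate broadcast domain, so subnets must not overlap.
    for i, a in enumerate(vids):
        for b in vids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} and VLAN {b} subnets overlap")
    hidden_flags = defaultdict(list)
    roaming_vlans = set()
    for ap, ssid, hidden, vlan in plan:
        hidden_flags[ap].append(hidden)
        if vlan not in nets:
            problems.append(f"{ap}/{ssid}: VLAN {vlan} has no subnet")
        if ssid == ROAMING_SSID:
            roaming_vlans.add(vlan)
    # Step (2): exactly one hidden and one visible SSID on every AP.
    for ap, flags in hidden_flags.items():
        if sorted(flags) != [False, True]:
            problems.append(f"{ap}: needs one hidden and one visible SSID")
    # Step (4): the roaming SSID must sit on ONE VLAN, or clients change IP between APs.
    if len(roaming_vlans) != 1:
        problems.append(f"roaming SSID spans VLANs {sorted(roaming_vlans)}")
    # Host growth (the 50 -> 360+ case in the thread) against usable addresses.
    for vid, hosts in expected_hosts.items():
        if vid in nets and hosts > nets[vid].num_addresses - 2:
            usable = nets[vid].num_addresses - 2
            problems.append(f"VLAN {vid}: {hosts} hosts exceed {usable} usable addresses")
    return problems

if __name__ == "__main__":
    print(check_plan(build_plan(), VLAN_SUBNETS, {1: 50, 2: 50, 3: 360}))
```

Because every roaming client lands on the single roaming VLAN, that subnet is the one whose host count needs watching as the deployment grows.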
Re: [WISPA] l2tp tunnels for AP mobility
On Sat, 20 Sep 2008, Rogelio wrote:

> Do you have these features on other wireless solutions that you deal with?

In many ways, Mikrotik can do some of the same thing. It's a matter of proper design in both wireless configuration and firewall (even on the bridge). Much of this functionality can be configured using various tunneling technologies in MT as well. Most of the real work in MT is left to the administrator in terms of proper configuration and design. To me, adding some little bit of complexity is a good tradeoff for configurability (two words that are almost always mutually exclusive in the gear we all use).

The specific featureset you mention looks very complete. What is the cost on an AP? Is it standard 802.11a/b/g clients? I am always looking for good solutions like this.

--
Butch Evans
Re: [WISPA] l2tp tunnels for AP mobility
Butch Evans wrote:

> In many ways, Mikrotik can do some of the same thing. It's a matter of proper design in both wireless configuration and firewall (even on the bridge). Much of this functionality can be configured using various tunneling technologies in MT as well. Most of the real work in MT is left to the administrator in terms of proper configuration and design. To me, adding some little bit of complexity is a good tradeoff for configurability (two words that are almost always mutually exclusive in the gear we all use).
>
> The specific featureset you mention looks very complete. What is the cost on an AP? Is it standard 802.11a/b/g clients? I am always looking for good solutions like this.

The access points are quite expensive: ~$5K retail for dual radio and ~$10K retail for quad radios. That alone turns a lot of people off the product, for better or worse.

I can speak from experience that these radios are extremely durable (NEMA 4x) and high performing (very sensitive and modulate at low RSSI levels). I was just out with some of the field Wayport guys, and their heat maps on the radio I brought (with a 6 dBi antenna) blew their mind.

A few weeks ago, I covered 200+ hotel rooms in Orlando, FL (6 Mbps of goodput through the windows) with one strategically placed AP outside with the same 6 dBi antenna. This last week, I covered 90% of a long wing with one access point in a camp that I tested in the Arctic circle.

Others I work with claim that they are 7 dB better than Cisco, but I have yet to confirm. I can, however, confirm that I've gotten a continuous ping on as low as -83 dBm. Now when I test, I look for around -75 dBm for the average casual web surfer. If I get that, I'm cool. I just have to laugh at the Cisco docs that say that you gotta have (if I remember right) -60 dBm.

I would encourage you to seriously test one out before you balk at the price. Hit me offline, and I'll give you my cell phone. I can tell you more about these little doodads than you'll ever care to know!
Re: [WISPA] l2tp tunnels for AP mobility
On Fri, 19 Sep 2008, Rogelio wrote:

> I'm planning out a very large wifi rollout for a cable company, and I'm looking to use L2TP tunnels in order to flatten the entire network so that there are mobility options with some mission critical stuff that runs on one SSID. Anyone else have any advice when doing this? I've got Cisco routers and switches in between my remote access points and local DHCP / RADIUS boxes that (in theory) allow for this to happen seamlessly, but am looking for any gotchas that others may have had.

Perhaps I'm missing something, but what does the tunnel have to do with the single SSID? Maybe that's not what you meant, but I'm stuck with trying to figure out how they're related. :-( What is the "this" that you are looking for advice on?

--
Butch Evans
Re: [WISPA] l2tp tunnels for AP mobility
Butch Evans wrote:

> perhaps I'm missing something, but what does the tunnel have to do with the single SSID? Maybe that's not what you meant, but I'm stuck with trying to figure out how they're related. :-( What is the this that you are looking for advice on?

So, I have about 50 access points in various remote places, and when people connect to one SSID at each of those, they will be L2TP tunneled back to my local network where I can authenticate them via RADIUS and give them an address via DHCP.

When the workers leave one site and cruise on over to another site, they will connect to the same SSID (different access point, of course) and L2TP tunnel back to the same RADIUS / DHCP server that they did at the previous site.