On Fri, Oct 10, 2003 at 01:08:54PM -0400, Philippe Hanset wrote:
> Chris,
>
> that's an interesting concept, that BYOW
> (Bring Your Own WIFI)
>
> #Did it create itself over time because the campus never decided
> on a centralized deployment?

Pretty much.

> #How do you learn about popping APs?
> ARP discoveries, Driving around with WIFI-Sniffers,
> A policy about WIFI on campus?

Yes. :)

We have some security guys who walk around with a big antenna on a stick connected to a little palmtop running Kismet or NetworkStumbler or somesuch.

Our central IT department provides services to departments, however. We are not the central "authority", per se, so we have to work *with* departments to solve problems. We don't have any form of jurisdiction outside of our own networks. (Some departments contract with us to provide their infrastructure, others do not.)

> # How do you accomplish roaming, channel management (or interferences
> management)
> ?

Cooperation.

We have a single SSID we use for the campus wireless network. We try to discourage people from using that name unless their APs are connected to our firewall system.

As for roaming, we try to make the vLANs used for wireless as large as possible. The upside is that we increase the roaming area, but there are several downsides:

- We have Cisco 1900s at the edge, and they have a CAM table limit of about 1000 MAC addresses *total*. The 1900 sees every wireless client MAC address, so we have to watch the limits (or move the APs to a different kind of switch).

- The firewall is at the border between the wireless vLAN and the campus network. That means that unauthenticated clients still have access to the entire vLAN. (This is one reason that we augment the service with a VPN service.)

This is why I would like to have APs that do GRE or IPSec tunnelling. In either case, the actual traffic would pass through the outdated infrastructure (we're doing an upgrade to our wired net) without being "seen".

Another thing we've looked at is using something like a Soekris box (www.soekris.com) or a mini-ITX with multiple LAN ports to segment the wireless vLANs and push the access control further toward the APs. That would allow us to use cheaper APs, move control toward the center, etc., but it would also bypass some of the problems with our architecture. We can also bridge the vLANs together at the central server.

> # Do you charge a special fee for Wireless VLAN or you leave it free
> as an incentive for people to report their APs?

We charge a fee for installing our network jacks in departmental space (we call it "Etherjack service"). That's the only fee for connecting up.

Some departments have chosen to build their own firewall and use the software we built. That's okay too, since it provides the users with the same look-and-feel. The only downside is that they're on a separate vLAN, but there are ways to fix that too.

Chris -)-----

--
Christopher R. Hertel -)----- University of Minnesota
[EMAIL PROTECTED] Networking and Telecommunications Services
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/cg/.
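The walk-around AP survey and the single-SSID convention described in the message above, as an added example that is not part of the original thread: a small audit over constructed Kismet-style scan records, assuming a placeholder campus SSID and a hand-made registry of the APs that sit behind the campus firewall. It flags APs advertising the campus SSID that are not registered, unregistered APs under other names, and unregistered APs whose 2.4 GHz channel overlaps a registered one.

```python
# Added example, not code from the original thread. All names and data below
# are constructed for illustration.

CAMPUS_SSID = "campus-wifi"  # placeholder for the real campus SSID

# Constructed registry: BSSID -> channel, for APs behind the campus firewall.
REGISTERED_APS = {
    "00:40:96:aa:00:01": 1,
    "00:40:96:aa:00:02": 6,
    "00:40:96:aa:00:03": 11,
}

# Constructed, simplified scan output in "ssid,bssid,channel" form, roughly
# what a walk-around with Kismet or a stumbler tool might export.
SCAN_LINES = """\
campus-wifi,00:40:96:aa:00:01,1
campus-wifi,00:40:96:aa:00:02,6
campus-wifi,00:40:96:aa:00:03,11
campus-wifi,00:02:2d:be:ef:01,6
deptlab,00:02:2d:be:ef:02,3
"""


def parse_scan(text):
    """Parse constructed scan lines into (ssid, bssid, channel) tuples."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, chan = line.split(",")
        aps.append((ssid.strip(), bssid.strip().lower(), int(chan)))
    return aps


def audit(aps, registered=REGISTERED_APS, campus_ssid=CAMPUS_SSID):
    """Return spoofed campus-SSID APs, other unregistered APs, and overlaps."""
    spoofed = [b for s, b, _ in aps if s == campus_ssid and b not in registered]
    unregistered = [(s, b) for s, b, _ in aps
                    if s != campus_ssid and b not in registered]
    # 2.4 GHz channels fewer than 5 apart overlap (1, 6, 11 are the clean set),
    # so an unregistered AP within 4 channels of a registered one interferes.
    interference = []
    for _, b, ch in aps:
        if b in registered:
            continue
        for rb, rch in registered.items():
            if abs(ch - rch) < 5:
                interference.append((b, ch, rb, rch))
    return {"spoofed": spoofed, "unregistered": unregistered,
            "interference": interference}
```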
