We use several /20 and /21 VLANs across each campus, with traffic generally routed only if it needs to reach another VLAN (or campus).
We DON'T, at Aruba's recommendation, do that for our wireless services, instead deploying them in multiple /24s (several assigned to each SSID). If I recall correctly, the thinking was that broadcasting every DHCP and ARP request to every wireless client would leave little bandwidth for useful content. Breaking our wireless users up into /24 broadcast domains has apparently kept this from becoming an issue.

We've had four "broadcast storm" issues with this architecture, none relating specifically to wireless:

1. A component failed inside one of our switches, creating a network loop. Spanning tree is supposed to detect and block that, but our equipment vendor had recommended we turn it off on the theory that it was causing performance issues we had been experiencing. This was the classic loop => storm scenario that one rarely actually sees, thanks to spanning tree, except that the looping connection was a chip-level failure and not a mis-installed cable.

2. Lab staff discovered that re-imaging a lab full of computers with Ghost took half as long if they turned on the "multicast" option. Unfortunately, without multicast routing, the network was delivering that imaging traffic as a broadcast flood across the entire campus, taking out that VLAN.

3. Someone tried to use the "Ettercap" tool to sniff our switched network. It uses "local broadcast" (first octet of destination IP address = 0) to deliver intercepted packets to their original destination, and that flood took out the whole VLAN all across campus.

4. We had a NIC fail in a Mac, such that it could no longer cache ARP responses. Someone tried to print a document to a printer just across the room, and the broadcast ARP for every packet flooded that VLAN.

We plan our next generation network deployment to use more routed granularity and not to extend user device VLANs further than a building or three.

David Gillett, CISSP CCNP
Sr. Security Engineer, Foothill-De Anza Community College District

-----Original Message-----
From: Ding, Shiling [mailto:[email protected]]
Sent: Tuesday, September 28, 2010 13:35
To: [email protected]
Subject: [WIRELESS-LAN] /20 or /21 flat campus wide L2 vlan for 802.1x/Mobility feasible?

I posted with a gmail account before, but there was no response. Now I am reposting with my edu account, and would really appreciate your opinion on this.

Hi All,

We are thinking of migrating our captive portal wireless network to a dot1x mobility wireless network. We will need one or two years to totally migrate to an Aruba controller-based wireless network: we have enough Aruba controllers, but not enough Aruba APs to replace all of the fat APs/arrays.

We are thinking of having a /20 or /21 flat campus-wide layer 2 VLAN for the dot1x SSID supporting mobility. For legacy fat APs/arrays, we will just use the dot1x provided by the fat AP/array. For new thin Aruba APs with GRE back to the controllers, we will use the controller-based Aruba dot1x authentication.

A big flat layer 2 VLAN is an attractive option. Roaming between Aruba APs will be handled as L2 mobility. Roaming between an Aruba AP and a fat AP/array will just need re-authentication with dot1x. This way, the user does not need to type in a username/password as in the captive portal while roaming around. The session may still break up while roaming between a thin AP and a fat AP/array, even if the user gets the same DHCP address.

Since we have to trunk the layer 2 VLAN to everywhere there is a fat AP/array, this basically turns our routed core into a bridged core for that VLAN. If there is a network storm in this VLAN, then all core routers, and thus all campus units, will be affected. It would be a nightmare and a disaster.

Would you do a campus-wide /20 or /21 layer 2 user VLAN on your campus? If you have done it before, what are the lessons you learned from this approach?

Could you think of any scenario in which we might have a network loop causing a network storm, given that we are using different wireless VLANs and wired VLANs? Since a wireless client can only associate with one AP, can we safely assume that a loop from one AP to another AP through a wireless client is not possible?

Thanks,
Shiling

********************************
Shiling Ding (850)645-6810 [email protected]
Network Specialist
Information Technology Services
Florida State University
********************************

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
**********
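A small triage script for the three storm signatures David lists (a NIC that ARPs for every packet, multicast imaging flooded through an unrouted L2 domain, and 0.0.0.0/8 "local broadcast" destinations), run over constructed packet summaries. This is an added example and not code from either poster; the record format, the sample addresses and the per-second thresholds are assumptions.

```python
"""Flag the broadcast-storm signatures from the thread in a packet summary.

Added example, not from the thread. Records are constructed tuples of
(timestamp_s, source MAC or IP, destination IP or None for ARP, protocol).
"""
from collections import defaultdict
from ipaddress import ip_address

ARP_REQ_LIMIT = 20    # assumed: ARP requests per source per one-second window
MCAST_LIMIT = 100     # assumed: multicast packets per source per one-second window

def rate_exceeded(times, limit, window=1.0):
    """True if any sliding window of `window` seconds holds more than `limit` events."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 > limit:
            return True
    return False

def classify(records):
    """Return sorted (finding, source) pairs for the three storm patterns."""
    arp_times = defaultdict(list)    # case 4: a NIC that ARPs for every packet
    mcast_times = defaultdict(list)  # case 2: multicast flooded in an unrouted L2 domain
    findings = set()
    for ts, src, dst, proto in records:
        if proto == "arp-request":
            arp_times[src].append(ts)
        elif proto == "ip":
            d = ip_address(dst)
            if int(d) >> 24 == 0:  # case 3: 0.0.0.0/8 "local broadcast" destination
                findings.add(("local-broadcast destination", src))
            elif d.is_multicast:
                mcast_times[src].append(ts)
    for src, times in arp_times.items():
        if rate_exceeded(times, ARP_REQ_LIMIT):
            findings.add(("arp request flood", src))
    for src, times in mcast_times.items():
        if rate_exceeded(times, MCAST_LIMIT):
            findings.add(("multicast flood", src))
    return sorted(findings)

# Constructed sample: one Mac ARPing per packet, one imaging host, one 0.x sender, one benign host.
SAMPLE = ([(i / 100, "00:11:22:33:44:55", None, "arp-request") for i in range(60)]
          + [(i / 500, "10.1.5.20", "239.1.1.1", "ip") for i in range(300)]
          + [(0.5, "10.1.5.77", "0.0.0.1", "ip"), (1.0, "10.1.5.9", "10.1.5.1", "ip")])
print(classify(SAMPLE))
```

On a real capture the same three checks can be fed from a tcpdump or NetFlow export; the thresholds should be set from the VLAN's normal baseline rather than the assumed values above.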
