Bruce,

We install our APs in the same subnet as our users (for reasons mentioned by others as well: it seems that rogue detection works better on the wire side that way), but with private IP addresses. The gateway has two subnets (one primary and one secondary). Primary is for users, secondary is for APs and switches. Since our APs do DHCP, we have a rule in our DHCP server that hands specific leases to our APs based on the OUI of our AP vendor. That way we don't consume publicly addressable IP addresses for 2500 APs!

This said, in the near future the concept of locating APs in the user subnet (when I mention subnet, I mean the layer two domain, not the strict IP subnet) will become difficult, since we plan to have something like 3-5 user subnets per building (based on the user classification that we end up with). When it comes to wireless user subnets, we completely rely on GRE tunnels that go back to the controllers and we do the Aruba VLAN pooling for each SSID. The MAC address based SSID doesn't let users access sensitive apps; the 802.1x SSID does. In the future, we plan to go to a more role based networking approach, where user attributes decide what they can do more than IP addresses. (IP addresses will always be involved of course, but in a more dynamic way.)

Best,

Philippe Hanset
Univ. of TN
http://www.eduroamus.org

On Jun 8, 2011, at 6:54 PM, Entwistle, Bruce wrote:

We will soon be migrating our wireless network from Cisco autonomous 1231 APs to a combination of Cisco 3502i along with some of the existing 1231 APs converted to lightweight. As we prepare for this we are looking at how to best architect the new network. The new network will cover the entire campus, which consists of approx 50 buildings, with each building having its own VLAN. The initial idea was to install the APs so the IP address of the AP would be a part of the local building VLAN. This is the IP the AP would use to talk back to the controller. For user connections there would be two VLANs created which would be accessed through a single SSID. The users would then be dynamically assigned to one of the two VLANs based on their logon credentials. Currently all users are placed on the same VLAN after authentication, as our current installation is not capable of dynamic VLAN assignment. There is currently only a single SSID in place. I would be interested to know what others have done and how successful it was.

Thank you
Bruce Entwistle
Network Manager
University of Redlands

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. **********
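An ISC dhcpd configuration implementing the OUI-based split Philippe describes above, where APs and users share one layer-two domain but APs are leased private addresses from the gateway's secondary subnet. This is an added example, not configuration from either poster; the vendor OUI 00:11:22, the building's 192.0.2.0/24 user range and the 10.20.0.0/24 AP range are placeholders.

```conf
# Placeholder OUI: replace with the AP vendor's real 3-byte prefix.
# 'hardware' is the hardware-type byte followed by the client MAC, so
# bytes 1..3 are the OUI.
class "ap-vendor" {
    match if substring(hardware, 1, 3) = 00:11:22;
}

# One shared-network per building: both subnets live on the same
# layer-two domain, matching the gateway's primary/secondary addresses.
shared-network building-a {

    # Primary subnet (placeholder public range): user devices only.
    # Denying the AP class keeps infrastructure out of the public pool.
    subnet 192.0.2.0 netmask 255.255.255.0 {
        pool {
            deny members of "ap-vendor";
            range 192.0.2.100 192.0.2.250;
            option routers 192.0.2.1;
            option domain-name-servers 192.0.2.53;
        }
    }

    # Secondary subnet (private, RFC 1918): APs and switches only.
    # Only the AP class may draw from this pool, so a user device that
    # happens to be on the same wire never lands in the management range.
    subnet 10.20.0.0 netmask 255.255.255.0 {
        pool {
            allow members of "ap-vendor";
            range 10.20.0.10 10.20.0.200;
            option routers 10.20.0.1;
            option domain-name-servers 10.20.0.53;
            # Longer leases for infrastructure that never moves.
            default-lease-time 86400;
            max-lease-time 172800;
        }
    }
}
```

Because an OUI is trivially spoofable, the class match only saves address space and tidies the addressing plan; it is not an access control, and the wire-side rogue detection and 802.1X mentioned in the thread remain the controls that matter.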
