Our approach has been to keep the APs within the Class C of the
building. We use Netreg to verify a user before they can actually get on
the net. We have, however, moved to a system called Ruckus due to its
ability to work with a controller or to be autonomous. The system has 19
antennas for a, b, g, and n in the 2.4 and 5 GHz ranges. Each antenna
can be separately VLANned and isolated. Another nice feature is that it
will mesh pretty painlessly for our use in campus-wide coverage.
We are planning to move to IPv6 and convert the entire wireless network; this
will give us more pinpoint control over where the user is and what
they are accessing, since we will be able to track where they are on
campus because of the meshing.
Harry Rauch
Sr. Network Analyst
Eckerd College
4200 - 54th Ave S
St. Petersburg, FL 33711
On 6/10/11 7:39 AM, Osborne, Bruce W wrote:
John,
1. I believe most (all?) wireless systems can bridge at the AP. If you
are using 802.1X, you would need to find some way to whitelist the AP
traffic, though. I know that Aruba APs can run in bridged mode, but
you lose some features because all enforcement occurs within the
limited resources of the thin AP. It is generally preferred to tunnel
the traffic back to the controller, when possible.
2. Whether you can block clients talking to each other depends on your
wireless system. I know Aruba has a built-in firewall and you can
block this traffic. I believe Cisco depends on the network
infrastructure for firewalls. One challenge for the system is blocking
peers talking to the same AP.
3. Roaming between APs and between buildings is very dependent on your
wireless system. We here at Liberty University have not yet designed
our mobility approach. Our current focus is implementing 802.1X
(finally!) and replacing our NAC system.
Regards,
Bruce Osborne
Wireless Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011
From: John Kaftan [mailto:[email protected]]
Sent: Thursday, June 09, 2011 12:35 AM
Subject: Re: Wireless design
Can that system bridge at the AP? We are going to have a secure
network and an open one. The secure network will be configured with
802.1x and will just dump people on the local VLAN of the building.
Once we have the network fully secure we will be fine with this. I
like this for performance reasons. The APs just become secure hubs.
We will also make sure that no clients can talk to each other on these
networks. We will try to drive all users to the secure network. The
secure network will also be NAC enabled.
The open network will tunnel back to the controller and bridge there,
which is required due to the captive portal.
The only possible snag here is roaming between buildings and between
802.1x APs. I have not tested and tweaked that yet.
John
----- Original Message -----
From: Mike King <[email protected]>
Date: Wednesday, June 8, 2011 9:29 pm
Subject: Re: [WIRELESS-LAN] Wireless design
To: [email protected]
> The real short answer is that it does not matter what the IP address
> of the AP is, as long as it has good stable communications with the
> controller.
> What I personally try to do is what you are proposing: put the
> APs for each building/floor on its own subnet.
> Good luck
> Mike
> On Wed, Jun 8, 2011 at 6:54 PM, Entwistle, Bruce
> <[email protected]> wrote:
> We will soon be migrating our wireless network from Cisco autonomous
> 1231 APs to a combination of Cisco 3502i along with some of the
> existing 1231 APs converted to lightweight. As we prepare for this
> we are looking at how to best architect the new network. The new
> network will cover the entire campus, which consists of approx 50
> buildings, with each building having its own VLAN.
> The initial idea was to install the APs so the IP address of the AP
> would be a part of the local building VLAN. This is the IP the AP
> would use to talk back to the controller. For user connections there
> would be two VLANs created which would be accessed through a single
> SSID. The users would then be dynamically assigned to one of the two
> VLANs based on their logon credentials. Currently all users are
> placed on the same VLAN after authentication, as our current
> installation is not capable of dynamic VLAN assignment. There is
> currently only a single SSID in place.
> I would be interested to know what others have done and how successful
> it was.
> Thank you
> Bruce Entwistle
> Network Manager
> University of Redlands
> ********** Participation and subscription information for this
EDUCAUSE Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
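The dynamic VLAN assignment Bruce Entwistle describes (one SSID, with the VLAN chosen from the logon credentials) is carried by three RADIUS tunnel attributes in the 802.1X Access-Accept. As an added example that is not part of this thread or any vendor's code, the Python below encodes those attributes the way a RADIUS server would and decodes them the way a controller should, refusing an incomplete set rather than falling back to a default VLAN; the group-to-VLAN mapping and the use of tag 0 are assumptions.

```python
# RADIUS tunnel attributes (RFC 2868) that an 802.1X Access-Accept
# carries to put a client on a VLAN (RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13         # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6    # Tunnel-Medium-Type = IEEE-802
# Constructed policy (an assumption, not from the thread): group -> VLAN id.
GROUP_TO_VLAN = {"faculty": 10, "student": 20}


def tunnel_attr(attr_type, value, tag=0):
    """Encode one tagged attribute as Type, Length, Tag, Value (RFC 2868).
    Tagged integers are 3 bytes; Tunnel-Private-Group-ID is a string."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = value.to_bytes(3, "big") if isinstance(value, int) else value.encode("ascii")
    payload = bytes([tag]) + body
    if len(payload) + 2 > 255:
        raise ValueError("attribute too long")
    return bytes([attr_type, len(payload) + 2]) + payload


def vlan_reply_attributes(group):
    """Access-Accept attributes for a user in `group`. Unknown groups raise
    KeyError so nobody silently lands on the controller's default VLAN."""
    vlan = GROUP_TO_VLAN[group]
    return (tunnel_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tunnel_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))


def parse_attributes(blob):
    """Decode a run of RADIUS attributes into {(type, tag): value}."""
    out, i = {}, 0
    while i < len(blob):
        # A missing length byte is treated as length 0 and rejected below.
        atype, alen = blob[i], blob[i + 1] if i + 1 < len(blob) else 0
        if alen < 3 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        tag, body = blob[i + 2], blob[i + 3:i + alen]
        is_int = atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE)
        out[(atype, tag)] = int.from_bytes(body, "big") if is_int else body.decode("ascii")
        i += alen
    return out


def assigned_vlan(blob, tag=0):
    """Controller-side check: VLAN id only when the tagged trio is complete
    and says VLAN over IEEE 802; anything else yields None."""
    attrs = parse_attributes(blob)
    if (attrs.get((TUNNEL_TYPE, tag)) != TUNNEL_TYPE_VLAN
            or attrs.get((TUNNEL_MEDIUM_TYPE, tag)) != TUNNEL_MEDIUM_IEEE_802):
        return None
    gid = attrs.get((TUNNEL_PRIVATE_GROUP_ID, tag))
    return int(gid) if isinstance(gid, str) and gid.isdigit() else None
```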