We use several separate subnets for wireless clients and use some RADIUS custom 
hooks (We use a combination of RADIATOR and SBR) to dynamically assign clients 
to the subnets.

Our APs themselves are addressed using RFC1918 space on a separate VLAN routed 
out each routing hub.


-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu
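The dynamic assignment Neil describes (RADIUS hooks placing a client on a subnet) and the "VLAN by logon credentials" design Bruce Entwistle asks about further down the thread are both normally carried in the RADIUS Access-Accept as the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). The Python below is an added example, not code from the thread or from RADIATOR or SBR; the group names, VLAN numbers and the quarantine fallback are constructed for illustration, while the attribute numbers and enumeration values are the standard ones from RFC 2868 and RFC 3580.

```python
"""Added example (not from the thread): how a RADIUS server tells a wireless
controller which VLAN an authenticated 802.1X client belongs on. The server
returns three RFC 2868/3580 tunnel attributes in its Access-Accept; the
controller (the NAS) reads them and places the client on that VLAN.

Group names, VLAN ids and the quarantine fallback are constructed for the
example; the attribute types and enum values are the standard ones.
"""
import struct

# Standard RADIUS attribute types (RFC 2868) and enumerations (RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed policy: directory group -> VLAN id. Anyone not in a listed group
# lands on a restricted VLAN rather than a default "everyone" VLAN, so an
# unexpected group membership never grants network access by accident.
GROUP_TO_VLAN = {"staff": 100, "students": 200}
QUARANTINE_VLAN = 999
ALLOWED_VLANS = set(GROUP_TO_VLAN.values()) | {QUARANTINE_VLAN}


def choose_vlan(groups):
    """Map a user's group list to a VLAN; the first matching group wins and
    users with no matching group go to the quarantine VLAN."""
    for g in groups:
        if g in GROUP_TO_VLAN:
            return GROUP_TO_VLAN[g]
    return QUARANTINE_VLAN


def _tagged_int(attr_type, value, tag=1):
    # Tagged integer AVP: type, length (6), tag byte, 3-byte value.
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type, value, tag=1):
    # Tagged string AVP: type, length, tag byte, then the string itself.
    data = value.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan_id):
    """Return the raw attribute bytes a server appends to an Access-Accept.
    Refuses VLAN ids outside the policy's allowed set as a last-line check."""
    if vlan_id not in ALLOWED_VLANS:
        raise ValueError("refusing to emit a VLAN outside the allowed set")
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))


def parse_vlan(attrs):
    """Controller-side view: walk the AVPs and extract the VLAN id. Returns
    None unless all three attributes are present, well formed, share one tag
    and describe an IEEE 802 VLAN, mirroring the checks a NAS should make."""
    found = {}
    i = 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            return None  # truncated header
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 3 or i + alen > len(attrs):
            return None  # malformed length
        tag, body = attrs[i + 2], attrs[i + 3:i + alen]
        found[atype] = (tag, body)
        i += alen
    try:
        t_tag, t_val = found[TUNNEL_TYPE]
        m_tag, m_val = found[TUNNEL_MEDIUM_TYPE]
        g_tag, g_val = found[TUNNEL_PRIVATE_GROUP_ID]
    except KeyError:
        return None
    if not (t_tag == m_tag == g_tag):
        return None
    if int.from_bytes(t_val, "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(m_val, "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    if not g_val.isdigit():
        return None
    return int(g_val)


def assign(groups):
    """End to end: policy decision -> wire attributes -> what the NAS sees."""
    return parse_vlan(vlan_attributes(choose_vlan(groups)))


if __name__ == "__main__":
    print(assign(["students"]))    # 200
    print(assign(["contractor"]))  # 999 (quarantine)
    print(vlan_attributes(100).hex())
```

The controller-side parser is there because the assignment only works when the NAS accepts the whole triple; a server that sends Tunnel-Private-Group-ID alone, or with mismatched tags, will typically see the client dropped onto the SSID's default VLAN instead of the intended one, which is exactly the silent failure a "dynamic VLAN" rollout needs to test for.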


From: Lee H Badman <lhbad...@syr.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Fri, 10 Jun 2011 12:27:48 -0400
To: <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Wireless design

Just to chime in on the topic of restricting traffic: bear in mind that 
applications like Facetime and syncing things like Documents to Go between 
iPads and PCs do get impacted by what may seem like otherwise good segregation 
methodology. This can be the source of much consternation.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W
Sent: Friday, June 10, 2011 7:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless design

John,


1. I believe most (all?) wireless systems can bridge at the AP. If you 
are using 802.1X, you would need to find some way to whitelist the AP traffic, 
though. I know that Aruba APs can run in bridged mode, but you lose some 
features because all enforcement occurs within the limited resources of the 
thin AP. It is generally preferred to tunnel the traffic back to the 
controller, when possible.

2. Whether you can block clients talking to each other depends on your 
wireless system. I know Aruba has a built-in firewall and you can block this 
traffic. I believe Cisco depends on the network infrastructure for firewalls. 
One challenge for the system is blocking peers talking to the same AP.

3. Roaming between APs and between buildings is very dependent on your 
wireless system. We here at Liberty University have not yet designed our 
mobility approach. Our current focus is implementing 802.1X (finally!) and 
replacing our NAC system.

Regards,

Bruce Osborne
Wireless Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

From: John Kaftan [mailto:jkaf...@utica.edu]
Sent: Thursday, June 09, 2011 12:35 AM
Subject: Re: Wireless design

Can that system bridge at the AP?  We are going to have a secure network and an 
open one.  The secure network will be configured with 802.1x and will just dump 
people on the local VLAN of the building.  Once we have the network fully 
secure we will be fine with this.  I like this for performance reasons.  The 
APs just become secure hubs.

We will also make sure that no clients can talk to each other on these networks. 
We will try to drive all users to the secure network. The secure network will 
also be NAC enabled.

The open network will tunnel back to the controller and bridge there which is 
required due to the captive portal.

The only possible snag here is roaming between buildings and between 802.1x APs. 
I have not tested and tweaked that yet.

John



----- Original Message -----
From: Mike King <m...@mpking.com>
Date: Wednesday, June 8, 2011 9:29 pm
Subject: Re: [WIRELESS-LAN] Wireless design
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

> The real short answer is that it does not matter what the IP address of the 
> AP is, as long as it has good stable communications with the controller.


> What I personally try to do is what you are proposing, put the APs for each 
> building/floor it's own subnet.


> Good luck


> Mike
> On Wed, Jun 8, 2011 at 6:54 PM, Entwistle, Bruce 
> <bruce_entwis...@redlands.edu> wrote:
> We will soon be migrating our wireless network from Cisco autonomous 1231 APs 
> to a combination of Cisco 3502i along with some of the existing 1231 APs 
> converted to lightweight. As we prepare for this we are looking at how to 
> best architect the new network. The new network will cover the entire 
> campus which consists of approx 50 buildings, with each building having its 
> own VLAN.

> The initial idea was to install the APs so the IP address of the AP would be 
> a part of the local building VLAN.  This is the IP the AP would use to talk 
> back to the controller.  For user connections there would be two VLANs 
> created which would be accessed through a single SSID.  The users would then 
> be dynamically assigned to one of the two VLANs based on their logon 
> credentials.  Currently all users are placed on the same VLAN after 
> authentication, as our current installation is not capable of dynamic VLAN 
> assignment.  There is currently only a single SSID in place.

> I would be interested to know what others have done and how successful it was.


> Thank you
> Bruce Entwistle
> Network Manager
> University of Redlands




> ********** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.