We are a Cisco WiSM2 wireless shop - 2 HA clusters with around 800 APs on each. All private IPs (with 2 hour lease time), using NAT at the border (Juniper SRX 5800). We have a total student population of around 6,000, and a high water mark of around 9,500 devices on wireless at a given time.
Our network is MPLS with L3 VPNs/VRFs for students, staff/faculty, and visitors. We have 8 /22s (for a total of 8192 IPs) in a VLAN GROUP on each of the controllers, so that when RADIUS returns a value of "staff" - the staff/faculty member will be assigned to the VLAN GROUP staff, which then consists of the 8 /20s. I believe the Cisco WiSM2s use round-robin to load balance among the members of the VLAN GROUP (but I could be wrong on that). Our campus is fairly evenly split - the "north half" is on HA-1, while the "south half" is on HA-2. Roaming is allowed, but as we do not have 100% outdoor coverage, once they roam from building to building, they usually disassociate and reassociate. All our NAT logs are ported over to the Splunk system, as well as the DHCP logs. Very easy to correlate date/time stamp with public IP that gives us the private IP - that is then used to determine MAC address, which is then tied to a username (if possible). The student/staff/faculty is then emailed about the violation, and the MAC address is quarantined off the wired or wireless network. Once they resolve the issue and talk with the OIT Security office, we unquarantine the system.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Legge, Jeffry
Sent: Tuesday, May 05, 2015 10:19 AM
To: [email protected]
Subject: [WIRELESS-LAN] Roaming

Currently we allow roaming over our entire campus. Some buildings have their own VLAN while others do not. Each year we have more devices and thus our DHCP pools are stressed. We are looking at changing our network design and giving each building its own VLAN and larger DHCP pools. We currently have a class B of IPv4 internet addresses and will move to NAT. When students are abusing copyright etc. we are given an IP address and asked to determine who is doing the abusing. As students roam they could end up with multiple IP addresses, and NATing will complicate the ability to find these abusers.

I am curious about the following. Do y'all have one VLAN per building? How large are your DHCP pools? What is the pool expiration time? Do you allow roaming over the entire campus, per building, or what? How do y'all find these abusers? Any thoughts will be appreciated.

-Jeff Legge
Radford University
540-250-5224

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
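The NAT-to-DHCP-to-MAC-to-user correlation the first reply describes, written out as an added example (not code from either poster's environment, and not a Splunk search): it assumes constructed NAT and DHCP log lines in a simplified format, the 2-hour lease time stated in the reply, and a hypothetical MAC-to-username table, and it includes the lease-window check that keeps a private IP handed to a second device after lease expiry from being attributed to the first one.

```python
from datetime import datetime, timedelta

LEASE = timedelta(hours=2)         # DHCP lease time stated in the reply
TOLERANCE = timedelta(seconds=60)  # clock skew allowed between complaint and NAT log

# Constructed sample logs in a simplified format assumed for this example;
# real SRX session logs and DHCP server logs look different.
NAT_LOG = """\
2015-05-05T10:02:11 nat src=10.20.5.17:51234 pub=203.0.113.10:40001
2015-05-05T13:41:09 nat src=10.20.5.17:51877 pub=203.0.113.10:40002
2015-05-05T13:41:09 nat src=10.20.9.88:60110 pub=203.0.113.10:40003
"""
DHCP_LOG = """\
2015-05-05T09:10:00 DHCPACK ip=10.20.5.17 mac=aa:bb:cc:00:00:01
2015-05-05T12:30:00 DHCPACK ip=10.20.5.17 mac=aa:bb:cc:00:00:02
2015-05-05T13:00:00 DHCPACK ip=10.20.9.88 mac=aa:bb:cc:00:00:03
"""
# Hypothetical MAC-to-username table (e.g. from RADIUS accounting).
MAC_TO_USER = {"aa:bb:cc:00:00:01": "jdoe", "aa:bb:cc:00:00:02": "asmith"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def _fields(line):
    # "2015-... tag k=v k=v" -> (time, {k: v})
    t, _, *kv = line.split()
    return _ts(t), dict(p.split("=", 1) for p in kv)

def find_private_ip(pub_ip, pub_port, when):
    """Public IP + port + time identify one session behind many-to-one NAT."""
    for t, f in map(_fields, NAT_LOG.splitlines()):
        if f["pub"] == f"{pub_ip}:{pub_port}" and abs(t - when) <= TOLERANCE:
            return f["src"].split(":")[0]
    return None

def find_mac(priv_ip, when):
    """MAC holding priv_ip at 'when': latest DHCPACK before it, still within lease."""
    acks = [(t, f["mac"]) for t, f in map(_fields, DHCP_LOG.splitlines())
            if f["ip"] == priv_ip and t <= when]
    if not acks:
        return None
    t, mac = max(acks)
    return mac if when - t <= LEASE else None  # expired: IP may have been reused

def attribute(pub_ip, pub_port, when_str):
    """Complaint (public IP, port, time) -> private IP -> MAC -> username."""
    when = _ts(when_str)
    priv = find_private_ip(pub_ip, pub_port, when)
    mac = find_mac(priv, when) if priv else None
    return {"private_ip": priv, "mac": mac, "user": MAC_TO_USER.get(mac)}
```

A complaint that carries only a public IP and a date, without the source port, cannot be resolved past the NAT step once several private hosts share that public address, which is why the port and an accurate timestamp are requested from the complainant.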
