> how large do you need to be before this to break? I've done this at conferences with over 2000 people, 40 APs across a large hotel.
> There were no signs of problems. I'm interested to learn what problems to look for.

Consider the case of a campus-type installation where a single company has multiple buildings, and mobile users that roam between them. A conference is a different horse altogether. You've got a shared physical medium (air) and only a relatively few frequencies to deal with.

The ideal wireless distribution at a conference is an absolutely enormous number of very low-powered devices, each of which transmits on a frequency that doesn't overlap with its neighboring devices. The goal being to maximize coverage while minimizing the number of associated mobile devices and, at the same time, minimizing the utilized frequency space.

Since very few people have enough resources to buy or acquire the number of APs you need, what you need to do is get as many people onto 5 GHz as possible, and then use the smallest frequency width you can. I believe that's 20 MHz, and there are 9(?) usable (non-overlapping) channels in the 5 GHz range that 'N' supports.

If any of this is new material, then spend some time here:

http://blog.serverfault.com/2011/12/12/a-studied-approach-at-wifi-part-1/
http://blog.serverfault.com/2012/01/05/a-studied-approach-at-wifi-part-2/

Peter Grace's articles on wifi at Stack Exchange are great. He goes into the perfect amount of detail.

--Matt

On Sat, Apr 6, 2013 at 8:37 PM, David Lang <[email protected]> wrote:
> On Sat, 6 Apr 2013, Frank Bulk wrote:
>
>> Yes, an SMB doesn't normally worry about L3 boundaries. If you only have a few hundred clients in an area you could very well operate comfortably with a /23 in one L2 broadcast domain.
>>
>> Your approach of bridging resolves L3 boundary concerns and allows for retaining of the Wi-Fi client's IP as they go from AP to AP, but that doesn't work in large environments.
>
> how large do you need to be before this to break? I've done this at conferences with over 2000 people, 40 APs across a large hotel. There were no signs of problems. I'm interested to learn what problems to look for.
>
> I used a /17 each for 2.4GHz and 5GHz, but it's pretty easy to go larger as needed. When you get to where a /8 isn't large enough, then you need to split (or go to IPv6 + NAT64 if the devices can support it)
>
>> And what hasn't been mentioned is that in some environments certain classes or groups of people or devices are kept on separate L3 boundaries even though they're using the same SSID.
>
> that can be done on the DHCP server can't it? With it issuing different IP ranges depending on the device type or known MAC addresses (associating MAC addresses with individuals)
>
> I don't understand how you would group _people_ on different L3 boundaries, by the time you can get to the point where you can authenticate someone, they are already connected with an IP address.
>
>> I'd invite you to read the archives of EDUCAUSE's WIRELESS-LAN listserv to get a flavor of their challenges.
>
> Thanks, I'll look around there.
>
> David Lang
>
>> Frank
>>
>> -----Original Message-----
>> From: David Lang [mailto:[email protected]]
>> Sent: Saturday, April 06, 2013 7:07 PM
>> To: Matt Simmons
>> Cc: Frank Bulk; LOPSA Tech
>> Subject: Re: [lopsa-tech] Wifi
>>
>> You would need to be rather large to need to cross L3 boundaries.
>>
>> I advocate putting the APs on a separate network from your other traffic, and having the APs act as bridges. That way users can move from AP to AP and there's no need to tunnel traffic anywhere, once it gets on the wired network you are good.
>>
>> Yes, at some scale this won't work, but how big an area do you need to have before this breaks?
>>
>> David Lang
>>
>> On Sat, 6 Apr 2013, Matt Simmons wrote:
>>
>>> The problem comes when they cross L3 boundaries. Enterprise wireless infrastructures (or campus-wide installations) do tunneling of the device's traffic back to the original AP they authenticated to, all with seamless handoff.
>>>
>>> --Matt
>>>
>>> On Sat, Apr 6, 2013 at 7:50 PM, David Lang <[email protected]> wrote:
>>>
>>>> why does the movement of users matter much? Users can roam between different APs with the same SSID with a VPN just fine.
>>>>
>>>> Also, why do you say 'low traffic volumes'? if you are encrypting the data, it's going to cost to encrypt it even if you do it at the wifi level instead of the VPN level.
>>>>
>>>> you can configure VPNs so that they are connected all the time as well, but any plan to push things down or run scheduled tasks from a central point to portable devices needs to deal with the idea that the devices may not have connectivity (they may not even be turned on)
>>>>
>>>> always-connected and authenticated don't work well together, so how do you have Radius authenticated Wifi and still have systems connected without the user being logged in?
>>>>
>>>> David Lang
>>>>
>>>> On Sat, 6 Apr 2013, Frank Bulk wrote:
>>>>
>>>>> In an environment where the Wi-Fi clients don't move around much, the Wi-Fi clients are all VPN-capable devices, and traffic volumes are low, VPNs may work, but in most organizations, and especially higher-ed, WPA2 with AES based on RADIUS authentication is the BCP. Most organizations want machine-authentication, so that even while the end-user is not logged in policies can be applied and pushed down, scheduled tasks can run, etc.
>>>>>
>>>>> Frank
>>>>>
>>>>> -----Original Message-----
>>>>> From: David Lang [mailto:[email protected]]
>>>>> Sent: Saturday, April 06, 2013 2:56 PM
>>>>> To: Frank Bulk
>>>>> Cc: [email protected]
>>>>> Subject: RE: [lopsa-tech] Wifi
>>>>>
>>>>> On Sat, 6 Apr 2013, Frank Bulk wrote:
>>>>>
>>>>>> Hmm, I want to access my organization's resources over Wi-Fi -- why treat it as untrusted? The security with WPA2 using AES is more than sufficient.
>>>>>
>>>>> That same statement was made about WEP and WPA. It may be true, it may not be true (they don't have a good track record here). It may depend on the attacker never having been able to extract data from a laptop of someone who has been authorized to use the network (is WPA2 really secure if an attacker has been able to read keys off of someone's machine?)
>>>>>
>>>>> Your users need to be using VPN software anyway when working from other networks, so adding WPA and its management is additional work that you don't have to do.
>>>>>
>>>>> It's a lot easier to change your VPN software if needed
>>>>>
>>>>> VPN software gives you additional tools for authentication of your users (things like hardware tokens for example)
>>>>>
>>>>> In short, I see VPNs as something you are doing anyway, are more flexible, and more trustworthy.
>>>>>
>>>>> David Lang
>>>>>
>>>>>> Frank
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
>>>>>> Sent: Saturday, April 06, 2013 12:34 AM
>>>>>> To: Brian Gold
>>>>>> Cc: [email protected]
>>>>>> Subject: Re: [lopsa-tech] Wifi
>>>>>>
>>>>>> On Fri, 5 Apr 2013, Brian Gold wrote:
>>>>>>
>>>>>>> We've been using Cisco WCS controllers and APs here at $employer, but for a smaller scale I've been very happy with Ubiquiti APs and controllers. I would HIGHLY recommend setting up radius authentication if you have a centralized ldap system (Active Directory, OpenLDAP, etc).
>>>>>>
>>>>>> I would actually go the opposite direction.
>>>>>>
>>>>>> Your Wifi is an untrusted network that can be sniffed and attacked by anyone in the area. So don't let it connect directly to your internal network.
>>>>>>
>>>>>> Consider it a guest network, just like a hotel network, and have all your users connect to your company resources through a VPN, just like they would from home or a hotel.
>>>>>>
>>>>>> Then you can consider if you want to have the network locked down so that it can only be used for VPN traffic, or if you really do want it to be a guest network, able to reach the Internet (for at least some things)
>>>>>>
>>>>>> David Lang
>>>>>
>>>>> _______________________________________________
>>>>> Tech mailing list
>>>>> [email protected]
>>>>> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
>>>>> This list provided by the League of Professional System Administrators
>>>>> http://lopsa.org/

--
LITTLE GIRL: But which cookie will you eat FIRST?
COOKIE MONSTER: Me think you have misconception of cookie-eating process.
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
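Matt's point about many low-power APs, each on a 20 MHz channel that does not overlap with its neighbours, is a graph-colouring problem: APs that can hear each other must not share a channel. The planner below is an added example, not code from the thread or from any of the posters; it assumes the nine non-DFS US 20 MHz channels in the 5 GHz band, a constructed 4x3 hotel-floor grid of APs, and a hypothetical "hears" list that a site survey would normally supply.

```python
from collections import defaultdict

# Assumption: US regulatory domain, DFS channels excluded. These nine 20 MHz
# channels are mutually non-overlapping, so co-channel neighbours are the only conflict.
NON_DFS_5GHZ_20MHZ = (36, 40, 44, 48, 149, 153, 157, 161, 165)


def plan_channels(aps, hears, channels=NON_DFS_5GHZ_20MHZ):
    """Assign each AP a channel that none of the APs it can hear is using.

    aps:   AP names.  hears: (a, b) pairs of APs that receive each other's signal.
    Returns {ap: channel}.  Raises ValueError when an AP hears neighbours on every
    channel, i.e. the cell density is too high for the channel set (lower TX power
    or add channels rather than accept co-channel interference).
    """
    adj = defaultdict(set)
    for a, b in hears:
        adj[a].add(b)
        adj[b].add(a)
    # Welsh-Powell order: colour the most-constrained APs first.
    plan = {}
    for ap in sorted(aps, key=lambda ap: -len(adj[ap])):
        used = {plan[n] for n in adj[ap] if n in plan}
        free = [c for c in channels if c not in used]
        if not free:
            raise ValueError(f"{ap} hears neighbours on all {len(channels)} channels")
        load = {c: sum(1 for v in plan.values() if v == c) for c in free}
        plan[ap] = min(free, key=lambda c: (load[c], c))  # spread APs across channels
    return plan


def cochannel_conflicts(plan, hears):
    """Pairs of APs that hear each other and share a channel (should be empty)."""
    return [(a, b) for a, b in hears if plan[a] == plan[b]]


# Constructed sample: a 4x3 grid of APs on one hotel floor, each AP hearing its
# horizontal and vertical neighbours (hypothetical survey data).
SAMPLE_APS = [f"ap{r}{c}" for r in range(3) for c in range(4)]
SAMPLE_HEARS = [(f"ap{r}{c}", f"ap{r}{c + 1}") for r in range(3) for c in range(3)] + [
    (f"ap{r}{c}", f"ap{r + 1}{c}") for r in range(2) for c in range(4)
]

if __name__ == "__main__":
    plan = plan_channels(SAMPLE_APS, SAMPLE_HEARS)
    for ap in SAMPLE_APS:
        print(ap, plan[ap])
    print("conflicts:", cochannel_conflicts(plan, SAMPLE_HEARS))
```

With more than nine APs all within earshot of each other the planner refuses rather than reusing a channel, which is the signal to turn power down and shrink cells.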
