Sorry, if it wasn't clear, in the previous email, when I said "The goal being to maximize coverage while minimizing the number of associated mobile devices and at the same time, minimizing the utilized frequency space." I meant minimize the number of associated mobile devices /to any one AP/.

-MS

On Sat, Apr 6, 2013 at 10:09 PM, Matt Simmons <[email protected]> wrote:

>> how large do you need to be before this to break? I've done this at
>> conferences with over 2000 people, 40 APs across a large hotel. There were
>> no signs of problems. I'm interested to learn what problems to look for.
>
> Consider the case of a campus-type installation where a single company has
> multiple buildings, and mobile users that roam between them.
>
> A conference is a different horse altogether. You've got a shared physical
> medium (air) and only a relatively few frequencies to deal with.
>
> The ideal wireless distribution at a conference is an absolutely enormous
> number of very low-powered devices, each of which transmits on a frequency
> that doesn't overlap on its neighboring devices. The goal being to maximize
> coverage while minimizing the number of associated mobile devices and at
> the same time, minimizing the utilized frequency space.
>
> Since very few people have enough resources to buy or acquire the number
> of APs you need, what you need to do is get as many people onto 5ghz as
> possible, and then use the smallest frequency-width you can. I believe
> that's 20mhz, and there are 9(?) usable (non-overlapping) channels in the
> 5ghz range that 'N' supports.
>
> If any of this is new material, then spend some time here:
>
> http://blog.serverfault.com/2011/12/12/a-studied-approach-at-wifi-part-1/
> http://blog.serverfault.com/2012/01/05/a-studied-approach-at-wifi-part-2/
>
> Peter Grace's articles on wifi at Stack Exchange are great. He goes into
> the perfect amount of detail.
>
> --Matt
>
> On Sat, Apr 6, 2013 at 8:37 PM, David Lang <[email protected]> wrote:
>
>> On Sat, 6 Apr 2013, Frank Bulk wrote:
>>
>>> Yes, an SMB doesn't normally worry about L3 boundaries. If you only
>>> have a few hundred clients in an area you could very well operate
>>> comfortably with a /23 in one L2 broadcast domain.
>>>
>>> Your approach of bridging resolves L3 boundary concerns and allows for
>>> retaining of the Wi-Fi client's IP as they go from AP to AP, but that
>>> doesn't work in large environments.
>>
>> how large do you need to be before this to break? I've done this at
>> conferences with over 2000 people, 40 APs across a large hotel. There were
>> no signs of problems. I'm interested to learn what problems to look for.
>>
>> I used a /17 each for 2.4GHz and 5GHz, but it's pretty easy to go larger
>> as needed. When you get to where a /8 isn't large enough, then you need to
>> split (or go to IPv6 + NAT64 if the devices can support it)
>>
>>> And what hasn't been mentioned is that in some environments certain
>>> classes or groups of people or devices are kept on separate L3
>>> boundaries even though they're using the same SSID.
>>
>> that can be done on the DHCP server can't it? With it issuing different
>> IP ranges depending on the device type or known MAC addresses (associating
>> MAC addresses with individuals)
>>
>> I don't understand how you would group _people_ on different L3
>> boundaries, by the time you can get to the point where you can authenticate
>> someone, they are already connected with an IP address.
>>
>>> I'd invite you to read the archives of EDUCAUSE's WIRELESS-LAN listserv
>>> to get a flavor of their challenges.
>>
>> Thanks, I'll look around there.
>>
>> David Lang
>>
>>> Frank
>>>
>>> -----Original Message-----
>>> From: David Lang [mailto:[email protected]]
>>> Sent: Saturday, April 06, 2013 7:07 PM
>>> To: Matt Simmons
>>> Cc: Frank Bulk; LOPSA Tech
>>> Subject: Re: [lopsa-tech] Wifi
>>>
>>> You would need to be rather large to need to cross L3 boundaries.
>>>
>>> I advocate putting the APs on a separate network from your other traffic,
>>> and having the APs act as bridges. That way users can move from AP to AP
>>> and there's no need to tunnel traffic anywhere, once it gets on the wired
>>> network you are good.
>>>
>>> Yes, at some scale this won't work, but how big an area do you need to
>>> have before this breaks?
>>>
>>> David Lang
>>>
>>> On Sat, 6 Apr 2013, Matt Simmons wrote:
>>>
>>>> The problem comes when they cross L3 boundaries. Enterprise wireless
>>>> infrastructures (or campus-wide installations) do tunneling of the
>>>> device's traffic back to the original AP they authenticated to, all with
>>>> seamless handoff.
>>>>
>>>> --Matt
>>>>
>>>> On Sat, Apr 6, 2013 at 7:50 PM, David Lang <[email protected]> wrote:
>>>>
>>>>> why does the movement of users matter much? Users can roam between
>>>>> different APs with the same SSID with a VPN just fine.
>>>>>
>>>>> Also, why do you say 'low traffic volumes'? if you are encrypting the
>>>>> data, it's going to cost to encrypt it even if you do it at the wifi
>>>>> level instead of the VPN level.
>>>>>
>>>>> you can configure VPNs so that they are connected all the time as well,
>>>>> but any plan to push things down or run scheduled tasks from a central
>>>>> point to portable devices needs to deal with the idea that the devices
>>>>> may not have connectivity (they may not even be turned on)
>>>>>
>>>>> always-connected and authenticated don't work well together, so how do
>>>>> you have Radius authenticated Wifi and still have systems connected
>>>>> without the user being logged in?
>>>>>
>>>>> David Lang
>>>>>
>>>>> On Sat, 6 Apr 2013, Frank Bulk wrote:
>>>>>
>>>>>> In an environment where the Wi-Fi clients don't move around much, the
>>>>>> Wi-Fi clients are all VPN-capable devices, and traffic volumes are
>>>>>> low, VPNs may work, but in most organizations, and especially
>>>>>> higher-ed, WPA2 with AES based on RADIUS authentication is the BCP.
>>>>>> Most organizations want machine-authentication, so that even while the
>>>>>> end-user is not logged in policies can be applied and pushed down,
>>>>>> scheduled tasks can run, etc.
>>>>>>
>>>>>> Frank
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: David Lang [mailto:[email protected]]
>>>>>> Sent: Saturday, April 06, 2013 2:56 PM
>>>>>> To: Frank Bulk
>>>>>> Cc: [email protected]
>>>>>> Subject: RE: [lopsa-tech] Wifi
>>>>>>
>>>>>> On Sat, 6 Apr 2013, Frank Bulk wrote:
>>>>>>
>>>>>>> Hmm, I want to access my organization's resources over Wi-Fi -- why
>>>>>>> treat it as untrusted? The security with WPA2 using AES is more than
>>>>>>> sufficient.
>>>>>>
>>>>>> That same statement was made about WEP and WPA. It may be true, it may
>>>>>> not be true (they don't have a good track record here). It may depend
>>>>>> on the attacker never having been able to extract data from a laptop
>>>>>> of someone who has been authorized to use the network (is WPA2 really
>>>>>> secure if an attacker has been able to read keys off of someone's
>>>>>> machine?)
>>>>>>
>>>>>> Your users need to be using VPN software anyway when working from
>>>>>> other networks, so adding WPA and its management is additional work
>>>>>> that you don't have to do.
>>>>>>
>>>>>> It's a lot easier to change your VPN software if needed
>>>>>>
>>>>>> VPN software gives you additional tools for authentication of your
>>>>>> users (things like hardware tokens for example)
>>>>>>
>>>>>> In short, I see VPNs as something you are doing anyway, are more
>>>>>> flexible, and more trustworthy.
>>>>>>
>>>>>> David Lang
>>>>>>
>>>>>>> Frank
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
>>>>>>> Sent: Saturday, April 06, 2013 12:34 AM
>>>>>>> To: Brian Gold
>>>>>>> Cc: [email protected]
>>>>>>> Subject: Re: [lopsa-tech] Wifi
>>>>>>>
>>>>>>> On Fri, 5 Apr 2013, Brian Gold wrote:
>>>>>>>
>>>>>>>> We've been using Cisco WCS controllers and APs here at $employer,
>>>>>>>> but for a smaller scale I've been very happy with Ubiquiti APs and
>>>>>>>> controllers. I would HIGHLY recommend setting up radius
>>>>>>>> authentication if you have a centralized ldap system (Active
>>>>>>>> Directory, OpenLDAP, etc).
>>>>>>>
>>>>>>> I would actually go the opposite direction.
>>>>>>>
>>>>>>> Your Wifi is an untrusted network that can be sniffed and attacked by
>>>>>>> anyone in the area. So don't let it connect directly to your internal
>>>>>>> network.
>>>>>>>
>>>>>>> Consider it a guest network, just like a hotel network, and have all
>>>>>>> your users connect to your company resources through a VPN, just like
>>>>>>> they would from home or a hotel.
>>>>>>>
>>>>>>> Then you can consider if you want to have the network locked down so
>>>>>>> that it can only be used for VPN traffic, or if you really do want it
>>>>>>> to be a guest network, able to reach the Internet (for at least some
>>>>>>> things)
>>>>>>>
>>>>>>> David Lang
>>>>>>
>>>>>> _______________________________________________
>>>>>> Tech mailing list
>>>>>> [email protected]
>>>>>> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
>>>>>> This list provided by the League of Professional System Administrators
>>>>>> http://lopsa.org/
>
> --
> LITTLE GIRL: But which cookie will you eat FIRST?
> COOKIE MONSTER: Me think you have misconception of cookie-eating process.
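A concrete form of the "locked down so that it can only be used for VPN traffic" option that David Lang describes, as an added example that is not from the thread and not from any product mentioned in it: an nftables ruleset for a router whose Wi-Fi VLAN interface is assumed to be wifi0 and whose VPN gateway is assumed to sit at the constructed address 203.0.113.10 (IKEv2/IPsec on UDP 500/4500 plus ESP). Wi-Fi clients may reach only DHCP and DNS on the router itself and the VPN gateway; everything else is logged and dropped, and the commented rule shows the alternative guest-network variant.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed/constructed values:
#   wifi0         = interface carrying the untrusted Wi-Fi VLAN
#   203.0.113.10  = VPN gateway (IKEv2/IPsec: UDP 500, UDP 4500 NAT-T, ESP)
# Load with: nft -f wifi-untrusted.nft

table inet wifi_untrusted {
    # Traffic from Wi-Fi clients addressed to the router itself.
    chain wifi_in {
        ct state established,related accept
        udp dport 67 accept                      # DHCP requests
        udp dport 53 accept                      # DNS to the router's resolver
        tcp dport 53 accept
        log prefix "wifi-input-drop " drop       # anything else: log, then drop
    }

    # Traffic from Wi-Fi clients forwarded towards the wired side / Internet.
    chain wifi_fwd {
        ct state established,related accept
        # Only the VPN gateway, and only the VPN protocols.
        ip daddr 203.0.113.10 udp dport { 500, 4500 } accept
        ip daddr 203.0.113.10 meta l4proto esp accept
        # Guest-network variant (the second option in the thread): uncomment to
        # allow plain web browsing to the Internet while still blocking every
        # RFC 1918 range, i.e. the internal network.
        # ip daddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } tcp dport { 80, 443 } accept
        log prefix "wifi-forward-drop " drop
    }

    # Base chains keep policy accept so other interfaces are unaffected by this
    # table; wifi0 is diverted into the chains above, which end in an explicit drop.
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "wifi0" jump wifi_in
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "wifi0" jump wifi_fwd
    }
}
```

The log prefixes give the detection side something to watch: a Wi-Fi client repeatedly hitting "wifi-forward-drop" for internal addresses is a device on the untrusted segment probing where it should not.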
