Front page
Silflay Hraka?

Bigwig is a systems administrator at a public university
Hrairoo is the proprietor of a quality used bookstore
Kehaar is the head web developer for a regional newspaper
Woundwort is a professor of counseling at a private university

The Hraka RSS feed

bigwig AT

Friends of Hraka
Daily Pundit
cut on the bias
Meryl Yourish
This Blog Is Full Of Crap
Winds of Change
A Small Victory
Silent Running
Dr. Weevil
Little Green Footballs
Fragments from Floyd
The Feces Flinging Monkey
Dean's World
Little Tiny Lies
The Redsugar Muse
Natalie Solent
From the Mrs.
The Anti-Idiotarian Rottweiler
On the Third Hand
Public Nuisance
Not a Fish
Electric Venom
Skippy, The Bush Kangaroo
Common Sense and Wonder
Neither Here Nor There
The Greatest Jeneration
Ipse Dixit
Blog On the Run
Redwood Dragon
Greeblie Blog
Have A Cuppa Tea
A Dog's Life
Iberian Notes
Midwest Conservative Journal
A Voyage to Arcturus
Trojan Horseshoes
In Context
The People's Republic of Seabrook
Country Store
Blog Critics
Chicago Boyz
Hippy Hill News
Kyle Still Free Press
The Devil's Excrement
The Fat Guy
War Liberal
Assume the Position
Balloon Juice
Iron Pen In A Velvet Glove
Freedom Lives
Where Worlds Collide
Knot by Numbers
How Appealing
South Knox Bubba
Heretical Ideas
The Kitchen Cabinet
Bo Cowgill
Raving Atheist
The Short Strange Trip
Shark Blog
Ron Bailey's Weblog
Cornfield Commentary
Northwest Notes
The Blog from the Core
The Talking Dog
WTF Is It Now??
Blue Streak
Smarter Harper's Index
nikita demosthenes
Bloviating Inanities
Sneakeasy's Joint
Ravenwood's Universe
The Eleven Day Empire
World Wide Rant
All American
The Rant
The Johnny Bacardi Show
The Head Heeb
Viking Pundit
Oscar Jr. Was Here
Just Some Poor Schmuck
Katy & Bruce Loebrich
But How's The Coffee?
Roscoe Ellis
Sasha Castel
Susskins Central Dispatch
Josh Heit
Aaron's Rantblog
As I was saying...
Blog O' Dob
Dr. Frank's Blogs Of War
Betsy's Page
A Knob for Brightness
Fresh Bilge
The Politburo Diktat
Drumwaster's rants
Curt's Page
The Razor
An Unsealed Room
The Legal Bean
Helloooo chapter two!
As I Was Saying...
SkeptiLog AGOG!
Tong family blog
Vox Beth
I was thinking
Judicious Asininity
This Woman's Work
Fragrant Lotus
Single Southern Guy
Jay Solo's Verbosity
Snooze Button Dreams
You Big Mouth, You!
From the Inside looking Out
Night of the Lepus
No Watermelons Allowed
From The Inside Looking Out
Lies, Damn Lies, and Statistics
Suburban Blight
The SmarterCop
Dog of Flanders
From Behind the Wall of Sleep
Beaker's Corner
Bad State of Gruntledness
Who Tends The Fires
Granny Rant
Elegance Against Ignorance
Say What?
Blown Fuse
Wait 'til Next Year
The Pryhills
The Whomping Willow
The National Debate
The Skeptician
Zach Everson
Geekward Ho
Life in New Orleans
Rotten Miracles
The Biomes Blog
See What You Share
Blog d’Elisson
Your Philosophy Sucks
Watauga Rambler
Socialized Medicine
Verging on Pertinence
Read My Lips
The Flannel Avenger
Butch Howard's WebLog
Castle Argghhh!
Andrew Hofer
Moron Abroad
White Pebble
Darn Floor
Pajama Pundits
Goddess Training 101
A & W

August 28, 2003

Periodically Scan For A Better Access Point Until You Kill The Network

If you would like to read a fairly technical explanation of how the combination of the UNC network's SecureFast VLAN and the Cisco Aironet wireless client embedded in almost every student laptop has conspired to degrade the UNC network, click on the "Continue reading" link below. The rest of you, which I would assume to be the vast majority, may go about your business.

From an explanatory email bu one of the UNC networking gurus to the UNC Support mailing list.


We utilize a network technology called SecureFast (originally from Cabletron, now Enterasys) that provided a VLAN mechanism prior to the standardization of 802.1Q for VLANs. We have every intention of migrating off of SecureFast and on to .1Q once ANY vendor has implemented features that we require and are available within SecureFast (such as "Penalty Box" and automatic source blocking) - they're not there yet. Right now, we're targetting (based on vendor
promises) sometime next year.

One of the aspects of how SecureFast works is that whenever a user connects to the network, the SecureFast network switch does the following (among other things):

(1) checks to make sure that hardware address is allowed to speak on that port (checks to see if that hardware address is in the Penalty Box; also, we restrict what port devices like the campus DNS servers, DHCP servers, etc. can speak on to prevent hardware address spoofing)

(2) notes the IP address of the device and asks every other switch on the network if someone else is out there with that IP address -- that allows the network "fabric" to have current information as to where any IP address is on the network at any time, as well as sends us traps if there are duplicate IP addresses on the network.

In terms of that latter component, a SecureFast switch needs an ACK from every other switch running SecureFast (primarily the building entrance switches and one or two key VLAN distribution switches in every building) before it can proceed with "registering" that user. There is a timeout mechanism involved, but it still needs to go through that process. If there are a LOT of these pending "New User/New Alias" retry messages out there on the network, the switch fabric starts getting bogged down in waiting for the processing of those and connections either start getting dropped or new connections don't get set up until those get resolved or timed out.

Now, what does this have to do with wireless (and returning students)? We have noted a "feature" on the Cisco Aironet wireless client (which is the dominant wireless client on campus and the one built in to the CCI laptops) that is enabled by default. This feature is as follows:

"Periodically Scan For A Better Access Point - Selecting this check box (default) causes the client to look for a better access point if its signal strength is less than the specified value after the specified time, and to switch associations if it finds one. For example, the default values of 50% and 20 seconds will cause the client adapter to begin monitoring the Signal Strength of the signal received from the Access Point that it is associated to 20 seconds after becoming
associated. It will then do this once per second, and if any of the samples are below the specified Signal Strength percentage (in this case 50%), the client adapter will then scan for a better Access Point."

Note that "once per second" comment.

The issue with engineering 802.11b wireless is that there are only 3 non-overlapping channels available for coverage areas -- meaning that if you want to cover an entire classroom building (such as Murphey or Greenlaw) and not have conflicting channels, you've got to spread out the access points to have a wide coverage area -- meaning you're likely to have a fair number of users in the 40-55% signal strength area, which would cause them to go into that "scan" mode.

Now, noting the Cisco client "feature" above and with what you now know about SecureFast operation, just think what several thousand wireless users spread across almost 300 wireless access points all changing switch location (because they keep associating with different access points) every 1-20 seconds can do to the switch fabric, let alone the impact on continuous wireless connectivity.

The "easy" fix is to disable that wireless setting on all of the Cisco clients across campus. The question, though, is how? As far as we can tell at this point, the only way to disable that is by going thru the Profile Manager in the Cisco Aironet Client Utility and editing the default profile -- problem is, most systems don't even have that utility.

We have asked Cisco to develop for us a small program that would automatically disable that feature -- we would then have to figure out how to push that out to all of the clients, but right now, we're trying to get that program as a first step.

In the meantime, we have lowered the SecureFast "new user message" timeouts and retries about as low as we can lower them. We would also ask all of you that manage desktops/notebooks with wireless clients if you can go in with the Aironet Client Utility and turn that "Scan for a Better Access Point" (or words to that effect) property off (found under the "RF Network" tab within the Profile Manager).


Posted by Bigwig at August 28, 2003 12:23 PM | TrackBack
First time visitor to House Hraka? Wondering if everything we produce could possibly be as brilliant/stupid/evil/pedantic/insipid/inspired as the post you just read? Check out the Hraka Essentials, the (mostly) reader-selected guide to Hraka's best posts, and decide for yourself.
Post a comment Note: Comments with more than two dashes per line will be blocked as spam.

Remember personal info?