Thursday, August 25, 2011

SCVi Summer 2011 Wireless Project

Overview Of The Project

Wireless devices are now an important part of the learning environment. Students make use of laptop computers, iPods, iPads, and Netbooks in their learning at our school. In summer 2011, we decided to increase our wireless usage by adding 30 school-owned iPads and about 70 new Netbooks. We also greatly increased the number of school-issued teacher and staff laptop computers and increased our school enrollment from around 500 to over 750. This warranted a substantial improvement in our wireless network.

What We Started With

For the first three years of operation, SCVi had a total of 4 wireless access points. These were located throughout the building, but the largest concentration was upstairs in the south wing. This document shows these as "Old AP" and represents them as blue circles. It also shows some places we were considering adding new APs for more optimal coverage; these are marked as Meraki APs because that is the first vendor we looked at.


All access points were Cisco Aironet 1200s, which we felt could service about 20 users each before we started to see significant performance issues. With this many access points, we could service about 80 simultaneous users, which meant the school wireless network would come to a crawl by mid-morning.

Wireless Research

We started investigating vendors for our wireless upgrade. We knew we wanted to go to Wireless N (802.11n) technology, which would give our access points greater speed, greater range, and more concurrent users. The following table shows some of the vendors we talked with.

Vendor: Meraki / IMT
Option: New Access Points Only
Hardware Included: Meraki MR16 Cloud Managed AP
Recurring Cost (per year): Mandatory Fee For Cloud Controller Access. Pay per AP.
Notable Features:
  • Cloud controller ONLY.
  • Cloud controller has an annual fee per access point.
  • Great features on the cloud controller and overall a very polished product. Would be nice for multiple sites.

Vendor: Meraki / IMT
Option: New Access Points + New Router
Recurring Cost (per year): Mandatory Fee For Cloud Controller Access. Pay per AP. + License Fee for Router.
Notable Features:
  • Router has two inputs and automatic failover.
  • Router will not act as the controller; you still need to pay for a cloud controller.

Vendor: Aerohive / Altaware
Option: New Access Points Only
Hardware Included: Aerohive AP-120
Recurring Cost (per year): Mandatory Fee For Cloud Controller Access. Pay per AP.
Notable Features:
  • Cloud controller.
  • Cloud controller has an annual fee per access point, but the fee is less than Meraki's.
  • You can buy a controller for in-house control, but it is very expensive.

Vendor: Blue Socket / Intuitive Networks
Option: New Access Points Only
Recurring Cost (per year): Optional Support Only.
Notable Features:
  • Controller is in-house. No cloud needed.
  • Was the only vendor that provided us with a demo access point. This was very nice.
  • We were able to get a single access point up and running using their cloud controller without too much trouble.

Vendor: Blue Socket / CDW
Option: New Access Points Only
Hardware Included: Blue Socket 1800 Access Points
Recurring Cost (per year): Optional Support

Vendor: Aruba / CDW
Option: New Access Points Only
Hardware Included: Aruba AP-15 Access Points
Recurring Cost (per year): Optional Support

Vendor: Aruba / CDW
Option: New Access Points + Aruba Controller
Recurring Cost (per year): Optional Support
Notable Features:
  • Controller required for more than 16 APs. Could buy the controller later.
  • I like their tutorial videos.
  • If using the controller, you can no longer use Aruba Instant, so you have to pay a $100 per AP licensing fee.

Vendor: DLink / 110 Technology
Option: New Access Points Only
Hardware Included: DLink DAP2553
Recurring Cost (per year): -
Notable Features:
  • Cheapest possible solution and still a huge upgrade from what we have now.

Vendor: DLink / 110 Technology
Option: New Access Points Only
Hardware Included: DLink DAP2590
Recurring Cost (per year): -
Notable Features:
  • Plenum-rated version of the DAP2553. Put above the ceiling.

Vendor: DLink / 110 Technology
Option: New Access Points Only
Hardware Included: DLink DAP2555
Recurring Cost (per year): Mandatory Fee For Cloud Controller Access. Pay per AP.
Notable Features:
  • This is DLink's cloud-based solution. Fee is $100 per access point.
  • If we want cloud controlled, this is the cheapest.

Vendor: DLink / Computer1
Option: New Access Points + Controller
Recurring Cost (per year): Optional Warranty
Notable Features:
  • Most robust hardware solution. Scales to 64 access points.
  • Includes a 24-port switch. Nice.
  • Best overall value of hardware for $$.

We decided to go with Aruba for these reasons:
  • The solution scales nicely. You can start with Aruba Instant, then go to Aruba with a controller or cloud based as you get larger.
  • Good tutorials and videos on web site.
  • Software looks polished and is easy to use. 
  • We got a really good quote. 

Implementing The Access Points

Our old access points had three separate SSIDs. Each had different routing to different VLANs. All three were open, but only one broadcast its SSID. Here is an overview of the config from one of our Cisco access points.



Each of the access points is routed to a separate network with different filtering in OpenDNS. This allows us to filter content for teachers separately from content for the student population. Since the SSIDs of the old access points were not very descriptive, we decided to change them.


Old SSID: Stars
Old Security: Open
New SSID: SCVi-Learner
New Security: Open
VLAN Purpose: Student usage
IP Domain: 172.168.128.xx, 172.168.129.xx
Internet Supplier: Fireline Broadband 10Mbit

Old SSID: Ambassadors
Old Security: Open - Hidden SSID
New SSID: SCVi-Facilitator
New Security: WPA2 - Password Protected
VLAN Purpose: Teacher, Admin, and Staff usage
IP Domain: 172.168.12.xx
Internet Supplier: Telepacific 10Mbit

Old SSID: guru
Old Security: Open - Hidden SSID
New SSID: SCVi-Admin
New Security: WPA2 - Password Protected
VLAN Purpose: Network Administration by IT Staff
IP Domain: 192.168.250.xx
Internet Supplier: Telepacific 10Mbit

When the Aruba access points arrived, we started setting them up. Configuration is pretty easy: you plug in the first access point and connect to it with a computer, then navigate a web browser to http://instant.arubanetworks.com and use the web page to configure the device. Here is how the network configuration for the above SSIDs looked in the Aruba software.


The Learning Really Begins

As soon as we plugged in the access point, it became evident that our old Cisco Catalyst 3550 was not going to be able to power the new Aruba APs. The APs would cycle on and off but never started up. For the first AP, we simply constructed an external power supply to get started and worked with it plugged into the 3550. This worked for one AP, but it was not going to work for the rest of the network.

In order to power the new APs properly, we purchased a DLink DGS-3100-40 managed PoE switch. This powered the APs nicely, but after a few days of trying to get it to work, we realized the configuration was going to take some learning. We needed to get the VLANs used by the APs to propagate properly through the new switch; otherwise, we could only get them working on the administration network. It was time to call in some help!

We were able to get some expertise from Earl Rolley, who helped design our original network. He helped work out a lot of our configuration problems with our Cisco equipment. However, after plenty of tinkering, we still were not able to get the DLink switch up and running, so we are running off the old switch and using PoE power injectors. Still, we have learned a lot. Some highlights of the config are as follows.
  • We replicated all of the VLANs from the Cisco hardware on the DLink switch and configured it to tag the ports for these VLANs.
  • Any switch port on the Cisco hardware that fed the DLink switch or an access point must be set to mode "trunk". (See Cisco commands below.)
  • The drop to POE#3 Kindergarten had significant configuration problems that I simply didn't understand. Earl figured them out and set things correctly.
  • What Cisco calls "Trunking" and what DLink calls "Trunking" are totally different things. When Cisco configures a port to "Trunk", that means it's meant to feed another switch. In DLink, however, it is port aggregation.
  • We enabled Spanning Tree on the DLink switch, but we are still not sure if that was the right thing to do.
  • Since we use VLAN 250 as our admin VLAN, to talk to the DLink switch as an admin plugged into a port, configure all the VLANs to be off except 250.

Understanding Switch Ports and VLANs

Virtual LANs allow different ports on a switch to be configured to talk to different networks. Our old access points were plugged into ports 1-4 on POE switch #2. We actually were set up to talk to them on 8 ports in total. This document shows how things are configured. For the new DLink switch, we plugged it into the Gigabit Ethernet port on SW1 and configured the port to trunk.


Learned Some Cisco Commands

There were several Cisco commands I learned while configuring the switches. These commands can be run by logging into the switch using telnet or ssh.

    Command                                   Type   What it does
    show vlan                                 Read   Shows the VLANs configured on the device
    show run                                  Read   Shows the entire switch config as currently running
    show ip dhcp server                       Read
    show ip dhcp server statistics            Read
    show interfaces                           Read   Shows the interfaces on the device
    show version                              Read   Shows the software version but, more importantly, shows uptime
    show power inline                         Read   Shows PoE status on PoE switches
    show interface status                     Read   Shows the status of each interface
    show startup-config                       Read
    show cdp neighbor                         Read   Shows who is connected to a port. (Handy!) Must be in switchport mode.
    show run interface fastethernet 0/1       Read
    show run interface fa 0/46                Read   Notice that you can abbreviate the word fastethernet
    show run interface gig 0/1                Read
    config                                    -      Puts you into configuration mode so you can change settings
    interface fastethernet 0/6                -
    switchport access vlan 250                Write  Adds the port to VLAN 250
    no switchport access vlan 128             Write  Removes VLAN 128 from a port
    switchport mode access                    Write  Tells a port to auto-detect for Trunk or VLAN mode
    switchport mode trunk                     Write  Changes the switchport to TRUNK mode
    switchport trunk encapsulation dot1q      Write  Changes the port mode to 802.1Q (allows TRUNK mode)
    do show run interface fastEthernet 0/48   Read   When in config mode, you can use "do" to run the regular Read commands
    write                                     Write  Sets the configuration to be saved for the next time the switch reboots

Using the above commands, we were able to learn some really useful things. For instance, to see what VLANs are available on a particular port, you can use the "show vlan" command.


    SCVI-POE-SW2#show vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    
    2    gateway_network                  active    
    4    VLAN0004                         active    
    12   VLAN0012                         active    
    20   network_printers                 active    
    30   teacher_network                  active    
    40   student_network                  active    
    50   VoIP_phone_network               active    Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24
    60   office_administration_network    active    
    128  VLAN0128                         active    
    250  network_administration_network   active    Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                    Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22 Fa0/23, Fa0/24
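Reading a port list like the one above by eye works for one switch, but it is easy to miss that ports Fa0/9 through Fa0/24 appear under both the phone VLAN and the admin VLAN. The following is an added example, not code from the original post: a small Python parser for `show vlan` output that inverts the table into per-port VLAN membership and reports which ports are members of the admin VLAN 250. The sample input is the `show vlan` output above, copied as printed (including the missing comma on its last line), so it runs offline. One caveat the code comments spell out: `show vlan` lists only access and voice membership, so trunk ports carrying a VLAN must be found in the interface configuration instead.

```python
"""Parse Cisco IOS `show vlan` output and report which ports are members of a
given VLAN. Added example; not part of the original post."""
import re
from collections import defaultdict

# Sample input: the `show vlan` output from the SCVI-POE-SW2 switch as quoted
# above, prompt line dropped. The last line is missing a comma between
# Fa0/22 and Fa0/23, exactly as on the page; the parser tolerates that.
SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
2    gateway_network                  active
4    VLAN0004                         active
12   VLAN0012                         active
20   network_printers                 active
30   teacher_network                  active
40   student_network                  active
50   VoIP_phone_network               active    Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24
60   office_administration_network    active
128  VLAN0128                         active
250  network_administration_network   active    Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22 Fa0/23, Fa0/24
"""

# A VLAN row: id, name, status, then an optional comma-separated port list.
VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")
# Interface short names as printed by IOS (Fa0/1, Gi0/1, Po1, ...).
PORT_TOKEN = re.compile(r"^(?:Fa|Gi|Te|Po|Et)\d+(?:/\d+)*$")


def _ports(field):
    """Split a port list on commas and/or whitespace, keeping only port names."""
    return [t for t in re.split(r"[,\s]+", field.strip()) if PORT_TOKEN.match(t)]


def _port_key(port):
    """Sort key so that Fa0/10 sorts after Fa0/9 rather than after Fa0/1."""
    return [int(n) for n in re.findall(r"\d+", port)]


def parse_show_vlan(text):
    """Return {vlan_id: {"name", "status", "ports"}} from `show vlan` output.

    Continuation lines (indented, ports only) extend the previous VLAN row.
    IOS lists only non-trunk (access and voice) membership here; trunk ports
    carrying a VLAN do not appear and must be read from the interface
    configuration instead.
    """
    vlans = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("VLAN ") or line.startswith("----"):
            continue
        match = VLAN_ROW.match(line)
        if match:
            vid, name, status, ports = match.groups()
            current = int(vid)
            vlans[current] = {"name": name, "status": status, "ports": _ports(ports)}
        elif current is not None and line[0].isspace():
            vlans[current]["ports"].extend(_ports(line))
    return vlans


def ports_on_vlan(vlans, vlan_id):
    """Sorted list of ports that are members of vlan_id ([] if none)."""
    entry = vlans.get(vlan_id)
    return sorted(entry["ports"], key=_port_key) if entry else []


def port_membership(vlans):
    """Invert the table to {port: {vlan_id, ...}}. A port with a voice VLAN
    shows up under both its data VLAN and its voice VLAN."""
    members = defaultdict(set)
    for vid, entry in vlans.items():
        for port in entry["ports"]:
            members[port].add(vid)
    return dict(members)


def admin_vlan_report(vlans, admin_vlan=250):
    """Which ports give access to the admin VLAN, and which of those are
    shared with another VLAN (e.g. the voice VLAN on phone ports)."""
    members = port_membership(vlans)
    on_admin = sorted((p for p, v in members.items() if admin_vlan in v), key=_port_key)
    shared = {p: sorted(members[p] - {admin_vlan}) for p in on_admin if len(members[p]) > 1}
    return {"member_ports": on_admin, "also_on": shared}


if __name__ == "__main__":
    table = parse_show_vlan(SHOW_VLAN)
    report = admin_vlan_report(table, admin_vlan=250)
    print(len(report["member_ports"]), "ports are members of VLAN 250")
    for port, others in report["also_on"].items():
        print(f"  {port} is also on VLAN(s) {others}")
```

Run against the output above, it reports 20 member ports on VLAN 250, 16 of which (Fa0/9 through Fa0/24) are also on the phone VLAN 50. Feeding it the `show vlan` output of each switch is a quick way to keep an inventory of where the admin VLAN is reachable from a wall jack.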



This is the typical config for a "Trunk" port on the Cisco switch, i.e., ports that power either an access point or a phone. (The phones are a trunk device.)

    description NetworkAdministration
    switchport access vlan 250
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 250
    switchport mode trunk
    switchport voice vlan 50
    mls qos trust dscp
    priority-queue out
    spanning-tree portfast
    
Here is a config from the "Student" ports on the POE switch that feeds the high school.

    switchport access vlan 128
    switchport mode access
    switchport voice vlan 50
    power inline never
    spanning-tree portfast
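The two port configs above are a good test case for a policy check. What follows is an added example, not code from the original post: a Python audit that parses `show run` interface stanzas and checks each port against the VLAN layout described on this page. The interface names (FastEthernet0/6, FastEthernet0/40) and descriptions in the sample are constructed; the switchport lines are the two configs quoted above. For the trunk it flags two things worth reviewing when the admin VLAN is meant to be reachable only by IT staff: the native (untagged) VLAN is the admin VLAN 250, so untagged frames arriving on an AP or phone port land there, and there is no `switchport trunk allowed vlan` list, which on IOS means the trunk carries every VLAN. The student port passes as written.

```python
"""Parse interface stanzas from a Cisco IOS running config and check each
switch port against a simple VLAN policy. Added example; not part of the
original post."""
import re

ADMIN_VLAN = 250   # the page's network-administration VLAN

# Constructed sample: the two port configs quoted above, wrapped in interface
# stanzas. The interface names and descriptions are made up for the example.
RUNNING_CONFIG = """\
interface FastEthernet0/6
 description NetworkAdministration
 switchport access vlan 250
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 250
 switchport mode trunk
 switchport voice vlan 50
 mls qos trust dscp
 priority-queue out
 spanning-tree portfast
!
interface FastEthernet0/40
 description HighSchool-Student
 switchport access vlan 128
 switchport mode access
 switchport voice vlan 50
 power inline never
 spanning-tree portfast
!
"""

# IOS defaults when a line is absent: DTP negotiation for the mode (the exact
# default varies by platform), VLAN 1 for access and native VLAN, PoE on,
# and a trunk with no allowed-vlan list carries every VLAN.
DEFAULTS = {"mode": "dynamic", "access_vlan": 1, "native_vlan": 1,
            "voice_vlan": None, "allowed_vlans": None, "poe": True,
            "portfast": False, "description": ""}

# (regex, key, converter) for the settings the audit cares about.
SETTINGS = [
    (re.compile(r"description (.+)"), "description", str),
    (re.compile(r"switchport mode (access|trunk)"), "mode", str),
    (re.compile(r"switchport access vlan (\d+)"), "access_vlan", int),
    (re.compile(r"switchport trunk native vlan (\d+)"), "native_vlan", int),
    (re.compile(r"switchport trunk allowed vlan (\S+)"), "allowed_vlans", str),
    (re.compile(r"switchport voice vlan (\d+)"), "voice_vlan", int),
]


def parse_interfaces(config):
    """Return {interface_name: settings_dict} for every `interface` stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = dict(DEFAULTS)
            interfaces[line.split(None, 1)[1]] = current
        elif line == "!":
            current = None            # end of stanza
        elif current is not None and line:
            if line == "power inline never":
                current["poe"] = False
            elif line == "spanning-tree portfast":
                current["portfast"] = True
            else:
                for pattern, key, conv in SETTINGS:
                    m = pattern.fullmatch(line)
                    if m:
                        current[key] = conv(m.group(1))
                        break
    return interfaces


def check_port(cfg, admin_vlan=ADMIN_VLAN):
    """Findings for one port; an empty list means the port passes."""
    findings = []
    if cfg["mode"] == "dynamic":
        findings.append("trunking mode not pinned; port negotiates via DTP")
    elif cfg["mode"] == "access":
        # `switchport mode access` forces a non-trunking port; it stays on its
        # access VLAN (plus the voice VLAN, if one is set).
        if cfg["access_vlan"] == admin_vlan:
            findings.append(f"access port placed on admin VLAN {admin_vlan}")
    elif cfg["mode"] == "trunk":
        if cfg["native_vlan"] == admin_vlan:
            findings.append(f"native (untagged) VLAN on trunk is admin VLAN {admin_vlan}")
        if cfg["allowed_vlans"] is None:
            findings.append("trunk carries all VLANs; no allowed-vlan list")
    return findings


def audit(config, admin_vlan=ADMIN_VLAN):
    """Run check_port over every stanza: {interface_name: [findings]}."""
    return {name: check_port(cfg, admin_vlan)
            for name, cfg in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit(RUNNING_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

The checks are deliberately few: pinned trunking mode, no access port on the admin VLAN, a native VLAN on trunks that is not the admin VLAN, and an explicit allowed-VLAN list on trunks. Paste the full `show run` of a switch into RUNNING_CONFIG (or read it from a file) to audit every port at once.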
    

Network Overview - For Technical Parents

Since our school relies heavily on parent volunteers, we have documented our entire network here. This is to help future parents understand how we are configured.


2 comments:

1. Currently reading Wikipedia on Virtual LANs. Not sure what the current problem is for your DLINK switch or if this is the place you'd like to discuss it. Or should that happen via email?

If you would like to reach out to the author directly, please email mschnitt@gmail.com