The Need for Speed

- Posted in Education Technology by

This tech note explores the interplay between network and computing speed, applications, public money, vendors and the compulsion to stay current with technology in schools. In some refresh cycles, the applications are ahead of the network. In others, the networks are faster and more capable than needed for the available applications. At present, network technologies are faster than our needs.

enter image description here

Technology is subsidized and the subsidies drive the technology. In 1934 the Federal Communications Commission (FCC) was formed around the notion of Universal Service. The problem they were trying to solve was that telephony wasn't reaching rural communities because telephone companies had no incentive to invest and maintain long-haul lines with so few subscribers.

enter image description here

The FCC addressed the deficit by subsidizing telephony through fees assessed to carriers. These fees were passed along on users' communications bills. Telephone users in urban areas essentially paid for telephony in rural areas. The notion of Universal Service has a changed, but it still exists and this fee still appears on your phone bill today.

In 1996, the Universal Service Administration Company (USAC) was created and the Universal Service charter was expanded to provide telephony to schools and libraries, which eventually expanded to broadband data access, too. The modernization of E-Rate in 2015 added equipment to the eligible product list (category 2 funding).

enter image description here

There are currently four Universal Service initiatives:

  1. Connect America
  2. Lifeline, which extends communications into tribal lands
  3. Rural Health Care, which helps pay for communications to healthcare providers in remote areas
  4. E-Rate

E-Rate is administered by USAC as part of the reach for Universal Service. The current E-Rate cycle is a five-year allotment (2021-2025) of $167/student, with a funding floor of $25,000 for smaller schools.

enter image description here

The USAC E-Rate "contribution rate" is derived as the percentage of students receiving federally subsidized lunches (NSLP) within a range of 20 to 90%. One school might received 80% funding for their category 2 equipment and services whereas another school might get 30%, for example. Nationally, E-Rate is capped at $4.456 billion, annually.

At the height of the pandemic, the possibility that education had changed forever put pressure on IT initiatives and spending. Many districts already had devices, such as Chromebooks, for students. But, the pandemic forced remote learning several days a week. Not all households had or have a broadband connection.

enter image description here

E-Rate came under pressure to grow it's focus to include broadband access for students. The American Rescue Plan, March 2021, originally included $7.1B in emergency E-Rate funding for home Internet. This was revised downward to $3.2B. The funds were to come from the treasury instead of the USF (phone tariff). USAC already had the processes in place, so it was a natural vehicle for implementing the program.

Build Back Better, signed by president Biden in November 2021, included an additional $475M for laptops and tablets, $300M for an Emergency Connectivity Fund, $280M to fund pilot projects to boost broadband access in urban areas, plus a few other expenditures. This money was on top of money that hadn't been spent from the previous program. The new program was called the Emergency Broadband Benefit Program (EBB). This was replaced by the Affordable Connectivity Program (ACP) in December of 2021. It provides funds for broadband, computers and tablets to households 200% below Federal Poverty Guidelines. It is a long-term $14B program. The money is expected to run out by mid-2024.

There is money sloshing around. The effects of being out of the classroom for almost two years are still making themselves known. Where does this money go?

enter image description here

Schools deserve the help. Scholastic computing--schools are the most demanding environments of all (except maybe with the exception of warehouses). Schools have a dense wireless population that gets up and moves every 45 minutes. They're being hacked from within. A district regularly hits bit rates of 500 Mbit/S, provided they have the necessary Internet connection. The wireless and wired networking technology available today is more than schools currently need. But, schools are acquiring it anyway.

enter image description here

  • Equipment inadequacy
  • More demanding applications
  • Vendor end-of-support
  • Technology improvements
  • Available money
  • Competition


For universities and private schools, good networking has been a competitive issue.

enter image description here

Taking wireless specifically, in the late-2000s, wireless was a competitive issue for schools. Public schools weren't affected by it so much, except for a desire to serve their communities. However, our private school and university customers saw good Internet and good wireless as lifeblood issues.

Competing for students in both day-school and boarding schools required good connectivity to match the expectations of the parents paying the bills; they wanted to be able to Facetime their children. The kids cared even more; they wanted good Internet and if the school didn't have it, it was a bad school (in their minds). We had customers located in Western Connecticut and mid-state New York for whom good Internet and WiFi was student retention must-have.


Vendors can resell the same basic functionality, perhaps with an uplift, by ending support for older technology.

enter image description here

While technology is obsolescing your gear, manufacturers are forcing turnover in other ways, too: they retire devices with end-of-sale and end-of-support. They also replace whole product families. We’ve sold some customers three different lines of switches from the same manufacturer in the last ten years! The reason? The manufacturer abandoned existing lines, even though the products were great and would have had additional service life.


New applications can make older technologies obsolete at the same time the newer technologies make new applications possible and make older technologies obsolete...

enter image description here

I laugh to myself when I go into a school customer's MDF with a new switch, firewall or wireless controller and see the last two generations of the same kinds of devices in a pile, in a corner. We have customers who've left old generations of access points in the ceiling. While Moore's law has hit the wall for computing power, networking has kept improving. Even today, your school is likely to be a generation behind in terrestrial and wireless networking technology.

There's a feedback loop between applications and technologies that fuel both. For instance, a laptop from ten years ago doesn't have the horsepower to run all the Javascript advertisements forked over by any site you might visit. A room full of people Zooming requires a faultless wireless network and Internet connection. To keep up to the applications and for applications to exploit the network has required refresh--over and over!

In fifteen years, wired networks have gone from 100 Mbit/S to Gigabit to 10 Gigabit on pedestrian network equipment. Modern wireless--an engineering marvel--has squeezed amazing performance and density out of the spectrum and the classroom space. But, user devices haven't even caught up with the last big innovation, and the next one is already for sale.

Networks are getting ahead of applications. It’s time for new applications!

Demanding Applications

enter image description here

I had a friend and boss at United Technologies Research Center. He was a PhD mathematician working in a group that created fluid dynamics models for airfoils. His name was Bill Smith (not his real name; changed for this story). Bill was a good speaker and interested in all things computers. In the early 1990s, he became enthralled with video conferencing. The video compression algorithm in use at the time, pre-MPEG-1, was not all that efficient. This forced a trade-off between link cost and video quality. If you wanted a decent picture, you needed fast connections. Moreover, there weren't Internet aggregation sites. Most sites didn't have Internet connectivity to meet the requirements, anyway. Data had to be brought into a private hub site. At that time, ISDN infrastructure with bandwidths of T1 speeds--1.5 Mbit/S or better--was required. An dialup ISDN circuit cost over $1000/month—one for each end-point.

Video conferencing equipment was even more expensive on scale. A typical outfitted conference room required ten thousand dollars in cameras, encoders and decoders for a medium-quality video conference experience. The aggregation site could cost many tens of thousands. Under Bill's urging, United Technologies made an investment in video conferencing. This included installations in Pratt & Whitney, Sikorsky Aircraft, Carrier, Norden Technologies, UT automotive and the Research Center. Ironically, a number of these divisions was in the business of moving people from place to place; video conferencing was counter to the mission because of its potential to cut into business travel.

The installations worked, but they weren't used often. People had to travel to the local video conference room. Even if that was just across the building, a phone call could be just as good in many cases. Eventually, Bill got fired over the time and expense--and for making his bosses look foolish for supporting a very visible waste of money and effort.

Ready Money

Schools will acquire technologies that they would otherwise have to go without.

enter image description here

E-Rate drives acquisitions. It's use is entirely legitimate and even laudable. However, ready money causes market distortions. I think, for instance, about the case of the city of New London, near me on the southeast coast of Connecticut. New London has a 90% USAC contribution rate, which means that if they want to buy something that costs a dollar, they need to come up with 10 cents. In 2012, years before I'd even seen a 10 Gbit/S network, New London had one running throughout the city with the help of E-Rate funds, a sharp salesman and 10 cents from the taxpayers.

Public schools started building out their networks before E-Rate funds were available for Internet access. E-Rate money was available for telephony in the beginning, followed by some network access. In 2015, C2 E-Rate money could be applied to network infrastructure. We saw it as an opportunity. Manufacturers saw it as an opportunity. The race was on! Internet content of every sort was being developed anyway, but the market for educational products, video-on-demand and distance learning soared.

What the pandemic showed us:

It took 20 to 40 years to prove video conferencing was useful.

enter image description here

Bill's problem was that he was ahead of his time, and ahead of the technology as the COVID-19 boom in video conferencing demonstrated. The co-dependent feedback loops of technology enabling applications and applications requiring technology were very apparent during the pandemic. We had been building the network to support world-wide video conferencing all along. We just weren't aware of it until 2020.

Where is this all going? Maybe here?

enter image description here

I believe that, just as Bill Smith was ahead of his time with video conferencing, Meta and others are ahead of their time with VR. The infrastructure for the future of remote learning is being built now. 4K stereo 120 frame/sec graphics will burn up some of this bandwidth.

There is content for sale now for VR for the classroom. But, VR is not the classroom itself. Meta has created gathering spaces. There are some startups. It may seem impossible to us that someone could spend a whole day in virtual or augmented reality. I get sick playing Mario Kart! But kids will be able to do it. Meta is betting on it. According to recent data sent out in an email from Plume, the number of home VR headsets didn’t increase over 2022, but the data usage soared by 84%.


Looking at Connecticut, in the early 2000s, then-Governor Jodi Rell's pet project was the establishment of the Connecticut Education Network, or CEN. Public funds were spent on gigabit fiber rings (at $14K/linear mile) and multi-gigabit interconnectivity at the core of the network. Each of Connecticut's 169 towns received a 1-Gbit/S hand-off from the network. This was unheard-of Internet speed at the time.

I was working for CEN in 2004 when the first iteration of the network was essentially complete. It was a state job, and not well-defined. So, I took upon myself to reach out to school districts that hadn't yet connected. "But, we already have an Internet connection," they would say. Typically the existing connection was a T1 (1.5 Mbit/S) or so. The demands were modest. There was no wireless in schools in 2004 and little specific online content. I would explain: "but this is really fast." And it didn't cost anything at the time.

People didn't know why they needed it. Fast networking needed to be needed. And to be needed required applications that consumed bandwidth. And there really weren't any. But, there was money being thrown at the Internet and that money created markets that would have developed more slowly on their own.

Over the brief lifetime of the Internet in schools, the internal network, external bandwidth, available applications and subsidies have spurred each other on to increase the network technology in schools. We have customers with 20s of Gbit/S feeding network closets. There are no applications for it yet, but they will come.

-Kevin Dowd

Network Segmentation

- Posted in Aruba Network by

Last week, while we were exhibiting at the Connecticut Education Network conference, one particular subject came up with visitors to our booth a couple of times: network segmentation-the separation of school networks or VLANs according to their function. The topic was motivated partly by new requirements from insurance companies for increased internal network security.

You can picture a segmented network as one where the firewall is pulled into the core and sits between different internal network segments. In the case of a school district, segmentation could separate administrator VLANs from student VLANS, or separate the BoE from the high school, as examples.

Network segmentation isn't a new idea, but the appearance of a couple of technologies in equipment that school districts are likely to use, plus the performance of firewalls and processors, are making it easier to accomplish.

To explain these improvements, it might be good to start with what's wrong with trying to use last year's firewall and core switch to accomplish the job. Say that we have the following common configuration: a layer-3 core switch that interconnects traffic coming from each school, and possibly multiple VLANs from the schools, which is trunked back to the head-end of the network.

              :                    :
          --------             --------
          |  FW  |             |  FW  |
          --------             --------
             |                    |
         ----------    -or-       |     ----------     
         |        |               |     |        |
         |  core  |               |     |  core  |
         |        |               |     |        |
         ----------               |     ----------
              |                   |      |   |
              |                   +------+   |
          user VLAN                 user VLAN
              |                              |

A typical configuration is for the core switch to forward internal traffic internally and to forward Internet-bound traffic to the firewall. The two devices could be in series or sit side-by-side. If we wanted to to segment the internal network so that some VLANs were forced through the firewall, how would we do it? The problem is that the core switch has a layer-3 interface on each of the segments, and would usually route the traffic internally.

To force traffic to a firewall requires policy-based routing, including a collection of policy-based routing ACLs that say "if traffic is from VLANx and bound for VLANy, forward to firewall interface on the local VLAN." This overrides the core switch's IP routing. The firewall has a routing table as well, and it probably lists the switch as the correct next hop, so it would be inclined to send an ICMP redirect back to the switch that says "go forward it yourself." In short, we'd have to force the traffic to the firewall and have the firewall forward it back. It's doable, but not graceful.

Another alternative would be to have the firewall act as the core switch. In that case all traffic would have to traverse the firewall, including layer-2 traffic, multicast, everything. This would be ugly, if it were possible; not all firewalls will forward at layer-2. Those that can, can also filter at layer-2. We'll return to that in a moment.

Some of the switches that you might consider for a core switch today, including Aruba Networks' CX line of switches, feature multiple, separate Virtual Routing and Forwarding domains (VRFs). A VRF is a virtual switch instance with its own routing table and ARP cache. Two VRFs running inside one switch cannot see each other and cannot trade traffic unless explicitly forwarded. A core switch with multiple VRFs can seamlessly forward traffic to a firewall without policy-based routing. And, the firewall can forward it back from one VRF to another. This is a graceful way to ingest a firewall into the core--particularly at layer-3 boundaries.

What about performance? Commercial hardware-based firewalls often contain dedicated silicon for fast-path, stateful forwarding of packets. As long as you don't turn on UTM features between internal segments, including intrusion prevention, layer-7 inspection for viruses or content, a firewall in the core should be able to keep up. The UTM features slow a firewall down because the increase the involvement of the CPU. Perhaps these are features that you want between VRFs, in which case a more powerful firewall may be called-for.

So far, we have described a core and firewall combination that can separate internal layer-3 networks or groups of layer-3 networks that share a VRF. Firewall policies can be applied between VRFs--some traffic can pass and some can be denied. What happens when someone from the board of education goes to the middle school and wants to connect back to their desktop? Suddenly, the all-too-familiar swiss cheese of firewall special exceptions gets worse because the firewall is inside the core!

Again, talking about Aruba Networks, there is a capability called Dynamic Segmentation that makes it possible to extend a VLAN from one part of the organization to a switch port in another. The VLAN is encapsulated into a GRE tunnel and then presented as an access VLAN on the switch at the far end. Dynamic Segmentation uses an Aruba wireless controller to forward tunneled traffic to the remote switch in the same way that it dynamically selects and tunnels a VLAN for a wireless user. Combining Dynamic Segmentation with a segmented network makes it possible to secure a network against itself yet still allow for exceptions for administrators and staff.

I mentioned layer-2 filtering with a core firewall, above. Aruba (again) recently acquired a company called Pensando that makes custom silicon for securing flows deep in the core. It is now available in the Aruba CX 10000-series switch (that lists for over $50K...). We're going to have to wait for it to come to an affordable core switch in your district, but it will be possible some time in the future.

-Kevin Dowd

Success with 802.3bz

- Posted in Network Solution by

In 2016, the IEEE ratified a standard for pushing higher data rates over copper cabling. 802.3bz provides for 2.5 Gbit/S for 300 feet over Cat5e and 5 Gbit/S for 300 feet over Cat6. 802.3bz is available in commercial gear today. Cisco calls it mGig. Aruba calls it Smart Rate, and combines 802.3bz with optional 802.3bt, 60W Power-over-Ethernet.

Access points are really fast, now—particularly with 802.11ax. Even lower-end models are fast enough to outrun a gigabit connection. The problem can be addressed by running two, bonded 1-Gig connections to each AP. With 802.3bz, it may be possible to reuse the existing wiring and push it to 2.5 Gbit/S.

It works! We’ve been deploying a lot of it this past year. But, what about the cost? In order to push 2.5 Gbit/S (or 5 Gbit/S), you will need an access point that supports 802.2bz and a switch port that supports it, too. An 802.3bz deployment will save the cost of one network drop and one switch switch port for each AP, when compared with a bonded, 2 Gbit/S configuration. Assuming the same AP in either case, here are the relative costs:

enter image description here

What this says is that if you’re running two drops and using two switch ports, it will cost you just a little less to use 802.3bz. If you already have an existing network drop going to an access point, then it would be less expensive to run a second drop and consume another switch port. But who wants to do that! What a mess…

  • Kevin Dowd

Dynamic port configuration in Aruba OS-CX switches

- Posted in Aruba Network by

Aruba's OS-CX switches have the ability to profile devices connected to ports and dynamically assign roles and policies (ACLs) to those ports. The ACLs can include the usual stuff--filtering on source, destination and protocol. But, they can also include configuration parameters like VLAN assignment.

Here's a simple example that can be useful when deploying access points with bridged VLANs. In this example, the switch makes a profile of the connected device using LLDP (you can use CDP, too), parses the response and assigns a role to the port. The role has policies that assign VLANs.

To see how this would work, let’s say that we have an access point on port 1/1/10. Examining the LLDP query on the port, we get the following:

enter image description here

In our test for the presence of an AP, we will search the description for "IAP". To make the example a little more interesting, we will also skip any AP-305s we might find. The following are rules that will match our LLDP port access test. These are arranged like a sieve; the first pattern that matches wins.

 port-access lldp-group AP-lldp-group
      seq 10 ignore sys-desc 305
      seq 20 match sys-desc IAP

Next, we define the role and the policies that we want to associate with access points that match the above port-access tests. The block below says that the role is called "lldp-AP," and that the policies "create a trunk and allow VLANs 12,22,40 and 100, and make 100 be the native VLAN."

 port-access role lldp-AP                                                                                                                                                                   
     vlan trunk native 100                                                                                                                                                                  
     vlan trunk allowed 12,22,40,100               

This last section is the glue that pulls the port-access tests and the role assignment together. It says "if the device on port x matches AP-lldp-group tests then assign the role of lldp-AP."

 port-access device-profile AP-lldp-devprofile                                                                                                                                              
     associate role lldp-AP
     associate lldp-group AP-lldp-group

Dynamic profiling can be applied to other kinds of devices too, including printers, projectors and phones. When used in conjunction with Aruba Central or NetEdit, elements of the policies and port-access tests can be described using variables, such as this:

 port-access role lldp-AP                                                                                                                                                                   
     vlan trunk native %_native_VLAN%                                                                                                                                                                  
     vlan trunk allowed 

When used in conjunction with ClearPass and controllers, the ports can implement enhanced profiling, role assignment and dynamic segmentation whereby VLANs that don’t even exist on the switch can be tunneled from other parts of the organization.

Network Infrastructure is Changing

- Posted in Latest Technology by

Network Infrastructure is Changing

Last year's switches are very appliance-like. They're a narrow mixture of layer-2, layer-3 and Power-over-Ethernet features--just as they have been for about fifteen years. Switches you might buy this year will behave like last year's when you need them to; you can still program them individually at layer-2 or layer-3 using the command line. But, they're different.

As with phones, cars, televisions, and other electronics, network switches (and access points) have benefited from great increases in computing power. New devices run general purpose operating systems in lieu of embedded firmware. They're built upon supercomputer-speed hardware. So, in addition to switching and routing, they can do general-purpose computer-like stuff, and they can be extended in their capabilities.

Like what? The best-hyped new capability in network equipment is AI. This is the ability to leverage observations taken in the past and apply them to your network in the present. Moreover, it is the ability to pool and organize observations across many organizations' networks to increase the network's resilience for everyone. This includes giving the network the power to recognize issues and heal itself.

Switches are smarter in non-AI ways, too. We've had NAC for a long time (and barely used it). Now, you can program the switches to recognize and classify a device, such as a printer or AP, and assign it the appropriate VLANs and permissions--all by itself. Switches can often apply ACLs and bandwidth restrictions without the help of a central authentication server.

Switches needn't be configured onesy-twosy any longer. Consistency in configuration, visibility, resiliency can be managed for the whole LAN or WAN, all at once. This is possible from the local or cloud-based managers. Software-defined networking--once the stuff of expensive data center switches--is right beneath the surface on many of these devices. The ability to create arbitrary logical network architectures, to safely extend encrypted VLANs from far-away cores and the ability to secure it are available, if you want to use it.

Wireless has advanced remarkably, too. Controller-based and hive (virtual controller) wireless is being supplanted by WiFi networks in which every AP is its own controller. Consider that if every access point has a 2.5 or 5 Gbit/S interface of its own, then centralized operation and switching will to become a liability for larger deployments. In the latest paradigm, AI and central configuration services manage and update the network, but the traffic is bridged onto the LAN at wire speeds by the access point, cooperating with neighbors, but acting on its own behalf.

Three features of WiFi6 are going to make today's wireless networks unrecognizably fast, tomorrow--especially in dense deployments. The first is modulation techniques, particularly QAM-1024, that push wireless into the gigbait+ range with a reasonable number of antenna chains. BSS Coloring greatly increases the efficient use of crowded radio space. OFDMA, which allows the sharing of transmissions between clients, can provide greatly improved transmission-cycle efficiency. If that's not all enough, WiFi6E is out with new spectrum in the 6GHz range, included very wide channels (up to 320 MHz) for huge performance. Look back at some of out earlier communications to learn more about these capabilities.

Spanning Tree Protocol and Broadcast Storm

- Posted in Network Solution by

Problem we are trying to solve: repeat traffic over the same link, particularly broadcast storms. If a layer-2 network has a loop, the same traffic may be forwarded over the same physical network segment repeatedly until its time-to-live expires. Network loops can bring a network down by buying it in traffic.

A collection of switches can be organized into a spanning tree. A spanning tree is a concept from graph theory that describes paths to interconnect all nodes without creating cycles (or loops). So, for instance, nodes A, B,C and D can be interconnected in multiple ways, including:

enter image description here

The topology is a tree. Spanning tree protocols detect cycles (loops) by listening for Bridge Protocol Data Units (BPDUs), which are messages that start at a node designated as the root, and propagate through the tree. When a repeat BPDU is detected, a node makes a calculation about which is the best propagation link among the duplicates. The other, duplicate links are placed into a blocking state. By this mechanism, a spanning tree can be formed among arbitrarily interconnected nodes.

Spanning tree protocols have been used to create resiliency in networks; if one of multiple links goes down, spanning tree protocols may resurrect another. However, multi-path resilience built from link aggregation groups--multiple links cooperating as one--provide combined bandwidth and faster convergence, and are a better design.

Loop detection is a single-switch capability for detecting the interconnection of two or more ports through a another device that doesn't participate in spanning tree. Imagine, for example, two Ethernet ports in a classroom being looped through an unmanaged desktop switch; loop detection will shut down one of the ports.

-Kevin Dowd

What is EduRoam

- Posted in Education Technology by

What is EduRoam?

EduRoam or Education Roaming is a global wireless network access service developed for the international research and education community. It allows students, researchers and staff to obtain internet connectivity across campus. When visiting other participating institution, they can easily connect to the internet by opening their laptop and use their home institution credentials.

EduRoam uses the IEEE 802.1X protocol (WPA2-enterprise) and a system of interconnected RADIUS servers, with the main U.S. node operated by Internet2 in collaboration with the global Eduroam community.

Why do you need EduRoam?

We live in the world where WIFI access is a necessity in institutions, businesses or campuses. With Eduroam, this will make your venue more attractive for meetings or conferences as it allows participants to access network without assistance.

EduRoam is secured and can give an access to thousands of participating hotspots globally.

The cost of implementing and maintaining EduRoam is fair and acceptable. It can help reduce cost and workload for IT Department such as the need to supply temporary accounts to visiting users. Less work can mean less headaches for your IT or Administrative people.

The log-ins are secured which means that passwords are kept private at all times and misbehaving user can be always identified with the help of their home institution.

Overall, EduRoam makes it possible for visiting students, staff and researchers use their EduRoam credentials to access secured WIFI quickly and easily without (or at the most minimum) assistance and support.

How do you deploy EduRoam?

The basic process to set up EduRoam is as follows:

  • The school or school district registers with EduRoam and verifies identity and domain control.

  • Once registered they are given credentials to an administration page which allows them to associate their domain with an IP address for their RADIUS server. They are also given a pre-shared secret for their RADIUS server to authenticate to the EduRoam RADIUS servers.

  • The internal RADIUS server needs to handle three scenarios of clients authenticating on the EduRoam SSID. o A local user is attempting to authenticate - no need to involve EduRoam's RADIUS' servers.

    o An external EduRoam visitor is on-campus attempting to authenticate. Authentication is sent to EduRoam's RADIUS servers, expect return response.

    o A local user is visiting or "roaming" off-campus. Authentication attempt is received from EduRoam's RADIUS servers, need to authenticate and return response.

Who Ya Gonna Call?

- Posted in Network Solution by

Who ya gonna call?

When there's something bad and it doesn't look good. Who ya gonna call? You contact the manufacturer. Nothing gets resolved. This blog entry is about ten WiFi puzzles we've been invited into over the last year or so. I leave the names out. A few of them aren't even our regular customers.

Case 1: School A, no address disclosed, has a problem with Chromebooks using a shared PSK SSID. Some of the kids can get on. Some can't. All other devices seem to be fine. Diagnosis: the manufacturer's wireless intrusion prevention saw many different devices logging in with the same ID and password and shut them down, thinking that they were massing an attack. Resolution: Disable WIP for this case.

Case 2: School B, no certain address, most kids can't Zoom, can't stream. But some are fine. Diagnosis: school had installed a new LED lighting system over the summer. Non-802.11 communications or noise (makes no difference to the WiFi clients) spiked across the upper part of the 5 GHz spectrum at arbitrary times. Resolution: enable DFS channels and move 5 GHz traffic away from the lighting system.

enter image description here

Case 3: School C, address withheld, can't stream reliably, can't Zoom reliably--all devices affected. Short sessions 'appeared' to be okay. Diagnosis: another vendor had increased the basic WiFi rates and minimum negotiated rates too high. This caused clients to hang onto sessions that were unsustainable and led to high frame loss. Resolution: relax the basic and negotiated rates to make the network useful again. Raising rates is just voodoo, anyway; clients roam when RSSI gets low, not when there's no lower rate choice available.

Case 4: School D, location unknown, WiFi was no good on the second floor. Diagnosis: this was a small school with two floors in a crowded city environment. Resolution: enable band-steering for the 5GHz band and disable 2.4 GHz upstairs.

Case 5: School E, name changed for security, lost WiFi connectivity in some areas of the school every day at the same time. Diagnosis: a manufacturer update had enabled DFS channels. This school was on the glide path to a large airport. One particular 5 GHz channel was re-abandoned every day at the same time as a daily flight came in. Resolution: Disable DFS channels.

Case 6: School F, not the same address as the last one, lost WiFi connectivity every day at the same time. Diagnosis: inspection of AP logs showed that access points lost contact with their controller two or three times a day. Resolution: we found a loop in an MDF that caused a broadcast storm on the wired network. This caused the APs to lose contact with the controller. Not sure why nobody noticed everything else grinding to a halt...

Case 7: School G, address confidential, had 'spinning' WiFi in certain parts of the building. Diagnosis: during a renovation, builders were to remove all of the old access points (and pretty much everything else). They missed a few. When the renovations were complete, and the new switching was installed, the old APs found the controller and began advertising SSIDs. The problem was that these APs weren't supposed to exist, and the networks they were offering weren't trunked to them (these were bridged SSIDs; not tunneled). Students could connect at Layer-2, but that was it. Resolution: shutdown the old APs.

Case 8: School H, address also withheld, had student WiFi that was unable to reach the Internet for some, not all, students. Diagnosis: This was a small school. The wired LAN was bridged to the WiFi network (by design). One day, a teacher had plugged a consumer-grade WiFi router into the wired network. This router began handing out 192.168.0.x DHCP assignments to students as they joined the 10.x WiFi network. Resolution: Unplug the router.

Case 9: School J, address unknown, had bad WiFi in the auditorium. Diagnosis: the auditorium had an impossible number of interfering access points, all with omni-directional antennas. Resolution: shut some of them off and think about partitioning the space with directed coverage for wireless access.

Case 10: School K, wouldn't want me to disclose their address, had "bad WiFi". People "had to reboot," etc. Diagnosis: school had multiple, uncoordinated DHCP servers handing out overlapping network addresses from the same scope. Resolution: Really?! C'mon! Who ya gonna call?

What is Outdoor WIFI

- Posted in WAN/LAN by

enter image description hereWhat is Outdoor WiFi or Long-Range WiFi Network?

Outdoor WiFi are low-cost setups that can help improve your internet connection throughout your property; This set up gives you the ability to access a network from miles away - whether it’s to share the internet connection with another building or simply extend the WiFi signal outside.

To provide outdoor WIFI to an area adjacent a building, there are two approaches:

1) exterior, weatherproof, purpose-built access points, mounted on the outside of the building.

2) interior access points mated with exterior antennas. The AP is inside the building; the antenna is outside.

Often, you will choose an AP or antenna with a sector radiation pattern that directs coverage away from the building and out into an open space.

The AP or sector antenna might create a 30, 45, 60, 90, or 120 degree horizontal wedge. The narrower the antenna pattern, more concentrated the power from the transmitter. This concentration is expressed as the antenna's gain factor. An antenna with a narrow sector pattern can provide service for many miles over a smaller coverage area.

In the US, the effective radiated power output is limited to 100 milliwatts, by law. When you pair an antenna with an access point, you will have to program a gain factor for the antenna. This will be provided by the antenna manufacturer. The gain value tells the transmitter to reduce output power to remain within the law.

Antenna extension cables and connectors can cause losses between the transmitter and the antenna. With long antenna cables, you may have to reduce the programmable gain to make up for the losses. It is better to extend the Cat5e or Cat6 data cable that provides data and power to the access point than to extend the antenna leads.

When choosing a location for an exterior antenna or AP, it is best that there be line-of-sight between the antenna and the area to be covered. Trees and other structures will attenuate radio signals, particularly for the 5 GHz bands.

It is also very important that the near-field of the signal be unobstructed. Roof edges, building overhangs and corners can interfere with the radiation pattern.

Picture a pebble dropped into the water. Ripples will radiate evenly in all directions. Now, picture the same pebble dropped into water with rocks. The ripple pattern will be disturbed by the reflections from the obstructions. We want to avoid the same kind of reflections with WiFi.

To cover an open space with many access points, such as a quadrangle, it is better to mount the antennas high and aim them downward, toward the ground. This is the same approach that one would take if installing outdoor lighting, careful to light each area independently.

To provide WiFi to locations far away, a wireless bridge or mesh may be desired. An access point located on a building can create a back-haul link to a distant access point or access points.

When there is one access point at the far end of the back-haul link, we call this a point-to-point connection or bridge. When there are several, we call this point-to-multipoint or mesh. The distant access points may provide local service as if they were wired.

Often, with a dual-radio access point, one radio is used for the back-haul network. The other is used to provide WiFi access. Sometimes, you will use a high gain antenna for the back-haul radio and an omni-directional antenna for user WIFI. You may also let down a wired connection for a camera or switch.

There must be electrical power available at the far end of the link. This can be hard-wired AC power or provided by a power injector depending on the AP and the application. A typical access point plus camera installation will include two power injectors--one for the AP and one for the camera.

In an WiFi infrastructure, APs that form the bridge or mesh are managed by a wireless controller or cloud just as the campus APs are. Sometimes, instead, an inexpensive third-party bridge can be used to extend the campus network. Devices located at the far end, including access points, will not be aware of the third-party wireless bridge.

A typical bridge or mesh configuration will use a 5 GHz link for back-haul and 2.4 GHz for local service. The expected speed in a nearby, line-of-sight application is often just over 100 mbit/S.

Bridge and mesh products that use 24 GHz or 60 GHz radios are also available. These feature back-haul speeds that in the 1 gbit/S range. The wavelength of a 60 GHz signal is just 5mm, which is less than the width of a large raindrop or a snowflake. Because of this, 24 GHz and 60 GHz transmissions are subject to 'fade' or failure in rain, snow or fog. For this reason, 60 and 24 GHz bridges are often packaged with 5 GHz fall-back radios.

A bridge built from 900 MHz radios can penetrate trees and weather much better than a 5 GHz radio, but with much narrower channel width, measured in 100s of kbits/S.

Local outdoor coverage, bridges or meshed links--Atlantic has been providing commercial WiFi for 15 years. Call us for your next project. - Kevin Dowd

Bitcoin in 2021

- Posted in Latest Technology by

enter image description hereThere is a limit to the number of bitcoins--21 million in total, with about 2 million left to be mined. Presently, there are about 900 new bitcoins per day. As more are found, the hash target becomes increasing harder to hit and it becomes asymptotically harder to find additional bitcoins. It will be the year 2140 before the last one is finally found. There's investment and reward in the effort: Russia just took delivery of a 70 MW crypto mining farm. It is said that almost 65% of the cryptomining resources are in China. Bitcoin broke $50,000 on Tuesday. Elon Musk bought $1.3 billion in bitcoin a couple weeks ago, when it was already over $40,000. Projections are for $500,000 per bitcoin.

The US dollar has been the world's reserve currency for a century, even as the US has heaped on debt for wars and social programs. Other alternatives--the euro or the Yuan each have problems that continue to favor the dollar; the Euro zone is crumbly and has debts, too; China's currency has been tightly controlled by the government and there is a trust deficit for Chinese policy. This past year, with the United States' COVID 19 response, the US debt became larger than its economy. This makes the dollar just a little bit more risky as a reserve currency.

In January, it became illegal for you to personally trade in cryptocurrencies if you are a resident of Nigeria. The ban expands a list that includes China, Iran, Bolivia, Nepal, Bangladesh, Ecuador and Morocco. Cryptocurrency trading is still allowed in the US, but you are now required to indicate whether you have traded in cryptocurrencies on your tax return. The public argument against cryptocurrencies is that crypto is tender for criminal activities, and that it is difficult to track and tax. Alternative Central Bank Digital Currencies are likely to be introduced and sanctioned instead. They can be tracked. They will be centrally managed, unlike Bitcoin. They're digital fiat money. Bitcoin isn't.

Why do China, Russia, North Korea, (possibly) the United States want to be dabbling in Bitcoin? As is the case for you and me, there's a speculative upside. But there is also a possibility that Bitcoin will become a bona fide reserve currency--a place to park value. The prices will stabilize. Fiat currencies will weaken as money is converted into crypto. Like a game of musical chairs, when the music stops, some countries and individuals will have larger shares of the reserve currency. And if Bitcoin becomes that important, the effort spent gathering up Bitcoins today will affect the wealth of nations tomorrow.

Crypto trading rides on top of digital networks, and these are subject to tampering. I will address the network vulnerabilities for crypto trading in a future blog entry.

-Kevin Dowd

Page 1 of 2