XP SP3 + forcing TCP/IP metric on LAN

dandirk ([H]ard|Gawd, joined Jun 5, 2004, 1,835 messages)
I have been having some network issues with laptops on our LAN. In certain instances laptops will be docked but still attempt to use the wireless connection to log in etc. even when a wired connection is available.

What makes this worse is wireless will sometimes connect to a non-work/supported wireless and the client will not be able to login, never mind the performance drop...

Doing some research, I figure I only have 2 options.

1. Have users disable wireless (ummm these are users we are talking about, the higher the pay grade the greater the trouble... our CIO is the worst, insisting her itunes is for business yet we don't support any apple products)... All this music magically appeared on my work laptop... it was magic cause it was apple lol.

2. Manually configure the LAN NIC metric.

As per http://support.microsoft.com/kb/894564. Running "route print" from cmd.exe, I have found that sometimes the wireless and LAN interfaces receive the same metric (20 = 20 Mbps to 200 Mbps) if automatically assigned by XP. This makes sense given the glitches we see.

So this looks like our solution: either force LAN NICs to use a lower metric or force wireless NICs to use a higher metric.

I have been testing forcing the LAN to a metric of 10. Seems to work pretty well: if the LAN is disconnected the metric drops, and if plugged in, the metrics reappear and the traffic switches over OK both ways.

Has anyone done this, or foresee any problems with manually setting the LAN metric to 10?
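To make the "same metric" observation above something you can check across a fleet rather than by eye, here is an added example (not from the thread or from Microsoft) that parses the Active Routes table of XP's route print output, reports whether the host has more than one default route at all (i.e. is attached to two networks at once, the situation the post describes for a docked laptop) and whether the lowest metric is tied between interfaces, so XP has nothing to prefer the wired link on. The route print text is constructed for the example, with a wired NIC at 192.168.1.50 and a wireless NIC at 192.168.10.77 both on metric 20; a helper then models the effect of forcing the wired interface to 10, which is the fix being tested. The KB's metric/speed table is not reproduced here; only the band the post mentions (20) is used.

```python
import re

# Constructed sample of XP "route print" output (not captured from the thread):
# a docked laptop with a wired NIC (192.168.1.50) and a wireless NIC
# (192.168.10.77), both auto-assigned metric 20, i.e. the tie the post describes.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 11 22 33 44 55 ...... Wired NIC - Packet Scheduler Miniport
0x3 ...00 aa bb cc dd ee ...... Wireless NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.50       20
          0.0.0.0          0.0.0.0    192.168.10.1   192.168.10.77       20
        127.0.0.0        255.0.0.0       127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.50    192.168.1.50       20
     192.168.10.0    255.255.255.0   192.168.10.77   192.168.10.77       20
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
"""

# One row of the Active Routes table: destination, netmask, gateway, interface, metric.
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return the Active Routes rows of a route print dump as a list of dicts."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gw,
                           "interface": iface, "metric": int(metric)})
    return routes


def default_routes(routes):
    """Only the 0.0.0.0/0.0.0.0 rows, one per interface that has a gateway."""
    return [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]


def check_default_routes(routes):
    """Classify the default-route situation on one host.

    dual_homed: more than one default route, so the host sits on two networks
    tied:       the lowest metric is shared, so XP has no reason to prefer wired
    preferred:  interface address of the unique winning route, or None if tied
    """
    defaults = default_routes(routes)
    if not defaults:
        return {"dual_homed": False, "tied": False, "preferred": None}
    best = min(r["metric"] for r in defaults)
    winners = [r["interface"] for r in defaults if r["metric"] == best]
    return {
        "dual_homed": len(defaults) > 1,
        "tied": len(winners) > 1,
        "preferred": winners[0] if len(winners) == 1 else None,
    }


def with_forced_metric(routes, interface, metric):
    """Model of setting the interface metric by hand: every automatically
    assigned route on that interface takes the forced value. (Assumption used
    for the illustration; check the real table with route print afterwards.)"""
    return [dict(r, metric=metric) if r["interface"] == interface else dict(r)
            for r in routes]


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTE_PRINT)
    print("as auto-assigned:   ", check_default_routes(table))
    fixed = with_forced_metric(table, "192.168.1.50", 10)
    print("wired forced to 10: ", check_default_routes(fixed))
```

Feeding a real dump in (for example the saved output of route print from a docked laptop) is the point: a "tied" result explains the login-over-wireless symptom, while a "dual_homed" result on its own is worth noting even after the metric is fixed, since the metric only decides which path is preferred, not whether both networks are reachable from the machine.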
 
Instead of changing metrics to fix your immediate problem, you should deal with the inherent security risk being created in your scenario. If you've got laptops connecting to 2 networks at the same time (your corporate LAN and a foreign wireless network) then your internal network can potentially be exposed to the foreign network, bridged through the laptop if it were to be compromised, which of course is a network security risk. You would never want a dual-NIC PC on your network with one NIC connected to your LAN and the other NIC connected via a cable through the ceiling or wall to another company's network. The scenario you're describing is of course the same thing. You have no idea what type of security is in place on the foreign network. For example, one of your company's laptops could potentially get infected or compromised via the foreign connection, and since this laptop is also connected to your internal LAN, now you've got a compromised machine on your network. A network security model is only as good as its weakest link.

If I were you, I would just configure the laptops so they can't automatically connect to the wireless networks you designate (your own wireless network and any foreign/unsupported networks within range). You can remove these wireless network(s) from the Preferred Networks list on each laptop, so they won't automatically try to connect. And you will need to uncheck the "Automatically connect to non-preferred networks" option as well. This will remove the burden of responsibility from the administrator (you). The users would then have to manually connect to these networks, which shifts the responsibility to them if anything were to happen. I imagine these changes can be pushed out via domain policy, but I'm a network engineer not a desktop support guy.
 
I understand your point, but one of the networks in question is our own wireless network. We know of the security on the network (WPA2 AES, AD credentialed). This issue causes performance issues by using wireless instead of the available, faster wire speed...

The other is a business partner with which we have point-to-point VPN tunnels for app/intranet access, and we use our own VPN for network file access. Access and use is already there, so security is moot. Well, moot enough for us...

We only allow these 2 networks to auto-connect.

Not allowing auto-connect is not an option. "Too difficult," to quote those that get paid more than me.

We use the Intel PROSet utility, which is more flexible in some regards and more restrictive in others (long story, but we can't go to WZC). Basically Intel does have an option to disable wireless when wire is available... but I found this only works randomly.

Thanks for the input!
 