Differences between revisions 1 and 48 (spanning 47 versions)
Revision 1 as of 2008-08-19 15:57:51
Size: 2783
Editor: LukeWilliams
Comment: have at it!
Revision 48 as of 2012-08-10 00:47:23
Size: 6984
Editor: DavidAdam
Comment:
Line 1: Line 1:
Routing and switching at UCC is done on three core switches and a linux-based router. There are eight VLANs hosted in the club, as well as additional four which are trunked in from ITS. Understanding UCC's network can be a bit challenging at first, but after some reading you'll find that it is actually very challenging, and give up. This article is a general overview of how it works.
<<TableOfContents>>
Line 4: Line 5:
There is a long piece of CAT5 running through the walls from the machine room to the Guild machine room in Cameron Hall (across from UWAnime). This plugs in to a 100M D-Link media converter, which leads to a similar media converter in the Guild comms room in the main Guild building. Our uplink is into an ITS managed switch called 'cruzob'. There is a CAT6 cable running straight up out of the Guild machine room, along the rafters and back down into the UCC machine room, terminated on a block on the North machine room wall. This plugs in to a 100M D-Link media converter, which leads to a similar media converter in the Guild comms room in the main Guild building.

In addition, there is a long piece of CAT5 (that was previously the primary uplink!) running through the walls from the machine room to the Guild machine room in Cameron Hall (across from UWAnime).

Our uplink is into an ITS managed switch called 'cruzob'. If you're looking for where the cable runs, it's possibly disguised as a network outlet cable in one of the other student clubrooms.

In the hope that we will one day have a gigabit uplink, the Guild machine room contains Sesame (as in open sesame, geddit?) a Cisco 3508XL with two 1000BaseT and two 1000BaseLX GBICs. It is currently plugged in via the old uplink cable. (Note that this switch cannot speak anything slower than gigabit.)
Line 6: Line 13:
The machine rooms contains three core switches and a router:
 * Olive, a 24-port Cisco Catalyst 2900 series switch.
 * Lorenzo, a 48-port Cisco Catalyst 2950 series with some dead ports and dual gigabit uplinks.
 * Curviceps, a 48-port HP Procurve with full gig ports.
 * Madako, a linux-based router running iptables.
These are all labeled and in the rack. There is also a patch panel for the clubroom wall-ports at the top of the rack.
The machine room contains three switches and a router:
 * [[Murasoi]], a linux-based router running iptables.
 * [[Bitumen]], a Cisco Catalyst 4507R running IOS which has 2 SupIV supervisor engines, 96 GigE ports and 12 GBIC slots.
 * Coconut, a Cisco Catalyst 2948G-GE-TX running CatOS which has 48 GigE ports and 4 SFP slots.
 * Curviceps, an HP ProCurve 1800-24G which has 24 GigE ports and 2 SFP slots.
These are all labeled and in the rack. There is also a patch panel for the clubroom wall-ports at the bottom of the right-most rack beneath Bitumen.
Line 13: Line 20:
There is CAT5 cabling run from a patch panel at the top of the rack to a number of wall ports throughout the room. Where not enough wall-ports are available, there are small 5-port unmanaged switches used to attach more devices to the network. There is CAT5 cabling run from a patch panel at the bottom of the rack to a number of wall ports throughout the room. Where not enough wall-ports are available, there are small 5-port unmanaged switches used to attach more devices to the network.
Line 15: Line 22:
See also: [[Network/SwitchConfiguration]]
Line 16: Line 24:
UCC uses seven VLANs internally for various purposes: UCC uses six VLANs internally for various purposes:
Line 21: Line 29:
 * VLAN 6: Wireless network.
 * VLAN 7: Printers.
 * VLAN
8: Netboot (Ubuntu port)
 * VLAN 6: Authenticated wireless network.
 * VLAN 8: Untrusted wireless network.
Line 26: Line 33:
 * VLAN 11: SNAP.
* VLAN 13: Our main uplink, provides us our internet connection and address space.
 * VLAN 102: Guild clubs. Not used by UCC, forwarded on to UniSFA.
 * VLAN 13: Our main uplink, provides us our internet connection and address space. This extends to the Faculty of Arts where we have colocated machines.
 * VLAN 102: Guild clubs. Not used by UCC, was forwarded on to UniSFA.
Line 30: Line 36:
Layer three at UCC is pretty nasty, and the firewall script alone probable deserves its own article. However, a brief summary of how it all works: Layer three at UCC is reasonably straightforward these days. A brief summary:
Line 33: Line 39:
 * 130.95.13.0/24 is the public address space for our AARNet connection. Incoming, non-peering traffic to these addresses is charged at 4c/mb. This range is routed to us via VLAN 13.
 * 203.24.97.249/29 is the public address space for our Silk connection. Traffic to and from these addresses is unmetered. This range is also routed to us via VLAN 13.
 * 10.13.13.0/24 is a private range used for network printers. These addresses reside on VLAN 7 and are not routed outside.
 * 10.203.13.0/24 is our address range on the Resnet (college) network. Routed via VLAN 13.
 * 172.26.42.96/27 is the range we use for PPTP.
 * 172.44.24.224/27 is the wireless network range.
 * 130.95.13.0/24 is the public address space for our AARNet connection. This range is routed to us via VLAN 13.
  * 130.95.13.0/26 is the machine room address range, internally routed on VLAN 2.
  * 130.95.13.64/26 is the clubroom address range, internally routed on VLAN 3.
 * 172.26.42.0/24 is for 'untrusted client machines' and is allocated to us by UWA and routed to us via VLAN 13. There is some history here, but these addresses are not routed outside the Uni. This subnet may be NATted to public IPs for external access.
  * 172.26.42.0/26 is for public wireless (unauthenticated clients).
  * 172.26.42.96/27 is the range we use for PPTP.
  * 172.26.42.128/26 is the loft network range.
  * 172.26.42.192/27 is the UCC wireless network range (for authenticated clients).
 * 192.168.13.x/24 is the uplink range, routed on VLAN 13 by UWA. Machines colocated in Arts also have addresses on this range.
 * 192.168.2.x is the management VLAN IP range. This is not allocated to us by UWA and not routed outside UCC.
=== Addressing scheme ===
Most of UCC's subnets use DHCP to assign addresses based on MAC address. Further details can be found at [[Network/Services#DHCP]].
=== Routing and Firewall ===
[[Murasoi]], the Linux router, is a beast of burden. See [[Network/Firewall]] for further information on the way it operates.
=== IPv6 ===

[[http://ipv6.he.net/certification/scoresheet.php?pass_name=accmurphy|{{http://ipv6.he.net/certification/make_badge.php?pass_name=accmurphy}}]]

UCC has 2405:3C00:1:4200::/56 (which is :4200:: to :42ff:: inclusive).

This is advertised by radvd on [[Murasoi]] which most machines autoconfigure from, however some machines have statically assigned addresses. There is a rudimentary IPv6 firewall. IPv6 traffic is free.

Many machine room systems have IPv6 address, which are statically assigned. These are available in DNS using the ipv6.ucc zone (e.g. martello.ipv6.ucc.asn.au), and usually in the main DNS entry. There is no reverse DNS delegation at this stage, so reverse DNS is UCC-only.

Mooneye's DNS record doesn't have an AAAA record, because we are scared of this breaking Things(tm).

IPv6 is routed to 2405:3C00:1:13::1 from [[Murasoi]].

Mail will be received over IPv6 if it is sent to [email protected] (or ipv6.ucc.gu.uwa.edu.au).

Subnets:
 * 2405:3C00:1:13::2/64 uplink (equivalent to 192.168.13.2, UWA VLAN 13)
 * 2405:3C00:1:4200::/64 machine room (VLAN 2)
 * 2405:3C00:1:4201::/64 clubroom (VLAN 3)
 * 2405:3C00:1:4203::/64 loft (VLAN 5)
 * 2405:3C00:1:4204::/64 wireless (VLAN 6)
 * 2405:3C00:1:4206::/64 public wireless (VLAN 8)
 * 2405:3C00:1:42A0::/59 PPTP VPN (each link gets a ::/64)

IPv6 link-local addresses are handed out by the PPTP/PPP daemon, and radvd is started for each link to hand out globally-routeable addresses - see [[http://lists.ucc.gu.uwa.edu.au/pipermail/tech/2010-July/003870.html|here]] (although the address ranges have changed slightly).

=== Multicast ===
UWA runs multicast in sparse PIM mode, and [[Murasoi]] runs pimd as noted [[http://lists.ucc.gu.uwa.edu.au/pipermail/ucc/2006-October/013668.html|here]]. Make sure pimd is only listening once per interface, otherwise things won't work quite right. Multicast traffic is also free.

== Higher Layers ==
HTTP goes through mussel or mooneye. HTTPS is served by mussel on secure.ucc.asn.au, however IMAPS, POPS and SMTPS are NATted by [[Murasoi]] to go to [[Motsugo]], since we're cheap and only have one SSL certificate.

There is a PPTP server running on [[Murasoi]], though SSH tends to be the most reliable protocol for tunneling about UWA.
== Configuration ==
Information on configuring the core switches can be found at [[Network/SwitchConfiguration]]. Information on configuring routing and firewalling can be found at [[Network/Firewall]].
== Monitoring ==
There are various monitoring packages installed, links to which can be found on MissionControl.

----
CategorySystemAdministration
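Review bot: the subnet list in this hunk mixes notations: "192.168.13.x/24" and "192.168.2.x" sit beside proper CIDR entries, and the management range never gets a prefix length; write them as 192.168.13.0/24 and 192.168.2.0/24 (with the real mask for the management VLAN) so the list can be used directly for firewall rules. The same hunk says radvd autoconfigures most machines onto globally routable 2405:3C00:1:4200::/56 addresses behind only a "rudimentary IPv6 firewall"; it should state whether the IPv6 policy on [[Murasoi]] mirrors the IPv4 one, since otherwise a host that is filtered on IPv4 may be reachable on IPv6.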

Understanding UCC's network can be a bit challenging at first, but after some reading you'll find that it is actually very challenging, and give up. This article is a general overview of how it works.

Layer One

There is a CAT6 cable running straight up out of the Guild machine room, along the rafters and back down into the UCC machine room, terminated on a block on the North machine room wall. This plugs in to a 100M D-Link media converter, which leads to a similar media converter in the Guild comms room in the main Guild building.

In addition, there is a long piece of CAT5 (that was previously the primary uplink!) running through the walls from the machine room to the Guild machine room in Cameron Hall (across from UWAnime).

Our uplink is into an ITS managed switch called 'cruzob'. If you're looking for where the cable runs, it's possibly disguised as a network outlet cable in one of the other student clubrooms.

In the hope that we will one day have a gigabit uplink, the Guild machine room contains Sesame (as in open sesame, geddit?) a Cisco 3508XL with two 1000BaseT and two 1000BaseLX GBICs. It is currently plugged in via the old uplink cable. (Note that this switch cannot speak anything slower than gigabit.)

Machine Room

The machine room contains three switches and a router:

  • Murasoi, a linux-based router running iptables.
  • Bitumen, a Cisco Catalyst 4507R running IOS which has 2 SupIV supervisor engines, 96 GigE ports and 12 GBIC slots.
  • Coconut, a Cisco Catalyst 2948G-GE-TX running CatOS which has 48 GigE ports and 4 SFP slots.
  • Curviceps, an HP ProCurve 1800-24G which has 24 GigE ports and 2 SFP slots.

These are all labeled and in the rack. There is also a patch panel for the clubroom wall-ports at the bottom of the right-most rack beneath Bitumen.

Clubroom

There is CAT5 cabling run from a patch panel at the bottom of the rack to a number of wall ports throughout the room. Where not enough wall-ports are available, there are small 5-port unmanaged switches used to attach more devices to the network.

Layer Two

See also: Network/SwitchConfiguration

Internal VLANs

UCC uses six VLANs internally for various purposes:

  • VLAN 1: Network and server management.
  • VLAN 2: Machine room network.
  • VLAN 3: Clubroom network.
  • VLAN 5: Loft network (used for LANs).
  • VLAN 6: Authenticated wireless network.
  • VLAN 8: Untrusted wireless network.

External VLANs

ITS trunks to us the following VLANs:

  • VLAN 13: Our main uplink, provides us our internet connection and address space. This extends to the Faculty of Arts where we have colocated machines.
  • VLAN 102: Guild clubs. Not used by UCC, was forwarded on to UniSFA.

Layer Three

Layer three at UCC is reasonably straightforward these days. A brief summary:

Subnets

There are a number of IP ranges used at UCC for various things:

  • 130.95.13.0/24 is the public address space for our AARNet connection. This range is routed to us via VLAN 13.
    • 130.95.13.0/26 is the machine room address range, internally routed on VLAN 2.
    • 130.95.13.64/26 is the clubroom address range, internally routed on VLAN 3.
  • 172.26.42.0/24 is for 'untrusted client machines' and is allocated to us by UWA and routed to us via VLAN 13. There is some history here, but these addresses are not routed outside the Uni. This subnet may be NATted to public IPs for external access.
    • 172.26.42.0/26 is for public wireless (unauthenticated clients).
    • 172.26.42.96/27 is the range we use for PPTP.
    • 172.26.42.128/26 is the loft network range.
    • 172.26.42.192/27 is the UCC wireless network range (for authenticated clients).
  • 192.168.13.x/24 is the uplink range, routed on VLAN 13 by UWA. Machines colocated in Arts also have addresses on this range.
  • 192.168.2.x is the management VLAN IP range. This is not allocated to us by UWA and not routed outside UCC.

Addressing scheme

Most of UCC's subnets use DHCP to assign addresses based on MAC address. Further details can be found at Network/Services#DHCP.

Routing and Firewall

Murasoi, the Linux router, is a beast of burden. See Network/Firewall for further information on the way it operates.

IPv6

UCC has 2405:3C00:1:4200::/56 (which is :4200:: to :42ff:: inclusive).

This is advertised by radvd on Murasoi, from which most machines autoconfigure; some machines have statically assigned addresses instead. There is a rudimentary IPv6 firewall. IPv6 traffic is free.

Many machine room systems have IPv6 addresses, which are statically assigned. These are available in DNS via the ipv6.ucc zone (e.g. martello.ipv6.ucc.asn.au), and usually in the main DNS entry as well. There is no reverse DNS delegation at this stage, so reverse DNS is UCC-only.

Mooneye's DNS record doesn't have an AAAA record, because we are scared of this breaking Things(tm).

IPv6 is routed to 2405:3C00:1:13::1 from Murasoi.

Mail will be received over IPv6 if it is sent to [email protected].ucc.asn.au (or ipv6.ucc.gu.uwa.edu.au).

Subnets:

  • 2405:3C00:1:13::2/64 uplink (equivalent to 192.168.13.2, UWA VLAN 13)
  • 2405:3C00:1:4200::/64 machine room (VLAN 2)
  • 2405:3C00:1:4201::/64 clubroom (VLAN 3)
  • 2405:3C00:1:4203::/64 loft (VLAN 5)
  • 2405:3C00:1:4204::/64 wireless (VLAN 6)
  • 2405:3C00:1:4206::/64 public wireless (VLAN 8)
  • 2405:3C00:1:42A0::/59 PPTP VPN (each link gets a ::/64)
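The IPv4 subnet list and the IPv6 subnet list above are the table a firewall policy is written from. The following Python, added here and not part of this wiki page or of UCC's own tooling, loads the documented plan and checks it: each segment sits inside the allocation the page says it comes from, no two segments overlap, a malformed prefix such as the old 203.24.97.249/29 is rejected, and any space inside an allocation that no segment accounts for is reported. It assumes the two 192.168 ranges are /24s and gives PPTP no VLAN, since the page lists none.

```python
import ipaddress
# Address plan transcribed from this page (constructed table, not UCC's config): prefix,
# segment, VLAN (None where the page gives none), parent allocation (None if the page does
# not derive the range from a block). Assumption: 192.168.13.x/24 and 192.168.2.x are /24s.
PLAN = [
    ("130.95.13.0/26",        "machine room",           2,    "130.95.13.0/24"),
    ("130.95.13.64/26",       "clubroom",               3,    "130.95.13.0/24"),
    ("172.26.42.0/26",        "public wireless",        8,    "172.26.42.0/24"),
    ("172.26.42.96/27",       "PPTP",                   None, "172.26.42.0/24"),
    ("172.26.42.128/26",      "loft",                   5,    "172.26.42.0/24"),
    ("172.26.42.192/27",      "authenticated wireless", 6,    "172.26.42.0/24"),
    ("192.168.13.0/24",       "uplink",                 13,   None),
    ("192.168.2.0/24",        "management",             1,    None),
    ("2405:3c00:1:13::/64",   "uplink",                 13,   None),
    ("2405:3c00:1:4200::/64", "machine room",           2,    "2405:3c00:1:4200::/56"),
    ("2405:3c00:1:4201::/64", "clubroom",               3,    "2405:3c00:1:4200::/56"),
    ("2405:3c00:1:4203::/64", "loft",                   5,    "2405:3c00:1:4200::/56"),
    ("2405:3c00:1:4204::/64", "authenticated wireless", 6,    "2405:3c00:1:4200::/56"),
    ("2405:3c00:1:4206::/64", "public wireless",        8,    "2405:3c00:1:4200::/56"),
    ("2405:3c00:1:42a0::/59", "PPTP",                   None, "2405:3c00:1:4200::/56"),
]

def locate(addr):  # longest-prefix match -> (segment, VLAN), or None if undocumented
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), s, v) for p, s, v, _ in PLAN if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1:] if hits else None

def audit(plan=PLAN):
    """Defects: host bits set (the 2008 revision had 203.24.97.249/29), a segment outside its allocation, overlaps."""
    problems, nets = [], []
    for prefix, seg, _, parent in plan:
        try:
            net = ipaddress.ip_network(prefix)  # strict by default: host bits must be zero
        except ValueError as err:
            problems.append(f"{seg}: {err}")
            continue
        if parent and not net.subnet_of(ipaddress.ip_network(parent)):
            problems.append(f"{seg} {net} lies outside {parent}")
        problems += [f"{seg} {net} overlaps {s2} {n2}" for n2, s2 in nets if net.version == n2.version and net.overlaps(n2)]
        nets.append((net, seg))
    return problems

def unallocated(parent, plan=PLAN):
    """Space in an allocation that no documented segment covers: it needs an explicit firewall stance."""
    holes = [ipaddress.ip_network(parent)]
    for prefix, _, _, par in plan:
        if par == parent:
            child = ipaddress.ip_network(prefix)
            holes = [h for n in holes for h in (n.address_exclude(child) if child.subnet_of(n) else [n])]
    return [str(h) for h in sorted(holes)]
```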

IPv6 link-local addresses are handed out by the PPTP/PPP daemon, and radvd is started for each link to hand out globally routable addresses; see http://lists.ucc.gu.uwa.edu.au/pipermail/tech/2010-July/003870.html (although the address ranges have changed slightly).

Multicast

UWA runs multicast in sparse PIM mode, and Murasoi runs pimd as noted at http://lists.ucc.gu.uwa.edu.au/pipermail/ucc/2006-October/013668.html. Make sure pimd is only listening once per interface, otherwise things won't work quite right. Multicast traffic is also free.

Higher Layers

HTTP goes through mussel or mooneye. HTTPS is served by mussel on secure.ucc.asn.au; IMAPS, POPS and SMTPS, however, are NATted by Murasoi to Motsugo, since we're cheap and only have one SSL certificate.

There is a PPTP server running on Murasoi, though SSH tends to be the most reliable protocol for tunneling about UWA.

Configuration

Information on configuring the core switches can be found at Network/SwitchConfiguration. Information on configuring routing and firewalling can be found at Network/Firewall.

Monitoring

There are various monitoring packages installed, links to which can be found on MissionControl.


CategorySystemAdministration