Differences between revisions 3 and 33 (spanning 30 versions)
Revision 3 as of 2008-08-19 16:06:23
Size: 2790
Editor: LukeWilliams
Comment:
Revision 33 as of 2010-07-15 21:17:51
Size: 6503
Editor: humpback
Comment:

Understanding UCC's network can be a bit challenging at first, but after some reading you'll find that it is actually very challenging, and give up. This article is a general overview of how it works.

Layer One

There is a long piece of CAT5 running through the walls from the machine room to the Guild machine room in Cameron Hall (across from UWAnime). This plugs into a 100M D-Link media converter, which leads to a similar media converter in the Guild comms room in the main Guild building. Our uplink is into an ITS managed switch called 'cruzob'. If you're looking for where the cable runs, it's possibly disguised as a network outlet cable in one of the other student clubrooms.

Machine Room

The machine room contains two switches and a router:

  • Madako, a Linux-based router running iptables.
  • Coconut, a Cisco Catalyst 2948G-GE-TX running CatOS which has 48 GigE ports and 4 SFP slots.
  • Olive, a Cisco Catalyst 2924 XL running IOS which has 24 FastEthernet ports.

These are all labeled and in the rack. There is also a patch panel for the clubroom wall-ports at the top of the rack.

Clubroom

There is CAT5 cabling run from a patch panel at the top of the rack to a number of wall ports throughout the room. Where not enough wall-ports are available, there are small 5-port unmanaged switches used to attach more devices to the network.

Layer Two

Internal VLANs

UCC uses seven VLANs internally for various purposes:

  • VLAN 1: Network and server management.
  • VLAN 2: Machine room network.
  • VLAN 3: Clubroom network.
  • VLAN 5: Loft network (used for LANs).
  • VLAN 6: Wireless network.
  • VLAN 7: Printers (currently largely unused).
  • VLAN 8: Netboot (Ubuntu Port).

External VLANs

ITS trunks to us the following VLANs:

  • VLAN 11: SNAP.
  • VLAN 13: Our main uplink, provides us our internet connection and address space.
  • VLAN 102: Guild clubs. Not used by UCC, forwarded on to UniSFA.

Layer Three

Layer three at UCC is pretty nasty, and the firewall script alone probably deserves its own article. However, a brief summary of how it all works:

Subnets

There are a number of IP ranges used at UCC for various things:

  • 130.95.13.0/24 is the public address space for our AARNet connection. Incoming, non-peering traffic to these addresses is charged at 4c/mb. This range is routed to us via VLAN 13.
    • 130.95.13.0/26 is the machine room address range, internally routed on VLAN 2.
    • 130.95.13.64/26 is the clubroom address range, internally routed on VLAN 3.
  • 203.24.97.249/29 is the public address space for our Silk connection. Traffic to and from these addresses is unmetered. This range is also routed to us via VLAN 13.
  • 10.13.13.0/24 is a private range used for network printers. These addresses reside on VLAN 7 and are not routed outside.
  • 10.203.13.0/24 is our address range on the Resnet (college) network. Routed via VLAN 13.
  • 172.26.42.0/24 is for 'untrusted client machines' - there is some history here, but they are never routed outside the Uni (unless NAT is involved, which it is).
    • 172.26.42.8/29 is the Ubuntu Port (netboot install) network.
    • 172.26.42.96/27 is the range we use for PPTP.
    • 172.26.42.128/26 is the loft network range.
    • 172.26.42.192/27 is the 'ugg' wireless network range.
    • 172.26.24.224/27 is used by Flying for the 'ucc' wireless network, currently unavailable.
  • 10.11.0.0/24 on the SNAP VLAN (10.11.0.0/16 in total) is not leased out by the central SNAP DHCP server, so some IPs in this range can be taken for services. Currently 10.11.0.13 is the UCC SNAP SSH forward (which ends up at martello) and .11 is used by evil.

Addressing scheme

Most of UCC's subnets use DHCP to assign addresses based on MAC address. Further details can be found at Network/Services#DHCP.

Routing and Firewall

Madako, the Linux router, is a beast of burden. See Network/Firewall for further information on the way it operates.

IPv6

UCC has 2001:388:7094:4080::/58 (which is :4080:: to :40bf:: inclusive). This used to go over a tunnel to AARNET's Sydney tunnel broker, but UWA now peers native IPv6 to AARNET. This makes the connection a fair bit faster and more reliable.

This prefix is advertised by radvd on madako, from which most machines autoconfigure; some machines, however, have statically assigned addresses. There is a rudimentary IPv6 firewall. IPv6 traffic is free.

Many machine room systems have IPv6 addresses, which are statically assigned. These are available in DNS using the ipv6.ucc zone (e.g. martello.ipv6.ucc.asn.au). There is no reverse DNS at this stage, although the delegation from AARNET to UWA exists.

IPv6 is routed to 2001:388:7094:1::1 from Madako.

Subnets:

  • 2001:388:7094:1::2/64 uplink (equivalent to 192.168.13.2, UWA VLAN 13)
  • 2001:388:7094:4080::/64 machine room (VLAN 2)
  • 2001:388:7094:4081::/64 clubroom (VLAN 3)
  • 2001:388:7094:4083::/64 loft (VLAN 5)
  • 2001:388:7094:4084::/64 wireless (VLAN 6)

IPv6 link-local addresses are handed out by the PPTP/PPP daemon, and radvd is started for each link to hand out globally routable addresses - see http://lists.ucc.gu.uwa.edu.au/pipermail/tech/2010-July/003870.html.
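The IPv4 and IPv6 subnet lists above are an address plan with parent ranges and children routed on particular VLANs; a quick way to catch transcription slips in such a plan is to check it mechanically. The following is an added example, not code from the UCC wiki: it checks each listed prefix with Python's ipaddress module, flags prefixes whose host bits are set, children that do not sit inside their stated parent, and overlaps between ranges the page does not relate. The PLAN table is my transcription of the page's lists.

```python
# Added example (not part of the wiki page): sanity-check the address plan
# above with Python's ipaddress module. PLAN is my transcription of the
# page's subnet lists: (prefix, description, stated parent or None).
import ipaddress
from itertools import combinations

PLAN = [
    ("130.95.13.0/24", "AARNet public space, VLAN 13", None),
    ("130.95.13.0/26", "machine room, VLAN 2", "130.95.13.0/24"),
    ("130.95.13.64/26", "clubroom, VLAN 3", "130.95.13.0/24"),
    ("203.24.97.249/29", "Silk public space, VLAN 13", None),
    ("10.13.13.0/24", "printers, VLAN 7", None),
    ("10.203.13.0/24", "Resnet, VLAN 13", None),
    ("172.26.42.0/24", "untrusted clients, NATted", None),
    ("172.26.42.8/29", "Ubuntu Port netboot", "172.26.42.0/24"),
    ("172.26.42.96/27", "PPTP", "172.26.42.0/24"),
    ("172.26.42.128/26", "loft", "172.26.42.0/24"),
    ("172.26.42.192/27", "'ugg' wireless", "172.26.42.0/24"),
    ("172.26.24.224/27", "'ucc' wireless (Flying)", "172.26.42.0/24"),
    ("2001:388:7094:4080::/58", "UCC IPv6 allocation", None),
    ("2001:388:7094:4080::/64", "machine room, VLAN 2", "2001:388:7094:4080::/58"),
    ("2001:388:7094:4081::/64", "clubroom, VLAN 3", "2001:388:7094:4080::/58"),
    ("2001:388:7094:4083::/64", "loft, VLAN 5", "2001:388:7094:4080::/58"),
    ("2001:388:7094:4084::/64", "wireless, VLAN 6", "2001:388:7094:4080::/58"),
]

def check_plan(plan=PLAN):
    """Return (prefix, problem) pairs: bad network addresses, children
    outside their stated parent, and overlaps between unrelated ranges."""
    problems, nets = [], {}
    for prefix, _desc, _parent in plan:
        try:  # strict=True rejects a prefix with host bits set (x.x.x.249/29)
            nets[prefix] = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            problems.append((prefix, "host bits set; not a network address"))
            nets[prefix] = ipaddress.ip_network(prefix, strict=False)
    for prefix, _desc, parent in plan:
        if parent and not nets[prefix].subnet_of(nets[parent]):
            problems.append((prefix, f"not inside stated parent {parent}"))
    for (p1, _d1, par1), (p2, _d2, par2) in combinations(plan, 2):
        n1, n2 = nets[p1], nets[p2]
        if n1.version != n2.version or par1 == p2 or par2 == p1:
            continue  # different families, or a stated parent/child pair
        if n1.overlaps(n2):
            problems.append((p1, f"overlaps {p2} without a parent/child link"))
    return problems

if __name__ == "__main__":
    for prefix, problem in check_plan():
        print(f"{prefix}: {problem}")
```

Run as-is it reports the two entries a reader might wonder about: 203.24.97.249/29 is written with a host address rather than a network address, and 172.26.24.224/27 is listed under 172.26.42.0/24 but does not lie inside it.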

Multicast

UWA runs multicast in sparse PIM mode, and madako runs pimd as noted at http://lists.ucc.gu.uwa.edu.au/pipermail/ucc/2006-October/013668.html. Make sure pimd is only listening once per interface, otherwise things won't work quite right. Multicast traffic is also free.

Higher Layers

All HTTP goes through mooneye, and is proxied to various other machines for processing, primarily mussel. HTTPS is served by mussel on secure.ucc.asn.au, however IMAPS, POPS and SMTPS are NATted by madako to go to mooneye, since we're cheap and only have one SSL certificate.

Lots of port 80 traffic somehow gets slurped up by a cacheboy HTTP proxy maintained by [AHC].

There is sometimes a PPTP server running on madako, though SSH tends to be the most reliable protocol for tunneling about UWA.

Configuration

Information on configuring the core switches can be found at Network/SwitchConfiguration. Information on configuring routing and firewalling can be found at Network/Firewall.

Monitoring

There are various monitoring packages installed, links to which can be found on MissionControl.


CategorySystemAdministration