Networking

From UGCS

(Difference between revisions)

Latest revision as of 14:21, 13 June 2011

Physical Equipment

Our main switch (connected to the IMSS 1Gbit uplink) is a Juiper EX2200. This switch is brand-new as of April 2010 and screams. The core servers, shellservers, mortals, and lenin are connected to this switch. It provides a DHCP safe haven for demeter (and our servers through RADIUS on charon) while allowing Winnett DHCP for other machines. We have a Cisco 2970 connected via two LACP links to the Juniper switch for additional gigabit ports (currently filled with hosted machines). We will be setting up a Cisco 2950 with a similar gigabit trunk lines for the hosted racks once we move them to where we want them.

Juniper Switch

Juniper EX2200
Name: mercury
IP: 192.168.2.5, accessible from charon only

Static IPs in UGCS

We don't actually have a netblock, we just have 64 ip's. So you configure your machine like any other in the Winnett netblock, with netmask 255.255.255.0 and gateway 131.215.176.254. A sample Debian interfaces file:

iface eth0 inet static
    address 131.215.176.xxx
    netmask 255.255.255.0
    gateway 131.215.176.254

Firewall

Each machine does its own firewall through iptables. Cfengine installs a series of scripts in /etc/networking/if.[up,down].d that loads/saves the iptables configuration, so you can make changes knowing they will be preserved across a reboot.

IPv4 Allocations

kabta: 131.215.172.59

64: none
65-75: Coreserver
- 65 hermes
- 66 demeter
- 67 apollo
- 68 athena
- 69 persephone
- 70 hera
- 71 poseidon
- 72 zeus
- 73 hestia
- 74 hephaestus
- 75 dionysus
- 76 nfs
- 77 ( currently unused )
- 78 fo ( testing IP for failover stuff )
- 79 ( currently unused )
- 80 doldnut (owned by devteam/Jon Dama, this will be moved)
- 81 afs-c ( AFS database server, currently hermes)
- 82 afsmail ( AFS file server that houses mail partitions, currently hermes)

86-105: Hosted servers (future hosted machines should go in the Winnett netblock; email hostmaster@caltech.edu)
- 86 averyfs (owned by Avery IMSS)
- 87 bsi-la (owned by Bo Adler)
- 88 lenin (owned by Dabney comptrollers)
- 89 donut (owned by Devteam)
- 90 metatron (owned by Matt Maurer)
- 91 white (owned by Mike White)
- 92 philemon (owned by Jon Dama)
- 93 daisy (owned by Elizabeth Fong)
- 94 ballroom (Ballroom dance club)
- 95 hiro (owned by Silas Bennet)
- 98 azkaban (owned by Eugeniu Plamadeala, username eugeniu)
- 99 goose (owned by Suresh Sitaula, username suresh)
- 100 kukulza (owned by Patrick Xia, username patrick)
- 101 eternity (owned by Alex Roper, username alexr)
- 102 vitamin-s (owned by David DiCato)
- 103 (name not known yet) (owned by Pat Cahalan)
- 104 heartofgold (owned by Alex Rasmussen, username adr)
105-124: Shellserver
- 105 lara.ugcs.caltech.edu.
- 106 styx.ugcs.caltech.edu.
- 107 minthe.ugcs.caltech.edu. (i5 machine)
- 108 lethe.ugcs.caltech.edu.
- 109 calliope.ugcs.caltech.edu.
- 110 clio.ugcs.caltech.edu.
- 111 achilles.ugcs.caltech.edu (mortal)
- 112 helen.ugcs.caltech.edu (mortal)
- 113 melpomene.ugcs.caltech.edu.
- 114 polyhymnia.ugcs.caltech.edu.
- 115 terpsichore.ugcs.caltech.edu. (i5 machine)
- 116 thalia.ugcs.caltech.edu.
- 117 urania.ugcs.caltech.edu.
- 118 jason.ugcs.caltech.edu (mortal)
- 119 midas.ugcs.caltech.edu (mortal)
- 120 medusa.ugcs.caltech.edu (mortal)
- 121 dictys.ugcs.caltech.edu (mortal)
125: printer
126: charon

UGCS hosted machines in Winnett netblock

60: beryllium (owned by Chris Kennelly, username ckennelly)
61: titanic (owned by Blacker IMSS)
3: durandal (owned by Chris Whelan, username whelan)

IPv6 Allocations

Caltech may be rolling out IPv6 later in 2010. We've mentioned to them that we'd be interested in trying it.

Networking

Latest revision as of 14:21, 13 June 2011

Contents

Physical Equipment

Juniper Switch

Static IPs in UGCS

Firewall

IPv4 Allocations

UGCS hosted machines in Winnett netblock

IPv6 Allocations

Views

Personal tools

Navigation

Search

Toolbox

@@ Line 1: / Line 1: @@
-Please, do not fill this up with our speculation from Planning.
+==Physical Equipment==
-This table is meant for hard current IPs and final IPs and other network configuration relevant to the current status of the build.
+Our main switch (connected to the IMSS 1Gbit uplink) is a Juiper EX2200.  This switch is brand-new as of April 2010 and <i>screams</i>.  The core servers, shellservers, mortals, and lenin are connected to this switch.  It provides a DHCP safe haven for demeter (and our servers through RADIUS on charon) while allowing Winnett DHCP for other machines.  We have a Cisco 2970 connected via two LACP links to the Juniper switch for additional gigabit ports (currently filled with hosted machines).  We will be setting up a Cisco 2950 with a similar gigabit trunk lines for the hosted racks once we move them to where we want them.
+===Juniper Switch===
+* Juniper EX2200
+* Name: mercury
+* IP: 192.168.2.5, accessible from charon only
 ==Static IPs in UGCS==
-Within UGCS, we get only part of the subnet, and the gateway isn't in that part. As a result, the following wonky config snippet is recommended by Maurer (and Liz, the bridging will work fine with this config).  Note the MTU - because we use VLANs, we have 4 less bytes to work with.
+We don't actually have a netblock, we just have 64 ip's.  So you configure your machine like any other in the Winnett netblock, with netmask 255.255.255.0 and gateway 131.215.176.254.  A sample Debian interfaces file:
+ iface eth0 inet static
+     address 131.215.176.xxx
+     netmask 255.255.255.0
+     gateway 131.215.176.254
-  allow-hotplug eth0
+==Firewall==
-  iface eth0 inet static
+Each machine does its own firewall through iptables.  Cfengine installs a series of scripts in /etc/networking/if.[up,down].d that loads/saves the iptables configuration, so you can make changes knowing they will be preserved across a reboot.
-  address 131.215.176.num
-  broadcast 131.215.176.127
-  netmask 255.255.255.192
-  mtu 1496
-  # Route the Gateway
-  post-up route add 131.215.176.254 eth0
-  post-up route add default gw 131.215.176.254
-==VLANs==
-* Vlan 1: default (outside world/ITS) - 131.215.176.0/26 131.215.176.128/25
-* Vlan 2: management - 192.168.0.0/24
-* Vlan 3: core servers - 131.215.176.65-131.215.176.85
-* Vlan 4: shell servers - 131.215.176.96-131.215.176.125
-* Vlan 5: hosted servers - 131.215.176.86-131.215.176.95
-All Vlans except for management fall within the same basic subnet; traffic can be routed without use of a gateway and thus subnetting is not required.  However, traffic is passed between Vlans by a transparent bridge which performs packet filtering using IPTables and Snort in order to segregate traffic (for example, not allowing DHCP server responses to cross from Vlan 1 to inside or outward from Vlans 3-5 to Vlan 1).  There is no access to Vlan2 except from the bridge itself.  The bridge has IP 131.215.176.126
+==IPv4 Allocations==
+kabta: 131.215.172.59
-All servers must be registered with the bridge in order to receive a UGCS-internal Vlan assignment using VMPS and therefore a DHCP allocation from the UGCS DNS server; otherwise, they will be on Vlan 1 and be on the main Winnett network and get a DHCP address from the Winnett pool.
+* 64: none
-==IP Allocations==
-* 64: Netblock
 * 65-75: Coreserver
-** 64 netblock.ugcs.caltech.edu.
+** 65 hermes
-** 65 hermes.ugcs.caltech.edu.
+** 66 demeter
-** 66 demeter.ugcs.caltech.edu.
+** 67 apollo
-** 67 apollo.ugcs.caltech.edu.
+** 68 athena
-** 68 athena.ugcs.caltech.edu.
+** 69 persephone
-** 69 persephone.ugcs.caltech.edu
+** 70 hera
-** 70 hera.ugcs.caltech.edu.
+** 71 poseidon
-** 71 poseidon.ugcs.caltech.edu.
+** 72 zeus
-** 72 zeus.ugcs.caltech.edu.
+** 73 hestia
-** 73 hestia.ugcs.caltech.edu.
+** 74 hephaestus
-** 74 hephaestus.ugcs.caltech.edu.
+** 75 dionysus
-** 75 dionysus.ugcs.caltech.edu.
+** 76 nfs
+** 77 ( currently unused )
+** 78 fo ( testing IP for failover stuff )
+** 79 ( currently unused )
+** 80 doldnut (owned by devteam/Jon Dama, this will be moved)
+** 81 afs-c ( AFS database server, currently hermes)
+** 82 afsmail ( AFS file server that houses mail partitions, currently hermes)
-* 75-85: Hosted servers that will be moved
+* 86-105: Hosted servers (future hosted machines should go in the Winnett netblock; email hostmaster@caltech.edu)
-** 77 salamander.ugcs.caltech.edu. (DNS for salamander.caltech.edu points to UGCS-176-77.caltech.edu)
+** 86 averyfs (owned by Avery IMSS)
-** 79 lenin.ugcs.caltech.edu.
+** 87 bsi-la (owned by Bo Adler)
-** 80 doldnut.ugcs.caltech.edu.
+** 88 lenin (owned by Dabney comptrollers)
-** 81 clubs.ugcs.caltech.edu. (not in use anymore)
+** 89 donut (owned by Devteam)
+** 90 metatron (owned by Matt Maurer)
-* 86-95: Hosted servers
+** 91 white (owned by Mike White)
-** 86 averyfs.ugcs.caltech.edu.
+** 92 philemon (owned by Jon Dama)
-** 87 bsi-la.ugcs.caltech.edu.
+** 93 daisy (owned by Elizabeth Fong)
-** 88 New lenin
+** 94 ballroom (Ballroom dance club)
-** 89 donut
+** 95 hiro (owned by Silas Bennet)
-** 90 New salamander
+** 98 azkaban (owned by Eugeniu Plamadeala, username eugeniu)
-** 91 white.caltech.edu
+** 99 goose (owned by Suresh Sitaula, username suresh)
-** 92 philemon.gelide.org
+** 100 kukulza (owned by Patrick Xia, username patrick)
-** 93 daisy.ugcs.caltech.edu (Elizabeth Fong)
+** 101 eternity (owned by Alex Roper, username alexr)
-** 94 Jay Conrod's machine
+** 102 vitamin-s (owned by David DiCato)
-** 95 Silas's machine (hiro.ugcs.caltech.edu)
+** 103 (name not known yet) (owned by Pat Cahalan)
-* 96-124: Shellserver
+** 104 heartofgold (owned by Alex Rasmussen, username adr)
+* 105-124: Shellserver
 ** 105 lara.ugcs.caltech.edu.
 ** 106 styx.ugcs.caltech.edu.
-** 107 minthe.ugcs.caltech.edu.
+** 107 minthe.ugcs.caltech.edu. (i5 machine)
 ** 108 lethe.ugcs.caltech.edu.
 ** 109 calliope.ugcs.caltech.edu.
 ** 110 clio.ugcs.caltech.edu.
-** 111 erato.ugcs.caltech.edu. (down)
+** 111 achilles.ugcs.caltech.edu (mortal)
-** 112 euterpe.ugcs.caltech.edu. (down)
+** 112 helen.ugcs.caltech.edu (mortal)
 ** 113 melpomene.ugcs.caltech.edu.
 ** 114 polyhymnia.ugcs.caltech.edu.
-** 115 terpsichore.ugcs.caltech.edu.
+** 115 terpsichore.ugcs.caltech.edu. (i5 machine)
 ** 116 thalia.ugcs.caltech.edu.
 ** 117 urania.ugcs.caltech.edu.
+** 118 jason.ugcs.caltech.edu (mortal)
+** 119 midas.ugcs.caltech.edu (mortal)
+** 120 medusa.ugcs.caltech.edu (mortal)
+** 121 dictys.ugcs.caltech.edu (mortal)
 * 125: printer
 * 126: charon
-* 127: broadcast
-==Old IP Allocations==
+===UGCS hosted machines in Winnett netblock===
-{|
+* 60: beryllium (owned by Chris Kennelly, username ckennelly)
-! Current !! Permanent
+* 61: titanic (owned by Blacker IMSS)
-|-valign="top"
+*  3: durandal (owned by Chris Whelan, username whelan)
-|
-* 64 - network ID
+==IPv6 Allocations==
-** 65 switch
+* Caltech may be rolling out IPv6 later in 2010.  We've mentioned to them that we'd be interested in trying it.
-* 66-70 - key NFS/domain servers (steals)
-** 66 purchase
-** 67 envy
-** 68 barter
-** 69 beg
-** 70 steal
-* 71 shekel (down)
-* 72 jnumquam (down)
-* 73 gir (down)
-* 74 frankenpuke (refusing SSH, ping-responsive)
-* 75-82 - third-party hosting
-** 75 coconut (blacker)
-** 76 kinakuta (keegan)
-** 77 salamander (blacker)
-** 78 donut2 (ascit development server)
-** 79 lenin (dabney)
-** 80 donut (ascit)
-** 81 clubs (ascit)
-** 82 <nameunknown> (Jon Dama)
-* 83 oldbagel (ascit, jail running on donut)
-* 84 mandrake (down)
-* 85 eat (non-NFS gentoo)
-* 86 turbine (jeremy)
-* 87-93 - usable space for testing
-** 87 kryten (kpu)
-** 88 apollo
-** 89 athena
-** 90 demeter
-** 91 <usable>
-** 92 <usable>
-** 93 <usable>
-* 94-104 - pukes
-** 94 chunder
-** 95 retch
-** 96 yak
-** 97 regurgitate
-** 98 hork (down)
-** 99 barf
-** 100 upchuck
-** 101 hurl
-** 102 spew
-** 103 vomit (down)
-** 104 heave
-* 105-107 - itaniums
-** 105 woglinde (down)
-** 106 flosshilde (non-NFS gentoo)
-** 107 wellgunde (down)
-* 108-125 - currencies
-** 108 schilling
-** 109 seniti
-** 110 groat (down)
-** 111 pfennig (down)
-** 112 quetzal (down)
-** 113 cruzeiro (down)
-** 114 zloty
-** 115 baht
-** 116 ngwee
-** 117 mark
-** 118 lira
-** 119 lek (down)
-** 120 krone (down)
-** 121 euro (down)
-** 122 dinar
-** 123 riyal
-** 124 bolivar
-** 125 drachma (down)
-* 126 printer (not in use)
-* 127 <broadcast>
-|
-* 64 - Network ID
-* 65-85: UGCS core servers
-** 65 - hermes (mail)
-** 66 - demeter (netboot/dhcp, dns)
-** 67 - apollo (fileserver, AFS master)
-** 68 - athena (fileserver)
-** 69 - persephone (backup)
-** 70 - hera (kerberos/LDAP backup)
-** 71 - poseidon (subversion, postgresql, mysql, webserver)
-** 72 - zeus (kerberos/LDAP master)
-** 73 - hestia (netboot NFS)
-** 74 - hephaestus (build)
-** 75-85 - <open>
-* 86-95 - hosting of third-party servers (can be expanded downwards)
-** 86 - donut
-** 87 - coconut
-** 88 - turbine
-** 89 - salamander
-** 90 - bagel
-** 91 - kinakuta (keegan)
-** 92 - kryten (kpu)
-** 93 - lenin (dabney)
-** 94 - lily (elizabeth)
-** 95 - [in progress] Silas Bennett
-* 96-125 - clients
-** 96-105 - old generation login clients (pukes)
-*** 96 yak
-*** 97 regurgitate
-*** 98 frankenpuke
-*** 99 barf
-*** 100 upchuck
-*** 101 hurl
-*** 102 spew
-*** 103 vomit
-*** 104 heave
-** 105-110 - new generation X clients (naiads)
-** 111-124 - new generation shell servers (muses)
-** 125 - printer
-* 126 - charon (VLAN bridging, snort, VMPS vlan assignment)
-* 127 - broadcast
-|}
-==TODO==
+[[Category:Sysadmin_Documentation]]
-Set up port restrictions on all servers.