Networking

From UGCS
(Difference between revisions)
(IP Allocations)
(UGCS hosted machines in Winnett netblock)
 
(37 intermediate revisions by 5 users not shown)
Line 1: Line 1:
Please, do not fill this up with our speculation from Planning.
+
==Physical Equipment==
This table is meant for hard current IPs and final IPs and other network configuration relevant to the current status of the build.
+
Our main switch (connected to the IMSS 1Gbit uplink) is a Juiper EX2200.  This switch is brand-new as of April 2010 and <i>screams</i>.  The core servers, shellservers, mortals, and lenin are connected to this switch.  It provides a DHCP safe haven for demeter (and our servers through RADIUS on charon) while allowing Winnett DHCP for other machines.  We have a Cisco 2970 connected via two LACP links to the Juniper switch for additional gigabit ports (currently filled with hosted machines).  We will be setting up a Cisco 2950 with a similar gigabit trunk lines for the hosted racks once we move them to where we want them.
 +
 
 +
===Juniper Switch===
 +
* Juniper EX2200
 +
* Name: mercury
 +
* IP: 192.168.2.5, accessible from charon only
  
 
==Static IPs in UGCS==
 
==Static IPs in UGCS==
Within UGCS, we get only part of the subnet, and the gateway isn't in that part. As a result, the following wonky config snippet is recommended by Maurer (and Liz, the bridging will work fine with this config)Note the MTU - because we use VLANs, we have 4 less bytes to work with.
+
We don't actually have a netblock, we just have 64 ip'sSo you configure your machine like any other in the Winnett netblock, with netmask 255.255.255.0 and gateway 131.215.176.254.  A sample Debian interfaces file:
 +
iface eth0 inet static
 +
    address 131.215.176.xxx
 +
    netmask 255.255.255.0
 +
    gateway 131.215.176.254
  
  allow-hotplug eth0
+
==Firewall==
  iface eth0 inet static
+
Each machine does its own firewall through iptables. Cfengine installs a series of scripts in /etc/networking/if.[up,down].d that loads/saves the iptables configuration, so you can make changes knowing they will be preserved across a reboot.
  address 131.215.176.num
+
  broadcast 131.215.176.127
+
  netmask 255.255.255.192
+
  mtu 1496
+
  # Route the Gateway
+
  post-up route add 131.215.176.254 eth0
+
  post-up route add default gw 131.215.176.254
+
  
==VLANs==
 
* Vlan 1: default (outside world/ITS) - 131.215.176.0/26 131.215.176.128/25
 
* Vlan 2: management - 192.168.0.0/24
 
* Vlan 3: core servers - 131.215.176.65-131.215.176.85
 
* Vlan 4: shell servers - 131.215.176.96-131.215.176.125
 
* Vlan 5: hosted servers - 131.215.176.86-131.215.176.95
 
  
All Vlans except for management fall within the same basic subnet; traffic can be routed without use of a gateway and thus subnetting is not required.  However, traffic is passed between Vlans by a transparent bridge which performs packet filtering using IPTables and Snort in order to segregate traffic (for example, not allowing DHCP server responses to cross from Vlan 1 to inside or outward from Vlans 3-5 to Vlan 1).  There is no access to Vlan2 except from the bridge itself.  The bridge has IP 131.215.176.126
+
==IPv4 Allocations==
 
+
All servers must be registered with the bridge in order to receive a UGCS-internal Vlan assignment using VMPS and therefore a DHCP allocation from the UGCS DNS server; otherwise, they will be on Vlan 1 and be on the main Winnett network and get a DHCP address from the Winnett pool.
+
 
+
==Network Security==
+
Charon bridges the VLAN's, so any traffic that flows across a vlan barrier is subject to firewall rules.  By default, coreserver ports are filtered, and shellserver ports are open.
+
 
+
Charon also runs snort, but nothing is done with the alerts yet.  Its rules are auto-updated daily from bleedingthreats.net.
+
 
+
==IP Allocations==
+
 
kabta: 131.215.172.59
 
kabta: 131.215.172.59
  
* 64: Netblock
+
* 64: none
 
* 65-75: Coreserver
 
* 65-75: Coreserver
** 64 netblock.ugcs.caltech.edu.
+
** 65 hermes
** 65 hermes.ugcs.caltech.edu.
+
** 66 demeter
** 66 demeter.ugcs.caltech.edu.
+
** 67 apollo
** 67 apollo.ugcs.caltech.edu.
+
** 68 athena
** 68 athena.ugcs.caltech.edu.
+
** 69 persephone
** 69 persephone.ugcs.caltech.edu
+
** 70 hera
** 70 hera.ugcs.caltech.edu.
+
** 71 poseidon
** 71 poseidon.ugcs.caltech.edu.
+
** 72 zeus
** 72 zeus.ugcs.caltech.edu.
+
** 73 hestia
** 73 hestia.ugcs.caltech.edu.
+
** 74 hephaestus
** 74 hephaestus.ugcs.caltech.edu.
+
** 75 dionysus
** 75 dionysus.ugcs.caltech.edu.
+
** 76 nfs
** 76 nfs.ugcs.caltech.edu ( Failover NFS server between athena and hestia )
+
** 77 ( currently unused )
* 75-85: Hosted servers that will be moved
+
** 78 fo ( testing IP for failover stuff )
** 77 salamander.ugcs.caltech.edu. (owned by Blacker IMSS) (DNS for salamander.caltech.edu points to UGCS-176-77.caltech.edu)
+
** 79 ( currently unused )
** 78 fo.ugcs.caltech.edu - Testing IP for failover stuff
+
** 80 doldnut (owned by devteam/Jon Dama, this will be moved)
** 79 lenin.ugcs.caltech.edu. (owned by Dabney IMSS)
+
** 81 afs-c ( AFS database server, currently hermes)
** 80 doldnut.ugcs.caltech.edu. (owned by devteam/Jon Dama)
+
** 82 afsmail ( AFS file server that houses mail partitions, currently hermes)
* 86-105: Hosted servers  
+
 
** 86 averyfs.ugcs.caltech.edu. (Owned by Avery IMSS)
+
* 86-105: Hosted servers (future hosted machines should go in the Winnett netblock; email hostmaster@caltech.edu)
** 87 bsi-la.ugcs.caltech.edu. (owned by Bo Adler)
+
** 86 averyfs (owned by Avery IMSS)
** 88 New lenin
+
** 87 bsi-la (owned by Bo Adler)
 +
** 88 lenin (owned by Dabney comptrollers)
 
** 89 donut (owned by Devteam)
 
** 89 donut (owned by Devteam)
** 90 New salamander
+
** 90 metatron (owned by Matt Maurer)
** 91 white.caltech.edu (owned by Mike White)
+
** 91 white (owned by Mike White)
** 92 philemon.gelide.org (owned by Jon Dama)
+
** 92 philemon (owned by Jon Dama)
** 93 daisy.ugcs.caltech.edu (Elizabeth Fong)
+
** 93 daisy (owned by Elizabeth Fong)
** 94 fenris.ugcs.caltech.edu (Jay Conrod's machine)
+
** 94 ballroom (Ballroom dance club)
** 95 hiro.ugcs.caltech.edu ( Silas's machine )
+
** 95 hiro (owned by Silas Bennet)
** 97 pandora.ugcs.caltech.edu ( Owned by Blacker IMSS)
+
** 98 azkaban (owned by Eugeniu Plamadeala, username eugeniu)
** 98 azkaban.ugcs.caltech.edu ( Owned by Eugeniu Plamadeala, username eugeniu)
+
** 99 goose (owned by Suresh Sitaula, username suresh)
** 99 (owned by Keegan McAllister, username keegan)
+
** 100 kukulza (owned by Patrick Xia, username patrick)
 +
** 101 eternity (owned by Alex Roper, username alexr)
 +
** 102 vitamin-s (owned by David DiCato)
 +
** 103 (name not known yet) (owned by Pat Cahalan)
 +
** 104 heartofgold (owned by Alex Rasmussen, username adr)
 
* 105-124: Shellserver
 
* 105-124: Shellserver
 
** 105 lara.ugcs.caltech.edu.
 
** 105 lara.ugcs.caltech.edu.
 
** 106 styx.ugcs.caltech.edu.
 
** 106 styx.ugcs.caltech.edu.
** 107 minthe.ugcs.caltech.edu.
+
** 107 minthe.ugcs.caltech.edu. (i5 machine)
 
** 108 lethe.ugcs.caltech.edu.
 
** 108 lethe.ugcs.caltech.edu.
 
** 109 calliope.ugcs.caltech.edu.
 
** 109 calliope.ugcs.caltech.edu.
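Review bot: the Firewall paragraph added in this hunk points at /etc/networking/if.[up,down].d, but Debian's ifupdown hook directories are /etc/network/if-up.d and /etc/network/if-down.d (the directory is network, not networking, and the names use a hyphen rather than a dot), so a reader following the path literally will not find the cfengine scripts; consider correcting it. In the same hunk the new entries "** 76 nfs" through "** 82 afsmail" sit under the "* 65-75: Coreserver" heading, whose range should be widened to cover them or the entries moved to a range that does, and "64 ip's" reads better as "64 IPs".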
Line 79: Line 71:
 
** 113 melpomene.ugcs.caltech.edu.
 
** 113 melpomene.ugcs.caltech.edu.
 
** 114 polyhymnia.ugcs.caltech.edu.
 
** 114 polyhymnia.ugcs.caltech.edu.
** 115 terpsichore.ugcs.caltech.edu.
+
** 115 terpsichore.ugcs.caltech.edu. (i5 machine)
 
** 116 thalia.ugcs.caltech.edu.
 
** 116 thalia.ugcs.caltech.edu.
 
** 117 urania.ugcs.caltech.edu.
 
** 117 urania.ugcs.caltech.edu.
Line 88: Line 80:
 
* 125: printer
 
* 125: printer
 
* 126: charon
 
* 126: charon
* 127: broadcast
+
 
 +
===UGCS hosted machines in Winnett netblock===
 +
* 60: beryllium (owned by Chris Kennelly, username ckennelly)
 +
* 61: titanic (owned by Blacker IMSS)
 +
*  3: durandal (owned by Chris Whelan, username whelan)
 +
 
 +
==IPv6 Allocations==
 +
* Caltech may be rolling out IPv6 later in 2010.  We've mentioned to them that we'd be interested in trying it.
 +
 
 +
[[Category:Sysadmin_Documentation]]
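Review bot: the new "UGCS hosted machines in Winnett netblock" list gives only last octets (60, 61, 3) without stating the base network, and the entry "*  3: durandal" has a stray extra space; since the page uses both 131.215.176.x and 131.215.172.x (kabta), write each entry with its full address, e.g. "* 131.215.xxx.60: beryllium" with the right third octet filled in, so it cannot be confused with a UGCS-block address.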

Latest revision as of 14:21, 13 June 2011


Physical Equipment

Our main switch (connected to the IMSS 1Gbit uplink) is a Juniper EX2200. This switch is brand-new as of April 2010 and screams. The core servers, shellservers, mortals, and lenin are connected to this switch. It provides a DHCP safe haven for demeter (and our servers through RADIUS on charon) while allowing Winnett DHCP for other machines. We have a Cisco 2970 connected via two LACP links to the Juniper switch for additional gigabit ports (currently filled with hosted machines). We will be setting up a Cisco 2950 with similar gigabit trunk lines for the hosted racks once we move them to where we want them.

Juniper Switch

  • Juniper EX2200
  • Name: mercury
  • IP: 192.168.2.5, accessible from charon only

Static IPs in UGCS

We don't actually have a netblock, we just have 64 IPs. So you configure your machine like any other in the Winnett netblock, with netmask 255.255.255.0 and gateway 131.215.176.254. A sample Debian interfaces file:

iface eth0 inet static
    address 131.215.176.xxx
    netmask 255.255.255.0
    gateway 131.215.176.254
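The following is an added example, not code from the original wiki page. It uses the addresses and role ranges copied from this page to check a proposed host configuration: it shows why the gateway 131.215.176.254 is only on-link when the machine uses netmask 255.255.255.0 (with the 64-address mask 255.255.255.192 it would be outside the subnet), renders the interfaces stanza above for a given last octet, and, going a little beyond the text, checks the page's own role ranges for overlaps. The function names and the idea of checking ranges this way are assumptions of the example.

```python
"""Sanity checks for the UGCS static-IP scheme described above.

Added example: this is not code from the original wiki page.  The
addresses and role ranges are copied from the page; the functions are
assumptions about how one would check a proposed host configuration.
"""
import ipaddress

GATEWAY = ipaddress.ip_address("131.215.176.254")        # from the page
WINNETT_NET = ipaddress.ip_network("131.215.176.0/24")   # netmask 255.255.255.0
UGCS_BLOCK = ipaddress.ip_network("131.215.176.64/26")   # the 64 addresses .64-.127

# Role ranges exactly as written on the page (last octet, inclusive).
ROLE_RANGES = {
    "none": (64, 64),
    "coreserver": (65, 75),
    "hosted": (86, 105),
    "shellserver": (105, 124),
    "printer": (125, 125),
    "charon": (126, 126),
}


def gateway_on_link(host, netmask):
    """True if the gateway lies inside the subnet a host with this netmask sees.

    With 255.255.255.0 the gateway .254 is on-link; with the 64-address
    mask 255.255.255.192 it is not, which is why the page recommends the /24.
    """
    iface = ipaddress.ip_interface(f"{host}/{netmask}")
    return GATEWAY in iface.network


def in_ugcs_block(last_octet):
    """True if 131.215.176.<last_octet> is one of the 64 UGCS addresses."""
    return ipaddress.ip_address(f"131.215.176.{last_octet}") in UGCS_BLOCK


def interfaces_stanza(last_octet):
    """Render the /etc/network/interfaces stanza the page recommends."""
    if not in_ugcs_block(last_octet):
        raise ValueError(f"131.215.176.{last_octet} is outside {UGCS_BLOCK}")
    return "\n".join([
        "iface eth0 inet static",
        f"    address 131.215.176.{last_octet}",
        f"    netmask {WINNETT_NET.netmask}",
        f"    gateway {GATEWAY}",
    ])


def roles_for(last_octet):
    """Every page role range that claims this last octet (more than one = clash)."""
    return [r for r, (lo, hi) in ROLE_RANGES.items() if lo <= last_octet <= hi]


def overlapping_ranges():
    """Pairs of role ranges that share at least one address."""
    names = list(ROLE_RANGES)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            alo, ahi = ROLE_RANGES[a]
            blo, bhi = ROLE_RANGES[b]
            if alo <= bhi and blo <= ahi:
                clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    print(interfaces_stanza(100))
    for mask in ("255.255.255.0", "255.255.255.192"):
        print(mask, "gateway on-link:", gateway_on_link("131.215.176.100", mask))
    print("range clashes:", overlapping_ranges())
```

Run as written, `overlapping_ranges()` reports the hosted and shellserver ranges, because as the page writes them (86-105 and 105-124) both contain .105; `in_ugcs_block` refuses any last octet outside 64-127 before a stanza is rendered.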

Firewall

Each machine does its own firewall through iptables. Cfengine installs a series of scripts in /etc/networking/if.[up,down].d that load/save the iptables configuration, so you can make changes knowing they will be preserved across a reboot.
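Because the rules are only preserved if the save hook actually ran after the last change, a practitioner wants a quick way to confirm that the live ruleset and the saved copy agree. The following is an added example, not code from the wiki page or from the cfengine scripts it mentions: it parses the iptables-save text format, compares two rulesets while ignoring packet and byte counters (so a reboot does not look like drift), and lists the TCP ports a chain accepts. Both rulesets are constructed samples, not captures from a UGCS machine.

```python
"""Check that a machine's live iptables ruleset matches the saved copy.

Added example, not part of the original wiki page or its cfengine scripts.
It parses the iptables-save text format; the two rulesets below are
constructed samples, not captures from a UGCS machine.
"""
import re

# Constructed sample: what `iptables-save` might print on a shell server.
LIVE = """\
# Generated by iptables-save v1.4.8 on Mon Jun 13 14:21:00 2011
*filter
:INPUT DROP [1234:567890]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4321:98765]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
COMMIT
# Completed on Mon Jun 13 14:21:00 2011
"""

# Constructed sample: the file the save hook last wrote (port 8080 was
# opened by hand afterwards and never saved).
SAVED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]" header lines; counters are discarded.
_CHAIN = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line == "COMMIT":
            current = None
        elif current is None:
            raise ValueError(f"rule outside a table: {line!r}")
        else:
            m = _CHAIN.match(line)
            if m:
                current["policies"][m.group(1)] = m.group(2)
            else:
                current["rules"].append(line)
    return tables


def ruleset_drift(live_text, saved_text):
    """List differences; an empty list means the live rules are persisted."""
    live = parse_iptables_save(live_text)
    saved = parse_iptables_save(saved_text)
    empty = {"policies": {}, "rules": []}
    problems = []
    for table in sorted(set(live) | set(saved)):
        l, s = live.get(table, empty), saved.get(table, empty)
        for chain in sorted(set(l["policies"]) | set(s["policies"])):
            lp, sp = l["policies"].get(chain), s["policies"].get(chain)
            if lp != sp:
                problems.append(f"{table}/{chain}: live policy {lp}, saved policy {sp}")
        for rule in l["rules"]:
            if rule not in s["rules"]:
                problems.append(f"{table}: live rule not saved: {rule}")
        for rule in s["rules"]:
            if rule not in l["rules"]:
                problems.append(f"{table}: saved rule not live: {rule}")
    return problems


def open_tcp_ports(text, chain="INPUT"):
    """TCP destination ports ACCEPTed in a chain: a quick 'what is exposed' view."""
    ports = set()
    for table in parse_iptables_save(text).values():
        for rule in table["rules"]:
            if rule.startswith(f"-A {chain} ") and "-p tcp" in rule and rule.endswith("-j ACCEPT"):
                m = re.search(r"--dport (\d+)", rule)
                if m:
                    ports.add(int(m.group(1)))
    return sorted(ports)


if __name__ == "__main__":
    for problem in ruleset_drift(LIVE, SAVED):
        print("DRIFT:", problem)
    print("open TCP ports:", open_tcp_ports(LIVE))
```

On a real machine you would feed `ruleset_drift` the output of `iptables-save` and the contents of the file the save hook writes; the sample above reports the unsaved port 8080 rule. Keep the saved rules file readable by root only, since it documents exactly which ports each host filters.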


IPv4 Allocations

kabta: 131.215.172.59

  • 64: none
  • 65-75: Coreserver
    • 65 hermes
    • 66 demeter
    • 67 apollo
    • 68 athena
    • 69 persephone
    • 70 hera
    • 71 poseidon
    • 72 zeus
    • 73 hestia
    • 74 hephaestus
    • 75 dionysus
    • 76 nfs
    • 77 (currently unused)
    • 78 fo (testing IP for failover stuff)
    • 79 (currently unused)
    • 80 doldnut (owned by devteam/Jon Dama, this will be moved)
    • 81 afs-c (AFS database server, currently hermes)
    • 82 afsmail (AFS file server that houses mail partitions, currently hermes)
  • 86-105: Hosted servers (future hosted machines should go in the Winnett netblock; email hostmaster@caltech.edu)
    • 86 averyfs (owned by Avery IMSS)
    • 87 bsi-la (owned by Bo Adler)
    • 88 lenin (owned by Dabney comptrollers)
    • 89 donut (owned by Devteam)
    • 90 metatron (owned by Matt Maurer)
    • 91 white (owned by Mike White)
    • 92 philemon (owned by Jon Dama)
    • 93 daisy (owned by Elizabeth Fong)
    • 94 ballroom (Ballroom dance club)
    • 95 hiro (owned by Silas Bennet)
    • 98 azkaban (owned by Eugeniu Plamadeala, username eugeniu)
    • 99 goose (owned by Suresh Sitaula, username suresh)
    • 100 kukulza (owned by Patrick Xia, username patrick)
    • 101 eternity (owned by Alex Roper, username alexr)
    • 102 vitamin-s (owned by David DiCato)
    • 103 (name not known yet) (owned by Pat Cahalan)
    • 104 heartofgold (owned by Alex Rasmussen, username adr)
  • 105-124: Shellserver
    • 105 lara.ugcs.caltech.edu.
    • 106 styx.ugcs.caltech.edu.
    • 107 minthe.ugcs.caltech.edu. (i5 machine)
    • 108 lethe.ugcs.caltech.edu.
    • 109 calliope.ugcs.caltech.edu.
    • 110 clio.ugcs.caltech.edu.
    • 111 achilles.ugcs.caltech.edu (mortal)
    • 112 helen.ugcs.caltech.edu (mortal)
    • 113 melpomene.ugcs.caltech.edu.
    • 114 polyhymnia.ugcs.caltech.edu.
    • 115 terpsichore.ugcs.caltech.edu. (i5 machine)
    • 116 thalia.ugcs.caltech.edu.
    • 117 urania.ugcs.caltech.edu.
    • 118 jason.ugcs.caltech.edu (mortal)
    • 119 midas.ugcs.caltech.edu (mortal)
    • 120 medusa.ugcs.caltech.edu (mortal)
    • 121 dictys.ugcs.caltech.edu (mortal)
  • 125: printer
  • 126: charon

UGCS hosted machines in Winnett netblock

  • 60: beryllium (owned by Chris Kennelly, username ckennelly)
  • 61: titanic (owned by Blacker IMSS)
  • 3: durandal (owned by Chris Whelan, username whelan)

IPv6 Allocations

  • Caltech may be rolling out IPv6 later in 2010. We've mentioned to them that we'd be interested in trying it.