Networking

From UGCS
(Difference between revisions)
(UGCS hosted machines in Winnett netblock)
 
(16 intermediate revisions by 3 users not shown)
Line 1: Line 1:
==Static IPs in UGCS==
+
==Physical Equipment==
Note the MTU - because we use VLANs, we have 4 less bytes to work with.
+
Our main switch (connected to the IMSS 1Gbit uplink) is a Juiper EX2200.  This switch is brand-new as of April 2010 and <i>screams</i>.  The core servers, shellservers, mortals, and lenin are connected to this switch.  It provides a DHCP safe haven for demeter (and our servers through RADIUS on charon) while allowing Winnett DHCP for other machines.  We have a Cisco 2970 connected via two LACP links to the Juniper switch for additional gigabit ports (currently filled with hosted machines).  We will be setting up a Cisco 2950 with a similar gigabit trunk lines for the hosted racks once we move them to where we want them.
  
  allow-hotplug eth0
+
===Juniper Switch===
  iface eth0 inet static
+
* Juniper EX2200
  address 131.215.176.num
+
* Name: mercury
  broadcast 131.215.176.127
+
* IP: 192.168.2.5, accessible from charon only
  netmask 255.255.255.192
+
  gateway 131.215.176.126
+
  mtu 1496
+
  
==VLANs==
+
==Static IPs in UGCS==
* Vlan 1: default (outside world/ITS) - 131.215.176.0/26 131.215.176.128/25
+
We don't actually have a netblock, we just have 64 ip's. So you configure your machine like any other in the Winnett netblock, with netmask 255.255.255.0 and gateway 131.215.176.254.  A sample Debian interfaces file:
* Vlan 2: management - 192.168.1.0/24
+
iface eth0 inet static
* Vlan 3: core servers - 131.215.176.65-131.215.176.85
+
    address 131.215.176.xxx
* Vlan 4: shell servers - 131.215.176.96-131.215.176.125
+
    netmask 255.255.255.0
* Vlan 5: hosted servers - 131.215.176.86-131.215.176.95
+
    gateway 131.215.176.254
  
All Vlans except for management fall within the same basic subnet; traffic can be routed without use of a gateway and thus subnetting is not requiredHowever, traffic is passed between Vlans by a transparent bridge which performs packet filtering using IPTables and Snort in order to segregate traffic (for example, not allowing DHCP server responses to cross from Vlan 1 to inside or outward from Vlans 3-5 to Vlan 1). There is no access to Vlan2 except from the bridge itself.  The bridge has IP 131.215.176.126
+
==Firewall==
 +
Each machine does its own firewall through iptablesCfengine installs a series of scripts in /etc/networking/if.[up,down].d that loads/saves the iptables configuration, so you can make changes knowing they will be preserved across a reboot.
  
All servers must be registered with the bridge in order to receive a UGCS-internal Vlan assignment using VMPS and therefore a DHCP allocation from the UGCS DNS server; otherwise, they will be on Vlan 1 and be on the main Winnett network and get a DHCP address from the Winnett pool.
 
 
==Network Security==
 
Charon bridges the VLAN's, so any traffic that flows across a vlan barrier is subject to firewall rules.  By default, coreserver ports are filtered, and shellserver ports are open.
 
 
Charon also runs snort, but nothing is done with the alerts yet.  Its rules are auto-updated daily from bleedingthreats.net.
 
 
If you need to block a host, add it to the "for" loop in charon:/usr/local/sbin/blocked_machines.  This script is called from bridge_forward, so make sure to re-run it after you updated blocked_machines.
 
  
 
==IPv4 Allocations==
 
==IPv4 Allocations==
 
kabta: 131.215.172.59
 
kabta: 131.215.172.59
  
* 64: Netblock
+
* 64: none
 
* 65-75: Coreserver
 
* 65-75: Coreserver
** 64 netblock.ugcs.caltech.edu.
+
** 65 hermes
** 65 hermes.ugcs.caltech.edu.
+
** 66 demeter
** 66 demeter.ugcs.caltech.edu.
+
** 67 apollo
** 67 apollo.ugcs.caltech.edu.
+
** 68 athena
** 68 athena.ugcs.caltech.edu.
+
** 69 persephone
** 69 persephone.ugcs.caltech.edu
+
** 70 hera
** 70 hera.ugcs.caltech.edu.
+
** 71 poseidon
** 71 poseidon.ugcs.caltech.edu.
+
** 72 zeus
** 72 zeus.ugcs.caltech.edu.
+
** 73 hestia
** 73 hestia.ugcs.caltech.edu.
+
** 74 hephaestus
** 74 hephaestus.ugcs.caltech.edu.
+
** 75 dionysus
** 75 dionysus.ugcs.caltech.edu.
+
** 76 nfs
** 76 nfs.ugcs.caltech.edu ( Failover NFS server between athena and hestia )
+
** 77 ( currently unused )
* 75-85: Hosted servers that will be moved
+
** 78 fo ( testing IP for failover stuff )
** 78 fo.ugcs.caltech.edu - Testing IP for failover stuff
+
** 79 ( currently unused )
** 80 doldnut.ugcs.caltech.edu. (owned by devteam/Jon Dama)
+
** 80 doldnut (owned by devteam/Jon Dama, this will be moved)
** 81: afs-a.ugcs.caltech.edu: AFS database server (current zeus uses this IP)
+
** 81 afs-c ( AFS database server, currently hermes)
** 82: afsmail.ugcs.caltech.edu: AFS file server that houses mail partitions (currently failover between hermes and athena)
+
** 82 afsmail ( AFS file server that houses mail partitions, currently hermes)
* 86-105: Hosted servers  
+
 
** 86 averyfs.ugcs.caltech.edu. (Owned by Avery IMSS)
+
* 86-105: Hosted servers (future hosted machines should go in the Winnett netblock; email hostmaster@caltech.edu)
** 87 bsi-la.ugcs.caltech.edu. (owned by Bo Adler)
+
** 86 averyfs (owned by Avery IMSS)
 +
** 87 bsi-la (owned by Bo Adler)
 
** 88 lenin (owned by Dabney comptrollers)
 
** 88 lenin (owned by Dabney comptrollers)
 
** 89 donut (owned by Devteam)
 
** 89 donut (owned by Devteam)
 
** 90 metatron (owned by Matt Maurer)
 
** 90 metatron (owned by Matt Maurer)
** 91 white.caltech.edu (owned by Mike White)
+
** 91 white (owned by Mike White)
** 92 philemon.gelide.org (owned by Jon Dama)
+
** 92 philemon (owned by Jon Dama)
** 93 daisy.ugcs.caltech.edu (Elizabeth Fong)
+
** 93 daisy (owned by Elizabeth Fong)
** 94 ballroom (Ballroom dance club)
+
** 94 ballroom (Ballroom dance club)
** 95 hiro.ugcs.caltech.edu ( Silas's machine )
+
** 95 hiro (owned by Silas Bennet)
** 98 azkaban.ugcs.caltech.edu ( Owned by Eugeniu Plamadeala, username eugeniu)
+
** 98 azkaban (owned by Eugeniu Plamadeala, username eugeniu)
** 99 fisheye.ugcs.caltech.edu (owned by Keegan McAllister, username keegan)
+
** 99 goose (owned by Suresh Sitaula, username suresh)
** 100 kukulza.ugcs.caltech.edu (Patrick Xia, username patrick)
+
** 100 kukulza (owned by Patrick Xia, username patrick)
** 101 eternity.ugcs.caltech.edu (Alex Roper, username alexr)
+
** 101 eternity (owned by Alex Roper, username alexr)
** 102 vitamin-s.ugcs.caltech.edu (owned by David DiCato)
+
** 102 vitamin-s (owned by David DiCato)
** 103 (name not known yet) ( owned by Pat Cahalan )
+
** 103 (name not known yet) (owned by Pat Cahalan)
** 104 (name not known yet) ( owned by Alex Rasmussen )
+
** 104 heartofgold (owned by Alex Rasmussen, username adr)
 
* 105-124: Shellserver
 
* 105-124: Shellserver
 
** 105 lara.ugcs.caltech.edu.
 
** 105 lara.ugcs.caltech.edu.
 
** 106 styx.ugcs.caltech.edu.
 
** 106 styx.ugcs.caltech.edu.
** 107 minthe.ugcs.caltech.edu.
+
** 107 minthe.ugcs.caltech.edu. (i5 machine)
 
** 108 lethe.ugcs.caltech.edu.
 
** 108 lethe.ugcs.caltech.edu.
** 109 calliope.ugcs.caltech.edu. (mortal)
+
** 109 calliope.ugcs.caltech.edu.
 
** 110 clio.ugcs.caltech.edu.
 
** 110 clio.ugcs.caltech.edu.
 
** 111 achilles.ugcs.caltech.edu (mortal)
 
** 111 achilles.ugcs.caltech.edu (mortal)
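Review bot: deleting the VLANs and Network Security sections (the charon bridge at 131.215.176.126 filtering inter-VLAN traffic with iptables and Snort, VMPS registration, and the charon:/usr/local/sbin/blocked_machines procedure) leaves the revised text silent on whether any filtering still happens between host classes, while the added Physical Equipment paragraph still has charon providing RADIUS and the added Juniper entry says 192.168.2.5 is "accessible from charon only". Either keep a short paragraph on what charon now does (and where the host-blocking procedure lives), or state plainly that the bridge is gone and the per-host iptables rules are the only filter. Two smaller points in the added lines: "Juiper EX2200" should read "Juniper EX2200", and "/etc/networking/if.[up,down].d" should be Debian's "/etc/network/if-up.d" and "/etc/network/if-down.d". Finally, the sample config changes from a /26 with gateway .126 and "mtu 1496" to a /24 with gateway .254 and no MTU line; if the server ports are still VLAN-tagged, the 4-byte MTU reduction still applies and the note should survive the rewrite.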
Line 80: Line 71:
 
** 113 melpomene.ugcs.caltech.edu.
 
** 113 melpomene.ugcs.caltech.edu.
 
** 114 polyhymnia.ugcs.caltech.edu.
 
** 114 polyhymnia.ugcs.caltech.edu.
** 115 terpsichore.ugcs.caltech.edu.
+
** 115 terpsichore.ugcs.caltech.edu. (i5 machine)
 
** 116 thalia.ugcs.caltech.edu.
 
** 116 thalia.ugcs.caltech.edu.
 
** 117 urania.ugcs.caltech.edu.
 
** 117 urania.ugcs.caltech.edu.
** 118 jason.ugcs.caltech.edu (mortal, currently used for testing)
+
** 118 jason.ugcs.caltech.edu (mortal)
 
** 119 midas.ugcs.caltech.edu (mortal)  
 
** 119 midas.ugcs.caltech.edu (mortal)  
 
** 120 medusa.ugcs.caltech.edu (mortal)
 
** 120 medusa.ugcs.caltech.edu (mortal)
** 121 dictys.ugcs.caltech.edu (mortal, currently used for testing)
+
** 121 dictys.ugcs.caltech.edu (mortal)
 
* 125: printer
 
* 125: printer
 
* 126: charon
 
* 126: charon
* 127: broadcast
+
 
 +
===UGCS hosted machines in Winnett netblock===
 +
* 60: beryllium (owned by Chris Kennelly, username ckennelly)
 +
* 61: titanic (owned by Blacker IMSS)
 +
*  3: durandal (owned by Chris Whelan, username whelan)
  
 
==IPv6 Allocations==
 
==IPv6 Allocations==
* We should get some (independent of Caltech even), if at all remotely possible.
+
* Caltech may be rolling out IPv6 later in 2010.  We've mentioned to them that we'd be interested in trying it.
  
==See also==
 
* [[Cisco switches]]
 
 
[[Category:Sysadmin_Documentation]]
 
[[Category:Sysadmin_Documentation]]
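Review bot: the revised hosted-servers header reads 86-105 while the shellserver range starts at 105 and lara is listed at 105; the hosted sub-list ends at 104, so the header should be 86-104. Likewise the 65-75 Coreserver header now sits over a sub-list that runs to 82 (nfs, fo, doldnut, afs-c, afsmail), so either widen the header to 65-85 or give the service addresses their own range as the removed "75-85" line did. The new "UGCS hosted machines in Winnett netblock" list gives bare last octets (60, 61, 3) without saying which /24 they are in; since the rewritten Static IPs section says UGCS hosts are ordinary Winnett addresses with gateway 131.215.176.254, writing 131.215.176.60 etc. removes the ambiguity. Dropping "127: broadcast" is consistent with the move to a /24, but "kabta: 131.215.172.59" is still left unexplained at the top of the allocations.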

Latest revision as of 14:21, 13 June 2011


Physical Equipment

Our main switch (connected to the IMSS 1Gbit uplink) is a Juniper EX2200. This switch is brand-new as of April 2010 and screams. The core servers, shellservers, mortals, and lenin are connected to this switch. It provides a DHCP safe haven for demeter (and for our servers, via RADIUS on charon) while allowing Winnett DHCP for other machines. We have a Cisco 2970 connected via two LACP links to the Juniper switch for additional gigabit ports (currently filled with hosted machines). We will set up a Cisco 2950 with similar gigabit trunk links for the hosted racks once we move them to where we want them.

Juniper Switch

  • Juniper EX2200
  • Name: mercury
  • IP: 192.168.2.5, accessible from charon only

Static IPs in UGCS

We don't actually have our own netblock; we just have 64 IPs (131.215.176.64 through 131.215.176.127) inside the Winnett network. So you configure your machine like any other in the Winnett netblock, with netmask 255.255.255.0 and gateway 131.215.176.254, using an address from the allocations below. A sample /etc/network/interfaces stanza on Debian:

# allow-hotplug brings eth0 up when the kernel registers it; use "auto eth0"
# instead if the interface must be configured unconditionally at boot.
allow-hotplug eth0
iface eth0 inet static
    address 131.215.176.xxx
    netmask 255.255.255.0
    gateway 131.215.176.254
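Before putting a static address on a shared /24 it is worth checking that the last octet is actually inside the UGCS slice and that nothing on the wire already answers for it. The following is an added example, not a script from the UGCS wiki or its cfengine tree: it generates the stanza above for a given last octet and runs a duplicate-address probe with arping. The usable range 65-124 (64 is unused, 125 is the printer, 126 is charon, and nothing is listed at 127) is taken from the allocation table further down; the interface name and the use of iputils arping are assumptions.

```sh
# Added example (not from the UGCS wiki): build the interfaces stanza for a UGCS
# static address and probe the segment for a duplicate before bringing it up.
# Assumptions: UGCS owns 131.215.176.64-127 inside the Winnett /24, hosts may
# take 65-124 (64 unused, 125 printer, 126 charon, 127 left free), and arping
# from the iputils package is installed.

UGCS_PREFIX="131.215.176"
UGCS_GATEWAY="131.215.176.254"

# Return 0 if $1 is a last octet a new UGCS host may take, 1 otherwise.
ugcs_octet_ok() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;            # empty or not a decimal number
  esac
  [ "$1" -ge 65 ] && [ "$1" -le 124 ]
}

# Print an /etc/network/interfaces stanza for last octet $1 on interface $2
# (default eth0). Refuses octets outside the UGCS host range.
ugcs_stanza() {
  ugcs_octet_ok "$1" || {
    echo "ugcs_stanza: last octet '$1' is outside the UGCS host range 65-124" >&2
    return 1
  }
  iface="${2:-eth0}"
  printf 'allow-hotplug %s\niface %s inet static\n    address %s.%s\n    netmask 255.255.255.0\n    gateway %s\n' \
    "$iface" "$iface" "$UGCS_PREFIX" "$1" "$UGCS_GATEWAY"
}

# Duplicate-address probe for last octet $1 on interface $2. arping -D sends
# ARP probes with a 0.0.0.0 sender and exits non-zero if any host on the
# segment claims the address. Needs root and a link that is up; run it before
# ifup, not after, so a collision does not knock the other machine offline.
ugcs_probe_free() {
  ugcs_octet_ok "$1" || return 1
  arping -D -q -c 3 -I "${2:-eth0}" "$UGCS_PREFIX.$1"
}
```

Typical use is `ugcs_probe_free 103 eth0 && ugcs_stanza 103 eth0 >> /etc/network/interfaces`; a non-zero exit from the probe means the octet in the table is stale or mistyped and should be resolved with the allocation list before the machine goes on the wire.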

Firewall

Each machine does its own firewall through iptables. Cfengine installs scripts in /etc/network/if-up.d and /etc/network/if-down.d that load and save the iptables configuration when the interface comes up or goes down, so you can change the running rules knowing they will be preserved across a reboot. Check the live ruleset with iptables-save before and after editing; a change that was never saved (for example when a box loses power instead of going through a clean ifdown) is gone on the next boot.
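The following is an added example of the two ifupdown hooks described above together with a baseline ruleset for the two host classes this page names; it is not the cfengine-managed script UGCS actually ships. The rules file path, the hook names, the MODE/IFACE guards and the per-role policy (coreserver default-deny with SSH open, shellserver open) are assumptions to adapt to the local convention.

```sh
# Added example (not UGCS's cfengine scripts): restore-on-up / save-on-down
# hooks for ifupdown plus a baseline ruleset in iptables-save format.
# Assumptions: rules live in /etc/iptables.rules, hooks are installed as
# /etc/network/if-up.d/iptables and /etc/network/if-down.d/iptables, and
# iptables-restore supports --test (iptables 1.4.x and later).

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

# Emit a baseline ruleset for role $1 (coreserver or shellserver) in the
# format iptables-restore reads. Coreservers default to DROP and open only
# SSH; shellservers keep INPUT open and filter per service elsewhere.
baseline_rules() {
  case "$1" in
    coreserver)  policy=DROP ;;
    shellserver) policy=ACCEPT ;;
    *) echo "baseline_rules: unknown role '$1'" >&2; return 1 ;;
  esac
  cat <<EOF
*filter
:INPUT $policy [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Count the -A rules in a ruleset read on stdin: a cheap check that the file
# about to be restored is not empty or truncated.
rule_count() {
  grep -c '^-A '
}

# if-up.d hook. ifupdown exports IFACE and MODE (start/stop); skip loopback
# and only act when an interface is being started. A missing rules file is
# reported but not fatal, so a first boot without one still configures the
# interface. --test parses the file without committing, so a broken file is
# rejected before it replaces the live ruleset.
iptables_up() {
  [ "$IFACE" != lo ] || return 0
  [ "${MODE:-start}" = start ] || return 0
  [ -r "$RULES_FILE" ] || {
    echo "iptables_up: no $RULES_FILE, leaving rules untouched" >&2
    return 0
  }
  iptables-restore --test < "$RULES_FILE" && iptables-restore < "$RULES_FILE"
}

# if-down.d hook: dump the live ruleset so edits made with the iptables
# command survive a reboot. Written 0600 via umask and renamed into place so
# a crash mid-write cannot leave a half-written file for the next if-up.
iptables_down() {
  [ "$IFACE" != lo ] || return 0
  [ "${MODE:-stop}" = stop ] || return 0
  umask 077
  iptables-save > "$RULES_FILE.tmp" && mv "$RULES_FILE.tmp" "$RULES_FILE"
}
```

To seed a new host, write `baseline_rules coreserver > /etc/iptables.rules` once and let the hooks take over; after that, edit with the iptables command and rely on the if-down hook to persist, or run iptables-save into the rules file by hand if the box may not go through a clean shutdown.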


IPv4 Allocations

kabta: 131.215.172.59

  • 64: none
  • 65-85: Coreserver (65-75) and service/failover addresses (76-85)
    • 65 hermes
    • 66 demeter
    • 67 apollo
    • 68 athena
    • 69 persephone
    • 70 hera
    • 71 poseidon
    • 72 zeus
    • 73 hestia
    • 74 hephaestus
    • 75 dionysus
    • 76 nfs
    • 77 (currently unused)
    • 78 fo (testing IP for failover stuff)
    • 79 (currently unused)
    • 80 doldnut (owned by devteam/Jon Dama, this will be moved)
    • 81 afs-c (AFS database server, currently hermes)
    • 82 afsmail (AFS file server that houses mail partitions, currently hermes)
  • 86-104: Hosted servers (future hosted machines should go in the Winnett netblock; email hostmaster@caltech.edu)
    • 86 averyfs (owned by Avery IMSS)
    • 87 bsi-la (owned by Bo Adler)
    • 88 lenin (owned by Dabney comptrollers)
    • 89 donut (owned by Devteam)
    • 90 metatron (owned by Matt Maurer)
    • 91 white (owned by Mike White)
    • 92 philemon (owned by Jon Dama)
    • 93 daisy (owned by Elizabeth Fong)
    • 94 ballroom (Ballroom dance club)
    • 95 hiro (owned by Silas Bennet)
    • 98 azkaban (owned by Eugeniu Plamadeala, username eugeniu)
    • 99 goose (owned by Suresh Sitaula, username suresh)
    • 100 kukulza (owned by Patrick Xia, username patrick)
    • 101 eternity (owned by Alex Roper, username alexr)
    • 102 vitamin-s (owned by David DiCato)
    • 103 (name not known yet) (owned by Pat Cahalan)
    • 104 heartofgold (owned by Alex Rasmussen, username adr)
  • 105-124: Shellserver
    • 105 lara.ugcs.caltech.edu.
    • 106 styx.ugcs.caltech.edu.
    • 107 minthe.ugcs.caltech.edu. (i5 machine)
    • 108 lethe.ugcs.caltech.edu.
    • 109 calliope.ugcs.caltech.edu.
    • 110 clio.ugcs.caltech.edu.
    • 111 achilles.ugcs.caltech.edu (mortal)
    • 112 helen.ugcs.caltech.edu (mortal)
    • 113 melpomene.ugcs.caltech.edu.
    • 114 polyhymnia.ugcs.caltech.edu.
    • 115 terpsichore.ugcs.caltech.edu. (i5 machine)
    • 116 thalia.ugcs.caltech.edu.
    • 117 urania.ugcs.caltech.edu.
    • 118 jason.ugcs.caltech.edu (mortal)
    • 119 midas.ugcs.caltech.edu (mortal)
    • 120 medusa.ugcs.caltech.edu (mortal)
    • 121 dictys.ugcs.caltech.edu (mortal)
  • 125: printer
  • 126: charon

UGCS hosted machines in Winnett netblock

Last octet within the Winnett netblock (131.215.176.0/24, see Static IPs above):

  • 3: durandal (owned by Chris Whelan, username whelan)
  • 60: beryllium (owned by Chris Kennelly, username ckennelly)
  • 61: titanic (owned by Blacker IMSS)

IPv6 Allocations

  • Caltech may be rolling out IPv6 later in 2010. We've mentioned to them that we'd be interested in trying it.