Difference between revisions of "BXadmin:Network"

From CCGB
Jump to: navigation, search
 
(26 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= L3 =
+
There is discussion of network changes related to adding new subnets for Galaxy at [[bxa:Network/Galaxy]] which should be relevant should you need to add a new subnet.
== 128.118.200.0/23, 2610:8:7800:14::/64 ==
+
 
* VLAN 100 (BX-WIRED)
+
= Layer 2 =
 +
Current network diagram in DIA format is located at /afs/bx.psu.edu/admin/documents/bx_network-l2-<DATE>.dia
 +
 
 +
When updating, be sure to work on a copy, and update the date in the box in the upper left-hand corner.
 +
 
 +
[[File:Bx network-l2-2011-10-20.png]]
 +
 
 +
= Layer 3 =
 +
== VLAN 1 | MANAGEMENT | 10.1.1.0 /24, 2610:8:7800:25:: /64 ==
 +
* VLAN: 1 (MANAGEMENT)
 +
* Netmask: 255.255.255.0
 +
* Broadcast: 10.1.1.255
 +
* Gateway: 10.1.1.1
 +
* DNS: *.net.bx.psu.edu
 +
 
 +
Switches, IPMI interfaces, ESXi management, etc.
 +
 
 +
== VLAN 230 | PRINTERS | 10.1.2.0 /24, 2610:8:7800:2a:: /64 ==
 +
* VLAN: 230 (PRINTERS)
 +
* Netmask: 255.255.255.0
 +
* Broadcast: 10.1.2.255
 +
* Gateway: 10.1.2.1
 +
* Usable IPs: .1 - .254
 +
* Client IPs: 253
 +
* DNS: *.printers.bx.psu.edu
 +
 
 +
Printers or other non-management-type devices.
 +
 
 +
== VLAN 200 | PERSEPHONE | 10.1.4.0 /24, 2610:8:7800:2b:: /64 ==
 +
* VLAN: 200 (PERSEPHONE)
 +
* Netmask: 255.255.255.0
 +
* Broadcast: 10.1.4.255
 +
* Gateway: 10.1.4.1
 +
* DNS: *.persephone.bx.psu.edu
 +
 
 +
Persephone cluster.
 +
 
 +
== VLAN 250 | UNAUTH | 10.1.5.0 /24 ==
 +
* VLAN: 250 (UNAUTH)
 +
* Netmask: 255.255.255.0
 +
* Broadcast: 10.1.5.255
 +
* Gateway: 10.1.5.1
 +
* DNS: *.unauth.bx.psu.edu
 +
 
 +
Radius dumps unauthorized ports in this VLAN. DNS blackhole.
 +
 
 +
== VLAN 260 | QUARANTINE | 10.1.6.0 /24 ==
 +
* VLAN: 260 (QUARANTINE)
 +
* Netmask: 255.255.255.0
 +
* Broadcast: 10.1.6.255
 +
* Gateway: 10.1.6.1
 +
* DNS: *.quarantine.bx.psu.edu
 +
 
 +
Radius dumps quanrantined MACs and users in this VLAN. DNS blackhole.
 +
 
 +
== VLAN 210 | LINNE | 192.168.2.0 /24 ==
 +
* VLAN: 210 (LINNE)
 +
* Netmask: 255.255.255.0
 +
* Broadcast: 192.168.2.255
 +
* Gateway: 192.168.2.253
 +
* DNS: *.linne.bx.psu.edu
 +
 
 +
linne cluster
 +
 
 +
== VLAN 220 | GALAXY | 192.168.4.0 /24, 2610:8:7800:2c:: /64 ==
 +
* VLAN: 220 (GALAXY)
 +
* Netmask: 255.255.255.0
 +
* Broadcast: 192.168.4.255
 +
* Gateway: 192.168.2.254
 +
* DNS: *.g2.bx.psu.edu
 +
 
 +
old galaxy private network
 +
 
 +
== VLAN 270 | GALAXY_PRIVATE | 172.18.2.0 /24 ==
 +
* VLAN: 270 (GALAXY_PRIVATE)
 +
* Netmask: 255.255.255.0
 +
* Broadcast: 172.18.2.255
 +
* Gateway: 172.18.2.1
 +
* DNS: *.g2.bx.psu.edu
 +
 
 +
Galaxy private addresses.  These addresses are registered with TNS and are on the IPv4 Contacts List.
 +
 
 +
== VLAN 100 | BX-WIRED | 128.118.200.0 /23, 2610:8:7800:14:: /64 ==
 +
* VLAN: 100 (BX-WIRED)
 
* Netmask: 255.255.254.0
 
* Netmask: 255.255.254.0
 
* Broadcast: 128.118.201.255
 
* Broadcast: 128.118.201.255
Line 8: Line 91:
 
Centrally managed machines. Machines that we have root on and/or control with cfengine.
 
Centrally managed machines. Machines that we have root on and/or control with cfengine.
  
== 128.118.202.0/27 ==
+
== VLAN 110 | DOT1X | 128.118.202.128 /25, 2610:8:7800:28:: /64 ==
* NAT pool
+
* VLAN: 110 (DOT1X)
* Usable IPs: .1 - .30 (with .31 being the broadcast, but not used for NAT)
+
* Netmask: 255.255.255.128
* DNS: nat-128-118-202-N.bx.psu.edu
+
* Broadcast: 128.118.202.255
 +
* Gateway: 128.118.202.129
 +
* DNS: dot1x-128-118-202-N.bx.psu.edu
 +
 
 +
=== PAT Address | 128.118.202.254 ===
 +
PAT = Port Address Translation. This is similar to how SNAT works with iptables. A single public ip. This is preferred to just straight NAT, which on the ASA is one-to-one with a set translation expiration time. After the global IP range is used up, further outbound connections are dropped. A single PAT address supports up to 65,536 outbound connections (TCP sessions).
  
 
NAT config on ASA:
 
NAT config on ASA:
<pre>global (Outside) 1 128.118.202.1-128.118.202.30
+
<pre>global (Outside) 1 128.118.202.254
 
nat (Bioinformatics) 1 192.168.2.0 255.255.255.0
 
nat (Bioinformatics) 1 192.168.2.0 255.255.255.0
 
nat (Bioinformatics) 1 192.168.4.0 255.255.255.0
 
nat (Bioinformatics) 1 192.168.4.0 255.255.255.0
Line 20: Line 108:
 
</pre>
 
</pre>
  
== 128.118.202.32/28 ==
+
Dynamically assigned with DHCP. 802.1x EAP-TTLS-PAP username/password login.
* VLAN 110, GUEST
+
 
* Visitor/guest network
+
== VLAN 120 | UNMANAGED | 128.118.202.0 /25, 2610:8:7800:29:: /64 ==
* Netmask: 255.255.255.240
+
* VLAN: 120 (UNMANAGED)
* Broadcast: 128.118.202.47
+
* Netmask: 255.255.255.128
* Gateway: 128.118.202.33
+
* Broadcast: 128.118.202.127
* Usable IPs: .33 - .46
+
* Gateway: 128.118.202.1
 +
* DNS: custom or 128-118-202-N.bx.psu.edu
 +
 
 +
Statically assgined with DHCP based on MAC. Radius attributes defined in LDAP for the DHCP host entry.
 +
 
 +
 
 +
== VLAN 130 | GUEST | ? ==
 +
* VLAN: 130 (GUEST)
 
* DNS: guest-128-118-202-N.bx.psu.edu
 
* DNS: guest-128-118-202-N.bx.psu.edu
  
DHCP entries static in LDAP. Web authorization form to allow changing of the MAC address, restricted to PIs and other persons of repute. These entries will be periodically expired.
+
DHCP entries static in LDAP. Web authorization form to allow changing of the MAC address, restricted to PIs and other persons of repute. These entries will be periodically expired. Or, tie into EDUROAM somehow?
  
== 128.118.202.
+
Not sure what addresses GUEST will use, or if it will be NAT'd.
  
 +
== VLAN 140 | GALAXY_PUBLIC | 128.118.79.224 /27 ==
 +
* VLAN: 140 (BX-WIRED)
 +
* Netmask: 255.255.255.224
 +
* Broadcast: 128.118.79.255
 +
* Gateway: 128.118.79.225
  
= L2 =
+
Galaxy public addresses.  This network can route on the XSEDE network via switch-dell-powerconnect-1.
Current network diagram in DIA format is located at /afs/bx.psu.edu/admin/documents/bx_network-l2-<DATE>.dia
+
 
 +
== VLAN 500 | RCC_P2P | 10.128.255.240/29 ==
 +
* VLAN: 500 (RCC_P2P)
 +
* Netmask 255.255.255.248
 +
Point to point with RCC.
 +
 
 +
switch-dell-powerconnect-1:
 +
<pre>interface vlan 500
 +
name "RCC_P2P"
 +
routing
 +
ip address 10.128.255.241 255.255.255.248
 +
exit
 +
</pre>
 +
 
 +
VLAN 500 is untagged on access port 1/xg1
 +
 
 +
== VLAN 510 | CISCO_DELL_P2P | 10.1.7.0/29 ==
 +
* VLAN: 510 (CISCO_DELL_P2P)
 +
* Netmask 255.255.255.248
 +
 
 +
cisco vlan 510 : 10.1.7.1
 +
dell vlan 510 : 10.1.7.2
 +
 
 +
= Spanning Tree =
 +
 
 +
We are using MSTP, with a single region.
 +
 
 +
'''Configuration Name:''' MST
 +
 
 +
== MSTI 0 (IST) ==
 +
* MANAGEMENT
 +
* Root: switch-cisco-3750-1
 +
* Mapped VLANs: 1
 +
 
 +
== MSTI 1 ==
 +
* BX-WIRED, DOT1X, UNMANAGED
 +
* Root: switch-cisco-3750-1
 +
* Mapped VLANs: 100, 110, 120
 +
 
 +
== MSTI 2 ==
 +
* PRINTERS, UNAUTH, QUARANTINE
 +
* Root: switch-cisco-3750-1
 +
* Mapped VLANs: 230, 250, 260
 +
 
 +
== MSTI 3 ==
 +
* PERSEPHONE, LINNE
 +
* Root: switch-hp-procurve-7
 +
* Mapped VLANs: 200, 210
 +
 
 +
== MSTI 4 ==
 +
* GALAXY
 +
* Root: switch-dell-powerconnect-1
 +
* Mapped VLANs: 220
  
When updating, be sure to work on a copy, and update the date in the box in the upper left-hand corner.
+
== MSTI 5 ==
 +
* CISCO_DELL_P2P
 +
* Root: switch-dell-powerconnect-1
 +
* Mapped VLANs: 510
  
[[File:Bx network-l2-2010-26-02.png]]
+
== MSTI 6 ==
 +
* DELL_RCC
 +
* Root: switch-dell-powerconnect-1
 +
* Mapped VLANs: 500

Latest revision as of 16:14, 21 February 2012

There is discussion of network changes related to adding new subnets for Galaxy at bxa:Network/Galaxy which should be relevant should you need to add a new subnet.

Layer 2

Current network diagram in DIA format is located at /afs/bx.psu.edu/admin/documents/bx_network-l2-<DATE>.dia

When updating, be sure to work on a copy, and update the date in the box in the upper left-hand corner.

Bx network-l2-2011-10-20.png

Layer 3

VLAN 1 | MANAGEMENT | 10.1.1.0 /24, 2610:8:7800:25:: /64

  • VLAN: 1 (MANAGEMENT)
  • Netmask: 255.255.255.0
  • Broadcast: 10.1.1.255
  • Gateway: 10.1.1.1
  • DNS: *.net.bx.psu.edu

Switches, IPMI interfaces, ESXi management, etc.

VLAN 230 | PRINTERS | 10.1.2.0 /24, 2610:8:7800:2a:: /64

  • VLAN: 230 (PRINTERS)
  • Netmask: 255.255.255.0
  • Broadcast: 10.1.2.255
  • Gateway: 10.1.2.1
  • Usable IPs: .1 - .254
  • Client IPs: 253
  • DNS: *.printers.bx.psu.edu

Printers or other non-management-type devices.

VLAN 200 | PERSEPHONE | 10.1.4.0 /24, 2610:8:7800:2b:: /64

  • VLAN: 200 (PERSEPHONE)
  • Netmask: 255.255.255.0
  • Broadcast: 10.1.4.255
  • Gateway: 10.1.4.1
  • DNS: *.persephone.bx.psu.edu

Persephone cluster.

VLAN 250 | UNAUTH | 10.1.5.0 /24

  • VLAN: 250 (UNAUTH)
  • Netmask: 255.255.255.0
  • Broadcast: 10.1.5.255
  • Gateway: 10.1.5.1
  • DNS: *.unauth.bx.psu.edu

Radius dumps unauthorized ports in this VLAN. DNS blackhole.

VLAN 260 | QUARANTINE | 10.1.6.0 /24

  • VLAN: 260 (QUARANTINE)
  • Netmask: 255.255.255.0
  • Broadcast: 10.1.6.255
  • Gateway: 10.1.6.1
  • DNS: *.quarantine.bx.psu.edu

Radius dumps quanrantined MACs and users in this VLAN. DNS blackhole.

VLAN 210 | LINNE | 192.168.2.0 /24

  • VLAN: 210 (LINNE)
  • Netmask: 255.255.255.0
  • Broadcast: 192.168.2.255
  • Gateway: 192.168.2.253
  • DNS: *.linne.bx.psu.edu

linne cluster

VLAN 220 | GALAXY | 192.168.4.0 /24, 2610:8:7800:2c:: /64

  • VLAN: 220 (GALAXY)
  • Netmask: 255.255.255.0
  • Broadcast: 192.168.4.255
  • Gateway: 192.168.2.254
  • DNS: *.g2.bx.psu.edu

old galaxy private network

VLAN 270 | GALAXY_PRIVATE | 172.18.2.0 /24

  • VLAN: 270 (GALAXY_PRIVATE)
  • Netmask: 255.255.255.0
  • Broadcast: 172.18.2.255
  • Gateway: 172.18.2.1
  • DNS: *.g2.bx.psu.edu

Galaxy private addresses. These addresses are registered with TNS and are on the IPv4 Contacts List.

VLAN 100 | BX-WIRED | 128.118.200.0 /23, 2610:8:7800:14:: /64

  • VLAN: 100 (BX-WIRED)
  • Netmask: 255.255.254.0
  • Broadcast: 128.118.201.255
  • Gateway: 128.118.200.1, 2610:8:7800:14::1

Centrally managed machines. Machines that we have root on and/or control with cfengine.

VLAN 110 | DOT1X | 128.118.202.128 /25, 2610:8:7800:28:: /64

  • VLAN: 110 (DOT1X)
  • Netmask: 255.255.255.128
  • Broadcast: 128.118.202.255
  • Gateway: 128.118.202.129
  • DNS: dot1x-128-118-202-N.bx.psu.edu

PAT Address | 128.118.202.254

PAT = Port Address Translation. This is similar to how SNAT works with iptables. A single public ip. This is preferred to just straight NAT, which on the ASA is one-to-one with a set translation expiration time. After the global IP range is used up, further outbound connections are dropped. A single PAT address supports up to 65,536 outbound connections (TCP sessions).

NAT config on ASA:

global (Outside) 1 128.118.202.254
nat (Bioinformatics) 1 192.168.2.0 255.255.255.0
nat (Bioinformatics) 1 192.168.4.0 255.255.255.0
nat (Bioinformatics) 1 10.1.0.0 255.255.0.0

Dynamically assigned with DHCP. 802.1x EAP-TTLS-PAP username/password login.

VLAN 120 | UNMANAGED | 128.118.202.0 /25, 2610:8:7800:29:: /64

  • VLAN: 120 (UNMANAGED)
  • Netmask: 255.255.255.128
  • Broadcast: 128.118.202.127
  • Gateway: 128.118.202.1
  • DNS: custom or 128-118-202-N.bx.psu.edu

Statically assgined with DHCP based on MAC. Radius attributes defined in LDAP for the DHCP host entry.


VLAN 130 | GUEST | ?

  • VLAN: 130 (GUEST)
  • DNS: guest-128-118-202-N.bx.psu.edu

DHCP entries static in LDAP. Web authorization form to allow changing of the MAC address, restricted to PIs and other persons of repute. These entries will be periodically expired. Or, tie into EDUROAM somehow?

Not sure what addresses GUEST will use, or if it will be NAT'd.

VLAN 140 | GALAXY_PUBLIC | 128.118.79.224 /27

  • VLAN: 140 (BX-WIRED)
  • Netmask: 255.255.255.224
  • Broadcast: 128.118.79.255
  • Gateway: 128.118.79.225

Galaxy public addresses. This network can route on the XSEDE network via switch-dell-powerconnect-1.

VLAN 500 | RCC_P2P | 10.128.255.240/29

  • VLAN: 500 (RCC_P2P)
  • Netmask 255.255.255.248

Point to point with RCC.

switch-dell-powerconnect-1:

interface vlan 500
name "RCC_P2P"
routing
ip address 10.128.255.241 255.255.255.248
exit

VLAN 500 is untagged on access port 1/xg1

VLAN 510 | CISCO_DELL_P2P | 10.1.7.0/29

  • VLAN: 510 (CISCO_DELL_P2P)
  • Netmask 255.255.255.248

cisco vlan 510 : 10.1.7.1 dell vlan 510 : 10.1.7.2

Spanning Tree

We are using MSTP, with a single region.

Configuration Name: MST

MSTI 0 (IST)

  • MANAGEMENT
  • Root: switch-cisco-3750-1
  • Mapped VLANs: 1

MSTI 1

  • BX-WIRED, DOT1X, UNMANAGED
  • Root: switch-cisco-3750-1
  • Mapped VLANs: 100, 110, 120

MSTI 2

  • PRINTERS, UNAUTH, QUARANTINE
  • Root: switch-cisco-3750-1
  • Mapped VLANs: 230, 250, 260

MSTI 3

  • PERSEPHONE, LINNE
  • Root: switch-hp-procurve-7
  • Mapped VLANs: 200, 210

MSTI 4

  • GALAXY
  • Root: switch-dell-powerconnect-1
  • Mapped VLANs: 220

MSTI 5

  • CISCO_DELL_P2P
  • Root: switch-dell-powerconnect-1
  • Mapped VLANs: 510

MSTI 6

  • DELL_RCC
  • Root: switch-dell-powerconnect-1
  • Mapped VLANs: 500