CS network ACL summary

work in progress -- please send comments to trg

We've requested a summary (with regular ongoing updates and maintenance) of the ACLs applied to our networks by the constituency routers for our area. See our ST#90052, which refers to the IST RT UW-RT #302304 (which you probably won't be able to read). These are both stalled indefinitely (as of 2014-2-28).

In the interim, here is an informal and likely incomplete summary:

client networks

  • outbound unrestricted
  • off-campus inbound restricted, other than stateful return traffic
  • networks affected:

| IP addresses | Router | Vlan |
|  | dc-cs2 | 84 |
|  | dc-cs2 | 168 |
|  | dc-cs2 | 169 |
|  | dc-cs2 | 170 |

Each of the above networks is restricted to "outbound" traffic only, with a couple of exceptions. The ACL is stateful with respect to established TCP connections, i.e. the traffic that comes back as the result of an outbound TCP connection is allowed. The exceptions which allow inbound traffic are for:

  • ssh
  • RDP
  • ident
For details, see the dc-cs2 configuration definition of the ACL set "170_client-untrust".

infrastructure LOM/IPMI networks

  • outbound unrestricted (notwithstanding private IP limitations)
  • off-campus inbound restricted
  • intra-campus inbound restricted
  • networks affected:

| IP addresses | Router | Vlan |
|  | dc-cs2 | 525 |
|  | cs-rt-dc-2303a | 525 |
|  | cs-rt-mc-3015a | 525 |
|  | cs-rt-m3-3101 | 525 |
|  | dc-cs2 | 802 |
|  | mc-cs2 | 806 |
|  | dc-cs2 | 816 |
|  | dc-cs2 | 812 |
|  | mc-cs2 | 810 |

Each of the above networks can be reached only from the following networks/hosts:

| IP addresses | Comment |
|  | Host: asgard.cscf.uwaterloo.ca |
|  | CSCF network |
|  | CSCF trusted UW-Intranet network -- not implemented yet as of 2014-3-6 |
|  | Host: cscf.cs.uwaterloo.ca |
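The two inbound policies summarised above, the client-network ACL (stateful exception for established TCP plus the ssh/RDP/ident holes) and the source-allow-list policy of the infrastructure LOM networks, modelled in Python as an added example that is not part of this page or of the router configuration. Assumptions: the port numbers are the IANA assignments for the services the page names, the campus/off-campus test is a plain boolean stand-in, and the LOM prefixes are constructed placeholders because the page records no addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The three inbound exceptions the page names for the client networks (IANA ports assumed).
INBOUND_EXCEPTIONS = {22: "ssh", 3389: "RDP", 113: "ident"}

@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp" or "udp"
    dst_port: int
    tcp_flags: frozenset = frozenset()    # {"SYN"} for a new connection, {"ACK"} for return traffic
    from_campus: bool = False             # True when the source is inside campus address space

def is_established(pkt: Packet) -> bool:
    """Router-style 'established' match: TCP with ACK or RST set, i.e. anything but the opening
    SYN. Flag-based rather than true connection tracking, so a stray ACK-flagged packet also matches."""
    return pkt.proto == "tcp" and bool(pkt.tcp_flags & {"ACK", "RST"})

def client_untrust_inbound(pkt: Packet) -> str:
    """Decision for traffic entering a client network (vlans 84/168/169/170 on dc-cs2)."""
    if pkt.from_campus:
        return "permit"   # the page restricts only off-campus inbound on these networks
    if is_established(pkt):
        return "permit"   # return traffic of an outbound TCP connection
    if pkt.proto == "tcp" and pkt.dst_port in INBOUND_EXCEPTIONS:
        return "permit"   # the ssh / RDP / ident exceptions
    return "deny"

# Constructed placeholder prefixes standing in for the LOM allow-list: the page names the
# permitted hosts/networks but records no addresses, so these are invented for the demo.
LOM_ALLOWED_SOURCES = [ip_network("192.0.2.0/24"),      # stands in for "CSCF network"
                       ip_network("198.51.100.7/32")]   # stands in for one management host

def lom_inbound(src_ip: str) -> str:
    """LOM/IPMI network: source allow-list only, no port exceptions, no campus distinction."""
    src = ip_address(src_ip)
    return "permit" if any(src in net for net in LOM_ALLOWED_SOURCES) else "deny"

if __name__ == "__main__":
    samples = [
        ("return traffic of an outbound web fetch", Packet("tcp", 51234, frozenset({"ACK"}))),
        ("new ssh session from off campus", Packet("tcp", 22, frozenset({"SYN"}))),
        ("new HTTP session from off campus", Packet("tcp", 80, frozenset({"SYN"}))),
        ("inbound DNS query from off campus", Packet("udp", 53)),
        ("new HTTP session from on campus", Packet("tcp", 80, frozenset({"SYN"}), True)),
    ]
    for label, pkt in samples:
        print(f"{label:42s} -> {client_untrust_inbound(pkt)}")
    print("LOM from 203.0.113.5 ->", lom_inbound("203.0.113.5"))
```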

research LOM/IPMI

As of 2014-3-6, there is one dedicated research LOM network, namely . It is completely unrestricted. It is proposed to expand this to three separate networks, as follows:

| Network | vlan | Comment |
|  | 1896 | existing network, unrestricted access |
|  | 1894 | high-restricted LOMs, just from vlan 15 and cscf.cs.uwaterloo.ca; same as the infrastructure LOMs |
|  | 1895 | moderately-restricted, allows various client networks within CS, as follows: |

Networks allowed to reach vlan 1895:

  • research servers
  • CSCF staff network
  • research servers
  • client workstations
  • Shoshin research group
  • CGL research group
  • CS public servers (contains linux.cs) (vlan dc:421)
  • client workstations
  • client workstations
  • client workstations
  • CSG research group (vlan dc:1732)
  • PLG research group
  • CSCF Staff network -- future

teaching-lab networks

  • outbound unrestricted
  • off-campus inbound restricted (except for stateful TCP)
  • some intra-campus inbound restricted, e.g. wireless and ResNet, unless otherwise noted

| IP addresses | Router | Vlan | Comment |
|  | mc-cs2 | 51 | Mac labs in MC |
|  | mc-cs2 | 424 | ugsters, allows ssh, RDP, ident; allows wireless |

infrastructure general-purpose networks


Topic revision: r6 - 2014-03-06 - TrevorGrove