CS network ACL summary


work in progress -- please send comments to trg

We've requested a summary (with regular ongoing updates and maintenance) of the ACLs applied to our networks by the constituency routers for our area. See our ST#90052, which refers to the IST RT UW-RT #302304 (which you probably won't be able to read). These are both stalled indefinitely (as of 2014-2-28).

In the interim, here is an informal and likely incomplete summary:

client networks

  • outbound unrestricted
  • off-campus inbound restricted, other than stateful return traffic
  • networks affected:

| IP addresses | Router | VLAN |
| 129.97.84.0/24 | dc-cs2 | 84 |
| 129.97.168.0/24 | dc-cs2 | 168 |
| 129.97.169.0/24 | dc-cs2 | 169 |
| 129.97.170.0/23 | dc-cs2 | 170 |

Each of the above networks is restricted to "outbound" traffic only, with a couple of exceptions. The ACL is stateful with respect to established TCP connections, i.e. the traffic that comes back as the result of an outbound TCP connection is allowed. The exceptions which allow inbound traffic from off campus are for:

  • ssh (TCP port 22)
  • RDP (TCP port 3389)
  • ident (TCP port 113)
For details, see the dc-cs2 configuration definition of the ACL set "170_client-untrust".

infrastructure LOM/IPMI networks

  • outbound unrestricted by the ACL (subject to the usual limits of private RFC 1918 addressing)
  • off-campus inbound restricted
  • intra-campus inbound restricted
  • networks affected:

| IP addresses | Router | VLAN |
| 10.0.152.0/24 | dc-cs2 | 525 |
| 10.0.153.0/24 | cs-rt-dc-2303a | 525 |
| 10.0.154.0/24 | cs-rt-mc-3015a | 525 |
| 10.0.155.0/24 | cs-rt-m3-3101 | 525 |
| 10.15.2.0/24 | dc-cs2 | 802 |
| 10.15.3.0/24 | mc-cs2 | 806 |
| 10.15.16.0/24 | dc-cs2 | 816 |
| 10.15.18.0/24 | dc-cs2 | 812 |
| 10.15.28.0/24 | mc-cs2 | 810 |

Each of the above networks can be reached only from the following networks/hosts:

| IP addresses | Comment |
| 10.15.152.4/32 | Host: asgard.cscf.uwaterloo.ca |
| 129.97.15.0/24 | CSCF network |
| 172.19.15.0/24 | CSCF trusted UW-Intranet network (not yet implemented as of 2014-3-6) |
| 172.19.4.229/32 | Host: cscf.cs.uwaterloo.ca |

research LOM/IPMI

As of 2014-3-6, there is one dedicated research LOM network, namely 172.19.96.0/24. It is completely unrestricted. It is proposed to expand this to three separate networks, as follows:

| Network | VLAN | Comment |
| 172.19.96.0/24 | 1896 | existing network, unrestricted access |
| 172.19.97.0/24 | 1894 | highly restricted LOMs: reachable only from vlan 15 and cscf.cs.uwaterloo.ca, i.e. the same sources as the infrastructure LOMs |
| 172.19.98.0/24 | 1895 | moderately restricted: reachable from the CS client networks listed below |

Networks allowed to reach 172.19.98.0/24:

| Network | Comment |
| 129.97.7.0/24 | research servers |
| 129.97.15.0/24 | CSCF staff network |
| 129.97.26.0/24 | research servers |
| 129.97.84.0/24 | client workstations |
| 129.97.105.0/24 | Shoshin research group |
| 129.97.114.0/24 | CGL research group |
| 129.97.167.128/25 | CS public servers (contains linux.cs) (vlan dc:421) |
| 129.97.168.0/24 | client workstations |
| 129.97.169.0/24 | client workstations |
| 129.97.170.0/23 | client workstations |
| 129.97.173.192/26 | CSG research group (vlan dc:1732) |
| 129.97.186.0/24 | PLG research group |
| 172.19.15.0/24 | CSCF staff network (future) |
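The rules above (client networks, infrastructure LOM/IPMI networks and the proposed research LOM networks) are easiest to sanity-check as a small executable model that can be asked "would this flow get through?". The following Python is an added example written for this summary; it is not the router configuration on dc-cs2/mc-cs2 and should not be treated as authoritative. It assumes that "on campus" means 129.97.0.0/16 plus RFC 1918 space, that ssh/RDP/ident mean TCP 22/3389/113, that only TCP reply traffic counts as stateful return traffic (the summary says nothing about UDP), and that the research LOM rules are the proposed ones. VLANs, routers and the teaching-lab networks are not modelled.

```python
"""Reference model of the CS network ACL summary (added example; not the
router configuration).  Assumptions beyond the summary text are marked."""
import ipaddress
from dataclasses import dataclass


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Assumption: campus public range plus private (RFC 1918) space counts as on-campus.
CAMPUS = nets("129.97.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Client networks: outbound unrestricted; off-campus inbound only for TCP
# return traffic and ssh/RDP/ident.
CLIENT_NETS = nets("129.97.84.0/24", "129.97.168.0/24",
                   "129.97.169.0/24", "129.97.170.0/23")
CLIENT_INBOUND_TCP_PORTS = {22, 3389, 113}   # assumption: ssh, RDP, ident

# Infrastructure LOM/IPMI networks: a source allow-list applied to all inbound
# traffic, on-campus or off.
INFRA_LOM_NETS = nets("10.0.152.0/24", "10.0.153.0/24", "10.0.154.0/24",
                      "10.0.155.0/24", "10.15.2.0/24", "10.15.3.0/24",
                      "10.15.16.0/24", "10.15.18.0/24", "10.15.28.0/24")
INFRA_LOM_SOURCES = nets("10.15.152.4/32",    # asgard.cscf.uwaterloo.ca
                         "129.97.15.0/24",    # CSCF network
                         "172.19.15.0/24",    # CSCF trusted UW-Intranet (not yet implemented)
                         "172.19.4.229/32")   # cscf.cs.uwaterloo.ca

# Research LOM networks as *proposed* on the page (only 172.19.96.0/24 exists today).
RESEARCH_LOM_OPEN = nets("172.19.96.0/24")       # unrestricted
RESEARCH_LOM_HIGH = nets("172.19.97.0/24")       # same sources as infrastructure LOMs
RESEARCH_LOM_MODERATE = nets("172.19.98.0/24")
RESEARCH_LOM_MODERATE_SOURCES = nets(
    "129.97.7.0/24", "129.97.15.0/24", "129.97.26.0/24", "129.97.84.0/24",
    "129.97.105.0/24", "129.97.114.0/24", "129.97.167.128/25", "129.97.168.0/24",
    "129.97.169.0/24", "129.97.170.0/23", "129.97.173.192/26", "129.97.186.0/24",
    "172.19.15.0/24")


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp"
    dport: int = 0
    established: bool = False   # reply to a TCP connection opened from inside


def in_any(addr, networks):
    return any(addr in n for n in networks)


def evaluate(flow):
    """Return 'permit' or 'deny' for one flow under the summarised policy."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    tcp = flow.proto.lower() == "tcp"

    # LOM/IPMI destinations: source allow-lists, regardless of where the flow originates.
    if in_any(dst, INFRA_LOM_NETS) or in_any(dst, RESEARCH_LOM_HIGH):
        return "permit" if in_any(src, INFRA_LOM_SOURCES) else "deny"
    if in_any(dst, RESEARCH_LOM_MODERATE):
        return "permit" if in_any(src, RESEARCH_LOM_MODERATE_SOURCES) else "deny"
    if in_any(dst, RESEARCH_LOM_OPEN):
        return "permit"

    # Client destinations: the summary restricts only off-campus inbound traffic,
    # allowing TCP return traffic and the three listed services.
    if in_any(dst, CLIENT_NETS):
        if in_any(src, CAMPUS):
            return "permit"
        if tcp and (flow.established or flow.dport in CLIENT_INBOUND_TCP_PORTS):
            return "permit"
        return "deny"

    # Everything else, including all outbound traffic, is unrestricted in this summary.
    return "permit"


def audit(flows):
    """Evaluate a list of flows; returns [(flow, verdict), ...]."""
    return [(f, evaluate(f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows (not captured traffic); 203.0.113.0/24 is documentation space.
    samples = [
        Flow("203.0.113.7", "129.97.84.10", "tcp", 22),                    # off-campus ssh to a client
        Flow("203.0.113.7", "129.97.84.10", "tcp", 80),                    # off-campus http to a client
        Flow("203.0.113.7", "129.97.84.10", "tcp", 443, established=True), # reply to an outbound connection
        Flow("129.97.84.10", "10.15.2.9", "tcp", 443),                     # workstation to an infra LOM
        Flow("129.97.15.7", "10.15.2.9", "tcp", 443),                      # CSCF network to an infra LOM
    ]
    for f, verdict in audit(samples):
        print(f"{f.src:>15} -> {f.dst:<15} {f.proto}/{f.dport:<5} {verdict}")
```

Because the model denies by construction anything the summary does not say is allowed, a flow it reports as "deny" that works in practice is a sign that the summary is missing an exception, which is exactly the gap the stalled tickets above were meant to close.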

teaching-lab networks

  • outbound unrestricted
  • off-campus inbound restricted (except for stateful TCP return traffic)
  • some intra-campus inbound restricted (e.g. from wireless and ResNet) unless otherwise noted

| IP addresses | Router | VLAN | Comment |
| 129.97.51.0/24 | mc-cs2 | 51 | Mac labs in MC |
| 129.97.173.64/26 | mc-cs2 | 424 | ugsters; allows inbound ssh, RDP and ident; allows wireless |

infrastructure general-purpose networks

tbd

Topic revision: r6 - 2014-03-06 - TrevorGrove