CS network ACL summary (THIS PAGE NEEDS UPDATING)
work in progress -- please send comments to trg
We've requested a summary (with regular ongoing updates and maintenance) of the ACLs applied to our networks by the constituency routers for our area. See our ST#90052, which refers to the IST RT ticket UW-RT #302304 (which you probably won't be able to read). Both are stalled indefinitely (as of 2014-2-28).
In the interim, here is an informal and likely incomplete summary:
client networks
- outbound unrestricted
- off-campus inbound restricted, other than stateful TCP return traffic
- networks affected:
| IP addresses    | Router | Vlan |
| 129.97.84.0/24  | dc-cs2 | 84   |
| 129.97.168.0/24 | dc-cs2 | 168  |
| 129.97.169.0/24 | dc-cs2 | 169  |
| 129.97.170.0/23 | dc-cs2 | 170  |
Each of the above networks is restricted to "outbound" traffic only, with a couple of exceptions. The ACL is stateful with respect to established TCP connections, i.e. traffic that comes back as the result of a TCP connection opened from inside is allowed, while connections initiated from off campus are not. The exceptions that allow inbound traffic are:
For details, see the dc-cs2 configuration definition of the ACL set "170_client-untrust"
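The following is an added example, not the dc-cs2 configuration or any code from this page: a small Python model of the intent described above (outbound unrestricted; inbound from off campus permitted only as the return half of a TCP connection that was opened from inside). It can be used to reason about which packets the ACL should pass before comparing against the real "170_client-untrust" definition. The class and function names are the example's own, the definition of "on campus" (129.97.0.0/16 plus the RFC 1918 ranges used for LOM networks) is an assumption the page does not make, and the unnamed exceptions mentioned above are not modelled.

```python
# Added example (not the dc-cs2 configuration): a minimal model of the
# stateful, outbound-only behaviour described for the CS client networks.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Client networks listed in the table above.
CLIENT_NETS = [ip_network(n) for n in (
    "129.97.84.0/24", "129.97.168.0/24", "129.97.169.0/24", "129.97.170.0/23")]

# Assumption: "on campus" means the 129.97.0.0/16 public range plus the
# RFC 1918 space used for the LOM networks.  The page does not define it.
CAMPUS_NETS = [ip_network(n) for n in (
    "129.97.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


def _in_any(ip, nets):
    a = ip_address(ip)
    return any(a in n for n in nets)


class ClientUntrustModel:
    """Models the 170_client-untrust intent: outbound anything, inbound from
    off campus only as the return half of a TCP connection opened from inside."""

    def __init__(self):
        # Flows opened from inside: (inside_ip, inside_port, outside_ip, outside_port)
        self.flows = set()

    def decide(self, p: Packet) -> str:
        src_inside = _in_any(p.src, CLIENT_NETS)
        dst_inside = _in_any(p.dst, CLIENT_NETS)
        if src_inside:
            if p.proto == "tcp":
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "permit"                     # outbound unrestricted
        if not dst_inside:
            return "not-applicable"             # this ACL does not see the traffic
        if _in_any(p.src, CAMPUS_NETS):
            return "permit"                     # only off-campus inbound is restricted
        # Off-campus inbound: permit only established TCP return traffic.
        # A bare SYN is a new connection attempt even if the 4-tuple matches.
        if (p.proto == "tcp" and not (p.syn and not p.ack)
                and (p.dst, p.dport, p.src, p.sport) in self.flows):
            return "permit"
        # The page states the ACL is stateful for TCP only; anything else from
        # off campus is treated as unsolicited and denied here.
        return "deny"
```

The model says nothing about UDP return traffic (DNS replies, for instance) because the page only describes TCP; check the real ACL for that before relying on it.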
infrastructure LOM/IPMI networks
- outbound unrestricted (subject to the usual limits on private (RFC 1918) addresses, which are not routable off campus)
- off-campus inbound restricted
- intra-campus inbound restricted
- networks affected:
| IP addresses  | Router         | Vlan |
| 10.0.152.0/24 | dc-cs2         | 525  |
| 10.0.153.0/24 | cs-rt-dc-2303a | 525  |
| 10.0.154.0/24 | cs-rt-mc-3015a | 525  |
| 10.0.155.0/24 | cs-rt-m3-3101  | 525  |
| 10.15.2.0/24  | dc-cs2         | 802  |
| 10.15.3.0/24  | mc-cs2         | 806  |
| 10.15.16.0/24 | dc-cs2         | 816  |
| 10.15.18.0/24 | dc-cs2         | 812  |
| 10.15.28.0/24 | mc-cs2         | 810  |
Each of the above networks can be reached only from the following networks/hosts:
| IP addresses    | Comment |
| 10.15.152.4/32  | Host: asgard.cscf.uwaterloo.ca |
| 129.97.15.0/24  | CSCF network |
| 172.19.15.0/24  | CSCF trusted UW-Intranet network (not yet implemented as of 2014-3-6) |
| 172.19.4.229/32 | Host: cscf.cs.uwaterloo.ca |
research LOM/IPMI
As of 2014-3-6, there is one dedicated research LOM network, namely 172.19.96.0/24. It is completely unrestricted. It is proposed to expand this to three separate networks, as follows:
| Network        | Vlan | Comment |
| 172.19.96.0/24 | 1896 | existing network, unrestricted access |
| 172.19.97.0/24 | 1894 | highly restricted LOMs: reachable only from vlan 15 and cscf.cs.uwaterloo.ca, the same sources as the infrastructure LOMs |
| 172.19.98.0/24 | 1895 | moderately restricted: reachable from the CS client networks listed below |
Sources permitted to reach the moderately restricted network 172.19.98.0/24:
| Network            | Comment |
| 129.97.7.0/24      | research servers |
| 129.97.15.0/24     | CSCF staff network |
| 129.97.26.0/24     | research servers |
| 129.97.84.0/24     | client workstations |
| 129.97.105.0/24    | Shoshin research group |
| 129.97.114.0/24    | CGL research group |
| 129.97.167.128/25  | CS public servers (contains linux.cs) (vlan dc:421) |
| 129.97.168.0/24    | client workstations |
| 129.97.169.0/24    | client workstations |
| 129.97.170.0/23    | client workstations |
| 129.97.173.192/26  | CSG research group (vlan dc:1732) |
| 129.97.186.0/24    | PLG research group |
| 172.19.15.0/24     | CSCF staff network (future) |
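As an added example (not code from this page or from any router), the source allowlists given above for the infrastructure LOM networks and for the proposed three-tier research LOM split are encoded below as data, with a lookup for a single source/destination pair and an audit helper that flags permit rules exceeding the documented allowlist. The allowlist for the highly restricted research tier reuses the infrastructure list because the page says it is "the same as the infrastructure LOMs". The names, the (action, src_cidr, dst_cidr) candidate-rule format and the candidate rule set are the example's own constructions; the rules are not taken from any configuration.

```python
# Added example (not the router configuration): the LOM source allowlists
# from the tables above, as data, plus a lookup and an audit helper.
from ipaddress import ip_address, ip_network


def nets(*cidrs):
    return tuple(ip_network(c) for c in cidrs)


# Infrastructure LOM/IPMI networks and the only sources allowed to reach them.
INFRA_LOM = nets("10.0.152.0/24", "10.0.153.0/24", "10.0.154.0/24", "10.0.155.0/24",
                 "10.15.2.0/24", "10.15.3.0/24", "10.15.16.0/24", "10.15.18.0/24",
                 "10.15.28.0/24")
INFRA_SOURCES = nets("10.15.152.4/32",    # asgard.cscf.uwaterloo.ca
                     "129.97.15.0/24",    # CSCF network
                     "172.19.15.0/24",    # CSCF trusted UW-Intranet (planned)
                     "172.19.4.229/32")   # cscf.cs.uwaterloo.ca

# Proposed research LOM tiers.  The page says the highly restricted tier uses
# the same sources as the infrastructure LOMs, so INFRA_SOURCES is reused.
RESEARCH_OPEN = nets("172.19.96.0/24")
RESEARCH_HIGH = nets("172.19.97.0/24")
RESEARCH_MODERATE = nets("172.19.98.0/24")
MODERATE_SOURCES = nets(
    "129.97.7.0/24", "129.97.15.0/24", "129.97.26.0/24", "129.97.84.0/24",
    "129.97.105.0/24", "129.97.114.0/24", "129.97.167.128/25", "129.97.168.0/24",
    "129.97.169.0/24", "129.97.170.0/23", "129.97.173.192/26", "129.97.186.0/24",
    "172.19.15.0/24")

# (destination networks, permitted sources); None means unrestricted.
POLICY = (
    (INFRA_LOM, INFRA_SOURCES),
    (RESEARCH_HIGH, INFRA_SOURCES),
    (RESEARCH_MODERATE, MODERATE_SOURCES),
    (RESEARCH_OPEN, None),
)


def lom_access(src, dst):
    """Intended decision for one source host reaching one LOM host."""
    s, d = ip_address(src), ip_address(dst)
    for dests, sources in POLICY:
        if any(d in n for n in dests):
            if sources is None or any(s in n for n in sources):
                return "permit"
            return "deny"
    return "not-a-lom-network"


def overbroad_permits(candidates):
    """Return the permit rules among candidates that let a source outside the
    documented allowlist reach a restricted LOM network.  Candidates are
    (action, src_cidr, dst_cidr) tuples; this format is an assumption, e.g.
    what one might extract from a router configuration export."""
    bad = []
    for action, src, dst in candidates:
        if action != "permit":
            continue
        s, d = ip_network(src), ip_network(dst)
        for dests, sources in POLICY:
            if sources is None or not any(d.overlaps(n) for n in dests):
                continue
            if not any(s.subnet_of(n) for n in sources):
                bad.append((src, dst))
                break
    return bad


# Constructed candidate rule set for the audit (not taken from any router).
CANDIDATE_RULES = (
    ("permit", "129.97.15.0/24", "10.0.152.0/24"),   # CSCF -> infra LOM: in policy
    ("permit", "129.97.84.0/24", "172.19.98.0/24"),  # workstations -> moderate: in policy
    ("permit", "129.97.84.0/24", "172.19.97.0/24"),  # workstations -> high: over-broad
    ("permit", "0.0.0.0/0", "172.19.96.0/24"),       # unrestricted tier: in policy
    ("deny", "0.0.0.0/0", "10.0.0.0/8"),
)

if __name__ == "__main__":
    for rule in overbroad_permits(CANDIDATE_RULES):
        print("over-broad permit:", *rule)
```

The audit only looks at permits: whether a trailing deny is correct depends on rule order, which a flat tuple list does not capture, so that part of a review still has to be done against the router's actual ACL.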
teaching-lab networks
- outbound unrestricted
- off-campus inbound restricted (except for stateful TCP return traffic)
- inbound from some intra-campus networks restricted, e.g. wireless and ResNet, unless otherwise noted
| IP addresses     | Router | Vlan | Comment |
| 129.97.51.0/24   | mc-cs2 | 51   | Mac labs in MC |
| 129.97.173.64/26 | mc-cs2 | 424  | ugsters; inbound ssh, RDP and ident allowed; inbound from wireless allowed |
infrastructure general-purpose networks
tbd