This page is nearly obsolete and needs rewriting to remove references to the decommissioned "Maintain" application, to reflect the decommissioning of the CS localized firewall, and to document the redesign of Intranet (private IPv4) network usage to support ACLs replacing the firewall rules where possible.

Network design philosophy and basic schema

Our basic network philosophy is to try to exploit locality at layer-2 and to use layer-3 routing wherever possible. We try to allocate networks within a single building at layer-2 and route between buildings with a /30 point-to-point (P2P) layer-3 VLAN as much as possible. To support network storage devices, all server rooms are fully mesh-connected by 10 Gb P2P OSPF links, with the master server room in each building containing that building's aggregation switch. Some networks are large (/23) and some are small (e.g. /26 for smaller research groups). Security aside, the trade-off between small and large is generally whether or not we can tolerate the broadcast traffic. Some protocols are "broadcast noisy", so we probably don't want any general-use networks larger than /23. We might consider a /22 client network, but that's about it (a /22 is ~1000 hosts, which can add up to a lot of broadcasting, especially if Samba/CIFS/Windows is present).

Using smaller layer-2 networks has the potential to allow better security design with the firewall. Small broadcast domains are isolated from each other and thus can be more secure for some classes of compromise: at least, we can say that smaller networks don't leak broadcast traffic and a compromised system can't see other non-local hosts at layer-2. That's the basic idea, at least; it doesn't always work out that way, because many classes of compromise go beyond the local network.

CSCF has three basic ranges of network presently (as of Spring 2010):

| Maintain zone name | Address space | Usage | Threat |
| cs-inet | 129.97.0.0/16 | Internet addresses; routable to the world | High |
| cs-campus | 172.19.0.0/16 | UW-Intranet; routable only within the UW Autonomous System | Medium |
| cs-private | 10.0.0.0/8 | CS-Intranet; routable only within the CS OSPF area 4 | Lowest |

"Maintain" refers to the IST "Maintain" web application, which is used to record and manage UW network allocations. When choosing a "Maintain" zone for a new host, the question to ask is: "What level of threat does it need to be exposed to?".

See the current network assignments for specific usage details.

Internet ("Maintain" zone cs-inet)

As of 2012-01-01, CSCF managed the following Internet networks: 129.97.{7, 15, 26, 51, 59 (as a pair of /25s), 74, 75, 78, 79, 84, 134, 152, 168, 169, 173 (split into smaller networks)}.0/24, and 129.97.170.0/23.

Notes:

  • we're trying to allocate 129.97.152.0/24 so that it can be split into two /25s some day. In particular:
    1. the lower half 129.97.152.0/25 is for systems in MC and DC 2303a
      1. 129.97.152.96/27 (i.e. the 32 addresses from 129.97.152.96 to 129.97.152.127) is for Solaris servers
    2. the upper half 129.97.152.128/25 is for systems in DC and M3
  • 129.97.15.0/24 exists in both buildings and likely won't be building-specific for the foreseeable future.
  • the client-only networks 129.97.{82,168,169}.0/24 and 129.97.170.0/23 are DC-only, because that's where all the clients are
  • 51-network is in both buildings on the firewalls
  • 59-network is in both buildings on the firewalls
  • 74- and 75-network are legacy non-firewall networks in DC only
  • 78- and 79-network are legacy non-firewall networks in both buildings
  • 134-network is for CS undergrad-student organizations and is (should be) MC only
  • 173-network is subdivided for research groups and is DC only (non-firewall)
  • 7- and 26-network are firewalled research-server networks and are DC only

Some research groups within the School of Computer Science have their own networks, which they manage:
  • Shoshin (129.97.105), routed via 129.97.7.9 on the firewall
  • Graphics Lab (129.97.114)
  • PLG (129.97.186)

UW-Intranet ("Maintain" zone cs-campus)

We have allocated to us the entire /16 network 172.19.0.0, which we carve up into various smaller networks, as follows:

| Network | Usage | Maintain DNS setup |
| 172.19.0.0/20 | non-firewalled networks | various, see below |
| 172.19.16.0/20 | firewall zone 0 (CSCF systems) | as a /20 |
| 172.19.32.0/20 | firewall zone 1 (CS servers) | as a collection of /24s |
| 172.19.48.0/20 | firewall zone 2 (thin clients) | as a /20 |
| 172.19.64.0/20 | firewall zone 3 (teaching lab workstations) | as a /20 |
| 172.19.80.0/20 | firewall zone 4 (office workstations) | as a /20 |
| 172.19.96.0/20 | firewall zone 5 (research computers) | as a collection of /24s |
| 172.19.112.0/20 | unallocated | as a /20 |
| 172.19.128.0/20 | unallocated | as a /20 |
| 172.19.144.0/20 | unallocated | undefined |
| 172.19.152.0/24 | unallocated | DC 3558 server room |
| 172.19.153.0/24 | unallocated | DC 2303a server room |
| 172.19.154.0/24 | unallocated | MC 3015 server room |
| 172.19.155.0/24 | unallocated | M3 3101 server room |
| 172.19.160.0/20 | unallocated | undefined |
| 172.19.176.0/20 | unallocated | undefined |
| 172.19.192.0/20 | unallocated | undefined |
| 172.19.208.0/20 | unallocated | undefined |
| 172.19.224.0/20 | unallocated | undefined |
| 172.19.240.0/20 | unallocated | undefined |

172.19.0.0/20 usage

Within the network 172.19.0.0/20, the allocation is as follows:

| Network | Usage |
| 172.19.0.0/24 | unused |
| 172.19.1.{0,4,8,12,...,252}/30 | OSPF point-to-point links (64 networks, each with 2 usable addresses) |
| 172.19.2.0/24 | some sort of legacy management network |
| 172.19.3.0/24 | unused |
| 172.19.4.{0,16,32,48,...,112}/28 | block of eight 16-address (14 usable) networks |
| 172.19.4.128/25 | unused |
| 172.19.5.{0,8,16,24,...,120}/29 | 16 small networks of 6 usable addresses each |
| 172.19.5.128/25 | for IST wireless access points |
| 172.19.6.0/24 | unused |
| 172.19.7.0/24 | unused |
| 172.19.8.0/24 | unused |
| 172.19.9.0/24 | unused |
| 172.19.10.0/24 | for use in MC |
| 172.19.11.0/24 | for use in MC |
| 172.19.12.0/24 | for use in DC |
| 172.19.13.0/24 | for use in DC |
| 172.19.14.0/24 | for use in DC |
| 172.19.15.0/24 | for use in DC |
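As an added illustration (not part of the original page), the following Python uses the standard ipaddress module to reproduce the carving described in this table and to sanity-check it: it generates the 64 /30 point-to-point links, the eight /28s and the sixteen /29s, verifies that the table's blocks tile 172.19.0.0/20 with no gaps and no overlap, and, for an address on a /30 link, reports the address at the other end. The CIDR list is transcribed from the table above; the function names are mine.

```python
from itertools import combinations
from ipaddress import IPv4Address, IPv4Network

# The 172.19.0.0/20 allocation table above, transcribed as CIDR blocks.
# Rows written as "172.19.x.{0,4,8,...}/30" appear here as their enclosing
# block (e.g. 172.19.1.0/24) and are subdivided by CARVED below.
PARENT = "172.19.0.0/20"
ALLOCATIONS = [
    "172.19.0.0/24", "172.19.1.0/24", "172.19.2.0/24", "172.19.3.0/24",
    "172.19.4.0/25", "172.19.4.128/25", "172.19.5.0/25", "172.19.5.128/25",
] + [f"172.19.{n}.0/24" for n in range(6, 16)]

# Blocks the table further subdivides into equal-size child networks
CARVED = {
    "172.19.1.0/24": 30,   # OSPF point-to-point links
    "172.19.4.0/25": 28,   # eight 16-address networks
    "172.19.5.0/25": 29,   # sixteen 8-address networks
}


def carve(block, new_prefix):
    """All equal-size child networks of `block` at the given prefix length."""
    return list(IPv4Network(block).subnets(new_prefix=new_prefix))


def summarize(block, new_prefix):
    """How many children the block yields, how many host addresses each offers
    (total minus network and broadcast), and the first and last child."""
    subs = carve(block, new_prefix)
    return {
        "count": len(subs),
        "usable": subs[0].num_addresses - 2,
        "first": str(subs[0]),
        "last": str(subs[-1]),
    }


def check_allocation(parent, blocks):
    """Verify that every block sits inside `parent`, that no two blocks overlap,
    and that together they account for every address of `parent`.
    Returns a list of problems; an empty list means the table is consistent."""
    parent = IPv4Network(parent)
    nets = [IPv4Network(b) for b in blocks]
    problems = [f"{n} is outside {parent}" for n in nets if not n.subnet_of(parent)]
    # Full pairwise check: a containing block need not sort next to what it contains.
    for a, b in combinations(nets, 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    total = sum(n.num_addresses for n in nets)
    if total != parent.num_addresses:
        problems.append(f"{total} of {parent.num_addresses} addresses allocated")
    return problems


def p2p_peer(addr):
    """For an address on a /30 point-to-point link, the address of the other end."""
    net = IPv4Network(f"{addr}/30", strict=False)
    hosts = list(net.hosts())          # the two usable addresses of a /30
    a = IPv4Address(addr)
    if a not in hosts:
        raise ValueError(f"{a} is the network or broadcast address of {net}")
    return str(hosts[1] if a == hosts[0] else hosts[0])


if __name__ == "__main__":
    for block, prefix in CARVED.items():
        print(block, "->", summarize(block, prefix))
    print("table problems:", check_allocation(PARENT, ALLOCATIONS) or "none")
    print("peer of 172.19.1.37:", p2p_peer("172.19.1.37"))
```

check_allocation is the part worth keeping around: run it against a transcribed table whenever a row is added or resized, and a typo that makes two rows overlap or leaves a /25 unaccounted for shows up as a listed problem rather than as a duplicate-address surprise later.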

172.19.32.0/20 usage -- Firewall zone 1

Within the network 172.19.32.0/20, the allocation is as follows:

| Network | Usage |
| 172.19.32.0/24 | campus-only servers in DC |
| 172.19.33.0/24 | printers in DC |
| 172.19.34.0/25 | VM hosts in DC |
| 172.19.34.128/25 | VM hosts in MC |
| 172.19.47.0/24 | campus-only servers in MC |
| remainder | undefined |

172.19.96.0/20 usage -- Firewall zone 5

Within the network 172.19.96.0/20, the allocation is as follows:

| Network | Usage |
| 172.19.96.0 to 172.19.96.? | used for management ports and ILOM |
| remainder | undefined |

CS-Intranet ("Maintain" zone cs-private)

We use the network 10.0.0.0/8 for devices that need no reachability outside CS. This network was originally divided up as follows:

| Network | Usage |
| 10.15.0.0/20 | non-firewalled networks |
| 10.15.16.0/20 | various LOM networks |
| 10.15.32.0/20 | unallocated |
| 10.15.48.0/20 | thin clients in DC (48 and up) and MC (63 and down) |
| 10.15.64.0/20 | various teaching/lab usage |
| 10.15.80.0/20 | unallocated |
| 10.15.96.0/20 | device management of research computers |
| 10.15.112.0/20 | unallocated |
| 10.15.128.0/20 | unallocated |
| 10.15.144.0/20 | unallocated |
| 10.15.160.0/20 | unallocated |
| 10.15.176.0/20 | unallocated |
| 10.15.192.0/20 | unallocated |
| 10.15.208.0/20 | unallocated |
| 10.15.224.0/20 | unallocated |
| 10.15.240.0/20 | unallocated |

The specific network allocations are recorded in the VLAN summary table.

Host numbering within networks

Within a network, certain addresses are reserved for standard usage, as follows:

  • 0 address: reserved for the network name
    • naming convention: <subnet-name>.net.uwaterloo.ca
    • e.g. 10.15.18.0 is dc-lom.net.uwaterloo.ca
  • 1 and 2 addresses: reserved for route-points for the network
    • naming convention: <device>-<subnet-name>.uwaterloo.ca
    • e.g. 10.15.18.1 is dc-cs2-dc-lom.uwaterloo.ca and 10.15.18.2 is dc-cs1-dc-lom.uwaterloo.ca
  • 3 to 9 addresses: reserved for other networking devices, e.g. DHCP and DNS servers or caches
  • 10 and above: available for general allocation

Note that these addresses are relative to the subnet base. For a /24 network that starts at 0, the above addresses are literal. But for a /25 network that begins at address 128, the relative translation would be:

  • .128 network name
  • .129 and .130 for routing
  • .131 to .137 reserved for networking devices
  • .138 and above are available for use
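
A worked example of this convention, added here and not taken from the original page: given a subnet in CIDR form, it computes the reserved addresses relative to the subnet base together with their conventional DNS names, and classifies an arbitrary address within the subnet. The dc-lom example above supplies the subnet name and the router device names dc-cs2 and dc-cs1; treating 10.15.18.0 as a /24 is an assumption, and the default router names are placeholders. The page does not say how networks too small to hold offsets 0 to 10 plus a broadcast address (anything smaller than a /28) are numbered, so the code rejects those rather than guessing.

```python
from ipaddress import IPv4Address, IPv4Network

DOMAIN = "uwaterloo.ca"

# Offsets from the subnet base, as given in the numbering convention above.
NETWORK_OFFSET = 0
ROUTE_POINT_OFFSETS = (1, 2)
INFRA_OFFSETS = range(3, 10)      # 3 to 9 inclusive
FIRST_GENERAL_OFFSET = 10


def reserved_layout(cidr, subnet_name, router_names=("rtr-a", "rtr-b")):
    """Reserved addresses and conventional DNS names for one subnet.

    router_names are the device names that prefix the route-point hostnames
    (dc-cs2 and dc-cs1 in the page's dc-lom example); the defaults here are
    placeholders, not real devices.
    """
    net = IPv4Network(cidr)
    # Offsets 0..10 plus a broadcast address need at least 12 addresses, so a
    # /29 or /30 cannot follow this layout (assumption: the page is silent on them).
    if net.prefixlen > 28:
        raise ValueError(f"{net} is too small for the reserved-address layout")
    base = int(net.network_address)

    def at(offset):
        return str(IPv4Address(base + offset))

    return {
        "network": (at(NETWORK_OFFSET), f"{subnet_name}.net.{DOMAIN}"),
        "route_points": [
            (at(off), f"{dev}-{subnet_name}.{DOMAIN}")
            for off, dev in zip(ROUTE_POINT_OFFSETS, router_names)
        ],
        "infrastructure": (at(INFRA_OFFSETS.start), at(INFRA_OFFSETS.stop - 1)),
        "first_general": at(FIRST_GENERAL_OFFSET),
        "last_general": str(net.broadcast_address - 1),
    }


def classify(addr, cidr):
    """Role an address plays in its subnet under this convention."""
    net = IPv4Network(cidr)
    a = IPv4Address(addr)
    if a not in net:
        raise ValueError(f"{a} is not in {net}")
    if a == net.broadcast_address:
        return "broadcast"
    offset = int(a) - int(net.network_address)
    if offset == NETWORK_OFFSET:
        return "network"
    if offset in ROUTE_POINT_OFFSETS:
        return "route-point"
    if offset in INFRA_OFFSETS:
        return "infrastructure"
    return "general"


if __name__ == "__main__":
    # Assumed /24; the router names come from the dc-lom example on this page.
    print(reserved_layout("10.15.18.0/24", "dc-lom", ("dc-cs2", "dc-cs1")))
    # The /25 case from the text: base .128, route points .129/.130, general from .138.
    print(reserved_layout("129.97.152.128/25", "example-subnet"))
    print(classify("129.97.152.133", "129.97.152.128/25"))
```

classify is the handy half for audits: feed it the addresses a DHCP scope or a static allocation list hands out, and anything that lands in "network", "route-point" or "infrastructure" is a misallocation under this convention.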
Topic revision: r23 - 2014-07-31 - DaveGawley