Service Desk Knowledgebase: Networking: Difference between revisions
- Enter your CL Password for CRSid@AD.CL.CAM.AC.UK & press [Enter]
- ssh -K laira & press [Enter]
- Connect to the appropriate switch using telnet - the switches are named wcname-swN.net.cl.cam.ac.uk (i.e. WC0E-SW2-90 -> wc0e-sw2.net HOST 90, or wc0e-sw1.net HOST 90 on a stacked switch), e.g. telnet wc0e-sw1.net
NOTE: At this point in time our network upgrade is not complete; when it is, all wiring closets will have, in effect, a single switch. Until then ports HOST 1-48 will be on switch 1 and HOST 49-96 on switch 2.
HOST 1 to 48 are wcXX-sw1 ports Gi0/1 to Gi0/48
HOST 49 to 96 are wcXX-sw2 ports Gi0/1 to Gi0/48
channel-group 1 mode active
!
[NOTE: If you get a rare nvram error doing the steps below, escalate the RT ticket to the backoffice queue]
- At the password prompt enter the access password.
- At the prompt wc0e-sw1.net> type enable then [Enter], and give the enable password.
- Look at the existing configuration with show conf then [Enter], and page through by hitting the [Space-bar] until you see the configuration entry for the port you want to change - for HOST port 90 look for a line like interface GigabitEthernet0/42 on switch 2 or interface GigabitEthernet2/0/42 on a stacked switch 1 and verify what data VLAN is enabled on it. Take a copy of that port's current configuration to paste into the RT ticket "for the record".
- To add (or remove) a VLAN enter conf terminal and [Enter]
- At the next wc0e-sw1.net(config)# prompt select the interface you want to configure with either the command interface gi0/42 or interface gi2/0/42 and [Enter]
- At the wc0e-sw1.net(config-if)# prompt add the required VLAN with the command switchport access vlan 190 and [Enter], or to remove VLAN 298 from a port use the command no switchport access vlan 298 and [Enter]
- At the wc0e-sw1.net(config-if)# prompt type exit and [Enter]
Building configuration...
[OK]
- Use show conf then [Enter] to check the configuration as detailed above, take a copy of that port's new configuration to paste into the RT ticket "for the record", and if all is OK then exit and [Enter] to leave the switch
- Then exit and [Enter] out of laira (and eventually close down PuTTY)
- Then exit and [Enter] out of the slogin service (and close down PuTTY)
- The RT ticket should have the old and the new port configuration details pasted in as a comment "for the record"
- Reply to the user telling them the job has been completed [NOTE: The switchport status is not updated quickly; it is pulled from the switch rather than queried when asked for.] and then resolve the RT ticket.
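The HOST-to-port rule and the "copy the port's configuration for the record" steps above, as an added example (not code from the wiki or from the CL network team). It assumes the HOST 1-48 / 49-96 mapping quoted above, takes the Gi2/0/42 form for a stacked switch as the general pattern (an assumption), and works on a constructed show conf excerpt:

```python
import difflib
import re

# Constructed `show conf` excerpt in the layout the page quotes (not a real CL switch config).
SHOW_CONF = """\
!
interface GigabitEthernet0/41
 switchport access vlan 298
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/42
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet2/0/42
 switchport access vlan 190
 switchport mode access
!
"""


def host_to_port(closet, host, stacked=False):
    """Map a floor-box HOST number to (switch, interface) per the page's rule:
    HOST 1-48 -> <closet>-sw1 Gi0/1..48, HOST 49-96 -> <closet>-sw2 Gi0/1..48.
    stacked=True assumes (generalising the page's gi2/0/42 example for HOST 90)
    that a stacked closet exposes member N's ports as GiN/0/<port> on sw1."""
    if not 1 <= host <= 96:
        raise ValueError("HOST must be in 1..96")
    member, port = (1, host) if host <= 48 else (2, host - 48)
    if stacked:
        return f"{closet}-sw1.net", f"GigabitEthernet{member}/0/{port}"
    return f"{closet}-sw{member}.net", f"GigabitEthernet0/{port}"


def port_stanza(conf, interface):
    """Lines of one `interface ...` stanza, up to the next '!' or other top-level line."""
    stanza, capturing = [], False
    for line in conf.splitlines():
        if line.startswith("interface "):
            capturing = line.split(None, 1)[1] == interface
            if capturing:
                stanza.append(line)
            continue
        if capturing:
            if not line.startswith(" "):
                break
            stanza.append(line)
    return stanza


def access_vlan(stanza):
    """Data VLAN enabled on the port, or None if the port is still at the default."""
    for line in stanza:
        m = re.match(r"\s*switchport access vlan (\d+)$", line)
        if m:
            return int(m.group(1))
    return None


def with_access_vlan(stanza, vlan):
    """Stanza as it will read after `switchport access vlan <vlan>`
    (vlan=None models `no switchport access vlan N`)."""
    kept = [l for l in stanza if not re.match(r"\s*switchport access vlan", l)]
    if vlan is not None:
        kept.insert(1, f" switchport access vlan {vlan}")
    return kept


def ticket_record(old, new):
    """Unified diff of the old and new stanza, ready to paste as the RT ticket comment."""
    return "\n".join(difflib.unified_diff(old, new, "before", "after", lineterm=""))


if __name__ == "__main__":
    switch, iface = host_to_port("wc0e", 90)
    old = port_stanza(SHOW_CONF, iface)
    print(switch, iface, "current VLAN:", access_vlan(old))
    print(ticket_record(old, with_access_vlan(old, 190)))
```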
Sorting out BMC Access
Firewall
- The Computer Lab actually doesn't have a firewall! There is only a set of access control lists which act as a firewall. With multiple VLANs it has never been clear where a firewall should be placed to be of use to us, so restrictions are created using access control lists between VLANs (http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/CiscoBlocks). Modifications to these are a backoffice task, so change the queue to BackOffice and notify a network administrator (Chris Hadley or Martyn Johnson).
Contacts
Hints, Tips & Known Issues
DHCP allocations to Managed machines
Ian Mackey (http://www.lookup.cam.ac.uk/person/iwm21) (23/4/2015)
>iwm21: ... as a managed MAC, can we suggest the user hard-codes the IP address?
gt19: ...The managed MAC VLAN hands out static addresses. Those are from the DNS; the fix here is to add an entry for this machine to the cl.data file - an example of a machine configured in this way is saissac (my laptop). Most of our VLANs do not use dynamic DHCP addresses so in most cases you need to add an address to the DNS when a new machine is added to the VLAN.
The DHCP pool is truly dynamic so if a machine gets an IP address allocation error it is best to look at the cl.data file (DHCP information) for the machine's MAC address.
----
Categorising Keywords
- Network Networking VPN Router
Latest revision as of 08:11, 6 January 2016
This is the Networking content page of the CL Wiki Service Desk Knowledgebase. Its purpose is to provide information to the Service Desk team on how to handle problems and requests about this CL service. If you are involved with the provision of this CL service please feel free to add to the knowledge about it.
If CL staff need to tell the Service Desk team about problems with this service please email sys-admin-aside@cl.cam.ac.uk.
Key Service Description & URLs
- The CL network
- Computer Laboratory News (Twitter use @UC_CL_SysAdm)
CL Customer Documentation
William Gates Building Floor Plans (inc. Room Codes):
- Ground floor (G)
- First floor (F)
- Second floor (S)
- Find a room
Further CL Sys-Admin Resources
- http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/HelpDesk/Networking - Networking
- http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/HelpDesk/Networking/VPN_request - Dealing with a VPN request
- https://dbwebserver.ad.cl.cam.ac.uk/SCG/Wiring2/Wiring.aspx - wiring
- http://netdisco.net.cl.cam.ac.uk/ - NetDisco Management tool (must be accessed from a Computer Lab machine e.g. ts01.ad.cl.cam.ac.uk with username=guest password=guest)
Underpinning Services
- ??? - Any supporting or underpinning services
Customer-base for this Service
- All staff and students of the Computer Laboratory
Costs
- Free to all current staff and PhD students of the Computer Laboratory.
SLA
- N/A
Service Desk Call Handling Procedure
- RT tickets can be escalated to the net-admin team by changing the Queue to net-admin with the Owner set to Nobody & Status set to new. Tell the requestor:
I am passing this request over to our Network Admin team who, I'm sure, will be in contact shortly.
Finding VLAN Info
The Networks Database lists VLANs and their address ranges. Clicking [Details] will reveal the netmask and the Router/Gateway's IP address which by convention is the first IP address in the range i.e. range_min.
Common examples are:
- Tag 298 = Managed Windows (AD delegated machines) 128.232.28.0/22
- Tag 398 = Managed Linux 128.232.64.0/20
- Tag 498 = Managed Macs 128.232.56.0/22
- Tag 105 = DMZ (with no Windows machines in it) 128.232.98.0/24
- Tag 190 = Virtually outside (Uses DHCP with known MAC addresses) 128.232.110.0/24
Dealing with a VPN request
See http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/HelpDesk/Networking/VPN_request
Request to add machine to department network
If it is a private laptop then get them to:
Please register the laptop on the DHCP request page https://dbwebserver.ad.cl.cam.ac.uk/SysAdminUser/DHCPRequest.aspx and request a connection on the appropriate VLAN.
Dealing with DHCP Registration
Piete Brooks (30/03/15)
DRAFT!
To find out which VLANs use DHCP consult ??? My model is that:
- 'Lab Linux' (including servers) do not, BUT we abuse the mechanism for an IPv6 HACK.
- Anything using Dynamic DHCP has to use DHCP!
- Most 'non Lab Managed' VLANs use DHCP even if addresses are actually static.
Basically I think it's safest to do all VLANs.
The MAC address for the machine in question needs to be in the inventory.
A ValidTo date will be required which can be determined by:
- If someone has asked for a machine for a particular period, use that.
- If it's a new Lab machine, its life expectancy - say 5 years.
- If it's a private machine, guess how long they'll be here - typically 4 years for a PhD student.
- If it's for an Internal or Under-Graduate, until the end of their use, so a month or so or end of the academic year respectively.
To add the MAC to the DHCP setup:
- Find the machine in the inventory and click on Details
- Click on the MAC address of the machine
- If there is already an entry for the VLAN you may need to update it to make it valid by changing the end date ([Select] then [Edit])
- Then click [Select]
- Select the required VLAN from the drop-down list underneath "To add a new VLAN entry to this interface select the VLAN and click Add" and click on [Add]
- Click on [Edit]
- Add a ValidTo date (the default is the same day!) and then click [Update]
The Pool should be dynamic and within half an hour or so the DHCP address should be available.
[NOTE: Only Windows machines are added to the AD, and this is done when they are installed.]
[NOTE: If the pool is static, you need to add the name and address to the DNS.]
Adding an IPv6 AAAA record for a machine
AAAA records are automatically added for any machine on an IPv6 enabled VLAN when it has a current DHCP record for the VLAN.
For Linux machines on the managed VLAN (398) this will not normally be set up.
To add the MAC to the DHCP setup:
- Find the machine in the inventory and click on Details
- Click on the MAC address of the machine
- Then click [Select]
- Select the required VLAN from the drop-down list underneath "To add a new VLAN entry to this interface select the VLAN and click Add" and click on [Add]
- Click on [Edit]
- Add a ValidTo date (the default is the same day!) and then click [Update]
The AAAA record will be generated on the next DNS update, which can be pushed from an omnipotent machine with:
cd /anfs/glob/src/etc/named
make install
Adding IP addresses & CNAMES to the DNS
[NOTE: The Windows domain uses truly dynamic DHCP so think hostname.ad.cl.cam.ac.uk rather than IP Address.]
1. Check that the person is entitled to what is being requested:
In the case of the DNS it is better to decide if the person is allowed rather than worry about the machine. (Obvious counter examples would be to change the main router etc.) In general UTOs are pretty much always trusted; for others, request confirmation via their supervisors (see Lookup CL Staff & Students). You can also scan the cl.data file for their past history (go to laira, cd /anfs/glob/src/etc/named/src & view cl.data) - if they have made multiple requests previously then trust them. If the requestor isn't the User or PersonResponsible of the machine, asking the actual User/PersonResponsible is an acceptable and safe approach (see Inventory).
2. If adding an IP address: determine the IP address range (in CIDR notation) that should be used for the requested VLAN using Network settings. Copy & paste the first part of the address into something like Notepad to use in a search later. [NOTE: The number of addresses in a subnet defined by the mask or prefix is 2 to the power of (address size - prefix size), where the address size is 32 for IPv4 (128 for IPv6). For example, in IPv4 a prefix of /24 gives 2^(32-24) = 2^8 = 256 addresses.]
3. Make sure Pageant.EXE is running and has your private key by double clicking on CL.ppk or similar.
4. Use PuTTY and go to the CL's slogin-serv.cl.cam.ac.uk
5. Make the PuTTY window longer.
6. Type kinit & press [Enter]
7. Enter your CL Password for CRSid@AD.CL.CAM.AC.UK & press [Enter]
8. Type ssh -K laira & press [Enter] to go to the privileged machine laira
9. At the laira:~$ prompt use cd /anfs/glob/src/etc/named/src and [Enter]
10. Check-out the cl.data file with co -l cl.data and [Enter]
10a. If you receive a message that 'writable cl.data exists' use rlog -L -h src/cl.data to find out who has locked it. E.g:
laira:/global/src/etc/named: rlog -L -h src/cl.data
11. Use vi to edit the file with vi cl.data and [Enter]
Adding an IP Address:
- Search for the start of the address range with something like /128.232.98.1 (which you hopefully kept from earlier!) or the VLAN like /vlan 296 and [Enter]
- Ctrl+F to scroll Forward to the next available address in the range.
- Down-arrow to start of line above where it should be.
- Use Shift+A to enter --INSERT-- mode at the end of that line
- Make an entry like:
saluki1.dtg IN A 128.232.98.206 IN TXT "RT#94231"
(NOTE: the gaps are made using <Tab> not spaces) (NOTE: If an IP Address has more than one A hostname referring to it the others should have !F at the start of the hostname so there is only one hostname to reverse map back to.)
- [Esc] out of INSERT mode
- :wq and [Enter] to write the file and quit vi
Adding a CNAME:
- You need to start by searching for the CNAME you are being asked to deal with rather than its target. If you are being asked to change or delete it, you obviously need to find it. If you are being asked to add a new one, you first need to make sure that it is NOT already there (though we can normally trust that the DTG will have checked that).
- For a deletion, you find the line and remove it.
- For a change, you find the line and change it.
For an addition, having established that it really isn't there already, you need to find the big block of puppy CNAMEs (e.g. by searching for the comment string "CNAMEs for puppy machines"). Then you would add the new line, ideally in the correct alphabetic position but that is not absolutely essential (and somebody can always re-sort them later). The line you add is the same as it always was - the only difference is that the ones for the "puppy" machines are all in one place rather than scattered all over. I have reformatted the entries into neat columns so it should be fairly obvious what to add.
- Down-arrow to the start of the line above where it should be.
- Use Shift+A to enter --INSERT-- mode at the end of that line
- Make an entry like:
puppy38.dtg IN A 128.232.20.67 IN TXT "VM in husky cluster" ; oc243 rt#88303
acr31-containers.dtg IN CNAME puppy38.dtg ; oc243 rt#91603
rscfl-freebsd.dtg IN CNAME puppy38.dtg ; oc243 rt#94176
(NOTE: the gaps are made using <Tab> not spaces)
- [Esc] out of INSERT mode
- :wq and [Enter] to write the file and quit vi
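The checks the steps above ask you to do by eye (the subnet size from the prefix in step 2, finding the next free address in the range, the !F rule when an address gets a second A name, and making sure a CNAME's target exists and the name is not already there), as an added example; this is not code from the wiki or from the CL named tooling, and the sample lines are constructed in the tab-separated layout the page shows:

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the tab-separated cl.data layout shown on the page (not real CL data).
SAMPLE = (
    "; CNAMEs for puppy machines\n"
    'puppy38.dtg\tIN A\t128.232.20.67\tIN TXT\t"VM in husky cluster"\t; oc243 rt#88303\n'
    "acr31-containers.dtg\tIN CNAME\tpuppy38.dtg\t; oc243 rt#91603\n"
    "rscfl-freebsd.dtg\tIN CNAME\tpuppy38.dtg\t; oc243 rt#94176\n"
    "kibana.dtg\tIN CNAME\tpuppy47.dtg\t; constructed: puppy47.dtg has no record here\n"
    'saluki1.dtg\tIN A\t128.232.98.206\tIN TXT\t"RT#94231"\n'
    "!Fsaluki-alias.dtg\tIN A\t128.232.98.206\t; second name for .206, !F so not reverse-mapped\n"
    "saluki2.dtg\tIN A\t128.232.98.207\n"
    "saluki-dup.dtg\tIN A\t128.232.98.207\t; constructed mistake: second name without !F\n"
)

A_RE = re.compile(r"^(?P<name>\S+)\tIN A\t(?P<addr>\S+)")
CNAME_RE = re.compile(r"^(?P<name>\S+)\tIN CNAME\t(?P<target>\S+)")


def parse(text):
    """Return (a_records, cnames): address -> [names] and cname -> target.
    ';' comments are stripped; any other record types are ignored."""
    a_records, cnames = defaultdict(list), {}
    for line in text.splitlines():
        body = line.split(";", 1)[0].rstrip()
        if not body:
            continue
        if (m := A_RE.match(body)):
            a_records[m.group("addr")].append(m.group("name"))
        elif (m := CNAME_RE.match(body)):
            cnames[m.group("name")] = m.group("target")
    return a_records, cnames


def subnet_size(prefix, family=4):
    """Addresses in a /prefix subnet: 2 ** (address size - prefix size)."""
    return 2 ** ((32 if family == 4 else 128) - prefix)


def free_addresses(a_records, cidr):
    """Host addresses in cidr with no A record yet. ip_network.hosts() already skips the
    network and broadcast addresses; the first usable one is skipped too because by the
    page's convention it is the router/gateway."""
    hosts = list(ipaddress.ip_network(cidr).hosts())[1:]
    return [str(h) for h in hosts if str(h) not in a_records]


def bare(name):
    """Hostname without the !F marker."""
    return name[2:] if name.startswith("!F") else name


def check(a_records, cnames):
    """Problems to fix before `ci -u cl.data`: an address with more than one reverse-mappable
    name, a CNAME whose target has no record, or a name that is both an A record and a CNAME."""
    problems = []
    a_names = {bare(n) for names in a_records.values() for n in names}
    for addr, names in sorted(a_records.items()):
        primary = [n for n in names if not n.startswith("!F")]
        if len(primary) != 1:
            problems.append(f"{addr}: {len(primary)} reverse-mappable names {primary}; "
                            "all but one must start with !F")
    for name, target in sorted(cnames.items()):
        if name in a_names:
            problems.append(f"{name}: has both an A record and a CNAME")
        if target not in a_names and target not in cnames:
            problems.append(f"{name} CNAME {target}: target has no record in this file")
    return problems


if __name__ == "__main__":
    a, c = parse(SAMPLE)
    print("/24 holds", subnet_size(24), "addresses")
    print("next free in 128.232.98.0/24:", free_addresses(a, "128.232.98.0/24")[0])
    for p in check(a, c):
        print("PROBLEM:", p)
```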
GENERAL NOTES on vi
- /string and [Enter] (search for the string)
- : for command prompt
- :1 to go to line 1
- :wq and [Enter] is write & quit
- :q! and [Enter] is quit without writing (if you mess up!)
- :help and [Enter] for help
- Arrow-keys scroll around text
- Ctrl+F to page-Forward through text
- Ctrl+B to page-Back through text
- Shift+A to go into -- INSERT -- mode at end of line
- i to go into -- INSERT -- mode at the cursor
- Shift+R to enter -- REPLACE -- or "Overtype" mode
- [Esc] escape out of -- INSERT -- & -- REPLACE -- mode
- u undo last change
- dd deletion (if pressed twice the object is the current line)
12. rcsdiff cl.data and [Enter] to check what changes have actually been made
13. Use ci -u cl.data and [Enter] to check in; at the log-message prompt type a comment giving the RT ticket number, e.g. RT#94171, then [Enter], and finish the message with a line containing just . followed by [Enter]
14. Go up with cd .. and [Enter]
15. At the rjt58@laira:/anfs/glob/src/etc/named$ prompt use make install and [Enter]
16. You will see a lot of output ending in something like:
< 128.232.20.59 puppy31.dtg.cl.cam.ac.uk puppy31.dtg dtw30-crunch0.dtg.cl.cam.ac.uk
---
> 128.232.20.59 puppy31.dtg.cl.cam.ac.uk puppy31.dtg dtw30-crunch0.dtg.cl.cam.ac.uk
touch intermediate/hosts-st
# ===== built derived files from sources =====
# ====== install on dns0 ======
# install on meldreth.cl.cam.ac.uk/var/named/chroot/var/named/data/
[sudo] password for CRSid:
at [sudo] password for CRSid: give your CL password & press [Enter]
17. You will eventually see something like:
Answer:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 45631
;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; TSIG PSEUDOSECTION:
local-ddns. 0 ANY TSIG hmac-sha256. 1422536243 300 32
# sync tex.ac.uk
# sync pgp.net
# sync 2001.0630.0212.02
# ====== ran /usr/sbin/dns-update ('nsdiff | nsupdate') on dns0 ======
sudo cp -p intermediate/hosts /anfs/master/dist/all/etc/hosts-t
sudo chown root /anfs/master/dist/all/etc/hosts-t
sudo mv -f /anfs/master/dist/all/etc/hosts-t /anfs/master/dist/all/etc/hosts
ls -ld /anfs/master/dist/all/etc/hosts
-rw-r--r--. 1 root vrw10 199159 Jan 29 12:56 /anfs/master/dist/all/etc/hosts
laira:named$
and then return to a laira:named$ prompt.
FINALLY to check it has been correctly added to the DNS:
sandy:~: host poodle.dtg.cl.cam.ac.uk
poodle.dtg.cl.cam.ac.uk has address 128.232.20.136
sandy:~:
This proves that it's actually in the DNS.
18. Use exit and [Enter] to exit (and eventually close down PuTTY)
19. In RT Reply to the user with something like:
Hello The Requester name,
The CNAME : kibana.dtg -> puppy47.dtg is now created and should be ready for your use.
Please contact me if there is anything else required.
Kind regards
Rob
and then Resolve the ticket.
Procedure for Patching
If you wish to request a connection please go to our web forms page (https://dbwebserver.ad.cl.cam.ac.uk/SysAdminUser/) and select "Request a network connection" (https://dbwebserver.ad.cl.cam.ac.uk/SysAdminUser/DHCPRequest.aspx) and fill in the details requested.
 Patch request <InventoryNumber> floorbox <FloorBoxNumber> VLAN <VLANnumber>
- Establish all the details: InventoryNumber, FloorBox & PortNumber, and the VLAN required. Requests arrive in the HW-Admin RT queue as emails with a title similar to the above.
Do this by replying to the requester with something like:
 We need the inventory number of the machine and the floor box details, and also which VLAN you want to connect it to. If the machine does not have a lab inventory number please register it at https://dbwebserver.ad.cl.cam.ac.uk/sysadminuser/RegisterNewMachine.aspx?return=DHCPRequest2 and let me know when you have done this.
These tickets need to be passed to the Operators by placing them on the Oper RT queue (owner as Nobody and Status as New).
- The operators then carry out the physical patching and document it (see the Operator's Procedure for Patching).
- When the patching has been done and the ticket is returned to the sys-admin queue, configure the switch port VLAN as described under Updating VLANs in the Cisco switches.
Updating VLANs in the Cisco switches
Unused switch ports carry the standard settings so that an IP phone can be plugged in without any configuration change. No other VLAN is enabled on the port by default.
Any other equipment that is attached will require a VLAN to be enabled on that port in addition to merely patching the port through to the floor box. (See Inventory, wiring, VLAN & Lookup.)
Log the connection in the database:
- Having established the InventoryNumber, FloorBox & PortNumber, VLAN details above and with the RT Ticket number to hand go to wiring.
- Click Floor Box Details
- Put in the Box name (e.g. WC0E-042) and search (*) Box by pressing [Enter]
- Hopefully the port in question will be free; if so click [Add Connection]
- Put in the free Port:, the Inventory Number of the machine which will be connected to it, and a Note: of the RT#12345 number, then click [Create]
- The [Trace] button for that port will now show the switch and "HOST" it is connected to, e.g.
 1393 CBL WC0E-HOST-075 <==>WC0E-SW2-075
 i.e. HOST 75 (read as port 75-48 = 27 on the second 48-port switch) on switch WC0E-SW2. That switch may actually be a stack member of WC0E-SW1, but you won't find that out until you try telnetting to it and it fails (see below).
To enable/disable a VLAN on a switch port:
- Make sure Pageant.EXE is running and has your private key by double clicking on CL.ppk or similar.
- Use PuTTY and go to the CL's slogin-serv.cl.cam.ac.uk
- Make the PuTTY window longer.
- Type kinit & press [Enter]
- Enter your CL Password for CRSid@AD.CL.CAM.AC.UK & press [Enter]
- ssh -K laira & press [Enter]
- Connect to the appropriate switch using telnet. The switches are named wcname-swN.net.cl.cam.ac.uk, so WC0E-SW2-90 from the trace means wc0e-sw2.net HOST 90, or wc0e-sw1.net HOST 90 if that closet has a stacked switch, e.g.
 telnet wc0e-sw1.net
 Telnet sends the access and enable passwords in clear text, so only ever do this from laira over the ssh hop described above, never from an arbitrary machine.
NOTE: At this point in time our network upgrade is not complete; when it is, all wiring closets will in effect have a single switch. Until then ports HOST 1-48 are on switch 1 and HOST 49-96 on switch 2:
 HOST 1 to 48 are wcXX-sw1 ports Gi0/1 to Gi0/48
 HOST 49 to 96 are wcXX-sw2 ports Gi0/1 to Gi0/48
Wiring closets that have been upgraded to the newer switches operate as a stack (wc0c is an example). You can recognise these because there appears to be only one switch to log into and port names have three components (stack member/module/port). On these:
 HOST 1 to 48 are wcXX-sw1 ports GigabitEthernet1/0/1 to GigabitEthernet1/0/48
 HOST 49 to 96 are wcXX-sw1 ports GigabitEthernet2/0/1 to GigabitEthernet2/0/48
Note that the following are uplinks, not HOST ports, so they don't get counted in the 48+48 numbering scheme and are not touched by this procedure:
 !
 interface GigabitEthernet1/0/49
  switchport trunk allowed vlan 1-473,478-4094
  switchport mode trunk
  srr-queue bandwidth share 1 30 35 5
  priority-queue out
  mls qos trust dscp
 !
 interface GigabitEthernet1/0/50
 !
 interface TenGigabitEthernet1/0/1
  switchport trunk allowed vlan 1-473,478-4094
  switchport mode trunk
  srr-queue bandwidth share 1 30 35 5
  priority-queue out
  mls qos trust dscp
  channel-group 1 mode active
 !
[NOTE: If you get a rare nvram error doing below escalate the RT ticket to the backoffice queue]
- At the password prompt enter the access password.
- At the prompt wc0e-sw1.net> type enable then [Enter], and give the enable password.
- Look at the existing configuration with show conf then [Enter], and page through by hitting the [Space-bar] until you see the configuration entry for the port you want to change. For HOST port 90 look for a line like interface GigabitEthernet0/42 on switch 2, or interface GigabitEthernet2/0/42 on a stacked switch 1, and verify what data VLAN is enabled on it (the switchport access vlan line). Take a copy of that port's current configuration to paste into the RT ticket "for the record".
- To add (or remove) a VLAN enter conf terminal and [Enter]
- At the next wc0e-sw1.net(config)# prompt select the interface you want to configure with either the command interface gi0/42 or interface gi2/0/42 and [Enter]
- At the wc0e-sw1.net(config-if)# prompt add the required vlan with the command switchport access vlan 190 and [Enter],
or, to remove vlan 298 from a port, use the command no switchport access vlan 298 and [Enter]. (On IOS this returns the port to the default access VLAN, VLAN 1, rather than leaving it with no VLAN at all.)
- At the wc0e-sw1.net(config-if)# prompt type exit and [Enter]
- At the next wc0e-sw1.net(config)# prompt type exit and [Enter]
- At the next wc0e-sw1.net# prompt type write and [Enter]; you should see:
 Building configuration...
 [OK]
- Use show conf then [Enter] to check the configuration as detailed above, and take a copy of that port's new configuration to paste into the RT ticket "for the record". If all is OK, exit and [Enter] to leave the switch
- Then exit and [Enter] out of laira (and eventually close down PuTTY)
- Then exit and [Enter] out of slogin service (and close down PuTTY)
- The RT ticket should have the old and the new port configuration details pasted in as a comment "for the record"
- Reply to the user telling them the job has been completed, and then resolve the RT ticket. [NOTE: The switch port status shown in the database is not updated quickly: it is polled from the switch periodically rather than queried live when you look at it.]
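The HOST-to-interface arithmetic in the NOTE above and the show conf / conf terminal steps are easy to get wrong by hand (changing Gi2/0/4 instead of Gi2/0/42, or editing an uplink). The following is an added example, not the Lab's own tooling: it maps a HOST number from the wiring trace to the switch hostname and IOS interface name using the 48+48 scheme described above, pulls that interface's stanza out of a pasted show conf so the "for the record" copy is taken mechanically, refuses to plan a change on a trunk (uplink) port, and emits the IOS command sequence from the procedure. The show conf excerpt is constructed for the example; the voice VLAN number in it is made up.

```python
"""Helpers for the switch-port VLAN procedure: HOST -> interface mapping,
stanza extraction from 'show conf', and the IOS command sequence to type.

Added example, not part of the original page. SAMPLE_SHOW_CONF is constructed.
"""
import re

PORTS_PER_SWITCH = 48


def host_to_interface(closet, host, stacked):
    """Map a HOST number (1-96) to (switch hostname, interface name).

    Non-stacked closet: HOST 1-48 -> wcXX-sw1 Gi0/n, HOST 49-96 -> wcXX-sw2 Gi0/n.
    Stacked closet: one login (wcXX-sw1) and the stack member becomes the first
    component of the interface name: Gi1/0/n for HOST 1-48, Gi2/0/n for 49-96.
    """
    if not 1 <= host <= 2 * PORTS_PER_SWITCH:
        raise ValueError(f"HOST {host} is outside the 1-{2 * PORTS_PER_SWITCH} range")
    member, port = divmod(host - 1, PORTS_PER_SWITCH)
    member, port = member + 1, port + 1
    closet = closet.lower()
    if stacked:
        return f"{closet}-sw1.net.cl.cam.ac.uk", f"GigabitEthernet{member}/0/{port}"
    return f"{closet}-sw{member}.net.cl.cam.ac.uk", f"GigabitEthernet0/{port}"


# Constructed 'show conf' excerpt for a stacked switch (voice VLAN 999 is made up).
SAMPLE_SHOW_CONF = """\
!
interface GigabitEthernet2/0/41
 switchport access vlan 298
 switchport mode access
!
interface GigabitEthernet2/0/42
 switchport access vlan 298
 switchport voice vlan 999
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet2/0/49
 switchport trunk allowed vlan 1-473,478-4094
 switchport mode trunk
!
"""


def interface_stanza(show_conf, iface):
    """Return the 'interface <iface>' block (header plus indented lines), or None.

    The name is matched exactly, so Gi2/0/4 does not match Gi2/0/42.
    """
    pat = re.compile(r"^interface " + re.escape(iface) + r"[ \t]*\n((?:[ \t]+\S.*\n?)*)", re.M)
    m = pat.search(show_conf)
    return m.group(0).rstrip("\n") if m else None


def access_vlan(stanza):
    """Data VLAN configured on an access port; None if absent (IOS default, VLAN 1)."""
    m = re.search(r"^\s*switchport access vlan (\d+)\s*$", stanza or "", re.M)
    return int(m.group(1)) if m else None


def is_trunk(stanza):
    """True for uplinks such as Gi1/0/49, which carry 'switchport mode trunk'."""
    return bool(re.search(r"^\s*switchport mode trunk\s*$", stanza or "", re.M))


def vlan_change_commands(iface, add=None, remove=None):
    """The IOS keystrokes from the procedure, as the lines to type in order.

    remove= uses the page's form 'no switchport access vlan N'; on IOS this
    resets the port to the default access VLAN (VLAN 1), it does not leave the
    port with no VLAN.
    """
    if add is not None:
        change = f"switchport access vlan {add}"
    elif remove is not None:
        change = f"no switchport access vlan {remove}"
    else:
        raise ValueError("give a VLAN to add or one to remove")
    return ["conf terminal", f"interface {iface}", change, "exit", "exit", "write"]


def plan_change(show_conf, iface, add=None, remove=None):
    """Check the port in the current config and return what to type and record."""
    old = interface_stanza(show_conf, iface)
    if old is None:
        raise LookupError(f"{iface} not present in show conf output")
    if is_trunk(old):
        raise RuntimeError(f"{iface} is a trunk uplink, not a HOST port; leave it alone")
    return {
        "interface": iface,
        "old_vlan": access_vlan(old),
        "record_before": old,  # paste into the RT ticket "for the record"
        "commands": vlan_change_commands(iface, add, remove),
    }


if __name__ == "__main__":
    switch, iface = host_to_interface("WC0E", 90, stacked=True)
    plan = plan_change(SAMPLE_SHOW_CONF, iface, add=190)
    print(f"telnet {switch}   # was VLAN {plan['old_vlan']}")
    print("\n".join(plan["commands"]))
```

Run plan_change() a second time on the show conf output taken after the write, and the two record_before strings are the old and new stanzas the procedure asks you to paste into the ticket.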
Sorting out BMC Access
See BMC ACL - when up if present
Firewall
- The Computer Lab actually doesn't have a firewall! There is only a set of access control lists which act as one. With multiple VLANs it has never been clear where a single firewall should be placed to be of use to us, so restrictions are implemented as access control lists between VLANs. Modifications to these are a backoffice task, so change the queue to BackOffice and notify a network administrator (Chris Hadley or Martyn Johnson).
Contacts
Primary
- net-admin queue
Other
Availability
- Monday:
- Tuesday:
- Wednesday:
- Thursday:
- Friday:
- Saturday: Closed
- Sunday: Closed
Hints, Tips & Known Issues
DHCP allocations to Managed machines
Ian Mackey (23/4/2015)
> iwm21: ... as a managed MAC, can we suggest the user hard-codes the IP address?
gt19: ... The managed MAC VLAN hands out static addresses. Those are from the DNS, the fix here is to add an entry for this machine to the cl.data file - an example of a machine configured in this way is saissac (my laptop). Most of our VLANs do not use dynamic DHCP addresses so in most cases you need to add an address to the DNS when a new machine is added to the VLAN.
The DHCP pool is truly dynamic so if a machine gets an IP address allocation error it is best to look at the cl.data file (DHCP information) for the machine's MAC address.
Categorising Keywords
- Network Networking VPN Router