Service Desk Knowledgebase: Networking: Difference between revisions

From Computer Laboratory System Administration
Jump to navigationJump to search
 
(34 intermediate revisions by 6 users not shown)
Line 82: Line 82:
# Find the machine in the [https://dbwebserver.ad.cl.cam.ac.uk/SCG/Equipment/Inventory.aspx inventory] and click on '''Details'''
# Find the machine in the [https://dbwebserver.ad.cl.cam.ac.uk/SCG/Equipment/Inventory.aspx inventory] and click on '''Details'''
# Click on the '''MAC''' address of the machine
# Click on the '''MAC''' address of the machine
# If there is already an entry for the VLAN you may need to update it to make it valid by changing the end data ('''[Select]''' then '''[Edit]'''
# Then click '''[Select]'''
# Then click '''[Select]'''
# Selected the required VLAN from the drop-down list underneath<br />'''To add a new VLAN entry to this interface select the VLAN and click Add'''<br /> and click on '''[Add]'''
# Selected the required VLAN from the drop-down list underneath<br />'''To add a new VLAN entry to this interface select the VLAN and click Add'''<br /> and click on '''[Add]'''
Line 90: Line 91:
The '''Pool''' should be '''dynamic''' and within half an hour or so the DHCP address should be available.
The '''Pool''' should be '''dynamic''' and within half an hour or so the DHCP address should be available.


[NOTE: If it were static, you need to add the name and address to the DNS.<br />
[NOTE: Only windows machines are added to the AD and this is done when they are installed.]


>iwm21: ... as a managed MAC, can we suggest the user hard-codes the IP address?
[NOTE: If it were static, you need to add the name and address to the DNS.]
GT:...The managed MAC VLAN hands out static addresses. Those are from the DNS, the fix here is to add an entry for
 
this machine to the cl.data file - an example of a machine configured in this way is saissac (my laptop).
===Adding an IPv6 AAAA record for a machine===
 
Most of our VLANs do not use dynamic DHCP addresses so in most cases you need to add an address to the DNS when a
AAAA records are automatically added for any machine on an IPv6 enabled VLAN when it has a current DHCP record for the VLAN.
  new machine is added to the VLAN.
 
]
For Linux machines on the managed VLAN (398) this will not normally be set up.
 
To add the MAC to the DHCP setup:
# Find the machine in the [https://dbwebserver.ad.cl.cam.ac.uk/SCG/Equipment/Inventory.aspx inventory] and click on '''Details'''
# Click on the '''MAC''' address of the machine
# Then click '''[Select]'''
# Selected the required VLAN from the drop-down list underneath<br />'''To add a new VLAN entry to this interface select the VLAN and click Add'''<br /> and click on '''[Add]'''
# Click on '''[Edit]'''
# Add a '''ValidTo''' date (the default is the same day!) and then click '''[Update]'''
 
 
The AAAA record will be generated on the next DNS update which can be pushed on an omnipotent machine
  cd /anfs/glob/src/etc/named
make install


===Adding IP addresses & CNAMES to the DNS===
===Adding IP addresses & CNAMES to the DNS===
[NOTE: The Windows domain uses '''truly dynamic DHCP''' so think '''hostname.ad.cl.cam.ac.uk''' rather than IP Address.]
[NOTE: The Windows domain uses '''truly dynamic DHCP''' so think '''''hostname''.ad.cl.cam.ac.uk''' rather than IP Address.]


1. Check that the person is entitled to what is being requested.
1. '''''Check that the person is entitled to what is being requested:'''''


In the case of the DNS it is better to decide if the person is allowed rather than worry about the machine.  (Obvious counter examples would be to change the main router etc.)   
In the case of the DNS it is better to decide if the person is allowed rather than worry about the machine.  (Obvious counter examples would be to change the main router etc.)   
Line 109: Line 123:
You can also do a scan of the cl.data file for their past history (Go to '''laira''', '''cd /anfs/glob/src/etc/named/src''' & '''view cl.data''')  - if they have multiple requests previously then trust them.  If the requestor isn't the User or PersonResponsible of the emachine asking the actual User/PersonResponsible is an acceptable and safe approach. [https://dbwebserver.ad.cl.cam.ac.uk/SCG/Equipment/Inventory.aspx Inventory]
You can also do a scan of the cl.data file for their past history (Go to '''laira''', '''cd /anfs/glob/src/etc/named/src''' & '''view cl.data''')  - if they have multiple requests previously then trust them.  If the requestor isn't the User or PersonResponsible of the emachine asking the actual User/PersonResponsible is an acceptable and safe approach. [https://dbwebserver.ad.cl.cam.ac.uk/SCG/Equipment/Inventory.aspx Inventory]


2. Determine the [http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation IP address range] that should be use for a given requested VLAN using [https://dbwebserver.ad.cl.cam.ac.uk/SCG/Networks/Networks.aspx Network settings].  '''Copy & paste''' the first part of the address into something like Notepad to use in a search later. [NOTE: The number of addresses of a subnet defined by the mask or prefix can be calculated as 2 to the power of (address size - prefix) size, in which the address size is 32 for IPv4 (128 for IPv6). For example, in IPv4, a prefix size of /24 gives: 2<sup>(32-24)</sup> = 2<sup>(8)</sup> = 256 addresses.]
2. If adding an IP address: determine the [http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation IP address range] that should be use for a given requested VLAN using [https://dbwebserver.ad.cl.cam.ac.uk/SCG/Networks/Networks.aspx Network settings].  '''Copy & paste''' the first part of the address into something like Notepad to use in a search later. [NOTE: The number of addresses of a subnet defined by the mask or prefix can be calculated as 2 to the power of (address size - prefix) size, in which the address size is 32 for IPv4 (128 for IPv6). For example, in IPv4, a prefix size of /24 gives: 2<sup>(32-24)</sup> = 2<sup>(8)</sup> = 256 addresses.]


3. Make sure Pageant.EXE is running and has your private key by double clicking on '''CL.ppk''' or similar.
3. Make sure Pageant.EXE is running and has your private key by double clicking on '''CL.ppk''' or similar.
Line 126: Line 140:


10. Check-out the cl.data file with '''co -l cl.data''' and '''[Enter]'''
10. Check-out the cl.data file with '''co -l cl.data''' and '''[Enter]'''
10a. If you receive a message that 'writable cl.data exists' use rlog -L -h src/cl.data to find out who has locked it.  E.g:
  laira:/global/src/etc/named: rlog -L -h src/cl.data


11. Use vi to edit the file with '''vi cl.data''' and '''[Enter]'''
11. Use vi to edit the file with '''vi cl.data''' and '''[Enter]'''


'''Adding an IP Address:'''
'''Adding an IP Address:'''
* Search for the start of the address range with something like  '''/128.232.98.1''' (which you hopefully kept from earlier!) and '''[Enter]'''
* Search for the start of the address range with something like  '''/128.232.98.1''' (which you hopefully kept from earlier!) or the VLAN like '''/vlan 296''' and '''[Enter]'''
* '''Ctrl+F''' to scroll '''F'''orward to the next available address in the range.
* '''Ctrl+F''' to scroll '''F'''orward to the next available address in the range.
* '''Down-arrow''' to start of line above where it should be.
* '''Down-arrow''' to start of line above where it should be.
Line 143: Line 160:


'''Adding a CNAME:'''
'''Adding a CNAME:'''
* Search for the machine name using something like '''/puppy38''' and '''[Enter]'''
 
* '''Down-arrow''' to start of line above where it should be.
* You need to start by searching for the CNAME you are being asked to deal with rather than its target.  If you are being asked to change or delete it, you obviously need to find it.  If you are being asked to add a new one, you first need to make sure that it is NOT already there (though we can normally trust that the DTG will have checked that).
 
* For a '''deletion''', you find the line and remove it.
 
* For a '''change''', you find the line and change it.
 
For an addition, having established that it really isn't there already, you need to find the big block of puppy CNAMEs (e.g. by searching for the comment string "CNAMEs for puppy machines". Then you would add the new line, ideally in the correct alphabetic position but that is not absolutely essential (and somebody can always re-sort them later). The line you add is the same as it always was - the only difference is that the ones for the "puppy" machines are all in one place rather than scattered all over. I have reformatted the entries into neat columns so it should be fairly obvious what to add.
 
* '''Down-arrow''' to the start of the line above where it should be.
* Use '''Shift+A''' to enter '''--INSERT--''' mode  at the end of that line
* Use '''Shift+A''' to enter '''--INSERT--''' mode  at the end of that line
* Make an entry like:
* Make an entry like:
Line 178: Line 203:
14. Go up with '''cd ..''' and '''[Enter]'''
14. Go up with '''cd ..''' and '''[Enter]'''


15. At the '''laira:named$''' prompt use '''make install''' and '''[Enter]'''
15. At the '''rjt58@laira:/anfs/glob/src/etc/named$ ''' prompt use '''make install''' and '''[Enter]'''


16. You will see a lot of output ending in something like:
16. You will see a lot of output ending in something like:
Line 216: Line 241:
   -rw-r--r--. 1 root vrw10 199159 Jan 29 12:56 /anfs/master/dist/all/etc/hosts
   -rw-r--r--. 1 root vrw10 199159 Jan 29 12:56 /anfs/master/dist/all/etc/hosts
   laira:named$
   laira:named$
 
 
and be returned to a '''laira:named$''' prompt.
and then return to a '''laira:named$''' prompt.
 
FINALLY to check it has been correctly added to the DNS:
 
 
  sandy:~: host poodle.dtg.cl.cam.ac.uk
  poodle.dtg.cl.cam.ac.uk has address 128.232.20.136
  sandy:~:
 
This proves that it's actually in the DNS.
 


18. Use '''exit''' and '''[Enter]''' to exit (and eventually close down PuTTY)
18. Use '''exit''' and '''[Enter]''' to exit (and eventually close down PuTTY)


19. In RT '''Reply''' to the user and '''Resolve''' the ticket.
19. In RT '''Reply''' to the user with something like:
 
  Hello ''' The Requester name ''',
  The ''' CNAME : kibana.dtg -> puppy47.dtg''' is now created and should be ready for your use.
  Please contact me if there is anything else required.
  Kind regards
  Rob
 
 
and then '''Resolve''' the ticket.


===Procedure for Patching===
===Procedure for Patching===
If you wish to request a connection please go to our web forms page (https://dbwebserver.ad.cl.cam.ac.uk/SysAdminUser/) and select "Request a network connection" (https://dbwebserver.ad.cl.cam.ac.uk/SysAdminUser/DHCPRequest.aspx) and fill in the details requested.


====Patch request <InventoryNumber> floorbox <FloorBoxNumber> [https://dbwebserver.ad.cl.cam.ac.uk/SCG/Networks/Networks.aspx VLAN] <VLANnumber>====
====Patch request <InventoryNumber> floorbox <FloorBoxNumber> [https://dbwebserver.ad.cl.cam.ac.uk/SCG/Networks/Networks.aspx VLAN] <VLANnumber>====


# Establish all details: InventoryNumber, FloorBox & PortNumber, [https://dbwebserver.ad.cl.cam.ac.uk/SCG/Networks/Networks.aspx VLAN] required. Email come in with a title similar to the above to the '''HW-Admin''' RT queue.  These tickets need to be passed to the Operators by placing on the '''Oper''' RT '''queue''' ('''owner''' as '''Nobody''' and '''Status''' as '''New''')
# Establish all details: InventoryNumber, FloorBox & PortNumber, [https://dbwebserver.ad.cl.cam.ac.uk/SCG/Networks/Networks.aspx VLAN] required. Email come in with a title similar to the above to the '''HW-Admin''' RT queue.   
Do this by replying the requester such as:
 
  We need the '''inventory number''' of the '''machine''' and '''floor box''' details and also which '''VLAN'''
  do you want to connect it to? If the machine does not have a lab inventory please register it at
  https://dbwebserver.ad.cl.cam.ac.uk/sysadminuser/RegisterNewMachine.aspx?return=DHCPRequest2
  and please let me know when you have done this.
 
These tickets need to be passed to the Operators by placing on the '''Oper''' RT '''queue''' ('''owner''' as '''Nobody''' and '''Status''' as '''New''')
# The operators then carry out the physically patching & documenting (see the Operator's [https://wiki.cam.ac.uk/cl-sys-admin/Service_Desk_Knowledgebase:_Operator_Tasks#Procedure_for_Patching Procedure for Patching]).
# The operators then carry out the physically patching & documenting (see the Operator's [https://wiki.cam.ac.uk/cl-sys-admin/Service_Desk_Knowledgebase:_Operator_Tasks#Procedure_for_Patching Procedure for Patching]).
# When the patching has been done and the ticket is returned to the '''sys-admin''' queue configure the switch port VLAN as per [https://wiki.cam.ac.uk/cl-sys-admin/Service_Desk_Knowledgebase:_Networking#Updating_VLANs_in_the_Cisco_switches Updating VLANs in the Cisco switches].
# When the patching has been done and the ticket is returned to the '''sys-admin''' queue configure the switch port VLAN as per [https://wiki.cam.ac.uk/cl-sys-admin/Service_Desk_Knowledgebase:_Networking#Updating_VLANs_in_the_Cisco_switches Updating VLANs in the Cisco switches].
Line 254: Line 308:
# Enter your CL Password for '''CRSid@AD.CL.CAM.AC.UK''' & press '''[Enter]'''
# Enter your CL Password for '''CRSid@AD.CL.CAM.AC.UK''' & press '''[Enter]'''
# '''ssh -K laira''' & press '''[Enter]'''
# '''ssh -K laira''' & press '''[Enter]'''
# Connect to the appropriate switch using telnet - the switches are named as wcname-swN.net.cl.cam.ac.uk (i.e. '''WC0E-SW2-90''' -> '''wc0e-sw2.net HOST 90''' or '''wc0e-sw1.net HOST 90''' on a stacked switch).  etc. e.g.<br /> '''telnet <font color="red">'''wc1ewc0e-sw1.net</font>'''
# Connect to the appropriate switch using telnet - the switches are named as wcname-swN.net.cl.cam.ac.uk (i.e. '''WC0E-SW2-90''' -> '''wc0e-sw2.net HOST 90''' or '''wc0e-sw1.net HOST 90''' on a stacked switch).  etc. e.g.<br /> '''telnet <font color="red">'''wc0e-sw1.net</font>'''




'''NOTE:''' At this point in time our network upgrade is not complete, when it is all wiring closest will have, in effect, a single switch.  Until then ports from HOST 1-48 will be on switch 1, HOST 48-96 on switch 2.  
'''NOTE:''' At this point in time our network upgrade is not complete, when it is all wiring closest will have, in effect, a single switch.  Until then ports from HOST 1-48 will be on switch 1, HOST 49-96 on switch 2.  
   HOST '''1 to 48''' are wcXX-'''sw1''' ports '''Gi0/1''' to '''Gi0/48'''   
   HOST '''1 to 48''' are wcXX-'''sw1''' ports '''Gi0/1''' to '''Gi0/48'''   
   HOST '''49 to 96''' are wcXX-'''sw2''' ports '''Gi0/1''' to '''Gi0/48'''
   HOST '''49 to 96''' are wcXX-'''sw2''' ports '''Gi0/1''' to '''Gi0/48'''
Line 284: Line 338:
   channel-group 1 mode active
   channel-group 1 mode active
   !
   !
''[NOTE: If you get a rare '''nvram error''' doing below escalate the RT ticket to the '''backoffice''' queue]''


# At the password prompt enter the access password.
# At the password prompt enter the access password.
# At the prompt '''wc0e-sw1.net>''' type '''enable''' then '''[Enter]''', and give the enable password.
# At the prompt '''wc0e-sw1.net>''' type '''enable''' then '''[Enter]''', and give the enable password.
# Look at the existing configuration for the '''show conf''' then '''[Enter]''', and page through by hitting the '''[Space-bar]''' until you see the configuration entry for the port you want to change - for HOST port 90 look for a line like '''interface GigabitEthernet0/42''' on switch 2 or '''interface GigabitEthernet2/0/42''' on a stacked switch 1 and verify what data VLAN is enabled on it.
# Look at the existing configuration for the '''show conf''' then '''[Enter]''', and page through by hitting the '''[Space-bar]''' until you see the configuration entry for the port you want to change - for HOST port 90 look for a line like '''interface GigabitEthernet0/42''' on switch 2 or '''interface GigabitEthernet2/0/42''' on a stacked switch 1 and verify what data VLAN is enabled on it.  Take a copy of that port's current configuration to paste into the RT ticket "for the record".
# To add (or remove) a VLAN enter '''conf terminal''' and '''[Enter]'''
# To add (or remove) a VLAN enter '''conf terminal''' and '''[Enter]'''
# At the next '''wc0e-sw1.net(config)#''' prompt select the interface you want to configure with '''interface gi0/42''' or '''interface gi2/0/42''' and '''[Enter]'''
# At the next '''wc0e-sw1.net(config)#''' prompt select the interface you want to configure with either the command  '''interface gi0/42''' or '''interface gi2/0/42''' and '''[Enter]'''
# At the '''wc0e-sw1.net(config-if)#''' prompt add the required vlan with the command '''switchport access vlan 190''' and '''[Enter]''', <br />''or''<br /> to remove vlan 298 from a port use the command '''no switchport access vlan 298''' and '''[Enter]'''
# At the '''wc0e-sw1.net(config-if)#''' prompt add the required vlan with the command '''switchport access vlan 190''' and '''[Enter]''', <br />''or''<br /> to remove vlan 298 from a port use the command '''no switchport access vlan 298''' and '''[Enter]'''
# At the '''wc0e-sw1.net(config-if)#''' prompt type '''exit''' and '''[Enter]'''
# At the '''wc0e-sw1.net(config-if)#''' prompt type '''exit''' and '''[Enter]'''
Line 296: Line 352:
   Building configuration...
   Building configuration...
   [OK]
   [OK]
# Use '''show conf''' then '''[Enter]''' to check the configuration as detailed above, if all OK then '''exit''' and '''[Enter]''' the switch
# Use '''show conf''' then '''[Enter]''' to check the configuration as detailed above, take a copy of that port's new configuration to paste into the RT ticket "for the record", if all OK then '''exit''' and '''[Enter]''' the switch
# Then  '''exit''' and '''[Enter]''' (and eventually close down PuTTY)
# Then  '''exit''' and '''[Enter]''' out of '''laira''' (and eventually close down PuTTY)
# Tell the user when the job has been completed.
# Then  '''exit''' and '''[Enter]''' out of slogin service (and close down PuTTY)
# The RT ticket should have the old and the new port configuration details pasted in as a '''comment''' "for the record"
# '''Reply''' to the user telling them  the job has been completed [NOTE: The switchport status is not updated quickly, it is pulled from the switch rather than queried when asked for.] and then '''resolve''' the RT ticket.


===Sorting out BMC Access===
===Sorting out BMC Access===
Line 305: Line 363:
===Firewall===
===Firewall===


* The Computer Lab actually doesn't have a firewall!  There is only a set of access control lists which act as a firewall.  With multiple VLANs it has never been clear where a firewall should be placed to be of use to us, so restriction are created using [http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/CiscoBlocks access control lists between VLANs].
* The Computer Lab actually doesn't have a firewall!  There is only a set of access control lists which act as a firewall.  With multiple VLANs it has never been clear where a firewall should be placed to be of use to us, so restriction are created using [http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/CiscoBlocks access control lists between VLANs]. Modifications to this are a backoffice task so change the queue to '''BackOffice''' and notify a network administrator (Chris Hadley or Martyn Johnson).
 
[http://www.lookup.cam.ac.uk/person/crsid/maj1 Martyn Johnson] (12/02/15) [https://rt.cl.cam.ac.uk/Ticket/Display.html?id=94558 RT#94558] :
 
"I think this probably does have to remain a "back office" job. There are quite a few cases in which it would be possible to document a recipe, but more often than not there are "big picture" considerations which may mean that doing exactly what was asked for is not the ideal way to proceed, even if it doesn't directly conflict with policy.  There are also a fair number of things that can go wrong during the implementation of a rule change which are not directly related to the task in hand. This alone seems sufficient reason for it not to be done without a certain depth of background knowledge of our networking. I think is it fairly clear that requestor in this case knows what he wants, and realises that it raises wider issues too. So I think it probably is a case for immediate escalation. There have been other cases in which people have just assumed there's a firewall issue without actually presenting sufficient to determine whether it really is. For example, some problems actually turn out to be an issue within the machine itself (typically Linux iptables). We might reasonably aspire to having the front desk do this kind of initial diagnosis, even though it is often non-trivial to work out what is going on."


== Contacts ==
== Contacts ==
Line 330: Line 384:


==Hints, Tips & Known Issues==
==Hints, Tips & Known Issues==
===Title===  
===DHCP allocations to Managed machines===  
[http://www.lookup.cam.ac.uk/person/CRSid Firstname Lastname] (Date)
[http://www.lookup.cam.ac.uk/person/iwm21 Ian Mackey] (23/4/2015)
 
>iwm21: ... as a managed MAC, can we suggest the user hard-codes the IP address?
gt19:...The managed MAC VLAN hands out static addresses. Those are from the DNS, the fix here is to add an entry for
this machine to the cl.data file - an example of a machine configured in this way is saissac (my laptop).
Most of our VLANs do not use dynamic DHCP addresses so in most cases you need to add an address to the DNS when a
new machine is added to the VLAN.
 
The DHCP pool is truly dynamic so if a machine gets an IP address allocation error it is best to look at the ''cl.data'' file (DHCP information) for the machine's MAC address.


Info...
----


==Categorising Keywords==
==Categorising Keywords==
* Network Networking VPN Router
* Network Networking VPN Router

Latest revision as of 08:11, 6 January 2016


This is the Networking content page of the CL Wiki Service Desk Knowledgebase. Its purpose is to provide information to the Service Desk team on how to handle problems and requests about this CL service. If you are involved with the provision of this CL service please feel free to add to the knowledge about that it.

If CL staff need to tell the Service Desk team about problems with this service please email
sys-admin-aside@cl.cam.ac.uk.

Return to the Service Desk Knowledgebase SERVICE PORTFOLIO

Key Service Description & URLs

CL Customer Documentation

William Gates Building Floor Plans (inc. Room Codes):

Further CL Sys-Admin Resources

Underpinning Services

  • ??? - Any supporting or underpinning services

Customer-base for this Service

  • All staff and students of the Computer Laboratory

Costs

  • Free to all current staff and PhD students of the Computer Laboratory.

SLA

  • N/A

Service Desk Call Handling Procedure

  • RT tickets can be escalated to the net-admin team by changing the Queue to net-admin with the Owner set to Nobody & Status set to new. Tell the requestor:
    I am passing this request over to our Network Admin team who, I'm sure, will be in contact shortly.

Finding VLAN Info

The Networks Database lists VLANs and their address ranges. Clicking [Details] will reveal the netmask and the Router/Gateway's IP address which by convention is the first IP address in the range i.e. range_min.

Common examples are:

Dealing with a VPN request

See http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/HelpDesk/Networking/VPN_request

Request to add machine to department network

If it is a private laptop then get them to:
Please register the laptop on the DHCP request page https://dbwebserver.ad.cl.cam.ac.uk/SysAdminUser/DHCPRequest.aspx and request a connection on the appropriate VLAN.

Dealing with DHCP Registration

Piete Brooks (30/03/15)

DRAFT!

To find out which VLANs use DHCP consult ??? My model is that:

  • 'Lab Linux' (including servers) do not, BUT we abuse the mechanism for an IPv6 HACK.
  • Anything using Dynamic DHCP has to use DHCP!
  • Most 'non Lab Managed' VLANs use DHCP even if addresses are actually static.

Basically I think it's safest to do all VLANs.

The MAC address for the machine in question needs to be in the inventory

A ValidTo date will be required which can be determined by:

  • If someone has asked for a machine for a particular period, use that.
  • If it's a new Lab machine, its life expectancy - say 5 years.
  • If it's a private machine, guess how long they'll be here - typically 4 years for a PhD student.
  • If it's for an Internal or Under-Graduate, until the end of their use, so a month or so or end of the academic year respectively.


To add the MAC to the DHCP setup:

  1. Find the machine in the inventory and click on Details
  2. Click on the MAC address of the machine
  3. If there is already an entry for the VLAN you may need to update it to make it valid by changing the end data ([Select] then [Edit]
  4. Then click [Select]
  5. Selected the required VLAN from the drop-down list underneath
    To add a new VLAN entry to this interface select the VLAN and click Add
    and click on [Add]
  6. Click on [Edit]
  7. Add a ValidTo date (the default is the same day!) and then click [Update]


The Pool should be dynamic and within half an hour or so the DHCP address should be available.

[NOTE: Only windows machines are added to the AD and this is done when they are installed.]

[NOTE: If it were static, you need to add the name and address to the DNS.]

Adding an IPv6 AAAA record for a machine

AAAA records are automatically added for any machine on an IPv6 enabled VLAN when it has a current DHCP record for the VLAN.

For Linux machines on the managed VLAN (398) this will not normally be set up.

To add the MAC to the DHCP setup:

  1. Find the machine in the inventory and click on Details
  2. Click on the MAC address of the machine
  3. Then click [Select]
  4. Selected the required VLAN from the drop-down list underneath
    To add a new VLAN entry to this interface select the VLAN and click Add
    and click on [Add]
  5. Click on [Edit]
  6. Add a ValidTo date (the default is the same day!) and then click [Update]


The AAAA record will be generated on the next DNS update which can be pushed on an omnipotent machine

cd /anfs/glob/src/etc/named
make install

Adding IP addresses & CNAMES to the DNS

[NOTE: The Windows domain uses truly dynamic DHCP so think hostname.ad.cl.cam.ac.uk rather than IP Address.]

1. Check that the person is entitled to what is being requested:

In the case of the DNS it is better to decide if the person is allowed rather than worry about the machine. (Obvious counter examples would be to change the main router etc.) In general UTOs are pretty much always trusted, with others request confirmation via their supervisors. Lookup CL Staff & Students You can also do a scan of the cl.data file for their past history (Go to laira, cd /anfs/glob/src/etc/named/src & view cl.data) - if they have multiple requests previously then trust them. If the requestor isn't the User or PersonResponsible of the emachine asking the actual User/PersonResponsible is an acceptable and safe approach. Inventory

2. If adding an IP address: determine the IP address range that should be use for a given requested VLAN using Network settings. Copy & paste the first part of the address into something like Notepad to use in a search later. [NOTE: The number of addresses of a subnet defined by the mask or prefix can be calculated as 2 to the power of (address size - prefix) size, in which the address size is 32 for IPv4 (128 for IPv6). For example, in IPv4, a prefix size of /24 gives: 2(32-24) = 2(8) = 256 addresses.]

3. Make sure Pageant.EXE is running and has your private key by double clicking on CL.ppk or similar.

4. Use PuTTY and go to the CL's slogin-serv.cl.cam.ac.uk

5. Make the PuTTY window longer.

6. Type kinit & press [Enter]

7. Enter your CL Password for CRSid@AD.CL.CAM.AC.UK & press [Enter]

8. Type ssh -K laira & press [Enter] to go to the privileged machine laira

9. At the laira:~$ prompt use cd /anfs/glob/src/etc/named/src and [Enter]

10. Check-out the cl.data file with co -l cl.data and [Enter]

10a. If you receive a message that 'writable cl.data exists' use rlog -L -h src/cl.data to find out who has locked it. E.g:

 laira:/global/src/etc/named: rlog -L -h src/cl.data 

11. Use vi to edit the file with vi cl.data and [Enter]

Adding an IP Address:

  • Search for the start of the address range with something like /128.232.98.1 (which you hopefully kept from earlier!) or the VLAN like /vlan 296 and [Enter]
  • Ctrl+F to scroll Forward to the next available address in the range.
  • Down-arrow to start of line above where it should be.
  • Use Shift+A to enter --INSERT-- mode at the end of that line
  • Make an entry like:
 saluki1.dtg     IN      A       128.232.98.206
                 IN      TXT     "RT#94231"

(NOTE: the gaps are made using <Tab> not spaces) (NOTE: If an IP Address has more than one A hostname referring to it the others should have !F at the start of the hostname so there is only one hostname to reverse map back to.)

  • [Esc] out of INSERT mode
  • :wq and [Enter] to write the file and quit vi

Adding a CNAME:

  • You need to start by searching for the CNAME you are being asked to deal with rather than its target. If you are being asked to change or delete it, you obviously need to find it. If you are being asked to add a new one, you first need to make sure that it is NOT already there (though we can normally trust that the DTG will have checked that).
  • For a deletion, you find the line and remove it.
  • For a change, you find the line and change it.

For an addition, having established that it really isn't there already, you need to find the big block of puppy CNAMEs (e.g. by searching for the comment string "CNAMEs for puppy machines". Then you would add the new line, ideally in the correct alphabetic position but that is not absolutely essential (and somebody can always re-sort them later). The line you add is the same as it always was - the only difference is that the ones for the "puppy" machines are all in one place rather than scattered all over. I have reformatted the entries into neat columns so it should be fairly obvious what to add.

  • Down-arrow to the start of the line above where it should be.
  • Use Shift+A to enter --INSERT-- mode at the end of that line
  • Make an entry like:
 puppy38.dtg     IN      A       128.232.20.67
                 IN      TXT     "VM in husky cluster"   ; oc243 rt#88303
 acr31-containers.dtg IN CNAME   puppy38.dtg     ; oc243 rt#91603
 rscfl-freebsd.dtg IN    CNAME   puppy38.dtg     ; oc243 rt#94176

(NOTE: the gaps are made using <Tab> not spaces)

  • [Esc] out of INSERT mode
  • :wq and [Enter] to write the file and quit vi

GENERAL NOTES on vi

  • /string and [Enter] (search for the string)
  • : for command prompt
  • :1 to go to line 1
  • :wq and [Enter] is write & quit
  • :q! and [Enter] is quit without writing (if you mess up!)
  • :help and [Enter] for help
  • Arrow-keys scroll around text
  • Ctrl+F to page-Forward through text
  • Ctrl+B to page-Back through text
  • Shift+A to go into -- INSERT -- mode at end of line
  • i to go into -- INSERT -- mode at the cursor
  • Shift+R to enter -- REPLACE -- or "Overtype" mode
  • [Esc] escape out of -- INSERT -- & -- REPLACE -- mode
  • u undo last change
  • dd deletion (if pressed twice the object is the current line)

12. rcsdiff cl.data and [Enter] to check what changes have actually been made

13. Use ci -u cl.data and [Enter] to check-in and add a comment of the RT ticket number e.g. RT#94171 then [Enter] and exit with .[Enter]

14. Go up with cd .. and [Enter]

15. At the rjt58@laira:/anfs/glob/src/etc/named$ prompt use make install and [Enter]

16. You will see a lot of output ending in something like:

 < 128.232.20.59 puppy31.dtg.cl.cam.ac.uk puppy31.dtg dtw30-crunch0.dtg.cl.cam.ac.uk
 ---
 > 128.232.20.59 puppy31.dtg.cl.cam.ac.uk puppy31.dtg dtw30-crunch0.dtg.cl.cam.ac.uk 
 touch intermediate/hosts-st
 # ===== built derived files from sources =====
 
 
 # ====== install   on dns0 ======
 # install on meldreth.cl.cam.ac.uk/var/named/chroot/var/named/data/
 [sudo] password for CRSid:

at [sudo] password for CRSid: give your CL password & press [Enter]


17. You will eventually see something like:

 Answer:
 ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  45631
 ;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
 ;; TSIG PSEUDOSECTION:
 
 
 
 local-ddns.             0       ANY     TSIG    hmac-sha256. 1422536243 300 32
 
 # sync tex.ac.uk
 # sync pgp.net
 # sync 2001.0630.0212.02
 # ====== ran /usr/sbin/dns-update ('nsdiff | nsupdate') on dns0 ======
 
 sudo cp -p intermediate/hosts /anfs/master/dist/all/etc/hosts-t
 sudo chown root /anfs/master/dist/all/etc/hosts-t
 sudo mv -f /anfs/master/dist/all/etc/hosts-t /anfs/master/dist/all/etc/hosts
 ls -ld /anfs/master/dist/all/etc/hosts
 -rw-r--r--. 1 root vrw10 199159 Jan 29 12:56 /anfs/master/dist/all/etc/hosts
 laira:named$

and then return to a laira:named$ prompt.

FINALLY to check it has been correctly added to the DNS:


  sandy:~: host poodle.dtg.cl.cam.ac.uk
  poodle.dtg.cl.cam.ac.uk has address 128.232.20.136
  sandy:~: 

This proves that it's actually in the DNS.


18. Use exit and [Enter] to exit (and eventually close down PuTTY)

19. In RT Reply to the user with something like:

 Hello  The Requester name ,
 The  CNAME : kibana.dtg -> puppy47.dtg is now created and should be ready for your use.
 Please contact me if there is anything else required.
 Kind regards
 Rob


and then Resolve the ticket.

Procedure for Patching

If you wish to request a connection please go to our web forms page (https://dbwebserver.ad.cl.cam.ac.uk/SysAdminUser/) and select "Request a network connection" (https://dbwebserver.ad.cl.cam.ac.uk/SysAdminUser/DHCPRequest.aspx) and fill in the details requested.

Patch request <InventoryNumber> floorbox <FloorBoxNumber> VLAN <VLANnumber>

  1. Establish all details: InventoryNumber, FloorBox & PortNumber, VLAN required. Email come in with a title similar to the above to the HW-Admin RT queue.

Do this by replying the requester such as:

 We need the inventory number of the machine and floor box details and also which VLAN 
 do you want to connect it to? If the machine does not have a lab inventory please register it at
 https://dbwebserver.ad.cl.cam.ac.uk/sysadminuser/RegisterNewMachine.aspx?return=DHCPRequest2
 and please let me know when you have done this.

These tickets need to be passed to the Operators by placing on the Oper RT queue (owner as Nobody and Status as New)

  1. The operators then carry out the physically patching & documenting (see the Operator's Procedure for Patching).
  2. When the patching has been done and the ticket is returned to the sys-admin queue configure the switch port VLAN as per Updating VLANs in the Cisco switches.

Updating VLANs in the Cisco switches

Unused switch ports are set with the standard settings to enable a IP Phone to be plugged in without any configuration change. However, no other VLANs are enabled by default on the port.

Any other equipment that is attached will require a VLAN to be enabled on that port in addition to merely patching the port through to the floor box. (See Inventory,wiring, VLAN & Lookup.)

Login the connection in the database:-

  1. Having established the InventoryNumber, FloorBox & PortNumber, VLAN details above and with the RT Ticket number to hand go to wiring.
  2. Click Floor Box Details
  3. Put in the Box name (e.g. WC0E-042) and search (*) Box by pressing [Enter]
  4. Hopefully the port in question will be free - if so click [Add Connection]
  5. Put in the free Port: the Inventory Number of the machine which will be connected to it and a Note: of the RT#12345 number then click [Create]
  6. The [Trace] button for that port will now show the switch & "HOST" which it is connected to e.g.
    1393 CBL WC0E-HOST-075 <==>WC0E-SW2-075
    is HOST 75 (read as Port 75-48=27) on Switch WC0E-SW2 (which may actually be a stacked switch on switch WC0E-SW1 but you won't find that out until you try telneting to it and it fails - see below)



To enable/disable a VLAN on a switch port:-

  1. Make sure Pageant.EXE is running and has your private key by double clicking on CL.ppk or similar.
  2. Use PuTTY and go to the CL's slogin-serv.cl.cam.ac.uk
  3. Make the PuTTY window longer.
  4. Type kinit & press [Enter]
  5. Enter your CL Password for CRSid@AD.CL.CAM.AC.UK & press [Enter]
  6. ssh -K laira & press [Enter]
  7. Connect to the appropriate switch using telnet - the switches are named as wcname-swN.net.cl.cam.ac.uk (i.e. WC0E-SW2-90 -> wc0e-sw2.net HOST 90 or wc0e-sw1.net HOST 90 on a stacked switch). etc. e.g.
    telnet wc0e-sw1.net


NOTE: At this point in time our network upgrade is not complete, when it is all wiring closest will have, in effect, a single switch. Until then ports from HOST 1-48 will be on switch 1, HOST 49-96 on switch 2.

 HOST 1 to 48 are wcXX-sw1 ports Gi0/1 to Gi0/48  
 HOST 49 to 96 are wcXX-sw2 ports Gi0/1 to Gi0/48

Wiring closets have been upgraded to the newer switches which operate as a stack (example is wc0c). You can recognize these because there appears to be only one switch to log into and port names have three components. On these:

 HOST 1 to 48 are wcXX-sw1 ports GigabitEthernet1/0/1 to GigabitEthernet1/0/48  
 HOST 49 to 96 are wcXX-sw1 ports GigabitEthernet2/0/1 to GigabitEthernet2/0/48

Note that the following are links not ports so they don't get counted in the 48+48 numbering scheme:

 !
 interface GigabitEthernet1/0/49
  switchport trunk allowed vlan 1-473,478-4094
  switchport mode trunk
  srr-queue bandwidth share 1 30 35 5
  priority-queue out
  mls qos trust dscp
 !
 interface GigabitEthernet1/0/50
 !
 interface TenGigabitEthernet1/0/1
  switchport trunk allowed vlan 1-473,478-4094
  switchport mode trunk
  srr-queue bandwidth share 1 30 35 5
  priority-queue out
  mls qos trust dscp
  channel-group 1 mode active
 !

[NOTE: If you get a rare nvram error doing below escalate the RT ticket to the backoffice queue]

  1. At the password prompt enter the access password.
  2. At the prompt wc0e-sw1.net> type enable then [Enter], and give the enable password.
  3. Look at the existing configuration for the show conf then [Enter], and page through by hitting the [Space-bar] until you see the configuration entry for the port you want to change - for HOST port 90 look for a line like interface GigabitEthernet0/42 on switch 2 or interface GigabitEthernet2/0/42 on a stacked switch 1 and verify what data VLAN is enabled on it. Take a copy of that port's current configuration to paste into the RT ticket "for the record".
  4. To add (or remove) a VLAN enter conf terminal and [Enter]
  5. At the next wc0e-sw1.net(config)# prompt select the interface you want to configure with either the command interface gi0/42 or interface gi2/0/42 and [Enter]
  6. At the wc0e-sw1.net(config-if)# prompt add the required vlan with the command switchport access vlan 190 and [Enter],
    or
    to remove vlan 298 from a port use the command no switchport access vlan 298 and [Enter]
  7. At the wc0e-sw1.net(config-if)# prompt type exit and [Enter]
  8. At the next wc0e-sw1.net(config)# prompt type exit and [Enter]
  9. At the next wc0e-sw1.net# prompt type write and [Enter] you should see:
 Building configuration...
 [OK]
  1. Use show conf then [Enter] to check the configuration as detailed above, take a copy of that port's new configuration to paste into the RT ticket "for the record", if all OK then exit and [Enter] the switch
  2. Then exit and [Enter] out of laira (and eventually close down PuTTY)
  3. Then exit and [Enter] out of slogin service (and close down PuTTY)
  4. The RT ticket should have the old and the new port configuration details pasted in as a comment "for the record"
  5. Reply to the user telling them the job has been completed [NOTE: The switchport status is not updated quickly, it is pulled from the switch rather than queried when asked for.] and then resolve the RT ticket.

Sorting out BMC Access

See BMC ACL - when up if present

Firewall

  • The Computer Lab actually doesn't have a firewall! There is only a set of access control lists which act as a firewall. With multiple VLANs it has never been clear where a firewall should be placed to be of use to us, so restriction are created using access control lists between VLANs. Modifications to this are a backoffice task so change the queue to BackOffice and notify a network administrator (Chris Hadley or Martyn Johnson).

Contacts

Primary

  • net-admin queue

Other

Availability

  • Monday:
  • Tuesday:
  • Wednesday:
  • Thursday:
  • Friday:
  • Saturday: Closed
  • Sunday: Closed

Hints, Tips & Known Issues

DHCP allocations to Managed machines

Ian Mackey (23/4/2015)

>iwm21: ... as a managed MAC, can we suggest the user hard-codes the IP address?
gt19:...The managed MAC VLAN hands out static addresses. Those are from the DNS, the fix here is to add an entry for 
this machine to the cl.data file - an example of a machine configured in this way is saissac (my laptop).

Most of our VLANs do not use dynamic DHCP addresses so in most cases you need to add an address to the DNS when a 
new machine is added to the VLAN.

The DHCP pool is truly dynamic so if a machine gets an IP address allocation error it is best to look at the cl.data file (DHCP information) for the machine's MAC address.


Categorising Keywords

  • Network Networking VPN Router