Service Desk Knowledgebase: Networking: Difference between revisions

From Computer Laboratory System Administration

Revision as of 15:02, 30 March 2015


This is the Networking content page of the CL Wiki Service Desk Knowledgebase. Its purpose is to provide information to the Service Desk team on how to handle problems and requests about this CL service. If you are involved with the provision of this CL service please feel free to add to the knowledge about it.

If CL staff need to tell the Service Desk team about problems with this service please email sys-admin-aside@cl.cam.ac.uk.


Key Service Description & URLs

CL Customer Documentation

William Gates Building Floor Plans (inc. Room Codes):

Further CL Sys-Admin Resources

Underpinning Services

  • ??? - Any supporting or underpinning services

Customer-base for this Service

  • All staff and students of the Computer Laboratory

Costs

  • Free to all current staff and PhD students of the Computer Laboratory.

SLA

  • N/A

Service Desk Call Handling Procedure

  • RT tickets can be escalated to the net-admin team by changing the Queue to net-admin, with the Owner set to Nobody and the Status set to new. Tell the requestor:
    I am passing this request over to our Network Admin team who, I'm sure, will be in contact shortly.

Finding VLAN Info

The Networks Database lists VLANs and their address ranges. Clicking [Details] will reveal the netmask and the Router/Gateway's IP address which by convention is the first IP address in the range i.e. range_min.

Common examples are:

Dealing with a VPN request

See http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/HelpDesk/Networking/VPN_request

Request to add machine to department network

If it is a private laptop then get them to:
Please register the laptop on the DHCP request page https://dbwebserver.ad.cl.cam.ac.uk/SysAdminUser/DHCPRequest.aspx and request a connection on the appropriate VLAN.

Dealing with DHCP Registration

Piete Brooks (30/03/15)

DRAFT!

To find out which VLANs use DHCP consult ??? My model is that:

  • 'Lab Linux' (including servers) do not, BUT we abuse the mechanism for an IPv6 HACK.
  • Anything using Dynamic DHCP has to use DHCP!
  • Most 'non Lab Managed' VLANs use DHCP even if addresses are actually static.

Basically I think it's safest to do all VLANs.

The MAC address for the machine in question needs to be in the inventory.

A ValidTo date will be required which can be determined by:

  • If someone has asked for a machine for a particular period, use that.
  • If it's a new Lab machine, its life expectancy - say 5 years.
  • If it's a private machine, guess how long they'll be here - typically 4 years for a PhD student.
  • If it's for an Internal or Under-Graduate, until the end of their use: a month or so, or the end of the academic year, respectively.


To add the MAC to the DHCP setup:

  1. Find the machine in the inventory and click on Details
  2. Click on the MAC address of the machine
  3. Then click [Select]
  4. Select the required VLAN from the drop-down list underneath (the one labelled "To add a new VLAN entry to this interface select the VLAN and click Add") and click on [Add]
  5. Click on [Edit]
  6. Add a ValidTo date (the default is the same day!) and then click [Update]


The Pool should be dynamic and within half an hour or so the DHCP address should be available.

[NOTE: If it were static, you need to add the name and address to the DNS.]

Adding IP addresses & CNAMES to the DNS

[NOTE: The Windows domain uses truly dynamic DHCP so think hostname.ad.cl.cam.ac.uk rather than IP Address.]

1. Check that the person is entitled to what is being requested.

In the case of the DNS it is better to decide whether the person is allowed rather than worry about the machine. (Obvious counter-examples would be a request to change the main router, etc.) In general UTOs are pretty much always trusted; for others, request confirmation via their supervisor. Use Lookup CL Staff & Students to identify the requestor. You can also scan the cl.data file for their past history (go to laira, cd /anfs/glob/src/etc/named/src and view cl.data): if they have made multiple requests previously, trust them. If the requestor isn't the User or PersonResponsible of the machine in the Inventory, asking the actual User/PersonResponsible is an acceptable and safe approach.

2. Determine the IP address range that should be used for the requested VLAN using Network settings. Copy & paste the first part of the address into something like Notepad to use in a search later. [NOTE: The number of addresses in a subnet defined by the mask or prefix is 2 to the power of (address size - prefix length), where the address size is 32 for IPv4 (128 for IPv6). For example, in IPv4, a prefix length of /24 gives 2^(32-24) = 2^8 = 256 addresses.]

3. Make sure Pageant.EXE is running and has your private key by double clicking on CL.ppk or similar.

4. Use PuTTY and go to the CL's slogin-serv.cl.cam.ac.uk

5. Make the PuTTY window longer.

6. Type kinit & press [Enter]

7. Enter your CL Password for CRSid@AD.CL.CAM.AC.UK & press [Enter]

8. Type ssh -K laira & press [Enter] to go to the privileged machine laira

9. At the laira:~$ prompt use cd /anfs/glob/src/etc/named/src and [Enter]

10. Check-out the cl.data file with co -l cl.data and [Enter]

11. Use vi to edit the file with vi cl.data and [Enter]

Adding an IP Address:

  • Search for the start of the address range with something like /128.232.98.1 (which you hopefully kept from earlier!) and [Enter]
  • Ctrl+F to scroll Forward to the next available address in the range.
  • Down-arrow to start of line above where it should be.
  • Use Shift+A to enter --INSERT-- mode at the end of that line
  • Make an entry like:
 saluki1.dtg     IN      A       128.232.98.206
                 IN      TXT     "RT#94231"

(NOTE: the gaps are made using <Tab> not spaces.)
(NOTE: If an IP address has more than one A hostname referring to it, the others should have !F at the start of the hostname so that only one hostname reverse-maps back to it.)

  • [Esc] out of INSERT mode
  • :wq and [Enter] to write the file and quit vi

Adding a CNAME:

  • Search for the machine name using something like /puppy38 and [Enter]
  • Down-arrow to start of line above where it should be.
  • Use Shift+A to enter --INSERT-- mode at the end of that line
  • Make an entry like:
 puppy38.dtg     IN      A       128.232.20.67
                 IN      TXT     "VM in husky cluster"   ; oc243 rt#88303
 acr31-containers.dtg IN CNAME   puppy38.dtg     ; oc243 rt#91603
 rscfl-freebsd.dtg IN    CNAME   puppy38.dtg     ; oc243 rt#94176

(NOTE: the gaps are made using <Tab> not spaces)

  • [Esc] out of INSERT mode
  • :wq and [Enter] to write the file and quit vi
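The checks below are an added example (not the Lab's own tooling) of what to verify before writing an entry into cl.data: the subnet-size formula from step 2, the "next free address in the range" search, the rule that only one non-!F hostname may point at an address, and a check that a CNAME target actually has an A record. The zone fragment is constructed for the example; the names, addresses and ticket numbers are made up, and treating a leading !F as "forward-only, no reverse mapping" is my reading of the page's convention.

```python
"""Sanity checks for a hand edit to cl.data (added example, not the Lab's tooling)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the cl.data style shown above (not the real file).
# Fields are tab-separated, as the page requires; a leading '!F' is taken to
# mean "forward-only"; lines starting with whitespace inherit the previous owner.
SAMPLE_ZONE = """\
; constructed sample, not the real file
router.dtg\tIN\tA\t128.232.98.1\t; gateway, first address in the range
hound1.dtg\tIN\tA\t128.232.98.2
\t\tIN\tTXT\t"RT#90001"
hound2.dtg\tIN\tA\t128.232.98.3
hound2-old.dtg\tIN\tA\t128.232.98.3\t; missing !F: two reverse candidates
saluki1.dtg\tIN\tA\t128.232.98.206
\t\tIN\tTXT\t"RT#94231"
!Fsaluki1-alias.dtg\tIN\tA\t128.232.98.206\t; forward-only, fine
acr31-containers.dtg\tIN\tCNAME\tsaluki1.dtg\t; target exists
rscfl-freebsd.dtg\tIN\tCNAME\tpuppy99.dtg\t; target has no A record
"""

A_RECORD = re.compile(r"^(?P<owner>\S*)\s+IN\s+A\s+(?P<addr>\d+(?:\.\d+){3})$")
CNAME_RECORD = re.compile(r"^(?P<owner>\S+)\s+IN\s+CNAME\s+(?P<target>\S+)$")


def subnet_size(prefix_len, ipv6=False):
    """Addresses in a block: 2 ** (address size - prefix length); /24 -> 256."""
    bits = 128 if ipv6 else 32
    if not 0 <= prefix_len <= bits:
        raise ValueError(f"prefix length must be 0..{bits}")
    return 2 ** (bits - prefix_len)


def _strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out).rstrip()


def parse_a_records(zone_text):
    """Return [(owner, IPv4Address, forward_only)] for every A record."""
    records, owner = [], None
    for raw in zone_text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        if not line[0].isspace():          # a new owner name starts the line
            owner = line.split()[0]
        m = A_RECORD.match(line)
        if m and owner:
            forward_only = owner.startswith("!F")
            name = owner[2:] if forward_only else owner
            records.append((name, ipaddress.ip_address(m["addr"]), forward_only))
    return records


def next_free_address(zone_text, network, reserved=()):
    """First address in `network` with no A record, skipping the network and
    broadcast addresses and anything in `reserved` (e.g. the gateway at range_min)."""
    net = ipaddress.ip_network(network)
    used = {addr for _, addr, _ in parse_a_records(zone_text)}
    used |= {ipaddress.ip_address(r) for r in reserved}
    for host in net.hosts():
        if host not in used:
            return str(host)
    return None


def reverse_mapping_conflicts(zone_text):
    """Addresses with more than one owner lacking the !F marker, i.e. two
    candidate names for the one reverse (PTR) mapping."""
    owners = defaultdict(list)
    for name, addr, forward_only in parse_a_records(zone_text):
        if not forward_only:
            owners[str(addr)].append(name)
    return {a: n for a, n in owners.items() if len(n) > 1}


def dangling_cnames(zone_text):
    """CNAMEs whose in-zone target has no A record here (a target ending in
    '.' is fully qualified and outside this check)."""
    names = {name for name, _, _ in parse_a_records(zone_text)}
    bad = []
    for raw in zone_text.splitlines():
        m = CNAME_RECORD.match(_strip_comment(raw))
        if m and not m["target"].endswith(".") and m["target"] not in names:
            bad.append((m["owner"], m["target"]))
    return bad


def format_entry(owner, addr, ticket):
    """The two tab-separated lines to paste into cl.data (tabs, never spaces)."""
    return f'{owner}\tIN\tA\t{addr}\n\t\tIN\tTXT\t"{ticket}"'


if __name__ == "__main__":
    print("/24 holds", subnet_size(24), "addresses")
    free = next_free_address(SAMPLE_ZONE, "128.232.98.0/24", reserved=["128.232.98.1"])
    print("next free:", free)
    print("reverse conflicts:", reverse_mapping_conflicts(SAMPLE_ZONE))
    print("dangling CNAMEs:", dangling_cnames(SAMPLE_ZONE))
    print(format_entry("saluki2.dtg", free, "RT#94231"))
```

Run it against a copy of the real file (never the checked-out one) before editing; the gateway is passed as reserved because by convention it sits at range_min and has its own entry only if someone added one.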

GENERAL NOTES on vi

  • /string and [Enter] (search for the string)
  • : for command prompt
  • :1 to go to line 1
  • :wq and [Enter] is write & quit
  • :q! and [Enter] is quit without writing (if you mess up!)
  • :help and [Enter] for help
  • Arrow-keys scroll around text
  • Ctrl+F to page-Forward through text
  • Ctrl+B to page-Back through text
  • Shift+A to go into -- INSERT -- mode at end of line
  • i to go into -- INSERT -- mode at the cursor
  • Shift+R to enter -- REPLACE -- or "Overtype" mode
  • [Esc] escape out of -- INSERT -- & -- REPLACE -- mode
  • u undo last change
  • d delete (d followed by a motion; pressed twice, dd, deletes the current line)

12. rcsdiff cl.data and [Enter] to check what changes have actually been made

13. Use ci -u cl.data and [Enter] to check in (keeping a working copy); at the log-message prompt give the RT ticket number, e.g. RT#94171, then [Enter], and finish the message with a line containing only . followed by [Enter]

14. Go up with cd .. and [Enter]

15. At the laira:named$ prompt use make install and [Enter]

16. You will see a lot of output ending in something like:

 < 128.232.20.59 puppy31.dtg.cl.cam.ac.uk puppy31.dtg dtw30-crunch0.dtg.cl.cam.ac.uk
 ---
 > 128.232.20.59 puppy31.dtg.cl.cam.ac.uk puppy31.dtg dtw30-crunch0.dtg.cl.cam.ac.uk 
 touch intermediate/hosts-st
 # ===== built derived files from sources =====
 
 
 # ====== install   on dns0 ======
 # install on meldreth.cl.cam.ac.uk/var/named/chroot/var/named/data/
 [sudo] password for CRSid:

at [sudo] password for CRSid: give your CL password & press [Enter]


17. You will eventually see something like:

 Answer:
 ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  45631
 ;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
 ;; TSIG PSEUDOSECTION:
 
 
 
 local-ddns.             0       ANY     TSIG    hmac-sha256. 1422536243 300 32
 
 # sync tex.ac.uk
 # sync pgp.net
 # sync 2001.0630.0212.02
 # ====== ran /usr/sbin/dns-update ('nsdiff | nsupdate') on dns0 ======
 
 sudo cp -p intermediate/hosts /anfs/master/dist/all/etc/hosts-t
 sudo chown root /anfs/master/dist/all/etc/hosts-t
 sudo mv -f /anfs/master/dist/all/etc/hosts-t /anfs/master/dist/all/etc/hosts
 ls -ld /anfs/master/dist/all/etc/hosts
 -rw-r--r--. 1 root vrw10 199159 Jan 29 12:56 /anfs/master/dist/all/etc/hosts
 laira:named$
 

and be returned to a laira:named$ prompt.

18. Use exit and [Enter] to exit (and eventually close down PuTTY)

19. In RT Reply to the user and Resolve the ticket.

Procedure for Patching

Patch request <InventoryNumber> floorbox <FloorBoxNumber> VLAN <VLANnumber>

  1. Establish all details: InventoryNumber, FloorBox & PortNumber, and the VLAN required. Emails come in with a title similar to the above to the HW-Admin RT queue. These tickets need to be passed to the Operators by placing them on the Oper RT queue (Owner as Nobody and Status as New)
  2. The operators then carry out the physically patching & documenting (see the Operator's Procedure for Patching).
  3. When the patching has been done and the ticket is returned to the sys-admin queue configure the switch port VLAN as per Updating VLANs in the Cisco switches.

Updating VLANs in the Cisco switches

Unused switch ports are set with the standard settings to enable a IP Phone to be plugged in without any configuration change. However, no other VLANs are enabled by default on the port.

Any other equipment that is attached will require a VLAN to be enabled on that port in addition to merely patching the port through to the floor box. (See Inventory, wiring, VLAN & Lookup.)

Login the connection in the database:-

  1. Having established the InventoryNumber, FloorBox & PortNumber, VLAN details above and with the RT Ticket number to hand go to wiring.
  2. Click Floor Box Details
  3. Put in the Box name (e.g. WC0E-042) and search (*) Box by pressing [Enter]
  4. Hopefully the port in question will be free - if so click [Add Connection]
  5. Put in the free Port: the Inventory Number of the machine which will be connected to it and a Note: of the RT#12345 number then click [Create]
  6. The [Trace] button for that port will now show the switch & "HOST" which it is connected to e.g.
    1393 CBL WC0E-HOST-075 <==>WC0E-SW2-075
    is HOST 75 (read as port 75-48=27) on switch WC0E-SW2 (which may actually be a stacked switch on switch WC0E-SW1, but you won't find that out until you try telnetting to it and it fails - see below)



To enable/disable a VLAN on a switch port:-

  1. Make sure Pageant.EXE is running and has your private key by double clicking on CL.ppk or similar.
  2. Use PuTTY and go to the CL's slogin-serv.cl.cam.ac.uk
  3. Make the PuTTY window longer.
  4. Type kinit & press [Enter]
  5. Enter your CL Password for CRSid@AD.CL.CAM.AC.UK & press [Enter]
  6. ssh -K laira & press [Enter]
  7. Connect to the appropriate switch using telnet - the switches are named wcname-swN.net.cl.cam.ac.uk (e.g. WC0E-SW2-90 -> HOST 90 on wc0e-sw2.net, or HOST 90 on wc0e-sw1.net on a stacked switch), e.g. telnet wc0e-sw1.net


NOTE: At this point in time our network upgrade is not complete; when it is, all wiring closets will have, in effect, a single switch. Until then HOST 1-48 will be on switch 1 and HOST 49-96 on switch 2.

 HOST 1 to 48 are wcXX-sw1 ports Gi0/1 to Gi0/48  
 HOST 49 to 96 are wcXX-sw2 ports Gi0/1 to Gi0/48

Wiring closets that have been upgraded to the newer switches operate as a stack (wc0c is an example). You can recognise these because there appears to be only one switch to log into and port names have three components. On these:

 HOST 1 to 48 are wcXX-sw1 ports GigabitEthernet1/0/1 to GigabitEthernet1/0/48  
 HOST 49 to 96 are wcXX-sw1 ports GigabitEthernet2/0/1 to GigabitEthernet2/0/48
  8. At the password prompt enter the access password.
  9. At the prompt wc0e-sw1.net> type enable then [Enter], and give the enable password.
  10. Look at the existing configuration with show conf then [Enter], and page through by hitting the [Space-bar] until you see the configuration entry for the port you want to change - for HOST port 90 look for a line like interface GigabitEthernet0/42 on switch 2 or interface GigabitEthernet2/0/42 on a stacked switch 1 - and verify what data VLAN is currently enabled on it (an access port carries a single data VLAN, so setting a new one replaces whatever is there).
  11. To add (or remove) a VLAN enter conf terminal and [Enter]
  12. At the next wc0e-sw1.net(config)# prompt select the interface you want to configure with interface gi0/42 or interface gi2/0/42 and [Enter]
  13. At the wc0e-sw1.net(config-if)# prompt set the required VLAN with the command switchport access vlan 190 and [Enter],
    or
    to remove VLAN 190 from a port use the command no switchport access vlan 190 and [Enter]
  14. At the wc0e-sw1.net(config-if)# prompt type exit and [Enter]
  15. At the next wc0e-sw1.net(config)# prompt type exit and [Enter]
  16. At the next wc0e-sw1.net# prompt type write and [Enter]; you should see:
 Building configuration...
 [OK]
  17. Use show conf then [Enter] to check the configuration as detailed above; if all OK then exit and [Enter] to leave the switch
  18. Then exit and [Enter] (and eventually close down PuTTY)
  19. Tell the user when the job has been completed.
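As an added example (not the Lab's own code), the script below does the two error-prone parts of the procedure above offline: it turns a floor-box HOST number into the switch and IOS interface name for both the old two-switch layout and the stacked layout, and it reads a saved "show conf" to find the port's current data VLAN so that a port already carrying someone else's VLAN is not silently overwritten. The "show conf" excerpt is constructed for the example; the voice VLAN number in it is an assumption (the page only says phones work on unconfigured ports), and the command list it produces follows the page's steps.

```python
"""Map HOST numbers to IOS interfaces and check a port's data VLAN before
changing it (added example, not the Lab's own tooling)."""
import re

PORTS_PER_SWITCH = 48

# Constructed 'show conf' excerpt for a stacked switch.  Interface names follow
# the page; the access/voice VLAN numbers are made up for the example.
SAMPLE_SHOW_CONF = """\
!
interface GigabitEthernet2/0/41
 switchport access vlan 298
 switchport voice vlan 200
 spanning-tree portfast
!
interface GigabitEthernet2/0/42
 switchport voice vlan 200
 spanning-tree portfast
!
interface GigabitEthernet2/0/43
 switchport access vlan 190
 switchport voice vlan 200
!
"""


def host_to_interface(host, stacked):
    """Map HOST 1-96 to (switch suffix, IOS interface name).

    Old layout:     HOST 1-48 on sw1 Gi0/1-48, HOST 49-96 on sw2 Gi0/1-48.
    Stacked layout: all on sw1; member 1 = Gi1/0/N, member 2 = Gi2/0/N.
    """
    if not 1 <= host <= 2 * PORTS_PER_SWITCH:
        raise ValueError("HOST numbers run 1-96 in this layout")
    member = 1 if host <= PORTS_PER_SWITCH else 2
    port = host if member == 1 else host - PORTS_PER_SWITCH
    if stacked:
        return "sw1", f"GigabitEthernet{member}/0/{port}"
    return f"sw{member}", f"GigabitEthernet0/{port}"


def current_access_vlan(show_conf, interface):
    """Data VLAN configured on `interface` in 'show conf' output, or None when
    the port has no 'switchport access vlan' line (i.e. the default)."""
    in_stanza = False
    for line in show_conf.splitlines():
        if line.startswith("interface "):
            parts = line.split(None, 1)
            in_stanza = len(parts) == 2 and parts[1].strip() == interface
        elif in_stanza:
            if line.startswith("!"):          # '!' closes the interface stanza
                return None
            m = re.match(r"\s*switchport access vlan (\d+)$", line)
            if m:
                return int(m.group(1))
    return None


def access_vlan_commands(interface, vlan):
    """IOS lines for steps 11-16 above: set `vlan`, or clear the setting with
    vlan=None (which returns the port to the default VLAN 1)."""
    if vlan is not None and not 1 <= vlan <= 4094:
        raise ValueError("VLAN IDs run 1-4094")
    body = f"switchport access vlan {vlan}" if vlan else "no switchport access vlan"
    return ["configure terminal", f"interface {interface}", body, "exit", "exit", "write"]


def plan_change(show_conf, host, stacked, new_vlan, expect_current):
    """Refuse to touch a port whose current data VLAN is not what the ticket
    and wiring database say it should be (None = expected to be at default)."""
    switch, iface = host_to_interface(host, stacked)
    current = current_access_vlan(show_conf, iface)
    if current != expect_current:
        raise RuntimeError(
            f"{iface} carries VLAN {current}, expected {expect_current}; check the wiring DB")
    return switch, iface, current, access_vlan_commands(iface, new_vlan)


if __name__ == "__main__":
    switch, iface, current, cmds = plan_change(SAMPLE_SHOW_CONF, 90, True, 190, None)
    print(f"HOST 90 -> wc0e-{switch}.net {iface} (currently VLAN {current})")
    print("\n".join(cmds))
```

Paste the saved "show conf" into SAMPLE_SHOW_CONF's place (or read it from a file) and pass the VLAN the wiring database records for that port as expect_current; a mismatch means the patching record and the switch disagree and the ticket should go back to the Operators rather than being forced through.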

Firewall

  • The Computer Lab actually doesn't have a firewall! There is only a set of access control lists which act as a firewall. With multiple VLANs it has never been clear where a firewall should be placed to be of use to us, so restrictions are created using access control lists between VLANs.

Martyn Johnson (12/02/15) RT#94558 :

"I think this probably does have to remain a "back office" job. There are quite a few cases in which it would be possible to document a recipe, but more often than not there are "big picture" considerations which may mean that doing exactly what was asked for is not the ideal way to proceed, even if it doesn't directly conflict with policy. There are also a fair number of things that can go wrong during the implementation of a rule change which are not directly related to the task in hand. This alone seems sufficient reason for it not to be done without a certain depth of background knowledge of our networking. I think is it fairly clear that requestor in this case knows what he wants, and realises that it raises wider issues too. So I think it probably is a case for immediate escalation. There have been other cases in which people have just assumed there's a firewall issue without actually presenting sufficient to determine whether it really is. For example, some problems actually turn out to be an issue within the machine itself (typically Linux iptables). We might reasonably aspire to having the front desk do this kind of initial diagnosis, even though it is often non-trivial to work out what is going on."

Contacts

Primary

  • net-admin queue

Other

Availability

  • Monday:
  • Tuesday:
  • Wednesday:
  • Thursday:
  • Friday:
  • Saturday: Closed
  • Sunday: Closed

Hints, Tips & Known Issues

Title

Firstname Lastname (Date)

Info...

Categorising Keywords

  • Network Networking VPN Router