Service Desk Knowledgebase: Networking
Revision as of 11:54, 23 April 2015
This is the Networking content page of the CL Wiki Service Desk Knowledgebase. Its purpose is to provide information to the Service Desk team on how to handle problems and requests about this CL service. If you are involved with the provision of this CL service please feel free to add to the knowledge about it.
If CL staff need to tell the Service Desk team about problems with this service please email sys-admin-aside@cl.cam.ac.uk.
Key Service Description & URLs
- The CL network
- Computer Laboratory News (Twitter use @UC_CL_SysAdm)
CL Customer Documentation
William Gates Building Floor Plans (inc. Room Codes):
- Ground floor (G)
- First floor (F)
- Second floor (S)
- Find a room
Further CL Sys-Admin Resources
- http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/HelpDesk/Networking - Networking
- http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/HelpDesk/Networking/VPN_request - Dealing with a VPN request
- https://dbwebserver.ad.cl.cam.ac.uk/SCG/Wiring2/Wiring.aspx - wiring
- http://netdisco.net.cl.cam.ac.uk/ - NetDisco Management tool (must be accessed from a Computer Lab machine e.g. ts01.ad.cl.cam.ac.uk with username=guest password=guest)
Underpinning Services
- ??? - Any supporting or underpinning services
Customer-base for this Service
- All staff and students of the Computer Laboratory
Costs
- Free to all current staff and PhD students of the Computer Laboratory.
SLA
- N/A
Service Desk Call Handling Procedure
- RT tickets can be escalated to the net-admin team by changing the Queue to net-admin with the Owner set to Nobody & Status set to new. Tell the requestor:
I am passing this request over to our Network Admin team who, I'm sure, will be in contact shortly.
Finding VLAN Info
The Networks Database lists VLANs and their address ranges. Clicking [Details] will reveal the netmask and the Router/Gateway's IP address which by convention is the first IP address in the range i.e. range_min.
Common examples are:
- Tag 298 = Managed Windows (AD delegated machines) 128.232.28.0/22
- Tag 398 = Managed Linux 128.232.64.0/20
- Tag 498 = Managed Macs 128.232.56.0/22
- Tag 105 = DMZ (with no Windows machines in it) 128.232.98.0/24
- Tag 190 = Virtually outside (Uses DHCP with known MAC addresses) 128.232.110.0/24
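The arithmetic behind this table, as an added Python helper (not part of the wiki page): it takes the VLAN ranges listed above, works out the netmask and the address count 2^(address size - prefix size) quoted in the DNS procedure, and reports the router/gateway as range_min. The example assumes range_min is the first usable address (the .1, which is also what the DNS procedure searches for), not the network address itself; the VLAN table is the one given above.

```python
import ipaddress

# VLAN tags and address ranges as listed on this page ("Common examples").
COMMON_VLANS = {
    298: ("Managed Windows", "128.232.28.0/22"),
    398: ("Managed Linux", "128.232.64.0/20"),
    498: ("Managed Macs", "128.232.56.0/22"),
    105: ("DMZ", "128.232.98.0/24"),
    190: ("Virtually outside", "128.232.110.0/24"),
}


def describe_range(cidr):
    """Netmask, address count and the conventional gateway for a VLAN range.

    The address count is 2 ** (address size - prefix size), the formula quoted
    in the DNS procedure.  Assumption: range_min (the router/gateway) is the
    first usable address, e.g. 128.232.98.1 for 128.232.98.0/24.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "addresses": 2 ** (net.max_prefixlen - net.prefixlen),
        "gateway": str(net[1]),        # range_min by the page's convention
        "last_usable": str(net[-2]),   # the broadcast address is excluded
    }


def vlan_for_address(ip, table=COMMON_VLANS):
    """Return the VLAN tag whose range contains ip, or None if no listed VLAN does.

    Handy for checking that an address requested in a ticket really belongs
    to the VLAN the ticket names.
    """
    addr = ipaddress.ip_address(ip)
    for tag, (_name, cidr) in table.items():
        if addr in ipaddress.ip_network(cidr):
            return tag
    return None


if __name__ == "__main__":
    for tag, (name, cidr) in sorted(COMMON_VLANS.items()):
        d = describe_range(cidr)
        print(f"Tag {tag:3d} {name:18s} {d['network']:18s} mask {d['netmask']:15s} "
              f"{d['addresses']:5d} addresses, gateway {d['gateway']}")
```

Running the script prints one line per VLAN; `vlan_for_address("128.232.98.206")` returns 105, so a DMZ ticket asking for that address is consistent, while an address nobody's range covers returns None and should be queried before any DNS entry is made.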
Dealing with a VPN request
See http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/HelpDesk/Networking/VPN_request
Request to add machine to department network
If it is a private laptop then get them to:
Please register the laptop on the DHCP request page https://dbwebserver.ad.cl.cam.ac.uk/SysAdminUser/DHCPRequest.aspx and request a connection on the appropriate VLAN.
Dealing with DHCP Registration
Piete Brooks (30/03/15)
DRAFT!
To find out which VLANs use DHCP consult ??? My model is that:
- 'Lab Linux' (including servers) do not, BUT we abuse the mechanism for an IPv6 HACK.
- Anything using Dynamic DHCP has to use DHCP!
- Most 'non Lab Managed' VLANs use DHCP even if addresses are actually static.
Basically I think it's safest to do all VLANs.
The MAC address for the machine in question needs to be in the inventory
A ValidTo date will be required which can be determined by:
- If someone has asked for a machine for a particular period, use that.
- If it's a new Lab machine, its life expectancy - say 5 years.
- If it's a private machine, guess how long they'll be here - typically 4 years for a PhD student.
- If it's for an Internal or Under-Graduate, until the end of their use, so a month or so or end of the academic year respectively.
To add the MAC to the DHCP setup:
- Find the machine in the inventory and click on Details
- Click on the MAC address of the machine
- Then click [Select]
- Select the required VLAN from the drop-down list underneath
- To add a new VLAN entry to this interface, select the VLAN and click on [Add]
- Click on [Edit]
- Add a ValidTo date (the default is the same day!) and then click [Update]
The Pool should be dynamic and within half an hour or so the DHCP address should be available.
[NOTE: If it were static, you need to add the name and address to the DNS.
>iwm21: ... as a managed MAC, can we suggest the user hard-codes the IP address?
GT: ... The managed MAC VLAN hands out static addresses. Those are from the DNS, the fix here is to add an entry for this machine to the cl.data file - an example of a machine configured in this way is saissac (my laptop). Most of our VLANs do not use dynamic DHCP addresses so in most cases you need to add an address to the DNS when a new machine is added to the VLAN.
]
Adding IP addresses & CNAMES to the DNS
[NOTE: The Windows domain uses truly dynamic DHCP so think hostname.ad.cl.cam.ac.uk rather than IP Address.]
1. Check that the person is entitled to what is being requested.
In the case of the DNS it is better to decide if the person is allowed rather than worry about the machine. (Obvious counter examples would be a request to change the main router etc.) In general UTOs are pretty much always trusted; for others, request confirmation via their supervisors (Lookup CL Staff & Students). You can also scan the cl.data file for their past history (go to laira, cd /anfs/glob/src/etc/named/src and view cl.data): if they have made multiple requests previously then trust them. If the requestor isn't the User or PersonResponsible of the machine (see Inventory), asking the actual User/PersonResponsible is an acceptable and safe approach.
2. Determine the IP address range that should be used for the requested VLAN using Network settings. Copy & paste the first part of the address into something like Notepad to use in a search later. [NOTE: The number of addresses in a subnet defined by the mask or prefix can be calculated as 2 to the power of (address size - prefix size), in which the address size is 32 for IPv4 (128 for IPv6). For example, in IPv4, a prefix size of /24 gives 2^(32-24) = 2^8 = 256 addresses.]
3. Make sure Pageant.EXE is running and has your private key by double clicking on CL.ppk or similar.
4. Use PuTTY and go to the CL's slogin-serv.cl.cam.ac.uk
5. Make the PuTTY window longer.
6. Type kinit & press [Enter]
7. Enter your CL Password for CRSid@AD.CL.CAM.AC.UK & press [Enter]
8. Type ssh -K laira & press [Enter] to go to the privileged machine laira
9. At the laira:~$ prompt use cd /anfs/glob/src/etc/named/src and [Enter]
10. Check-out the cl.data file with co -l cl.data and [Enter]
11. Use vi to edit the file with vi cl.data and [Enter]
Adding an IP Address:
- Search for the start of the address range with something like /128.232.98.1 (which you hopefully kept from earlier!) and [Enter]
- Ctrl+F to scroll Forward to the next available address in the range.
- Down-arrow to start of line above where it should be.
- Use Shift+A to enter --INSERT-- mode at the end of that line
- Make an entry like:
saluki1.dtg IN A 128.232.98.206 IN TXT "RT#94231"
(NOTE: the gaps are made using <Tab> not spaces)
(NOTE: If an IP Address has more than one A hostname referring to it, the others should have !F at the start of the hostname so there is only one hostname to reverse map back to.)
- [Esc] out of INSERT mode
- :wq and [Enter] to write the file and quit vi
Adding a CNAME:
- Search for the machine name using something like /puppy38 and [Enter]
- Down-arrow to start of line above where it should be.
- Use Shift+A to enter --INSERT-- mode at the end of that line
- Make an entry like:
puppy38.dtg IN A 128.232.20.67 IN TXT "VM in husky cluster" ; oc243 rt#88303
acr31-containers.dtg IN CNAME puppy38.dtg ; oc243 rt#91603
rscfl-freebsd.dtg IN CNAME puppy38.dtg ; oc243 rt#94176
(NOTE: the gaps are made using <Tab> not spaces)
- [Esc] out of INSERT mode
- :wq and [Enter] to write the file and quit vi
GENERAL NOTES on vi
- /string and [Enter] (search for the string)
- : for command prompt
- :1 to go to line 1
- :wq and [Enter] is write & quit
- :q! and [Enter] is quit without writing (if you mess up!)
- :help and [Enter] for help
- Arrow-keys scroll around text
- Ctrl+F to page-Forward through text
- Ctrl+B to page-Back through text
- Shift+A to go into -- INSERT -- mode at end of line
- i to go into -- INSERT -- mode at the cursor
- Shift+R to enter -- REPLACE -- or "Overtype" mode
- [Esc] escape out of -- INSERT -- & -- REPLACE -- mode
- u undo last change
- dd deletion (if pressed twice the object is the current line)
12. rcsdiff cl.data and [Enter] to check what changes have actually been made
13. Use ci -u cl.data and [Enter] to check the file in. When prompted for a log message, give the RT ticket number e.g. RT#94171 then [Enter], and finish the message with a line containing only . followed by [Enter]
14. Go up with cd .. and [Enter]
15. At the laira:named$ prompt use make install and [Enter]
16. You will see a lot of output ending in something like:
< 128.232.20.59 puppy31.dtg.cl.cam.ac.uk puppy31.dtg dtw30-crunch0.dtg.cl.cam.ac.uk
---
> 128.232.20.59 puppy31.dtg.cl.cam.ac.uk puppy31.dtg dtw30-crunch0.dtg.cl.cam.ac.uk
touch intermediate/hosts-st
# ===== built derived files from sources =====
# ====== install on dns0 ======
# install on meldreth.cl.cam.ac.uk/var/named/chroot/var/named/data/
[sudo] password for CRSid:
at [sudo] password for CRSid: give your CL password & press [Enter]
17. You will eventually see something like:
Answer:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 45631
;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; TSIG PSEUDOSECTION:
local-ddns. 0 ANY TSIG hmac-sha256. 1422536243 300 32
# sync tex.ac.uk
# sync pgp.net
# sync 2001.0630.0212.02
# ====== ran /usr/sbin/dns-update ('nsdiff | nsupdate') on dns0 ======
sudo cp -p intermediate/hosts /anfs/master/dist/all/etc/hosts-t
sudo chown root /anfs/master/dist/all/etc/hosts-t
sudo mv -f /anfs/master/dist/all/etc/hosts-t /anfs/master/dist/all/etc/hosts
ls -ld /anfs/master/dist/all/etc/hosts
-rw-r--r--. 1 root vrw10 199159 Jan 29 12:56 /anfs/master/dist/all/etc/hosts
laira:named$
and be returned to a laira:named$ prompt.
18. Use exit and [Enter] to exit (and eventually close down PuTTY)
19. In RT Reply to the user and Resolve the ticket.
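Before step 12's rcsdiff, it is worth checking a proposed cl.data line against the rules in this procedure: tabs not spaces, the address inside the requested VLAN, not the gateway, not already in use unless the name carries the !F prefix, and a CNAME pointing at a name that exists. The Python checker below is an added example, not a tool from the wiki or the named build; it works on a constructed excerpt in the cl.data style shown above (the real file has far more records and the "IN TXT" field is treated as optional), and it assumes range_min is the .1 address, as in the /128.232.98.1 search.

```python
import ipaddress

# Constructed excerpt in the cl.data style shown on this page (fields separated
# by <Tab>, ';' starts a comment, '!F' marks an extra name for an address that
# is already reverse-mapped to another name).  Not the real file.
SAMPLE_CL_DATA = (
    'puppy38.dtg\tIN\tA\t128.232.20.67\tIN\tTXT\t"VM in husky cluster"\t; oc243 rt#88303\n'
    "acr31-containers.dtg\tIN\tCNAME\tpuppy38.dtg\t; oc243 rt#91603\n"
    "gw-dmz\tIN\tA\t128.232.98.1\t; router, range_min (constructed name)\n"
    "jackal2.dtg\tIN\tA\t128.232.98.2\n"
    'saluki1.dtg\tIN\tA\t128.232.98.206\tIN\tTXT\t"RT#94231"\n'
    "!Fsaluki1-alias.dtg\tIN\tA\t128.232.98.206\t; second name, not reverse-mapped\n"
)


def parse_cl_data(text):
    """Return (name, rtype, value, is_alias) for each A and CNAME line in text."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop trailing comment
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 4 or fields[1] != "IN" or fields[2] not in ("A", "CNAME"):
            continue
        name = fields[0]
        is_alias = name.startswith("!F")
        records.append((name[2:] if is_alias else name, fields[2], fields[3], is_alias))
    return records


def check_new_entry(entry, vlan_cidr, existing_text):
    """Return a list of problems with a proposed cl.data line (empty means OK)."""
    problems = []
    # Everything before the quoted TXT string / comment must be tab-separated.
    head = entry.split('"', 1)[0].split(";", 1)[0].strip()
    if " " in head:
        return ["fields are separated by spaces; use <Tab> between fields"]
    parsed = parse_cl_data(entry)
    if len(parsed) != 1:
        return ["line does not parse as a single A or CNAME record"]
    name, rtype, value, is_alias = parsed[0]
    existing = parse_cl_data(existing_text)
    names = {r[0] for r in existing}
    a_names_by_ip = {}
    for n, t, v, alias in existing:
        if t == "A":
            a_names_by_ip.setdefault(v, []).append((n, alias))
    if name in names:
        problems.append(f"hostname {name} is already defined")
    if rtype == "A":
        net = ipaddress.ip_network(vlan_cidr)
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return problems + [f"{value} is not a valid IP address"]
        if ip not in net:
            problems.append(f"{ip} is outside the VLAN range {net}")
        elif ip == net[1]:                              # range_min, the router
            problems.append(f"{ip} is the router/gateway (range_min) of {net}")
        holders = a_names_by_ip.get(value, [])
        if holders and not is_alias:
            problems.append(f"{ip} is already used by {holders[0][0]}; "
                            "an extra name for it needs the !F prefix")
        if is_alias and not any(not alias for _, alias in holders):
            problems.append(f"!F name for {ip} but no primary name exists to reverse-map to")
    elif value not in names:
        problems.append(f"CNAME target {value} is not defined")
    return problems


def next_free_address(existing_text, vlan_cidr):
    """First unused host address in the range, skipping range_min (the gateway)."""
    used = {r[2] for r in parse_cl_data(existing_text) if r[1] == "A"}
    hosts = ipaddress.ip_network(vlan_cidr).hosts()
    next(hosts)                                         # skip the gateway
    for host in hosts:
        if str(host) not in used:
            return str(host)
    return None


if __name__ == "__main__":
    print(next_free_address(SAMPLE_CL_DATA, "128.232.98.0/24"))
    print(check_new_entry("dup.dtg\tIN\tA\t128.232.98.206", "128.232.98.0/24", SAMPLE_CL_DATA))
```

Feeding the real cl.data in as `existing_text` makes `next_free_address` do the Ctrl+F scan of the earlier steps, and an empty list from `check_new_entry` means the line is safe to paste into vi.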
Procedure for Patching
Patch request <InventoryNumber> floorbox <FloorBoxNumber> VLAN <VLANnumber>
- Establish all details: InventoryNumber, FloorBox & PortNumber, VLAN required. Emails come in with a title similar to the above to the HW-Admin RT queue. These tickets need to be passed to the Operators by placing them on the Oper RT queue (Owner as Nobody and Status as New).
- The operators then carry out the physical patching & documenting (see the Operator's Procedure for Patching).
- When the patching has been done and the ticket is returned to the sys-admin queue, configure the switch port VLAN as per Updating VLANs in the Cisco switches.
Updating VLANs in the Cisco switches
Unused switch ports are set with the standard settings to enable an IP Phone to be plugged in without any configuration change. However, no other VLANs are enabled by default on the port.
Any other equipment that is attached will require a VLAN to be enabled on that port in addition to merely patching the port through to the floor box. (See Inventory, wiring, VLAN & Lookup.)
Log the connection in the database:
- Having established the InventoryNumber, FloorBox & PortNumber, VLAN details above and with the RT Ticket number to hand go to wiring.
- Click Floor Box Details
- Put in the Box name (e.g. WC0E-042) and search (*) Box by pressing [Enter]
- Hopefully the port in question will be free - if so click [Add Connection]
- Put in the free Port: the Inventory Number of the machine which will be connected to it and a Note: of the RT#12345 number then click [Create]
- The [Trace] button for that port will now show the switch & "HOST" which it is connected to e.g.
1393 CBL WC0E-HOST-075 <==>WC0E-SW2-075
is HOST 75 (read as Port 75-48=27) on Switch WC0E-SW2 (which may actually be a stacked switch on switch WC0E-SW1, but you won't find that out until you try telnetting to it and it fails - see below)
To enable/disable a VLAN on a switch port:-
- Make sure Pageant.EXE is running and has your private key by double clicking on CL.ppk or similar.
- Use PuTTY and go to the CL's slogin-serv.cl.cam.ac.uk
- Make the PuTTY window longer.
- Type kinit & press [Enter]
- Enter your CL Password for CRSid@AD.CL.CAM.AC.UK & press [Enter]
- ssh -K laira & press [Enter]
- Connect to the appropriate switch using telnet - the switches are named as wcname-swN.net.cl.cam.ac.uk (i.e. WC0E-SW2-90 -> wc0e-sw2.net HOST 90, or wc0e-sw1.net HOST 90 on a stacked switch), e.g.
telnet wc1ewc0e-sw1.net
NOTE: At this point in time our network upgrade is not complete; when it is, all wiring closets will have, in effect, a single switch. Until then ports from HOST 1-48 will be on switch 1, HOST 48-96 on switch 2.
HOST 1 to 48 are wcXX-sw1 ports Gi0/1 to Gi0/48
HOST 49 to 96 are wcXX-sw2 ports Gi0/1 to Gi0/48
Wiring closets have been upgraded to the newer switches which operate as a stack (example is wc0c). You can recognize these because there appears to be only one switch to log into and port names have three components. On these:
HOST 1 to 48 are wcXX-sw1 ports GigabitEthernet1/0/1 to GigabitEthernet1/0/48
HOST 49 to 96 are wcXX-sw1 ports GigabitEthernet2/0/1 to GigabitEthernet2/0/48
Note that the following are links not ports so they don't get counted in the 48+48 numbering scheme:
!
interface GigabitEthernet1/0/49
 switchport trunk allowed vlan 1-473,478-4094
 switchport mode trunk
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
!
interface GigabitEthernet1/0/50
!
interface TenGigabitEthernet1/0/1
 switchport trunk allowed vlan 1-473,478-4094
 switchport mode trunk
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
 channel-group 1 mode active
!
- At the password prompt enter the access password.
- At the prompt wc0e-sw1.net> type enable then [Enter], and give the enable password.
- Look at the existing configuration with show conf then [Enter], and page through by hitting the [Space-bar] until you see the configuration entry for the port you want to change - for HOST port 90 look for a line like interface GigabitEthernet0/42 on switch 2 or interface GigabitEthernet2/0/42 on a stacked switch 1, and verify what data VLAN is enabled on it.
- To add (or remove) a VLAN enter conf terminal and [Enter]
- At the next wc0e-sw1.net(config)# prompt select the interface you want to configure with interface gi0/42 or interface gi2/0/42 and [Enter]
- At the wc0e-sw1.net(config-if)# prompt add the required VLAN with the command switchport access vlan 190 and [Enter], or to remove VLAN 298 from a port use the command no switchport access vlan 298 and [Enter]
- At the wc0e-sw1.net(config-if)# prompt type exit and [Enter]
- At the next wc0e-sw1.net(config)# prompt type exit and [Enter]
- At the next wc0e-sw1.net# prompt type write and [Enter] you should see:
Building configuration... [OK]
- Use show conf then [Enter] to check the configuration as detailed above; if all is OK then type exit and [Enter] to leave the switch
- Then exit and [Enter] (and eventually close down PuTTY)
- Tell the user when the job has been completed.
Sorting out BMC Access
See BMC ACL - when up if present
Firewall
- The Computer Lab actually doesn't have a firewall! There is only a set of access control lists which act as a firewall. With multiple VLANs it has never been clear where a firewall should be placed to be of use to us, so restrictions are created using access control lists between VLANs.
Martyn Johnson (12/02/15) RT#94558 :
"I think this probably does have to remain a "back office" job. There are quite a few cases in which it would be possible to document a recipe, but more often than not there are "big picture" considerations which may mean that doing exactly what was asked for is not the ideal way to proceed, even if it doesn't directly conflict with policy. There are also a fair number of things that can go wrong during the implementation of a rule change which are not directly related to the task in hand. This alone seems sufficient reason for it not to be done without a certain depth of background knowledge of our networking. I think it is fairly clear that the requestor in this case knows what he wants, and realises that it raises wider issues too. So I think it probably is a case for immediate escalation. There have been other cases in which people have just assumed there's a firewall issue without actually presenting sufficient to determine whether it really is. For example, some problems actually turn out to be an issue within the machine itself (typically Linux iptables). We might reasonably aspire to having the front desk do this kind of initial diagnosis, even though it is often non-trivial to work out what is going on."
Contacts
Primary
- net-admin queue
Other
Availability
- Monday:
- Tuesday:
- Wednesday:
- Thursday:
- Friday:
- Saturday: Closed
- Sunday: Closed
Hints, Tips & Known Issues
Title
Firstname Lastname (Date)
Info...
Categorising Keywords
- Network Networking VPN Router