Difference between revisions of "Infrastructure:Network Architecture"
Revisions compared: imported>Echarlie (→Current setup) and imported>Echarlie (→Limitations). The change is at line 6 of the page source.

=== Limitations ===

Previous revision:
We
* Only one MAC address may appear on the port at a time (port security)
* There is no prefix delegation for IPv6, so each address must be individually requested via NDP.
This means we must:
* Use ARP proxying or 1-to-1 NAT for IPv4
* Use an NDP proxy for IPv6

Current revision:
We are behind the ECE Whittemore NAT, which is on a single 100 Mbps CNS port. We have the following limitations:
* All adjustments to ECE DNS must be made through Brandon
* IP addresses are difficult to claim, because they must be forwarded through the NAT, and ARP proxying must be configured by Brandon
* IPv6 is not supported behind the Whittemore NAT

Consequently, we must:
* Use an IPv6 tunnel if we want access to IPv6 addresses
* Keep all internal services (like NFS) on an internal network

<!--* Only one MAC address may appear on the port at a time (port security)
* There is no prefix delegation for IPv6, so each address must be individually requested via NDP.
This means we must:
* Use ARP proxying or 1-to-1 NAT for IPv4
* Use an NDP proxy for IPv6-->

=== CVL setup (deprecated) ===
Revision as of 17:43, 22 March 2016
This is an attempt to document VTLUUG's overly complex networking setup. Apologies for the disorganization, this is mainly just a way to get everything in one place. --Mjh (talk) 21:43, 28 December 2014 (EST)
Note: This is extraordinarily dated. Revisions are in progress, but currently, do not consider it to be remotely correct. --echarlie
Limitations
We are behind the ECE Whittemore NAT, which is on a single 100 Mbps CNS port. We have the following limitations:
- All adjustments to ECE DNS must be made through Brandon
- IP addresses are difficult to claim, because they must be forwarded through the NAT, and ARP proxying must be configured by Brandon
- IPv6 is not supported behind the Whittemore NAT
Consequently, we must:
- Use an IPv6 tunnel if we want access to IPv6 addresses
- Keep all internal services (like NFS) on an internal network
CVL setup (deprecated)
Hardware:
- "luugtemp" or "temp88191": a Poweredge 2650 with 2 NICs configured as an Ubuntu router
- 8-port Gigabit unmanaged switch
- 48-port 100 Mbps managed switch (attached to sunway)
Port security evasion:
- A bash script named "Nat" which presumably does 1-to-1 NAT
- NDP proxying via https://npd6.github.io/npd6/
- This is broken and misconfigured. It doesn't properly add routes.
IPs / networks:
- temp88191 is 10.0.0.1/8 and 128.173.88.191. It provides DHCP on our internal interface
- Sunway has static IPs set up (10.0.97.10 to 10.0.97.28)
- Rackable servers: joey (10.0.4.10) and phantomphreak (10.0.4.11)
- cyberdelia's IPv4 is luug0.ece.vt.edu
- Port 9001 <-> 10.0.1.3 (cerealkiller)
- Port 9030 <-> 10.0.1.3 (cerealkiller)
- wood's IPv4 is luug1.ece.vt.edu
- milton's IPv4 is luug2.ece.vt.edu
- luug3.ece.vt.edu is (in theory) used by westinghouse (sunway's head node)
- acidburn's IPv4 is luug.ece.vt.edu
- acidburn has iodine configured as a DNS tunnel (10.152.78.1/27)
- Other tenants of our router: mjh.ece.vt.edu and mirror.ece.vt.edu
- 10.99.0.2/24 appears to be statically assigned to wood's guests.
Cyberdelia VMs - assigned 10.0.1.1/24 (not actually a separate subnet):
- dhcp-host=52:54:00:14:df:c2,10.0.1.1 # "mail" (not yet configured)
- dhcp-host=52:54:00:68:81:33,10.0.1.2 # crashoverride 2.0
- dhcp-host=52:54:00:40:9a:55,10.0.1.3 # Cerealkiller 2.0
Desired Setup
This is what I'm hoping to migrate us to:
- OpenWrt (odhcpd has built-in NDP proxying)
- An internal network smaller than a /8 (room for expansion)
- IPsec (point-to-point and road warrior for users)
- Each VM host has a bridged ethernet port with a global IPv4 address and performs NAT to its VMs. Additional IPv4s are assigned to VMs as needed (e.g. milton and acidburn probably need their own)
- All internal IPv4 addresses are static leases assigned by temp88191 or set statically and documented somewhere; hypervisors do not have their own networks unnecessarily like wood currently does.
- Each device has a global IPv6 address
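An added consistency check for the static-lease plan the CVL and Desired Setup sections describe: it parses the dnsmasq dhcp-host entries for the Cyberdelia VMs and checks them against the other static assignments named on the page, so that "every internal address is a documented static lease" can be verified rather than assumed. This is example code written for this page, not VTLUUG's own tooling; the STATIC table is assembled from addresses given on the page, and the hostnames in it are labels only.

```python
import ipaddress
import re
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # temp88191's internal side (10.0.0.1/8)
# The dnsmasq dhcp-host lines listed on the page for the Cyberdelia VMs
DHCP_HOSTS = """\
dhcp-host=52:54:00:14:df:c2,10.0.1.1 # "mail" (not yet configured)
dhcp-host=52:54:00:68:81:33,10.0.1.2 # crashoverride 2.0
dhcp-host=52:54:00:40:9a:55,10.0.1.3 # Cerealkiller 2.0
"""

# Other static assignments the page lists: single address, (first, last) range, or CIDR
STATIC = {
    "temp88191": "10.0.0.1",
    "sunway": ("10.0.97.10", "10.0.97.28"),
    "joey": "10.0.4.10",
    "phantomphreak": "10.0.4.11",
    "iodine tunnel (acidburn)": "10.152.78.1/27",
}

_HOST_RE = re.compile(r"^dhcp-host=([0-9a-f:]{17}),([0-9.]+)\s*(?:#\s*(.*))?$", re.I)


def parse_dhcp_hosts(text):
    """Return [(mac, ip_address, comment)] for each dhcp-host= line in text."""
    leases = []
    for line in text.splitlines():
        m = _HOST_RE.match(line.strip())
        if m:
            leases.append((m[1].lower(), ipaddress.ip_address(m[2]), m[3] or ""))
    return leases


def _networks(spec):
    # Normalise a STATIC entry into ip_network objects so membership tests are uniform
    if isinstance(spec, tuple):
        return list(ipaddress.summarize_address_range(*map(ipaddress.ip_address, spec)))
    return [ipaddress.ip_network(spec, strict=False)]


def check_inventory(dhcp_text, static=STATIC, internal=INTERNAL_NET):
    """Return human-readable problems; an empty list means the plan is consistent."""
    leases = parse_dhcp_hosts(dhcp_text)
    problems = [f"MAC {mac} has {n} leases" for mac, n in Counter(l[0] for l in leases).items() if n > 1]
    problems += [f"address {ip} leased to {n} hosts" for ip, n in Counter(l[1] for l in leases).items() if n > 1]
    for mac, ip, _ in leases:
        if ip not in internal:
            problems.append(f"{ip} ({mac}) is outside {internal}")
        for name, spec in static.items():
            if any(ip in net for net in _networks(spec)):
                problems.append(f"{ip} ({mac}) collides with static assignment {name}")
    return problems
```

Running check_inventory(DHCP_HOSTS) on the page's entries returns an empty list; appending a line that reuses a MAC or lands on 10.0.4.10 reports both the duplicate MAC and the collision with joey.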