Difference between revisions of "Infrastructure:Network Architecture"

TODO: change name to "Network Architecture" when we fix the wiki so this isn't confused Infrastructure:Network and move Historic section to and leave a link here

This is an attempt to document VTLUUG's overly complex networking setup. Apologies for the disorganization, this is mainly just a way to get everything in one place. --Mjh (talk) 21:43, 28 December 2014 (EST

Note: This is extraordinarily dated. Revisions are in progress, but currently, do not consider it to be remotely correct. --echarlie

Current

We currently have a ~1Gbit NI&S port in the ECE server attic

Hardware:

• "luug5" or "temp88191": a Poweredge 2650 with 2 NICs configured as an Ubuntu 14.04 router
• cyberdelia

Cyb has a private network for NFS on 10.99.0.0/24, and temp88191 does NDP proxying, static ARP using jkh's Nat script (see github), and hands out dhcp leases somewhere in 10.0.0.0/8

We have no other hardware in use

Historic

ECE Server Closet

Limitations

We are behind the ECE Whittemore NAT, which is on a single 100 Mbps CNS port. We have the following limitations:

• All adjustments to ECE DNS must be made through Brandon Russell
• IP addresses are difficult to claim, because they must be forwarded through the NAT
• IPv6 is not supported behind the Whittemore NAT

Consequently, We must:

• Use an IPv6 tunnel if we want access to IPv6 addresses
• Keep all internal services (like NFS) on an internal network

Desired Setup

This is what I'm hoping to migrate us to:

• OpenWrt (odhcpd has built-in NDP proxying) or pfSense Router
  • Partial: pfSense provides NATing on cyberdelia
• An internal network smaller than a /8 (room for expansion)
  • Done: 10.99.0.0/16
• IPsec (point-to-point and road warrior for users)
  • Can be done through openWRT or pfSense
• Each VM host has a bridged ethernet port with a global IPv4 address and performs NAT to its VMs. Additional IPv4s are assigned as VMs as needed (e.g. milton and acidburn probably need their own)
  • Done on cyberdelia
• All internal IPv4 addresses are static leases assigned by the router or set statically and documented somewhere; hypervisors do not have their own networks unnecessarily like wood currently does.
  • Internal network on cyberdelia has static IPs or long-term leases.
  • Cyberdelia still has too many internal networks, most of which are unnecessary.
• Each device has a global IPv6 address
  • Currently provided through tunnel

CVL setup (deprecated)

Hardware:

• "luugtemp" or "temp88191": a Poweredge 2650 with 2 NICs configured as an Ubuntu router
• 8-port Gigabit unmanaged switch
• 48-port 100 Mbps managed switch (attached to sunway)

Port security evasion:

• A bash script named "Nat" which presumably does 1-to-1 NAT
• NDP proxying via https://npd6.github.io/npd6/
  • This is broken an misconfigured. It doesn't properly add routes.

IPs / networks:

• temp88191 is 10.0.0.1/8 and 128.173.88.191. It provides DHCP on our internal interface
• Sunway has static IPs setup (10.0.97.10 to 10.0.97.28)
• Rackable servers: joey (10.0.4.10) and phantomphreak (10.0.4.11)
• cyberdelia's IPv4 is luug0.ece.vt.edu
  • Port 9001 <-> 10.0.1.3 (cerealkiller)
  • Port 9030 <-> 10.0.1.3 (cerealkiller)
• wood's IPv4 is luug1.ece.vt.edu
• milton's IPv4 is luug2.ece.vt.edu
• luug3.ece.vt.edu is (in theory) used by westinghouse (sunway's head node)
• acidburn's IPv4 is luug.ece.vt.edu
• acidburn has iodine configured as a DNS tunnel (10.152.78.1/27)
• Other tenants of our router: mjh.ece.vt.edu and mirror.ece.vt.edu
• 10.99.0.2/24 appears to be statically assigned to wood's guests.

Cyberdelia VMs - assigned 10.0.1.1/24 (not actually a separate subnet):

• dhcp-host=52:54:00:14:df:c2,10.0.1.1 # "mail" (not yet configured)
• dhcp-host=52:54:00:68:81:33,10.0.1.2 # crashoverride 2.0
• dhcp-host=52:54:00:40:9a:55,10.0.1.3 # Cerealkiller 2.0