Difference between revisions of "Network"

From Nuclear Physics Group Documentation Pages
Latest revision as of 14:39, 2 March 2015

Network Diagram

[Image: Network.png, the network diagram]

Networking for the FARM

Port Layout

The port layout is given below. Note that the labels on the cables are currently NOT CORRECT! Numbering is top-left = 1, top-right = 2, bottom-left = 3, bottom-right = 4.

Port 468 -- 1 = Endeavour, 2 = x, 3 = Gourd, 4 = x
Port 469 -- 1 = Pumpkin, 2 = Switch, 3 = Taro, 4 = Okra
Port 470 -- 1 = Tang & Heisenberg, 2 = x, 3 = MMS Archive2 (Mark.Chutter@unh.edu), 4 = x

Netgear GS724T "Smart" Switch

Manual for GS724T (web pages)

The NPG switch is managed through the web interface at 10.0.0.254 and has a gateway at 10.0.0.1.

The switch has a VLAN setup for nodes that are not on the UNH network. Ports 23 and 24 are "special": they face the outside world, and no systems should be plugged into them. The switch is plugged into a UPS.

The farm switch is set up as follows:

  • Standard NPG auth scheme + "sw" (it's switch.farm.physics.unh.edu).
  • Ports 1-22 are members of VLAN id 1, the private farm network.
  • All 24 ports are members of VLAN id 2, the UNH network.
  • Normal, "untagged" Ethernet frames entering the switch are placed in the ingress port's default VLAN; on the way out, frames belonging to a port's default VLAN leave it normal, i.e. "untagged".
  • The "default" VLAN for ports 1-22 is id 1, the farm network.
  • The "default" VLAN for ports 23 & 24 is id 2, the UNH network.
  • Thus port 24 should be connected to a wall jack, and port 23 may be used as a spare UNH port, just as if the pair were a two-port switch plugged into a wall jack. All other hosts using the farm switch will see only the farm, unless they are configured for VLAN, in which case they see UNH as VLAN id 2. All this just makes one physical network segment appear as several, with all the security benefits thereof (when properly implemented).
  • We use IEEE 802.1Q VLANs.

For VLAN ID1, ports 1-22 should be marked "U" for untagged, and 23, 24 should be left blank. For VLAN ID2, ports 1-22 should be marked "T" for tagged, and 23, 24 should be marked "U" for untagged. In the VLAN PVID settings, ports 1-22 should be PVID 1, which means that traffic on those ports defaults to VLAN ID1. Ports 23 and 24 should be PVID 2.


Currently, the only special port being used is port 24, hooked up to the UNH network wall jack.

One more thing: our Netgear "Smart Switch" doesn't live up to its name. The VLAN configuration for ports 23 and 24 must match. This may be because 23 and 24 are the GBIC fiber modules, but it may be that other sets of ports have this odd, undocumented requirement. The thing works perfectly in operation, but gets easily confused during configuration. Reconfigure at your peril.
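To make the membership and PVID rules above concrete, here is an added Python model (not from the NPG wiki or from Netgear) that encodes the settings exactly as the page lists them (ports 1-22: VLAN 1 untagged, VLAN 2 tagged, PVID 1; ports 23 and 24: VLAN 2 untagged, PVID 2) and simulates how a frame arriving on a given port is classified and which ports it leaves, tagged or untagged. The frame-handling rules are standard IEEE 802.1Q behaviour as assumed here; in particular the ingress-filtering rule (a port drops tagged frames for a VLAN it is not a member of) is an assumption, not something verified on the GS724T. The config_problems check also encodes the "ports 23 and 24 must match" caveat so it can be run over a proposed layout before touching the switch.

```python
"""Model of the farm switch's IEEE 802.1Q membership and PVID settings.

Added example (not from the NPG wiki): the port numbers, VLAN ids and the
U/T/blank markings come from the page; the ingress/egress rules are the
standard 802.1Q behaviour assumed for this model, not switch firmware.
"""

FARM_VLAN = 1   # private farm network
UNH_VLAN = 2    # UNH campus network


def farm_switch_config():
    """Per-port settings as the page lists them.

    membership[vid] is 'U' (untagged member), 'T' (tagged member) or None
    (not a member; the blank box in the switch's VLAN membership page).
    """
    config = {}
    for port in range(1, 25):
        if port <= 22:
            config[port] = {"pvid": FARM_VLAN,
                            "membership": {FARM_VLAN: "U", UNH_VLAN: "T"}}
        else:  # ports 23 and 24: the UNH-facing side
            config[port] = {"pvid": UNH_VLAN,
                            "membership": {FARM_VLAN: None, UNH_VLAN: "U"}}
    return config


def ingress_vlan(config, port, tag):
    """VLAN a frame is assigned on ingress; None means the switch drops it.

    tag=None is an untagged frame (classified by the port's PVID); an
    integer tag is the 802.1Q VID carried in the frame.
    """
    vid = config[port]["pvid"] if tag is None else tag
    # Assumed ingress filtering: the port must be a member of the VLAN.
    if config[port]["membership"].get(vid) is None:
        return None
    return vid


def forward(config, port, tag):
    """Map each egress port to 'untagged' or 'tagged' for a frame arriving on port."""
    vid = ingress_vlan(config, port, tag)
    if vid is None:
        return {}
    out = {}
    for p, settings in config.items():
        if p == port:
            continue  # never sent back out the ingress port
        mode = settings["membership"].get(vid)
        if mode == "U":
            out[p] = "untagged"   # tag stripped on the way out
        elif mode == "T":
            out[p] = "tagged"     # 802.1Q header kept on the way out
    return out


def config_problems(config):
    """Consistency checks worth running before saving a new VLAN layout."""
    problems = []
    for port, s in config.items():
        # A port's PVID VLAN should be one it is an untagged member of,
        # otherwise untagged frames it receives can never return untagged.
        if s["membership"].get(s["pvid"]) != "U":
            problems.append(f"port {port}: PVID {s['pvid']} is not an untagged member VLAN")
    # The page's caveat: this switch wants ports 23 and 24 configured identically.
    if config[23] != config[24]:
        problems.append("ports 23 and 24 differ; the GS724T requires them to match")
    return problems


if __name__ == "__main__":
    cfg = farm_switch_config()
    print("untagged frame in on port 5  ->", forward(cfg, 5, None))
    print("untagged frame in on port 24 ->", forward(cfg, 24, None))
    print("VID 2 frame in on port 5     ->", forward(cfg, 5, UNH_VLAN))
    print("problems:", config_problems(cfg))
```

Running it shows the behaviour the bullets describe: an untagged frame from a farm host floods only to the other farm ports, a frame from the wall jack on port 24 reaches every farm port tagged with VID 2 (so only hosts with an eth0.2 sub-interface see it), and a VID 2 frame from a farm host leaves port 24 untagged, as a plain UNH frame.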

VLAN

This stopped working in 2014 due to UNH Network reconfigurations. It needs to be revisited.

The farm has more servers and workstations than there are ethernet jacks on the walls of the room (Dem309). Therefore, two virtual LANs are set up so that all machines can make use of both the farm and UNH networks (More Info). Ports 1 through 22 on the switch default to the farm network. As a result, the majority of machines that are connected to the switch through device "eth0" will have access only to each other unless 1) they have an additional, physical connection to a wall jack, or 2) they are configured to use VLAN id 2, a.k.a. "eth0.2".

Here is an article on VLAN under Linux: Linux Journal

Software

/sbin/vconfig
Used to create virtual network devices, among other things. Creation is all we currently use it for.
/sbin/ifdown, /sbin/ifup
Used for shutting down and starting network interfaces. "Unfortunately, they, like far too many tools, assume a set naming scheme for ethernet family devices. (I might file a bug report if I get around to it:Aaron)." However, with aliases, devices can be referred to as "farm" and "unh" rather than "eth0" and "eth0.2".
/usr/bin/system-config-network
Fedora/Redhat GUI tool for configuring network devices, etc. Much nicer than editing config files by hand; setting aliases is easy, and it has ifup/ifdown functionality.

Configuration Files

From /usr/share/doc/initscripts-8.11.1/sysconfig.txt:

 /etc/sysconfig/network-scripts/ifcfg-<interface-name> and
 /etc/sysconfig/network-scripts/ifcfg-<interface-name>:<alias-name>:
   The first defines an interface, and the second contains
   only the parts of the definition that are different in a
   "alias" (or alternative) interface.  For example, the
   network numbers might be different, but everything else
   might be the same, so only the network numbers would be
   in the alias file, but all the device information would
   be in the base ifcfg file.

In-depth details are on Ifcfg_files_details; the key is to make sure that eth0.2's configuration has VLAN=yes in it. This is necessary for automatic creation of the virtual device at boot time. Details on how each machine is configured for the network can be found under Servers and Workstations.
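As an added example (not the wiki's own configuration and not part of the initscripts package), the following Python script parses ifcfg files and checks the point made above: a VLAN sub-interface such as eth0.2 must carry VLAN=yes, must be named <parent>.<vid>, and its parent must have a base ifcfg file of its own, since the alias file only holds what differs. The two sample files are constructed for this example; the address in them is a placeholder, not a farm address.

```python
"""Check a pair of ifcfg files for the VLAN settings the page calls out.

Added example (not from the NPG wiki or initscripts): parses the
KEY=VALUE lines of ifcfg-<interface> files and reports a sub-interface
that would not be created at boot. The sample files are constructed.
"""
import re

# Constructed sample: the physical farm interface. 10.0.0.200 is a
# placeholder, not a real farm address.
IFCFG_ETH0 = """\
DEVICE=eth0
BOOTPROTO=static
IPADDR=10.0.0.200
NETMASK=255.255.255.0
ONBOOT=yes
"""

# Constructed sample: the UNH-side VLAN sub-interface on the same NIC.
IFCFG_ETH0_2 = """\
DEVICE=eth0.2
BOOTPROTO=dhcp
ONBOOT=yes
VLAN=yes
"""

VLAN_DEVICE = re.compile(r"^(?P<parent>[A-Za-z0-9]+)\.(?P<vid>\d+)$")


def parse_ifcfg(text):
    """Return the KEY=VALUE pairs of an ifcfg file as a dict.

    Comments and blank lines are skipped and surrounding quotes are
    stripped, so DEVICE="eth0" and DEVICE=eth0 read the same.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def vlan_problems(files):
    """files maps a filename to its contents; returns a list of findings.

    A file counts as a VLAN sub-interface when its DEVICE looks like
    eth0.2 or it sets VLAN=yes. The checks mirror the page's advice:
    without VLAN=yes the virtual device is not created at boot.
    """
    parsed = {name: parse_ifcfg(text) for name, text in files.items()}
    devices = {s.get("DEVICE"): name for name, s in parsed.items()}
    findings = []
    for name, s in parsed.items():
        device = s.get("DEVICE", "")
        m = VLAN_DEVICE.match(device)
        has_vlan_flag = s.get("VLAN", "").lower() == "yes"
        if not m and not has_vlan_flag:
            continue  # an ordinary physical interface
        if not m:
            findings.append(f"{name}: VLAN=yes but DEVICE={device!r} is not <parent>.<vid>")
            continue
        if not has_vlan_flag:
            findings.append(f"{name}: DEVICE={device} needs VLAN=yes to be created at boot")
        if m.group("parent") not in devices:
            findings.append(f"{name}: parent interface {m.group('parent')} has no ifcfg file")
        if not 1 <= int(m.group("vid")) <= 4094:
            findings.append(f"{name}: VLAN id {m.group('vid')} is out of the 802.1Q range")
    return findings


if __name__ == "__main__":
    files = {"ifcfg-eth0": IFCFG_ETH0, "ifcfg-eth0.2": IFCFG_ETH0_2}
    print("ok:", vlan_problems(files) or "no problems")
    broken = dict(files, **{"ifcfg-eth0.2": IFCFG_ETH0_2.replace("VLAN=yes\n", "")})
    print("missing VLAN=yes:", vlan_problems(broken))
```

Pointing the script at a real /etc/sysconfig/network-scripts directory is a matter of reading each ifcfg-* file into the dict; the parser only needs the KEY=VALUE lines, which is all these files contain.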

UNH Network

Something to remember about the UNH network is that their firewall limits access to certain ports in some cases. For example, it isn't possible to print to jalapeno or (at least in my experience) send e-mail using SMTP if you're connected to the wireless network, but it works fine if you're connected to the wired network. This is not something we can change using our firewall settings, and it would likely require a bit of red tape in order to get UNH to open up a port for one of our servers.

Additional Network Notes

  • The Endeavour rack has a GS748TS, which is managed through 10.0.0.253. Nothing fancy is set up there yet.
  • rdate server -- a quick note on how to get a node to serve up time for rdate use.
  • The Common Wisdom page contains some useful notes about our network setup.