Talk:Infrastructure
From Interlock Rochester Wiki
Network Project
I would like to take the lead on this. I want to ask at the next meeting what people's needs are for network(s) and bandwidth [I know personally I'd like to play with some high bandwidth VoIP stuff, so the more bandwidth we can afford the better, imo] and see if what we have outlined on the Infrastructure page meshes with what everyone else was thinking. ---- BW 20:20, 2 December 2009 (UTC)
Care to tag-team this? --Fvox13 14:05, 3 December 2009 (UTC)
Help is always appreciated, Carl mentioned wanting to help as well. ---- BW 15:04, 3 December 2009 (UTC)
Ben, looks like you've got a good handle on this. Nicely detailed proposals. Thanks for stepping up to lead this.
The chief thing that springs to mind with regard to the RFC1918 address space allocations is that consumer level devices, which I think it's safe to say we'll have on hand at one time or another, typically use at least two of those ranges preferentially. Apple Airport base stations tend to use addresses in the 10.0.0.0/8 range, and non-Apple devices often plop themselves down in the 192.168.0.0/16 range.
My suggestion, then, is to use 172.16.0.0/12 range for all of our private networks. That way, if something shows a 192.168.x.y or 10.x.y.z address, we'll know right away that it's coming from something other than our stuff.
In that light, I propose 172.20.x.y for the production network, partitioned further as you suggest (perhaps spacing things out by 10s in the third octet instead of by 1s, to give some room in between), 172.30.x.y for the warzone. The mnemonic I have in mind for this is that .20 is an "even" multiple of 10, even meaning "smooth" and smooth being what one wants from a production environment. In contrast, .30 is an "odd" multiple of 10, odd being exciting, unusual, or even dangerous, depending on one's perspective, but certainly what one would expect from a "warzone". In between these two we'd have 172.25.x.y, which would be the playground--not expected to be at all dangerous, but you must be this tall to enter this ride.
The 10.0.0.0/8 space is pretty big, even if Apple does use part of it. From what I recall and can tell from a quick search, they tend to use 10.0.1.x addresses. I think it might be a good convention to pick some portion of the 10.0.0.0/8 space and then to recommend that people use it for setting up their own independent test networks, e.g., if they are building a private network on a single hardware host to use with a collection of virtual machines on that host. If their stuff stays on their own network, no big deal. If they screw up somehow and one of their devices ends up on our network, again, it'll be easy to tell because it is in this distinct 10.0.0.0 region. I think 10.100.0.0 would be easy to remember to use, and well away from Apple's use.
Within 192.168.0.0, I've seen use all over the range. Some devices I've had use 192.168.0.x range. Some 192.168.254.x. The Linksys NSLU2 "slugs" use 192.168.1.77. And those are just the ones I'm familiar with and can recall off the top of my head. So, I think we just leave this for use with those devices.
Anyway, that's my suggestion, based on my experience. You may have experience with devices that tend to default to 172.16.0.0 too, making this a less useful scheme, for instance.
Deejoe 16:07, 5 December 2009 (UTC)
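An added example, not part of the discussion above: a small Python check that classifies addresses under the 172.20 / 172.25 / 172.30 plus 10.100 plan Deejoe proposes and flags leases that fall in the factory-default ranges named in the thread. The lease-listing format, MAC addresses and hostnames are constructed for the example.

```python
import ipaddress
import re
# Address plan from the thread: our networks live in 172.16.0.0/12, member test
# networks in 10.100.0.0/16, and any other RFC1918 address is presumed not ours.
OUR_NETWORKS = {name: ipaddress.ip_network(cidr) for name, cidr in (
    ("production", "172.20.0.0/16"), ("playground", "172.25.0.0/16"),
    ("warzone", "172.30.0.0/16"), ("member-test", "10.100.0.0/16"))}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Factory defaults named in the thread: a match suggests an unconfigured consumer box.
KNOWN_DEFAULTS = {
    ipaddress.ip_network("10.0.1.0/24"): "Apple AirPort default range",
    ipaddress.ip_network("192.168.1.77/32"): "Linksys NSLU2 default address",
}

def classify(addr):
    """Return (label, detail) for one IPv4 address under the proposed plan."""
    ip = ipaddress.ip_address(addr)
    for name, net in OUR_NETWORKS.items():
        if ip in net:
            return name, "ours"
    for net, why in KNOWN_DEFAULTS.items():
        if ip in net:
            return "foreign", why
    if any(ip in net for net in RFC1918):
        return "foreign", "private address outside our allocations"
    return "public", "not an RFC1918 address"

# Constructed sample in the style of a DHCP lease / ARP listing (invented MACs and names).
SAMPLE_LEASES = """\
172.20.10.5   00:11:22:33:44:01  core-sw1
172.25.1.23   00:11:22:33:44:02  alice-laptop
10.0.1.1      00:11:22:33:44:03  Apple-Base-Station
192.168.1.77  00:11:22:33:44:04  slug
10.100.3.9    00:11:22:33:44:05  carl-vm-host
"""
def find_foreign(lease_text):
    """Return [(ip, mac, reason)] for every lease not on one of our networks."""
    hits = []
    for line in lease_text.splitlines():
        m = re.match(r"(\S+)\s+([0-9a-f:]{17})\s+(\S+)", line.strip(), re.I)
        if not m:
            continue  # skip blank or malformed lines
        try:
            label, detail = classify(m.group(1))
        except ValueError:
            continue  # first field was not an IP address
        if label not in OUR_NETWORKS:
            hits.append((m.group(1), m.group(2), detail))
    return hits
```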
Thanks much for the feedback, Deejoe. I like your ideas. I don't know of any devices that are using the 172.x.x.x range by default, so that all sounds good.
Also, Fvox13, good point about Cat6a. Let's shoot for Cat6 with the expectation that we will probably end up with a bunch of Cat5e and limited Cat6, which we'll probably want to use for core equipment that doesn't have other interconnects. ---- BW 00:37, 6 December 2009 (UTC)
I was looking at the subnetting layout and thought I'd chip in my two cents, for what it's worth. When addressing core devices (switches, routers, servers, and so on), I've found putting them on the subnet right before the broadcast more design-friendly. It makes writing ACLs much easier and more flexible, along with making adding new equipment to the core layer faster. Any thoughts on this? --BinaryMan
I have heard of doing that BinaryMan but I wasn't sure what the benefits were. ---- BW 14:37, 10 December 2009 (UTC)
Infrastructure Questions
See questions_for_felix, rather than duplicating content
Internet Access
Talking to John day about NFP discounts and possible packages for our building zone --Antitree 19:27, 3 December 2009 (UTC)
Fibertech: Metro Ethernet network ends 1/2 mile from our location. :-( :-( :-( They would have to run a fair amount of fiber to service us. Rather than hit us with $25 - $30K for a buildout cost, they would be able to spread the cost over the course of a 3 or 5 year term (and we wouldn't have to pay *all* of that cost!) Still waiting for official quote, but it does sound expensive. --Fvox13 22:00, 9 December 2009 (UTC)
Cogent: Offers off-net service by way of subcontracted T3 / SONET lines. Still waiting for quote, but I don't think they're a valid option, since the Fibertech guy says that Fibertech would be the subcontractor (!) and then Cogent would have to mark it up further. --Fvox13 21:35, 9 December 2009 (UTC)
TW Telecom: Submitted a quote request. They offer Metro Ethernet as well. --Fvox13 21:35, 9 December 2009 (UTC)
Frontier: Submitted a quote request. They offer Metro Ethernet, as well as more traditional telco solutions like DS1, DS3, DSL, etc. --Fvox13 22:00, 9 December 2009 (UTC)
Meeting Frontier representative at the Space 12/11/2009 at 5pm. --Fvox13 15:57, 10 December 2009 (UTC)
American Fiber Systems: Submitted Quote Request --Fvox13 13:59, 10 December 2009 (UTC)
Netsville: Submitted Quote Request --Fvox13 13:59, 10 December 2009 (UTC)
Paetec: Submitted Quote request --Fvox13 13:59, 10 December 2009 (UTC)
Based on what I saw in the temp space, *somebody* has *something* running to our building... we just have to figure out who and what! This whole thing is ridiculous... it's like there's a power line running to our building and we call the power company and they're like "That's not our power line; you have to call somebody else except we don't know who". Uggghhhh.... why aren't fiber providers regulated the same as other utilities?!? --Fvox13 13:58, 10 December 2009 (UTC)
Service Suggestions
AirPort Express wireless AP (connected to stereo system for streaming music via AirTunes?) Can also act as a USB print server if we have a printer donated (USB is not the best option... we should consider an ethernet-enabled printer (maybe someone can donate?)) --Ben Woodruff 06:19, 2 December 2009 (UTC)
Production network should have a more robust AP... maybe a Meru or Cisco?
I agree, the problem is cost. I didn't see any mentions of a better AP on the donations page, so we may be stuck with what I've got for the time being. We will also probably want to offer guest wireless access at some point, through a different SSID, which will require an additional/different AP (the new Apple equipment can do it, but this one can't).
I have a Meru AP100 and a Cisco Aironet 1200 that I will be donating --Fvox13 18:23, 8 December 2009 (UTC)
Does anyone know of a "good" captive portal type system like start.rit.edu or BlueSocket? I want something that can register MAC addresses with a DHCP server if proper credentials are supplied (auth w/ LDAP). Bonus points if it has optional static IP registration for servers and host management (remember which MACs belong to which users) ---- BW 20:06, 8 December 2009 (UTC)
I'm against captive portals (looks like you sort of agree, the way you said '"good" captive portal'), but Monowall might work --Fvox13 20:52, 8 December 2009 (UTC)
You should be able to use something like PacketFence, I would think. That has an included registration system, so that the admin doesn't have to do as much. Here is a link to its Features
--Cmd3187 21:11, 8 December 2009 (UTC)
NoCatAuth was developed for open-ish or community wireless networks. Might fit the bill. --Berticus 21:24, 8 December 2009 (UTC)
I like the looks of pfSense and PacketFence. Does anyone want to take charge of setting up the LDAP server and RADIUS authentication? It's something I'd like to observe on. ---- BW 14:40, 10 December 2009 (UTC)
I can probably set up a freeradius instance pretty easily. Though I will need to learn how to integrate it against OpenLDAP, since I have usually just set it up against shadow. I'll set up a sample one at home as a VM for now. Any preferences as to what VM container I use? I currently can work with QEMU, VMware, Xen, KVM and Solaris Zones. --Cmd3187 16:16, 11 December 2009 (UTC)