Network Connection in the NDPF

The configuration files and the source to the generated ACLs is in subversion at https://ndpfsvn.nikhef.nl/repos/ndpf/nl.nikhef.ndpf.config/routers/. Use your farm username and password (if you're authorized to begin with, i.e. are a member of the NDPFAdministrators directory group to get access, or check out from SVN using ssh.

To view actual bandwidth usage, Cricket graphs are available at http://www.dutchgrid.nl/ndpf/cricket/grapher.cgi (or on salado, the network management host, if you are within the Nikhef domain).

The high-level overview was drawn by Tristan at Nikhef network.

VLAN Identification and network naming

Colour coding: red is in use on deel, green is in use on nikgrid, and thus yellow is in use on both ...

Subnet allocations

Network Management System

A dedicated system is used to control the routers and the management switch. It has three ethe interfaces: eth0 connects it to the Nikhef guestnet (as salado.nikhef.nl) and should always be reachable, even if the deel and nikopn routers themselves are messed up. It's second interface (eth1) is connected to deel as a tagged interconnect, and links it to the public-sec network (as schoffel.nikhef.nl) as well as the ipmi network (as salado.ipmi.nikhef.nl, i.e., 172.20.1.255). The third interface actually connects the management blades of deel and nikopn, and can be used to control sw-mngt-01 (the 10/100 switch in c14). It has the address 192.168.254.4/24, where on that network deel is 192.168.254.1, nikopn is 192.168.254.2, and sw-mngt-01 is 192.168.254.254. Logging from this box is sent to boes.nikhef.nl, whose IP address is statically configured in /etc/hosts. Note that boes MUST be on a directly connected network to remain secure. It also has the MAC address of boes hardwires in /etc/ethers.

A copy of the cricket installation, configuration and data as of Oct 24, 2008, is available at (hefnet):/global/ices/grid/nikhef/network.

Setting and applying ACLs

The ACLs on deel and nikopn can only be inbound, and should eb applied to all physical and virtual interfaces in a consistent way in order to be effective. Since deel contains many different kinds of networks, it is logically easier to think of the protected to be applied to the outbound direction, i.e. what kind of traffic you allow to flow towards a particular subnet, instead of thinkging aboutn the traffic allowed inbound. However, the outbound ACLs you would need to implement the logical idea are not supported on the BigIron-RX series hardware. Similarly, access-policy-groups cannot be used.

To offset this limitation, a translation utility (tr-acl) has been built to convert logical access control rules in a set of inbound-only ACLs to be used on the foundry. It converts a high-level description of all connected subnets and the list of access controls to be applied in a set of inbound ALCs, one for each subnet. To work in this way, you:

1. write or update the high-level description. The one used for deel and nikopn is in the private SVN "ndpf" repository (ndpf/nl.nikhef.ndpf.config/router/ruleset.in or ruleset-nikopn.in). Make sure to commit and log changes
2. run the tr-acl command: tr-acl ruleset.in > /tftpboot/deel-acl
3. load the new ACLs in the router: cop tftp run 192.168.254.4 deel-acl
4. apply them to the interfaces: conf t and ip rebind-acl all
5. check to make sure that the CAM has not been exhausted and all ACLs actually have been applied. There should be no errors if you give the command: sho log

Example ruleset

The ruleset language looks an awful lot like the foundry syntax, but defines a couple of new constructs like subnetwork definitions, fixed pre- and post-fixes, and simple (non-recursive!) macros. For example

! ruleset for new deel router
!
interface interconnect
 connects 192.16.186.164/30
 connects 0.0.0.0/0
 excludes 192.16.186.192/26
 excludes 192.16.186.128/30
 excludes 194.171.96.0/21
 excludes 145.100.9.44/30
 excludes 172.16.0.0/12
 excludes 239.0.0.0/8
 excludes 0.0.0.0/32
 ! ban forged source IPs from entering
 ! do this once we configure IPs on our own VLANs
 prepend deny ip 194.171.96.0/21 any
 prepend deny ip 192.16.186.192/26 any
 end
! macro definitions
stanza permit-webserver
 permit tcp $src $dest eq http
 permit tcp $src $dest eq ssl
 end
!
! actual rules start here
ruleset
 !
 ! always allow established connections but filter localdomain
 permit tcp any any established
 deny ip 127.0.0.0/8 any
 deny ip any 127.0.0.0/8
 !
 ! HTTP and SSL servers on gridsrv are accessible from anywhere
 $permit-webserver(src=any,dest=194.171.96.64/28)
 !
 ! and deny all other traffic
 deny ip any any
!
end

Deel

Module 3 (rx-bi-10g-4-port)

Module 6 (rx-bi-1g-24-port-copper)

ports 13-24 reserved for the public-sec to-be VLAN

Module 7 (rx-bi-1g-24-port-fiber)

Module 10 (rx-bi-1g-24-port-copper)

Module 13 (rx-bi-1g-24-port-copper)

Module 16 (rx-bi-1g-48-port-copper)

Do not use PPRC4 (ports 37-48) until a firmware fix has been provided by FN

NikOPN

Module 1 (rx-bi-10g-4-port)

Module 2 (rx-bi-1g-48-port-copper)

Module 7 (rx-bi-10g-4-port)

sw-public-grid-01

sw-public-sec-01

sw-mngt-01