Netsupport is responsible for the server room routers, the inter-rack connections and usually the top-of-rack switches.
For the IP layer there are several options for how to set up the network.
Currently the top-of-rack switches are usually connected with dual 1 Gbit/s links to the server room routers (BMC-hall-routers). If you need higher network capacity, please discuss this with Netsupport.
Securing the management networks
Management ports for IPMI, LoM, RAID controllers, dedicated NAS, etc. are quite hard to secure. In particular, IPMI may use a side-band management LAN connection (sharing the host's network port), and some management controllers run their own operating system, complete with their own security problems and default passwords... This all means that the management ports have to be protected not only from the outside but possibly also from the other management ports on the same network, so that an attacker cannot jump between compromised systems over the management network.
Keeping every management controller on its own VLAN of course solves this, but it uses too many VLANs and is too hard to manage.
On the BMC-IT management network in the server room (called BMC-hall-IPMI) we are using the private VLAN (protected ports) feature in the switches to prevent the management controllers from talking to each other. This is an RFC1918 network, and incoming traffic to it is restricted to the workstations meant for this management.
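As an added illustration, not BMC-IT's own switch configuration, this is what the protected-ports approach described above looks like on a Cisco IOS-style switch: the access ports carrying management controllers are marked protected so they cannot exchange traffic with each other, the uplink stays unprotected so every controller can still reach the router and the management workstations, and a filter on the router only admits the management workstations into the RFC1918 management subnet. The switch platform, VLAN id 900, the port numbers and the 10.0.0.0/24 and 10.0.1.0/24 ranges are assumptions.

```cisco
! VLAN id and name are assumed, not the real BMC-hall-IPMI values.
vlan 900
 name MGMT-IPMI
!
! Access ports where the IPMI/BMC/LoM controllers are plugged in.
! "switchport protected" stops frames from one protected port being
! forwarded to any other protected port on this switch, even though
! all of them sit in the same VLAN.
interface range GigabitEthernet1/0/1 - 24
 description IPMI/BMC management ports (protected)
 switchport mode access
 switchport access vlan 900
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! The uplink to the server room router is deliberately NOT protected:
! protected ports may talk to unprotected ports, so every controller
! can still reach the router and, via it, the management workstations.
interface GigabitEthernet1/0/25
 description Uplink to server room router
 switchport mode trunk
 switchport trunk allowed vlan 900
!
! On the router holding the VLAN interface: only the management
! workstations (assumed 10.0.1.0/24) may send traffic into the
! management subnet (assumed 10.0.0.0/24). The "out" direction on the
! VLAN interface filters packets leaving the router towards the
! controllers, i.e. incoming traffic from the rest of the network.
ip access-list extended MGMT-IPMI-IN
 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip any any log
!
interface Vlan900
 description BMC-hall-IPMI (RFC1918, example addresses)
 ip address 10.0.0.1 255.255.255.0
 ip access-group MGMT-IPMI-IN out
```

Protected ports are only significant within one switch: two controllers on different top-of-rack switches in the same VLAN can still reach each other across the trunk, so with more than one switch the isolation needs the full private VLAN feature (an isolated secondary VLAN carried over the trunks) rather than protected ports alone.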
Good Option one - your own network
This option is good if you have a lot of servers in the server room, perhaps your own rack of equipment.
The users of the server room may, if needed, order their own VLAN and subnet. This VLAN will only be available in the BMC server room. Contact and discuss this with Netsupport.
For its own servers (those that BMC-IT does system administration for), BMC-IT will have two VLANs: one network for the servers and one for management.
Good Option two - the shared networks
This option is good if you need to put a single server or perhaps a small number of servers in the server room.
There are two shared networks, currently (2016-09-15) Vlan956 Public_servers_ACLed and Vlan962 Public_servers_open, which are meant for shared use in the BMC server room by activities that do not require their own VLAN.
Please note that neither of these two networks has a DHCP server activated, neither static nor dynamic DHCP. You need to set a static IP on the server without relying on a DHCP server.
The BMC-hall function at the IT-division (UUIT) and BMC is responsible for allocating IP-ranges in this network.
The normal procedure at the university is that those managing a network are also responsible for managing the router filter (via Netsupport), the perimeter firewall (via the Security and safety division), and DNS and DHCP (via IPAM or UUIT/Domainmaster).
But in this network the IP ranges have been allocated to different users in different parts of the university organisation. Each individual system administrator using the different IP ranges is responsible for their own activity in the IP ranges they have been allocated. This responsibility includes managing changes in the router filter and the perimeter firewall, and managing DNS and DHCP via UUIT/Domainmaster.
Bad Option three - the BMC network
It is possible, but Not Recommended, to attach equipment in the server room to the VLANs in BMC. The switch in one of the BMC-IT racks is connected with a single 10 Gbit/s link to the campus router in BMC (BMC-campus-router). Discuss this with BMC-IT. The Local IT for that VLAN (which may or may not be BMC-IT) is responsible for it.
The only reasons we have seen for this are, for example, handling old equipment with IP-based access control, or using Bonjour-based services on Macs, which work best within a single VLAN/subnet.
It is very important not to connect equipment to both the BMC-router and the BMC-hall-routers at the same time, since this may lead to STP renegotiation, which will mess up the network. Don't do this.
Bad Option four - dedicated network for a specific VLAN
It is possible, but Not Recommended, to use a dedicated network to connect to a VLAN somewhere else in the university (or SLU). This configuration is only meant for a limited amount of time, for example during a migration from one server room to another. Discuss this with UUIT/Netsupport.
This is bad in several ways:
- Less availability. The network will depend not only on the server room functioning (power, cooling) but also on the network at the other end (power, router, switches) where the dedicated connection terminates.
- Complicated network. The stranger the network setup is, the harder it is to maintain in the long run.
- Limited amount of fiber. The university has a limited amount of dedicated fiber. New fiber between campuses is quite expensive.
- Risk of network loops. There is a risk of STP renegotiation when connecting networks from different routers together. This may lead to shorter or longer total network outages.
It is very important not to connect equipment to both other routers and the BMC-hall-routers at the same time, since this may lead to STP renegotiation, which will mess up the network. Don't do this.