For IT Pros:
CITES Networking has implemented an extensive series of improvements and updates, and more improvements will be implemented in 2013.
CITES Networking is pleased to announce that we have made many improvements and updates to our campus network and we will be implementing many more in 2013.
- We've updated our networking infrastructure in buildings across campus.
- We've tested NAT on our wireless networks and will roll it out soon, followed by work on multicast and IPv6.
- We're continually looking at ways to improve our network's backbone and firewalls. Within the next two years, we're planning a campus network backbone refresh that will make it possible to add 100 Gbps Ethernet in the future, and we would like your input.
- We've already implemented several updates that are available now, including:
  - A new set of firewall-bypass options that will make it easier to connect to NCSA, UIS, and UIC from the Urbana campus
  - Global Server Load Balancing across the three campuses
  - Improvements to our high-speed research networks to make them faster and better interconnected.
- We've removed all Cross Node VLANs (with the help of IT pros across campus).
- We're moving routing to the buildings in order to provide redundancy for uplinks and make CAM partitions smaller for the Node routers.
- We're adding CER Telemetry to buildings, which will enable them to monitor their air conditioning, security doors, and power use.
Our new Needs Based Deployment model will allow for 20% immediate growth. We'll have stock readily available to install, and won't need to wait for parts to come in. This means there will no longer be a need to keep ports that aren't connected. We'll plan to place large orders to save money.
The CITES Operations Center has IT Pro support available 24 hours a day, 7 days a week. Call 244-1000 or email firstname.lastname@example.org.
When calling after hours, please help us by including:
- Who you are (e.g.: "I am an IT Pro for Department / Building _____")
- The scope of the problem (e.g.: "I'm reporting a widespread building outage")
- A specific request for On-Call support (e.g.: "Please page the On-Call support person")
Specifying the need to page the On-Call Support team will help the Champaign Telephone Company representatives who answer after-hours calls know what to do to expedite your request.
Network Address Translation, more commonly known as NAT, will be used for wireless in the near future. This will free up 14,000 IP addresses and will allow for the creation of several new large IP blocks. We've done some small testing deployments and it is working well.
If you have Private IP subnets on campus and would like to use NAT, we can work with you to get that set up. We are not converting the entire campus to NAT; we are only looking at things like wireless, where we can gain back multiple large IP blocks.
Next spring, we will be testing the use of Multicast on wireless, enabling the use of Bonjour on Apple products. If the testing goes well, AirPlay and AirPrint will become options for some devices (although the device list on wireless is likely to be very large).
After we've gotten NAT and Multicast off the ground, we'll be working on rolling out IPv6 for wireless.
During Winter Break 2012-2013, we'll be releasing a new way to put multi-user wireless devices on the network if they can't easily join the AD. This will be especially useful for departmentally shared mobile equipment like tablets and robots, which can be used by several different users over the course of one day. We are currently testing this new option with a few groups on campus.
In order to permit multi-user devices to authenticate to IllinoisNet Wireless, we're going to move the primary AD login for wireless from the UIUC domain to UOFI.
Within the UOFI domain, we'll use a department AD group called "<Department name or acronym>-devices" so you can add these devices yourselves. (You'll need to tell us the exact group name a device should be added to when you submit your request form.)
The format for each device user account name will be "device-1234ab5678cd" (where the info after "device-" is the MAC address of the device in lower case letters).
Please keep in mind:
- General purpose devices will still require you to track who has the device & when.
- Only devices whose MAC addresses and account names match will be able to authenticate (and they'll still need a password).
- This wireless connection method is only meant for devices that *don't* belong to a single user.
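The sketch below is an added example, not CITES code: it builds the "device-" account name from a MAC address written in any common notation and audits an inventory for entries whose account name and MAC address disagree. The function names, the sample inventory, and the strict lower-case comparison are assumptions made for illustration.

```python
import re

PREFIX = "device-"  # account-name prefix given in the announcement


def normalize_mac(mac):
    """Return a MAC as 12 lower-case hex digits, or raise ValueError.

    Accepts 12:34:AB:56:78:CD, 12-34-ab-56-78-cd, 1234.ab56.78cd, 1234ab5678cd.
    """
    compact = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", compact):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return compact


def device_account_name(mac):
    """Build the account name in the announced format, e.g. device-1234ab5678cd."""
    return PREFIX + normalize_mac(mac)


def audit(inventory):
    """Return (account, mac, reason) for each entry whose name and MAC disagree."""
    findings = []
    for account, mac in inventory:
        try:
            expected = device_account_name(mac)
        except ValueError:
            findings.append((account, mac, "invalid MAC"))
            continue
        if account != expected:  # exact, case-sensitive comparison (assumption)
            findings.append((account, mac, f"expected {expected}"))
    return findings


# Constructed sample inventory (not real campus devices).
SAMPLE = [
    ("device-1234ab5678cd", "12:34:AB:56:78:CD"),  # matches
    ("device-1234AB5678CD", "1234.ab56.78cd"),     # upper-case hex in the name
    ("device-00aa11bb22cc", "00:aa:11:bb:22:cd"),  # last octet differs
    ("device-0011223344", "00:11:22:33:44"),       # MAC is one octet short
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the audit before submitting a request form catches transcription errors that would otherwise surface only as failed wireless authentication.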
Our current backbone went into service in the summer of 2008. We are planning a refresh of the backbone hardware in the next two years. Technologies that we plan to look into include 100 Gbps Ethernet, Software Defined Networking (SDN) such as OpenFlow, and MPLS for increased flexibility in the backbone. We need your feedback on upcoming research projects or other things you are planning that might impact our backbone design choices.
Global Server Load Balancing (GSLB)
Global Server Load Balancing (GSLB) allows you to direct your service traffic to multiple servers in different locations. It works by changing the DNS response that your customers get based on your settings and the health of your servers. The servers can be on the same network or different networks, and even in different cities. The most common uses are load balancing between hardware at two different locations and providing the IP address of a backup server when the primary is down. The GSLB offering is highly redundant, with hardware in Chicago on the AN network and in Urbana on the Urbana Network. Contact CITES Networking if you are interested in using this service.
We've made it so that traffic to and from NCSA and the Administrative Network now bypasses the firewalls, so that both networks behave as if they were part of the Urbana campus. This change doesn't affect traffic to and from the Internet, but allows traffic to or from those nets to work with all of campus, including traffic for Private IP addresses. We still have netflow data for this traffic, but it is not inspected.
We've also added new firewall groups that allow your hosts to be open to UIS and UIC while still being protected from the rest of the Internet. For more information, see Firewall Service Plan Details.
We are also adding port 8443 to all of the "Mostly Closed" firewall groups in January.
How will the IPv6 roll-out affect my firewall ranges?
All of the firewall groups apply to IPv6 as well as IPv4. Unlike IPv4, IPv6 addresses are often chosen automatically by the computer, and many systems have more than one IPv6 address. This makes it nearly impossible to divide up the 65,000 IP addresses into 5 or 6 firewall groupings like we do with IPv4 and make sure that each host has the same firewall group for IPv4 and IPv6.
In order to solve this problem, you can only have one IPv6 firewall group per network, and it will need to match your single IPv4 firewall group for that network. As a transition strategy, so that you can move from multiple firewall groups to a single group per network and still move forward with the IPv6 deployment, a network that has multiple IPv4 groups can have a single IPv6 group, as long as that IPv6 group is the same as the most restrictive group you currently have.
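The rule above can be checked mechanically per network. The following is an added example, not CITES tooling: the restrictiveness ranking, every group name other than "Mostly Closed", and the network names are constructed placeholders, so substitute the real group list from the firewall service plan.

```python
# Constructed ranking, least to most restrictive. Only "Mostly Closed" is
# named in the announcement; the other names are placeholders.
RANK = ["Open", "Mostly Open", "Mostly Closed", "Closed"]


def required_ipv6_group(ipv4_groups, rank=RANK):
    """Return the one IPv6 firewall group a network may use.

    One IPv4 group: the IPv6 group must match it.
    Several IPv4 groups (transition): the most restrictive of them.
    """
    groups = set(ipv4_groups)
    if not groups:
        raise ValueError("network has no IPv4 firewall group")
    unknown = groups - set(rank)
    if unknown:
        raise ValueError(f"unranked group(s): {sorted(unknown)}")
    return max(groups, key=rank.index)


def check_network(name, ipv4_groups, ipv6_groups, rank=RANK):
    """Return policy findings for one network; an empty list means compliant."""
    v6 = sorted(set(ipv6_groups))
    if len(v6) > 1:
        return [f"{name}: {len(v6)} IPv6 groups in use, only one is allowed"]
    findings = []
    required = required_ipv6_group(ipv4_groups, rank)
    if v6 and v6[0] != required:
        findings.append(f"{name}: IPv6 group is {v6[0]!r}, must be {required!r}")
    if len(set(ipv4_groups)) > 1:
        count = len(set(ipv4_groups))
        findings.append(f"{name}: transition state, {count} IPv4 groups remain")
    return findings


# Constructed sample networks: (name, IPv4 groups in use, IPv6 groups in use).
SAMPLE = [
    ("net-a", ["Mostly Closed"], ["Mostly Closed"]),        # final state
    ("net-b", ["Open", "Mostly Closed"], ["Mostly Closed"]),  # valid transition
    ("net-c", ["Open", "Mostly Closed"], ["Open"]),         # IPv6 too permissive
    ("net-d", ["Open"], ["Open", "Closed"]),                # two IPv6 groups
]

if __name__ == "__main__":
    for net in SAMPLE:
        for line in check_network(*net):
            print(line)
```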
CITES Networking has made great strides to improve two of the University's most important research networking resources: research networking and the Intercampus Communications Network (ICCN).
CARNE: Campus Advanced Research Network Environment
CARNE is a recent joint project with NCSA that facilitates maximum flexibility for research endeavors requiring high bandwidth, low latency, or passive security while protecting the integrity of the production network.
Leaving campus, CARNE has a separate exit point connecting our researchers to Internet2. Currently, this is a dedicated 10G path. By the end of December it will be a 100G path to Internet2. In early summer, a secondary 100G path will be available to other research networks via the OmniPOP. Currently on campus, the campus cluster is connected to CARNE at 10G. As research project needs are identified, CARNE will be built out across campus with either physically or logically separated paths.
Our ICCN has been running for a few years. This is our link to the other U of I campuses, the commodity Internet, and other research institutions. It is a 40-channel DWDM network that is now capable of 100G speeds. We have a number of peerings, including other schools' regional networks, such as WiscNet, groups like CIC, and bandwidth-saving services such as Akamai.
Currently we have 4 x 1G waves, 7 x 10G waves, and 1 x 100G wave lit up. The primary ring is 915 km around, with a latency to go all the way around of about 5 ms. We've recently added a new lateral which connects Urbana to Peoria via Bloomington. This allows us to peer with ISU and a few other groups in that part of the state.