Sunday, February 08, 2004
Residence Networking
There is lots of crap to write about resnet. At the top of my head at the
moment is that I've worked out how to MAC lock machines to IPs.
I'm not sure this is a good idea, but you do it like this (strip the comment
and blank lines out of db.RESIDENCE, then turn each entry's IP and bare
12-digit MAC into an ipfw rule):
egrep -v -e ^# -e ^$ db.RESIDENCE | \
  perl -ne '@a = split /\s+/; $a[4] =~ s/(..)(?!$)/$1:/g; $a[4] =~ s/^#.+/any/;
            print "add 666 deny ip from not $a[0] to any mac $a[4] any\n"'
which makes rules like
add 666 deny ip from not 146.231.153.159 to any mac 00:a0:cc:d0:14:c5 any
add 666 deny ip from not 146.231.153.160 to any mac 00:0c:76:6e:60:0b any
I need a box that can handle lots (like ~1500) firewall rules. I'll also
have to do some clever (probably per subnet) skipto stuff to make it more
efficient. It'll have to be a P4 with a decent amount of memory in it.
Jacot says we can talk on Monday - he has money for it.
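For comparison, here is the same rule generation as a stand-alone script. This is an added example, not the post's pipeline: it assumes the db.RESIDENCE layout the one-liner implies (whitespace-separated fields, '#' comment lines, the IP in the first field and the MAC as 12 bare hex digits in the fifth), and the sample rows, hostnames and middle fields are constructed. It goes beyond the one-liner in three ways: a row whose MAC field is commented out or malformed is reported and skipped instead of becoming "any" (a rule with "mac any any" matches every frame on the segment), the rules are grouped per /24 behind a skipto dispatcher, which is the layout the paragraph above is after, and each block is an allow-list of (IP, MAC) pairs closed by a deny, with the host's MAC in the source slot, since ipfw's option is "mac dst-mac src-mac".

```python
"""Generate ipfw MAC-to-IP lock rules from a db.RESIDENCE-style host table.

Added example, not the blog's script. Layout assumed: whitespace-separated
fields, '#' comment lines, IP in field 1, MAC as 12 bare hex digits in field 5.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample rows; the hostnames and the two middle fields are
# placeholders, since the post never says what those columns hold.
SAMPLE_DB = """\
# ip              host     f3  f4  mac
146.231.153.159   res-a01  -   -   00a0ccd014c5
146.231.153.160   res-a02  -   -   000c766e600b

146.231.154.21    res-b07  -   -   00:11:22:33:44:55
146.231.154.22    res-b08  -   -   #unknown
146.231.154.23    res-b09  -   -   zz0c766e600b
"""

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def format_mac(raw):
    """Normalise a MAC to aa:bb:cc:dd:ee:ff; return None unless it is 12 hex digits."""
    digits = raw.lower().replace(":", "").replace("-", "")
    if not HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_db(text):
    """Return ([(ip, mac), ...], [rejected lines]); comments and blanks are skipped.

    A row whose MAC is commented out or malformed is rejected rather than turned
    into 'any', because a rule carrying 'mac any any' would match every frame.
    """
    hosts, rejected = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        try:
            ip = ipaddress.ip_address(fields[0])
            mac = format_mac(fields[4])
        except (IndexError, ValueError):
            ip, mac = None, None
        if ip is None or mac is None:
            rejected.append(line)
            continue
        hosts.append((ip, mac))
    return hosts, rejected


def ipfw_rules(hosts, base=1000, step=100, prefixlen=24):
    """Build the rule list: a per-subnet skipto dispatcher at `base`, then one
    block per subnet holding an allow rule per (IP, MAC) pair and a closing deny.

    ipfw's option is 'mac <dst> <src>', so the host's MAC sits in the source
    slot. Layer-3 passes (no Ethernet header) skip the whole section; a frame
    from a listed subnet passes only if it matches one of that subnet's pairs.
    """
    groups = defaultdict(list)
    for ip, mac in hosts:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[net].append((ip, mac))
    nets = sorted(groups)
    block = {net: base + step * (i + 1) for i, net in enumerate(nets)}
    end = base + step * (len(nets) + 1)

    rules = [f"add {base} skipto {end} ip from any to any not layer2"]
    for net in nets:
        rules.append(f"add {base} skipto {block[net]} ip from {net} to any")
    # Source address outside every listed subnet: leave it to the rest of the ruleset.
    rules.append(f"add {base} skipto {end} ip from any to any")
    for net in nets:
        for ip, mac in sorted(groups[net]):
            rules.append(f"add {block[net]} allow ip from {ip} to any mac any {mac}")
        rules.append(f"add {block[net]} deny ip from any to any")
    return rules


if __name__ == "__main__":
    hosts, rejected = parse_db(SAMPLE_DB)
    for rule in ipfw_rules(hosts):
        print(rule)
    for line in rejected:
        print("# skipped:", line)
```

The output is a rule file in the same form the one-liner produces, so it can be fed to ipfw the same way. Two things to check before relying on it: the mac rules only see frames when layer-2 filtering is switched on (net.link.ether.ipfw=1 on the FreeBSD of that era), otherwise every packet takes the "not layer2" skip and the section is a no-op; and, as the post itself notes, a machine that copies a valid MAC/IP pair from another room still matches an allow rule.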
I also want a 1000Base-SX NIC in it, because I feel sorry for the poor
buggers sharing a 100Mbps uplink to the rest of campus (and inter-res!). I
predict slowness, etc. John says I'm scaremongering.
So the question remains ... is this a good idea? It has advantages - like
it raises the barrier to entry for causing crap to people who can work out
how to change MAC addresses and can work out a valid MAC/IP combination.
This'll probably make my life simpler, and will increase the reliability of
the network. On the downside, it is a shitty thing to do to people.
I'll probably have to do it anyway though.
On a different note, I've now found a way to get more than 10 interfaces on
worm to work properly. There is a patch to isc-dhcpd3 that fixes this. Thanks
to Barry for pointing me in the right direction. This means that the
original resnet subnetting plan (which I'll write about some other time) can
continue now. I still need to move wardens anyway ...
20040215
I got a quote from Rectron and from Pinnacle today for the new resnet
firewall. It looks like I'll be able to order it before the end of the
week, which will improve perceived performance for students on resnet. It
also means MAC locking will become a reality, since that's one of the ways
the budget was justified.
On another note: why can't people go and visit the people they're told to? I
don't like being bugged about resnet at 8am as I walk into my office -
before I've even unlocked the door, nogal.
posted by guy at 00:00 SAST | path: /systems
