Difference between revisions of "447 Networking"

From London Hackspace Wiki
(2nd, 1U patch panel)
m (Kraptv moved page Networking to 447 Networking without leaving a redirect)
 
(26 intermediate revisions by 6 users not shown)
Line 17: Line 17:
 
For v6 we've got 2001:8b0:856:1::/64, we also get 2001:8b0:1111:1111::617a on the ppp link to boole.
 
For v6 we've got 2001:8b0:856:1::/64, we also get 2001:8b0:1111:1111::617a on the ppp link to boole.
  
Internally, we're on the chaosvpn range 172.31.24.0/23 (172.31.24.1-172.31.25.255)
+
Internally, we're on the chaosvpn range 172.31.24.0/23 (172.31.24.1-172.31.25.255) N.B: The network is ''not'' connected to the ChaosVPN at this time.
  
 
<graphviz>
 
<graphviz>
Line 35: Line 35:
 
== DNS ==
 
== DNS ==
  
boole runs bind as a nameserver and unbound as a caching resolver, they run on different ip's, it has to be done this way to make DNSSEC work.
+
[[Boole]] runs BIND as a nameserver and unbound as a caching resolver, they run on different IP addresses, it has to be done this way to make DNSSEC work.
  
The dhcp server pokes hostnames that the dhcp clients send it into dns under '''dhcp.lan.london.hackspace.org.uk'''. The default search path is '''lan.london.hackspace.org.uk''', so if you want to lookup a hostname for a machine that is a dhcp client, e.g. '''fish''' then you'd lookup '''fish.dhcp''', this avoids problems with dhcp clients asking to be '''wpad''' etc...
+
The DHCP server registers hostnames that the DHCP clients send it into dns under '''dhcp.lan.london.hackspace.org.uk'''. The default search path is '''lan.london.hackspace.org.uk''', so if a client wants to lookup a hostname for a machine that is a DHCP client, e.g. '''fish''' then it would lookup '''fish.dhcp''', this configuration avoids problems with DHCP clients asking to be '''wpad''' etc...
  
machines with static ip's are just under '''lan.london.hackspace.org.uk''', so you can go straight to '''babbage''', '''tesla''', etc...
+
Machines with static IP addresses use the subdomain '''lan.london.hackspace.org.uk''', so you can go straight to hosts '''chomsky''', '''tesla''', etc...
  
to flush the unbound cache run (as root, on boole):
+
To flush the unbound cache run (with root privileges, on [[boole]]):
  
 
  unbound-control flush_zone dhcp.lan.london.hackspace.org.uk
 
  unbound-control flush_zone dhcp.lan.london.hackspace.org.uk
 
  unbound-control flush_zone rev.lan.london.hackspace.org.uk
 
  unbound-control flush_zone rev.lan.london.hackspace.org.uk
 
  unbound-control flush_zone lan.london.hackspace.org.uk
 
  unbound-control flush_zone lan.london.hackspace.org.uk
 +
 +
== TLS ==
 +
 +
We don't run our own CA. Certs come from a mix of Startcom, Geotrust and Lets Encrypt. We'd like to migrate all the StartCom certs to Lets Encrypt. We use TLSA records tho they are mostly useful for email.
 +
 +
There is a list of our certificates here [[Networking/TLSCerts]]
  
 
== WiFi ==
 
== WiFi ==
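Review bot: the rewritten BIND/unbound sentence says the two daemons run on different IP addresses but never says which, so the flush commands at the end of this hunk (which talk to unbound via unbound-control) cannot be matched to the resolver address clients are actually handed; suggest adding the two addresses next to that sentence, e.g. "BIND on <ip>, unbound on <ip>". Minor: "into dns" in the DHCP sentence should be "into DNS" to match "DHCP" and "DNSSEC" in the same hunk.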
Line 51: Line 57:
 
We have 6 Cisco 3502 Access points, current deployment:
 
We have 6 Cisco 3502 Access points, current deployment:
  
* AP1 - office/quiet room - now mounted properly, thanks [[User:Sully]]!
+
* AP1 - office/quiet room - now mounted properly, thanks [[User:Sully|Sully]]!
 
* AP2 - classroom ceiling.
 
* AP2 - classroom ceiling.
* AP3 -  
+
* AP3 - Radio Shack
* AP4 -  
+
* AP4 - Biohackers
* AP5 -  
+
* AP5 - ?
 
* AP6 - spare
 
* AP6 - spare
  
Due to a new version of ios the accesspoints won't let you log in if you present them with loads of ssh pubkeys. To force ssh to use a password use:
+
Due to a new version of Cisco ios the accesspoints won't let you log in if you present them with loads of ssh pubkeys. To force ssh to use a password use:
  
 
  ssh -o "PreferredAuthentications password" root@ap1
 
  ssh -o "PreferredAuthentications password" root@ap1
  
We also have a WNDR3700v2 running OpenWRT, it run the LondonHackspace2 SSID (same password as LondonHackspace), see [[Networking/WifiProblems]] for more details. It's on top of the white Ikea shelves outside the classroom.
+
We have 3 SSID's:
 +
 
 +
* LondonHackspace - Standard WPA2 auth, the password can be found on notices stuck on the walls of most rooms
 +
* LondonHackspace-5Ghz - As above but 5Ghz only
 +
* spacenet - part of the [https://spacefed.net/wiki/index.php/SpaceFED SpaceFED] Federated inter-hackerspace wifi network, You'll need to setup [[LDAP]] account to use it.
 +
 
 +
<s>We also have a Netgear WNDR3700v2 running OpenWRT, it runs the LondonHackspace2 SSID (same password as LondonHackspace), see [[Networking/WifiProblems|Wifi Problems]] for more details. It's on top of [[tesla]] or near it.</s> decommissioned a while back iirc.
  
 
== Layer 2 ==
 
== Layer 2 ==
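Review bot: the WNDR3700v2 paragraph is kept as struck-through text with "decommissioned a while back iirc" appended, while the new "We have 3 SSID's" list above it no longer mentions LondonHackspace2; if the router is gone, delete the paragraph (or state in the SSID list that LondonHackspace2 no longer exists) rather than leaving struck text a reader may still act on. Also "Cisco ios" should read "Cisco IOS" and "SSID's" should be "SSIDs".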
Line 80: Line 92:
 
[[Equipment/Cisco1]] is in the basement rack, [[Equipment/Cisco2]] is in the quietroom rack
 
[[Equipment/Cisco1]] is in the basement rack, [[Equipment/Cisco2]] is in the quietroom rack
  
Also in the rack in the quiet room is a 12 port poe injector. It only does 100Mbit and seems to confuse auto-negotiation so cisco2 has had ports 1-5 configured with _speed 100_. Those first 5 ports are plugged into ports 1-5 of the poe injector, at the moment we are only using ports 1 and 2 for ap1 and ap2.
+
Also in the rack in the quiet room is a 12(?) port POE injector. Those first 5 ports are plugged into ports 1-5 of the poe injector, at the moment we are using ports 1 and 2 for ap1 and ap2, we also supply poe to backdoorbot, the main room camera, the classroom camera, and the socket in the cleaning cupboard. See [[Networking/POE]]
  
 
=== todo ===
 
=== todo ===
  
==== quiet room rack ====
+
See ''[[Networking Todo]]''.
 
 
* <s>upgrade ios on the switches</s>
 
* <s>ra guard if we can, or</s> use one of the linux things on boole.
 
* <s>2nd 2 port trunk to go down to the basement rack</s>
 
* <s>2nd patch panel</s>
 
* <s>terminate the 2 cables to outside the classroom</s>
 
* <s>terminate the 4 cables to the basement</s> - thanks Aden.
 
* finish ground floor wireing
 
** classroom east and south walls
 
** main room south wall
 
* fit everything into the rack
 
* <s>reattach doors and walls</s> - I don't think the door will ever fit
 
** maybe try sound proof tiles on the walls?
 
* print out the patch panel port destinations and stick to the inside of the door and the wall under the rack
 
* <s>test port 3 on the 4 cables going to the basement</s>
 
 
 
==== basement rack ====
 
 
 
* <s>rack power</s>
 
* <s>attempt to recalibrate ups</s>
 
* <s>ups in rack</s>
 
* <s>patch panel in rack</s>
 
* <s>terminate 4 cables from quiet room</s>
 
* <s>3com switch in rack</s>
 
* <s>config a 2nd 2 port trunk on a switch in the quiet room</s>
 
* <s>link everything together</s>
 
* Get remote access to the pdu sorted out
 
* graph the PDU power usage
 
* graph the UPS state
 
* print out the patch panel port destinations and stick on the wall by the rack
 
 
 
==== boole ====
 
 
 
* <s>Get more a&a details when it happens -? for the bandwidth usage?</s>
 
* v6 all the things. (since our ip range will change we have to fix all the dns as well)
 
* fiddle with dns, can we tell unbound to not cache the local zones?
 
* upgrade so we can get a 3.8 kernel, then patch with bufferbloat stuff
 
 
 
==== wifi ====
 
 
 
* <s>spacenet</s>
 
* reduce transmit power?
 
* we may be getting a WLC :)
 
 
 
==== Pretty things ====
 
 
 
* <s>Get the bandwidth meter working again</s>
 
  
== physical layer cat5e wireing ==
+
== Physical Layer CAT5E Wiring ==
  
 
=== Ground Floor ===
 
=== Ground Floor ===
  
==== double patch panel ====
+
==== Double Patch Panel ====
  
 
*  1 -  2 office near window
 
*  1 -  2 office near window
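Review bot: the rewritten PoE paragraph keeps "Those first 5 ports are plugged into ports 1-5 of the poe injector" but drops the sentence that introduced them (cisco2 ports 1-5 forced to speed 100 because the injector confuses auto-negotiation), so "Those first 5 ports" now has no antecedent; either restore "cisco2 ports 1-5" in the sentence or note that the speed 100 setting is no longer required. The port count also changed from "12" to "12(?)", which reads as a loss of certainty; a count at the rack would settle it.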
Line 146: Line 111:
 
* 15 - 16 left of roller door
 
* 15 - 16 left of roller door
 
* 17 - 18 rear wall of lobby
 
* 17 - 18 rear wall of lobby
 +
* 19 - 20 '''Basement''' on far wall near hose reel and phone dist boards. '''Basement'''
 +
* 21 - 22 '''Basement''' on wall on outside of lift plant room in metal workshop '''Basement'''
 +
* 23 - 24 '''Basement''' biohack lab on far wall. '''Basement'''
 +
* 25 - 26 '''Basement''' near fire hose pumps hidden behind the storage shelves '''Basement'''
 
* 27 - 28 office under cab
 
* 27 - 28 office under cab
 
* 29 - office under cab
 
* 29 - office under cab
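Review bot: in the four new basement entries (19-20 through 25-26) the bold word '''Basement''' appears at both the start and the end of each line; one is enough, and keeping only the leading one matches how every other entry leads with its location.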
Line 151: Line 120:
 
* 37,38 - doorbot
 
* 37,38 - doorbot
 
* 39,40 - near door in office
 
* 39,40 - near door in office
* 41,42 - classroom roof, 42 used for ap2
+
* 41,42 - classroom roof, 42 used for ap2, 41 used for classroom camera
* 43 - '''A''' outside classroom (classroom end not terminated)
+
* 43 - behind the beast
* 44 - '''B''' outside classroom (classroom end not terminated)
+
* 44 - in the cleaning cupboard.
 
+
* 45 - 'Q17' in the 3d printing area
4 spaces left on the double patch panel!
+
* 46 - 'Q18' in the 3d printing area
 +
* 47 - 48 corner of the electronics area on the west wall.
  
 
==== 2nd, 1U patch panel ====
 
==== 2nd, 1U patch panel ====
  
 
* 1-4 to ports 1-4 on patch panel in the basement rack, 1&2 used as a 2 port trunk to the [[cisco1]] in the basement rack. port 3 free, port 4 patches to port 17 upstairs, which is frontdoorbot.
 
* 1-4 to ports 1-4 on patch panel in the basement rack, 1&2 used as a 2 port trunk to the [[cisco1]] in the basement rack. port 3 free, port 4 patches to port 17 upstairs, which is frontdoorbot.
 +
* 5,6 & 7,8: to double sockets above the lobby for doorbots and friends
 +
* 9,10: double socket on the south wall in the corner where the classroom wall meets the south wall (on the outside of the classroom)
 +
* 11,12,13,14: quad socket behind teslaish
 +
* 15,16: double socket behind the printers.
 +
* 17,18: double socket on middle pillar
 +
* 19,20: double socket opposite kitchen for vending machine.
 +
 +
=== Basement ===
  
=== basement ===
+
N.B. Some of the ports in the quiet room rack go down to sockets in the basement, see ports 19-26 above.
  
==== 1U panel in basement rack ====
+
==== Upper 1U panel in basement rack ====
  
 
# to 1 on 1U panel upstairs, half of trunk to cisco1)
 
# to 1 on 1U panel upstairs, half of trunk to cisco1)
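Review bot: the context line "# to 1 on 1U panel upstairs, half of trunk to cisco1)" has a closing parenthesis with no opening one; "(half of trunk to cisco1)" is presumably intended. Since this hunk removes "4 spaces left on the double patch panel!" and fills ports 45-48, the unchanged 2nd 1U panel line ("port 3 free, port 4 patches to port 17 upstairs, which is frontdoorbot") is worth re-verifying at the same time so the two panels' descriptions stay in step.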
Line 171: Line 149:
 
# Biolab
 
# Biolab
 
# Biolab
 
# Biolab
# Cable tray near door, unterminated, yellow cable.
+
# Cable tray near door, terminated to socket near lift
 
# Cable tray near door, used by the PTZ workshop webcam
 
# Cable tray near door, used by the PTZ workshop webcam
 
# Modem Area, Black - used for the phone
 
# Modem Area, Black - used for the phone
Line 177: Line 155:
 
# Modem Area, Yellow - used for the link to A&A
 
# Modem Area, Yellow - used for the link to A&A
 
# Modem Area, Blue
 
# Modem Area, Blue
# Machine Shop, unterminated, black
+
# Machine Tool Area, in dual socket
# Machine Shop, rj45 plug, red boot, used for the 3-in-1 acnode
+
# Machine Tool Area, rj45 plug, red boot, used for the 3-in-1 acnode
# Machine Shop, rj45 plug, yellow boot
+
# Machine Tool Area, rj45 plug, yellow boot
# Machine Shop, unterminated, blue
+
# Machine Tool Area, in dual socket
 
# Cable tray by Etch station/pcb work area, RJ45 plug, green boot.
 
# Cable tray by Etch station/pcb work area, RJ45 plug, green boot.
#
+
# Brewbot/gimp closet (?)
#
+
# Brewbot/gimp closet (?)
 
#
 
#
 
#
 
#
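Review bot: the two "Machine Tool Area, in dual socket" entries (13 and 16) are word-for-word identical, so nobody can tell which panel port lands on which socket port; label them the way the classroom entries do (e.g. "socket port A/B"). "Brewbot/gimp closet (?)" is also added twice with the uncertainty marker kept; if it cannot be confirmed, say "unverified" so it is clear the entry is a guess rather than a typo.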
Line 190: Line 168:
 
#
 
#
  
==== To be added ====
+
==== Lower 1U panel in basement rack ====
  
===== Quiet room =====
+
* 1-4 are patched to the gigabit switch
 +
* 5-8 are patched to the 100Mbit PoE switch.
 +
* On the sockets the ports are labeled 2-number (e.g. 2-3 ) to distinguish them from the other sockets.
  
* 1 x double socket and a quad - maybe not if we put shelving up.
+
# Robotics area by the Staubli table
 
+
# Robotics area by the Staubli table
===== South Wall Outside the Classroom =====
+
# Robotics area desk
 
+
# Robotics area desk
* quad socket by tesla
+
# Wood shop back wall
* quad socket by the table next to tesla
+
# Wood shop back wall
 
+
# Wood shop right hand wall (wall shared with metal shop)
Both above serve tesla + babbage + printers + other bits
+
# Wood shop right hand wall (wall shared with metal shop)
 
+
#
* dual socket on the east side of the electronics bench
+
#
* and another on the west side
+
#
 
+
#
* dual socket somewhere by the door for future doorbot + other bits <- maybe a quad here?
+
#
 
+
#
All the above to go over new trunking, 14 cables.
+
#
 
+
#
===== Classroom =====
+
#
 
+
#
* <s>sockets on north and west walls</s> done!
+
#
* East wall: 4 x double socket
+
#
* South wall 3 double sockets
+
#
 
+
#
all 7 double sockets above to be fed from the trunking on the south side of the horizontal pillar thing along the ceiling == 14 cables, maybe too much to fit?
+
#
 
+
#
=== Basement ===
 
 
 
* 19 - 20 on far wall near hose reel and phone dist boards.
 
* 21 - 22 on wall on outside of lift plant room
 
* 23 - 24 biohack basement on far wall.
 
* 25 - 26 near fire hose pumps hidden behind the desk/counter
 
 
 
==== To be added ====
 
 
 
* 1 x double socket near biohackers door for ac node/doorbot
 
* 2 x double socket in each workshop for acnode
 
* ?
 
 
 
=== Total new sockets on the ground floor cabinet ===
 
 
 
4 between ground and basement
 
14 in the classroom
 
14 along south wall
 
--
 
32
 
 
 
= 28 new ports needed (4 spare on the existing panels).
 
 
 
_or_
 
 
 
5 doubles in the classroom
 
1 quad by tesla and babbage
 
1 double by tesla and babbage
 
1 quad by the door?
 
 
 
= 20
 
+ 4 to the basement.
 
  
 
[[Category:Premises]]
 
[[Category:Premises]]
 
[[Category:Infrastructure]]
 
[[Category:Infrastructure]]
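Review bot: the new "Lower 1U panel in basement rack" list has eight labelled entries followed by a long run of empty "#" items, and the bullets above it ("1-4 are patched to the gigabit switch", "5-8 are patched to the 100Mbit PoE switch") only cover those eight; either delete the empty items or mark the remaining ports "unused" so the rendered numbering does not suggest undocumented cables. The removed planning sections ("To be added", "Total new sockets on the ground floor cabinet") are dropped without a pointer; if they are still live, [[Networking Todo]] referenced earlier in the diff is the place to link them.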

Latest revision as of 17:59, 8 May 2018

There is a 48 port patch panel in the cab in the office upstairs, of which 29 ports are used.

The cab has 7 free U; we need 2 for the switches and 1 for Boole, leaving 4...

N.B. new plans depend on working out what we need for new classrooms etc.

Our ISP

80/20 FTTC, 1Tb bandwidth/mo with Zen, see speedtest or [1]

We've got a native IPv6-only ADSL connection (150Gb/month) thanks to Andrews & Arnold!

IPs

We have a /29: 82.69.229.0/29. All of them are aliased on lo on boole; see /etc/iptable/rules for the forwarding details.

For v6 we've got 2001:8b0:856:1::/64, we also get 2001:8b0:1111:1111::617a on the ppp link to boole.

Internally, we're on the chaosvpn range 172.31.24.0/23 (172.31.24.1-172.31.25.255) N.B: The network is not connected to the ChaosVPN at this time.

<graphviz>
digraph network {
    "Zen Interweb" -> Boole
    "A&A Interweb" -> Boole
    Boole -> "Cisco1"
    "Cisco1" -> "Cisco2"
    "Cisco1" -> "Babbage"
    "Cisco2" -> "AP 1"
    "Cisco2" -> "AP 2"
}
</graphviz>

DNS

Boole runs BIND as a nameserver and unbound as a caching resolver. They run on different IP addresses; it has to be done this way to make DNSSEC work.

The DHCP server registers the hostnames that DHCP clients send it into DNS under dhcp.lan.london.hackspace.org.uk. The default search path is lan.london.hackspace.org.uk, so to look up a machine that is a DHCP client, e.g. fish, you look up fish.dhcp. Keeping client-supplied names in their own subzone avoids problems with DHCP clients asking to be called wpad and so on.

Machines with static IP addresses live directly under lan.london.hackspace.org.uk, so you can go straight to hosts such as chomsky, tesla, etc.
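The split between the static zone and the dhcp subzone is the security-relevant part of the paragraph above: a client that names itself wpad must never end up answering for wpad.lan.london.hackspace.org.uk, which every machine on the search path would otherwise try first. The following Python model is an added example, not the hackspace's DHCP or DNS configuration. The zone names and the hostnames chomsky, tesla and fish come from the wiki; the 172.31.24.x/25.x addresses are constructed samples inside the page's internal range, and the reserved-name list and function names are this example's own assumptions.

```python
import re
from typing import Dict, Optional

LAN_ZONE = "lan.london.hackspace.org.uk"
DHCP_ZONE = "dhcp." + LAN_ZONE
SEARCH_PATH = (LAN_ZONE,)          # the default search path from the wiki

# RFC 1123 host label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Names never accepted from a DHCP client, even inside the dhcp subzone.
# "wpad" is the case the wiki calls out (browsers resolve it to fetch a proxy
# autoconfig file); the rest of the set is this example's assumption.
RESERVED = {"wpad", "localhost", "isatap"}

# Static hosts in the parent zone.  Hostnames are from the wiki; the addresses
# are constructed samples inside the 172.31.24.0/23 range.
STATIC: Dict[str, str] = {
    f"chomsky.{LAN_ZONE}": "172.31.24.10",
    f"tesla.{LAN_ZONE}": "172.31.24.11",
}


def dhcp_fqdn(client_hostname: str) -> Optional[str]:
    """Name a DHCP client is published under, or None if the name is refused.

    Only the first label of whatever the client sent is used, so a client that
    claims to be "chomsky.lan.london.hackspace.org.uk" still lands in the dhcp
    subzone instead of overwriting a static host.
    """
    label = client_hostname.strip().rstrip(".").lower().split(".")[0]
    if not _LABEL_RE.match(label) or label in RESERVED:
        return None
    return f"{label}.{DHCP_ZONE}"


def build_table(leases: Dict[str, str]) -> Dict[str, str]:
    """Merge the static hosts with DHCP leases given as {client_hostname: address}."""
    table = dict(STATIC)
    for hostname, addr in leases.items():
        fqdn = dhcp_fqdn(hostname)
        if fqdn is not None:
            table[fqdn] = addr
    return table


def lookup(table: Dict[str, str], name: str) -> Optional[str]:
    """Emulate a stub resolver using the wiki's search path.

    An unqualified name is tried with each search suffix appended, which is
    why "fish.dhcp" reaches fish.dhcp.lan.london.hackspace.org.uk and why a
    plain "wpad" only ever asks for wpad.lan.london.hackspace.org.uk, a name
    no DHCP client can register.
    """
    if name.endswith("."):                 # fully qualified, no search
        return table.get(name[:-1])
    for suffix in SEARCH_PATH:
        hit = table.get(f"{name}.{suffix}")
        if hit is not None:
            return hit
    return table.get(name)


if __name__ == "__main__":
    # Constructed leases: one honest client and three that should be contained.
    leases = {"fish": "172.31.25.20", "wpad": "172.31.25.21",
              "tesla": "172.31.25.22", "-bad": "172.31.25.23"}
    t = build_table(leases)
    for q in ("fish.dhcp", "wpad", "tesla", "tesla.dhcp"):
        print(f"{q:12} -> {lookup(t, q)}")
```

Running it shows that "tesla" still resolves to the static host even though a DHCP client asked for the same name, and that "wpad" resolves to nothing at all.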

To flush the unbound cache run (with root privileges, on boole):

unbound-control flush_zone dhcp.lan.london.hackspace.org.uk
unbound-control flush_zone rev.lan.london.hackspace.org.uk
unbound-control flush_zone lan.london.hackspace.org.uk

TLS

We don't run our own CA. Certs come from a mix of StartCom, GeoTrust and Let's Encrypt. We'd like to migrate all the StartCom certs to Let's Encrypt. We use TLSA records, though they are mostly useful for email.

There is a list of our certificates at Networking/TLSCerts.
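TLSA records are what DANE-validating mail servers check a presented certificate against, which is why the section above says they matter mostly for email. As an added example (not the hackspace's own tooling), the Python below derives TLSA RDATA from a certificate and checks a certificate against an existing record, going a little beyond the page by covering the selector and matching-type variants. It parses just enough DER to pull the SubjectPublicKeyInfo out of an X.509 certificate, so it needs no third-party library. The certificate it builds is a constructed ASN.1 skeleton with junk key bytes, not a real certificate, and the mail hostname is a placeholder; both are this example's assumptions.

```python
import base64
import hashlib


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _walk(data: bytes):
    """Yield (tag, value) for each top-level DER element in data."""
    i = 0
    while i < len(data):
        tag, n = data[i], data[i + 1]
        i += 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n = int.from_bytes(data[i:i + k], "big")
            i += k
        yield tag, data[i:i + n]
        i += n


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    (tag, cert_body), = _walk(cert_der)       # exactly one outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs = next(_walk(cert_body))           # first field is tbsCertificate
    fields = list(_walk(tbs))
    if fields and fields[0][0] == 0xA0:       # skip explicit [0] version
        fields = fields[1:]
    spki_tag, spki_val = fields[5]            # serial, sigalg, issuer, validity, subject, SPKI
    return _der(spki_tag, spki_val)


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """TLSA presentation-format RDATA; 3 1 1 is the usual choice for SMTP (DANE-EE, SPKI, SHA-256)."""
    subject = {0: cert_der, 1: spki_from_cert(cert_der)}[selector]
    digest = {0: lambda b: b.hex(),
              1: lambda b: hashlib.sha256(b).hexdigest(),
              2: lambda b: hashlib.sha512(b).hexdigest()}[mtype](subject)
    return f"{usage} {selector} {mtype} {digest}"


def tlsa_record(mailhost: str, cert_der: bytes, port: int = 25) -> str:
    """Zone-file line for DANE-for-SMTP: _25._tcp.<mailhost>. IN TLSA ..."""
    return f"_{port}._tcp.{mailhost}. IN TLSA {tlsa_rdata(cert_der)}"


def matches(rdata: str, cert_der: bytes) -> bool:
    """Check a presented certificate against TLSA RDATA, as a DANE client does."""
    usage, selector, mtype, data = rdata.split()
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype))
    return expected.split()[3].lower() == data.lower()


def constructed_cert(serial: int = 1):
    """Return (cert_der, spki_der) for a constructed, non-functional certificate."""
    rsa_oid = _der(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01]))
    sha256_rsa_oid = _der(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B]))
    # Junk key bytes: long enough to exercise long-form DER lengths.
    spki = _der(0x30, _der(0x30, rsa_oid + _der(0x05, b"")) + _der(0x03, b"\x00" + bytes(range(1, 130))))
    version = _der(0xA0, _der(0x02, b"\x02"))          # [0] EXPLICIT v3
    sigalg = _der(0x30, sha256_rsa_oid + _der(0x05, b""))
    name = _der(0x30, b"")                              # empty Name
    validity = _der(0x30, _der(0x17, b"180508000000Z") + _der(0x17, b"190508000000Z"))
    tbs = _der(0x30, version + _der(0x02, bytes([serial])) + sigalg + name + validity + name + spki)
    cert = _der(0x30, tbs + sigalg + _der(0x03, b"\x00" * 33))
    return cert, spki


if __name__ == "__main__":
    cert, _ = constructed_cert()
    print(tlsa_record("mail.example.invalid", cert))   # placeholder mail host
```

Because selector 1 hashes only the public key, a certificate reissued for the same key (as a Let's Encrypt renewal normally is) still matches the published "3 1 1" record, whereas a "3 0 1" record over the whole certificate has to be republished at every renewal; `matches` demonstrates both cases.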

WiFi

We have 6 Cisco 3502 Access points, current deployment:

  • AP1 - office/quiet room - now mounted properly, thanks Sully!
  • AP2 - classroom ceiling.
  • AP3 - Radio Shack
  • AP4 - Biohackers
  • AP5 - ?
  • AP6 - spare

Due to a new version of Cisco IOS, the access points won't let you log in if you present them with lots of SSH public keys. To force SSH to use a password, use:

ssh -o "PreferredAuthentications password" root@ap1

We have 3 SSIDs:

  • LondonHackspace - Standard WPA2 auth; the password can be found on notices stuck on the walls of most rooms
  • LondonHackspace-5Ghz - As above but 5 GHz only
  • spacenet - part of the SpaceFED federated inter-hackerspace wifi network; you'll need to set up an LDAP account to use it.

We also had a Netgear WNDR3700v2 running OpenWrt which ran the LondonHackspace2 SSID (same password as LondonHackspace); see Wifi Problems for more details. It sat on top of tesla or near it. It was decommissioned a while back, iirc.

Layer 2

For Zen (ipv4)

The phone line with FTTC on it comes into the basement by the BT DP boxes. A Huawei EchoLife HG612 there presents it as a PPPoE session, which is patched via port 10 to eth1 on boole (n.b. labelled ETH2 on boole's case).

For A&A (ipv6)

The phone line with FTTC on it comes into the basement by the BT DP boxes. A Huawei something there presents it as a PPPoE session, which is patched via port 11 to eth2 on boole (n.b. labelled ETH3 on boole's case).

Local Network

The rest of the network is connected to eth0 (labelled ETH1 on boole's case) on boole via the cisco1 switch. There is a 2 port trunk configured on both Cisco switches to connect them.

Equipment/Cisco1 is in the basement rack; Equipment/Cisco2 is in the quiet room rack.

Also in the rack in the quiet room is a 12(?) port PoE injector. Ports 1-5 of cisco2 are plugged into ports 1-5 of the PoE injector. At the moment we are using ports 1 and 2 for ap1 and ap2; we also supply PoE to backdoorbot, the main room camera, the classroom camera, and the socket in the cleaning cupboard. See Networking/POE.

todo

See Networking Todo.

Physical Layer CAT5E Wiring

Ground Floor

Double Patch Panel

  • 1 - 2 office near window
  • 3 - 4 office under cab
  • 5 office under cab - single socket
  • 6,7,8,9,10,11,12 - classroom
  • 13 - 14 pillar near shower
  • 15 - 16 left of roller door
  • 17 - 18 rear wall of lobby
  • 19 - 20 Basement: on far wall near hose reel and phone dist boards.
  • 21 - 22 Basement: on wall on outside of lift plant room in metal workshop
  • 23 - 24 Basement: biohack lab on far wall.
  • 25 - 26 Basement: near fire hose pumps hidden behind the storage shelves
  • 27 - 28 office under cab
  • 29 - office under cab
  • 30-36 - classroom
  • 37,38 - doorbot
  • 39,40 - near door in office
  • 41,42 - classroom roof, 42 used for ap2, 41 used for classroom camera
  • 43 - behind the beast
  • 44 - in the cleaning cupboard.
  • 45 - 'Q17' in the 3d printing area
  • 46 - 'Q18' in the 3d printing area
  • 47 - 48 corner of the electronics area on the west wall.

2nd, 1U patch panel

  • 1-4 to ports 1-4 on patch panel in the basement rack, 1&2 used as a 2 port trunk to the cisco1 in the basement rack. port 3 free, port 4 patches to port 17 upstairs, which is frontdoorbot.
  • 5,6 & 7,8: to double sockets above the lobby for doorbots and friends
  • 9,10: double socket on the south wall in the corner where the classroom wall meets the south wall (on the outside of the classroom)
  • 11,12,13,14: quad socket behind teslaish
  • 15,16: double socket behind the printers.
  • 17,18: double socket on middle pillar
  • 19,20: double socket opposite kitchen for vending machine.

Basement

N.B. Some of the ports in the quiet room rack go down to sockets in the basement, see ports 19-26 above.

Upper 1U panel in basement rack

  1. to 1 on 1U panel upstairs (half of trunk to cisco1)
  2. to 2 on 1U panel upstairs (half of trunk to cisco1)
  3. to 3 on 1U panel upstairs, pppoe line to boole
  4. to 4 on 1U panel upstairs, pppoe line to boole
  5. Biolab
  6. Biolab
  7. Cable tray near door, terminated to socket near lift
  8. Cable tray near door, used by the PTZ workshop webcam
  9. Modem Area, Black - used for the phone
  10. Modem Area, Red - used for the link to Zen
  11. Modem Area, Yellow - used for the link to A&A
  12. Modem Area, Blue
  13. Machine Tool Area, in dual socket
  14. Machine Tool Area, rj45 plug, red boot, used for the 3-in-1 acnode
  15. Machine Tool Area, rj45 plug, yellow boot
  16. Machine Tool Area, in dual socket
  17. Cable tray by Etch station/pcb work area, RJ45 plug, green boot.
  18. Brewbot/gimp closet (?)
  19. Brewbot/gimp closet (?)

Lower 1U panel in basement rack

  • 1-4 are patched to the gigabit switch
  • 5-8 are patched to the 100Mbit PoE switch.
  • On the sockets the ports are labelled 2-number (e.g. 2-3) to distinguish them from the other sockets.
  1. Robotics area by the Staubli table
  2. Robotics area by the Staubli table
  3. Robotics area desk
  4. Robotics area desk
  5. Wood shop back wall
  6. Wood shop back wall
  7. Wood shop right hand wall (wall shared with metal shop)
  8. Wood shop right hand wall (wall shared with metal shop)