Network Administration Guidelines

Contents

Document ownership
Definitions
Campus network design overview
Network administration
Faculty activities
Equipment Funding
Separation of user and server room subnets and equipment
Non-IST-approved network equipment
Server room network equipment
Conditions for UPS installation
Port density on equipment
Link aggregation outside of a server room
Locations without Wi-Fi (signal) coverage
Unmanaged switches
Personal routers
Temporary networks for events
Switch/Router Upgrades
Requests for custom ‘user network’ configurations
Request for custom ‘user subnet’
Linked Documents
 

Document ownership

The Director, Technology Integrated Services, IST has the responsibility for maintaining this document and providing guidance and advice on its implementation.  IST-TIS Networks services is the group implementing these guidelines and is hence forth referred to as network services.

Definitions

  • VRRP – virtual router redundancy protocol
  • LACP – link aggregation control protocol
  • LAG – link aggregation group using a protocol such as LACP
  • L3 – layer 3 (network layer) - routing
  • L2  - layer 2 (data link layer) – switching
  • VLAN – virtual local area network, a broadcast domain that is partitioned and isolated at L2
  • TR – telecommunication room (network closet)
  • AP – access point (wireless / Wi-Fi)
  • ACL – access control list
  • Managed – equipment with a network accessible user interface used to configure the device
  • VPN – virtual private network
  • SSH – secure shell

Campus network design overview

  • Routers are interconnected with L3 links only
  • Exception for VRRP design provided that:
    • Switches beneath each router are connected to both routers.
    • Spanning tree is properly designed and configured
  • VLANs cannot cross layer 3 boundaries (subnets from building A cannot be used in building B)
  • Campus subnets are protected by the distribution firewall
  • Common use public IP and private IP subnets are implemented for each building
  • Dedicated user subnets are assigned only if specific access control restrictions need to be applied on it
  • Access control lists are used only when a subnet needs protection from other on-campus networks

Network administration

IST has the overall responsibility of network management in all areas of campus (excluding equipment used exclusively in research), including:

  • Complete architecture, design, and interoperability of network technical infrastructure
  • Network management includes:
    • Network device configuration
    • Monitoring
    • Repair/replacement of failed equipment
    • Installation, maintenance, and removal of network cabling and related components
    • Troubleshooting
    • Hardware acquisition and ownership for general use network equipment
  • Maintenance will be performed in accordance to the TIS Core Service Level Expectations [1]

Faculty activities

The following service provisioning activities can be performed by faculty/departmental IT staff, to support local activities as efficiently as possible:

  • Creation, deletion, and maintenance of domain names for end user devices (through the IST provided software package)
  • Setting/changing of switch port speeds, duplexes, comments, and access VLANs (through the IST provided software package)
  • Patching cables in non-ZANI (Zero Administration Network Infrastructure) TR’s

Faculty/departmental IT staff can also request read-only SSH access to local routers and switches for diagnostic and troubleshooting purposes in the event that the IST provided software package does not provide adequate functionality. 

All work should be done in compliance with the Guidelines on use of Waterloo Computing and Network Resources [2] and the Telecommunication Room (TR) guideline. [3]

Equipment Funding

IST is responsible for funding equipment in the following cases:

  • Incremental expansion
  • Periodic equipment refresh during a campus wide network upgrade initiative subject to:
    • Time and material charges for network drops
    • Funding for new buildings and major renovations will continue to be funded through building project accounts
    • Equipment, maintenance, and external internet service costs for residence networks paid by Housing
  • Funding for faculty Data Center and Server room equipment continues to be funded by faculty support groups

University Colleges are responsible for funding equipment:

  • All equipment purchases
  • All installation costs

Connectivity of unofficial remote campuses:

  • For access to the main campus centralized resources (ex: telephone, Wi-Fi, shared drives) the following items must be true
    • Network services will coordinate the connectivity setup and recommend the service level
    • All fees (installation/support/monthly) associated with connectivity are paid for by the group setting up the new off campus location
    • The group setting up the new off campus location must provide an account before any purchases are made
  • A campus is deemed ‘unofficial’ if it is not identified on the uWaterloo website campus list. [4]

Connectivity of official off campus campuses

  • The list of official off campus campuses can be found on the uWaterloo website campus list [4]
  • Network services determines the appropriate service level
  • Network services pays for the service

Connectivity to main campus (all cases):

  • Build times for connectivity to campus can be six (6) months or longer depending on permits and approvals (these wait times are from the ISP vendor / city)
  • Network services controls all network equipment
  • Network services specifies the equipment to be purchased
  • Network services purchases the equipment on the provided account
  • Network services will order the required services for connectivity

Service level above our standard:

Groups wishing to exceed the level of centrally funded network infrastructure, increase capacity, or expand services should consult the Director, Technology Integrated Services, IST, as early as possible in the annual budget planning cycle.   Upon review of project objectives and requirements, IST will develop a design, including topology and bill of materials, and amount of central funding which can be provided.   IST will oversee procurement of equipment, perform device configuration and installation, and add to existing monitoring processes.

The funding of the equipment must be approved by network services as outlined in the document ‘Augmenting IST Funding and Services’ policy. [5]

Funding Summary:

Case / Situation

Paid by network services

Equipment for new buildings and large renovations

No

Residence equipment

No

Residence internet service

No

New network drops

No

Server Room equipment

No

Connectivity to/at unofficial campus

No

Connectivity to/at official campus

Yes

Incremental expansion for user access network equipment

Yes

Periodic refresh for user access network equipment

Yes

Isolated and specific upgrades

To be discussed

Separation of user and server room subnets and equipment

  • Servers must not be in the same subnets as user equipment.  
  • Servers should not be connected to the same network hardware as user equipment.

Non-IST-approved network equipment

  • Managed network equipment must not be attached to the campus network with anything other than a management port or a single access VLAN unless previously approved by network services.
  • Exceptions on Wi-Fi access points for research can be made following the wireless access point approval process. [6]

Server room network equipment

  • Faculty IT groups can have their ‘own’ server room network equipment installed and configured to participate in routing or switching with the campus network and be made available in the campus network management software under the following conditions:
    • Network hardware must be the standard network services recommended equipment
    • Network hardware must be approved by network services before purchase
    • Network hardware must be configured and managed by network services
    • Network hardware equipment purchase is paid for by the faculty
    • The configuration must follow the campus network design
    • The network hardware must not be connected to an Network services managed UPS without network services approval
    • Network services will not manage UPS’s for server room network equipment
    • Network services may not have spare equipment if the part numbers used are not standard equipment deployed across campus; in this situation the faculty IT group should stock spare hardware or accept the risk that the IST substitute may not be equivalent in the event of a failure
  • Equipment that connects to the campus network via a single access VLAN and subnet is treated as an end user device by network services.

Conditions for UPS installation

Installing UPS’s in all closets is not sustainable.  Network services installs UPS equipment to support building ‘user’ router and switch hardware only.  No other equipment should be connected to the UPS.  Installation is done and batteries are maintained if the below requirements are met.

  • The equipment is the building router for the user networks
    OR
  • The equipment is an aggregation switch with VOIP phones on switches below it
    OR
  • The equipment is an access switch with VOIP phones connected to it

Port density on equipment

Network services does not install 24 port network switches.

  • Existing 24 port switches are left in place until network expansion occurs
  • When network expansion renders a 24 port switch insufficient it will be replaced with a ‘like’ 48 port model.  (if its interfaces are 10/100, the replacement will be 10/100)
  • No new/previously-used 24 port switches will be installed

Network services installs either 48 port switches or chassis based switches.

The decision to use a chassis based switch is made with following considerations:

  • The physical area in the TR can support a chassis
  • The power in the TR can support a chassis
  • There is a minimum requirement (including expansion capacity) for three 48 port switches to be installed

Link aggregation outside of a server room

Network services will configure aggregate links for end user devices on an aggregation switch if there is sufficient port density room for expansion.  An aggregation switch is a switch that connects multiple switches and does not directly connect users.

Requirements for device link aggregation on an aggregation switch or building router:

  • The device that will connect to the aggregated ports must have long periods (multiple hours a day) of 80% + utilization on its existing network connection
    AND
  • The clients accessing the aggregated device should be on switches connected to this aggregation switch
    AND
  • The uplinks of the aggregation switch towards the router or client switches should be 10G or 10G capable or it must be possible to setup link aggregation on the configured switches uplink.

Locations without Wi-Fi (signal) coverage

Network services will install an additional AP when a location with Wi-Fi (signal) coverage does not meet the campus standard and the signal cannot be improved using the existing infrastructure.

Wi-Fi Coverage requirements:

  • The location is indoors
    AND
  • The location is an public/academic/office/research space
    AND
  • If the location is a non-public space it should have either 2.4Ghz or 5Ghz signal of at least -70dbm as measured by the network services tool set
    OR
  • If the location is a public space it should have both 2.4Ghz AND 5Ghz signal of at least -70dbm as measured by the network services tool set

Unmanaged switches

  • Unmanaged switches are allowed to be connect to the network outside of TR’s
  • Ports connected to an unmanaged switch are subject to ISS disabling for security reasons
  • Network services initial troubleshooting step may be to remove the unmanaged switch

Personal Routers

  • Private routers are allowed to be connected to the network outside of TR’s
  • Routers will be treated as an end host
    • They will receive one IP address
    • They will not participate or exchange routes with campus infrastructure
  • A router disrupting DNS or DHCP for other clients will be disconnected
  • Wi-Fi must be disabled unless a specific approval was obtained after following the wireless AP approval process.  [6]

Temporary networks for events

Network services can configure special wireless networks for events.  If an event is being held on campus with a period of one week or less network services can generate an event password which can be used to log into the captive portal once associated to the SSID ‘uw-wifi-setup-no-encryption’.   Attendees must register on the portal with the password one time per device for each event.

If an event requires Wi-Fi-device to Wi-Fi-device connectivity this can also be setup using the SSID ‘uw-event’ and a pre-shared-key for a period of one week or less.  This SSID will be limited to specific locations on campus.  Event organizers are responsible for any and all traffic on their event's wireless network and are expected to be available to assist in the identification and/or removal of any network device violating University of Waterloo computing policy. Repeated violations may result in the removal of network services for an event and/or the revocation of wireless network services for the organizer.

Network services can provide temporary ‘dynamic’ (no need to register the device) wired network access for events with the following requirements:

  • The defined period of the event must be no more than 1 week
  • The requestor must provide at least one week in advance the network jack label information

The requestor is responsible for securely taping/placing any network cabling and unmanaged switches so that they do not create safety or security hazards.

Switch/Router Upgrades

Network services will upgrade routers and switches during equipment refreshes.  Network services may also upgrade a network router or switch or line card if monitoring shows that there are:

  • daily high utilization (80% or above) on uplinks for the majority of the day and port aggregation cannot be used
  • daily high utilization (80% or above) on a majority of access ports for the majority of the day

Upgrades not meeting IST requirements can be requested if funding is provided by the requestor and is approved by Network services as outlined in the document ‘Augmenting IST Funding and Services’ policy. [5]

Upgrades purchased with faculty supplied funds are treated and controlled the same as those purchased with Network services funds and no preferential treatment is provided beyond the initial deployment:

  • The network equipment is treated the same as all other building network equipment
    AND
  • Network services will connect ports and utilize the switch as needed for network expansion
    AND
  • The equipment must meet the standard of network services

Requests for custom ‘user network’ configurations

Non-standard configurations on equipment must be deemed scalable and supportable across campus by network services before they are implemented.  If you have a specific problem network services can discuss possible solutions with you.

This applies to:

  • Temporary equipment installations
  • Unused features being enabled for a single device

Request for custom ‘user subnet’

Network services deploys common user subnets in all locations.  Users within a building will only be separated from users in the same building through the use of another subnet and VLAN in the following situation:

  • An ACL is required to protect the users from other users on our campus
  • Network services must be provided with exactly what traffic will be allowed into and out of the subnet in order to create the ACL

Linked Documents

  1. https://uwaterloo.ca/information-systems-technology/about/organizational-structure/technology-integrated-services-tis/technology-integrated-services-core-service-level
  2. https://uwaterloo.ca/information-systems-technology/about/policies-standards-and-guidelines/campus-network/guidelines-use-waterloo-computing-and-network-resources
  3. https://uwaterloo.ca/information-systems-technology/about/organizational-structure/technology-integrated-services-tis/network-services-resources/telecommunication-room-tr-guideline
  4. https://uwaterloo.ca/about/how-find-us/campuses
  5. https://uwaterloo.ca/information-systems-technology/sites/ca.information-systems-technology/files/uploads/files/augmentingistnetworkservices.pdf
  6. https://uwaterloo.ca/information-systems-technology/about/organizational-structure/technology-integrated-services-tis/network-services-resources/wireless-access-point-ap-approval-process