Network Administration Guidelines
Campus network design overview
Separation of user and server room subnets and equipment
Non-IST-approved network equipment
Server room network equipment
Conditions for UPS installation
Port density on equipment
Link aggregation outside of a server room
Locations without Wi-Fi (signal) coverage
Temporary networks for events
Requests for custom ‘user network’ configurations
Request for custom ‘user subnet’
Requests for DNS delegation
The Director, Technology Integrated Services, IST has the responsibility for maintaining this document and providing guidance and advice on its implementation. IST-TIS Networks services is the group implementing these guidelines and is henceforth referred to as network services.
- VRRP – virtual router redundancy protocol
- LACP – link aggregation control protocol
- LAG – link aggregation group using a protocol such as LACP
- L3 – layer 3 (network layer), routing
- L2 – layer 2 (data link layer), switching
- VLAN – virtual local area network, a broadcast domain that is partitioned and isolated at L2
- TR – telecommunication room (network closet)
- AP – access point (wireless / Wi-Fi)
- ACL – access control list
- Managed – equipment with a network accessible user interface used to configure the device
- VPN – virtual private network
- SSH – secure shell
Campus network design overview
- Routers are interconnected with L3 links only
  - Exception for a VRRP design, provided that:
    - Switches beneath each router are connected to both routers
    - Spanning tree is properly designed and configured
- VLANs cannot cross layer 3 boundaries (subnets from building A cannot be used in building B)
- Campus subnets are protected by the distribution firewall
- Common-use public IP and private IP subnets are implemented for each building
- Dedicated user subnets are assigned only if specific access control restrictions need to be applied to them
- Access control lists are used only when a subnet needs protection from other on-campus networks
IST has the overall responsibility of network management in all areas of campus (excluding equipment used exclusively in research), including:
- Complete architecture, design, and interoperability of network technical infrastructure
- Network management, which includes:
  - Network device configuration
  - Repair/replacement of failed equipment
  - Installation, maintenance, and removal of network cabling and related components
- Hardware acquisition and ownership for general use network equipment
- Maintenance will be performed in accordance with the TIS Core Service Level Expectations
The following service provisioning activities can be performed by faculty/departmental IT staff, to support local activities as efficiently as possible:
- Creation, deletion, and maintenance of domain names for end user devices (through the IST provided software package)
- Setting/changing of switch port speeds, duplexes, comments, and access VLANs (through the IST provided software package)
- Patching cables in non-ZANI (Zero Administration Network Infrastructure) TRs
Faculty/departmental IT staff can also request read-only SSH access to local routers and switches for diagnostic and troubleshooting purposes in the event that the IST provided software package does not provide adequate functionality.
IST is responsible for funding equipment in the following cases:
- Incremental expansion
- Periodic equipment refresh during a campus wide network upgrade initiative, subject to:
  - Time and material charges for network drops
- Funding for new buildings and major renovations will continue to be funded through building project accounts
- Equipment, maintenance, and external Internet service costs for residence networks paid by Housing
- Funding for faculty Data Center and Server room equipment continues to be funded by faculty support groups
Affiliated and Federated Institutions of Waterloo are responsible for funding equipment:
- All equipment purchases
- All installation costs
Connectivity of unofficial remote campuses:
- For access to the main campus centralized resources (e.g. telephone, Wi-Fi, shared drives) the following items must be true:
  - Network services will coordinate the connectivity setup and recommend the service level
  - All fees (installation/support/monthly) associated with connectivity are paid for by the group setting up the new off campus location
  - The group setting up the new off campus location must provide an account before any purchases are made
- A campus is deemed ‘unofficial’ if it is not identified on the uWaterloo website campus list.
Connectivity of official off-campus campuses:
- The list of official off-campus campuses can be found on the uWaterloo website campus list
- Network services determines the appropriate service level
- Network services pays for the service
Connectivity to main campus (all cases):
- Build times for connectivity to campus can be six (6) months or longer depending on permits and approvals (these wait times are from the ISP vendor / city)
- Network services controls all network equipment
- Network services specifies the equipment to be purchased
- Network services purchases the equipment on the provided account
- Network services will order the required services for connectivity
Service level above our standard:
Groups wishing to exceed the IST standard should make a request in writing via the RT system with their new requirements that exceed the standard design, the technical data detailing the new requirement and any data that shows the current equipment cannot meet the need.
The decision on exceeding the standards will be based on the provided data. If the request to exceed the standards of the equipment deployed by network services is approved, the full costs of equipment within the TR and between TR’s will be paid for by network services. Any costs associated with connecting devices to the new equipment will remain with the requestor.
The manager of network services will make a decision to implement the design modification or deny it (with an explanation). The decision is based on ensuring that solutions can scale, are supportable, interoperate with our currently deployed equipment, and are driven by technical requirements or data showing the current equipment is failing to provide the required service.
If the request is denied, the requestor can escalate the request to the director of TIS for review.
If the request is denied, the requestor can escalate the request to the CIO for review.
If the equipment is approved and existing budget does not exist, a budget request will be made to fund the equipment in the next budget cycle. If the requesting person/group wishes to provide funding in order to have the equipment installed now, this is possible, but it should be understood that the equipment is not owned by or for the exclusive use of said group. (Other faculty/ group / IST equipment may at some point be connected to the equipment.)
The funding of the equipment must be approved by network services as outlined in the ‘Augmenting IST Funding and Services’ policy document.
Case / Situation | Paid by network services
Equipment for new buildings and large renovations | No – building project accounts
Residence Internet service | No – Housing
New network drops | No – time and material charges
Server Room equipment | No – faculty support groups
Connectivity to/at unofficial campus | No – the group setting up the location
Connectivity to/at official campus | Yes
Incremental expansion for user access network equipment | Yes
Periodic refresh for user access network equipment | Yes
Isolated and specific upgrades | To be discussed
Separation of user and server room subnets and equipment
- Servers must not be in the same subnets as user equipment.
- Servers should not be connected to the same network hardware as user equipment.
Non-IST-approved network equipment
- Managed network equipment must not be attached to the campus network with anything other than a management port or a single access VLAN unless previously approved by network services.
- Exceptions on Wi-Fi access points for research can be made following the wireless access point approval process.
Server room network equipment
- Faculty IT groups can have their ‘own’ server room network equipment installed and configured to participate in routing or switching with the campus network and be made available in the campus network management software under the following conditions:
  - Network hardware must be the standard network services recommended equipment
  - Network hardware must be approved by network services before purchase
  - Network hardware must be configured and managed by network services
  - Network hardware equipment purchase is paid for by the faculty
  - The configuration must follow the campus network design
  - The network hardware must not be connected to a network services managed UPS without network services approval
  - Network services will not manage UPSs for server room network equipment
  - Network services may not have spare equipment if the part numbers used are not standard equipment deployed across campus; in this situation the faculty IT group should stock spare hardware or accept the risk that the IST substitute may not be equivalent in the event of a failure
- Equipment that connects to the campus network via a single access VLAN and subnet is treated as an end user device by network services.
Conditions for UPS installation
Installing UPSs in all closets is not sustainable. Network services installs UPS equipment to support building ‘user’ router and switch hardware only. No other equipment should be connected to the UPS. Installation is done and batteries are maintained if the equipment meets one of the following requirements:
- The equipment is the building router for the user networks
- The equipment is an aggregation switch with VOIP phones on switches below it
- The equipment is an access switch with VOIP phones connected to it
Port density on equipment
Network services does not install 24 port network switches.
- Existing 24 port switches are left in place until network expansion occurs
- When network expansion renders a 24 port switch insufficient it will be replaced with a ‘like’ 48 port model (if its interfaces are 10/100, the replacement will be 10/100)
- No new or previously used 24 port switches will be installed
Network services installs either 48 port switches or chassis based switches.
The decision to use a chassis based switch is made with the following considerations:
- The physical area in the TR can support a chassis
- The power in the TR can support a chassis
- There is a minimum requirement (including expansion capacity) for three 48 port switches to be installed
Link aggregation outside of a server room
Network services will configure aggregate links for end user devices on an aggregation switch if there is sufficient port density room for expansion. An aggregation switch is a switch that connects multiple switches and does not directly connect users.
Requirements for device link aggregation on an aggregation switch or building router:
- The device that will connect to the aggregated ports must have long periods (multiple hours a day) of 80%+ utilization on its existing network connection
- The clients accessing the aggregated device should be on switches connected to this aggregation switch
- The uplinks of the aggregation switch towards the router or client switches should be 10G or 10G capable, or it must be possible to set up link aggregation on the configured switch's uplinks
Locations without Wi-Fi (signal) coverage
Network services will install an additional AP when a location with Wi-Fi (signal) coverage does not meet the campus standard and the signal cannot be improved using the existing infrastructure.
Wi-Fi coverage requirements:
- The location is indoors
- The location is a public/academic/office/research space
- If the location is a non-public space it should have either a 2.4 GHz or a 5 GHz signal of at least -70 dBm as measured by the network services tool set
- If the location is a public space it should have both a 2.4 GHz AND a 5 GHz signal of at least -70 dBm as measured by the network services tool set
- Unmanaged switches are allowed to be connected to the network outside of TRs
  - Ports connected to an unmanaged switch are subject to ISS disabling for security reasons
  - Network services' initial troubleshooting step may be to remove the unmanaged switch
- Private routers are allowed to be connected to the network outside of TRs
  - Routers will be treated as an end host
  - They will receive one IP address
  - They will not participate or exchange routes with campus infrastructure
  - A router disrupting DNS or DHCP for other clients will be disconnected
  - Wi-Fi must be disabled unless a specific approval was obtained after following the wireless AP approval process.
Temporary networks for events
Network services can configure special wireless networks for events. If an event is being held on campus with a period of one week or less, network services can generate an event password which can be used to log into the captive portal once associated to the SSID ‘uw-wifi-setup-no-encryption’. Attendees must register on the portal with the password one time per device for each event.
If an event requires Wi-Fi-device to Wi-Fi-device connectivity, this can also be set up using the SSID ‘uw-event’ and a pre-shared key for a period of one week or less. This SSID will be limited to specific locations on campus. Event organizers are responsible for any and all traffic on their event's wireless network and are expected to be available to assist in the identification and/or removal of any network device violating University of Waterloo computing policy. Repeated violations may result in the removal of network services for an event and/or the revocation of wireless network services for the organizer.
Network services can provide temporary ‘dynamic’ (no need to register the device) wired network access for events with the following requirements:
- The defined period of the event must be no more than 1 week
- The requestor must provide the network jack label information at least one week in advance
The requestor is responsible for securely taping/placing any network cabling and unmanaged switches so that they do not create safety or security hazards.
Network services will upgrade routers and switches during equipment refreshes. Network services may also upgrade a network router or switch or line card if monitoring shows that there are:
- daily high utilization (80% or above) on uplinks for the majority of the day and port aggregation cannot be used
- daily high utilization (80% or above) on a majority of access ports for the majority of the day
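As an added illustration (not IST or network services tooling, and not code from this page), the following Python evaluates the two utilization criteria that appear in these guidelines: the ‘multiple hours a day of 80%+ utilization’ test for link aggregation in the earlier section, and the ‘80% or above for the majority of the day’ tests for uplink and access-port upgrades above. It assumes utilization has already been reduced to per-interval percentages (here 5-minute averages, a constructed polling interval), treats ‘long periods’ as the longest contiguous run of high samples, uses a two-hour minimum for ‘multiple hours’ (an assumption), and runs over constructed sample days rather than real monitoring data.

```python
"""Evaluate the utilization criteria described in the guidelines.

Added illustration, not IST / network services tooling. Assumes per-port
utilization is already expressed as a percentage per fixed polling interval
(for example 5-minute averages derived from SNMP octet-counter deltas).
"""

HIGH_UTIL_PCT = 80.0      # "80% or above" from the guidelines
INTERVAL_MIN = 5          # assumed polling interval, minutes
SAMPLES_PER_DAY = 24 * 60 // INTERVAL_MIN   # 288 samples per day


def high_fraction(samples, threshold=HIGH_UTIL_PCT):
    """Fraction of a day's samples at or above the threshold."""
    if not samples:
        return 0.0
    return sum(1 for s in samples if s >= threshold) / len(samples)


def majority_of_day(samples, threshold=HIGH_UTIL_PCT):
    """'Majority of the day': more than half of the day's samples are high."""
    return high_fraction(samples, threshold) > 0.5


def sustained_hours(samples, threshold=HIGH_UTIL_PCT, interval_min=INTERVAL_MIN):
    """Longest contiguous run of high samples, in hours.

    Used for the link-aggregation criterion 'long periods (multiple hours a
    day) of 80%+ utilization'; a contiguous run is this example's reading of
    'long periods'.
    """
    best = run = 0
    for s in samples:
        run = run + 1 if s >= threshold else 0
        best = max(best, run)
    return best * interval_min / 60


def qualifies_for_aggregation(samples, min_hours=2.0):
    """Device connection shows multiple hours a day of 80%+ utilization.
    The two-hour minimum is an assumption, not a number from the guidelines."""
    return sustained_hours(samples) >= min_hours


def uplink_needs_upgrade(uplink_samples, lag_possible):
    """Uplink criterion: high for the majority of the day AND port
    aggregation cannot be used on that uplink."""
    return majority_of_day(uplink_samples) and not lag_possible


def access_ports_need_upgrade(port_samples):
    """port_samples maps port name -> one day of samples.
    Criterion: a majority of the access ports are high for the majority
    of the day."""
    if not port_samples:
        return False
    hot_ports = sum(1 for s in port_samples.values() if majority_of_day(s))
    return hot_ports > len(port_samples) / 2


# --- constructed sample data (not measurements) ---------------------------
def build_day(high_windows, idle_pct=20.0, busy_pct=92.0):
    """Build one day of samples: idle_pct everywhere except the given
    [start, end) sample-index windows, which are set to busy_pct."""
    day = [idle_pct] * SAMPLES_PER_DAY
    for start, end in high_windows:
        for i in range(start, end):
            day[i] = busy_pct
    return day


# 08:00-22:00 busy: 168 of 288 samples (58% of the day), 14 h contiguous
BUSY_UPLINK = build_day([(96, 264)])
# 09:00-12:00 busy: 36 of 288 samples (12.5% of the day), 3 h contiguous
SPIKY_SERVER = build_day([(108, 144)])
QUIET_PORT = build_day([])

if __name__ == "__main__":
    print("uplink upgrade (no LAG possible):", uplink_needs_upgrade(BUSY_UPLINK, False))
    print("server qualifies for aggregation:", qualifies_for_aggregation(SPIKY_SERVER))
    print("access ports need upgrade:",
          access_ports_need_upgrade({"p1": BUSY_UPLINK, "p2": SPIKY_SERVER, "p3": QUIET_PORT}))
```

The two criteria are deliberately separate: a server that is saturated for a few hours a day meets the aggregation test but not the ‘majority of the day’ upgrade test, while a busy uplink meets the upgrade test only when a LAG on that uplink is not an option.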
Upgrades not meeting IST requirements can be requested if funding is provided by the requestor and the request is approved by network services as outlined in the ‘Augmenting IST Funding and Services’ policy document.
Upgrades purchased with faculty supplied funds are treated and controlled the same as those purchased with Network services funds and no preferential treatment is provided beyond the initial deployment:
- The network equipment is treated the same as all other building network equipment
- Network services will connect ports and utilize the switch as needed for network expansion
- The equipment must meet the standard of network services
Requests for custom ‘user network’ configurations
Non-standard configurations on equipment must be deemed scalable and supportable across campus by network services before they are implemented. If you have a specific problem, network services can discuss possible solutions with you.
This applies to:
- Temporary equipment installations
- Unused features being enabled for a single device
Request for custom ‘user subnet’
Network services deploys common user subnets in all locations. Users within a building will only be separated from users in the same building through the use of another subnet and VLAN in the following situation:
- An ACL is required to protect the users from other users on our campus
- Network services must be provided with exactly what traffic will be allowed into and out of the subnet in order to create the ACL
Requests for DNS delegation
DNS is a centrally managed service. Faculties have access to create, delete, and maintain domain names for end user devices through the IST provided software package. If an exceptional situation warrants DNS delegation, please contact IST's Director, Technology Integrated Services. The Director may grant delegation depending on the technical requirements. IST reserves the right to rescind delegation if the name servers adversely impact the operation of campus DNS, or are not securely maintained.