Network administration guidelines

Document ownership

The Director, Technology Integrated Services, IST has the responsibility for maintaining this document and providing guidance and advice on its implementation. IST-TIS Networks services is the group implementing these guidelines and is hence forth referred to as network services.

Definitions

VRRP – virtual router redundancy protocol
LACP – link aggregation control protocol
LAG – link aggregation group using a protocol such as LACP
L3 – layer 3 (network layer) - routing
L2 - layer 2 (data link layer) – switching
VLAN – virtual local area network, a broadcast domain that is partitioned and isolated at L2
TR – telecommunication room (network closet)
AP – access point (wireless / Wi-Fi)
ACL – access control list
Managed – equipment with a network accessible user interface used to configure the device
VPN – virtual private network
SSH – secure shell

Campus network design overview

Routers are interconnected with L3 links only
Exception for VRRP design provided that:
- Switches beneath each router are connected to both routers.
- Spanning tree is properly designed and configured
VLANs cannot cross layer 3 boundaries (subnets from building A cannot be used in building B)
Campus subnets are protected by the distribution firewall
Common use public IP and private IP subnets are implemented for each building
Dedicated user subnets are assigned only if specific access control restrictions need to be applied on it
Access control lists are used only when a subnet needs protection from other on-campus networks

Network administration

IST has the overall responsibility of network management in all areas of campus (excluding equipment used exclusively in research), including:

Complete architecture, design, and interoperability of network technical infrastructure
Network management includes:
- Network device configuration
- Monitoring
- Repair/replacement of failed equipment
- Installation, maintenance, and removal of network cabling and related components
- Troubleshooting
- Hardware acquisition and ownership for general use network equipment
Maintenance will be performed in accordance to the TIS Core Service Level Expectations [1]

Faculty activities

The following service provisioning activities can be performed by faculty/departmental IT staff, to support local activities as efficiently as possible:

Creation, deletion, and maintenance of domain names for end user devices (through the IST provided software package)
Setting/changing of switch port speeds, duplexes, comments, and access VLANs (through the IST provided software package)
Patching cables in TR’s following TR Guidelines

All work should be done in compliance with the Guidelines on use of Waterloo Computing and Network Resources [2] and the Telecommunication Room (TR) guideline. [3] Reference document Network Administration [4]

Equipment funding

IST is responsible for funding equipment in the following cases:

Incremental expansion
Periodic equipment refresh during a campus wide network upgrade initiative subject to:
- Time and material charges for network drops
- Funding for new buildings and major renovations will continue to be funded through building project accounts
- Equipment, maintenance, and external Internet service costs for residence networks paid by Housing
Funding for faculty Data Center and Server room equipment continues to be funded by faculty support groups

Affiliated and Federated Institutions of Waterloo are responsible for funding equipment:

All equipment purchases
All installation costs

Connectivity of unofficial remote campuses:

For access to the main campus centralized resources (ex: telephone, Wi-Fi, shared drives) the following items must be true
- Network services will coordinate the connectivity setup and recommend the service level
- All fees (installation/support/monthly) associated with connectivity are paid for by the group setting up the new off campus location
- The group setting up the new off campus location must provide an account before any purchases are made
A campus is deemed ‘unofficial’ if it is not identified on the uWaterloo website campus list. [5]

Connectivity of official remote campuses

The floor space must be primarily lecture rooms, project areas, and/or labs, for teaching purposes, and/or common areas, and be generally accessible by students.
If the use of such space is ended (e.g. lease cancelled, space becomes inactive) before the end of the term for network connectivity, the department, school or faculty is responsible for paying early cancellations fees.
If the purpose of the space changes from the primarily teaching function as described above, the department, school or faculty is responsible for ongoing fees and/or early cancellations fees.
Any one time installation costs are covered by the department, school, or faculty.
Changes in campus locations listed at this site will affect charges going forward from the date both IST and the department, school, or faculty are made aware of the change.[5]

Connectivity to main campus (all cases):

Build times for connectivity to campus can be six (6) months or longer depending on permits and approvals (these wait times are from the ISP vendor / city)
Network services controls all network equipment
Network services specifies the equipment to be purchased
Network services purchases the equipment on the provided account
Network services will order the required services for connectivity

Service level above our standard:

Groups wishing to exceed the IST standard should make a request in writing via the RT system with their new requirements that exceed the standard design, the technical data detailing the new requirement and any data that shows the current equipment cannot meet the need.

The decision on exceeding the standards will be based on the provided data. If the request to exceed the standards of the equipment deployed by network services is approved, the full costs of equipment within the TR and between TR’s will be paid for by network services. Any costs associated with connecting devices to the new equipment will remain with the requestor.

The manager of network services will make a decision to implement the design modification or deny it (with an explanation). The decision is based on ensuring that solutions can scale, are supportable, inter operate with our currently deployed equipment, and are driven by technical requirements or data showing the current equipment is failing to provide the required service.

If the request is denied, the requestor can escalate the request to the director of TIS for review.

If the request is denied, the requestor can escalate the request to the CIO for review.

If the equipment is approved and existing budget does not exist, a budget request will be made to fund the equipment in the next budget cycle. If the requesting person/group wishes to provide funding in order to have the equipment installed now, this is possible, but it should be understood that the equipment is not owned by or for the exclusive use of said group. (Other faculty/ group / IST equipment may at some point be connected to the equipment.)

The funding of the equipment must be approved by network services as outlined in the document ‘Augmenting IST Funding and Services’ policy. [6]

Funding summary:

Case / Situation	Paid by network services
Equipment for new buildings and major renovations	No
Residence equipment	No
Residence Internet service	No
New network cabling and materials	No
Server Room equipment	No
Connectivity to/at unofficial campus	No
Connectivity to/at official campus	Yes
Incremental expansion for user access network equipment	Yes
Periodic refresh for user access network equipment	Yes
Isolated and specific upgrades	To be discussed

Separation of user and server room subnets and equipment

Servers must not be in the same subnets as user equipment.
Servers should not be connected to the same network hardware as user equipment if they require any special considerations before network maintenance

Non-IST-approved network equipment

Managed network equipment must not be attached to the campus network with anything other than a management port or a single access VLAN unless previously approved by network services.
Exceptions on Wi-Fi access points for research can be made following the wireless access point approval process. [7]

Server room network equipment

Faculty IT groups can have their ‘own’ server room network equipment installed and configured to participate in routing or switching with the campus network and be made available in the campus network management software under the following conditions:
- Network hardware must be the standard network services recommended equipment
- Network hardware must be approved by network services before purchase
- Network hardware must be configured and managed by network services
- Network hardware equipment purchase is paid for by the faculty
- The configuration must follow the campus network design
- The network hardware must not be connected to an Network services managed UPS without network services approval
- Network services will not manage UPS’s for server room network equipment
- Network services may not have spare equipment if the part numbers used are not standard equipment deployed across campus; in this situation the faculty IT group should stock spare hardware or accept the risk that the IST substitute may not be equivalent in the event of a failure

Equipment that connects to the campus network via a single access VLAN and subnet is treated as an end user device by network services.

Conditions for UPS installation

Installing UPS’s in all closets is not sustainable. Network services installs UPS equipment to support building ‘user’ router and switch hardware only. No other equipment should be connected to the UPS. Installation is done and batteries are maintained if the below requirements are met.

The equipment is the building router for the user networks
OR
The equipment is an aggregation switch with VOIP phones on switches below it
OR
The equipment supports VoIP services at a an official off campus campus [5]

Port density on equipment

Network services does not install 24 port network switches.

Existing 24 port switches are left in place until network expansion occurs
When network expansion renders a 24 port switch insufficient it will be replaced with a ‘like’ 48 port model. (if its interfaces are 10/100, the replacement will be 10/100)
No new/previously-used 24 port switches will be installed

Network services installs either 48 port switches or chassis based switches.

The decision to use a chassis based switch is made with following considerations:

The physical area in the TR can support a chassis
The power in the TR can support a chassis
There is a minimum requirement (including expansion capacity) for three 48 port switches to be installed

Link aggregation outside of a server room

Network services will configure aggregate links for end user devices on an aggregation switch if there is sufficient port density room for expansion. An aggregation switch is a switch that connects multiple switches and does not directly connect users.

Requirements for device link aggregation on an aggregation switch or building router:

The device that will connect to the aggregated ports must have long periods (multiple hours a day) of 80% + utilization on its existing network connection
AND
The clients accessing the aggregated device should be on switches connected to this aggregation switch
AND
The uplinks of the aggregation switch towards the router or client switches should be 10G or 10G capable or it must be possible to setup link aggregation on the configured switches uplink.

Locations without Wi-Fi (signal) coverage

Network services will install an additional AP when a location with Wi-Fi (signal) coverage does not meet the campus standard and the signal cannot be improved using the existing infrastructure.

Wi-Fi Coverage requirements:

The location is indoors
AND

The location is an public/academic/office/research space
AND

If the location is a non-public space it should have either 2.4Ghz or 5Ghz signal of at least -70dbm as measured by the network services tool set
OR

If the location is a public space it should have both 2.4Ghz AND 5Ghz signal of at least -70dbm as measured by the network services tool set

Unmanaged switches

Unmanaged switches are allowed to be connected to the network outside of TR’s
Ports connected to an unmanaged switch are subject to ISS disabling for security reasons
Network services initial troubleshooting step may be to remove the unmanaged switch

Personal Routers

Private routers are allowed to be connected to the network outside of TR’s
Routers will be treated as an end host
- They will receive one IP address
- They will not participate or exchange routes with campus infrastructure
A router disrupting DNS or DHCP for other clients will be disconnected
Wi-Fi must be disabled unless a specific approval was obtained after following the wireless AP approval process. [7]

Temporary networks for events

Network services can configure special wireless networks for events. If an event is being held on campus with a period of one week or less network services can generate an event password which can be used to log into the captive portal once associated to the SSID ‘uw-wifi-setup-no-encryption’. Attendees must register on the portal with the password one time per device for each event.

If an event requires Wi-Fi-device to Wi-Fi-device connectivity this can also be setup using the SSID ‘uw-event’ and a pre-shared-key for a period of one week or less. This SSID will be limited to specific locations on campus. Event organizers are responsible for any and all traffic on their event's wireless network and are expected to be available to assist in the identification and/or removal of any network device violating University of Waterloo computing policy. Repeated violations may result in the removal of network services for an event and/or the revocation of wireless network services for the organizer.

Network services can provide temporary ‘dynamic’ (no need to register the device) wired network access for events with the following requirements:

The defined period of the event must be no more than 1 week
The requestor must provide at least one week in advance the network jack label information

The requestor is responsible for securely taping/placing any network cabling and unmanaged switches so that they do not create safety or security hazards.

Switch/Router Upgrades

Network services will upgrade routers and switches during equipment refreshes. Network services may also upgrade a network router or switch or line card if monitoring shows that there are:

daily high utilization (80% or above) on uplinks for the majority of the day and port aggregation cannot be used
daily high utilization (80% or above) on a majority of access ports for the majority of the day

Upgrades not meeting IST requirements can be requested if funding is provided by the requestor and is approved by Network services as outlined in the document ‘Augmenting IST Funding and Services’ policy. [6]

Upgrades purchased with faculty supplied funds are treated and controlled the same as those purchased with Network services funds and no preferential treatment is provided beyond the initial deployment:

The network equipment is treated the same as all other building network equipment
AND
Network services will connect ports and utilize the switch as needed for network expansion
AND
The equipment must meet the standard of network services

Requests for custom ‘user network’ configurations

Non-standard configurations on equipment must be deemed scalable and supportable across campus by network services before they are implemented. If you have a specific problem network services can discuss possible solutions with you.

This applies to:

Temporary equipment installations
Unused features being enabled for a single device

Request for custom ‘user subnet’

Network services deploys common user subnets in all locations. Users within a building will only be separated from users in the same building through the use of another subnet and VLAN in the following situation:

An ACL is required to protect the users from other users on our campus
Network services must be provided with exactly what traffic will be allowed into and out of the subnet in order to create the ACL

Requests for DNS delegation

DNS is a centrally managed service. Faculties have access to create, delete, and maintain domain names for end user devices through the IST provided software package. If an exceptional situation warrants DNS delegation, please contact IST's Director Technology Integrated Services. The Director may grant delegation depending on the technical requirements. IST reserves the right to rescind delegation if the name servers adversely impact the operation of campus DNS, or are not securely maintained.