Reach 2010

advertisement
A 20-20 View of
Net Conversion
Or, How I Learned to Stop
Worrying and Love the Firewall.
General Conversion Strategy
• No stressful global “D-Day” cutover.
• Maximum flexibility through initial
application of DHCP addressing without
making any other changes to the network.
• Nearly all machines can be changed “on
the fly” once DHCP is in use.
• Critical servers need not be reconfigured
until most parts are already in place.
Analyzing your vlan/network
• To start the process, inventory your critical servers,
printers, and any other machine that serves to other
machines on some network port.
• Use netpeek https://network.uic.edu/bluestemcgi/netpeek/netpeek.cgi to look at your current vlan in
terms of IP and/or mac address.
• Communicate all important information through RT
tickets, so nothing is lost along the way.
• For each serving machine, we need the mac address, ip
address, and what service is running, i.e. web, ssh,
printer, fileserver, etc.
• We make your DHCP configuration from this information.
Changing to Private IPs
• This is done at the end of the process, so
local LAN connection to local servers is
not disrupted.
• Since nearly every machine uses DHCP,
you may not need to do anything. ACCC
flips the DHPC lease file to point at the
new private IPs, and new leases initialize.
• In practice on production networks, this
change has taken as little as 10 minutes or
less in the best cases with help from
leprechauns.
Changing Multi-IP to Single
mac address Servers
• Servers with multiple IPs to a single mac
or very odd machines that don’t support
DHCP are configured manually .
• If you have one of those rare servers that
needs manual configuration (usually SSL
webservers or perhaps AD servers) you
change that IP while we are changing the
lease file -- at the end.
DHCP Configuration
• Any server on any port (web, ssh, printer, fileserver,
etc.) gets a mac-based fixed lease in the DHCP
server.
• DHCP service is configured for a machine before it
is changed to DHCP – so it gets a lease and works
right away when you change the machine to using
DHCP.
• Machines can be changed over a period of days –
no need to stress out and do them all at once.
• Nearly all machines use “plain vanilla” DHCP, i.e. no
manual configuration whatsoever. (“Obtain IP
address automatically.”)
NAT: Network Address Translation
• A firewall maps your “inside” address to an
“outside” address using NAT.
• At first, before you convert to private IPs on the
inside, both addresses are the same.
• example: 128.248.100.12 = 128.248.100.12
• Later, after conversion to private IPs on the
inside, a private IP maps to a public IP to allow
the machine to connect off your LAN.
• example: 128.248.100.12 = 10.252.67.23
• Usually these mappings are dynamic and the
outside address can change over time.
Static NAT – connecting from off-net
• Static NAT is a firewall configuration that locks in an
outside “public” address, so you can reach the
serving machine from off-net. We configure these.
• You still use DHCP, no manual configuration.
• You will still need a fixed-mac DHCP lease for this
machine.
• The outside “public” address will not change over
time.
• You can fix a DNS name to this outside address.
Classes of machines
• Fixie+staticNAT: serves off-net on some port(s)
• Fixie only: serves only on local net. Example –
use ACCC System’s OpenVPN to your private
vlan to use RDP or ssh from home, but no
access from Interwebz rabble.
• No NAT! The user cannot access off your vlan.
• No fixie, but does do dynamic NAT – user gets a
random public IP from a pool to access off-net.
Hassles and Gotchas
• Some legacy routed networks are an
unbelievable mess. Here we at ACCC do some
careful preparatory “peeling apart” of the mess.
• Every large network presents certain unique
details. We handle them with remote preparation
and log in RT.
• Because we don’t do a D-Day cutover, we can
handle these issues together as they arise.
• In rare instances, we must change the public IP
space. In these cases, we create a conversion
wiki for sanity.
Conversion wiki example – new IP space
The Conversion: Flipping the Network
• Scenario: Machines already on DHCP, staticNAT
info on any serving machines is in and
configured.
• We pick a time and change the DHCP leases all
at once. This takes about two minutes.
Machines automatically get new leases and
begin to connect right away. Lunchtime is often
best as people are here to notice and fix any
issues.
• At the same time, the very few (if any) servers
needing manual configuration are changed by
the REACHer.
Immediately after the NetFlip
• It’s “noon-30” and it’s very easy to find the two
printers and four PCs that were never changed
to DHCP. Non-working and easy to fix.
• You can’t connect to a serving machine from off
the network – yes, that static NAT was forgotten!
Easy to add since we’re here to see it.
• How to find information on all this? netpeek!
Netpeek – fixie + staticNAT
Netpeek – fixie, no static NAT
Generic workstation: no fixie, no static NAT
Generic workstation: NAT changes
Why DNS has changed
• On new firewalled networks you never
delete an IP and you never need to find a
new “empty” one.
• All private and public IPs are preregistered
with generic entries so that machines
changed to DHCP are not filtered for being
unregistered.
Changing DNS with Qnet
• Need to register a new public address?
Update the generic DNS name to the
name of your choice:
• Generic name: 128.248.60.165 dhcp-60-165.comclient.uic.edu
• New name:
128.248.60.165 mascot.rrc.uic.edu
• Make a point of updating Device entries in
Qnet: mac address, room, building, bjack.
Change is OK
• We’ve done many thousands of machines
across a number of UIC colleges.
• We minimize stress by good preparation,
helpful tools and gradual change.
• After conversion we are able to further
secure networks due to built-in flexibility of
the design.
Download