200 likes | 320 Views
A 20-20 View of Net Conversion. Or, How I Learned to Stop Worrying and Love the Firewall. General Conversion Strategy. No stressful global “D-Day” cutover. Maximum flexibility through initial application of DHCP addressing without making any other changes to the network.
E N D
A 20-20 View of Net Conversion Or, How I Learned to Stop Worrying and Love the Firewall.
General Conversion Strategy • No stressful global “D-Day” cutover. • Maximum flexibility through initial application of DHCP addressing without making any other changes to the network. • Nearly all machines can be changed “on the fly” once DHCP is in use. • Critical servers need not be reconfigured until most parts are already in place.
Analyzing your vlan/network • To start the process, inventory your critical servers, printers, and any other machine that serves to other machines on some network port. • Use netpeek https://network.uic.edu/bluestem-cgi/netpeek/netpeek.cgi to look at your current vlan in terms of IP and/or mac address. • Communicate all important information through RT tickets, so nothing is lost along the way. • For each serving machine, we need the mac address, ip address, and what service is running, i.e. web, ssh, printer, fileserver, etc. • We make your DHCP configuration from this information.
Changing to Private IPs • This is done at the end of the process, so local LAN connection to local servers is not disrupted. • Since nearly every machine uses DHCP, you may not need to do anything. ACCC flips the DHPC lease file to point at the new private IPs, and new leases initialize. • In practice on production networks, this change has taken as little as 10 minutes or less in the best cases with help from leprechauns.
Changing Multi-IP to Single mac address Servers • Servers with multiple IPs to a single mac or very odd machines that don’t support DHCP are configured manually . • If you have one of those rare servers that needs manual configuration (usually SSL webservers or perhaps AD servers) you change that IP while we are changing the lease file -- at the end.
DHCP Configuration • Any server on any port (web, ssh, printer, fileserver, etc.) gets a mac-based fixed lease in the DHCP server. • DHCP service is configured for a machine before it is changed to DHCP – so it gets a lease and works right away when you change the machine to using DHCP. • Machines can be changed over a period of days – no need to stress out and do them all at once. • Nearly all machines use “plain vanilla” DHCP, i.e. no manual configuration whatsoever. (“Obtain IP address automatically.”)
NAT: Network Address Translation • A firewall maps your “inside” address to an “outside” address using NAT. • At first, before you convert to private IPs on the inside, both addresses are the same. • example: 128.248.100.12 = 128.248.100.12 • Later, after conversion to private IPs on the inside, a private IP maps to a public IP to allow the machine to connect off your LAN. • example: 128.248.100.12 = 10.252.67.23 • Usually these mappings are dynamic and the outside address can change over time.
Static NAT – connecting from off-net • Static NAT is a firewall configuration that locks in an outside “public” address, so you can reach the serving machine from off-net. We configure these. • You still use DHCP, no manual configuration. • You will still need a fixed-mac DHCP lease for this machine. • The outside “public” address will not change over time. • You can fix a DNS name to this outside address.
Classes of machines • Fixie+staticNAT: serves off-net on some port(s) • Fixie only: serves only on local net. Example – use ACCC System’s OpenVPN to your private vlan to use RDP or ssh from home, but no access from Interwebz rabble. • No NAT! The user cannot access off your vlan. • No fixie, but does do dynamic NAT – user gets a random public IP from a pool to access off-net.
Hassles and Gotchas • Some legacy routed networks are an unbelievable mess. Here we at ACCC do some careful preparatory “peeling apart” of the mess. • Every large network presents certain unique details. We handle them with remote preparation and log in RT. • Because we don’t do a D-Day cutover, we can handle these issues together as they arise. • In rare instances, we must change the public IP space. In these cases, we create a conversion wiki for sanity.
The Conversion: Flipping the Network • Scenario: Machines already on DHCP, staticNAT info on any serving machines is in and configured. • We pick a time and change the DHCP leases all at once. This takes about two minutes. Machines automatically get new leases and begin to connect right away. Lunchtime is often best as people are here to notice and fix any issues. • At the same time, the very few (if any) servers needing manual configuration are changed by the REACHer.
Immediately after the NetFlip • It’s “noon-30” and it’s very easy to find the two printers and four PCs that were never changed to DHCP. Non-working and easy to fix. • You can’t connect to a serving machine from off the network – yes, that static NAT was forgotten! Easy to add since we’re here to see it. • How to find information on all this? netpeek!
Why DNS has changed • On new firewalled networks you never delete an IP and you never need to find a new “empty” one. • All private and public IPs are preregistered with generic entries so that machines changed to DHCP are not filtered for being unregistered.
Changing DNS with Qnet • Need to register a new public address? Update the generic DNS name to the name of your choice: • Generic name: 128.248.60.165 dhcp-60-165.comclient.uic.edu • New name: 128.248.60.165 mascot.rrc.uic.edu • Make a point of updating Device entries in Qnet: mac address, room, building, bjack.
Change is OK • We’ve done many thousands of machines across a number of UIC colleges. • We minimize stress by good preparation, helpful tools and gradual change. • After conversion we are able to further secure networks due to built-in flexibility of the design.