Network Design Office

One of the best ways to manage IP space is to use a DHCP server to hand out IP addresses to hosts on the network rather than hard code IPs for individual hosts. When contacting the NDO (ndo@uiuc.edu), please provide the following information when requesting additional IP space.

1. What is the subnet DNS name or gateway address of the IP space you are requesting to expand?
2. How many more IPs are you requesting?
3. Are you running a DHCP server?

If we cannot expand the existing subnet in place (due to pre-existing IP space allocation), we would have to move the entire subnet to a new bigger IP space. This could be time consuming if you are not running a DHCP server.

Alternatively, we could create a small subnet instead (either in private or public IP space) which gives you the option of placing your servers or printers/UPS' on a different subnet than your users, eliminating the risk of users stealing your server's IP address.

It depends on where they are moving from/to. If they are moving to a building that is fed off the same node as the one they are moving from, it is possible to extend the VLAN but there are several other factors to take into account, such as whether the move is temporary, whether the network is routed in the building or in the node, etc.

When contacting the NDO (ndo@uiuc.edu), please provide the subnet DNS name or gateway address of the network.

On-campus IP ranges:

These IP addresses are global unique addresses to UIUC campus and if placed in the right campus firewall category (and with the right system firewall and departmental firewall settings), can be accessed from anywhere.

• 128.174.0.0 / 16
• 130.126.0.0 / 16
• 192.17.0.0 / 16
• 64.22.176.0 / 20
• 72.36.64.0 / 18

In addition, the IP range 172.16.0.0 / 13 is used for internal purposes only. Systems in this IP range can be seen by other UIUCnet computers, and by computers on the NCSA network, but they cannot be reached by any computer that is not part of either UIUCnet or the NCSA network.

Private campus IP addresses:

The following IP addresses are unique only within the UIUC campus, and are not routed to off-campus.

• 172.20.0.0 /16

• 172.21.0.0 /16

• 172.22.0.0 /16

Private non-routed IP addresses:

These IP addresses are unique within a L2 network/broadcast domain (eg. within a building/floor/room). The use of these IP addresses is not regulated by the NDO.

• 192.168.0.0 /16

The Network Engineering group is trying to move to an all-routing core. For us to help facilitate that, we will need to stop tagging VLANs between nodes.

It's not a secret that we have had some mysterious problems with certain aspects of the core and we believe that many of them came about because of physical limitations of the hardware we purchased. The boxes we bought are great, but they are great at routing or great at switching, but not so great doing a lot of both switching and routing.

Moving to an all-routing core will help alleviate a lot of the congestion and lead to better stability. Many (if not all) well made applications/services/devices will work just fine communicating with each other across multiple subnets, so there should not be a need to have the VLAN extended.

Also, if your network grows too large (with a lot of active hosts), you will lose some of your bandwidth to chatter from broadcast. This is another reason to break up your large networks.

If you would like to discuss your specific needs, please contact the NDO at ndo@uiuc.edu.

A CER is a centralized and dedicated area where the cabling for each of the Ethernet jacks and access points in a building is aggregated into Ethernet switches. The Ethernet switches in a CER typically connect to the building demarcation switch via Gigabit Ethernet. Some buildings require multiple CERs depending on the density and distance of the cable runs.

Access to CERs are limited to authorized CITES personnel and the primary unit network administrator as identified in contact manager.

When a building contains multiple departments: Per the state auditors' recommendation, CITES will issue one key to the largest units primary network administrator. The administrator must be listed as primary contact in contact manager database, be employed full-time by the unit, and preferably located in the building. CITES DUS consultants do not meet these qualifications.

A network administrator will obtain a CER form by contacting CITES Network Design Office. The netadmin should complete the form with the authorized signatures and return it to the CITES Network Design Office.

Campus mail:

CITES Network Design Office
Attention: Network Design Office Manager
2120 DCL
1304 W. Springfield
MC 256

FAX:
(217) 333-4055

Upon receipt of the form, a key card will be issued in the name of the network administrator. The key card will be sent via campus mail or can be picked-up at 2120 Digital Computer Lab.

The authorized key holdershould take the key card to Physical Plant Facilities and Service key shop; they will issue one key to the authorized person listed on the key card.

Per the state auditors restrictions and security restrictions developed by HIPPA, CALEA, FSPA, etc., distributing multiple keys is not permissible. Authorized personnel are responsible for the physical security of the network. Unauthorized personnel shall not be given unsupervised access. It is the network administrator's responsibility to provide supervised access to personnel such as Facilities and Services for HVAC and or electrical maintenance and repairs.

Access during regular University business hours

Should you need emergency access to the CER during regular University business hours, you can always call the CITES Operations Center at 244-1000 and ask to have someone from Network Maintenance come over an open the room. That person will stay and supervise the activity in the CER at no charge.

Regular working hours are M-F 8:00a.m. - 5:00 p.m.

Access outside regular University business hours

We cannot offer this service for free outside regular working hours.

The charge for an after-hours Network Maintenance key-related visit is $100.

CERs are not intended for any other purpose except to house data networking peripherals and future technologies such as VOIP.

CER dimensions, cooling, electrical and equipment layouts are outlined by certified CITES personnel. When designing specifications for these rooms, analysis is based on network hardware heat dissipation, electrical output, current and future growth, rack layout, and physical security.

Devices such as servers and firewalls often exceed the specifications for these rooms and shall require separate space to house them. It is the unit's responsibility to find alternate space for non-CITES equipment.

These are the normal steps that happen in a Campus Funded Upgrade:

• Floor plans are given to the Department (usually to the Network Administrator) to mark up where and how many network jacks there should be. When that is completed, those drawings are given back to the CITES Plant Engineer to be engineered and digitized.

• The Plant Engineer locates cable paths and determines the best locations for CERs to meet the needs of cabling distances and room size requirements.
  

• The CER locations are obtained (if not already available) and Telecommunication Service Requests (TSR) are submitted for construction to begin.

• CERs will be constructed or built-out as necessary, or may stay the same. AC may be added if need.
  

• Electricians will come in and place the cable tray in the ceiling and run conduit. They may need to core-drill, which is usually pretty loud. They will also install wire molding for the new jack locations.

• Usually this is about the time that the NDO Designer will contact the Network Administrator about the needs of the building/departments. They will then continue to design the network, get the design approved, and order the new equipment.
  

• CIMS will come in after the electricians finish (or occasionally at the same time). They will be updating the fiber infrastructure and cabling. They will pull all of the cables to the new jack locations. They will terminate, label, and test the cables. When they finish they will have a floor plan that they will have hand written jack locations on, they will take this sheet to the Plant Engineer to be digitized. They will also get a copy of that information to the Assignments Group out at CIMS to be put into the Pinnacle Database.

• After the information is in the Pinnacle Database, the Network Designers will generate an Excel spreadsheet that that will need to be marked up by the Network Administrators. The Network Designer will also provide a copy of the new digitized floor plans (as-built's) to help the Network Administrator locate jacks that they would like to have activated. When the spreadsheet is marked up, it would be returned to the Network Designer, and then the Network Designer will configure the switches to meet the building's requirements.

• The locksmiths re-key the doors.

• Once the switches are configured and the doors are keyed, the NDO will install the switches in the CERs.

• CIMS will come out and use the spreadsheets to patch everything appropriately.

• Information is written to the switch port names to help identify which patch panel port that switch port is plugged into and what room that cable feeds.

• The NDO will inform you when it is safe to move over to the new equipment.

• Once off of the old network, CIMS will come and remove as much of the old system as they can.

• When the removal is complete, the upgrade is complete.

Equipment is generally paid for by University funds, even when ordered originally by the department.

Since Network Maintenance is familiar with the campus network and needs of the users, they are ideal candidates for knowing who will need a piece of network equipment that is removed. Sometimes parts from broken equipment can be used in production equipment that we can no longer get parts for. Also, network designers working on buildings may need equipment somewhere else. Since CITES is responsible for the network, we are tasked with keeping it maintained and running as efficiently as resources allow. This also allows for us to surplus older equipment more efficiently.

CITES is also responsible for the security of the campus network, and there are many reasons why equipment once on the network is not allowed any more. As new RFCs are drafted and approved, certain features of equipment or proprietary ways of behavior may have changed or have been standardized. Sometimes there are blatant security holes, device code is no longer produced or updated, or the equipment in general would be best replaced by updated equipment. In order to maintain security of the network, we remove those devices so they don't show up in normal distribution channels and get connected to the campus network. Network hubs, for example, send network traffic to all ports in the device. Not only is this using excessive bandwidth, it is a security risk because anyone attached to the device can listen to all the traffic on the subnet.

Maintenance contracts are expensive. For certain types of equipment, these costs can more than double on older equipment. Repair may be very expensive, and in some cases, cheaper to buy a new unit.

And lastly, older equipment generally draws more power. Replacing with newer will generally lower power consumption, heat loss, CER cooling capacity needs, and sometimes noise.

As stated in section 8 of the Interim Policy on Appropriate Use of Computers and Network Systems at The University of Illinois at Urbana-Champaign, any piece of network equipment connected to the campus network and/or backbone must be approved by the Network Design Office (NDO).

The link to the policy is http://www.admin.uiuc.edu/cam/CAM/viii/viii-1.1.html, and further clarification can be seen at http://www.cites.uiuc.edu/guidelines/network/sec8clarify.html.

The NDO periodically undergoes a switch bid for equipment we use when designing networks on campus. The bid is a combination of technical points awarded for device features, pricing, and long term costs associated with the device, such as maintenance or software contracts.

Whenever equipment goes out for bid, we work closely with Network Maintenance and Network Engineering to procure equipment that is compatible with existing equipment, reliable, and if possible, easy to maintain. Only devices that meet our specific needs and anticipated future needs at the time of bid are allowed to participate. Any device submitted for bid which passes a visual examination of features as described by the vendor through technical documents, web pages, emails, or product brochures must be received in-house for physical testing in a simulated campus environment before receiving final approval for purchase.

The same is true for any piece of equipment requested in use by a department or unit. If it is not on our approved list of equipment, the NDO must procure an evaluation unit which goes through the same rigorous testing procedure that any bid equipment does.

Please keep in mind that our list of approved equipment is ever changing. Equipment that we may have been installing only a year or two ago may no longer be approved for various reasons. This is why every new piece of equipment needs an approval, whether there is a similar currently installed piece of hardware or not.

The NDO is happy to evaluate and test any unit. This may be procured by the department and loaned to us for testing, or you may request that we ask for an evaluation unit ourselves. Please keep in mind that the normal timeframe for NDO requests five to six weeks, but network testing of equipment may take longer. We strongly suggest that you do not purchase equipment thinking it will be given an automatic approval. If this happens, we may deem the device not to be put on our network. This may become an unnecessary expense if you cannot return the device to the vendor and you cannot use it.

Technically, there is no reason why you wouldn't want to patch all jacks. However; economically this does not scale to the University's budget.

Campus funded upgrades provide enough network hardware switch ports for current active network devices plus a minimum 10% growth. If every jack in a building were patched there would be no open ports for any new jack additions.

In some cases this may require adding additional network hardware, racks, fiber, power, and extra cooling for the CER.

Everything you need to know should be answered at this website: http://www.cites.uiuc.edu/researchpark/index.html.

Once a request is received from a network admininstrator via email to ndo@uiuc.edu, the NDO manager assigns a designer to the request and creates a project ticket.

1. The requester receives a confirmation from NDO manager indicating the designer's name and project ticket number.

2. The designer will contact the requester and communicate via email or establish a meeting when detailed requirements are necessary.
   

3. When all details are agreed upon, the designer will document the network logical and pictorial layout and present to staff at our weekly design review meeting.

General time estimates:

• Simple VLAN requests are often completed within 24 -48 hours.

• If the VLAN does not exist in the building distribution switch, requests can take up to 5 days to complete.

• Off campus buildings that are not serviced with CITES fiber can take a minimum of 5-6 weeks, sometimes longer.

• Most requests take a minimum of 5-6 weeks to complete. Coordination with CITES DNS, Network Engineering, Network Maintenance, Plant Engineering, CIMS, and Security occur during this time frame. In addition, network hardware and miscellaneous peripherals are ordered.

• Requests that require electricians exceed the minimum completion date. CITES will submit information to electricians but does not control schedules outside of our unit.

• Complex requests such as campus funded upgrades, remodels, new buildings, etc. are coordinated by either a CITES project manager, Facilities & Services project manager or Captial Developement project manager. These projects can take several months or years to coordinate and complete.