
Network Best Practices and Explanations

Device Registration

Role Aliases

System administrators or groups who connect many devices to the network are encouraged to use groups and role aliases instead of individuals' addresses when registering devices. For example, the Foo research group system administrators might register all their computers to an email alias foo-support. This makes it easier to keep contact information organized and up to date.

Local Email Addresses

When individuals register network devices, we encourage the use of an IRIS-provided email address. This helps IRIS associate your full contact information with the device.

Printer Naming

Network attached printers are typically given fixed IP addresses and fixed DNS names. To make printers easy to find, IRIS recommends you follow the naming conventions outlined in the printing documentation during network registration.

Device Configuration

Configured Name

Please ensure the locally configured names on your device match the name you chose during network registration. This includes Windows and OS X system names and locally configured DNS hostnames. EECS maintains a single global namespace for registered hostnames across the IRIS network, covering both DNS and Active Directory. For example, if your device's NetBIOS name is inadvertently configured to match someone else's registered name, it can cause service disruptions for both devices.

DHCP

DHCP support is provided for all registered MAC addresses on the production networks. Using DHCP is the best way to configure all devices, even those with fixed IP addresses.

Network

MAC Address Authorization

IRIS hostmaster authorizes connections to the network and assigns IP addresses based on registered devices' MAC addresses. Configuring a device to use an IP or MAC address that is assigned or registered to a different device is an example of a policy violation. Connecting a device before the registration process is complete can also cause disruptions.
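As an added illustration (not IRIS tooling), the check below audits constructed DHCP acknowledgement lines against a constructed registration table and flags the two mismatches this page describes: a device using an IP or MAC registered to another device, and a client-reported name that differs from the registered hostname. The log format is approximated from ISC dhcpd syslog output; the MACs, names and addresses are all constructed.

```python
"""Audit DHCP lease lines against a device registration table (illustrative)."""
import re

# Constructed registration table: MAC -> (registered hostname, fixed IP or None)
REGISTRY = {
    "00:11:22:33:44:01": ("foo-ws1.example.edu", "10.10.1.21"),
    "00:11:22:33:44:02": ("foo-prn1.example.edu", "10.10.1.50"),
    "00:11:22:33:44:03": ("bar-lt1.example.edu", None),
}

# Constructed syslog lines in an approximated dhcpd DHCPACK format.
LEASE_LOG = """\
Mar 11 22:39:49 dhcp dhcpd: DHCPACK on 10.10.1.21 to 00:11:22:33:44:01 (foo-ws1) via eth0
Mar 11 22:39:50 dhcp dhcpd: DHCPACK on 10.10.1.50 to 00:11:22:33:44:02 (FOO-PRN1) via eth0
Mar 11 22:40:02 dhcp dhcpd: DHCPACK on 10.10.1.77 to 00:11:22:33:44:03 (bar-lt1) via eth0
Mar 11 22:40:15 dhcp dhcpd: DHCPACK on 10.10.1.21 to 00:11:22:33:44:99 (visitor) via eth0
Mar 11 22:40:30 dhcp dhcpd: DHCPACK on 10.10.1.60 to 00:11:22:33:44:01 (lab-box) via eth0
"""

# Captures the leased IP, the client MAC and the optional client-supplied name.
ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S+)\))?", re.I)


def audit(log: str, registry: dict) -> list:
    """Return (mac, ip, reason) tuples for every lease that contradicts the registry."""
    findings = []
    # Reverse index so we can tell whose fixed IP an unknown MAC is squatting on.
    fixed_ips = {ip: mac for mac, (_, ip) in registry.items() if ip}
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        ip, mac, client_name = m.group(1), m.group(2).lower(), m.group(3)
        reg = registry.get(mac)
        if reg is None:
            findings.append((mac, ip, "unregistered MAC"))
            if ip in fixed_ips:
                findings.append((mac, ip, f"IP registered to {fixed_ips[ip]}"))
            continue
        reg_name, reg_ip = reg
        if reg_ip and ip != reg_ip:
            findings.append((mac, ip, f"expected {reg_ip}"))
        # NetBIOS/DNS short names are case-insensitive, so compare lowercased labels.
        short = reg_name.split(".")[0].lower()
        if client_name and client_name.lower() != short:
            findings.append((mac, ip, f"client name {client_name!r} != registered {short!r}"))
    return findings
```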

Default per-device IP limits

Because IPv4 addresses are a limited resource, IRIS discourages using multiple IPs where alternative solutions exist; by default IRIS hostmaster will only provide one IP address per physical device. Hostmaster will request technical justification when a system administrator asks for additional IP addresses and evaluate needs on a case-by-case basis.

Typically, multiple IPs are requested for virtual machines (VMs) or for HTTP virtual hosting. Though NAT is prohibited as a method for granting network access to additional physical devices, IRIS encourages local use of NAT and RFC 1918 private IP addresses for virtual machines; this is the best option when using VMs on desktops or laptops. Any webserver that restricts access to resources with passwords should use SSL to provide encrypted authentication. Unfortunately, current SSL implementations only allow for one certificate per IP address/TCP port combination. Because of this limitation, we strongly suggest you host multiple projects as subdirectories on a single server rather than requesting additional hostnames.

Local Switches

In certain situations, it may be necessary to use an unmanaged network switch to connect more than one device to a single network port. Local switches are not recommended for servers or high-performance use, as they might introduce unreliability or performance bottlenecks. Scenarios where local switches are appropriate might include connecting multiple low-speed devices such as printers, desktops, or laptops. Note that when several devices share one network port through a local switch, a disruption caused by any one of them may require that device to be disconnected; if it is not swiftly unplugged, the network port will be deactivated and all devices on the switch will lose connectivity.

Recommended models of switches are available for immediate purchase from IRIS at the helpdesk.

Network Use

Network testing, scanning and security experiments

Campus policies include specific exceptions to allow for security and network experiments, but require prior permission. As such, please contact IRIS before performing security experiments, network or device scanning, or network experiments. You should also make sure to have specific permission from any external sites involved in the experiments.

The campus System & Network Security group (SNS) and the campus Audit group expect IRIS staff to conduct both proactive and reactive scans of the IRIS networks and devices.

File Sharing

Representatives of the motion picture, television and video game industries actively monitor file-sharing networks, such as BitTorrent trackers and eMule/eDonkey trackers, for distribution of files in violation of copyright. When copyright violations are detected by representatives of the intellectual property owners, they typically either demand an immediate takedown or offer a cash settlement in lieu of legal action.

Example Policy Violations

The following lists include examples of policy violations which could result in the termination of a device's network access or the disabling of a network port.

Last updated: 2019/03/11 22:39:49
