Best Practices and Explanations
Device Registration
ROLE ALIASES
System administrators or groups who connect many devices to the network are encouraged to use groups and role aliases instead of individuals’ addresses when registering devices. For example, the Foo research group system administrators might register all their computers to an email alias foo-support. This makes it easier to keep contact information organized and up to date.
LOCAL EMAIL ADDRESSES
When individuals register network devices, we encourage the use of an IRIS provided email address. This helps IRIS associate your full contact information with the device.
PRINTER NAMING
Network attached printers are typically given fixed IP addresses and fixed DNS names. To make printers easy to find, IRIS recommends you follow the naming conventions outlined in the printing documentation during network registration.
Device Configuration
CONFIGURED NAME
Please ensure the locally configured names on your device match the name you chose during network registration. This includes Windows and OS X system names and locally configured DNS hostnames. EECS maintains a single global namespace for registered hostnames across the IRIS network, including DNS and Active Directory. For example, if your device’s NetBIOS name is inadvertently configured to match someone else’s registered name, it can cause service disruptions for both devices.
DHCP
DHCP support is provided for all registered MAC addresses on the production networks. Using DHCP is the best way to configure all devices, even those with fixed IP addresses.
Network
MAC ADDRESS AUTHORIZATION
IRIS DNS administrators authorize connections to the network and assign IP addresses based on registered devices’ MAC addresses. An example policy violation is configuring a device to use an IP or MAC address assigned or registered to a different device. Connecting a device before the registration process is complete can cause disruptions.
DEFAULT PER-DEVICE IP LIMITS
Because IPv4 addresses are a limited resource, IRIS discourages using multiple IPs where alternative solutions exist; by default the IRIS DNS administrator will only provide one IP address per physical device. The DNS administrator will request technical justification when a system administrator asks for additional IP addresses and evaluate needs on a case-by-case basis.
Typically, multiple IPs are requested for virtual machines (VMs) or for HTTP virtual hosting. Though NAT is prohibited as a method for granting network access to additional physical devices, IRIS encourages local use of NAT and RFC 1918 private IP addresses for virtual machines; this is the best option when running VMs on desktops or laptops. Any web server that restricts access to resources with passwords should use SSL so that authentication is encrypted. Unfortunately, current SSL implementations only allow one certificate per IP address/TCP port combination. Because of this limitation, we strongly suggest you host multiple projects as subdirectories on a single server rather than requesting additional hostnames.
LOCAL SWITCHES
In certain situations, it may be necessary to use an unmanaged network switch to connect more than one device to a single network port. Local switches are not recommended for servers or high-performance use, as they might introduce unreliability or performance bottlenecks. Scenarios where local switches are appropriate might include connecting multiple low-speed devices such as printers, desktops, or laptops. Be aware that when several devices share one network port through a local switch, a disruption caused by any one of them may require the port to be deactivated; unless the offending device is swiftly unplugged, every device behind the switch will lose connectivity.
Recommended models of switches are available for immediate purchase from IRIS at the helpdesk.
RECOMMENDED SWITCHES
- NetGear GS105 5-port Gigabit Unmanaged Ethernet Switch
- NetGear GS108 8-port Gigabit Unmanaged Ethernet Switch
- Allied Telesis GS910/5 5-port Unmanaged Gigabit Ethernet Switch (loop protection MUST be disabled via “L/P DIS” switch)
- Allied Telesis GS910/8 8-port Unmanaged Gigabit Ethernet Switch (loop protection MUST be disabled via “L/P DIS” switch)
- (please email help@eecs.berkeley.edu if any of the links above have broken)
Network Use
NETWORK TESTING, SCANNING AND SECURITY EXPERIMENTS
Campus policies include specific exceptions to allow for security and network experiments, but require prior permission. As such, please contact IRIS before performing security experiments, network or device scanning, or network experiments. You should also make sure to have specific permission from any external sites involved in the experiments.
The campus System & Network Security group (SNS) and the campus Audit group expect IRIS staff to conduct both pro-active and reactive scans of the IRIS networks and devices.
FILE SHARING
Representatives of the motion picture, television and video game industries actively monitor peer-to-peer networks such as BitTorrent trackers and eMule/eDonkey servers for distribution of files in violation of copyright. When a copyright violation is detected, the intellectual property owners’ representatives typically either demand an immediate takedown or offer a cash settlement in lieu of legal action.
Example Policy Violations
The following list includes examples of policy violations which could result in the termination of a device’s network access or the disabling of a network port.
- Unplugging someone else’s network cable without their permission.
- Incorrect use of IP addresses or incorrect registration information:
  - Configuring an unregistered MAC address to use an IRIS IP address
  - Spoofing a MAC address
  - Using an IP address leased by DHCP to a different device
  - Using a static IP address assigned to a different MAC address or device
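The MAC address authorization rule and the registration violations listed above (unregistered MACs on the network, one device using another device’s IP) are the kind of conditions an administrator can check automatically, and the Device Configuration section’s requirement that a device’s locally configured name match its registered name can be checked the same way. The Python script below is an added example written for this page, not IRIS tooling: it assumes a registration export in the form of a MAC → (registered hostname, statically assigned IP) table and observation lines of the form `ip mac announced-hostname`, such as one might extract from a DHCP server log or ARP table. Both the table and the observation lines are constructed sample data; the hostnames, addresses and the `example.org` domain are placeholders.

```python
"""Audit observed IP/MAC/hostname triples against a device registration table.

Added example for the IRIS registration rules; all data below is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed registration table (hypothetical export, not real IRIS data):
# MAC address -> (registered hostname, statically assigned IP, or None if DHCP-only).
REGISTRATIONS: Dict[str, Tuple[str, Optional[str]]] = {
    "00:11:22:33:44:01": ("foo-ws01", "10.0.5.21"),
    "00:11:22:33:44:02": ("foo-printer", "10.0.5.40"),
    "00:11:22:33:44:03": ("bar-laptop", None),
}

# Constructed observation lines: "<ip> <mac> <hostname announced by the device>".
# A lone "-" means the device announced no name (for example, no DHCP request was seen).
OBSERVATIONS = """\
10.0.5.21 00:11:22:33:44:01 foo-ws01
10.0.5.40 00-11-22-33-44-99 foo-printer
10.0.5.77 00:11:22:33:44:03 BAR-DESKTOP.example.org
10.0.5.77 00:11:22:33:44:05 -
10.0.5.91 00:11:22:33:44:02 foo-printer
"""

# One finding: (kind, ip, mac, detail). Kinds map onto the policy violations above.
Finding = Tuple[str, str, str, str]


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to lower-case colon form so table lookups are exact."""
    canon = mac.strip().lower().replace("-", ":")
    if not re.fullmatch(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", canon):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return canon


def short_name(host: str) -> Optional[str]:
    """Reduce an announced hostname to its lower-case first label; None if absent."""
    host = host.strip().lower()
    if host in ("", "-"):
        return None
    return host.split(".", 1)[0]


def parse_observations(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Parse 'ip mac [hostname]' lines, skipping blanks and '#' comments."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        name = parts[2] if len(parts) > 2 else "-"
        rows.append((parts[0], normalize_mac(parts[1]), short_name(name)))
    return rows


def audit(observations, registrations) -> List[Finding]:
    """Compare observations with the registration table and return sorted findings."""
    static_owner = {ip: mac for mac, (_, ip) in registrations.items() if ip}
    macs_per_ip = defaultdict(set)
    findings: List[Finding] = []
    for ip, mac, name in observations:
        macs_per_ip[ip].add(mac)
        reg = registrations.get(mac)
        if reg is None:
            # "Configuring an unregistered MAC address to use an IRIS IP address"
            findings.append(("unregistered-mac", ip, mac, "MAC not in registration table"))
        else:
            reg_name, reg_ip = reg
            if name is not None and name != reg_name.lower():
                # Locally configured name does not match the registered name
                findings.append(("name-mismatch", ip, mac,
                                 f"device announces {name!r}, registered as {reg_name!r}"))
            if reg_ip is not None and ip != reg_ip:
                # Registered device is not on the address it was assigned
                findings.append(("wrong-ip", ip, mac, f"registered for {reg_ip}"))
        owner = static_owner.get(ip)
        if owner is not None and owner != mac:
            # "Using a static IP address assigned to a different MAC address or device"
            findings.append(("ip-conflict", ip, mac, f"IP is statically assigned to {owner}"))
    for ip, macs in macs_per_ip.items():
        if len(macs) > 1:
            # Two devices on one address: one of them is using an IP leased to another
            findings.append(("duplicate-ip", ip, ",".join(sorted(macs)),
                             "IP seen from more than one MAC"))
    return sorted(findings)


def run_audit() -> List[Finding]:
    """Run the audit over the constructed sample data."""
    return audit(parse_observations(OBSERVATIONS), REGISTRATIONS)


if __name__ == "__main__":
    for finding in run_audit():
        print(*finding, sep="\t")
```

On the sample data the script reports six findings: the unregistered MAC on 10.0.5.40 (which also conflicts with the printer’s static assignment), a second unregistered MAC sharing 10.0.5.77 with a registered laptop, that laptop announcing a name other than its registered one, and the printer appearing on an address other than the one assigned to it. In practice the observation lines would come from the DHCP server’s lease log or a periodic ARP dump, and the findings would be routed to the role alias registered for the device rather than acted on automatically.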
Last updated: 2012/10/16 19:50:22