Lincoln and I talked to Ryan Harden today to iron out an approach to putting Science DMZ into the UC server room. We think the current plan is a good one, and pretty flexible.
Currently we have a Cisco 6509 providing:
- uplink to campus for VLAN 624 (22.214.171.124/25). VLAN 624 passes up to campus.
- NAT for nodes on VLAN 101 (10.0.0.0/8). VLAN 101 does not pass beyond the 6509.
Attached to the 6509 are:
- a Dell 8024 stack, with both VLANs (101 and 624) supported.
- a Dell 6248 stack, with both VLANs (101 and 624) supported.
- an assortment of worker nodes
The Juniper EX9208 is uplinked to the Science DMZ, and through it to the internet, but it does not yet carry any traffic.
In our final configuration, the Juniper will carry our upstream traffic to the SciDMZ on VLAN 3524 (126.96.36.199/23). Attached to the Juniper:
- the 6509, with VLANs 101, 624, and 3524. The 6509 will route VLAN 624 traffic (188.8.131.52/25) to campus.
- the Dell 8024 stack, with VLANs 101, 624, and 3524
- the Dell 6248 stack, with VLANs 101, 624, and 3524
- a new single Dell 6248, with VLANs 101, 624, and 3524
So the Juniper will route to the Science DMZ, and the Cisco to campus. The VLAN boundaries are:
- VLAN 101 will not traverse into either campus or the DMZ.
- VLAN 3524 will not traverse to campus.
- VLAN 624 will not traverse to the DMZ.
The SPT cluster and other systems in our server room will remain on VLAN 624 and continue to use 184.108.40.206/25 addressing. We can continue using our 10/8 addressing as needed, and we can migrate individual nodes from VLAN 624 to VLAN 3524 at our pleasure.
A single event will enable this: we'll move the uplinks from our 6248 and 8024 stacks from the 6509 to the 9208. This will briefly disrupt network activity but should not require a formal site downtime.
When we're ready to move the tier 2 to DMZ addressing, we'll need site downtime to move all of it.
Any nodes not capable of 9000-byte (jumbo) frames will remain on private 10.0.0.0/8 addressing on VLAN 101 with MTU=1500. The others may move to public DMZ addressing with MTU=9000.
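Before a node is moved from VLAN 624 to VLAN 3524 it is worth confirming that it really passes 9000-byte frames end to end, rather than trusting the NIC spec; a node that silently fragments or drops jumbo frames on the DMZ VLAN is painful to diagnose after the cutover. The script below is an added example, not part of the original note: it sends don't-fragment pings with a payload that fills a 9000-byte IPv4 frame and sorts each host into the DMZ (MTU 9000) or private (VLAN 101, MTU 1500) plan. It assumes Linux iputils ping (-M do sets DF, -s sets the ICMP payload); the host names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original note): pre-migration jumbo-frame check.
# A host goes to VLAN 3524 / MTU 9000 only if a full 9000-byte frame passes with
# DF set; otherwise it stays on VLAN 101 / MTU 1500.
# Assumes Linux iputils ping: -M do = don't fragment, -s = ICMP payload bytes.

# ICMP payload that fills a frame of the given MTU: MTU minus the 20-byte IPv4
# header minus the 8-byte ICMP header (9000 -> 8972, 1500 -> 1472).
icmp_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Classify one host: prints "dmz" if a DF ping of a full 9000-byte frame succeeds,
# "private" otherwise. $2 optionally overrides the ping command (used for testing).
classify_node() {
    host=$1
    pinger=${2:-ping}
    payload=$(icmp_payload_for_mtu 9000)
    if "$pinger" -c 2 -W 2 -M do -s "$payload" "$host" >/dev/null 2>&1; then
        echo dmz
    else
        echo private
    fi
}

# Walk a constructed host list (hypothetical names) and print the planned VLAN/MTU
# for each one. $1 optionally overrides the ping command.
plan_migration() {
    pinger=${1:-ping}
    for host in node01 node02 spt-head; do
        case $(classify_node "$host" "$pinger") in
            dmz)     printf '%s -> VLAN 3524, MTU 9000\n' "$host" ;;
            private) printf '%s -> VLAN 101, MTU 1500\n' "$host" ;;
        esac
    done
}

# Run the plan only when explicitly asked, so the file can also be sourced.
if [ "${JUMBO_CHECK_RUN:-0}" = 1 ]; then
    plan_migration
fi
```

Run it as `JUMBO_CHECK_RUN=1 sh jumbo_check.sh` from a host that already sits on a 9000-MTU segment; a DF ping that fails from a 1500-MTU source tells you about the source path, not the target. Also note that a DF probe at 8972 bytes tests the whole path, so a 1500-MTU hop anywhere between the probing host and the target (for instance the campus side of VLAN 624) will classify a perfectly capable node as private; probe across the path the node will actually use after the move.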
Until the final act, we'll continue using NAT on the Cisco 6509 with a public IP in the 128.135 range. When all moves are complete we'll move NAT from the 6509 to the 9208, with the NAT public address in the 192.170 range.
Rough sketches of the transition are attached.
- 12 Nov 2013