Information About the Network Concept
Configuration of the UHH Backbone
Over the past few years, the backbone of the communications network has been gradually expanded to improve both performance and reliability. To establish a high-performance Gigabit backbone, new nodes were added at the existing backbone access points:
- Schlüterstr. 70 (RRZ),
- Von-Melle-Park 5 (VMP),
- Edmund-Siemers-Allee 1 (ESA),
- Jungiusstr. 9 (Jungiusstr.),
- Bundesstr. 55 (Geomatikum), and
- Grindelallee 117 (Grindel).
These sites are interconnected in a ring via single-mode fiber and 10 Gigabit Ethernet (10GE). These access points (“core”) serve to provide connectivity to large buildings or building complexes. Thanks to the “Spanning Tree” algorithm at Layer 2 and the EIGRP (Enhanced Interior Gateway Routing Protocol) at Layer 3, if a system in the ring fails, the remaining areas can continue to be supplied via automatic switching to new routes. To further safeguard operations, an additional fiber-optic connection was established via a separate route from the RRZ to the ESA 1 backbone site.
Networking within the Building Area
Starting from the six backbone sites (Level 1) and the campus sites (Level 2) connected via feeder lines, such as Stellingen, Klein-Flottbek, and Physics (Bergedorf), the surrounding buildings and areas are connected to the network via Fast Ethernet or Gigabit Ethernet interfaces and the floor switches connected to them. In the new or already renovated buildings, the end devices are connected to these via fiber-optic or copper-based TP cabling.
Network Components
Modular and high-performance network components of the same type (Cisco Catalyst 6509) are used at all backbone sites to ensure the most efficient and smooth operation possible. In all cases, the existing systems are equipped with at least one SUP2T or SUP720 supervisor engine, a redundant power supply, and 10GE or GE cards. To further safeguard operations, an uninterruptible power supply (UPS) is operated at the sites to bridge power outages. Building or floor switches are connected to the 10GE and GE interfaces to supply the tertiary areas via fiber-optic connections (primary or secondary cabling).
IP Addresses
The UHH network is based on IPv4. It is a “Class B” network 134.100.0.0/16, which is currently divided into approximately 430 subnets, between which traffic is routed via IP routing. IP addresses are statically assigned to the systems and allocated via DHCP (see below). In principle, no private IP addresses and thus no Network Address Translation (NAT) are used. One reason for this is that, in the event of a “malfunction,” the blocklist management system blocks Internet access for all systems located “behind” the NAT system. Therefore, the operation of such NAT configurations within the UHH network is discouraged.
IP Routing and Switching
As a rule, subnets are uniquely assigned to specific units (e.g., departments) and are routed via the nearest core router. However, due to the spatial diversification of the departments (leasing and subleasing of buildings, construction of new buildings, outsourcing of third-party funded projects, interdisciplinary working groups, etc.) as well as the creation of cross-university special networks (administrative network, public network, etc.), it is becoming increasingly common for these subnets to no longer be locally concentrated but rather distributed across large parts of the UHH network, requiring them to be provided by the RRZ. This is implemented using standard VLAN switching. One or more subnets are concentrated on the core routers as “Switched Virtual Interfaces” (currently approx. 120) and routed. At the network layer, the data units of these subnets are implemented as “Virtual LANs” (VLANs) and can thus be distributed across the entire UHH network. This requires a modern network infrastructure that must not only be highly capable in terms of packet and data throughput but also necessitates switches that can be managed down to the connection level (tertiary level).
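The SVI-and-VLAN arrangement described above, and the Layer 3 rerouting via EIGRP mentioned for the backbone ring, as an added Cisco IOS configuration fragment. This is not the RRZ's own configuration: VLAN 120, the subnet 134.100.120.0/24, the interface numbers and the EIGRP autonomous-system number are constructed values chosen only for illustration.

```cisco
! Constructed example: one department subnet carried as VLAN 120,
! terminated as a Switched Virtual Interface on a core router and
! trunked over 10GE to a building switch.
spanning-tree mode rapid-pvst
!
vlan 120
 name dept-example
!
interface Vlan120
 description SVI for constructed department subnet 134.100.120.0/24
 ip address 134.100.120.1 255.255.255.0
 no shutdown
!
interface TenGigabitEthernet1/1
 description 10GE fiber trunk to building switch
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 120
!
! Advertise the SVI's subnet to the other core routers so that a ring
! failure is handled by rerouting at Layer 3 rather than only by STP.
router eigrp 100
 network 134.100.0.0 0.0.255.255
```

Two settings in the trunk block are the ones a network operator would check when VLANs are spread across a large campus: `switchport trunk allowed vlan` restricts each trunk to the VLANs that actually need to traverse it, so a department's broadcast domain is not carried into every building, and `switchport nonegotiate` disables DTP so that a port facing a building switch cannot be talked into becoming a trunk by whatever is plugged into the far end.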
Basic Network Services
The “Domain Name System” (DNS), “Dynamic Host Configuration Protocol” (DHCP), and “Remote Authentication Dial-In User Service” (RADIUS) are essential for the operation of the UHH’s IP network.
DNS Service
The mapping of IP addresses to symbolic names via DNS is of such fundamental importance that this service is implemented on a highly available computer architecture (primary/backup model). The backup system monitors the availability of the primary DNS server and takes over fully automatically in the event of a service outage or during maintenance work, enabling maintenance of the computers and the DNS services running on them to be performed transparently to users. This transparency is achieved by using a shared virtual IP address on both the primary and backup systems. As a result, the requesting computers do not need to be aware of multiple alternative IP addresses.
DHCP Service
Due to the frequent replacement of devices caused by relocation or upgrades, a DHCP service is operated for end-device configuration. This ensures that local system administrators do not have to manually configure the complete IP network settings on all end devices; instead, the end devices are automatically assigned the valid information for their subnet upon startup. As a rule, static mappings of IP addresses to permanently installed end devices are entered. To this end, the assignment of MAC addresses to available IP addresses, as well as the selection of names for the IP addresses to be used, is delegated to the administrators of the individual departments. The DHCP and DNS configuration files are then generated fully automatically from the entered information and automatically updated on the servers after validation. This procedure is significantly less prone to errors than manual address configuration and has proven itself at the UHH for many years. The DHCP service is also designed to be redundant. In contrast to the primary/backup operating model of the DNS servers, the DHCP service is operated in an “automatic model.” This means that the DHCP instances function as active redundancy for one another and provide the service simultaneously when operating without errors. If one DHCP server fails, the other takes over service provision in a manner that is transparent to users. This is achieved through the constant synchronization of the DHCP databases of the two servers.
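The registry-driven generation of DHCP and DNS configuration described above, as an added Python example; it is not the RRZ's tooling, whose input format and validation rules the page does not describe. The registry layout (one `hostname mac ip` line per device), the subnet 134.100.17.0/24, the zone name and the host names are constructed, and the output targets ISC dhcpd `host` blocks and BIND zone records as an assumed server pair. The validation step rejects malformed MACs and host names, addresses outside the department's subnet, and duplicate host names, MACs or IPs before anything is rendered, which is where the error reduction over hand-edited configuration comes from.

```python
"""Generate ISC dhcpd host declarations and BIND forward/reverse records
from a department's MAC-to-IP registry, after validating it.

Added example, not the RRZ's own tooling: subnet, zone, registry format
and host names below are constructed for illustration.
"""
import ipaddress
import re

# Subnet this department's administrator may assign from (constructed).
SUBNET = ipaddress.ip_network("134.100.17.0/24")
DOMAIN = "example.uni-hamburg.de"  # assumed zone name, not from the page

# Constructed registry as a department administrator might enter it.
REGISTRY = """\
# hostname  MAC address         IP address
ws-101      00:11:22:33:44:55   134.100.17.10
ws-102      00:11:22:33:44:66   134.100.17.11
printer1    00:11:22:33:44:77   134.100.17.20
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")  # RFC 1123 label


def parse_registry(text):
    """Return a list of (hostname, mac, ip) tuples; raise ValueError on any defect."""
    seen_hosts, seen_macs, seen_ips = set(), set(), set()
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'hostname mac ip'")
        host, mac, ip_text = parts[0].lower(), parts[1].lower(), parts[2]
        if not HOST_RE.match(host):
            raise ValueError(f"line {lineno}: invalid host name {host!r}")
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: invalid MAC address {mac!r}")
        ip = ipaddress.ip_address(ip_text)  # raises ValueError on garbage
        if ip not in SUBNET or ip in (SUBNET.network_address, SUBNET.broadcast_address):
            raise ValueError(f"line {lineno}: {ip} is not a usable address in {SUBNET}")
        # Each host name, MAC and IP may be registered only once.
        for key, seen in ((host, seen_hosts), (mac, seen_macs), (ip, seen_ips)):
            if key in seen:
                raise ValueError(f"line {lineno}: duplicate entry {key}")
            seen.add(key)
        entries.append((host, mac, ip))
    return entries


def check_registry(text):
    """Return None if the registry passes validation, else the error message."""
    try:
        parse_registry(text)
    except ValueError as exc:
        return str(exc)
    return None


def render_dhcpd(entries):
    """Render one ISC dhcpd 'host' block with a fixed address per device."""
    blocks = [
        f"host {host} {{\n"
        f"  hardware ethernet {mac};\n"
        f"  fixed-address {ip};\n"
        f'  option host-name "{host}";\n'
        f"}}"
        for host, mac, ip in entries
    ]
    return "\n".join(blocks) + "\n"


def render_zone(entries):
    """Render BIND A records (forward zone) and PTR records (reverse zone)."""
    forward = [f"{host}\tIN\tA\t{ip}" for host, _mac, ip in entries]
    reverse = [f"{ip.reverse_pointer}.\tIN\tPTR\t{host}.{DOMAIN}."
               for host, _mac, ip in entries]
    return "\n".join(forward) + "\n", "\n".join(reverse) + "\n"


if __name__ == "__main__":
    devices = parse_registry(REGISTRY)
    print(render_dhcpd(devices))
    fwd, rev = render_zone(devices)
    print(fwd)
    print(rev)
```

Because the generator refuses the whole registry on the first defect, a typo in one line cannot silently produce a partially updated server configuration; the administrator corrects the entry and reruns, and the DHCP and DNS outputs always describe the same set of devices.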
RADIUS
The third important service (RADIUS) is used to authenticate users during modem/ISDN and VPN dial-up as well as for access from the UHH’s “public network.” The user databases required for this are created fully automatically from the data in the user administration system. RADIUS, just like the DNS service, is installed according to the primary/backup model and is thus designed for high availability.
Network Management
Network management for the UHH network is carried out using several specialized tools. This decision to use a collection of multiple tools resulted from repeated dissatisfaction with the evaluation results of integrated network management solutions. The “all-in-one” tools tested to date failed to meet expectations due to their complexity, functional shortcomings, and, not least, security issues. Specialized tools are therefore used for network management in the areas of configuration, performance, and fault management.