Cabling and Jacks (ports)
The Davidson campus is wired with standard CAT5e and CAT6 cabling in all buildings. Both are capable of 1Gb/s for up to 100-meter lengths if the wiring and termination are in good condition.
Jacks are all 8-pin RJ45 connectors, even on the analog telephone jacks.
- The naming convention for jacks:
- Jacks are labeled by room number, followed by "-", followed by a letter designating the box or wall plate starting with "A" and moving through the alphabet, followed by the jack color. If there is only one box in the room, the "A" is dropped and it is simply "roomnumber-color". This is the TOP label. The bottom label usually denotes the room number of the network closet.
- Color schemes for jacks:
- Grey, orange, and brown jacks are telephone jacks. These are connected to an old analog phone infrastructure and are not capable of being connected to the network. It is possible, in most cases, to move the cable from the analog phone system to the network, but this is a permanent move. An outside wiring vendor is hired and scheduled for this work, and it does cost the college time and money. The infrastructure team will determine if this is necessary and schedule the work. Once the work is completed, the jack will be relabeled with a color within the network range. The first analog phone connection in a box or wall plate is grey, followed by orange, followed by brown. Cisco VoIP phones cannot be connected to the analog telephone network.
- The first network connection in a box or plate is green, then red, then blue, then yellow, and so on. Please always connect to the first available connection. This makes organizing connections easier.
- Examples: (totally made up)
- 1039-A-red would be the first box in room 1039 (first floor) with the second data jack (see the color scheme above).
- B006A-F-blue would be the 6th box in room B006A (basement) with the 3rd data jack (notice that the "A" in "B006A" is part of the room name and not the jack name because it comes before the "-").
- The top label on a jack faceplate denotes the box or faceplate name. The bottom label describes the network closet location (where the wires go).
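As an added example (not part of the Davidson notes), here is a small Python parser for the label scheme above. The color lists are the ones the notes name, and the label shape is assumed to be room, optional plate letter, and color, separated by "-".

```python
import re
from dataclasses import dataclass
from typing import Optional

# Jack colors in the order they are assigned on one box or wall plate:
# analog telephone jacks first (grey, orange, brown), then network jacks
# (green, red, blue, yellow, ...). Only the colors named in the notes are listed.
PHONE_COLORS = ["grey", "orange", "brown"]
NETWORK_COLORS = ["green", "red", "blue", "yellow"]

# Label shape (assumed from the notes): <room>[-<plate letter>]-<color>.
# The plate letter is a single letter delimited by "-" on both sides, so a
# trailing letter that belongs to the room name ("B006A") is never mistaken
# for a plate letter.
LABEL_RE = re.compile(r"^(?P<room>[A-Za-z0-9]+)(?:-(?P<plate>[A-Za-z]))?-(?P<color>[A-Za-z]+)$")


@dataclass(frozen=True)
class Jack:
    room: str
    plate: str     # "A" when the label omits it (single-box room)
    color: str
    kind: str      # "phone" (analog, cannot be networked) or "network"
    ordinal: int   # 1 = first jack of that kind on the plate


def parse_jack_label(label: str) -> Jack:
    """Parse a TOP label such as "1039-A-red" or "B006A-F-blue"."""
    m = LABEL_RE.match(label.strip())
    if not m:
        raise ValueError(f"not a jack label: {label!r}")
    color = m.group("color").lower()
    if color in PHONE_COLORS:
        kind, ordinal = "phone", PHONE_COLORS.index(color) + 1
    elif color in NETWORK_COLORS:
        kind, ordinal = "network", NETWORK_COLORS.index(color) + 1
    else:
        raise ValueError(f"unknown jack color {color!r} in {label!r}")
    plate = (m.group("plate") or "A").upper()
    return Jack(m.group("room"), plate, color, kind, ordinal)


def next_network_color(colors_in_use) -> Optional[str]:
    """First free network color on a plate (the notes ask for the first available one)."""
    used = {c.lower() for c in colors_in_use}
    return next((c for c in NETWORK_COLORS if c not in used), None)
```

A label that does not follow the scheme, such as "ITS-Jackson-142-Blue" from the request examples below, is rejected rather than guessed at.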
Not all jacks ("ports") are activated by default. This saves the college millions of dollars in equipment costs by only providing the back-end gear to handle what is needed. It comes at the expense of some convenience, but port activations are usually handled relatively quickly. To activate a port we need the following information:
- The building this port is in. This is not as obvious as it may appear, so please include it.
- The complete jack label (TOP LABEL) which should include the room number, jack plate name, and port color.
- What VLAN (network) the port needs to go into (see logical network section)
- Baker B116-B-red needs to be activated on the employee network
- Chambers 3012-A-Yellow needs to be activated on the lab's network
- Wall 1C1B-A-green needs to be activated for an event that is being held. It is a public port in a hallway and they only require internet access. What network do you recommend?
- "Cunningham theater office, jack to the left when you enter the room, green, on labs"
- We typically don't enter the actual room to activate the port. This saves time because sometimes getting into the room is difficult if it is locked or frequently occupied. It saves a lot of time if we just go into the closet and activate the port by an accurate label. Also, please specify a room number, which is often easiest found on the label.
- "Joe Shmoe's office behind the bookcase"
- If you can't move the bookcase (or don't want to, no judgement here), you can probably derive the label by following the scheme above. If it is the only one in the room it is likely "roomnumber-green". If there is an A plate and you want the second plate, it will be called "roomnumber-B-color".
- "1045-B-green on employee"
- Even if the ticket is in someone's name, we can't assume the building. Many departments span multiple buildings.
- "Activate ITS-Jackson-142-Blue"
- Please specify a network or at least give clues as to what the connection is needed for. Is it a digital sign? card reader? employee computer? student workstation? lab? student worker who needs access to secure connections?
- "Chambers 3012-A-Yellow needs to be activated on the labs network"
- Looks like a good report, but the port is already active on the guest network. Make sure to note that to avoid confusion, such as "Chambers 3012-A-Yellow needs to be moved to the labs network."
Residence Hall port activation requests:
- For students, we typically ask what device the connection will be used for, just for records. We can ask that when we go activate it, or it could be done when the ticket comes in; either way is fine. Student port requests are done for the academic year. All student ports in residence halls are deactivated following graduation.
How long ports stay active:
- Ports for non-residential buildings stay active indefinitely or until that port is needed elsewhere. When we activate a port, we follow this process:
- Look for an available port on the switch in the VLAN requested. If one is available, patch it to fulfill the request.
- If an open port is not available, look for either an open port on the switch that could be converted to the needed VLAN or look for a port in the same VLAN that has no counters (see next point).
- Switches keep track of counters for every packet that crosses them. If a port has no counters, the port has not been used since the switch was powered on or the counters were last cleared. If we see a port that has gone unused for more than 8 months that is needed elsewhere, we may deactivate that port and use it elsewhere. We only do this if we are running out of room. It is in our best interest to keep these switches utilized to their maximum potential. Again, at the sacrifice of some convenience, the college saves tens or hundreds of thousands of dollars.
Zones and VLANs
Our network is divided into zones, which contain subdivisions called "VLANs". The main things you need to know are below:
- For traffic to go from one zone (or VRF) to another, the traffic goes through the firewall for inspection. The inspection looks for malware, vulnerabilities, suspicious traffic, etc.
- Traffic going within the same zone but on different VLANs does not pass through the firewall, but may be subject to other, more primitive rules.
So here is the layout:
- Guest Zone - reserved for people, devices, and things we don't know and don't trust with access to our infrastructure. These connections mostly get an internet connection only. These connections can't get to banner, printers, other workstations, etc. The entire guest zone is limited in internet bandwidth as well, and unless an exception is specified, the entire zone can only consume 7% of our total internet bandwidth (subject to change). These connections are usually in publicly accessible locations or on devices that are used by vendors or outside parties.
- Guest - VLAN 11 - The only VLAN in Guest is aptly labeled "Guest".
- Student Zone - reserved for student-facing connections including labs. These connections typically get access to the internet and some basic campus services.
- Student - VLAN 20 - typically only used in residence halls or some student life areas. For the most part, these just grant an internet connection.
- Labs - VLAN 21 - used for computer labs, printers that students use, and ports that are not behind locked doors that need just a little more access to campus services than guest.
- Secure Zone - used for employees and secure devices. These ports need to be behind a locked door that an employee controls. Secure ports have access to banner and other sensitive systems.
- Employee - VLAN 33 - used for most employees, offices, and employee printers. Again, these need to be behind a locked door.
- Utilities - VLAN 35 - used for card readers and some utilities that need access to look up 801 numbers, accounts, and personnel data. These are used in cooperation with physical plant, and are always behind locked doors. Also used for some security cameras.
- Isolation Zone - devices that don't need internet access and don't need to talk out to anything
- Wireless_AP - VLAN 44 - Wireless access points can only talk to the wireless controller. From there, the controller relays traffic to its next step. This VLAN is also sometimes used for vending machines because they don't actually send traffic anywhere (a server checks in with them from time to time and initiates the connection). Note that if someone unplugs a vending machine or a wireless access point, they will not gain internet service from that connection. This is very intentional! We don't want people denying service to others to hog the connection.
- Voice Zone - used for Voice over IP phones and phone equipment/servers.
- Voice - VLAN 50 - This VLAN is "tagged" for most public-facing ports, meaning that if a Cisco phone is connected, it will operate on this VLAN, while any pass-through port on the phone will pass the normally configured VLAN (employee, labs, etc.). If a port is active and a phone cannot register, put in a ticket and we can look at the port configuration.
- Things Zone - used for IoT (Internet of Things) devices and some assorted devices that we want to be wary about security with.
- Things (Doodads) - VLAN 60 - used for energy management, fire alarms, HVAC controls, webcams, instrumentation, embedded devices, etc. These are often things that do not regularly receive security patches or firmware updates to fix vulnerabilities. They may have insecure methods of access such as telnet, embedded web servers, clear-text logins, etc. Often vendors need to access these devices from off campus, so we explicitly carve a path for them and them only.
- Enterprise Zone - used for servers
- Money Zone - used for some cash registers, credit card readers, and PCI compliant things. Rarely ever used.
How to tell what VLAN an IP address is on (wired network only)
- Open a command prompt (Terminal on MacOS and Linux, "cmd" at the Run menu on Windows).
- Find the IP address you're looking for ("ifconfig" will work on MacOS and most Linux, "ipconfig" will work on Windows).
- Let's say you got 10.17.49.24 as your IP address. Make sure you're looking at the wired ethernet interface.
- In the command prompt or terminal (this command works on Mac, Windows, and Linux), type "nslookup 10.17.49.254" (notice how I took out the last section and replaced it with 254. This is called the gateway, or the final IP address in that subnet).
- It should return something like this:
This means that you are in the Baker building (BAK), in the South Closet (S), on the employee VLAN.
Let's try one more: You're looking for 10.36.158.60
- run "nslookup 10.36.158.254"
That tells us the IP is located in the Wall building (WAL), on the first floor (1) on the Labs network.
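The lookup above as a small Python script, added here as an example (not part of the Davidson notes). It assumes the wired subnets are /24s, which is what the "replace the last section with 254" rule relies on, and it must run on the campus network for the reverse lookup to succeed.

```python
import ipaddress
import socket


def gateway_for(ip: str) -> str:
    """Return the .254 address of the wired subnet the IP sits in.

    Assumption from the procedure above: wired subnets are /24s, so the
    gateway is always the network address plus 254.
    """
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage input
    if addr.version != 4:
        raise ValueError(f"only IPv4 wired addresses are handled: {ip}")
    network = ipaddress.ip_network(f"{addr}/24", strict=False)
    return str(network.network_address + 254)


def closet_name_for(ip: str) -> str:
    """Reverse-resolve the gateway, i.e. the name "nslookup <gateway>" prints.

    Off campus (or for a subnet without a PTR record) the lookup fails; the
    error is returned as text instead of raising so a batch run keeps going.
    """
    gw = gateway_for(ip)
    try:
        return socket.gethostbyaddr(gw)[0]
    except (socket.herror, socket.gaierror) as exc:
        return f"no PTR record for {gw}: {exc}"


if __name__ == "__main__":
    import sys
    # The two addresses are the ones used in the walkthrough above.
    for ip in sys.argv[1:] or ["10.17.49.24", "10.36.158.60"]:
        print(ip, "->", gateway_for(ip), "->", closet_name_for(ip))
```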