http://www.interlockroc.org/wiki/Infrastructure <-- If you are interested in working on any of these projects please feel free to add yourself to the project members list. Also if anyone wants to take the lead on power or environmental that'd be cool.
 Network Project
I would like to take the lead on this. I want to ask at the next meeting what people's needs are for network(s) and bandwidth [I know personally I'd like to play with some high bandwidth VoIP stuff, so the more bandwidth we can afford the better, imo] and see if what we have outlined on the Infrastructure page meshes with what everyone else was thinking. ---- BW 20:20, 2 December 2009 (UTC)
Care to tag-team this? --Fvox13 14:05, 3 December 2009 (UTC)
Help is always appreciated, Carl mentioned wanting to help as well. ---- BW 15:04, 3 December 2009 (UTC)
Ben, looks like you've got a good handle on this. Nicely detailed proposals. Thanks for stepping up to lead this.
The chief thing that springs to mind with regard to the RFC1918 address space allocations is that consumer level devices, which I think it's safe to say we'll have on hand at one time or another, typically use at least two of those ranges preferentially. Apple Airport base stations tend to use addresses in the 10.0.0.0/8 range, and non-Apple devices often plop themselves down in the 192.168.0.0/16 range.
My suggestion, then, is to use 172.16.0.0/12 range for all of our private networks. That way, if something shows a 192.168.x.y or 10.x.y.z address, we'll know right away that it's coming from something other than our stuff.
In that light, I propose 172.20.x.y for the production network, partitioned further as you suggest (perhaps spacing things out by 10s in the third octet instead of by 1s, to give some room in between), 172.30.x.y for the warzone. The mnemonic I have in mind for this is that .20 is an "even" multiple of 10, even meaning "smooth" and smooth being what one wants from a production environment. In contrast, .30 is an "odd" multiple of 10, odd being exciting, unusual, or even dangerous, depending on one's perspective, but certainly what one would expect from a "warzone". In between these two we'd have 172.25.x.y, which would be the playground--not expected to be at all dangerous, but you must be this tall to enter this ride.
The 10.0.0.0/8 space is pretty big, even if Apple does use part of it. From what I recall and can tell from a quick search, they tend to use 10.0.1.x addresses. I think it might be a good convention to pick some portion of the 10.0.0.0/8 space and then to recommend that people use it for setting up their own independent test networks, eg, if they are building a private network on a single hardware host to use with a collection of virtual machines on that host. If their stuff stays on their own network, no big deal. If they screw up somehow and one of their devices ends up on our network, again, it'll be easy to tell because it is in this distinct 10.0.0.0 region. I think 10.100.0.0 would be easy to remember to use, and well away from Apple's use.
Within 192.168.0.0, I've seen use all over the range. Some devices I've had use 192.168.0.x range. Some 192.168.254.x. The Linksys NSLU2 "slugs" use 192.168.1.77. And those are just the ones I'm familiar with and can recall off the top of my head. So, I think we just leave this for use with those devices.
Anyway, that's my suggestion, based on my experience. You may have experience with devices that tend to default to 172.16.0.0 too, making this a less useful scheme, for instance.
Deejoe 16:07, 5 December 2009 (UTC)
Thanks much for the feedback Deejoe. I like your ideas. I don't know of any devices that are using the 172.x.x.x range by default so that all sounds good.
Also, Fvox13, good point about Cat6a. Lets shoot for Cat6 with the expectation that we will probably end up with a bunch of cat5e and limited cat6, which we'll probably want to use for core equipment that doesn't have other interconnects. ---- BW 00:37, 6 December 2009 (UTC)
I was looking at the subnetting layout and thought I'd chip in my two cents, for what it's worth. When addressing core devices (switches, routers, servers, and so on), I've found putting them on the subnet right before the broadcast more design-friendly. It makes writing ACLs much more easier and flexible, along with making adding new equipment to the core layer faster. Any thoughts on this? --BinaryMan
I have heard of doing that BinaryMan but I wasn't sure what the benefits were. ---- BW 14:37, 10 December 2009 (UTC)
If it is needed, I have both an 8-port and a 4-port KVM. Both are PS2/Serial/Video. The 4 port also has AT keyboard. These are electrical not mechanical switches.
I have a network capable laserprinter in storage, but I cant get to it right now. It is an Apple LaserWriter 8500 with duplexer and 11x17" tray. It hasn't been powered on in a few years and I can't remember what state it is in, though it is complete. IGadget 03:32, 8 January 2010 (UTC)
 Infrastructure Questions
See questions_for_felix, rather that duplicating content
 Internet Access
 Time Warner Cable
Per your request-we can provide bandwidth Tier of 5mbps/384Kbps at the following rate: 1 year $88.20 2 year $84.00 3 year $79.95 Install fee of $75.00
We can offer 5Mbps/768 Kbps: 1 year $140.70 2 year $133.85 3 year $126.95 Install fee of $75.00
Total Cost(1 yr): $163.20
Talking to John day about NFP discounts and possible packages for our building zone --Antitree 19:27, 3 December 2009 (UTC)
Going to present our options tomorrow night. --Fvox13 18:29, 14 December 2009 (UTC)
 Service Suggestions
AirPort Express wireless AP (connected to stereo system for streaming music via AirTunes?) Can also act as a USB print server if we have a printer donated (USB is not the best option... we should consider an ethernet-enabled printer (maybe someone can donate?)) --Ben Woodruff 06:19, 2 December 2009 (UTC)
Production network should have a more robust AP... maybe a Meru or Cisco?
I agree, the problem is cost. I didn't see any mentions of a better AP on the donations page, so we may be stuck with what I've got for the time being. We will also probably want to offer guest wireless access at some point, through a different SSID, which will require an additional/different AP (the new Apple equipment can do it, but this one can't)
Does anyone know of a "good" captive portal type system like start.rit.edu or BlueSocket? I want something that can register MAC addresses with a DHCP server if proper credentials are supplied (auth w/ LDAP). Bonus points if it has optional static IP registration for servers and host management (remember which MACs belong to which users) ---- BW 20:06, 8 December 2009 (UTC)
You should be able to use something like PacketFence I would thing. That has an included registration system, so that the admin doesn't have to do as much. Here is a link to its Features
--Cmd3187 21:11, 8 December 2009 (UTC)
I like the looks of pfSense and PacketFence. Does anyone want to take charge of setting up the LDAP server and RADIUS authentication? It's something I'd like to observe on. ---- BW 14:40, 10 December 2009 (UTC)
I can probably setup a freeradius instance pretty easily. Though I will need to learn how to integrate it against openLDAP, since I have usually just set it up against shadow. I'll setup a sample one at home as a VM for now. Any preferences as to what VM container I use? I currently can work with QEMU, VMWare, Xen, KVM and Solaris Zones. --Cmd3187 16:16, 11 December 2009 (UTC)
I think VMWare is sort of the de facto option. As long as we can eventually convert it in to a VMWare image eventually that'd be cool. But whatever works. ---- BW 17:51, 11 December 2009 (UTC)
On one of the systems it would probably be a good idea to setup SVN linked back into LDAP for group and project code storage.IGadget 03:35, 8 January 2010 (UTC)
Another good thing would be a ticket tracking system for users to make requests of whatever IT staff there is. That way there can be a track of who resolved what problem, how and when. I've used and admin'd a RT(http://bestpractical.com/rt/) for that purpose in the past. It integrates with LDAP for the password as well to help with Single sign-on. you can also create local accounts allowing for people who may not have network logins to submit requests. IGadget 04:44, 8 January 2010 (UTC)