DNS Standards

This page contains information about implementation details related to the campus domain registration policy.

Introduction

This document describes the standard as set forth by Technology Services pertaining to the governance and rules of the Domain Name System (DNS) Service at the University of Illinois, Urbana-Champaign campus.

EDUCAUSE and the American Registry for Internet Numbers (ARIN) have delegated second level domains and IP address blocks (respectively) to Technology Services, acting on the authority of the University of Illinois at Urbana-Champaign, with the agreement that DNS service will be properly maintained and configured.

Technology Services provides DNS service to the Urbana-Champaign campus and controls allocation, management and delegation of these zones.

Terminology

American Registry for Internet Numbers (ARIN): An organization that allocates IP address space to the University of Illinois at Urbana-Champaign.
Delegation: handing over authority for a portion of the DNS namespace (thereby establishing a new zone)
Domain: a logical subtree of the hierarchical DNS namespace, headed by a domain name such as illinois.edu or example.com
Domain Name: a string of labels separated by dots which identifies an entity on the Internet. Examples: illinois.edu, example.com, www.techservices.illinois.edu.
Domain Name System (DNS): A method of translating a readable name to an Internet Protocol (IP) address.
EDUCAUSE: Grants .edu domains and offers resources for the advancement of higher education to the education community.
FQDN (Fully Qualified Domain Name): The full entry in DNS for a machine, e.g. host.unit.illinois.edu.
Hostmgr (pronounced “host manager”): role within Technology Services who handles campus DNS change requests
Hostname: A domain name given to a network-attached device.
IP Address: A number to identify a device on a network.
IP Address space/block: A group of IP Addresses.
Subdomain: a logical subset (subtree) of another domain, named by prepending one or more additional labels. Examples: unit.illinois.edu and foo.unit.illinois.edu are both subdomains of illinois.edu.  Note that a subdomain does not necessarily require a separate zone.
Subnet: A subset of an IP address space.
Time to live (TTL): The amount of time the authoritative nameserver caches a record when queried by a caching server.
Third-level name: a domain name consisting of three labels.  Example: unit.illinois.edu.
Zone: a portion of DNS namespace delegated to and configured in a particular set of authoritative name servers.  All subdomains of the apex name are part of the zone unless delegated again to form a new zone.

Roles, obligations, and resources

Units DNS requests and maintenance are processed via the unit’s IT professional for network support (aka network admin).
The IT professional for network support is designated by the unit head in agreement with Technology Services.

To identify your network admin, please contact the Technology Services Help Desk.

The primary contact for DNS for Technology Services is hostmgr at illinois.edu.

General usage of DNS

The use of any domain name or IP address space that is managed by or associated with the University of Illinois at Urbana-Champaign must conform to the policy on Appropriate Use of Computers and Network Systems, which includes a prohibition on use of network resources for commercial or profit-making purposes or other purposes that interfere with the mission of the University.

Inter-unit DNS entries

Units wishing to create pointers from a domain they control to another unit (for example, cs.illinois.edu hostnames pointing into Beckman Institute subnets) should do so in cooperation with Technology Services. Technology Services will set up a discussion so that both groups are aware of the request and can coordinate the use of the new DNS entries.

External domain entries

Units should create and maintain their entries in cooperation with hostmanager, either via delegation or using the self-service management interface. Please see the section on non-.edu domains.

Reverse DNS (in-addr.arpa)

All hosts must have PTR records. This rule is enforced to help the campus be in compliance with industry best practice. As numerous services use PTR records, it can cause considerable problems to users if an IP does not have a matching PTR record.

Time-To-Live (TTL) recommendations

The Time-To-Live (TTL) DNS parameter is used to control how long DNS resolvers cache a DNS record. Setting a TTL value too low reduces the efficiency of caching and increases DNS server traffic/load. Setting a TTL too high means that DNS changes may not be recognized in a timely manner.

The campus standard for TTL records is 1 hour (3600 seconds). Contact hostmgr for changes to a domain’s TTL. TTL changes to individual records can be done by IT Professionals with appropriate access to the record in the IPAM appliance web interface.

Assignment of domains and subdomains

Acceptable Name Guidelines

Units requesting a new third-level name (e.g. xyz.illinois.edu) must meet the following guidelines from the Office of Strategic Communications and Marketing for acceptable domain names. (Pre-existing domains are ‘grandfathered’ under prior guidelines.)

  • The domain name can only contain the characters (a-z), -, and (0-9), which complies with the preferred name syntax guidelines in RFC 1035 (Section 2.3.1)
  • In general, avoid acronyms and initialisms unless they are universally recognized. For example, creativeservices.illinois.edu not cs.illinois.edu (which could be confused with Computer Science.)
  • Supportive of brand – the domain name should not be contrary to the Illinois brand. The UIUC initialism should not be used in newly created domain names.
  • Appropriateness – Language which could be considered derogatory, offensive, or misleading should be avoided.
  • Respectful of scope and role – Third-level campus domain names should reflect high-level organizations in the university (colleges, departments, inter-departmental organizations,) or campus-wide services (www, campusrec, careercenter). Since third-level names apply at the campus level, the requesting unit must have the authority to represent the organization or service indicated or implied by the name. For example, research.illinois.edu could only be requested by a unit on campus that speaks for all research at the campus level.

Name requests which violate these guidelines must be justified and go through an approval process.

Non-.edu domains

Domains outside the .edu namespace (.org, .net, etc) both incur cost and require the approval of the Office of Strategic Communications and Marketing. The following requirements apply in addition to the normal considerations for domain creations:

  • Must be registered through Technology Services.
  • Department/Unit pays registration, renewal, and/or transfer fees equal to the amount that Technology Services pays the registrar, plus $10 per year to Technology Services.
  • Changes to the domain must be kept to a minimum. There may be an additional fee for excessive changes to the domain. Typical traffic would be an initial set up and a few changes per year.

Approval / escalation process

Technology Services works with the Office of Strategic Communications and Marketing to obtain approval for new domain requests.

Approval Process
Unit Network Admin for host or subdomain assignments under an assigned domain, ie: hostname.unit.illinois.edu
Technology Services screens based on existing registrations, and technical and security concerns
Office of Strategic Communications and Marketing final ruling

Third-level subdomains of illinois.edu

Every third-level subdomain of illinois.edu MUST have a corresponding Domain model in Contacts Database, which must be kept up to date by the responsible department/unit.

Third-level subdomains can be implemented in one of two ways.

Separate zone

A third-level subdomain may be created as a separate DNS zone, which will be made available for self-service management via the IPAM web interface (and may contain an arbitrary number of fourth-level records).

This option has one significant drawback (resulting from an inherent technical limitation of DNS): if mysubdomain.illinois.edu is a separate DNS zone, then there cannot be a CNAME record at mysubdomain.illinois.edu.  In practice, this typically rules out web hosting solutions that do not offer static IP addresses.

Records in the illinois.edu zone

Alternatively, a third-level subdomain of illinois.edu may be registered as a CNAME record in the second-level illinois.edu zone, and accompanied by a small number of fourth-level subdomains (each of which may be either an additional CNAME record or a separate zone).  For example:

  • mysubdomain.illinois.edu  (CNAME record in the illinois.edu zone)
  • www.mysubdomain.illinois.edu  (CNAME record in the illinois.edu zone)
  • etc.mysubdomain.illinois.edu  (separate zone with self-service management)
  • name3.mysubdomain.illinois.edu  (either CNAME record or separate zone)
  • name4.mysubdomain.illinois.edu  (either CNAME record or separate zone)

Changes to CNAME records in the illinois.edu zone must be made by request to Hostmgr, but fourth-level zones will be made available for self-service management via the IPAM web interface (and may contain an arbitrary number of fifth-level records).

Consider placing records that don’t have specific name requirements (including e.g. dev/test records) underneath a single fourth-level zone.

This option provides somewhat more flexibility for web hosting solutions (since the target of the CNAME record is another domain name, which does not need to resolve to a static IP address).  It is also more lightweight, and therefore generally preferable for new subdomains which do not require a large number of fourth-level records.

Requirements for Third Level Domain Requests

The domain name must follow the Acceptable Name Guidelines and all policies outlined in this standard. The person or group making the request must have a university affiliation (registered organization, staff, faculty, student) and the request should be routed through the unit’s Network Admin.

Requested third-level domains must not already exist and must not be reserved for future use. Contact Hostmanager to check domain availability.

There is no charge for approved third-level subdomains of illinois.edu.

The domain request must include:

  • the desired domain name
  • a description of the name and purpose
  • contact information (considerations for hosted vs. delegated)
  • organization codes

See Requesting DNS Domains to start the domain registration request.

After approval, Technology Services will process the request and setup access to the domain through the IPAM web interface, or delegate it to the unit’s servers if requested (see below.) Domain requests will be acknowledged within one business day and processed within 5 business days.

Hosts and domains beyond the third level

Domain names beyond the third level are administered by the unit responsible for the third-level subdomain, subject to the following criteria:

  • The names follow the acceptable name guidelines
  • The length of any fully qualified domain name does not exceed 255 characters.

Note that separate DNS zones beyond the third level are usually not necessary unless the third level is registered as a CNAME or the fourth level requires delegation.  For example, you can use IPAM to create records named foo.bar.mysubdomain.illinois.edu inside a third-level zone mysubdomain.illinois.edu even though there is no fourth-level zone bar.mysubdomain.illinois.eduFrom the perspective of a DNS client, the end result is the same; the only practical difference is how things look when you log in to manage them in IPAM (i.e. whether you navigate into a separate Zone to look at all the “bar” records, or whether they are displayed in the third-level zone alongside everything else).

Implementation of changes / requests

  • Changes submitted via the IPAM appliance web interface will take effect immediately.
  • Requests emailed directly to Hostmanager will be hand processed as time allows. Upon completion, Hostmanager will send a completion email to the requestor. We ask that you give your request a full 24 hours for processing and activation.
  • Requests that have a sensitive time-line, either during regular business hours or outside of them, should be emailed to host manager and clearly communicated in the body of the email the desired time of activation. We ask that you coordinate all time sensitive requests a full 24 hours in advance.
  • Requests to modify TTLs
    The campus standard TTL is set at the domain level and inherited by all records of that domain. The campus standard is 1 hour. This duration can be lowered to help propagate changes to high profile machines (i.e Mail servers, Web servers, etc..) to external nameservers. TTL changes to individual records can be done by IT Professionals with appropriate access to the record in the IPAM appliance web interface; if a TTL change is needed for a record you do not have access to, please contact hostmgr.

Delegation of domains to unit-managed DNS servers

Units may request Technology Services to delegate management of the domain to unit-managed DNS servers. Delegated domains must follow other standards and practices in this document, but are served from unit-managed servers.

Definition of delegation

“Administrative responsibility over any zone may be divided, thereby creating additional zones. Authority is said to be delegated for a portion of the old space, usually in form of sub-domains, to another nameserver and administrative entity.”Wikipedia entry for DNS

Delegation is appropriate when the unit:

  • wishes to use its own tools and servers for managing its DNS records,
  • has business requirements that are not met by Technology Services DNS tools,
  • has technical integration requirements (such as Active Directory dynamic DNS)

What can be delegated?

  • unit third-level domains (e.g. unit.illinois.edu)
  • non-university domains (e.g. .org domains registered to the unit)
  • reverse IP lookup zones (PTR zones, e.g. 100.168.192.IN-ADDR.ARPA).
    • The DNS architecture requires having 256 address blocks for reverse lookup delegation. Units with less than a 256 address subnet cannot have reverse DNS delegated.

Delegation considerations

In a delegated DNS environment, the unit’s DNS servers are the primary responders to queries to delegated domains.

Because your DNS servers are the authoritative “holders” of your domain information, they should be well-managed and highly available.

Technology Services must have contact information on file for the DNS server administrators.

DNS outages often appear as full network outages, which harm the functionality and image of the university and your unit. The Internet takes DNS seriously and so do we.

DNS servers need to be in the Fully Open firewall group to provide DNS responses to off-campus requests.

Technology Services needs to know if you are using a Windows Active Directory domain controller as the DNS server.

Recommended values for DNS delegations

Technology Services recommends that nameservers for delegated zones be configured with the following values. Note that Technology Services does not prohibit DNS administrators from making other choices, so long as the configuration still complies with the official requirements of delegation (as set forth in the delegation agreement).

Recommended values

SOA values

  • Refresh: 1 hour. Exception: If departmental name servers cannot send NOTIFYs to Technology Services name servers, please contact hostmgr to determine an appropriate value.
  • Retry: 15 mins
  • Expiry: 2 to 4 weeks
  • Minimum: 15 mins

TIP: Don’t forget that when modifying a high-profile record (e.g. for a public-facing webserver) it is a good idea to reduce the individual record TTL in advance of making the change (e.g. to a value of 1-5 minutes), and to restore it afterward to the default setting.

Firewall groups for true Delegations

Departmental name servers for true delegations MUST be placed in the Fully Open firewall group to allow udp/53 and tcp/53 from any host (including off campus).

Firewall groups for primary/secondary pseudo-delegations

Any departmental name servers which advertise themselves in an NS RRset SHOULD allow udp/53 and tcp/53 from any host (including off campus).

“Hidden primary” departmental name servers which only participate in primary/secondary pseudo-delegations and are not listed in any NS records MAY allow udp/53 and tcp/53 traffic from off campus but are not required to do so.

Recursion

All departmental name servers must either disable recursion and use the campus resolver (IPv4:130.126.2.131) or restrict recursion to only known hosts.

Delegation request process

Send an email to hostmgr with the required information.

  • domains and zones to be delegated
  • DNS server names and IP addresses
  • Contact information for the zones
  • Reason for delegation

Domain lifecycle

Changes to domains

  • Domain removal
    If you no longer are in need of a domain associated to you, email Hostmanager. Once the requested date of removal is met, the domain will no longer resolve and (for non-.edu domains) billing will cease.
  • Transfers within the University
    If you no longer are in need of a domain and another department or unit would like to be associated with that domain, please contact Hostmanager. Hostmanager will coordinate between both departments to reach an agreement.

DNS technical considerations

Campus resolver IP address

The DNS resolver address for campus is 130.126.2.131.

IPAM Documentation

Welcome! This space (go.illinois.edu/ipam) contains detailed technical documentation for IT Professionals regarding the IP Address Management (IPAM) service.

Information for everyday computer users is available at Networking, DNS Basics.

Use the sidebar on the right to navigate.

Quick links:

What’s New

See IPAM News Blog for the latest news regarding the IPAM service.  Use the “subscribe” link at the bottom if you would like to receive notifications of new posts.

Contact Us

General questions or support requests regarding the IPAM service should be directed to Illinois IPAM Hostmgr at hostmgr@illinois.edu (pronounced “host manager”).

Documentation Overview

DNS Standards provides general information and guidelines about the use of DNS on campus.

Requesting DNS Domains explains how to obtain a new domain.

DHCP Standards provides general information and guidelines about the use of DHCP on campus.

Requesting DHCP for Networks explains how to enable autoconfiguration for your network, and provides a conceptual overview of the different behaviors.

Using IPAM explains how to manage DNS and DHCP configuration for your existing networks and authoritative zones using IPAM Grid Manager.

Other Tools contains related information which may be helpful to IPAM users.

Known Issues describes known problems or limitations of IPAM which may be relevant to IT Professional customers.

Requesting DNS Domains

Requesting New DNS Domains

Your group or organization is not limited to the domains that the University already has defined. We are able to host additional domains that fit the University mission, subject to the rules and requirements described in DNS Standards.

Use the Domain Request Form to request either an .edu subdomain (sample.illinois.edu or sample.uillinois.edu) or a new non-.edu domain (.org, .com, etc) for which you have a University-related need.

Naming Guidelines

Consult the Acceptable Name Guidelines to assist you in picking out names that conform to University policy.

To see if a non-.edu domain you want is available (prior to submitting your request), you can go to the Network Solutions home page and search for it.

Please do not attempt to actually purchase the domain from Network Solutions or any other domain granting institution. The University host manager must be involved in the requesting of the domain in order for our DNS servers to provide the service.

Transferring an Existing Domain

To transfer an existing non-.edu domain to University ownership from another registrar:

  1. Contact the domain owner, and ask them to unlock the domain for transfer and provide you with the transfer authorization code.
    • If the domain is close to expiration, also consider renewing it with the current registrar now to ensure it will not expire before the transfer completes.
  2. Once you have the code, complete the Domain Request Form.  Note that you will need to provide:
    • the transfer authorization code
    • is the domain currently in active use, or is a lengthy disruption in service acceptable?

      If the domain is in active use, we will work with you to perform a seamless migration which ensures that live DNS queries for the domain continue to resolve without interruption, and with consistent answers, at all times during the transfer process.

      If you indicate that a lengthy disruption in service is acceptable because nothing actively depends on this domain right now, we can follow a simpler process which involves less work for both you and us.

  3. For seamless migrations, Technology Services will work with you to import the domain’s current zone data into our nameservers, and then ask you to update the NS records with the current registrar.

    It is important to migrate all of your domain’s DNS records (not just the address record for your website) unless you are certain that you don’t need them anymore.

    Once you have provided the current zone data, do not make any further changes to your DNS records until we confirm that it is safe to do so.

  4. To process your order, an authorization email will then be sent to the the current Administrative Contact of Record (as identified by WHOIS). The Administrative Contact must authorize the transfer within 14 days of receipt of the email. Once our registrar receives this authorization, your request will be submitted to the registry to finalize the transfer.
  5. If for some reason your transfer fails, we will notify you and work with you to retry the transfer. Common reasons why registrars will reject a transfer include:
  • Domain name is within 60 days of initial registration
  • Domain name is within 60 days of a previous transfer
  • No response/negative response to transfer authorization request to current Administrative Contact of RecordIf the transfer still does not succeed after all reasonable efforts have been made, Technology Services will provide at least 7 days notice before removing the zone from our nameservers, to allow you time to update your NS records again.

Please note: the transfer process can take up to two weeks from the time we initiate the transfer.

For other questions about transfers, please email hostmgr.

Automatic Renewals

Non-.edu DNS domains registered through Technology Services are automatically renewed by the registrar 60-90 days before they are scheduled to expire.

The Primary and Administrative contacts listed for the domain in Contacts Database will receive a notification email prior to each auto-renewal, but will NOT need to respond affirmatively in order for the auto-renewal to proceed (this eliminates unnecessary workflow steps for you and for us, and reduces the risk that a domain registration will unintentionally be allowed to lapse).

If you no longer wish to renew a non-.edu domain, please inform hostmgr at least 91 DAYS PRIOR TO ITS EXPIRATION DATE (or sooner if that deadline would fall on a non-business day) to ensure that the change can be processed before the next auto-renewal occurs.  Choose one of the following options:

  • Disable renewal but keep the domain in service until it expires.
  • Deactivate the domain immediately.

Note that removal requests should come from a Primary contact if possible (otherwise we will attempt to reconfirm with a Primary contact).

By choosing to disable renewal but keep the domain in service, you accept full responsibility for any disruption that may occur when the domain expires.  You will NOT receive any further notification from Technology Services when this is about to happen.  As a best practice, we recommend leaving automatic renewal enabled until you are actually finished using the domain.

Q: For how many years at a time will a non-.edu domain be renewed?
A: Each domain will automatically renew for the same duration as its current term, i.e. a domain most recently purchased or renewed for 3 years will auto-renew for 3 years.  If you wish to adjust this cadence, you can contact hostmgr to request a one-time manual renewal for a new term of 1, 2, 3, or 5 years (which will immediately extend the current expiration date by that amount).

Q: Which CFOP will be billed for the renewal fee?
A: Each non-.edu domain has a CFOP on file which is billed $10 per year plus renewal fees equal to the amount that Technology Services pays the registrar (as specified in DNS Standards).  Contact hostmgr if you wish to change the CFOP to which your domain is billed.

Managing DNS for your Domains

Once your domain has been created, you can use IPAM to create and modify most types of DNS records; see Using IPAM for detailed instructions.

Other Information

DNS Basics (KB#47914) is written for a general audience, and briefly explains what a DNS server is used for and which IP addresses are used for the campus DNS servers.  Note that most users will not ever need to change their computers’ DNS settings.

DNS Standards contains information about implementation details related to the campus domain registration policy.

Virtual Alias Records

Introduction

A traditional CNAME record (see also Stand-alone CNAME Records) defines a static, explicit alias in the DNS, with the oft-lamented technical limitation that a CNAME record cannot be placed at the apex of a zone (e.g. example.com).

Virtual Alias records are a non-standard but increasingly common DNS feature specifically designed to work around that limitation while still accomplishing a similar goal.

When we configure a virtual A Alias record in IPAM, our authoritative nameservers periodically query other nameservers to find the current A record(s) of the desired target name (e.g. abc123.cloudfront.net), and synthesize corresponding A record(s) for the alias name (e.g. example.com).  The result is a dynamic, transparent alias:

  1. IPAM authoritative nameserver receives a query matching the virtual alias:  example.com. IN A?
  2. IPAM authoritative nameserver sends a query for the target name: abc123.cloudfront.net. IN A?

  3. IPAM authoritative nameserver receives this response for the target name:

    abc123.cloudfront.net. 60 IN A 198.51.100.17
    abc123.cloudfront.net. 60 IN A 198.51.100.18
  4. IPAM authoritative nameserver returns this synthesized response for the virtual alias name:

    example.com. 60 IN A 198.51.100.17
    example.com. 60 IN A 198.51.100.18

The intermediate response is cached according to its TTL (time-to-live) value, so any further identical queries received by the same IPAM authoritative nameserver within the next 60s will skip steps 2 and 3, and return the same synthesized records with a lower remaining TTL.  Each individual IPAM authoritative nameserver maintains its own independent cache.

When the external nameserver’s response for the target name changes, IPAM’s response for the virtual alias name will also change (once the old response expires from cache).

If no A records are found for the target name, then IPAM will return zero A records for the virtual alias name.

This virtual A Alias record is only used to answer A record queries, but we could additionally and independently configure a virtual AAAA Alias record to answer AAAA record queries.

Key differences vs CNAME records

  • A CNAME record affects query behavior for all record types, but each virtual Alias record applies to only one record type (e.g. only A records, or only AAAA records).  This enables virtual Alias records to coexist with records of other types, which is why they can be placed at a zone apex while a CNAME record cannot.
  • Virtual Alias records are transparent (invisible) to clients, ultimately yielding the same query response as an equivalent set of static records:

    example.com.  IN A  198.51.100.17
    example.com.  IN A  198.51.100.18

    whereas CNAME records are explicitly returned and must be interpreted by the client:

    www.example.com.        IN CNAME  abc123.cloudfront.net.
    abc123.cloudfront.net.  IN A      198.51.100.17
    abc123.cloudfront.net.  IN A      198.51.100.18

    In this case only the CNAME record comes from our IPAM authoritative nameserver; the client’s recursive resolver combines that with A records from some other authoritative nameserver to form the sample response shown.

Best practice: use a CNAME record if you can.  Use virtual Alias records when you need aliasing behavior but it’s not technically possible to use a CNAME record.  See also Limitations below.

Limitations

Virtual Alias records cannot coexist in IPAM with other records of the same type (i.e. you cannot define both a virtual A Alias and a stand-alone A record for the same name).  There is no “fallback” functionality.

Virtual Alias records can be difficult to troubleshoot, since the external behavior of their target names might change unpredictably. 

CloudFront in particular tends to return a wide variety of different answers for the same target name at any given moment (not just over time), so it is entirely reasonable and expected for each individual IPAM authoritative nameserver to return a different answer for the virtual alias name (each corresponding to the response that particular nameserver most recently got from CloudFront), and for none of those answers to match a separate test query for the CloudFront target name.

Virtual Alias records cannot be used in DNSSEC signed zones.

We don’t use DNSSEC signed zones as this time, but plan to do so in the future.

At this time, we are offering virtual Alias records only for the zone apex of a second-level non-.edu domain (e.g. example.com), not for .edu subdomains.

(Note however that third-level .edu subdomains can be registered as a third-level CNAME record in the illinois.edu zone instead.)

Configuring virtual Alias records

Unfortunately we are not able to offer self-service configuration of virtual Alias records within IPAM at this time.  Changes should be made by request to hostmgr; be sure to include

  • fully qualified domain name (FQDN) for the virtual alias
  • which record type(s) should be aliased
  • the target FQDN

Virtual Alias records vs DNS Traffic Control

Virtual Alias records and DNS Traffic Control both involve synthesized responses, but they are aimed at different use cases.

Consider using DNS Traffic Control if your service has a stable set of eligible target IP addresses, but some of them might be unhealthy from time to time.

Consider using a Virtual Alias record if your service has a stable target DNS name, but the set of IP addresses that name might resolve to is unpredictable (and it’s not possible to use a CNAME record).

DHCP Ranges (Dynamic Pools)

This page contains information about configuring DHCP Ranges (Dynamic Pools) and DHCP options.

Introduction

A DHCP Range provides a pool of IP addresses that can be assigned interchangeably to any eligible DHCP client.

To configure an individual IP address for use exclusively by a single DHCP client, see DHCP Fixed Addresses or Adding DHCP to a Host Record.

The instructions below assume that you are working in DHCP View (see Getting Started with IPAM). Some DHCP configuration tasks can also be performed from IPAM View, but the exact sequence of steps may differ.

Creating A New IPv4 DHCP Range

To create a new DHCP Range:

  1. Open the Network in which you want to add a new range (see Getting Started with IPAM).
  2. Click the dropdown arrow next to the Add (+) icon above the table in the main workspace, then choose “Range”.
  3. Click “Next” at the bottom of the dialog window.
  4. Enter the desired Start (first) and End (last) IP addresses for the range.

    Make sure the range will be large enough to comply with Range Size Guidelines.

  5. Optionally enter an internal display name and/or a comment.
  6. Click “Next”.

  7. Important: for “Served by”, choose “IPv4 DHCP Failover Association” and then click the “Select Association” button to automatically select “DHCP-A” which is the only failover association available.

    Do NOT select “Grid Member”.  Although a DHCP Range served by a single Grid Member may appear at first glance to function correctly, this configuration is unsupported because it does not properly utilize the redundancy provided by DHCP Failover.

  8. Click “Save & Close” at the bottom of the dialog window.

Editing a Range

To edit an existing Range:

  1. Navigate to the Range you want to edit (e.g. by opening its Network in DHCP View, see Getting Started with IPAM).
  2. Select the checkbox for the Range object and click the Edit (notepad) icon above the table.  This opens the Edit dialog box.
  3. Be sure to enable Advanced Mode for the dialog.
  4. Make any desired changes (see subsections below).
  5. Click “Save & Close”.

Setting DHCP Options

See DHCP Standards for the option values that will automatically apply unless you choose to override them.

To configure additional DHCP options:

  1. Choose the “IPv4 DHCP Options” subscreen in the Edit dialog.
  2. Scroll down to the “Custom DHCP Options” section at the bottom.
  3. Add your new option in the last row:
    1. First field:
      • Choose a custom vendor option space if you wish to set a vendor-specific option which will be automatically encapsulated inside option 43 (see RFC 2132 Section 8.4) when replying to clients with the appropriate vendor class identifier (option 60).
      • Otherwise, choose “DHCP” to set a standard DHCP option.
    2. Second field: choose which option to set.  Option names are not standardized and may vary by implementation, so check the numeric option code (displayed in parentheses) to be sure you have the right one.

      If you need to set a custom DHCP option or vendor-specific option that is not yet defined in Grid Manager (i.e. does not appear in the drop-down lists), please contact hostmgr@illinois.edu.
    3. Third field: type the desired value.  The format of this value depends on the type defined for the option; see DHCP Option Data Types in the vendor documentation.
  4. To add another option, click the + button.

To configure BOOTP/PXE settings:

  1. Choose the “IPv4 BOOTP/PXE” subscreen in the Edit dialog (requires Advanced Mode).
    Click the Override button next to the setting you wish to override, and enter a new value.

    Hint: most PXE clients require values for Next Server and Boot File (which respectively populate the “siaddr” and “file” protocol fields defined by RFC 2131); please note that these settings are not the same thing as options 66 and 67. Clients utilizing the Boot Server (“sname” protocol field) setting are much less common in our experience.

If you need to enter a value that contains backslash characters, they should be doubled, e.g. foo\\bar instead of foo\bar.

Exclusion Ranges

To exclude certain addresses within a DHCP Range from being dynamically assigned to clients:

  1. Choose the “Exclusion Ranges” subscreen in the Edit dialog (requires Advanced Mode).
  2. To add a new exclusion range:
    1. Click the Add (+) icon above the table to create a new row.
    2. Click the empty “Start Address” field in the new table row that appears, and type the first address to be excluded.
    3. Click the “End Address” field and type the last address in the range to be excluded. To exclude only a single IP address, enter the same value for Start Address and End Address.
  3. To remove an exclusion range:
    1. Select the checkbox to the left of the exclusion range to be deleted.
    2. Click the Delete (trash can) icon above the table.

Email Alerts

By default, the DHCP servers will automatically alert you by email whenever the current utilization of one of your DHCP Ranges exceeds 95% (and again when it drops back below 85%), with a maximum of one email alert per Range per day.  The recipient list for these emails is automatically populated (at the Network level) based on the network contacts listed in Contacts Database.

You may wish to add the following addresses to your email address book and/or safe senders list to ensure that DHCP utilization warnings are not filtered as spam:

  • no-reply@dhcp-a1.techservices.illinois.edu
  • no-reply@dhcp-a2.techservices.illinois.edu

sample message
From: <no-reply@dhcp-a1.techservices.illinois.edu>
Subject: DHCP high threshold crossed:

Message: DHCP high threshold crossed:
  Member: 192.17.2.10
  Network: 172.21.195.0/28/default
  Range: 172.21.195.7/172.21.195.14///default
  High Trigger Mark: 95%
  High Reset Mark: 85%
  Current Usage: 100%
  Active Leases: 5
  Available Leases: 0
  Total Addresses: 5

Reporting: DHCP
Node: 192.17.2.10
Time: Mon Mar  7 15:01:49 2018


Network Name: 0210-citesdhcp-net

Utilization graphs: 
https://ipam-tools.techservices.illinois.edu/dhcpmon/view.fcgi?subnet=0210-citesdhcp-net

Help: https://netwiki.techservices.illinois.edu/public/home/ipamdocs/using-ipam/dhcp-ranges-dynamic-pools/#Email_Alerts

You can customize the behavior of Email Alerts for this Range by choosing the “IPv4 DHCP Thresholds” subscreen in the Edit dialog (requires Advanced Mode).

  • To adjust the threshold values (or disable notifications altogether) for this Range, click the Override button for the “DHCP Thresholds” area.

    • Be sure to check both “Enable DHCP Thresholds” and “Enable Email Warnings” if you do still want to receive notifications.  Do NOT check “Enable SNMP Warnings”.

      screenshot

    • Note that actual utilization must be strictly greater than the High Trigger Mark (or strictly less than the Low Trigger Mark) in order to trigger an alert.

      Hint: do NOT set High Trigger Mark to 100. If you only want notifications when the range is completely full, set High Trigger Mark to 99.

  • To manually specify the list of email addresses which will receive threshold alert notifications for this Range (overriding the default recipient list for the Network), click the Override button for the “Email Addresses” area and populate the table as desired.
  • To return either area to its default behavior, click the corresponding “Inherit” button.

Restricting Access to a Range

By default, IP addresses in a DHCP Range can be dynamically allocated to any client machine that is connected to the appropriate network. To restrict the use of a DHCP Range to specific clients:

  1. Create a new MAC Address Filter and populate it with the desired MAC addresses (see MAC Address Filters), OR identify a suitable existing MAC Address Filter.

    You can use the same MAC Address Filter to restrict access to multiple DHCP Ranges.
  2. Choose the “Filters” subscreen in the Edit dialog for the Range (requires Advanced Mode).
  3. Click the Add (+) icon for the Class Filter List table, and select your MAC Address Filter.
    • By default the filter will be added with Action “Grant Lease”, meaning that clients matching this MAC Address Filter will be permitted (and clients not matching any MAC Address Filter listed in the Class Filter List will be denied).
    • If instead you want to deny leases to MACs matching this filter, click on “Grant Lease” and it will become a drop-down, then choose “Deny Lease” instead.

To return to the default behavior of permitting all clients, simply remove all Filters from the Class Filter List.

Advanced note: some use cases may involve adding an IPv4 Option Filter to the Class Filter List instead.  If a Class Filter List contains more than one type of filter (e.g. one or more MAC Address Filters AND one or more IPv4 Option Filters), then clients will be checked against the criteria for each filter type separately, and must satisfy them all in order to receive a lease.

Using Multiple DHCP Ranges

Best practice: avoid using more than one DHCP Range on the same network, unless each is intended for a different (non-overlapping) set of clients.

In most cases, you will want to create only one DHCP Range per network. If your network has a discontinuous collection of IP addresses which should be assigned interchangeably, it is better to create one large DHCP Range with Exclusions then to create several small DHCP Ranges which are otherwise identical, because Email Alerts apply individually to each Range.

It may make sense to create multiple DHCP Ranges if each one is intended to be used by a different (non-overlapping) set of clients.  If this is your goal, make sure that you associate at least one Filter with each Range.

Hint: if you configure one DHCP Range with action “Grant Lease” for a particular Filter, and a second DHCP Range with action “Deny Lease” for the same Filter, then any clients matching that Filter will be placed in the first range and all other clients will be placed in the second range.

Placing Fixed Addresses inside a DHCP Range

Best practice: avoid placing Fixed Addresses (or DHCP-enabled Hosts) inside a DHCP Range.

If you configure a Fixed Address (or DHCP-enabled Host) for an IP address that resides within a DHCP Range, it will function correctly (i.e. the IP in question will not be allocated to any other client).  However, the fixed address will be counted in the utilization statistics for the DHCP Range, which can be confusing and misleading – especially in the context of Email Alerts.

The simplest way to avoid confusion is to separate the IP addresses used for dynamic vs fixed allocations so they don’t overlap, but this may not be feasible if your net is full of legacy devices that can’t be easily moved.  In that scenario, your choices include:

  • Configure Exclusion Ranges for all IPs used by fixed addresses, so that they will not be counted as part of the Range.  This works well, but increases complexity (if you ever remove the fixed address, you must also remember to remove the exclusion before the IP will become dynamically assignable again).
  • Accept that your utilization statistics will be inaccurate, and consider adjusting Email Alert thresholds for a better practical outcome (e.g. if utilization currently hovers between 95-99%, increase High Trigger Mark to 99 so that you’ll still receive a notification if it ever hits 100%).
  • Decide that email alerts on this Range aren’t worth the trouble, and disable them.  (But be careful: this means new dynamic clients will just silently fail to get a lease if none is available, and you won’t have any indication why).

Reserved Ranges

If you set “Served by” to “None (Reserved Range)” instead of “IPv4 DHCP Failover Association”, then your range will be a Reserved Range rather than a DHCP Range.

Reserved Ranges provide no DHCP functionality; they are simply a way to label a group of addresses within the IPAM system (with the additional proviso that Reserved Ranges and DHCP Ranges can never overlap). See vendor documentation for more information about Reserved Ranges.

Note that addresses within Reserved Ranges will be counted (along with DHCP Ranges) in the DHCP Utilization statistics for the entire net, which can be confusing.  Workaround: Edit the Reserved Range and check “Disable for DHCP”.

Stand-alone DNS Records

This page contains information about creating and managing stand-alone DNS records.

Introduction

We use the term “stand-alone” to refer to any standard DNS record type (A, AAAA, CNAME, MX, SRV, TXT, etc) which does not have special proprietary behavior in Grid Manager.  There are many different types of stand-alone records, but the steps for managing them are very similar; we will discuss a few of the most common ones.

This page does not contain many screenshots, but some of the screenshots from the Host Records page may also be helpful here.

Stand-alone A Records

An address (A) record maps a fully-qualified domain name to a single IPv4 address:

www.example.com. IN A 198.51.100.17

Publishing multiple A records for the same name is legal and results in “round-robin DNS” behavior.

Best practice: use stand-alone A records only when you need an A record with no matching PTR (see below for further discussion). If you want a matching pair of A and PTR records, create a Host Record instead.

To create a stand-alone A record (with no matching PTR):

  1. Open the DNS Zone in which you want to create the new record (see Getting Started with IPAM).
  2. Click the dropdown arrow next to the Add (+) icon above the table in the main workspace, then choose “Record” and finally “A Record”.

  3. If necessary, click the “Select Zone” button and choose the zone which will contain the desired fully-qualified domain name (e.g. to create “myrecord.sandbox.illinois.edu”, you would select the zone “sandbox.illinois.edu”).

  4. Type the leading portion of the Name (e.g. “myrecord“) into the text box to the left of the selected zone name, so that both pieces together form the desired fully-qualified domain name.
    • You may leave this text box empty to create a record with the same name as the zone itself (e.g. “sandbox.illinois.edu”).
    • You may type e.g. “foo.bar” in the text box to create a record named “foo.bar.sandbox.illinois.edu” even if there is no zone “bar.sandbox.illinois.edu”.
    • You may type “*” or e.g. “*.bar” in the text box to create a record with a wildcard domain name (see RFC 4592).
  5. Enter the target IP Address to which your A record should resolve.
  6. Important: UNCHECK “Create associated PTR record”

    If you do want a matching PTR, you should Cancel this operation and create a Host Record instead.  Leaving this box checked creates a stand-alone A record and a separate stand-alone PTR record, which is undesirable because they can easily get out of sync in the future.
  7. Click “Save & Close”.

AAAA records are exactly like A records, but they target IPv6 addresses instead of IPv4 addresses.

www.example.com. IN AAAA 2001:db8::17

When should I use stand-alone A records?

Use stand-alone A (and AAAA) records when you do not want a matching PTR record.

Common reasons for this include:

  • the IP address already has a PTR record pointing to a different fully-qualified domain name

  • the IP address belongs to a network whose reverse-mapping DNS is not managed in IPAM

Otherwise, it is preferable to use Host Records (which automatically manifest as matching pairs of A/AAAA and PTR records).

Note that it is best practice to avoid creating multiple PTR records for the same IP address.  While not technically an error, this may cause problems for software which expects reverse lookups to return a single name (an expectation subtly encouraged by language such as “primary” and “the host name” in https://tools.ietf.org/html/rfc1035#section-3.5).

When you want several fully-qualified domain names (FQDNs) to resolve to the same IP address, the recommended best practice is:

  1. Create a Host Record for the FQDN that you consider to be primary.
  2. Where possible, implement each additional FQDN as a Host Alias or stand-alone CNAME record pointing to the primary FQDN.
  3. Create a stand-alone A record with no PTR for each additional FQDN which cannot be implemented as a CNAME record.

Example: Host Record for server17.mysubdomain.illinois.edu, stand-alone CNAME records (pointing to server17.mysubdomain.illinois.edu) for www.mysubdomain.illinois.edu and www.example.com, and stand-alone A records (pointing to the same IP as the Host Record) for mysubdomain.illinois.edu and example.com (which cannot be implemented as CNAME records since each resides at the apex of a zone).

MX Records

A mail exchanger (MX) record indicates the fully-qualified domain name of a mail server which can accept incoming email messages for a domain:

illinois.edu. IN MX 10 incoming-relays.illinois.edu.

Note that successful use of this record also entails resolving A (and/or AAAA) records for the mail server name.

To create an MX record:

  1. Open the DNS Zone in which you want to create the new record (see Getting Started with IPAM).
  2. Click the dropdown arrow next to the Add (+) icon above the table in the main workspace, then choose “Record” and finally “MX Record”.

  3. If necessary, click the “Select Zone” button and choose the zone which will contain the desired fully-qualified domain name (e.g. to create “myrecord.sandbox.illinois.edu”, you would select the zone “sandbox.illinois.edu”).

  4. Type the leading portion of the Mail Destination (e.g. “myrecord“) into the text box to the left of the selected zone name, so that both pieces together form the desired fully-qualified domain name.
    • You may leave this text box empty to create a record with the same name as the zone itself (e.g. “sandbox.illinois.edu”).
    • You may type e.g. “foo.bar” in the text box to create a record named “foo.bar.sandbox.illinois.edu” even if there is no zone “bar.sandbox.illinois.edu”.
  5. In the “Mail Exchanger” field, enter the target fully-qualified domain name of the mail server to which the MX record should point.

    Per RFC 2181, the target of an MX record MUST NOT be an (explicit) alias (i.e. a Host Alias or CNAME record).  You are responsible for following this rule; it is not enforced automatically.
  6. In the Preference field, enter a priority value for this record. (10 is selected by default)

  7. Click “Save & Close”.

Stand-alone CNAME Records

A CNAME record defines a static, explicit alias in the DNS which affects query behavior for all record types:

www.illinois.edu. IN CNAME illinois.edu.
  • Query: www.illinois.edu. IN A?
    Answer:

    www.illinois.edu. IN CNAME illinois.edu.
    illinois.edu.     IN A     192.17.172.3
  • Query: www.illinois.edu. IN MX?
    Answer:

    www.illinois.edu. IN CNAME illinois.edu.
    illinois.edu.     IN MX    10 incoming-relays.illinois.edu.

Common points of confusion:

  • This CNAME record helps your browser find the IP address of a web server for www.illinois.edu.  It does not tell your browser to redirect HTTP requests for http://www.illinois.edu/ to a different URL (only the web server itself can do that).
  • A CNAME record cannot coexist with other records (e.g. no other records are permitted at www.illinois.edu)

    RFC 1034: “If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different.”

    A few special record types for DNSSEC are exempted by later RFCs.

  • A CNAME record cannot be placed at the apex of a zone (e.g. illinois.edu).

    This follows from the previous point, because the apex of a zone is required to have NS and SOA records.

  • CNAME stands for “canonical name”, but that term (correctly applied) refers to the target name, not the alias name.  Best practice: use the terms “alias” and “target” to avoid confusion.

To create a stand-alone CNAME record:

  1. Open the DNS Zone in which you want to create the new record (see Getting Started with IPAM).
  2. Click the dropdown arrow next to the Add (+) icon above the table in the main workspace, then choose “Record” and finally “CNAME Record”.

  3. If necessary, click the “Select Zone” button and choose the zone which will contain the desired fully-qualified domain name of the alias (e.g. to create “myalias.sandbox.illinois.edu”, you would select the zone “sandbox.illinois.edu”).

  4. Type the leading portion of the Alias name (e.g. “myalias“) into the text box to the left of the selected zone name, so that both pieces together form the desired fully-qualified domain name.
    • You may type e.g. “foo.bar” in the text box to create a record named “foo.bar.sandbox.illinois.edu” even if there is no zone “bar.sandbox.illinois.edu”.
    • You may type “*” or e.g. “*.bar” in the text box to create a record with a wildcard domain name (see RFC 4592).
  5. In the “Canonical Name” field, enter the target fully-qualified domain name to which the alias should point. 

    The target of a CNAME record should not be another (explicit) alias.  So-called “CNAME chains” are not technically an error, but create inefficient behavior and are discouraged as a bad practice (see RFC 1034 sections 3.6.2 and 5.2.2).

  6. Click “Save & Close”.

When should I use stand-alone CNAME records?

A Host Alias is functionally equivalent to a stand-alone CNAME record pointing to the Host’s primary FQDN, but carries trade-offs with respect to ease of future maintenance.  Which option is preferable depends on the situation.

Advantages of using a Host Alias:

  • A Host Alias will automatically be kept up to date if you change the Host’s primary Name, whereas a stand-alone CNAME record will be left “dangling” if the target Host record is renamed or deleted.

Advantages of using a stand-alone CNAME record:

  • Modifying an existing stand-alone CNAME record to point to a different target is a simple one-step operation.  The corresponding process for a Host Alias requires editing the old Host (to remove the Host Alias) and then editing the new Host (to add the Host Alias).
  • If a Host Alias resides in a different zone (from the primary Name of the Host) which is not managed by the same set of people, the disparity in permissions may impede self-service changes to the record (possibly requiring an escalation to hostmgr).  A stand-alone CNAME record presents no such problem; it is governed by the permissions on the zone containing the alias name, while any target record(s) are governed by the permissions of the zone containing the target fully-qualified domain name.

    Best practice: always use a stand-alone CNAME record in the case where the desired alias name and the canonical (target) name reside in different zones which may not be managed by the same set of people.

Stand-alone PTR Records

A PTR record is a pointer to another fully-qualified domain name.  PTR records (unlike CNAME records) are simple data; they do not alter DNS behavior, may coexist with other records, and have no inherent special meaning.  Their significance is understood by convention from where they are placed in the namespace (e.g. “17.100.51.198.in-addr.arpa” is understood to represent the IPv4 address 198.51.100.17).

PTR records are most commonly used for reverse-mapping DNS (i.e. mapping from an IP address to a fully-qualified domain name).  In general, you should never create a stand-alone PTR record in IPAM for this purpose; instead, create a Host Record which will automatically manifest as matching pairs of A (or AAAA) and PTR records.

The rare exception to this rule occurs when you specifically need a PTR record for reverse-mapping DNS to point to a fully-qualified domain name whose forward-mapping zone is not managed in IPAM.

If you do need to manage stand-alone PTR records for reverse-mapping DNS, just Open the Network in IPAM View (see Getting Started with IPAM); it is not necessary to navigate the arpa zones.

Stand-alone PTR records in forward-mapping DNS zones (used infrequently for other purposes such as DNS-SD) are not a special case, and can be managed just like the other types of stand-alone records described on this page.

Editing Stand-alone DNS Records

  1. Navigate to the record you want to edit (see Getting Started with IPAM).
  2. Select the checkbox for the record and click the Edit (notepad) icon above the table. This opens the Edit dialog box.
  3. Make any desired changes.
  4. Click “Save & Close”.

Deleting Stand-alone DNS Records

  1. Navigate to the record you want to delete (see Getting Started with IPAM).
  2. Select the checkbox for the record (making sure no other checkboxes are selected), and click the Delete (trash can) icon above the table.
  3. If you’re sure, click “Yes” when the confirmation dialog appears.

Networking Public Home

This is the home page for the Networking Public wiki space, which is viewable by the general public.

sysLocation Format

Example:

r:2110A b:0210 c:c p:F71871 f:2 ra:2 z:5 ru:4 N:DCL #comment

Tools:

Semantics

Key

Priority

Description of Value

R

room

3 ⭐️

room “number” (actually string) where the device’s CER resides

B

building

1 ✅ 🔴

number of building where the device’s CER resides

C

cer

2 ✅ 🔴

string designator code (unique within building) of CER where the device is installed

P

pas

4 ✅

Property Accounting Sticker code for device

F

floor

number of building floor on which the device’s CER resides

RA

rack

5 ✅

number of rack (unique within CER) in which device is installed

Z

z

6 ✅

height (in rack units) at which the device is installed within the rack, with z:1 indicating the bottom position.

RU

ru

number of rack units the device occupies

N

nice

7

“nice name” by which CITES Networking refers to the building (not the official F&S building name)

✅: sysLocation is the authoritative source for this data
🔴: required for E-911
⭐️: not authoritative, but critically important to humans

Notes

Room is not authoritative, as it can logically be derived from building and cer (plus a table of information about known CERs). However, it is critically important to humans that the room value in sysLocation be present and correct, so that network support personnel responding to a page can easily track down a device using only the information from its saved config.

Note that cer is not derivable; there are some cases where a single room can contain more than one CER.

Floor is not authoritative, nor particularly important to humans reading sysLocation, and should probably be phased out over time.

Ru is actually a property of a device’s model (rather than of an individual device), could be derived from sysObjectID plus a table of known information about device models, and should probably be phased out over time.

Nice is a friendly nickname for a building which is made up internally by CITES Networking; it should never be treated as “authoritative” nor exposed externally, but its presence in sysLocation is useful to humans, and it is desirable that its value (for a given building) be consistent across devices.

Priority

We have discovered empirically that some devices limit the number of characters in the sysLocation field (e.g. to 48), and may silently fail to store a longer value.

When updating sysLocation for a device:

  1. Always double-check after setting sysLocation to verify that the desired value was in fact successfully stored!
  2. If the desired sysLocation string is too long for the device to accept, choose which fields to include based on the priority ordering given in the table.

Syntax

Unique prefixes of keys are permitted, with “r:” and “rm:” also signifying Room.

Keys and values are separated by ‘:‘, optionally surrounded by white space.

Empty values are permitted.

Key/Value pairs are separated by white space.

sysLocation may end with a comment, after white space followed by ‘#‘.

sysLocation may be all comment (no Key/Value pairs at all) if it begins with ‘#‘ or white space followed by ‘#‘.

The Nice value is case sensitive, may contain white space, may not contain ‘#‘ or ‘:‘, and must be last (if it is included).

All other Keys and Values are case insensitive, may not contain white space, may not contain ‘#‘, and may appear in any order.

Any excess white space may be removed from Nice values and from comments when parsing sysLocation.

World IPv6 Day – Urbana campus information

World IPv6 Day

What is World IPv6 Day?

World IPv6 Day is a 24-hour chance for service providers to test out IPv6 and see how it works in their environment. Major providers like Google, Facebook, Yahoo!, Akamai are using June 8, 2011 (GMT) as their test. For people on our campus, the official “day” will be 7pm on June 7th through 7pm on June 8th. The goal of this exercise is to see what is easy, what is hard, and what breaks when you turn on IPv6.

The website http://www.worldipv6day.org/ has more information on the World IPv6 Day.

What is IPv6 and Why do I care?

  • The short version is IPv6 is the next generation of IP addressing, since the world is running low on the current IPv4 addresses. Low enough that some users are only getting IPv6 addresses. You care because those users can only access your services through conversion systems, and those are out of your control. You don’t know what their user experience is and whether or not they think your service is poor because of that conversion. So you want your services native on IPv4 and IPv6 so that all users get the experience you planned for them.
  • CITES Networking and Security groups did a pair of presentations at the Fall 2010 IT Pro Forum about this. You can see the video here: http://itproforum.illinois.edu/2010Fall/schedule.php#2-B

What IPv6 services are available on the Urbana campus?

Urbana Campus Permanent IPv6 Services

  • Network Time (NTP)
  • Akamai (the caching servers are hosted on the ICCN network and serve all three campuses)
  • Network Backbone
  • ICCN (The regional network that connects Urbana with the other U of I campuses, the Internet, and R&E network providers like Internet2)

Urbana Campus Services being tested on World IPv6 Day

How to participate in World IPv6 Day

From the Urbana campus, you need to get on the IllinoisNet wireless SSID, and try things out. Android phones, some iPods and iPhones (running iOS 4), iPads, Windows laptops (native on Vista and 7, a patch is needed for XP to support IPv6) and Apple laptops (10.4.8 and later) should all be able to get IPv6 addresses and use them. If you haven’t connected to IllinoisNet before, you can get information on doing that at this webpage: http://www.cites.illinois.edu/wireless/wpa2/index.html

Once you are on IllinoisNet, go to a website like http://www.whatismyipv6.com/ and make sure you got an IPv6 address (if you didn’t, see the troubleshooting section below). Then try out websites like Google and Facebook see if you can tell a difference. Try the campus IPv6 websites listed above and make sure you can connect. You might want to try and see the “Dancing Turtle” which is a page that is only animated if you connect with IPv6 to this website: http://www.kame.net/ . If everything is going smoothly, you shouldn’t be able to tell you are on IPv6. Just do your normal email, web and other network things. For the servers and services testing IPv6 you’ll be providing them with data in their log files, in number of IPv6 users they served and if there are problems, by letting them know about them.

A handy tool for Firefox users is https://addons.mozilla.org/en-us/firefox/addon/showip/ which shows the IP address of the server you’re connecting to at the bottom of your window. you can quickly tell if you’re on an IPv6 server or not.

How to provide feedback on your IPv6 experience

  • ITPros can call 244-1000 to report problems or outages of any kind, whether or not they are related to IPv6
  • For less urgent feedback, ITPros can join the IPV6-USERS listserv and post feedback there
  • If you are not an ITPro then please send email to ipv6day-feedback@ct-mail.cites.uiuc.edu with your feedback.

Troubleshooting IPv6

I didn’t get an IPv6 address, how do I get one?

  • First make sure you are connected to IllinoisNet wireless as your only network connection
  • Then make sure you haven’t turned IPv6 off on your system
  • Windows XP users might need to install a patch. http://support.microsoft.com/kb/2478747
  • If you are on IllinoisNet and have IPv6 enabled but still aren’t getting an address you can stop by our World IPv6 Day table just outside the CITES Help Desk in DCL from 10am to 4pm on June 8th and someone will help you figure out why it isn’t working.

I got an IPv6 address but I can’t get to any of the IPv6-only pages

  • If you have time, come to our table just outside the CITES Help Desk in DCL from 10am to 4pm on June 8th and someone will help you figure out why it isn’t working.

I got an IPv6 address but now nothing works

  • Follow the instructions for turning IPv6 off below.
  • If you have time, come to our table just outside the CITES Help Desk in DCL from 10am to 4pm on June 8th and someone will help you figure out why it isn’t working.

I got an IPv6 address and something are working but others aren’t

  • Follow the instructions for turning IPv6 off below.
  • If you have time, come to our table just outside the CITES Help Desk in DCL from 10am to 4pm on June 8th and someone will help you figure out why it isn’t working.

How to turn IPv6 off

CITES multicast information

Multicast usage on campus is growing, and CITES is working hard to make the underlying networking system for multicast more stable. In order to do this we will need some help from the departmental IT Professionals.

If you’re not familiar with multicast and how it works, please take a minute or two to read this UIUCnet multicast basics document on the CITES website:

http://www.cites.illinois.edu/network/advanced/multicast.html

Here’s what CITES has already done and what we have in progress:

We have updated our campus edge multicast filters to the current best practices list based on information gathered from Abiline and other I2 institutions. These filters keep us from sending out to the rest of the world things like our Ghost and Retrospect Remote traffic, and also keeps us from getting that traffic in from other places. We are blocking well known “problem” multicast addresses like Norton Ghost, as well as all reserved addresses that are not allocated for use at this time. For a complete list of what we are blocking at the campus edge, please see the end of this email. If there is an address we are blocking that you have a need for, please contact multicast@uiuc.edu and we will work with you to enable the groups you need.

We worked extensively with our core router vendor to make changes to their multicast routing behavior so that it would work in a supportable way in our environment. At this time we believe that the core routers support of multicast is up to the every-day use of multicast.

We have setup an “anycast” style Rendezvous Point (RP) on the campus side of the firewalls for responsiveness to things on campus (and for functionality incase of an exit issue) and one on the far side of the firewalls to use for multicast peering to other institutions. This will remove the RP as a single point of failure for on-campus use, since either can take over if one is not working. the campus side RP is offline due to software issues. We are working on returning that to service.

CITES is also working with our various hardware vendors where we have found multicast problems to be sure that the vendor knows about the issues we are seeing and are working on a fix.

CITES Network Designers are making sure that IGMP snooping is turned on for all newly deployed devices to be sure that multicast isn’t flooded throughout the building networks by default. They are also working with net admins to turn on IGMP snooping in existing equipment where it is not already on. If you would like to request multicast to be enabled for your network please have the networking contact for the subnet mail ndo@uiuc.edu with your request.

CITES has moved to a default of turning multicast routing on for a newly created subnet so that multicast features can be used by the IT Professionals and the Unit’s users. Any Unit can choose to leave multicast off, and any Unit with an existing subnet that does not have multicast on can request it be turned on.

To request a multicast address send email to multicast@illinois.edu and describe what you’re doing, how long you need the address for and whether it should be a global address to a limited-to-campus address.

As mentioned above here’s a list of multicast groups that are blocked at the campus exits. For those of you not familiar with the details of the exits, NCSA is on the far side of these connections, and so these groups are also blocked to NCSA.

inbound to campus information on the following groups:

224.0.1.1
224.0.1.2
224.0.1.3
224.0.1.8
224.0.1.22
224.0.1.24
224.0.1.25
224.0.1.35
224.0.1.39
224.0.1.40
224.0.1.60
224.0.2.1
224.0.2.2
224.1.0.38
224.0.0.0 0.0.0.255
224.77.0.0 0.0.255.255
224.128.0.0 0.0.0.255
225.0.0.0 0.255.255.255
226.0.0.0 0.255.255.255
227.0.0.0 0.255.255.255
228.0.0.0 0.255.255.255
229.0.0.0 0.255.255.255
230.0.0.0 0.255.255.255
231.0.0.0 0.255.255.255
234.0.0.0 0.255.255.255
235.0.0.0 0.255.255.255
236.0.0.0 0.255.255.255
237.0.0.0 0.255.255.255
238.0.0.0 0.255.255.255
239.0.0.0 0.255.255.255

outbound from campus traffic blocked on the following groups:
10.0.0.0 0.255.255.255 any
127.0.0.0 0.255.255.255 any
169.254.0.0 0.0.255.255 any
172.16.0.0 0.15.255.255 any
192.168.0.0 0.0.255.255 any