Network administration

The supervisors for the computers and subnetworks of your faculty (or central facility or university administration) are the respective FIOs (Faculty Information Officers). They can delegate network maintenance tasks in the TU portal to the following persons or groups: network administrators, server administrators and local administrators. The network administrator of your unit can register, change and delete IP addresses and DNS entries.

Instructions

Web interface for DNS administration

The web interface for the administration of registered computers is currently being tested. It is meant to automate most of the DNS and computer administration, but not to cover every exotic case. Computers in non-TU domains, multiple IPs with a shared name (DNS round robin) and similar cases cannot be administered via the web interface in the foreseeable future.
In those cases the old IP application form should be used (if absolutely necessary, a simple email will do).
We approach suitable test users and ask them to test the web interface. The web interface is not yet released and may still contain a number of grave errors! In order to use the web interface your computers have to be in (a) separate subnet(s). Computers in a building network cannot be administered using the web interface!
After all the tests are done you can reach the web interface from within your personal portal (TUBIS, via TUB-Login) if your role administrator has issued you the role "dns-verwalter" (DNS administrator) or if someone with that role has declared you their deputy.
In both cases TUBIS enters your name (unique ID) and your cost center into the web interface. You will then be able to see all the IPs registered to your cost center. That means:

  • Everyone with this role and cost center can administer every computer registered to that cost center.
  • When a role administrator of another unit issues you that role, you can administer that unit's computers too.
  • A restriction within a cost center is not possible. Every DNS administrator for a given cost center can do everything with that cost center.
  • If you administer more than one cost center, on every login you have to decide which cost center to administer.
  • Computers registered with too many cost centers may reduce administrative efficiency: you will need a lot of roles, each showing only a small set of computers. It may be advisable to reduce the number of cost centers a computer is registered to to one.

Changes to the DNS do not take immediate effect. NOC is informed automatically, and changes are checked before they are released (or discarded if necessary).

We plan on releasing DNS changes once a day. During the test phase the time between releases may differ a lot.

Network administrators

About network administrators

For historical reasons, we have a register of responsible persons for every computer. For modern subnetworks (not house networks) we have replaced this with network administrators who are responsible for all computers of their cost centre and subnetwork. Requirements are:

  • own subnetwork (no house network)
  • provisioned account
  • person officially appointed using TU Portal TUBIS

You can look up the network administrators of cost centres using the TU Portal application "Liste der Rollenverwalter und IT-Betreuer". The application does not give information about the corresponding subnetworks.

For house networks the following applies: the network administrator is not responsible for the entire network, but only for those computers belonging to his/her organisational unit. He/she does not have any influence on other computers within the house network.

Only the person appointed by the person in charge of the cost centre, a provisioned employee of TUB, is entitled.

The network administrator will be notified by NOC if any computers under his/her administration cause problems (such as abuse) and is allowed to submit register/change applications. If the administrator does not submit the application himself/herself, it has to be ensured that the administrator is notified. This can be done by sending an e-mail as applicant (not entitled) to noc@tubit.tu-berlin.de with CC (copy) to the corresponding (entitled) network administrator.

We use the address information saved in TUBIS for contacting the network administrator. If we do not have that information, we cannot contact the network administrator. The operations necessary for maintenance and security will be conducted in any case.

Why can't everyone be an administrator?

  1. Nobody wants 20000 administrators for 20000 computers. There would be a chaos of responsibilities, directives, unauthorised applications, vacations, deputies and so on.
  2. Most users do not want to (and should not) be confronted with administration details.
  3. Computers are not alone but form groups in subnetworks. If a network has to be renumbered, every user would have to be notified individually.
  4. We cannot and do not want to decide over contradicting interests within an organisational unit. We need one person who communicates with us and has dealt with all internal issues in advance.

Persons who hold the network administrator role (Netzbetreuer resp. dns_verwalter) are entitled by definition.

Subdomains

A domain is a text which describes an entry of the hierarchical DNS. Germany has the top-level domain DE, and TU Berlin has the part TU-Berlin.DE, meaning it is a subdomain of DE if you choose DE as the starting point.

General information about subdomains at TUB

Every computer name at TUB ends with TU-Berlin.DE; therefore we call this our "main domain" and the subordinate hierarchical layer a "subdomain". This is necessary since there are more than 20000 TU computers, which cannot all be labeled name.TU-Berlin.DE. Instead they receive a name like name.subdomain.TU-Berlin.DE. Every department with an organisational character can receive its own subdomain name. This name is connected with the OrgName and has the same name. These rules apply, not only for websites:

  1. 2 to 20 characters, no person names
  2. Characters: a-z, 0-9, hyphen; the first character has to be a letter
  3. The person in charge of the cost centre resp. FIO assures that there are no 3rd party claims for the name. For a use in a university context, name and trademark rights are relevant (according to Prof. Dr. Hoeren, Lehrstuhl Rechtsinformatik, Uni Münster, DFN-Conference "Praktische Rechtsfragen" 14.02.2008).
     You can research name rights with the following methods:
       • Contract a lawyer
       • Use a major search engine and examine the first 30 hits

In addition to that subdomain you can apply for more subdomains if necessary:

Langname (if the orgname is an abbreviation: extended form of the orgname, for example orgname info, langname: informatik)
Übersetzung (only for departments with strong focus on international activities, for example orgname info, translated into computer-science)
Internet/Project name (name for specific projects, they will be deleted 6 months after the project has been finished)

At the moment dozens of subdomains exist with names like:

  • math.TU-Berlin.DE (Institut für Mathematik)
  • siwawi.TU-Berlin.DE (Fachbereich Siedlungswasserwirtschaft)
  • zuv.TU-Berlin.DE (zentrale Universitätsverwaltung)
  • cs.TU-Berlin.DE (Informatik)

Another hierarchical level (subsubdomains) is not available at the moment. Existing subsubdomains are exceptions.

General information about domains outside TUB

External domains (which do not end with TU-Berlin.DE) are not administered by NOC. Existing domains are exceptions.

You can get external domains from external providers and administrate them using the provider's tools, but please note: 

  1. Such domains do not comply with the corporate design of TUB as enacted by the chancellor and all faculties.
     Therefore they are usually inadmissible.
     Exceptions are, for example, cooperations with other universities or projects where TUB is not in charge (or just acts as a host). These websites must not carry the corporate design.
  2. You are responsible for keeping the entries up to date. NOC cannot help.
  3. The domain is registered for a natural person (not for an institute or similar). This person will receive a bill (which can be covered by TUB) and is the responsible party in case of a lawsuit.
  4. The natural person ensures that the desired name is free of 3rd party rights. For a use in a university context, name and trademark rights are relevant (according to Prof. Dr. Hoeren, Lehrstuhl Rechtsinformatik, Uni Münster, DFN-Conference "Praktische Rechtsfragen" 14.02.2008).
     You can research name rights with the following methods:
       • Contract a lawyer
       • Use a major search engine and examine the first 30 hits

In deviation from the first paragraph, NOC can conduct the registration of an external domain in special cases. In that case NOC chooses the provider and only takes care of the technical execution, but will not provide a responsible person for the content and will not pay the charges (36 EUR/year + 36 EUR for setup).

Getting a subdomain

Subdomains are the technical basis for OrgName, Internet and Project names. They can only be applied for by the correspondent role administrator. 
Websites must comply with the Rules for the allocation of webdomains (PDF, 237,1 KB) (see current notice of the chancellor from 15.05.2007).
Note: This is not about Domain-Name-Service (DNS-Entries) for computers and not about Windows domains.

Administrating network connections

Switching network connections

By default, the network connections are connected to the corresponding subnetwork. Should you want to configure the network connections differently, you can set them up yourself.

Preparation:

  1. Needed role: "Netzwerkverwalter" (network administrator)
  2. The cost center has to have a network
  3. The building, floor, room and number of the network connection has to be known

Navigation to the administration of the network connections:

Persönliches Portal > Netzwerkverwaltung > Netzwerkanschlüsse > Konfigurieren

Procedure:

  1. Select the cost center
  2. Select the building, floor and room
  3. Select the connection to be switched based on the number
  4. Now select the network to be switched in the column 'Status'
  5. Possible networks:

    1. Gast (standard) - see above
    2. Alle Netze der Kostenstelle (all networks of the cost center)
    3. Telefon - Attention: If a connection is switched to Telefon, it has to be physically reconnected. Therefore this process takes time and can be difficult to revert.

  6. Click on "Änderungen übernehmen" to accept the changes
  7. Check the changes in the new window
  8. After checking the changes check the box "Ja, das will ich wirklich." (Yes, I really want that) and click the button "Absenden"
  9. After 20 minutes the new network should be activated on the network connection. Please note the point 4.1.4) regarding Telefon.

Managing subnets

General information about subnets at TUB

The TUB has two Class-B networks which could potentially contain 2 times 65000 computers. For numerous reasons these 2 networks are divided up into subnetworks. (Merging the two networks into one 130.000-IP network is not possible, and does not make sense.)
All TUB subnetworks of the first network have 130.149 as first and second number; two more numbers follow. The size of the subnetwork is determined only in connection with the subnet mask (255.255.x.y). Therefore please provide both. (We do not assume that you have a Class-C network. Therefore it is not sufficient to specify only the third number of your IP address.)
Example: If you have the IP address 130.149.107.32, it is not sufficient to say that you have the 107 subnetwork, since you only have a part of the 130.149.107 subnetwork, which is a part of the TUB network 130.149. You could only say "I have one of the 107 subnetworks", but this specification is still incomplete. Instead please give us the IP (130.149.107.32) and subnet mask (255.255.255.192), which allows us to see that your subnetwork ranges from 130.149.107.0 to 130.149.107.63.
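As an added example (not part of the TU Berlin page or its portal), the following Python uses the standard library ipaddress module to show why the same host address maps to different subnetworks depending on the mask, using the page's 130.149.107.32 / 255.255.255.192 case; the alternative masks are constructed to illustrate the ambiguity:

```python
import ipaddress

# Constructed example values from the text above: the same host address,
# paired with three different masks a caller might mean by "the 107
# subnetwork". Only IP plus mask pins down exactly one range.
EXAMPLE_IP = "130.149.107.32"
CANDIDATE_MASKS = ("255.255.255.0", "255.255.255.128", "255.255.255.192")


def subnet_range(ip: str, mask: str) -> tuple[str, str, int, int]:
    """Return (first address, last address, prefix length, size) of the
    subnetwork containing `ip` under the dotted-decimal `mask`.
    strict=False lets us pass a host address instead of the network address."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return (
        str(net.network_address),
        str(net.broadcast_address),
        net.prefixlen,
        net.num_addresses,
    )


def ambiguous_ranges(ip: str, masks=CANDIDATE_MASKS) -> dict[str, tuple[str, str]]:
    """Map each candidate mask to the (first, last) range it would imply.
    Every entry differs, which is why NOC asks for IP *and* mask."""
    return {m: subnet_range(ip, m)[:2] for m in masks}


def sibling_subnets(ip: str, mask: str) -> list[str]:
    """List all subnetworks of the same size inside the enclosing /24
    ('the 107 network'); the caller's network is only one of them."""
    own = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    block = ipaddress.ip_network(f"{ip}/24", strict=False)
    return [str(s) for s in block.subnets(new_prefix=own.prefixlen)]


if __name__ == "__main__":
    first, last, plen, size = subnet_range(EXAMPLE_IP, "255.255.255.192")
    print(f"{EXAMPLE_IP}/255.255.255.192 -> {first}..{last} (/{plen}, {size} addresses)")
    for m, (lo, hi) in ambiguous_ranges(EXAMPLE_IP).items():
        print(f"  mask {m:<15} would mean {lo}..{hi}")
    print("siblings inside 130.149.107.0/24:",
          sibling_subnets(EXAMPLE_IP, "255.255.255.192"))
```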

We do not know how the IPv6 address space will be divided as soon as IPv6 will be officially implemented.

Subnetworks have nothing to do with Subdomains.

General information about IP (Version 4)

Every computer within a network needs a unique IP address. For the worldwide internet, TCP/IP has established itself. Therefore the so-called IP address has to be unique worldwide. This has to apply for every computer: it has to be reachable via ping (at least within the TU network, see Class-B Networks of TU).

There are two IP (Internet Protocol) types: IP Version 4 and IP Version 6.

IP (Version 4)

IP Version 4 (often abbreviated IPv4 or IP4 or just IP) is the established protocol, used for decades. An IP address (more precisely: an IPv4 address) consists of four numbers separated by 3 dots. Example: 130.149.0.251
The 4 numbers of IP addresses must be between 0 and 255. Thus the lowest IP address is 0.0.0.0 and the highest 255.255.255.255.

For special purposes there are also private IPv4 addresses which are not world-wide unique. They are formed from a certain part of the IPv4 address area:

  • 10.0.0.0 to 10.255.255.255 (10.0.0.0/8, one Class-A network)
  • 172.16.0.0 to 172.31.255.255 (172.16.0.0/12, 16 Class-B networks)
  • 192.168.0.0 to 192.168.255.255 (192.168.0.0/16, 256 Class-C networks)

In addition there are further IP address areas with special features (e.g. 169.254.0.0/16).

Due to the immense success of IPv4 there is a shortage of addresses, and they will not be sufficient in the long term.

IP Addresses of TUB (IPv4)

The TUB has got two Class-B networks for IPv4 with the public addresses:

  • 130.149.0.0 to 130.149.255.255 (130.149.0.0/16, 65000 IPs)
  • 141.23.0.0 to 141.23.255.255 (141.23.0.0/16, 65000 IPs)

Thus the first numbers of public IP addresses always start with 130.149 or 141.23.

Firewall rules covering the TU network always have to apply to both address areas.
A firewall ruleset "exclude all IP addresses but TU addresses" would look like this:

Ruleset "Allow TUB-IPs only" (IPv4)

  Action | Prot. | Src-IP | Src-Port | Dst-IP         | Dst-Port
  -------|-------|--------|----------|----------------|---------
  permit | ip    | any    | any      | 130.149.0.0/16 | any
  permit | ip    | any    | any      | 141.23.0.0/16  | any
  deny   | ip    | any    | any      | any            | any

General information about IP (Version 6)

IP Version 6

In order to compensate the shortage of addresses and to increase some details, IP Version 6 (abbreviated IPv6) has been specified.

An IPv6 address is a hexadecimal character string separated by 7 colons. An abbreviation method allows runs of zero groups (and their colons) to be omitted in some cases. Example: 2001:0638:0809:0000:0000:0000:0000:AC7F resp. 2001:0638:0809::AC7F
The 8 hex numbers of the IPv6 address must be between 0000 and FFFF. (A single hex number can be formed by the numbers 0-9 and the letters A-F).

IP Addresses of TUB (IPv6)

The TUB has got these public addresses:

  • 2001:0638:0809:0000:0000:0000:0000:0000 to 2001:0638:0809:FFFF:FFFF:FFFF:FFFF:FFFF
    (2001:0638:0809::/48, more than 1 septillion IPv6 addresses)

Thus a TUB IPv6 address always begins with 2001:0638:0809.

Ruleset "Allow TUB-IPs only" (IPv6)

  Action | Prot. | Src-IP | Src-Port | Dst-IP              | Dst-Port
  -------|-------|--------|----------|---------------------|---------
  permit | ipv6  | any    | any      | 2001:0638:0809::/48 | any
  deny   | ipv6  | any    | any      | any                 | any

Please note that ICMPv6 must not be prohibited in any firewall.
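As an added example (not the page's own tooling), the following Python models the two "Allow TUB-IPs only" rulesets above as a first-match packet filter and adds a check for the page's rule that anything covering the TU network must apply to both address areas. The "permit icmpv6" line, the rule model, the probe addresses and the documentation-range source addresses are assumptions of this example:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "ip" (any IPv4), "ipv6" (any IPv6) or a next-header name such as "icmpv6"
    src: str     # "any" or a CIDR prefix
    dst: str     # "any" or a CIDR prefix


# The page's two rulesets merged into one first-match list. The "permit icmpv6"
# entry is an addition reflecting the note that ICMPv6 must never be blocked;
# it sits before the IPv6 catch-all deny so it still wins.
TUB_ONLY = [
    Rule("permit", "ip", "any", "130.149.0.0/16"),
    Rule("permit", "ip", "any", "141.23.0.0/16"),
    Rule("deny", "ip", "any", "any"),
    Rule("permit", "ipv6", "any", "2001:0638:0809::/48"),
    Rule("permit", "icmpv6", "any", "any"),
    Rule("deny", "ipv6", "any", "any"),
]


def _addr_ok(pattern: str, addr) -> bool:
    """'any' matches everything; otherwise the address must lie in the prefix.
    `in` is False when prefix and address are different IP versions."""
    if pattern == "any":
        return True
    return addr in ipaddress.ip_network(pattern)


def _proto_ok(rule_proto: str, addr, l4: str) -> bool:
    """'ip' matches every IPv4 packet, 'ipv6' every IPv6 packet,
    any other value must equal the packet's transport/next header."""
    if rule_proto == "ip":
        return addr.version == 4
    if rule_proto == "ipv6":
        return addr.version == 6
    return rule_proto == l4


def evaluate(rules, src: str, dst: str, l4: str = "tcp") -> str:
    """Return the action of the first matching rule; unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("src and dst must be the same IP version")
    for r in rules:
        if _proto_ok(r.proto, d, l4) and _addr_ok(r.src, s) and _addr_ok(r.dst, d):
            return r.action
    return "deny"


# One constructed probe per TU address area named on the page (host parts are
# made up). The source is a documentation address standing in for "outside".
TUB_PROBES = ("130.149.7.7", "141.23.0.1")
OUTSIDE_V4 = "198.51.100.7"


def covers_both_areas(rules) -> bool:
    """A ruleset that forgot one of the two Class-B areas fails this check."""
    return all(evaluate(rules, OUTSIDE_V4, p) == "permit" for p in TUB_PROBES)


if __name__ == "__main__":
    for src, dst, l4 in [(OUTSIDE_V4, "130.149.4.120", "tcp"),
                         (OUTSIDE_V4, "198.51.100.9", "tcp"),
                         ("2001:db8::1", "2001:638:809::ac7f", "tcp"),
                         ("2001:db8::1", "2001:db8::2", "icmpv6")]:
        print(f"{l4:7} {src:>20} -> {dst:<20} {evaluate(TUB_ONLY, src, dst, l4)}")
    print("covers both TU areas:", covers_both_areas(TUB_ONLY))
```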

IPv6 is currently not being employed at TUB.

The IPv6 team currently evaluates the technical and organisational aspects which are the basis for a later implementation of the protocol. In advance one can say:

  • IPv6 offers advanced technologies which will facilitate working in some cases.
  • TUB does not need IPv6 since there are enough IPv4 addresses.
  • IPv6 is (despite its long history of 20 years) a new and rarely employed technology.
  • The traffic monitored by DE-CIX is 99.8% v4 and 0.2% v6, showing its current significance in Europe.
  • IPv6 offers new technological challenges which are not completely covered by manufacturers and us.
  • Possible issues: v6 ACLs completely hardware based? -> interaction: Sup, FWSM, OSPF, BGP, ASA; DAD attacks; firewall rules for /64 networks; DNS entries for diced v6 addresses; different interfaces for local/global communication; static DHCPv6; ...

As IPv6 is a currently unsupported technology, we reserve the right to block IPv6 traffic (including tunnels).
If you need IPv6 for research or teaching, please contact your network administrator. The administrator should inform us about the project, and we will evaluate whether the project can be realised with our capacities.

Create a new subnetwork

The need for a new subnetwork can emerge, if

  • a new subnetwork with another functionality needs to be created, which has to exist separately from the existing subnetwork(s).

Preparation:

  1. Needed role: "Netzwerkverwalter" (network administrator)
  2. Determine the number of needed IP addresses for the next approx. 18 months (at least the number of devices in the network)

Navigation to the administration of the connections:

Persönliches Portal > Netzwerkverwaltung > Netze und IPs verwalten

Procedure:

  1. Click on the "+" (add) button
  2. Fill in the number of needed IP addresses that were determined previously in the field "Wieviele IP-Adressen (Geräte) benötigen Sie?"
  3. Choose the building
  4. Click on the tab "Neu-Beantragung"
  5. Specify the purpose of the subnetwork
  6. [optional] Specify an additional explanation
  7. Click on the button "Subnetz jetzt beantragen"

Move subnetwork

The need for a new subnetwork can emerge, if 

  • the present subnetwork got too small (or too big). Please note: Your current subnetwork cannot be extended; a move of all IP addresses into a new, bigger network with other IP addresses is needed for this! In case of a reduction, you can keep the previous IP addresses.

Preparation:

  1. Needed role: "Netzwerkverwalter" (network administrator)
  2. Determine the number of IP addresses for the next approx. 18 months (at least the number of devices in the network)
  3. There must be a subnetwork that is to be moved

Navigation to the administration of the connections

Persönliches Portal > Netzwerkverwaltung > Netze und IPs verwalten

Procedure:

  1. Click on the "+" (add) button
  2. Fill in the number of needed IP addresses that were determined previously in the field "Wieviele IP-Adressen (Geräte) benötigen Sie?"
  3. Select the building
  4. Click on the tab "Umzug"
  5. Select the network that is to be moved
  6. [optional] Specify an additional explanation
  7. Click on the button "Subnetz jetzt beantragen"

Editing the data of subnetworks

Preparation:

  1. Needed role: "Netzwerkverwalter" (network administrator)
  2. There has to be a subnetwork that is to be edited

Navigation to the administration of the connections:

Persönliches Portal > Netzwerkverwaltung > Netze und IPs verwalten

Procedure:

  1. Choose the subnetwork that is to be edited
  2. Click on "Subnetzdaten bearbeiten"
  3. Now change the desired data in the new opened window
  4. To save the changes, click on the button "Ändern"

Deleting subnetworks

Preparation:

  1. Needed role: "Netzwerkverwalter" (network administrator)
  2. A subnetwork has to exist, which is to be deleted

Navigation to the administration of the connections:

Persönliches Portal > Netzwerkverwaltung > Netze und IPs verwalten

Procedure:

  1. Select the subnetwork to be deleted
  2. Click on the "-" (remove) button
  3. In the new window verify the data again and check if the right subnetwork was chosen
  4. Click on the button "Ja, löschen!"

DNS

DNS

The Domain Name Service (DNS) translates IP addresses into names which are handy for humans, and vice versa. For example www.heise.de becomes 193.99.144.85 and vice versa. DNS is structured as a hierarchy. The single components are separated by dots.

Each organisation with its own addresses has one or more DNS servers.

The nameserver of TUB is:

130.149.7.7 (ns.tu-berlin.de)

The system corresponding to that IP is redundant. For an increased safeguarding against failure you can use the following name server in addition (not instead) which is outside of TUB:

193.174.75.142 (ws-ber1.win-ip.dfn.de)

Caution: The name servers used until 2010 (130.149.4.20 and 139.149.2.12) are shut off!
If you still use them (even as second or third server), please remove them immediately. The IPs will be used for other purposes soon and the DNS-requests may be regarded as attacks or malfunction.

To all operators of firewalls:
Please ensure that the IP 130.149.7.7 is cleared for DNS.

To all operators of DNS servers:
Please ensure that you have the DNS server 130.149.7.7 for all zones which are not covered by your DNS server. Do not expect that your name server is allowed to send requests to our server recursively.
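As an added example (not from the TU Berlin page), the following Python audits a resolv.conf-style configuration against the guidance above: it flags the decommissioned servers 130.149.4.20 and 139.149.2.12, requires ns.tu-berlin.de (130.149.7.7) to be present, and warns when the external DFN server is used instead of it. The sample configuration is constructed for this example:

```python
import re

# Name server addresses as given in the text above.
CURRENT_PRIMARY = "130.149.7.7"        # ns.tu-berlin.de (redundant system)
EXTERNAL_SECONDARY = "193.174.75.142"  # ws-ber1.win-ip.dfn.de, in addition, not instead
DECOMMISSIONED = {"130.149.4.20", "139.149.2.12"}  # shut off, to be removed

# Constructed sample resolver configuration with one stale entry still listed
# as third server; not a real TU Berlin host configuration.
SAMPLE_RESOLV_CONF = """\
# lab host resolver configuration (constructed sample)
search tubit.tu-berlin.de tu-berlin.de
nameserver 130.149.7.7
nameserver 193.174.75.142
nameserver 130.149.4.20   # old entry nobody removed
options timeout:2
"""

_NS_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_nameservers(text: str) -> list[str]:
    """Return the nameserver entries in file order, ignoring comments and other keys."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # strip trailing comments
        m = _NS_RE.match(line)
        if m:
            servers.append(m.group(1))
    return servers


def audit_resolvers(text: str) -> dict:
    """Check a resolv.conf-style text against the page's guidance and
    return the parsed servers, the stale ones and a list of findings."""
    servers = parse_nameservers(text)
    stale = [s for s in servers if s in DECOMMISSIONED]
    findings = []
    if stale:
        findings.append("remove decommissioned server(s): " + ", ".join(stale))
    if CURRENT_PRIMARY not in servers:
        if EXTERNAL_SECONDARY in servers:
            findings.append("external DFN server is used instead of, not in addition to, "
                            + CURRENT_PRIMARY)
        else:
            findings.append(CURRENT_PRIMARY + " (ns.tu-berlin.de) is not configured")
    return {"servers": servers, "stale": stale, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    report = audit_resolvers(SAMPLE_RESOLV_CONF)
    print("configured:", report["servers"])
    for f in report["findings"]:
        print("FINDING:", f)
    print("ok" if report["ok"] else "action required")
```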

Managing clients in a subnet

Computer names

A complete name/IP address pair looks like this at TUB:

licman1.tubit.TU-Berlin.DE  =  130.149.4.120

Are names necessary?

Depending on the task of a computer it is often not necessary to assign a name, but it facilitates administration and troubleshooting. Therefore every computer at TUB receives a name in a subdomain.

DNS Names using Windows (Windows Domains)

Windows employs its own name and domain concept, which only partly complies with the actual DNS. For you this means that you do not necessarily need to use the DNS name you chose in your IP application as your Windows computer name. But you should do so anyway, in order to avoid confusion and to facilitate troubleshooting.

Subdomains have nothing to do with subnetworks.

Register a device on the subnetwork

Preparation:

  1. Needed role: "Netzwerkverwalter" (network administrator)
  2. There has to be a subnetwork whose IPs are to be managed

Navigation to the administration of the connections:

Persönliches Portal > Netzwerkverwaltung > Netze und IPs verwalten > [Select the subnetwork to be edited] > [Click on the button "IPs verwalten"]

Procedure:

  1. Click on the "+" (add) button
  2. Fill in the fields

    • IP-Adresse: Fixed IP address to be assigned to the device
    • Hostname: Technical name of the device
    • Subdomain: The domain where the device is to be routed. Devices are divided into groups by domains
    • MAC: The unique address of the device's network card.

  3. [for experts]: Click on the button "Mehr Einstellungen (Für Experten)"

    1. Specify the PXE Filename and PXE Next Server to boot from a network image
    2. [not recommended] The MAC address does not have to be entered. The device is then searched by the hostname
    3. You can assign (any number of) aliases for the device, which can then be found in the subnetwork

  4. Click on the button "Speichern"

Change IP settings for a device

Preparation:

  1. Needed role: "Netzwerkverwalter" (network administrator)
  2. There must be a subnet whose IPs are to be managed
  3. There must be a fixed IP for the device to be edited

Navigation to the administration of the connections:

Persönliches Portal > Netzwerkverwaltung > Netze und IPs verwalten > [Select the subnet to be edited] > [Click on the button "IPs verwalten"]

Procedure

  1. Select the IP address to edit
  2. Click on the button "Bearbeiten"
  3. Change the desired fields

    • IP-Adresse: Fixed IP address to be assigned to the device
    • Hostname: Technical name of the device
    • Subdomain: The domain in which the device is to be routed. Devices are divided into groups by domains
    • MAC: The unique address of the device's network card

  4. [for experts]: Click on the button "Mehr Einstellungen (Für Experten)"

    • Specify the PXE Filename and PXE Next Server to boot from a network image
    • [not recommended] The MAC address does not have to be entered. The device is then searched by the hostname
    • You can assign (any number of) aliases for the device, which can then be found in the subnet

  5. Click on the button "Speichern"

Delete the IP address of a device

Preparation:

  1. Needed role: "Netzwerkverwalter" (network administrator)
  2. There must be a subnetwork whose IPs are to be managed
  3. There must be a fixed IP for a device which is to be deleted

Navigation to the administration of the connections:

Persönliches Portal > Netzwerkverwaltung > Netze und IPs verwalten > [Select the subnetwork to be edited] > [Click on the button "IPs verwalten"]

Procedure:

  1. Select the IP address to edit
  2. Click on the "-" (remove) button
  3. Check in the new window if the right IP has been selected
  4. Click on the button "Ja, löschen!"

Managing WLAN2VLAN & VPN2VLAN

Activate WLAN2VLAN/VPN2VLAN for a subnetwork

Step 1: Log into the TUB-Portal and select "Netzwerkverwaltung" > "WLAN- und VPN-Zugänge verwalten" > tab "Subnets"

Step 2: Select a network that you want to approve for VLAN usage

Step 3: By checking WLAN and/or VPN, you can decide whether you want to approve the subnetwork for WLAN and / or VPN.

Result:

After confirmation you will be informed about the results of your action in a new window:

  • Activation: When you confirm your details, an E-mail will be sent to the network-team, who will setup the network for you
  • Modification/Deactivation: These actions will also be reported to the network-team (Please note that deactivation causes all permissions of your users to be lost)

Status:

  • Box checked: Network is activated for WLAN/VPN
  • Box unchecked: Network is not activated for WLAN/VPN
  • Box deactivated (greyed out): You can not activate the subnetwork

Authorize a user for WLAN2VLAN/VPN2VLAN

Step 1: Log into the TUB-Portal and select "Netzwerkverwaltung" > "WLAN- und VPN-Zugänge verwalten" > Tab "Berechtigungen"

Step 2: Select one of the desired networks and enter the name of the person who should be authorized to use the network in the input field. Then click on "+".

Step 3: After the person is listed in the list below, you can check whether the use of WLAN2VLAN or VPN2VLAN or both is allowed. (Changes are made immediately by the checked boxes)

Firewall/Packet Filter

Firewall/Packet Filter

A firewall is software which can filter data in some cases more precisely than a packet filter.
A packet filter is software which operates in the data path between the sender and the recipient of data packets, in particular

  1. on the sender's computer and/or
  2. on the router between the sender's network and the recipient's network and/or
  3. on the recipient's computer

and can permit or deny the transfer based on a ruleset.

tubIT offers a firewall for every subnetwork (which is not a house network) which is installed on our routers. By definition these firewalls can not influence the traffic within the same subnetwork.

Please note:
The firewall rules of a subnetwork correspond to the terms of use as determined by the network administrator. Bypassing these rules using tunneling technologies (VPN, Skype, Teredo, ...) is a violation of the terms of use!
If you need a certain service, please contact your network administrator, who is entitled to apply for the firewall change at NOC.
