I. Title

A. Name: Policy on Routing Devices Connected to PennNet

B. Number: 2003mmdd-routing

C. Author(s): M. Wehrle, J. Edwards, ISC N&T

D. Status: [ ] proposed [ ] under review [X] approved [ ] rejected [ ] obsolete

E. Date proposed: 2002-09-17

F. Date revised: N/A

G. Date approved: 2003-03-10

H. Effective date: 2003-03-25


II. Authority and Responsibility

Information Systems and Computing's Networking & Telecom (ISC N&T) organization is responsible for the operation of PennNet (Penn's data networks) and therefore has the authority and responsibility to specify requirements for any devices connecting to PennNet. This authority extends to the device type in the case of networking electronics such as a router, repeater, or switch. It also extends to certain configuration parameters of a device which could adversely impact other parts of the network.

III. Executive Summary

This policy specifies the conditions under which a routing device may be connected to PennNet via a wall plate or any other media type such as fiber optic link.

IV. Purpose

The purpose of this policy is to identify the circumstances when a routing device may be connected to PennNet. This policy defines the scenarios and procedures for connecting a routing device to PennNet without adversely affecting the provision of network service to others.

V. Definitions
 

Router: A router is a device that connects to at least two networks or broadcast domains and is capable of deciding which way to send data packets based on its current understanding of the state of the networks it is connected to. Examples of routing devices are NAT devices and some firewalls, computing devices with operating systems that enable routing, and network equipment that can perform switching at layer 3 of the OSI model.

Routing: Routing is a function associated with the Network layer (layer 3) of the Open Systems Interconnection (OSI) model. A layer-3 switch is a switch that can perform routing functions.

Broadcast Domain: A broadcast domain is a subnet or collection of subnets on which IP broadcasts are shared. On PennNet, a broadcast domain is typically separated by a router. ISC Network Operations can assist with determining the limits of your broadcast domain.

Subnet: A subnet (short for "subnetwork") is an identifiably separate part of the PennNet network. Typically, a subnet may represent all the machines at one geographic location, in one building, or on the same local area network. A subnet is generally an IP broadcast domain.


VI. Risk of Non-compliance

Improper use of routing devices in certain situations can cause significant problems (poor performance, communication failure, etc.) for other users of PennNet. Additionally, it can make troubleshooting the network more difficult and time-consuming for service restoration. Therefore, it is important to keep ISC N&T Operations updated on routing configuration changes to limit negative effects on PennNet.

VII. Scope

This policy applies to any device acting as a router that has at least one connection to PennNet and either runs a dynamic routing protocol, or requires routing configuration changes to the central PennNet routing core. Restrictions on the use of routing devices apply to all networking segments of PennNet.

VIII. Statement of Policy

  1. Anyone who wishes to connect a routing device to PennNet must register the device with ISC N&T Operations. ISC N&T Operations will review the request and reserves the right to disallow a routing device if the proposed setup would conflict with other devices in the same broadcast domain.
  2. Authorized routing device(s) and configuration(s) may need to be reviewed again at a later date, if ISC N&T or another academic or administrative unit sharing the broadcast domain finds a routing-related conflict.
  3. ISC N&T should be given advance notice of at least 2 business days before any changes are made to the user's routing configuration. These include changes that would require ISC N&T to update routing information on the central PennNet routing core. Examples of user changes requiring notification are: increasing or decreasing the user's subnet size, adding an additional subnet to a router interface, or the actual removal of the routing device.
  4. All network interfaces on routing devices that are configured with one or more IP addresses, including addresses from the non-globally routable ranges, must comply with the Policy on the use of PennNet IP address space at http://www.net.isc.upenn.edu/policy/approved/20000124-ipaddress.html.
  5. Any authorized routing device that is connected to PennNet should be considered a critical host, and therefore should comply with the Critical PennNet Host Security Policy at http://www.net.isc.upenn.edu/policy/approved/20000530-hostsecurity.html
  6. Dynamic routing protocols can only be run on routing devices that ISC N&T Operations manages or on which they have full administrative access ("root" access).
  7. Routing devices cannot be connected to more than one point on the PennNet side of the demarcation point as this may have negative service implications on central PennNet routing operation.
  8. Links to external networks from outside organizations or commercial providers are not permitted to be connected to any routing devices other than to the PennNet central routing core. Connectivity of these external networks is subject to review and approval by ISC N&T Operations.
  9. ISC Networking will not be responsible for the operation of the routing device or any local wiring associated with the routed LAN(s) that resides on the customer side of the PennNet demarcation point.

IX. Recommendations and Best Practices

  1. The use of routing devices in buildings should be carefully considered before implementation. In all cases, it is best to check with your School or Center computing director before planning, then consult with ISC N&T before any hardware purchases are made.
  2. The use of NAT has the potential to cause problems for certain applications. Its use should be avoided when possible. The use of Proxy ARP is preferred over NAT.
  3. When connecting any networking device to a PennNet wallplate, it is best to evaluate the area that you intend to serve and to keep associated wiring within the room. If there is a need for larger networking coverage areas, consult with ISC N&T before any wiring begins.

X. Compliance

  1. Verification: ISC Networking does not plan to actively police the network in an effort to discover non-compliant routing devices, but will act on those discovered during the normal course of events in operating and/or troubleshooting the network.
  2. Notification: Notification shall be made to the LSP for the area. Whenever possible and practical, the system administrator of the routing device(s) will also be notified.
  3. Remedy: Remedy will normally be the immediate disconnection of the routing device(s) from the network until it can be brought into compliance. ISC N&T will offer assistance to the LSP for the area to bring the router configuration and registration into compliance.
  4. Financial Implications: The network user will be responsible for troubleshooting charges associated with interim solution assistance and policy compliance where applicable. See also the Policy on Troubleshooting Charges for PennNet at http://www.net.isc.upenn.edu/policy/approved/20020827-troubleshooting.html
  5. Responsibility: Responsibility for remedy (and associated costs) lies with the network user, or the user's department. In the vast majority of cases, the area LSP will have involvement in the implementation of the remedy.
  6. Time Frame: Non-compliant routing devices must be remedied immediately to reduce risk of networking failures for other network users. Interim solutions should be made within 2 business days to allow the network user to continue to receive service. Final solutions should be implemented within 30 days.
  7. Enforcement: Please see the Policy on Computer Disconnection from PennNet at http://www.upenn.edu/computing/policy/disconnect.html
  8. Appeals: Please see the Appeals section of the Policy on Computer Disconnection from PennNet at http://www.upenn.edu/computing/policy/disconnect.html.

XI. References