IT Help and Support

University Information Services
 

What's happening

  1. The primary router connecting the University Data Network (UDN) to Janet will be replaced with new equipment on Tuesday, 12 July from 07:30.
  2. If we encounter problems that can’t be resolved by 08:30, we will back out the replacement and revert to the previous router. In this scenario, we will try again on Wednesday, 13 July at 07:30.
  3. Assuming all goes as planned, we will replace the secondary router on Wednesday, 20 July at 07:30.
  4. Later in the year, once the new configuration is in place and working, UIS Security Operations will be contacting institutions to confirm the exceptions in place are still valid and correct.

Why we’re doing this

This will support a doubling of the UDN's connection speed to Janet from 20Gbit/s to 40Gbit/s.

Impact

Replacement of the primary router on 12 July

We expect a brief interruption (a few seconds) if everything goes smoothly. The UDN will fail over to the secondary link, which is already active for a portion of the traffic, and then fail back when the new primary connection is activated.

Replacement of the secondary router on 20 July

This should not be disruptive, aside from another short interruption. The new configuration will have been verified and running on the primary router for several days prior to this.

The IPS will no longer protect clients connected to the UIS Wireless Service

After this upgrade, clients connected to UIS Wireless services will no longer be protected by the University Intrusion Prevention System (IPS). This is to maintain uncontested data transfers through the IPS platform.

IPv6 port blocking

IPv6 ports will be blocked in line with IPv4. Traffic on restricted ports will be blocked unless explicit exceptions are in place.

Technical information for IT staff

The configuration on the replacement router is entirely new and will involve changes to traffic flow to support the increased bandwidth. It also has a rebuilt border Access Control List (ACL) to implement the UDN-Janet port blocks.

Functionally, the ACL should be the same as the current configuration, although the upgrade has involved a reorganisation of the rules and of how they are implemented. There is one major exception: IPv6 ports will be blocked in line with IPv4, so traffic on restricted ports will become blocked unless explicit exceptions are in place.

We would also like to remind IT staff that when an exception is in place, the address is "locked" in the IP Register database. This prevents the address from being rescinded until the exception is removed. If you attempt to rescind a locked address, an error message will be displayed; unfortunately it does not clearly state that the exception is the cause, but it will mention an 'ANAME'.

When a host is decommissioned, we strongly recommend that the corresponding entry in the IP Register database is rescinded. If an error occurs that is caused by a lock, treat it as a reminder to contact the UIS to investigate and remove the exception. Once the exception is removed, the address will become unlocked within a few hours and can then be rescinded. This avoids exceptions remaining in place for a new host and inadvertently exposing it to external attack.

How to report issues after the router replacement

There is a possibility that some subtle changes may result in access being blocked which was previously permitted, or vice-versa, or some of the rules may have been incorrectly converted.

End users

Report issues to your local IT support channels to investigate and escalate to UIS.

IT staff

Once you have confirmed you believe the issue to be related to the router replacement, please report directly to UIS Network Systems at network-systems@uis.cam.ac.uk.

We will then compare the reported issue with the current and previous access control lists to determine whether the rule has been incorrectly mapped into the new configuration and, if so, fix it. In some cases, it may be necessary to seek approval or to discuss further with UIS Security Operations.

Required information

Please include the following information:

  1. Whether the traffic flow is inbound (internet -> UDN) or outbound (UDN -> internet).
  2. The local (UDN) address(es) affected.
  3. The remote (internet) address(es) affected.
  4. The source and destination port number(s) involved.
  5. The expected behaviour versus actual behaviour. For example, something is blocked that wasn't, or vice versa.
  6. If the behaviour extends to other addresses and/or ports, please describe this. For example, if a DNS server is blocked, but there are several which should be permitted, please confirm the other DNS server(s) address(es).
  7. The affected service and impact, for example, if all institutional email cannot be sent or received.

Publication date: 24 June 2022. Copied to UIS Announce distribution list.