A. Name: Policy on Routing Devices Connected to PennNet
B. Number: 2003mmdd-routing
C. Author(s): M. Wehrle, J. Edwards, ISC N&T
D. Status: [ ] proposed [ ] under review [X] approved [ ] rejected [ ] obsolete
E. Date proposed: 2002-09-17
F. Date revised: N/A
G. Date approved: 2003-03-10
H. Effective date: 2003-03-25
II. Authority and Responsibility
Information Systems and Computing's Networking & Telecom (ISC N&T) organization is responsible for the operation of PennNet (Penn's data networks) and therefore has the authority and responsibility to specify requirements for any devices connecting to PennNet. This authority extends to the device type in the case of networking electronics such as a router, repeater, or switch. It also extends to certain configuration parameters of a device which could adversely impact other parts of the network.
III. Executive Summary
This policy specifies the conditions under which a routing device may be connected to PennNet via a wall plate or any other media type, such as a fiber optic link.
The purpose of this policy is to identify the circumstances when a routing device may be connected to PennNet. This policy defines the scenarios and procedures for connecting a routing device to PennNet without adversely affecting the provision of network service to others.
Router: A router is a device that connects to at least two networks or broadcast domains and is capable of deciding which way to send data packets based on its current understanding of the state of the networks it is connected to. Examples of routing devices are NAT devices and some firewalls, computing devices with operating systems that enable routing, and network equipment that can perform switching at layer 3 of the OSI model.
Routing: Routing is a function associated with the Network layer (layer 3) of the Open Systems Interconnection (OSI) model. A layer-3 switch is a switch that can perform routing functions.
Broadcast Domain: A broadcast domain is a subnet or collection of subnets on which IP broadcasts are shared. On PennNet, a broadcast domain is typically separated by a router. ISC Network Operations can assist with determining the limits of your broadcast domain.
Subnet: A subnet (short for "subnetwork") is an identifiably separate part of the PennNet network. Typically, a subnet may represent all the machines at one geographic location, in one building, or on the same local area network. A subnet is generally an IP broadcast domain.
VI. Risk of Non-compliance
Improper use of routing devices in certain situations can cause significant problems (poor performance, communication failure, etc.) for other users of PennNet. Additionally, it can make troubleshooting the network, and therefore service restoration, more difficult and time-consuming. Therefore, it is important to keep ISC N&T Operations updated on routing configuration changes to limit negative effects on PennNet.
This policy applies to any device acting as a router that has at least one connection to PennNet and either runs a dynamic routing protocol, or requires routing configuration changes to the central PennNet routing core. Restrictions on the use of routing devices apply to all networking segments of PennNet.
VIII. Statement of Policy
- Anyone who wishes to connect a routing device to PennNet must register the device with ISC N&T Operations. ISC N&T Operations will review the request and reserves the right to disallow a routing device if the proposed setup would conflict with other devices in the same broadcast domain.
- Authorized routing device(s) and configuration(s) may need to be reviewed again at a later date, if ISC N&T or another academic or administrative unit sharing the broadcast domain finds a routing-related conflict.
- ISC N&T should be given advance notice of at least 2 business days before any changes are made to the user's routing configuration. These include changes that would require ISC N&T to update routing information on the central PennNet routing core. Examples of user changes requiring notification are: increasing or decreasing the user's subnet size, adding an additional subnet to a router interface, or the actual removal of the routing device.
- All network interfaces on routing devices that are configured with one or more IP addresses, including addresses from the non-globally routable ranges, must comply with the Policy on the use of PennNet IP address space at http://www.net.isc.upenn.edu/policy/approved/20000124-ipaddress.html.
- Any authorized routing device that is connected to PennNet should be considered a critical host, and therefore should comply with the Critical PennNet Host Security Policy at http://www.net.isc.upenn.edu/policy/approved/20000530-hostsecurity.html.
- Dynamic routing protocols can only be run on routing devices that ISC N&T Operations manages or on which they have full administrative access ("root" access).
- Routing devices cannot be connected to more than one point on the PennNet side of the demarcation point as this may have negative service implications on central PennNet routing operation.
- Links to external networks from outside organizations or commercial providers are not permitted to be connected to any routing devices other than to the PennNet central routing core. Connectivity of these external networks is subject to review and approval by ISC N&T Operations.
- ISC Networking will not be responsible for the operation of the routing device or any local wiring associated with the routed LAN(s) that resides on the customer side of the PennNet demarcation point.
IX. Recommendations and Best Practices