UCI’s Internet Connections Upgraded

OIT recently improved UCI’s connection to the Internet, increasing bandwidth from 6 Gbps (billion bits per second) to 20 Gbps. This upgrade enhances connections from the main campus, UCI Medical Center, and the residential network. The upgrade provides faster network access both to the research Internet and the general commodity Internet.

UCI connects to the Internet via CENIC, a regional network service provider providing Internet connections to California research and education organizations. CENIC provides two connections for the campus: CalREN-HPR and CalREN. CalREN-HPR supplies researchers with high-speed connectivity to other research networks, such as Internet2 and the Energy Science Network (ESnet). CalREN provides general Internet commodity services.

Last July, when OIT began work on the UCI Lightpath project, our CalREN-HPR network connection was upgraded from 1Gbps to 10Gbps with a 1Gbps diversified backup link. (Lightpath is a dedicated science network funded by the National Science Foundation.) This February, our CalREN general Internet connection was upgraded from five 1Gbps connections to a 10Gbps connection.

OIT is also working with CENIC to establish additional fiber infrastructure between UCI and UCLA which will enable us to upgrade our diversified backup paths from 1Gbps to higher bandwidth. Our goal is to upgrade both backup links of CalREN-HPR and CalREN to 10Gbps in the near future.

OIT Upgrades Interface to the Internet

Border Router

OIT used the holiday break as an opportunity to upgrade the border router and campus firewall, improving network performance and reliability.  The timing was chosen to minimize the impact on the campus community who rely on UCInet Internet connectivity.

Prior to this project, UCI had a single system providing the link between UCInet and the Internet, and this device was also responsible for providing the campus firewall service.  This represented a vulnerability, in that hardware failure could result in loss of connectivity.

The border router was also aging, having been put into service in August of 2003, and Cisco had announced the end of maintenance for this model later this year.

The project replaced the components within the border router, added a second border router, distributed Internet services between them, and isolated the firewall service to its own redundant systems.  Tests have demonstrated a significant increase in network bandwidth as well.  Now if one of the two routers should go down, connectivity will be sustained by the redundant architecture of the new system.

The current arrangement also makes use of Cisco’s Virtual Switching System technology, allowing the two routers to be managed as a single service.

An upcoming goal is to house the two border routers in different buildings.  One will remain in Central Plant, and the other will be housed in OIT’s SSPA network vault.  This geographic distribution will further reduce the risk that loss of power or other facilities to a single building could interrupt UCI’s connection to the Internet.

Visitor Access to UCInet

UCInet Mobile Access

1-Day Access

Visitors to the campus who need temporary access to the internet with a laptop or mobile device may make use of Express Registration for the UCInet Mobile Access network.  In order to do this, the visitor should go to a wireless access location, open a web browser, and connect to any web page.  (See list of wireless locations). This will direct the visitor to our registration process.  Access is granted for 24 hours, and this access will only be granted seven times in a 30-day period. Visitor access is restricted to Web, email, and secure shell (SSH).

4-Week Access

There is a second option for visitors who need access to UCInet beyond the restrictions of Express Registration.  Manual Registration is a process by which UCI faculty, staff, or graduate students can authorize access for a visitor.  The authorizer will need to use his or her own UCInetID and password, and will need the MAC address (the unique address of the network card) of the visitor’s laptop or other mobile device.  More information on these two options can be found at the UCInet Mobile Access Registration page.

Longer-Term Access

Another option is available for guests whose visit to UCI will be longer than a month.  (Examples include visiting scholars, volunteer faculty/staff, or those who may be employees of a different UC campus but are teaching here.)  In these cases a faculty or management-level staff member may request a Sponsored UCInetID for the visitor.  This is essentially a normal UCInetID, but it is only valid for as long as the sponsor authorizes it — typically one to four quarters.  Note that the Sponsored UCInetID request form is now online and requires the sponsor to log in with his or her own UCInetID and password.

Eduroam

Visitors from participating educational institutions may choose to gain access to UCInet using their home-campus network identities via the Eduroam secure federated network access service.  For eligible visitors, this option may be a better choice given the requirements and restrictions of the alternatives listed above.

Blocking Misbehaving Systems Protects UCInet

NACS is working hard to ensure that a robust and secure UCInet is always available to do the University’s business. To that end, we will occasionally deny access to systems which threaten the safe operation of the network.

Whenever a system connected to the UCInet is discovered attacking other computers, or engaging in other forms of inappropriate behavior (such as the illegal distribution of copyrighted material), NACS may block that system from further network access. Occasionally, NACS may also block systems that have not been patched in a timely manner against particularly nasty viruses.

There are two simple strategies you can follow if you suspect your system has been blocked. You can search the blocked systems list at http://www.nacs.uci.edu/ucinet/blocked/ (usually, you’ll need to use an unblocked system to do that). Or, you can call NACS at (949) 824-2222. Our helpful consultants will explain why your system was blocked, and what to do to correct the problem. Generally, once you have taken the appropriate steps, the system can be unblocked within a few hours. Please note, however, that unblocking can only be performed during regular business hours except in emergency situations.

NACS is responsible for UCInet, but you are responsible for the proper operation of your own systems. By staying up to date on security patches, and by carefully abiding by the Computer and Network Use Policy at http://www.policies.uci.edu/adm/pols/714-18.html you can preserve your access to the UCInet and help guarantee a secure and reliable service for the entire campus.

Peer-to-Peer Applications On UCInet

First popularized by Napster, peer-to-peer file sharing, or P2P for short, is a growing concern for network administrators. The newest generation of P2P programs, such as Morpheus and Kazaa, download not only music files, but photos, applications, and even video files with sizes ranging from multi-megabyte to multi-gigabyte. Users engaging in this activity can adversely affect network performance.

Instruction and research on campus and affiliated locations depend on a high-performance network infrastructure, and the University must act to preserve it for its intended use. Beyond this concern, increased downloads from the commercial Internet increase the cost of UCI’s connection to the Internet.

In response, Residential Networking Services has installed a specialized gateway that allows Housing to fine-tune the flow of specific kinds of network traffic. In particular, Housing has limited the amount of total bandwidth that P2P can consume, while keeping connections for academic uses wide open.

P2P applications are not permitted on the campus wireless network (UCInet Mobile Access, http://www.nacs.uci.edu/ucinet/mobile/) because such traffic would overwhelm the network and prevent other uses. Wireless is both a slower technology and a shared one (that is, all users are sharing the bandwidth of a single connection). We welcome campus comment on this issue.