Get Help

Online: Request Help
Phone: (707) 826-4357 • Hours
Email: help@humboldt.edu
Walk-In: Library 101 • Hours
Reset HSU Password
System Status

Adding IP NAT Capacity to Guest Wireless Router

Printer-friendly version
Purpose: 

You have run out of IP addresses on the NAT router that provided overloaded NAT translations for Guest network through the subnet outside the border firewall.

Frequency/Schedule: 
As needed, once capacity reaches 75% regularly or just before Spring Preview if there is any doubt that there is enough capacity. Best to assess this during the summer or just after Spring Preview (peak load).
Impact of Change: 
High
Test Plan: 

Using NAC dashboard, simulate new users via expiring old records and purging them. Test each use case.

- Very infrequent visitors and conference and meeting attendees can self-register for the HSUGuest wireless network. These accounts provide a maximum of 15 days' access in total and only permit access to the HSUGuest network. Extensions may be granted on application in person to the Technology Help Desk.
- Visiting faculty and administrators from other CSU campuses are given an HSU Guest User Name and Password by their sponsoring department which enables them to use the HSUGuest wireless network and open access computer labs for the duration of their stay on campus.
- Consultants and contractors working on campus projects are given an HSU User Name and Password by their sponsoring department, but are encouraged to use the HSUWireless-Secure network rather than the HSUGuest network. In certain instances, Trusted Guest status may be given to these users.
- CSU auditors and other legal or compliance professionals are provided with Trusted Guest accounts which enable them to access privileged information stored inside the HSU firewall as well as other resources such as wireless printing. These users are required to connect via the HSUWireless-Secure network and install the SafeConnect policy key software.

Communication Plan: 
Target all departments who interact with Guests, Contractors, or Consultants. Utilize Systat and a directed e-mail if necessary.
Implementation Procedure: 

1) Coordinate details of outage with Campus (Must be during business hours of Vendor (SafeConnect). Suggest early morning Pacific time.
2) Post Systat
3)Send directed message
3a) Plan new subnet size and inform vendor in advance of which routes to change (Remember static routes are used to enable communication between enforcer and NAT router ACL) traffic can't go through Firewall.
4) Disable hsu-vap-visitors VAP in Aruba Master Control and push changes to local to "down network"
5) Change static routes on cores to from NAT network subnets
6) Adjust all DHCP scopes on all local and master controllers to reflect new subnet mask (ip range[s]).
7) Have vendor change their side in enforcer. Then restart the process.
8) Build test instance of copied VAP for the visitor "HSUGuest" network VAP. bring it up in test area and test it (and all use cases). Ensure Vlan Tagging is still correct. If this is a pool, you may have to trunk new vlan etc, add it to each controller.
9) decide to roll back or not.
10) finalize all changes, have vendor expire all users in Guest system and via automatic portal enrollment.
11) Disable test VAP and re-enable production VAP.
12) be available to tweak as needed.
13) Update systat

Change Approval: 
Lead Network Analsyst and/or Central IT Director
Production Validation Plan: 

Test all use cases of the HSUGuest on-ramping process. Including:

Very infrequent visitors and conference and meeting attendees can self-register for the HSUGuest wireless network. These accounts provide a maximum of 15 days' access in total and only permit access to the HSUGuest network. Extensions may be granted on application in person to the Technology Help Desk.
Visiting faculty and administrators from other CSU campuses are given an HSU Guest User Name and Password by their sponsoring department which enables them to use the HSUGuest wireless network and open access computer labs for the duration of their stay on campus.
Consultants and contractors working on campus projects are given an HSU User Name and Password by their sponsoring department, but are encouraged to use the HSUWireless-Secure network rather than the HSUGuest network. In certain instances, Trusted Guest status may be given to these users.
CSU auditors and other legal or compliance professionals are provided with Trusted Guest accounts which enable them to access privileged information stored inside the HSU firewall as well as other resources such as wireless printing. These users are required to connect via the HSUWireless-Secure network and install the SafeConnect policy key software.

Ensure DHCP is balanced between controllers.

Backout Plan: 

Roll back all changes, and have vendor do the same.

Approved: 
Approved