Professional Documents
Culture Documents
Data Center Standards
Data Center Standards
Data Center Standards
1. Requesting installation
2. Acquisition guidelines
2.3 Power
3. Equipment installation
3.3 Cabinet/Rack
3.4 UPS
3.10 Negotiations
4. Equipment removal
5. Operations procedures
5.1 Data Center access
5.6 Security
6.11 Multicast
6.14 IPv6
7. Data Center Network Firewalls
All UITS staff and external departmental staff who have equipment responsibilities in
the Data Centers should accept the terms and responsibilities outlined in this document.
1. Requesting installation
1.1 Space request: Prior to your submitting a proposal for new equipment, you’ll need
to begin initial discussions regarding machine room space. Once you submit a machine
room space request form, the System Assurance Group (SAG) will schedule a meeting.
The SAG includes the following participants: the UITS Operations Manager, a
representative from UITS Facilities, a representative from Networks, and the system
administrator and/or system owner. The purpose of the SAG meeting is to address
environmental issues (i.e., equipment BTU and power specifications), space, and floor
location. The floor location may be determined based on environmental data.
2. Acquisition Guidelines
2.1 Rack mounted devices: Ensure that you’re purchasing rack mounted equipment --
everything needs to be either mounted in the rack or in its own proprietary cabinet (as
opposed to free standing). The Operations Manager must approve any exceptions.
2.2 Equipment specifications: Upon making your equipment selections, send the vendor
specification sheet to sag-l@indiana.edu
2.3 Power: Request power for each device from the electrical engineer. Power requests
will be handled as follows:
IUPUI: Two rack-mounted cabinet distribution units (CDU) will be installed in each
standard rack. These CDUs utilize 208V IEC C13 and C19 outlets. Your hardware will
need to operate at 208V and have the proper power cords. Installation of CDUs can
take up to a month, so please request power as early as possible. For non-standard or
proprietary racks, twist-lock receptacles shall be provided under the floor for connection
of user-supplied CDUs.
IUB Data Center: In order to maintain Uptime Institute Tier III requirements, two rack-
mounted CDUs fed from different power sources will be supplied in each rack. In order
to assist with load balancing, you should purchase hardware with 208V IEC C13 or C19
plugs whenever possible. Please do not plug hardware into any receptacle without
authorization of the electrical engineer.
2.4 Receiving and placement: When large, heavy equipment is involved, you’ll need to
make arrangements for receiving the order. It is also your responsibility to arrange for
the equipment to be moved to the proper place in the machine room. In emergency
situations, the Operations staff will act as the contact and receive equipment/parts after
normal dock hours.
2.5 Equipment arrival notification: Receiving dock personnel will notify you of
equipment arrival (unless otherwise arranged).
3. Equipment installation
IUB Data Center: A staging area for equipment is located just off the dock. This space is
for uncrating/unpacking and preparing equipment for installation. This area is only for
temporary storage – you have two weeks to move/install all items to their intended
location. If for some reason you cannot do so within this time period, please make other
arrangements through UITS Facilities or Operations. (This will not guarantee other
storage locations.)
3.2 Cabinet design: Unless the server manufacturer specifically dictates the equipment
must be housed in their proprietary cabinet, all servers will be installed in the standard
cabinets provided by Operations. You’ll need to submit proof of vendor proprietary
cabinet requirements to SAG. Such cabinets should have front, back, and side panels.
Unless someone is working in the unit, cabinet doors must remain closed.
3.3 Cabinet/Rack: The standard cabinet is vendor-neutral EIA-310 19in rack mounting
compatibility guaranteed - vendor-neutral mounting for guaranteed compatibility with
all EIA-310 compliant 19" equipment. Tall and wide enclosure with 48U spaces, the top
6U are RESERVED for networking equipment. Operations will label the cabinet (both
front and rear) with the unique floor grid location and with the power circuit serving
that unit.
Equipment spacing within the cabinet/rack should allow appropriate airflow for proper
cooling. Blanking panels will need to be installed to fill in all vacant rack space.
3.4 UPS: NO rack mounted uninterruptible power supplies (UPSs) will be allowed. The
Enterprise Data Centers will provide backup power.
3.5 KVM solutions: Rack mounted monitors and keyboard trays are required only if you
need KVM. Cabling between racks not allowed.
3.6 Hardware identification: Supply Operations with the appropriate fully qualified
server names, and they will label all equipment within the cabinets so that hardware is
easily identifiable. You will need prior approval from the Operations Manager and
Communications Office to display any signage.
3.7 Disposal of refuse: The person/team installing the device is responsible for the
disposal of all refuse (cardboard, styrofoam, plastic, pallets, etc.). Please see that you
remove any refuse – and, if possible, recycle any cardboard – from the IUPUI machine
room and IUB Data Center staging area on a daily basis.
3.8 Combustible and flammable material: Do not leave combustible materials in the
machine rooms – such materials include cardboard, wood, and plastic, as well as
manuals and books. This also prohibits the use of wooden tables/shelves.
3.9 Review installation: The person requesting installation should arrange with the
Operations Manager for a final review of equipment installation, to ensure that
appropriate policies and procedures are implemented before the equipment becomes
production ready.
3.10 Negotiations: Any negotiations and exceptions must be arranged between the
system owners and the Operations Manager, and approved by the Director of Enterprise
Infrastructure and the relevant director or officer of the area involved.
3.11 Replacement parts: All onsite replacement parts should be stored in a storage
cabinet or on storage shelves in the storeroom (e.g., for use by service vendors such as
IBM or Service Express). Make any necessary storage arrangements with Facilities or the
Operations Manager.
4. Equipment removal
4.1 When a new system is replacing a pre-existing machine, the old system must be
properly decommissioned via the Change Management process. Submit a request to CNI
for the removal of firewall rules for machines that are decommissioned.
4.2 Removal of old hardware must be coordinated with the UITS Facilities Manager and
follow all appropriate policy, standards, and guidelines relating to data destruction,
wiring removal, and component disposition.
4.3 Please be sure to include all of the appropriate capital asset transfers.
4.4 The cost of removal is borne by the owner, and all equipment must be removed no
later than 30 days after it has been decommissioned. Exceptions to the 30 day removal
period require approval by Facilities or the Operations Managers.
5. Operations procedures
5.1 Data Center access: Due to the sensitive nature of the data and computing systems
maintained within its facilities, security and access are important aspects of the
OVPIT/UITS environment. In most cases, the university is contractually and legally
obligated to limit access to only those who have IT responsibilities requiring frequent
access.
Security cameras are located throughout OVPIT/UITS buildings. These cameras record
footage for follow-up in the case of a security incident. They also provide an effective
deterrence function in the safe operation of the building.
UITS staff with responsibilities in the data center may gain access through an
arrangement between the department manager and Operations. Requests should be
made via the Special Access Request Form.
Persons other than full-time UITS staff are permitted in the data center only under one
of the following conditions:
D. They are escorted by a full-time UITS staff member as part of a tour of the
facilities.
ID badges and access cards will be provided for those individuals who meet criterion A,
B, or C. The ID badges must be worn and visible during visits to the data center. All staff
who meets criteria A, B, or C is expected to sign in to the data center through
Operations prior to entering the room, and to sign out upon exiting.
Biometric hand geometry scanners are installed at both Data Centers. A registration
process will be scheduled and performed by the UITS Facilities or Operations staff.
For additional information and to learn about biometric hand geometry scanners,
review the internal KB document at https://kb.iu.edu/data/azzk.html
(Note: the internal document requires authentication).
The Vice President for Information Technology has developed a policy related to the
handling, management and disposition of "biometric" data used in the hand geometry
scanner. It is stored in an internal KB document at https://kb.iu.edu/data/bapr.html
(note: the internal document requires authentication).
5.3 Essential information: The system owner will enter the essential information into
the Machine Room Inventory System and update that information if it changes. Essential
information includes:
On-call notification: Primary and secondary system contacts and schedules, plus
contact information for the manager supporting the system (Please provide prior
to production date.)
The following types of changes will generally not be allowed during the Limited Change
Period (unless deemed an Essential Change by the director and communicated to the
Change Management email list):
a. Medium- and high-risk changes requiring significant changes and testing.
b. Anything impacting the usability, functionality or availability of certain
key services required for a smooth semester start-up. This includes:
i. Tier0 and Tier1 services as defined by the Incident
Management Team
ii. CrimsonCard
iii. Google at IU
iv. Box
v. IU Print (except to load allotments for the new semester)
5.5 Monitoring tools: Network monitoring tools will scan incoming machines as
appropriate. Please supply the network address and any special considerations for the
monitoring mode.
5.6 Security: All servers are expected to be administered in a secure manner using
industry best practices IT Policy 12, including employment of host based firewalls and
operation behind the machine room firewall. You are expected to properly review and
formally acknowledge all relevant security polices and standards. For more information,
please see the University Information Security Office Resources page.
5.7 System backups: Best Practices should include the implementation of a proper
system backup schedule. This includes the deployment of incremental, full, and archive
program processes as needed. You must use proven, supported backup software and
apply appropriate standards for off-site backup data for production systems.
5.8 Data Center tours: All tours of the machine room must be scheduled with the
Operations Manager.
System Classification:
Non-IU Colocation Systems: Systems that are using only Indiana University data
center space, power, and cooling. These external customers are not using IU IP
address space and networking.
6.1 Campus Network Availability: All enterprise racks come standard with one switch
installed at the top of the cabinet to provide 48 ports of 10/100/1000 Mbps Ethernet
connections into the data center switching infrastructure. 10G or additional 1G
switches are available by request at an additional cost. All public and private Ethernet
connections are to be provided by UITS unless special circumstances are reviewed and
approved by Campus Network Engineering (CNE). This policy applies to Enterprise and
any Research System using IU campus networks.
6.15 VLAN Availability: Data Center VLANs can only be extended between the IUB or
IUPUI Data Centers. Data Center VLANs cannot be extended to other areas on campus.
6.2 Projects / RFPs: If you are embarking on a new project, include Campus Network
Engineering (CNE) in these discussions. They can help assist you with the networking
requirements and ensure they are compatible with our existing network design and will
achieve the performance you require. Contact noc@indiana.edu to schedule a meeting
with these individuals.
6.3 Requesting Network Connectivity: Entire Data Center VLANs/subnets are allocated
to departments/teams specifically. Data Center VLANs/subnets are designed to not be
shared across multiple departments/teams. If your department does not have a Data
Center VLAN/subnet yet, contact noc@indiana.edu to request one. Once you have a
VLAN/subnet assigned, you must request network switch portsby going to
https://telecom.iu.edu/services/ and selecting “Data Center – Networking” and then
“Switch Port Activation”.
Static IP addresses must be assigned by using the Campus Network Portal (CNP). More
information regarding the management of static IPs with the CNP can be found in the IU
Knowledge Base.
This policy applies to Enterprise and any research system located in the enterprise
environment using IU campus networks.
6.4 Firewall Security: This policy applies to Enterprise and any Research Systems using
IU campus networks. All servers must be protected by the Data Center firewalls.
Request firewall rules via firewall.uits.iu.edu. The firewall request page includes
additional information on firewall policies and standards. A full explanation of firewall
policies and best practices can be found in Section 7 of this document.
Exceptions to this policy require your director’s approval. This exception request must
be submitted to Campus Networks Engineering (CNE). Approvals will be stored and
audited by CNI annually. Rogue non-firewalled hosts are subject to being shut down if
they do not have a documented exception. Submit your request to noc@indiana.edu
and an engineer will assist you.
6.5 Rack Ethernet Switches: All enterprise environment switches in the Data Center will
be managed by CNI. System administrators shall not manage their own switches. This
applies to any Ethernet switch located in a rack in the enterprise environment. This
policy also includes private switches that are not designed to connect to the campus
network switches.
Blade chassis switches are allowed in the enterprise environment in certain cases. If you
intend to install a chassis server environment, please contact noc@indiana.edu to
schedule a meeting with a campus networks Data Center engineer to discuss the chassis
networking.
6.6 Internal Rack Wiring: Internal rack wiring should follow rack cabinet management
standards. Cables should be neatly dressed. All cables should be properly labeled so
they can be easily identified. Refer to TIA/EIA-942 Infrastructure Standard for Data
Centers, section 5.11; a copy is available in the Operations Center. Applies to all users.
Users in the Enterprise environment are not allowed to run cables outside of the racks.
6.7 Sub-Floor Copper/Fiber Wiring Requests: All data cabling under the floor, including
SAN and Ethernet, must be installed by CNI in a cable tray. Any requests for sub-floor
copper or fiber can be made via the telecom.iu.edu site. CNI can supply copper, single-
mode fiber, and multi-mode fiber connectivity between locations. This applies to
anyone with systems in the data center. The requestor is responsible for paying for
these special requests. CNI can provide an estimate for any work requested.
6.8 Server Network Adapter Bridging: Server administrators are not permitted to use
any form of software based network adapter bridging. Attempts to bridge traffic
between two server interfaces are subject to automated detection and shutdown. This
policy applies to Enterprise and any Research System using IU campus networks.
6.10 SAN Fiber Channel (FC) Switches: CNI does not provide the management or
hardware for SAN switches. Administrators are allowed to install and manage their own
SAN switches. CNI can provide fiber trunks outside of the racks as needed (policy 6.7).
6.12 Jumbo Frames: Jumbo frames are available by request. Jumbo frame functionality
should not be assumed to work until requested and tested with a network engineer.
6.13 Tagged VLANs: CNI can provide VLAN tagging when needed. VLAN tagging
(trunking) can be used to aggregate VLANS over a common physical link to
environments such as VMWare, Hyper-V, etc.
6.14 IPv6: IPv6 is available in the data centers by request. IPv6 functionality should not
be assumed to work until requested and tested with a network engineer. Note: IPv6 is
already enabled in most IU Bloomington and IUPUI academic buildings.
o Firewall Security: All servers must be behind the Data Center firewalls.
Provide firewall configuration requests via firewall.uits.iu.edu.
Exceptions to this policy require your director’s approval. This exception
request must be submitted to Campus Networks Engineering. Approvals
will be stored and audited by CNI annually. Rogue non-firewalled hosts
are subject to being shut down if they do not have a documented
approval. Submit your request to noc@indiana.edu and an engineer will
assist you.
7.1 Exception requests to any standards described within this section can be submitted
via noc@indiana.edu. Include the nature of the exception request and any related
policies defined in this document.
7.2 A general guideline is that all firewall policies should be as restrictive as possible.
Recommended guidelines:
7.3 Hosted based firewall rules should be used on every host where applicable. Host
based rules should be more restrictive than the data center firewall rules when possible.
7.4 Outbound traffic (traffic leaving a firewall zone) is allowed by default. You only
need to create exceptions for traffic entering the data center from outside of a host’s
security zone.
7.5 Service port ‘Any (1-65535)’ as a destination port in a firewall policy is allowed when
meeting all of the following criteria:
7.6 Source address ‘Any (0.0.0.0)’ in a firewall policy is allowed when meeting the
following criteria:
7.7 Destination address ‘Any (0.0.0.0)’ in a firewall policy is not allowed. The
destination should be specific to a subnet or set of IP addresses which have been
assigned to your department.
7.8 Entire Subnets as destinations are allowed when meeting the all of the following
criteria (accepted starting 1/13/14):
Source addresses must all be IU owned IP space. This can be a source subnet as
long as it is from IU-owned IP space. Must be as specific as possible. For
example, global groups such as “All IU Statewide” should not be used.
7.9 Individual DHCP addresses cannot be used as sources. The dynamic nature of DHCP
allows for the potential of unexpected access during future IP allocations. VPN space,
global groups, entire subnets, or static addressing can be used instead.
7.10 DNS entries must exist when using specific IPs as destination addresses. DNS
entries can be setup by contacting IU DNS Administration.
7.11 Source & Destination Host Groups can be used to group together source and
destination objects when meeting the following criteria:
Source host groups can be both specific /32 IP addresses and entire subnets
outside of the data center. Source host groups cannot be selected as a
destination in a policy. The same source host group may be used within multiple
security zones.
7.12 Firewall security zones are used to split up networks within the data center.
1
Interactive logins include technologies such as SSH, RDP, Citrix, VNC, Remote Powershell etc.
2
User-provide code includes all executable code installed on the system with user-level access instead of
by a designated system administrator, system developer, or enterprise deployment process. This may
include binaries, shell scripts, interpreted languages such as Perl or Python, as well as web-based code
such as PHP/ASP.
CAS, Intelligent Medicine,
Exchange, Infrastructure Speech &
Lync, Oracle virtual servers Hearing,
Databases, provisioned for Optometry,
HRMS, FMS, departments Dentistry, IUB
Onestart, etc Heath Center
Each Firewall Security Zone exists at both the IUPUI and IUB Data Centers. The following
list describes which zones are related as well as what the relationship means:
o Campus Members:
IN-30-CORE
BL-30-CORE
o Campus Members:
IN-32-UITS
BL-32-UITS
o Campus Members:
IN-33-COLO
BL-33-COLO
Campus Members of the same security zone do not need firewall rules to
communicate to each other. For example a host in IN-30-CORE does not need
any firewall rules to communicate to a host in BL-30-CORE and vice versa. Rules
are required to communicate to different zones.
Training on these zones can be provided by Campus Networks Engineering
(CNE). Contact noc@indiana.edu to request a meeting with CNE regarding
firewall security zone training.
7.13 Rules are specific to a single member firewall zone. One rule cannot cover
inbound traffic for hosts in both BL-30-CORE and IN-30-CORE. If you had a server in IN-
30-CORE and another server in BL-30-CORE that you wanted to allow HTTPS traffic to
from the world, it would require two rules.
o Source: Any
o Destination: 129.79.1.1/32
o Port: HTTPS
o Source: Any
o Destination: 134.68.1.1/32
o Port: HTTPS
7.14 Global address groups are built-in groups that any department can use. These are
commonly used source groups that are maintained by CNI. “All_IU_Networks” is an
example of a global address group. This group contains every IU owned IP address.