ECE Computer Network information
The ECE department operates our own large and complex wired computer network, with over 20 class C subnets, about 2500 network outlets, and more than a thousand client computers in six buildings.
As you can imagine, this is a lot to keep track of. We ask the cooperation of all network users for some simple courtesies:
- Please use only the network address assigned to you by our network staff.
- Never re-assign IP addresses between machines.
- Never guess new IP addresses by trial and error!
For computers on Tier-1 and Tier-2 networks you must not select your own IP address; you have no way of knowing if we have assigned a specific IP address to another computer!
Guessing IPs usually leads to other innocent users experiencing interruptions to their network access when your wild guess collides with their legitimate, officially assigned IP address.
Please send email to ECEhelp ( ecehelp at ece.utoronto.ca ) …
- when you need to relocate a computer to a different network outlet,
- when you receive a new computer that you want to connect to the network,
- when a computer now on the network is being taken out of service.
Appropriate Use of Information and Communication Technology
Use of the network is subject to University policies and regulations. Terms of use and access are spelled out at our policies page.
How to find your IP and MAC address
At times we may ask you to find the “MAC address” of your computer's network interface (this has nothing to do with Apple Macintosh - it's an acronym). To find the MAC address on a Windows PC:
- In the Start menu, choose “Run”
- In the Run box, type “cmd” and press ENTER
- at the command prompt, type “ipconfig -all” and ENTER
- in the response, find the section for “fast ethernet” or “gigabit” (for your wired interface); note the 'physical address' which is in the form 00-01-23-4a-5b-6c.
- if you have a laptop, it may also have a wireless interface. This has its own separate MAC address. For this, find the section heading that mentions wireless.
Include this information in your email to ECEhelp.
The output of “ipconfig” will also tell you what IP address your computer is currently using. This may be set manually in the Network properties window, or it can be assigned automatically by our network if you select “obtain address automatically.” This is our preferred configuration.
If you have MacOSX or Linux, you can find the MAC address at the shell command prompt in a terminal window (Xterm, console, etc.) using the command
ifconfig -a
(you may have to give the full path /sbin/ifconfig -a ). Find the section for the wired ethernet card, typically assigned the name “eth0”, “hme0” or something else ending in zero. The MAC address should appear in the form 00:01:12:23:3a:4b
Verifying network connectivity
If your IP address starts with “128.100” or “142.150” or “142.151”, then you are on the UofT network. If it starts with 169, you did not get a network connection and Windows has created a random non-routing address for ad-hoc networking - not useful here.
If you are unsure of your network connection, note the “gateway” address in the ipconfig information, and at the command prompt, type:
ping 128.100.mmm.nnn
using the gateway address. If you get responses from the gateway, your connection is set up properly. If not, and you've confirmed that the cable is connected and the interface shows as “up”, then one common cause is that your network port is assigned to a different subnet or “VLAN” than the correct one for your IP address. Contact ECEhelp to resolve this problem.
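The address checks above, scripted for Linux as an added example (not part of the original page): it pulls each interface's MAC and IPv4 address out of `ifconfig -a` output and applies the address-prefix rule from this section. The function names, status labels and sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not part of the original page): summarise `ifconfig -a`
# output as "interface MAC IPv4 status" lines for a help request.

# Classify an IPv4 address using the prefixes given in the text above.
classify_ip() {
    case "$1" in
        128.100.*|142.150.*|142.151.*) echo "uoft" ;;
        169.*) echo "no-lease" ;;      # self-assigned, non-routing address
        "")    echo "no-address" ;;
        *)     echo "other" ;;
    esac
}

# Read ifconfig-style text on stdin; handles both the older "HWaddr" /
# "inet addr:" layout and the newer "ether" / "inet" layout.
summarise_ifconfig() {
    awk '
        function emit() {
            if (iface != "") print iface, (mac != "" ? mac : "-"), (ip != "" ? ip : "-")
        }
        /^[^ \t]/ { emit(); iface = $1; sub(/:$/, "", iface); mac = ""; ip = "" }
        {
            for (i = 1; i < NF; i++) {
                if ($i == "HWaddr" || $i == "ether") mac = tolower($(i + 1))
                if ($i == "inet") { ip = $(i + 1); sub(/^addr:/, "", ip) }
            }
        }
        END { emit() }
    ' | while read -r iface mac ip; do
        if [ "$ip" = "-" ]; then ip=""; fi
        echo "$iface $mac ${ip:--} $(classify_ip "$ip")"
    done
}

# Constructed sample input: one old-style and one new-style interface stanza.
sample_ifconfig() {
    cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:01:12:23:3A:4B
          inet addr:128.100.23.45  Bcast:128.100.23.255  Mask:255.255.255.0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 169.254.10.20  netmask 255.255.0.0  broadcast 169.254.255.255
        ether 00:01:12:23:3a:4c  txqueuelen 1000  (Ethernet)
EOF
}

sample_ifconfig | summarise_ifconfig
```

On a live machine, replace the sample with `/sbin/ifconfig -a | summarise_ifconfig`.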
Port Security
Many areas within ECE employ “port security” on the network switches, in which each network port is assigned a limited number of computers which are permitted access, based on their MAC addresses; all other devices are prohibited from connecting via that port. This enables us to ensure that only computers authorized to be on an ECE network are connected. We are in the process of expanding port security to cover more network switches and rooms, with the ultimate goal of applying it on all network ports across the department.
Firewalls
We operate a few network firewall systems that secure our departmental computer network resources from the rest of the university (and beyond). These firewalls allow outgoing connections but restrict incoming connections to only designated services on specific hosts, such as our web-servers, mail servers, VPN, and remote SSH access to specific Solaris or Debian Linux servers.
There are also separate firewalls in front of the two subnets that have been designated for “Tier 2” self-supported systems, namely 128.100.23.0/24 and 128.100.241.0/24. These subnets are protected from the outside world, but they are topologically “outside” the main firewalls protecting the Tier 1 subnets. This means users on a Tier 2 subnet do not have unlimited access to computers on Tier 1. The connections available are limited to those accessible from outside, plus a small number of exceptions, described below.
ECE-VPN (ECE Virtual Private Network)
ECE operates our own departmental firewall between our network and the main UofT backbone network. This blocks all inbound connections with specific exceptions for access to web servers, email, and a limited number of hosts open for SSH or other specific connection types.
We also operate our own Virtual Private Network to give access across our firewall from outside. Note that this is a separate VPN from the UTORvpn service operated centrally for all of UofT. Use of UTORvpn gives you access to library and journal subscription resources but does not give access past the ECE departmental firewall – only our ECE VPN does that.
Any research user with current affiliation with ECE may request a login on the ECE VPN - email ecehelp at ece.utoronto.ca and let us know your status and the name of your supervisor.
When your VPN account is set up, you may connect to it by following the VPN instructions specific to your O/S version. Note that this requires knowledge of a pre-shared secret, which is accessible by faculty and staff on our internal website. Grad students can ask their supervisor's administrative coordinator to check on their behalf, at the ECE internal website.
Mapping drives and accessing printers on Tier-1 networks
Department firewalls will permit computers connected via ECE-VPN to “map network drive” of our ECE unix servers using Samba protocol, and to access Tier-1 printers (for users with login accounts on Tier-1 research group computers). Instructions for various configurations are available here.
Windows Remote Desktop (RDT)
Department firewalls will permit computers connected via ECE-VPN to use Windows Remote Desktop to connect to a Windows PC at the university. Here's how to set it up:
Here at the university, enable remote access on your Windows PC:
- Make sure your login here has a password assigned; you can't RDT to a login with a blank password
- Check that your account is enabled for remote desktop: right-click on My Computer, choose Properties, and click the Remote tab. If needed, type in your login name, click “check names”, then click “Add.”
- Record your computer's IP address. (See How to find your IP and MAC address, above.)
From your off-campus computer,
- Begin by connecting to the ECE-VPN, then
- Start the Remote Desktop connection and specify your university PC's IP address as the host name to connect to.
SSH servers accessible from outside of ECE
Departmental firewalls prevent unauthorized access to computers within ECE. Only a limited number of Tier-1 computers are accessible via SSH, including:
COMM
- alpha.comm.utoronto.ca
CONTROL
- alfheim.control.utoronto.ca
EECG
- anubis.eecg.toronto.edu
- bastet.eecg.toronto.edu
- ra.eecg.toronto.edu
- seth.eecg.toronto.edu
ENERGY
- energy.ele.utoronto.ca
PHOTONICS
- comet.light.utoronto.ca
- photonics.light.utoronto.ca
- rocket.light.utoronto.ca
VRG
- mail.vrg.utoronto.ca
WAVES
- emserver.waves.utoronto.ca
Self-managed SSH servers
If you are on Tier_2 or Tier_3, you may choose to run an SSH server. You should ensure your system is configured securely, with up-to-date patches for sshd, and have strong passwords for all logins. Consider enabling a security software package such as tripwire, and use iptables if you only need to grant access to specific addresses.
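One way to apply the iptables advice above, as an added example that is not part of the original page: a script that builds an `iptables-restore` ruleset accepting SSH (tcp/22) only from listed sources and dropping the rest. The function names are hypothetical and the source addresses are constructed placeholders from the documentation ranges.

```sh
#!/bin/sh
# Added example (not part of the original page): build an iptables-restore
# ruleset that limits inbound SSH (tcp/22) to an explicit list of sources.

# Accept only dotted-quad IPv4 with an optional /1../32 prefix, so a typo
# cannot become a malformed rule and /0 cannot silently allow everyone.
valid_source() {
    local addr prefix octet old_ifs
    addr=${1%/*}; prefix=32
    case "$1" in */*) prefix=${1#*/} ;; esac
    case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the ruleset on stdout. Refuses an empty list (that would lock
# everyone out of sshd) and any invalid entry, printing nothing in either case.
ssh_allowlist_rules() {
    local src
    [ $# -gt 0 ] || { echo "no allowed sources given" >&2; return 1; }
    for src in "$@"; do
        valid_source "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for src in "$@"; do
        printf '%s\n' "-A INPUT -s $src -p tcp --dport 22 -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -p tcp --dport 22 -j DROP' 'COMMIT'
}

# Constructed placeholder sources (documentation address ranges).
ssh_allowlist_rules 192.0.2.10 198.51.100.0/24
```

Review the output before loading it as root with `iptables-restore`; loaded without `--noflush`, it replaces the existing filter table.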
SSH to Tier_2
For Tier_2, users may specify if they want their own workstations or servers to be accessible via SSH. Email updates to ecehelp@ece
SSH to Tier_3
Computers on Tier_3 are “outside” of the ECE firewall and are neither protected nor blocked by it. All Tier_3 IP addresses are open for SSH from anywhere on the internet.