Overview

This is a list of Banno’s networks and IP addresses used within our data centers, cloud providers, customer networks, and remote access VPN. It also includes any known JHA services that we consume.

Avoiding Overlap with On-prem

Corporate has reserved 10.230.0.0/16 for workloads that need to egress from GCP across the interconnect to jconnect or corporate addresses. If your workload remains in that reserved range you are guaranteed not to overlap with anything on-prem.

GKE pods should use the 100.64.0.0/10 range: RFC 6598 which GCP supports as a valid range.

Banno Public/jConnect Networks

This Public/jConnect information can be communicated to our customers when they ask, What network or IP will Banno's traffic come from? For specific services or servers please check with someone from the Infra team.

Banno Public Outbound

These are the IP addresses from which traffic from Banno services can come.

Network	Environment	Location
`35.224.46.79`	Dev	GCP US Central 1
`34.48.34.9`	Dev	GCP US East 4
`35.225.222.103`	Stage	GCP US Central 1
`35.245.131.89`	Stage	GCP US East 4
`104.197.255.72`, `35.224.134.249`, `35.226.174.114`, `104.154.130.129`, `34.28.173.105`, `34.172.96.251`, `35.202.249.150`, `34.135.87.254`, `34.136.33.57`, `34.30.183.205`, `34.29.100.65`, `35.223.211.119`, `104.154.29.232`, `34.123.195.5`, `34.30.231.160`, `35.232.79.192`	Prod	GCP US Central 1
`34.85.227.147`, `34.86.249.10`, `35.245.59.5`, `34.86.193.238`, `35.188.255.55`, `35.245.9.28`, `34.48.40.164`, `34.48.17.244`, `34.86.8.73`, `35.186.189.94`, `35.236.252.11`,`35.221.53.152`, `34.150.189.205`, `35.236.203.179`, `35.194.82.92`, `34.86.45.93`	Prod	GCP US East 4
`35.184.160.94`, `34.136.131.163`	Prod	GCP US Central 1 OpenSRS Requests `216.40.33.39/32`
`34.48.52.35`, `35.245.56.117`	Prod	GCP US East 4 OpenSRS Requests `216.40.33.39/32`

Banno jConnect Network Translations

jConnect summaries; 10.90.72.0/24, 10.90.86.0/24, 10.90.100.0/24

Environment	Real IP	jConnect translation	Location
Production	10.211.0.0/24	10.90.86.0/24	LKS DC
Production	10.211.1.0/24	10.90.72.1	LKS DC
Production	10.211.2.0/24	10.90.72.2	LKS DC
Production	10.211.3.0/24	10.90.72.3	LKS DC
Production	10.228.88.0/22	10.90.72.88	AZ Central US
Production	10.228.92.0/22	10.90.72.92	AZ East US 2
UAT	10.211.16.0/24	10.90.72.16	LKS DC
UAT & Jenkins	10.228.82.0/23	10.90.72.82	AZ Central US
UAT & Jenkins	10.228.80.0/23	10.90.72.80	AZ East US 2
Staging	10.211.19.0/24	10.90.72.19	LKS DC
Staging	10.228.86.0/23	10.90.72.86	AZ Central US
Staging	10.228.84.0/23	10.90.72.84	AZ East US 2
Dev	10.211.21.0/24	10.90.72.21	LKS DC
All	10.10.0.0/24	10.90.100.0/24	AWS DC

A brief note about customer connectivity

Some financial institutions (FI) have their core systems and ancillary products hosted by JHA data centers while others host these services at their own premise. Since not every product is web hardened JHA has provided an encrypted private WAN(jConnect) to connect our FIs to JHA’s services. jConnect is a large private VPN based WAN connecting JHA to almost all of our clients(some CUs use a similar WAN called SymConnect). At last count we had approximately 2500 FIs connected with jConnect. jConnect routers translate our customer’s networks to networks compatible with the JHA WAN and data centers and vice versa.

Banno has jConnect translations setup to allow communication to/from either Lenexa, AWS, or Azure. This is also known as being in an active/active communication posture. This allows systems within LKS and AWS to simultaneously communicate across jConnect to other services or customers independently of one another. This strictly applies to communication readiness, the systems in either site would need to support active/active as well.

Disaster Recovery

We’ve reserved 10.90.100.0/24 for our translated range for customers when we are operating out of AWS in a DR scenario. We will translate our 10.10.{1,3,5}.x ips that use jconnect over to using this range. This lets customers whitelist a network range for LKS and a range for DR. (Previously we had many more networks we requested for them to whitelist.)

Banno Data Center Networks

The data centers have been assigned large summarized network blocks to use immediately and to provide space for expansion in the future.

Network	Description
10.211.0.0/19	LKS BANNO
10.10.1.x, 10.10.3.x and 10.10.5.x	AWS (us-east-1 subnets: us-east-1a, us-east-1c and us-east-1d)
10.228.80.0/20	Azure (split across two subscriptions and 2 regions)

Assigned

Production

Network	GW	VLAN	Description
10.211.0.0/22	3.254	109	MicroServices/containers/applications
10.211.4.0/22	n/a	n/a	unused
10.211.8.0/24	.254	100	unused
10.211.9.0/24	.254	101	unused
10.211.10.0/24	.254	102	LB Front
10.211.11.0/24	.254	103	unused
10.211.12.0/24	.254	111	unused
10.211.13.0/24	n/a	n/a	unused
10.211.15.64/27	n/a	113	unused
10.211.15.96/27	n/a	112	unused
10.211.15.128/27	n/a	104	WAN InterDataCenter
10.211.15.160/27	n/a	105	WAN JCONNECT(Customer & BU to BU connectivity)
10.211.15.192/27	n/a	106	WAN Amazon Web Services
10.211.15.32/27	n/a		WAN Azure
10.211.23.128/27	n/a		WAN Azure
10.211.15.224/27	n/a	107	ACI-FW
10.203.131.24/24	n/a	N/A	Vsphere

UAT, Staging, Dev

Network	GW	VLAN	Description
10.211.16.0/24	.254	460	UAT App
10.211.17.0/25	.126	461	UAT-LB-FRONT
10.211.17.128/25	.254	462	UAT-LB-BACK
10.211.18.0/25	.126	463	UAT Orchestration
10.211.19.0/24	.254	470	STG App
10.211.20.0/25	.126	471	STG-LB-FRONT
10.211.20.128/25	.254	472	STG-LB-BACK
10.211.18.128/25	.254	473	STG Orchestration
10.211.21.0/24	.254	480	Dev App
10.211.22.0/25	.126	481	Dev-LB-FRONT
10.211.22.128/25	.254	482	Dev-LB-BACK
10.211.23.0/25	.126	483	Dev Orchestration

AWS

Network	GW	Availability Zone	Description
10.10.1.0/24	10.10.1.1	us-east-1a	private-1a
10.10.3.0/24	10.10.3.1	us-east-1c	private-1c
10.10.5.0/24	10.10.5.1	us-east-1d	private-1d
10.10.101.0/24	10.10.101.1	us-east-1a	test-1a-private
10.10.103.0/24	10.10.103.1	us-east-1c	test-1c-private
10.10.0.0/24	10.10.0.1	us-east-1a	public-1a
10.10.2.0/24	10.10.2.1	us-east-1c	public-1c
10.10.4.0/24	10.10.4.1	us-east-1d	public-1d
10.10.100.0/24	10.10.100.1	us-east-1a	test-1a-public
10.10.102.0/24	10.10.102.1	us-east-1c	test-1c-public

Azure

Network	GW	VLAN	Description
10.228.86.0/23			Azure Staging VNET Central US
10.228.84.0/23			Azure Staging VNET East US 2
10.228.82.0/23			Azure UAT VNET Central US
10.228.80.0/23			Azure UAT VNET East US 2
10.228.88.0/22			Azure Production VNET Central US
10.228.92.0/22			Azure Production VNET East US 2

SPECIFIC IP ASSIGNMENTS

https://docs.google.com/a/banno.com/spreadsheets/d/1tQLSr1H1yz4J26fAh0746XTmMkawuE9vbgCvV_XPLUs/edit?usp=sharing

Banno Client VPN Networks

Various options and privilege levels exist to connect to Banno production and development. These are the source networks that you’ll be assigned depending on location and privilege level.

Group	Site	CIDR	Range
Standard	Branson	10.103.232.0/24	10.103.232.1 - 10.103.232.254
Non-DC	Branson	10.103.25.0/24	10.103.25.1 - 10.103.25.254
Techops	Branson	10.103.231.64/26	10.103.231.65 - 10.103.231.126
Infrastructure	Branson	10.103.231.128/26	10.103.231.129 - 10.103.231.190
Contractor	Branson	10.103.231.0/26	10.103.231.1 - 10.103.231.62
Standard	Monett	10.103.61.0/24	10.103.61.1 - 10.103.61.254
Non-DC	Monett	10.103.17.0/24	10.103.17.1 - 10.103.17.254
Techops	Monett	10.103.60.64/26	10.103.60.65 - 10.103.60.126
Infrastructure	Monett	10.103.60.128/26	10.103.60.129 - 10.103.60.190
Contractor	Monett	10.103.60.0/26	10.103.60.1 - 10.103.60.62

LDAP Common Names

Security group common names for active directory

JHA-PSA-F5APMVPN-Banno-Contractor
JHA-PSA-F5APMVPN-Banno-Techops
JHA-PSA-F5APMVPN-Banno-Infrastructure
JHA-PSA-F5APMVPN-Banno-Standard
JHA-PSA-F5APMVPN-Banno-Non-DC

Infrastructure Services

Some of these are provided by ETS and some we (Banno) maintain.

VSPHERE

A list of vsphere endpoints for interacting with JHA hosts

10.203.131.24 lksbnvc01.jkhy.com
10.203.131.23 lksbnpsc01.jkhy.com
10.203.131.25 lksbnpsc02.jkhy.com
10.203.131.26 lksbnvdp01.jkhy.com

NTP (private)

Suggest using Allen as primary and Branson as secondary.

Location	IP
Monett	10.202.248.248
Monett	10.202.248.249
Branson	10.204.248.248
Branson	10.204.248.249
Allen (Dallas)	10.207.248.248
Allen (Dallas)	10.207.248.249

NTP (public restricted access)

For these to work traffic needs to originate from a JHA owned IP block or have our source IP address added to a whitelist.

Location	IP
Monett	216.116.87.116
Branson	74.200.43.240
Allen	74.200.33.240

DNS

These cannot be randomly interchanged. Some of these only service specific domains or environments.

Location	IP	domains	Owner
Lenexa	10.211.1.53	prod recursor	Banno
Lenexa	10.211.1.54	prod recursor	Banno
Monett	10.1.1.25	jhacorp.com, dev.jha	ETS
Branson	172.24.17.41	jhacorp.com, dev.jha	ETS
Monett	10.202.133.1	jkhy.com	ETS
Branson	10.204.133.1	jkhy.com	ETS

Log Collection

Most system logs are sent to TechOps systems for aggregation and correlation. We also collect Intrusion Prevention System(IPS) logs to syslog.infra.production.lks.banno-internal.com.

JHA Public Networks

JHA owns and operates a few large blocks of public IP space. It is assigned out to our offices and data centers for various purposes. Each network is listed with CIDR notation, sometimes called slash notation for the /##, which indicates a range of addresses rather than a single IP.

Network Summaries

Network	Range
52.128.64.0/18	52.128.64.0 - 52.128.127.255
74.200.32.0/19	74.200.32.0 - 74.200.63.255
216.116.80.0/20	216.116.80.0 - 216.116.95.255

The networks above are dynamic and their physical location is subject to change.