Networking Overview

The Basics

There is a range of options for networking at Cornell, which I will describe more fully in turn.

  • A public IP address on a LASSP managed subnet.
    • Aside: Definition of "10 space" and Cornell's implementation
    • 10 space subnets corresponding to public subnets at Cornell.
  • Aside: Definition of NAT routers
  • Access net, run by CIT on a per building basis with self registration via NetID or visitor email
  • Wireless
    • The eduroam and RedRover wireless networks run by CIT with self registration via NetID.
    • Cornell Visitor wireless for visitors without NetID or eduroam from another participating institution.
  • Departmental NAT subnet
  • A private subnet for your group running behind a firewall/router - depending on your research group. If the subnet spans multiple rooms and uses CIT wall ports, there will also be a private VLAN for the group.
  • A CIT provided public subnet that is managed by a faculty member - depending on your research group.

Public IP on LASSP managed subnet

The most common way to get internet for a desktop is to get an IP address on one of LASSP's public networks. These are:

LASSP Public Subnets

Description                                    IP Range           VLAN
Main LASSP subnet "241"                        128.84.241.0/24    417
Secondary LASSP subnet "231"                   128.84.231.0/24    413
LASSP self registration (old wireless subnet)  132.236.95.0/24    860
IT install subnet                              128.84.249.0/24    316

Any computer registered on one of these subnets will have a DNS name that maps to its unique IP address. The name should be memorable and it will end in lassp.cornell.edu. For example, owl.lassp.cornell.edu or rs-las-owl.lassp.cornell.edu. The latter form is required for certified desktop. This is the most flexible type of connection. It can connect to anywhere inside or outside of Cornell. It has historically been the most prone to hacking, because it was also available for inbound connections from anywhere off campus. The new firewall rules should mitigate this, but it will still be the most potentially vulnerable type of connection.

Aside: 10 space IP address

The Internet Protocol version 4, or IPv4 (see https://en.wikipedia.org/wiki/IP_address), contains a few ranges of private address space that are guaranteed not to route on the internet. These are 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8. The last of these is by far the largest and is often referred to as 10 space.

Cornell leverages 10 space in many ways. Cornell generally routes 10 space subnets around campus and allows DNS registration in the on campus nameserver, but it blocks 10 space hosts from communicating off campus directly.

10 space subnets corresponding to public subnets

A public subnet on campus like LASSP's 128.84.241.0/24 subnet has 10.84.241.0/24 available on the same physical network ports. A computer or another network device, like a printer or a data taking device, that needs to accept connections from on campus for printing or data file serving can be given a 10 space address. That protects the device from off campus hacking, but it also prevents the computer or device from connecting to off campus services. CIT does have a proxy server for these subnets that will serve things like Windows and macOS security patches to devices on these 10 space subnets. Now that Cornell has a good managed firewall, it is probably better to protect such systems with firewall rules on a public IP rather than using 10 space.
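As an added example (not code from the original page or from LASSP IT), the following Python uses the subnet table above and the 10 space convention to report where an address sits and whether hosts off campus can initiate connections to it. The first-octet replacement for subnets other than "241" is an assumption that generalizes the page's one example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the LASSP Public Subnets table above (VLAN ids as listed there).
LASSP_PUBLIC_SUBNETS = {
    "241": (ipaddress.ip_network("128.84.241.0/24"), 417),
    "231": (ipaddress.ip_network("128.84.231.0/24"), 413),
    "self-registration": (ipaddress.ip_network("132.236.95.0/24"), 860),
    "IT install": (ipaddress.ip_network("128.84.249.0/24"), 316),
}
# The three private ranges that never route on the internet.
PRIVATE_RANGES = [ipaddress.ip_network(p)
                  for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ten_space_twin(public_net: ipaddress.IPv4Network) -> ipaddress.IPv4Network:
    """10 space subnet on the same wall ports as a public /24: 128.84.241.0/24 -> 10.84.241.0/24.
    Assumption: the page's single example generalizes by replacing the first octet with 10."""
    if public_net.prefixlen != 24:
        raise ValueError("only /24 subnets are mapped")
    _, b, c, _ = str(public_net.network_address).split(".")
    return ipaddress.ip_network(f"10.{b}.{c}.0/24")


@dataclass
class Placement:
    kind: str                      # "public", "10 space twin", "private", "other public"
    subnet: str                    # matched LASSP subnet or private range
    vlan: Optional[int]            # VLAN from the table, if known
    inbound_from_off_campus: str   # exposure as described on this page


def classify(addr_str: str) -> Placement:
    """Locate an address relative to LASSP's subnets and state its off-campus exposure."""
    addr = ipaddress.ip_address(addr_str)
    for name, (net, vlan) in LASSP_PUBLIC_SUBNETS.items():
        if addr in net:
            return Placement("public", f"{name} ({net})", vlan,
                             "possible: rely on managed firewall rules")
        if addr in ten_space_twin(net):
            return Placement("10 space twin", f"{name} ({ten_space_twin(net)})", vlan,
                             "blocked: 10 space does not route off campus")
    for rng in PRIVATE_RANGES:
        if addr in rng:
            return Placement("private", str(rng), None,
                             "blocked: private address, outbound only via NAT")
    return Placement("other public", "not a LASSP subnet", None, "possible")


if __name__ == "__main__":
    for ip in ("128.84.241.17", "10.84.241.17", "10.84.231.5", "192.168.1.9", "8.8.8.8"):
        print(ip, classify(ip))
```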

Aside: Network Address Translation (NAT) Routers (one-to-many)

See this Wikipedia page for an explanation of one-to-many NAT routers: https://en.wikipedia.org/wiki/Network_address_translation

Many on campus networks are partially served by NAT routing by CIT, including the RedRover, eduroam, and Cornell Visitor wireless networks, the per building wired Access Net subnets, and Departmental NAT subnets. For these, the internal subnets are in 10 space. Therefore, connecting to or from other on campus computers can be done directly through the 10 space IP rather than through the NAT. However, whenever the system wishes to connect off campus, it goes through the NAT router and appears to the off campus server as coming from the public IP of the NAT router. The NAT router receives the response and automatically routes it to the host that initiated the remote connection.

Networks behind CIT NAT routers on campus are protected from connections initiated from off campus.

Access Net

CIT has established a service they call Access Net. Each building has an Access Net subnet, and wired ports in conference rooms, shared offices, and labs can be enabled to be on Access Net. Computers that connect to these ports initially have web pages redirected to a self-registration page, where one can register them with a NetID. Thereafter, the computer just connects to the network whenever it is plugged into Access Net. LASSP's AV rooms and many graduate student offices have Access Net enabled. Access Net connections get dynamic IP assignments. Connecting to a computer on Access Net from elsewhere on campus is difficult because one must know the computer's current 10 space IP address.

Wireless Networks - eduroam, RedRover, Cornell Visitor

Much of campus is covered by Cornell centrally managed wireless. These access points carry eduroam, RedRover, and Cornell Visitor (see https://it.cornell.edu/wifi). It is best to use eduroam if you have a NetID. Connecting to eduroam registers your wireless device automatically and immediately. The eduroam wireless network is encrypted and supported by many higher education institutions. RedRover is an unencrypted wireless network. Using it for a regular laptop or desktop is insecure, but it can work for older or less sophisticated devices like an e-book reader. It can also be used briefly when eduroam proves too difficult. RedRover does self registration with a NetID, like Access Net. There is also a manual registration page for RedRover if you know the device's MAC address: go to https://mycomputers.cit.cornell.edu/ from another computer and scroll to the bottom to register a device without a web browser. Like Access Net, the 10 space IP of the computer is not fixed but dynamic.

Cornell Visitor wireless is available to visitors. It just requires an email address to register, but it is short term - meant for guests.

Departmental NAT

Groups can now request a Departmental NAT subnet. These function like Access Net: in 10 space, routable on campus, with a CIT managed NAT router. However, one can do static registration of hosts so that access from other hosts on campus is simplified. These networks can also be further protected by the managed firewall service.

Private Networks in research groups

Some research groups in LASSP have their own firewall, either NAT style or more sophisticated. In order to work in multiple rooms, these groups generally need to get what Cornell terms a private VLAN. This is the equivalent of having a dumb network switch for the group in the networking closets that connect to ports in the various rooms across the group's lab and office space. No other subnets will be able to see the private VLAN. The group will typically have one port on one of LASSP's public networks that connects to the public side of their firewall; the private side of the firewall then connects to one wall port on their private VLAN and provides networking to the rest of the ports on the private VLAN.

Public Subnets in LASSP Research Groups

A few research groups for various historical reasons obtained their own public subnets from CIT. These are not managed by LASSP IT. The PI or a permanent research scientist in the group needs to serve as a Network Administrator for the group's subnet. Of course, the LASSP IT manager provides advice and assistance, and serves as the IT Security Liaison for the subnet. But, you will need to consult your PI or group to get connected.