Computer Laboratory

VLANs

We operate a large number of Virtual LANs (VLANs) to separate network traffic by logical function. VLANs are used to limit the propagation of broadcast traffic and as a way of enforcing security policies. In general a machine will not work if it is connected to the wrong VLAN.

Although there are well over 50 VLANs in total, most have specialised functions and only a handful of them are routinely used for desktop machines. When we provide a machine for a standard purpose, such as an ordinary workstation, we will choose the appropriate VLAN for it. However there are many cases in which a machine has a non-standard purpose and a decision has to be made about the best one.

Whilst we cannot offer an entirely free choice of VLAN, the selection will depend primarily on what you tell us about the purpose of the network connection. We usually refer to VLANs by their function, but the primary identification is a small integer known as the "tag". For your general guidance, here is a list of the VLANs most commonly used for connections of machines:

298, 398 and 498

These are the default VLANs normally used for managed workstations running Windows, Linux and MacOS respectively. The separation between them is mainly for administrative convenience and they have very similar properties. Machines on these VLANs have good access to internal facilities and can make outbound connections to the internet. They are largely protected from inbound connections from the internet, with the main exception that inbound ssh is allowed under controlled conditions. IPv6 is supported. These VLANs are suitable for most workstations. It is important to realise that "managed" simply means that management of the machine is shared; you can still install software and tailor the system to your needs, subject only to a few common-sense restrictions for security reasons.

290

This VLAN is available for internal machines whose configurations we do not manage. The majority of such machines are nevertheless owned by the department and we expect to keep track of them and know who is responsible for them. They will normally be given a static IP address. They have full access to internal facilities and can make outgoing internet connections. Remote access from outside the department is blocked because we have no control over their authentication and authorisation policies (though we still expect them to be reasonably secure). IPv6 is supported.

190

VLAN 190 is sometimes known as the "aliens" VLAN. It is primarily intended to give internet connectivity to personal machines, typically laptops. The majority of such devices now use the wireless network so this VLAN is not as heavily used as it once was. Access to internal networks is restricted. Addresses are allocated by dynamic DHCP. IPv6 is currently not supported. In general this VLAN is intended for casual connectivity rather than serious work.

105

VLAN 105 acts as a "demilitarised zone" for machines intended to provide services to the outside world (typically web services). Access to internal networks is restricted because we cannot be certain that such services are secure, though every effort should be made to make them so.
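The VLAN descriptions above (298/398/498, 290, 190 and 105) amount to a zone-based access policy. The following Python model, an added illustration and not the Computer Laboratory's own tooling, encodes those stated properties in a table and evaluates sample flows against them so the policy can be regression-tested offline. The VLAN tags and their properties are taken from the text; the flow representation, the `ssh_controlled` flag standing for the "controlled conditions" under which inbound ssh is allowed, the treatment of other department VLANs as "internal facilities", and the sample flows are assumptions made for the example. Anything the page does not state (for instance outbound internet access from VLAN 105) is recorded as `None` and reported as "unspecified" rather than guessed.

```python
"""Zone-based model of the VLAN access policy described on this page (added example)."""
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class VlanPolicy:
    tag: int
    purpose: str
    internal_access: str              # "full" or "restricted" (as stated on the page)
    outbound_internet: Optional[bool]  # None: the page does not say
    inbound_internet: Optional[str]    # "blocked", "ssh-controlled", "services" or None
    ipv6: Optional[bool]


# Properties as stated on the page; None marks a property the page leaves unstated.
POLICIES = {
    298: VlanPolicy(298, "managed Windows workstations", "full", True, "ssh-controlled", True),
    398: VlanPolicy(398, "managed Linux workstations", "full", True, "ssh-controlled", True),
    498: VlanPolicy(498, "managed MacOS workstations", "full", True, "ssh-controlled", True),
    290: VlanPolicy(290, "unmanaged internal machines", "full", True, "blocked", True),
    190: VlanPolicy(190, "personal machines (aliens)", "restricted", True, None, False),
    105: VlanPolicy(105, "DMZ for externally visible services", "restricted", None, "services", None),
}


@dataclass(frozen=True)
class Flow:
    src: str            # "internet", "internal" or "vlan:<tag>"
    dst: str            # same encoding as src
    service: str        # e.g. "ssh", "https", "smb"
    # Assumed flag: True when the "controlled conditions" for inbound ssh are met.
    ssh_controlled: bool = False


def _vlan(endpoint: str) -> Optional[VlanPolicy]:
    """Return the policy for a 'vlan:<tag>' endpoint, None for internet/internal."""
    if not endpoint.startswith("vlan:"):
        return None
    tag = int(endpoint.split(":", 1)[1])
    if tag not in POLICIES:
        # An unknown tag is a modelling error, not an implicit allow or deny.
        raise KeyError(f"VLAN {tag} is not in the policy table")
    return POLICIES[tag]


def decide(flow: Flow) -> str:
    """Evaluate one flow: 'allow', 'deny', or 'unspecified' when the page is silent."""
    src, dst = _vlan(flow.src), _vlan(flow.dst)

    # Inbound from the internet to a VLAN: governed by that VLAN's inbound rule.
    if flow.src == "internet" and dst is not None:
        rule = dst.inbound_internet
        if rule is None:
            return "unspecified"
        if rule == "blocked":
            return "deny"
        if rule == "ssh-controlled":
            return "allow" if flow.service == "ssh" and flow.ssh_controlled else "deny"
        if rule == "services":
            return "allow" if flow.service in ("http", "https") else "deny"

    # Outbound from a VLAN to the internet.
    if src is not None and flow.dst == "internet":
        if src.outbound_internet is None:
            return "unspecified"
        return "allow" if src.outbound_internet else "deny"

    # From a VLAN to internal facilities. Assumption: other department VLANs
    # count as internal facilities; "restricted" is modelled conservatively as deny.
    if src is not None and (flow.dst == "internal" or dst is not None):
        return "allow" if src.internal_access == "full" else "deny"

    return "unspecified"


def mismatches(expectations: List[Tuple[Flow, str]]) -> List[Tuple[Flow, str, str]]:
    """Return (flow, expected, actual) for every expectation the model disagrees with."""
    return [(f, exp, decide(f)) for f, exp in expectations if decide(f) != exp]


# Constructed sample flows with the decision the page's wording implies.
EXPECTATIONS = [
    (Flow("internet", "vlan:398", "ssh", ssh_controlled=True), "allow"),
    (Flow("internet", "vlan:398", "ssh"), "deny"),
    (Flow("internet", "vlan:298", "https"), "deny"),
    (Flow("internet", "vlan:290", "ssh", ssh_controlled=True), "deny"),
    (Flow("internet", "vlan:105", "https"), "allow"),
    (Flow("internet", "vlan:105", "ssh"), "deny"),
    (Flow("vlan:105", "internal", "smb"), "deny"),
    (Flow("vlan:290", "internal", "smb"), "allow"),
    (Flow("vlan:190", "internet", "https"), "allow"),
    (Flow("vlan:105", "internet", "https"), "unspecified"),
]

if __name__ == "__main__":
    for flow, expected, actual in mismatches(EXPECTATIONS):
        print(f"MISMATCH {flow}: expected {expected}, got {actual}")
```

Running the module prints nothing when the model agrees with every constructed expectation; the value of the exercise is that any property the page leaves unstated surfaces as "unspecified" instead of being silently filled in, which is the question to put to the network team before a machine is placed on a VLAN.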

Research group VLANs

A number of research groups have VLANs assigned to them for specialised purposes. They are assigned to groups which have a need to manage a dedicated slice of address space, or have unusual security requirements. They are also used to limit the potential disruption that may be caused to others by experimental network software. Amongst these VLANs are:

  • VLAN 108 is used by the Security group
  • VLAN 101 is used by the Systems Research group
  • VLAN 390 is used by the Digital Technology group

It is important to realise that being a member of one of these groups does not necessarily imply that your machine needs to be on that group's VLAN. Experts within the research groups should normally be able to advise on whether it is appropriate to use the group VLAN.

A longer list of VLANs and address block allocations is available to members of the department here. This list is primarily intended as internal documentation for the network management team.