The CL network
Simplified network structure
What the network looks like
The Computer Lab network is connected via routers to the Cambridge University Data Network (CUDN). This has a connection to the Joint Academic NETwork (JANET), and thence to the Internet as a whole.
The main router also acts as a central switch – it has fast connections to a filestore and various other machines, and also connects to a set of switches distributed around the building. There are one or more switches in each of the 6 wiring closets on each floor. Each connection on the switches is connected to a patch panel, and the patch panel also has connections into all of the offices (this is known as structured wiring).
So, the network appears in offices as a set of 4 RJ45 sockets in the floor boxes which also house power sockets. A few areas without false floor have the sockets presented on wallplates instead. Computers and telephones are connected to these sockets.
There is also a wireless network which is intended to be available throughout the building.
... and how to connect to it from outside
The RJ45 sockets in the floor boxes are not enabled by default – the wires from the sockets lead back to patch panels in a number of wiring closets and the connections within those patch panels need to be set up by a system administrator.
Please do not rearrange connections to sockets yourself:
- a connection may not be enabled on the socket you plug into.
- a connection may be enabled on the socket you plug into, but it may be to the wrong VLAN (see below).
- fault finding is difficult if our documentation concerning what is connected where is out of date.
If you need a socket enabled we have a web form for you to fill in – go to Request a network connection and fill in the details requested.
If you no longer require a connection, please email sys-admin so that the switch port can be reused.
If there are not enough sockets in a particular place, it may be possible to use a local switch, but please do not connect one without asking first.
The wireless network
There are several wireless networks available in the William Gates Building. For full details see Wireless Networks available in the Computer Lab.
The (802.11a/b/g/n) wireless network is intended to be available throughout the building. The network is part of a larger network covering most of the University and is managed for us by University Information Services. The physical access points provide more than one logical network, so there are different ESSIDs for different purposes.
If you wish to request a connection go to our web forms page – select Request a network connection and fill in the details requested.
We operate a large number of Virtual LANs (VLANs) to separate network traffic by logical function. VLANs are used to limit the propagation of broadcast traffic and as a way of enforcing security policies. In general a machine will not work if it is connected to the wrong VLAN.
Although there are well over 50 VLANs in total, most have specialised functions and only a handful of them are routinely used for desktop machines. When we provide a machine for a standard purpose, such as an ordinary workstation, we will choose the appropriate VLAN for it. However there are many cases in which a machine has a non-standard purpose and a decision has to be made about the best one. Whilst we cannot offer an entirely free choice of VLAN, the selection will depend primarily on what you tell us about the purpose of the network connection. It is impossible to document here every detail of the decision process. We usually refer to VLANs by their function, but the primary identification is a small integer known as the "tag". For your general guidance, here is a list of the VLANs most commonly used for connections of machines:
- VLANs 298, 398 and 498 are the default VLANs normally used for managed workstations running Windows, Linux and MacOS respectively. The separation between them is mainly for administrative convenience and they have very similar properties. Machines on these VLANs have good access to internal facilities and can make outbound connections to the internet. They are largely protected from inbound connections from the internet, with the main exception that inbound ssh is allowed under controlled conditions. IPv6 is supported. These VLANs are suitable for most workstations. It is important to realise that "managed" simply means that management of the machine is shared; you can still install software and tailor the system to your needs, subject only to a few common-sense restrictions for security reasons.
- VLAN 290 is available for internal machines whose configurations we do not manage, perhaps because they need to run an operating system that we do not support. The majority of such machines are nevertheless owned by the department and we expect to keep track of them and know who is responsible for them. They will normally be given a static IP address. They have full access to internal facilities and can make outgoing internet connections. Remote access from outside the department is blocked because we have no control over their authentication and authorisation policies (though we still expect them to be reasonably secure). IPv6 is supported.
- VLAN 190 is sometimes known as the "aliens" VLAN. It is primarily intended to give internet connectivity to personal machines, typically laptops. The majority of such devices now use the wireless network so this VLAN is not as heavily used as it once was. Access to internal networks is restricted. Addresses are allocated by dynamic DHCP. IPv6 is currently not supported. In general this VLAN is intended for casual connectivity rather than serious work.
- VLAN 105 acts as a "demilitarised zone" for machines intended to provide services to the outside world (typically web services). Access to internal networks is restricted because we cannot be certain that such services are secure, though every effort should be made to make them so.
- A number of research groups have VLANs assigned to them for specialised purposes. They are assigned to groups which have a need to manage a dedicated slice of address space, or have unusual security requirements. They are also used to limit the potential disruption that may be caused to others by experimental network software. Amongst these VLANs are:
- VLAN 108 is used by the Security group
- VLAN 101 is used by the Systems Research group
- VLAN 390 is used by the Digital Technology group
- VLAN 100 is a legacy VLAN. It was formerly the default VLAN for workstations but is no longer used for new connections. If a machine on this VLAN is upgraded or refurbished we will probably move it to a different VLAN. It does not support IPv6 and never will.
A longer list of VLANs and address block allocations is available to members of the department here. This list is primarily intended as internal documentation for the network management team.
Almost all telephones are connected directly to the IP network. There are only a handful of analogue lines used for legacy devices such as FAX machines. The number assigned to an IP phone is a property of the physical handset and it does not matter where it is plugged in on the network.
Voice traffic is carried on a dedicated VLAN (2456) but this does not need to be configured explicitly. The switches detect the presence of a Cisco phone and automatically deliver the voice VLAN to it. In addition, the ordinary data VLAN that is configured on the port will automatically appear on the phone's downstream socket, enabling a workstation to be "daisy-chained". This economises on the use of switch ports, but has the disadvantage that most phones restrict the link speed to 100Mbit/s.
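As an added illustration, not part of the Computer Lab's own documentation: the "tag" that identifies a VLAN is the 12-bit VLAN identifier carried in an 802.1Q header, and on a daisy-chained port the phone's voice traffic is normally tagged with the voice VLAN while the workstation's frames stay untagged on the port's data VLAN (an assumption about the usual arrangement, not something the page states). The Python below builds constructed sample frames with dummy MAC addresses, extracts the tag, and maps it to the VLAN functions listed above.

```python
import struct

# VLAN tags named on this page and the function each serves.
VLAN_FUNCTIONS = {
    298: "managed Windows workstations",
    398: "managed Linux workstations",
    498: "managed MacOS workstations",
    290: "internal unmanaged machines",
    190: "'aliens' VLAN for personal machines",
    105: "DMZ for externally facing services",
    108: "Security group",
    101: "Systems Research group",
    390: "Digital Technology group",
    100: "legacy workstation VLAN",
    2456: "voice VLAN (IP phones)",
}

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_vlan_tag(frame: bytes):
    """Return (vid, pcp, ethertype) for an 802.1Q-tagged Ethernet frame,
    or None if the frame is untagged. Only the header is inspected."""
    if len(frame) < 18:
        raise ValueError("frame too short to carry an 802.1Q header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None  # untagged: the port's native (data) VLAN applies
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13       # 3-bit priority code point
    vid = tci & 0x0FFF    # 12-bit VLAN identifier: the "tag"
    return vid, pcp, ethertype


def describe(frame: bytes) -> str:
    """Human-readable classification of a frame against the page's VLAN list."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return "untagged frame: data VLAN configured on the port"
    vid, pcp, _ = tag
    function = VLAN_FUNCTIONS.get(vid, "unknown VLAN (not listed on this page)")
    return f"VLAN {vid} (PCP {pcp}): {function}"


def build_frame(vid: int, pcp: int = 0, ethertype: int = 0x0800) -> bytes:
    """Constructed sample frame: dummy MACs, an 802.1Q tag and a zero payload."""
    dst = bytes.fromhex("001122334455")  # constructed, not a real address
    src = bytes.fromhex("66778899aabb")  # constructed, not a real address
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + b"\x00" * 46
```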
The CUDN and JANET
All the machines in the Computer Laboratory are used subject to the conditions of the University Information Strategy and Services Syndicate (ISSS). In particular use of the CUDN connection implies acceptance of the JANET Acceptable Use Policy. It is important that you do not do any kind of port scanning or security probing, even of your own machines. If your research requires you to do something which might appear suspicious, talk to us first.
You should also be aware that the department is charged real money for traffic that goes to and from sites outside the University. This is an internal charging mechanism intended to share out the fixed cost of connecting to the JANET network. For most normal research requirements this need not concern you as the charges are covered centrally. Excessive network use is likely to be noticed and investigated. See the UIS page on Usage charging for network traffic for details.