This Page is nearly obsolete and needs rewritting to remove references to the decommissioned "Maintain" application, decommissioning of the CS localized firewall and document the redesign of Intranet (private IPv4) network usage to support ACL's replacing the firewall rules where possible.

Network design philosophy and basic schema

Our basic network philosophy is to try to exploit locality at layer-2 and to use layer-3 routing wherever possible. We try to allocate networks within a single building at layer-2 and route between buildings with a /30 Point-to-Point (P2P) layer-3 Vlan as much as possible. To support Network Storage devices, all server rooms are full mesh contected by 10 Gb P2P OSPF links with the Master Server Room in each building containing that Buildings Aggregation Switch. Some networks are large (/23) and some are small (e.g. /26 for smaller research groups. Not considering security, the tradeoff of small versus large is generally one of whether or not we can tolerate the broadcast traffic. Some protocols are "broadcast noisy" and so we probably don't want any general-use networks larger than /23. We might consider a /22 client network. but that's about it (a /22 is ~1000 hosts -- that can add up to a lot of broadcasting, especially if Samba/CIFS/Windows is present).

Using smaller layer-2 networks has the potential to allow better security design with the firewall. Small broadcast domains are isolated from each other and thus can be more secure for some classes of compromise -- at least, we can say that smaller networks don't leak broadcast traffic and compromised system can't see other non-local hosts at layer-2. That's the basic idea, at least -- it doesn't alway work out that way because many classes of compromise go beyond the local network.

CSCF has three basic ranges of network presently (as of Spring 2010):

Maintain zone name Address space Usage Threat
cs-inet Internet addresses; routable to the world High
cs-campus UW-Intranet; routable only within the UW Autonomous System Medium
cs-private CS-Intranet; routable only within the CS OSPF area 4 Lowest

"Maintain" refers to the IST "Maintain" web application, which is used to record and manage UW network allocations. When choosing a "Maintain" zone for a new host, the question to ask is: "What level of threat does it need to be exposed to?".

See the current network assignments for specific usage details.

Internet ("Maintain" zone cs-inet)

As of 2012-01-01, CSCF managed the following Internet networks: 129.97.{7, 15, 26, 51, 59 (as a pair of /25s), 74, 75, 78, 79, 84, 134, 152, 168, 169, 173 (split into smaller networks)).0/24, and


  • we're trying to allocate so that in can be split into two /25s some day. In particular:
    1. the lower half is for systems in MC and DC 2303a
      1. (ie 32 addresses from for Solaris servers
    2. the upper half is for systems in DC and M3
  • exists in both buildings and likely won't be building-specific for the foreseeable future.
  • the client-only networks 129.97.(82,168,169).0/24 and are DC-only, because that's where all the clients are
  • 51-network is in both buildings on the firewalls
  • 59-network is in both buildings on the firewalls
  • 74- and 75-network are legacy non-firewall networks in DC only
  • 78- and 79-network are legacy non-firewall networks in both buildings
  • 134-network is for CS undergrad-student organizations and is (should be) MC only
  • 173-network is subdivided for research groups and is DC only (non-firewall)
  • 7- and 26-network are firewalled research-server networks and are DC only
Some research groups within the School of Computer Science have their own networks, which they manage:
  • Shoshin (129.97.105), routed via on the firewall
  • Graphics Lab (129.97.114),
  • PLG (129.97.186).

UW-Intranet ("Maintain" zone cs-campus)

We have allocated to us the entire /16 network, which we carve up into various smaller networks, as follows:

Network Usage Maintain DNS setup non-firewalled networks various, see below firewall zone 0 (CSCF systems) as a /20 firewall zone 1 (CS servers) as a collection of /24s firewall zone 2 (thin clients) as a /20 firewall zone 3 (teaching lab workstations) as a /20 firewall zone 4 (office workstations) as a /20 firewall zone 5 (research computers) as a collection of /24s unallocated as a /20 unallocated as a /20 unallocated undefined unallocated DC 3558 server room unallocated DC 2303a server room unallocated MC 3015 server room unallocated M3 3101 server room unallocated undefined unallocated undefined unallocated undefined unallocated undefined unallocated undefined unallocated undefined usage

Within the network, the allocation is as follows:

Network Usage unused
172.19.1.{0,4,8,12,...,252}/30 OSPF point to point links (64 2-usable-nodes per network) some sort of legacy management network unused
172.19.4.{0,16,32,48,...112}/28 block of eight 16-host (14 usable) networks unused
172.19.5.{0,8,16,24,,,,120}/29 16 6-node small networks for IST wireless access points unused unused unused unused for use in MC for use in MC for use in DC for use in DC for use in DC for use in DC usage -- Firewall zone 1

Within the network, the allocation is as follows:

Network Usage campus-only servers in DC printers in DC VM hosts in DC VM hosts in MC campus-only servers in MC
remainder undefined usage -- Firewall zone 5

Within the network, the allocation is as follows:

Network Usage to 172.19.96.? used for management ports and ilom
remainder undefined

CS-Intranet ("Maintain" zone cs-private)

We use the network for devices that need no reach outside CS. This network was originally divided up as follows:

Network Usage non-firewalled networks various LOM networks unallocated thin clients in DC (48 and up) and MC (63 and down) various teaching/lab usage unallocated device management of research computers unallocated unallocated unallocated unallocated unallocated unallocated unallocated unallocated unallocated

The specific network allocations are recorded in the VLAN summary table.

Host numbering within networks

Within a network, certain addresses are reserved for standard usage, as follows:

  • 0 address: reserved for the network name
    • naming convention: subnet-name
    • eg: is
  • 1 and 2 addresses: reserved for route-points for the network
    • naming convention:
    • eg: is and is
  • 3 to 9 addresses: reserved for other networking devices, eg DHCP and DNS servers or caches
  • 10 and above: available for general allocation
Note that these addresses are relative to the subnet base. For a /24 network that starts at 0, the above addresses are literal. But for a /25 network that begins at address 128, the relative translation would be:

  • .128 network name
  • .129 and .130 for routing
  • .131 to .137 reserved for networking devices
  • .138 and above are available for use
Topic revision: r23 - 2014-07-31 - DaveGawley
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback