Operational Procedures for Ethernet Private Networks; rev. 1.4 (published 07/19/16)
Network Infrastructure and Services (NI&S) encourages the use of NI&S installed and managed Ethernet portals for all connections to the campus network. However, there may be cases where a user wishes to set up a private network of Ethernet hosts connecting to the campus network via a single managed portal. NI&S permits the connection of these wired local area networks (LANs) to the campus network under certain conditions.
All private networks are required to register and agree to a Memorandum of Understanding (MOU) which outlines responsibilities of LAN operators and NI&S. An MOU will be drafted after a brief consultation with NI&S engineers for review and approval by both parties.
What Qualifies as a Private Network?
A typical connection to the campus Ethernet network is a single host (e.g. computer or network connected printer) with a single Ethernet Media Access Control (MAC) address attached to a NI&S-managed network portal via a NI&S-provided Ethernet jumper cable. A private LAN constitutes any connection to the campus network that is either multiple individual hosts (machines utilizing a private switch, including virtual hosts utilizing a hypervisor layer of software to provide “guest” systems and/or router for access to the NI&S maintained network) or hosts with multiple MAC addresses (as in a virtualized environment). This includes:
- 10/100 megabits per second (Mbps) and/or 1 gigabit per second (Gbps) hubs and switches;
- Routers, wired and wireless;
- Ethernet repeaters;
- Other devices enabling multiple machines to simultaneously connect to a single wall jack; and/or
- Software that emulates multiple Ethernet stations on the same physical computer, e.g. hypervisors.
NI&S recognizes many legitimate use cases for such networks including, but not limited to:
- Testing and securing devices before deploying to the public network
- For “intranet-like” file sharing
- For higher bandwidth on such an intranet
- To implement virtualization
- To restrict access by means of a firewall or other middlebox device
- For ease of management of multiple machines, such as in labs
- To provide quick and easy access for university guests
- To provide a service or use case that NI&S cannot currently provide
Publicly routable IP addresses versus Private (RFC 1918) addresses
Those who wish to utilize private network connections (PNCs) must do so with private Internet Protocol (IP) addresses conforming to Internet Engineering Task Force (IETF) Request for Comments (RFC) 1918, since IPv4 address space is in very short supply at Virginia Tech. PNCs that require access to off-campus services have the following options:
- Allocation of VT globally routed IPv6 addresses
- Allocation of NI&S campus routed RFC-1918 addresses (172.16.0.0/12) in conjunction with dynamic Network Address Translation (NAT) services now in use at the campus border.
Departments may register private LANs through their departmental liaison. When ordering the private network connection, operators will need to know the network portal number where the LAN connects to the campus network. The portal number should be labeled on the portal faceplate. A registration fee applies for each order, but the fee is designed to provide flexibility for the users while covering the associated infrastructure and maintenance costs incurred by NI&S.
A Memorandum of Understanding (MOU) will be established for all permitted private network systems. The purpose of the MOU is twofold: 1) to define more specifically the features that the private network requires and that NI&S will provide, and 2) to establish a responsible party within the requesting unit.
This program is not intended to replace managed ports provided by NI&S, and bandwidth monitoring (sustained and peak measurements) will be engaged on all registered ports to ensure use does not negatively impact other network traffic within the building. Sustained increases in traffic needs could be accommodated through a graduated fee.
NI&S reserves the right to disable any private network connection from accessing the public network if the connection activity is deemed to be negatively affecting either the performance or security of the shared network. NI&S will work with departments to minimize the impact that loss of such a connection would have on operations.
Students are not permitted to connect personal wireless routers to the Virginia Tech network in buildings with Virginia Tech wireless service. Each residence hall room, with the current exception of Thomas and Monteith Halls, has one active 1 Gigabit per second (Gbps) wired network portal. Residents may purchase an Ethernet switch to provide more wired network connections.
Faculty and staff are prohibited from using wireless routers without permission from NI&S due to interference and security issues. NI&S will work with all units to assess needs and ensure proper technical and security implementation where situations warrant the use of a private wireless system. Periodic, unannounced audits and RF surveys will be conducted by NI&S staff to ensure compliance with this policy.
Unregistered private wireless networks will be documented, and NI&S staff will engage with departmental communications and network liaisons to resolve potential issues. Some of these will likely be the result of misconfigured devices or unintended open networks from printers or other devices whose defaults (which are usually set to “open”) need to be reset. NI&S staff will endeavor to assist in securing such networks, including consulting on proper channel and frequency use, whenever and wherever possible.
NI&S reserves the right to disconnect any device or private LAN from the network that negatively impacts the performance of the campus network. For example, NI&S may disconnect the private LAN if a machine on the private LAN is misconfigured in such a way as to cause significant disruption to the campus network or creates security vulnerabilities or events. IT Security Office policies apply to these ports as they do for all NI&S managed ports. Before disconnecting any service, NI&S will attempt to notify the registered contact person when possible. The goal is to trace these types of issues as quickly as possible.
Regulations and Enforcement
The operation, maintenance, and troubleshooting of the private LAN is the sole responsibility of the private operator. At the request of the department or operator, NI&S may assist in troubleshooting efforts. Dependent on the level of effort required, this assistance may trigger a fee or charge for services.
Similarly, any cabling or other infrastructure installations required to instantiate a private network must conform to building and safety regulations as interpreted and enforced by the University Building Official. Inspections conducted on any part of a building may bring this cabling and infrastructure in scope. Violations will be cited and mitigation could include removal of said infrastructure. NI&S can be contracted to provide consulting and/or installation services to ensure compliance with all regulations.
Operators of private LANs must also comply with the rules and specifications governing the design of computer networks as described by the IEEE 802.3 standard. Failure to do so will result in degraded performance on your private LAN and between your private LAN and remote networks on campus or via the Internet. Access to your private LAN from machines on remote networks may be similarly affected. For more information about this visit http://www.ieee.org/.
Glossary of Terms:
Portal: Ethernet connection point generally located on a wall, ceiling, floor or patch panel within the user’s workspace or office. A portal will be identified with a label that may read something like 203TP01B or 984DA1700F.
Private LAN (PLAN): any connection to the campus network that is either multiple individual hosts (machines utilizing a private switch and/or router for access to the NI&S-maintained network) or hosts with multiple MAC addresses (as in a virtualized environment).
Private Network Connection (PNC): An Ethernet service provided by NI&S for the purpose of connecting a PLAN to the university data network.