Cornell University

What is 10-Space and What Does it Do?

10-Space can be described as a "parallel network" that prevents a system from communicating with off-campus sites while still giving hosts on-campus connectivity.

This article applies to: DNS

10-Space uses RFC-1918 addresses to do this. RFC-1918 is the document that defines private address space.

The ranges defined by RFC-1918 are not routed across the Internet, which is what makes them "private." Cornell filters traffic so that off-campus sites have no direct connectivity to or from 10-Space hosts.

In addition to its allocated routable space, each VLAN on the Cornell network has the corresponding subnet of as well. Hosts can be placed in 10-space simply by replacing the first 'octet' of 128 or 132 with 10. The gateway for 10-space hosts similarly has the first octet replaced with 10.
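The octet substitution and the border filtering described above can be checked mechanically. This added example (not Cornell's own code) maps a real-space address or subnet to its 10-Space overlay and audits flow records for 10-Space hosts talking directly to off-campus addresses; the `CAMPUS_REAL` prefixes, the function names and the flow records are constructed assumptions.

```python
import ipaddress

TEN_SPACE = ipaddress.ip_network("10.0.0.0/8")   # RFC 1918 block used by 10-Space
REAL_FIRST_OCTETS = {128, 132}                   # first octets named on this page
# Constructed placeholder prefixes, NOT the university's real allocations.
CAMPUS_REAL = [ipaddress.ip_network(p) for p in ("128.1.0.0/16", "132.1.0.0/16")]

def to_ten_space(real):
    """Return the 10-Space overlay of a real-space IPv4 address or subnet."""
    net = ipaddress.ip_network(real, strict=False)
    octets = net.network_address.packed
    if net.version != 4 or octets[0] not in REAL_FIRST_OCTETS:
        raise ValueError(f"{real}: first octet is not 128 or 132")
    overlay = ipaddress.IPv4Address(bytes([10]) + octets[1:])
    return ipaddress.ip_network(f"{overlay}/{net.prefixlen}")

def on_campus(addr):
    """True for 10-Space addresses and for the assumed real-space prefixes."""
    ip = ipaddress.ip_address(addr)
    return ip in TEN_SPACE or any(ip in net for net in CAMPUS_REAL)

def audit_flows(flows):
    """Flag flows where a 10-Space host talks directly to an off-campus address.
    The border filter should make these impossible, so any hit points to a
    filtering gap or a spoofed source that needs investigating."""
    hits = []
    for src, dst in flows:
        ten_src = ipaddress.ip_address(src) in TEN_SPACE
        ten_dst = ipaddress.ip_address(dst) in TEN_SPACE
        if (ten_src and not on_campus(dst)) or (ten_dst and not on_campus(src)):
            hits.append((src, dst))
    return hits

# Constructed (source, destination) flow records for illustration.
SAMPLE_FLOWS = [
    ("10.1.20.15", "128.1.20.1"),    # 10-Space to real-space on campus: allowed
    ("10.1.20.15", "10.1.40.8"),     # 10-Space to 10-Space: allowed
    ("10.1.20.15", "203.0.113.9"),   # 10-Space straight to off-campus: flagged
    ("198.51.100.7", "10.1.20.15"),  # off-campus into 10-Space: flagged
    ("128.1.20.30", "203.0.113.9"),  # real-space to off-campus: out of scope
]

if __name__ == "__main__":
    print(to_ten_space("128.1.20.0/24"), to_ten_space("132.1.7.1"))
    for flow in audit_flows(SAMPLE_FLOWS):
        print("direct off-campus flow:", flow)
```

Traffic that reaches off-campus services through a proxy appears here as a 10-Space host talking to an on-campus address, so it is not flagged.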

You can associate hostnames with 10-Space IP addresses and assign 10-space addresses to specific hosts through Network and Host Registration and Host List Maintenance as you would for real-space addresses. 

Note: 10-Space hostnames will not work off campus, but they are accessible via the VPN.

You can assign dynamic DHCP addresses using 10-Space, but you cannot assign both real and 10-Space addresses via dynamic DHCP on a single VLAN. You can, however, mix real and 10-Space addresses on a single VLAN when they are statically assigned via DHCP.

Example has the 10-Space network overlaid on it. Systems on this VLAN can use addresses in either subnet. The gateway for the 10-Space host is


  • No scanning/hacking attempts from off-campus: Connections to 10-Space are not permitted to enter our network.
  • Double the address space available to network administrators.


Systems assigned a 10-Space address must use a proxy to connect to off-campus services.

  • Individual departments can deploy their own proxies to allow 10-Space systems to connect off campus.
  • CIT offers a proxy that allows 10-Space systems to access operating system software updates, virus software updates, and some application updates. Use of this proxy requires no configuration changes for the client system.

Traffic between a real-space address and a 10-Space address on the same VLAN will go through the gateway router. Any traffic filtering, including Managed Firewall, that affects the subnet will be applied to that traffic.


Though 10-Space addressed hosts cannot be directly attacked from outside the Cornell network, they are still vulnerable to attacks from on-campus hosts. Maintain 10-Space addressed hosts as you would any other campus host.

