Skip to main content

What is 10-Space and What Does it Do?

10-Space can be described as a "parallel network" that prevents a system from communicating with off-campus sites while still giving hosts on-campus connectivity.

This article applies to: DNS


10-Space uses RFC-1918 addresses to do this. RFC-1918 is the document that defines private address space. For more information, see

The ranges defined by RFC-1918 are not routed across the Internet, which is what makes them "private." Cornell filters traffic to ensure that no direct connectivity can be had to or from 10-space hosts.

In addition to its allocated routable space, each VLAN on the Cornell network has the corresponding subnet of as well. Hosts can be placed in 10-space simply by replacing the first 'octet' of 128 or 132 with 10. The gateway for 10-space hosts similarly has the first octet replaced with 10.

You can associate hostnames with 10-Space IP addresses and assign 10-space addresses to specific hosts through Network and Host Registration Host List Maintenance as you would for real-space addresses. 

Note: 10-Space hostnames will not work off campus, but they are accessible via the VPN.

You can assign dynamic DHCP addresses using 10-Space, but you cannot assign both real and 10-Space addresses via dynamic DHCP on a single VLAN. You can mix statically assigned addresses via DHCP, though.

Example has the 10-Space network overlaid on it. Systems on this VLAN can use addresses in either subnet. The gateway for the 10-Space host is


  • No NUBB bills for hosts: Hosts assigned a 10-Space IP address cannot directly connect to anywhere off campus.
  • No scanning/hacking attempts from off-campus: Connections to 10-Space are not permitted to enter our network.
  • Double the address space available to network administrators.


To allow systems assigned a 10-Space address to connect to off-campus services, the host will have to use a proxy.

  • Individual departments can deploy their own proxies to allow 10-Space systems to connect off campus.
  • CIT offers a proxy that allows 10-Space systems to access operating system software updates, virus software updates, and some application updates. Use of this proxy requires no configuration changes for the client system.

Traffic between a real-space address and a 10-Space address on the same VLAN will go through the gateway router. Any traffic filtering, including Managed Firewall, that affects the subnet will be applied to that traffic.


Though 10-Space addressed hosts cannot be directly attacked from outside the Cornell network, they are still vulnerable to attacks from on-campus hosts. 10-Space addressed hosts should be maintained as any other campus host should be.

Was this page helpful?

Your feedback helps improve the site.