Networking/ISP



  • Hi folks,

    Quite confused here, could you help me understand how this works...

    My ISP provides a fibre line to my office for our Internet. This comes in to my office in to their device sitting in my cabinet (the POP?) by fibre cable. A cable (cat6) comes from their device in to a switch (which is also their device). I then connect my firewall to interface 2 on their switch.

    I connect my WAN on my firewall (89.x.x.x) in to interface 2 on their switch. Traffic then goes from my LAN on the firewall out to the Internet over the existing setup.

    We are looking to put a device in their datacenter and they have said we can use datacenter connect. Which is 'like a private network' from my office to the devices I will put on their site over our existing line. I just don't understand how it works...

    They have said I can use private addresses for this and want the IPs from me, but I still only have the one fibre connection coming in to their kit and just can't grasp what is going on...

    I am guessing they are saying I can connect a device to Interface 3 on their switch (not through my firewall) with an IP like 10.10.10.3, and their datacenter could have another device using 10.10.10.4 at the DC end, and over the fibre they can talk 'private'/point to point over my fibre line...

    In this case, will the one fibre link pass traffic from me to them on this private setup, whilst also passing traffic for my public internet access? (Over the one cable)?

    Probably a totally idiot question, but any help to help me understand this?

    Ta,
    J



  • At first glance this sounds like a site-to-site VPN.

    Something that strikes me as odd is that your ISP is offering colocation services (assuming you're talking about a server being put into "their datacenter.") Generally you'd want to avoid having one vendor provide all of the services you need -- or at least think through the ramifications of it.



  • We have a few ISPs, we just happen to have a device that we want to host with them off site.

    Can one fibre cable route our Internet traffic to them, whilst also passing 'private' traffic over this line too?

    I guess the switch/cable they have just passes 'data', and their routers at their end will be configured based on the IPs I give to pass 89.x out, and 10.x to my site their end?



  • @Jimmy9008 said in Networking/ISP:

    We have a few ISPs, we just happen to have a device that we want to host with them off site.

    Can one fibre cable route our Internet traffic to them, whilst also passing 'private' traffic over this line too?

    I guess the switch/cable they have just passes 'data', and their routers at their end will be configured based on the IPs I give to pass 89.x out, and 10.x to my site their end?

    I'm curious, what device would they be hosting?

    To your networking question, the answer is yes. That's a use-case for a VPN. You'd have your office network's router establish a tunnel to the other end point's router, and traffic passes through that tunnel. The traffic is encrypted and passes over the Internet between each point of the tunnel. There's more detail involved, but that is basically what's going on.



  • It's an off site backup NAS. I'll draw a diagram after cooking dinner. Hopefully that will help explain it to me...



  • This is more like an MPLS than a site to site VPN.

    They will have to tell you where to hook up, but yes, likely on another port.

    Just give them the private IP on your LAN that you want the thing to have.



  • @JaredBusch said in Networking/ISP:

    This is more like an MPLS than a site to site VPN.

    You're right. Didn't think about MPLS. We have that where I am, but my team never gets to touch it; thus, I don't know what the requisite hardware looks like.



  • @EddieJennings said in Networking/ISP:

    @Jimmy9008 said in Networking/ISP:

    We have a few ISPs, we just happen to have a device that we want to host with them off site.

    Can one fibre cable route our Internet traffic to them, whilst also passing 'private' traffic over this line too?

    I guess the switch/cable they have just passes 'data', and their routers at their end will be configured based on the IPs I give to pass 89.x out, and 10.x to my site their end?

    I'm curious, what device would they be hosting?

    To your networking question, the answer is yes. That's a use-case for a VPN. You'd have your office network's router establish a tunnel to the other end point's router, and traffic passes through that tunnel. The traffic is encrypted and passes over the Internet between each point of the tunnel. There's more detail involved, but that is basically what's going on.

    Hopefully not, I wouldn't expect the internet to be involved in his private IP range at all.

    As JB mentioned - a second port on the switch could be plugged directly into his LAN network switch - then the vendor does their routing magic and makes it appear either as the same LAN in the DC, or a routed interface that the OP will need to set up a routing rule for.

    To me the question is - will you send data over this connection encrypted or plain text? This is the type of connection that most huge companies had in the past - Google from one DC to another through AT&T, etc. Google thinking the traffic was not being spied upon, just sent unencrypted data over it - then Edward Snowden showed us that the phone companies were allowing the NSA to tap all of those 'private' lines, and the NSA was reading all that data. So to fix that Google had to start encrypting everything that goes over those lines to keep the damned NSA and shitty phone companies who don't care about our privacy, out!



  • @Dashrender said in Networking/ISP:

    Hopefully not, I wouldn't expect the internet to be involved in his private IP range at all.

    As JB mentioned - a second port on the switch could be plugged directly into his LAN network switch - then the vendor does their routing magic and makes it appear either as the same LAN in the DC, or a routed interface that the OP will need to set up a routing rule for.

    Yeah. . . Upon rereading OP and Jared's answer, I realized my dumb moment. Somehow I didn't put it together in my head that the traffic would never be leaving the ISP's network.



  • Hi folks,

    As I say, networking isn't my focus but trying to get my head around it. Hopefully this diagram will help... (sorry for how crap it looks!)...

    So, top = ISP's 'end'. Red dash lines next to the black lines, that's one fibre cable.

    So, is it possible to connect eth3 on the ISP switch on my site in to my switch (the lower red line), and for the ISP to connect that to their end, (I guess a switch), whilst also connecting my internet line through my firewall traffic?

    Essentially the top device x.x.3.5 can communicate with x.x.x.3.2 like it's on my LAN? At the same time as Internet traffic going through the fibre cable?

    Really confused and just imagine I'm going drastically wrong here...




  • mynetworkdiag.PNG



  • @EddieJennings said in Networking/ISP:

    Something that strikes me as odd is that your ISP is offering colocation services (assuming you're talking about a server being put into "their datacenter.") Generally you'd want to avoid having one vendor provide all of the services you need -- or at least think through the ramifications of it.

    Rarely something that you want, which means it is what is most commonly offered and pushed.



  • @Jimmy9008 said in Networking/ISP:

    Can one fibre cable route our Internet traffic to them, whilst also passing 'private' traffic over this line too?

    That's the norm. And not just for ISPs, VPNs do this, too.



  • @scottalanmiller said in Networking/ISP:

    @Jimmy9008 said in Networking/ISP:

    Can one fibre cable route our Internet traffic to them, whilst also passing 'private' traffic over this line too?

    That's the norm. And not just for ISPs, VPNs do this, too.

    The gateway out is public IP to the Internet. VPN tunnels between two public IPs, etc... all Internet.

    What they seem to be saying is that the 89.x.x.x public 'Internet Stuff' can go through that cable, and my 192.168.3.x 'LAN' stuff can also go through that cable, and at the same time I can have Internet served to my Firewall, and 'LAN' to my device... can it work that way?

    So their switch interface 2 is routing 89.x.x.x traffic, and interface 3 is extending my LAN on 192.x.x.x (public IPs going on and private)... all through the fibre cable to their DC?



  • @Jimmy9008 said in Networking/ISP:

    @scottalanmiller said in Networking/ISP:

    @Jimmy9008 said in Networking/ISP:

    Can one fibre cable route our Internet traffic to them, whilst also passing 'private' traffic over this line too?

    That's the norm. And not just for ISPs, VPNs do this, too.

    The gateway out is public IP to the Internet. VPN tunnels between two public IPs, etc... all Internet.

    What they seem to be saying is that the 89.x.x.x public 'Internet Stuff' can go through that cable, and my 192.168.3.x 'LAN' stuff can also go through that cable, and at the same time I can have Internet served to my Firewall, and 'LAN' to my device... can it work that way?

    So their switch interface 2 is routing 89.x.x.x traffic, and interface 3 is extending my LAN on 192.x.x.x (public IPs going on and private)... all through the fibre cable to their DC?

    More or less - yes.
    They can trunk the single line to act like many lines - think VLANs



  • @Dashrender said in Networking/ISP:

    @Jimmy9008 said in Networking/ISP:

    @scottalanmiller said in Networking/ISP:

    @Jimmy9008 said in Networking/ISP:

    Can one fibre cable route our Internet traffic to them, whilst also passing 'private' traffic over this line too?

    That's the norm. And not just for ISPs, VPNs do this, too.

    The gateway out is public IP to the Internet. VPN tunnels between two public IPs, etc... all Internet.

    What they seem to be saying is that the 89.x.x.x public 'Internet Stuff' can go through that cable, and my 192.168.3.x 'LAN' stuff can also go through that cable, and at the same time I can have Internet served to my Firewall, and 'LAN' to my device... can it work that way?

    So their switch interface 2 is routing 89.x.x.x traffic, and interface 3 is extending my LAN on 192.x.x.x (public IPs going on and private)... all through the fibre cable to their DC?

    More or less - yes.
    They can trunk the single line to act like many lines - think VLANs

    Ok. I think that makes more sense to me.

    So, the ISP switch eth1 is vLAN1, which passes 89.x.x.x to my firewall for my organisation's Internet access. eth1 routes out over their eth0 fibre link. Then, vLAN2 is eth2 on their switch, which extends my 192.x.x.x private range to them, again over the eth0.

    Ok, I think in that warped way I get it.

    So, I can say to them:

    "I'm going to plug my device 10.10.10.2 in to your switch at my office on eth3.
    Connect my box at your DC. It's set to be 10.10.10.3. Now, make them talk over my fibre line..."



  • @Jimmy9008 said in Networking/ISP:

    @Dashrender said in Networking/ISP:

    @Jimmy9008 said in Networking/ISP:

    @scottalanmiller said in Networking/ISP:

    @Jimmy9008 said in Networking/ISP:

    Can one fibre cable route our Internet traffic to them, whilst also passing 'private' traffic over this line too?

    That's the norm. And not just for ISPs, VPNs do this, too.

    The gateway out is public IP to the Internet. VPN tunnels between two public IPs, etc... all Internet.

    What they seem to be saying is that the 89.x.x.x public 'Internet Stuff' can go through that cable, and my 192.168.3.x 'LAN' stuff can also go through that cable, and at the same time I can have Internet served to my Firewall, and 'LAN' to my device... can it work that way?

    So their switch interface 2 is routing 89.x.x.x traffic, and interface 3 is extending my LAN on 192.x.x.x (public IPs going on and private)... all through the fibre cable to their DC?

    More or less - yes.
    They can trunk the single line to act like many lines - think VLANs

    Ok. I think that makes more sense to me.

    So, the ISP switch eth1 is vLAN1, which passes 89.x.x.x to my firewall for my organisation's Internet access. eth1 routes out over their eth0 fibre link. Then, vLAN2 is eth2 on their switch, which extends my 192.x.x.x private range to them, again over the eth0.

    Ok, I think in that warped way I get it.

    So, I can say to them:

    "I'm going to plug my device 10.10.10.2 in to your switch at my office on eth3.
    Connect my box at your DC. It's set to be 10.10.10.3. Now, make them talk over my fibre line..."

    This assumes it's a straight extension of your network - and not a routed new network.
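
Added illustration, not part of any post in this thread: a small Python model of the 802.1Q tagging behind "trunk the single line to act like many lines - think VLANs". It shows Internet and private frames sharing one uplink and, for the encryption question raised earlier in the thread, that a VLAN tag separates traffic without hiding the payload from anyone on the carrier path. The VLAN IDs and names, MAC addresses and payloads are assumptions constructed for the example; the thread does not say whether the ISP uses VLANs, MPLS or something else.

```python
import struct

TPID_8021Q = 0x8100
# Assumed VLAN plan: IDs and names are made up for this example.
VLANS = {100: "internet", 200: "datacenter-connect"}
ACCESS_PORTS = {"eth2": 100, "eth3": 200}  # ports on the ISP's office switch

def eth_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame, as it enters an access port."""
    return dst + src + struct.pack("!H", ethertype) + payload

def tag(frame, vlan_id):
    """Trunk ingress: insert the 4-byte 802.1Q tag after the MAC addresses."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan_id) + frame[12:]

def untag(frame):
    """Return (vlan_id, original_frame); vlan_id is None when untagged."""
    if len(frame) < 16:
        return None, frame
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]

def office_switch(port, frame):
    """Office end: tag by ingress port and put the frame on the fibre uplink."""
    return tag(frame, ACCESS_PORTS[port])

def dc_switch(wire_frame):
    """DC end: hand the frame to its VLAN; drop untagged or unknown VLANs."""
    vlan, inner = untag(wire_frame)
    if vlan not in VLANS:
        return None, None
    return VLANS[vlan], inner

def visible_on_wire(wire_frame, needle):
    """True if a tap on the carrier path can read `needle` in the frame."""
    return needle in wire_frame

# Constructed sample traffic (MACs and payloads are invented).
FW = eth_frame(b"\x02\0\0\0\0\x01", b"\x02\0\0\0\0\x02", 0x0800, b"GET / HTTP/1.1")
NAS = eth_frame(b"\x02\0\0\0\0\x03", b"\x02\0\0\0\0\x04", 0x0800, b"backup: payroll.db")
FIBRE = [office_switch("eth2", FW), office_switch("eth3", NAS)]  # one cable

if __name__ == "__main__":
    for wire in FIBRE:
        print(dc_switch(wire)[0], len(wire), visible_on_wire(wire, b"payroll"))
```

The private frame comes out on its own VLAN at the far end, yet its payload is readable in the tagged frame, so backup traffic to the NAS still needs its own encryption (TLS, IPsec or encrypted backup sets) if the carrier path is not trusted.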

