[Chugalug] EPB VLAN

[Chugalug] EPB VLAN

David White-2
I have a client who is getting EPB to install a VLAN between their 2 physical locations.

What all is included in this? Will the 2nd location have a public IP address, since its internet will be routed through the 1st location? Will I need to put a router / firewall at the 2nd location, or can I just hook up a switch to EPB's hand-off and grab an internal IP address, just as if that switch were at the home office?

Anything else I need to be aware of?

--
David White
Founder & CEO

@developCENTS
https://developcents.com

Develop CENTS
Computing, Equipping, Networking, Training & Supporting for small businesses and nonprofits
Providing: Web Hosting, Technical Support & IT Consulting

Signup to our Newsletter at https://developcents.com/contact/

_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
Re: [Chugalug] EPB VLAN

Jason Brown-2
There are so many ways that an ISP can do it, that question is best asked to EPB, but they are typically not internet connected on purpose.  A router of some sort is typically required on each end since the sites should be configured to use separate subnets for the private LAN.

YMMV.


Re: [Chugalug] EPB VLAN

Alex Smith (K4RNT)
Use a site-to-site VPN to accomplish this.

I have started using SoftEther VPN, it's open source and free.



" 'With the first link, the chain is forged. The first speech censured, the first thought forbidden, the first freedom denied, chains us all irrevocably.' Those words were uttered by Judge Aaron Satie as wisdom and warning... The first time any man's freedom is trodden on, we’re all damaged." - Jean-Luc Picard, quoting Judge Aaron Satie, Star Trek: TNG episode "The Drumhead"
- Alex Smith
- Kent, Washington (metropolitan Seattle area)


Re: [Chugalug] EPB VLAN

mdquerng
In reply to this post by David White-2
Hi David

I have a financial institution customer with about six branches that converted to EPB's 'VLAN' solution a couple of years ago as part of a data center move to EPB's colo. Feel free to call me directly with any questions you may have.

Best
Mark

Re: [Chugalug] EPB VLAN

Aaron welch
99% of the time it is a tagged VLAN. Place a port on your switch in that VLAN with an IP in the range you want routed over that link and you are good to go.

-AW




Re: [Chugalug] EPB VLAN

David White-2
Alex, my thoughts too. The decision was made before I was involved, though, and the customer can afford it - so they're getting it. They just want my help with some support, etc... along the way and moving forward.

Thanks, Mark. I appreciate it.

Aaron: Makes perfect sense. I'll have the customer verify with EPB that this is a tagged VLAN. Either way, I think I'll make things simpler on me, and put in an EdgeRouter (those things are pretty cheap), at the very least, so that devices on that VLAN / location can pull a DHCP address. 


Re: [Chugalug] EPB VLAN

Mike Harrison-4
WTF!?!  

Maybe I don’t understand what else is in place, but whether a “financial institution” or a “donut store” does not matter, internal traffic should NOT be “wide open net” (tagged VLAN) over someone else’s infrastructure.

OpenVPN would be the starting step. Yeah, edge routers, pfsense… reduce the ISP (Even EPB) from your “attack vector”.








> > I have a financial institution customer with about six branches that
> > converted to EPB's 'VLAN' solution a couple of years ago as part of a data
> > center move to EPB's colo. Feel free to call me directly with any questions


Re: [Chugalug] EPB VLAN

William D. Roush
Just because it comes out as a tagged VLAN means it goes over EPB's infrastructure as just an open VLAN (I sure hope not....).

William Roush | https://www.roushtech.net/
Office: 423.933.2114 | Cell: 423.463.0592 | Email: [hidden email]


Re: [Chugalug] EPB VLAN

David White-2
Point taken.

Edgerouter it is.


Re: [Chugalug] EPB VLAN

Dave Brockman
On 5/31/2017 4:57 PM, David White wrote:
> Point taken.
>
> Edgerouter it is.

Duplication of earlier reply for list benefit:

EPB's VLAN/Private VLAN is a layer 2 QnQ circuit.

Which means you "tag" a VLAN on both sides of the circuit.
With EPB's implementation, you are free to choose the VLAN (as long as
it is NOT VLAN 1, that does not work) and AFAIK you are still free to
tag multiple VLANs on the same circuit.  The Native VLAN does not pass
across the link, and I recommend shutting it down once connected.

My personal best practice advice is to ROUTE between the EPB VLAN and
each network.  IE.

SiteA                   EPB-VLAN                SiteB
192.168.1.0/24          172.16.1.0/24           192.168.2.0/24

The key thing to remember here, anything with an IP address is your
equipment, not EPB.  It also requires a routing device at each location.
You can use it to extend layer 2 across the link, but I will personally,
never, ever suggest you extend layer 2.  So, since we're going to
properly route this traffic, and we don't really trust anyone, including
the ISP, we're going to build a VPN across that link.  At this point,
you have spent 2x $$ for 1/2 the performance of running a VPN across a
$70/month 100Mb Internet Connection.

Regards,

dtb
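
An added example, not part of the original post: a Python check for the design described above, in which only VPN traffic should cross the Q-in-Q circuit. It parses the 802.1ad/802.1Q tag stack of captured Ethernet frames and flags any IPv4 packet that is neither ESP nor UDP 1194; the VLAN IDs 200 and 100, the host addresses and the choice of OpenVPN's default port are assumptions made for the constructed sample frames.

```python
import socket
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8  # IEEE 802.1ad service tag, the outer tag of a Q-in-Q pair
ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
OPENVPN_PORT = 1194  # assumption: the site-to-site VPN is OpenVPN on its default UDP port


def parse_frame(frame):
    """Return (VLAN IDs outermost first, EtherType, payload) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vlans = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (TPID_CTAG, TPID_STAG):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        offset += 4
    return vlans, ethertype, frame[offset + 2:]


def classify(frame):
    """Return (vlans, label); label is 'tunnel', 'cleartext' or 'other' (non-IPv4, e.g. ARP)."""
    vlans, ethertype, ip = parse_frame(frame)
    if ethertype != ETH_IPV4 or len(ip) < 20:
        return vlans, "other"
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto == PROTO_ESP:
        return vlans, "tunnel"
    if proto == PROTO_UDP and len(ip) >= ihl + 4:
        if OPENVPN_PORT in struct.unpack_from("!HH", ip, ihl):
            return vlans, "tunnel"  # heuristic: port match only, not proof of encryption
    return vlans, "cleartext"


def build(tags, src, dst, proto, sport=0, dport=0):
    """Constructed sample frame; tags is [(tpid, vlan_id), ...], outermost first."""
    eth = bytes(12) + b"".join(struct.pack("!HH", t, v) for t, v in tags)
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)


QINQ = [(TPID_STAG, 200), (TPID_CTAG, 100)]  # constructed VLAN IDs
SAMPLES = [
    build(QINQ, "172.16.1.1", "172.16.1.2", PROTO_UDP, 40000, OPENVPN_PORT),
    build(QINQ, "192.168.1.10", "192.168.2.20", PROTO_TCP, 50000, 445),
    build([(TPID_CTAG, 100)], "172.16.1.1", "172.16.1.2", PROTO_ESP),
]

if __name__ == "__main__":
    for vlans, label in map(classify, SAMPLES):
        print(vlans, label)
```

A capture taken on the customer side of the hand-off may show only the inner tag, since the outer service tag is normally applied inside the provider network; the parser accepts zero, one or two tags.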



Re: [Chugalug] EPB VLAN

Dave Brockman
In reply to this post by Mike Harrison-4
On 5/31/2017 4:48 PM, Mike Harrison wrote:
> “financial institution” or a “donut store” does not matter, internal
> traffic should NOT be “wide open net” (tagged VLAN) over someone
> else’s infrastructure.

Do you realize that you just described MPLS in layman's terms?

:P

--dtb



Re: [Chugalug] EPB VLAN

David White-2
In reply to this post by Dave Brockman
Thanks, Dave.

I never did take the CCNA exam (although sometimes I'm still tempted). I'm giving myself a refresher on VLANs though, with an old copy of the ICND2 prep book, and am already finding some good info on the 'net covering Q-in-Q.

When I worked for LPG, we had VLANs set up for each physical location, so I'm very familiar with the concept, and some of the best practices, of putting each office onto a different network.

I wasn't the one to set up any of that stuff though. :)

Everything you wrote makes sense to me. 


