Retail Service Provider: Layer 2 - Connectivity

The RSP (Retail Service Provider) supplies connectivity services.  The RSP does not supply other services like a firewall, a web filter. web hosting or email relay services.  This means that if you run an email server then that server will send email directly to the internet for delivery to the recipient.  If your mail server is ever compromised and is found to be a source of spam your email server may be blacklisted.  An obvious way around this is to not run a mail server at the school and instead use the services of an email provider like Google (Google Apps Education Edition) or Microsoft (Office 365) - Mt Aspiring College has been using Google for email for several years so this was not a consideration for us.

Before anything can happen the fibre drop to the school needs to be completed.  The latest updates on fibre drop installation time frames can be found here:

http://www.chorus.co.nz/fibre-to-schools - scroll down the the "Fibre to Schools List" and download the latest spreadsheet.

The Chorus website also lists the available providers in each geographic area.  A geographic area is defined by where the hand-over point is. Generally these match the UFB (urban fibre) areas and nearby RBI (rural broadband) tails will terminate in a nearby UFB area.  (Do not confuse UFB with UFB!  "Urban Fibre" and "Ultra Fast" are different!)

Once the school has had its fibre drop completed and the school has decided to use ultra fast broadband then it is time to find a retail service provider.  

As Wanaka uses the Queenstown UFB/RBI handover point Mt Aspiring College had a choice of three providers.  We rated those three providers using the following criteria:
  • price
  • circuit speed
  • datacap
  • ability to supply static public IP addresses
  • knowledge of Network for Learning
  • knowledge of the school sector and its needs
  • feedback from other schools
Telecom were the clear winner and the school purchased the Telecom Ultra Fibre for Schools product.  This was initiated by ringing the 0800 number listed on the Telecom web site.

Telecom confirmed that they were able to supply fibre service to the school and then sent a contract.  Relevant details were added to the contract, it was signed, scanned and sent back as a PDF.  At the same time we requested a static public IP address for the connection and a static IP address range for use by servers and video conferencing units.


2 August 2013 - N4L Update:

Government has announced that Telecom/gen-i will be providing Managed Network Services to N4L.  The full text of the announcement is at:

http://www.beehive.govt.nz/release/211-million-opens-digital-world-schools


It is worth noting these details from the Telecom/gen-i page:
  • Telecom encourages schools that are eager to connect to fibre to take advantage of Telecom’s Ultra Fibre broadband for schools services, as a first step. Telecom is connecting NZ schools to fibre, with no data caps or installation fees, and will be able to provide a smooth transition to N4L, without break fees, as it becomes available. Static IP addresses will be available and Port 25 unblocking will be supported across all Ultra Fibre for schools plans and school areas by the end of this month.
  • Currently, 640 schools are able to connect to Telecom Ultra Fibre. This number is due to grow to almost 2500 by the end of 2015, as the Ultra Fast Broadband (UFB) project and Rural Broadband Initiative (RBI) progress, and Telecom’s Ultra Fibre becomes available via the remaining Local Fibre Companies.


Chorus as the RBI contractor were in touch and arranged to come to the school to complete fibre termination at the ETP (External Termination Point - this may be inside your buildings and not outside), install the ONT (Optical Network Terminal - essentially a flash media converter between fibre optic cable and CAT6 copper cable) and finally to install the  gateway device - a Cisco 2960.

         


A fibre fly lead runs from the ETP on the left to the ONT in the middle, then a CAT6 cable runs from the ONT to the Cisco on the right - plugged in to the RJ45 socket on the left side of the yellow box at the right hand end of the Cisco.  Port 1 on the Cisco is the live port - port 1 is at the left hand end of the 8 RJ45 sockets.  (The blue socket on the left end is the Cisco's console port - do not use that!)  Obviously the ONT and Cisco both need power available.  The ETP does not need power - it is just a place to unravel the street fibre and keep everything tidy.

During the time that Chorus were completing their work Telecom were in touch to supply IP configuration details for the point-point /31 network used by the link, to supply details about the /29 static public IP range that is routeable by the connection, and to supply access details to a website that allows the school to monitor traffic flows and keep contact details up to date.

We were supplied with the following details (some of which are *'ed out as we would like to keep them secure!):

Details of your Gen-i Internet Service are summarised below:


Access Designation:

*********

Speed:

100 Mbps

Mixed VLAN Designation:

IDL 1005*****

Speed:

100 Mbps

VLAN Tag:

200

CPE Port:

GE 0/1

CPE:

Cisco 2960 (Layer 2)

LAN Interface Setting:

100 Meg Full Duplex  



MIXED Point to Points

Ethernet IP – Telecom Platform:

The Global Gateway BGP router sub-interface or Default Gateway

122.56.103.94/31

Ethernet IP – Customer:

The customer BGP router or firewall sub-interface (e.g.: Safewall)

 122.56.103.95/31

Telecom DNS (Optional):

202.37.245.20
202.37.245.17



Portal Address:

http://mydata.global-gateway.net.nz

Global Gateway User Name:

**********

Global Gateway Password:

*********



As the RSP Telecom supplies what is technically called a "Layer 2" service to the school.  The school will need its own "Layer 3" device to connect to the Cisco 2960 switch to use the routeable IP addresses that have been supplied.  

The above details from Telecom thus define how the school Layer 3 device needs to be configured and connected:
  • The port or NIC that is on the Layer 3 device must have its duplex set to "100/Full".  Do not use "Auto".
  • You must connect the school Layer 3 device to port 1 on the Telecom supplied Cisco 2960 switch.
  • The school Layer 3 device ethernet port that is connected to the Cisco 2960 must have the "Ethernet IP - Customer" IP address assigned to it - in our case 122.56.103.95.  The subnet mask needs to be /31 - ie 255.255.255.254 and the gateway IP address is "Ethernet IP - Telecom Platform" which for us is 122.56.103.94.
  • Mt Aspiring College chose to use pfSense as the Layer 3 device.  More about that in the next section. 
  • The "Ethernet IP - Customer" address is the IP number that the internet will see our traffic coming from.  Eg if we browse to whatismyip.com then our traffic will be seen as coming from IP 122.56.103.95.  This IP address can be used with services that need to know the school's source IP address.
  • The "Ethernet IP - Telecom Platform" IP address does not reside locally.  That address is in the Telecom core.  If the Cisco is powered off then you can still ping that IP address from the public internet.  Those reading this who understand Layer 2 v. Layer 3 will realise immediately why this is!  Otherwise start here: http://en.wikipedia.org/wiki/OSI_model
As well as details on the /31 point-point network we were also sent details relating to our static IP address range:

Management Domain

GIS

Customer

Mt Aspiring College

Network

GIS-MTASPC-NZ

IP Subnet Start Address

122.56.33.96

IP Subnet Net Length

29

Description

040613

APNIC Registered

Yes

Status of IP subnet allocation

OK


The range 122.56.33.96/29 is statically routed via 122.56.103.95.  To use these IP addresses we have to enter the IP addresses as virtual IPs on our Layer 3 device and then create NAT rules.  More about that in the next section.

It is reasonable to expect this process can be completed in 4 weeks.  It may be quicker or longer depending on the availability of staff to complete the installation.  Remember that there are things beyond the ability of the RSP to control and the RSP may have to wait on the fibre provider to complete work before the RSP can even begin their process.

Once the circuit was live we wanted (naturally!) to see how it performed on a speed test.  The Telecom GIS fibre connections are designed for multiple users so no one can take all the traffic.  This is great for a school.  Testing was thus completed to an external upstream iPerf server using multiple sessions.  The results confirmed the connection was performing as expected.  Sustained traffic speeds of nearly 80Mb/s both up and down were measured.  The graph below shows traffic out of the "FIBRE" interface during an upstream iPerf test from our pfSense firewall.


Whoo hoo!