External Customer Networks

Sometimes an external organization with a need for Internet connectivity at the University is provided with an external customer network.

One example may be a building contractor who needs Internet connectivity in one or more construction trailers.

In these circumstances, it is sometimes appropriate to treat the organization as "external" to the University. Instead of providing the organization with connections "on" the campus network, they are instead provided with connections that appear to be "external" to the campus network.

The existing physical network infrastructure on the campus may be used to provide these connections, but the connections are configured in such a way as to make them appear to be logically external to the campus network.

The service provided to the organization is roughly similar (but not identical) to what it would receive had it contracted with a commercial ISP for network service.

These connections are very different than other campus network connections OIT normally provides to University customers. You should assume that unless indicated otherwise, any documentation published by OIT regarding network service at Princeton University do not apply to these external customer network connections.

This document provides general information about external customer networks.

The document External Customer Network Assignments lists all the external customer networks, showing the VLAN names and VLAN numbers, IP network ranges, network masks, default IP routers, and to which organization each of these networks is assigned.

General Information

• When OIT determines that the networking needs of an external organization should be met through the use of an external customer network, we will ask the external organization to provide us with an estimate as to the number of IPv4 addresses that network will need at the outset, and the number it may grow to require over time.

  (For example, "we currently need three to five IPv4 addresses, and expected to need fewer than a dozen total IPv4 addresses during the three years we will be on campus.")

  This estimate is necessary so we can create an external customer network of an appropriate size.

• OIT will ask the external organization to provide us with contact information we should associate with this external customer network. That information will be published in External Customer Network Assignments .

  OIT will use this information if it becomes necessary to contact someone regarding this network, or regarding an issue involving some device attached to this network.

• OIT will allocate a network, and refer you to the External Customer Network Assignments for you to obtain information about that network. .

• OIT operates an IPv4 router that connects this network to the Internet. The IPv4 address of the router will be the first usable IPv4 address on the network.

  (For example, in the example network 192.168.10.64/28 above, the first usable IPv4 address is 192.168.10.65. That IPv4 address is assigned to the IPv4 router operated by OIT.)

  If you need to look up this information for your network, please consult External Customer Network Assignments .

• OIT does not operate provide IPv6 service to this network at this time in most cases. Exceptions where IPv6 service is provided are indicated in External Customer Network Assignments.

  When OIT operates IPv6 service for the network, OIT operates an IPv6 router that connects this network to the Internet. The IPv6 Global Unique Address of the router will be the first usable IPv6 Global Unique Address on the network.

  IPv6 devices identify their default router(s) by the router's IPv6 Link-Local addresses, not the router's IPv6 Global Unique Address. The IPv6 device will learn the default router(s) IPv6 Link-Local address(es) by listening to ICMPv6 Router-Advertisement messages.

• It is the responsibility of the external organization to manage the IPv4 space on that external customer network, and assign IPv4 addresses to their devices.

  Keep in mind that the first and last IPv4 addresses on any IPv4 network are never usable.

  The first usable IPv4 address is already assigned to the IPv4 router operated by OIT.

  The second and third usable IPv4 addresses are also used by OIT, as the IPv4 router service operated by OIT needs two additional IPv4 addresses because OIT's router is actually a high-availability pair of routers. (There are a few exceptions to this noted in External Customer Network Assignments , in which the two additional IPv4 addresses used by OIT are not the second and third usable IPv4 addresses on the network, but intead are other specific addresses on the network.)

  The remaining IPv4 addresses are available for the external organization to assign to their devices.

  (In the example IPv4 network 192.168.10.64/28, IPv4 addresses 192.168.10.64 and 192.168.10.79 are unusable because they are the first and last IP addresses. IPv4 address 192.168.10.65 is the first usable IPv4 address, so it is assigned to router operated by OIT. IPv4 addresses 192.168.10.66 and 192.168.10.67 are also used by OIT in support of our router service. The remaining IPv4 addresses 192.168.10.68 through 192.168.10.78 inclusive are available for the external organization to assign.)

• When OIT operates IPv6 service for the external customer network, it is the responsibility of the external organization to manage the IPv6 space on that external customer network, and assign IPv6 addresses to their devices, or to use SLAAC to allow the devices to generate their IPv6 addresses.

  The first usable IPv6 Global Unique address is already assigned to the IPv6 router operated by OIT.

  The second and third usable IPv6 Global Unique addresses are also used by OIT, as the IPv6 router service operated by OIT uses two additional IPv6 Global Unique addresses because OIT's router is actually a high-availability pair of routers.

  The remaining IPv6 Global Unique Addresses on the network are available for the external organization to assign to their devices, or for their devices to generate using SLAAC.

• Devices attached to the external customer network should not be registered in Princeton University Network Registration. We do not treat them as "attached to the campus network." OIT does not allocate IP addresses to these devices; it is up to the external organization to assign IP addresses to their devices.

• When the external organization needs additional Ethernet ports (e.g. in the same location, or elsewhere on campus), they need to be sure to clearly specify to OIT that these Ethernet ports must be attached to their particular external customer network.

  (For example, "I am with building contractor Smith Contractors Inc. You've assigned external-customer-network-513 to my company. Please install/enable in my construction trailer three additional Ethernet ports wired to that network.")

• When the external organization no longer needs the network service, it should advise OIT so we can reclaim the network that was allocated to you.

• OIT does not provide DNS resolving service to external customer networks. If you want your devices to be able to look up information in DNS, you will need to do one of the following:
  • Configure your devices to use someone else's DNS resolving servers. You might choose to use any of the publicly-available DNS resolving services on the Internet; for example, the service provided by Google Public DNS, Cloudflare 1.1.1.1, Quad9, or Cisco OpenDNS.

  • If no one's publicly-available DNS resolving service meets your needs, you will need to make your own arrangements for DNS resolving service. For example, if your company operates its own DNS resolving servers elswhere on the Internet, arrange for your devices to use your company's DNS resolving servers. Or set up your own DNS resolving servers (here, or elsewhere on the Internet) for your devices to use.

• OIT does not insert your devices' names into Princeton University's forward DNS data. For example, there will not be a foo.princeton.edu DNS name that maps to the IP address of the customer's device.

  If you want your device to have a name in DNS, you will need to arrange for it yourself.

  (For example, if your company operates its own DNS domain smithcontractors.com, and you want the name foo.smithcontractors.com to map to IPv4 address 192.168.10.66 (on the external customer network), arrange with your own company to update your company's DNS data to add a DNS record for foo.smithcontractors.com pointing to 192.168.10.66.)

• OIT does not insert your devices' IP addreses into any reverse DNS data.

  (For example, we will not arrange for there to be a record in DNS that maps from your device's IP address (e.g., 192.168.10.66) to your device's name (e.g. foo.smithcontractors.com).

  If you have such a need, and your company is prepared to operate its own DNS servers for the reverse DNS zone corresponding to the network range we've assigned to you, please contact OIT to have us delegate the appropriate reverse DNS zone to your DNS servers.

• OIT does not provide DHCP or BootP services to devices attached to external customer networks.

  If you feel your external customer network needs DHCP or BootP service, you are welcome to operate your own DHCP or BootP server(s) on that network. (Note that you must take great care to only operate a DHCP or BootP server on your external customer network, not on the campus network. Attaching a DHCP or BootP server to the campus network will disrupt service on the campus network, and lead OIT to blocking your network service. So be sure that the Ethernet port on which you plan to operate your DHCP or BootP server is one that is wired to your external customer network.)

• OIT does not provide NTP (Network Time Protocol) service to devices attached to external customer networks.

  You are welcome to operate your own NTP server(s) on that network, or use any of the freely available NTP services on the Internet.

• Because NAT (Network Address Translation) Routers often malfunction and disrupt network service, OIT strongly discourages the connection of NATs to the campus network.

  However, there is no such proscription regarding such devices attached to external customer networks. You are welcome to attach NATs to your external customer network (and deal with any problems they may cause).

  Attaching a malfunctioning NAT to the campus network (as opposed to an external customer network) may disrupt service on the campus network, and lead OIT to blocking your network service. So be sure that the Ethernet port on which you plan to operate your NAT is one that is wired to your external customer network (not the campus network). That way, if your NAT malfunctions and disrupts services, it will likely disrupt service to just your external customer network. As disruptions of that nature do not affect the campus network (just your network), they will not lead to OIT blocking your network service.

• Devices that are attached to external customer networks are not eligible to use "wired dynamic" service if they visit other campus wired networks which may provide "wired dynamic" service.

  (Recall that devices attached to external customer networks are not normally registered in Princeton University Network Registration, and that would include lack of registration for "wired dynamic" service.)

• External customer networks are (to some extent) treated as "outside" the campus network from the point of view of IP. The IPv4 network range is treated as being "off-campus," somewhat similar to other off-campus IPv4 network on the Internet.

  Like other "outside" networks, devices attached to external customer networks are not able to reach some on-campus services that are intended to be restricted to clients within the campus network.

• The Internet bandwidth allocated to external customer networks may be limited to ensure they do not consume an inordinate amount of the University's Internet bandwidth.

• OIT's responsibility for an external customer network is primarily to provide working physical connectivity, and to operate the OIT IP router leading to the Internet. OIT doesn't actively monitor or manage the external customer networks at a higher layer.

  For example, unlike the campus network, we don't attempt to discover misconfigured or malfunctioning customer devices attached to external customer networks that are causing problems on those networks.

  The external organization to whom the external customer network has been allocated is responsible for the devices attached to that network (except for OIT's router). Any misconfigured or malfunctioning devices causing problems on that external customer network are the customer's responsibility.

  Each external organization is assigned its own separate external customer network, so that problems with one organization's devices do not affect another organization's network. It's up to each external organization to manage their devices.

  OIT is, of course, responsible for any physical problems with the network connections we provide (e.g. defective Ethernet port) or any problem with the OIT router that connects the external customer network to the Internet.

  If a device attached to an external customer network is the source of a problem that affects the campus network or the Internet, OIT may take appropriate measures to contain the problem to the external customer network. For example, if such a device is attacking other devices outside the external customer network, OIT may block the device from communicating outside the external customer network. When OIT takes such measures, we will attempt to notify the contact(s) specified for the external customer network.

• OIT provides only Ethernet connections to external customer networks, not wireless service.

• Traffic Filters on the Campus Network and Secure Internet Border also apply to External Customer Networks. Such filters are one way in which External Customer Networks differ from the service the customer would receive had the customer contracted with a commercial ISP.