I have some questions about BRAS and ip address assignment to users.
Let's say we have the interface below on our BRAS 7200.
encapsulation dot1Q 10
ip address 184.108.40.206 255.255.255.0
So the IPDSLAM is connected to this 7200 series router, and all users are in the same vlan. Now how can I assign one ip address for 1 user, and not let him use any ip address other than the one we assigned to him? If he tries to use another one then he should not be able to access the network.
I know about one isp which did this in the same way, and the best of all is they have not bound the ip address to the mac address, because their customers can use any router/modem they want, but they can ONLY use the ip address they are assigned by this isp.
How is this possible ? we will not use PPPoE or PPPoA because this makes many problems for our customers when they need to restart their equipment, the authentication is not always successful.
Any idea ? what is the best way to accomplish this goal ??
I'll not forget the rating !
This may not be so easy to meet. Anyway, I think it's not possible for sure, as long as you have a single vlan for all dsl pvcs. You should set the DSLAM so it maps each line to a vlan, then find the best configuration there. I'm looking in more detail at how this would be possible, so pls stand by.
Hi again !!
Thank You for reply, I really tried to find a solution for this scenario, but it seems that I had no luck this time :( I hope that You can figure it out. I was thinking about a static arp table, but it is not useful at all because this is used to ensure that the user receives the same ip from dhcp each time it asks for it, but this will not prevent the user from typing another ip address manually and connecting to the network.
Thank You I am waiting for some answer and I hope that You can find a solution.
One way could be this (I can't test that yet).
Configure the IP DSLAM to map each PVC that need a static address in a separate vlan.
Under the subinterface, configure a private address/mask; that is ok as long as it doesn't overlap with others.
Then configure as many static routes as necessary with mask /32 for the static address, pointing each one to the corresponding subinterface.
Could I ask You for one "sample example config" that is working ?
I'll be out of the office for 1 hour, but then I am back !!
Thank You very much for helping !!!!
I really need to fix this issue.
hmm, well let me think a little about it, so I'll let You know my understanding...
Looks very interesting solution......
Thank You very much !!!!
This one should work by virtue of proxy arp. The PC sends ARP for gateway address, and even if this address is not the one of the interface receiving ARP, router will reply with a MAC address.
Thanks for the nice rating and let us know how it goes!
You're welcome !!!
Well hope that I have right understanding now.
Let's say we have one sub-interface:
encapsulation dot1q 10
ip address 220.127.116.11 255.255.255.0
Then we configure the IPDSLAM, for example we configure switch port number 1 on the IPDSLAM as a member of the VLAN 10, but hmm I am still a little confused here.. because this dsl user needs to use the ip 18.104.22.168 as the gateway and he can use 22.214.171.124 as his static ip address. But I still don't understand how I can (fix) this ip, so he can't use for example 126.96.36.199 or .4, not just .2
I am really trying to understand but it is not that easy.
Thank You for helping !! any better explanation using config maybe ?
Well, 20 min ago I asked one of my old friends to test something for me. He is connected to the ISP which assigns static ip addresses for its customers.
Let's say this is the ip address my friend got from his ISP:
ip address 188.8.131.52
And he is only able to use ip address 184.108.40.206 and not any other ip addresses, even if this is a big subnet. Another customer got 220.127.116.11 and both of these customers use the same gateway. But they can't use any ip address other than the one the ISP assigned to them.
My friend has a Cisco ASA 5505 and he NATs to his internal LAN, so the lan ip of the ASA is 10.10.10.1 255.255.255.0.
And then I asked him to trace google.com
so after the trace was successful:
As first HOP he got the ip address
1 10 ms 7 ms 6 ms 10.227.2.1
And as You see, this ip address is not on his network, this is the ip address of the IPDSLAM I think ?? and why does he receive this ip address? Because as first hop he should get the ip address 18.104.22.168, because this is the GATEWAY he got from his ISP and this ip is used in the default route on his ASA, but now instead of ip 22.214.171.124 he gets this ip as first hop: 10.227.2.1
So they must use one or another router on the PSTN which is connected to IPDSLAM or this is ip of the IP DSLAM.
Do You understand this scenario ??? maybe this will give You idea how to explain it to me ??
Thank You !!!!
I AM REALLY SORRY for the long post, but I like to describe every detail, so You understand what I mean.
You have observed in action what I was suggesting you try.
He gets an "off-subnet" first hop address because the router interface doesn't have the address configured as GW on the ASA. Instead that interface has a private address picked as the ISP likes.
But due to proxy-arp, or call it router magic, no other address outside the static route will work on that vlan. You can also add more addresses to a customer, if you want.
Hello again !!
Well I really tried but no success, do You have any possibilities to create a short sample how the config exactly should look like ?? on the BRAS (Router) ? where the IPDSLAM is connected to.
Thank You for helping !!!
I'll rate the answer !! hope You'll create the short sample.
I'll really appreciate Your help !!
Well, then how did this ISP I was talking about fix these issues ? They are just giving their customers "static ip address" "subnetmask" and "gateway" so then they are on the network, no PPPoA and no PPPoE. So this is 100% possible, but I just need one example from someone who did this before.
First of all are you an ISP/NSP..?? because if you are then YES, it is possible to perform direct static assignments to end users without the use of pppoe or pppoa. The protocols pppoa/pppoe are only used between the CPE and Telco LAC to uniquely identify users via their username-authentication, mapping it to a unique realm; then this realm is used to identify the upstream ISP to which the telco needs to forward packets over the correct L2TP tunnel, or what in telco terms is known as DSL local aggregation.
Now having said all this, there are 2 options: 1) if you ACTUALLY are the ISP and the TELCO (NSP) then you would own your own DSLAM, meaning you can own every bit of infrastructure between your LNS/core network up to the DSLAM/CPE, which would enable you to easily configure static IPs and a default gateway without any authentication stacks in your packets designated upstream.
2) if you are NOT the ISP or NSP then the PC dialer interface would send off a request with the client's username and password. The username plus the domain name (realm) is what the TELCO uses to domain route this PPP session to its destination (ie ISP), ie email@example.com. The domain isp1.com denotes a predefined LNS IP address that the TELCO will terminate this PPP session upon. It is then the responsibility of the ISP to authenticate the user johnsmith or assign it a static ip address via configuring your LNS under vpdn group to map users to static IP.
which are you ??? what is your infrastructure like..??
Hello Steve !!
Thank You very much for reply !!
I am the first option, we are the ISP and have around 310 of our own IPDSLAMs. All of our DSLAMs are connected to our (BRAS) Core network Router.
So today we are using PPPoE but will move over to "static ip address assignment", therefore I am asking for a good suggestion and of course some "sample" example.
Our IPDSLAM is ZyXel, while the whole core network is running on 5 Cisco 7200 Routers, which exchange BGP.
Any sample example ? I could try ?
Our IPDSLAMs can only filter on MAC address, but this is not a useful option, because users may want to change their modems, or bridge them, then they need to call us for configuring the new mac address on the IPDSLAM, so I need an option which can assign a static ip address to users without filtering on MAC address.
Hello again dude,
Could you please provide me an example for your explanation you wrote above on this forum:
"Confirm first that you have set the DSLAM to map individual lines into an individual vlan. Create the subinterface, add the correct vlan ID as encapsulation, assign any IP address and enter static route for the remote, pointing to subinterface. That's it."
I tried but I am not 100 % sure what you mean with
"enter static route for the remote"
I hope you can provide me an example for this.
Thank You !!
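
The steps quoted above, written out as IOS configuration for two subscribers. This is an added example, not configuration posted by anyone in the thread, and it has not been taken from a running BRAS. Interface names, VLAN IDs and every address are constructed placeholders (203.0.113.0/24 stands in for the public block), and the uRPF line is an addition the thread does not mention.

```cisco
! Constructed example: interface names, VLAN IDs and addresses are placeholders.
! The gateway the customers configure (203.0.113.1 here) is deliberately not
! assigned to any subscriber subinterface, as described in the thread.
!
! CEF is required for the uRPF check used below
ip cef
!
! DSL line 1 is mapped to VLAN 101 on the DSLAM
interface GigabitEthernet0/1.101
 description subscriber-A
 encapsulation dot1Q 101
 ! "assign any IP address": a private /30 that overlaps nothing else
 ip address 10.227.101.1 255.255.255.252
 ! enabled by default; shown because the design depends on it
 ip proxy-arp
 ! addition, not from the thread: strict uRPF drops packets whose
 ! source address is not routed back out this subinterface
 ip verify unicast source reachable-via rx
!
! DSL line 2 is mapped to VLAN 102 on the DSLAM
interface GigabitEthernet0/1.102
 description subscriber-B
 encapsulation dot1Q 102
 ip address 10.227.102.1 255.255.255.252
 ip proxy-arp
 ip verify unicast source reachable-via rx
!
! "enter static route for the remote": one /32 per assigned address,
! pointing at that subscriber's own subinterface
ip route 203.0.113.2 255.255.255.255 GigabitEthernet0/1.101
ip route 203.0.113.3 255.255.255.255 GigabitEthernet0/1.102
```

With this in place subscriber A would configure 203.0.113.2 with gateway 203.0.113.1, and traffic for any other address is never routed toward VLAN 101. `show ip route 203.0.113.2` should show the /32 as a static route via GigabitEthernet0/1.101.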