[cisco-bba] L2TP on dynamic IP

Arie Vayner ariev at vayner.net
Thu Jan 20 11:28:05 EST 2011


In that case I would suggest looking at EasyVPN or simple DMVPN
solutions, which are built for this dynamic spoke model, and use GRE,
which will allow you to run any overlay IP assignments and protocols.

You can also use basic IPsec to authenticate the sessions.

Arie

On 1/20/11, John Fitzgerald <john.fitzgerald at internet.de> wrote:
>
> Hi Arie,
>
> I definitely would like to define a fixed IP to the customer, but on the WAN
> side the CPE is configured by a third party provider (an access provider).
>
> So in fact, I can't get my hands on the CPE. So the idea was to place an
> L2TP Client behind the CPE (on LAN side) which makes the connection outbound
> to my Router. My router terminates the L2TP Tunnel.
>
> When my router recognizes the L2TP Connect, my router provides an IP address
> statically of my pool to the client's interface.
>
> Furthermore, my router will insert a somewhat static route to the client in
> his routing table, so the customer will be reachable through this IP. In
> detail, the customer L2TP Server has 2 NICs, one points to the CPE and has
> masked IP Addresses (e.g. 192.168.X.X) and the other one should route the
> officially routed net, my router is sending (like AAA.BBB.CCC.DDD).
>
> With this tunnel, I would be able to tunnel other data packets to the client
> as well as speak bgp to the client though still use my IP space.
>
> At last, the customers computers would be reachable through the L2TP tunnel
> and the IP addresses would be from my nets.
>
> The only trick is: The client has an access network from another provider and
> I can't get hands on the configuration of his CPE. Furthermore, the external
> IP address of the customer might change from day to day.
>
> For reliability, I would prefer fiber, of course. But the next fiber is
> approx. 2 miles away and digging is approx. 40k EUROS (!).
>
> So, I am looking for a solution to provide BGP redundancy to smaller
> customers (e.g. 50 Users) even at locations where I cannot do what I want.
> This would make it possible for customers with provider independent address
> space to have bgp with 2 neighbors (e.g. one is their standard ISP with a
> fast line (100Mbps), one is the backup ISP (e.g. 20 Mbps via G.SHDSL)).
>
> Cheers,
>
> John
>
> From: arievayner at gmail.com [mailto:arievayner at gmail.com] On Behalf Of Arie
> Vayner
> Sent: Wednesday, January 19, 2011 8:58 PM
> To: John Fitzgerald
> Cc: cisco-bba at puck.nether.net
> Subject: Re: [cisco-bba] L2TP on dynamic IP
>
> John,
>
> What would most likely be a better solution for both solutions is to assign
> the customer a fixed IP allocated from RADIUS when they connect over L2TP (I
> assume PPP...)
> This will allow you to have a static BGP session with the statically
> allocated IP address.
>
> Another option is to look at the BGP dynamic neighbors feature:
> http://www.cisco.com/en/US/docs/ios/12_4t/ip_route/configuration/guide/brbpe
> er.html#wp1131929
>
> For IPSec there are quite a few solutions for IPSec sessions with dynamic
> peers.
> I think this could be a good starting point:
> http://www.cisco.com/en/US/products/ps6635/prod_white_papers_list.html
>
> Arie
>
> On Wed, Jan 19, 2011 at 8:23 PM, John Fitzgerald
> <john.fitzgerald at internet.de> wrote:
>
> Hi,
>
> I've got two design questions:
>
>
> 1. Is it possible to map a net via L2TP (IPv4 PI Space) to a client, which
> comes from a dynamic IP Address? E.g. he has RIPE PI Space AAA.BBB.CCC.DDD
> and as he connects, routers will allow traffic to his network
> AAA.BBB.CCC.DDD and BGPv4 will recognize and will allow route servers to be
> changed...
>
> 2. Is it possible to have the IPSec with (1.)?
>
>
> Cheers,
>
>
> John
>
> _______________________________________________
> cisco-bba mailing list
> cisco-bba at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-bba
>

-- 
Sent from my mobile device
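The BGP dynamic neighbors approach Arie pointed to earlier in the thread, as an added illustrative IOS configuration that is not from any poster: the provider router accepts sessions from whatever pool address the L2TP/PPP client was handed, while the session is authenticated with a TCP-MD5 shared secret and the customer may only announce its own PI prefix. All values (AS 64496/64497, pool 192.0.2.0/24, customer PI prefix 203.0.113.0/24, the secret) are constructed placeholders; the real shared secret and prefixes are assumptions to be replaced.

```text
! Constructed example: addresses handed to L2TP/PPP clients come from this pool
ip local pool L2TP-POOL 192.0.2.2 192.0.2.254
!
! Inbound filter: only the customer's own PI prefix is accepted over the tunnel
ip prefix-list CUST-PI-IN seq 5 permit 203.0.113.0/24
ip prefix-list CUST-PI-IN seq 10 deny 0.0.0.0/0 le 32
!
router bgp 64496
 bgp log-neighbor-changes
 ! Cap the number of dynamically created sessions (constructed limit)
 bgp listen limit 50
 ! Any source address inside the L2TP pool may bring up a session
 ! using the L2TP-CUST peer-group template
 bgp listen range 192.0.2.0/24 peer-group L2TP-CUST
 neighbor L2TP-CUST peer-group
 neighbor L2TP-CUST remote-as 64497
 ! TCP-MD5: a pool address alone is not enough to open a session
 neighbor L2TP-CUST password REPLACE-WITH-SHARED-SECRET
 ! The PPP peer is one hop away across the tunnel (GTSM, RFC 5082)
 neighbor L2TP-CUST ttl-security hops 1
 ! Only the customer's PI space is learned, and only a handful of routes
 neighbor L2TP-CUST prefix-list CUST-PI-IN in
 neighbor L2TP-CUST maximum-prefix 10
```

If the RADIUS-assigned fixed address from the earlier message is used instead, the same peer-group settings apply to a plain static `neighbor <pool-address> peer-group L2TP-CUST` entry.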
