[nsp] RE: Provide routable IP over dynamic assigned remote link
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Wed Dec 18 16:25:40 EST 2002
Hi Dave,
> >> Framed-IP-Address = 10.0.0.190
> >> Framed-IP-Netmask = 255.255.255.254
> >>
> >> would assign 2 addresses, 10.0.0.190 and 10.0.0.191 correct?
> >
> >No, it would assign .190 to the peer and create a static route
> >"10.0.0.190 255.255.255.254" to the interface. We handle Framed-Netmask
> >similar to a Framed-Route, i.e. the radius profiles
>
> So it would assume the peer would assume the NAS only has a
> .254 netmask... and
> would result in non-routable packets? or would the NAS not
> pay attention to the
> netmask that the peer is broadcasting?
The peer is not broadcasting any netmask to the NAS.. The NAS behaves
just how every router treats a network route, it just forwards the
packets. Only the last hop (which knows the network as "connected") pays
attention to broadcast addresses..
> > Framed-IP-Address = 10.0.0.188
> > Framed-IP-Netmask = 255.255.255.0
> >
> >and
> >
> > Framed-IP-Address = 10.0.0.188
> > Framed-Route = "10.0.0.0 255.255.255.0"
> >
> >will produce the same result. I doubt that we will actually allocate any
> >of the addresses referenced by framed-route/framed-ip-netmask from the
> >pool..
>
> so this is more for the client benefit than actually routing
> IP traffic for the
> specified address/mask to and from the peer
Well, it is for the client's benefit when we route packets over the
link, so I don't understand your question :)
>
> >> ...and (staying in our "ip local pool default 10.0.0.1 10.0.0.192")
> >>
> >> Framed-IP-Address = 10.0.0.188
> >> Framed-IP-Netmask = 255.255.255.252
> >>
> >> would assign 4 addresses, 10.0.0.188 through .191 to the user
> >> interface correct?
> >>
> >> Does the Framed-Routing Avoid having to use two of the IPs
> >> for Address and
> >> Broadcast and just assign both to the interface with the same
> >> broadcast as the
> >> rest of the NAS?
> >
> >The user's interface on the NAS is not affected by any of this (it is
> >usually configured as ip unnumbered), it is up to the peer how he sets
> >up his interfaces/routing. We just set up the routing table and send the
> >packet across the p2p link, it is up to the peer to interpret
> >network/broadcast addresses.
>
> Hmmm... so by this is it safe to assume that;
> 1) the IP addresses are not actually assigned if the
> netmask is used
Correct, we only assign a single address via IPCP. The peer has no
knowledge about the static route through PPP.
> 2) that the NAS will still route traffic for the IP
> addresses (4 in last case)
> to the peer in question
Yes.
> 3) that if the peer router is configured to accept the
> ip/netmask for the 4 IP
> addresses that it will be able to use and route them across
> the connection
> without problem?
Yes, this only depends on the peer's configuration. To come up with a
correct config might be challenging, you might need to use NAT/PAT on
the client to use all four addresses, because
  int e0
   ip address 10.0.0.188 255.255.255.252
  !
  int dialer0
   ip unnumb e0
is not a valid configuration (.188 is the network address), and you
would waste two addresses.
> If not, is there any way to enable the following via Cisco
> AVPairs generated from
> the RADIUS server (with the RADIUS server specifying IP
> addresses to use from
> the .1 - .192 pool block for each and every connection...
> RADIUS manages IP
> distribution;
>
> NAS AS5300
> 56k 1 Channel Dialup Users
> - need to send/receive via 1 IP address
> 128k 2 channel connection from Cisco 802 ISDN
> - needs to send/receive via 2 IP addresses
> 256k 4 channel connection from Cisco 1720 w/2 WIC-1B-U ISDN
> - needs to send/receive via 4 IP addresses
> 512k 8 channel connection from Cisco 3620 w/NM-1E & NM-4B-U ISDN
> - needs to send/receive via 8 IP addresses
>
> Again, dynamic or reserved IP address would be managed by the
> RADIUS server. We
> would keep track of which IP addresses we are wanting
> reserved for static users,
> and simply removing them from a "PickAvailableIP" script
> which would assign the
> IP addresses for non-static clients so I am not concerned
> about how the NAS
> manages or whether it will accidentally reallocate IP addresses...
This of course makes things easier on the NAS :)
> Currently we can already assign any IP address we want using
> Framed-IP-Address
> AVPair for each and every AUTH request.
>
> Finally, and again, the NAS is not owned by us in this
> scenario, so we have to be
> able to accomplish this over AVPairs.
If you need to use Cisco-avpair, specify the static route as "ip:route".
If you can only use IETF attributes (which might be the case if the NAS
is not owned by you), use Framed-Netmask or Framed-Route.
oli
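
Added example (not part of the original message, and not Cisco code): a Python sketch of the behaviour described in the reply above, where only Framed-IP-Address is assigned via IPCP and Framed-IP-Netmask becomes a static route, applied to the three profiles from the thread. The function names are hypothetical, and treating both addresses of a /31 as usable on the peer side is an assumption.

```python
import ipaddress

def nas_view(framed_ip, framed_netmask):
    """What the NAS does per the reply: one address to the peer via IPCP,
    plus a static route for the masked network pointing at the link."""
    # strict=False clears the host bits, as a routing table entry would.
    net = ipaddress.IPv4Network(f"{framed_ip}/{framed_netmask}", strict=False)
    return {
        "ipcp_address": str(ipaddress.IPv4Address(framed_ip)),
        "static_route": f"{net.network_address} {net.netmask}",
        "routed_addresses": net.num_addresses,
    }

def peer_lan_view(framed_ip, framed_netmask):
    """What the peer gets if it configures the routed block as a connected
    subnet (for example on its Ethernet interface)."""
    peer = ipaddress.IPv4Address(framed_ip)
    net = ipaddress.IPv4Network(f"{framed_ip}/{framed_netmask}", strict=False)
    addrs = list(net)
    # Assumption: a /31 or /32 has no network/broadcast address to set aside.
    usable = addrs if net.prefixlen >= 31 else addrs[1:-1]
    return {
        "usable_hosts": [str(a) for a in usable],
        "wasted": len(addrs) - len(usable),
        # False when the framed address is the network or broadcast address,
        # which is why the e0 configuration shown in the reply is rejected.
        "framed_ip_usable_as_interface": peer in usable,
    }

if __name__ == "__main__":
    # Profiles taken from the thread (address, netmask).
    for ip, mask in [("10.0.0.190", "255.255.255.254"),
                     ("10.0.0.188", "255.255.255.0"),
                     ("10.0.0.188", "255.255.255.252")]:
        print(ip, mask, nas_view(ip, mask))
    print(peer_lan_view("10.0.0.188", "255.255.255.252"))
```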