How to bring your own equipment and have static IPs
How to bring your own equipment and have static IPs
While it may be going away. Classifying ISPs under Title II is a great thing, and requires that an ISP (Comcast) let you use your own equipment. This is federal law, and even if Title II was repelead. Saying it is technically mandatory for you to use comcast's equipment just to get you to rent it, I'm pretty sure that could violate parts of the uniform commercial code, but let's just say the tech's don't know any better.
Let's clarify some things.
1. Comcast owns no propietary internet technology everything from your modem / router to their hub runs on well known standards usually described in RFC's
2.Every piece of comcast equipment you will see is mass produced linksys / netgear low end devices.
3. Comcast uses a well known standard called DOCSIS 3.0 to get you internet over coax, tftp to load your modems config and SNMP to manage it. While they have some smart people. They didn't make any changes to the standards and while some of them may have been a part of the design, I doubt it.
4. Comcast built it's one custom web interface for your device specificially designed to prevent a consumer from getting full access to their information.
5. Aside from popping up xfinity hotspots these modem/routers scan your internal network and are vulnerable. The CG300DCR for instance. You cannot fully turn off or change the 10.1.10.1 ip addresses. You can't isolate them. it also has an way more open ip address if 192.168.100.1/24. It will respond to DNS requests from almost any local ip set. It will grant that 10.1.10.1 access to the internet, and so on. It really is insecure.
6. At no time are all the Static IPs loaded into a comcast modem router. That doesn't even make sense.
Here is how comcast does their static ip address configuration.
There is a virtual port (or perhaps it's the coax port) that gets a dynamic public ip address. This is not part of your static range.
The modem/router then gets the default gateway IP address assigned to another virtual port. Which those ports on the back can talk to.
What needs to be loaded is the dynamic routing config. (because apparently one spoke site couldn't possibly work with a static routing. That'd be to easy).
Comcast uses RIPv2 with an authentication key to do route updates. The comcast techs can log into your modem and see what this authentication key is, among other things and make other changes.
I rent a business class internet with 13 static IPs and I finally found an employee who would provide the info. I am running a CPE TP link modem in bridge mode and my Cisco 4948 is doing the RIPv2 routing, and it works, and a device I can fully control is now the gateway, which for people who use their own firewalls or perhaps like to not do nat on an internal network between public and private ips,and while I acknowledge that some of the comcast routers can do some of this, they don't do it well, their techs aren't informed and it just creates more headaches for the it department.
Anyway here's the excerpted config from my cisco 4948 switch, but any device that supports RIPV2 will be able to handle this.
So get a CPE modem and put it into bridge mode (I used a TPLINK 7620)
plug it into a port on the cisco switch (I used Gi1/1)
Configure rip globally. (notes in bold
router rip brings you into the rip config
version 2 specifies version
no validate-update-source This may not be necessary. In fact comcast doesn't send any rip routes your way
passive-interface default This turns off RIP messages going out all the interfaces on your switch,
no passive-interface GigabitEthernet1/1 This tells it to use port Gi1/1 to send RIP routing info
network 0.0.0.0 so this is lazy, it identifies any network you want to advertise and advertise on, but because the wan ip is dynamic there was really no other way
distribute-list 28 out GigabitEthernet1/1 This refers to an access list and uses it to prevent you from sending internal routes out to comcast
no auto-summary This is probably unecessary but a hold over from training or a place I worked
//////// So this access list basically blocks any private ip address from being advertised to comcast. (and I hope they have some safequards on their end. If you have other wan links in your network I would add them to deny statements if possible
access-list 28 deny 10.0.0.0 0.255.255.255
access-list 28 deny 172.16.0.0 0.15.255.255
access-list 28 deny 192.168.0.0 0.0.255.255
access-list 28 permit any
/////// this is the authentication key for the rip messages, I've blocked it out. It's done in the global config
key chain comcast
key-string 7 ##########################
////////// Interface to comcasat router
description /Link -> Comcast Router/
ip address dhcp tell's it to grab an ip address via dhcp. Also on cisco make sure you don't have a gateway of last resort. this will add one to your config with a space than 254 at the end. If you have another one pointing at the same interface it will screw with your performance on some models
ip rip authentication mode md5
ip rip authentication key-chain comcast
ip summary-address rip xx.xx.xx.xx 255.255.255.240 this should be your static ip address, makes it really easy for rip to advertise
no cdp enable
spanning-tree bpdufilter enable
///////////////So to each his own, but I use Vlans and this just happens to be where my static ip vlan is.
description /Static Gateway/
ip address xxx.xxx.xxx.xxx 255.255.255.240
and we're done