Proper routing for lan through verizon private network (GRE) to airlink gateways

Okay, I give up, and think I have done my due diligence (I have been engrossed and fascinated spending many more hours than allotted to try and learn some of the finer details).  Time for some advice.  My usual trade is controls engineering which generally require only basic knowledge of networking principals.  However I recently took a job to integrate 100 or so lift stations scattered around a county into a central SCADA system.  I decided to use cellular technology to connect these remote sites back to the main SCADA system.  Well the infrastructure is now in and it’s time to get these things talking.  Basic topology description is as follows:  Each remote site has an Airlink LS300 gateway.  Attached to the gateway via Ethernet is a system controller that I will be polling via Modbus TCP from the main SCADA system.  The Airlinks are provisioned by Verizon utilizing a private network with static IP's.  This private networks address is 192.168.1.0/24.  Back at the central office the SCADA computer is sitting behind a Cisco 2911.  The LAN address of the central office is 192.168.11.0/24.  The 2911 is utilizing GRE tunnels that terminate with Verizon.  The original turn up was done with another contractor that did a basic config of the router which you will find below.  As it stands now I am pretty confident the tunnels are up and working (if I change a local computers subnet to 255.255.0.0 I can surprisingly reach the airlinks in the field), but this is obviously not the right way to solve the problem, not to mention I was unable to successfully poll the end devices on the other side of the Airlinks.  I think I understand just about every part of the config below and think it is just missing a few items to be complete.  I would greatly appreciate anyone’s help in getting this set up correctly.  I also have a few questions about the set up that still don’t make sense to me, you will find them below the config.  Thanks in advance.
no aaa new-model
ip cef
ip dhcp excluded-address 10.10.10.1
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1 
 lease 0 2
ip domain name yourdomain.com
no ipv6 cef
multilink bundle-name authenticated
username cisco privilege 15 one-time secret 
redundancy
crypto isakmp policy 1
encr 3des
hash md5
 authentication pre-share
 group 2
crypto isakmp key AbCdEf01294 address 99.101.15.99  
crypto isakmp key AbCdEf01294 address 99.100.14.88 
crypto ipsec transform-set VZW_TSET esp-3des esp-md5-hmac 
mode transport
crypto map VZW_VPNTUNNEL 1 ipsec-isakmp 
 description Verizon Wireless Tunnel
 set peer 99.101.15.99
 set peer 99.100.14.88
 set transform-set VZW_TSET 
 match address VZW_VPN
interface Tunnel1
 description GRE Tunnel to Verizon Wireless
 ip address 172.16.200.2 255.255.255.252
 tunnel source 22.20.19.18
 tunnel destination 99.101.15.99
interface Tunnel2
description GRE Tunnel 2 to Verizon Wireless
 ip address 172.16.200.6 255.255.255.252
 tunnel source 22.20.19.18
 tunnel destination 99.100.14.88
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.10.10.1 255.255.255.248
 shutdown
 duplex auto
 speed auto
interface GigabitEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 duplex auto
 speed auto
interface GigabitEthernet0/2
 ip address 22.20.19.18 255.255.255.0
duplex full
 speed 100
 crypto map VZW_VPNTUNNEL
router bgp 65505
 bgp log-neighbor-changes
 network 0.0.0.0
 network 192.168.11.0
 neighbor 172.16.200.1 remote-as 6167
 neighbor 172.16.200.5 remote-as 6167
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 22.20.19.19
ip access-list extended VZW_VPN
 permit gre host 99.101.15.99 host 22.20.19.18
 permit icmp host 99.101.15.99 host 22.20.19.18
 permit esp host 99.101.15.99 host 22.20.19.18
 permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
 permit gre host 22.20.19.18 host 99.101.15.99
 permit gre host 22.20.19.18 host 99.100.14.88
access-list 23 permit 10.10.10.0 0.0.0.7
control-plane
end
So after spending countless hours analyzing every portion of this,  I think that adding one line to this will get it going (or at least closer).
ip route 192.168.1.0 255.255.0.0 22.20.19.19
That should allow my internal LAN to reach the Airlink gateways on the other side of the tunnel (I think)
Now for a couple of questions for those that are still actually hanging around.
#1 what is the purpose of the Ethernet address assigned to each tunnel?  I only see them being used in the BGP section where they are receiving routing tables from the Verizon side (is that correct?).  Why wouldn't or couldn't you just use the physical Ethernet address interface in its place (in the BGP section)?
#2 is the config above correct in pointing the default route to the physical Ethernet address?  Does that force the packets into the tunnel, or shouldn’t you be pointing it towards the tunnel IP's (172.16.200.2)?  If the config above is correct then I should not need to add the route I described above as if I ping out to 192.168.1.X that should catch it and force it into the tunnel where Verizon would pick it up and know how to get it to its destination??
#3 Will I need to add another permit to the VZW_VPN for TCP as in the end I need to be able to poll via Modbus which uses port 502 TCP.  Or is TCP implicit in some way with the GRE permit?
 I actually have alot more questions, but I will keep reading for now.
I really appreciate the time you all took to trudge through this.  Also please feel free to point anything else out that I may have missed or that can be improved.  Have a great day!

My first comment is that you have two posts in this forum and as far as I can tell they are exact duplicates, other than changing the title of the posts. It is better to figure what you want to ask and then to ask once.
My second comment is that you have given us information about your central site. At some point we may also need some information about what is at the remote and how that is set up. But for now we will deal with what we know about your site.
Before I deal with your specific questions I will comment that if you are able to access the remote airlinks that it is a pretty good indicator that the tunnels are probably working. But to understand the significance of this it would help if you clarify for us what address is on the local computer when you change the subnet to 255.255.0.0.
Also what you have shown us allows us to see that BGP is configured but provides no insight into whether BGP is working or now. It would provide helpful information if you would post the output of show ip bgp sum.
So to address your specific questions:
You suggest that adding a static route for 192.168.1.0 might be part of the solution. But we have no information about what that network is or its significance. So we have no way to know whether the static route would help or not. But my guess (based on very scant information and therefore based mostly on assumptions) is that if BGP is working correctly that the static route is not needed.
1) asks about an Ethernet address on the tunnel. I assume that you really meant to ask about the IP address assigned to the tunnel. The reason that the tunnel needs it own IP address is that we want a unique subnet assigned to the tunnel. If we used the address from the physical interface as you suggest then both tunnels would have the same address and that implies that they both connect to the same place, and that assumption is not correct.
2) Yes it is correct to point the default route to the IP address that is the next hop from the Ethernet interface. You might want to have a route pointing at the tunnel address for remote subnets reached via the tunnel. But in looking at the config and trying to understand what was intended it is pretty obvious that running BGP over the tunnel is intended to learn the remote addresses over the tunnel and therefore there is no need for static routes for the remote resources.
3) You should not need an additional permit for TCP 402. The TCP packet will be carried through the tunnel and the access list you are referring to will see the packet will modbus polling as GRE traffic and not as TCP traffic.
HTH
Rick

Similar Messages

  • IP routing utilizing Verizon private network (GRE tunnel) with remote cellular gateways

    Okay, I give up, and think I have done my due diligence (I have been engrossed and fascinated spending many more hours than allotted to try and learn some of the finer details).  Time for some advice.  My usual trade is controls engineering which generally require only basic knowledge of networking principals.  However I recently took a job to integrate 100 or so lift stations scattered around a county into a central SCADA system.  I decided to use cellular technology to connect these remote sites back to the main SCADA system.  Well the infrastructure is now in and it’s time to get these things talking.  Basic topology description is as follows:  Each remote site has an Airlink LS300 gateway.  Attached to the gateway via Ethernet is a system controller that I will be polling via Modbus TCP from the main SCADA system.  The Airlinks are provisioned by Verizon utilizing a private network with static IP's.  This private networks address is 192.168.1.0/24.  Back at the central office the SCADA computer is sitting behind a Cisco 2911.  The LAN address of the central office is 192.168.11.0/24.  The 2911 is utilizing GRE tunnels that terminate with Verizon.  The original turn up was done with another contractor that did a basic config of the router which you will find below.  As it stands now I am pretty confident the tunnels are up and working (if I change a local computers subnet to 255.255.0.0 I can surprisingly reach the airlinks in the field), but this is obviously not the right way to solve the problem, not to mention I was unable to successfully poll the end devices on the other side of the Airlinks.  I think I understand just about every part of the config below and think it is just missing a few items to be complete.  I would greatly appreciate anyone’s help in getting this set up correctly.  I also have a few questions about the set up that still don’t make sense to me, you will find them below the config.  Thanks in advance.
    no aaa new-model
    ip cef
    ip dhcp excluded-address 10.10.10.1
    ip dhcp pool ccp-pool
     import all
     network 10.10.10.0 255.255.255.248
     default-router 10.10.10.1 
     lease 0 2
    ip domain name yourdomain.com
    no ipv6 cef
    multilink bundle-name authenticated
    username cisco privilege 15 one-time secret 
    redundancy
    crypto isakmp policy 1
    encr 3des
    hash md5
     authentication pre-share
     group 2
    crypto isakmp key AbCdEf01294 address 99.101.15.99  
    crypto isakmp key AbCdEf01294 address 99.100.14.88 
    crypto ipsec transform-set VZW_TSET esp-3des esp-md5-hmac 
    mode transport
    crypto map VZW_VPNTUNNEL 1 ipsec-isakmp 
     description Verizon Wireless Tunnel
     set peer 99.101.15.99
     set peer 99.100.14.88
     set transform-set VZW_TSET 
     match address VZW_VPN
    interface Tunnel1
     description GRE Tunnel to Verizon Wireless
     ip address 172.16.200.2 255.255.255.252
     tunnel source 22.20.19.18
     tunnel destination 99.101.15.99
    interface Tunnel2
    description GRE Tunnel 2 to Verizon Wireless
     ip address 172.16.200.6 255.255.255.252
     tunnel source 22.20.19.18
     tunnel destination 99.100.14.88
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
     ip address 10.10.10.1 255.255.255.248
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.11.1 255.255.255.0
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     ip address 22.20.19.18 255.255.255.0
    duplex full
     speed 100
     crypto map VZW_VPNTUNNEL
    router bgp 65505
     bgp log-neighbor-changes
     network 0.0.0.0
     network 192.168.11.0
     neighbor 172.16.200.1 remote-as 6167
     neighbor 172.16.200.5 remote-as 6167
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip route 0.0.0.0 0.0.0.0 22.20.19.19
    ip access-list extended VZW_VPN
     permit gre host 99.101.15.99 host 22.20.19.18
     permit icmp host 99.101.15.99 host 22.20.19.18
     permit esp host 99.101.15.99 host 22.20.19.18
     permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
     permit gre host 22.20.19.18 host 99.101.15.99
     permit gre host 22.20.19.18 host 99.100.14.88
    access-list 23 permit 10.10.10.0 0.0.0.7
    control-plane
    end
    So after spending countless hours analyzing every portion of this,  I think that adding one line to this will get it going (or at least closer).
    ip route 192.168.1.0 255.255.0.0 22.20.19.19
    That should allow my internal LAN to reach the Airlink gateways on the other side of the tunnel (I think)
    Now for a couple of questions for those that are still actually hanging around.
    #1 what is the purpose of the Ethernet address assigned to each tunnel?  I only see them being used in the BGP section where they are receiving routing tables from the Verizon side (is that correct?).  Why wouldn't or couldn't you just use the physical Ethernet address interface in its place (in the BGP section)?
    #2 is the config above correct in pointing the default route to the physical Ethernet address?  Does that force the packets into the tunnel, or shouldn’t you be pointing it towards the tunnel IP's (172.16.200.2)?  If the config above is correct then I should not need to add the route I described above as if I ping out to 192.168.1.X that should catch it and force it into the tunnel where Verizon would pick it up and know how to get it to its destination??
    #3 Will I need to add another permit to the VZW_VPN for TCP as in the end I need to be able to poll via Modbus which uses port 502 TCP.  Or is TCP implicit in some way with the GRE permit?
     I actually have alot more questions, but I will keep reading for now.
    I really appreciate the time you all took to trudge through this.  Also please feel free to point anything else out that I may have missed or that can be improved.  Have a great day!

    This post is a duplicate of this thread
    https://supportforums.cisco.com/discussion/12275476/proper-routing-lan-through-verizon-private-network-gre-airlink-gateways
    which has a response. I suggest that all discussion of this question be done through the other thread.
    HTH
    Rick

  • Wrong mac address listed in verizon router for a device on my network

    Hi folks,
    I'm having some routing issues and hope you can help.
    I've got the standard  verizon actiontec MI424WR-GEN3I router for my standard LAN and then a 2nd router (linksys wrt54g) for a testing environment I set up, to help isolate the traffic.  I'm using the LAN to WAN strategy to set up the two networks.
    everything seems to be working fine except for the fact that my devices behind the actiontec router cannot ping/access any devices behind the linksys router, but the devices behind the linksys router are able to ping and reach the devices behind the actiontec router.
    my actiontec subnet is 192.168.1.X while my linksys subnet is 192.168.2.X.  I followed this tutorial on the verizon forum to hopefully get the two networks talking correctly: http://forums.verizon.com/t5/FiOS-Internet/Multiple-routers-and-subnets-can-t-access-across-subnets/...
    an issue I see in my actiontec router is that it appears as though the mac address is not correct for what I'd imagine is the WAN port on the linksys router.  the actiontec is showing the MAC as 00:13:10:73:72:6a while the sticker on the router itself and through the ARP command in the command prompt shows the MAC for the linksys router as 00:13:10:73:72:69.  I've power cycled both routers 2x and nothing has changed.  I currently have the ethernet cable that goes from my actiontec to the linksys unplugged so hopefully it'll drop from network list eventually and reaquire an address when it's hooked back up, hopefully correcting the wrong MAC address issue.
    I'm a bit perplexed as to why I can get out to the internet just fine on my 192.168.2.X network with a botched MAC address, but I can't ping the network that's just a hop away...even after following the guide mentioned above.
    any ideas here? 

    You can release the address yourself.  It's a function under my network, network connections, broadband connection (whichever one is connected), configure connection
    dhcp lease Release
    Then recycle the router
    After you set up the static route did the ping work? - ensure that you have icmp enabled on the linksys.  If you don't get a ping response it indicates an issue with the static route rule.

  • EA6500 - Static IP routing for LAN

    Hello,
    I would like to know how to setup STATIC IP on my local network.
    I got 5  Public Static IP address from Comcast.
    I can only use "DHCP" for lan. I can't see option to setup STATIC IP on my lan.
    I did configure that WAN port with static ip but now I need to setup lan.
    please help.

    You can test drive the LRT224 at the below URL:
    http://ui.linksys.com/files/LRT224/1.0.0.07/cgi-bin/welcome.htm
    The feature you need is in:
    Login => Configuration => One-To-One NAT => Enable One-To-One NAT
    There is a good description if you click the Help link while in the One-To-One NAT section.
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • Broken Link - Firewall and Virtual Private Network Communication for Oracle

    The link for Firewall and Virtual Private Network Communication for Oracle Enterprise Manager on http://otn.oracle.com/products/oem/files/best_practices.html returns a 404 error. It is not pointing to the correct document

    This link is still broken !
    Can you please correct this ASAP ?
    Best regards, Yolanda
    Oracle HUB support services

  • WRT54GS Advanced Routing for Public Access

    Hi,
    I have searched everywhere for what should be a simple task. I have done this with many routers, but this linksys just doesnt want to play ball!
    The senario;
    I have a BT wireless router modem which has my private network (192.168.1.x). This is to act as my defaut web gateway (192.168.1.1)
    I have this wireless linksys router which is configured with the IP address 192.168.0.1 and allows people to connect (192.168.0.x).  I have pluged the private router (bt router) into the WAN port of the linksys.
    I basically want to let public users to connect to the linksys wireless router and get internet access.  I dont want them to see my private network- ie you should not be able to access (192.168.1.x).
    I thought that normally it's not possible to see the 192.168.1.x network connected to the WAN port over the 192.168.0.x (public) network; however I can see everything on both the WAN network and linksys router network.
    Do I need to use the advanced routing settings?  If so, should the device be configured as a router or gateway?  Should I use RIP and should I put a static route in for the router connected to the WAN port?
    I don't expect a full answer, but any guidance would be wonderful!
    I think I need to add a static route for the gateway and somehow make sure everything else is blocked? 
    Regards,
    Luke. 

    Of course, everything connected to the Linksys router can see everything connected to the WAN port side or the internet. This is how every standard router works: you have a LAN side which is protected from the internet and you can access everything in the internet.
    Due to that, the correct setup for two separated networks is to connect the public network first to the internet connection and then connect the private network with a router to the public network. Basically you would have to swap your two routers.
    Unfortunately, the first router is your modem which means you cannot swap them.
    There is nothing you can do on the WRT54GS to prevent access to your 192.168.1.* IP addresses. It's not possible.

  • How to connect to an iMac in a LAN through Time Capsule as router

    SITUATION:
    We have a Time Capsule at work, which we use as a router for a LAN which includes 2 iMacs, 1 PowerBook G4, and an HP Officejet Printer.
    The Time Capsule connects to the internet through Ethernet, via a Static IP address. All the computers connect to the internet wirelessly through the Time Capsule, and the printer is wired to the Time Capsule.
    We are trying to connect remotely to the computers in the office, keeping in mind that the Time Capsule as a router is in the middle.
    SET-UP WORK DONE SO FAR:
    We opened the Airport Utility, selected the Time Capsule, Advanced tab, Port Mapping option and added a device, using the local IP address of the computer we want to make available remotely.
    In the Port Mapping Setup Assistant that comes up, we ran three scenarios: (1) left the Service field without a choice once and then (2) with Apple Remote Desktop and (3) Personal File Sharing.
    In the first scenario, we chose 49999 as Public and Private TCP Ports (we read the figures could be in an approximate range of 42-65k), while we left the UDP Ports fields blank. In the other two scenarios we left untouched both the UDP and TCP Ports that appear as defaults when the Service field is selected.
    We hit the Continue button and the Update button afterwards. The Time Capsule saved the information and restarted.
    In the Sharing preference under System Preferences we chose Remote Management and clicked on the Computer Settings... button. We checked the VNC button and included a password.
    REMOTE ACCESS WORK:
    When we wanted to access the iMac that we just thought we had set up for remote access using a different computer connected to another network, we could not connect.
    We used Chicken of the VNC to try to access the local iMac, using the Time Capsule Static IP address and the VNC password set in the Sharing/Remote Management preference in the iMac. We have been unable to access the local computer connected wirelessly to the Time Capsule so far.
    We get the following message:
    Could not connect to server
    Connection timed out: ()
    Any help out there?
    Rod

    The TC is not a streaming device.. it is merely a hard disk mounted inside a router.
    That means My Receiver.. whatever that happens to be.. has to be a media device that can play from a network file store.. So there is no settings in Airport utility.. because the TC is too dumb to need to know anything.
    BTW the TC is a bad place to store files, as it has no way to back itself up.

  • How to Open Ports for HP Printers for all computers within the network (router)

    Hi,
    I have the EA6700 router and a few HP printers and Multi purpose printers/scanner/fax ...
    When installing the print drivers, they are ok.  Sending to printers are not a problem.  However, the problem comes with scanning.
    The HP Software ask to open a port for it...     How do I do that?   I checked, it seems other computers are affected by it too after changing to this new router.
    I read that it can be done on the "App and gaming" section at the Security page.  Do I go to the port forwarding section?   But it only forward to one computer.  that doesn't work...    
     I'd like to open a port and a lot of other IPs can print and scan from it.
    Thanks

    Ports are not needed to be opened on the LAN side of the router for Printers and Scanners. I recommed that tiy contact hp for help and information regarding setup and configuration of those devices. Also the addition of a external Gb network switch for these devices is recommended as well. Would help eliminate any un-necessary router configuration or processing. 

  • What is the correlation of Logger Private network to Router Private Network.

    What is the correlation of Logger Private network to Router Private Network.
    You have to define them in Websetup for the Router and Logger but what is communicating on the Private network path between the Logger and Router?    I thought that was over the Public network.  is it only Recovery from the Loggers talking over the Private network?

    Hi,
    you can read about the types of messages exchanged over various links in the SRND.
    G.

  • HT201250 I am having trouble setting up my time capsule.  the amber light is flashing.  i have a Verizon FIOS network that i use for the internet (WiFi) and do not want to configure the Time Capsule to do that function.  I just want the Time Capsule to ba

    I am having trouble setting up my time capsule.  the amber light is flashing.  i have a Verizon FIOS network that i use for the internet (WiFi) and do not want to configure the Time Capsule to do that function.  I just want the Time Capsule to back up.

    Simple.. bridge the TC.. in the apple utility in the NAT and DHCP area.
    Plug it into the FIOS router.. you can turn off wireless in the TC if you want.. or use it.. it can work faster if you are nearby and can select 5ghz.. but up to you.

  • ICM Router & Logger Private Network connectivity

    Hi,
         Can any one give me clarification on the following
     Is there any private network connectivity betwen ICM router and Logger ?

    No, call routers (central controller) communicates between side A and B over private network for synchronization, so do PG pairs. Loggers receive data from local call router over public traffic.
    Chris 

  • Build a gateway server for private network ???

    Hello all good friends,
    I has a private network, and one Linux box with public IP address, two NICs connecting direct to ISP. Now, I want to set up this linux box to operate as Gateway server so that all my private networks can use Internet. I have asked this question to many peoples and got much suggestions such as install IPchains (NAT server), IPtables (NAT server), SQUID (Proxy server), ... But until now the big question to me is which software is the best one, I mean which software allow my private network accessing to Internet fastest ? (Proxy server or NAT server only ?) and which one is the most secure ? Besides, you know another opinion, please tell with me if you don't mind.
    I very grateful to all of you answers me in all my life.
    Tu from Vietnam

    Best thing I would suggest is to buy a Gateway Router. I have D-Link 804, but you can buy anything that pleases you more or suits your demands. Also this way, you donot have to have a computer "turned-on" all the time. Some other advantages are that functions like DHCP, NAT and other features are built into the router. This way you can connect upto 253 Computers to a router and also have a 100Mb/sec, internal home network. You can also go for the wireless option, if you have more money to spend. Just look up on the net for more information.
    i2l2

  • What is the proper config for the Airport Extreme when a Voice over IP device is between the cable modem and the router.

    What is the proper config for the Airport Extreme when a Voice over IP device is between the cable modem and the router.  Its a VoIPo device. The cable modem is connected to the VoIP WAN port and the LAN port on the device feeds the Airport Extreme.  The VOIP is working fine, and my Mac are getting 10. addresses from the Airport Extreme.  But I do get confict messages and lose my connection periodicaly.  Looking for help.

    Its a VoIPo device.
    Per chance, is this device the Grandstream HT502?

  • DCNM for LAN routing

    Hello,
    I'd like to know how to configure routing in DCNM for LAN for Nexus 5000 for instance. I didn't find it either looking through the options of the tool, nor in the configuration guides in Cisco.com
    Thanks,

    You can manage 2K & 5K devices but a $0 cost license is required. A purchase order for DCNM-NXACC-100-K9 should do the trick.
    Thanks.

  • Is there a way to have internet access for my laptop through Verizon?  I have a smartphone, but I don't want to rack up too much data.

    Is there a way to have internet access for my laptop through Verizon?  I have a smartphone, but I don't want to rack up too much data.  How would the laptop connect to the  4G? network?  Thanks for any info:)

    Rcshnoor nailed it, everything will depend on how they manage their data connection once the laptop is connected.  It is perfectly feasible that they will have no issues with this new connection.  However, there is nothing stopping the user from going above and beyond the data usage cap currently sufficient for the phone by itself.  We cannot presume that any estimations on new usage will be accurate either.
    Users should always be aware of the reality that revolves around data usage and the devices that consume them.  Its no different than installing a 2nd waterline/hose on your house.  Sure the hose will be fine if you remember to turn it off when you are done, but no one is going to stop you from letting it run all night if you forget.

Maybe you are looking for