BRAS (Broadband Remote Access Server) is one of the key components of VAS Experts DPI. It ensures flexible control over user sessions, management of data plans by customer, and introduction of advanced options.

BRAS for VAS Experts DPI

Operating modes: BRAS L2, BRAS L3

IPv4/IPv6 Dual Stack


Whitelisting based on domain names, regardless of IP address changes

Minimum risk of packet loss for high-priority applications, Quality of Service (QoS) as per data plan

Multi-user mode (one login associated with multiple IP addresses)

Enhanced marketing activities with statistics collection and QoE evaluations

BRAS Modes

BRAS ensures layer 3 connectivity by routing IP packets to the DPI system. In this scheme, IP addresses are assigned manually in the network parameters window or dynamically via an external DHCP server, DPI DHCP Relay, or RADIUS Proxy. BRAS L3 aggregates user traffic via intermediate routers, concealing the original MAC addresses.

This scheme is popular with broadband operators thanks to the ease of building redundant and distributed infrastructure.

I want to request a consultation

Advantages of VAS Experts DPI BRAS over traditional server gateways:

  • Independent traffic control and prioritization by applications and AS in each uplink, torrenting throttling in case of bandwidth congestion.
  • Traffic prioritization by applications and AS as per data plan, which is especially practical for corporate customers purchasing a single data plan for multiple simultaneous users.
  • Unlimited IP addresses, both static and dynamic.
  • Redirecting to the Captive Portal when the balance is low. The Captive Portal works with whitelisted URLs of bank payment portals and other similar resources, where users can add funds. The portal works even if the resource IP address is changed.
  • Comprehensive NetFlow analytical data per bandwidth or per subscriber.

BRAS ensures layer 2 connectivity by routing VLAN/QinQ/PPPoE traffic to the DPI system. MAC, VLAN, QinQ, or login PPPoE/option 82 can be used to authorize a user and assign an IP address. From the subscriber’s point of view, the DPI system acts as a virtual gateway answering ARP requests.

I want to request a consultation

In VLANs and QinQ, BRAS L2 performs the following functions:

  • DHCP – tracks requests generated by DHCP Clients for immediate RADIUS-based authorization if the acknowledgement message from the DHCP server is received.
  • Proxy ARP – monitors ARP requests inside a subnet and blocks any other ARP requests.
  • IP Source Guard — checks LAN packets against VLAN entries stored in the DHCP database, If the packet header does not match the entry, the packet is discarded.
  • LAN traffic termination.
  • LAN to WAN, and WAN to LAN connectivity.

BRAS performs these functions by establishing when a user session starts and ends, using IP addresses, MAC addresses, and VLAN/QinQ tags. Using this data, BRAS filters out malicious requests, significantly improving LAN security in general.

Use Cases

  • BRAS L2 can be used with QinQ technology, enabling precise user identification irrespective of the hardware used.
  • BRAS L2 can also be used as a security tool in common VLANs (single VLAN tag per frame), with VLAN ID associated not with a single user, but with a group of users, e.g., several apartments in a building or a whole apartment block.


Available Editions
VAS Experts DPI options
Filtering by the blacklisted internet sites
L1 Bypass mode support
NetFlow statistics collection on protocols and flows
Protocol-based traffic prioritization (QoS)
External access channel usage optimization (QoS)
Marketing company and user notifications
White list, Captive Portal
IPv4 and IPv6 address allocation
BRAS L3 (IPoE), IPv4/IPv6 Dual Stack, Radius CoA
BRAS L2 (PPPoE, DHCP), Dual Stack IPv4/IPv6
CG-NAT — network address translation and NetFlow export
Mini-firewall for blocking traffic over specific ports
Ad blocking and replacement
Banner integration
Resource category selector for black and white lists
QoE Lite
QoE Standart (web resources by categories, custom reports, notification triggers, DDoS and botnet detection)
Trade-In (SCE8000 and SE100-600-1200)
Services Consulting