Block PPPoE servers on CRS125-24G-1S-IN

Need to block PPPoE servers on client ports 1-24 and allow them on the sfp1 port.

Tried bridge filters: it works, but the CPU load is high, up to 100%.

Configured ports 1-24 as slave and sfp1 as master: CPU load is low, but I cannot understand how to configure PPPoE filtering on ports 1-24 in this mode.

Config attached below.

vlan2 - the VLAN with users that I want to protect from a fake PPPoE server

Ports 21-25 - trusted trunk ports running the genuine PPPoE server

Please help me understand …

/interface vlan
add interface=ether24 l2mtu=1584 name=vlan2 vlan-id=2
add interface=ether24 l2mtu=1584 name=vlan3 vlan-id=3

/interface ethernet
set [ find default-name=ether1 ] master-port=ether24
set [ find default-name=ether2 ] master-port=ether24
set [ find default-name=ether3 ] master-port=ether24
set [ find default-name=ether22 ] master-port=ether24
set [ find default-name=ether23 ] master-port=ether24

/interface ethernet switch egress-vlan-tag
add tagged-ports=ether21,ether22,ether23,ether24,sfp1 vlan-id=2
add tagged-ports=ether21,ether22,ether23,ether24,sfp1 vlan-id=3

/interface ethernet switch ingress-vlan-translation
add customer-vlan-format=untagged-or-tagged new-customer-vid=2 ports=\
    ether1,ether2,ether3,ether4,ether5,ether6 sa-learning=yes \
    service-vlan-format=untagged-or-tagged

if you only do pppoe on those ports, all ip traffic should go through the “legitimate” pppoe server (connected to the uplink ports, i guess).
this pretty much implies that no traffic should be “switched” between the user facing ports.

this gives a perfect opportunity to use isolation.
the uplink ports should have isolation profile 0 - uplink (can speak to anybody)
the user facing ports should have isolation profile 1 - isolated (can speak only to uplink ports, but not among themselves)

as far as i can see, all the customer facing ports are configured as untagged.

Added, as you wrote, “isolation profile” 1 on the client ports and 0 for the uplinks.

Did not help.
Got this:

/interface vlan
add interface=ether24 l2mtu=1584 name=vlan2 vlan-id=2
add interface=ether24 l2mtu=1584 name=vlan3 vlan-id=3

/interface ethernet
set [ find default-name=ether1 ] master-port=ether24
set [ find default-name=ether2 ] master-port=ether24
set [ find default-name=ether3 ] master-port=ether24
set [ find default-name=ether22 ] master-port=ether24
set [ find default-name=ether23 ] master-port=ether24

/interface ethernet switch egress-vlan-tag
add tagged-ports=ether21,ether22,ether23,ether24,sfp1 vlan-id=2
add tagged-ports=ether21,ether22,ether23,ether24,sfp1 vlan-id=3

/interface ethernet switch ingress-vlan-translation
add customer-vlan-format=untagged-or-tagged new-customer-vid=2 ports=\
    ether1,ether2,ether3,ether4,ether5,ether6 sa-learning=yes \
    service-vlan-format=untagged-or-tagged

/interface ethernet switch port
set 0 isolation-leakage-profile-override=1 qos-scheme-precedence="pcp-based,sa\
    -based,da-based,dscp-based,protocol-based,vlan-based,pcp-based"
set 1 isolation-leakage-profile-override=1 qos-scheme-precedence="pcp-based,sa\
    -based,da-based,dscp-based,protocol-based,vlan-based,pcp-based"
set 2 isolation-leakage-profile-override=1 qos-scheme-precedence="pcp-based,sa\
    -based,da-based,dscp-based,protocol-based,vlan-based,pcp-based"
set 3 isolation-leakage-profile-override=1 qos-scheme-precedence="pcp-based,sa\
    -based,da-based,dscp-based,protocol-based,vlan-based,pcp-based"
set 4 isolation-leakage-profile-override=1 qos-scheme-precedence="pcp-based,sa\
    -based,da-based,dscp-based,protocol-based,vlan-based,pcp-based"
set 5 isolation-leakage-profile-override=1 qos-scheme-precedence="pcp-based,sa\
    -based,da-based,dscp-based,protocol-based,vlan-based,pcp-based"
set 20 isolation-leakage-profile-override=0 qos-scheme-precedence="pcp-based,s\
    a-based,da-based,dscp-based,protocol-based,vlan-based,pcp-based"
set 21 isolation-leakage-profile-override=0 qos-scheme-precedence="pcp-based,s\
    a-based,da-based,dscp-based,protocol-based,vlan-based,pcp-based"
set 22 isolation-leakage-profile-override=0 qos-scheme-precedence="pcp-based,s\
    a-based,da-based,dscp-based,protocol-based,vlan-based,pcp-based"
set 23 isolation-leakage-profile-override=0 qos-scheme-precedence="pcp-based,s\
    a-based,da-based,dscp-based,protocol-based,vlan-based,pcp-based"
set 24 isolation-leakage-profile-override=0 qos-scheme-precedence="pcp-based,s\
    a-based,da-based,dscp-based,protocol-based,vlan-based,pcp-based"

Is there any solution to my problem?
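
Whichever filtering method ends up on the switch, the result can be checked from frames captured on a client port: PPPoE discovery uses EtherType 0x8863 (RFC 2516), and only a server sends PADO (code 0x07) or PADS (code 0x65). The following is an added example, not code from any poster in this thread; the function names are hypothetical and the MAC addresses and frames are constructed sample data.

```python
import struct

ETH_PPPOE_DISCOVERY = 0x8863                  # RFC 2516 discovery stage
ETH_VLAN_TAGS = (0x8100, 0x88A8)              # 802.1Q / 802.1ad
SERVER_CODES = {0x07: "PADO", 0x65: "PADS"}   # sent only by a PPPoE server

def parse_pppoe_discovery(frame: bytes):
    """Return (src_mac, vlan_id, code) for a PPPoE discovery frame, else None."""
    if len(frame) < 14:
        return None
    src = frame[6:12].hex(":")
    offset, vlan = 12, None
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in ETH_VLAN_TAGS:         # skip VLAN tags, keep innermost VID
        if len(frame) < offset + 6:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlan = tci & 0x0FFF
        offset += 4
    if ethertype != ETH_PPPOE_DISCOVERY or len(frame) < offset + 8:
        return None
    ver_type, code, _sid, _length = struct.unpack_from("!BBHH", frame, offset + 2)
    return (src, vlan, code) if ver_type == 0x11 else None

def rogue_offers(frames, trusted_macs):
    """List server-side discovery frames whose source MAC is not a trusted server."""
    findings = []
    for frame in frames:
        parsed = parse_pppoe_discovery(frame)
        if parsed and parsed[2] in SERVER_CODES and parsed[0] not in trusted_macs:
            findings.append((parsed[0], parsed[1], SERVER_CODES[parsed[2]]))
    return findings

def _frame(dst, src, code, vlan=None):
    """Build a constructed discovery frame with an empty payload."""
    eth = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    return eth + struct.pack("!HBBHH", ETH_PPPOE_DISCOVERY, 0x11, code, 0, 0)

# Constructed sample: one trusted server, one client, one unexpected server.
TRUSTED = {"02:00:00:00:00:01"}
CLIENT, ROGUE = "02:00:00:00:00:10", "02:00:00:00:00:66"
SAMPLE = [
    _frame("ff:ff:ff:ff:ff:ff", CLIENT, 0x09),        # PADI from the client
    _frame(CLIENT, "02:00:00:00:00:01", 0x07, 2),     # PADO from the trusted server
    _frame(CLIENT, ROGUE, 0x07, 2),                   # PADO from an untrusted MAC
    _frame(CLIENT, ROGUE, 0x65),                      # PADS from an untrusted MAC
]

if __name__ == "__main__":
    for src, vlan, kind in rogue_offers(SAMPLE, TRUSTED):
        print(f"unexpected {kind} from {src} (vlan {vlan})")
```

An empty result on a client-port capture while a test server is attached to another client port indicates the filtering is working.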