Not sure I understand your post, is your question directed at me?PPP frames inside ethernet providing unique layer 2 tunnel based on unicast frames on session level. Why torch should show you destination IP, when PPP tunnel operates only with mac address?
Well yeah. I thought you didn't get why dst ip is 0.0.0.0 and you thought it's mean it's broadcast frame.Not sure I understand your post, is your question directed at me?PPP frames inside ethernet providing unique layer 2 tunnel based on unicast frames on session level. Why torch should show you destination IP, when PPP tunnel operates only with mac address?
Well yeah. I thought you didn't get why dst ip is 0.0.0.0 and you thought it's mean it's broadcast frame.Not sure I understand your post, is your question directed at me?PPP frames inside ethernet providing unique layer 2 tunnel based on unicast frames on session level. Why torch should show you destination IP, when PPP tunnel operates only with mac address?
Well yeah. I thought you didn't get why dst ip is 0.0.0.0 and you thought it's mean it's broadcast frame.Not sure I understand your post, is your question directed at me?PPP frames inside ethernet providing unique layer 2 tunnel based on unicast frames on session level. Why torch should show you destination IP, when PPP tunnel operates only with mac address?
About your second cent:My two cents:I can agree with @Anumrak on almost nothing:
- the target PPPoE client device doesn't send anything in its uplink direction so the ISP gear starts to broadcast frames for it after the record for that MAC in its forwarding table expires (this normally takes minutes after it has seen the last frame with client's MAC as source), whereas the PPPoE payload is a stream which doesn't require any backward confirmations so it doesn't stop in the absence of an uplink traffic,
- the forwarding table size is so limited at some of the ISP boxes that it starts broadcasting because newer records squeeze out older ones; once any of the boxes between that resource-limited one and you receives such a frame, it has no choice but to broadcast it as it can never see a frame in the opposite direction,
- the ISP gear is merely broken.
- isolation of client-facing ports on the ISP gear from one another cannot help as it's not that you'd be getting an upload traffic of a foreign client, you get its download traffic, so it doesn't ingress through one client-facing port and egress through another one,
- I cannot imagine 7.3 Mbps of PPPoE-discovery traffic towards a MAC address of a single client (unless the client would be frenetically sending PADI at similar pace)
- if the ISP gear was receiving frames with source MAC address of the client from your gear, you would be stealing part of the stream (and the ISP gear should report MAC flapping if this was happening)
I'm not sure we talk about the same? @CZFan (the topic starter) cannot affect by his own configuration what the upstream ISP is sending to him, except if he was actively sending frames with the affected customer's MAC address as source and thus stealing the traffic by making the ISP switch learn that MAC on @CZFan's port. I would expect the ISP's switch to have client-facing ports isolated from each other (i.e. no forwarding from one client-facing port to another), but that doesn't prevent frames sent by the PPPoE server from being broadcast via all client-facing ports as long as the dst-mac is unknown.1) It will help alot, especially if both clients in the same broadcast domain. They could interact with one another directly. It's not about direction of traffic. It's about misconfiguration of topic starter and abusing the "network hole" by someone in same vlan.
No doubt about this As stated above, this is what port isolation can help against.2) I can generate whatever traffic you want with any ether type number.
Sure, but to happen, this requires that the legit recipient doesn't send anything during that burst and that something between @CZFan's uplink port and @CZFan's clients (including both extremities) sends frames with legit recipient's MAC as source.3) While mac flapping happening, you can receive that bursted 7 mb/s sometimes.
This is the most straightforward explanation, but as it happened twice for different clients, the ISP's staff must suffer from dysgraphia to make the same typo twice for two different clients to be monitored.I bet that ISP misconfigured port mirroring from some client to their chosen one with another vlan, and picked a port of topic starter. After he called them, they configured mirroring correctly. In this scenario you could see that traffic on a legit port.
1) Can affect by his own hands (Why you think that it's a session of a legit ISP client?(mac spoffing)) Also, all clients could know all macs in their service if there is no l2 isolation.I'm not sure we talk about the same? @CZFan (the topic starter) cannot affect by his own configuration what the upstream ISP is sending to him, except if he was actively sending frames with the affected customer's MAC address as source and thus stealing the traffic by making the ISP switch learn that MAC on @CZFan's port. I would expect the ISP's switch to have client-facing ports isolated from each other (i.e. no forwarding from one client-facing port to another), but that doesn't prevent frames sent by the PPPoE server from being broadcast via all client-facing ports as long as the dst-mac is unknown.1) It will help alot, especially if both clients in the same broadcast domain. They could interact with one another directly. It's not about direction of traffic. It's about misconfiguration of topic starter and abusing the "network hole" by someone in same vlan.
If you start thinking about spoofed traffic, then of course isolation of client-facing ports can prevent frames spoofed by one client from being forwarded to other client-facing ports at the ISP.
No doubt about this As stated above, this is what port isolation can help against.2) I can generate whatever traffic you want with any ether type number.
Sure, but to happen, this requires that the legit recipient doesn't send anything during that burst and that something between @CZFan's uplink port and @CZFan's clients (including both extremities) sends frames with legit recipient's MAC as source.3) While mac flapping happening, you can receive that bursted 7 mb/s sometimes.
This is the most straightforward explanation, but as it happened twice for different clients, the ISP's staff must suffer from dysgraphia to make the same typo twice for two different clients to be monitored.I bet that ISP misconfigured port mirroring from some client to their chosen one with another vlan, and picked a port of topic starter. After he called them, they configured mirroring correctly. In this scenario you could see that traffic on a legit port.
@CZFan, @Anumrak's point of view made me review the whole thread and I've noticed I may be misunderstanding some points all the time.
So
1) are the two clients whose traffic you could see to arrive to the "CPE management router" connected via your own OLTs or their MAC addresses are unrelated to your part of the network at all? I.e. can we be sure that the "misforwarding" happens already at the ISP or can it happen as late as at your CRS (because the CRS gets it legitimately)?
2) what exactly did you have in mind when saying "almost like vlan 501 leaking over to native vlan from their side"? The torch shows that those frames do come to the "CPE management router" tagged with VID 501.
@tdw's suggestion regarding collision of hashes of MAC addresses cannot be excluded (neither at your CRS nor at the ISP gear), it is just a bit complex to prove that - to do so, you'd need to store the complete list of MAC addresses known to the switch while the issue happens, and then try to spoof frames with each of these MAC addresses as source, one by one, to another CRS and see which one of them purges (actually, shadows) the MAC address of that "unrelated client" from the FDB.
Okay. So the 8864 traffic for that MAC address is coming from the ISP to the CRS legitimately, and the "only" issue is that your "CPE management router" and all the other clients downstream from the CRS receive a copy of traffic of a random victim. I'd say you are lucky ZA is not subject to the famous GDPRI am providing L2 connectivity from clients behind OLTs to ISP's, the PPPoE AC is at the ISP.
Yes, the dst MAC addresses belongs to customers behind the OLTs, traffic that I see, dst MACs changes every now and then, so it is not a specific customer behind OLTs whose traffic I see, but is all from this specific ISP customers. The CRS seems to be receiving info, then it sends it to all Vlans internally.
Who said benefit, I think about bugs, or, more precisely, I'm trying to find a logical explanation why this should happen only with clients of that single ISP, given that the broadcasting itself happens at your CRS which should keep learning the right egress port from the client's traffic in upload direction.What will the benefit be for ISP, etc to disable the "Keep Alive Timeout" settings?
I cannot read this differently than that the CRS has a problem.I saw the keep alive responses being sent by the client device at the client device while the issue were present, i.e. I could see PPPoE session traffic to this client on other devices.
This might indicate some issue on the path between the client and the CRS (like insufficient bandwidth between the OLT and the CRS to accommodate upload traffic of all clients or mere bit errors causing some frames to be dropped at receiving side on FCS error), but as such it does not explain the broadcast - as long as the record in the FDB exists, even if it is an old one, the frames matching that record should not be broadcast. I've seen dumb switches which didn't update existing records, only create new ones for "unknown yet" MAC addresses, so every now and then a single frame was broadcast in the window between expiration of the old FDB record and creation of a new one, but I have never seen (maybe yet?) a switch which would ignore existing FDB records when forwarding "because they are too old".What else I noticed short while ago, I looked at the MAC address of this client in host table in bridge, and noticed the age from this MAC in this specific vlan sometimes went to 1 minute before it "resets", indicating that CRS has not received any frames from this MAC on that vlan for quite a while.
I'm afraid I don't have enough information to agree or disagree here. The voice VLAN traffic may be prioritized in the OLT so the limited bandwidth towards the CRS may not affect it.So above might be inline with your theory. This ISP has 2 VLAN's, one data and one voice, I am not seeing the long age on the voice vlan, so this indicates physical network / devices are not faulty.
Post the CRS config, maybe I can see something there (don't expect too much, though). And the output of /interface bridge port print.
It becomes so complicated that I'm close to proposing a Skype call, however do you have in mind you can see only data of two customers out of expected 700 on the ISP upink interface? If so, that's most likely because the MAC addresses of those two customers aren't found in the FDB of the switch chip, so the switch chip broadcasts them not only to all Ethernet ports but also to the CPU port, which is what makes it possible for the CPU to sniff them. If you disabled the "hardware acceleration" on this uplink port, you'd see the traffic of all 700 in the sniff, but you'd throttle the bandwidth for the clients severely as each frame would go etherA -> CPU -> etherB and even if the CPU lane is a 10 Gbit/s one so effectively 5 Gbit/s in such a loopback operation, I doubt the CPU can handle that volume of traffic, given that a quad-core ARM on about the same clock (hAP ac²) glows red at 1 Gbit/s per direction.But for some reason, these frames come in on the wire strange way, i.e. If I sniff interface directly connected to ISP, I can see data for 2 customers inside FTTh network, keep in mind this specific ISP has 700+ customers inside the FTTh network
I'd neverteless like to see the configi will get in touch with Mikrotik support
I'd neverteless like to see the configi will get in touch with Mikrotik support