Switching

Hi All,

I have an EX2200 48 switch which terminates a load of PPPoE customers (PPPoE termination done on a Cisoc 7200) I am wondering what the best way to secure each access port so not to pass any NetBios traffic etc. I only want to allow PPPoE traffic on this one Vlan and nothing else. Is this the best way to go around this issue?

Thanks.

Hi Ryan,

If you want to filter down to just PPPoE, then put together a firewall filter such as:

bdale@ex2200# show firewall 
family ethernet-switching {
    filter TENANT-TRAFFIC {
        term PPPOE {
            from {
                ether-type [ pppoe-discovery pppoe-session ];
            }
            then accept;
        }
        term ALL-ELSE {
            then discard;
        }
    }
}

apply this to each of your customer-facing interfaces, but remember not to apply it to your uplink or any interfaces you'll be managing the box from.  For ease of deployment, you can use an interface-range so you only need to apply it in one spot:

bdale@ex2200# show interfaces                    
interface-range TENANT-PORTS {
    member ge-0/0/0;
    member ge-0/0/1;
    member ge-0/0/2;
    member ge-0/0/3;
    member ge-0/0/4;
    unit 0 {
        family ethernet-switching {
            vlan {
                members RESIDENTIAL-ACCESS;
            }
            filter {
                input TENANT-TRAFFIC;
            }
        }
    }
}

Hope this helps!

Thanks dfex, I was playing around yesterday and thats the config I came up with which is the same I think:

family ethernet-switching {
    filter pppoe {
        term pppoe_1 {
            from {
                ether-type [ pppoe-discovery pppoe-session ];
            }
            then accept;
        }
        term pppoe_2 {
            then discard;
        }
    }
}

Thanks heaps.