Edgecore: ip source-guard a PPPoE traffic

[eKrajnak]

Ahojte,

hrám sa so switchom Edgecore 4210-28T a riešim ip source-guard. Mám zákaznícky trunk port kde na jednej vlane beží IPTV s DHCP konfiguráciou a na druhej vlane PPPoE internetový traffic. Ak na takýto trunk port nasadím ip source-guard zabezpečenie, odfiltruje mi to PPPoE odchádzajúci traffic ethertype 0x8864. PPPoE intermediate agent je nastavený, ale ten nezapisuje do binding tabuľky.

Riešili ste niekto niečo podobné?

[krtko]

Ahoj,

aka je tam verzia FW? posledna je 1.0.0.62

V1.0.0.36 (Build 2014/7/31)
ES4328QV-FLF-EC-00262 ECS4210-28T/ECS3510-28T DHCP SNP trust port without setting DAI trust may fowards ARP packets to others ports.
ES4328QV-FLF-EC-00265 mvr proxy switching sends IGMPv1 report with source ip 0.0.0.0
ES4328QV-FLF-EC-00266 IPSG function will drop PPPoE packets
ES4328QV-FLF-EC-00268 After copy TFTP file to running-config,reload will show fail message.
ES4328QV-FLF-EC-00269 Enable/Disable ACL on port will have error message : Free PCL from device failed
ES4328QV-FLF-EC-00270 ACL will failed to bind on port after repeat enable/disable
ES4328QV-FLF-ZZ-00217 The queue that use by rule to trapped my target ARP is not as expected
ES4328QV-FLF-EC-00271 DNS fragment packet cause leakage

zaroven citam:
Chip limitation

================

1. ARP packets are trapped into CPU by ACL rule, that is mean user can not use ACL rule to have action on the ARP packets.
2. Wen TCAM priority is IPv4 MAC IPv6 and IPSG is SIP mode, PPPoE packets with un-compressed data will be dropped.
3. Switches are not matching all of multicast and broadcast UDP traffic with service policies in output direction.

[eKrajnak]

Bežím na najnovšej verzii 1.0.0.62.

Mám to chápať tak, že od verzie 1.0.0.36 menili správanie a IPSG jednoducho dropuje PPPoE a neviem to potlačiť?
Zmena tcam priority a následne reload nepomohlo.

[krtko]

citam si manual:

IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 338). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network. This section describes commands used to configure IP Source Guard.

takze ak nie je zaznam v dynamic table (co pri pppoe logicky nie je) skusit ho doplnit do static entry pre mac adresu pppoe klienta.

[eKrajnak]

Pochopitelne, viem o com IP source-guard je. Ale od kedy PPPoE je IP traffic? Ethertype 0x0800 vs 0x8863/4
Manual binding neprichadza do uvahy. Tymto to cele pokaslali. Na filtrovanie PPPoE je PPPoE intermediate agent alebo MAC access listy. Podla mna IPSG do toho nema co zasahovat.

[Salamander]

Pochopitelne, viem o com IP source-guard je. Ale od kedy PPPoE je IP traffic? Ethertype 0x0800 vs 0x8863/4
Manual binding neprichadza do uvahy. Tymto to cele pokaslali. Na filtrovanie PPPoE je PPPoE intermediate agent alebo MAC access listy. Podla mna IPSG do toho nema co zasahovat.

Muzu se (mozna trosku blbe) zeptat proc je tam potreba IPSG? Nejaka podrobnejsi konfigurace by nebyla? Treba by se to dalo vyresit i jinak.

[eKrajnak]

Pochopitelne, viem o com IP source-guard je. Ale od kedy PPPoE je IP traffic? Ethertype 0x0800 vs 0x8863/4
Manual binding neprichadza do uvahy. Tymto to cele pokaslali. Na filtrovanie PPPoE je PPPoE intermediate agent alebo MAC access listy. Podla mna IPSG do toho nema co zasahovat.

Muzu se (mozna trosku blbe) zeptat proc je tam potreba IPSG? Nejaka podrobnejsi konfigurace by nebyla? Treba by se to dalo vyresit i jinak.

Ide o standardny zakaznicky port v bytovke. Potrebujem na nom zabezpecenie (loopback detection, ipsg, dhcp snooping, arp inspection, traffic segmentation, ...)
1) NET vlana na vytocenie PPPoE (ziaden IP traffic ani ARP)
2) IPTV vlana pre IPTV - DHCP autokonfiguracie pre STB, igmp snooping, multicast + unicast pre archiv a APP vrstvu

Je to jeden trunk port, neviem odlisit PPPoE od IPTV IP trafficu.