When CPE devices are directly connected to a BNG, you
may want the router to ignore any DSL Forum VSAs that it receives
in PPPoE control packets because the VSAs can be spoofed by malicious
subscribers. Spoofing is particularly serious when the targeted VSAs
are used to authenticate the subscriber, such as Agent-Circuit-Id
[26-1] and Agent-Remote-ID [26-2]. You can include the direct-connect
statement to ignore DSL Forum VSAs on static or dynamic PPPoE interfaces
or PPPoE underlying interfaces.

To configure the router to ignore DSL Forum VSAs on specific
PPPoE interfaces:

- Specify that you want to configure PPPoE-specific options
  on the interface:

  - For a PPPoE family in a dynamic profile for a VLAN demultiplexing
    (demux) logical interface:

      [edit dynamic-profiles profile-name interfaces demux0 unit logical-unit-number]
      user@host# edit family pppoe

  - For a PPPoE family in a dynamic profile:

      [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number]
      user@host# edit family pppoe

  - For a PPPoE underlying interface in a dynamic profile:

      [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number]
      user@host# edit pppoe-underlying-options

  - For a PPPoE family on an underlying interface:

      [edit interfaces interface-name unit logical-unit-number]
      user@host# edit family pppoe

  - For an underlying interface with PPPoE encapsulation:

      [edit interfaces interface-name unit logical-unit-number]
      user@host# edit pppoe-underlying-options

- Specify that the router ignores DSL Forum VSAs received
  on a specific interface:

      [edit ... family pppoe]
      user@host# set direct-connect

  or

      [edit ... pppoe-underlying-options]
      user@host# set direct-connect
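
To check that the procedure above was applied everywhere it should be, the following added example (not part of the original documentation, and not Juniper code) audits a configuration exported in `display set` form and lists every PPPoE unit, static or in a dynamic profile, that lacks the direct-connect statement. The interface names, profile names and other statements in the sample are constructed; the script assumes one `set` statement per line and only sees units that have at least one statement under `family pppoe` or `pppoe-underlying-options`.

```python
import shlex
from collections import defaultdict

# Hierarchy levels that the page lists as accepting the direct-connect statement.
PPPOE_LEVELS = (("family", "pppoe"), ("pppoe-underlying-options",))

# Constructed sample in "display set" form; interface and profile names are made up.
SAMPLE_CONFIG = '''
set interfaces ge-1/0/0 unit 100 pppoe-underlying-options max-sessions 10
set interfaces ge-1/0/0 unit 100 pppoe-underlying-options direct-connect
set interfaces ge-1/0/1 unit 200 family pppoe duplicate-protection
set interfaces ge-1/0/2 unit 0 family inet address 192.0.2.1/24
set dynamic-profiles pppoe-vlan interfaces demux0 unit "$junos-interface-unit" family pppoe duplicate-protection
set dynamic-profiles pppoe-vlan interfaces demux0 unit "$junos-interface-unit" family pppoe direct-connect
set dynamic-profiles pppoe-ul interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" pppoe-underlying-options max-sessions 5
'''

def parse_pppoe_units(config_text):
    """Map (profile, interface, unit, level) -> True if direct-connect is set."""
    units = defaultdict(bool)
    for line in config_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "set":
            continue
        tok = tok[1:]
        profile = None
        if tok[0] == "dynamic-profiles" and len(tok) > 2:
            profile, tok = tok[1], tok[2:]
        # Expect: interfaces <name> unit <number> <level...> [statement...]
        if len(tok) < 5 or tok[0] != "interfaces" or tok[2] != "unit":
            continue
        rest = tuple(tok[4:])
        for level in PPPOE_LEVELS:
            if rest[:len(level)] == level:
                key = (profile, tok[1], tok[3], " ".join(level))
                units[key] |= rest[len(level):len(level) + 1] == ("direct-connect",)
    return dict(units)

def missing_direct_connect(config_text):
    """Return PPPoE units that would still accept DSL Forum VSAs from the CPE."""
    return sorted((k for k, ok in parse_pppoe_units(config_text).items() if not ok),
                  key=lambda k: tuple(str(p) for p in k))

if __name__ == "__main__":
    for profile, ifname, unit, level in missing_direct_connect(SAMPLE_CONFIG):
        scope = f"dynamic-profile {profile}" if profile else "static"
        print(f"{scope}: {ifname} unit {unit} [{level}] has no direct-connect")
```

A unit reported here is only a finding when its CPE devices connect directly to the BNG, which is the case this procedure addresses.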